[
    {
        "Name": "Laplink Everywhere",
        "Category": "RMM",
        "Description": "Laplink Everywhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2025-12-14",
        "Details": {
            "Website": "https://everywhere.laplink.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "laplink.exe",
                "laplink-everywhere-setup*.exe",
                "laplinkeverywhere.exe",
                "llrcservice.exe",
                "serverproxyservice.exe",
                "OOSysAgent.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "everywhere.laplink.com",
                        "le.laplink.com",
                        "atled.syspectr.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_everywhere_network_sigma.yml",
                "Description": "Detects potential network activity of Laplink Everywhere RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_everywhere_processes_sigma.yml",
                "Description": "Detects potential process activity of Laplink Everywhere RMM tool"
            }
        ],
        "References": [
            "https://everywhere.laplink.com/docs"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "search_names": [],
            "company_names": [],
            "signer_names": [
                "Laplink Software",
                "Laplink Software Inc."
            ],
            "certificates": [
                {
                    "signer_name": "Laplink Software",
                    "certificate_thumbprint": "N/A",
                    "tbs_sha256": "",
                    "tbs_sha1": "57A69DC3D72F650E411223F24397C7634C077254"
                },
                {
                    "signer_name": "Laplink Software",
                    "certificate_thumbprint": "N/A",
                    "tbs_sha256": "",
                    "tbs_sha1": "AA448E02273F6B653CBE0607D6F5DE3EAEBC0263"
                },
                {
                    "signer_name": "Laplink Software Inc.",
                    "certificate_thumbprint": "N/A",
                    "tbs_sha256": "",
                    "tbs_sha1": "B7F6BD9F60F2001B96075AF1E8E9B5F684890B10"
                },
                {
                    "signer_name": "Laplink Software",
                    "certificate_thumbprint": "N/A",
                    "tbs_sha256": "",
                    "tbs_sha1": "01EEA5225BFBE91579EB0753382E4D87A4765D8D"
                }
            ]
        }
    },
    {
        "Name": "mstsc",
        "Category": "RAT",
        "Description": "mstsc is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.\n\n**IMPORTANT**: This tool is signed with legitimate Microsoft Corporation certificates that are also used to sign numerous other Microsoft products and Windows components. Do NOT blindly block these certificate thumbprints, as doing so will likely break essential Windows functionality and other Microsoft applications in your environment. Use certificate data for detection, hunting, and analysis purposes only. The certificate list for this entry also contains non-Microsoft signers (Power Software Limited, win.rar GmbH); confirm that a matching file really is mstsc.exe before relying on those entries.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Windows\\System32\\mstsc.exe",
                "*Windows\\System32\\mstsc.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mstsc_processes_sigma.yml",
                "Description": "Detects potential process activity of mstsc RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": [],
        "CodeSigning": {
            "search_names": [
                "mstsc.exe"
            ],
            "company_names": [],
            "signer_names": [
                "Microsoft Corporation",
                "Power Software Limited"
            ],
            "certificates": [
                {
                    "signer_name": "Power Software Limited",
                    "certificate_thumbprint": "C8DB5C8424B346AD72D19F40BD63B5EC0C84E677",
                    "tbs_sha256": "7EDC698ACA865B764240F7E971A1E37480B92A0732889616343B31590D2A9E24",
                    "tbs_sha1": "",
                    "certificate_der_base64": "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"
                },
                {
                    "signer_name": "Microsoft Corporation",
                    "issuer": "CN=Microsoft Code Signing PCA 2011",
                    "certificate_thumbprint": "8F985BE8FD256085C90A95D3C74580511A1DB975",
                    "tbs_sha256": "3D7ECEA41F3A81E648E26BF630378BE677204330A6A7C3E6E6971A2B6C3B9C0D",
                    "tbs_sha1": "C71EABE2369212728EF4949B59A97A345FBF6CAE",
                    "valid_from": "2024-09-12T20:11:14+00:00",
                    "valid_to": "2025-09-11T20:11:14+00:00",
                    "certificate_der_base64": "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"
                },
                {
                    "signer_name": "win.rar GmbH",
                    "certificate_thumbprint": "729AE1F8B489DE176CC099FF49937F85F9E412F7",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "39baa167de334fef185ae8b97e8c709a307eed08e80fe115577c59a05200a13a",
                    "src_file_path": "downloaded_files/mstsc/39baa167de334fef185ae8b97e8c709a307eed08e80fe115577c59a05200a13a",
                    "src_file_company": "Alexander Roshal"
                }
            ]
        }
    },
    {
        "Name": "Bluetrait",
        "Category": "RAT",
        "Description": "Bluetrait is a Remote Monitoring and Management (RMM) tool designed to provide IT administrators and Managed Service Providers (MSPs) with remote access, system monitoring, and automation capabilities across Windows, Linux, and macOS devices. Like many RMM solutions, Bluetrait enables seamless remote management, allowing administrators to execute commands, install software, and troubleshoot issues without direct user intervention.\n\nHowever, Proofpoint's research has highlighted how threat actors are increasingly abusing RMM tools, including Bluetrait, for malicious purposes. Attackers leverage Bluetrait as part of their post-exploitation strategy, often deploying it through phishing or social engineering techniques. Once installed, Bluetrait allows attackers to establish persistent remote access, circumvent traditional security controls, and execute malicious payloads under the guise of legitimate administrative activity.",
        "Author": "The Haag",
        "Created": "2025-03-13",
        "LastModified": "2025-03-13",
        "Details": {
            "Website": "https://bluetrait.io/",
            "PEMetadata": {
                "Filename": "Bluetrait MSP Agent.exe",
                "OriginalFileName": "Bluetrait MSP Agent.exe",
                "Description": "Bluetrait MSP Agent",
                "Product": "Bluetrait"
            },
            "Privileges": "Current User",
            "Free": true,
            "Verification": false,
            "SupportedOS": [
                "Windows",
                "Linux",
                "macOS"
            ],
            "Capabilities": [
                "Remote Monitoring",
                "Remote Management",
                "File Transfer",
                "PowerShell Execution"
            ],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Program Files (x86)\\Bluetrait Agent\\*"
            ]
        },
        "Artifacts": {
            "Disk": [
                {
                    "File": "C:\\Program Files (x86)\\Bluetrait Agent\\Bluetrait MSP Agent.exe",
                    "Description": "Main Bluetrait agent executable file",
                    "OS": "Windows",
                    "Example": [
                        "MD5: 1999018A77A57B3DE1CEECEF2FD2E555",
                        "SHA256: 7DA12D344456FB5B285AD358D7EC7C256A5C1F2163D312BE63FFCEA61BDA668B"
                    ]
                },
                {
                    "File": "C:\\Program Files (x86)\\Bluetrait Agent\\BluetraitUserAgent.exe",
                    "Description": "Bluetrait User Agent executable file",
                    "OS": "Windows",
                    "Example": [
                        "MD5: CA8DCB7C71FE31AF9F4A99667428702B",
                        "SHA256: 1A00E50CB1086CBE4C2F0E65A290FDA8FCFAC1A56C5DBFA2248E4D7BED44939F"
                    ]
                },
                {
                    "File": "C:\\Program Files (x86)\\Bluetrait Agent\\config.db",
                    "Description": "Bluetrait configuration database file",
                    "OS": "Windows",
                    "Example": [
                        "MD5: D24A10B86F80238D3D5627438DE665EF"
                    ]
                },
                {
                    "File": "C:\\Program Files (x86)\\Bluetrait Agent\\config.json",
                    "Description": "Bluetrait JSON configuration file",
                    "OS": "Windows",
                    "Example": [
                        "MD5: 417D447C221BC58B33BDBF3B67C049BC"
                    ]
                },
                {
                    "File": "C:\\Program Files (x86)\\Bluetrait Agent\\libraries\\paexec.exe",
                    "Description": "PAExec utility used by Bluetrait for remote execution",
                    "OS": "Windows",
                    "Example": [
                        "MD5: A8283F82F258A5577FE39FE24650A880",
                        "SHA256: 1398D653106A68E31DBB1DA06141A1809A65E92A45F021EDF6BE220265957225"
                    ]
                }
            ],
            "EventLog": [
                {
                    "EventID": 4688,
                    "ProviderName": "Microsoft-Windows-Security-Auditing",
                    "LogFile": "Security.evtx",
                    "CommandLine": "C:\\Program Files (x86)\\Bluetrait Agent\\Bluetrait MSP Agent.exe",
                    "Description": "Execution of Bluetrait MSP Agent"
                },
                {
                    "EventID": 7045,
                    "ProviderName": "Service Control Manager",
                    "LogFile": "System.evtx",
                    "ServiceName": "Bluetrait Agent",
                    "ImagePath": "\"C:\\Program Files (x86)\\Bluetrait Agent\\Bluetrait MSP Agent.exe\"",
                    "ServiceType": "user mode service",
                    "StartType": "auto start",
                    "AccountName": "LocalSystem",
                    "Description": "Bluetrait service installation event",
                    "Example": "<Event xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"><System><Provider Name=\"Service Control Manager\" Guid=\"{555908d1-a6d7-4695-8e1e-26931d2012f4}\" EventSourceName=\"Service Control Manager\"/><EventID Qualifiers=\"16384\">7045</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8080000000000000</Keywords><TimeCreated SystemTime=\"2025-03-13T16:08:59.994503700Z\"/><EventRecordID>170044</EventRecordID><Correlation/><Execution ProcessID=\"600\" ThreadID=\"4652\"/><Channel>System</Channel><Computer>ar-win-3</Computer><Security UserID=\"S-1-5-18\"/></System><EventData><Data Name=\"ServiceName\">Bluetrait Agent</Data><Data Name=\"ImagePath\">\"C:\\Program Files (x86)\\Bluetrait Agent\\Bluetrait MSP Agent.exe\"</Data><Data Name=\"ServiceType\">user mode service</Data><Data Name=\"StartType\">auto start</Data><Data Name=\"AccountName\">LocalSystem</Data></EventData></Event>"
                }
            ],
            "Network": [
                {
                    "Description": "Known domains used by Bluetrait",
                    "Domains": [
                        "bluetrait.io",
                        "*.bluetrait.io"
                    ],
                    "Ports": [
                        443,
                        8080
                    ]
                }
            ]
        },
        "Detections": [
            {
                "Name": "Detect Bluetrait Agent Execution",
                "Description": "Detects execution of Bluetrait agent executable by monitoring process creation events",
                "author": "",
                "Link": ""
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bluetrait_network_sigma.yml",
                "Description": "Detects potential network activity of Bluetrait RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bluetrait_files_sigma.yml",
                "Description": "Detects potential file activity of Bluetrait RMM tool"
            }
        ],
        "References": [
            "https://bluetrait.io/",
            "https://www.proofpoint.com/us/blog/threat-insight/ta575-targets-organizations-with-rmm-tools",
            "https://any.run/report/62446e7258b20b64c058ae723b5f38b82f0b6214c5e8b9f015bf971be061eeb0/66a67ccf-36bc-46d8-bff1-cb8305b94501"
        ],
        "Acknowledgement": [
            {
                "Person": "The Haag",
                "Handle": "@M_haggis"
            }
        ]
    },
    {
        "Name": "X2Go",
        "Category": "RAT",
        "Description": "X2Go is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://wiki.x2go.org/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": []
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [],
        "References": [
            "https://wiki.x2go.org/doku.php"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "DameWare",
        "Category": "RMM",
        "Description": "DameWare is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.solarwinds.com/dameware/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "SolarWinds-Dameware-DRS*.exe",
                "DameWare Mini Remote Control*.exe",
                "C:\\Windows\\dwrcs\\*",
                "C:\\Program Files\\SolarWinds\\Dameware Mini Remote Control\\*",
                "dntus*.exe",
                "dwrcs.exe",
                "*\\dwrcs\\*",
                "*\\dwrcst.exe",
                "DameWare Remote Support.exe",
                "SolarWinds-Dameware-MRC*.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "dameware.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dameware_network_sigma.yml",
                "Description": "Detects potential network activity of DameWare RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dameware_processes_sigma.yml",
                "Description": "Detects potential process activity of DameWare RMM tool"
            }
        ],
        "References": [
            "https://documentation.solarwinds.com/en/success_center/dameware/content/install-standalone-port-requirements.htm"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "Level",
        "Category": "RMM",
        "Description": "Level is a remote monitoring and management (RMM) tool. Threat actors ...",
        "Author": "Christian Henriksen, ITM8 | Improsec",
        "Created": "2024-02-11",
        "LastModified": "2024-02-11",
        "Details": {
            "Website": "https://level.io/",
            "PEMetadata": {
                "Filename": "level.exe",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "User",
            "Free": "Free",
            "Verification": "True",
            "SupportedOS": [
                "Windows"
            ],
            "Capabilities": [
                "File Transfer",
                "File System Access",
                "Remote Control",
                "Automation & Scripting"
            ],
            "InstallationPaths": [
                "C:\\Program Files\\Level\\*"
            ]
        },
        "Artifacts": {
            "Disk": [
                {
                    "File": "C:\\Program Files\\Level\\level.exe",
                    "Description": "Level Binary",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files\\Level\\osqueryi.exe",
                    "Description": "A tool used by Level to collect machine state information.",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files\\Level\\level.log",
                    "Description": "Client log file for Level.",
                    "OS": "Windows"
                }
            ],
            "EventLog": [
                {
                    "EventID": 4698,
                    "ProviderName": "Microsoft-Windows-Security-Auditing",
                    "LogFile": "Security.evtx",
                    "TaskName": "Level Watchdog",
                    "Location": "\\Level",
                    "Description": "To ensure the Level agent is always running, a scheduled task..."
                },
                {
                    "EventID": 4697,
                    "ProviderName": "Microsoft-Windows-Security-Auditing",
                    "LogFile": "Security.evtx",
                    "ServiceName": "Level",
                    "ServiceFileName": "C:\\Program Files\\Level\\level.exe --key <KEY> --action=run",
                    "ServiceAccount": "LocalSystem",
                    "ServiceStartType": 2,
                    "Description": "The Level Agent Service ..."
                },
                {
                    "EventID": 4798,
                    "ProviderName": "Microsoft-Windows-Security-Auditing",
                    "LogFile": "Security.evtx",
                    "CallerProcessName": "C:\\Program Files\\Level\\osqueryi.exe",
                    "Description": "Evidence of osqueryi doing automatic user/group enumeration."
                }
            ],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "level.io",
                        "builds.level.io",
                        "agents.level.io",
                        "online.level.io",
                        "downloads.io"
                    ],
                    "Ports": [
                        443
                    ]
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level_network_sigma.yml",
                "Description": "Detects potential network activity of Level RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level_files_sigma.yml",
                "Description": "Detects potential file activity of Level RMM tool"
            }
        ],
        "References": [
            "https://dfirtnt.wordpress.com/2023/09/05/rmm-level-io-forensic-artifacts-and-evidence/",
            "https://docs.level.io/en/articles/9926456-level-watchdog-task"
        ],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "win.rar GmbH",
                    "certificate_thumbprint": "729AE1F8B489DE176CC099FF49937F85F9E412F7",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "9ce73bf30a1b85bb85dc02b0177ec362b39587e48b968b411a9ae5cc0557a7c6",
                    "src_file_path": "downloaded_files/level/9ce73bf30a1b85bb85dc02b0177ec362b39587e48b968b411a9ae5cc0557a7c6",
                    "src_file_company": "Alexander Roshal"
                },
                {
                    "signer_name": "Level Software, Inc.",
                    "certificate_thumbprint": "3C002DCBBCB603AE08699F4CEF973864AEB16860",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "075b9694aa770850d54870e4a3a55fd11a26497ccb8de4f2ec7b2ecca2b88d83",
                    "src_file_path": "downloaded_files/level/075b9694aa770850d54870e4a3a55fd11a26497ccb8de4f2ec7b2ecca2b88d83"
                }
            ]
        }
    },
    {
        "Name": "MyGreenPC",
        "Category": "RMM",
        "Description": "MyGreenPC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://mygreenpc.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "mygreenpc.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*mygreenpc.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mygreenpc_network_sigma.yml",
                "Description": "Detects potential network activity of MyGreenPC RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mygreenpc_processes_sigma.yml",
                "Description": "Detects potential process activity of MyGreenPC RMM tool"
            }
        ],
        "References": [
            "http://www.mygreenpc.com/"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "NinjaRMM",
        "Category": "RMM",
        "Description": "NinjaRMM is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2026-01-27",
        "Details": {
            "Website": "https://www.ninjaone.com/rmm/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "NinjaRMMAgent.exe",
                "NinjaRMMAgentPatcher.exe",
                "ninjarmm-cli.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.ninjarmm.com",
                        "*.ninjaone.com",
                        "resources.ninjarmm.com",
                        "ninjaone.com",
                        "ninjarmm.net",
                        "*.ninjarmm.net",
                        "rmmservice.eu",
                        "*.rmmservice.eu",
                        "rmmservice.eu",
                        "*.rmmservice.eu",
                        "rmmservice.com.au",
                        "*.rmmservice.com.au",
                        "rmmservice.ca",
                        "*.rmmservice.ca",
                        "ninja-backup.com",
                        "*.ninja-backup.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ninjarmm_network_sigma.yml",
                "Description": "Detects potential network activity of NinjaRMM RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ninjarmm_processes_sigma.yml",
                "Description": "Detects potential process activity of NinjaRMM RMM tool"
            }
        ],
        "References": [
            "https://www.ninjaone.com/faq/"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "NinjaOne LLC",
                    "certificate_thumbprint": "5F4F53C903859C0BDEFD456789D9C517F9F68C06",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "61e3d7e1235c0f6d5318721715ce5fb136c8e03783f0d3d75aa026c845958032",
                    "src_file_path": "downloaded_files/ninjarmm/61e3d7e1235c0f6d5318721715ce5fb136c8e03783f0d3d75aa026c845958032",
                    "src_file_company": "NinjaRMM, LLC"
                }
            ]
        }
    },
    {
        "Name": "RdClient",
        "Category": "RAT",
        "Description": "RdClient is a slim remote desktop client for the protocols RDP, VNC and Hyper-V. It manages remote desktops in a tree view similar to the Windows Explorer.\n",
        "Author": "Daniel Koifman (KoifSec)",
        "Created": "2025-11-12",
        "LastModified": "2025-11-12",
        "Details": {
            "Website": "https://www.pierschel.com/en/software-blog/28-rdclient-en",
            "Privileges": "User",
            "Free": true,
            "Verification": true,
            "SupportedOS": [
                "Windows"
            ],
            "Capabilities": [
                "Remote Desktop Access",
                "Multiple Protocol Support",
                "Connection Management"
            ],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Program Files (x86)\\RdClient\\*",
                "C:\\Program Files\\RdClient\\*",
                "rdclient.exe",
                "RdClientInstaller.exe",
                "SupportTool.exe"
            ]
        },
        "Artifacts": {
            "Disk": [
                {
                    "File": "%APPDATA%\\RdClient\\*",
                    "Description": null,
                    "OS": "Windows"
                }
            ],
            "EventLog": [],
            "Registry": [
                {
                    "Path": "HKLM\\SOFTWARE\\RdClient",
                    "Description": "RdClient Installation"
                }
            ],
            "Network": []
        },
        "Detections": [
            {
                "AQL": "https://raw.githubusercontent.com/Koifman/Deathcon25/refs/heads/main/rmm_rodeo/rdclient/aql.aql",
                "Description": "QRadar AQL query detecting RdClient activity through process creation (EventID 4688) for rdclient.exe and supporttool.exe, and registry modifications (EventID 4657) to SOFTWARE\\RdClient registry path"
            }
        ],
        "References": [
            "https://rdclient.en.softonic.com/",
            "https://geekflare.com/software/remote-desktop-client-software/"
        ],
        "Acknowledgement": [
            {
                "Person": "Daniel Koifman",
                "Handle": "@KoifSec"
            }
        ]
    },
    {
        "Name": "Dev Tunnels (aka Visual Studio Dev Tunnel)",
        "Category": "RAT",
        "Description": "Dev Tunnels (aka Visual Studio Dev Tunnel) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://learn.microsoft.com/azure/developer/dev-tunnels/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": []
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dev_tunnels__aka_visual_studio_dev_tunnel__network_sigma.yml",
                "Description": "Detects potential network activity of Dev Tunnels (aka Visual Studio Dev Tunnel) RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": []
    },
    {
        "Name": "Kabuto",
        "Category": "RMM",
        "Description": "Kabuto is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "Kabuto.App.Runner.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.kabuto.io",
                        "repairtechsolutions.com/kabuto/"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kabuto_network_sigma.yml",
                "Description": "Detects potential network activity of Kabuto RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kabuto_processes_sigma.yml",
                "Description": "Detects potential process activity of Kabuto RMM tool"
            }
        ],
        "References": [
            "https://www.repairtechsolutions.com/documentation/kabuto/"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "RES Automation Manager",
        "Category": "RMM",
        "Description": "RES Automation Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.ivanti.com/company/history/res-software",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "wisshell*.exe",
                "wmc.exe",
                "wmc_deployer.exe",
                "wmcsvc.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "user_managed",
                        "ivanti.com/"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/res_automation_manager_network_sigma.yml",
                "Description": "Detects potential network activity of RES Automation Manager RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/res_automation_manager_processes_sigma.yml",
                "Description": "Detects potential process activity of RES Automation Manager RMM tool"
            }
        ],
        "References": [
            "https://forums.ivanti.com/s/article/INFO-Which-ports-does-Ivanti-Automation-use?language=en_US&ui-force-components-controllers-recordGlobalValueProvider.RecordGvp.getRecord=1"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "Ivanti, Inc.",
                    "certificate_thumbprint": "B310DCA4816C8E3E41E6C72BBB67A255AD8E0363",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "a48d80e35636a24613adcb9b1f928eeef86073a580878d023871bc762ac8a2c8",
                    "src_file_path": "downloaded_files/res_automation_manager/a48d80e35636a24613adcb9b1f928eeef86073a580878d023871bc762ac8a2c8",
                    "src_file_company": "Ivanti"
                }
            ]
        }
    },
    {
        "Name": "Domotz",
        "Category": "RMM",
        "Description": "Domotz is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2025-12-14",
        "Details": {
            "Website": "https://www.domotz.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "domotz.exe",
                "Domotz Pro Desktop App.exe",
                "domotz_bash.exe",
                "domotz*.exe",
                "Domotz Pro Desktop App Setup*.exe",
                "domotz-windows*.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.domotz.co",
                        "domotz.com",
                        "*cell-1.domotz.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/domotz_network_sigma.yml",
                "Description": "Detects potential network activity of Domotz RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/domotz_processes_sigma.yml",
                "Description": "Detects potential process activity of Domotz RMM tool"
            }
        ],
        "References": [
            "https://help.domotz.com/tips-tricks/unblock-outgoing-connections-on-firewall/"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "search_names": [
                "exmtweaksservice.exe",
                "libegl.dll",
                "libglesv2.dll",
                "vk_swiftshader.dll",
                "vulkan-1.dll"
            ],
            "company_names": [],
            "signer_names": [
                "Domotz Inc",
                "OpenVPN Inc."
            ],
            "certificates": [
                {
                    "signer_name": "Domotz Inc",
                    "certificate_thumbprint": "2361B8924DF61C7A57B4B77CAAD6BF3968E7DCD3",
                    "tbs_sha256": "25457BE25A9D546CC3189A234EA5D84FAEC54C46D15B9E04AB08BDFC26AD513E",
                    "tbs_sha1": "",
                    "certificate_der_base64": "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"
                },
                {
                    "signer_name": "Domotz Inc",
                    "certificate_thumbprint": "0034E538D1FE10D11AEDB19820917F8455375F59",
                    "tbs_sha256": "1F28243E790F8A14833AD151223E08AE287F8938156E2BD2809D91EB1B872EAD",
                    "tbs_sha1": "",
                    "certificate_der_base64": "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"
                },
                {
                    "signer_name": "OpenVPN Inc.",
                    "certificate_thumbprint": "478646B53E3F991A02E8A04D36B178DB1AFFF851",
                    "tbs_sha256": "5AA2294423E61B2EA4278E048CE26663264439CEFCE9E19B82F7829BA1579A31",
                    "tbs_sha1": "",
                    "certificate_der_base64": "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"
                },
                {
                    "signer_name": "OpenVPN Inc.",
                    "certificate_thumbprint": "N/A",
                    "tbs_sha256": "BD4325E2A812983153FFB4CE0484AE9638E38647106BD1DAB419733022006EB9",
                    "tbs_sha1": ""
                },
                {
                    "signer_name": "DOMOTZ INC.",
                    "certificate_thumbprint": "B306B74F3BB81B3CD057AB400514B0D56D421788",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "2761bda50e77e0a0e2a8ac1836281035cd8d3d2c5faf8b41d607519ca22a7bf5",
                    "src_file_path": "downloaded_files/domotz/2761bda50e77e0a0e2a8ac1836281035cd8d3d2c5faf8b41d607519ca22a7bf5"
                }
            ]
        },
        "FileHashes": {
            "authenticode": [
                {
                    "file_name": "libGLESv2.dll",
                    "sha256": "8B3CA207456B73048B14401D514A218F91E3AC362DA380D5F42846871390950A",
                    "sha1": "DEB3F4BF111F08EDD21CD45236980F9BAAEE8674"
                },
                {
                    "file_name": "exmtweaksservice.exe",
                    "sha256": "0BCF88B46DD1EC5DBAB3C7A93AA71935485D2301410060DFAE037A131CF40174",
                    "sha1": "6BF09D1CF379E7812E77949A52E4A44424FC2E71"
                },
                {
                    "file_name": "libEGL.dll",
                    "sha256": "959410DBEA458A73A2DFEF4126D8AE86A05AAA51918EF622479D96A80C58C97A",
                    "sha1": "0356E88D072931B1A2EEB49BD6AD7023C8D83EBA"
                },
                {
                    "file_name": "vulkan-1.dll",
                    "sha256": "DFFB91B009F255C9AC0521B4357539F9E774009BD7840F42144F1322B37D9F9C",
                    "sha1": "A48555CF8ACEC1490EA62B6E9F43D72D9EB4E29B"
                },
                {
                    "file_name": "vk_swiftshader.dll",
                    "sha256": "0DC03434E216CC1AFC474A4546D5191F48C54725CAC435288C5D678D0289976E",
                    "sha1": "47768556FF79EF9EA281FC0926C474F583B20077"
                }
            ],
            "page": [
                {
                    "file_name": "libGLESv2.dll",
                    "sha256": "CEB843E1186242264FBAB170AF4ADF3298B7ADF6169A80C21D885CC742C87700",
                    "sha1": "AB54BF0739C16C996CDE7F98192868A0F156E6F2"
                },
                {
                    "file_name": "exmtweaksservice.exe",
                    "sha256": "B962D7066212CB69934B5A7320645493F158FF50CE693D96285E1BFCC69450A6",
                    "sha1": "FFFACB71C5CB6393D3B7EBF05EEC991167B2793D"
                },
                {
                    "file_name": "libEGL.dll",
                    "sha256": "D81FE4599903910759C1F65F3A1B4974D827C653A2C89C95D786F60A0243929B",
                    "sha1": "9DEFE71AC3B38EE3B64A495148F13D789BDE2BAB"
                },
                {
                    "file_name": "vulkan-1.dll",
                    "sha256": "A647D0D274F88A36F6ACC2A75C22DA8039A4C92602756DC386FFC1742D61939D",
                    "sha1": "9653B310379320E3E83C767BAAB6A7C3D741D707"
                },
                {
                    "file_name": "vk_swiftshader.dll",
                    "sha256": "B879F1472F766619BCA6A8482E71909ADB417A7939A2B87E1FE6E1E09464208C",
                    "sha1": "05261154E5FA4E88FDC4B244B6FAD9F27C204D44"
                }
            ]
        }
    },
    {
        "Name": "PDQ Connect",
        "Category": "RMM",
        "Description": "PDQ Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2025-12-14",
        "Details": {
            "Website": "https://www.pdq.com/pdq-connect/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "pdq-connect*.exe",
                "PDQConnectUpdater-*.msi"
            ]
        },
        "Artifacts": {
            "Disk": [
                {
                    "File": "C:\\ProgramData\\PDQ\\PDQConnectAgent\\PDQConnectAgent.db-journal",
                    "Description": "Journal file that is part of the database system used by the PDQ Connect Agent to manage and store data related to its operations",
                    "OS": "Windows"
                }
            ],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "app.pdq.com",
                        "cfcdn.pdq.com",
                        "pdqinstallers.*.r2.cloudflarestorage.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pdq_connect_network_sigma.yml",
                "Description": "Detects potential network activity of PDQ Connect RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pdq_connect_files_sigma.yml",
                "Description": "Detects potential file activity of PDQ Connect RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pdq_connect_processes_sigma.yml",
                "Description": "Detects potential process activity of PDQ Connect RMM tool"
            }
        ],
        "References": [
            "https://connect.pdq.com/hc/en-us/articles/12489014928667-Collect-PDQ-Connect-Event-Logs",
            "https://connect.pdq.com/hc/en-us/articles/19197321496219-PDQ-Connect-Output-Logs",
            "https://connect.pdq.com/hc/en-us/articles/9518992071707-Network-Requirements"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "search_names": [
                "msi8c70.tmp",
                "pdq-connect-agent.exe",
                "pdq-connect.exe",
                "pdqconnectupdater-.msi",
                "pdqconnectupdater-setup.exe"
            ],
            "company_names": [],
            "signer_names": [
                "PDQ.com Corporation"
            ],
            "certificates": [
                {
                    "signer_name": "PDQ.com Corporation",
                    "certificate_thumbprint": "8AB2A176E3B80545CE2E15ED12D186B9EF53C108",
                    "tbs_sha256": "4C3ADBB8A2662E65EC5C714632D015950295E0F8383D25FD125D1EA4994525B5",
                    "tbs_sha1": "",
                    "certificate_der_base64": "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"
                },
                {
                    "signer_name": "PDQ.com Corporation",
                    "certificate_thumbprint": "E706901A2E7EB16DA4D420BF61BBC47BFBBF8CE6",
                    "tbs_sha256": "6D661EF88C0FAA44D96DD73137EE50A09E9A1BA9180A8A850A6A6D708DA2004E",
                    "tbs_sha1": "",
                    "certificate_der_base64": "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"
                },
                {
                    "signer_name": "PDQ.com Corporation",
                    "issuer": "CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1",
                    "certificate_thumbprint": "7B4313B6CDB8176DFAAB4125E51651E2A813AB74",
                    "tbs_sha256": "476A0D993DE124D3925AD602D11F294C1D374A3ACF50567A5928D269840993E4",
                    "tbs_sha1": "7C423168C986239661A17B2199D0ADFF457188CA",
                    "valid_from": "2025-08-07T00:00:00+00:00",
                    "valid_to": "2028-09-21T23:59:59+00:00",
                    "certificate_der_base64": "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"
                }
            ]
        },
        "FileHashes": {
            "authenticode": [
                {
                    "file_name": "pdqconnectupdater-setup.exe",
                    "sha256": "DC91E1507E9DDD1FDB6089204745D1A5DC34B58AD1C8971B91D1F8DE91A9097F",
                    "sha1": "CF2244E33899080106C9600EBFBB400DB956C0B2"
                },
                {
                    "file_name": "pdqconnectupdater-setup.exe",
                    "sha256": "8B589F83D7DDA927AF5A37EC16620C2818475A59B26BFDF8C385B6A01B9411A2",
                    "sha1": "66861A75A8F1C70B91B1A7D8067B88E218561963"
                },
                {
                    "file_name": "pdqconnectupdater-setup.exe",
                    "sha256": "3311BCD8BCFCEF75A8E28058ABEB468115EE2AA89E914A07DDF7F09C36205166",
                    "sha1": "A201099C0708137F1904CA0C32AF369568FA3502"
                },
                {
                    "file_name": "pdq-connect-agent.exe",
                    "sha256": "DAD414979334FA5F5BCD41AFA38AEC1CEB73AF35067233C16C6CEE468C57CBFE",
                    "sha1": "B73678A32046FCC1CC7FDDF51D25EF362D14BDBC"
                },
                {
                    "file_name": "pdqconnectupdater-setup.exe",
                    "sha256": "FA4B54628A7EB0D2E00121E7C9E99599D0C5D4753C3B7FC94D44DB0C5FA08652",
                    "sha1": "78EDE3F92667D17CF74B5968DD0CB5093DC97AF3"
                },
                {
                    "file_name": "MSI8C70.tmp",
                    "sha256": "F795EA98AA00776AEC80D2B71E791BC0A46E973E9CFDF4C8DE29D3696CDDBA1B",
                    "sha1": "110B1C819D1967B94026C0E8E8ECCFAB7060E14F"
                }
            ],
            "page": [
                {
                    "file_name": "pdqconnectupdater-setup.exe",
                    "sha256": "B010BBBD1F47F82F875DFAD737728B2BD986E7948389A8EDF770CD20249D5B19",
                    "sha1": "69FEC87441B8D54397E018F9464A087F21EBC03D"
                },
                {
                    "file_name": "pdqconnectupdater-setup.exe",
                    "sha256": "0795852574BC4CFA156C5D687EEE420CEF4F085ADAD5F3CEDB234E0D320D98C9",
                    "sha1": "F66BDF0363ADFC41A5F67250B66C9A9618E0BB88"
                }
            ]
        }
    },
    {
        "Name": "Zabbix Agent",
        "Category": "RMM",
        "Description": "Zabbix Agent is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2025-12-14",
        "Details": {
            "Website": "https://www.zabbix.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "zabbix_agent*.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "user_managed",
                        "zabbix.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zabbix_agent_network_sigma.yml",
                "Description": "Detects potential network activity of Zabbix Agent RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zabbix_agent_processes_sigma.yml",
                "Description": "Detects potential process activity of Zabbix Agent RMM tool"
            }
        ],
        "References": [
            "https://www.zabbix.com/documentation/current/en/manual/appendix/install/windows_agent"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "search_names": [
                "aga.controls.dll",
                "librehardwaremonitorlib.dll",
                "openhardwaremonitorlib.dll",
                "oxyplot.dll",
                "oxyplot.windowsforms.dll",
                "smartctl.exe",
                "zabbix_agent2.exe"
            ],
            "company_names": [],
            "signer_names": [
                "Zabbix SIA"
            ],
            "certificates": [
                {
                    "signer_name": "Zabbix SIA",
                    "certificate_thumbprint": "N/A",
                    "tbs_sha256": "6EA7E157D0630DEDEFA9A840B0BC5C48FA0A5E29AAF10F877AF01D348F5C695E",
                    "tbs_sha1": ""
                },
                {
                    "signer_name": "Zabbix SIA",
                    "certificate_thumbprint": "1E158B87803F8F9B4189C62B762EA6E60340D65C",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "0b2070c42e42bfad0fb239a25696e4a734de487dd293135121fa3651cb9e826b",
                    "src_file_path": "downloaded_files/zabbix_agent/0b2070c42e42bfad0fb239a25696e4a734de487dd293135121fa3651cb9e826b",
                    "src_file_company": "Zabbix SIA"
                }
            ]
        },
        "FileHashes": {
            "authenticode": [
                {
                    "file_name": "OxyPlot.WindowsForms.dll",
                    "sha256": "AAC544630C825D295BFCED85667E967E823AA12544EB52522579B5A38DF342C0",
                    "sha1": "89CB4FCA740429F4534E2FCB8E169647F9651167"
                },
                {
                    "file_name": "OxyPlot.dll",
                    "sha256": "6E08EE9F84C21270E37481982FED30520B09CEEAA7D55642ADCCE6766041178E",
                    "sha1": "CE298F7684BA74A39C60DFDAC73E933356574DCF"
                },
                {
                    "file_name": "LibreHardwareMonitorLib.dll",
                    "sha256": "22414271105D103A14DD8AE009BEC293C5BFC575AA23174BDB5690DA08749748",
                    "sha1": "0CC5A2BA08CD98DE9CCD23CFD2BB2F83851B31BF"
                },
                {
                    "file_name": "OpenHardwareMonitorLib.dll",
                    "sha256": "1053E55C0BCC4002F23B383AAB0A038110764104DE4B350CB91FDF88C785E237",
                    "sha1": "2622288E737F1486465576E14405FB3333F7D583"
                },
                {
                    "file_name": "Aga.Controls.dll",
                    "sha256": "01662C51780F895E60CF6B984A3D5BF4BD60A03D7173EE96E486F5296C309248",
                    "sha1": "611FFAA90BF81C22A3355D10F70E4C39D75AF7FC"
                },
                {
                    "file_name": "smartctl.exe",
                    "sha256": "01E17D55620DB645C69573A14E3B5C7E266620B718713C62FEBDC25927D08DD3",
                    "sha1": "8541EB7070834867FEC7D08CC32A8E787D220341"
                },
                {
                    "file_name": "OpenHardwareMonitorLib.dll",
                    "sha256": "3572E4912214422865DA0FF2E120353A52668B7FC88103F574771FBECE2E20FA",
                    "sha1": "7377A591EA9B5769E4C08FB52E8DCEBD6FD17667"
                },
                {
                    "file_name": "zabbix_agent2.exe",
                    "sha256": "25961B16B3486DB34EAB7168EC716C13FD212D6328F038A33F739622370D9E32",
                    "sha1": "CD6ABD39A67C99A783BD53979E904AA089E2D0B7"
                }
            ],
            "page": [
                {
                    "file_name": "OxyPlot.WindowsForms.dll",
                    "sha256": "791C1FD12C47053AF8AE411FAA657E3E0CC2A1B224E8327E030549B95BADA291",
                    "sha1": "83BEC1543EC304B9B252822503731A07CC9CA4B1"
                },
                {
                    "file_name": "OxyPlot.dll",
                    "sha256": "92DCDB288EA627FFE5C68BE5A9F06C87D9003DE3D01391F0FF08C887117F0FDF",
                    "sha1": "BD33E6D8EE244397FECCFDCD3E227598BD674E66"
                },
                {
                    "file_name": "LibreHardwareMonitorLib.dll",
                    "sha256": "B8A575D65CE153E072F2162FF8CC522AF4018DE8BDAC133B56A7B823B48A5CC9",
                    "sha1": "93AC73405441317D2ED2667BA83654692AC662B9"
                },
                {
                    "file_name": "OpenHardwareMonitorLib.dll",
                    "sha256": "BD2512F293B861F85B67EDF56AD39C47C5488983973DEA239DF2AFBBA0E1955A",
                    "sha1": "C8A01D4466AAC998103ABA19A3EE8CE3D630F805"
                },
                {
                    "file_name": "Aga.Controls.dll",
                    "sha256": "BCCD11AEA8A80D912F8C400208E9451DEB2F881EBB581DF05ED79867865BD55C",
                    "sha1": "7B3684B99259A5864D12D21EAE35444B9FF7AFD4"
                },
                {
                    "file_name": "smartctl.exe",
                    "sha256": "8FF105352772CD03FB1EAC780206097E045A2123D50BE2A92AACFCC081521085",
                    "sha1": "EE9F07413020B5C0E8EDB73F1F5799520E10608C"
                },
                {
                    "file_name": "OpenHardwareMonitorLib.dll",
                    "sha256": "FB8C1A22E5E6FA0ADFEF0C55A576E439DE27AF5E7A1F4EFC75004F42B60E49D0",
                    "sha1": "5B2B840A237C7EDC46255D94701F7D20750A6378"
                },
                {
                    "file_name": "zabbix_agent2.exe",
                    "sha256": "787F1315191CEC6E15A3697CA06295C7BCD7D9B05014F295DA9BE93F94098B54",
                    "sha1": "1B78645786C5AB77AF255A2CE87A110BE7139DC5"
                }
            ]
        }
    },
    {
        "Name": "Mouse Without Borders",
        "Category": "RAT",
        "Description": "Mouse Without Borders is a Microsoft Garage utility that lets you control up to four Windows computers with a single keyboard and mouse, with clipboard sharing and simple drag-and-drop file transfers.\n\n**IMPORTANT**: This tool is signed with legitimate Microsoft Corporation certificates that are also used to sign numerous other Microsoft products and Windows components. Do NOT blindly block these certificate thumbprints as doing so will likely break essential Windows functionality and other Microsoft applications in your environment. Use certificate data for detection, hunting, and analysis purposes only.",
        "Author": "Microsoft",
        "Created": "2011-09-12",
        "LastModified": "2011-09-12",
        "Details": {
            "Website": "https://www.microsoft.com/en-us/download/details.aspx?id=35460",
            "PEMetadata": {
                "Filename": "MouseWithoutBorders.exe",
                "OriginalFileName": "MouseWithoutBorders.exe",
                "Description": "Mouse Without Borders",
                "Product": "Mouse Without Borders"
            },
            "Privileges": "User; optional Service Mode for elevated apps",
            "Free": true,
            "Verification": true,
            "SupportedOS": [
                "Windows"
            ],
            "Capabilities": [
                "Multi-computer input sharing",
                "Clipboard sharing",
                "Drag-and-drop file transfer (up to 100 MB)",
                "Optional service for elevated app control"
            ],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Program Files (x86)\\Microsoft Garage\\Mouse without Borders\\*"
            ]
        },
        "Artifacts": {
            "Disk": [
                {
                    "File": "C:\\Program Files (x86)\\Microsoft Garage\\Mouse without Borders\\MouseWithoutBorders.exe",
                    "Description": "Main application binary",
                    "OS": "Windows",
                    "Example": [
                        "SHA256: 0DE3E5D76E1359EEA6AAAD2A37F8D787CF4E1D686C4AB45C8221556CF5982BA1"
                    ]
                },
                {
                    "File": "C:\\Program Files (x86)\\Microsoft Garage\\Mouse without Borders\\MouseWithoutBordersSvc.exe",
                    "Description": "Optional service binary when Service Mode is enabled",
                    "OS": "Windows",
                    "Example": [
                        "SHA256: D65D44126E2327891BA426A09471DF0564456A9B37AAD8B3453D2D5B06F6AEF3"
                    ]
                },
                {
                    "File": "C:\\Program Files (x86)\\Microsoft Garage\\Mouse without Borders\\MouseWithoutBordersHelper.exe",
                    "Description": "Helper executable used by Mouse Without Borders",
                    "OS": "Windows",
                    "Example": [
                        "SHA256: D7E8F30B3F87373E89E8DEC1273F161C478E621E2450279A01A3D0914D754B4F"
                    ]
                }
            ],
            "EventLog": [
                {
                    "EventID": 7045,
                    "ProviderName": "Service Control Manager",
                    "LogFile": "System.evtx",
                    "ServiceName": "Mouse without Borders Service",
                    "ImagePath": "C:\\Program Files (x86)\\Microsoft Garage\\Mouse without Borders\\MouseWithoutBordersSvc.exe",
                    "Description": "Service installed (user mode service), auto start, account LocalSystem"
                }
            ],
            "Network": [
                {
                    "Description": "Peer discovery and control traffic",
                    "Domains": [],
                    "Ports": [
                        "15100/tcp",
                        "15101/tcp"
                    ]
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mouse_without_borders_files_sigma.yml",
                "Description": "Detects potential file activity of Mouse Without Borders RMM tool"
            }
        ],
        "References": [
            "https://www.microsoft.com/en-us/download/details.aspx?id=35460",
            "https://learn.microsoft.com/windows/powertoys/mouse-without-borders",
            "https://github.com/microsoft/PowerToys/issues/29700"
        ],
        "Acknowledgement": [
            {
                "Person": "Michael Haag"
            }
        ],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "Microsoft Corporation",
                    "certificate_thumbprint": "F5877012FBD62FABCBDC8D8CEE9C9585BA30DF79",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "bf283be664cacfb08009f3996a7907fccebf7e0502652ef40582d64238fdfe22",
                    "src_file_path": "downloaded_files/mouse_without_borders/bf283be664cacfb08009f3996a7907fccebf7e0502652ef40582d64238fdfe22",
                    "src_file_company": "Microsoft Corporation"
                },
                {
                    "signer_name": "Microsoft Corporation",
                    "certificate_thumbprint": "3F56A45111684D454E231CFDC4DA5C8D370F9816",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "f4b2e2dac7ba4458f79e7333d093b5259c18300ad201bfcb9b4674c00109815d",
                    "src_file_path": "downloaded_files/mouse_without_borders/f4b2e2dac7ba4458f79e7333d093b5259c18300ad201bfcb9b4674c00109815d",
                    "src_file_company": "Microsoft Corporation"
                }
            ]
        }
    },
    {
        "Name": "Tailscale",
        "Category": "RAT",
        "Description": "Tailscale is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://tailscale.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "tailscale-*.exe",
                "tailscaled.exe",
                "tailscale-ipn.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.tailscale.com",
                        "*.tailscale.io",
                        "tailscale.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tailscale_network_sigma.yml",
                "Description": "Detects potential network activity of Tailscale RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tailscale_processes_sigma.yml",
                "Description": "Detects potential process activity of Tailscale RMM tool"
            }
        ],
        "References": [
            "https://tailscale.com/kb/1023/troubleshooting"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "Pocket Controller (Soti Xsight)",
        "Category": "RMM",
        "Description": "Pocket Controller (Soti Xsight) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2025-12-14",
        "Details": {
            "Website": "https://soti.net/products/soti-xsight/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [
                "Windows"
            ],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "pocketcontroller.exe",
                "wysebrowser.exe",
                "XSightService.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*soti.net"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller__soti_xsight__network_sigma.yml",
                "Description": "Detects potential network activity of Pocket Controller (Soti Xsight) RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller__soti_xsight__processes_sigma.yml",
                "Description": "Detects potential process activity of Pocket Controller (Soti Xsight) RMM tool"
            }
        ],
        "References": [
            "https://pulse.soti.net/support/soti-xsight/help/"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "search_names": [
                "pcpro602setup.exe",
                "pocket controller",
                "pocket controller - professional",
                "pocket controller professional",
                "pocketcontroller.exe",
                "wysebrowser.exe",
                "xsightservice.core.dll",
                "xsightservice.dll",
                "xsightservice.exe",
                "xsightservice.linux.dll",
                "xsightservice.windows.dll"
            ],
            "company_names": [],
            "signer_names": [
                "SOTI Inc.",
                "Wyse Technology Inc"
            ],
            "certificates": [
                {
                    "signer_name": "SOTI Inc.",
                    "certificate_thumbprint": "N/A",
                    "tbs_sha256": "",
                    "tbs_sha1": "326E0C36EE3DF3DE0FB7183A30ED6682254AB2E5"
                },
                {
                    "signer_name": "SOTI Inc.",
                    "certificate_thumbprint": "N/A",
                    "tbs_sha256": "",
                    "tbs_sha1": "",
                    "tbs_sha384": "4265D6A8BFDDD5383B9A45AB04EF925DCCA723FE04AAF792B74A83CD6E817CEF125F1A388E855837D7E1DBE33733A820"
                },
                {
                    "signer_name": "SOTI Inc.",
                    "issuer": "CN=VeriSign Class 3 Code Signing 2010 CA",
                    "certificate_thumbprint": "7A3E4DECEE064889D6F6EC54C8DBAEE092ACB26E",
                    "tbs_sha256": "AFBA691FEB4E4205B37C8929E5D10C40493F9C32D8C4FEF35C02C942BE6AE2AC",
                    "tbs_sha1": "326E0C36EE3DF3DE0FB7183A30ED6682254AB2E5",
                    "valid_from": "2011-02-24T00:00:00+00:00",
                    "valid_to": "2012-02-24T23:59:59+00:00",
                    "certificate_der_base64": "MIIFWjCCBEKgAwIBAgIQPeLsNVa1VJQJuS+PWl7dTDANBgkqhkiG9w0BAQUFADCBtDELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2UgYXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDEuMCwGA1UEAxMlVmVyaVNpZ24gQ2xhc3MgMyBDb2RlIFNpZ25pbmcgMjAxMCBDQTAeFw0xMTAyMjQwMDAwMDBaFw0xMjAyMjQyMzU5NTlaMIGdMQswCQYDVQQGEwJDQTEQMA4GA1UECBMHT250YXJpbzEUMBIGA1UEBxMLTWlzc2lzc2F1Z2ExEjAQBgNVBAoUCVNPVEkgSW5jLjE+MDwGA1UECxM1RGlnaXRhbCBJRCBDbGFzcyAzIC0gTWljcm9zb2Z0IFNvZnR3YXJlIFZhbGlkYXRpb24gdjIxEjAQBgNVBAMUCVNPVEkgSW5jLjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIDuS892Xu2pNtHTcjWKywWw0XAcbiFUcge8tvR1TkNpgYFThKRaONszjaIY2VYPlrDIw9sE/k8BtjoI2gjDAd91gPiPrbgrejgrhWdNZbXR84gbMXSWXWCYb8Ikgdg4ymrbDOnZPfn+0B/3ozV5oOpjvn8WmwyXiOdvEmZpeFNDUhg5Mpzk17lvqFsxOfOly5XfYdy9IZH6zg5cuYfBcFJabRTxo7tjEjRMKGF0DQBrrfh1Kip0EAqyKmVv1t4KuknVw/UCfWlRty37oe+jRAkCz8G5FU16qft7Vq3gi9LkMkd4P2DxizTeb/SxiAvSeyy4/UIolkWO4Qbi+sXNbXECAwEAAaOCAXswggF3MAkGA1UdEwQCMAAwDgYDVR0PAQH/BAQDAgeAMEAGA1UdHwQ5MDcwNaAzoDGGL2h0dHA6Ly9jc2MzLTIwMTAtY3JsLnZlcmlzaWduLmNvbS9DU0MzLTIwMTAuY3JsMEQGA1UdIAQ9MDswOQYLYIZIAYb4RQEHFwMwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYTATBgNVHSUEDDAKBggrBgEFBQcDAzBxBggrBgEFBQcBAQRlMGMwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLnZlcmlzaWduLmNvbTA7BggrBgEFBQcwAoYvaHR0cDovL2NzYzMtMjAxMC1haWEudmVyaXNpZ24uY29tL0NTQzMtMjAxMC5jZXIwHwYDVR0jBBgwFoAUz5mp6nsm9EvJjo/X8AUm7+PSp50wEQYJYIZIAYb4QgEBBAQDAgQQMBYGCisGAQQBgjcCARsECDAGAQEAAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQBwPblnl4oj8EFmONplf6IzrlgD4AB9m7VbCl6zN6AoqUVTBbZ3m0kurhslGUsmwv+rMG4SBHrPBG3wIO8qvHcsxZYIKwfzlHfzQGdYEiN9o/1MI+n0XpP5yuIY/Wq/xyShCnd0CDADBRMC8COR/IEeJSLL7Wny5UgbDFyonU8MXNQDRlt6ArqQDynkqsnPIyeBC8ncmzXU8NjS9WGswJg72mwVsbSiR5w13Fs3ID6LB25/9Mw8pKdbto6Xk8oloWAAhk1p1+fPs7YVVEDojVvEXKjAwpZjiHDcVcoqiZZufFoUCZcRgBrUHuD8Dy6bV1zJ7Fni9cpLoyJNJpDMxkxg"
                },
                {
                    "signer_name": "SOTI Inc.",
                    "issuer": "CN=Sectigo Public Code Signing CA R36",
                    "certificate_thumbprint": "EBABD13769964EA7279533174328F28BB711CB03",
                    "tbs_sha256": "20442C9DC0B4BB786D51EC3B9246AC870FB78FA32759CDC539CF05AA63FC6911",
                    "tbs_sha1": "FCFE638120C602F83FE960E11B80ED837461F175",
                    "valid_from": "2024-07-23T00:00:00+00:00",
                    "valid_to": "2026-07-23T23:59:59+00:00",
                    "certificate_der_base64": "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"
                },
                {
                    "signer_name": "Wyse Technology Inc",
                    "issuer": "CN=VeriSign Class 3 Code Signing 2010 CA",
                    "certificate_thumbprint": "537AE8B3453C27FE7C5DD562ECF90CA76551E95C",
                    "tbs_sha256": "64AC7AE69C452B5F6ACF71EA0485E36D88A868DD187C196AA2D140EA3124A0F6",
                    "tbs_sha1": "5249EAF595CF905C688A7CA49CD9B49E7DD9E4E1",
                    "valid_from": "2012-09-17T00:00:00+00:00",
                    "valid_to": "2013-09-17T23:59:59+00:00",
                    "certificate_der_base64": "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"
                }
            ]
        },
        "FileHashes": {
            "authenticode": [
                {
                    "file_name": "Pocket Controller - Professional",
                    "sha256": "C8C95F39CBD230B362337428F9D8FF5FD6B0FA9AFC0F9BBA590DC18F33258998",
                    "sha1": "5AB1D8EA968152256B067C3D8697272B9CEC9F56"
                },
                {
                    "file_name": "PocketController.exe",
                    "sha256": "B8E99BFAF205C97AF579AD6B73C05FDC1EA08B7A56C51C6964A7697CAD064400",
                    "sha1": "653831627348E40F9E5AF084D047560621896179"
                },
                {
                    "file_name": "XSightService.dll",
                    "sha256": "36ABF6CBDB0CC0811AB9DCA56B5E7A28FB67CFCF9995EC961905D8EC2D62EE8A",
                    "sha1": "85580901DB83608717DF082D3ADB93438641799B"
                },
                {
                    "file_name": "Pocket Controller Professional",
                    "sha256": "96E0074337F819EBC5DD8321087E196577F6114A1071CF53C5D112BB8714EC6C",
                    "sha1": "44231844BA9E0DBD13286002D781318DEE8AB1E5"
                },
                {
                    "file_name": "Pocket Controller",
                    "sha256": "C7FDC274CDDC5B15F1F3E711B0357FE4BA0B44671172E245C4EDFDECF1C740A9",
                    "sha1": "7928FAF909D49128E98E96880EE7D656679A9F00"
                },
                {
                    "file_name": "XSightService.Core.dll",
                    "sha256": "D5047115F94567CE14743272131AC9AD7C604680A3B9FD2182516E8B06B065DF",
                    "sha1": "D87494923B5114F4E1797EB9F0FE953627565E2C"
                },
                {
                    "file_name": "XSightService.Windows.dll",
                    "sha256": "31B3EF905B727EDAD232595471DE256587BBFE57D4608A09C8DEBDDF21BDE890",
                    "sha1": "D979A4ABBAC552D64E32BD36737AC8E6798A87F3"
                },
                {
                    "file_name": "PCPro602Setup.exe",
                    "sha256": "81638DDB4550AEB1161B2D24D30E41A505E651DC25A55E4A62F0AC32A510CCFA",
                    "sha1": "1334B034565DE833410FD50DC14E13FE2215F576"
                },
                {
                    "file_name": "Pocket Controller - Professional",
                    "sha256": "ECF236477A707C45292A049EF3FBB6BE4B25C691132A6AB9CE0AA95F043ADB52",
                    "sha1": "65970C526943AB2CBD0BB01DA31C1C8ACAC77ADC"
                },
                {
                    "file_name": "XSightService.Linux.dll",
                    "sha256": "4747545FC0506731BB7F7A2154A69CDE4EE35C2FFEA3407A91EEA6FC687728AD",
                    "sha1": "8C51B1DA012A9E23D6AF3AF86EEFD6F4A752A692"
                },
                {
                    "file_name": "PocketController.exe",
                    "sha256": "A121581AD6F5C8DC176AF0FB1B9FF69A12786D305902DCCA29B7F765767E0785",
                    "sha1": "D128E371B03E5E7C0415D537A5C6CF659D15030C"
                }
            ],
            "page": [
                {
                    "file_name": "Pocket Controller - Professional",
                    "sha256": "9C499645FB1A3E22BD638F432E0C3263C09A9544C81F2EB21EA13894C9084E4E",
                    "sha1": "81D649FA0EBF918EA1B73DC45C1115CFFB4BD70B"
                },
                {
                    "file_name": "PocketController.exe",
                    "sha256": "D4784E9C2890D87B5796B84888BAE6732FCF974E8681B3FF31C09D651CD2BBC5",
                    "sha1": "EEA19CFDD2200CF1ECBF73FCC9BFEF7C1DB388E3"
                },
                {
                    "file_name": "XSightService.dll",
                    "sha256": "9C29FE63C81DD70D2C7978C92634336F11F96806877726108F966E3C8B6367DC",
                    "sha1": "D7BFE918146B3626C3474EEC60BD9EAD8909167D"
                },
                {
                    "file_name": "Pocket Controller Professional",
                    "sha256": "19676D30C7AF609F69FDB0071E7707F68F5CF21102F483FADA1785C721ABFF9E",
                    "sha1": "D6BD6EF154F2A7E065415D2B61FCD1EC15D87BFF"
                },
                {
                    "file_name": "Pocket Controller",
                    "sha256": "C7C6FBDD502FF945F1CD104F0F8F4280769CA532095850E88BC5A523BE6E760E",
                    "sha1": "CF1AB8172D8909774C70CB25C96BE78AB8682A02"
                },
                {
                    "file_name": "XSightService.Core.dll",
                    "sha256": "0175EF28328517DC999022D2A1D97B6F7D4B9B40A0502B1A97527A638E5A3F88",
                    "sha1": "A3C8A160811DBD929958F0400426F838340A3FB7"
                },
                {
                    "file_name": "XSightService.Windows.dll",
                    "sha256": "193D06828C6E920E7EDD95170B77E0BC696972C6BDD839C5C51E5568188D1F0F",
                    "sha1": "8EBA4A7E030690F77CAA3891801673D76B541CBF"
                },
                {
                    "file_name": "PCPro602Setup.exe",
                    "sha256": "F5285668D1B167242BFD832FDACF0CF461FEC07AE68F90D2AB521B00A98CD1F5",
                    "sha1": "D5E51B1B4CD54F75B5E18ADD5D35165710CC79A8"
                },
                {
                    "file_name": "Pocket Controller - Professional",
                    "sha256": "E9ECEC8A3C424D5890F1AF729A7AEC67F9A395C09A2AED5295FD646C8CCA286B",
                    "sha1": "E116F6FF705BF8151E03955A327E4B7EF7817CC8"
                },
                {
                    "file_name": "XSightService.Linux.dll",
                    "sha256": "E865EC62D5AABFC1F3D3BB2E20F62163CBA74CBE2C2C0661F84B8DB45D4E85A2",
                    "sha1": "C1E1E2EEF8DB7A6FC26CB1A870D230A863655DA8"
                },
                {
                    "file_name": "PocketController.exe",
                    "sha256": "A1C74233EF3BE253A8D9081957CA403DE007374CD217DF6F1446F2DDCE61492D",
                    "sha1": "D48515A5A75C696F834C39EFB452E4BFB8A2D122"
                }
            ]
        }
    },
    {
        "Name": "NetSupport Manager",
        "Category": "RMM",
        "Description": "NetSupport Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2025-12-14",
        "Details": {
            "Website": "https://www.netsupportmanager.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "pcictlui.exe",
                "pcicfgui.exe",
                "client32.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.netsupportmanager.com",
                        "netsupportmanager.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_network_sigma.yml",
                "Description": "Detects potential network activity of NetSupport Manager RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_processes_sigma.yml",
                "Description": "Detects potential process activity of NetSupport Manager RMM tool"
            }
        ],
        "References": [
            "https://www.netsupportmanager.com/resources/"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "search_names": [
                "client32.exe",
                "pcicfgui.exe",
                "pcictlui",
                "pcictlui.exe"
            ],
            "company_names": [],
            "signer_names": [
                "NetSupport Ltd",
                "Simon Tatham"
            ],
            "certificates": [
                {
                    "signer_name": "Simon Tatham",
                    "issuer": "CN=Sectigo Public Code Signing CA R36",
                    "certificate_thumbprint": "6026ABF61401A3A86F1A4C6D37E7A4CC4D50B3AD",
                    "tbs_sha256": "3D9382C098531F21907C342B98A10541EFB28405518CF834F21C3BA4649A39FE",
                    "tbs_sha1": "ECB918730717D407950B66E230C12ED401C84D9D",
                    "valid_from": "2021-11-06T00:00:00+00:00",
                    "valid_to": "2024-11-05T23:59:59+00:00",
                    "certificate_der_base64": "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"
                },
                {
                    "signer_name": "NetSupport Ltd",
                    "issuer": "CN=VeriSign Class 3 Code Signing 2009-2 CA",
                    "certificate_thumbprint": "435A8DAF631D61F4277FD77172B8F11132586EA0",
                    "tbs_sha256": "981F4E400F3855D33FC61580297B279A85424BDB015FD0CE22234113EB684C07",
                    "tbs_sha1": "0BFDCC6AD2055D1E1C66C2554AF56ED334AFA565",
                    "valid_from": "2009-07-08T00:00:00+00:00",
                    "valid_to": "2011-08-21T23:59:59+00:00",
                    "certificate_der_base64": "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"
                },
                {
                    "signer_name": "NETSUPPORT LTD.",
                    "certificate_thumbprint": "061DFEC06DE16DF52E9BD821E4248E81E82246E0",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "a0ce8c26b6b322cc7311b19decab019dcdd2766768e011936d7701ac75a97ee9",
                    "src_file_path": "downloaded_files/netsupport_manager/a0ce8c26b6b322cc7311b19decab019dcdd2766768e011936d7701ac75a97ee9",
                    "src_file_company": "NetSupport Ltd"
                }
            ]
        },
        "FileHashes": {
            "authenticode": [
                {
                    "file_name": "pcictlui.exe",
                    "sha256": "E176AFE937B564EFB92EA2BF9D8637F16C5CEB0DCC25C78006A494B630520357",
                    "sha1": "BC5EE8C8516010512D3FE2A43154053B0849D786"
                },
                {
                    "file_name": "pcictlui",
                    "sha256": "F4F5A883014EB39AEA7DA4448FFE160245AEB89808080D26D63628998B08E6A5",
                    "sha1": "5718989BCB7D5BD84E2F54C2258F6A11FAE5607E"
                }
            ],
            "page": [
                {
                    "file_name": "pcictlui.exe",
                    "sha256": "13A2EB0CB8DA8A3E92D05B08FCEB3A1273BBC0A3FD1743187EEBD6E49BFD59C2",
                    "sha1": "1D15BCE915E4CB9AA1CC9CC467AD50D36EB19590"
                },
                {
                    "file_name": "pcictlui",
                    "sha256": "E6BD8D309C4F3FE08DF483C0F2FE7A89617922F08547F94ECA802DC2D449F1CC",
                    "sha1": "B498816D255C122EA1890EBC81E92ED820EC792D"
                }
            ]
        }
    },
    {
        "Name": "Pcvisit",
        "Category": "RMM",
        "Description": "Pcvisit is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2025-12-14",
        "Details": {
            "Website": "https://www.pcvisit.de/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "pcvisit.exe",
                "pcvisit_client.exe",
                "pcvisit-easysupport.exe",
                "pcvisit_service_client.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.pcvisit.de",
                        "pcvisit.de"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcvisit_network_sigma.yml",
                "Description": "Detects potential network activity of Pcvisit RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcvisit_processes_sigma.yml",
                "Description": "Detects potential process activity of Pcvisit RMM tool"
            }
        ],
        "References": [
            "https://www.pcvisit.de/"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "search_names": [
                "pcvisit-easysupport.exe",
                "pcvisit.exe",
                "pcvisit_client.exe",
                "pcvisit_service_client.exe"
            ],
            "company_names": [],
            "signer_names": [
                "Adobe Systems Incorporated",
                "Martin Prikryl",
                "pcvisit software ag"
            ],
            "certificates": [
                {
                    "signer_name": "Adobe Systems Incorporated",
                    "certificate_thumbprint": "N/A",
                    "tbs_sha256": "",
                    "tbs_sha1": "7EF13196EC47F2AB7072D93A679AE21C13C764EB"
                },
                {
                    "signer_name": "pcvisit software ag",
                    "certificate_thumbprint": "N/A",
                    "tbs_sha256": "",
                    "tbs_sha1": "85E765462871AC9D332C18A9B833A862E2811C83"
                },
                {
                    "signer_name": "Martin Prikryl",
                    "issuer": "CN=COMODO Code Signing CA 2",
                    "certificate_thumbprint": "ED06995F21BEC16EDF3112F91E121926C7782BB4",
                    "tbs_sha256": "5CDFA7F5F971770D3C1DC097CAD683A24D38A832B87DC56FD67834F9EA5EFCF2",
                    "tbs_sha1": "D2F63F6BE83E61B9E64E25752802F7F06F8B5BE5",
                    "valid_from": "2011-09-21T00:00:00+00:00",
                    "valid_to": "2014-09-20T23:59:59+00:00",
                    "certificate_der_base64": "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"
                },
                {
                    "signer_name": "pcvisit software ag",
                    "issuer": "CN=Thawte Code Signing CA - G2",
                    "certificate_thumbprint": "A2183200DC3C802E5699B3068BE452CE2A0D689B",
                    "tbs_sha256": "458ABB4B93C3B182FFF61AB4EE3877574461BAB7C168B2E8E2850E39C5F4A4AC",
                    "tbs_sha1": "85E765462871AC9D332C18A9B833A862E2811C83",
                    "valid_from": "2012-07-11T00:00:00+00:00",
                    "valid_to": "2014-07-11T23:59:59+00:00",
                    "certificate_der_base64": "MIIEFzCCAv+gAwIBAgIQOzYOvN8sEvEadacupQycrjANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMVGhhd3RlLCBJbmMuMSQwIgYDVQQDExtUaGF3dGUgQ29kZSBTaWduaW5nIENBIC0gRzIwHhcNMTIwNzExMDAwMDAwWhcNMTQwNzExMjM1OTU5WjBtMQswCQYDVQQGEwJERTEQMA4GA1UECBMHU2FjaHNlbjEQMA4GA1UEBxMHRHJlc2RlbjEcMBoGA1UEChQTcGN2aXNpdCBzb2Z0d2FyZSBhZzEcMBoGA1UEAxQTcGN2aXNpdCBzb2Z0d2FyZSBhZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJwaTPqJWn37/VAIJeEjqEyqwNrznB9ybSJHSjefZ3d28fJCRErmJmGgAdEVXz4HD3PrmhONxjgafh8RP793b/7HOe7Yvk3dvjD4CHYRvZlwHWn/25LL4n7xuIPrQtwpIJ2pGNBviv9mfAYXNwD+hNMIzLsaGiBwOufquZbGcGwfydXCihWpARvcOpJ/SlmkwpVCHwtsn6do/sMZ09bcWF+JN6HZ3cDdQtu2ld5WJ7k9EBLGzlmpBhrC5CcQgW6xd3fPIAdpC+4TBpsfmbuqJyVmxkxXHhMkHO8JJ6ooF0GWxQctv6jk2WY+ouFPfn63qWQTKt3+GGj0jwhRrKeo2rsCAwEAAaOB1TCB0jAMBgNVHRMBAf8EAjAAMDsGA1UdHwQ0MDIwMKAuoCyGKmh0dHA6Ly9jcy1nMi1jcmwudGhhd3RlLmNvbS9UaGF3dGVDU0cyLmNybDAfBgNVHSUEGDAWBggrBgEFBQcDAwYKKwYBBAGCNwIBFjAdBgNVHQQEFjAUMA4wDAYKKwYBBAGCNwIBFgMCB4AwMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vb2NzcC50aGF3dGUuY29tMBEGCWCGSAGG+EIBAQQEAwIEEDANBgkqhkiG9w0BAQUFAAOCAQEAdMIbFUmobGxOyB1ieABowLsJh9GK/sjo2yADgDgVZr5vvQzWAjHHAKd1MNmAUi71Ov3Euaza9huekaZrD5JVxLw5I4EXXNXCtOpu8Kaez7vSTHcvoW2+X/NWUq5Gdxzq9DdAjjT/jnWmcj9NalSXkhaNWLMIDZFPfAgx1xdnSeLNy7GB28MFIpI5f6OZfwnRbHFm3GkRXBSp4+8oPDP0SPF5xFAxccHc+dkcaGC5Sw4OLqXtQ9BWzMZ6Rhwm3dzGCmKreyw7tLFOvW+p9PvWAp8IByd84IvD0uMS9+4LYveSco9CN5VBex/ry89L/paFlTy5QpZMNaWUOMiBz5DH+Q=="
                },
                {
                    "signer_name": "Adobe Systems Incorporated",
                    "issuer": "CN=VeriSign Class 3 Code Signing 2010 CA",
                    "certificate_thumbprint": "FDF01DD3F37C66AC4C779D92623C77814A07FE4C",
                    "tbs_sha256": "6F11994EC8673B1FDBFB8A08F0AA78F13FC2BE6890F6F5E386FE9FCAE64D2CA4",
                    "tbs_sha1": "7EF13196EC47F2AB7072D93A679AE21C13C764EB",
                    "valid_from": "2010-12-15T00:00:00+00:00",
                    "valid_to": "2012-12-14T23:59:59+00:00",
                    "certificate_der_base64": "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"
                },
                {
                    "signer_name": "pcvisit software ag",
                    "certificate_thumbprint": "0C371BE84975964A87BF480676D3CEEBFC88CD60",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "57fa4781f5817841c56b058c0b244318bc18aaa3c842ee3d74294de2441f1da1",
                    "src_file_path": "downloaded_files/pcvisit/57fa4781f5817841c56b058c0b244318bc18aaa3c842ee3d74294de2441f1da1",
                    "src_file_company": "pcvisit Software AG"
                }
            ]
        }
    },
    {
        "Name": "Distant Desktop",
        "Category": "RMM",
        "Description": "Distant Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.distantdesktop.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "ddsystem.exe",
                "dd.exe",
                "distant-desktop.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.distantdesktop.com",
                        "*signalserver.xyz"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_network_sigma.yml",
                "Description": "Detects potential network activity of Distant Desktop RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_processes_sigma.yml",
                "Description": "Detects potential process activity of Distant Desktop RMM tool"
            }
        ],
        "References": [
            "https://www.distantdesktop.com/manual/first-start.htm"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "FreeRDP",
        "Category": "RAT",
        "Description": "FreeRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.freerdp.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": []
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [],
        "References": [],
        "Acknowledgement": []
    },
    {
        "Name": "Level.io",
        "Category": "RMM",
        "Description": "Level.io is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://level.io/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [
                "Windows"
            ],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "level-windows-amd64.exe",
                "level.exe",
                "level-remote-control-ffmpeg.exe"
            ]
        },
        "Artifacts": {
            "Disk": [
                {
                    "File": "C:\\Program Files\\Level\\level.exe",
                    "Description": "Level Binary",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files\\Level\\osqueryi.exe",
                    "Description": "A tool used by level to collect machine state information.",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files\\Level\\level.log",
                    "Description": "Client log file for Level.",
                    "OS": "Windows"
                }
            ],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "level.io",
                        "*.level.io"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_network_sigma.yml",
                "Description": "Detects potential network activity of Level.io RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_files_sigma.yml",
                "Description": "Detects potential files activity of Level.io RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_processes_sigma.yml",
                "Description": "Detects potential processes activity of Level.io RMM tool"
            }
        ],
        "References": [
            "https://docs.level.io/1.0/admin-guides/troubleshooting-agent-issues"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "CloudFlare Tunnel",
        "Category": "RAT",
        "Description": "CloudFlare Tunnel is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://cloudflare.com/products/tunnel/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "cloudflared.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "cloudflare.com/products/tunnel/"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudflare_tunnel_network_sigma.yml",
                "Description": "Detects potential network activity of CloudFlare Tunnel RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudflare_tunnel_processes_sigma.yml",
                "Description": "Detects potential processes activity of CloudFlare Tunnel RMM tool"
            }
        ],
        "References": [
            "https://cloudflare.com/products/tunnel/"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "Rodex RMM",
        "Category": "RAT",
        "Description": "Rodex RMM is marketed at https://www.rodex.cc/ as a self-hostable Remote Monitoring & Management platform — the operator pays in cryptocurrency ($150-$650/mo recurring, $250-$2,200 first-month onboarding) and the vendor's provisioner installs a stack (Node.js + MongoDB + Go relay + Nginx + SSL) onto the operator's own VPS. The agent is a single Go binary (`RodexAgent.exe`, ~7.3 MB) which establishes a WebSocket back to the operator's relay for remote desktop (WebRTC GUI streaming), remote terminal (PowerShell / Bash / Zsh), CPU/RAM/disk/network monitoring, Windows Update orchestration, and arbitrary script execution.\n\nThe marketing positions Rodex as a privacy-preserving alternative to cloud RMMs (\"every byte of data stays on your server\"), comparable in shape to RustDesk / Tactical RMM / NetLock RMM. **However**, the project profile is materially different from those legitimate self-hostable peers and tracks closer to the TrustConnect / fake-RMM-as-a-service pattern:\n\n- No public source code (RustDesk, Tactical RMM, NetLock are open-source on GitHub; Rodex is not).\n- No corporate identity disclosed — no leadership names, no LinkedIn presence, the only contact is `support@rodex.cc`.\n- The `rodex.cc` domain was registered 2026-03-12 (NameSilo privacy WHOIS, Cloudflare-fronted).\n- Cryptocurrency-only payment.\n- Every `RodexAgent.exe` sample observed on VirusTotal is **unsigned** (no Authenticode publisher cert), despite the PE version block claiming `Rodex RMM Suite` / `© 2024-2025 Rodex Technologies Inc.` — that company name is not verifiable in any registry.\n- In-the-wild RodexAgent.exe samples have antivirus detection ratios ranging 27/76 to 48/76, with several engines applying the `trojan.tedy/misc` label (Tedy is a known stealer family); one sample carries the label `PasswordStealer.Spyware.Stealer.DDS`.\n- Agent filenames observed in the wild include both random-name `C:\\Windows\\<6-9-char>.exe` drops (e.g. 
`airj5.exe`, `ccwojfhc.exe`, `n0y9ytr.exe`) and decoy installers impersonating real organisations (`PROSEGURAgent.exe`, `FundacinAdsisAgent.exe`, `Daleph-Install-Default.exe`, `SifemInstall.exe`, `AdobepluginD3238-Install-Default.exe`, `AccessWinRAR.exe`, `InvitationCard.exe`) — all carrying the same `RodexAgent.exe` PE version-block strings underneath.\n\n  Catalogued here as **Category: RAT** (same precedent as `trustconnect.yaml`) — not because the product is necessarily intended as malware, but because the in-the-wild distribution pattern is indistinguishable from RAT-as-a-service and defenders matching `RodexAgent.exe` will encounter unsigned binaries with malware-class filenames rather than vendor-signed RMM agents.\n",
        "Author": "johnk3r",
        "Created": "2026-04-03",
        "LastModified": "2026-05-04",
        "Details": {
            "Website": "https://www.rodex.cc/",
            "PEMetadata": [
                {
                    "Filename": "RodexAgent.exe",
                    "OriginalFileName": "RodexAgent.exe",
                    "Description": "Rodex RMM Agent — Go-based WebSocket agent (~7.3 MB). PE version-block strings (Product=`Rodex RMM Suite`, CopyrightHolder=`Rodex Technologies Inc.`) are vendor-claimed but not verifiable in any corporate registry; binary is unsigned."
                }
            ],
            "Privileges": "User",
            "Free": "No (crypto-only paid plans, $150-$650/mo recurring)",
            "Verification": "No verification — binaries are unsigned despite PE version-block claiming \"Rodex Technologies Inc.\" copyright",
            "SupportedOS": [
                "Windows",
                "Linux",
                "MacOS"
            ],
            "Capabilities": [
                "Remote desktop (WebRTC GUI streaming)",
                "Remote terminal (PowerShell / Bash / Zsh)",
                "Endpoint monitoring (CPU / RAM / disk / network)",
                "Windows Update / patch orchestration",
                "Script automation",
                "Self-hosted operator-controlled relay"
            ],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "RodexAgent.exe",
                "rodexagent.exe",
                "C:\\Program Files\\Rodex\\RodexAgent.exe",
                "C:\\Windows\\<random>.exe"
            ]
        },
        "Artifacts": {
            "Disk": [
                {
                    "File": "RodexAgent.exe",
                    "Description": "Rodex Go-based agent binary, ~7.3 MB. Unsigned. Multiple decoy filenames observed in the wild — match on the binary's PE version-block strings or authentihash rather than filename.",
                    "OS": "Windows",
                    "Example": [
                        "SHA256: e08a097fe259aeca06133b5d1df226f9a2e79e79d7fb44cf5a3503c2b484c21b (det 27/76, freshest sample)",
                        "SHA256: 26dfaebeee560a938a572ed387db816c7e5a8415e126115111cd0ed0dbf59c8a (det 48/76)",
                        "SHA256: 28b33dddab17f219316079d43f47bb92b587962b608df4ed5c3c9020948b5db4 (det 40/76)",
                        "SHA256: 4e2f69b87d108fb58fde72c5e51cc5bf587a7665e4d406693742ae8afca77300 (det 42/76)",
                        "SHA256: 20fc3c4eaf48c79a4a2da019135c33be8bc06d80aca68e3d1ce405f76b774857 (det 39/76)"
                    ]
                },
                {
                    "File": "C:\\Windows\\<random-6-9-char>.exe",
                    "Description": "Stage-1 drop location pattern observed across multiple campaigns delivering RodexAgent.exe under random hex / lowercase filenames.",
                    "OS": "Windows"
                },
                {
                    "File": "<impersonated-org>Agent.exe",
                    "Description": "Decoy installer naming pattern — RodexAgent.exe wrapped or renamed to look like a legitimate organisation's installer (PROSEGURAgent.exe, FundacinAdsisAgent.exe, Daleph-Install-Default.exe, SifemInstall.exe, AdobepluginD3238-Install-Default.exe, AccessWinRAR.exe, InvitationCard.exe observed in VirusTotal corpus).",
                    "OS": "Windows"
                }
            ],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Rodex marketing / customer portal — registered 2026-03-12 via NameSilo privacy WHOIS, fronted by Cloudflare. Operators visit this site to purchase a plan and provision a relay onto their VPS.",
                    "Domains": [
                        "rodex.cc",
                        "www.rodex.cc"
                    ],
                    "Ports": [
                        443
                    ]
                },
                {
                    "Description": "Per-operator relay — the operator's own VPS hosts the Node.js dashboard / Go relay / MongoDB stack. Network destination is operator-controlled, not vendor-centralised, so per-campaign infrastructure varies. The agent connects back to whatever relay URL was baked in at install time over WebSocket (HTTPS:443 by default).",
                    "Domains": [
                        "<operator-controlled VPS hostname or IP>"
                    ],
                    "Ports": [
                        443
                    ]
                }
            ],
            "Other": [
                {
                    "Type": "Note",
                    "Value": "r3v13wd0s.com — alternate domain referenced in earlier writeups; flagged 14/91 malicious + tagged \"dga\" on VirusTotal. Likely a previous staging / payload-host name; rodex.cc appears to be the current marketing front."
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rodexrmm_files_sigma.yml",
                "Description": "Detects potential files activity of Rodex RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rodexrmm_processes_sigma.yml",
                "Description": "Detects potential processes activity of Rodex RMM tool"
            }
        ],
        "References": [
            "https://www.rodex.cc/",
            "https://www.virustotal.com/gui/file/e08a097fe259aeca06133b5d1df226f9a2e79e79d7fb44cf5a3503c2b484c21b",
            "https://www.virustotal.com/gui/domain/rodex.cc"
        ],
        "Acknowledgement": [
            {
                "Person": "johnk3r",
                "Handle": "@johnk3r"
            },
            {
                "Person": "Michael Haag",
                "Handle": "@M_haggis"
            }
        ]
    },
    {
        "Name": "Veyon",
        "Category": "RAT",
        "Description": "Veyon (Virtual Eye On Networks) is a free and open-source remote monitoring and classroom management software designed for educational environments and remote support scenarios. It enables monitoring and controlling computers across multiple platforms, allowing administrators and teachers to view and control computer labs, interact with students, and provide remote technical support.\n",
        "Author": "Daniel Koifman (KoifSec)",
        "Created": "2025-11-12",
        "LastModified": "2025-11-12",
        "Details": {
            "Website": "https://veyon.io",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": "",
                "Product": ""
            },
            "Privileges": "User",
            "Free": true,
            "Verification": false,
            "SupportedOS": [
                "Linux",
                "Windows"
            ],
            "Capabilities": [
                "Remote Control",
                "Screen Monitoring",
                "Screen Broadcasting (Demo Mode)",
                "Remote Command Execution",
                "File Transfer",
                "Power Management",
                "Screen Lock",
                "User Messaging",
                "Application Launching",
                "Screenshot Capture",
                "Clipboard Synchronization"
            ],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Program Files\\Veyon\\*",
                "C:\\Program Files (x86)\\Veyon\\*",
                "veyon-wcli.exe",
                "veyon-worker.exe",
                "veyon-server.exe",
                "veyon-service.exe",
                "veyon-master.exe"
            ]
        },
        "Artifacts": {
            "Disk": [
                {
                    "File": "C:\\Windows\\Temp\\VeyonServer.log",
                    "Description": "VeyonServer log file",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Windows\\Temp\\VeyonService.log",
                    "Description": "VeyonService log file",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Users\\*\\AppData\\Local\\VeyonCLI.log",
                    "Description": "Veyon command-line interface utility log",
                    "OS": "Windows"
                }
            ],
            "EventLog": [
                {
                    "EventID": 7045,
                    "ProviderName": "Service Control Manager",
                    "LogFile": "System.evtx",
                    "ServiceName": "Veyon Service",
                    "ImagePath": "\"C:\\\\Program Files\\\\Veyon\\\\veyon-service.exe\"",
                    "Description": "Service installation event for Veyon Service"
                }
            ],
            "Registry": [
                {
                    "Path": "HKLM\\SOFTWARE\\Veyon Solutions",
                    "Description": "Main Veyon configuration registry key containing all service and application settings"
                },
                {
                    "Path": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\VeyonService",
                    "Description": "Veyon service registration and configuration"
                }
            ],
            "Network": []
        },
        "Detections": [
            {
                "Splunk": "https://raw.githubusercontent.com/Koifman/Deathcon25/refs/heads/main/rmm_rodeo/veyon/spl.spl",
                "Description": "Detects Veyon RMM activity through registry modifications (EventCode 13), process creation (EventCode 1), and service installation (EventCode 4697)"
            }
        ],
        "References": [
            "https://veyon.io",
            "https://github.com/veyon/veyon",
            "https://docs.veyon.io/en/latest/"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "search_names": [
                "veyon-server.exe",
                "veyon-service.exe",
                "veyon-wcli.exe",
                "veyon-worker.exe"
            ],
            "company_names": [],
            "signer_names": [
                "Tobias Junghans"
            ],
            "certificates": [
                {
                    "signer_name": "Tobias Junghans",
                    "certificate_thumbprint": "8F892D81447CDC2964F118C7DC45CA9759C222E9",
                    "tbs_sha256": "A505895C8E2222B5DE687B0BDAB5C3BF49E247C85E4FDF8779C028D31F00A376",
                    "tbs_sha1": "",
                    "certificate_der_base64": "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"
                },
                {
                    "signer_name": "Tobias Junghans",
                    "certificate_thumbprint": "EBB8477300D089B339FECB224835A0A0B87EFEA0",
                    "tbs_sha256": "8EF0D8B0EA4B35008C88AA54CA6787E2F4140361D0B193CDB5481EB49B32355D",
                    "tbs_sha1": "",
                    "certificate_der_base64": "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"
                }
            ]
        },
        "FileHashes": {
            "authenticode": [
                {
                    "file_name": "veyon-service.exe",
                    "sha256": "85D48AC33F718DBBA7295A6FA3C8A05BD6B39B402566709BDA6FE3E94986899B",
                    "sha1": "1F4C1A5FDCE602D67F41F55D30E4ED015B9B10E5"
                },
                {
                    "file_name": "veyon-server.exe",
                    "sha256": "7EF0076A6B0FDBE0EBB0266D59EC916424DB9F236F5B4D78AF79DB14532A47B5",
                    "sha1": "5367689376BDF0F7E9BA4418BE06F0DE0BB91328"
                },
                {
                    "file_name": "veyon-service.exe",
                    "sha256": "9C8311F37078C8EB6D132FFC89094E2E352A53F0E36B73019696134819DC775D",
                    "sha1": "64A8685F7DCE2AC2597F95133F930D0AA618187A"
                },
                {
                    "file_name": "veyon-worker.exe",
                    "sha256": "BBF57D6E6FDC601E1F31A8221F0FD7845DBB32689DCB670654A0FB421F2C5195",
                    "sha1": "F2D58832DBB0E38B544045AC8DD2FDE078BA3CF0"
                },
                {
                    "file_name": "veyon-server.exe",
                    "sha256": "D530C5CE3875986E46F3985915C6DAFB149C9FE7362DE7548B8E53A904167F1F",
                    "sha1": "0FB7B3A7F9A53CDE64E09F7897B12974B637F2F6"
                },
                {
                    "file_name": "veyon-wcli.exe",
                    "sha256": "DE0EC89B5BE9D22B6A28EFC4BA4C9D102E9A8430007D6DE91E2A24F0F6EBEA42",
                    "sha1": "A2B2A1CD78B2975357906E0D65BB638423C0FAF2"
                }
            ],
            "page": []
        }
    },
    {
        "Name": "BeInSync",
        "Category": "RAT",
        "Description": "BeInSync is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "Beinsync*.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.beinsync.net",
                        "*.beinsync.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beinsync_network_sigma.yml",
                "Description": "Detects potential network activity of BeInSync RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beinsync_processes_sigma.yml",
                "Description": "Detects potential processes activity of BeInSync RMM tool"
            }
        ],
        "References": [
            "https://en.wikipedia.org/wiki/Phoenix_Technologies"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "Echoware",
        "Category": "RMM",
        "Description": "Echoware is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2025-12-14",
        "Details": {
            "Website": "",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "echoserver*.exe",
                "echoware.dll"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/echoware_processes_sigma.yml",
                "Description": "Detects potential processes activity of Echoware RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": [],
        "CodeSigning": {
            "search_names": [
                "echoserver",
                "echoserver_1.65_setup.exe"
            ],
            "company_names": [],
            "signer_names": [],
            "certificates": []
        },
        "FileHashes": {
            "authenticode": [
                {
                    "file_name": "EchoServer",
                    "sha256": "7EF380FAEAB1598E2512A0CEE910D2257F1A0E7240F7EF1DEC473030C303C900",
                    "sha1": "0B3ABD2E4602AF64C3679491BA4EE7B24E79853A"
                },
                {
                    "file_name": "echoserver_1.65_setup.exe",
                    "sha256": "C39291B633997A8C22873C20BE165D557083D9315D60957C6208C55B08F0A5B6",
                    "sha1": "A70042F29715722E12C645DB86116DE69752B6D0"
                },
                {
                    "file_name": "EchoServer",
                    "sha256": "DB6CB26F70AF00F6941C03C80DF5F12C28F7AB52A42245395FA4A35D1E04449C",
                    "sha1": "5EBA8A591839F6DF7812FBEA4BAD15943ABABB2C"
                },
                {
                    "file_name": "EchoServer",
                    "sha256": "452A11B1989B43FB6B5577031A8485ABFEC0145DAF92FE1A6116BB4E142E10D2",
                    "sha1": "EB3378089AC2AD8BA39E9A174A4A58629906EA26"
                },
                {
                    "file_name": "EchoServer",
                    "sha256": "C12A293470B42028F1688F768926426AD62D0CA264C7EA9F65AC3010E520250E",
                    "sha1": "5C9FBCEA424747DFF39396A0C2A6ECB8974BD95C"
                }
            ],
            "page": [
                {
                    "file_name": "EchoServer",
                    "sha256": "1953C682EDD721C59EBA16197719FE8B6851A44477F30972749ABC7462240052",
                    "sha1": "2CB088337ABF6D69B14E01A1F1FFE6F287A75E82"
                },
                {
                    "file_name": "echoserver_1.65_setup.exe",
                    "sha256": "6B592D4CA92B7F66009744EF4366E7F7DEBD309AF5F77CC24FBBB00865CC6E95",
                    "sha1": "37D2313B94090DBE461F73F99BD6FCA68622D161"
                },
                {
                    "file_name": "EchoServer",
                    "sha256": "45A1FD5844F846C64148C6D8BC3BF5EBB3F4DC23505116230013D3E069B74530",
                    "sha1": "7ECD337A8BFE22DCBC633A4E2BFE1A878560D9CF"
                },
                {
                    "file_name": "EchoServer",
                    "sha256": "9E3F14C90EB1786AAF5FB72B264339365BF3C85477909742E7B6A1C393D5A6C9",
                    "sha1": "68653D0E6A6C71EC72862CBBF3C9B1A3ABBBA73B"
                },
                {
                    "file_name": "EchoServer",
                    "sha256": "4D720555D438B76FF224EA9A94DF2D2D1985A917945FF33F5E6F133D492E1048",
                    "sha1": "D4D3BCBF8C6FC79C5E582847F730F6E0BAEBD033"
                }
            ]
        }
    },
    {
        "Name": "AnyDesk",
        "Category": "RMM",
        "Description": "AnyDesk is a popular remote desktop software that enables users to access\nand control a computer or device from a remote location. It was developed with the\nprimary goal of facilitating remote work, technical support, and collaboration between\nindividuals and teams.\n",
        "Author": "Ali Alwashali, Nasreddine Bencherchali",
        "Created": "2023-09-29",
        "LastModified": "2023-09-29",
        "Details": {
            "Website": "https://anydesk.com/en",
            "PEMetadata": [
                {
                    "Filename": "anydesk.exe",
                    "OriginalFileName": "AnyDesk.exe",
                    "Description": "AnyDesk",
                    "Product": "AnyDesk"
                }
            ],
            "Privileges": "User",
            "Free": true,
            "Verification": false,
            "SupportedOS": [
                "Android",
                "ChromeOS",
                "IOS",
                "Linux",
                "Mac",
                "Windows"
            ],
            "Capabilities": [
                "File Transfer",
                "File System Access",
                "Remote Control",
                "GUI Support",
                "Command line Support"
            ],
            "Vulnerabilities": [
                "https://www.cvedetails.com/vulnerability-list/vendor_id-16953/product_id-40173/Anydesk-Anydesk.html"
            ],
            "InstallationPaths": [
                "C:\\Program Files (x86)\\AnyDesk\\*",
                "C:\\Program Files\\AnyDesk\\*",
                "/Applications/AnyDesk.app"
            ]
        },
        "Artifacts": {
            "Disk": [
                {
                    "File": "%programdata%\\AnyDesk\\ad_svc.trace",
                    "Description": "AnyDesk service log file. As well as ad.trace, we can determine the IP address of the other participant and its AnyDesk ID when a connection is established.",
                    "OS": "Windows",
                    "Example": [
                        "info 2022-08-23 10:20:11.969       gsvc   4628   3528    3                anynet.relay_conn - External address: 34.xx.xx.123:46798"
                    ]
                },
                {
                    "File": "%programdata%\\AnyDesk\\connection_trace.txt",
                    "Description": "Incoming connection logs, contains IP Address of the remote machine and file transfer activity. Only generated on target side. The content indicates how the connection was approved (e.g. the local user authorized it, or a password was used)",
                    "OS": "Windows",
                    "Example": [
                        "Incoming 2022-08-23, 10:23 Passwd 547911884 547911884",
                        "Incoming 2022-09-28, 12:39 User 442226597 442226597"
                    ]
                },
                {
                    "File": "%APPDATA%\\AnyDesk\\connection_trace.txt",
                    "Description": "Incoming connection logs, contains IP Address of the remote machine and file transfer activity. Only generated on target side. The content indicates how the connection was approved (e.g. the local user authorized it, or a password was used)",
                    "OS": "Windows",
                    "Example": [
                        "Incoming 2022-08-23, 10:23 Passwd 547911884 547911884",
                        "Incoming 2022-09-28, 12:39 User 442226597 442226597"
                    ]
                },
                {
                    "File": "%APPDATA%\\AnyDesk\\ad.trace",
                    "Description": "AnyDesk user interface log file. In this log file, we can determine the IP address of the other participant and its AnyDesk ID. It is also possible to track events of file transfer. Below is the Client ID and external IP address of the remote participant.",
                    "OS": "Windows",
                    "Example": [
                        "info 2022-09-28 12:39:26.845       lsvc   9952   9944   21                anynet.any_socket - Client-ID: 442226597 (FPR: 8e28a2a25b30).",
                        "info 2022-09-28 12:39:26.845       lsvc   9952   9944   21                anynet.any_socket - Logged in from 12.xx.xx.21:59562 on relay 80e496c0."
                    ]
                },
                {
                    "File": "%APPDATA%\\AnyDesk\\chat\\*.txt",
                    "Description": "If the chat functionality is used, its entries will be printed in a text file in this folder.",
                    "OS": "Windows"
                },
                {
                    "File": "%APPDATA%\\AnyDesk\\user.conf",
                    "Description": "N/A",
                    "OS": "Windows"
                },
                {
                    "File": "%PROGRAMDATA%\\AnyDesk\\service.conf",
                    "Description": "Password can be set to auto-validate the session. The password will be saved in a salted hash format.",
                    "OS": "Windows"
                },
                {
                    "File": "%APPDATA%\\AnyDesk\\service.conf",
                    "Description": "N/A",
                    "OS": "Windows"
                },
                {
                    "File": "%APPDATA%\\AnyDesk\\system.conf",
                    "Description": "N/A",
                    "OS": "Windows"
                },
                {
                    "File": "%PROGRAMDATA%\\AnyDesk\\system.conf",
                    "Description": "N/A",
                    "OS": "Windows"
                },
                {
                    "File": "%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\AnyDesk.lnk",
                    "Description": "N/A",
                    "OS": "Windows"
                },
                {
                    "File": "%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\AnyDesk\\Uninstall AnyDesk.lnk",
                    "Description": "N/A",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Users\\*\\Videos\\AnyDesk\\*.anydesk",
                    "Description": "N/A",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Windows\\SysWOW64\\config\\systemprofile\\AppData\\Roaming\\AnyDesk\\*",
                    "Description": "N/A",
                    "OS": "Windows"
                },
                {
                    "File": "~/Library/Application Support/AnyDesk/Logs/",
                    "Description": "N/A",
                    "OS": "Mac"
                },
                {
                    "File": "~/.config/AnyDesk/Logs/",
                    "Description": "N/A",
                    "OS": "Linux"
                }
            ],
            "EventLog": [
                {
                    "EventID": 7045,
                    "ProviderName": "Service Control Manager",
                    "LogFile": "System.evtx",
                    "ServiceName": "AnyDesk Service",
                    "ImagePath": "\"C:\\\\Program Files (x86)\\\\AnyDesk\\\\AnyDesk.exe\" --service",
                    "Description": "Service installation event as a result of AnyDesk installation."
                },
                {
                    "EventID": 4697,
                    "ProviderName": "Microsoft-Security-Auditing",
                    "LogFile": "Security.evtx",
                    "ServiceName": "AnyDesk Service",
                    "ImagePath": "\"C:\\\\Program Files (x86)\\\\AnyDesk\\\\AnyDesk.exe\" --service",
                    "Description": "Service installation event as a result of AnyDesk installation."
                }
            ],
            "Registry": [
                {
                    "Path": "HKLM\\SOFTWARE\\Clients\\Media\\AnyDesk",
                    "Description": "N/A"
                },
                {
                    "Path": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\AnyDesk",
                    "Description": "N/A"
                },
                {
                    "Path": "HKLM\\SOFTWARE\\Classes\\.anydesk\\shell\\open\\command",
                    "Description": "N/A"
                },
                {
                    "Path": "HKLM\\SOFTWARE\\Classes\\AnyDesk\\shell\\open\\command",
                    "Description": "N/A"
                },
                {
                    "Path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\AnyDesk Printer\\*",
                    "Description": "N/A"
                },
                {
                    "Path": "HKLM\\DRIVERS\\DriverDatabase\\DeviceIds\\USBPRINT\\AnyDesk",
                    "Description": "N/A"
                },
                {
                    "Path": "HKLM\\DRIVERS\\DriverDatabase\\DeviceIds\\WSDPRINT\\AnyDesk",
                    "Description": "N/A"
                },
                {
                    "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\AnyDesk",
                    "Description": "N/A"
                }
            ],
            "Network": [
                {
                    "Description": "During setup, the boot.net.anydesk.com domain is requested over port 443",
                    "Domains": [
                        "boot.net.anydesk.com"
                    ],
                    "Ports": [
                        443
                    ]
                },
                {
                    "Description": "N/A",
                    "Domains": [
                        "relay-[a-f0-9]{8}.net.anydesk.com:443"
                    ],
                    "Ports": [
                        443
                    ]
                },
                {
                    "Description": "N/A",
                    "Domains": [
                        "*.anydesk.com"
                    ],
                    "Ports": [
                        443
                    ]
                }
            ],
            "Other": [
                {
                    "Type": "User-Agent",
                    "Value": "AnyDesk/*"
                },
                {
                    "Type": "NamedPipe",
                    "Value": "adprinterpipe"
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/builtin/system/service_control_manager/win_system_service_install_anydesk.yml",
                "Description": "Anydesk Remote Access Software Service Installation"
            },
            {
                "Sigma": "https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/file/file_event/file_event_win_anydesk_artefact.yml",
                "Description": "N/A"
            },
            {
                "Sigma": "https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk.yml",
                "Description": "N/A"
            },
            {
                "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml",
                "Description": "Remote Access Tool - AnyDesk Silent Installation"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anydesk_registry_sigma.yml",
                "Description": "Detects potential registry activity of AnyDesk RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anydesk_network_sigma.yml",
                "Description": "Detects potential network activity of AnyDesk RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anydesk_files_sigma.yml",
                "Description": "Detects potential files activity of AnyDesk RMM tool"
            }
        ],
        "References": [
            "https://support.anydesk.com/knowledge/firewall",
            "https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html",
            "https://github.com/mthcht/awesome-lists/tree/79ced75eebe53bcabf1235b3c17eb11788875482/Lists/RMM/anydesk",
            "https://ruler-project.github.io/ruler-project/RULER/remote/AnyDesk/"
        ],
        "Acknowledgement": [
            {
                "Person": "Théo Letailleur",
                "Handle": "in/theosyn"
            },
            {
                "Person": "Ali Alwashali",
                "Handle": "@ali_alwashali"
            },
            {
                "Person": "Nasreddine Bencherchali",
                "Handle": "@nas_bench"
            }
        ],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "AnyDesk Software GmbH",
                    "certificate_thumbprint": "E5ABE8D3CEA37B45F3D3896B49FB91920B4A4E9D",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "864e2c3675d05cd4816a42167b45ab66e3d5995fae7e1fd680223940061b9803",
                    "src_file_path": "downloaded_files/anydesk/864e2c3675d05cd4816a42167b45ab66e3d5995fae7e1fd680223940061b9803",
                    "src_file_company": "AnyDesk Software GmbH"
                }
            ]
        }
    },
    {
        "Name": "Free Tools Launcher",
        "Category": "RMM",
        "Description": "Free Tools Launcher is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.manageengine.com/free-tools.html",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Program Files\\ManageEngine\\ManageEngine Free Tools\\Launcher\\*",
                "*\\ManageEngine\\*"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [],
        "References": [],
        "Acknowledgement": []
    },
    {
        "Name": "ImmyBot",
        "Category": "RMM",
        "Description": "ImmyBot is a remote monitoring and management (RMM) and automation tool designed for MSPs, focusing on workstation configuration, software deployment, and patch management. The tool has been reported in private threat intelligence as being delivered via phishing campaigns to establish unauthorized remote access, though no public references are currently available. ImmyBot uses signed agents and operates over secure websockets to managed endpoints.",
        "Author": "Michael Haag",
        "Created": "2026-01-15",
        "LastModified": "2026-01-15",
        "Details": {
            "Website": "https://www.immy.bot/",
            "PEMetadata": [
                {
                    "Filename": "ImmyAgent.exe",
                    "OriginalFileName": "",
                    "Description": "ImmyBot agent executable (verified via official documentation)"
                },
                {
                    "Filename": "ImmyUpdater.exe",
                    "OriginalFileName": "",
                    "Description": "ImmyBot updater executable (verified via official documentation)"
                },
                {
                    "Filename": "ImmyBot.Agent.Ephemeral.exe",
                    "OriginalFileName": "",
                    "Description": "ImmyBot ephemeral agent for script execution (verified via official documentation)"
                },
                {
                    "Filename": "ImmyBot.msi",
                    "OriginalFileName": "",
                    "Description": "ImmyBot installer MSI (verified via VirusTotal)"
                }
            ],
            "Privileges": "SYSTEM",
            "Free": "Trial Available",
            "Verification": "Code-signed with EV certificate",
            "SupportedOS": [
                "Windows"
            ],
            "Capabilities": [
                "Remote Control",
                "Remote Access",
                "File Transfer",
                "Command Line Support",
                "Software Deployment",
                "Patch Management",
                "Script Execution",
                "Automated Configuration"
            ],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Program Files\\ImmyBot\\ImmyAgent.exe",
                "C:\\Program Files\\ImmyBot\\ImmyUpdater.exe",
                "C:\\Program Files (x86)\\ImmyBot\\ImmyAgent.exe",
                "C:\\Program Files (x86)\\ImmyBot\\ImmyUpdater.exe",
                "*\\ImmyBot\\*",
                "C:\\Windows\\Temp\\ImmyBot\\*",
                "ImmyAgent.exe",
                "ImmyUpdater.exe",
                "ImmyBot.Agent.Ephemeral.exe",
                "ImmyBot.msi"
            ]
        },
        "Artifacts": {
            "Disk": [
                {
                    "File": "C:\\Program Files\\ImmyBot\\*",
                    "Description": "ImmyBot installation directory (verified via official documentation)",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files (x86)\\ImmyBot\\*",
                    "Description": "ImmyBot installation directory for 32-bit (verified via official documentation)",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\ProgramData\\ImmyBot\\Logs\\*",
                    "Description": "ImmyBot agent logs (verified via official documentation)",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\ProgramData\\ImmyBot\\Scripts\\*",
                    "Description": "ImmyBot script execution directory (verified via official documentation)",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\ProgramData\\ImmyBotAgentService\\config.json",
                    "Description": "ImmyBot agent configuration file (verified via official documentation)",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Windows\\Temp\\ImmyBot\\*",
                    "Description": "ImmyBot temporary files directory",
                    "OS": "Windows"
                }
            ],
            "EventLog": [
                {
                    "EventID": 7045,
                    "Description": "Service installation event for ImmyBot Agent",
                    "OS": "Windows"
                }
            ],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.immy.bot",
                        "immy.bot"
                    ],
                    "Ports": [
                        443
                    ]
                }
            ]
        },
        "Detections": [],
        "References": [
            "https://github.com/magicsword-io/LOLRMM/issues/135",
            "https://www.immy.bot/",
            "https://docs.immy.bot/Documentation/HowToGuides/agent-installation",
            "https://docs.immy.bot/Documentation/Troubleshooting/security-software.html",
            "https://docs.immy.bot/troubleshooting"
        ],
        "Acknowledgement": [
            {
                "Person": "boredchilada",
                "Handle": "@boredchilada"
            }
        ]
    },
    {
        "Name": "Pocket Controller",
        "Category": "RMM",
        "Description": "Pocket Controller is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://soti.net/products/soti-pocket-controller",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [
                "Windows"
            ],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "pocketcontroller.exe",
                "pocketcloudservice.exe",
                "wysebrowser.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "soti.net/products/soti-pocket-controller"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller_network_sigma.yml",
                "Description": "Detects potential network activity of Pocket Controller RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller_processes_sigma.yml",
                "Description": "Detects potential processes activity of Pocket Controller RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": []
    },
    {
        "Name": "ISL Online",
        "Category": "RMM",
        "Description": "ISL Online is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.islonline.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "*\\ISLLight.exe",
                "isllight.exe",
                "ISLLightClient.exe",
                "C:\\Program Files (x86)\\ISL Online\\ISL Light*",
                "*\\ISL Online\\ISL Light*",
                "ISLLight.exe",
                "isllightservice.exe",
                "islalwaysonmonitor.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.islonline.com",
                        "*.islonline.net"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_network_sigma.yml",
                "Description": "Detects potential network activity of ISL Online RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_processes_sigma.yml",
                "Description": "Detects potential processes activity of ISL Online RMM tool"
            }
        ],
        "References": [
            "https://help.islonline.com/19818/165940"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "ISL Online Ltd.",
                    "certificate_thumbprint": "69D863EBB31F6E58D1511DE618489AB47BB0B361",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "ae6c0e25c5867370a9208f63cecd039779384ca205336f7a8d1635058eb0f759",
                    "src_file_path": "downloaded_files/isl_online/ae6c0e25c5867370a9208f63cecd039779384ca205336f7a8d1635058eb0f759",
                    "src_file_company": "XLAB d.o.o."
                },
                {
                    "signer_name": "PDQ.com Corporation",
                    "certificate_thumbprint": "C215D204EA384B3D85057CB11B4D23B5DC301AE5",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "0a52b503f8461b741a50e48bfd47daff299d29ed2dde29dadaffa7398e1db6f6",
                    "src_file_path": "downloaded_files/isl_online/0a52b503f8461b741a50e48bfd47daff299d29ed2dde29dadaffa7398e1db6f6",
                    "src_file_company": "XLAB d.o.o."
                },
                {
                    "signer_name": "ISL Online Ltd.",
                    "certificate_thumbprint": "FD412CA692ED576E5FA7723CB06ABE14077A2C67",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "03214d8b41186760f2cf299ba70a22695f4a28be0080551dc582d7a52ac2b96a",
                    "src_file_path": "downloaded_files/isl_online/03214d8b41186760f2cf299ba70a22695f4a28be0080551dc582d7a52ac2b96a",
                    "src_file_company": "XLAB d.o.o."
                }
            ]
        }
    },
    {
        "Name": "Remmon",
        "Category": "RMM",
        "Description": "Remmon is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "remmon.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.remmon.hu",
                        "remmon.hu"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remmon_network_sigma.yml",
                "Description": "Detects potential network activity of Remmon RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remmon_processes_sigma.yml",
                "Description": "Detects potential processes activity of Remmon RMM tool"
            }
        ],
        "References": [
            "https://remmon.hu"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "Goverlan",
        "Category": "RMM",
        "Description": "Goverlan is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [
                "Windows"
            ],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "goverrmc.exe",
                "govsrv*.exe",
                "GovAgentInstallHelper.exe",
                "GovAgentx64.exe",
                "GovReachClient.exe",
                "C:\\Program Files (x86)\\PJ Technologies\\GOVsrv\\*",
                "*\\PJ Technologies\\GOVsrv\\*",
                "*\\GovSrv.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "user_managed",
                        "goverlan.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/goverlan_network_sigma.yml",
                "Description": "Detects potential network activity of Goverlan RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/goverlan_processes_sigma.yml",
                "Description": "Detects potential processes activity of Goverlan RMM tool"
            }
        ],
        "References": [
            "https://www.goverlan.com/pdf/Goverlan-Remote-Control-Software.pdf"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "EASYVISTA SAS",
                    "certificate_thumbprint": "2AEEBB150801E156594DFD89A474F5A8C6D3EAE2",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "086207248872cecd4d338c0aa26f69aaff779c7c88f02d13fe5e004df85bdece",
                    "src_file_path": "downloaded_files/goverlan/086207248872cecd4d338c0aa26f69aaff779c7c88f02d13fe5e004df85bdece",
                    "src_file_company": "EasyVista, Inc."
                }
            ]
        }
    },
    {
        "Name": "GoToMyPC",
        "Category": "RMM",
        "Description": "GoToMyPC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.\n",
        "Author": "Nasreddine Bencherchali",
        "Created": "2024-08-05",
        "LastModified": "2024-08-05",
        "Details": {
            "Website": "https://get.gotomypc.com/",
            "PEMetadata": [
                {
                    "Filename": "AppCore.exe"
                },
                {
                    "Filename": "g2comm.exe"
                },
                {
                    "Filename": "g2file*.exe"
                },
                {
                    "Filename": "g2fileh.exe"
                },
                {
                    "Filename": "g2host.exe"
                },
                {
                    "Filename": "g2m_download.exe"
                },
                {
                    "Filename": "g2mainh.exe"
                },
                {
                    "Filename": "G2MChat.exe"
                },
                {
                    "Filename": "G2MCodecInstExtractor.exe"
                },
                {
                    "Filename": "G2MComm.exe"
                },
                {
                    "Filename": "G2MCoreInstExtractor.exe"
                },
                {
                    "Filename": "G2MFeedback.exe"
                },
                {
                    "Filename": "G2MHost.exe"
                },
                {
                    "Filename": "G2MInstaller.exe"
                },
                {
                    "Filename": "G2MInstallerExtractor.exe"
                },
                {
                    "Filename": "G2MInstHigh.exe"
                },
                {
                    "Filename": "G2MLauncher.exe"
                },
                {
                    "Filename": "G2MMatchMaking.exe"
                },
                {
                    "Filename": "G2MMaterials.exe"
                },
                {
                    "Filename": "G2MPolling.exe"
                },
                {
                    "Filename": "G2MQandA.exe"
                },
                {
                    "Filename": "G2MRecorder.exe"
                },
                {
                    "Filename": "G2MScrUtil64.exe"
                },
                {
                    "Filename": "G2MSessionControl.exe"
                },
                {
                    "Filename": "G2MStart.exe"
                },
                {
                    "Filename": "G2MTesting.exe"
                },
                {
                    "Filename": "G2MTranscoder.exe"
                },
                {
                    "Filename": "G2MUI.exe"
                },
                {
                    "Filename": "G2MUninstall.exe"
                },
                {
                    "Filename": "g2mupload.exe"
                },
                {
                    "Filename": "g2mvideoconference.exe"
                },
                {
                    "Filename": "G2MView.exe"
                },
                {
                    "Filename": "g2printh.exe"
                },
                {
                    "Filename": "g2quick.exe"
                },
                {
                    "Filename": "g2svc.exe"
                },
                {
                    "Filename": "g2tray.exe"
                },
                {
                    "Filename": "gopcsrv.exe"
                },
                {
                    "Filename": "GoToScrUtils.exe"
                },
                {
                    "Filename": "GoTo.exe",
                    "OriginalFileName": "",
                    "Description": ""
                }
            ],
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Program Files (x86)\\GoToMyPC\\*"
            ]
        },
        "Artifacts": {
            "Disk": [
                {
                    "File": "%AppData%\\GoTo\\Logs\\goto.log",
                    "Description": "N/A",
                    "OS": "Windows"
                }
            ],
            "EventLog": [],
            "Registry": [
                {
                    "Path": "HKEY_LOCAL_MACHINE\\WOW6432Node\\Citrix\\GoToMyPc",
                    "Description": "Configuration settings including registration email"
                },
                {
                    "Path": "HKEY_LOCAL_MACHINE\\WOW6432Node\\Citrix\\GoToMyPc\\GuestInvite",
                    "Description": "Guest invites sent to connect"
                },
                {
                    "Path": "HKEY_CURRENT_USER\\SOFTWARE\\Citrix\\GoToMyPc\\FileTransfer\\history",
                    "Description": "hostname of the computer making connections and location of transferred files"
                },
                {
                    "Path": "HKEY_USERS\\<SID>\\SOFTWARE\\Citrix\\GoToMyPc\\FileTransfer\\history",
                    "Description": "hostname of the computer making connections and location of transferred files"
                }
            ],
            "Network": [
                {
                    "Description": "N/A",
                    "Domains": [
                        "*.GoToMyPC.com"
                    ],
                    "Ports": [
                        "N/A"
                    ]
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_registry_sigma.yml",
                "Description": "Detects potential registry activity of GoToMyPC RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_network_sigma.yml",
                "Description": "Detects potential network activity of GoToMyPC RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_files_sigma.yml",
                "Description": "Detects potential files activity of GoToMyPC RMM tool"
            }
        ],
        "References": [
            "https://support.logmeininc.com/gotomypc/help/what-are-the-optimal-firewall-configurations#",
            "https://support.goto.com/training/help/how-do-i-configure-gototraining-to-work-with-firewalls",
            "https://ruler-project.github.io/ruler-project/RULER/remote/Citrix%20GoToMyPC/"
        ],
        "Acknowledgement": [
            {
                "Person": "Phill Moore",
                "Handle": "@phillmoore"
            }
        ]
    },
    {
        "Name": "Basecamp",
        "Category": "RAT",
        "Description": "Basecamp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://basecamp.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": []
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "basecamp.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/basecamp_network_sigma.yml",
                "Description": "Detects potential network activity of Basecamp RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": []
    },
    {
        "Name": "Netop Remote Control (aka Impero Connect)",
        "Category": "RMM",
        "Description": "Netop Remote Control (aka Impero Connect) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://netop.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "nhostsvc.exe",
                "nhstw32.exe",
                "nldrw32.exe",
                "rmserverconsolemediator.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "imperosoftware.com/impero-connect/"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__aka_impero_connect__network_sigma.yml",
                "Description": "Detects potential network activity of Netop Remote Control (aka Impero Connect) RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__aka_impero_connect__processes_sigma.yml",
                "Description": "Detects potential processes activity of Netop Remote Control (aka Impero Connect) RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "NETOP TECH SRL",
                    "certificate_thumbprint": "311FD401E4AA27E856311EAE5D80C31CDE46A67C",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "c5b98ab84cb24ddcfd5e01928ea959b6af8bb4963a9d1ae10fef3734ba99657d",
                    "src_file_path": "downloaded_files/netop_remote_control_(aka_impero_connect)/c5b98ab84cb24ddcfd5e01928ea959b6af8bb4963a9d1ae10fef3734ba99657d",
                    "src_file_company": "Netop Solutions Limited"
                }
            ]
        }
    },
    {
        "Name": "NetBird",
        "Category": "RAT",
        "Description": "NetBird is an open-source VPN and remote access platform that provides secure peer-to-peer connectivity. It has been observed being leveraged in spear phishing campaigns across Europe, Africa, Canada, the Middle East, and South Asia, targeting financial executives and CFOs. The tool was deployed as part of multi-stage phishing attacks by threat actors including APT MuddyWater.",
        "Author": "Michael Haag",
        "Created": "2026-01-15",
        "LastModified": "2026-01-15",
        "Details": {
            "Website": "https://netbird.io/",
            "PEMetadata": [
                {
                    "Filename": "netbird.exe",
                    "OriginalFileName": "",
                    "Description": "NetBird client executable for Windows"
                },
                {
                    "Filename": "netbird-ui.exe",
                    "OriginalFileName": "",
                    "Description": "NetBird UI executable for Windows"
                },
                {
                    "Filename": "netbird",
                    "OriginalFileName": "",
                    "Description": "NetBird client binary for Linux/macOS"
                }
            ],
            "Privileges": "User",
            "Free": "Yes (Open Source)",
            "Verification": "Open Source",
            "SupportedOS": [
                "Windows",
                "Linux",
                "macOS",
                "Android",
                "iOS"
            ],
            "Capabilities": [
                "Remote Access",
                "VPN Connectivity",
                "Peer-to-Peer Networking",
                "Secure Tunneling",
                "Network Management"
            ],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Program Files\\Netbird\\netbird.exe",
                "C:\\Program Files\\Netbird\\netbird-ui.exe",
                "C:\\ProgramData\\Netbird\\*",
                "/usr/bin/netbird",
                "/usr/local/bin/netbird",
                "/opt/netbird/*",
                "netbird.exe",
                "netbird-ui.exe",
                "netbird"
            ]
        },
        "Artifacts": {
            "Disk": [
                {
                    "File": "C:\\Program Files\\Netbird\\netbird.exe",
                    "Description": "NetBird client installation directory",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\ProgramData\\Netbird\\config.json",
                    "Description": "NetBird configuration file",
                    "OS": "Windows"
                },
                {
                    "File": "/etc/netbird/config.json",
                    "Description": "NetBird configuration file",
                    "OS": "Linux"
                },
                {
                    "File": "/var/log/netbird/*",
                    "Description": "NetBird log files",
                    "OS": "Linux"
                }
            ],
            "EventLog": [
                {
                    "EventID": 4688,
                    "Description": "Process creation event for netbird.exe",
                    "OS": "Windows"
                },
                {
                    "EventID": 7045,
                    "Description": "Service installation event for NetBird",
                    "OS": "Windows"
                }
            ],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "netbird.io",
                        "*.netbird.io",
                        "api.netbird.io",
                        "signal.netbird.io"
                    ],
                    "Ports": [
                        443,
                        51820
                    ]
                }
            ]
        },
        "Detections": [],
        "References": [
            "https://github.com/magicsword-io/LOLRMM/issues/81",
            "https://www.trellix.com/en-in/blogs/research/a-flyby-on-the-cfos-inbox-spear-phishing-campaign-targeting-financial-executives-with-netbird-deployment/",
            "https://hunt.io/blog/apt-muddywater-deploys-multi-stage-phishing-to-target-cfos",
            "https://netbird.io/use-cases/remote-access",
            "https://github.com/netbirdio/netbird"
        ],
        "Acknowledgement": [
            {
                "Person": "jacobholtz",
                "Handle": "@jacobholtz"
            },
            {
                "Person": "ruppde",
                "Handle": "@ruppde"
            }
        ]
    },
    {
        "Name": "Seetrol",
        "Category": "RMM",
        "Description": "Seetrol is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.seetrol.co.kr/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "seetrolcenter.exe",
                "seetrolclient.exe",
                "seetrolmyservice.exe",
                "seetrolremote.exe",
                "seetrolsetting.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "seetrol.co.kr"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/seetrol_network_sigma.yml",
                "Description": "Detects potential network activity of Seetrol RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/seetrol_processes_sigma.yml",
                "Description": "Detects potential processes activity of Seetrol RMM tool"
            }
        ],
        "References": [
            "http://www.seetrol.com/en/features/features3.php"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "Knowhow Electel Inc.",
                    "certificate_thumbprint": "205E6A6C500F8B5E36DDA0FBF791D96EF55FCB03",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "d3aadff853f04dd787a094f8237e23f86f0909c87f2507d759036c2f35816190",
                    "src_file_path": "downloaded_files/seetrol/d3aadff853f04dd787a094f8237e23f86f0909c87f2507d759036c2f35816190",
                    "src_file_company": "Knowhow Electel Inc."
                }
            ]
        }
    },
    {
        "Name": "Netviewer",
        "Category": "RMM",
        "Description": "Netviewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "netviewer*.exe",
                "netviewer.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "download.cnet.com/Net-Viewer/3000-2370_4-10034828.html"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer_network_sigma.yml",
                "Description": "Detects potential network activity of Netviewer RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer_processes_sigma.yml",
                "Description": "Detects potential processes activity of Netviewer RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": []
    },
    {
        "Name": "Remote Utilities",
        "Category": "RMM",
        "Description": "Remote Utilities is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.remoteutilities.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "rutview.exe",
                "rutserv.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.internetid.ru"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_utilities_network_sigma.yml",
                "Description": "Detects potential network activity of Remote Utilities RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_utilities_processes_sigma.yml",
                "Description": "Detects potential processes activity of Remote Utilities RMM tool"
            }
        ],
        "References": [
            "https://www.remoteutilities.com/download/"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "REMOTE UTILITIES PTE. LTD.",
                    "certificate_thumbprint": "902CC2BB628B651954A5F7A1D68C6CDE84707A54",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "fe0d943f853c27b741328cfaf188718ccad383517c457ad291b9c08b5f7be0db",
                    "src_file_path": "downloaded_files/remote_utilities/fe0d943f853c27b741328cfaf188718ccad383517c457ad291b9c08b5f7be0db",
                    "src_file_company": "Remote Utilities Pte. Ltd."
                }
            ]
        }
    },
    {
        "Name": "TurboMeeting",
        "Category": "RMM",
        "Description": "TurboMeeting is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "pcstarter.exe",
                "turbomeeting.exe",
                "turbomeetingstarter.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "user_managed",
                        "acceo.com/turbomeeting/"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/turbomeeting_network_sigma.yml",
                "Description": "Detects potential network activity of TurboMeeting RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/turbomeeting_processes_sigma.yml",
                "Description": "Detects potential processes activity of TurboMeeting RMM tool"
            }
        ],
        "References": [
            "http://sourcing.rhubcom.com/v5/faqs.html#collapsetwentysix2-topdiv"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "N-ABLE Remote Access Software",
        "Category": "RMM",
        "Description": "N-ABLE Remote Access Software is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.n-able.com/features/remote-access",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": []
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "n-able.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_remote_access_software_network_sigma.yml",
                "Description": "Detects potential network activity of N-ABLE Remote Access Software RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": []
    },
    {
        "Name": "FastViewer",
        "Category": "RMM",
        "Description": "FastViewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2025-12-14",
        "Details": {
            "Website": "https://www.matrix42.com/en/fastviewer",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "fastclient.exe",
                "fastmaster.exe",
                "FastViewer.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.fastviewer.com",
                        "fastviewer.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fastviewer_network_sigma.yml",
                "Description": "Detects potential network activity of FastViewer RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fastviewer_processes_sigma.yml",
                "Description": "Detects potential processes activity of FastViewer RMM tool"
            }
        ],
        "References": [
            "https://fastviewer.com/demo/EN_FastViewer_Server%20Installation%20Configuration.pdf"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "search_names": [],
            "company_names": [],
            "signer_names": [
                "FastViewer GmbH"
            ],
            "certificates": [
                {
                    "signer_name": "FastViewer GmbH",
                    "certificate_thumbprint": "224026512C56BCE38073813BDB3D3207D88C1172",
                    "tbs_sha256": "AD3D2D1485CAB1E72DD2A0C7228E9467D5A36E93BB3F17C4699882DA901348E0",
                    "tbs_sha1": "",
                    "certificate_der_base64": "MIIEzDCCA7SgAwIBAgIQS4hjVUJTXYndyitRl5EfpTANBgkqhkiG9w0BAQsFADBMMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMdGhhd3RlLCBJbmMuMSYwJAYDVQQDEx10aGF3dGUgU0hBMjU2IENvZGUgU2lnbmluZyBDQTAeFw0xNzA4MTcwMDAwMDBaFw0yMDEwMTAyMzU5NTlaMIGJMQswCQYDVQQGEwJERTEPMA0GA1UECAwGQmF5ZXJuMRowGAYDVQQHDBFOZXVtYXJrdCBpLmQuT1BmLjEYMBYGA1UECgwPRmFzdFZpZXdlciBHbWJIMRkwFwYDVQQLDBBXZWJjb2xsYWJvcmF0aW9uMRgwFgYDVQQDDA9GYXN0Vmlld2VyIEdtYkgwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDGQOLEWWYtL8Icv1MOSu0Wb8mAb8y/7/9TkOMZjW6aIyG41BlwsoNT64A/WykkSH6F8sULoh4ggF6w2aQA91sLKhhCxz0sy0nRqpPBNcXg2cq/bVYHk9EXFjqGPjEYyWDKkJJOlS8rVNCLTWXcEsQ7M7QUYcriX5X4UGJnuCTHGVNYrKd/FHP7LOEeRDpTrLxX5am/HjBlSAiWCB+wAwzPQmjPIx2Kn7/hsUdC0GqgWTOYIN6cESeDojlTEROKSLFlJ6zo09mGiU8DUNRsukHQw+N2LB8/z7thZlYvhZvGIXDeU99r3dYUYa5BM6fbkxU9vDW8u08RvN5Rr7EOdMWVAgMBAAGjggFqMIIBZjAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFFeGm1S4vqYpiuT2wuITGImFzdy3MB0GA1UdDgQWBBSsUpxneiC4BXoA1FZGRBuJ3sr+ujArBgNVHR8EJDAiMCCgHqAchhpodHRwOi8vdGwuc3ltY2IuY29tL3RsLmNybDAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwbgYDVR0gBGcwZTBjBgZngQwBBAEwWTAmBggrBgEFBQcCARYaaHR0cHM6Ly93d3cudGhhd3RlLmNvbS9jcHMwLwYIKwYBBQUHAgIwIwwhaHR0cHM6Ly93d3cudGhhd3RlLmNvbS9yZXBvc2l0b3J5MFcGCCsGAQUFBwEBBEswSTAfBggrBgEFBQcwAYYTaHR0cDovL3RsLnN5bWNkLmNvbTAmBggrBgEFBQcwAoYaaHR0cDovL3RsLnN5bWNiLmNvbS90bC5jcnQwDQYJKoZIhvcNAQELBQADggEBAGhqfX5BACju9vHJaEHEi8QjV2w1CPXIqkkBsoN88MsoSxNW+kGnm6BKiP5VeOTwmk1/bb9uTrhCO9C04G3i5pSzZpk0b9b4Gx89TUAlBw9MpNKTW4bSbgQ5RKxvsWe6y+tJh1c7J6FQBaJ1M0cn0A9m7iqQry740GPmu+00RfYSmVQmzXgsddlJp7GOqDpqIKqqPSGBUHoH2d43nBJdd2tZ+NsRboUviNRyJJGk0p4qfq5IQd/MUTROhM6BWJuyCpTAazZfadrABWDl45+H2nK+/TlrJJBd9mQ1UhjaVkeAD/TaAiNZ1ef3IgDjfWuVfNvDPCo3wJVVT84idv44leQ="
                },
                {
                    "signer_name": "FastViewer GmbH",
                    "certificate_thumbprint": "634F4B6F419B57A16C8F58054AE9E6DA7D1FC6A4",
                    "tbs_sha256": "FF61DC60973A1DB2A6871C7AF1EEAEDE65EEECE92D36675107592266766149D2",
                    "tbs_sha1": "",
                    "certificate_der_base64": "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"
                },
                {
                    "signer_name": "FastViewer GmbH",
                    "certificate_thumbprint": "2F3A90AD6ECFC24F0781D7DFB6815A1D83A1B52E",
                    "tbs_sha256": "5ADD1D07C05E16B75D504C5EB76DFC892888620DF8205D3F23E6068049130510",
                    "tbs_sha1": "",
                    "certificate_der_base64": "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"
                }
            ]
        }
    },
    {
        "Name": "NoMachine",
        "Category": "RAT",
        "Description": "NoMachine is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.nomachine.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "nomachine*.exe",
                "nxservice*.ese",
                "nxd.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "user_managed",
                        "nomachine.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nomachine_network_sigma.yml",
                "Description": "Detects potential network activity of NoMachine RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nomachine_processes_sigma.yml",
                "Description": "Detects potential processes activity of NoMachine RMM tool"
            }
        ],
        "References": [
            "https://kb.nomachine.com/AR04S01122"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "NoMachine S.à r.l",
                    "certificate_thumbprint": "08E7F3C348651CFEAB2C2F123FCE83AD1E5CA3CD",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "720e5eedeb8c552a0d4ca14414f5e99fd313e4d95d550169b7b4314e75686996",
                    "src_file_path": "downloaded_files/nomachine/720e5eedeb8c552a0d4ca14414f5e99fd313e4d95d550169b7b4314e75686996",
                    "src_file_company": "NoMachine"
                },
                {
                    "signer_name": "NoMachine S.a.r.l.",
                    "certificate_thumbprint": "B10BE4C8C9132A19607B268D5176EFCB43A0654E",
                    "certificate_der_base64": "MIIHmjCCBYKgAwIBAgIQCucg57cCmoIHNphL21PEOzANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xQTA/BgNVBAMTOERpZ2lDZXJ0IFRydXN0ZWQgRzQgQ29kZSBTaWduaW5nIFJTQTQwOTYgU0hBMzg0IDIwMjEgQ0ExMB4XDTI0MDkxMDAwMDAwMFoXDTI3MTAxMjIzNTk1OVowgaIxEzARBgsrBgEEAYI3PAIBAxMCTFUxHTAbBgNVBA8MFFByaXZhdGUgT3JnYW5pemF0aW9uMRAwDgYDVQQFEwdCMTcxNzA0MQswCQYDVQQGEwJMVTETMBEGA1UEBxMKTHV4ZW1ib3VyZzEbMBkGA1UEChMSTm9NYWNoaW5lIFMuYS5yLmwuMRswGQYDVQQDExJOb01hY2hpbmUgUy5hLnIubC4wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC1inZHH8ZxVKipOVZ0gMQrDzpDIzJmSfF91PvbOrYyVi4eurHa1LWAHbhEshBHkkwilhVmDCaCfFayIOK64shGMrsn5OvFe72afLBUrxgmSF4PiGjL/2bPAuNAEiOpd6We3bpbU7IHHf9kHxw7d7Qydvv0OYa0kkFzALh+3s5Ei1Qps/GIjusdEtJhuClc0mHosPEgAHpb7F6vU7Nm8iT6Lcgm2rM8Q7iXr7Oln2KKUYPgVFLzxUKLWA0vtJD6SpCdMxzcy4+d8Jjj6rdW0EQKbafXqYPrxQ/2bdMXnWxqWQ083yOqqNy28KgpjruaqhbAUP7FHKYBBtuhbNzbzZ+gBS7Iunz01QC1mIhiTUwX7pzx5+Nf7mnpH4BnzUfrrso3U+ppBoCUJ4hnvYNf3xWfa5ZzklIUIoQn862eW/P3z42kQqwMwx/dBq6TLorgkOK2Pc8bmpFdrY+qS4iYqnaoY+ltF2IzapPNR2JD+H/pGHtWFuax/6EWkdpfLChAuaftd2JD9GtQBIXZq8dtW8Xm7Dfu5KaK2eFSF7W5U5S5ex8PRAOF9YNMyWA8zATlEtNeIbpcnsVVLGIOFcZg9bn3K1JuKJ/6j9EJEHbFyMyqEYZBQZrewWXdEqvq6RgXPqSC2OQ16rzyebG3Ju2s078asvQRfwWpOBHLIJFsb0gS5QIDAQABo4ICAjCCAf4wHwYDVR0jBBgwFoAUaDfg67Y7+F8Rhvv+YXsIiGX0TkIwHQYDVR0OBBYEFFMwxf3pU92kg6+jjCW+xUn4mnwMMD0GA1UdIAQ2MDQwMgYFZ4EMAQMwKTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5kaWdpY2VydC5jb20vQ1BTMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzCBtQYDVR0fBIGtMIGqMFOgUaBPhk1odHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkRzRDb2RlU2lnbmluZ1JTQTQwOTZTSEEzODQyMDIxQ0ExLmNybDBToFGgT4ZNaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZEc0Q29kZVNpZ25pbmdSU0E0MDk2U0hBMzg0MjAyMUNBMS5jcmwwgZQGCCsGAQUFBwEBBIGHMIGEMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wXAYIKwYBBQUHMAKGUGh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0ZWRHNENvZGVTaWduaW5nUlNBNDA5NlNIQTM4NDIwMjFDQTEuY3J0MAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggIBALEGhWIDXINX7RPifA4DSriTLAgHI/6fcuO/L
+Kz0rtVrc4NSR48L7w63Qj0dE201d6sr2AuWKm+Oisi6X4wRGAHjpJGBY8RgMp1yaOs67WJ3BXZSzFK/P9T4eep9eCb51/VcWJ0GVUalTtKQNkv18qiVf7q3Ll7+wqemyi/EeK7rKE0kkaMYhMU7Bqx16OlnS+ufm9WFDtSS7LfyBQJjAbOipfe/lMgoMWNjo2EqaR6A6hM7vWBX4CmrkORZUr5WkVk52tZvDa/HSOxwhZoa8YiNpeq2J8D8SaReTxHcrLRqEqHp86JfdU1XSfLGomuGlB7ySMO1t7zKx1KeEr8JSKjZAX4vG1FGEeZKv7Dff8wKqZEy28DSAWTuOuNN5ohEZSYYvXp0Yyy72vIUsZ5rbIU5KrwkBH/6si7L+g7IlU42dAZJjwIWlJAhOmglwmN7bcmt9ZCAMDTEfGlxZW2iSFO+sNq1bnAKoBftUMEwYpUHMWXxxYd7YRBQlee5bg+C7whYSD2gHWylAvZ5XQSrVbzVoVgkFNxx6HKTrM3XokYDnjwWdmF+W0TCvMFPZ3ELFsAuFMXQGMPJXxkLzTMsd1IpdVXkrcZMatAc3loqjX8Ng/OPX/WQF4w8EpbAuu4zWF09K8bEPO+Z7F0KHg6TnwtzvzeNveTLiIJaMfu8xSA",
                    "src_file_sha256": "27836f35070f263f487db12cfd34b909678f9049cb0317cf3e64931c7eaad73c",
                    "src_file_path": "downloaded_files/nomachine/27836f35070f263f487db12cfd34b909678f9049cb0317cf3e64931c7eaad73c",
                    "src_file_company": "NoMachine"
                }
            ]
        }
    },
    {
        "Name": "ManageEngine",
        "Category": "RMM",
        "Description": "ManageEngine is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2025-12-14",
        "Details": {
            "Website": "https://www.manageengine.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "InstallShield Setup.exe",
                "ManageEngine_Remote_Access_Plus.exe",
                "*\\dcagentservice.exe",
                "C:\\Program Files (x86)\\DesktopCentral_Agent\\bin\\*",
                "*\\DesktopCentral_Agent\\bin\\*"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manageengine_processes_sigma.yml",
                "Description": "Detects potential processes activity of ManageEngine RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": [],
        "CodeSigning": {
            "search_names": [
                "2025-12-12_dc91d52bc3085602a97b2b29dd90279d_amadey_elex_floxif_hijackloader_mafia_remcos_smoke-loader",
                "dcagentservice.exe",
                "installshield setup.exe",
                "manageengine_remote_access_plus.exe",
                "mulkstg.exe",
                "n047693i.exe",
                "setup",
                "vayrcy.exe"
            ],
            "company_names": [],
            "signer_names": [
                "Tuxera Inc"
            ],
            "certificates": [
                {
                    "signer_name": "Tuxera Inc",
                    "issuer": "CN=DigiCert Global G3 Code Signing ECC SHA384 2021 CA1",
                    "certificate_thumbprint": "F840AB496D3000D82535C05C73C89E761ABD572C",
                    "tbs_sha256": "849E9128B875986C17452F7AA428A3BC1A515A541D1FD2A60AB5531363CFA594",
                    "tbs_sha1": "140AFBF2F401470E6320CA647E8068D733BF4480",
                    "valid_from": "2022-11-04T00:00:00+00:00",
                    "valid_to": "2026-01-28T23:59:59+00:00",
                    "certificate_der_base64": "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"
                },
                {
                    "signer_name": "ZOHO Corporation Private Limited",
                    "certificate_thumbprint": "9CFE33A8A1FB933BEDF943EF4263D03B6A5F828E",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "b9326bd53d5cfd1d1ff72f52e92e776487e206e76363d4c23a3c60143349c790",
                    "src_file_path": "downloaded_files/manageengine/b9326bd53d5cfd1d1ff72f52e92e776487e206e76363d4c23a3c60143349c790",
                    "src_file_company": "Zoho Corporation Pvt. Ltd.,"
                },
                {
                    "signer_name": "ZOHO Corporation Private Limited",
                    "certificate_thumbprint": "039B7B91AFEFDB68B36E6A2D246545D581D1BF0D",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "e65be97dfb0ae62de4bfbfed140aaa1e16e9f4461e8e29c9816fc54dea595694",
                    "src_file_path": "downloaded_files/manageengine/e65be97dfb0ae62de4bfbfed140aaa1e16e9f4461e8e29c9816fc54dea595694",
                    "src_file_company": "Zoho Corporation Pvt. Ltd.,"
                },
                {
                    "signer_name": "ZOHO Corporation Private Limited",
                    "certificate_thumbprint": "1FFC1D0860B748F0E9D53297B716E497C81D687B",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "b51dee244adcf4795db9378e56897a97b48eb2c3d4ed758af98ddab2e6f9967b",
                    "src_file_path": "downloaded_files/manageengine/b51dee244adcf4795db9378e56897a97b48eb2c3d4ed758af98ddab2e6f9967b",
                    "src_file_company": "ZOHO Corporation"
                },
                {
                    "signer_name": "ZOHO Corporation Private Limited",
                    "certificate_thumbprint": "03498B4CC5B51DB6CE80699F23CAC1724BB36B69",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "7ac27dd17b4cfa28f37deb6dcb9519b4e7a2dd405134ac881a8c49d32cb904e6",
                    "src_file_path": "downloaded_files/manageengine/7ac27dd17b4cfa28f37deb6dcb9519b4e7a2dd405134ac881a8c49d32cb904e6",
                    "src_file_company": "ZOHO Corporation"
                }
            ]
        },
        "FileHashes": {
            "authenticode": [
                {
                    "file_name": "dcagentservice.exe",
                    "sha256": "1F901E09874DAEFF644B3D52E11A442C27505A59216BC4F6F5A6914AA80C80C4",
                    "sha1": "49AE897644CA33AF6CDAA8D5FFAC221041C6E56D"
                },
                {
                    "file_name": "2025-12-12_dc91d52bc3085602a97b2b29dd90279d_amadey_elex_floxif_hijackloader_mafia_remcos_smoke-loader",
                    "sha256": "5EA43E39C87E336D81625DBFE42F99F89729E0C7F380B57841D913D506BA80A1",
                    "sha1": "3E52E9FAE6E7EFDC1192621EA16E92FC2C984E45"
                },
                {
                    "file_name": "dcagentservice.exe",
                    "sha256": "6EA8901D44764DC7EB419BFD59B78EC33DBDF25012D3EEB5445B04AB11EF4A19",
                    "sha1": "9D0F7EF001D56D766FDA676321C35FC1B3E8D562"
                },
                {
                    "file_name": "dcagentservice.exe",
                    "sha256": "9136E16ED61B0898551B87CA5B0695FFF4F19FE32A7A8257F526A5BBE9A73475",
                    "sha1": "5887DAB0F98C4FC3E2BCC708A03624CECD7FBF92"
                },
                {
                    "file_name": "Setup",
                    "sha256": "C0D97469E968F9201270C3CA1E8E0E0C31537314A057FC54B57818D07BADBCA5",
                    "sha1": "22AB91E8CBC234A8385610189F806906EE41CB19"
                },
                {
                    "file_name": "n047693i.exe",
                    "sha256": "C47843292B3E243B57769B1E9AB6CF1E963A8F5033EFD2E5885E1845A3346741",
                    "sha1": "77D74B6353A3AEF30F71BBAF5D1EB8E282A3C18A"
                },
                {
                    "file_name": "mulkstg.exe",
                    "sha256": "CF0DF68F8693252EE995CF2B099E36B0DD8CD07E73584E68DEF37A1D478B03B7",
                    "sha1": "E176ECA952CB8B7A9062D87FC99FE18EAE463C18"
                },
                {
                    "file_name": "vayrcy.exe",
                    "sha256": "DE82A9AF1D3B3CAA39EFFEE0C0E35D4A91A035FAB8F69BC0E6C9EC10A5BD5A60",
                    "sha1": "A90D71968349B8DF153D96FBA9C3D79923B74246"
                },
                {
                    "file_name": "dcagentservice.exe",
                    "sha256": "EE4E96929D07BB1954B0B37364EF5BC5D2C3D41F47B7897E5DE936800E7D7A51",
                    "sha1": "7257D2C06233626819EDE26CB942A295F2973134"
                },
                {
                    "file_name": "dcagentservice.exe",
                    "sha256": "F4DE6C3DA0EEBE57B3ADA9BE216D84ACCF9B46370563D4A25A726DE0F43D9F51",
                    "sha1": "B51FE873A01463AE15A836D57478155510916B7C"
                },
                {
                    "file_name": "dcagentservice.exe",
                    "sha256": "F84433207EE3C130F493904241457FA59D1EC746355F6D62624FB97C9F9C0E5F",
                    "sha1": "4DAD43D616035CA1613C9BD5577EA7BFD0C8D295"
                }
            ],
            "page": []
        }
    },
    {
        "Name": "Sorillus",
        "Category": "RMM",
        "Description": "Sorillus is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "Sorillus-Launcher*.exe",
                "Sorillus Launcher.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.sorillus.com",
                        "sorillus.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sorillus_network_sigma.yml",
                "Description": "Detects potential network activity of Sorillus RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sorillus_processes_sigma.yml",
                "Description": "Detects potential process activity of Sorillus RMM tool"
            }
        ],
        "References": [
            "https://sorillus.com/"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "BeyondTrust",
        "Category": "RMM",
        "Description": "BeyondTrust is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2025-12-14",
        "Details": {
            "Website": "",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": []
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [],
        "References": [],
        "Acknowledgement": [],
        "CodeSigning": {
            "search_names": [],
            "company_names": [],
            "signer_names": [
                "Bomgar Corporation"
            ],
            "certificates": [
                {
                    "signer_name": "Bomgar Corporation",
                    "certificate_thumbprint": "N/A",
                    "tbs_sha256": "285DEE21A4A5A2DC9738A10949F1BA1D3A900B28D293A388EC3CA6BC03E5C51E",
                    "tbs_sha1": ""
                },
                {
                    "signer_name": "Bomgar Corporation",
                    "certificate_thumbprint": "N/A",
                    "tbs_sha256": "B4473DB8F320305470070B00181E2276B68CEE95E11C3612DF22036ED2A0C15C",
                    "tbs_sha1": ""
                }
            ]
        }
    },
    {
        "Name": "AweRay",
        "Category": "RMM",
        "Description": "AweRay is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2025-12-14",
        "Details": {
            "Website": "https://awesun.aweray.com/en",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "aweray_remote*.exe",
                "AweSun.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "asapi*.aweray.net",
                        "client-api.aweray.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray_network_sigma.yml",
                "Description": "Detects potential network activity of AweRay RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray_processes_sigma.yml",
                "Description": "Detects potential process activity of AweRay RMM tool"
            }
        ],
        "References": [
            "https://sun.aweray.com/help"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "search_names": [],
            "company_names": [],
            "signer_names": [
                "DUC FABULOUS CO.,LTD"
            ],
            "certificates": [
                {
                    "signer_name": "DUC FABULOUS CO.,LTD",
                    "certificate_thumbprint": "2C1D12F8BBE0827400A8440AF74FFFA8DCC8097C",
                    "tbs_sha256": "E745D44D154427FA248F601B5C094ACFF07D4D3AB678D5EDB26899FD9114AD46",
                    "tbs_sha1": "",
                    "certificate_der_base64": "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"
                },
                {
                    "signer_name": "DUC FABULOUS CO.,LTD",
                    "certificate_thumbprint": "1C8854BCA4E9E8249979957000414E9BBB8DBBEC",
                    "tbs_sha256": "8D5708904EE6AA475A0928A7043E0E0D2B0DC31F559A3DF4FA345763831DC70C",
                    "tbs_sha1": "",
                    "certificate_der_base64": "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"
                },
                {
                    "signer_name": "上海贝锐信息科技股份有限公司",
                    "certificate_thumbprint": "CD22D7228E666132008B90BB8D2D143BFD36D4EF",
                    "certificate_der_base64": "MIIH8DCCBdigAwIBAgIQBKWhM+f+21PI8WaHz7xO2zANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xQTA/BgNVBAMTOERpZ2lDZXJ0IFRydXN0ZWQgRzQgQ29kZSBTaWduaW5nIFJTQTQwOTYgU0hBMzg0IDIwMjEgQ0ExMB4XDTIzMDQwNDAwMDAwMFoXDTI2MDQwNDIzNTk1OVowgfgxEzARBgsrBgEEAYI3PAIBAxMCQ04xGjAYBgsrBgEEAYI3PAIBAgwJ5LiK5rW35biCMR0wGwYDVQQPDBRQcml2YXRlIE9yZ2FuaXphdGlvbjEbMBkGA1UEBRMSOTEzMTAxMTA3ODc4NjI0MTJCMQswCQYDVQQGEwJDTjESMBAGA1UECAwJ5LiK5rW35biCMTMwMQYDVQQKDCrkuIrmtbfotJ3plJDkv6Hmga/np5HmioDogqHku73mnInpmZDlhazlj7gxMzAxBgNVBAMMKuS4iua1t+i0nemUkOS/oeaBr+enkeaKgOiCoeS7veaciemZkOWFrOWPuDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAOJopQDuM9BxJ5WQmgHCz7fs1zZChUYjOW19C+SUsKAgy3cRP/Bfm2KeJtbXig4TDnFVdv09k2+MjqDAO1lferKQcm8wc2vKG6Ft2r+AS0eUhz+IdmxvVsPUUCpFbsAkHt5uHtb8LBJyXqFrYeyhVccRbcxZHTAeyHCzHcUOkSUxckEBj6CT94xzWxN/idh96ldDWWf8vrJmlSRtLXJFhSWUtMyuXbz6xydd1R8xE185F1AWNRgGXb8IEkrYcaqdj84nzzDnCJoPvcc0pPBxPG+YWucmid0JFO6E+Vvdmd6Sk/IHk3eyYTUJwQ5CuJJ/B2DgtZQdIFZdjDGuIBOPXqXGj2orusB2wBW4iJiJqRYSL4MVwsO8EGPofzecAXBuXx73cj0M+LI4NOpFOlBTKKBVSd7PsD4epEqUev2HbGQSsIZm3I6NFk78duAqK1hAfBwdyq9QuvczQkECOcQYnfAXoWRRmfUDl5dRyn/ahjJT+oUTbykufgGSWgOWEvf8hRFyakKo2w/Xn19GEjYHTN5spJu7xsisLdSVUN2jUU0bk1UX0AnvAiUcX7h4g/L4pATsOsLl9ON6GGP0nDsDI4GGKnlCabDDzla2/lMv+tScLZ+niEg8dK+/g0diLol0NVtyq6oaouCVWYlRoLKcBBbYhBtVvb5gFM1sqUsi/aTbAgMBAAGjggICMIIB/jAfBgNVHSMEGDAWgBRoN+Drtjv4XxGG+/5hewiIZfROQjAdBgNVHQ4EFgQUt9sRSy3XECe+vKv4UsxMowQ74twwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMIG1BgNVHR8Ega0wgaowU6BRoE+GTWh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0ZWRHNENvZGVTaWduaW5nUlNBNDA5NlNIQTM4NDIwMjFDQTEuY3JsMFOgUaBPhk1odHRwOi8vY3JsNC5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkRzRDb2RlU2lnbmluZ1JTQTQwOTZTSEEzODQyMDIxQ0ExLmNybDA9BgNVHSAENjA0MDIGBWeBDAEDMCkwJwYIKwYBBQUHAgEWG2h0dHA6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzCBlAYIKwYBBQUHAQEEgYcwgYQwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBcBggrBgEFBQcwAoZQaHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZEc0Q29kZVNpZ
25pbmdSU0E0MDk2U0hBMzg0MjAyMUNBMS5jcnQwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAgEAwAPmorGMuQZuc8m3oJbb01jgyxLubzW7DKTFBouZO+NzB/i8UceGCK6/F03YgMHsp2Q8+a7P9fhxfOUlAzE11cSL69JPX7z9Vk5rZmbbWiH0TqpcxdFt9MI8RvRXAkM9wcAUIjmH8KxLAFeCDEzknH2JlyH+IBQZutAtEBm+o52qiUPyvhcR/rMNYuXSR7qbuReSApg3PpwCzgQEYojzrxMHcN8jl85lgOJvC1VLARjWijwVomArA3ep2aiMWyZEuGq6qBFxeUkyTxbJ+LIA4UTYuNv3b65s1M9tKFJk9yjhGaJNEkhfoxl1gwix1Z7/s47rktEy2SbPFila7n1ONs6mPiKC/QR6lfEgLk332ikLJw16zlx9bfst5wwd+tpxSNwvJP0uOGkK8+7/0pgjjip7M2bO2+jn9xmJ5xZA65QOloM/ldvbO4D0jjIXchSEj56UaDYxTGQOXcRo/8j+ZTkT5BKrwYni48fEyLWuKNYH/u3QgtfQHWmrCwMm8qgLPNUO4K7OtGDKWgOPIaUIIx9paJmu8vm+gTi8x0dsnYAPFgnTeiqeYf7+FMYlUAMdrcxfcHw/avsC62/v59nwopRMNASljjHjuhiCKnsapK/U2ClZxIhCEzyw1zD6PnukZDgkm1Vy8uOfa2FkHqEuAMA4ICbeFt8OKwLWTYeA1Uo=",
                    "src_file_sha256": "995cdb276cd21557532b0b73c0ada53415f223400103177be9dd47e42a54e940",
                    "src_file_path": "downloaded_files/aweray/995cdb276cd21557532b0b73c0ada53415f223400103177be9dd47e42a54e940",
                    "src_file_company": "上海貝銳信息科技股份有限公司"
                }
            ]
        }
    },
    {
        "Name": "Acronis Cyber Protect (Remotix)",
        "Category": "RMM",
        "Description": "Acronis Cyber Protect (Remotix) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2025-09-05",
        "LastModified": "2025-09-05",
        "Details": {
            "Website": "https://www.acronis.com/en/products/cyber-protect-connect/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [
                "Windows"
            ],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "AcronisCyberProtectConnectQuickAssist*.exe",
                "AcronisCyberProtectConnectAgent.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "cloud.acronis.com",
                        "agents*-cloud.acronis.com",
                        "gw.remotix.com",
                        "connect.acronis.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/acronis_cyber_protect__remotix__network_sigma.yml",
                "Description": "Detects potential network activity of Acronis Cyber Protect (Remotix) RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/acronis_cyber_protect__remotix__processes_sigma.yml",
                "Description": "Detects potential process activity of Acronis Cyber Protect (Remotix) RMM tool"
            }
        ],
        "References": [
            "https://kb.acronis.com/content/47189"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "DeskShare",
        "Category": "RMM",
        "Description": "DeskShare is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://deskshare.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "TeamTaskManager.exe",
                "DSGuest.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "user_managed"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskshare_network_sigma.yml",
                "Description": "Detects potential network activity of DeskShare RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskshare_processes_sigma.yml",
                "Description": "Detects potential process activity of DeskShare RMM tool"
            }
        ],
        "References": [
            "https://www.deskshare.com/help/fml/Active-and-Passive-connection-mode.aspx"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "OptiTune",
        "Category": "RMM",
        "Description": "OptiTune is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.bravurasoftware.com/optitune/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "OTService.exe",
                "OTPowerShell.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.optitune.us",
                        "*.opti-tune.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/optitune_network_sigma.yml",
                "Description": "Detects potential network activity of OptiTune RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/optitune_processes_sigma.yml",
                "Description": "Detects potential process activity of OptiTune RMM tool"
            }
        ],
        "References": [
            "https://www.bravurasoftware.com/optitune/support/faq.aspx"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "Weezo",
        "Category": "RMM",
        "Description": "Weezo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2025-12-14",
        "Details": {
            "Website": "",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "weezohttpd.exe",
                "weezo.exe",
                "weezo setup*.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.weezo.me",
                        "weezo.net",
                        "*.weezo.net",
                        "weezo.en.softonic.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/weezo_network_sigma.yml",
                "Description": "Detects potential network activity of Weezo RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/weezo_processes_sigma.yml",
                "Description": "Detects potential process activity of Weezo RMM tool"
            }
        ],
        "References": [
            "https://weezo.en.softonic.com"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "search_names": [
                "22ba2e94e332dfa49e9bd0b0ab6f3d1e42f22208ce1866be50b1c7d1407ffb97bfadd7e2a9b9590607b41b8308e618a605146236626523b9dbecfdd40e90bdb9",
                "weezo setup.3.0.0.exe",
                "weezo setup.4.0.0.exe",
                "weezo setup.exe",
                "weezo-2078.exe",
                "weezo_setup.4.2.3.exe",
                "weezo_setup.exe"
            ],
            "company_names": [],
            "signer_names": [],
            "certificates": []
        },
        "FileHashes": {
            "authenticode": [
                {
                    "file_name": "Weezo setup.exe",
                    "sha256": "70153918280FF279DCB2EAB03104C12F33A9F2AD29330678748C995F885054A7",
                    "sha1": "A3AA5A8472D4FCE6AEEB0C3C6A58B471DEC44887"
                },
                {
                    "file_name": "weezo-2078.exe",
                    "sha256": "4D8346AE025FA55B9CE791B0599872E6E5F874EAB07CD032AF81483139B04A8D",
                    "sha1": "F4F5831576488FA505D5895CD815874746B514AD"
                },
                {
                    "file_name": "weezo_setup.exe",
                    "sha256": "390E8BB86207AC87225F19C80985E7C6372B13652D069ACC39FC47FC446B5D6B",
                    "sha1": "E686A6E3AFE3D4062B53F35918B2067E95EF212C"
                },
                {
                    "file_name": "Weezo setup.3.0.0.exe",
                    "sha256": "84E6C57533BB118A09CE342802AED3D7590AB3DD45BBA8542EC871ADA48D59EF",
                    "sha1": "1BDAE866AE253944649A7B7F234500B8F9423155"
                },
                {
                    "file_name": "22ba2e94e332dfa49e9bd0b0ab6f3d1e42f22208ce1866be50b1c7d1407ffb97bfadd7e2a9b9590607b41b8308e618a605146236626523b9dbecfdd40e90bdb9",
                    "sha256": "8C86DAACCAEB8E10DE2A4FF9D05A1D0DD3AC7E59BBC9537ED566163D34DA0605",
                    "sha1": "7EFCBAACF0E9B64B583DDD5824ACA05235FE7F2D"
                },
                {
                    "file_name": "Weezo_setup.exe",
                    "sha256": "C372AF01469F554B94B1DB3EAFD4124637A6BF956C7B205C290E1951F5265C28",
                    "sha1": "0D0D544C25B0B3827BE50A1BDB07805FB7C6C21D"
                },
                {
                    "file_name": "weezo setup.4.0.0.exe",
                    "sha256": "7B38E039497F699DC85E017C7197A425A05CCFEA36F2101A7F0B170F714683C0",
                    "sha1": "E409F3910AD3DFF75F01FCE143F010827A7509A7"
                },
                {
                    "file_name": "Weezo_setup.4.2.3.exe",
                    "sha256": "B6776EB6DD8526B1F439362CF663B202CC785EF71F12E0C51AB4254C7902CCC3",
                    "sha1": "22DA7242E3410C92529A73BF7FA91F89380970BD"
                }
            ],
            "page": [
                {
                    "file_name": "Weezo setup.exe",
                    "sha256": "170E12BD1F8D7BDDBEA3D2577D295381164CCC77555B512DD7F3954F3F2FFD01",
                    "sha1": "19153EE1E3B98ADDE8274F2424D3E6754D524FF5"
                },
                {
                    "file_name": "weezo-2078.exe",
                    "sha256": "01D419D9CA58F743AF87967A2BBDF81C10F41E24FD06B55A0FE6BBB73AAC6786",
                    "sha1": "103CC504DD34E8DFABFC8ADC3D2185C5F5619E84"
                }
            ]
        }
    },
    {
        "Name": "Synergy",
        "Category": "RAT",
        "Description": "Synergy is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://symless.com/synergy",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": []
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "user_managed"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/synergy_network_sigma.yml",
                "Description": "Detects potential network activity of Synergy RMM tool"
            }
        ],
        "References": [
            "https://symless.com/synergy"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "Sophos-Remote Management System",
        "Category": "RMM",
        "Description": "Sophos-Remote Management System is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "clientmrinit.exe",
                "mgntsvc.exe",
                "routernt.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.sophos.com",
                        "*.sophosupd.com",
                        "*.sophosupd.net",
                        "community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/5725/sophos-remote-management-system"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sophos-remote_management_system_network_sigma.yml",
                "Description": "Detects potential network activity of Sophos-Remote Management System RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sophos-remote_management_system_processes_sigma.yml",
                "Description": "Detects potential process activity of Sophos-Remote Management System RMM tool"
            }
        ],
        "References": [
            "https://community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/5725/sophos-remote-management-system"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "WebRDP",
        "Category": "RAT",
        "Description": "WebRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://github.com/Mikej81/WebRDP",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "webrdp.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
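                    "Description": "Known remote domains. Note: 'user_managed' is a placeholder, not a hostname (presumably the server address is chosen by whoever hosts the tool), and 'github.com/Mikej81/WebRDP' is the project's repository URL; matching on github.com alone would flag ordinary GitHub traffic",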
                    "Domains": [
                        "user_managed",
                        "github.com/Mikej81/WebRDP"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/webrdp_network_sigma.yml",
                "Description": "Detects potential network activity of WebRDP RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/webrdp_processes_sigma.yml",
                "Description": "Detects potential processes activity of WebRDP RMM tool"
            }
        ],
        "References": [
            "https://github.com/Mikej81/WebRDP"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "RemoteCall",
        "Category": "RMM",
        "Description": "RemoteCall is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.remotecall.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [
                "Windows"
            ],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "rcengmgru.exe",
                "rcmgrsvc.exe",
                "rxstartsupport.exe",
                "rcstartsupport.exe",
                "raautoup.exe",
                "agentu.exe",
                "remotesupportplayeru.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.remotecall.com",
                        "*.startsupport.com",
                        "remotecall.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotecall_network_sigma.yml",
                "Description": "Detects potential network activity of RemoteCall RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotecall_processes_sigma.yml",
                "Description": "Detects potential processes activity of RemoteCall RMM tool"
            }
        ],
        "References": [
            "https://help.remotecall.com/hc/en-us/articles/360005128814--RemoteCall-Server-List-For-Firewall"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "Rsupport Co., Ltd.",
                    "certificate_thumbprint": "3E3B0B3E214A4549446257C92C06839F92DCE444",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "d8d56802d3a0f12a33a9c014ca5edb075e7272bb38274fdcb0d4a8a95a4147a6",
                    "src_file_path": "downloaded_files/remotecall/d8d56802d3a0f12a33a9c014ca5edb075e7272bb38274fdcb0d4a8a95a4147a6",
                    "src_file_company": "RSUPPORT"
                },
                {
                    "signer_name": "Rsupport Co., Ltd.",
                    "certificate_thumbprint": "D5980651B93ED19EC1DB036FC73024C4761437BC",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "47b4ff9f8cda6a49a31e1c1f9b42ed1a574bdb71f42f27c147bce48d1b48ac5d",
                    "src_file_path": "downloaded_files/remotecall/47b4ff9f8cda6a49a31e1c1f9b42ed1a574bdb71f42f27c147bce48d1b48ac5d",
                    "src_file_company": "Rsupport Corporation"
                }
            ]
        }
    },
    {
        "Name": "Adobe Connect",
        "Category": "RAT",
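        "Description": "Adobe Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.\n\n**NOTE**: The code-signing certificate recorded for this entry names 'The Anti-Cloud Corporation' as signer and 'WireSock Foundation' as the source file's company, neither of which is Adobe. Treat that certificate data as unverified for this product and confirm the sampled file before using the thumbprint in detections or allow/block lists.",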
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.adobe.com/products/adobeconnect.html",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "ConnectAppSetup*.exe",
                "ConnectShellSetup*.exe",
                "Connect.exe",
                "ConnectDetector.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.adobeconnect.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/adobe_connect_network_sigma.yml",
                "Description": "Detects potential network activity of Adobe Connect RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/adobe_connect_processes_sigma.yml",
                "Description": "Detects potential processes activity of Adobe Connect RMM tool"
            }
        ],
        "References": [
            "https://helpx.adobe.com/adobe-connect/firewall-proxy-server-configuration-adobe-connect.html"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "The Anti-Cloud Corporation",
                    "certificate_thumbprint": "013371A3E52D87E59DA1C93A305732B1501FFE5A",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "4d5e55cb8cbeb6fc530c38ffd6413ce22b618e4e06fa5c3ebb7c24902aa4ae4d",
                    "src_file_path": "downloaded_files/adobe_connect/4d5e55cb8cbeb6fc530c38ffd6413ce22b618e4e06fa5c3ebb7c24902aa4ae4d",
                    "src_file_company": "WireSock Foundation"
                }
            ]
        }
    },
    {
        "Name": "Chrome Remote Desktop",
        "Category": "RAT",
        "Description": "Chrome Remote Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.\n\n**IMPORTANT**: This tool is signed with legitimate Google LLC certificates that are also used to sign Chrome browser and other Google applications. Do NOT blindly block these certificate thumbprints as doing so will break Google Chrome and other Google products in your environment. Use certificate data for detection, hunting, and analysis purposes only.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://remotedesktop.google.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [
                "Windows"
            ],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "remote_host.exe",
                "remoting_host.exe",
                "C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\*",
                "*\\Google\\Chrome Remote Desktop\\*",
                "*\\remoting_host.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*remotedesktop.google.com",
                        "*remotedesktop-pa.googleapis.com",
                        "remotedesktop.google.com",
                        "chromoting-client.talkgadget.google.com",
                        "chromoting-host.talkgadget.google.com",
                        "chromoting-oauth.talkgadget.google.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_network_sigma.yml",
                "Description": "Detects potential network activity of Chrome Remote Desktop RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_processes_sigma.yml",
                "Description": "Detects potential processes activity of Chrome Remote Desktop RMM tool"
            }
        ],
        "References": [
            "https://support.google.com/chrome/a/answer/2799701?hl=en"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "Google LLC",
                    "certificate_thumbprint": "607A3EDAA64933E94422FC8F0C80388E0590986C",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "1e0fbe101bbca4efdfb05c012495265f1db731c97fb82fa8e569c6ab725c0140",
                    "src_file_path": "downloaded_files/chrome_remote_desktop/1e0fbe101bbca4efdfb05c012495265f1db731c97fb82fa8e569c6ab725c0140",
                    "src_file_company": "Google LLC"
                }
            ]
        }
    },
    {
        "Name": "Quest KACE Agent (formerly Dell KACE)",
        "Category": "RMM",
        "Description": "Quest KACE Agent (formerly Dell KACE) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2025-12-14",
        "Details": {
            "Website": "https://www.quest.com/kace/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "konea.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.kace.com",
                        "www.quest.com/kace/"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quest_kace_agent__formerly_dell_kace__network_sigma.yml",
                "Description": "Detects potential network activity of Quest KACE Agent (formerly Dell KACE) RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quest_kace_agent__formerly_dell_kace__processes_sigma.yml",
                "Description": "Detects potential processes activity of Quest KACE Agent (formerly Dell KACE) RMM tool"
            }
        ],
        "References": [
            "https://support.quest.com/kb/4211365/which-network-ports-and-urls-are-required-for-the-kace-sma-appliance-to-function"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "search_names": [],
            "company_names": [],
            "signer_names": [
                "Quest Software Inc."
            ],
            "certificates": [
                {
                    "signer_name": "Quest Software Inc.",
                    "certificate_thumbprint": "41D7B56D7E8A181A954AA35A3A0FDF178FAAE01A",
                    "tbs_sha256": "C7638A5AF56C9F4AE902251705B2E370E209E7A9218605628995AD73469E0F53",
                    "tbs_sha1": "",
                    "certificate_der_base64": "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"
                },
                {
                    "signer_name": "Quest Software Inc.",
                    "certificate_thumbprint": "B7DF1291422B3186EE44BFF040931D8788DB63E6",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "850a4c24055afc7d293232f250f8ec7cc4bb6971f2fe159512427196e96720eb",
                    "src_file_path": "downloaded_files/quest_kace_agent_(formerly_dell_kace)/850a4c24055afc7d293232f250f8ec7cc4bb6971f2fe159512427196e96720eb",
                    "src_file_company": "Quest Software Inc."
                }
            ]
        }
    },
    {
        "Name": "Microsoft Quick Assist",
        "Category": "RAT",
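        "Description": "Microsoft Quick Assist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.\n\n**NOTE**: The certificates recorded for this entry have signer names 'GlobalSigningDig' and 'CodeSigningMico', while the sampled files report 'Microsoft Corporation' as their company. A signer that does not match the claimed vendor is not evidence of a genuine Microsoft binary; use these thumbprints for hunting and analysis only, never as an allowlist for Quick Assist.",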
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://support.microsoft.com/windows/solve-pc-problems-remotely-using-quick-assist-b077e31a-16f4-2529-1a47-21f6a9040bf3",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "quickassist.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "user_managed",
                        "*.support.services.microsoft.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_quick_assist_network_sigma.yml",
                "Description": "Detects potential network activity of Microsoft Quick Assist RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_quick_assist_processes_sigma.yml",
                "Description": "Detects potential processes activity of Microsoft Quick Assist RMM tool"
            }
        ],
        "References": [
            "https://support.microsoft.com/en-us/windows/install-quick-assist-c17479b7-a49d-4d12-938c-dbfb97c88bca"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "GlobalSigningDig",
                    "certificate_thumbprint": "DE523085FB77B3D8B78E80EF14BC627772C6E1D0",
                    "certificate_der_base64": "MIIDBjCCAe6gAwIBAgIQc+jN31/yRqxBNamgs3AXfDANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDDBBHbG9iYWxTaWduaW5nRGlnMB4XDTI1MTAzMDA4MTE0N1oXDTI2MTAzMDA4MzE0N1owGzEZMBcGA1UEAwwQR2xvYmFsU2lnbmluZ0RpZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMx/Ld3o0K7RMJtTr0DHt1pMqrpNzLFQZja9ZPTPmYvRw4JF8gu5Sb/apCpz//BIAQJQ0N9D4C8bkoeVxsmlcuNzjaiCTBOeEHKC/epZiVvOC8OWjwoQxZcInovFiv0PS6V8cl1kM6S/4FXpVDCn2uqpxKFQHQeTrxsZa07VMyVvAKcx0u8mTFHEgiuNvgcbPZ959V+BRZ+siyzWJyzS/UmoyXO8jkkArwMybcKYVvK40FLH1t/S8teERp6iiyke2YB2eAC+EmKnkG9+HSB3NFb7Q1pOu5YrD3ieUMoNJPrpb5amUfW2fKhRAElSJD9oYW0OtA6XoROiQb3A89I6An0CAwEAAaNGMEQwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMB0GA1UdDgQWBBQbfXHoPs6WtHehmqYdqtanuiy+QTANBgkqhkiG9w0BAQsFAAOCAQEAIEJubEC/2gOkiYK6yjzfXip17fJSviz/wJ4O69XOKpHLTL0Nx9WjmqUAFUTQG46+xYOx5FU5Zvq76RmOtKfWXOXVyRgSnJVk5FYA9B+3dO4bsD6i16rRrnlGmTdWJx8WRRZBFTYhmJ24CSJtrnd5BU4Cl9Y6XYNNFOG5tsQRtGYPK1JGWJ+PVUxnZYkQC0hT4SX0mKhQQfrB1gZTySTnM2qaHkmeOOewgYzfFfkYSUn8QLiqwlrPrssU0xntqvk9PAbeRv+J+laYFDHPg/Cl1OcS8uwk4/VOInniSLQnLoDGbtQIIPOAmxezDu1l5eaT90E1TAC+sopyTOyrR8UeLw==",
                    "src_file_sha256": "0f6269a8095b8c622ea2b864df5fd6f09f676f0a5f87618d475b936e27b19af3",
                    "src_file_path": "downloaded_files/microsoft_quick_assist/0f6269a8095b8c622ea2b864df5fd6f09f676f0a5f87618d475b936e27b19af3",
                    "src_file_company": "Microsoft Corporation"
                },
                {
                    "signer_name": "CodeSigningMico",
                    "certificate_thumbprint": "6116BB0D666C358E66E8E18E25B8C147B9C0F2F6",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "9653b13e7bfa2f3be8a175ff895e5bf46537e5f742905751282f956e39587b0b",
                    "src_file_path": "downloaded_files/microsoft_quick_assist/9653b13e7bfa2f3be8a175ff895e5bf46537e5f742905751282f956e39587b0b",
                    "src_file_company": "Microsoft Corporation"
                }
            ]
        }
    },
    {
        "Name": "Guacamole",
        "Category": "RAT",
        "Description": "Guacamole is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://guacamole.apache.org/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "guacd.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "user_managed",
                        "guacamole.apache.org"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/guacamole_network_sigma.yml",
                "Description": "Detects potential network activity of Guacamole RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/guacamole_processes_sigma.yml",
                "Description": "Detects potential processes activity of Guacamole RMM tool"
            }
        ],
        "References": [
            "https://guacamole.apache.org"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "WebEx (Remote Access)",
        "Category": "RMM",
        "Description": "WebEx (Remote Access) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.webex.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": []
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [],
        "References": [
            "https://help.webex.com/en-us/article/nyc3q0b/Set-Up-a-Computer-for-Remote-Access"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "QQ IM-remote assistance",
        "Category": "RMM",
        "Description": "QQ IM-remote assistance is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "qq.exe",
                "QQProtect.exe",
                "qqpcmgr.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.mdt.qq.com",
                        "*.desktop.qq.com",
                        "upload_data.qq.com",
                        "qq-messenger.en.softonic.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/qq_im-remote_assistance_network_sigma.yml",
                "Description": "Detects potential network activity of QQ IM-remote assistance RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/qq_im-remote_assistance_processes_sigma.yml",
                "Description": "Detects potential processes activity of QQ IM-remote assistance RMM tool"
            }
        ],
        "References": [
            "https://en.wikipedia.org/wiki/Tencent_QQ"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "Tencent Technology (Shenzhen) Company Limited",
                    "certificate_thumbprint": "0F55B47074C6B8D76B79ECF07EA9FC92BDA8B87D",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "ade688d199df2896a0fb1c1242cc3cbca8c779c9e6a99f067a0e3ca07de136d0",
                    "src_file_path": "downloaded_files/qq_im-remote_assistance/ade688d199df2896a0fb1c1242cc3cbca8c779c9e6a99f067a0e3ca07de136d0",
                    "src_file_company": "Tencent"
                },
                {
                    "signer_name": "Tencent Technology (Shenzhen) Company Limited",
                    "certificate_thumbprint": "902745066D65FB8841D5EAD85DB9CA125C21CF42",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "efb865721cf7fe1483a9a6d1f54b65a83a85a064fa488d24b3c6a681e1ffbc15",
                    "src_file_path": "downloaded_files/qq_im-remote_assistance/efb865721cf7fe1483a9a6d1f54b65a83a85a064fa488d24b3c6a681e1ffbc15",
                    "src_file_company": "Tencent"
                },
                {
                    "signer_name": "Tencent Technology (Shenzhen) Company Limited",
                    "certificate_thumbprint": "4B32EB2444E6BB9144A088E59606BCF02B8F2613",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "502e415e49b34695f487a733573019f07a090e885d01efeeb5b7dab229c03cfc",
                    "src_file_path": "downloaded_files/qq_im-remote_assistance/502e415e49b34695f487a733573019f07a090e885d01efeeb5b7dab229c03cfc",
                    "src_file_company": "Tencent"
                }
            ]
        }
    },
    {
        "Name": "LabTeach (Connectwise Automate)",
        "Category": "RMM",
        "Description": "LabTech (ConnectWise Automate), listed in this catalog under the spelling 'LabTeach', is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.connectwise.com/platform/automate",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [
                "Windows"
            ],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "ltsvc.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labteach__connectwise_automate__processes_sigma.yml",
                "Description": "Detects potential processes activity of LabTeach (Connectwise Automate) RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": []
    },
    {
        "Name": "HeartbeatRM",
        "Category": "RMM",
        "Description": "HeartbeatRM is a remote monitoring and management (RMM) tool that has been observed being leveraged in social engineering campaigns, including invitation-themed and Social Security–related phishing lures, to establish unauthorised remote access on victim endpoints prior to the deployment of ScreenConnect. The tool installs as a Windows service and serves as an initial access mechanism and staging point for secondary RMM deployment. Note - Of the binary names and paths reported in threat intelligence, only the agent-installer-any.exe installer and the Program Files (x86) installation directory are marked as verified in this entry; hbrm-x64.exe, hbrm-updater-x64.exe and the Program Files installation directory could not be independently verified via VirusTotal or official documentation.",
        "Author": "Michael Haag",
        "Created": "2026-01-15",
        "LastModified": "2026-01-15",
        "Details": {
            "Website": "https://heartbeatrm.com/",
            "PEMetadata": [
                {
                    "Filename": "agent-installer-any.exe",
                    "OriginalFileName": "",
                    "Description": "Official HeartbeatRM installer (verified via VirusTotal)"
                },
                {
                    "Filename": "hbrm-x64.exe",
                    "OriginalFileName": "",
                    "Description": "Reported HeartbeatRM executable (unverified - from threat intelligence report)"
                },
                {
                    "Filename": "hbrm-updater-x64.exe",
                    "OriginalFileName": "",
                    "Description": "Reported HeartbeatRM updater executable (unverified - from threat intelligence report)"
                }
            ],
            "Privileges": "SYSTEM",
            "Free": "Unknown",
            "Verification": "",
            "SupportedOS": [
                "Windows"
            ],
            "Capabilities": [
                "Remote Control",
                "Remote Access",
                "File Transfer",
                "Command Line Support"
            ],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Program Files (x86)\\HeartbeatRM\\*",
                "C:\\Program Files\\HeartbeatRM\\*",
                "*\\HeartbeatRM\\*",
                "agent-installer-any.exe",
                "hbrm-x64.exe",
                "hbrm-updater-x64.exe"
            ]
        },
        "Artifacts": {
            "Disk": [
                {
                    "File": "C:\\Program Files (x86)\\HeartbeatRM\\*",
                    "Description": "HeartbeatRM official installation directory (verified via vendor documentation)",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files\\HeartbeatRM\\*",
                    "Description": "HeartbeatRM reported installation directory (unverified - from threat intelligence)",
                    "OS": "Windows"
                },
                {
                    "File": "*\\agent-installer-any.exe",
                    "Description": "HeartbeatRM official installer (verified via VirusTotal)",
                    "OS": "Windows"
                }
            ],
            "EventLog": [
                {
                    "EventID": 7045,
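                    "Description": "Service installation event for HeartbeatRM (Event ID 7045, Service Control Manager, System log). This event is logged for every newly installed service, so match on a service name or image path that points at HeartbeatRM rather than on the event ID alone",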
                    "OS": "Windows"
                }
            ],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.heartbeatrm.com",
                        "heartbeatrm.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [],
        "References": [
            "https://github.com/magicsword-io/LOLRMM/issues/136",
            "https://heartbeatrm.com/"
        ],
        "Acknowledgement": [
            {
                "Person": "0xburgers",
                "Handle": "@0xburgers"
            }
        ]
    },
    {
        "Name": "ToDesk",
        "Category": "RMM",
        "Description": "ToDesk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.todesk.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "todesk.exe",
                "ToDesk_Service.exe",
                "ToDesk_Setup.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "todesk.com",
                        "*.todesk.com",
                        "*.todesk.com",
                        "todesktop.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/todesk_network_sigma.yml",
                "Description": "Detects potential network activity of ToDesk RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/todesk_processes_sigma.yml",
                "Description": "Detects potential process activity of ToDesk RMM tool"
            }
        ],
        "References": [
            "https://www.todesk.com/"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "ITSupport247 (ConnectWise)",
        "Category": "RMM",
        "Description": "ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://control.itsupport247.net/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "saazapsc.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.itsupport247.net",
                        "itsupport247.net"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__network_sigma.yml",
                "Description": "Detects potential network activity of ITSupport247 (ConnectWise) RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__processes_sigma.yml",
                "Description": "Detects potential process activity of ITSupport247 (ConnectWise) RMM tool"
            }
        ],
        "References": [
            "https://control.itsupport247.net/"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "Jump Cloud",
        "Category": "RMM",
        "Description": "Jump Cloud is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://jumpcloud.com/platform/remote-assistance",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "JumpCloud*.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.api.jumpcloud.com",
                        "*.assist.jumpcloud.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_cloud_network_sigma.yml",
                "Description": "Detects potential network activity of Jump Cloud RMM tool"
            }
        ],
        "References": [
            "https://jumpcloud.com/support/understand-remote-assist-agent"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "JumpCloud Inc",
                    "certificate_thumbprint": "10DAFAAFE2293D627AE971DAC84B64D33F2B3F80",
                    "certificate_der_base64": "MIIH1jCCBb6gAwIBAgIQCRWf7W36ZGMb1p9I74SPjjANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xQTA/BgNVBAMTOERpZ2lDZXJ0IFRydXN0ZWQgRzQgQ29kZSBTaWduaW5nIFJTQTQwOTYgU0hBMzg0IDIwMjEgQ0ExMB4XDTI1MDIxMDAwMDAwMFoXDTI2MDIwOTIzNTk1OVowgd4xEzARBgsrBgEEAYI3PAIBAxMCVVMxGTAXBgsrBgEEAYI3PAIBAhMIRGVsYXdhcmUxHTAbBgNVBA8MFFByaXZhdGUgT3JnYW5pemF0aW9uMRAwDgYDVQQFEwc0OTE2MDUxMQswCQYDVQQGEwJVUzERMA8GA1UECBMIQ29sb3JhZG8xEzARBgNVBAcTCkxvdWlzdmlsbGUxFjAUBgNVBAoTDUp1bXBDbG91ZCBJbmMxFjAUBgNVBAsTDUp1bXBDbG91ZCBJbmMxFjAUBgNVBAMTDUp1bXBDbG91ZCBJbmMwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDsWXhY4Ur6jz+G/Muoii9M3kvJ/oXKB26hD1bb+mFyGaWwBkyiu7SfoNvkrf89QvxB3fgqQ1WSxg+X+UzR+cG4fVMlCzOGl2/HJUJwR+qAvqCemsRSNE+K+1m0ys632mvWxDR1ZLAkUmUEpGcqFl3Gxwtk+JfBMC3mYOVib1Uic+Ibr0k3xXumq9s9iuuZ/6waFswn7m7NIHbmaFoTMPznxtwT9TQ1pm10CU0ideRBWTzgMWEUvXCCBiXQwOpQG9B6fP+7eSKUgsdCtrqLpe53n8MhS2gfeztB8QibBgGnHEZAGqLIx0Co6ugvYAFPeRqsOL63kkVeofoGGgPBQTiRv+UZDthQzd6tgEYXFmUD+sk0x2tUfCTeDy/hgQC/aNNDHvokdTaz3G+eDMZ9c2LUeWpRWuOg5SBG2Fw8FJYgCQD+uhsADreH7r8VRmoWLjjOxhrx5im84MLol5Ig1Vxl16pcut894HvonugWo7vD7vE/vfSVSQ5S8gOdICtEhNYcumySDR1B+MLkNMdil+9aBYj6Maf2yEheoY8N6ieKN2Dos6MqxZ0sSg1MaBOmVMLe7J3ka5Ex+26j8RWJLievjIes1CdAd8pKLDP5hCL1wizIBS1BdqP82UIAQvUjSGnbnJaUG3VyC3eeu1rKxc/A0cjGMLyySpX5GZ2lM8kbiwIDAQABo4ICAjCCAf4wHwYDVR0jBBgwFoAUaDfg67Y7+F8Rhvv+YXsIiGX0TkIwHQYDVR0OBBYEFBMRGPTFXPgDTxXgHMXtmx/cZkg5MD0GA1UdIAQ2MDQwMgYFZ4EMAQMwKTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5kaWdpY2VydC5jb20vQ1BTMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzCBtQYDVR0fBIGtMIGqMFOgUaBPhk1odHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkRzRDb2RlU2lnbmluZ1JTQTQwOTZTSEEzODQyMDIxQ0ExLmNybDBToFGgT4ZNaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZEc0Q29kZVNpZ25pbmdSU0E0MDk2U0hBMzg0MjAyMUNBMS5jcmwwgZQGCCsGAQUFBwEBBIGHMIGEMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wXAYIKwYBBQUHMAKGUGh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0ZWRHNENvZGVTaWduaW5nUlNBNDA5NlNIQTM4NDIwMjFDQTEuY
3J0MAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggIBADzojnlLJV4c0QEOwlHG464/7q6BRdqv2oI9QHAJkMIkvuFdE0LJr6rwV6m9w8wnmwU5AHEMZQ5PeXjOwg0DblDk3hVfgvYIh/M73s1HIH2RW4f6o5ojOTW/ftdE4mDwB4T/o5JhhNDVyGSgvud1PTJlyy/J8q27YLVxxrCob5xyhr+QvAgs0LNGEdaj7DTzz1lBiRv2V0JxH8TpfMQv7ODba1B0tAUV/ue2TQS1SlShMJgpNHrjkSIUBoJkzU9oSC7tjs859KZW8TH95rz2EaLHFKojqXQIrI/u57gl0GP9zNvdI676WLG2JTXm6uh5vOcD/F4SUAB5K9p/EGzI4J+gdlLVXS9ltT0SchJR6sMeuERO3clK1wlEAE5lQLyGi5OahSQpFlKt4P7Bbpk30ZdZyO+p043/kTxHrKfkOxNdqdaM2tcLHC+swp3jBko7HIOgFlhGdjuFB80iap3yJv+pW2dSwygxSRi2LTv8wCOfYEE3QZWNaLKvdklHgei/0+R8IyVLMwWyyS6JWC73FZyXGiBnbI/HaLnWhIkogtJ7XT9Zs6gCTpfWSltNwNaaTz+f+3CO351RC3mDOW8AzSnRgHMac+BP7B76/emRRP5TifoX3ZNv6/lvttrY28FI26YC61Z0Lcm8rQrokWSBTGEU0sx4sZnoMOtRzejCzBwD",
                    "src_file_sha256": "be269a8a5a57a4525cf0f4342e864e7a5e307f4aa1246cf52a08a26e0a30b1af",
                    "src_file_path": "downloaded_files/jump_cloud/be269a8a5a57a4525cf0f4342e864e7a5e307f4aa1246cf52a08a26e0a30b1af",
                    "src_file_company": "JumpCloud"
                },
                {
                    "signer_name": "JumpCloud Inc",
                    "certificate_thumbprint": "A4532C9F5D789FE2D6726651339D1D4F9AE6429C",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "73afc1ff220df0f407d9db143645dcb15f57c1f95918ab01daa0a96e3824e56e",
                    "src_file_path": "downloaded_files/jump_cloud/73afc1ff220df0f407d9db143645dcb15f57c1f95918ab01daa0a96e3824e56e",
                    "src_file_company": "JumpCloud"
                }
            ]
        }
    },
    {
        "Name": "Neturo",
        "Category": "RMM",
        "Description": "Neturo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [
                "Windows"
            ],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "neturo*.exe",
                "ntrntservice.exe",
                "neturo.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "neturo.uplus.co.kr"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/neturo_network_sigma.yml",
                "Description": "Detects potential network activity of Neturo RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/neturo_processes_sigma.yml",
                "Description": "Detects potential process activity of Neturo RMM tool"
            }
        ],
        "References": [
            "http://www.iconpos.com/pos/home/iconpos/bbs.php?id=file&q=view&uid=2"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "LG Uplus Corp.",
                    "certificate_thumbprint": "A6AFB7E544982EE2CEE2348C20F90C403973868C",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "8f58e4840aba88c7bbf69f86139498f6a6ab92d317491f729a79c5ed12c1d046",
                    "src_file_path": "downloaded_files/neturo/8f58e4840aba88c7bbf69f86139498f6a6ab92d317491f729a79c5ed12c1d046",
                    "src_file_company": "LG Uplus Corp."
                }
            ]
        }
    },
    {
        "Name": "NetSupport Manager",
        "Category": "RMM",
        "Description": "NetSupport Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.netsupportmanager.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "pcictlui.exe",
                "client32.exe",
                "pcicfgui.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "geo.netsupportsoftware.com",
                        "netsupportmanager.com",
                        "*.netsupportmanager.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_network_sigma.yml",
                "Description": "Detects potential network activity of NetSupport Manager RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_processes_sigma.yml",
                "Description": "Detects potential process activity of NetSupport Manager RMM tool"
            }
        ],
        "References": [
            "https://www.netsupportmanager.com/resources/"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "Connectwise Automate (LabTech)",
        "Category": "RMM",
        "Description": "Connectwise Automate (LabTech) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2025-12-14",
        "Details": {
            "Website": "https://www.connectwise.com/platform/automate",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "ltsvc.exe",
                "ltsvcmon.exe",
                "lttray.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.hostedrmm.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_automate__labtech__network_sigma.yml",
                "Description": "Detects potential network activity of Connectwise Automate (LabTech) RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_automate__labtech__processes_sigma.yml",
                "Description": "Detects potential process activity of Connectwise Automate (LabTech) RMM tool"
            }
        ],
        "References": [
            "https://www.connectwise.com/company/announcements/labtech-now-connectwise-automate"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "search_names": [
                "ltsvc.exe",
                "ltsvcmon.exe",
                "lttray.exe"
            ],
            "company_names": [],
            "signer_names": [
                "ConnectWise\\",
                "Connectwise\\"
            ],
            "certificates": [
                {
                    "signer_name": "ConnectWise\\",
                    "issuer": "CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1",
                    "certificate_thumbprint": "DC69069188D5CBC5FE18B7D035C90061C8741E21",
                    "tbs_sha256": "EE87E0B6968C49806887874C952D0F6C1DAABA50D699FE8C5524103D7A3A82D1",
                    "tbs_sha1": "8A97D01B55E4A964BC3379B13A5C8FF616756F98",
                    "valid_from": "2025-06-18T00:00:00+00:00",
                    "valid_to": "2028-06-20T23:59:59+00:00",
                    "certificate_der_base64": "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"
                },
                {
                    "signer_name": "Connectwise\\",
                    "issuer": "CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1",
                    "certificate_thumbprint": "FF8BFAFA697459874FB9843B1EFDA5C91871A44C",
                    "tbs_sha256": "46135C0D0BC2714588E2E99AEB2BBC714F972F50D46C4C6D084F9D9CF9E485A4",
                    "tbs_sha1": "8FA64999CB0CB343856CECBA0F7475CD2079B01B",
                    "valid_from": "2022-07-13T00:00:00+00:00",
                    "valid_to": "2025-07-12T23:59:59+00:00",
                    "certificate_der_base64": "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"
                },
                {
                    "signer_name": "ConnectWise\\",
                    "issuer": "CN=GlobalSign Extended Validation CodeSigning CA - SHA256 - G3",
                    "certificate_thumbprint": "07290735CAC17E851C608F28C3C03F68B94DDC35",
                    "tbs_sha256": "2536E3C682B73B99B516CDEEE24FCB828C84CBDA003E3C3075CA771717B4CEBA",
                    "tbs_sha1": "50795CA816F444E2EF35E42C95AFC0AD99633491",
                    "valid_from": "2019-01-11T20:03:41+00:00",
                    "valid_to": "2022-04-07T21:58:55+00:00",
                    "certificate_der_base64": "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"
                },
                {
                    "signer_name": "ConnectWise, LLC",
                    "certificate_thumbprint": "70644D15A9833AE7E85FCC0D2146831978BEEFF4",
                    "certificate_der_base64": "MIIG3TCCBMWgAwIBAgIQBNke4DLdGhpLIOSOdesphzANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xQTA/BgNVBAMTOERpZ2lDZXJ0IFRydXN0ZWQgRzQgQ29kZSBTaWduaW5nIFJTQTQwOTYgU0hBMzg0IDIwMjEgQ0ExMB4XDTI1MDYxMDAwMDAwMFoXDTI4MDYwOTIzNTk1OVowZTELMAkGA1UEBhMCVVMxEDAOBgNVBAgTB0Zsb3JpZGExDjAMBgNVBAcTBVRhbXBhMRkwFwYDVQQKExBDb25uZWN0V2lzZSwgTExDMRkwFwYDVQQDExBDb25uZWN0V2lzZSwgTExDMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEA4cUf5+kV+KFRM9L+s8gGJ73hTXcEe/LUeGwf6wpdSBd3t8zNmow4GXP+ihQcr69EEDG+zO42ptsHoKbU4dn/Sg/iy9GZ7a0ERKdAGqOZI0YZTd0obkGdXVF/xNdI68jcFE3Sqza+v5gtaAbZicVhY1r/tbcA0Cc/hpSyEPJqu97a+ZygEYfrEFL2htAmV/NrXdjozidRIn187o6uGGAbwlQPNCtkTfGRg+kPT9Nf8P8wSf1UlwnMQcpSbkQ2aOIYXba2FyGfY1d6Tx1NGRp1FC98CLfOcXv5WlG6JBIOuyVHPVSDmgsw/n8C6EkhRGvm2hy45XrP4mZ7M53Vo+BicKuB2o7ZY4pPdqdbrz6odORhBcxk3vUYgGH95WOO8Cxc1SxXl4A4WbCF1ZWb5Shv/G31qFMM5ws1M4K916AJJ+QNQV4tKHCmMaqqRL6L+ScCnCrwl5qwB23nWsL49AAMDqrvzVESE18wBdtbzury31VP7A7KBj0fPORSgnRA4OEJAgMBAAGjggIDMIIB/zAfBgNVHSMEGDAWgBRoN+Drtjv4XxGG+/5hewiIZfROQjAdBgNVHQ4EFgQUqNJlVmweChoGu8mVcpUE0a2qrYcwPgYDVR0gBDcwNTAzBgZngQwBBAEwKTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5kaWdpY2VydC5jb20vQ1BTMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzCBtQYDVR0fBIGtMIGqMFOgUaBPhk1odHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkRzRDb2RlU2lnbmluZ1JTQTQwOTZTSEEzODQyMDIxQ0ExLmNybDBToFGgT4ZNaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZEc0Q29kZVNpZ25pbmdSU0E0MDk2U0hBMzg0MjAyMUNBMS5jcmwwgZQGCCsGAQUFBwEBBIGHMIGEMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wXAYIKwYBBQUHMAKGUGh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0ZWRHNENvZGVTaWduaW5nUlNBNDA5NlNIQTM4NDIwMjFDQTEuY3J0MAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggIBAF+IcSWmB7jYA5OiN94R2HN4pnixOb0NaZbS8oxucBPeo6FHp6oM7DIEHiWu8T/G5dt1WPzOPyDRZCVTp0HSJs9QXjTg2XavK7KDCAM/nnwI+lV1AYsyUKE6pLde367jFgbg4pFD0W+kPyShUH82LfcQGMoNcw5QiX0ebdCAk+F6859YtJHGKzMQGl6a1dg++6/SgNRXavGM7NTCevkaw+b3rB8x7Il2PQzgaHmzBy0QSapFxn7mx2d4rJEXEjxJCmDvpxKnqa7JDjhzjt8GtnynxjtWjROi3
jQWlspFSUSI1lyV3G43O3anQi00i/3LiYFHMOZZKTwzA4lWRDk8h7jFeKP4evsJvLRpbBLEXYB93FXBS/S6HIl6aY2f+tgTr4el9NKV/hXBx4Wt5DDtEw13igePI4FLs85tC3HJB4UCcA0rzoGE9RiJDpiC5eZQx/CZqXgKCvQ/F5fWBpl/9w1J0mcTb5H1C+Y2FxFPnuw3hEDMbKH6HoOgveh4qtzMU0ZOW1cU2J9cxerU5b4dsBE4NaSD7GKhAKGDWAz/4FBUt1i/5J7KIKAt302fT2Vwba/azrgNZAc9e23bCfOyZrvOL6wUMgnNEkmQWZgcyG0Borz3pI5EPQUSLtO3KAjXsATnUVqGR7r4O0v1vbcnf6H0jFTDLtCqgibKC/nE5U7r",
                    "src_file_sha256": "532d20a37c6493fae3144fa8aae0a2c3510f6bdc0a2683e9ce7970d6a22d65c2",
                    "src_file_path": "downloaded_files/connectwise_automate_(labtech)/532d20a37c6493fae3144fa8aae0a2c3510f6bdc0a2683e9ce7970d6a22d65c2",
                    "src_file_company": "LabTech Software"
                }
            ]
        }
    },
    {
        "Name": "Insync",
        "Category": "RAT",
        "Description": "Insync is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Users\\USERNAME\\AppData\\Roaming\\Insync\\App\\Insync.exe",
                "*Users\\*\\AppData\\Roaming\\Insync\\App\\Insync.exe",
                "*\\Insync.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/insync_processes_sigma.yml",
                "Description": "Detects potential process activity of Insync RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "Druva Inc",
                    "certificate_thumbprint": "69D87180D72B8E218BDBC28D21879BC136184929",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "1f8d76ad0fcbe5fadd066b0a332a58ccd96438dff55c63d90d14dbd96ab7e98f",
                    "src_file_path": "downloaded_files/insync/1f8d76ad0fcbe5fadd066b0a332a58ccd96438dff55c63d90d14dbd96ab7e98f",
                    "src_file_company": "GitHub, Inc."
                },
                {
                    "signer_name": "Druva Data Solutions Pvt. Ltd",
                    "certificate_thumbprint": "F6ED487C109762F9A3E91DBCEF6EA41AD1EC5B87",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "bcc7ed09d03e12c6e2e8889f08c5056ffc9eb1b5fe47bc199ae9e4965415b86b",
                    "src_file_path": "downloaded_files/insync/bcc7ed09d03e12c6e2e8889f08c5056ffc9eb1b5fe47bc199ae9e4965415b86b",
                    "src_file_company": "GitHub, Inc."
                }
            ]
        }
    },
    {
        "Name": "Tanium Deploy",
        "Category": "RMM",
        "Description": "Tanium Deploy is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.tanium.com/products/tanium-deploy/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": []
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "tanium.com/products/tanium-deploy"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tanium_deploy_network_sigma.yml",
                "Description": "Detects potential network activity of Tanium Deploy RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": []
    },
    {
        "Name": "SpyAnywhere",
        "Category": "RMM",
        "Description": "SpyAnywhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.spytech-web.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "sysdiag.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.spytech-web.com",
                        "spyanywhere.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/spyanywhere_network_sigma.yml",
                "Description": "Detects potential network activity of SpyAnywhere RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/spyanywhere_processes_sigma.yml",
                "Description": "Detects potential process activity of SpyAnywhere RMM tool"
            }
        ],
        "References": [
            "https://www.spyanywhere.com/support.shtml"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "北京火绒网络科技有限公司",
                    "certificate_thumbprint": "951553728DD3DE4E8F93F5A60FC4C54C12F66835",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "d77eb49917751cfebc42e468bf023e3a2b86b68a73e292ea651d8869aa2650a4",
                    "src_file_path": "downloaded_files/spyanywhere/d77eb49917751cfebc42e468bf023e3a2b86b68a73e292ea651d8869aa2650a4",
                    "src_file_company": "Beijing Huorong Network Technology Co., Ltd."
                },
                {
                    "signer_name": "Spytech Software and Design, Inc.",
                    "certificate_thumbprint": "0F999A1FAF749C55BC095242AD221637850EE6AF",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "8188c9883b46eceed07cc494ac29a02a1506934fcdd3841ea21d7f30fdfbf16b",
                    "src_file_path": "downloaded_files/spyanywhere/8188c9883b46eceed07cc494ac29a02a1506934fcdd3841ea21d7f30fdfbf16b"
                }
            ]
        }
    },
    {
        "Name": "Koofr",
        "Category": "RAT",
        "Description": "Koofr is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": []
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [],
        "References": [],
        "Acknowledgement": []
    },
    {
        "Name": "MyIVO",
        "Category": "RMM",
        "Description": "MyIVO is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "myivomgr.exe",
                "myivomanager.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "myivo-server.software.informer.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/myivo_network_sigma.yml",
                "Description": "Detects potential network activity of MyIVO RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/myivo_processes_sigma.yml",
                "Description": "Detects potential process activity of MyIVO RMM tool"
            }
        ],
        "References": [
            "https://myivo.com"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "Yandex.Disk",
        "Category": "RAT",
        "Description": "Yandex.Disk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://disk.yandex.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Program Files (x86)\\Yandex\\*",
                "*\\Yandex\\*",
                "*\\YandexDisk2.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/yandex.disk_processes_sigma.yml",
                "Description": "Detects potential process activity of Yandex.Disk RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "YANDEX LLC",
                    "certificate_thumbprint": "46E2F09D295573BB09DACC6B209B142C244A30D6",
                    "certificate_der_base64": "MIIHejCCBWKgAwIBAgIMbxJsnMKH3kWM6JD2MA0GCSqGSIb3DQEBCwUAMFwxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMTIwMAYDVQQDEylHbG9iYWxTaWduIEdDQyBSNDUgRVYgQ29kZVNpZ25pbmcgQ0EgMjAyMDAeFw0yNDAzMjAxNDIzMzVaFw0yNjAzMjExNDIzMzVaMIHfMR0wGwYDVQQPDBRQcml2YXRlIE9yZ2FuaXphdGlvbjEWMBQGA1UEBRMNMTAyNzcwMDIyOTE5MzETMBEGCysGAQQBgjc8AgEDEwJSVTEXMBUGCysGAQQBgjc8AgECEwZNb3Njb3cxCzAJBgNVBAYTAlJVMQ8wDQYDVQQIEwZNb3Njb3cxDzANBgNVBAcTBk1vc2NvdzEfMB0GA1UECRMWTGV2IFRvbHN0b3kgc3RyZWV0LCAxNjETMBEGA1UEChMKWUFOREVYIExMQzETMBEGA1UEAxMKWUFOREVYIExMQzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJBHNIDwuoQRAKsgUHdZAJj95E+tdlQ7Lq7of/skuDP1yn8fETp1arC7JWBK7cweYF2L4oMZDkLaenMe6LSebe4RODrBmJUExwZFCsF2yDbw0EqakrTzeQ3sUjTrBIpcgZiemfFx8kvkHMr7R/XoJx4abhWt5BPa2LidgcskEdmw2KUntRshuIBilg2GR8Oa6s0BZhMxgAE0Ugqw66mWNJWOp+//FwKwoNwtmWceBc7XAkyVK2rCdkaQ9YYJRmw3lGRP7+yLj/cH9I1ALO321j0iYYSoT+4M9ASIzGPZr+EaeE+i07RnUlkiqTntaeQ95Z1lofZ7RDGoIaEfmNU7pB0ecR02NI9UBc31Y6/XEJllauzN8gylSieS0yrS+qa+AsWHrE5wo4umNEHeQYeSpJASIjQwehHXEWbGgoxoCYs6l8HE/F3M2M0vE0Oh1P+UM/jN+ILlrgZN/Fs6w7IntZhBMG9Bz2H9DewILSCz4Naei1HENGK2Fcr+zmoeBxKeOp+NUwgM2dDiuJSQAnLIycwtPXtKUMQDeRiCVHJXupi9junpnVR5GMx3oYrvrZGK7odjUUiuRn8BSON0ixs8pQ94ktyNUFEquL8VATxzUpaai6es+T+DYsJf+BPMLvl1MbspaJ1q57Zyqb3gFW4ON9SaXKZXPCQuWp8uzHTYPkynAgMBAAGjggG2MIIBsjAOBgNVHQ8BAf8EBAMCB4AwgZ8GCCsGAQUFBwEBBIGSMIGPMEwGCCsGAQUFBzAChkBodHRwOi8vc2VjdXJlLmdsb2JhbHNpZ24uY29tL2NhY2VydC9nc2djY3I0NWV2Y29kZXNpZ25jYTIwMjAuY3J0MD8GCCsGAQUFBzABhjNodHRwOi8vb2NzcC5nbG9iYWxzaWduLmNvbS9nc2djY3I0NWV2Y29kZXNpZ25jYTIwMjAwVQYDVR0gBE4wTDBBBgkrBgEEAaAyAQIwNDAyBggrBgEFBQcCARYmaHR0cHM6Ly93d3cuZ2xvYmFsc2lnbi5jb20vcmVwb3NpdG9yeS8wBwYFZ4EMAQMwCQYDVR0TBAIwADBHBgNVHR8EQDA+MDygOqA4hjZodHRwOi8vY3JsLmdsb2JhbHNpZ24uY29tL2dzZ2NjcjQ1ZXZjb2Rlc2lnbmNhMjAyMC5jcmwwEwYDVR0lBAwwCgYIKwYBBQUHAwMwHwYDVR0jBBgwFoAUJZ3Q/FkJhmPF7POxEztXHAOSNhEwHQYDVR0OBBYEFIoN3UJm6MH5Dcw75olDsIF2PuioMA0GCSqGSIb3DQEBCwUAA4ICAQBW4Fq2bcUZm0lsDoFiMyHUNa80jEdmkAzGkEHXnJowhdJwoMgwYxP3c6/cMCMV7tm10gXpeOI6Yf0DI
gLz6Xl0qsBIEjK/TxXCQanEvo4qbtZpWbpzfHi+alW3QZv/aKny1sU7MDfedTYWZWd15mvog8uyFx0fvJx3uZOQa/ho/YwgJfNDBkhpqvekTcsu3zakJvstcT4dFFTsvESCWeDFujhLZKi62Ep8g3A06MDBCAePyhhdavDQ/NP0ozZxp/sz23RxsSBHZHRFJgfNOF51m2pN/+q5GeFPXKDCbMZNyec7OrGThkaDyG7ioVdiwSfhpG/QZtZjv3WI86vvBDCvlxwKQ7mXp8HAzn3I/LDhAJcyXTWgtKaKmeOelhWV8Ba2dLJbQ5PYH7fNUNuEjRm9IpXbmH2cK52D6WNKQh14gJfbib9xrbw5c44lZPS33IkIDckfi7mg8299yuSawwhUjk8YBLN1aQfFrfAlm2FoN/XzqDG8rzEcDjt4/D0Rf/1denTDbC/cnkmv8w82RvxhoWJwSGpLbW0HyVaLlXpbBbc25xpFTZzxJ74rctdXHbWD9rOZtkZgfmCyBwquGFG2dKkeg0bBXVFn71pYsSCsJek9pBZ0yReSUnI6Y3IT5l8SkkNeCcl4zHeF8fdbHydTXHqjDiYOvXqZfHz5AVnpjQ==",
                    "src_file_sha256": "b4de5a3d4ac1c70fdc0c498e3248389392d80efc4fb3a8fb67435f79da830199",
                    "src_file_path": "downloaded_files/yandex.disk/b4de5a3d4ac1c70fdc0c498e3248389392d80efc4fb3a8fb67435f79da830199",
                    "src_file_company": "Yandex"
                }
            ]
        }
    },
    {
        "Name": "Royal TS",
        "Category": "RMM",
        "Description": "Royal TS is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.royalapps.com/ts/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "royalts.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "royalapps.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_ts_network_sigma.yml",
                "Description": "Detects potential network activity of Royal TS RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_ts_processes_sigma.yml",
                "Description": "Detects potential process activity of Royal TS RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "Royal Apps GmbH",
                    "certificate_thumbprint": "564F13E13238C21A522EAC9D8903CBA13F93D7A4",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "4270f73b1e7b4108a5a6b5bec8b0afea15f62c0a3452906ae15fb349dd197336",
                    "src_file_path": "downloaded_files/royal_ts/4270f73b1e7b4108a5a6b5bec8b0afea15f62c0a3452906ae15fb349dd197336",
                    "src_file_company": "Royal Apps GmbH"
                }
            ]
        }
    },
    {
        "Name": "Ivanti Remote Control",
        "Category": "RMM",
        "Description": "Ivanti Remote Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2025-12-14",
        "Details": {
            "Website": "https://www.ivanti.com/use-cases/remote-control-all-of-my-devices-worldwide",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "IvantiRemoteControl.exe",
                "ArcUI.exe",
                "AgentlessRC.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.ivanticloud.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ivanti_remote_control_network_sigma.yml",
                "Description": "Detects potential network activity of Ivanti Remote Control RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ivanti_remote_control_processes_sigma.yml",
                "Description": "Detects potential process activity of Ivanti Remote Control RMM tool"
            }
        ],
        "References": [
            "https://rc1.ivanticloud.com/"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "search_names": [
                "dlgserver"
            ],
            "company_names": [],
            "signer_names": [
                "Ivanti, Inc."
            ],
            "certificates": [
                {
                    "signer_name": "Ivanti, Inc.",
                    "certificate_thumbprint": "E059339A3F58FD4AFDB4296E1EDE30FA77136431",
                    "tbs_sha256": "F62F22AE6537E816B945FE23AE925AA41276D9CE50B1C5F619A4FB652D90DC13",
                    "tbs_sha1": "",
                    "certificate_der_base64": "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"
                },
                {
                    "signer_name": "Ivanti, Inc.",
                    "certificate_thumbprint": "B310DCA4816C8E3E41E6C72BBB67A255AD8E0363",
                    "tbs_sha256": "48CD3051C77583166A1F530EE0F3DA941183A3A201A7205E76521E9FDB55C9CE",
                    "tbs_sha1": "",
                    "certificate_der_base64": "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"
                },
                {
                    "signer_name": "Ivanti, Inc.",
                    "certificate_thumbprint": "85651505F0D1CC0BA24040F3F8913D94AF316100",
                    "tbs_sha256": "B09E0A6BFE645556A89F3B8703C4B496699C3DE4A44819DDC265C2B95672C928",
                    "tbs_sha1": "",
                    "certificate_der_base64": "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"
                }
            ]
        },
        "FileHashes": {
            "authenticode": [
                {
                    "file_name": "DlgServer",
                    "sha256": "629D602ADEE0B644C1742E3B2728B929FDD8E0B17194CB4FAE6F26BCE5B68D79",
                    "sha1": "6773B4BB4082B38F760E980639AE3C67B9C762B4"
                }
            ],
            "page": [
                {
                    "file_name": "DlgServer",
                    "sha256": "93D38F683E250A6563BF7B1A28A22EABD5D18635F2A0A44D3F6082B7967A2ADD",
                    "sha1": "08AF57A46D0843BE00C91227F6FA53EEC0D1F8CB"
                }
            ]
        }
    },
    {
        "Name": "Chicken (of the VNC)",
        "Category": "RAT",
        "Description": "Chicken (of the VNC) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://github.com/flit/cotvnc",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": []
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [],
        "References": [
            "https://github.com/flit/cotvnc"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "RAdmin",
        "Category": "RMM",
        "Description": "RAdmin is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.\n",
        "Author": "Nasreddine Bencherchali",
        "Created": "2024-08-05",
        "LastModified": "2024-08-05",
        "Details": {
            "Website": "https://www.radmin.com/",
            "PEMetadata": [
                {
                    "Filename": "RServer3.exe",
                    "OriginalFileName": "RServer3.exe",
                    "InternalName": "RServer3",
                    "Description": "Radmin Server",
                    "Product": "Radmin Server",
                    "Comments": "Radmin - Remote Control Server"
                },
                {
                    "Filename": "Radmin.exe",
                    "OriginalFileName": "Radmin.exe",
                    "InternalName": "Radmin",
                    "Description": "Radmin Viewer",
                    "Product": "Radmin Viewer",
                    "Comments": "Radmin Viewer"
                }
            ],
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [
                "Windows"
            ],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Program Files (x86)\\Radmin Viewer 3\\Radmin.exe",
                "C:\\Windows\\SysWOW64\\rserver30\\rserver3.exe",
                "C:\\Windows\\SysWOW64\\rserver30\\FamItrfc",
                "C:\\Windows\\SysWOW64\\rserver30\\FamItrf2"
            ]
        },
        "Artifacts": {
            "Disk": [
                {
                    "File": "C:\\Windows\\SysWOW64\\rserver30\\Radm_log.htm",
                    "Description": "RAdmin log file (32-bit)",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Windows\\System32\\rserver30\\Radm_log.htm",
                    "Description": "RAdmin log file (64-bit)",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Windows\\System32\\rserver30\\CHATLOGS\\*\\*.htm",
                    "Description": "RAdmin chat logs",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Users\\*\\Documents\\ChatLogs\\*\\*.htm",
                    "Description": "RAdmin user chat logs",
                    "OS": "Windows"
                }
            ],
            "EventLog": [],
            "Registry": [
                {
                    "Path": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Radmin\\v3.0\\Server\\Parameters\\Radmin Security",
                    "Description": "N/A"
                }
            ],
            "Network": [
                {
                    "Description": "N/A",
                    "Domains": [
                        "radmin.com"
                    ],
                    "Ports": [
                        443
                    ]
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_pua_radmin.yml",
                "Description": "PUA - Radmin Viewer Utility Execution"
            },
            {
                "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml",
                "Description": "Enumeration for 3rd Party Creds From CLI"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_registry_sigma.yml",
                "Description": "Detects potential registry activity of RAdmin RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_network_sigma.yml",
                "Description": "Detects potential network activity of RAdmin RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_files_sigma.yml",
                "Description": "Detects potential file activity of RAdmin RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_processes_sigma.yml",
                "Description": "Detects potential process activity of RAdmin RMM tool"
            }
        ],
        "References": [
            "https://radmin-club.com/radmin/how-to-establish-a-connection-outside-of-lan/",
            "https://helpdesk.radmin.com/radmin3help/",
            "https://helpdesk.radmin.com/radmin3help/files/viewercmd.htm",
            "https://helpdesk.radmin.com/radmin3help/files/cmd.htm"
        ],
        "Acknowledgement": [
            {
                "Person": "Nasreddine Bencherchali",
                "Handle": "@nas_bench"
            }
        ],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "Famatech Corp.",
                    "certificate_thumbprint": "9DC1CD24C50424A2BF993D8350F7A0F62DE34823",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "839153d334bd3fb89488f1499cece43e7d1077f35fe0b0f79c2bd413bc3a9aaa",
                    "src_file_path": "downloaded_files/radmin/839153d334bd3fb89488f1499cece43e7d1077f35fe0b0f79c2bd413bc3a9aaa",
                    "src_file_company": "Famatech Corp.                                              "
                }
            ]
        }
    },
    {
        "Name": "Zoho Assist",
        "Category": "RMM",
        "Description": "Zoho Assist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2026-02-09",
        "Details": {
            "Website": "https://www.zoho.com/assist/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [
                "Windows"
            ],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "toolsiq.exe",
                "zaservice.exe",
                "ZMAgent.exe",
                "ZohoMeeting.exe",
                "Zohours.exe",
                "zohotray.exe",
                "ZohoURSService.exe",
                "*\\ZA_Access.exe",
                "za_connect.exe",
                "connect.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.zoho.com.au",
                        "*.zohoassist.jp",
                        "assist.zoho.com",
                        "zoho.com/assist/",
                        "*.zoho.in",
                        "downloads.zohodl.com.cn",
                        "*.zohoassist.com",
                        "downloads.zohocdn.com",
                        "gateway.zohoassist.com",
                        "*.zohoassist.com.cn",
                        "*.zoho.com.cn",
                        "*.zoho.com",
                        "*.zoho.eu"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoho_assist_network_sigma.yml",
                "Description": "Detects potential network activity of Zoho Assist RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoho_assist_processes_sigma.yml",
                "Description": "Detects potential process activity of Zoho Assist RMM tool"
            }
        ],
        "References": [
            "https://www.zoho.com/assist/kb/firewall-configuration.html"
        ],
        "Acknowledgement": [
            {
                "Person": "Daniel Koifman",
                "Handle": "@koifsec"
            }
        ],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "ZOHO Corporation Private Limited",
                    "certificate_thumbprint": "DF941B5FC512E498D2FE112665AFC5CDCE41EE74",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "64ebab9cd1ce291382e37fce92ceb657cbfc3299244d38b8f2e0e7a9268408f7",
                    "src_file_path": "downloaded_files/zoho_assist/64ebab9cd1ce291382e37fce92ceb657cbfc3299244d38b8f2e0e7a9268408f7",
                    "src_file_company": "Zoho Corporation"
                },
                {
                    "signer_name": "ZOHO Corporation Private Limited",
                    "certificate_thumbprint": "9CFE33A8A1FB933BEDF943EF4263D03B6A5F828E",
                    "certificate_der_base64": "MIIHHTCCBQWgAwIBAgIMDGsl8hryZ5tnz4h0MA0GCSqGSIb3DQEBCwUAMFkxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMS8wLQYDVQQDEyZHbG9iYWxTaWduIEdDQyBSNDUgQ29kZVNpZ25pbmcgQ0EgMjAyMDAeFw0yNTAyMTgxMzU5NDBaFw0yNjEwMDkwNzQwNThaMIGKMQswCQYDVQQGEwJJTjETMBEGA1UECBMKVGFtaWwgTmFkdTEQMA4GA1UEBxMHQ2hlbm5haTEpMCcGA1UEChMgWk9ITyBDb3Jwb3JhdGlvbiBQcml2YXRlIExpbWl0ZWQxKTAnBgNVBAMTIFpPSE8gQ29ycG9yYXRpb24gUHJpdmF0ZSBMaW1pdGVkMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAz09Cd5TDWpRU90iuUgEngTp7kHP4WsQlU5MroTyh0/57BWlmg+/Ve/GoDiwWWfX9zHl3Qi1KQEquw8AhkzzwLCSn634vUTM5kEleezZDAvaS2QjrcvOY4tydRgejobpWJHdrJIWiNPBEM5uBzF8LSFEB6nUgF24QuG3MW1MYjC1s7xRgUZeqPBKvaL3qzdm1A5DezRXOJ9bgeFy9e9m1s+6ts39yO+2cyAc9/nhGmio0sWvaGpbPDCssHIcInGQGw8lW9FCIqhERgTBGsi8QC3vdWWi/dHju6Akt3497dCA9PbXVwkcMS5PSuoC5iKrQjnUvQO1/mlEyd6CR2NC4D+DGYIynSvet1ceaaOUUriI6f8MiAKMYDmGa1lOGVhbR7CRO5BjkPEPzczHuffYchPNtiYE6VRSd05zysSwpIYYZfiIHQptIhW/I2DoSIrDKo1WVG3jNrYiAL6t68P8xoL2hHvwekV9RAqMVYHxKVA0Ur+DKCPrCDS01/NXKD6jeBoWyGEKE11J65nXuphTbsZmp+T3ATPJepkiN2qXmzW2SQD9YC8FW2BsTQx6lKwjMRNA5WcpYbm8P0l+eo9ck1uwDwq6W1fYuhBGebG7FTUAUj73b47TxeKf2AG5YD5x+xrOf463q06lbIYn61lbUJjMF/Dwd3woLV/VxHShciI8CAwEAAaOCAbEwggGtMA4GA1UdDwEB/wQEAwIHgDCBmwYIKwYBBQUHAQEEgY4wgYswSgYIKwYBBQUHMAKGPmh0dHA6Ly9zZWN1cmUuZ2xvYmFsc2lnbi5jb20vY2FjZXJ0L2dzZ2NjcjQ1Y29kZXNpZ25jYTIwMjAuY3J0MD0GCCsGAQUFBzABhjFodHRwOi8vb2NzcC5nbG9iYWxzaWduLmNvbS9nc2djY3I0NWNvZGVzaWduY2EyMDIwMFYGA1UdIARPME0wQQYJKwYBBAGgMgEyMDQwMgYIKwYBBQUHAgEWJmh0dHBzOi8vd3d3Lmdsb2JhbHNpZ24uY29tL3JlcG9zaXRvcnkvMAgGBmeBDAEEATAJBgNVHRMEAjAAMEUGA1UdHwQ+MDwwOqA4oDaGNGh0dHA6Ly9jcmwuZ2xvYmFsc2lnbi5jb20vZ3NnY2NyNDVjb2Rlc2lnbmNhMjAyMC5jcmwwEwYDVR0lBAwwCgYIKwYBBQUHAwMwHwYDVR0jBBgwFoAU2rONwCSQo2t30wygWd0hZ2R2C3gwHQYDVR0OBBYEFDqaXb/UoQJmwU/awDe9Pdx+MvqYMA0GCSqGSIb3DQEBCwUAA4ICAQAGEr1oLiiri9QNjpj9GX0NzyGumOynnfJB8X6M8SuLsdmTJWHKKp/mjXcYLT4Ce0tAmHgkHRt2hel9ANzdcjl8RjPWsYScVn5cZ3sfSGmH9dwPNSCp9gdRUwwT9jDU+B4KMd4rz6XrtL+kVgbTVGzRpnnoCz/9PVRApRP7xcLsgdbrVolr2A37OOkVEdaY5XW2orW+mw+a7
Q1vdeJDt/rmXnUf/E8txo9gpPcCK6D3Ufi9g89qBHU8IOvDXrvlYjcgiRsPa4QzTwtBaXNrCuI3vjycQe/eoAL8XJHNwuPeG8UimO/OlQuaofa9pgCmyMH5TL9JayS2r1oqdxXQySTii9v7Djk35WVxhnBumAZQa9uO5aoGcMWX9XGKe8BIpxgA16Wg+/K6JQyRzgIy3eaKxkZFXtJhzu2Qd+NIPpDOmCxBRcwHE5T/kV1bq/xR4MX+WUrU3YS1TQoi6y4pXzeKEYjkWrZZDk3rY1/oZh5LIA/FSME4klrpaxJCYjMlABeWQeEuCEKJEbRYrV7TxT180M1NKTQatBSSjKWIWFE14GIlBWgs+9OmLR+09Q2pplEKUFw3OW7hqTMN8PRk3ZwYEBwNiAbSdRhCj6Zy8eRPBBCLksWJo44IJcniqGhmFdD07ALvRwudvItKPvajzqtaTMZAOaLZia5AXWbxRpCHdg==",
                    "src_file_sha256": "98bc528011f7604a558abf379965bcf27c04c728850c7b72f2e9ceca78e5c92d",
                    "src_file_path": "downloaded_files/zoho_assist/98bc528011f7604a558abf379965bcf27c04c728850c7b72f2e9ceca78e5c92d"
                },
                {
                    "signer_name": "ZOHO Corporation Private Limited",
                    "certificate_thumbprint": "1FFC1D0860B748F0E9D53297B716E497C81D687B",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "5b6b51b6b0f94767d5dcbf3bfdda9a98d0a0b98463a791d2f0e7c3acfaebf2e8",
                    "src_file_path": "downloaded_files/zoho_assist/5b6b51b6b0f94767d5dcbf3bfdda9a98d0a0b98463a791d2f0e7c3acfaebf2e8",
                    "src_file_company": "Zoho Corporation"
                },
                {
                    "signer_name": "ZOHO Corporation Private Limited",
                    "certificate_thumbprint": "99869B5E06680A842469CC3DA2F2DFFFE75AC930",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "a9171ebd8d965df5fe889defa1406b345ee6c4bcb444f4d6bdc166f05be47c29",
                    "src_file_path": "downloaded_files/zoho_assist/a9171ebd8d965df5fe889defa1406b345ee6c4bcb444f4d6bdc166f05be47c29"
                },
                {
                    "signer_name": "ZOHO Corporation Private Limited",
                    "certificate_thumbprint": "C70830D17ABB7119FCE1A1DD2DC9FD0E92E33241",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "b769b924c99b3c96c44be6d04bc9af3d9943040269e15bc404b93e389db41303",
                    "src_file_path": "downloaded_files/zoho_assist/b769b924c99b3c96c44be6d04bc9af3d9943040269e15bc404b93e389db41303"
                }
            ]
        }
    },
    {
        "Name": "Remmina",
        "Category": "RAT",
        "Description": "Remmina is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://remmina.org/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": []
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [],
        "References": [],
        "Acknowledgement": []
    },
    {
        "Name": "Bitvise SSH Client",
        "Category": "RAT",
        "Description": "Bitvise SSH Client is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://bitvise.com/ssh-client",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Program Files (x86)\\Bitvise SSH Client\\*",
                "*\\Bitvise SSH Client\\*",
                "*\\BvSshClient-Inst.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bitvise_ssh_client_processes_sigma.yml",
                "Description": "Detects potential process activity of Bitvise SSH Client RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": [],
        "CodeSigning": {
            "search_names": [
                "bvsshclient-inst.exe"
            ],
            "company_names": [],
            "signer_names": [
                "Bitvise Limited"
            ],
            "certificates": [
                {
                    "signer_name": "Bitvise Limited",
                    "certificate_thumbprint": "1BEF6CEC736EF3478E54549018A96C8273ED7C78",
                    "tbs_sha256": "4AA456A8CA2FC6261D9596F2B1E5CB59F3F573F35ECE6B2BBFAD9457E8C76978",
                    "tbs_sha1": "",
                    "certificate_der_base64": "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"
                },
                {
                    "signer_name": "Bitvise Limited",
                    "certificate_thumbprint": "N/A",
                    "tbs_sha256": "",
                    "tbs_sha1": "58502E7360285E16BBD2936E1B393F81BC1D18BF"
                },
                {
                    "signer_name": "Bitvise Limited",
                    "certificate_thumbprint": "A6D37D7FDF19B73DB3E3A8D6D77B67DFD423BB22",
                    "tbs_sha256": "30837BDCFDE3280CB0F47072C70F662E99396CE61F83573854A4107C24D9ACF1",
                    "tbs_sha1": "",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "5aa0fd8c3c0c50e452569fbaef291f96b2ae3c9a7b52f80ed34bb48d63a8bcec",
                    "src_file_path": "downloaded_files/bitvise_ssh_client/5aa0fd8c3c0c50e452569fbaef291f96b2ae3c9a7b52f80ed34bb48d63a8bcec",
                    "src_file_company": "Bitvise Limited"
                },
                {
                    "signer_name": "Bitvise Limited",
                    "issuer": "CN=Thawte Code Signing CA - G2",
                    "certificate_thumbprint": "55D8B82CDDE540B5C74614D391CC82E8D281B14C",
                    "tbs_sha256": "91B0725619F5781AE3B4E815758A6B77D61A3A7E252F87272C21325717DA7FFB",
                    "tbs_sha1": "58502E7360285E16BBD2936E1B393F81BC1D18BF",
                    "valid_from": "2013-01-26T00:00:00+00:00",
                    "valid_to": "2015-02-16T23:59:59+00:00",
                    "certificate_der_base64": "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"
                },
                {
                    "signer_name": "Bitvise Limited",
                    "certificate_thumbprint": "37A4D270989616341908354E3542171EAB364159",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "a68d7fe876f7968127050a8e42049f751ea2cf18f8965dab9b36433111c8d602",
                    "src_file_path": "downloaded_files/bitvise_ssh_client/a68d7fe876f7968127050a8e42049f751ea2cf18f8965dab9b36433111c8d602",
                    "src_file_company": "Bitvise Limited"
                }
            ]
        }
    },
    {
        "Name": "Microsoft RDP",
        "Category": "RAT",
        "Description": "Microsoft RDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.\n\n**NOTE**: Some samples of this tool may be signed with third-party certificates. Always verify certificate ownership before implementing any blocking rules. Use certificate data for detection, hunting, and analysis purposes only.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://learn.microsoft.com/en-us/previous-versions/remote-desktop-client/remote-desktop-windows-urdc",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [
                "Windows"
            ],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "termsrv.exe",
                "mstsc.exe",
                "Microsoft Remote Desktop"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_rdp_processes_sigma.yml",
                "Description": "Detects potential process activity of Microsoft RDP RMM tool"
            }
        ],
        "References": [
            "https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/windows"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "win.rar GmbH",
                    "certificate_thumbprint": "729AE1F8B489DE176CC099FF49937F85F9E412F7",
                    "certificate_der_base64": "MIIHWDCCBUCgAwIBAgIQBIsIOZ7HA2I8cs0gd61l2TANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xQTA/BgNVBAMTOERpZ2lDZXJ0IFRydXN0ZWQgRzQgQ29kZSBTaWduaW5nIFJTQTQwOTYgU0hBMzg0IDIwMjEgQ0ExMB4XDTIzMDgwODAwMDAwMFoXDTI2MDgwNzIzNTk1OVowgeAxEzARBgsrBgEEAYI3PAIBAxMCREUxFzAVBgsrBgEEAYI3PAIBAhMGQmVybGluMR8wHQYLKwYBBAGCNzwCAQETDkNoYXJsb3R0ZW5idXJnMR0wGwYDVQQPDBRQcml2YXRlIE9yZ2FuaXphdGlvbjETMBEGA1UEBRMKSFJCIDEwOTg4NTELMAkGA1UEBhMCREUxDzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMRUwEwYDVQQKEwx3aW4ucmFyIEdtYkgxFTATBgNVBAMTDHdpbi5yYXIgR21iSDCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAJrNBWkLzla3tj9bhusRhk6ZzgzcgNHbZRI9nSX1/buowo4BjwCRFy7zTVQ9WNey9ghE8mbY8zhPgARuICPibaP19oFySzXSxG0QJWzi/HC50S6r0skMKDR42RBM7KcEazmfmp9RCnNjIJiaINa8RUpS+SuhmUl/iIOr9rHrEE/JGWoS8Ft9XDXwS2CacetaAcdyvKD9QQRoWu0yOkM/CaS1kHIVAayqta7rZvaBcs6SyLT2aR+0cWHcmH++2H2q37KbUcSEopNffmpU3M74Lcm2uckQgjsjEwmNfgLeLLntTx8yn7bfh4ZNNytn6bX2U0zufBJbKehAH6Zfww/aFAH0wsP1148R7pPGoXG4AeyXATWn7ufbWytTrgR8aNvsuS8h3mmUGV6mSNaxGszALQ0KxKAsTpoFVVsz86yVYL/IK9wuq9ogAheDeLR1v7leLbwJsqLRi0Ry8uyX7szJF5i+puSdqGz+lx6FcR2VsD8vnPOVC3Wtq2UgEKZs/0zP0wIDAQABo4ICAjCCAf4wHwYDVR0jBBgwFoAUaDfg67Y7+F8Rhvv+YXsIiGX0TkIwHQYDVR0OBBYEFFhcVBV2Psfb2Ad3xaRy9ZeAf4cTMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzCBtQYDVR0fBIGtMIGqMFOgUaBPhk1odHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkRzRDb2RlU2lnbmluZ1JTQTQwOTZTSEEzODQyMDIxQ0ExLmNybDBToFGgT4ZNaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZEc0Q29kZVNpZ25pbmdSU0E0MDk2U0hBMzg0MjAyMUNBMS5jcmwwPQYDVR0gBDYwNDAyBgVngQwBAzApMCcGCCsGAQUFBwIBFhtodHRwOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwgZQGCCsGAQUFBwEBBIGHMIGEMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wXAYIKwYBBQUHMAKGUGh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0ZWRHNENvZGVTaWduaW5nUlNBNDA5NlNIQTM4NDIwMjFDQTEuY3J0MAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggIBAMQeLwDoY491d3YPbv8Zh5MBMGxgKM4gPL05+gkTSP3UhXVE/ydaCKYtrINTYDHM+SxOb4GcAJZ35YC9G5A9nocvQhyDiQ5I12RccOQ7heNq4h2NgxbShNLgXMZgv
1E7fx2J7U7u2DnJK+c4dYADKYLZdQjO3nIojrfR9z6Fg1qaPFQQqkVmudthB5/0kYcOxPucbFlKpFoY6M88ZzOKCRLUYtvXs4nYRggG25VoNLtpLjLXCjmQ0wQ/28QZYtIq7mW+Jfc1vPOiEmPzX6t7X626ulBKCIL/MV5mBeag+0P7vTT+QWQef1v7npeWOSljVv84k7h7HzPn+c208FwNSrPGFBJ7M2HiY1TGUYtCzLHeSNKykvWpp+ALyKQtueN9fJYBLc8DS7aYJvtx3saVysRzHP+4oDZuEtb3hjfSBjAZq20ohXsbNtepSUb7cyjEfaTBjpI9mq6hkDkoTSL2Su8s7o0SXfVPi6o8NfjyCGIbyDRszZWts4wBw83pUDS//zGnfaSv65BoZ9dXGdckRznpgxuHqTeBGx0P1vSLbP76f1OZ/O/tHxBmSG7KL4XyHc6BG7K4tayEI9e6qJoL0St9M7GxZ9g3qHm0kQfPekvcOXxQuVn8n9SG6/QipQKR4fG0dRp4GqoIXGUjjvbJot7A9kG0IrykPagAXznZnMBG",
                    "src_file_sha256": "39baa167de334fef185ae8b97e8c709a307eed08e80fe115577c59a05200a13a",
                    "src_file_path": "downloaded_files/microsoft_rdp/39baa167de334fef185ae8b97e8c709a307eed08e80fe115577c59a05200a13a",
                    "src_file_company": "Alexander Roshal"
                }
            ]
        }
    },
    {
        "Name": "AeroAdmin",
        "Category": "RMM",
        "Description": "AeroAdmin is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "http://aeroadmin.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "aeroadmin.exe",
                "AeroAdmin.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "auth*.aeroadmin.com",
                        "aeroadmin.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aeroadmin_network_sigma.yml",
                "Description": "Detects potential network activity of AeroAdmin RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aeroadmin_processes_sigma.yml",
                "Description": "Detects potential processes activity of AeroAdmin RMM tool"
            }
        ],
        "References": [
            "https://support.aeroadmin.com/kb/faq.php?id=58"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "Aeroadmin LLC",
                    "certificate_thumbprint": "3D359801E29FCAFAF08983A0FDEA20798CC451A3",
                    "certificate_der_base64": "MIIH3jCCBcagAwIBAgIMUZYH+KKytvL7Qy+1MA0GCSqGSIb3DQEBCwUAMFwxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMTIwMAYDVQQDEylHbG9iYWxTaWduIEdDQyBSNDUgRVYgQ29kZVNpZ25pbmcgQ0EgMjAyMDAeFw0yNTA3MTcwNjU4MjVaFw0yODA4MjcwODE4NDJaMIIBHzEdMBsGA1UEDwwUUHJpdmF0ZSBPcmdhbml6YXRpb24xFjAUBgNVBAUTDTExODc3NDYzNzQ2NjExEzARBgsrBgEEAYI3PAIBAxMCUlUxFzAVBgsrBgEEAYI3PAIBAhMGTW9zY293MQswCQYDVQQGEwJSVTEPMA0GA1UECBMGTW9zY293MQ8wDQYDVQQHEwZNb3Njb3cxMjAwBgNVBAkTKXVsIEtvbnN0YW50aW5hIFNpbW9ub3ZhLCA1IC8ga29ycCAxIGt2IDE2MRYwFAYDVQQKEw1BZXJvYWRtaW4gTExDMRYwFAYDVQQDEw1BZXJvYWRtaW4gTExDMSUwIwYJKoZIhvcNAQkBFhZldWdlbmUuc0BhZXJvYWRtaW4uY29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAxEOio3X8c3LAC4y75m51D3TFliChJKcD3bPMZnzk6aAiefVfTK30shXtP4j97efE9HKVA0FxfeFK1ygi9j/iZ1ADj6pnZR3HB1+73wdTfO2yWwSv+eQ/pS+/lGZQIche/LSlvmXPXkg/9a7V+27IRWPutH9syu1OlOg/nktLRydQRVmgxuVV1Y14KHT1EInUFIefP2upDZAp2huHh3r6G/ryq2ENePZrnaYhlzovOMyWS/DQeqZ8zvLRbmEDg8JCv1hgbXGLpyrjBor1mJSHn77O3XCK5VFRDdiXfDBUWoz3UxMWk86YQoRV9bvtvtZ4ZwOa0RZg2TfVWN0IEjU/WCTqPfLZmlT53/6zRc1Y0pm0D5aUUnVhi9lhWa2kxcG7iE+5u7VZgEHAMFXRF4EfoIXRiJ9p1o6lkOh2giPUhcMl0AuicY0Y5d7FJoyLa8d8E5GiNEQqf2K92ms/+MrgSnj2wW/MHsFaDbHWbYsZKaRhidkvtHLsV1mm4qNuh6CDnNUQSSytWVV/6kL9SqQzjvBuHQfCbGO9UdApmRqpMLgsKfe6/jWy6uvSIU3O105gZcm1YnpxgKg3vrG6EVOsu3Uq0WkqbJK+UFcIw7enqnZcpE7nQROQH7UnylZrR+85xmQTJ89IWgx7lBTcu+a027rgUGqybthM15d1JK9berMCAwEAAaOCAdkwggHVMA4GA1UdDwEB/wQEAwIHgDCBnwYIKwYBBQUHAQEEgZIwgY8wTAYIKwYBBQUHMAKGQGh0dHA6Ly9zZWN1cmUuZ2xvYmFsc2lnbi5jb20vY2FjZXJ0L2dzZ2NjcjQ1ZXZjb2Rlc2lnbmNhMjAyMC5jcnQwPwYIKwYBBQUHMAGGM2h0dHA6Ly9vY3NwLmdsb2JhbHNpZ24uY29tL2dzZ2NjcjQ1ZXZjb2Rlc2lnbmNhMjAyMDBVBgNVHSAETjBMMEEGCSsGAQQBoDIBAjA0MDIGCCsGAQUFBwIBFiZodHRwczovL3d3dy5nbG9iYWxzaWduLmNvbS9yZXBvc2l0b3J5LzAHBgVngQwBAzAJBgNVHRMEAjAAMEcGA1UdHwRAMD4wPKA6oDiGNmh0dHA6Ly9jcmwuZ2xvYmFsc2lnbi5jb20vZ3NnY2NyNDVldmNvZGVzaWduY2EyMDIwLmNybDAhBgNVHREEGjAYgRZldWdlbmUuc0BhZXJvYWRtaW4uY29tMBMGA1UdJQQMMAoGCCsGAQUFBwMDMB8GA1UdIwQYMBaAFCWd0PxZCYZjxezzsRM7VxwDkjYRMB0GA1UdDgQWB
BR2fsWYoDII+8LHW9bzadqdqxxD9TANBgkqhkiG9w0BAQsFAAOCAgEAOhM/5u0ul5NBinlw8gXLZ4peqjS+c0NZMQhNNRw/9ODiQ5c7aP1ekPS+zbr2tOus8bbJy+03wjc15REbKMNn5oDlUk0z/JahvRFDvcjHFZdscuUNNTL//CUu4GyYbIl2j8MGkOyAb3X0gJWatm4AGISr4q1rQsXBclbVUpVToi8OiT7Z0lRzCSo/oKi9JBIkakHYUiXNp0FgxwxXvPc4T8f6e8I/ZC5jgCWCrH2l8mtpqgIL4efPUgMd4keSTw9SPBee2bP0IKGC5G1cx6d8ngAcdw5BvF18Bf+I97mIa1qpiHXx96Ao3JCA9jRep5NHhKgjZPZw/TzwFKQrU4Od6W0+sFagu9YKE8zq/aZBjDKwBGChNQsyKWJ+e+kqvvTalFx0u3pX8b9QW5cyOxgQ9SR2PyEr6GAOO8DRrbBySj17eN2hc3y8jz5Zf3L21ztyneBqIZCG9ru5G80Lyj5g3LamQYd1gnV+Pi/U3s+7FKopfmKssAtxOXBWQFvvR4pIo27GG4m8xQzHJyBkFvD3O9pWgyMaHo8lIVGx1+95MVlvyDBoeMkwzLj+uMU/doqhv0gBxI1kv0Nyv1wa5dsf9+GYDuKlFIpa5cz98Q9LxmQa9csVF4KqW9B7HaKeCGHk9Tgi7UmgPHmU1BOqlaymYdudlSfkFZGha/LYyspiUv8=",
                    "src_file_sha256": "00611ecd71f1db02006e287854f9cb09830d5f06513b7f5964cccd27e4fb81e7",
                    "src_file_path": "downloaded_files/aeroadmin/00611ecd71f1db02006e287854f9cb09830d5f06513b7f5964cccd27e4fb81e7",
                    "src_file_company": "AeroAdmin LLC"
                }
            ]
        }
    },
    {
        "Name": "Total Software Deployment",
        "Category": "RMM",
        "Description": "Total Software Deployment is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.total-software-deployment.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\ProgramData\\Total Software Deployment\\*",
                "*\\Total Software Deployment\\*",
                "*\\tniwinagent.exe",
                "*\\Tsdservice.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/total_software_deployment_processes_sigma.yml",
                "Description": "Detects potential processes activity of Total Software Deployment RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "Softinventive Lab",
                    "certificate_thumbprint": "0A4F216B5E8FD8B7906F05B71609F002984A9456",
                    "certificate_der_base64": "MIIGbTCCBNWgAwIBAgIRALPQHIOfM50pvXS9HyDFdJIwDQYJKoZIhvcNAQEMBQAwVDELMAkGA1UEBhMCR0IxGDAWBgNVBAoTD1NlY3RpZ28gTGltaXRlZDErMCkGA1UEAxMiU2VjdGlnbyBQdWJsaWMgQ29kZSBTaWduaW5nIENBIFIzNjAeFw0yNTAzMDcwMDAwMDBaFw0yODAzMDYyMzU5NTlaMGAxCzAJBgNVBAYTAlVBMRkwFwYDVQQIDBBaYXBvcml6a2Egb2JsYXN0MRowGAYDVQQKDBFTb2Z0aW52ZW50aXZlIExhYjEaMBgGA1UEAwwRU29mdGludmVudGl2ZSBMYWIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC0uljUb51meR7PXLrwCfg1AbrpW78hgoqnY7Ty+EIe9qTi/YsXoz93KWpMvsK+wgSJhgQf4xVK7sPTHf3+2nwqATj6v5gM3bsjvVYF5d/nSp5gcobEYvz/kO7foF7NNpQYu4ciCga7nlY5tUnrzOI+Sc2ocyMquxEvE1RC/x63lzP/e/1h/T65+Nj57gcAK8bOtohl3N16GqNDvXqTarh10v6kDcZuO8seewTniO9Sj1QsQcFwM/ll3IXwSdbTWE0AwgBDpmm/Wiq+2O2zz2A86beFWknqeXSXDdzHPeE4tebjoo2qkpZKfy96ftSqnhWUXSaKXF1AwL8Nfh9jT0gSnKlnLmexQUe4y+McAdpRMoqcrSLssUqLUGrno0xyZkV237mJj4pU2Wn3MfIRYNk+LXjlZ2oTKVl3HhClBXY6F47rENrSaX2UkOBeMAk9qrP6fkZ6akTSMPLXuvSg9JtSZDqVFJKHYSHlQMrMG7YTXSBQ4A6Unm5jeqZa+bIFyxqfWL4KV7ECaZgYkKycPl0R7mHvxc8DSzmi4uub65++zvWBKlxU39JIEuYFd4VRywfa2WypGPRL2gl9JE+El1405FS2Emj9JDxlvpMqIiIr+UHK+tdaHTuUjeLCvQXCcsvHkVmVhnGbdt1uvf8Hn7UAkMvP1uPGUXy9RPlwtqqRCwIDAQABo4IBrDCCAagwHwYDVR0jBBgwFoAUDyrLIIcouOxvSK4rVKYpqhekzQwwHQYDVR0OBBYEFEMvUl3hYUW5QczmC2+OSWHaR+NgMA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMEoGA1UdIARDMEEwNQYMKwYBBAGyMQECAQMCMCUwIwYIKwYBBQUHAgEWF2h0dHBzOi8vc2VjdGlnby5jb20vQ1BTMAgGBmeBDAEEATBJBgNVHR8EQjBAMD6gPKA6hjhodHRwOi8vY3JsLnNlY3RpZ28uY29tL1NlY3RpZ29QdWJsaWNDb2RlU2lnbmluZ0NBUjM2LmNybDB5BggrBgEFBQcBAQRtMGswRAYIKwYBBQUHMAKGOGh0dHA6Ly9jcnQuc2VjdGlnby5jb20vU2VjdGlnb1B1YmxpY0NvZGVTaWduaW5nQ0FSMzYuY3J0MCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5zZWN0aWdvLmNvbTAhBgNVHREEGjAYgRZpbmZvQHNvZnRpbnZlbnRpdmUuY29tMA0GCSqGSIb3DQEBDAUAA4IBgQA5Hon5kQ+zt1lMKPzr6ND6KvE3PQ+4PyJnpT68Yb0xjUSkPoi1dT72BJj8Fn2HNIrt2reMw5s/QHF19rI7vNKiliAoC8YgcKrO+NlrE+CmHTQYerSNlcyLi6H4w2t77R1YDg1ospd0hgjw6/sN6X5N9ZSc2/416GjGuHOUygFPQNhD9DUXXcAAKjFbilN9TAcuIZhIFABu5tfwLyG6F/TJbQcQWI2A4CCO/x3icpopUcLZROJnVHsJdMwlPL7GzXBSTDrVY/Ozr
OLGWEOBKa3cUc7f4D9BthaWEqrE4eBZ1bKejK/urxbw2fVNUFlgqWTmWLuxciP7W5I3k7RazA9XLoqyRyiV3+rc34XsJPihHAGjR4/KFpP2lrlpdox/+wegIp3aQEGB7ESwU68LWJk8ukU44v3W8/SXuXA4FcbP9GKTba1iAXjXVPGKs+mCr7OSFDDe6MtIkN92ileG7r5WJJtBCzVytrQ+fYJgl2Pnf8I308T8bbYzhavi7yHepPI=",
                    "src_file_sha256": "2c3979c76cccc59b5240053a226374f89be4a7f4c58e29b04efd849cb6465575",
                    "src_file_path": "downloaded_files/total_software_deployment/2c3979c76cccc59b5240053a226374f89be4a7f4c58e29b04efd849cb6465575",
                    "src_file_company": "Softinventive Lab"
                }
            ]
        }
    },
    {
        "Name": "Onionshare",
        "Category": "RAT",
        "Description": "Onionshare is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://onionshare.org/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Program Files (x86)\\OnionShare\\*",
                "*\\OnionShare\\*",
                "*\\onionshare*.exe",
                "OnionShare-win*.msi"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/onionshare_processes_sigma.yml",
                "Description": "Detects potential processes activity of Onionshare RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": []
    },
    {
        "Name": "ITSupport247 (ConnectWise)",
        "Category": "RMM",
        "Description": "ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://control.itsupport247.net/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [
                "Windows"
            ],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "saazapsc.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.itsupport247.net"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__network_sigma.yml",
                "Description": "Detects potential network activity of ITSupport247 (ConnectWise) RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__processes_sigma.yml",
                "Description": "Detects potential processes activity of ITSupport247 (ConnectWise) RMM tool"
            }
        ],
        "References": [
            "https://control.itsupport247.net/"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "MioNet (WD Anywhere Access)",
        "Category": "RMM",
        "Description": "MioNet (WD Anywhere Access) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "mionet.exe",
                "mionetmanager.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mionet__wd_anywhere_access__processes_sigma.yml",
                "Description": "Detects potential processes activity of MioNet (WD Anywhere Access) RMM tool"
            }
        ],
        "References": [
            "https://en.wikipedia.org/wiki/WD_Anywhere_Access - DOA as of 2016"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "I'm InTouch",
        "Category": "RMM",
        "Description": "I'm InTouch is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://locator.01com.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "iit.exe",
                "intouch.exe",
                "I'm InTouch Go Installer.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.01com.com",
                        "01com.com/imintouch-remote-pc-desktop"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/i'm_intouch_network_sigma.yml",
                "Description": "Detects potential network activity of I'm InTouch RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/i'm_intouch_processes_sigma.yml",
                "Description": "Detects potential processes activity of I'm InTouch RMM tool"
            }
        ],
        "References": [
            "https://www.01com.com/mobile/imintouch-remote-pc-desktop/faqs/remote-access/"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "Aspia",
        "Category": "RMM",
        "Description": "Aspia is an open-source Remote Desktop, file transfer and system information tool.\n",
        "Created": "2025-05-09",
        "LastModified": "2025-12-14",
        "Details": {
            "Website": "https://aspia.org/",
            "PEMetadata": [
                {
                    "Filename": "aspia_client.exe",
                    "OriginalFileName": "aspia_client.exe",
                    "Description": "Aspia Client",
                    "Product": "Aspia",
                    "Company": "Dmitry Chapyshev"
                }
            ],
            "Privileges": "SYSTEM",
            "SupportedOS": [
                "Windows",
                "MacOS",
                "Linux"
            ],
            "Capabilities": [
                "Remote desktop management",
                "Remote desktop view",
                "File transfer",
                "System information",
                "Text chat",
                "Task manager",
                "Encryption",
                "Authorization (it is possible to add users with different access rights)",
                "Address book with encryption and master-password",
                "NAT traversal with connection by ID (with using Aspia Router and Aspia Relay)",
                "Direct connections",
                "Audio support",
                "Video recording",
                "Client and Console for Windows, MacOSX and Linux",
                "Host for Windows only",
                "Router/Relay for Windows and Linux"
            ],
            "InstallationPaths": [
                "*\\aspia_client.exe",
                "C:\\Program Files\\Aspia\\",
                "C:\\Program Files (x86)\\Aspia\\"
            ]
        },
        "Artifacts": {
            "Disk": [
                {
                    "File": "C:\\Users\\*\\AppData\\Roaming\\aspia\\client.ini",
                    "Description": "N/A",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Users\\*\\AppData\\Local\\Temp\\aspia\\aspia_client-*.log",
                    "Description": "N/A",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files\\Aspia\\Client\\qt.conf",
                    "Description": "N/A",
                    "OS": "Windows"
                }
            ],
            "EventLog": [
                {
                    "EventID": 11707,
                    "ProviderName": "MsiInstaller",
                    "LogFile": "Application.evtx",
                    "Data": "Product: Aspia Client -- Installation completed successfully.",
                    "Description": "Aspia Client installation event."
                }
            ],
            "Registry": [],
            "Network": [
                {
                    "Description": "Aspia can be downloaded from the official github repository.",
                    "Domains": [
                        "https://github.com/dchapyshev/aspia"
                    ],
                    "Ports": [
                        "N/A"
                    ]
                }
            ]
        },
        "References": [
            "https://ics-cert.kaspersky.com/publications/reports/2025/06/05/ttps-of-cyber-partisans-activity-aimed-at-espionage-and-disruption/",
            "https://www.aspia.org/",
            "https://github.com/dchapyshev/aspia"
        ],
        "Acknowledgement": [
            {
                "Person": "Swachchhanda Shrawan Poudel",
                "Handle": "@_swachchhanda_"
            }
        ],
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aspia_network_sigma.yml",
                "Description": "Detects potential network activity of Aspia RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aspia_files_sigma.yml",
                "Description": "Detects potential files activity of Aspia RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aspia_processes_sigma.yml",
                "Description": "Detects potential processes activity of Aspia RMM tool"
            }
        ],
        "CodeSigning": {
            "search_names": [
                "aspia_client.exe"
            ],
            "company_names": [],
            "signer_names": [],
            "certificates": []
        },
        "FileHashes": {
            "authenticode": [
                {
                    "file_name": "aspia_client.exe",
                    "sha256": "A968363E26D030CB0997244ED626F0A8AA9137CC6F7EA7AFC15B61B74E83B500",
                    "sha1": "DF6D3915876560EF33EFFD754A0305E0B0036D4B"
                }
            ],
            "page": [
                {
                    "file_name": "aspia_client.exe",
                    "sha256": "3087D8002051D7CD12BFDEF5CAEC4FA2E2DAEF4CF5363FAA2638FD784B4E659D",
                    "sha1": "A6FC35BA84C36E8646FE839D561A5C7F797470C3"
                }
            ]
        }
    },
    {
        "Name": "MeshCentral",
        "Category": "RMM",
        "Description": "MeshCentral is a remote monitoring and management (RMM) tool. MeshAgent is used along with MeshCentral to remotely manage computers. MeshAgent can be abused to execute commands on the target host, leveraging win-console to obscure the activity and win-dispatcher to run malicious code through IPC with child processes.\n",
        "Author": "@kostastsale",
        "Created": "2024-09-20",
        "LastModified": "2024-09-20",
        "Details": {
            "Website": "https://meshcentral.com/",
            "PEMetadata": {
                "Filename": "MeshAgent.exe",
                "OriginalFileName": "",
                "Description": "MeshCentral Background Service Agent"
            },
            "Privileges": "SYSTEM",
            "Free": "Yes",
            "Verification": "N/A",
            "SupportedOS": [
                "Windows",
                "Linux",
                "MacOS",
                "FreeBSD"
            ],
            "Capabilities": [
                "Remote Desktop & Terminal",
                "Remote File Access",
                "Text and Voice Chat",
                "Server File Storage",
                "Real-time User interface",
                "Port Forwarding"
            ],
            "Vulnerabilities": [
                "CVE-2024-26135"
            ],
            "InstallationPaths": [
                "meshcentral*.exe",
                "meshagent*.exe",
                "/usr/local/mesh_services/meshagent/meshagent/*",
                "/usr/local/mesh_services/meshagent/*"
            ]
        },
        "Artifacts": {
            "Disk": [
                {
                    "File": "C:\\Program Files\\Mesh Agent\\MeshAgent.exe",
                    "Description": "Local MeshAgent service binary after installation",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files\\Mesh Agent\\MeshAgent.msh",
                    "Description": "Local MeshAgent service configuration file. Contains configuration settings including the MeshCentral server address, port, and other settings. If the MeshAgent is run without being installed, the configuration file is created in the same directory as the MeshAgent binary.",
                    "OS": "Windows"
                },
                {
                    "File": "/usr/local/mesh_services/meshagent/meshagent/meshagent",
                    "Description": "Local MeshAgent service binary after installation",
                    "OS": "MacOS"
                },
                {
                    "File": "/usr/local/mesh_services/meshagent/meshagent/meshagent.db",
                    "Description": "Local Meshagent database after installation",
                    "OS": "MacOS"
                },
                {
                    "File": "/usr/local/mesh_services/meshagent/meshagent/meshagent.msh",
                    "Description": "Local MeshAgent configuration file after installation",
                    "OS": "MacOS"
                },
                {
                    "File": "/usr/local/mesh_services/meshagent/meshagent",
                    "Description": "Local MeshAgent service binary after installation",
                    "OS": "Linux"
                },
                {
                    "File": "/usr/local/mesh_services/meshagent/meshagent.db",
                    "Description": "Local Meshagent database after installation",
                    "OS": "Linux"
                },
                {
                    "File": "/usr/local/mesh_services/meshagent/meshagent.msh",
                    "Description": "Local MeshAgent configuration file after installation",
                    "OS": "Linux"
                }
            ],
            "EventLog": [
                {
                    "EventID": 7045,
                    "ProviderName": "Service Control Manager",
                    "LogFile": "System.evtx",
                    "ServiceName": "Mesh Agent background service",
                    "ImagePath": "\"C:\\\\Program Files\\\\Mesh Agent\\\\MeshAgent.exe\"",
                    "Description": "Service installation event as result of MeshAgent installation."
                }
            ],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "user_managed",
                        "meshcentral.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/tsale/Sigma_rules/blob/main/Threat%20Hunting%20Queries/proc_creation_windows_meshagent.yml",
                "Description": "Detects MeshAgent Command Execution via MeshCentral"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_network_sigma.yml",
                "Description": "Detects potential network activity of MeshCentral RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_files_sigma.yml",
                "Description": "Detects potential files activity of MeshCentral RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_processes_sigma.yml",
                "Description": "Detects potential processes activity of MeshCentral RMM tool"
            }
        ],
        "References": [
            "https://ylianst.github.io/MeshCentral/meshcentral/",
            "https://github.com/Ylianst/MeshAgent"
        ],
        "Acknowledgement": [
            {
                "Person": "Kostas",
                "Handle": "@kostastsale"
            }
        ],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "MOONWHITE TECHNOLOGIES PRIVATE LIMITED",
                    "certificate_thumbprint": "4E5AB3CC60B41C9C9C218B8C272786ED0E6D8990",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "729f6286b503b36b45fb86efdf7a2e148713c1999a0a98fb485e72188ae26bdf",
                    "src_file_path": "downloaded_files/meshcentral/729f6286b503b36b45fb86efdf7a2e148713c1999a0a98fb485e72188ae26bdf"
                }
            ]
        }
    },
    {
        "Name": "Xeox",
        "Category": "RMM",
        "Description": "Xeox is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://xeox.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [
                "Windows"
            ],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "xeox-agent_x64.exe",
                "xeox_service_windows.exe",
                "xeox-agent_*.exe",
                "xeox-agent_x86.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.xeox.com",
                        "xeox.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xeox_network_sigma.yml",
                "Description": "Detects potential network activity of Xeox RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xeox_processes_sigma.yml",
                "Description": "Detects potential processes activity of Xeox RMM tool"
            }
        ],
        "References": [
            "https://help.xeox.com/knowledge-base/gSuyNfDH6u79M82utnswf2/firewall-settings-xeox-agent-and-integrations/47T7S9tZJ2L1Z2W5gwuXoW"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "hs2n Informationstechnologie GmbH",
                    "certificate_thumbprint": "437B1AF6A59B63BCA9F070A90C2D92D527B96598",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "d0bad90ead3f283a5914042d497613c522f61513c0a63005cb0e86d3297d1f40",
                    "src_file_path": "downloaded_files/xeox/d0bad90ead3f283a5914042d497613c522f61513c0a63005cb0e86d3297d1f40",
                    "src_file_company": "hs2n Informationstechnologie GmbH"
                }
            ]
        }
    },
    {
        "Name": "Tactical RMM",
        "Category": "RMM",
        "Description": "Tactical RMM is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2025-12-14",
        "Details": {
            "Website": "https://docs.tacticalrmm.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "tacticalrmm.exe",
                "tacticalrmm.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "login.tailscale.com",
                        "login.tailscale.com",
                        "docs.tacticalrmm.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tactical_rmm_network_sigma.yml",
                "Description": "Detects potential network activity of Tactical RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tactical_rmm_processes_sigma.yml",
                "Description": "Detects potential processes activity of Tactical RMM tool"
            }
        ],
        "References": [
            "https://docs.tacticalrmm.com"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "search_names": [
                "2025-12-14_3570cdbcb1a442eb605fb2b5f3d7aef7_cobalt-strike_coinminer_dosia_frostygoop_glassworm_luca-stealer_poet-rat_quasar-rat_sliver_snatch",
                "7v04zvtl.exe",
                "ft38y1rpx.exe",
                "is-mp1io.tmp",
                "l0ahm9y.exe",
                "m7i0z.exe",
                "nhvs68.exe",
                "tacticalagent-v2.9.1-windows-amd64.exe",
                "tacticalrmm.exe",
                "vz4exk32z.exe"
            ],
            "company_names": [],
            "signer_names": [
                "Christopher West"
            ],
            "certificates": [
                {
                    "signer_name": "Christopher West",
                    "certificate_thumbprint": "F73B1F0CA2D3B9FCC00D4CD9B379C9FF9DB518A2",
                    "tbs_sha256": "EA02531BA6EEAE043DFCDBEAC2A5C520567FC566AB5C2D75AA0DEAD4E2F6414D",
                    "tbs_sha1": "",
                    "certificate_der_base64": "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"
                },
                {
                    "signer_name": "Christopher West",
                    "certificate_thumbprint": "N/A",
                    "tbs_sha256": "",
                    "tbs_sha1": "A306499CEC6AF8C46C2F959731D0D41C6090D06C"
                }
            ]
        },
        "FileHashes": {
            "authenticode": [
                {
                    "file_name": "tacticalrmm.exe",
                    "sha256": "2850E1F08F4BCDBA6B4FDDB0F85D04EFA28BE2A311DF6C9ADA375A9AA68D8AA3",
                    "sha1": "115DAA83F7B4DF3CF3BF4F46EE5DA761CB69363A"
                },
                {
                    "file_name": "ft38y1rpx.exe",
                    "sha256": "3CC4C9D00DF29DC51A64A41DEB93CB4B010669D0571040700DFB4D15D3768A90",
                    "sha1": "EFB8FFC4CB40D47A668CA38DA98CECE3AA3B8902"
                },
                {
                    "file_name": "vz4exk32z.exe",
                    "sha256": "1615799D0036FA60E74689E45F45EA9DC9047065BD37339BEE9CB37D92E48F22",
                    "sha1": "16780328DEC2D7A10B9168A11F073169667125BE"
                },
                {
                    "file_name": "tacticalrmm.exe",
                    "sha256": "252F57B824BC488FE635391E0E6F554077F530952992618D11DD8D15E2D7AEC4",
                    "sha1": "7DD42D637F3BAF82CF8CA9551CDA2E62D57EB1A1"
                },
                {
                    "file_name": "2025-12-14_3570cdbcb1a442eb605fb2b5f3d7aef7_cobalt-strike_coinminer_dosia_frostygoop_glassworm_luca-stealer_poet-rat_quasar-rat_sliver_snatch",
                    "sha256": "02BF4D99FE81A2C92A28EFF02A8EEEE93B79C2B019185326917E77A07B5D1640",
                    "sha1": "0D476F7C7F536242B3003EECAE64E1A223CB56E1"
                },
                {
                    "file_name": "tacticalrmm.exe",
                    "sha256": "3026E8C0E61B78884F5AA1777527B233F3CF4BE14AF6E257BAB50ADB0B4EADAE",
                    "sha1": "E6A620B83B6C860AECAE59412DF26ECB0331D39F"
                },
                {
                    "file_name": "tacticalrmm.exe",
                    "sha256": "F2835C54CB6E24A0598D74D5A13C110DB84F05D1BE6863280C1BB09E74F207E2",
                    "sha1": "AC61A1CC25EB933635599AFB6D0B80D9B0C50E7C"
                },
                {
                    "file_name": "tacticalrmm.exe",
                    "sha256": "7ED4D76A0A62329691D4FCBA076F63F09CD60CEF156484328E5AE83956E8F32C",
                    "sha1": "54179578313D5C13935AF83314F752EEC5385DD7"
                },
                {
                    "file_name": "tacticalrmm.exe",
                    "sha256": "E142022630AB18A1EB2007027FCF4320FBE3E537FA1784E079DF5E0454C95FFA",
                    "sha1": "7F7D7AB9DB11F142D9CA5B8200784B01416AFC9E"
                },
                {
                    "file_name": "7v04zvtl.exe",
                    "sha256": "9D2FA4720EAA8FC77FD769475D9692628CE231D09B68D3F262A71B6A9918B7A3",
                    "sha1": "46AC3162F3F78C00B895FF590381B7B13F180B98"
                },
                {
                    "file_name": "nhvs68.exe",
                    "sha256": "EB9F6F96ECE167D782885D01620D5ADCEAE51D69D73BAAC922F0C9F4BB64F8AB",
                    "sha1": "128666F81B3F8554D58DF76AB84B619A42799FC7"
                },
                {
                    "file_name": "tacticalrmm.exe",
                    "sha256": "11CC8798C52FA3C656A1A584DDE09144E690F62620D3B54295D469952C63D4B4",
                    "sha1": "C67383FBEC97D9CD08D8F04629DC767D9A435E3D"
                },
                {
                    "file_name": "tacticalrmm.exe",
                    "sha256": "3970FF0BD8B081A6D880D23DE6C2932874B41D6E91F0C77D7A39B5A9E54DB785",
                    "sha1": "BD871C91B00BF1101B727C1A0E69EA4CF568A3F1"
                },
                {
                    "file_name": "l0ahm9y.exe",
                    "sha256": "AEDFE445946EC94FD2C7CEFD6C4A4C33771134A2AE487FCC4BDB27781328C4BA",
                    "sha1": "D1C60D1C1C738C3EB45DC3D74155A6E7BB060A22"
                },
                {
                    "file_name": "tacticalagent-v2.9.1-windows-amd64.exe",
                    "sha256": "268CAC5F97338DC5541EB517AE75CFBAB0E5E9E52AD66817129EAFD55DA1BE05",
                    "sha1": "9BC42B4C6B68724825EB5F0067FD59191853EF9D"
                },
                {
                    "file_name": "tacticalrmm.exe",
                    "sha256": "500C2081B4F2E76DDFB9D30F2794D29FF0BE627F8D81D4A32076B427550E92E1",
                    "sha1": "B47446613A26F6B5550DD0D8776B94070F82F4BC"
                },
                {
                    "file_name": "tacticalrmm.exe",
                    "sha256": "DDD7083C8595F7A3CB7516DA58320F09121C7DBD3628930FAACF82CA55CC315B",
                    "sha1": "90AEE3D7A12A420915B13874CA8952FFB33AA067"
                },
                {
                    "file_name": "is-MP1IO.tmp",
                    "sha256": "8CD03F59DB7C549DFEFD239DDB7B6EB4BFD8AB518FBFBE9518C6F004E3BE4C25",
                    "sha1": "793EAC66DDB705E4DB63BB3116EDF02B0F28918B"
                },
                {
                    "file_name": "m7i0z.exe",
                    "sha256": "FD5E369822E6CF4BC12A342F9A8109CEDEB86781DA411D4C3E64B934BC398058",
                    "sha1": "96D8C6A59C6B7DA0C3107D988DD94278C95E1EAA"
                }
            ],
            "page": [
                {
                    "file_name": "ft38y1rpx.exe",
                    "sha256": "5D36E860BC011D2A937A2C04D33C41AC22DE22DEC3B10FD229E54F8AB7FF9FC9",
                    "sha1": "6E489AEB60857D065FD25AFE949B163EE441CE31"
                },
                {
                    "file_name": "vz4exk32z.exe",
                    "sha256": "2C04EF69FB5DFAA678575E4241DB560735A9AD0CDB0B1BA52CC80595279F4EDD",
                    "sha1": "355CB1AEDF005F6335EEACA302CE00F268F05D90"
                },
                {
                    "file_name": "2025-12-14_3570cdbcb1a442eb605fb2b5f3d7aef7_cobalt-strike_coinminer_dosia_frostygoop_glassworm_luca-stealer_poet-rat_quasar-rat_sliver_snatch",
                    "sha256": "38169383E87CA8B9C0442F6B8AD64BF76C61D41D7C11512640700F29426DCAFF",
                    "sha1": "9582072F90C99E0337027C542B18E30E63AFE0F2"
                },
                {
                    "file_name": "tacticalrmm.exe",
                    "sha256": "D45072B2EAD3E6F841A59086A0F3FCF63CA4C0667A6C20F16ABEEF26773309C0",
                    "sha1": "2A2E6E7259A52DAB61D7E077AFD09FB859FFF627"
                },
                {
                    "file_name": "tacticalrmm.exe",
                    "sha256": "BF9797B468D297FA41DE2E6879B0C0450203F99055AA45DF28FC11787852142A",
                    "sha1": "342D95593FA22B134557C777DB81BB51C47AF6E0"
                },
                {
                    "file_name": "tacticalrmm.exe",
                    "sha256": "4C3AD685700D6703369133F0DD0A13DCCBC1FF8368929ABDE9646DCB673DEB5B",
                    "sha1": "7B108289E162A6BE86F0E2F81C97357D3D11AC69"
                },
                {
                    "file_name": "7v04zvtl.exe",
                    "sha256": "ACAF8E991A83A50D0B091F2E1C9DECED141C20080CEF8D9F54C0340BCE7F68CC",
                    "sha1": "745DB9C6B127428E1FBA63547851A4F696A24A91"
                },
                {
                    "file_name": "nhvs68.exe",
                    "sha256": "5F3BA1EE7CB45424DCB04DC4D9C99C399A684AAEB8A227308E8DF60CB5A957B1",
                    "sha1": "04D53C28F7385E3F46DC02060AF9C8A792CBCDCE"
                },
                {
                    "file_name": "tacticalrmm.exe",
                    "sha256": "94A64F4250C4A199083FCAF98F1B077543DA8964EBCBDE7A4F2223052D68238C",
                    "sha1": "03458F61391A87208AF29AE560349B91CEEF6F69"
                },
                {
                    "file_name": "tacticalrmm.exe",
                    "sha256": "90022B3F951ECF60130AD47D278150A62F4DAFD84139C3EAD97D0DFFFA08CDFE",
                    "sha1": "9698BB51C7DC33D8C53F9ECDFD94CBEC588E089A"
                },
                {
                    "file_name": "l0ahm9y.exe",
                    "sha256": "BFF28767946B8ED7C3C1217548F742967637052F6CC5DF7B75BA2922B5ED4A1F",
                    "sha1": "53C592BFBBDF90EF286512BEDD084CB3A4CBD996"
                },
                {
                    "file_name": "tacticalagent-v2.9.1-windows-amd64.exe",
                    "sha256": "C7E2AEC782798DB83645BFFE14820ED47B035182681B224D262CE11FD1A6D703",
                    "sha1": "435D9C4486FAEAB61FC0C1681C47347D74ABEA04"
                },
                {
                    "file_name": "tacticalrmm.exe",
                    "sha256": "A628305383B398F760933ABB5AC219F21782AB3E3E677A74444A8E203FB1E0F2",
                    "sha1": "76F628C73887BA1B00245C6CD374B5B747157A2E"
                },
                {
                    "file_name": "is-MP1IO.tmp",
                    "sha256": "88E768CB07E4E56900325D6A3DC4966CA43B47E0D5F35AEBA6756218459F4EBC",
                    "sha1": "E180813967854F98734AE14FA2164A2D59FA6C8F"
                }
            ]
        }
    },
    {
        "Name": "XRDP",
        "Category": "RAT",
        "Description": "XRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.xrdp.org/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": []
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [],
        "References": [],
        "Acknowledgement": []
    },
    {
        "Name": "Netviewer (GoToMeet)",
        "Category": "RMM",
        "Description": "Netviewer (GoToMeet) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.goto.com/meeting/join",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "NetViewer.exe",
                "nvClient.exe",
                "nvConsole.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.netviewer.com",
                        "netviewer.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer__gotomeet__network_sigma.yml",
                "Description": "Detects potential network activity of Netviewer (GoToMeet) RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer__gotomeet__processes_sigma.yml",
                "Description": "Detects potential processes activity of Netviewer (GoToMeet) RMM tool"
            }
        ],
        "References": [
            "https://www.netviewer.com/de/support/download/"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "Remobo",
        "Category": "RMM",
        "Description": "Remobo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "remobo.exe",
                "remobo_client.exe",
                "remobo_tracker.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "user_managed",
                        "remobo.en.softonic.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remobo_network_sigma.yml",
                "Description": "Detects potential network activity of Remobo RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remobo_processes_sigma.yml",
                "Description": "Detects potential processes activity of Remobo RMM tool"
            }
        ],
        "References": [
            "https://www.remobo.com - DOA as of 2024"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "RemSupp",
        "Category": "RMM",
        "Description": "RemSupp is a remote desktop / remote support tool observed in a phone-based social engineering phishing attack. It installs in user context, creates RemSupp-specific artifacts under AppData, and communicates with api.remsupp.com.",
        "Created": "2026-04-10",
        "LastModified": "2026-05-04",
        "Details": {
            "Website": "https://api.remsupp.com",
            "PEMetadata": [
                {
                    "Filename": "RemSupp_Setup_x64.exe",
                    "OriginalFileName": "",
                    "Description": "RemSupp - Remote desktop software",
                    "Product": "RemSupp"
                },
                {
                    "Filename": "RemSupp.exe",
                    "OriginalFileName": "RemSupp.exe",
                    "Description": "RemSupp - Remote desktop software",
                    "Product": "RemSupp"
                }
            ],
            "Privileges": "User",
            "Free": "unknown",
            "Verification": "Installer digitally signed; signer subject \"CN=RemSupp Michał Zarach, O=RemSupp Michał Zarach, L=Gdańsk, ST=Pomorskie, C=PL\" issued under Microsoft Trusted Signing (CN=Microsoft ID Verified CS EOC CA 0*, O=Microsoft Corporation). Trusted Signing mints ephemeral 3-day leaf certs per signing event, so the leaf TBS hash rotates per release while the publisher subject DN is stable.",
            "SupportedOS": [
                "Windows"
            ],
            "Capabilities": [
                "Remote desktop",
                "Remote support",
                "Remote control",
                "Screen sharing",
                "File transfer"
            ],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Users\\*\\AppData\\Local\\remsupp-updater\\installer.exe",
                "C:\\Users\\*\\AppData\\Local\\Programs\\RemSupp\\RemSupp.exe",
                "C:\\Users\\*\\AppData\\Local\\Programs\\RemSupp\\Uninstall RemSupp.exe"
            ]
        },
        "Artifacts": {
            "Disk": [
                {
                    "File": "C:\\Users\\*\\AppData\\Local\\Programs\\RemSupp\\RemSupp.exe",
                    "Description": "Main RemSupp executable (Electron 36 / Chromium-based)",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Users\\*\\AppData\\Local\\Programs\\RemSupp\\Uninstall RemSupp.exe",
                    "Description": "RemSupp uninstaller",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\RemSupp.lnk",
                    "Description": "Start menu shortcut",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Users\\*\\AppData\\Roaming\\RemSupp\\Local State",
                    "Description": "Application local state file",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Users\\*\\AppData\\Roaming\\RemSupp\\Preferences",
                    "Description": "Application preferences file",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Users\\*\\AppData\\Roaming\\RemSupp\\chromium.log",
                    "Description": "Chromium log file",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Users\\*\\AppData\\Roaming\\RemSupp\\Crashpad\\metadata",
                    "Description": "Crashpad metadata",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Users\\*\\AppData\\Roaming\\RemSupp\\Crashpad\\settings.dat",
                    "Description": "Crashpad settings",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Users\\*\\AppData\\Roaming\\RemSupp\\Local Storage\\leveldb\\*",
                    "Description": "Local storage LevelDB artifacts",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Users\\*\\AppData\\Roaming\\RemSupp\\sentry\\queue\\queue.json",
                    "Description": "Sentry queue artifact",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Users\\*\\AppData\\Roaming\\RemSupp\\sentry\\scope_v3.json",
                    "Description": "Sentry scope artifact",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Users\\*\\AppData\\Roaming\\RemSupp\\sentry\\session.json",
                    "Description": "Sentry session artifact",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Users\\*\\AppData\\Roaming\\RemSupp\\quitAndInstall.json",
                    "Description": "Updater state artifact",
                    "OS": "Windows"
                }
            ],
            "Registry": [
                {
                    "Path": "HKCU\\Software\\99ac595d-36d0-5122-a860-22a3443073cb",
                    "Description": "Product-specific installer key (vendor-assigned GUID)"
                },
                {
                    "Path": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\99ac595d-36d0-5122-a860-22a3443073cb",
                    "Description": "Per-user uninstall key (vendor-assigned GUID)"
                }
            ],
            "Network": [
                {
                    "Description": "RemSupp API endpoint observed during analysis",
                    "Domains": [
                        "api.remsupp.com"
                    ],
                    "Ports": [
                        443
                    ]
                },
                {
                    "Description": "RemSupp installer / update download endpoint",
                    "Domains": [
                        "download.remsupp.com"
                    ],
                    "Ports": [
                        443
                    ]
                }
            ],
            "Other": [
                {
                    "Type": "CodeSigningSubject",
                    "Value": "CN=RemSupp Michał Zarach, O=RemSupp Michał Zarach, L=Gdańsk, ST=Pomorskie, C=PL"
                },
                {
                    "Type": "CodeSigningIssuer",
                    "Value": "CN=Microsoft ID Verified CS EOC CA 01, O=Microsoft Corporation, C=US"
                },
                {
                    "Type": "CodeSigningIssuer",
                    "Value": "CN=Microsoft ID Verified CS EOC CA 02, O=Microsoft Corporation, C=US"
                },
                {
                    "Type": "ProcessLineage",
                    "Value": "RemSupp.exe self-check via cmd.exe /c tasklist /FI \"USERNAME eq %USERNAME%\" /FI \"IMAGENAME eq RemSupp.exe\" /FO csv | find \"RemSupp.exe\""
                },
                {
                    "Type": "SHA256",
                    "Value": "994f537e69f555a6aca89db837f260aa31352d6c6bfe435d3ecafff0b8c683ae"
                },
                {
                    "Type": "SHA256",
                    "Value": "38a3e51bf0fad50dc3bb08f8ce9aa4e9d3f3c7561312605c6827a81984137532"
                },
                {
                    "Type": "SHA256",
                    "Value": "3cad287fbc89c40a4f481aac47d0c2b012388081c9924c09fdb2d29e5455100a"
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remsupp_files_sigma.yml",
                "Description": "Detects potential files activity of RemSupp RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remsupp_network_sigma.yml",
                "Description": "Detects potential network activity of RemSupp RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remsupp_processes_sigma.yml",
                "Description": "Detects potential processes activity of RemSupp RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remsupp_registry_sigma.yml",
                "Description": "Detects potential registry activity of RemSupp RMM tool"
            }
        ],
        "References": [
            "https://api.remsupp.com"
        ],
        "Acknowledgement": [
            {
                "Person": "Martha Sosa",
                "Handle": "@marthajsosa"
            }
        ]
    },
    {
        "Name": "MioNet (Also known as WD Anywhere Access)",
        "Category": "RMM",
        "Description": "MioNet (Also known as WD Anywhere Access) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "mionet.exe",
                "mionetmanager.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mionet__also_known_as_wd_anywhere_access__processes_sigma.yml",
                "Description": "Detects potential processes activity of MioNet (Also known as WD Anywhere Access) RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": []
    },
    {
        "Name": "PChelpware",
        "Category": "RMM",
        "Description": "PChelpware (also known as PCHelpWare) is a free and open-source remote support and remote desktop software developed by the UltraVNC team. Built on VNC technology and following the RFB protocol, PChelpware is designed specifically for remote technical support scenarios, virtual training, and helpdesk operations.",
        "Author": "Daniel Koifman (KoifSec)",
        "Created": "2025-11-12",
        "LastModified": "2025-11-12",
        "Details": {
            "Website": "https://uvnc.com/downloads/pchelpware/",
            "Privileges": "User",
            "Free": true,
            "Verification": true,
            "SupportedOS": [
                "Windows"
            ],
            "Capabilities": [
                "Remote Desktop Control",
                "Remote Support",
                "Screen Sharing",
                "File Transfer"
            ],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "*\\PcHelpWare_viewer.exe"
            ]
        },
        "Artifacts": {
            "Disk": [
                {
                    "File": "C:\\temp_phw",
                    "Description": "Folder that is created upon PcHelpWare execution",
                    "OS": "Windows"
                }
            ],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [
            {
                "Splunk": "https://raw.githubusercontent.com/Koifman/Deathcon25/refs/heads/main/rmm_rodeo/pchelpware/spl.spl",
                "Description": "Splunk SPL query detecting PChelpware activity through Sysmon EventCode 1 (process creation)."
            }
        ],
        "References": [
            "https://uvnc.com/downloads/pchelpware/"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "N-Able Advanced Monitoring Agent",
        "Category": "RMM",
        "Description": "N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.n-able.com/features/advanced-monitoring-agent",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "BASupSrvc.exe",
                "winagent.exe",
                "BASupApp.exe",
                "BASupTSHelper.exe",
                "Agent_*_RW.exe",
                "BASEClient.exe",
                "BASupSrvcCnfg.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.beanywhere.com",
                        "systemmonitor.co.uk",
                        "*system-monitor.com",
                        "cloudbackup.management",
                        "*systemmonitor.co.uk",
                        "n-able.com",
                        "systemmonitor.us",
                        "*systemmonitor.eu.com",
                        "*.logicnow.com",
                        "*.swi-tc.com",
                        "*remote.management",
                        "systemmonitor.us.cdn.cloudflare.net",
                        "*cloudbackup.management",
                        "remote.management",
                        "logicnow.com",
                        "system-monitor.com",
                        "*systemmonitor.us",
                        "systemmonitor.eu.com",
                        "*.n-able.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_network_sigma.yml",
                "Description": "Detects potential network activity of N-Able Advanced Monitoring Agent RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_processes_sigma.yml",
                "Description": "Detects potential process activity of N-Able Advanced Monitoring Agent RMM tool"
            }
        ],
        "References": [
            "https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "OCS inventory",
        "Category": "RMM",
        "Description": "OCS inventory is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://ocsinventory-ng.org/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "ocsinventory.exe",
                "ocsservice.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "user_managed",
                        "ocsinventory-ng.org"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ocs_inventory_network_sigma.yml",
                "Description": "Detects potential network activity of OCS inventory RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ocs_inventory_processes_sigma.yml",
                "Description": "Detects potential process activity of OCS inventory RMM tool"
            }
        ],
        "References": [
            "https://ocsinventory-ng.org/?page_id=878&lang=en"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "EZ Web Enterprises Inc.",
                    "certificate_thumbprint": "8E0F648B184E52B121958F5A043F6A7E9A27F8B1",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "5040a28ce56fdf1d3cb6719e2a13dd641c7455bd3cb85383e8ee66f17290f8d4",
                    "src_file_path": "downloaded_files/ocs_inventory/5040a28ce56fdf1d3cb6719e2a13dd641c7455bd3cb85383e8ee66f17290f8d4",
                    "src_file_company": "OCS Inventory"
                }
            ]
        }
    },
    {
        "Name": "Syncthing",
        "Category": "RAT",
        "Description": "Syncthing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://syncthing.net/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [
                "Windows"
            ],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Users\\*\\AppData\\Roaming\\SyncTrayzor\\*",
                "*Users\\*\\AppData\\Roaming\\SyncTrayzor\\*",
                "*\\Syncthing.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncthing_processes_sigma.yml",
                "Description": "Detects potential process activity of Syncthing RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": []
    },
    {
        "Name": "LogMeIn",
        "Category": "RMM",
        "Description": "LogMeIn is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.\n",
        "Author": "Nasreddine Bencherchali",
        "Created": "2024-08-05",
        "LastModified": "2024-08-05",
        "Details": {
            "Website": "https://www.logmein.com/",
            "PEMetadata": [
                {
                    "Filename": "lmiguardiansvc.exe"
                },
                {
                    "Filename": "lmiignition.exe"
                },
                {
                    "Filename": "logmeinsystray.exe"
                },
                {
                    "Filename": "logmein.exe",
                    "OriginalFileName": "",
                    "Company": "LogMeIn, Inc.",
                    "Description": "LMIGuardianSvc",
                    "Product": "LMIGuardianSvc"
                }
            ],
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": null
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "N/A",
                    "Domains": [
                        "logmein-gateway.com"
                    ],
                    "Ports": [
                        443
                    ]
                },
                {
                    "Description": "N/A",
                    "Domains": [
                        "*.logmein.com"
                    ],
                    "Ports": [
                        443
                    ]
                },
                {
                    "Description": "N/A",
                    "Domains": [
                        "*.logmein.eu"
                    ],
                    "Ports": [
                        443
                    ]
                },
                {
                    "Description": "N/A",
                    "Domains": [
                        "logmeinrescue.com"
                    ],
                    "Ports": [
                        443
                    ]
                },
                {
                    "Description": "N/A",
                    "Domains": [
                        "*.logmeininc.com"
                    ],
                    "Ports": [
                        443
                    ]
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml",
                "Description": "DNS Query To Remote Access Software Domain From Non-Browser App"
            },
            {
                "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_remote_access_tools_logmein.yml",
                "Description": "Remote Access Tool - LogMeIn Execution"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_network_sigma.yml",
                "Description": "Detects potential network activity of LogMeIn RMM tool"
            }
        ],
        "References": [
            "https://support.logmeininc.com/central/help/allowlisting-and-firewall-configuration"
        ],
        "Acknowledgement": [
            {
                "Person": "Nasreddine Bencherchali",
                "Handle": "@nas_bench"
            }
        ],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "GoTo Technologies USA, LLC",
                    "certificate_thumbprint": "33023C0243016946C78CCB9B15AC6C203882E5D9",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "9b6f4f5e6f85dfe628f9781e65ab8917bf9f7d3e24bb6c564ab2fc0020a93f32",
                    "src_file_path": "downloaded_files/logmein/9b6f4f5e6f85dfe628f9781e65ab8917bf9f7d3e24bb6c564ab2fc0020a93f32",
                    "src_file_company": "LogMeIn, Inc."
                },
                {
                    "signer_name": "GoTo Technologies USA, LLC",
                    "certificate_thumbprint": "8D3FA6EEEBFC68A0FA76CDC4C6AD5982FE07DE91",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "71cf94f02a53c2a37976acbb0a87fd8bb0edda247c780ca61fbe4a41a17406a5",
                    "src_file_path": "downloaded_files/logmein/71cf94f02a53c2a37976acbb0a87fd8bb0edda247c780ca61fbe4a41a17406a5",
                    "src_file_company": "LogMeIn, Inc."
                }
            ]
        }
    },
    {
        "Name": "LANDesk",
        "Category": "RMM",
        "Description": "LANDesk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2025-12-14",
        "Details": {
            "Website": "https://www.landesk.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "issuser.exe",
                "landeskagentbootstrap.exe",
                "LANDeskPortalManager.exe",
                "ldinv32.exe",
                "ldsensors.exe",
                "C:\\Program Files (x86)\\LANDesk\\*",
                "*\\LANDesk\\*",
                "*\\issuser.exe",
                "*\\softmon.exe",
                "*\\tmcsvc.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.ivanticloud.com",
                        "*.ivanti.com",
                        "ivanti.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/landesk_network_sigma.yml",
                "Description": "Detects potential network activity of LANDesk RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/landesk_processes_sigma.yml",
                "Description": "Detects potential process activity of LANDesk RMM tool"
            }
        ],
        "References": [
            "https://forums.ivanti.com/s/article/URL-exception-list-for-Ivanti-Security-Controls?language=en_US"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "search_names": [
                "4gycu.exe",
                "ivanti software monitor",
                "ivanti ソフトウェア監視",
                "landeskportalmanager.resources.dll"
            ],
            "company_names": [],
            "signer_names": [
                "LANDesk Software, Inc."
            ],
            "certificates": [
                {
                    "signer_name": "LANDesk Software, Inc.",
                    "certificate_thumbprint": "B0DE69573135B60DE734F2E7E3CF7D5CB155F1D9",
                    "tbs_sha256": "31FBDBB7E377A3B5B1B3405549F6616E59F6D89FA31B09B0EA1CED441ACD6EA5",
                    "tbs_sha1": "",
                    "certificate_der_base64": "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"
                },
                {
                    "signer_name": "Ivanti, Inc.",
                    "certificate_thumbprint": "B310DCA4816C8E3E41E6C72BBB67A255AD8E0363",
                    "certificate_der_base64": "MIIHWTCCBUGgAwIBAgIQBsyN0tcIuQcyg45nl3swfzANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xQTA/BgNVBAMTOERpZ2lDZXJ0IFRydXN0ZWQgRzQgQ29kZSBTaWduaW5nIFJTQTQwOTYgU0hBMzg0IDIwMjEgQ0ExMB4XDTIzMDMyMzAwMDAwMFoXDTI2MDQyOTIzNTk1OVowYTELMAkGA1UEBhMCVVMxDTALBgNVBAgTBFV0YWgxFTATBgNVBAcTDFNvdXRoIEpvcmRhbjEVMBMGA1UEChMMSXZhbnRpLCBJbmMuMRUwEwYDVQQDEwxJdmFudGksIEluYy4wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDJ3RSNQX//5l85k0tbY0veBq3kRuTO5TKZgJC00IR0Y3xMpPj4HzM32fPOzsV6ooV6AcKM/3X20ENhHE2Cj/FB3v+ptWOniYRRxtJhaRZlRxs7saEK+xirr+kB+2vtYpfsgerArxOb19exJ/OSnzYFbMzsoZcKhm0IEcik/qkkDttnmD1KaR8wSxZi434bwByV9rTme23Vt783sqWjZjEtjtMGUo4cxHvFoewmvItfIp0JYoIwfnjRVNK/uRRnIAqosnxmH5Lr8IatWRFqVH6WaVIf5Fn+NDPUVF8UI2+78FvbZfeddNNNmGqr8m/j6BYZLWW4krsTlIcIIUP5aO8jmg6soQln05/uSTgQstlhm3UEc/G+BPMdzYvXDNgcMCqfOw+fsXPgTbfH5VryNrVA2GZ3pkkumLmTPr0lqgI+qkBE/YFuDGkPJanQl74/rxhFZEgzt0hJRfsF7u7TITry+4MFyhOjob+sq4yWwQ71QyY28ivLt8lQfZsBH6mKUk8Jgge6hk45sPHd7nXSOeAO2uMr+iBr/u2Wf1z5/KqB+ftG9KaHmSEmeU9uLo5z/3g4MtUt6F/ZE+GRXE/sJg8YqdZcQ/nBhtreePdX9pZhlNeBDFiLzAfhm7zmyLLhaTOtTBkwCoilc2XazcASFky+Cvy1oMkVeN/K6CuGDsVvGwIDAQABo4ICAzCCAf8wHwYDVR0jBBgwFoAUaDfg67Y7+F8Rhvv+YXsIiGX0TkIwHQYDVR0OBBYEFH3ZYvZskV07lrAXICI6I9lAazpJMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzCBtQYDVR0fBIGtMIGqMFOgUaBPhk1odHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkRzRDb2RlU2lnbmluZ1JTQTQwOTZTSEEzODQyMDIxQ0ExLmNybDBToFGgT4ZNaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZEc0Q29kZVNpZ25pbmdSU0E0MDk2U0hBMzg0MjAyMUNBMS5jcmwwPgYDVR0gBDcwNTAzBgZngQwBBAEwKTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5kaWdpY2VydC5jb20vQ1BTMIGUBggrBgEFBQcBAQSBhzCBhDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMFwGCCsGAQUFBzAChlBodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkRzRDb2RlU2lnbmluZ1JTQTQwOTZTSEEzODQyMDIxQ0ExLmNydDAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBCwUAA4ICAQDUFsZWQJeNmFx5Qvr0gQvPwUc0VgRHThr0M69gIzTIf5NzDsKiCr/V6q4u9Se8kJrHxp4lFraH5ncW8RQSEJTgsR+MpBfWMLx7GO6LmekcWiwwEe7KW7sCt4Pw0
Zz9wysdm2w2RRCKo+YlMLbOh5ts+FmV2g3xSyCZoI0olBD1ja8FWdPCVA9qM6Cp+WC9qi8nOYMPEQGz8m9/HZ7Xtd6iVYEUnlf9moeO2WEf1EOojJzdNwN43gkGX3Wo47pXTTmRnDucraSg9nIz9orvc2Xhq9PWu2fM3n3Z/CfWEtfSBfJ5TBXY6JXaVaQb3y/fie3L71bDdiQtbuxINeee0p9Ctya3CJHTO+K1BhFHYjaSmJDwInh4mNr9z28Hs6IVS5Pl+eew9IX+3a++X2s+qiGIsauiR9DvvcpwDcwiQdxTnsepui5hsPZGgSjsY3sqXt+8Jos4uhqqg6tIdywPPjZFVBzkiqBm38JQUHaKeAU1pe/t7V4JyYYtOYSTHuYXRLg8VdmrVNmt0jlLCvtYYqNTJQy0sVg3WEogRC2Hp3haXOBPizTq6mdeeYDYU65ADQfgq5P6reuZ76AWCuoKVsaVUT2Bm+I1p46kVj5pIvjcCLXNX/vMHH62tn20eiukFpDwUVEDwDkX4pGxI2XjIEOjXhqMK8OYfSmO1GWglXWqMg==",
                    "src_file_sha256": "436e028a3072934418d30d4b9ba9a60b00fc6c7546b9134ee2483e8349516b0c",
                    "src_file_path": "downloaded_files/landesk/436e028a3072934418d30d4b9ba9a60b00fc6c7546b9134ee2483e8349516b0c",
                    "src_file_company": "Ivanti"
                },
                {
                    "signer_name": "Ivanti, Inc.",
                    "certificate_thumbprint": "85651505F0D1CC0BA24040F3F8913D94AF316100",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "da92f8e474c040a53923cf81dc0d00adb5b3278cdfae039a22ebb2fc21993373",
                    "src_file_path": "downloaded_files/landesk/da92f8e474c040a53923cf81dc0d00adb5b3278cdfae039a22ebb2fc21993373",
                    "src_file_company": "Ivanti"
                }
            ]
        },
        "FileHashes": {
            "authenticode": [
                {
                    "file_name": "Ivanti Software Monitor",
                    "sha256": "474AD1FFADFEBD0F03964C9588C42757215637A782984C043AB89765097547CE",
                    "sha1": "19E998657F0AF623F5E1C50D1F3F579FD0099132"
                },
                {
                    "file_name": "Ivanti Software Monitor",
                    "sha256": "FF8197C521B49F05EDA07D619AEC70060DCE51F41BFA3BCDE552DB436B077919",
                    "sha1": "C09290ACDE7C7EFF82ED1DF4DF73BFCA3B2385E9"
                },
                {
                    "file_name": "Ivanti Software Monitor",
                    "sha256": "E1713BA3C96E11B28F51EBB6C21E4B48FBD71A59D03FFA8D83370EBE6C405E10",
                    "sha1": "24099235CA8B31B6E8124BC6760DDB21479E2009"
                },
                {
                    "file_name": "Ivanti Software Monitor",
                    "sha256": "928ADF822B6B35EE36EFE02C98E87F96EB9973006EE723C76EBD410622C1D804",
                    "sha1": "F3AD05F482EF217AC5F174F22F4891B528AA46DE"
                },
                {
                    "file_name": "Ivanti Software Monitor",
                    "sha256": "103D34699C3362BD3B3B80E08C514707400ED30837C0BB6FB9515128CE1F7AD3",
                    "sha1": "A78721A53D0DEAFA034651AAC19DBF94A33B18A4"
                },
                {
                    "file_name": "Ivanti Software Monitor",
                    "sha256": "854C7C69EA3624E3D413DD5AE2575D6D488FF374409F2CCFB384BEFC5A81D5CE",
                    "sha1": "2164BC7F2EA2C1E51CC98667E5CEE9A2A188C418"
                },
                {
                    "file_name": "Ivanti Software Monitor",
                    "sha256": "095D2AD9215D012DEC9D56C357B7620399EF2A40F8E1C4F5311AB7B788889FBF",
                    "sha1": "8BBF7ADD9B46357F6736A9115D90C58357643473"
                },
                {
                    "file_name": "Ivanti ソフトウェア監視",
                    "sha256": "D3C04CAA95597596F2F8BF7A30EB8EAA9EDE3A779E6BCF0D553821EDD40783FB",
                    "sha1": "A2154AB979986D3BFD9DC332DC0FCB83D5429F37"
                },
                {
                    "file_name": "Ivanti Software Monitor",
                    "sha256": "A6102089AD9ECF6D79046D456D85B439FE71CD582A21BC6FAB817E1BDDE19317",
                    "sha1": "C2951E02793A5E2F9A68DE4E70382E23B4857F12"
                },
                {
                    "file_name": "LANDeskPortalManager.resources.dll",
                    "sha256": "4E6FA2AE6FF11BBF7E02BE8F6F28209DAE76E43E905DCAE1EB7A6A68A5C26695",
                    "sha1": "79DC3EA43685EFAF92B9436444E7AF63E454D7E4"
                },
                {
                    "file_name": "LANDeskPortalManager.resources.dll",
                    "sha256": "816D76AF509805A4ABF9F8EA83EEB8487C714A68BB65F6F4A1C35F9345598DFE",
                    "sha1": "7385AB184661814CF67A4E94E3508E43AC32BA91"
                },
                {
                    "file_name": "4gycu.exe",
                    "sha256": "3D23382924B524D75371ADC1A793E9FA8CD55E9E9F30D14D647387C58AB0AF15",
                    "sha1": "D006B0529FCD31D99BC82469F185FC81E8AD3101"
                },
                {
                    "file_name": "LANDeskPortalManager.resources.dll",
                    "sha256": "FB7EDB587B3CC6B3523FE5F04E4A97F63234EACD1FF65807852527995F5D5529",
                    "sha1": "6DDF5E8A4F3B2CE683FD3F08C24278FCF9437440"
                },
                {
                    "file_name": "LANDeskPortalManager.resources.dll",
                    "sha256": "F89F128EC31D856E1C86655ADB5F846F7ACA4E99E246A7E4A482BCBB1DC4D925",
                    "sha1": "8434BCEA68DDFCA75A5A855DF0B9CCF2D169A72D"
                },
                {
                    "file_name": "LANDeskPortalManager.resources.dll",
                    "sha256": "1F48C7B23F10BBA9AFFAF0A89E3EC8F3D63CE3156AE17F56063355CDFE102F29",
                    "sha1": "540E4874E1FB23E6E5603344542EC5BA7F8BFA9E"
                },
                {
                    "file_name": "LANDeskPortalManager.resources.dll",
                    "sha256": "8ED0CEE1AEE0E9F19F649B1DE7C56992029892115291D46505009545F982D16D",
                    "sha1": "4592FFC93BCF68317E207535E48A32F04D2F4ADF"
                },
                {
                    "file_name": "LANDeskPortalManager.resources.dll",
                    "sha256": "42A86CB6DF48B82A8544912C387D67FDCE31BD17B89B0EC4590F60984AEC2663",
                    "sha1": "AED3D04BA0E20FFEC0EAA9E051533F9A941341E1"
                },
                {
                    "file_name": "LANDeskPortalManager.resources.dll",
                    "sha256": "C29987E95B2F965A80125338F7453AF538233F0EE82EE8169376DF528A99E4DF",
                    "sha1": "7730C4E85F3D946CE998765CC6C8EC382F45901B"
                },
                {
                    "file_name": "LANDeskPortalManager.resources.dll",
                    "sha256": "C1B0112D3EFBBA0F187D79BD982CFCB59825A1653F66A51EED9D6DDB0BCE55E7",
                    "sha1": "2C94C8D2534C3A7E7D2395F1FCAED30290A8B377"
                },
                {
                    "file_name": "Ivanti Software Monitor",
                    "sha256": "F32F0922B67729C1344A7D35533137DD1DFD084085ABFFFEEC98EA41C88FD59A",
                    "sha1": "45FA77EAAD2DB8B20DE68621E4FE32CAB48E7DA1"
                }
            ],
            "page": [
                {
                    "file_name": "Ivanti Software Monitor",
                    "sha256": "7AB10DE3A2821CF65FE7DE679B8E6292A51556E996E1D107A6044903DCEEBA3C",
                    "sha1": "81A42676F3E497FD4AAD2508386EAF65D9632E8F"
                },
                {
                    "file_name": "Ivanti Software Monitor",
                    "sha256": "BEAF45E9E7E28A0793D3B33E2729D5E96AAAB486F8DF92A0766B29D038D1D1A8",
                    "sha1": "3F839A61BFA40B5EF36CE4DE01253AC631ADA222"
                },
                {
                    "file_name": "Ivanti Software Monitor",
                    "sha256": "0A3BEC7CBFE2C29C716E87EEBCE91DAD9DD225CD6FDBC4984EB2B875405965D2",
                    "sha1": "753203FB7FE5F70B744D3FF328E422C345E112DF"
                },
                {
                    "file_name": "Ivanti Software Monitor",
                    "sha256": "76AC077A08929C6773B33E63F054B0166B9075A286B9B020C74B75CB42A45CD2",
                    "sha1": "F9CB7EE92927A620E0F2B649931A72A9964BD5A1"
                },
                {
                    "file_name": "Ivanti Software Monitor",
                    "sha256": "97534C8FB4EF11637CED903CA228A2D6424D47526711625C6D59E24CCA2AEE61",
                    "sha1": "BF0F16219206E89C687623ACD810E0E4F34838A9"
                },
                {
                    "file_name": "Ivanti Software Monitor",
                    "sha256": "7FDB81B785473F4F311FC782909C622EDA74283E9C3F53BD4E2A3736398D1A61",
                    "sha1": "1BFEA619F787502B6B91C19345B79F1A21EB90F5"
                },
                {
                    "file_name": "Ivanti Software Monitor",
                    "sha256": "043EF661ED438370D48AEB1DFE0D1D18AD2DD9DD82C8442952B801E4DE4906D8",
                    "sha1": "E808BA15273A8E9ED5362D7839D6ABBCDD571DAA"
                },
                {
                    "file_name": "Ivanti ソフトウェア監視",
                    "sha256": "D8330BFA9505D99AC9AAF9680D187CDF8485B366AC21113093D1D0C925735CEB",
                    "sha1": "38D6B1E40A0352A80E84A428E2F55DDD7BC43592"
                },
                {
                    "file_name": "Ivanti Software Monitor",
                    "sha256": "6A085EC9532FD5D514DCAA5B7C43F8B278BB1EF649B86058AE4008610F03734A",
                    "sha1": "2F82F3F41C1ABC9BD38A42AB78A92A1308C37C05"
                },
                {
                    "file_name": "LANDeskPortalManager.resources.dll",
                    "sha256": "47424DD9F592A51D31A4E23C79193817BFADBFAB9AB302315008DCE89FD3C28F",
                    "sha1": "01610622842FFE85B6C1BA6BECCF0489662607A4"
                },
                {
                    "file_name": "LANDeskPortalManager.resources.dll",
                    "sha256": "A95052B33719C864D29261951AC7E8EB656B67B34B63B56C56B3D9ACFC938291",
                    "sha1": "9A356014D37A88614E4559E24E01368031D828BB"
                },
                {
                    "file_name": "LANDeskPortalManager.resources.dll",
                    "sha256": "0A5FA89469545E70278CAB55FDA82A5E2A1B5EB5504BEB5EE9375E559638344E",
                    "sha1": "E62C93BA5D51CDFBEFC86DCF8EF84FEE7D5FC5AD"
                },
                {
                    "file_name": "LANDeskPortalManager.resources.dll",
                    "sha256": "CCE92117CB8281554324F9633B30C4AD9FB635A852CF1E03354133C9D61F9CED",
                    "sha1": "BCAE6E0239579FB06BEA00F61948D4C9807830F1"
                },
                {
                    "file_name": "LANDeskPortalManager.resources.dll",
                    "sha256": "1D8D1682FC7A94AE78DF0E42CAB98BF721823EF1286CAC72D1E05ED4478BCA8B",
                    "sha1": "A8BBC2DF2AF6E8FDBFFBEDA9229CFE0E58DD126A"
                },
                {
                    "file_name": "LANDeskPortalManager.resources.dll",
                    "sha256": "B98FAE0BC60765C69238D7D87402548D19304D39C94EEDB1673A890E02CF4D07",
                    "sha1": "848131E76C9BEDDB54E70F34A4564672CAEF2937"
                },
                {
                    "file_name": "LANDeskPortalManager.resources.dll",
                    "sha256": "AD67BE1A13DB559EBCB4B770A1993E30E505431C8C36CB7CFE4A70515AE114E9",
                    "sha1": "D53A30315AEF9AA604EC638E385984EFBDE249C2"
                },
                {
                    "file_name": "LANDeskPortalManager.resources.dll",
                    "sha256": "33795F31BBB7F31FB2C7C2607D0ABF83CBE3CCA80B48E4A413BF5B4ACC3F777B",
                    "sha1": "6AFFFCCB2BCDAD9CBD9AFAE5A020F8BE1B49EBB9"
                },
                {
                    "file_name": "LANDeskPortalManager.resources.dll",
                    "sha256": "DE1979E509D41F1045781649B4164D4444747807C8EAD8A03BACA5EB1516A94E",
                    "sha1": "8B36E8D1D2E7673F5D0F13D43D7A252CED5D8C2E"
                }
            ]
        }
    },
    {
        "Name": "ezHelp",
        "Category": "RMM",
        "Description": "ezHelp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://ezhelp.co.kr/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "ezhelpclientmanager.exe",
                "ezHelpManager.exe",
                "ezhelpclient.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.ezhelp.co.kr",
                        "ezhelp.co.kr"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ezhelp_network_sigma.yml",
                "Description": "Detects potential network activity of ezHelp RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ezhelp_processes_sigma.yml",
                "Description": "Detects potential process activity of ezHelp RMM tool"
            }
        ],
        "References": [
            "https://www.exhelp.co.kr"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "Terminals",
        "Category": "RAT",
        "Description": "Terminals is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://github.com/Terminals-Origin/Terminals",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": []
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [],
        "References": [],
        "Acknowledgement": []
    },
    {
        "Name": "Visual Studio Dev Tunnel",
        "Category": "RAT",
        "Description": "Visual Studio Dev Tunnel is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://learn.microsoft.com/azure/developer/dev-tunnels/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": []
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "global.rel.tunnels.api.visualstudio.com",
                        "*.rel.tunnels.api.visualstudio.com",
                        "*.devtunnels.ms"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/visual_studio_dev_tunnel_network_sigma.yml",
                "Description": "Detects potential network activity of Visual Studio Dev Tunnel RMM tool"
            }
        ],
        "References": [
            "https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "Electric AI (Kaseya)",
        "Category": "RMM",
        "Description": "Electric AI (Kaseya) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.electric.ai/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": []
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "electric.ai"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/electric_ai__kaseya__network_sigma.yml",
                "Description": "Detects potential network activity of Electric AI (Kaseya) RMM tool"
            }
        ],
        "References": [
            "https://www.electric.ai/product/device-management-solutions - Uses Kaseya/Jamf"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "ManageEngine RMM Central",
        "Category": "RMM",
        "Description": "ManageEngine RMM Central is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.manageengine.com/remote-monitoring-management/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": []
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "manageengine.com/remote-monitoring-management/"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manageengine_rmm_central_network_sigma.yml",
                "Description": "Detects potential network activity of ManageEngine RMM Central RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": []
    },
    {
        "Name": "Impero Connect",
        "Category": "RMM",
        "Description": "Impero Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "ImperoClientSVC.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "imperosoftware.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/impero_connect_network_sigma.yml",
                "Description": "Detects potential network activity of Impero Connect RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/impero_connect_processes_sigma.yml",
                "Description": "Detects potential processes activity of Impero Connect RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "Impero Solutions Limited",
                    "certificate_thumbprint": "E1A00BFD8338A6C9EADC315BF89568DB43DD2220",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "2ef170a512ba3763050cca4f64055f658ff1df5bdf45784dae8b51256bd3c07c",
                    "src_file_path": "downloaded_files/impero_connect/2ef170a512ba3763050cca4f64055f658ff1df5bdf45784dae8b51256bd3c07c",
                    "src_file_company": "Impero Solutions ltd"
                }
            ]
        }
    },
    {
        "Name": "MobaXterm",
        "Category": "RAT",
        "Description": "MobaXterm is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://mobaxterm.mobatek.net/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\*\\MobaXterm_installer_12.1.msi",
                "*\\MobaXterm_installer_*.msi",
                "*\\Mobatek\\MobaXterm\\*"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [],
        "References": [],
        "Acknowledgement": []
    },
    {
        "Name": "Remote Manipulator System",
        "Category": "RMM",
        "Description": "Remote Manipulator System is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://rmansys.ru/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "rfusclient.exe",
                "rutserv.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.internetid.ru",
                        "rmansys.ru"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_manipulator_system_network_sigma.yml",
                "Description": "Detects potential network activity of Remote Manipulator System RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_manipulator_system_processes_sigma.yml",
                "Description": "Detects potential processes activity of Remote Manipulator System RMM tool"
            }
        ],
        "References": [
            "https://rmansys.ru/files/"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "REMOTE UTILITIES PTE. LTD.",
                    "certificate_thumbprint": "902CC2BB628B651954A5F7A1D68C6CDE84707A54",
                    "certificate_der_base64": "MIIHsTCCBZmgAwIBAgIMGxe0xhAOf9QVbF8BMA0GCSqGSIb3DQEBCwUAMFwxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMTIwMAYDVQQDEylHbG9iYWxTaWduIEdDQyBSNDUgRVYgQ29kZVNpZ25pbmcgQ0EgMjAyMDAeFw0yNDEwMTYwNzA1MDZaFw0yNjEwMTcwNzA1MDZaMIHxMR0wGwYDVQQPDBRQcml2YXRlIE9yZ2FuaXphdGlvbjETMBEGA1UEBRMKMjAyNDMxMjU3RDETMBEGCysGAQQBgjc8AgEDEwJTRzELMAkGA1UEBhMCU0cxEjAQBgNVBAgTCVNpbmdhcG9yZTESMBAGA1UEBxMJU2luZ2Fwb3JlMSMwIQYDVQQKExpSRU1PVEUgVVRJTElUSUVTIFBURS4gTFRELjEjMCEGA1UEAxMaUkVNT1RFIFVUSUxJVElFUyBQVEUuIExURC4xJzAlBgkqhkiG9w0BCQEWGGluZm9AcmVtb3RldXRpbGl0aWVzLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK/qf9AZbk/S6XPTSRSBjGpn8fWnIFkDquBFMDBAlOHE3fi1/x4tw0XkwOsHcwKb+5VZbmMvff4E/sumEAut846vQubDDPk4ofXLQouY7QzJhj5ZfYxEqLrJNQNNOQnyOTJUg4ehdpITMoVxVKRuDkNT3I54mpeefG+x4aNWhZ42jEDEDQ7O8i9dNtqe3mC2B3SYDqRV/ASwZEbt5NUFss0PzuZPAmPSf8XX8kiD9XNG3l7uRVzWK2MztCa2YH7TqBYaHHVmWy4RlM16+cCl4QtaTRfM/dCZZKdKVzTeflt3Kqp9Ho1NL6tn1Wv230i74CwTPYBIzd1yMWdENegCwd1+LRp7PfOvbOvrjLKDQQFJjboEZ/a1XvDHNq+DneyLAWUGD8PUNsb61mMd7s2g5bM9Fa6cdssIo64huzSxFbP3qIIXPZRzoAqvv7UUOkdXhSvBlTVex7YIPOiRiCOywmDtPqDg1rQVz2UBNWN9UdXZP0cnEaWLWdjkC2ExYvnpSQ4pWJk0eEcEpJzGpTXqCjqtYwDFczUnIUlYBA8bpINcbK5moUHWUllKQkFwPEig1qgo9vmklt5Xy2XbATr26GId4FsZCtrGbWbkoV+3npo6IsV9RaCNMdfdcrQ/P92l3H6wsMO5L8RDiMXaFb9meCQ6N41dkI9QYtz0pLG8ZD/pAgMBAAGjggHbMIIB1zAOBgNVHQ8BAf8EBAMCB4AwgZ8GCCsGAQUFBwEBBIGSMIGPMEwGCCsGAQUFBzAChkBodHRwOi8vc2VjdXJlLmdsb2JhbHNpZ24uY29tL2NhY2VydC9nc2djY3I0NWV2Y29kZXNpZ25jYTIwMjAuY3J0MD8GCCsGAQUFBzABhjNodHRwOi8vb2NzcC5nbG9iYWxzaWduLmNvbS9nc2djY3I0NWV2Y29kZXNpZ25jYTIwMjAwVQYDVR0gBE4wTDBBBgkrBgEEAaAyAQIwNDAyBggrBgEFBQcCARYmaHR0cHM6Ly93d3cuZ2xvYmFsc2lnbi5jb20vcmVwb3NpdG9yeS8wBwYFZ4EMAQMwCQYDVR0TBAIwADBHBgNVHR8EQDA+MDygOqA4hjZodHRwOi8vY3JsLmdsb2JhbHNpZ24uY29tL2dzZ2NjcjQ1ZXZjb2Rlc2lnbmNhMjAyMC5jcmwwIwYDVR0RBBwwGoEYaW5mb0ByZW1vdGV1dGlsaXRpZXMuY29tMBMGA1UdJQQMMAoGCCsGAQUFBwMDMB8GA1UdIwQYMBaAFCWd0PxZCYZjxezzsRM7VxwDkjYRMB0GA1UdDgQWBBS/DLg3OD1zoYV4Our7+3IqTJkG7zANBgkqhkiG9w0BAQsFAAOCAgEAJQ0aH
mccdAHsf5Snj1SHlfPD/t/ukYuR+4EhjuOsyB5rI4mHYOMRUYw0DTlDJimecjh95SsucIlAJv7TANQ4RehNVLtWTLth0oyCdyzhoTo7orSko99uY6EOhfmbYOaxZYZ9JdCCkcZEwEGkyQ+H3DytWTuFxWpS1g3IAXPYwsh+MgAEyXq7qI4ZFFhc677iW/KusCAdePL++pX1f0yDzH2HvbnFYapnVjnTIm8ghXJgcwK8JW+tZsXWg8auILuK+lKQf1vJy5yDLMAcl2fu/hlTgQKd5t1cnn6qWUAJo6TwjR46bMFE/AVcUUhR9MdjJBd3Gbly4bir8vJPX35ZsunabIYV5+w/wTAA4bTH+kRP99jpROwWkaulhwVlNqSNzPZQG/hE89Exl0M/fdHlaHfzs+xDpaDK5pMOxolgsofclmqZ+4JAlhcwmzpkbPvgbveBG9pOzIGmsB7t8l25bqig4IxewV00/EBLdspdAxQN4cNHRpe32ydLYdAWxpSfaPq1k76Wo1mEgtTuuJgWoa4SuqC1n3wMAyBRQvo3APG5D+znG9SiMpOoBX0robGUloTA7jvzkx0nrotmxThXR2buv3VBzq68G8CnyBqeVoKmFzUQHGiVvRi7LJxJNR6tRhrZbNz+MhKX62JWW1GuQFG+BoXl0egmYehSvo72Drk=",
                    "src_file_sha256": "7906a81b1dec372b4c232306678fda0cbc46db41e3db0c06b858d54d60cd7ab6",
                    "src_file_path": "downloaded_files/remote_manipulator_system/7906a81b1dec372b4c232306678fda0cbc46db41e3db0c06b858d54d60cd7ab6",
                    "src_file_company": "Remote Utilities Pte. Ltd."
                }
            ]
        }
    },
    {
        "Name": "RemotePC",
        "Category": "RMM",
        "Description": "RemotePC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.remotepc.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [
                "Windows"
            ],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Program Files (x86)\\RemotePC\\*",
                "Idrive.File-Transfer",
                "*\\RemotePC\\*",
                "remotepcservice.exe",
                "RemotePC.exe",
                "remotepchost.exe",
                "idrive.RemotePCAgent",
                "rpcsuite.exe",
                "*\\RemotePCService.exe",
                "RemotePCService.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.remotedesktop.com",
                        "*.remotepc.com",
                        "www.remotepc.com",
                        "remotepc.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepc_network_sigma.yml",
                "Description": "Detects potential network activity of RemotePC RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepc_processes_sigma.yml",
                "Description": "Detects potential processes activity of RemotePC RMM tool"
            }
        ],
        "References": [
            "https://www.remotedesktop.com/helpdesk/faq-firewall"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "IDrive, Inc.",
                    "certificate_thumbprint": "17792230278CDBA9F4A0ACFC0BCCA9F259286A73",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "f330dd1b146522594b5920b2edf2c66f5566e75fb31959919fed0926bcaec794",
                    "src_file_path": "downloaded_files/remotepc/f330dd1b146522594b5920b2edf2c66f5566e75fb31959919fed0926bcaec794"
                },
                {
                    "signer_name": "IDrive, Inc.",
                    "certificate_thumbprint": "491640FE02B0F0A1E298191326D2F72527C5DCF7",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "8156cbcbdc4e2eeedcb4ddbabc0052d2e4898ca27280160c396639bb39d561e4",
                    "src_file_path": "downloaded_files/remotepc/8156cbcbdc4e2eeedcb4ddbabc0052d2e4898ca27280160c396639bb39d561e4",
                    "src_file_company": "IDrive Inc                                                  "
                }
            ]
        }
    },
    {
        "Name": "Access Remote PC",
        "Category": "RMM",
        "Description": "Access Remote PC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.remotedesktop.com/",
            "PEMetadata": {
                "Filename": null,
                "OriginalFileName": null,
                "Description": null
            },
            "Privileges": null,
            "Free": true,
            "Verification": true,
            "SupportedOS": [
                "Windows",
                "Mac",
                "Linux",
                "Android",
                "iOS"
            ],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Program Files (x86)\\RemotePC\\*"
            ]
        },
        "Artifacts": {
            "Disk": [
                {
                    "File": "C:\\Program Files (x86)\\RemotePC\\RemotePCUIU.exe",
                    "Description": "RemotePC service binary",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files (x86)\\RemotePC\\*",
                    "Description": "Multiple files and binaries related to RemotePC installation",
                    "OS": "Windows"
                }
            ],
            "EventLog": [
                {
                    "EventID": 7045,
                    "ProviderName": "Service Control Manager",
                    "LogFile": "System.evtx",
                    "ServiceName": "RemotePC Performance Service",
                    "ImagePath": "\"C:\\\\Program Files (x86)\\\\RemotePC\\\\RemotePCPerformance\\\\RPCPerformanceService.exe\"",
                    "Description": "Service installation event as result of RemotePC installation."
                },
                {
                    "EventID": 4688,
                    "ProviderName": "Microsoft-Security-Auditing",
                    "LogFile": "Security.evtx",
                    "CommandLine": "sc  create RPCService start=auto binpath=\"C:\\\\Program Files (x86)\\\\RemotePC\\\\RemotePCService.exe\"",
                    "Description": "Executing command to install RemotePC service."
                },
                {
                    "EventID": 4688,
                    "ProviderName": "Microsoft-Security-Auditing",
                    "LogFile": "Security.evtx",
                    "CommandLine": "C:\\\\Windows\\\\system32\\\\schtasks /create /SC DAILY /st 12:00 /TN \"RPCPerformanceHealthCheck\" /TR \"C:\\\\Program Files (x86)\\\\RemotePC\\\\RemotePCPerformance\\\\RPCPerformanceDownloader.exe\" /rl HIGHEST /ru system",
                    "Description": "Executing command to create RemotePC HealthCheck scheduled task."
                },
                {
                    "EventID": 4688,
                    "ProviderName": "Microsoft-Security-Auditing",
                    "LogFile": "Security.evtx",
                    "CommandLine": "C:\\Windows\\regedit.exe /s C:\\Program Files (x86)\\RemotePC\\Register.reg",
                    "Description": "Executing command to install various registry changes related to RemotePC."
                },
                {
                    "EventID": 4688,
                    "ProviderName": "Microsoft-Security-Auditing",
                    "LogFile": "Security.evtx",
                    "CommandLine": "netsh  advfirewall firewall add rule name=\"RemotePCDesktop\" enable=yes dir=in action=allow profile=any program=\"C:\\Program Files (x86)\\RemotePC\\RemotePCDesktop.exe\" description=\"This program is used for File Transfer and is part of RemotePC product.\"",
                    "Description": "Executing command to add local firewall rule to allow inbound traffic for RemotePC."
                }
            ],
            "Registry": [],
            "Network": []
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/access_remote_pc_files_sigma.yml",
                "Description": "Detects potential files activity of Access Remote PC RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": [
            {
                "Person": "Daniel Koifman",
                "Handle": "@koifsec"
            }
        ]
    },
    {
        "Name": "Auvik",
        "Category": "RMM",
        "Description": "Auvik is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.auvik.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "auvik.engine.exe",
                "auvik.agent.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.my.auvik.com",
                        "*.auvik.com",
                        "auvik.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/auvik_network_sigma.yml",
                "Description": "Detects potential network activity of Auvik RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/auvik_processes_sigma.yml",
                "Description": "Detects potential processes activity of Auvik RMM tool"
            }
        ],
        "References": [
            "https://support.auvik.com/hc/en-us/articles/204315700-What-protocols-and-ports-does-the-Auvik-collector-use"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "tmate",
        "Category": "RAT",
        "Description": "tmate is an open-source terminal sharing tool for Linux and Unix-like systems, built on tmux. It enables instant terminal sharing over SSH, allowing remote terminal access and collaboration. The tool creates a unique session that can be shared with others for remote access, making it a legitimate tool for system administration but also potentially useful for unauthorized remote access.",
        "Author": "Michael Haag",
        "Created": "2026-01-15",
        "LastModified": "2026-01-15",
        "Details": {
            "Website": "https://tmate.io/",
            "PEMetadata": [
                {
                    "Filename": "tmate",
                    "OriginalFileName": "",
                    "Description": "tmate terminal sharing binary"
                }
            ],
            "Privileges": "User",
            "Free": "Open Source",
            "Verification": "Open source project",
            "SupportedOS": [
                "Linux",
                "Mac",
                "FreeBSD"
            ],
            "Capabilities": [
                "Remote Terminal Access",
                "Terminal Sharing",
                "SSH-based Connection",
                "Session Collaboration"
            ],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "/usr/bin/tmate",
                "/usr/local/bin/tmate",
                "tmate",
                "tmate.sock",
                "tmate-ready",
                "tmate.bashrc"
            ]
        },
        "Artifacts": {
            "Disk": [
                {
                    "File": "/tmp/tmate*",
                    "Description": "tmate socket files for terminal sharing sessions",
                    "OS": "Linux"
                },
                {
                    "File": "~/.tmate.conf",
                    "Description": "tmate configuration file",
                    "OS": "Linux"
                },
                {
                    "File": "tmate.sock",
                    "Description": "tmate socket file for session communication",
                    "OS": "Linux"
                },
                {
                    "File": "tmate-ready",
                    "Description": "tmate readiness indicator file",
                    "OS": "Linux"
                },
                {
                    "File": "tmate.bashrc",
                    "Description": "tmate bash configuration file",
                    "OS": "Linux"
                }
            ],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "tmate.io",
                        "*.tmate.io"
                    ],
                    "Ports": [
                        22,
                        443
                    ]
                }
            ]
        },
        "Detections": [],
        "References": [
            "https://github.com/magicsword-io/LOLRMM/issues/106",
            "https://github.com/tmate-io/tmate",
            "https://tmate.io/"
        ],
        "Acknowledgement": [
            {
                "Person": "rcKillam",
                "Handle": "@rcKillam"
            }
        ]
    },
    {
        "Name": "UltraVNC",
        "Category": "RAT",
        "Description": "UltraVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://uvnc.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "UltraVNC*.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "ultravnc.com",
                        "user_managed"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultravnc_network_sigma.yml",
                "Description": "Detects potential network activity of UltraVNC RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultravnc_processes_sigma.yml",
                "Description": "Detects potential processes activity of UltraVNC RMM tool"
            }
        ],
        "References": [
            "https://uvnc.com/docs/uvnc-server/49-UltraVNC-server-configuration.html"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "Xshell",
        "Category": "RAT",
        "Description": "Xshell is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.xshell.com/en/xshell/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Program Files (x86)\\NetSarang\\xShell\\*",
                "*\\NetSarang\\xShell\\*",
                "*\\xShell.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xshell_processes_sigma.yml",
                "Description": "Detects potential processes activity of Xshell RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": []
    },
    {
        "Name": "RustDesk",
        "Category": "RMM",
        "Description": "RustDesk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://rustdesk.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "Yes",
            "Verification": "",
            "SupportedOS": [
                "Windows",
                "Linux",
                "MacOS"
            ],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "rustdesk*.exe",
                "rustdesk.exe",
                "C:\\Users\\*\\AppData\\Local\\rustdesk\\rustdesk.exe",
                "C:\\Users\\*\\AppData\\Local\\rustdesk\\*",
                "C:\\Program Files\\RustDesk"
            ]
        },
        "Artifacts": {
            "Disk": [
                {
                    "File": "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Roaming\\RustDesk\\*",
                    "Description": "N/A",
                    "OS": "Windows"
                }
            ],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "rustdesk.com",
                        "user_managed",
                        "web.rustdesk.com",
                        "api.rustdesk.com",
                        "rs-ny.rustdesk.com"
                    ],
                    "Ports": [
                        443,
                        21115,
                        21116
                    ]
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rustdesk_network_sigma.yml",
                "Description": "Detects potential network activity of RustDesk RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rustdesk_files_sigma.yml",
                "Description": "Detects potential files activity of RustDesk RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rustdesk_processes_sigma.yml",
                "Description": "Detects potential processes activity of RustDesk RMM tool"
            }
        ],
        "References": [
            "https://rustdesk.com/docs/en/"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "AnyViewer",
        "Category": "RMM",
        "Description": "AnyViewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.\n",
        "Author": "@kostastsale",
        "Created": "2024-08-03",
        "LastModified": "2024-08-03",
        "Details": {
            "Website": "https://www.anyviewer.com/",
            "PEMetadata": [
                {
                    "Filename": "AnyViewer.exe",
                    "OriginalFileName": "AnyViewer",
                    "Description": "Splash Window"
                },
                {
                    "Filename": "RCClient.exe",
                    "OriginalFileName": "RCClient.exe",
                    "Description": "AnyViewer Core"
                },
                {
                    "Filename": "ScreanCap.exe",
                    "Description": "Screan capture"
                },
                {
                    "Filename": "AVCore.exe"
                },
                {
                    "Filename": "RCService.exe"
                }
            ],
            "Privileges": "System",
            "Free": "up to 10 devices",
            "Verification": "None",
            "SupportedOS": [
                "Windows"
            ],
            "Capabilities": [
                "Remote desktop",
                "Remote file transfer",
                "Remote monitoring and management",
                "Remote shell open"
            ],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Program Files (x86)\\AnyViewer\\*"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [
                {
                    "EventID": 4688,
                    "ProviderName": "Microsoft-Windows-Security-Auditing",
                    "LogFile": "Security.evtx",
                    "CommandLine": "\"C:\\\\Program Files (x86)\\\\AnyViewer\\\\AVCore.exe\" -d",
                    "Description": "Taking actions on the remote machine such as opening a command prompt."
                },
                {
                    "EventID": 7045,
                    "ProviderName": "Service Control Manager",
                    "LogFile": "System.evtx",
                    "ServiceName": "RCService",
                    "ImagePath": "C:\\\\Program Files (x86)\\\\AnyViewer\\\\RCService.exe",
                    "Description": "Installation of the AnyViewer service (RCService)."
                }
            ],
            "Registry": [],
            "Network": [
                {
                    "Description": "N/A",
                    "Domains": [
                        "*.anyviewer.com"
                    ],
                    "Ports": [
                        443
                    ]
                },
                {
                    "Description": "N/A",
                    "Domains": [
                        "*.aomeisoftware.com"
                    ],
                    "Ports": [
                        443
                    ]
                }
            ]
        },
        "Detections": [
            {
                "Name": "Arbitrary code execution and remote sessions via Action1 RMM",
                "Description": "Threat hunting rule for detecting the execution of arbitrary code and remote sessions via AnyViewer",
                "author": "@kostastsale",
                "Link": "https://github.com/tsale/Sigma_rules/blob/main/Threat%20Hunting%20Queries/Anyviewer.yml"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyviewer_network_sigma.yml",
                "Description": "Detects potential network activity of AnyViewer RMM tool"
            }
        ],
        "References": [
            "https://www.anyviewer.com/how-to/how-to-open-firewall-ports-for-remote-desktop-0427-gc.html",
            "https://www.anyviewer.com/help/remote-technical-support.html"
        ],
        "Acknowledgement": [
            {
                "Person": "Kostas",
                "Handle": "@kostastsale"
            }
        ],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "AOMEI International Network Limited",
                    "certificate_thumbprint": "E5132FC7E6BD90602C81BBE92FB064B2CBC73853",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "4ef164fbedfbd439584d7c692f6ebb9bd9d937af436882c762483303531c5f8d",
                    "src_file_path": "downloaded_files/anyviewer/4ef164fbedfbd439584d7c692f6ebb9bd9d937af436882c762483303531c5f8d",
                    "src_file_company": "AOMEI International Network Limited"
                }
            ]
        }
    },
    {
        "Name": "SkyFex",
        "Category": "RMM",
        "Description": "SkyFex is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://deskroll.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "Deskroll.exe",
                "DeskRollUA.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "skyfex.com",
                        "deskroll.com",
                        "*.deskroll.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/skyfex_network_sigma.yml",
                "Description": "Detects potential network activity of SkyFex RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/skyfex_processes_sigma.yml",
                "Description": "Detects potential processes activity of SkyFex RMM tool"
            }
        ],
        "References": [
            "https://skyfex.com/"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "Lite Manager",
        "Category": "RMM",
        "Description": "Lite Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.litemanager.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Program Files\\LiteManager Pro – Viewer\\*",
                "*\\LiteManager Pro – Viewer\\*",
                "*\\LMNoIpServer.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/lite_manager_processes_sigma.yml",
                "Description": "Detects potential processes activity of Lite Manager RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "REMOTE UTILITIES PTE. LTD.",
                    "certificate_thumbprint": "902CC2BB628B651954A5F7A1D68C6CDE84707A54",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "d2598c8a6e0928716c94825bc2b4736ad530d0de93d83a507332327c4c883cdc",
                    "src_file_path": "downloaded_files/litemanager/d2598c8a6e0928716c94825bc2b4736ad530d0de93d83a507332327c4c883cdc",
                    "src_file_company": "Flexera"
                },
                {
                    "signer_name": "IP Ter-Osipov Aleksey Vladimirovich",
                    "certificate_thumbprint": "1753913DC00AE0D1B1BF1CE2D6F4C5A2C1156316",
                    "certificate_der_base64": "MIIHfDCCBWSgAwIBAgIMbD1HktY92xLqVspAMA0GCSqGSIb3DQEBCwUAMFkxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMS8wLQYDVQQDEyZHbG9iYWxTaWduIEdDQyBSNDUgQ29kZVNpZ25pbmcgQ0EgMjAyMDAeFw0yNTAzMDMxNjQ4NTRaFw0yODAzMDMxNjQ4NTRaMIHDMQswCQYDVQQGEwJSVTEWMBQGA1UECBMNUm9zdG92IE9ibGFzdDEWMBQGA1UEBxMNUm9zdG92LW9uLURvbjEsMCoGA1UEChMjSVAgVGVyLU9zaXBvdiBBbGVrc2V5IFZsYWRpbWlyb3ZpY2gxLDAqBgNVBAMTI0lQIFRlci1Pc2lwb3YgQWxla3NleSBWbGFkaW1pcm92aWNoMSgwJgYJKoZIhvcNAQkBFhlhbGV4LnRlci5vc2lwb3ZAZ21haWwuY29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEApMpZKSzph6lOBeClpfNAcTKR/jSJfNbln59JUrr4lOt8HXLbNLpSf65fpFpYE5eD1fFPCMaA7Nko1n+8bbfzR9jE4+xWxwp4oCmt17BsBIYf0CznrjhfltAWgD8nqW1ceWN1z7fz1X2E1MOIpCF8rsrZydj8olsQN6mDzeW8Yh3p90VAHkosK+Y4Jtesys/4YmrF05fzKJNasc960lQutkuZpctK5tK3rUDVMcYJz7lpvejf+215Ka7AmYYhPzm+6SPEKsT382lm5OgNjF38at2eWAvIl+dVg499BLs1IzkOnPcbfGwn00xTuRLs5qUT0U5kSWluwYCD55NC7x+MPuWr/b9mDzVpVL92S8EgHLdHa3WX2C+2xvEO8E+XurcNtqj3CeUHpH8kGCLXH+31HLeItoogRv/pKc1w/3dN2BeROE91wAvLn9EOANqF/9fYx2CkBWDgZXP0DvAeT5w6o3IRcBCjGAg/ENojSHbAz0jgyQJYW68orJ8DCB3evb+1RmCTiC8FY87VJ6FfsvxtkHsZGDEUJ9AUWad/mKIhKn7eeD6qbmYL0pr9/k/Ht5dahyJ1bvLtyCA74TSKgjvl0MWUXVVbCdst9NqPFBgIQbdBm4VNdMf/DexYV8uBMUkJDdAqETVufUv160FUIcpAV6u3U2+G/9j9KvQgZ3P5fvMCAwEAAaOCAdcwggHTMA4GA1UdDwEB/wQEAwIHgDCBmwYIKwYBBQUHAQEEgY4wgYswSgYIKwYBBQUHMAKGPmh0dHA6Ly9zZWN1cmUuZ2xvYmFsc2lnbi5jb20vY2FjZXJ0L2dzZ2NjcjQ1Y29kZXNpZ25jYTIwMjAuY3J0MD0GCCsGAQUFBzABhjFodHRwOi8vb2NzcC5nbG9iYWxzaWduLmNvbS9nc2djY3I0NWNvZGVzaWduY2EyMDIwMFYGA1UdIARPME0wQQYJKwYBBAGgMgEyMDQwMgYIKwYBBQUHAgEWJmh0dHBzOi8vd3d3Lmdsb2JhbHNpZ24uY29tL3JlcG9zaXRvcnkvMAgGBmeBDAEEATAJBgNVHRMEAjAAMEUGA1UdHwQ+MDwwOqA4oDaGNGh0dHA6Ly9jcmwuZ2xvYmFsc2lnbi5jb20vZ3NnY2NyNDVjb2Rlc2lnbmNhMjAyMC5jcmwwJAYDVR0RBB0wG4EZYWxleC50ZXIub3NpcG92QGdtYWlsLmNvbTATBgNVHSUEDDAKBggrBgEFBQcDAzAfBgNVHSMEGDAWgBTas43AJJCja3fTDKBZ3SFnZHYLeDAdBgNVHQ4EFgQUxZttTJaVCbGd7RNJPAzaUbhg6RcwDQYJKoZIhvcNAQELBQADggIBAI6kjiylEJlNNm6vWaTKCSCjJ/sCL7VKR37Df/tV6WKrjuyN41KZ03JOqqo4wow6EKxTM+nQQLAWP
SAz6gyPWfp6KXENmjWo05lM2Grn3LTPzwd0Q/dW8i6iN5R7dBXshJK9NzRJ8vPWULEDao9LMvveDnG5j6fzUCWeeoMU0xEeHxhYXkOdmgQiQ+P/GYIXDSoS3ZQf+5+1Ly/PUn6zGpWXLOgwAvLIUjd2gF/Xw7J3RLpM7WEq4tGyj6ZR+18iEUOTpnQ2uOz0aj4dsaANP8HL4lxePsHHsgA90T3Hp0fnDsPcxaICCQVVbZaCXrGuPqfeLRGLdX+gT4lmH+ke2czfzTYVfoB4fEGWZWV6C3AGkzlj2sETSdWOo7wYcImySiGgp6/LHHjj9ZKvtpkGzKlPMTRNxpiM6IcWuXJGkGfUqnqswCMc1Z84KkQsmFpTQfUWZvZBm3YGJq4affSbDClvTKDoPM935YZSA5RGoFJLN24zDyi+cXn+O8v9u2QZuEod8RXAv5b+avBL31d5aeVyTiOT2rP6rzo6nu5Tifg+nmz3rwHrY00PuxDPp+gM/M+crJ1UUcfT9lwRMCUiVbe/nAf0TQBr0HwIHupFrrVpHtjGVHGN2HbDrYdWkpyWiWuFYmfBeSlPBWxRwJ7/QxGV28geTLu066a4M3LErLFL",
                    "src_file_sha256": "a1d75de65bcb6b68bf79d0e826cf5371f5b5df4df02729038aba8d9f0b0f52c8",
                    "src_file_path": "downloaded_files/litemanager/a1d75de65bcb6b68bf79d0e826cf5371f5b5df4df02729038aba8d9f0b0f52c8",
                    "src_file_company": "Flexera"
                }
            ]
        }
    },
    {
        "Name": "Splashtop Remote",
        "Category": "RMM",
        "Description": "Splashtop Remote is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2025-12-14",
        "Details": {
            "Website": "https://www.splashtop.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "strwinclt.exe",
                "Splashtop_Streamer_Windows*.exe",
                "SplashtopSOS.exe",
                "sragent.exe",
                "srmanager.exe",
                "srserver.exe",
                "srservice.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "splashtop.com",
                        "*.api.splashtop.com",
                        "*.relay.splashtop.com",
                        "*.api.splashtop.eu"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_remote_network_sigma.yml",
                "Description": "Detects potential network activity of Splashtop Remote RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_remote_processes_sigma.yml",
                "Description": "Detects potential processes activity of Splashtop Remote RMM tool"
            }
        ],
        "References": [
            "https://support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "search_names": [
                "3irjc74zj.exe",
                "splashtop_streamer_windows.exe",
                "splashtopsos.exe",
                "sragent.exe",
                "srserver.exe",
                "srservice.exe"
            ],
            "company_names": [],
            "signer_names": [
                "Splashtop Inc."
            ],
            "certificates": [
                {
                    "signer_name": "Splashtop Inc.",
                    "certificate_thumbprint": "D458B32F6946DBB682A9687076EB9209979BDF76",
                    "tbs_sha256": "2E68D3458EA8DF79CAB66FF9E4EB68904491CB6EBF148AFBE49F7FB46761FC20",
                    "tbs_sha1": "",
                    "certificate_der_base64": "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"
                },
                {
                    "signer_name": "Splashtop Inc.",
                    "certificate_thumbprint": "N/A",
                    "tbs_sha256": "",
                    "tbs_sha1": "2978060ECCF9B8AB92257B03117DA21AEA5DA8A1"
                },
                {
                    "signer_name": "Splashtop Inc.",
                    "issuer": "CN=VeriSign Class 3 Code Signing 2010 CA",
                    "certificate_thumbprint": "2D01A46E9147185A5771B5B96675A89659F98C1C",
                    "tbs_sha256": "51ABFD3E018A65BA17A112836881266A247DB48816BB0F49C24DF2E31C64FF7B",
                    "tbs_sha1": "2978060ECCF9B8AB92257B03117DA21AEA5DA8A1",
                    "valid_from": "2013-09-09T00:00:00+00:00",
                    "valid_to": "2015-12-09T23:59:59+00:00",
                    "certificate_der_base64": "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"
                }
            ]
        }
    },
    {
        "Name": "Manage Engine (Desktop Central)",
        "Category": "RMM",
        "Description": "Manage Engine (Desktop Central) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2025-12-14",
        "Details": {
            "Website": "https://desktopcentral.manageengine.com",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "dcagentservice.exe",
                "dcagentregister.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "desktopcentral.manageengine.com",
                        "desktopcentral.manageengine.com.eu",
                        "desktopcentral.manageengine.cn",
                        "*.dms.zoho.com",
                        "*.dms.zoho.com.eu",
                        "*.-dms.zoho.com.cn"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manage_engine__desktop_central__network_sigma.yml",
                "Description": "Detects potential network activity of Manage Engine (Desktop Central) RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manage_engine__desktop_central__processes_sigma.yml",
                "Description": "Detects potential processes activity of Manage Engine (Desktop Central) RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": [],
        "CodeSigning": {
            "search_names": [
                "8k1qq1.exe",
                "dcagentregister.exe",
                "dcagentservice.exe",
                "m6hufo2as.exe"
            ],
            "company_names": [],
            "signer_names": [
                "ZOHO Corporation Private Limited"
            ],
            "certificates": [
                {
                    "signer_name": "ZOHO Corporation Private Limited",
                    "issuer": "CN=GlobalSign GCC R45 CodeSigning CA 2020",
                    "certificate_thumbprint": "03498B4CC5B51DB6CE80699F23CAC1724BB36B69",
                    "tbs_sha256": "48D169144280CEF6AF2316D3DD3BD8B8790D35B71601A48BD77C2A5F1E1E860B",
                    "tbs_sha1": "89D154D8D97B4FAF3E0B6427731BFC935939895E",
                    "valid_from": "2023-12-11T17:00:36+00:00",
                    "valid_to": "2026-10-09T07:40:58+00:00",
                    "certificate_der_base64": "MIIHHTCCBQWgAwIBAgIMRIVZ6NWf4FYpnm6PMA0GCSqGSIb3DQEBCwUAMFkxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMS8wLQYDVQQDEyZHbG9iYWxTaWduIEdDQyBSNDUgQ29kZVNpZ25pbmcgQ0EgMjAyMDAeFw0yMzEyMTExNzAwMzZaFw0yNjEwMDkwNzQwNThaMIGKMQswCQYDVQQGEwJJTjETMBEGA1UECBMKVGFtaWwgTmFkdTEQMA4GA1UEBxMHQ2hlbm5haTEpMCcGA1UEChMgWk9ITyBDb3Jwb3JhdGlvbiBQcml2YXRlIExpbWl0ZWQxKTAnBgNVBAMTIFpPSE8gQ29ycG9yYXRpb24gUHJpdmF0ZSBMaW1pdGVkMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAi/dpUgQBQva56fCAkCCzDp/8w91w1v2DXP8H91K2zNZzqe/e/nT54W3+k8Zmm10c8bTINu9cv4i71njHhImaAM768y0fNPKZ2uLS2Fn5jlefmwcNj0iGuqIXaIai4C8b1iLFf7tnAmvv8HACZ6/gfhV4diRPYsCWF+0ouJaFOfDPrPbDV0Zd6GCvQhe62ByVWy0NhcsE4VFSN/xlVsjs4X3L9dr1I3AjA9EHO3Cf6PrqqdMGEGveRwCfSaiXuQ7YLlnABKRXxucX3XX+RGE2tbFJ9ClYf5BmEBfBTOgpBxPNmJdyDOTZOpsq8OWj4BGYq9Mmtm3uS+VVp9cTgwgHquSJQYkcCpI1zbqlllNXKMH7a4gD7chhB/Y2aQUfweDXNZvviFDRf3YXiluViFnPMdgOm7qluaW8IyxHoCLLALDoEvwvAHpzTrPRhYwZYMl8459upNWC1AdufZhBcO2vAxLmGBRLeotnngKjBtjURLz1RyIBM0VnKD+0kS07Sj3MXLxJpRUZFE/1mjPd0LjUP5rFpjMmQUPS/Dgvh7dWRkfUzAC/yZiHtCiz/SMBBHCYsZAMNpwicaxkFwedzwLvjia3g8In+9iXWMsfgJDeKgaTfzgBgc/Qf9aAIBcUU068hgFYEZc8lXzSDVu+ZQZ905w4/6MaAdfWg/qaNpfRft0CAwEAAaOCAbEwggGtMA4GA1UdDwEB/wQEAwIHgDCBmwYIKwYBBQUHAQEEgY4wgYswSgYIKwYBBQUHMAKGPmh0dHA6Ly9zZWN1cmUuZ2xvYmFsc2lnbi5jb20vY2FjZXJ0L2dzZ2NjcjQ1Y29kZXNpZ25jYTIwMjAuY3J0MD0GCCsGAQUFBzABhjFodHRwOi8vb2NzcC5nbG9iYWxzaWduLmNvbS9nc2djY3I0NWNvZGVzaWduY2EyMDIwMFYGA1UdIARPME0wQQYJKwYBBAGgMgEyMDQwMgYIKwYBBQUHAgEWJmh0dHBzOi8vd3d3Lmdsb2JhbHNpZ24uY29tL3JlcG9zaXRvcnkvMAgGBmeBDAEEATAJBgNVHRMEAjAAMEUGA1UdHwQ+MDwwOqA4oDaGNGh0dHA6Ly9jcmwuZ2xvYmFsc2lnbi5jb20vZ3NnY2NyNDVjb2Rlc2lnbmNhMjAyMC5jcmwwEwYDVR0lBAwwCgYIKwYBBQUHAwMwHwYDVR0jBBgwFoAU2rONwCSQo2t30wygWd0hZ2R2C3gwHQYDVR0OBBYEFAARgUPptWUtWWkph2EsCOn0mA6dMA0GCSqGSIb3DQEBCwUAA4ICAQCG8wXa2OeXAGcSQchK4csNRA8D1i0JfXHFQcVQy9/zkWXPRYWlbcagbLRmPzfWza1JVtXuYim1eOQzHvJQcyB67TWm0RY+oQR8CYonP17BJvI/TG3xsMd0b9g2dXpX66ZsFFHeppGqcSs5enhmcYoICgPle1nCq+dxam9hQbMuHWTNT1OEKb9+fTLC/n+l2/O3ROhAUHFPC
+xuFg/6n2Jyix7N1JX7cWvgtPeQCz/ptcRCMF3a1l0FLRb3cYq9dMlBMYiDbnXmvKDASPRH6wA7LE3LfVFROCLnj/Y6FEnetBQbDFn0iidN9MGnrn0ndeT4k+82Gx0gRVyv083L1XcJnsylDBQE6qJpQtiv7lYo6ttt5kpQj7NUhEfQ/IqvTPnLeGR6bluEOyN+4pCKCdXWwgyeAL76BBojbuDP9EsMLGy9f7oh6WwNoAA+dgZ6+8OrI3uSwjDb6MGzsFYyT9JGPEcIFve7dTcFl9V9HcmMmeDh0yLkRXTCvCzZ8YyYV09lOmzYzVqTDqu7ADukJzr19o4ZupwvDnbLj6jE58ckz/OmBDvkC2aBg3eeHUb8v5mw1rkgjp7zCwJvCvLDq9W7SDZPF1DZFpN42N7ZE4qCir75zApSnsBhC/NUsHU512xNjGGqRe5WlAS2C9apk4C/1JGLeVFqnVhyDTjm4xKHCg==",
                    "src_file_path": "downloaded_files/manage_engine_(desktop_central)/7ac27dd17b4cfa28f37deb6dcb9519b4e7a2dd405134ac881a8c49d32cb904e6",
                    "src_file_company": "ZOHO Corporation"
                },
                {
                    "signer_name": "ZOHO Corporation Private Limited",
                    "certificate_thumbprint": "9CFE33A8A1FB933BEDF943EF4263D03B6A5F828E",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "b9326bd53d5cfd1d1ff72f52e92e776487e206e76363d4c23a3c60143349c790",
                    "src_file_path": "downloaded_files/manage_engine_(desktop_central)/b9326bd53d5cfd1d1ff72f52e92e776487e206e76363d4c23a3c60143349c790",
                    "src_file_company": "Zoho Corporation Pvt. Ltd.,"
                },
                {
                    "signer_name": "ZOHO Corporation Private Limited",
                    "certificate_thumbprint": "039B7B91AFEFDB68B36E6A2D246545D581D1BF0D",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "e65be97dfb0ae62de4bfbfed140aaa1e16e9f4461e8e29c9816fc54dea595694",
                    "src_file_path": "downloaded_files/manage_engine_(desktop_central)/e65be97dfb0ae62de4bfbfed140aaa1e16e9f4461e8e29c9816fc54dea595694",
                    "src_file_company": "Zoho Corporation Pvt. Ltd.,"
                },
                {
                    "signer_name": "ZOHO Corporation Private Limited",
                    "certificate_thumbprint": "1FFC1D0860B748F0E9D53297B716E497C81D687B",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "b51dee244adcf4795db9378e56897a97b48eb2c3d4ed758af98ddab2e6f9967b",
                    "src_file_path": "downloaded_files/manage_engine_(desktop_central)/b51dee244adcf4795db9378e56897a97b48eb2c3d4ed758af98ddab2e6f9967b",
                    "src_file_company": "ZOHO Corporation"
                },
                {
                    "signer_name": "ZOHO Corporation Private Limited",
                    "certificate_thumbprint": "99869B5E06680A842469CC3DA2F2DFFFE75AC930",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "6d7903597fc23baa069da2d0fe6959b0c1f01644461bb9f842e6326f1a49077a",
                    "src_file_path": "downloaded_files/manage_engine_(desktop_central)/6d7903597fc23baa069da2d0fe6959b0c1f01644461bb9f842e6326f1a49077a",
                    "src_file_company": "ZOHO Corp"
                }
            ]
        },
        "FileHashes": {
            "authenticode": [
                {
                    "file_name": "dcagentregister.exe",
                    "sha256": "120EF91BB2F6959566EF75D1266F244846BD87F3EC14B847A37D009585C41356",
                    "sha1": "B3867DA794285F5191181FC59A6F7BFA5AD9FDDC"
                },
                {
                    "file_name": "m6hufo2as.exe",
                    "sha256": "44549C403246C5ACFC715E13D0C08ED825459E5E6CE18A74663AE9167EC18AD8",
                    "sha1": "0ECA79ED2B35A87FE1081424E1E753A3CDB6CB31"
                },
                {
                    "file_name": "dcagentregister.exe",
                    "sha256": "53815CA5A4F05B9A44C3D2CE6E53D5DF7E5B2DFDAA4B179C417858CADB6890A6",
                    "sha1": "F873CDF10AC35644062667F8BB65DA822667CF42"
                },
                {
                    "file_name": "8k1qq1.exe",
                    "sha256": "8557CC97E13D38181061BD1B9534DAA79BEE75641F66902547F976F371754616",
                    "sha1": "52022906A6BFA29D99D4FA5C9BC91CD45293B0E4"
                },
                {
                    "file_name": "dcagentregister.exe",
                    "sha256": "FE8B12417CE05763B55D31710428AF0D87847716577201390ACAD71965883C30",
                    "sha1": "4DFDDF8496E5AAA9EEE15359D915D4F1F14BAFA9"
                }
            ],
            "page": []
        }
    },
    {
        "Name": "247ithelp.com (ConnectWise)",
        "Category": "RMM",
        "Description": "247ithelp.com (ConnectWise) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2025-12-14",
        "Details": {
            "Website": "https://www.247ithelp.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "Remote Workforce Client.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.247ithelp.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/247ithelp.com__connectwise__network_sigma.yml",
                "Description": "Detects potential network activity of 247ithelp.com (ConnectWise) RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/247ithelp.com__connectwise__processes_sigma.yml",
                "Description": "Detects potential processes activity of 247ithelp.com (ConnectWise) RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": [],
        "CodeSigning": {
            "search_names": [
                "remote workforce client.exe",
                "remoteworkforceclientwpf.exe"
            ],
            "company_names": [],
            "signer_names": [],
            "certificates": []
        },
        "FileHashes": {
            "authenticode": [
                {
                    "file_name": "RemoteWorkforceClientWpf.exe",
                    "sha256": "1DB81299210F602CDC21E32A68209B639392CF3714D6C4827C4FB81D8697CFF2",
                    "sha1": "975A38C110AE8D645F85E25EB89B1B3B5EF57145"
                },
                {
                    "file_name": "RemoteWorkforceClientWpf.exe",
                    "sha256": "13EE0322429E8A56BC563A0151A0FC2B45BC48DA76A3815A6F8CBE4AD0B4D543",
                    "sha1": "E492C7EA0457064830A0005721199673BA843C2C"
                },
                {
                    "file_name": "RemoteWorkforceClientWpf.exe",
                    "sha256": "A5F5EBC48211E71752125DE8072287E483FC9A31946F539A0299F234CE7D5E9D",
                    "sha1": "997F2508915A9503F58478FF5578A2A010586CA9"
                },
                {
                    "file_name": "RemoteWorkforceClientWpf.exe",
                    "sha256": "10A657260E0F6137622FECB2D9B87F1D81D7F5D8B0FE8EC8B9DDB9D97A1B74FA",
                    "sha1": "3AF53CBCB440E4C85D1D904C943F74C85C0E0887"
                },
                {
                    "file_name": "RemoteWorkforceClientWpf.exe",
                    "sha256": "3B8E603758F1DAF444A92769502FA1FE03EABF27B07DFB411F1D7B70D10CCBB4",
                    "sha1": "F09A875363B8DE259BE5059E2ECFB87697B11A0E"
                },
                {
                    "file_name": "Remote Workforce Client.exe",
                    "sha256": "7A2457ADFE15ED2E8A4230339786FA88BE6F2DF31BA083C2BBF7179DF36D1859",
                    "sha1": "BE495BBFD534B7E077AD42A4EEA957D98AEBF23D"
                },
                {
                    "file_name": "RemoteWorkforceClientWpf.exe",
                    "sha256": "183B5E1F0E7114426823E2B3543A250976E9D739EBC2FE81D502208DC197FBFF",
                    "sha1": "BDC8A7AAA1099B590A3C38294BA52FCC419CF421"
                },
                {
                    "file_name": "RemoteWorkforceClientWpf.exe",
                    "sha256": "66C1E8EA6506739A1FFA7F7486D00B61F7126FF54C67E795255A333C86BC730A",
                    "sha1": "FE2F243B92A51B11A5534A02EFC3F8CCF8DC26EB"
                },
                {
                    "file_name": "RemoteWorkforceClientWpf.exe",
                    "sha256": "B04A9086B765468ED44B383D83334EF7935178C1A3856B57AE821123C08C2494",
                    "sha1": "E858F6135F4AD5F1BA4FCE079E7C566B0EF3FD54"
                },
                {
                    "file_name": "RemoteWorkforceClientWpf.exe",
                    "sha256": "5F75A6E90C15FAADF18DC7581A65806154AE12DE851B7CA0185A64F2B93374A6",
                    "sha1": "C59B8C3943BDEB5FE08CACA44F264B8501F0576D"
                },
                {
                    "file_name": "RemoteWorkforceClientWpf.exe",
                    "sha256": "306E6166EBB9A58EBE7BBE868AD7B41C3F0C49AAA7862B6D74C66B35E0F89BCB",
                    "sha1": "F8C26C0970BBEBB19A0A0030CA1B0DAC5B5BD305"
                },
                {
                    "file_name": "RemoteWorkforceClientWpf.exe",
                    "sha256": "26225AC3BD32BDA82C170C7BFEFDBDB139887C01D0344C78D37B4B7183F9EFFF",
                    "sha1": "37D92EDFCD244B1C896E743571DF13F38EFC8F01"
                },
                {
                    "file_name": "RemoteWorkforceClientWpf.exe",
                    "sha256": "762FA7FA385D7848C3BE07A164B6BCF116FBE6D6636F82ED8E8CC3D43CB11A64",
                    "sha1": "F87D5976D12DDAB1DF4C6BE621E10D3A8D641818"
                },
                {
                    "file_name": "RemoteWorkforceClientWpf.exe",
                    "sha256": "B33107C5C51230CDF4F5845BDA4A41CCBDD77C7C907085D0AB0EE8E8D882D41A",
                    "sha1": "CC632598B8C35132A4012DB9CAE217FA5D235468"
                },
                {
                    "file_name": "RemoteWorkforceClientWpf.exe",
                    "sha256": "3B9E7574E6A05B26F96A007E198145CDBFC6D89787B1F540528F9EC4398A27D5",
                    "sha1": "D67D16B06EBA7E2AE34AC1CEA60F7479E7E8713C"
                },
                {
                    "file_name": "RemoteWorkforceClientWpf.exe",
                    "sha256": "38194ED130B15B33CB31ACEC9E6203EE6B2D4E1BF24FF201B2E0A3877BD51354",
                    "sha1": "2379D544AF83EB70FDA255031DC2DF7FE5EAC587"
                },
                {
                    "file_name": "RemoteWorkforceClientWpf.exe",
                    "sha256": "353176BD0B488388D1F20AAA3F377A4215511646B777586BB15F952999727172",
                    "sha1": "377CB8AB7E242BD0C05EFD1BCF0028C2500634D9"
                },
                {
                    "file_name": "RemoteWorkforceClientWpf.exe",
                    "sha256": "70C2279E3C1E015DF0F8222960C52DA370C88FEC450ECA64E2DB18C0E6A44A76",
                    "sha1": "D5302B7E79A21E3529A1EF089BE6F25DC71D3F7B"
                },
                {
                    "file_name": "RemoteWorkforceClientWpf.exe",
                    "sha256": "F819995BE08D96DF46227E12DE59F969B6635B496272418BC5F40BCB5771F85E",
                    "sha1": "36F57363A98FBCEDF00114889EC1879E7ABD1222"
                },
                {
                    "file_name": "RemoteWorkforceClientWpf.exe",
                    "sha256": "2B68153F8E7D3A3949AEA323F449C1381CA76FDD51262948FF7DF7DEDC1F2D2E",
                    "sha1": "ED69344A0C38CA2EAE793E20750FC2E8F7082B65"
                }
            ],
            "page": [
                {
                    "file_name": "RemoteWorkforceClientWpf.exe",
                    "sha256": "FAAE529A9FCF82757E8371FF4A7349C53D6C92CC88D3A5885946585852C7975B",
                    "sha1": "0E6B57954C4AF2B0F11C1E075071A9A80A4FD023"
                },
                {
                    "file_name": "Remote Workforce Client.exe",
                    "sha256": "50E30025685A61E771332D280F7FBDB3CA896020B1DF9C807655CCC581EC69A2",
                    "sha1": "3C231A17DA5450AD5BB85F133F440D773ABF7F5D"
                }
            ]
        }
    },
    {
        "Name": "iDrive",
        "Category": "RAT",
        "Description": "iDrive is cloud backup and remote management software that has recently been observed in social engineering campaigns, including invitation-themed and Social Security-related phishing lures, where it is used to establish unauthorized remote access on victim endpoints prior to the deployment of ScreenConnect. The tool installs as a Windows Scheduled Task and has been used as an initial access mechanism and staging point for secondary RMM deployment. Because iDrive is legitimate commercial software, the artifacts listed for it indicate its presence rather than compromise; triage should establish whether the installation was authorized.",
        "Author": "Michael Haag",
        "Created": "2026-01-21",
        "LastModified": "2026-01-21",
        "Details": {
            "Website": "https://www.idrive.com/",
            "PEMetadata": [
                {
                    "Filename": "IDriveWinSetup.exe",
                    "OriginalFileName": "",
                    "Description": "iDrive Windows installer executable (observed in phishing campaigns)"
                },
                {
                    "Filename": "IDriveEClassic.exe",
                    "OriginalFileName": "",
                    "Description": "iDrive Classic client executable"
                },
                {
                    "Filename": "id_tray.exe",
                    "OriginalFileName": "",
                    "Description": "iDrive system tray application"
                },
                {
                    "Filename": "IDComponent.dll",
                    "OriginalFileName": "",
                    "Description": "iDrive component library"
                }
            ],
            "Privileges": "User",
            "Free": false,
            "Verification": "Commercial",
            "SupportedOS": [
                "Windows",
                "macOS",
                "Linux",
                "Android",
                "iOS"
            ],
            "Capabilities": [
                "Cloud Backup",
                "Remote Access",
                "File Synchronization",
                "Remote Desktop (BMR)",
                "System Management"
            ],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\ProgramData\\IDrive\\*",
                "C:\\Program Files\\IDrive\\*",
                "C:\\Program Files (x86)\\IDrive\\*",
                "C:\\Users\\*\\AppData\\Local\\IDrive\\*",
                "C:\\Users\\*\\Downloads\\IDriveWinSetup.exe",
                "IDriveWinSetup.exe",
                "IDriveEClassic.exe",
                "id_tray.exe",
                "IDComponent.dll"
            ]
        },
        "Artifacts": {
            "Disk": [
                {
                    "File": "C:\\ProgramData\\IDrive\\*",
                    "Description": "iDrive installation and data directory (observed in threat intelligence)",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files\\IDrive\\*",
                    "Description": "iDrive program files directory",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files (x86)\\IDrive\\*",
                    "Description": "iDrive program files directory (32-bit)",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Users\\*\\AppData\\Local\\IDrive\\*",
                    "Description": "iDrive user data and configuration",
                    "OS": "Windows"
                }
            ],
            "EventLog": [
                {
                    "EventID": 4688,
                    "Description": "Process creation event for iDrive executables (Security log; recorded only when the 'Audit Process Creation' policy is enabled)",
                    "OS": "Windows"
                },
                {
                    "EventID": 4698,
                    "Description": "Scheduled task creation event for iDrive (Security log; recorded only when the 'Audit Other Object Access Events' policy is enabled)",
                    "OS": "Windows"
                }
            ],
            "Registry": [
                {
                    "Path": "HKEY_LOCAL_MACHINE\\SOFTWARE\\IDrive\\*",
                    "Description": "iDrive configuration registry keys",
                    "OS": "Windows"
                },
                {
                    "Path": "HKEY_CURRENT_USER\\SOFTWARE\\IDrive\\*",
                    "Description": "iDrive user configuration registry keys",
                    "OS": "Windows"
                }
            ],
            "Network": [
                {
                    "Description": "Known remote domains and API endpoints",
                    "Domains": [
                        "idrive.com",
                        "*.idrive.com",
                        "api.idrive.com"
                    ],
                    "Ports": [
                        443,
                        80
                    ]
                }
            ]
        },
        "Detections": [],
        "References": [
            "https://github.com/magicsword-io/LOLRMM/issues/142",
            "https://www.idrive.com/reseller/bmr-partner-management",
            "https://www.idrive.com/"
        ],
        "Acknowledgement": [
            {
                "Person": "0xburgers",
                "Handle": "@0xburgers"
            }
        ]
    },
    {
        "Name": "Mocha VNC Lite",
        "Category": "RAT",
        "Description": "Mocha VNC Lite is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "This installs a modified VNC; it cannot be blocked by path separately from VNC itself",
                "This installs a modified VNC; it cannot be blocked by path separately from VNC itself",
                "*\\RealVNC\\VNC4\\*"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [],
        "References": [],
        "Acknowledgement": []
    },
    {
        "Name": "Senso.cloud",
        "Category": "RMM",
        "Description": "Senso.cloud is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://senso.cloud/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "SensoClient.exe",
                "SensoService.exe",
                "aadg.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.senso.cloud",
                        "senso.cloud"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/senso.cloud_network_sigma.yml",
                "Description": "Detects potential network activity of Senso.cloud RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/senso.cloud_processes_sigma.yml",
                "Description": "Detects potential process activity of the Senso.cloud RMM tool"
            }
        ],
        "References": [
            "https://support.senso.cloud/support/solutions/articles/79000116305-firewall-and-content-filter-configuration"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "MSP360",
        "Category": "RMM",
        "Description": "MSP360 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2025-12-14",
        "Details": {
            "Website": "https://www.msp360.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "Online Backup.exe",
                "CBBackupPlan.exe",
                "Cloud.Backup.Scheduler.exe",
                "Cloud.Backup.RM.Service.exe",
                "cbb.exe",
                "CloudRaService.exe",
                "CloudRaSd.exe",
                "CloudRaCmd.exe",
                "CloudRaUtilities.exe",
                "Remote Desktop.exe",
                "Connect.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.cloudberrylab.com",
                        "*.msp360.com",
                        "*.mspbackups.com",
                        "msp360.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/msp360_network_sigma.yml",
                "Description": "Detects potential network activity of MSP360 RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/msp360_processes_sigma.yml",
                "Description": "Detects potential process activity of the MSP360 RMM tool"
            }
        ],
        "References": [
            "https://kb.msp360.com/managed-backup-service/mbs-tcp-ports-configuration#"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "search_names": [
                ".bc.t_55370z",
                ".bc.t_7sapsr",
                ".bc.t_nptrc3",
                ".bc.t_qzi9au",
                ".bc.t_skipgm",
                ".bc.t_su36ea",
                "cbbackupplan.exe",
                "cbbackupplan.resources.dll",
                "cl2z504wh.exe",
                "cloud.backup.scheduler.exe",
                "cloudracmd.dll",
                "cloudracmd.exe",
                "cloudrasd.dll",
                "cloudrasd.exe",
                "cloudraservice.exe"
            ],
            "company_names": [],
            "signer_names": [
                "MSPBytes Corp",
                "MSPBytes, Corp.",
                "MSPBytes\\"
            ],
            "certificates": [
                {
                    "signer_name": "MSPBytes Corp",
                    "certificate_thumbprint": "C8B331F3152A9D709D0A313D7326154F6787935D",
                    "tbs_sha256": "AD670F8BD4D505626D4FB0A50380869B4F18F08825BBE4E417618F4E51D977E3",
                    "tbs_sha1": "",
                    "certificate_der_base64": "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"
                },
                {
                    "signer_name": "MSPBytes, Corp.",
                    "certificate_thumbprint": "N/A",
                    "tbs_sha256": "",
                    "tbs_sha1": "",
                    "tbs_sha384": "8A459D01A551D1AFE00C32819DC5E788F67A4E8C5B937D490C53D75A0944E9B3F17599FF5E285F728AEA5191DE96BC16"
                },
                {
                    "signer_name": "MSPBytes\\",
                    "issuer": "CN=Sectigo Public Code Signing CA R36",
                    "certificate_thumbprint": "EF6439FC45C8031E514DD7D445D1B8BABF474E9B",
                    "tbs_sha256": "0B0B70BB42674314EFDE0A25E8DD4401C71F243078B51B1E286C663EB33C4E00",
                    "tbs_sha1": "5CA8DD6F7C06E9EE0BAA9FD811D0F175FA7C280E",
                    "valid_from": "2021-12-03T00:00:00+00:00",
                    "valid_to": "2024-12-02T23:59:59+00:00",
                    "certificate_der_base64": "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"
                }
            ]
        },
        "FileHashes": {
            "authenticode": [
                {
                    "file_name": "CBBackupPlan.exe",
                    "sha256": "94EFB12346EA005189DEDAC715F48E6C01A8EF188DEBABDD40DED8D8D93499A5",
                    "sha1": "9B84F2157CA5524BBD94B99A6EE8C7C5CB96F6D4"
                },
                {
                    "file_name": "CBBackupPlan.resources.dll",
                    "sha256": "5220B03478F01E2D46CC171C72D1812810D9791CF64E7A6E1BCB721461E61941",
                    "sha1": "649D49957AA3DBD93E96C80F71A73ABE0F163DF1"
                },
                {
                    "file_name": ".BC.T_QzI9aU",
                    "sha256": "3BD5B8415473613C5BC0BD92B918E267382DFD6E81ECC1152B03F53B9CF3CBD2",
                    "sha1": "8553FBD6659596BDC6F77345C9361E4869FCF8F9"
                },
                {
                    "file_name": "CloudRaSd.dll",
                    "sha256": "FA06E558BFDB082426C340B7181C99D8D65EDB00B1CC72C28F3BF46768EDAAE3",
                    "sha1": "62DB5563077353B7404762D70F9CCA2786DBC6FA"
                },
                {
                    "file_name": "CBBackupPlan.resources.dll",
                    "sha256": "6952FD200F1C42FB8BC3002C94675AA33F634080F4549E7DBBC8EB009FF16010",
                    "sha1": "DF208C3A7DDA7D209CEC63856534C15C2773E2CB"
                },
                {
                    "file_name": "CloudRaSd.dll",
                    "sha256": "56086224AF7D86133FDEBB6B88DCEB546F8F41A82115CE37FEA470BCD5ADA409",
                    "sha1": "896B129F7F12159C36DD94DCC763E566F862DF55"
                },
                {
                    "file_name": "CBBackupPlan.resources.dll",
                    "sha256": "C65DF16791A6984342D45C47C7311FA3271304FFF2ED3B44A991A10D47FDBF45",
                    "sha1": "12686213450D197E72290C0B0A8DEB6D062855C8"
                },
                {
                    "file_name": ".BC.T_nPtRC3",
                    "sha256": "7E309A943829B6E6F9DB6E4510C11FAE7C62736CFAE6F02900314F8160F33725",
                    "sha1": "4F0AAD853B519021531E56578C7F818B532AF2C9"
                },
                {
                    "file_name": "CBBackupPlan.resources.dll",
                    "sha256": "622BCB6916117DDC0DA68BD0616890B6E59CB6F1D309F0918CE0210D543ACA4F",
                    "sha1": "EF0544F2AF9992504B590A1888C4B72E09199358"
                },
                {
                    "file_name": "CBBackupPlan.exe",
                    "sha256": "5C6171030FF1517E7CD263A79ED0E0B076A21C846547ED2B71DBCC21C30E495A",
                    "sha1": "0DB58AE74DAB3C861115CB982E36684C2D6AE247"
                },
                {
                    "file_name": "CloudRaCmd.exe",
                    "sha256": "DAE2D1F1673943DDB0BF3FE1E05B016342455627388C1DDE5B03070A5E0C1E89",
                    "sha1": "01E3E8CDCB81E91B4A8560BB05126CD40EDF1DE8"
                },
                {
                    "file_name": ".BC.T_sU36EA",
                    "sha256": "460E3C1FE1E1B9F3949CCDFE0D907D915577D99E87B184368929E5DC6B3EB3AA",
                    "sha1": "014229FFFDF466656841BB38AB697B67C498522D"
                },
                {
                    "file_name": "CBBackupPlan.resources.dll",
                    "sha256": "16CB61CE36EBC7F75FFB7056EA9E8366C2264D235DDBB0AAE62D7CA59C49BD91",
                    "sha1": "9FDD10703CF4E13F57D56E964D5149FCF4139E09"
                },
                {
                    "file_name": "CloudRaSd.dll",
                    "sha256": "FE2473D98A2814DC5A77E5D6D386E2B8DEAC41DFB7A790D9E92A95047640BCD5",
                    "sha1": "E0C5BEDFFF3E4167894049820254C8DEE68FADD3"
                },
                {
                    "file_name": ".BC.T_7SApSr",
                    "sha256": "4236C711775F449975817DDF115559FEA758333EA54644CCFAE6EBF8A6125FD5",
                    "sha1": "ACE2F3CA839B67AD43039FB29F39014C94A1049A"
                },
                {
                    "file_name": ".BC.T_skIpGM",
                    "sha256": "35E57F622E3F4D12F040424CAEF8FDB1102DE49B34E3679E26BC48B1C56F9489",
                    "sha1": "BF46EF161CC43331BA7345999069A39B61A5C67B"
                },
                {
                    "file_name": "CloudRaCmd.dll",
                    "sha256": "095AC7D8ABF395E9E5CD2C640992F992E132CDCFF573846C2292F599CD62674C",
                    "sha1": "C1B8557C9C4A7891F8E831F5BA5A6582AADB5A40"
                },
                {
                    "file_name": "CBBackupPlan.resources.dll",
                    "sha256": "E39A267346816BAC631EAEBB87F2912CA890481024B98FF07E71E42301224D28",
                    "sha1": "71B9D469EC920E43D154937781F70DE00CFA3BB9"
                },
                {
                    "file_name": "CloudRaCmd.dll",
                    "sha256": "222E3C9B7E43776E25243FD6D974936A8750B9E2F1305FF6E5229395049FC5E1",
                    "sha1": "F442A8E06A75B50377916587634A4A601D992E74"
                },
                {
                    "file_name": "cl2z504wh.exe",
                    "sha256": "D733380B2CFF37AC11EBABCEF0162E02339AF286E1B0EF0481AF0303B1C27402",
                    "sha1": "15775DFDE129D651A327BDB34F05DFCD042FA72C"
                },
                {
                    "file_name": "CBBackupPlan.resources.dll",
                    "sha256": "9DE6390D29F7B546459963D993B4AFBB6C674A0C460E103C4CA7F0BDBFB7BB00",
                    "sha1": "414B95A271A7AED3566962D6CF22EE8DEFF479FE"
                },
                {
                    "file_name": "CloudRaCmd.dll",
                    "sha256": "3138AE4DC10942811FD087ED489BB1D1BF4C81BAB479A441395437CAB2095126",
                    "sha1": "90E15115CC40E72F793191F0AA6C8D8A84B87FB2"
                },
                {
                    "file_name": "CBBackupPlan.resources.dll",
                    "sha256": "0F27D3957DEC144B82869352FDAC24B343B31952A72DBFD207AA5C4A8E4D7AFE",
                    "sha1": "A5525560E45566385970B4C16E29CE7C3E1E5A7B"
                },
                {
                    "file_name": "CBBackupPlan.resources.dll",
                    "sha256": "1A088744BEC59FC6ADE358CA2F8A892F1D050723738AA01AF7736DF1A3C4B497",
                    "sha1": "F99EFE83A3683910FAA88242ECB8186CEAC9C0B3"
                },
                {
                    "file_name": "CBBackupPlan.resources.dll",
                    "sha256": "8F04BE5F40BA03BCA2351DAAE1BE9D202885D0EC472249D50961C4B88CAC1502",
                    "sha1": "E98C75CFADA1B7A383A35191BF86DDC0BDD4B826"
                },
                {
                    "file_name": "CloudRaCmd.dll",
                    "sha256": "BC0E5ACD988E5E8DA81F057C539816D5F843EE5A890B5A8EE008A90675D2F885",
                    "sha1": "466549433B5A6834542C4BBDF622E6A99E415364"
                },
                {
                    "file_name": ".BC.T_55370Z",
                    "sha256": "F894094639DC0F886458653322476C2DE6A7C6FBA19CE18BD3F9C04F8EF0E1A1",
                    "sha1": "8D75D6AA451AEBCB6DFC712D06FE98684CF5FC3E"
                },
                {
                    "file_name": "CloudRaSd.dll",
                    "sha256": "3CC3A663282367653EB897D1F8DEBDC523AA12C15D737D94B750D71AD511D52E",
                    "sha1": "B21F45A511C492472BE727488330A01D945E8249"
                },
                {
                    "file_name": "CBBackupPlan.resources.dll",
                    "sha256": "F7158F7EFE789FB7BF51A69073014CD6142888115AAC0E4837EEB65DA694F9CD",
                    "sha1": "5C53D536E40CFEF057E6C5BBEA3661AAB8D53B12"
                }
            ],
            "page": [
                {
                    "file_name": "CBBackupPlan.resources.dll",
                    "sha256": "43123C2AD78B4CEE1CB47E48998BE97E5814947B0F60038127D2C2C50F404D75",
                    "sha1": "67C5F7B0D52FACA19AB91917C5B881187BEDA7B3"
                },
                {
                    "file_name": ".BC.T_QzI9aU",
                    "sha256": "F4C47D8498BE0F84ACDFD3221424C84DA44D810F88B03AB8863594526A25E9DF",
                    "sha1": "0F364E7E39B06F98B15F04B9972A0323AD4E78FC"
                },
                {
                    "file_name": "CloudRaSd.dll",
                    "sha256": "5A03D1E37513981173BEA9109BF0B0F02B3A0148DFCF56DED6E36534FB0A14A0",
                    "sha1": "D5B96614599DCE0E5B70D64E7E153D0DC8561525"
                },
                {
                    "file_name": "CBBackupPlan.resources.dll",
                    "sha256": "F24F4E359AE981A6BC3B187EDAA5BE6771C132A67AEC20D50BA5F392723468F5",
                    "sha1": "FB00DC665701B53752C4D65732CC0093A6F3C225"
                },
                {
                    "file_name": "CloudRaSd.dll",
                    "sha256": "BC74EAC79CF492E2DC73FABBD8D90CB6DE6FEF91E9FFBDC71F91C47A7CDDD203",
                    "sha1": "0C2E9355C460FF781A80BC044887C3E87760719E"
                },
                {
                    "file_name": "CBBackupPlan.resources.dll",
                    "sha256": "E811527C98F8F724EE96902BF39666D364A4560FB19FB13709FD702A52487D00",
                    "sha1": "7FF87663317B65680E649C27D365A0AD9828B453"
                },
                {
                    "file_name": ".BC.T_nPtRC3",
                    "sha256": "C3B93BB1E501880CBC678F1CE7D587A37015DFD1BBE97D52739352D890029941",
                    "sha1": "7D915AE56C9866F9988193CA98120C51A4E3D7A7"
                },
                {
                    "file_name": "CBBackupPlan.resources.dll",
                    "sha256": "67F64B6949D9CF6CA307EE3425FA38529E315A405DBF1FD77351BF7915B4D622",
                    "sha1": "5C19C93D81182971077C7269FEC1941A1028911F"
                },
                {
                    "file_name": "CloudRaCmd.exe",
                    "sha256": "9C50BF139A8C5D443A90CE8536E404B4D2A5B09EF8C1A25B7ED3070E7635AB86",
                    "sha1": "4AB6C0847E4FBEF632A3433E08029FA9A7055E63"
                },
                {
                    "file_name": ".BC.T_sU36EA",
                    "sha256": "E838F732DBC9BCBB4450946A44ADDA0FB9D7DC61450659BA244525D8F0EAA5DF",
                    "sha1": "0572DC7072387B42F2228C8F5C53CF9F5C3B5699"
                },
                {
                    "file_name": "CBBackupPlan.resources.dll",
                    "sha256": "1492095EB1D6DE59103D2B25FA4336EDADCECC50D97AAA4B4CA8A845E1794C74",
                    "sha1": "EED7A864B512E53A38994E0999A50231E8B6FCE4"
                },
                {
                    "file_name": "CloudRaSd.dll",
                    "sha256": "6305E7182DFF5E38A816E014B50496B77BC9E3943F6C19522FACD770A07BDD51",
                    "sha1": "3E244DBFAB41D64E4F1A9F6EA5D5454F90D83F95"
                },
                {
                    "file_name": ".BC.T_7SApSr",
                    "sha256": "72DC1D003041090400AD8D77AC3A24604BB70FEC968FBA2C12EED333CDE95F54",
                    "sha1": "9587D7459E112F230A33E18487A0D3AFEC56C178"
                },
                {
                    "file_name": ".BC.T_skIpGM",
                    "sha256": "B3D6ACDDBFA658B11F0ACC15CC7D5025B94BD29CD2D92A85DE72197BFA857370",
                    "sha1": "E3F6B228882C0BB6929E317CDD6B857B7956957E"
                },
                {
                    "file_name": "CloudRaCmd.dll",
                    "sha256": "625B1920032E3361B9DBB5D723EE5A607E7BBD8C54B24069B07408EC1B132FC1",
                    "sha1": "2A0D4B93AB8D79D79E9F2CBED2E4408A6B81B093"
                },
                {
                    "file_name": "CBBackupPlan.resources.dll",
                    "sha256": "77BFC2DA61249B3248528A019D5CB6E9414D6DAA31D8835595E7D8D8D4B5240D",
                    "sha1": "1F4FF763F34D586EC404DC76C34A5E8A3F034FA2"
                },
                {
                    "file_name": "CloudRaCmd.dll",
                    "sha256": "0C0A0997BFF312558FE9B2E0F42CC63BD6398241AAB393AD6D32DDE116AB00DE",
                    "sha1": "10648B2DB9B674907D8893CDA19BE77E441B114F"
                },
                {
                    "file_name": "cl2z504wh.exe",
                    "sha256": "1A6753760C133219BD3001D9AFB8C80C0D665A1F738BC279D504B42C07E5621E",
                    "sha1": "4619457D33A1D741357FF1D69BD177D5F9EC06E3"
                },
                {
                    "file_name": "CBBackupPlan.resources.dll",
                    "sha256": "6103778F0F8B431638DFADF5BA45A0220C6D8C83EEA7E3D516468CFDB86E40C6",
                    "sha1": "1015D99A9E4D01D06BCCD2C8C2A0EA033906C0F7"
                },
                {
                    "file_name": "CloudRaCmd.dll",
                    "sha256": "AB297373C6E055A52986FEDEB15A22D5B9BA390C9B6A4263A77887E107180C01",
                    "sha1": "69DE22B43782594A8A9E499A5CB2DE9B4ACA9C3B"
                },
                {
                    "file_name": "CBBackupPlan.resources.dll",
                    "sha256": "402CFAAC6074422D8A37D77CFCA735963728BE66BE82CC92450183CFC1843D3F",
                    "sha1": "4277B3B5F6AFFEB4791793452C3DEB104489D09B"
                },
                {
                    "file_name": "CBBackupPlan.resources.dll",
                    "sha256": "FEDF8878998DF3676F67E3B04C802924B1E915309B8AEA5F6FCB9A17B45475C6",
                    "sha1": "A4FD7889ED74128D50C7D3DE10236115E5AAA07F"
                },
                {
                    "file_name": "CBBackupPlan.resources.dll",
                    "sha256": "12B07E01BFC04E57B8CEAA1B69CD0BF2F4159F5E037239DA51258DFC952CE01C",
                    "sha1": "A632AAC2EC72E9D477F58A989B33AB92AEAEE261"
                },
                {
                    "file_name": "CloudRaCmd.dll",
                    "sha256": "4A4A21F4A4EC8A2694A8838B6E27A7DE51503FF5E4C1DE65716563FEFCC5A19A",
                    "sha1": "10F7ABA68255886692322A39CF1DC7B27DECA789"
                },
                {
                    "file_name": ".BC.T_55370Z",
                    "sha256": "1B1DBBBF0992F43086157E106B15E85CED84AC5C56C94EB93835106977A645F4",
                    "sha1": "75CBEE455F95A915AC8CE14EF19A67BA0406A44E"
                },
                {
                    "file_name": "CloudRaSd.dll",
                    "sha256": "D63C97AAED18DB59F80CD6561C4AF7CE89DCB852385991C30B452DC071C7C06B",
                    "sha1": "DF5A1BBC16229C81F39FDEFE41FD8268F1E2009F"
                },
                {
                    "file_name": "CBBackupPlan.resources.dll",
                    "sha256": "5030C3B4141F695B4962853AE1821D8AA374DF06BA59E9BFF5826C676C2566FB",
                    "sha1": "DA5EBC3CD0D5ACBA4B6C47C0DEC7A2A783E452BB"
                }
            ]
        }
    },
    {
        "Name": "ESET Remote Administrator",
        "Category": "RMM",
        "Description": "ESET Remote Administrator is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.eset.com/me/business/remote-management/remote-administrator/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "era.exe",
                "einstaller.exe",
                "ezhelp*.exe",
                "eratool.exe",
                "ERAAgent.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "user_managed",
                        "eset.com/me/business/remote-management/remote-administrator/"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_network_sigma.yml",
                "Description": "Detects potential network activity of ESET Remote Administrator RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_processes_sigma.yml",
                "Description": "Detects potential processes activity of ESET Remote Administrator RMM tool"
            }
        ],
        "References": [
            "https://eset.com/me/business/remote-management/remote-administrator/"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "ESET, spol. s r.o.",
                    "certificate_thumbprint": "87A8825374628D1F6E27117EDD09DB089C9509DB",
                    "certificate_der_base64": "MIIHGzCCBQOgAwIBAgIQAzHivxhbf+zu9DknEqhtXjANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xQTA/BgNVBAMTOERpZ2lDZXJ0IFRydXN0ZWQgRzQgQ29kZSBTaWduaW5nIFJTQTQwOTYgU0hBMzg0IDIwMjEgQ0ExMB4XDTIzMDgxNjAwMDAwMFoXDTI2MDgxNjIzNTk1OVowgaMxEzARBgsrBgEEAYI3PAIBAxMCU0sxHTAbBgNVBA8MFFByaXZhdGUgT3JnYW5pemF0aW9uMREwDwYDVQQFEwgzMTMzMzUzMjELMAkGA1UEBhMCU0sxEzARBgNVBAcTCkJyYXRpc2xhdmExGzAZBgNVBAoTEkVTRVQsIHNwb2wuIHMgci5vLjEbMBkGA1UEAxMSRVNFVCwgc3BvbC4gcyByLm8uMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAmGq3Mht5zdZoaFbBq7x7cNrLtFv1n33Ko6q0/yAbIbwMtDPfljH2h7Mpgj7fdbcd7Q/vANPMtBCrUgx7Q6tdvz9M0q+B7tDr0Kav1h5jeoSTILqTiDnNLKxO6VploqDof7HTpyjN5dFlyqhx0NrfqK0Rrv4rgGzhs8ZrK7nU08rqmCc3rxrUmvhbQpUn1JGZw7hT9WtXfb/YInAgH29JhesZ4IVps4QJurt69FAYdWhAyu9r56uVIQhtE5GCn6jmhlKb1NaafiaYGnrd9UxnaVkdojuOYSr4fSaJrTummohQDlgMaLoRxC/X6A63AfICNQijrhG/pt7dvW0bgiJ4GEmrOAutDYg5p1RvXFW6qsmL40hegzwGXA4ZYKbNY8CI5DdCmVrLucPnP5u8hrJR8D4BVq9sR5nGg8Bj4OI2Ku4VHOlCUjAYhDw69i4yTJnPZqDTkvzLNPJuO0dT6gaOQ6Vc2FtB86LGST/OP7BGh6Zq6XTn/yApVcUU6tPVMC6hAgMBAAGjggICMIIB/jAfBgNVHSMEGDAWgBRoN+Drtjv4XxGG+/5hewiIZfROQjAdBgNVHQ4EFgQU3ckt9xhKck6mcbDcAdNLqFXtmhwwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMIG1BgNVHR8Ega0wgaowU6BRoE+GTWh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0ZWRHNENvZGVTaWduaW5nUlNBNDA5NlNIQTM4NDIwMjFDQTEuY3JsMFOgUaBPhk1odHRwOi8vY3JsNC5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkRzRDb2RlU2lnbmluZ1JTQTQwOTZTSEEzODQyMDIxQ0ExLmNybDA9BgNVHSAENjA0MDIGBWeBDAEDMCkwJwYIKwYBBQUHAgEWG2h0dHA6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzCBlAYIKwYBBQUHAQEEgYcwgYQwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBcBggrBgEFBQcwAoZQaHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZEc0Q29kZVNpZ25pbmdSU0E0MDk2U0hBMzg0MjAyMUNBMS5jcnQwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAgEAJpk5fFoDHUj7e5PKCuKo1SWi1LzR1AMZW2N08HgdlcDBTJfOUzdjr+dNtqraIn4aZoUXmQGPAsvg8qHxDS0MnXwvKKwfbkKaBCSQRk2kBfqQL9+fn9wCTuKh2NRZcwaPlFZ7DteNGVKGK8s7ga0x2BJnrlnJAqSvtG+yXgkt+gPqyJLa0QA7oTGshq2voYoH1cXQEWFKucZyh
irvPl+R+svi5iY1GmTkEMY/odqv2ULGcoJcWXVP6pLcYLDH0jWmbNCp/rsJvPTDI+N9iaZNh7crJ4TBq0O9KhzQYANiMpUqHeo7TROFlh/JQ0caQkAOVYCMdduwdY6IgfSNJucYebeJ5QTnAOjuB9YJqENpkIopR7krVJX4LCPHl3K73mqMKnXGzMt37GstYddhimooPRCr1sGHb09ZsM6RR5KuSe3FW3EelifHqci83E7p36XV+HYLOp2UPuNTRoA0TAg9ut9gbtbkYOGXLvAtDcA+VNO3VkeijWL0QXcA7/7aKs26empONE++K0EjthfJOs6FLrj0tB3wyOIDZXblMLz6QI/6Qtosqf4IgsCRw31rfH4KPR5R3XcqjnnvySYuvewzihc9sLAullGoh9JsMJOmR9jkxFP4sFJ1BdL7/7DXllMRyD4pxYTfXVDk9711GBOIu7BorPChUQoU98A7kR7plp4=",
                    "src_file_sha256": "0c8ced779a4b7dca7ba034de52c524d911f9abbb89d885f31a7edde0f015764a",
                    "src_file_path": "downloaded_files/eset_remote_administrator/0c8ced779a4b7dca7ba034de52c524d911f9abbb89d885f31a7edde0f015764a",
                    "src_file_company": "ESET"
                }
            ]
        }
    },
    {
        "Name": "ExtraPuTTY",
        "Category": "RAT",
        "Description": "ExtraPuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://sourceforge.net/projects/extraputty/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [
                "Windows"
            ],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Users\\*\\ExtraPuTTY-0.30-2016-01-28-installer.exe",
                "*Users\\*\\ExtraPuTTY-0.30-2016-01-28-installer.exe",
                "*\\ExtraPuTTY-0.30-2016-01-28-installer.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/extraputty_processes_sigma.yml",
                "Description": "Detects potential processes activity of ExtraPuTTY RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": []
    },
    {
        "Name": "IntelliAdmin Remote Control",
        "Category": "RMM",
        "Description": "IntelliAdmin Remote Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "http://www.intelliadmin.com/index.php/remote-control/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "iadmin.exe",
                "intelliadmin.exe",
                "agent32.exe",
                "agent64.exe",
                "agent_setup_5.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "user_managed",
                        "*.intelliadmin.com",
                        "intelliadmin.com/remote-control"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/intelliadmin_remote_control_network_sigma.yml",
                "Description": "Detects potential network activity of IntelliAdmin Remote Control RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/intelliadmin_remote_control_processes_sigma.yml",
                "Description": "Detects potential processes activity of IntelliAdmin Remote Control RMM tool"
            }
        ],
        "References": [
            "http://www.intelliadmin.com/index.php/remote-control/"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "ISL Light",
        "Category": "RMM",
        "Description": "ISL Light is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.islonline.com/downloads/isl-light.htm",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "islalwaysonmonitor.exe",
                "isllight.exe",
                "isllightservice.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "islonline.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_light_network_sigma.yml",
                "Description": "Detects potential network activity of ISL Light RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_light_processes_sigma.yml",
                "Description": "Detects potential processes activity of ISL Light RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "ISL Online Ltd.",
                    "certificate_thumbprint": "69D863EBB31F6E58D1511DE618489AB47BB0B361",
                    "certificate_der_base64": "MIIHSzCCBTOgAwIBAgIQD9LyyHRgH2JtiKDVk0AFBDANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xQTA/BgNVBAMTOERpZ2lDZXJ0IFRydXN0ZWQgRzQgQ29kZSBTaWduaW5nIFJTQTQwOTYgU0hBMzg0IDIwMjEgQ0ExMB4XDTIzMDUyNDAwMDAwMFoXDTI2MDUyNTIzNTk1OVowUzELMAkGA1UEBhMCR0IxEDAOBgNVBAcTB1N3aW5kb24xGDAWBgNVBAoTD0lTTCBPbmxpbmUgTHRkLjEYMBYGA1UEAxMPSVNMIE9ubGluZSBMdGQuMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvlr5XM0bUQx1AcpTnLokfwq3MYsm8GEmRUJxz/JzsRxqTHrgnANEI2dTKSupoaGBrWND9oedptkig4f/5/WbYlXVaI7EliiQMJxk87L8X6SRK76qWl98nMtE9rgkscvCPeO0GGc5ctyOMZSgW5VdQhyWttLDU2O/R33wO5c3M0hFt2taXa7W1/sU9+RMd4Gyuk0VTPd8VbRiwGXhCwy97OOH+8MR+KMF6S/HbuSTlmm3ly9pUmYg3QbaMXwcCJwDv21qVaXwDGKLCaPs86mRnBu3kigD+ZtgFLUMJIY7t60rM5sFcHMfOo/IYTShBDjvQfvQfkJz3p0/gIqXe55RvWiaTHMs5oYJR35YTBQBtfvcgKVGCNnH1yt5M3phNPogGESWlujjO8yMjcqAnfMleN8xA5Gbcy796CX46sTtL4xve3GYCk/ngjMqyOVcCTC8pcf9HzxOOeGXHpbcvhqy6ZGiffVO3T2cxU2cDvSgqIewVxW12PwYNkBMaWlmS63vPwHav1OAz2LrzbzG+pUaMQJj7zfhcdGZf3Eg3TiZow7DzBXlnsimqfsS524/XP+rejcDkkuM2X9zoOKLB0g0cC8OYIZOE89NKoJi2EZehPEqqaNU+06DyFO6ZJgBpX60CTIV6TEKAxmo+CsXKvc5nCaJisMJuJmoLBfsQiQm8b0CAwEAAaOCAgMwggH/MB8GA1UdIwQYMBaAFGg34Ou2O/hfEYb7/mF7CIhl9E5CMB0GA1UdDgQWBBQEn5Oe0FNYepFXMRsMYFTdENsaxTAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwgbUGA1UdHwSBrTCBqjBToFGgT4ZNaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZEc0Q29kZVNpZ25pbmdSU0E0MDk2U0hBMzg0MjAyMUNBMS5jcmwwU6BRoE+GTWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0ZWRHNENvZGVTaWduaW5nUlNBNDA5NlNIQTM4NDIwMjFDQTEuY3JsMD4GA1UdIAQ3MDUwMwYGZ4EMAQQBMCkwJwYIKwYBBQUHAgEWG2h0dHA6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzCBlAYIKwYBBQUHAQEEgYcwgYQwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBcBggrBgEFBQcwAoZQaHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZEc0Q29kZVNpZ25pbmdSU0E0MDk2U0hBMzg0MjAyMUNBMS5jcnQwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAgEAtw9K8h8OWVJokYeiuZo1ok0lUL+Ba9xSFKcHXHU3nIcDcBhyYFmq+9WGh4iaZw2H8rg111zRpnWR0ci4L2W1uEIY5tLpIexh0+tecYKdXJW4my4scjfTZxipHhYmpZuC4M0ElA49G/gj5
QX6ytXDJe9dhl1TS7B+5uyuHnWM6V+R14kD6VdHtfSyBzRyKsSZFpQo0vmDdpyjZ6LOhNo7uzFrm5th2fL/CoR9GH5DDvpZcKBdykqb3r+3IQcTguEjrAKeq+XI9aoUQB/QyNFo1AV3dwtLjO31ZLnwLucmJmg+g3MvQ4KP7KACo4jWPXeegwlxPYce+j8kmpqiIJp0rbZ2NNJnGnrJGIXq/1wMK9WjqrKFK0Sm1bRa66gxM+DmOlkRPKn/DqwHW61M4ZuEOg3pmo5slOXngIoiOz3a7s68Q58yz8p5pgIvj/svbxmTXB3VWRPSw9X64CnFcE9pE/Qh2/PdFldbAu0YFTba3pbx/c4Ow2PbV4okODTJiFnjeH64rU6N/6u2UDFqlLNPNqTtKjR1rVHKKKnVOG69ya7B4kyIm6bSXFeZSIn7/HMuIMeX5W/i6KqiE8m15NQzsqe7nvphjNt6Q7Y6TvVlZRpQWpW2qZaSa2JOcm1b0asfIKQfkRINMAVw3MqJydDgywaidfF/Sky7sX+7entTJ20=",
                    "src_file_sha256": "ae6c0e25c5867370a9208f63cecd039779384ca205336f7a8d1635058eb0f759",
                    "src_file_path": "downloaded_files/isl_light/ae6c0e25c5867370a9208f63cecd039779384ca205336f7a8d1635058eb0f759",
                    "src_file_company": "XLAB d.o.o."
                },
                {
                    "signer_name": "PDQ.com Corporation",
                    "certificate_thumbprint": "C215D204EA384B3D85057CB11B4D23B5DC301AE5",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "0a52b503f8461b741a50e48bfd47daff299d29ed2dde29dadaffa7398e1db6f6",
                    "src_file_path": "downloaded_files/isl_light/0a52b503f8461b741a50e48bfd47daff299d29ed2dde29dadaffa7398e1db6f6",
                    "src_file_company": "XLAB d.o.o."
                },
                {
                    "signer_name": "ISL Online Ltd.",
                    "certificate_thumbprint": "FD412CA692ED576E5FA7723CB06ABE14077A2C67",
                    "certificate_der_base64": "MIIHSzCCBTOgAwIBAgIQBjE8I8Eu/6bB6Bqngx6j7zANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xQTA/BgNVBAMTOERpZ2lDZXJ0IFRydXN0ZWQgRzQgQ29kZSBTaWduaW5nIFJTQTQwOTYgU0hBMzg0IDIwMjEgQ0ExMB4XDTIzMDUyNDAwMDAwMFoXDTI2MDUyMzIzNTk1OVowUzELMAkGA1UEBhMCR0IxEDAOBgNVBAcTB1N3aW5kb24xGDAWBgNVBAoTD0lTTCBPbmxpbmUgTHRkLjEYMBYGA1UEAxMPSVNMIE9ubGluZSBMdGQuMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAoKB7NEjPmq5+JRkjsaS5/1GXkZ3tnfIGqn/pP2flcn+UFbbqw27ImsBsxONkuUs/fqK4fjwCNuIAo/fTci+GJs+sOWRhYlfwJJ5jgGEAkPh73pq+fgPf4tCZPfzYodTycPWmAF1CMyvivgyxDS8iNzxHg/4Gj+f2u1Pfiu6Yncjzt0CfuRRlyJ+UZ1eLxXUxjQ9UYC+vOmrgwwyeLNxlHaEL7Efb1Eeu+fytyKHia9egnBul0d/OqYBLQMDTlZaURCdrPIoLJKRp93xC23i1EMhH6u5e4VUEN0L6aPx0kPvRLbOuOlbd/DOoHwd9jnjrpn61t99CAIrcjzYSy9JQOwE1xLsjDVq5GbG3B4Ws7Cm+cH8sezRmeT4hKy5cWrqR8BTMDFaGRswX9gJLSwd9hgVicnz7EsZNjeK2KKsV4C+500bwvsc4DLb2ATBej2YxcTznpqBmcR2R64pnwGLNVV1Kotq8or4L6ClLQDOqhGCGYIhEY88NljJMNtANLiUm3/g0ego2JDgLlDgIB2Hv360Eiig9Eba6JSvbNtFPWCgEZPUlfliohtvD+px82QhpmcHfOUXjHHwCS2lpjWD1ksup4/+TFjnqcjZQKnX++R5gFm/1UOlQWxwDQKSNT8BO899lf1T1Zl/efjpWhHVCtETIPzsnT/xB9Jj6PtxQcUcCAwEAAaOCAgMwggH/MB8GA1UdIwQYMBaAFGg34Ou2O/hfEYb7/mF7CIhl9E5CMB0GA1UdDgQWBBS5rxYNZunqlcry3f6y9vUTFv+A5jAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwgbUGA1UdHwSBrTCBqjBToFGgT4ZNaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZEc0Q29kZVNpZ25pbmdSU0E0MDk2U0hBMzg0MjAyMUNBMS5jcmwwU6BRoE+GTWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0ZWRHNENvZGVTaWduaW5nUlNBNDA5NlNIQTM4NDIwMjFDQTEuY3JsMD4GA1UdIAQ3MDUwMwYGZ4EMAQQBMCkwJwYIKwYBBQUHAgEWG2h0dHA6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzCBlAYIKwYBBQUHAQEEgYcwgYQwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBcBggrBgEFBQcwAoZQaHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZEc0Q29kZVNpZ25pbmdSU0E0MDk2U0hBMzg0MjAyMUNBMS5jcnQwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAgEAjOyPUNyDNp16g0FFhUeZ5bx29FXBNv3CyAjBkbLt5+ia3B63kWud52rUPbAGmqRJV998Aj8MlEz6+GYdGYXdJ6ynHamTAGkRokoCGjtpvJz+pNEupio1zFREhIrXEXz9FuasNBGlwR1y4
iZRm7xzzbIV99q4eK8cGa6IU6R1AL1wEl4AU3XwJngJyplNv24Tprw7TYFxNlljEm3gAKXtjsjcpuL/pbmZlOcoG5/RV1GIIb9SZHRO8QEL/1OOVcoWPR40M3Wclk3+sHB7sQZkW3L7WYegirkfLdtrEqeZnxnAi1lqy7t03oS+iGrYBW9LbErIOGEWZPljFay7QPHQg786dEOOTCjL90m/Pq6v5uvv9qt1TexC3vbToEE46lttO/97HhxCGdemBU/1+2ns52fLDKMNepja68/hPsux/TefIskLyBmgYiB6XnVsUgTes0iz1Q/K+vlloFItBCFIekuny3Mc9G55X0fjN2YmhCS39kZdQ2v+2iwfXqWBqLsv3QzA1P/mLU+lnWgnXrLweIZkEqpSI6HsE+5zkCToZ37Yb6UBemj+2eVAIeyrErS9iyj2DQvSm9lXw3YgJx2lTr3oMoe5IggoImD/B+TuAU0O1f44eLXBrGAMdSGJTkSvgywMjnKTs8VTleH1KeMpjHsclY5kBlh5Vte8bDGAgI4=",
                    "src_file_sha256": "03214d8b41186760f2cf299ba70a22695f4a28be0080551dc582d7a52ac2b96a",
                    "src_file_path": "downloaded_files/isl_light/03214d8b41186760f2cf299ba70a22695f4a28be0080551dc582d7a52ac2b96a",
                    "src_file_company": "XLAB d.o.o."
                }
            ]
        }
    },
    {
        "Name": "Encapto",
        "Category": "RMM",
        "Description": "Encapto is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.encapto.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": []
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "encapto.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/encapto_network_sigma.yml",
                "Description": "Detects potential network activity of Encapto RMM tool"
            }
        ],
        "References": [
            "https://www.encapto.com - used to manage Cisco services"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "Duet Display",
        "Category": "RAT",
        "Description": "Duet Display is a screen sharing and remote desktop software product that ships with RMM capability. The tool includes remote desktop access functionality and is part of the broader itagent product family which features system management and automation functions. Duet Display has been observed being used for remote access capabilities beyond its primary screen-sharing purpose.",
        "Author": "Michael Haag",
        "Created": "2026-01-15",
        "LastModified": "2026-01-15",
        "Details": {
            "Website": "https://www.duetdisplay.com/remote-desktop-access-software",
            "PEMetadata": [
                {
                    "Filename": "duet.exe",
                    "OriginalFileName": "DuetDisp.exe",
                    "Description": "Duet Display executable (observed in threat intelligence)"
                },
                {
                    "Filename": "DuetSetup.exe",
                    "OriginalFileName": "",
                    "Description": "Duet Display installer (verified via VirusTotal)"
                }
            ],
            "Privileges": "User/SYSTEM",
            "Free": "Trial Available",
            "Verification": "Code-signed",
            "SupportedOS": [
                "Windows",
                "Mac",
                "iOS",
                "Android"
            ],
            "Capabilities": [
                "Remote Control",
                "Remote Access",
                "Screen Sharing",
                "Remote Desktop",
                "System Management"
            ],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "duet.exe",
                "DuetSetup.exe",
                "DuetDisp.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.duetdisplay.com",
                        "rdp.duetdisplay.com",
                        "duetdisplay.com",
                        "*.itagent.com",
                        "itagent.com"
                    ],
                    "Ports": [
                        443
                    ]
                }
            ]
        },
        "Detections": [],
        "References": [
            "https://github.com/magicsword-io/LOLRMM/issues/125",
            "https://www.duetdisplay.com/remote-desktop-access-software",
            "https://www.itagent.com/it-agent-remote-access"
        ],
        "Acknowledgement": [
            {
                "Person": "Syndikalist",
                "Handle": "@Syndikalist"
            }
        ]
    },
    {
        "Name": "DragonDisk",
        "Category": "RAT",
        "Description": "DragonDisk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [
                "Windows"
            ],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Program Files (x86)\\Almageste\\DragonDisk\\*",
                "*\\Almageste\\DragonDisk\\*",
                "*\\DragonDisk.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dragondisk_processes_sigma.yml",
                "Description": "Detects potential processes activity of DragonDisk RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": []
    },
    {
        "Name": "N-Able Advanced Monitoring Agent",
        "Category": "RMM",
        "Description": "N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.n-able.com/features/advanced-monitoring-agent",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "Agent_*_RW.exe",
                "BASEClient.exe",
                "BASupApp.exe",
                "BASupSrvc.exe",
                "BASupSrvcCnfg.exe",
                "BASupTSHelper.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*remote.management",
                        "*.logicnow.com",
                        "*systemmonitor.us",
                        "*systemmonitor.eu.com",
                        "*system-monitor.com",
                        "systemmonitor.us.cdn.cloudflare.net",
                        "*cloudbackup.management",
                        "*systemmonitor.co.uk",
                        "*.n-able.com",
                        "*.beanywhere.com",
                        "*.swi-tc.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_network_sigma.yml",
                "Description": "Detects potential network activity of N-Able Advanced Monitoring Agent RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_processes_sigma.yml",
                "Description": "Detects potential processes activity of N-Able Advanced Monitoring Agent RMM tool"
            }
        ],
        "References": [
            "https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "N-ABLE TECHNOLOGIES LTD",
                    "certificate_thumbprint": "069C1914D45A50A709E2D71F36EC2F56CB202995",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "e38be606da565f0976f1e42e4939ef3aeffc55985787629062e4e1bbedfa10d7",
                    "src_file_path": "downloaded_files/n-able_advanced_monitoring_agent/e38be606da565f0976f1e42e4939ef3aeffc55985787629062e4e1bbedfa10d7",
                    "src_file_company": "N-able Take Control"
                }
            ]
        }
    },
    {
        "Name": "Mikogo",
        "Category": "RMM",
        "Description": "Mikogo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "mikogo.exe",
                "mikogo-starter.exe",
                "mikogo-service.exe",
                "mikogolauncher.exe",
                "C:\\Users\\*\\AppData\\Roaming\\Mikogo\\*",
                "*Users\\*\\AppData\\Roaming\\Mikogo\\*",
                "*\\Mikogo-Service.exe",
                "*\\Mikogo-Screen-Service.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.real-time-collaboration.com",
                        "*.mikogo4.com",
                        "*.mikogo.com",
                        "mikogo.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mikogo_network_sigma.yml",
                "Description": "Detects potential network activity of Mikogo RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mikogo_processes_sigma.yml",
                "Description": "Detects potential processes activity of Mikogo RMM tool"
            }
        ],
        "References": [
            "https://mikogo.zendesk.com/hc/en-us/articles/214072478-Which-IP-addresses-do-we-use-for-our-services"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "Remcos",
        "Category": "RMM",
        "Description": "Remcos is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "remcos*.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remcos_processes_sigma.yml",
                "Description": "Detects potential processes activity of Remcos RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": []
    },
    {
        "Name": "Naverisk",
        "Category": "RMM",
        "Description": "Naverisk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.naverisk.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "AgentSetup-*.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "user_managed",
                        "naverisk.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/naverisk_network_sigma.yml",
                "Description": "Detects potential network activity of Naverisk RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/naverisk_processes_sigma.yml",
                "Description": "Detects potential processes activity of Naverisk RMM tool"
            }
        ],
        "References": [
            "http://kb.naverisk.com/en/articles/2811223-deploying-naverisk-agents"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "Jump Desktop",
        "Category": "RMM",
        "Description": "Jump Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2025-12-14",
        "Details": {
            "Website": "https://jumpdesktop.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "jumpclient.exe",
                "jumpdesktop.exe",
                "jumpservice.exe",
                "jumpconnect.exe",
                "jumpupdater.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.jumpdesktop.com",
                        "jumpdesktop.com",
                        "jumpto.me",
                        "*.jumpto.me"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_desktop_network_sigma.yml",
                "Description": "Detects potential network activity of Jump Desktop RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_desktop_processes_sigma.yml",
                "Description": "Detects potential processes activity of Jump Desktop RMM tool"
            }
        ],
        "References": [
            "https://support.jumpdesktop.com/hc/en-us/articles/360042490351-Administrators-Guide-For-Jump-Desktop-Connect"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "search_names": [
                "jumpconnect.exe",
                "jumpconnectcore.dll",
                "jumpupdater",
                "vespra.exe",
                "winkill.exe"
            ],
            "company_names": [],
            "signer_names": [
                "Phase Five Systems LLC",
                "PhaseFive Systems LLC"
            ],
            "certificates": [
                {
                    "signer_name": "PhaseFive Systems LLC",
                    "certificate_thumbprint": "N/A",
                    "tbs_sha256": "1BF55DAA063110C36CA3667802D5FAB3FC46D99873BB470CE1E0DD395354BEB6",
                    "tbs_sha1": ""
                },
                {
                    "signer_name": "Phase Five Systems LLC",
                    "certificate_thumbprint": "N/A",
                    "tbs_sha256": "603F50F6A334218C4ED384ACF9AA88190B3DFC029D54453C27D3167E48C152A0",
                    "tbs_sha1": ""
                },
                {
                    "signer_name": "PhaseFive Systems LLC",
                    "certificate_thumbprint": "N/A",
                    "tbs_sha256": "",
                    "tbs_sha1": "",
                    "tbs_sha384": "427CA734B98DF79C7BB95E4520DBFA6A12155FA52D1F7358A60F15A9904BDC6A95EA04123C2C81437EF981F89E5351CC"
                },
                {
                    "signer_name": "PhaseFive Systems LLC",
                    "certificate_thumbprint": "C5FB19F11FEA6AA9A7A61FF4D327ACA054E7145A",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "880b3e0e54169ab6e32e9cb9d4c20c234dfc2d0dfeaee6faf68d4257941cf1ed",
                    "src_file_path": "downloaded_files/jump_desktop/880b3e0e54169ab6e32e9cb9d4c20c234dfc2d0dfeaee6faf68d4257941cf1ed",
                    "src_file_company": "Phase Five Systems"
                }
            ]
        },
        "FileHashes": {
            "authenticode": [
                {
                    "file_name": "WinKill.exe",
                    "sha256": "D22A7440AC93F2ED3857F99AF0740E8F4038D061B8D33928F952B5DD1DF6D9BA",
                    "sha1": "37339CE3C4B94F5E583ACA18E06620BE26C3AD94"
                },
                {
                    "file_name": "JumpUpdater",
                    "sha256": "0E3F9202416DA42E7223E9FD77792996BE56A7A6F1169FEF3F1CA96B7D534312",
                    "sha1": "900CE766130609452A35EBA3251CB6B0992F080B"
                },
                {
                    "file_name": "JumpConnectCore.dll",
                    "sha256": "EBB553A616BBB7BEFA8C0ED0B72BDE1E8CED079786357ADCA5F48F80FD187418",
                    "sha1": "A1155A615AC27185AC8C2359C85C9A51971515E4"
                },
                {
                    "file_name": "JumpConnect.exe",
                    "sha256": "0E4949B1752AABCA178C61784766B69F2FF1631B4F7745DB0A9C792F22DDC34C",
                    "sha1": "8DA38187F5511E9FB1493D767CD543E15D787CCE"
                },
                {
                    "file_name": "JumpConnect.exe",
                    "sha256": "C8E05EDECC32DC21156B150DDAA607068129968518876BCC98E6E75A4A628B99",
                    "sha1": "B24F381CB79CEE27A5B62BAFBF016CB03A8E9E0F"
                },
                {
                    "file_name": "vespra.exe",
                    "sha256": "D9DBAD65C7AF9F04B890B18A080604A632BE2B9A8F4896E526470C8BA3919C42",
                    "sha1": "C920B9DDAC8CCE83BC5B316261D16A9FBD2B1408"
                }
            ],
            "page": [
                {
                    "file_name": "WinKill.exe",
                    "sha256": "41898FDA5DA79105D2BA6A06348F36258156D905B2215F201F91727D104E72BA",
                    "sha1": "4777BF27ABE31CBDF780EC83411A167BB7264500"
                },
                {
                    "file_name": "JumpUpdater",
                    "sha256": "D42825615C9AA55BC1952E578C904F01528D6E8F60C5A1CD4CACDEA255D57B8D",
                    "sha1": "501900D68D3C7C05A8A7781E4C92B9862B16A538"
                },
                {
                    "file_name": "JumpConnectCore.dll",
                    "sha256": "0D59525F58B5228DFEBFF7A4FF8AE2EF69D8F6B21A29A902CBC4DF09C349C196",
                    "sha1": "2212678443DAF27CDAA473E85F6C728D18E9DD18"
                },
                {
                    "file_name": "JumpConnect.exe",
                    "sha256": "EBAC7E547E2DECA642BFC0D4950E8D56F3474B67CDCB397F01E88E6667219C6E",
                    "sha1": "D8CBB63766CD6196AAFA7988B1F15F74450D9E61"
                }
            ]
        }
    },
    {
        "Name": "TightVNC",
        "Category": "RAT",
        "Description": "TightVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.tightvnc.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "tvnviewer.exe",
                "TightVNCViewerPortable*.exe",
                "tvnserver.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "user_managed",
                        "tightvnc.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tightvnc_network_sigma.yml",
                "Description": "Detects potential network activity of TightVNC RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tightvnc_processes_sigma.yml",
                "Description": "Detects potential processes activity of TightVNC RMM tool"
            }
        ],
        "References": [
            "https://www.tightvnc.com/doc/win/TightVNC_for_Windows-Installation_and_Getting_Started.pdf"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "深圳市玩物科技有限公司",
                    "certificate_thumbprint": "2FDFB9DE3C87B8F4D9D4470DEF901FAE290E3CC1",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "25cde88b8245866e45f2cb081a817aef1ec179d10030837ac19c3863088aeeeb",
                    "src_file_path": "downloaded_files/tightvnc/25cde88b8245866e45f2cb081a817aef1ec179d10030837ac19c3863088aeeeb",
                    "src_file_company": "GlavSoft LLC."
                }
            ]
        }
    },
    {
        "Name": "KickIdler",
        "Category": "RMM",
        "Description": "KickIdler is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.kickidler.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "grabberEM.*msi",
                "grabberTT*.msi"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "kickidler.com",
                        "my.kickidler.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kickidler_network_sigma.yml",
                "Description": "Detects potential network activity of KickIdler RMM tool"
            }
        ],
        "References": [
            "https://www.kickidler.com/for-it/faq/"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "SecureCRT",
        "Category": "RAT",
        "Description": "SecureCRT is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.vandyke.com/products/securecrt/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\*\\SecureCRT.EXE",
                "*\\SecureCRT.EXE",
                "*\\VanDyke Software\\ClientPack\\*"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/securecrt_processes_sigma.yml",
                "Description": "Detects potential processes activity of SecureCRT RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "VanDyke Software, Inc.",
                    "certificate_thumbprint": "57B434C5862F60520A2934E386666DF726CE6284",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "85d2ff4ab6928f08dc2295affbf9ba3c125a5071c4d3c8c522bff357d7a2ff77",
                    "src_file_path": "downloaded_files/securecrt/85d2ff4ab6928f08dc2295affbf9ba3c125a5071c4d3c8c522bff357d7a2ff77",
                    "src_file_company": "VanDyke Software, Inc."
                }
            ]
        }
    },
    {
        "Name": "RPort",
        "Category": "RMM",
        "Description": "RPort is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://kb.rport.io/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "rport.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "user_managed",
                        "rport.io"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rport_network_sigma.yml",
                "Description": "Detects potential network activity of RPort RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rport_processes_sigma.yml",
                "Description": "Detects potential processes activity of RPort RMM tool"
            }
        ],
        "References": [
            "https://kb.rport.io/using-the-remote-access"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "RealVNC Ltd",
                    "certificate_thumbprint": "58DDE0EC787718FB68974FC2A9391F56B7083D56",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "ab62e9e2d06330073f44c019d226c8dfe81f68afe25063866c9ce504a1ba7ace",
                    "src_file_path": "downloaded_files/rport/ab62e9e2d06330073f44c019d226c8dfe81f68afe25063866c9ce504a1ba7ace",
                    "src_file_company": "RealVNC Ltd."
                }
            ]
        }
    },
    {
        "Name": "Level.io",
        "Category": "RMM",
        "Description": "Level.io is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://level.io/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "level-windows-amd64.exe",
                "level.exe",
                "level-remote-control-ffmpeg.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "level.io",
                        "*.level.io"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_network_sigma.yml",
                "Description": "Detects potential network activity of Level.io RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_processes_sigma.yml",
                "Description": "Detects potential processes activity of Level.io RMM tool"
            }
        ],
        "References": [
            "https://docs.level.io/1.0/admin-guides/troubleshooting-agent-issues"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "Level Software, Inc.",
                    "certificate_thumbprint": "3C002DCBBCB603AE08699F4CEF973864AEB16860",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "075b9694aa770850d54870e4a3a55fd11a26497ccb8de4f2ec7b2ecca2b88d83",
                    "src_file_path": "downloaded_files/level.io/075b9694aa770850d54870e4a3a55fd11a26497ccb8de4f2ec7b2ecca2b88d83"
                }
            ]
        }
    },
    {
        "Name": "Parsec",
        "Category": "RAT",
        "Description": "Parsec is a remote desktop streaming tool for remote access and monitoring, mainly used for gaming and collaboration. \n\nRemote desktop reimagined â€“ a seamless 4k experience at up to 60 frames per second with near-zero latency. \nSecure, flexible, effortless access to whatever you do, at any time, from wherever you go.\n\nParsec focuses on real-time graphical interaction rather than system administration but can still be abused for lateral movement and initial access.\n",
        "Author": "Luca Di Bartolomeo & Matt Green",
        "Created": "2025-03-16",
        "LastModified": "2025-03-16",
        "Details": {
            "Website": "https://parsec.app/",
            "PEMetadata": {
                "Filename": "parsecd.exe",
                "OriginalFileName": "",
                "Description": "Parsec",
                "Product": "Parsec"
            },
            "Privileges": "Current User",
            "Free": true,
            "Verification": false,
            "SupportedOS": [
                "Windows",
                "Linux",
                "macOS",
                "Android"
            ],
            "Capabilities": [
                "Remote Control",
                "GUI Support"
            ],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Program Files\\Parsec\\*",
                "parsecd.exe",
                "pservice.exe"
            ]
        },
        "Artifacts": {
            "Disk": [
                {
                    "File": "C:\\Program Files\\Parsec\\parsecd.exe",
                    "Description": "Main parsec executable",
                    "OS": "Windows",
                    "Example": [
                        "SHA256: 38011E713B4BE8577576062754CAD03E9899859488932AE4C9C83E5FBB5CB7D2"
                    ]
                },
                {
                    "File": "C:\\Program Files\\Parsec\\pservice.exe",
                    "Description": "Background service managing input devices",
                    "OS": "Windows",
                    "Example": [
                        "SHA256: CC62D22BF8A082621FA25FDEEE3150C17B09DBC09C9371E3DCDD6EC83967770C"
                    ]
                },
                {
                    "File": "C:\\Program Files\\Parsec\\teams.exe",
                    "Description": "Parsec for teams collaboration and user session management",
                    "OS": "Windows",
                    "Example": [
                        "SHA256: 6DC71B2E92B770DCFECA4A32C8F1787210311F731F1124754DF193EC22D5D13E"
                    ]
                }
            ],
            "EventLog": [
                {
                    "EventID": 7045,
                    "ProviderName": "Service Control Manager",
                    "LogFile": "System.evtx",
                    "ServiceName": "parsecvirtualds",
                    "ImagePath": "\"\\SystemRoot\\System32\\drivers\\parsecvirtualds.sys\"",
                    "ServiceType": "kernel mode driver",
                    "StartType": "demand start",
                    "AccountName": "System",
                    "Description": "Parsec service installation event",
                    "Example": "<Event xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"><System><Provider Name=\"Service Control Manager\" Guid=\"{555908d1-a6d7-4695-8e1e-26931d2012f4}\"EventSourceName=\"Service Control Manager\" /><EventID Qualifiers=\"16384\">7045</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8080000000000000</Keywords><TimeCreated SystemTime=\"2025-03-16T23:16:53.5897766Z\" /><EventRecordID>596</EventRecordID><Correlation /><Execution ProcessID=\"804\" ThreadID=\"912\" /><Channel>System</Channel><Computer>Computer</Computer><Security UserID=\"S-1-5-18\" /></System><EventData><Data Name=\"ServiceName\">parsecvirtualds</Data><Data Name=\"ImagePath\">\\SystemRoot\\System32\\drivers\\parsecvirtualds.sys</Data><Data Name=\"ServiceType\">kernel mode driver</Data><Data Name=\"StartType\">demand start</Data><Data Name=\"AccountName\"></Data></EventData></Event>"
                }
            ],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known domains used by Parsec",
                    "Domains": [
                        "parsec.app",
                        "parsec.gg",
                        "*.parsec.app"
                    ],
                    "Ports": [
                        443,
                        3478
                    ]
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/parsec_network_sigma.yml",
                "Description": "Detects potential network activity of Parsec RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/parsec_files_sigma.yml",
                "Description": "Detects potential files activity of Parsec RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/parsec_processes_sigma.yml",
                "Description": "Detects potential processes activity of Parsec RMM tool"
            }
        ],
        "References": [
            "https://parsec.app/",
            "https://www.virustotal.com/gui/file/206cd186aaa431d3975eb30f682b83851ef4f81125d2004f53b681117da23ec6/behavior",
            "https://x.com/malmoeb/status/1923255362318196951"
        ],
        "Acknowledgement": [
            {
                "Person": "Luca Di Bartolomeo",
                "Handle": "@LucaInfoSec"
            },
            {
                "Person": "Matt Green",
                "Handle": "@mgreen27"
            }
        ],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "Unity Technologies SF",
                    "certificate_thumbprint": "B73664F2AF5A8EF4529F03DB4B2CCD8275A6EC91",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "cc62d22bf8a082621fa25fdeee3150c17b09dbc09c9371e3dcdd6ec83967770c",
                    "src_file_path": "downloaded_files/parsec/cc62d22bf8a082621fa25fdeee3150c17b09dbc09c9371e3dcdd6ec83967770c",
                    "src_file_company": "Parsec"
                }
            ]
        }
    },
    {
        "Name": "RDPView",
        "Category": "RAT",
        "Description": "RDPView is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "dwrcs.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "user_managed",
                        "systemmanager.ru/dntu.en/rdp_view.htm"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpview_network_sigma.yml",
                "Description": "Detects potential network activity of RDPView RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpview_processes_sigma.yml",
                "Description": "Detects potential processes activity of RDPView RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": []
    },
    {
        "Name": "NVDA (Non-Visual Desktop Access)",
        "Category": "RMM",
        "Description": "NVDA (Non-Visual Desktop Access) is a free, open-source screen reader that allows blind and vision impaired people to access and interact with the Windows operating system and many third party applications. Recent versions include a \"Remote Access\" feature that enables remote support and assistance capabilities.",
        "Author": "Michael Haag",
        "Created": "2026-01-15",
        "LastModified": "2026-01-15",
        "Details": {
            "Website": "https://www.nvaccess.org/",
            "PEMetadata": [
                {
                    "Filename": "nvda.exe",
                    "OriginalFileName": "",
                    "Description": "NVDA screen reader executable"
                },
                {
                    "Filename": "nvda_service.exe",
                    "OriginalFileName": "",
                    "Description": "NVDA service executable for secure screens"
                }
            ],
            "Privileges": "User",
            "Free": true,
            "Verification": "Open Source",
            "SupportedOS": [
                "Windows"
            ],
            "Capabilities": [
                "Screen Reading",
                "Remote Access",
                "Remote Support",
                "Accessibility Features"
            ],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Program Files (x86)\\NVDA\\nvda.exe",
                "C:\\Program Files\\NVDA\\nvda.exe",
                "C:\\Users\\*\\AppData\\Roaming\\nvda\\*",
                "C:\\Users\\*\\AppData\\Local\\Temp\\nvda_*\\*",
                "nvda.exe",
                "nvda_service.exe",
                "nvda_*.exe"
            ]
        },
        "Artifacts": {
            "Disk": [
                {
                    "File": "C:\\Program Files (x86)\\NVDA\\nvda.exe",
                    "Description": "NVDA installation directory",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files\\NVDA\\nvda.exe",
                    "Description": "NVDA installation directory (64-bit)",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Users\\*\\AppData\\Roaming\\nvda\\nvda.log",
                    "Description": "NVDA log file",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Users\\*\\AppData\\Roaming\\nvda\\nvda.ini",
                    "Description": "NVDA configuration file",
                    "OS": "Windows"
                }
            ],
            "EventLog": [
                {
                    "EventID": 4688,
                    "Description": "Process creation event for nvda.exe",
                    "OS": "Windows"
                }
            ],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "nvaccess.org",
                        "*.nvaccess.org"
                    ],
                    "Ports": [
                        443
                    ]
                }
            ]
        },
        "Detections": [],
        "References": [
            "https://github.com/magicsword-io/LOLRMM/issues/89",
            "https://www.nvaccess.org/",
            "https://github.com/nvaccess/nvda/pull/17580"
        ],
        "Acknowledgement": [
            {
                "Person": "59e5aaf4",
                "Handle": "@59e5aaf4"
            }
        ]
    },
    {
        "Name": "Ammyy Admin",
        "Category": "RMM",
        "Description": "Ammyy Admin is a remote monitoring and management (RMM) tool. Ammyy admin has been used by scammers to gain remote access to victims' computers. The tool is legitimate and is used by IT professionals for remote management. However, it has been abused by scammers to gain unauthorized access to victims' computers. The tool is free for personal use, but a license is required for commercial use. The tool allows for remote desktop control, file transfer, voice chat, and more. The tool is available for Windows only. will be added as it becomes available.",
        "Author": "@kostsatsale",
        "Created": "2024-05-08",
        "LastModified": "2024-05-08",
        "Details": {
            "Website": "https://www.ammyy.com",
            "PEMetadata": {
                "Filename": "AA_v3.exe",
                "OriginalFileName": "",
                "Description": "Ammyy Admin"
            },
            "Privileges": "Curent User",
            "Free": "Yes/1 active session at a time",
            "Verification": "None",
            "SupportedOS": [
                "Windows"
            ],
            "Capabilities": [
                "Remote Management session",
                "RDP Connection",
                "File Transfer",
                "Voice Chat"
            ],
            "Vulnerabilities": [
                "CVE-2013-5582"
            ],
            "InstallationPaths": [
                "C:\\\\ProgramData\\\\AMMYY\\\\*",
                "AMMYY_Admin.exe",
                "aa_v*.exe",
                "C:\\Users\\*\\Downloads\\AMMYY_Admin.exe",
                "*\\AMMYY_Admin.exe"
            ]
        },
        "Artifacts": {
            "Disk": [
                {
                    "File": "%programdata%\\\\AMMYY\\\\access.log",
                    "Description": "Ammyy Admin access log file. Contains information about the remote IP address, the time of connection, bytes recv/send, and the ID of the remote machine.",
                    "OS": "Windows",
                    "Example": [
                        "20240805-22:20:45.962000 00000D98 - [0] PASSED authorization remoteId=XXXXXXXX; TCP by router 136.243.104.235:443",
                        "20240805-22:22:34.139000 00000710 - [1] FAILED authorization remoteId=XXXXXXXX; TCP by router 136.243.104.235:443",
                        "20240805-22:23:10.648000 00000D98 - [0] ENDED  authorized session, bytes recv/send = 1164 / 115378"
                    ]
                },
                {
                    "File": "%Binary_path%\\\\AA_v3.log",
                    "Description": "Ammyy Admin log file. Contains application related logs.",
                    "OS": "Windows",
                    "Example": [
                        "20240805-22:19:52.455000 00001318 - ERROR: ERROR: 2 RLEvent::TryToOpen(Global\\AANS_FvwjZ_CHI)",
                        "20240805-22:23:10.648000 00000D98 - ERROR: ERROR SetThreadDesktop(200) 170"
                    ]
                }
            ],
            "EventLog": [
                {
                    "EventID": 4688,
                    "ProviderName": "Microsoft-Security-Auditing",
                    "LogFile": "Security.evtx",
                    "CommandLine": "rundll32.exe \"C:\\ProgramData\\AMMYY\\aa_nts.dll\",run",
                    "Description": "Execution of Ammyy Admin"
                },
                {
                    "EventID": 7045,
                    "ProviderName": "Service Control Manager",
                    "LogFile": "System.evtx",
                    "ServiceName": "Ammyy Admin",
                    "ImagePath": "C:\\*\\AA_v3.exe",
                    "Description": "Ammyy Admin service installation event"
                }
            ],
            "Registry": [
                {
                    "Path": "HKU\\.DEFAULT\\Software\\Ammyy\\Admin",
                    "Key": "hr3",
                    "Type": "Reg_Binary",
                    "Description": "Ammyy Admin writes the hr3 binary value to the registry. The hr3 value is likely used to store admin-related information."
                },
                {
                    "Path": "HKLM\\SYSTEM\\ControlSet001\\Control\\SafeBoot\\Network\\AmmyyAdmin",
                    "Description": "Registers the Ammyy Admin service under SafeBoot\\Network, which allows Ammyy Admin to run in Safe Mode with Networking."
                }
            ],
            "Network": [
                {
                    "Description": "Known remote domains and router IP addresses",
                    "Domains": [
                        "ammyy.com",
                        "*ammyy.com"
                    ],
                    "Ports": [
                        5931,
                        80,
                        443,
                        8080
                    ]
                },
                {
                    "Description": "Known router IP addresses (TCP connections)",
                    "Domains": [
                        "136.243.104.235",
                        "136.243.104.242",
                        "136.243.18.122"
                    ],
                    "Ports": [
                        443
                    ]
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/tsale/Sigma_rules/blob/main/Threat%20Hunting%20Queries/ammyy_admin.yml",
                "Name": "Detecting Ammy Admin RMM Agent Execution",
                "Description": "Detects the execution of the Ammy Admin RMM agent for remote management."
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ammyy_admin_registry_sigma.yml",
                "Description": "Detects potential registry activity of Ammyy Admin RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ammyy_admin_network_sigma.yml",
                "Description": "Detects potential network activity of Ammyy Admin RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ammyy_admin_files_sigma.yml",
                "Description": "Detects potential files activity of Ammyy Admin RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ammyy_admin_processes_sigma.yml",
                "Description": "Detects potential processes activity of Ammyy Admin RMM tool"
            }
        ],
        "References": [
            "https://www.ammyy.com/en/admin_security.html",
            "https://www.ammyy.com/en/admin_mu.html"
        ],
        "Acknowledgement": [
            {
                "Person": "Kostas",
                "Handle": "@kostastsale"
            }
        ]
    },
    {
        "Name": "Netop",
        "Category": "RMM",
        "Description": "Netop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://netop.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [
                "Windows"
            ],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Program Files\\Danware Data\\NetOp Packn Deploy\\*",
                "*\\Danware Data\\NetOp Packn Deploy\\*",
                "*\\Netop Remote Control\\*"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [],
        "References": [],
        "Acknowledgement": []
    },
    {
        "Name": "EMCO Remote Console",
        "Category": "RMM",
        "Description": "EMCO Remote Console is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://emcosoftware.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "remoteconsole.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "user_managed",
                        "emcosoftware.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/emco_remote_console_network_sigma.yml",
                "Description": "Detects potential network activity of EMCO Remote Console RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/emco_remote_console_processes_sigma.yml",
                "Description": "Detects potential processes activity of EMCO Remote Console RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": []
    },
    {
        "Name": "FixMe.it",
        "Category": "RMM",
        "Description": "FixMe.it is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://fixme.it/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [
                "Windows"
            ],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "FixMeit Client.exe",
                "TiExpertStandalone.exe",
                "FixMeitClient*.exe",
                "TiExpertCore.exe",
                "FixMeit Unattended Access Setup.exe",
                "FixMeit Expert Setup.exe",
                "TiExpertCore.exe",
                "fixmeitclient.exe",
                "TiClientCore.exe",
                "TiClientHelper*.exe",
                "9380CC75B872221A7425D7503565B67580407F60"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.fixme.it",
                        "*.techinline.net",
                        "fixme.it",
                        "*set.me",
                        "*setme.net"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme.it_network_sigma.yml",
                "Description": "Detects potential network activity of FixMe.it RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme.it_processes_sigma.yml",
                "Description": "Detects potential processes activity of FixMe.it RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": []
    },
    {
        "Name": "ZeroTier",
        "Category": "RAT",
        "Description": "ZeroTier is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.zerotier.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "zerotier*.msi",
                "zerotier*.exe",
                "zero-powershell.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "zerotier.com",
                        "*.zerotier.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zerotier_network_sigma.yml",
                "Description": "Detects potential network activity of ZeroTier RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zerotier_processes_sigma.yml",
                "Description": "Detects potential processes activity of ZeroTier RMM tool"
            }
        ],
        "References": [
            "https://my.zerotier.com/"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "search_names": [],
            "company_names": [],
            "signer_names": [
                "ZEROTIER, INC.",
                "ZeroTier, Inc."
            ],
            "certificates": [
                {
                    "signer_name": "ZEROTIER, INC.",
                    "certificate_thumbprint": "N/A",
                    "tbs_sha256": "767BDA9E3E8B2241DEB7825AACE32C92793E753F7AD3DDCDFAEBC1F4AD9F28C9",
                    "tbs_sha1": ""
                },
                {
                    "signer_name": "ZeroTier, Inc.",
                    "certificate_thumbprint": "N/A",
                    "tbs_sha256": "585313F1B71C57E3383163625CB74104DEB13C9DCE97B7F03CF2FBE6353D4C98",
                    "tbs_sha1": ""
                }
            ]
        }
    },
    {
        "Name": "Anyplace Control",
        "Category": "RMM",
        "Description": "Anyplace Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2025-12-14",
        "Details": {
            "Website": "http://www.anyplace-control.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [
                "Windows"
            ],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "apc_host.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "anyplace-control.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyplace_control_network_sigma.yml",
                "Description": "Detects potential network activity of Anyplace Control RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyplace_control_processes_sigma.yml",
                "Description": "Detects potential processes activity of Anyplace Control RMM tool"
            }
        ],
        "References": [
            "http://www.anyplace-control.com/anyplace-control/help/faq.htm"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "search_names": [
                "apc_host.exe",
                "support-ywrtaw5ay29ycg9yyxrllnbsyw4gmtizndu2ideymzq1nibzdxbwb3j0lmj5dgvjahmuynk=.exe"
            ],
            "company_names": [],
            "signer_names": [
                "Anyplace Control Software",
                "Honcharuk Yuriy",
                "Yurii Honcharuk"
            ],
            "certificates": [
                {
                    "signer_name": "Anyplace Control Software",
                    "certificate_thumbprint": "B25DD2F9459F42C3B60D0BD3045953ABCFAB16D1",
                    "tbs_sha256": "428EDC9D675B66BF9EAE54B03CF5138F10919C2BCC5BEC4FEBED3701313AA6AE",
                    "tbs_sha1": "",
                    "certificate_der_base64": "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"
                },
                {
                    "signer_name": "Honcharuk Yuriy",
                    "issuer": "CN=COMODO Code Signing CA 2",
                    "certificate_thumbprint": "225068B11F9A75953D8009822A2649E22EF413B6",
                    "tbs_sha256": "A5D9F123DF7F198FC0EF91D8E05A975B8052FC3FA5A0E99AEA46644E3EE935FB",
                    "tbs_sha1": "40FC7F598113A7B281219F20971FD40D500C8B75",
                    "valid_from": "2012-06-12T00:00:00+00:00",
                    "valid_to": "2015-06-12T23:59:59+00:00",
                    "certificate_der_base64": "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"
                },
                {
                    "signer_name": "Yurii Honcharuk",
                    "issuer": "CN=Sectigo Public Code Signing CA R36",
                    "certificate_thumbprint": "645A38036CDCBB22DEB85A952780F8CBE428231F",
                    "tbs_sha256": "950FE76EBEFF3880B7EE411AAF73AF829816B9E666A67BDFA973E75C9527D595",
                    "tbs_sha1": "B1B204E82B1BCA67DF2F918E5090C4071E387749",
                    "valid_from": "2021-11-18T00:00:00+00:00",
                    "valid_to": "2024-11-17T23:59:59+00:00",
                    "certificate_der_base64": "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"
                }
            ]
        },
        "FileHashes": {
            "authenticode": [
                {
                    "file_name": "apc_host.exe",
                    "sha256": "39780F4723D10F75E500B8F2057DA3CB8974CB79A638C97911BD886E09F7CC45",
                    "sha1": "DCF79315D8DBBD9CC1C889EABFE2086EC2B02F49"
                },
                {
                    "file_name": "apc_host.exe",
                    "sha256": "B0A2D33EF8C85AD2AF4CA0EBF315DC3B1C36DB8288C01CB73D32A3F0CB3D2DB2",
                    "sha1": "B03F70B21EB4910B91D9C8B9330A7E3BC7755691"
                },
                {
                    "file_name": "apc_host.exe",
                    "sha256": "F172473F0560B5BEC3F9F062AF32899C8080B39B3BCAD41086303CE8DABB2743",
                    "sha1": "E422F7AABE76721E47809AE09766F5D8AFD44D3B"
                },
                {
                    "file_name": "support-YWRtaW5AY29ycG9yYXRlLnBsYW4gMTIzNDU2IDEyMzQ1NiBzdXBwb3J0LmJ5dGVjaHMuYnk=.exe",
                    "sha256": "E7FF1AC0AC6D9858B2812E168CE6E049136433340C6075F170939B6EF17854AD",
                    "sha1": "D0FED32033CA30E3B84AF44EF9BD7545AAD1647A"
                }
            ],
            "page": [
                {
                    "file_name": "apc_host.exe",
                    "sha256": "21D8B57A4115514E8A421965C0FE136CC3DDA6F67090704B7B85FC98D1A458C9",
                    "sha1": "A445D70406CD5D6912E02D57B40A130B1AA52299"
                },
                {
                    "file_name": "apc_host.exe",
                    "sha256": "EDAB32FDC0FDACEF51CB924EFBAA1EC6AB1D677FBA2CD3610A85152C07908A92",
                    "sha1": "9FD17C34DBE1892051D4DC5B8DC3D9EF4DD89997"
                },
                {
                    "file_name": "support-YWRtaW5AY29ycG9yYXRlLnBsYW4gMTIzNDU2IDEyMzQ1NiBzdXBwb3J0LmJ5dGVjaHMuYnk=.exe",
                    "sha256": "64146218BBB62E26DB6230F358924A722BE4691F7F49F9128F6EFC45106C48D4",
                    "sha1": "DE2961DF4F4F4F7BF69A812BEE0AB29F300B9689"
                }
            ]
        }
    },
    {
        "Name": "DeskDay",
        "Category": "RMM",
        "Description": "DeskDay is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://deskday.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [
                "Windows"
            ],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "ultimate_*.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "deskday.ai",
                        "app.deskday.ai"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskday_network_sigma.yml",
                "Description": "Detects potential network activity of DeskDay RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskday_processes_sigma.yml",
                "Description": "Detects potential processes activity of DeskDay RMM tool"
            }
        ],
        "References": [
            "https://support.deskday.ai/en/articles/8235973-installing-the-end-user-application-ultimate"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "GetScreen",
        "Category": "RMM",
        "Description": "GetScreen is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2025-12-14",
        "Details": {
            "Website": "https://getscreen.me/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [
                "Windows"
            ],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "GetScreen.exe",
                "getscreen.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "getscreen.me",
                        "GetScreen.me",
                        "*.getscreen.me"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/getscreen_network_sigma.yml",
                "Description": "Detects potential network activity of GetScreen RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/getscreen_processes_sigma.yml",
                "Description": "Detects potential processes activity of GetScreen RMM tool"
            }
        ],
        "References": [
            "https://docs.getscreen.me/self-hosted/system-requirements/"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "search_names": [
                "2025-12-14_6f3bd1ad8919f9cd6ab1752009741a86_amadey_darkgate_elex_glassworm_helldown_hijackloader_luca-stealer_lynx_njrat",
                "getscreen.me",
                "rfbhr3zzo.exe"
            ],
            "company_names": [],
            "signer_names": [
                "Kopetra Ltd."
            ],
            "certificates": [
                {
                    "signer_name": "Kopetra Ltd.",
                    "certificate_thumbprint": "8371992440D77154BB64BF0872E861D6372F70E8",
                    "tbs_sha256": "18450D4DFF502326C24240AA0A1A1971DA4DC7C96D3613B64180FDCE318A710A",
                    "tbs_sha1": "",
                    "certificate_der_base64": "MIIGxDCCBSygAwIBAgIRAMUB50/FYYUDqzL5LnrdavgwDQYJKoZIhvcNAQELBQAwVzELMAkGA1UEBhMCR0IxGDAWBgNVBAoTD1NlY3RpZ28gTGltaXRlZDEuMCwGA1UEAxMlU2VjdGlnbyBQdWJsaWMgQ29kZSBTaWduaW5nIENBIEVWIFIzNjAeFw0yNTAzMTIwMDAwMDBaFw0yNjAzMTIyMzU5NTlaMIGVMRIwEAYDVQQFEwk1MTY1NzQyODIxEzARBgsrBgEEAYI3PAIBAxMCSUwxHTAbBgNVBA8TFFByaXZhdGUgT3JnYW5pemF0aW9uMQswCQYDVQQGEwJJTDEQMA4GA1UECAwHQ2VudHJhbDEVMBMGA1UECgwMS29wZXRyYSBMdGQuMRUwEwYDVQQDDAxLb3BldHJhIEx0ZC4wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDM2gfTabQXO43JYEhPmEtDf4/TnAdazv5nY3XBB8FZ/vzdrOgeEQmCVNjlKzRaBKtetPqV1IeRF/idg62upWICuKG9qQvUL3q/2qUBiQ4wyiy6HTdtMGs4CJYK3G/TCsEhb9xKOGvu1ghfWPgDz5iLVnmM+eyx+X+UlYjas2mCFmmmunmz4ZAHo6pe9UanrnaPJjw4yRt4+BpnAaDsbluf76d1Bhqy+5g8FfZSDjvj/7pkdzaEkYl2ipOkbXxkraZxLUWDdlhtFt5IoXADpEfnQ9H9yqcCmuCr90PkxEALAnvA+4P7MCvmMfPpDKIH4KhSqE7O9VqM17HsC5OWdxh25j/VqPirrd3tPOs2LeGlZXzXRixeiuFnJv/Ieub8sMihTFrtS/U2rYl+mkLMkNqzvyJuQvHera5MNU8lPRn75egqSH55LwQ9ziYa8p3qtSA1FoHebRayhWJVckDgdFyQdlEPsLQaNg8hO9byJwiu/br4C45LeVmiNo6VQhgcvWm2ee2LmbSIMOSev24po+p0f/s6KyXjMu+sPnfSoM/001QCHuJTQdl7qalO0gFmA9lPFvXGDfbihS+RpyzK8S/4YFOEZl/iKvrADQJz1Vji5OYwJmIlL+Ar6ZMzvgLueZTBC9jUzZKCTAKgXup4kOVrf4Exj/zee4GTkd+YT+nVoQIDAQABo4IByjCCAcYwHwYDVR0jBBgwFoAUgTKSQSsozUbIxKLGKjkS7EipPxQwHQYDVR0OBBYEFGIkbygI0uVjQ1+OlanFS4Dx/FwcMA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMEkGA1UdIARCMEAwNQYMKwYBBAGyMQECAQYBMCUwIwYIKwYBBQUHAgEWF2h0dHBzOi8vc2VjdGlnby5jb20vQ1BTMAcGBWeBDAEDMEsGA1UdHwREMEIwQKA+oDyGOmh0dHA6Ly9jcmwuc2VjdGlnby5jb20vU2VjdGlnb1B1YmxpY0NvZGVTaWduaW5nQ0FFVlIzNi5jcmwwewYIKwYBBQUHAQEEbzBtMEYGCCsGAQUFBzAChjpodHRwOi8vY3J0LnNlY3RpZ28uY29tL1NlY3RpZ29QdWJsaWNDb2RlU2lnbmluZ0NBRVZSMzYuY3J0MCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5zZWN0aWdvLmNvbTA8BgNVHREENTAzoBwGCCsGAQUFBwgDoBAwDgwMSUwtNTE2NTc0MjgygRNzdXBwb3J0QGtvcGV0cmEuY29tMA0GCSqGSIb3DQEBCwUAA4IBgQC1+UafkBtyYUIY0oXg0qk874TzZDPSIdZ4z+spfIosTqOhJhUmrESda69XxsZ/obHoOmTr43KzSPoL+835qEF2OMwTCMjk61ySsGAE4VRly1MOQayqEycR6APQrcdkss4WnVxEQvOQcmu3nxAcThN1o
fCHt2dFF8RsE3l+rctScoptGqm6jZNyAQascJ0en3k036JpcD0SAx9spNhfqW9YcUwAQuqZbScIg4ewW1NvQWHAv+35LOIg3pufHbxaDLoO7uXeBD9/6eSyDDeVH6eDCyRGhMMTlHyMnWMoCmg2ZCue24Dsv2/2/ymrSEHIpG3dqzHJqykv885yKj/fP8P3qBLzqq4FPwXsHpAGektJdT9zs9/K4KTOQlNZqGPBDqj2DCKFqZ6tEa6xKFu/CRTrEi5vxDhTvi2b1se8ZDPbbhI9aXS5XOO4ckIkolBUEhdAOQ2jzhU7DNtcCboX8njK3l1QgeiWSPw6Ad0bWrWvdCoph6RAu9vVeDBwu+JaPcI="
                }
            ]
        },
        "FileHashes": {
            "authenticode": [
                {
                    "file_name": "rfbhr3zzo.exe",
                    "sha256": "05C954C3A8FB10AAA661264282C52975EA1C74A32B8433CED2555B2CF25EFF60",
                    "sha1": "92AFA21260BC69868A680E6052BC572A19FC88EC"
                },
                {
                    "file_name": "Getscreen.me",
                    "sha256": "925EF1C48B8179F2623519434DBB7CD72E5CA92633EDB7841449AC415B61AB49",
                    "sha1": "0CE759DD9ACC3250F8D237E10DACB6FEA5A1C3F3"
                },
                {
                    "file_name": "2025-12-14_6f3bd1ad8919f9cd6ab1752009741a86_amadey_darkgate_elex_glassworm_helldown_hijackloader_luca-stealer_lynx_njrat",
                    "sha256": "35E306C5BA02B38E3E693E1EEBEEEE44144606DFB68A4C6E516319958EDD907B",
                    "sha1": "2379071527D41E23C58CE5CED0344DD3C220C4EA"
                }
            ],
            "page": [
                {
                    "file_name": "Getscreen.me",
                    "sha256": "4ABE10F84D0F58D30A0D8EAE3092987E72507D63253A1D3B190FE7A65263B0BF",
                    "sha1": "10B8E5D5EE6A573F000233DEF7E7C42136B6BE58"
                },
                {
                    "file_name": "2025-12-14_6f3bd1ad8919f9cd6ab1752009741a86_amadey_darkgate_elex_glassworm_helldown_hijackloader_luca-stealer_lynx_njrat",
                    "sha256": "CAC3DA59CBE1207100FCF9DD22A16756767EBA54AAE765BBE760C0E929A5C27B",
                    "sha1": "C73D2C372F8DDB0A11F1AFD84E7CF1D529DD8786"
                }
            ]
        }
    },
    {
        "Name": "RDCMan",
        "Category": "RAT",
        "Description": "Remote Desktop Connection Manager (RDCMan) is a free Microsoft tool developed by Julian Burger for managing multiple remote desktop connections from a single interface. Part of the Sysinternals suite, RDCMan enables IT administrators, system administrators, server lab managers, developers, and testers to organize, group, and control numerous RDP sessions efficiently.\n\n**IMPORTANT**: This tool is signed with legitimate Microsoft Corporation certificates that are also used to sign numerous other Microsoft products and Windows components. Do NOT blindly block these certificate thumbprints as doing so will likely break essential Windows functionality and other Microsoft applications in your environment. Use certificate data for detection, hunting, and analysis purposes only.\n",
        "Author": "Daniel Koifman (KoifSec)",
        "Created": "2025-11-12",
        "LastModified": "2025-11-12",
        "Details": {
            "Website": "https://learn.microsoft.com/en-us/sysinternals/downloads/rdcman",
            "Privileges": "User",
            "Free": true,
            "Verification": true,
            "SupportedOS": [
                "Windows"
            ],
            "Capabilities": [
                "Remote Desktop Management",
                "Multiple RDP Sessions"
            ],
            "Vulnerabilities": [
                "CVE-2020-0765"
            ],
            "InstallationPaths": [
                "*\\RDCMan.exe",
                "*\\RDCMan-x86.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [
            {
                "KQL": "https://github.com/Koifman/Deathcon25/blob/main/rmm_rodeo/rdcman/kql.kql",
                "Description": "KQL query for detecting RDCMan activity in Microsoft Sentinel"
            }
        ],
        "References": [
            "https://learn.microsoft.com/en-us/sysinternals/downloads/rdcman",
            "https://dirteam.com/sander/2021/06/24/remote-desktop-connection-manager-rdcman-is-back/",
            "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-0765"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "search_names": [
                "nmk092kb9.exe",
                "rdcman-x86.dll",
                "rdcman-x86.exe",
                "rdcman.exe",
                "v8yka5.exe"
            ],
            "company_names": [],
            "signer_names": [
                "Microsoft Corporation"
            ],
            "certificates": [
                {
                    "signer_name": "Microsoft Corporation",
                    "issuer": "CN=Microsoft Code Signing PCA 2011",
                    "certificate_thumbprint": "3F56A45111684D454E231CFDC4DA5C8D370F9816",
                    "tbs_sha256": "21DC4A8B9890842E51963CE36D3A614C716D2D794AFCF606F73CE12B525F9E6B",
                    "tbs_sha1": "1D04935E420A06C650CB71FB762C0F0E8F90D17C",
                    "valid_from": "2025-06-19T18:21:37+00:00",
                    "valid_to": "2026-06-17T18:21:37+00:00",
                    "certificate_der_base64": "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",
                    "src_file_path": "downloaded_files/rdcman/e6067c98e8ffc586d689d1ddb5376f26e1657c15ddafe4eff7b4d231de15770a",
                    "src_file_company": "Microsoft"
                },
                {
                    "signer_name": "Microsoft Corporation",
                    "issuer": "CN=Microsoft Code Signing PCA",
                    "certificate_thumbprint": "67B1757863E3EFF760EA9EBB02849AF07D3A8080",
                    "tbs_sha256": "B4D5162BFE8B7E38196E3C394D21AC408EA0E31A050560AF2909B066526B7207",
                    "tbs_sha1": "85959A020005CF379188739F02E24D0B6031DBC4",
                    "valid_from": "2014-04-22T17:39:00+00:00",
                    "valid_to": "2015-07-22T17:39:00+00:00",
                    "certificate_der_base64": "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"
                },
                {
                    "signer_name": "Microsoft Corporation",
                    "certificate_thumbprint": "F5877012FBD62FABCBDC8D8CEE9C9585BA30DF79",
                    "certificate_der_base64": "MIIGAzCCA+ugAwIBAgITMwAABISY4hLgeKMxXQAAAAAEhDANBgkqhkiG9w0BAQsFADB+MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSgwJgYDVQQDEx9NaWNyb3NvZnQgQ29kZSBTaWduaW5nIFBDQSAyMDExMB4XDTI1MDYxOTE4MjEzNVoXDTI2MDYxNzE4MjEzNVowdDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEeMBwGA1UEAxMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7XpKjCg5837MnNU9UKR3xba/q5Iq/JXcyzypjF20Q6LlVwLLwX3ehPNrT4+GM2kpbhg0KF9zaTCqKCnlRY4zUat+8sk/4dUEyzAfHaZrGf+9FDPlP7GMb7dT1lsS4zDSF6swfD4xuoux9mBYJOGDoXxknpL581td3SwLX4w9MIsERD7wjZYpUc+16BXXuSjtNXhYlnrXoePKlDqlGgJCM5wuFwd7BXdS1lJrqVxytOUHyUpp3ovamSQWE7fGYQKxg4e50J/mNYzgN6AYglCeJ9QjGlnQ4a4HTLrtNuqFgG3wt6a6pFJ/C1qdvB/tki3rTRuSkGWcL8t2XJ+/j0BpeQIDAQABo4IBgjCCAX4wHwYDVR0lBBgwFgYKKwYBBAGCN0wIAQYIKwYBBQUHAwMwHQYDVR0OBBYEFATf9G+hYepzHROBQMWBvZFgqW2FMFQGA1UdEQRNMEukSTBHMS0wKwYDVQQLEyRNaWNyb3NvZnQgSXJlbGFuZCBPcGVyYXRpb25zIExpbWl0ZWQxFjAUBgNVBAUTDTIzMDAxMis1MDUzNjIwHwYDVR0jBBgwFoAUSG5k5VAF04KqFzc3IrVtqMp1ApUwVAYDVR0fBE0wSzBJoEegRYZDaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9jcmwvTWljQ29kU2lnUENBMjAxMV8yMDExLTA3LTA4LmNybDBhBggrBgEFBQcBAQRVMFMwUQYIKwYBBQUHMAKGRWh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2lvcHMvY2VydHMvTWljQ29kU2lnUENBMjAxMV8yMDExLTA3LTA4LmNydDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4ICAQBi0KbNV1OEU3KAyAyz+kBtzZ0RN6f1kjKetQrPGfiVL98SVhrQc2JgiDZh1Rb+ovKWBf3u/RTSuj9aCo3bsah0onAXYPDI9JPJAxQP9HlNumzwUUFCGolq4bAzq11nS5u2ZrudeqEKFFnCDbOIwX4wxFVeG5oEGH3vuPzFCcECfYepnxPpHAj+B5T+AoSEAVB6EspmpHEwb2cPkLLe7G3beSp0CpEhDdNQszxtWsApQiOsyyn/7yiMJ6h8P/lr3AK+4MCpVjZi8EzYvNO6/a1rF0HqdUPGDJCLhpmdGtagndxrjpEkc589v9KI3mVWIWcqIQkItQbPsX0ZL/38tB31d5jcjttnRVLx8wWYKhORWxo5lJ60q9cfJQqyvrOAPmzhqdiHozqYVqGRDxjnKPxxM52eS5OsOlvhNictzx6BRNGPE7ZEhOP/NGNpQSYS49u3fLnifCHUIUqS/1s04457mB+w8eaPaVnSBkmhTWLkqjmMa1VuzeABEFUQ2Xqg3H6jxtzuq+UjbMV23e9QwiEFEbVCrLOdzjfr65VdK44igSHcLzDS0PcytI8u+6MA8l16G
JEMWpDdrhSATtVDQLwmF47OK8N0kZgV/aomeRDcXJ/6SzJIsm+vEHcB1F8/tXyOnmt/446TT8+g5XP0THFyFnjDJIbqf1xG8Lu91Prs/w==",
                    "src_file_sha256": "966952d678a8eb7254cf7c024ece8bc47e05a89c760f994db92f5a4309688b25",
                    "src_file_path": "downloaded_files/rdcman/966952d678a8eb7254cf7c024ece8bc47e05a89c760f994db92f5a4309688b25",
                    "src_file_company": "Microsoft"
                }
            ]
        },
        "FileHashes": {
            "authenticode": [
                {
                    "file_name": "RDCMan-x86.exe",
                    "sha256": "5BC272A208BF66991CD5970D394F1E54525EE641B3FD9371ADA17026E75378A5",
                    "sha1": "9B0422A36C73BF7FE2564420DD90D545231DAEE3"
                },
                {
                    "file_name": "RDCMan-x86.exe",
                    "sha256": "D3E586562037D1639E0A70D6C5AB31F40408B805C8C969857E8BDEC53410C342",
                    "sha1": "DD13B79EDC779927A728799DC74FD5B06BD0CE43"
                },
                {
                    "file_name": "RDCMan-x86.exe",
                    "sha256": "5841E09FB6E2B8EEB453D177A5E56053CA252714A2BCB484A4481A36BC33F47A",
                    "sha1": "9FD7AA70A0AD609907EFA546E3AD7CF7A418BE51"
                },
                {
                    "file_name": "RDCMan.exe",
                    "sha256": "1618E995C25C9E881FD50D349BA3D2749BC4E4A133975431D71B6A6EB4FDCFF4",
                    "sha1": "4C90CB51AE90E54A34446A1581288A05FF45EDEC"
                },
                {
                    "file_name": "RDCMan-x86.exe",
                    "sha256": "D1C67E6934E650D574AD56DB18D1CB09618D9F09C9E4313CA7C9650C1C6AB83D",
                    "sha1": "5CA8A51931D39B29E4CC161526E1681DED42C114"
                },
                {
                    "file_name": "RDCMan-x86.exe",
                    "sha256": "3CF37A92143E9EAE3223CB9622F951A854D3C46F2D5F024C06DC916953889691",
                    "sha1": "2E53240995E4A45BCC5A809BD87DD94FE6DAB463"
                },
                {
                    "file_name": "RDCMan-x86.exe",
                    "sha256": "9BA6CF75FC5295BE0E5F92A1A44D6CA6FB9572C5CFE0BE2CD0E2E8AA6C34E432",
                    "sha1": "EA0A90B7EA86FB3B7F9961B0FB83DFE2E3437932"
                },
                {
                    "file_name": "RDCMan-x86.exe",
                    "sha256": "06E4CB94B7745B10BB2BE17653B13F54CD0F1C3559025208457571EFEC214016",
                    "sha1": "C071EE8ED4EEBC8C4A84D39C14CB12770234E9F1"
                },
                {
                    "file_name": "RDCMan-x86.exe",
                    "sha256": "74B4F499BF43EFDA77D854D4A36C190DF762DA9D6192BBE8316CD93023FD47CC",
                    "sha1": "5FE86B3293596EC73840D72EABA258FD0900C9E1"
                },
                {
                    "file_name": "RDCMan-x86.dll",
                    "sha256": "CEAB7C913A68FE70EFE4644B86DA6FCE81D2B9AC2CD597AF5C2A16E181C85F26",
                    "sha1": "C9AC5C1348942C9D68774733469DD84AF625B71B"
                },
                {
                    "file_name": "v8yka5.exe",
                    "sha256": "ED38AF28E6937AF2BE25FA0BB36FA5FCB227160A813534AEC2ABA00A044864C0",
                    "sha1": "F1517300A63B03EA966D76356FCE9601ED792781"
                },
                {
                    "file_name": "RDCMan.exe",
                    "sha256": "B0988D2187A02C1E27BA8E2D184A153BA61769B7926D979635A84FD0196CC366",
                    "sha1": "F1735B0D0FA6CC585C0FA7693511211223511499"
                },
                {
                    "file_name": "RDCMan-x86.exe",
                    "sha256": "7D490021979B3D345C12BC63297D0CC0777FDFBB9B1B6EEC0EA37A344F8762C8",
                    "sha1": "B3BDCD54D11D6350964537AC409AEBAD16251991"
                },
                {
                    "file_name": "nmk092kb9.exe",
                    "sha256": "C4671732EF6F299C723490AA305BF4439226C79A9107530674AAAA204C436016",
                    "sha1": "EE8650A59EC911CBAA03C20D5FC9B799D8090309"
                },
                {
                    "file_name": "RDCMan-x86.exe",
                    "sha256": "F865B64E287A090C8C90CC38B447C8169F5FA33F7D0FB713167FEC837E476732",
                    "sha1": "08A683875545D77768DC26B2C8D0DB67A2CDDC1E"
                },
                {
                    "file_name": "RDCMan-x86.exe",
                    "sha256": "C757873F983503D5FE0DC47DDAAA177DFDD63B40EC255FCC94DF53992F0E5192",
                    "sha1": "16BAFB5E70A6267129C7EC5E1A5AC792DFAFC58E"
                },
                {
                    "file_name": "RDCMan-x86.exe",
                    "sha256": "301D12BA963F4BB7EFC0C5183F8F405DA29E5BB10D8C6806FFD772E0AB60C54D",
                    "sha1": "5A75F5E03F19676DC8BACB8C527EBF2B80E9ACE1"
                }
            ],
            "page": [
                {
                    "file_name": "RDCMan-x86.exe",
                    "sha256": "4C7DF8D957FE411B1C7CFF76E942B5FD599BDDF8615F0CBC6DFC0A1B1FE6F46F",
                    "sha1": "DD0B27369D0E1716E4C958B625F334A82352BF4A"
                },
                {
                    "file_name": "RDCMan-x86.exe",
                    "sha256": "FC99BFF6CF077C5A1D5CA87A0FFDCCF39E21E14D775FAADAA1B90DD01463BB7C",
                    "sha1": "20A8A0C93661FFE8FCE83968E17C68890CCA4637"
                },
                {
                    "file_name": "RDCMan-x86.exe",
                    "sha256": "56E852B40B0652CC3180DFC9AEEEFBE309A35B283B6DD29B8578B5E86D782063",
                    "sha1": "2406CA75D570279F64D088912232A6F9BBD6A353"
                },
                {
                    "file_name": "RDCMan-x86.exe",
                    "sha256": "63DB9F738188336426FA928386B5B5B9EA721833BB1EEE2471C48BF5731A25C7",
                    "sha1": "FCE68D8735341AF594242E42566AE2450AC42A1B"
                },
                {
                    "file_name": "RDCMan-x86.exe",
                    "sha256": "5C02F32FF21647F9CF6E70DC25CACC6AE2599B56A62E7E78CDDD8C599A5B5C88",
                    "sha1": "D602CBDDD19BF061D967E54356427E58E729A635"
                },
                {
                    "file_name": "RDCMan-x86.exe",
                    "sha256": "C77F9266F297C5590F2F41F6659D4A65E1976D10D3DE16EECCC9AF338EEFC875",
                    "sha1": "8907AF5497348368F091D9BB3A8CFF42B0242CBD"
                },
                {
                    "file_name": "RDCMan-x86.exe",
                    "sha256": "0AC5F63C1F78EDCAF629D949CAFFA2E15715FD4EE381758284DD4BDC3B4F5532",
                    "sha1": "417E0C15A9BF212627B1EE09D110F056813A931A"
                },
                {
                    "file_name": "RDCMan-x86.exe",
                    "sha256": "5289255473627ACEFB589EB9DB5C22C4B3329997B502E2F6BC30AFBE6FA07AC4",
                    "sha1": "DA44E04CD6DEA5670984184C70A1D42594AFE6BE"
                },
                {
                    "file_name": "RDCMan-x86.dll",
                    "sha256": "1BACD80487828AC1F9E8A15E38951C66C90CC0E9AA6A9529A91CE53796E69C4B",
                    "sha1": "4E99889F7C52328C383743EDF3F7D0D6AA999B1E"
                },
                {
                    "file_name": "v8yka5.exe",
                    "sha256": "F1AD9038A11E8FCAA328F6FB9E444386081005B5C7A5E7C4CF94C89EF97E7768",
                    "sha1": "385A49F68B86AF4490521873728B5283B67EB6FA"
                },
                {
                    "file_name": "RDCMan-x86.exe",
                    "sha256": "05ED894B82B84256900F02BD440A283A845BF3BD984AB99F67EA385AEB898D40",
                    "sha1": "1A8F55ECE08544DE8D4FF97A0F82AF41A10073B6"
                },
                {
                    "file_name": "RDCMan-x86.exe",
                    "sha256": "0C6535084571ED5AB1775F49D8CBB85C3F864D9444DD8A3B6B88D7B5F79358CD",
                    "sha1": "11FFBF5C42DD29F658773A9A7FF0A84F3ADBE2C2"
                },
                {
                    "file_name": "RDCMan-x86.exe",
                    "sha256": "BD09703AD68D3A3FD2F9D779838600662515C50E535F68B23600DE67574CACBD",
                    "sha1": "D7911C5D4506211CED7D494DA6B159E38ECDB025"
                },
                {
                    "file_name": "RDCMan-x86.exe",
                    "sha256": "E85E05372FF2A191D1353E5D2A83BFB82C7EC17540142725C99AFB0886F7DE2A",
                    "sha1": "F92CB8B3EDE30EDC70F497CDCFFAC789BB6E096A"
                }
            ]
        }
    },
    {
        "Name": "RunSmart",
        "Category": "RMM",
        "Description": "RunSmart is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://runsmart.io/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": []
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "runsmart.io"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/runsmart_network_sigma.yml",
                "Description": "Detects potential network activity of RunSmart RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": []
    },
    {
        "Name": "NTR Remote",
        "Category": "RMM",
        "Description": "NTR Remote is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2025-12-14",
        "Details": {
            "Website": "",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [
                "Windows"
            ],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "NTRsupportPro_EN.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.ntrsupport.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ntr_remote_network_sigma.yml",
                "Description": "Detects potential network activity of NTR Remote RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ntr_remote_processes_sigma.yml",
                "Description": "Detects potential process activity of NTR Remote RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": [],
        "CodeSigning": {
            "search_names": [
                "ntrsupportpro_en.exe"
            ],
            "company_names": [],
            "signer_names": [
                "Net Transmit & Receive SL"
            ],
            "certificates": [
                {
                    "signer_name": "Net Transmit & Receive SL",
                    "issuer": "CN=VeriSign Class 3 Code Signing 2009-2 CA",
                    "certificate_thumbprint": "73F02A06F37D5CF65D1040FABE9EFE6188B29BEB",
                    "tbs_sha256": "C78E601CC64E39E0738B6889874052EBE0FD261B65491106E350AF0CFF3C086E",
                    "tbs_sha1": "CEA0DE18000EA92E942B8542864C3E0E917AA829",
                    "valid_from": "2009-10-23T00:00:00+00:00",
                    "valid_to": "2012-10-22T23:59:59+00:00",
                    "certificate_der_base64": "MIIFhDCCBGygAwIBAgIQFB9KwPsrSkmTD8GXU67gTDANBgkqhkiG9w0BAQUFADCBtjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2UgYXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwOTEwMC4GA1UEAxMnVmVyaVNpZ24gQ2xhc3MgMyBDb2RlIFNpZ25pbmcgMjAwOS0yIENBMB4XDTA5MTAyMzAwMDAwMFoXDTEyMTAyMjIzNTk1OVowgb0xCzAJBgNVBAYTAkVTMRIwEAYDVQQIEwlCYXJjZWxvbmExEjAQBgNVBAcTCUJhcmNlbG9uYTEiMCAGA1UEChQZTmV0IFRyYW5zbWl0ICYgUmVjZWl2ZSBTTDE+MDwGA1UECxM1RGlnaXRhbCBJRCBDbGFzcyAzIC0gTWljcm9zb2Z0IFNvZnR3YXJlIFZhbGlkYXRpb24gdjIxIjAgBgNVBAMUGU5ldCBUcmFuc21pdCAmIFJlY2VpdmUgU0wwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDHmIFmYGi25Wjj7OvhjmgiEvzXY0n1aN+jWwtndgGdgwyqB7E8YXpTf6TijenZS8ijL0bKoMCsYvGhjSWJxXwJyQ/clY4Yl+SvvHOnblvA+wZ3Emn3J63hYN6yftVWg96HoGU/FMlBP14IlMoW+ajXDZre6eLzKUUlI7cKZD1SdAortXXXBLlaBaMAND6muGQjezkm0CjftAjE4vhaLzFjWruWqi+l29sno8y8frRtAV/inQaxp4IviBbuDk4z+o10MrdocGMZQHs0iya1yxGNaj3nexyp0oDfHocCog5jvcHVogs1SCM3fDv3EgnltG67tUbaVTs7Lgltse93QNqHAgMBAAGjggGDMIIBfzAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIHgDBEBgNVHR8EPTA7MDmgN6A1hjNodHRwOi8vY3NjMy0yMDA5LTItY3JsLnZlcmlzaWduLmNvbS9DU0MzLTIwMDktMi5jcmwwRAYDVR0gBD0wOzA5BgtghkgBhvhFAQcXAzAqMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vcnBhMBMGA1UdJQQMMAoGCCsGAQUFBwMDMHUGCCsGAQUFBwEBBGkwZzAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AudmVyaXNpZ24uY29tMD8GCCsGAQUFBzAChjNodHRwOi8vY3NjMy0yMDA5LTItYWlhLnZlcmlzaWduLmNvbS9DU0MzLTIwMDktMi5jZXIwHwYDVR0jBBgwFoAUl9BrqCZwyKE/lB8ILcQ1m6ShHvIwEQYJYIZIAYb4QgEBBAQDAgQQMBYGCisGAQQBgjcCARsECDAGAQEAAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQCrFEvhyM+lYpZMcm0IIm12GZVkVp4I5GwoL0tGV3sfsiAtXebz173UezN+Llrdfm+nxoZ5Bq84Sa5m+2FQNIXUjJebBSRjtFI/dsQTE+1qLoxQsZXPeGtPWiVyZMnearKHhNz+z0zPeAtADALTE8AnLQ8m2AzusDNCDmbmjdmeHbz+5mtRlPmHGNiS0w5fGS/dtGzwDXVOghY6z/plB7thyDAuxMvLWyTQLRFHZeuTDnLrW0ZUv61CezZwjNkdOItZcnTfAYO6yJpmcpDiFl6bG58r9YohQ/zCevkRkUXa7SBzxCY2YSTGdFGDToSWOJMVz2iL852v97bDK9aCK/QX"
                }
            ]
        },
        "FileHashes": {
            "authenticode": [
                {
                    "file_name": "NTRsupportPro_EN.exe",
                    "sha256": "DC9D1CC5A6D90136D114B2BAF82DE0A8A35737FB3E9DF7E541099BE72C803D1B",
                    "sha1": "E9D33FA96A65CD32C9FCA147AF02A8A3E06859AE"
                }
            ],
            "page": [
                {
                    "file_name": "NTRsupportPro_EN.exe",
                    "sha256": "811849CBC486CDDB8AF253E329E822E40ADA561577FA0795111CF8772459CEF1",
                    "sha1": "1455B4007B9FBCD228050C8F30A9BFD7DA2FA217"
                }
            ]
        }
    },
    {
        "Name": "Splashtop (Beta)",
        "Category": "RMM",
        "Description": "Splashtop (Beta) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.splashtop.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "SRServer.exe",
                "SplashtopSOS.exe",
                "Splashtop_Streamer_Windows*.exe",
                "SRManager.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "splashtop.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop__beta__network_sigma.yml",
                "Description": "Detects potential network activity of Splashtop (Beta) RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop__beta__processes_sigma.yml",
                "Description": "Detects potential process activity of Splashtop (Beta) RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": []
    },
    {
        "Name": "DesktopNow",
        "Category": "RMM",
        "Description": "DesktopNow is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.nchsoftware.com/remotedesktop/index.html",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "desktopnow.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.nchuser.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktopnow_network_sigma.yml",
                "Description": "Detects potential network activity of DesktopNow RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktopnow_processes_sigma.yml",
                "Description": "Detects potential process activity of DesktopNow RMM tool"
            }
        ],
        "References": [
            "https://forums.ivanti.com/s/article/Network-Ports-used-by-Environment-Manager?language=en_US"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "Remote.it",
        "Category": "RMM",
        "Description": "Remote.it is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.remote.it/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [
                "Windows"
            ],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "remote-it-installer.exe",
                "remote.it.exe",
                "remoteit.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "auth.api.remote.it",
                        "api.remote.it",
                        "remote.it"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote.it_network_sigma.yml",
                "Description": "Detects potential network activity of Remote.it RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote.it_processes_sigma.yml",
                "Description": "Detects potential process activity of Remote.it RMM tool"
            }
        ],
        "References": [
            "https://docs.remote.it/introduction/get-started"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "remot3.it, Inc.",
                    "certificate_thumbprint": "73D3AC1C006DFE32FBE856011288D9C3AC7F245A",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "8689c6ca4c29d0b2f71f7f0df5e37a19fbc1dfd7653eb4f5331e0887d3704471",
                    "src_file_path": "downloaded_files/remote.it/8689c6ca4c29d0b2f71f7f0df5e37a19fbc1dfd7653eb4f5331e0887d3704471",
                    "src_file_company": "Remote.It"
                }
            ]
        }
    },
    {
        "Name": "Pilixo",
        "Category": "RMM",
        "Description": "Pilixo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "rdp.exe",
                "Pilixo_Installer*.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "pilixo.com",
                        "download.pilixo.com",
                        "*.pilixo.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pilixo_network_sigma.yml",
                "Description": "Detects potential network activity of Pilixo RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pilixo_processes_sigma.yml",
                "Description": "Detects potential process activity of Pilixo RMM tool"
            }
        ],
        "References": [
            "https://pilixo.freshdesk.com/support/solutions/articles/9000141879-device-connectivity-and-firewalls"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "Plooto Star Inc",
                    "certificate_thumbprint": "2347883329B8455D0A0F0D207A3A2279B339DFE8",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "44b8093cc6cee4dc28ac779675983f2cbdc74fc33837a16758f988163794bd97",
                    "src_file_path": "downloaded_files/pilixo/44b8093cc6cee4dc28ac779675983f2cbdc74fc33837a16758f988163794bd97",
                    "src_file_company": "                                                            "
                }
            ]
        }
    },
    {
        "Name": "LiteManager",
        "Category": "RMM",
        "Description": "LiteManager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.litemanager.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "lmnoipserver.exe",
                "ROMFUSClient.exe",
                "romfusclient.exe",
                "romviewer.exe",
                "romserver.exe",
                "ROMServer.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.litemanager.ru",
                        "*.litemanager.com",
                        "litemanager.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/litemanager_network_sigma.yml",
                "Description": "Detects potential network activity of LiteManager RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/litemanager_processes_sigma.yml",
                "Description": "Detects potential process activity of LiteManager RMM tool"
            }
        ],
        "References": [
            "https://www.litemanager.com/articles/LiteManager_remote_access_to_a_desktop_via_the_Internet_or_LAN/"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "LabTech RMM (Now ConnectWise Automate)",
        "Category": "RMM",
        "Description": "LabTech RMM (Now ConnectWise Automate) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.connectwise.com/platform/automate",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "ltsvc.exe",
                "ltsvcmon.exe",
                "lttray.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "connectwise.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labtech_rmm__now_connectwise_automate__network_sigma.yml",
                "Description": "Detects potential network activity of LabTech RMM (Now ConnectWise Automate) RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labtech_rmm__now_connectwise_automate__processes_sigma.yml",
                "Description": "Detects potential process activity of LabTech RMM (Now ConnectWise Automate) RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "ConnectWise, LLC",
                    "certificate_thumbprint": "DC69069188D5CBC5FE18B7D035C90061C8741E21",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "66b1ef65896e9f91efd1e3347e70eb2cf1708e1ce2ca267fb4704858aa3ee028",
                    "src_file_path": "downloaded_files/labtech_rmm_(now_connectwise_automate)/66b1ef65896e9f91efd1e3347e70eb2cf1708e1ce2ca267fb4704858aa3ee028",
                    "src_file_company": "LabTech Software"
                },
                {
                    "signer_name": "ConnectWise, LLC",
                    "certificate_thumbprint": "70644D15A9833AE7E85FCC0D2146831978BEEFF4",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "532d20a37c6493fae3144fa8aae0a2c3510f6bdc0a2683e9ce7970d6a22d65c2",
                    "src_file_path": "downloaded_files/labtech_rmm_(now_connectwise_automate)/532d20a37c6493fae3144fa8aae0a2c3510f6bdc0a2683e9ce7970d6a22d65c2",
                    "src_file_company": "LabTech Software"
                }
            ]
        }
    },
    {
        "Name": "Lunixar",
        "Category": "RMM",
        "Description": "Lunixar is a Remote Monitoring and Management (RMM) platform by Lunixar SAS de CV (Mexico) for MSPs and IT teams. It provides remote access from the browser and a Windows app, script execution and scheduling, hardware/software inventory, process and service management, and real-time alerting. It has been observed being abused in the wild: renamed as Googlemeet.msi and distributed via the phishing domain mymeetinggoogle.com, and renamed as eDocument-*.msi for use in social engineering lures.",
        "Author": "Michael Haag",
        "Created": "2026-04-23",
        "LastModified": "2026-04-23",
        "Details": {
            "Website": "https://lunixar.com/en/",
            "PEMetadata": {
                "Filename": "Lunixar.exe",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [
                "Windows"
            ],
            "Capabilities": [
                "Remote access (browser and Windows app)",
                "Script execution and scheduling",
                "Hardware and software inventory",
                "Process and service management",
                "Real-time CPU/RAM/disk alerting"
            ],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Program Files\\Lunixar\\*",
                "*\\Lunixar\\Lunixar.exe",
                "*\\Lunixar\\Lunixar.dll",
                "*\\Lunixar\\Lunixar.Agent.Core.dll",
                "*\\Lunixar\\LunixarRemote.exe",
                "*\\Lunixar\\LunixarRemote.dll",
                "*\\Lunixar\\LunixarUpdater.exe",
                "*\\Lunixar\\LunixarUpdater.dll",
                "LunixarRMM*.msi",
                "Googlemeet.msi",
                "eDocument-*.msi"
            ]
        },
        "Artifacts": {
            "Disk": [
                {
                    "Description": "Main agent DLL",
                    "File": "C:\\Program Files\\Lunixar\\Lunixar.dll",
                    "OS": "Windows"
                },
                {
                    "Description": "Agent core library",
                    "File": "C:\\Program Files\\Lunixar\\Lunixar.Agent.Core.dll",
                    "OS": "Windows"
                },
                {
                    "Description": "Remote access executable",
                    "File": "C:\\Program Files\\Lunixar\\LunixarRemote.exe",
                    "OS": "Windows"
                },
                {
                    "Description": "Remote access library",
                    "File": "C:\\Program Files\\Lunixar\\LunixarRemote.dll",
                    "OS": "Windows"
                },
                {
                    "Description": "Auto-updater executable",
                    "File": "C:\\Program Files\\Lunixar\\LunixarUpdater.exe",
                    "OS": "Windows"
                },
                {
                    "Description": "Auto-updater library",
                    "File": "C:\\Program Files\\Lunixar\\LunixarUpdater.dll",
                    "OS": "Windows"
                }
            ],
            "EventLog": [
                {
                    "Description": "Service event log source",
                    "EventId": "",
                    "Provider": "Lunixar rmm-client service"
                }
            ],
            "Registry": [
                {
                    "Description": "Windows service registration",
                    "Path": "HKLM\\System\\CurrentControlSet\\Services\\LunixarRMM",
                    "Key": "ImagePath",
                    "Value": "\"C:\\Program Files\\Lunixar\\Lunixar.exe\""
                }
            ],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.lunixar.com",
                        "lunixar.com",
                        "app.lunixar.com",
                        "socket.lunixar.com",
                        "downloads.lunixar.com",
                        "devrmm.lunixar.com"
                    ],
                    "Ports": [
                        23501
                    ]
                },
                {
                    "Description": "Known abuse/phishing domains distributing renamed Lunixar MSI",
                    "Domains": [
                        "mymeetinggoogle.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [],
        "References": [
            "https://lunixar.com/en/",
            "https://www.virustotal.com/gui/file/3160414da55882b9f03bae5aa76f0dc3c6cdb9e27e9091d9dac6fa610bd94c33"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "Barracuda",
        "Category": "RMM",
        "Description": "Barracuda is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.barracuda.com/products/msp/network-protection/rmm",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": []
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.islonline.net",
                        "rmm.barracudamsp.com",
                        "barracudamsp.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/barracuda_network_sigma.yml",
                "Description": "Detects potential network activity of Barracuda RMM tool"
            }
        ],
        "References": [
            "https://help.islonline.com/19799/166125"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "ZOC",
        "Category": "RAT",
        "Description": "ZOC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.emtec.com/zoc/index.html",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Program Files\\ZOC8\\*",
                "*\\ZOC?\\*",
                "*\\zoc.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoc_processes_sigma.yml",
                "Description": "Detects potential processes activity of ZOC RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": [],
        "CodeSigning": {
            "search_names": [],
            "company_names": [],
            "signer_names": [],
            "certificates": [
                {
                    "signer_name": "Markus Schmidt",
                    "certificate_thumbprint": "DDE8807409ED3EB4B52D49146DB4B6510AC054F4",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "a87e256901f94c986acb31fa1b47e0bb13d4cbfcd2d714cd6d09db41babbec5d",
                    "src_file_path": "downloaded_files/zoc/a87e256901f94c986acb31fa1b47e0bb13d4cbfcd2d714cd6d09db41babbec5d",
                    "src_file_company": "EmTec Innovative Software"
                }
            ]
        }
    },
    {
        "Name": "ISL Online",
        "Category": "RMM",
        "Description": "ISL Online is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.islonline.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [
                "Windows"
            ],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "islalwaysonmonitor.exe",
                "isllight.exe",
                "isllightservice.exe",
                "ISLLightClient.exe",
                "C:\\Program Files (x86)\\ISL Online\\ISL Light*",
                "*\\ISL Online\\ISL Light*",
                "*\\ISLLight.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.islonline.com",
                        "*.islonline.net"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_network_sigma.yml",
                "Description": "Detects potential network activity of ISL Online RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_processes_sigma.yml",
                "Description": "Detects potential processes activity of ISL Online RMM tool"
            }
        ],
        "References": [
            "https://help.islonline.com/19818/165940"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "Panorama9",
        "Category": "RMM",
        "Description": "Panorama9 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://panorama9.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "p9agent*.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "trusted.panorama9.com",
                        "changes.panorama9.com",
                        "panorama9.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/panorama9_network_sigma.yml",
                "Description": "Detects potential network activity of Panorama9 RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/panorama9_processes_sigma.yml",
                "Description": "Detects potential processes activity of Panorama9 RMM tool"
            }
        ],
        "References": [
            "https://support.panorama9.com/en/articles/1859605-what-ports-and-hosts-does-the-p9-agent-communicate-with"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "Free Ping Tool",
        "Category": "RAT",
        "Description": "Free Ping Tool is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "can't find this one",
                "can't find this one"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [],
        "References": [],
        "Acknowledgement": []
    },
    {
        "Name": "TigerVNC",
        "Category": "RAT",
        "Description": "TigerVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://tigervnc.org/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "tigervnc*.exe",
                "winvnc4.exe",
                "C:\\Program Files\\TightVNC\\*",
                "*\\TightVNC\\*",
                "*\\tvnserver.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "user_managed"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tigervnc_network_sigma.yml",
                "Description": "Detects potential network activity of TigerVNC RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tigervnc_processes_sigma.yml",
                "Description": "Detects potential processes activity of TigerVNC RMM tool"
            }
        ],
        "References": [
            "https://github.com/TigerVNC/tigervnc/releases"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "SunLogin",
        "Category": "RMM",
        "Description": "SunLogin is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://sunlogin.oray.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "OrayRemoteShell.exe",
                "OrayRemoteService.exe",
                "sunlogin*.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "sunlogin.oray.com",
                        "client.oray.net"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sunlogin_network_sigma.yml",
                "Description": "Detects potential network activity of SunLogin RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sunlogin_processes_sigma.yml",
                "Description": "Detects potential processes activity of SunLogin RMM tool"
            }
        ],
        "References": [
            "https://sunlogin.oray.com/en/embed/software.html"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "上海贝锐信息科技股份有限公司",
                    "certificate_thumbprint": "CD22D7228E666132008B90BB8D2D143BFD36D4EF",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "9dc5b48a39bb21f43f89130c69e25db29f832843f2cd1f0e6cc33b19a962079f",
                    "src_file_path": "downloaded_files/sunlogin/9dc5b48a39bb21f43f89130c69e25db29f832843f2cd1f0e6cc33b19a962079f",
                    "src_file_company": "Shanghai Best Oray Information Technology Co., Ltd."
                }
            ]
        }
    },
    {
        "Name": "LogMeIn rescue",
        "Category": "RMM",
        "Description": "LogMeIn rescue is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2025-12-14",
        "Details": {
            "Website": "https://www.logmein.com/products/rescue",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "support-logmeinrescue*.exe",
                "support-logmeinrescue.exe",
                "lmi_rescue.exe",
                "C:\\Users\\*\\AppData\\Local\\LogMeIn Rescue Applet\\LMIR*.tmp\\lmi_rescue.exe",
                "C:\\Users\\*\\AppData\\Local\\LogMeIn Rescue Applet\\LMIR*.tmp\\lmi_rescue_srv.exe",
                "C:\\Users\\*\\AppData\\Local\\LogMeIn Rescue Applet\\LMIR*.tmp\\lmi_rescue.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.logmeinrescue.com",
                        "*.logmeinrescue.eu",
                        "logmeinrescue.com",
                        "rescue-list.*.logmein-gateway.com",
                        "rescue-data-cetner.logmein-gateway.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_rescue_network_sigma.yml",
                "Description": "Detects potential network activity of LogMeIn rescue RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_rescue_processes_sigma.yml",
                "Description": "Detects potential processes activity of LogMeIn rescue RMM tool"
            }
        ],
        "References": [
            "https://support.logmeinrescue.com/rescue/help/allowlisting-and-rescue"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "search_names": [],
            "company_names": [],
            "signer_names": [
                "LogMeIn, Inc."
            ],
            "certificates": [
                {
                    "signer_name": "LogMeIn, Inc.",
                    "certificate_thumbprint": "N/A",
                    "tbs_sha256": "67C14D5CC02D94BB4380C3473FC9100FA8567975638F84D82B58773A2AE74DEE",
                    "tbs_sha1": ""
                },
                {
                    "signer_name": "GoTo Technologies USA, LLC",
                    "certificate_thumbprint": "33023C0243016946C78CCB9B15AC6C203882E5D9",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "093e4af5f61640e64799539e8f3418e0890a3fe0aa3e33613de3d62936ee2f20",
                    "src_file_path": "downloaded_files/logmein_rescue/093e4af5f61640e64799539e8f3418e0890a3fe0aa3e33613de3d62936ee2f20",
                    "src_file_company": "LogMeIn, Inc."
                },
                {
                    "signer_name": "GoTo Technologies USA, LLC",
                    "certificate_thumbprint": "ECC24BFE100B96AE619D81554ACFA0439146410E",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "50efac7eb47a1ff1deb0b5e037251cbd800513a8e0306659ddd212b5a5a45c25",
                    "src_file_path": "downloaded_files/logmein_rescue/50efac7eb47a1ff1deb0b5e037251cbd800513a8e0306659ddd212b5a5a45c25",
                    "src_file_company": "LogMeIn, Inc."
                }
            ]
        }
    },
    {
        "Name": "KHelpDesk",
        "Category": "RMM",
        "Description": "KHelpDesk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2025-12-14",
        "Details": {
            "Website": "https://www.khelpdesk.com.br/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "KHelpDesk.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.khelpdesk.com.br"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/khelpdesk_network_sigma.yml",
                "Description": "Detects potential network activity of KHelpDesk RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/khelpdesk_processes_sigma.yml",
                "Description": "Detects potential processes activity of KHelpDesk RMM tool"
            }
        ],
        "References": [
            "https://www.khelpdesk.com.br/en-us"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "search_names": [
                "khelpdesk"
            ],
            "company_names": [],
            "signer_names": [
                "KHELPDESK TECHNOLOGY LTDA"
            ],
            "certificates": [
                {
                    "signer_name": "KHELPDESK TECHNOLOGY LTDA",
                    "certificate_thumbprint": "A01E3A1F64E2808F55FDD95EF6E7CED2FEA625EA",
                    "tbs_sha256": "713A432503EF08193FF63C6A06EC2D8E2B7F43D959913CD8FA957E2CEEA74D11",
                    "tbs_sha1": "",
                    "certificate_der_base64": "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"
                },
                {
                    "signer_name": "Maicon Luis Ferreira",
                    "certificate_thumbprint": "52127994EDBFE9AA612B016E3CB4ADFF11683717",
                    "src_file_sha256": "712d77f4b1f37367b887ca88c34f41d700f9b684dfaba2cf6856c8d3e1fc7642",
                    "src_file_path": "downloaded_files/khelpdesk/712d77f4b1f37367b887ca88c34f41d700f9b684dfaba2cf6856c8d3e1fc7642",
                    "src_file_company": "Kadoshi Sistemas"
                }
            ]
        },
        "FileHashes": {
            "authenticode": [
                {
                    "file_name": "KHelpDesk",
                    "sha256": "716048A0265DCCA8B0559F499749241BF0E4FD8AF42C6E6927614DE5CD4C62AE",
                    "sha1": "E5BB87D8B6F307D69FCF3139307292D36387D22A"
                },
                {
                    "file_name": "KHelpDesk",
                    "sha256": "C5807B7E2054A7C0BEBD8EEDD4C630207AC94619A29962BDF91FA7CFB5861512",
                    "sha1": "857543764064E33B058D7937E4D4BACB19015282"
                },
                {
                    "file_name": "KHelpDesk",
                    "sha256": "E87A594863F26DA3E81DEAE0E3807D86713C7DA73387A7DF04306F42497B8621",
                    "sha1": "5B2A2397A703BF7B49F98D1D56AB6DBB34C5A963"
                },
                {
                    "file_name": "KHelpDesk",
                    "sha256": "24030404002940959EB2F78582B6CC11DCBB4F6A1806589FA0A54F3ADB70EFE9",
                    "sha1": "DA3C0E4C883A549BDF634C0970F840ABB96DC74E"
                },
                {
                    "file_name": "KHelpDesk",
                    "sha256": "E8D0A7A9123924017E2B4E11959E37412B1FB72E15BD93916D5CE0A401606259",
                    "sha1": "240AF8E5067C7FDAD7DF96EB687A8020F2207555"
                },
                {
                    "file_name": "KHelpDesk",
                    "sha256": "3687C69A53A6ED797D519F54FFAEB0E81803AD64777A349201574FC3A03155CC",
                    "sha1": "DA83E52B8DE6F31E736D3A9E6B3902E959A4CAC9"
                },
                {
                    "file_name": "KHelpDesk",
                    "sha256": "7B8ADFDC9973394324E8F961DF3D64357ED7FB24D540C96E6CACD9D4F4F1D542",
                    "sha1": "D70A3EC375F3720C65BDBA46CAA25638EC917E24"
                },
                {
                    "file_name": "KHelpDesk",
                    "sha256": "A9CB7D46625F15398D5F8A06A37D88292C1F938F712901AFA38A3A4FC0C74AA5",
                    "sha1": "E6A3826DF0514643442842F02EF670F5E871F214"
                },
                {
                    "file_name": "KHelpDesk",
                    "sha256": "5AE8118F7D978A6712453B08EFFB7C6157D2B6B956FA2D303CD0175DEF54FB35",
                    "sha1": "8060705CD27EB1C86DB4D8B4FBA092310406FC74"
                },
                {
                    "file_name": "KHelpDesk",
                    "sha256": "22678AD7BA7F8A6BC8B51DD8978323116A3B8F3B7E394ABA6E2FEBED4F9F01C2",
                    "sha1": "A1C41D5E5842E05DFA19ED4328EFB1AF255D1C80"
                },
                {
                    "file_name": "KHelpDesk",
                    "sha256": "BA4B9892851DE0E4E911CF6860AA50D0E918DEC29BC30032CEE9F449BEEF8DB9",
                    "sha1": "82EC7176ADC38382CE2BF72067972FD63389EBEB"
                }
            ],
            "page": [
                {
                    "file_name": "KHelpDesk",
                    "sha256": "ECD8ADD1D9064293EEAA4EFD25E250CEF6471D219929C2B4C437B137EDE73579",
                    "sha1": "81F3EFC6E60712AD8B3DB6D09FF69F55AF368483"
                },
                {
                    "file_name": "KHelpDesk",
                    "sha256": "5F1DF598EEC4AC748CF795B156AED7A4F21765CC7DE6C18DF90A8EA1956356A2",
                    "sha1": "32CD551308A21E41F19D5C33FC4CF25D34873A2F"
                },
                {
                    "file_name": "KHelpDesk",
                    "sha256": "B6B9E022E77098007C3763E04EA05EA2AF2A511B4A4F181EB8EEF5AA9ED0DA3F",
                    "sha1": "296D4ADBEF97C2D387163DBB8B70449BD7A3DD13"
                },
                {
                    "file_name": "KHelpDesk",
                    "sha256": "853BD742C2224125C226BC857B1897927293B54E05C35BEFC1C0209054E0461F",
                    "sha1": "5EF63BCD34BE0E72FDD131EFAACF3CE666CEE642"
                },
                {
                    "file_name": "KHelpDesk",
                    "sha256": "6C8E773483865AA5299323160D7854A23C4C606A98DA34F95A99CDBC2CB28086",
                    "sha1": "A9390CF9E9F41F4A0B2E09462B95DC95D2956A66"
                }
            ]
        }
    },
    {
        "Name": "ScreenConnect",
        "Category": "RMM",
        "Description": "ScreenConnect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "Ali Alwashali, Nasreddine Bencherchali",
        "Created": "2023-10-01",
        "LastModified": "2023-10-01",
        "Details": {
            "Website": "https://www.connectwise.com",
            "PEMetadata": [
                {
                    "Filename": "",
                    "OriginalFileName": "",
                    "Description": ""
                }
            ],
            "Privileges": "",
            "Free": "14-Days Free Trial",
            "Verification": "",
            "SupportedOS": [
                "Android",
                "IOS",
                "Linux",
                "Mac",
                "Windows"
            ],
            "Capabilities": [
                "Command Line Support",
                "File Transfer",
                "Install Windows updates",
                "Receive notification when user performs a predefined event",
                "Remote Command Line",
                "Remote Control",
                "Sound Capture",
                "Start / Stop services",
                "View event logs"
            ],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Program Files (x86)\\ScreenConnect Client (Random)\\ScreenConnect.ClientService.exe",
                "Remote Workforce Client.exe",
                "*\\*\\ScreenConnect.ClientService.exe",
                "C:\\Program Files (x86)\\ScreenConnect Client (<string ID>)\\*",
                "*\\ScreenConnect Client*\\*",
                "*\\*\\ScreenConnect.WindowsClient.exe",
                "screenconnect*.exe",
                "screenconnect.windowsclient.exe",
                "Remote Workforce Client.exe",
                "screenconnect*.exe",
                "ConnectWiseControl*.exe",
                "connectwise*.exe",
                "screenconnect.windowsclient.exe",
                "screenconnect.clientservice.exe"
            ]
        },
        "Artifacts": {
            "Disk": [
                {
                    "File": "C:\\Program Files*\\ScreenConnect\\App_Data\\Session.db",
                    "Description": "ScreenConnect session database",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files*\\ScreenConnect\\App_Data\\User.xml",
                    "Description": "ScreenConnect user configuration",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\ProgramData\\ScreenConnect Client*\\user.config",
                    "Description": "ScreenConnect client user configuration",
                    "OS": "Windows"
                }
            ],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "control.connectwise.com",
                        "*.connectwise.com",
                        "*.screenconnect.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_network_sigma.yml",
                "Description": "Detects potential network activity of ScreenConnect RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_files_sigma.yml",
                "Description": "Detects potential files activity of ScreenConnect RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_processes_sigma.yml",
                "Description": "Detects potential processes activity of ScreenConnect RMM tool"
            }
        ],
        "References": [
            "https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-in-61-hours/"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "ConnectWise, LLC",
                    "certificate_thumbprint": "5C58CEA4608461C9A4188F480466123A9DD02431",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "a5c8ede4d24165797dcfbabbb85f62c44a79b058381e68249bf418a01fc67a1d",
                    "src_file_path": "downloaded_files/screenconnect/a5c8ede4d24165797dcfbabbb85f62c44a79b058381e68249bf418a01fc67a1d",
                    "src_file_company": "ScreenConnect Software"
                },
                {
                    "signer_name": "ConnectWise, LLC",
                    "certificate_thumbprint": "DD631BF0A610530A2C8C93B35609054E34FF5F70",
                    "certificate_der_base64": "MIIHXTCCBUWgAwIBAgIQCVjjqjaGaAXuPDXBVoiYIjANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xQTA/BgNVBAMTOERpZ2lDZXJ0IFRydXN0ZWQgRzQgQ29kZSBTaWduaW5nIFJTQTQwOTYgU0hBMzg0IDIwMjEgQ0ExMB4XDTI1MDYyMzAwMDAwMFoXDTI4MDYyMjIzNTk1OVowZTELMAkGA1UEBhMCVVMxEDAOBgNVBAgTB0Zsb3JpZGExDjAMBgNVBAcTBVRhbXBhMRkwFwYDVQQKExBDb25uZWN0V2lzZSwgTExDMRkwFwYDVQQDExBDb25uZWN0V2lzZSwgTExDMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAkzFvRSIHGVCNMIo7nSV2o3sZOBVkDOdL0txI3ECVLep4eGEDKah9JATp4kDKoHOa8SQucnQATrTfLeGsu6p6fXyri4Hei7HGjL23pka5WQxJV/moHD1gNcpah2Zho6eX4fbdt4MZMUpFveI8X9MCJ+gBdU8OrM3RkfYW4Aim5PMkG4tloB2cucnoeS2WjfD4cDcjWDvA2sn+oIOmBtIDL7Zn7/CDaXL1vBnX6gunbN90+tVedmVIohZaT5jbEFcFMqTIQaqYebFa5ZX6D6GHVwIN2HSnh+SQ31Lffeq2nSs9PVGPDOEc7XMAYUBvlsmOm3FQOsha7JNsr84PheHQqmUQ5/nP4b2cozUGvITwuiKKUTirFw6npDOGqbMqIdgfldbrVXRIMF0nNe5uSG1n0+/iDPp6/FdPNfZU/flk9n8zlHNCqzjrr8/Xrpw4qZPVjTCjosiWTh2CSIYbrmMBr8lt3txSS6Y/zBk1akfRhfh2zDFcMB5TEza7RbAY+rZzQNefVjTcB8MDdtPWjref9BgqYCQ8VlbpWIwG3MTqw9VAuPdiWR/XeumdgzyVLZxhbb+CpmFviUogzIFT77HI5Zer2pMZcY+dy9SVRhdkS5eb697Njc6fwl9UKvr/7ZIcUpAv+nPkaSO8SwiaZy4dEuanRl7/HM6sE7z8A/iY+YkCAwEAAaOCAgMwggH/MB8GA1UdIwQYMBaAFGg34Ou2O/hfEYb7/mF7CIhl9E5CMB0GA1UdDgQWBBRyAA72Q4P+ySscNvl5zvvrp5Qg1jA+BgNVHSAENzA1MDMGBmeBDAEEATApMCcGCCsGAQUFBwIBFhtodHRwOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMIG1BgNVHR8Ega0wgaowU6BRoE+GTWh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0ZWRHNENvZGVTaWduaW5nUlNBNDA5NlNIQTM4NDIwMjFDQTEuY3JsMFOgUaBPhk1odHRwOi8vY3JsNC5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkRzRDb2RlU2lnbmluZ1JTQTQwOTZTSEEzODQyMDIxQ0ExLmNybDCBlAYIKwYBBQUHAQEEgYcwgYQwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBcBggrBgEFBQcwAoZQaHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZEc0Q29kZVNpZ25pbmdSU0E0MDk2U0hBMzg0MjAyMUNBMS5jcnQwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAgEA0x/U+DrlKqWY1SJ0c01Y4plwHgzLQwB++VIPJ+eyIT6CgZpSZNpZmPZlF1y3BEqZVSoRGknfdzE67lcmjBltQTVQZiI9qZEXeixWquAHzxAGkrB26m7Aj
WAeOLoC5A1G8zisxDqpKn1fyQUMHjQ4m3aYjJgPtGXndO9dhHbQJf8c4JBC7dovI9lgttx4cWsZafAkf2TRccbWpbZE0PRgRA4dyKgNNGW8pWcIDbobDB9tsFvmNJrdYX7ErN791rkdtH2S4TO7Yv0tunVc5uT91KdyjqwjI7w1TWvo0TkSxOxVgVD/EqZMTq/ZBB0B8ZIcyC6uwMvZslFLPjYwO6KMbkS9NscSMq1bJFGv1MtGp9mSa4oHwmzYKiK1RrCPh3qWfEW/uv+r6CaahAL8G5SC6WSDSWkH2D3v1E48hwqtie379CGq8OMpxvJ6KXbAxSxFUrEgQE07OtQsxr0JUjTragushhtOWIBi1PmeaJM0TzVnYCTLstww+BeKuAqAfZ1hfM69y6cukC2NVMNPvb7Lc+sb6Z73J+5d0Q/3nFSqR2X8P9TpaHL7ADe84FX3P2auMRCOg/x68vDY6qkgAPzSfuaj8eaxRrAXAC8pHzq7vD3RkvT4oGBrPwn3xZENqIs6x0pAi8v4hgyHbgazo8mF6QdPvQU1lXuvEU/hnR8O2s4=",
                    "src_file_sha256": "c218eb4c68fafc90f1f9dde973ea85184c5a7cb830af174285d8b9e6ce6e1d06",
                    "src_file_path": "downloaded_files/screenconnect/c218eb4c68fafc90f1f9dde973ea85184c5a7cb830af174285d8b9e6ce6e1d06",
                    "src_file_company": "ScreenConnect Software"
                },
                {
                    "signer_name": "ConnectWise, LLC",
                    "certificate_thumbprint": "11C81879E141A8407D461ADB14EF568A58022BEC",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "ee0fd474de7eb1b844ec8359a4453bfb56263191643c03919bd05f439761c722",
                    "src_file_path": "downloaded_files/screenconnect/ee0fd474de7eb1b844ec8359a4453bfb56263191643c03919bd05f439761c722",
                    "src_file_company": "ScreenConnect Software"
                },
                {
                    "signer_name": "ConnectWise, LLC",
                    "certificate_thumbprint": "F307637A290C1BCDCCC4437A58DE17C0BDBFC830",
                    "certificate_der_base64": "MIIG3TCCBMWgAwIBAgIQDNbLpZhB5+RHOw3x3rIMmzANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xQTA/BgNVBAMTOERpZ2lDZXJ0IFRydXN0ZWQgRzQgQ29kZSBTaWduaW5nIFJTQTQwOTYgU0hBMzg0IDIwMjEgQ0ExMB4XDTI1MDcwMTAwMDAwMFoXDTI2MDYzMDIzNTk1OVowZTELMAkGA1UEBhMCVVMxEDAOBgNVBAgTB0Zsb3JpZGExDjAMBgNVBAcTBVRhbXBhMRkwFwYDVQQKExBDb25uZWN0V2lzZSwgTExDMRkwFwYDVQQDExBDb25uZWN0V2lzZSwgTExDMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAypAVEXnqlKUxvUfgH5ATEiVuPHriRa5eK6kgnGWxjhYw2a4IIqCfMajqteGqWSV+l1CkU8iiZKYHWJ2fLKMnTevSyv5XeJc1tceW2RBJyQwXb9Y1XLo1OYiFATgNKCHJxAzeF53oUYufvT2Uxf4E43aeHRMXZaP8Vzwmc56Eh0Dd/Q6xf0gILnUXF9KwuUNTgemkYiyZ56Od+Ag6AFl+tmbvzUZSlxSMGaG1+qfuhgCWIQ9kqOCFasCZDQW18Wa2Yx9jXRZ7PXE4oe0BWobveWkGxcsXStdyIyT9o8xnYco2Jh3G22RoMBxb2hb+x7WjKkUgV6ENUo0VzHVc8RY/Mq3qS2twEDqT23hq3U9GBkQg4aOnMBHv4D1VMLlZ2rVrwuyMImmhJNSAcDpy7r+KdvBBgozezbGRX7jOuAoO4+036Z6uJEjwtO8/cHnMuntm/yK8MTTOqDFyZJOjBrs/BuF9rWcesc0IXa5shRII5cufJ2toFXhCdCIZIQgfTi4LAgMBAAGjggIDMIIB/zAfBgNVHSMEGDAWgBRoN+Drtjv4XxGG+/5hewiIZfROQjAdBgNVHQ4EFgQUvi/fqhyd2YBtDJyzcabHI1k17ZwwPgYDVR0gBDcwNTAzBgZngQwBBAEwKTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5kaWdpY2VydC5jb20vQ1BTMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzCBtQYDVR0fBIGtMIGqMFOgUaBPhk1odHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkRzRDb2RlU2lnbmluZ1JTQTQwOTZTSEEzODQyMDIxQ0ExLmNybDBToFGgT4ZNaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZEc0Q29kZVNpZ25pbmdSU0E0MDk2U0hBMzg0MjAyMUNBMS5jcmwwgZQGCCsGAQUFBwEBBIGHMIGEMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wXAYIKwYBBQUHMAKGUGh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0ZWRHNENvZGVTaWduaW5nUlNBNDA5NlNIQTM4NDIwMjFDQTEuY3J0MAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggIBAKcuM1F1ancUbMVNIlaeAqToMHpRNH3ut861w9BmrZmDNyBLTxK+mxYJQonWQcHeUxda28TIAt7B3tQ6OaBW2vjZROyIM5G02DU5ByQNa9ZWcbEXsPThWWTYepUSZkJ5W4Aa7sisG96lwyvUjwrxJVfTwEswzfg7m7Q/XLw/uFIJS6Rf9Bq1Z+BjEtTBMeCaY6V78vQcFm9bMlNa8HfRrNri7UGPNJzasj0Rfu3fe9e0y+bZWn6XZQx/avmku/zsXbBPs2pAfKgNilnMKVkZd8WaOad67YxwS
nOuLzzM4ix8h8c9vPyly/ZhqoCWoYisIlkWfoZXeI2On2/g4Gk1J9bsUu4h7pHVGJsz/yI2NNzmZ72OqU/bJMbHfAA9ExQA3fOLUTZNyoecQ91IMqCKUdC+TK4I3m16bhCOvKSbGGw0xjatevgy2oflrHnUb1Q0WsHXSmEwj5ROFxD49LZf4V70B4tGhCuzlbeejUtsAQ/DRQWOZ/godi+Q4F/cB+uWBRyl+Q+Jyb3+m2dDfDz7kzU8ARthe1EbjrBvnb9qe+EqzPSux436CCQ1hr2Sd9HknnoCm1X6Sb8WLCIeuJ5X3mlM9qxCrLFszAA3u9zQHngmoNur6tdbrUgHoSqu+2NIy6iXfa64LWbiiusWSCZ7OpVpvFB84dPmY75SNfPKbERC",
                    "src_file_sha256": "c79526ce6eed74a509c7192decb2ce8988578cdbe3400c68b66395f9c2941e40",
                    "src_file_path": "downloaded_files/screenconnect/c79526ce6eed74a509c7192decb2ce8988578cdbe3400c68b66395f9c2941e40",
                    "src_file_company": "ScreenConnect Software"
                },
                {
                    "signer_name": "ConnectWise, LLC",
                    "certificate_thumbprint": "109D463C280A1E2AF6E87807C6F3D3E4A80E5DBE",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "165f4ecf1727c7f57017fe460640e9b262657feb1af06d918f79917d100531fc",
                    "src_file_path": "downloaded_files/screenconnect/165f4ecf1727c7f57017fe460640e9b262657feb1af06d918f79917d100531fc"
                },
                {
                    "signer_name": "ConnectWise, LLC",
                    "certificate_thumbprint": "6B7B5475445B4829EE42A588FB8B5378783FEEF3",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "c13b80b70198ced667351ff7f004e6ab5972503049b66a053d55b30f9ea4c0e9",
                    "src_file_path": "downloaded_files/screenconnect/c13b80b70198ced667351ff7f004e6ab5972503049b66a053d55b30f9ea4c0e9"
                },
                {
                    "signer_name": "ConnectWise, LLC",
                    "certificate_thumbprint": "0F9CE6F3AA0A5C40790CEF493378990FDC766517",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "46457d98fb1c53bbccb66c1015eb831355f30c8bf8e6f25cf3183aac2a5fd8ab",
                    "src_file_path": "downloaded_files/screenconnect/46457d98fb1c53bbccb66c1015eb831355f30c8bf8e6f25cf3183aac2a5fd8ab",
                    "src_file_company": " "
                },
                {
                    "signer_name": "ConnectWise, LLC",
                    "certificate_thumbprint": "B9E53B87C889BDBFEE481D49A6DC48289A27CE91",
                    "certificate_der_base64": "MIIG3TCCBMWgAwIBAgIQA71kvJ786u/iDeZIfradVTANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xQTA/BgNVBAMTOERpZ2lDZXJ0IFRydXN0ZWQgRzQgQ29kZSBTaWduaW5nIFJTQTQwOTYgU0hBMzg0IDIwMjEgQ0ExMB4XDTI1MDcwMTAwMDAwMFoXDTI2MDYzMDIzNTk1OVowZTELMAkGA1UEBhMCVVMxEDAOBgNVBAgTB0Zsb3JpZGExDjAMBgNVBAcTBVRhbXBhMRkwFwYDVQQKExBDb25uZWN0V2lzZSwgTExDMRkwFwYDVQQDExBDb25uZWN0V2lzZSwgTExDMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAtysPV47x90yQGZAFNRGHWhnKqOQMN2NRQIUWGerlzCSxyGFC8gbKRvnqscKdDeeMCS7xNkiIQuIQdeky7cD576Z9KY9RoNMs+jyliCP0iUTxMDSzNpSo0G150gTadoWdY93d/4U0nCIxgjiqI3jtB9fOcIYmFwX0d1PlmAHZv0WSmqH14JSutZK5wTXNXzR4nnC7ogR3QKkmDPOAIDOKGm/N7tarsyTHd64pbHIwZzDcc30iqRAQ4SJcXa3tsHYbRIMTHcJfHOK4g8os5RBX6QPC+SC8PFbS68UnTqcV6rkhgqHaIRvgUYiE2Knin7bo5eEuXGEm8ygBN6gXZF/P7qXzQHt8U4MxXcURM5aNC6LcPbLmTJNqAYL0yhxmCS3dHY4m6+t+dUg7WXfNGPsbxH7c3k5Mzw/xHwCvK7MZrhSer4Q2fYOIW1Qyxj+hm5GJrhuJN6R1fXfSQskGGXHL+s/Z0pqnAyQg7iPW6t3JgGmc6/DyRKAgQQlRQmGkb1d1AgMBAAGjggIDMIIB/zAfBgNVHSMEGDAWgBRoN+Drtjv4XxGG+/5hewiIZfROQjAdBgNVHQ4EFgQUKACUVd7xJ01fkKItVpvGHnX2kLkwPgYDVR0gBDcwNTAzBgZngQwBBAEwKTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5kaWdpY2VydC5jb20vQ1BTMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzCBtQYDVR0fBIGtMIGqMFOgUaBPhk1odHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkRzRDb2RlU2lnbmluZ1JTQTQwOTZTSEEzODQyMDIxQ0ExLmNybDBToFGgT4ZNaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZEc0Q29kZVNpZ25pbmdSU0E0MDk2U0hBMzg0MjAyMUNBMS5jcmwwgZQGCCsGAQUFBwEBBIGHMIGEMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wXAYIKwYBBQUHMAKGUGh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0ZWRHNENvZGVTaWduaW5nUlNBNDA5NlNIQTM4NDIwMjFDQTEuY3J0MAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggIBACCoa0lUlpencPchvAUdqyUTWf2/WcuqphouCgXEheSKJAZkUj7C6sEGghXDRWbmCCE2BEFxTSQevxJ7yqZa268a6qKjuDn6qGY4Cud9UU7ftd+WqqHKhi05NqUYPbNFaWwlpeo55cjRnSYeg7zEmjji0SnGZokseipOyUIuRxNLg7i2vryrnBxUmWCnGex6HCuYtnbarKW7q/I34fh0/PaWXfr3TWI4Wpt5JwMsSqFoSc+DuzKgQBvmtuHjobW9f/FFnIjKuWdy1+9hvHRsWt8BSchiDO7DX
fmG0+GqkJcbIO6C4DH/grTXBMNh4OUInzlngIV7E92Vcf1wTsltRIAKKJ0QDl5Q6lI6zsBlKnGvD6Tu+zCd5jiRLnu1LPCrb8HlezgYwgEwSch3QMH91gM+C5DB+QWJ0ezmATfNidJLMD1+RV2fhrUw7BnnulHoJ+6rLrmd1e2TColHoafARIUOhCE93L2qwGdvl8a1+gWNl/x/DZZH4HNcRjQTX6BiUuJDfnFCyboRKNxLWlduJ37oQba8xlzqM5yRlFCFv9Nkeu15fftPP/lCWpOGey6fXD12TqzYeHLjpm3mPfqu0mFMpKLnKM2DomIC6+xtVr+AAfGVkzwoFGbqIB05bYA5FnD1ELZsDzex6ZXcJ+vxgTaZs7PcLeQDkd8AtPl8KtMG",
                    "src_file_sha256": "bc0b03a340d46c23a4a2f91ebd7ed4d0fcf92fc7c4323f522c86369ad483f68a",
                    "src_file_path": "downloaded_files/screenconnect/bc0b03a340d46c23a4a2f91ebd7ed4d0fcf92fc7c4323f522c86369ad483f68a",
                    "src_file_company": " "
                },
                {
                    "signer_name": "ConnectWise, LLC",
                    "certificate_thumbprint": "A913789BBC18D15773E26D320081E0BB1B0EC897",
                    "certificate_der_base64": "MIIHXTCCBUWgAwIBAgIQATNrMCWMODV2u7cp7weJizANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xQTA/BgNVBAMTOERpZ2lDZXJ0IFRydXN0ZWQgRzQgQ29kZSBTaWduaW5nIFJTQTQwOTYgU0hBMzg0IDIwMjEgQ0ExMB4XDTI1MDMyMDAwMDAwMFoXDTI4MDMyMTIzNTk1OVowZTELMAkGA1UEBhMCVVMxEDAOBgNVBAgTB0Zsb3JpZGExDjAMBgNVBAcTBVRhbXBhMRkwFwYDVQQKExBDb25uZWN0V2lzZSwgTExDMRkwFwYDVQQDExBDb25uZWN0V2lzZSwgTExDMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAiUhWPhxbe138qHdMtYpPiDiTqlDVjsjgmHTgz0Ie00vIr9x5hZs/dNg9/SjPEY5gBNMWamqIc9Beqwv0smcm/VsOPuzI4hb7rNfqZQM9faA73fNEI85UsH7ib8Rm8mWDKdZq19TsuWWR9iV069HnxWLpu10NMzQfdzNfO+Rwtm/3HAlZiaw6YY1o/03gx2KzipQDYHj2gmPNqnJWZwPXdMy1PmzQHFiQL5hyOkYGd1uaMz0uGNZosw1GaoLL1U8xNAZlgK8tukQAU/r1EYSUy07KhEM5LNM76tM8j3qt1IZZhJmXVACrhXzAp5Mb7RegbEDDkQ2clrFgZm8OLjHtJQEkRookn+NTN4ikXcOPTmH2gQLZfalFLazc8HxdonM1x4jvxbOmQJfZJagc4rdpN8EwT9ccxfesHb60p+EMlIcg64/KDIouhWc7Fa11b2FS+ukiueYAzEX+evauUuezdxn1N+4+TUyATT6md62WVewOm7QCO1QvQSxsre2SaLQAG9tmpvCs5G3ZkpltSd5zADtyM5o8YsFCS9o7tKHqSyedrM6uWRBox9RZ81Re8iaoi6k4DiEBBub4cpj2TiL5Op6TvRY7R9MKu1qZt5p0ZzdDFHEVeS9F/eKCIs+oR4oeNsIzZ3fSidXLMkeviSCJw8wdm3E3oqXPx25R1q2amQECAwEAAaOCAgMwggH/MB8GA1UdIwQYMBaAFGg34Ou2O/hfEYb7/mF7CIhl9E5CMB0GA1UdDgQWBBTmkduz1pgKUR6WjWuTU46OOmvO2TA+BgNVHSAENzA1MDMGBmeBDAEEATApMCcGCCsGAQUFBwIBFhtodHRwOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMIG1BgNVHR8Ega0wgaowU6BRoE+GTWh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0ZWRHNENvZGVTaWduaW5nUlNBNDA5NlNIQTM4NDIwMjFDQTEuY3JsMFOgUaBPhk1odHRwOi8vY3JsNC5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkRzRDb2RlU2lnbmluZ1JTQTQwOTZTSEEzODQyMDIxQ0ExLmNybDCBlAYIKwYBBQUHAQEEgYcwgYQwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBcBggrBgEFBQcwAoZQaHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZEc0Q29kZVNpZ25pbmdSU0E0MDk2U0hBMzg0MjAyMUNBMS5jcnQwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAgEAOd1OBVEgjwdaSKBPfzd0ktAieiPwfTKq04Tuer0+qdxfTpSdQggWwcYDJ07dgInrFikw2v4F+m2tTLrPa7dtESGDG6p+br/rwbdDzvJE5Rc91ZTr2CX8S
nHYrs0gu6Ckk2SqWQ7QEMDy5cNuB72WqTwiGd18G+Mfw59+DAyun/4s5vhXXyBz9l1wsnsgQrE2jLDoeQOdAkG/F9Ou9W6LmK57dydtYUaFcPMyJZUczBON/C23PWmcxIFB+a+yZQD2G/nULL19FDCkqi60GWgnHMlYjFf0+p9Gq6J59td4xzso+3MLtSy1EuZ8uHxgyxHnYmFPmLODt9p8rU3wTzUJ5APGiCpxPoQeV2CyItsJ+VsTU1Jq2Br9Zijcd0j9a0RsCo0BD+YeBg18RpLXNj7F1vykJabfOJdfXSaf66T+/Ki4b7Oh4W6W3JelMGn8jTSJkm48XDqdupkMsw96LIzEsIJvCaCqlVmqvbHON5OXjrIDUt/bz7fqJ+kIijrJIgAgX3lhE32pFR2ZaJCbbcjIekzCrf9ZRy45deH9+cyQ80vlym0JM78isAwrhy/nMMtDdUuY86ATPf5SwUqAulZcg5/4K4MqUcm9nHiQu1DEiaARGPbJFDRwd4ReO3Ye0iQbcrLpSuts++wQoxuyqebWepEcwkgwd9quLNY46XzPt10=",
                    "src_file_sha256": "0f39299c04c5c5f79a9a9400fd346adaf82c34b1d5ac38213fb42368f0267bfb",
                    "src_file_path": "downloaded_files/screenconnect/0f39299c04c5c5f79a9a9400fd346adaf82c34b1d5ac38213fb42368f0267bfb",
                    "src_file_company": "ConnectWise"
                }
            ]
        }
    },
    {
        "Name": "Kaseya (VSA)",
        "Category": "RMM",
        "Description": "Kaseya (VSA) aka Unigma is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "Nasreddine Bencherchali",
        "Created": "2024-08-05",
        "LastModified": "2024-08-05",
        "Details": {
            "Website": "https://www.kaseya.com/",
            "PEMetadata": [
                {
                    "Filename": "agentmon.exe"
                },
                {
                    "Filename": "KaUpdHlp.exe"
                },
                {
                    "Filename": "KaUsrTsk.exe",
                    "OriginalFileName": "",
                    "Description": ""
                }
            ],
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [
                "Windows"
            ],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Program Files (x86)\\Kaseya\\",
                "C:\\ProgramData\\Kaseya\\"
            ]
        },
        "Artifacts": {
            "Disk": [
                {
                    "File": "%localappdata%\\Kaseya\\Log\\KaseyaLiveConnect\\*",
                    "Description": "Kaseya Live Connect logs",
                    "OS": "Windows"
                },
                {
                    "File": "~/Library/Logs/com.kaseya/KaseyaLiveConnect/*",
                    "Description": "Kaseya Live Connect logs",
                    "OS": "MacOS"
                },
                {
                    "File": "C:\\ProgramData\\Kaseya\\Log\\Endpoint\\*",
                    "Description": "Kaseya Endpoint logs",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files*\\Kaseya\\*\\agentmon.log",
                    "Description": "Kaseya Agent Monitor log",
                    "OS": "Windows"
                },
                {
                    "File": "/var/log/system.log",
                    "Description": "Kaseya Agent Monitor log",
                    "OS": "MacOS 32bit"
                },
                {
                    "File": "~/opt/kaseya/*/logs*",
                    "Description": "Kaseya Agent Monitor log",
                    "OS": "MacOS 64bit"
                },
                {
                    "File": "C:\\Users\\*\\AppData\\Local\\Temp\\KASetup.log",
                    "Description": "Kaseya Setup log in user temp directory",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Windows\\Temp\\KASetup.log",
                    "Description": "Kaseya Setup log in Windows temp directory",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\ProgramData\\Kaseya\\Log\\KaseyaEdgeServices\\*",
                    "Description": "Kaseya Edge Services logs",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Kaseya\\api\\v1.0\\logs\\",
                    "Description": "Kaseya API logs",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Kaseya\\api\\v1.5\\endpoint\\logs",
                    "Description": "Kaseya API logs",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Kaseya\\api\\v1.5\\endpoints\\logs",
                    "Description": "Kaseya API logs",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Kaseya\\Log\\MakeSelfSignedCert.exe\\",
                    "Description": "Certificate creation",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Kaseya\\WebPages\\install\\makecert.txt",
                    "Description": "Certificate creation",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\ProgramData\\Kaseya\\Log\\Endpoint\\Instance_*\\KaseyaEndpoint*",
                    "Description": "Endpoint service logs",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\ProgramData\\Kaseya\\Log\\Endpoint\\Instance_*\\Session_*",
                    "Description": "Session logs",
                    "OS": "Windows"
                }
            ],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "deploy01.kaseya.com",
                        "*managedsupport.kaseya.net",
                        "*.kaseya.net",
                        "kaseya.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kaseya__vsa__network_sigma.yml",
                "Description": "Detects potential network activity of Kaseya (VSA) RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kaseya__vsa__files_sigma.yml",
                "Description": "Detects potential file activity of Kaseya (VSA) RMM tool"
            }
        ],
        "References": [
            "https://helpdesk.kaseya.com/hc/en-gb/articles/229012608-Software-Deployment-URL-Port-Requirements",
            "https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations",
            "https://ruler-project.github.io/ruler-project/RULER/remote/Kaseya/",
            "https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "ConnectWise Control",
        "Category": "RMM",
        "Description": "ConnectWise Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2025-12-14",
        "Details": {
            "Website": "https://www.screenconnect.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "connectwisechat-customer.exe",
                "connectwisecontrol.client.exe",
                "screenconnect.windowsclient.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "live.screenconnect.com",
                        "control.connectwise.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_network_sigma.yml",
                "Description": "Detects potential network activity of ConnectWise Control RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_processes_sigma.yml",
                "Description": "Detects potential process activity of ConnectWise Control RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": [],
        "CodeSigning": {
            "search_names": [],
            "company_names": [],
            "signer_names": [
                "ConnectWise, Inc.",
                "ConnectWise, LLC",
                "Connectwise, LLC"
            ],
            "certificates": [
                {
                    "signer_name": "ConnectWise, Inc.",
                    "certificate_thumbprint": "07290735CAC17E851C608F28C3C03F68B94DDC35",
                    "tbs_sha256": "2536E3C682B73B99B516CDEEE24FCB828C84CBDA003E3C3075CA771717B4CEBA",
                    "tbs_sha1": "",
                    "certificate_der_base64": "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"
                },
                {
                    "signer_name": "Connectwise, LLC",
                    "certificate_thumbprint": "FF8BFAFA697459874FB9843B1EFDA5C91871A44C",
                    "tbs_sha256": "46135C0D0BC2714588E2E99AEB2BBC714F972F50D46C4C6D084F9D9CF9E485A4",
                    "tbs_sha1": "",
                    "certificate_der_base64": "MIIHYDCCBUigAwIBAgIQD8iQIY68GzxLhSH2VZeTcTANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xQTA/BgNVBAMTOERpZ2lDZXJ0IFRydXN0ZWQgRzQgQ29kZSBTaWduaW5nIFJTQTQwOTYgU0hBMzg0IDIwMjEgQ0ExMB4XDTIyMDcxMzAwMDAwMFoXDTI1MDcxMjIzNTk1OVowZTELMAkGA1UEBhMCVVMxEDAOBgNVBAgTB0Zsb3JpZGExDjAMBgNVBAcTBVRhbXBhMRkwFwYDVQQKExBDb25uZWN0d2lzZSwgTExDMRkwFwYDVQQDExBDb25uZWN0d2lzZSwgTExDMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA2l17brRNXYxj98R8GKG/mHWRWOBhGRgQvkABt1RDvZbh3mhFn9cvf+IKvNq50QVB1bMzoZHIaU5w6t61kKRvusxL8eWA49SZABB/MaRLsHYcJulfMtPSB2/BzhVQ/Mm4DTqeEmz5SPXXiQf4J5W9HFQ3+H9YKpz6PJrfsHnTrxsmejXC/tErmaoHLbGpdNizcEgx+RwHw0P4vf5SqIpam6HOh6lX7tWW6lr43Cgh+JcImDVdRnYh8YjNo3HL8ZRiWsRedoKvxKdoff31j6EvZ9qfiGj48buvqlRVki/OdVzO7uLEyqjHQ1BCA5b0ReW44jQN3KInzkhGp4cVD/ULmCoC+sVyLiYw2p5/TxH2HUbEo6dBg03gC6lv6NDuxTuNczL8hWfVna5YydorTNOUOR8aNcB1znbk9YEY9Cz/0PnQl9hubkDnF0WDuJ6jjeKIW5ru0UfvpX3cF61CGyyTI1dangGUV2glrtO1hqBysvTcYZSlVml2hlB5rJiLHAyt/RCFG+YrH3nK1qk3+HTquMs2UeKehi1cr+nRtCqD8zXSq6bsTvnZqhFaBpwkkW1kXeQVhE3DZcYWYoZlukXVflpOmsCltBTogz7XfkWRZHk35vSW1ctwjinjymDtgdWUyZVBhuCOfb81VfCgpOVmJbTf3EZXfYgyG0cZzCGwp60CAwEAAaOCAgYwggICMB8GA1UdIwQYMBaAFGg34Ou2O/hfEYb7/mF7CIhl9E5CMB0GA1UdDgQWBBQpT5v/AO231msiGDB9d6g/XCsNhTAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwgbUGA1UdHwSBrTCBqjBToFGgT4ZNaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZEc0Q29kZVNpZ25pbmdSU0E0MDk2U0hBMzg0MjAyMUNBMS5jcmwwU6BRoE+GTWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0ZWRHNENvZGVTaWduaW5nUlNBNDA5NlNIQTM4NDIwMjFDQTEuY3JsMD4GA1UdIAQ3MDUwMwYGZ4EMAQQBMCkwJwYIKwYBBQUHAgEWG2h0dHA6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzCBlAYIKwYBBQUHAQEEgYcwgYQwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBcBggrBgEFBQcwAoZQaHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZEc0Q29kZVNpZ25pbmdSU0E0MDk2U0hBMzg0MjAyMUNBMS5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAgEATjNONUU9LsNlCCvX6Yg5JZageLZsyRp9UplYhtnS716xFg5hGrVLAHBODNf98ScYcdVlhM4GQTuW4m0DlutlfLvVwSA50BMNUuMdGnoYbKIIeDeMg
yZV25r4/I4GcsqULTX9E+6IA6enR6UC/znOi7trBU14vknttacPfFyaDt86an4954rAGwigUZjGpMzWRDztj02aZaI+Z7Cak6/gHC4/PZBYHPUTj5MaOvihXyfOGlFaGkfxdzktbTcpvGLOYGeT0gK4n/iFMfA1Z1aA5AW0lBSXG/nzZSjBxE7RfO2d7jU8FEZXGaA5HjGX2FHfAa6ONst5GKJsou7A2lVcT6By8Fp+5ZOC4JOk7dJphkXAShejkDyp/ati4DP+wPhlPdGTuQUKeLDhEBtzziyvc6Z3NzeD0qHuPOeUBV4FNawe3J6xM+BD0Wy2+BHy18yFXwmGc5INCUjC+TpwXup2LKeK/Y1LR6X09ewCs0133vu+foVLULJhgtwFuiZf473j+9ahLyqpZW05Nh2TQleJcUMj10/+9jR6WuPkSmMi125gS/dZvuX3qAI9VaI1b9ntEEHVhP7YwnaXNpob4VnJZyKyGpKmxNnRfawYmwR1OPCZsaPR73KILw4Jp2fWIvNxl2zUuV5jV8LHuXSZuB8EYHyf5yoL0T8ciZEHUx1Hhbc="
                },
                {
                    "signer_name": "ConnectWise, LLC",
                    "certificate_thumbprint": "DC69069188D5CBC5FE18B7D035C90061C8741E21",
                    "tbs_sha256": "EE87E0B6968C49806887874C952D0F6C1DAABA50D699FE8C5524103D7A3A82D1",
                    "tbs_sha1": "",
                    "certificate_der_base64": "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"
                },
                {
                    "signer_name": "ConnectWise, LLC",
                    "certificate_thumbprint": "5C58CEA4608461C9A4188F480466123A9DD02431",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "a5c8ede4d24165797dcfbabbb85f62c44a79b058381e68249bf418a01fc67a1d",
                    "src_file_path": "downloaded_files/connectwise_control/a5c8ede4d24165797dcfbabbb85f62c44a79b058381e68249bf418a01fc67a1d",
                    "src_file_company": "ScreenConnect Software"
                },
                {
                    "signer_name": "ConnectWise, LLC",
                    "certificate_thumbprint": "DD631BF0A610530A2C8C93B35609054E34FF5F70",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "c218eb4c68fafc90f1f9dde973ea85184c5a7cb830af174285d8b9e6ce6e1d06",
                    "src_file_path": "downloaded_files/connectwise_control/c218eb4c68fafc90f1f9dde973ea85184c5a7cb830af174285d8b9e6ce6e1d06",
                    "src_file_company": "ScreenConnect Software"
                },
                {
                    "signer_name": "ConnectWise, LLC",
                    "certificate_thumbprint": "11C81879E141A8407D461ADB14EF568A58022BEC",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "ee0fd474de7eb1b844ec8359a4453bfb56263191643c03919bd05f439761c722",
                    "src_file_path": "downloaded_files/connectwise_control/ee0fd474de7eb1b844ec8359a4453bfb56263191643c03919bd05f439761c722",
                    "src_file_company": "ScreenConnect Software"
                },
                {
                    "signer_name": "ConnectWise, LLC",
                    "certificate_thumbprint": "F307637A290C1BCDCCC4437A58DE17C0BDBFC830",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "c79526ce6eed74a509c7192decb2ce8988578cdbe3400c68b66395f9c2941e40",
                    "src_file_path": "downloaded_files/connectwise_control/c79526ce6eed74a509c7192decb2ce8988578cdbe3400c68b66395f9c2941e40",
                    "src_file_company": "ScreenConnect Software"
                }
            ]
        }
    },
    {
        "Name": "VNC Connect",
        "Category": "RAT",
        "Description": "VNC Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.realvnc.com/en/connect/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Program Files\\RealVNC\\VNC Server\\*",
                "*\\RealVNC\\VNC Server\\*"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [],
        "References": [],
        "Acknowledgement": []
    },
    {
        "Name": "PSEXEC",
        "Category": "RAT",
        "Description": "PSEXEC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://learn.microsoft.com/en-us/sysinternals/downloads/psexec",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "psexec.exe",
                "psexecsvc.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "user_managed"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec_network_sigma.yml",
                "Description": "Detects potential network activity of PSEXEC RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec_processes_sigma.yml",
                "Description": "Detects potential process activity of PSEXEC RMM tool"
            }
        ],
        "References": [
            "https://learn.microsoft.com/en-us/sysinternals/downloads/psexec"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "KNOWLEDGE CENTRIC SOLUTIONS SL.",
                    "certificate_thumbprint": "1EEBC8C25FE20B6AF6317FBE9B849EC0CCF9233B",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "046b0719f9659ad368515035768ae5be3599621af5ed1916785239711b898be8",
                    "src_file_path": "downloaded_files/psexec/046b0719f9659ad368515035768ae5be3599621af5ed1916785239711b898be8",
                    "src_file_company": "Sysinternals - www.sysinternals.com"
                }
            ]
        }
    },
    {
        "Name": "PuTTY",
        "Category": "RAT",
        "Description": "PuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.chiark.greenend.org.uk/~sgtatham/putty/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "*\\putty.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/putty_processes_sigma.yml",
                "Description": "Detects potential process activity of PuTTY RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": []
    },
    {
        "Name": "SimpleHelp",
        "Category": "RMM",
        "Description": "SimpleHelp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "Phyo Paing Htun",
        "Created": "2025-03-05",
        "LastModified": "2025-03-05",
        "Details": {
            "Website": "https://simple-help.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [
                "windows"
            ],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "simplehelpcustomer.exe",
                "simpleservice.exe",
                "simplegatewayservice.exe",
                "remote access.exe",
                "windowslauncher.exe",
                "spsrv.exe",
                "serviceconfig.xml"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "user_managed",
                        "simple-help.com",
                        "51.255.19.178",
                        "51.255.19.179"
                    ],
                    "Ports": [
                        443
                    ]
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/simplehelp_network_sigma.yml",
                "Description": "Detects potential network activity of SimpleHelp RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/simplehelp_processes_sigma.yml",
                "Description": "Detects potential process activity of SimpleHelp RMM tool"
            }
        ],
        "References": [
            "https://simple-help.com/remote-support",
            "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708",
            "https://www.group-ib.com/blog/muddywater-infrastructure/"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "Instant Housecall",
        "Category": "RMM",
        "Description": "Instant Housecall is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2025-12-14",
        "Details": {
            "Website": "https://instanthousecall.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "hsloader.exe",
                "ihcserver.exe",
                "instanthousecall.exe",
                "instanthousecall.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.instanthousecall.com",
                        "*.instanthousecall.net",
                        "instanthousecall.com",
                        "secure.instanthousecall.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_network_sigma.yml",
                "Description": "Detects potential network activity of Instant Housecall RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_processes_sigma.yml",
                "Description": "Detects potential process activity of Instant Housecall RMM tool"
            }
        ],
        "References": [
            "https://instanthousecall.com/features/"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "search_names": [
                "5",
                "hsloader.exe",
                "ihcserver.exe",
                "instanthousecall.dll",
                "instanthousecall.exe"
            ],
            "company_names": [],
            "signer_names": [
                "Instant Housecall",
                "Symantec Corporation"
            ],
            "certificates": [
                {
                    "signer_name": "Symantec Corporation",
                    "certificate_thumbprint": "N/A",
                    "tbs_sha256": "",
                    "tbs_sha1": "CAED29AAEF995E16501D02FFC4252AA98CFAECD2"
                },
                {
                    "signer_name": "Symantec Corporation",
                    "issuer": "CN=VeriSign Class 3 Code Signing 2004 CA",
                    "certificate_thumbprint": "508E846523E1B131438B220694BE91793886508E",
                    "tbs_sha256": "D9C0278CD8DF5E610B66C1AE3E48ABBA1249A60CD6512108C85E1BF70EACEC04",
                    "tbs_sha1": "CAED29AAEF995E16501D02FFC4252AA98CFAECD2",
                    "valid_from": "2007-10-31T00:00:00+00:00",
                    "valid_to": "2010-11-24T23:59:59+00:00",
                    "certificate_der_base64": "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"
                },
                {
                    "signer_name": "Instant Housecall",
                    "issuer": "CN=Sectigo Public Code Signing CA R36",
                    "certificate_thumbprint": "1DF407D385DFA8D8F6BB16D6EC0754FA9BD54F48",
                    "tbs_sha256": "4C81C4E3313FEF18B2106498DD09790C78128126F405205166A154E80704C1F0",
                    "tbs_sha1": "B9C066C75BB1498E9B1AB560187B737C9C6D8FE9",
                    "valid_from": "2022-03-21T00:00:00+00:00",
                    "valid_to": "2025-03-20T23:59:59+00:00",
                    "certificate_der_base64": "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"
                }
            ]
        },
        "FileHashes": {
            "authenticode": [
                {
                    "file_name": "InstantHousecall.dll",
                    "sha256": "902C794600376416A01D2B3F6A9F8159E5DBB536E36CEEA67DAD941770A89CC5",
                    "sha1": "A1ED89927773EEF30426FF2F385473D7CD200FE6"
                },
                {
                    "file_name": "5",
                    "sha256": "1B9641E4F011A1E772B24A5467442E64A17753669C10BD2816F22514B9AFFCB8",
                    "sha1": "29BB81E28D2923CB3DAC30CAB14B8E76EA7A4C76"
                },
                {
                    "file_name": "InstantHousecall.exe",
                    "sha256": "32475B40BEFE076BA5FF9BDC51C8622F8F7C115EF33E370EECCC3E5826F0DAC9",
                    "sha1": "3AF4471CE66DD61ADBFC65DE16999A5C3CE52074"
                }
            ],
            "page": [
                {
                    "file_name": "InstantHousecall.dll",
                    "sha256": "4A6EE4B14651961AF7B60957706810BB773B5E2E60BF6E17D17A9874E30FB157",
                    "sha1": "A3D8271F0626135DDBB2FFAE5904896F0381CC5D"
                },
                {
                    "file_name": "5",
                    "sha256": "163C56D8918C14F83F8890180C902AC3AFA098E16E275A5605C00E0EE6E1BC11",
                    "sha1": "E94FE28C67229F0E393F649CACBFC7F0D2D81559"
                },
                {
                    "file_name": "InstantHousecall.exe",
                    "sha256": "F77A7D194FA5A35FB99746877C8A21CD722E0D6BB8222EF2C5E1FFE129ACFF32",
                    "sha1": "ED8A1754F50E59B112BEFFF6F3ED470F54DDB399"
                }
            ]
        }
    },
    {
        "Name": "Bitvise SSH Server",
        "Category": "RAT",
        "Description": "Bitvise SSH Server is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://bitvise.com/ssh-server",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Program Files\\Bitvise SSH Server\\*",
                "*\\Bitvise SSH Server\\*",
                "*\\BvSshServer-Inst.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bitvise_ssh_server_processes_sigma.yml",
                "Description": "Detects potential process activity of Bitvise SSH Server RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "Bitvise Limited",
                    "certificate_thumbprint": "A6D37D7FDF19B73DB3E3A8D6D77B67DFD423BB22",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "5aa0fd8c3c0c50e452569fbaef291f96b2ae3c9a7b52f80ed34bb48d63a8bcec",
                    "src_file_path": "downloaded_files/bitvise_ssh_server/5aa0fd8c3c0c50e452569fbaef291f96b2ae3c9a7b52f80ed34bb48d63a8bcec",
                    "src_file_company": "Bitvise Limited"
                },
                {
                    "signer_name": "Bitvise Limited",
                    "certificate_thumbprint": "37A4D270989616341908354E3542171EAB364159",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "821fd942cdfeaf4a5fd2083420ce1e6c743008643fd6aa99d5ae64160dcd33a2",
                    "src_file_path": "downloaded_files/bitvise_ssh_server/821fd942cdfeaf4a5fd2083420ce1e6c743008643fd6aa99d5ae64160dcd33a2",
                    "src_file_company": "Bitvise Limited"
                }
            ]
        }
    },
    {
        "Name": "Instant Housecall",
        "Category": "RMM",
        "Description": "Instant Housecall is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://instanthousecall.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "hsloader.exe",
                "InstantHousecall.exe",
                "ihcserver.exe",
                "instanthousecall.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.instanthousecall.com",
                        "secure.instanthousecall.com",
                        "*.instanthousecall.net",
                        "instanthousecall.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_network_sigma.yml",
                "Description": "Detects potential network activity of Instant Housecall RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_processes_sigma.yml",
                "Description": "Detects potential process activity of Instant Housecall RMM tool"
            }
        ],
        "References": [
            "https://instanthousecall.com/features/"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "Net Monitor for Employees",
        "Category": "RMM",
        "Description": "Net Monitor for Employees Professional is a commercial workforce monitoring tool developed by NetworkLookout. Marketed for employee productivity tracking, the software provides capabilities that extend well beyond passive screen monitoring, including reverse shell connections, remote desktop control, file management, and the ability to customize service and process names during installation. These features, while designed for legitimate administrative use, make it an attractive tool for threat actors seeking to blend into enterprise environments without deploying traditional malware.\n",
        "Author": "Daniel Koifman (KoifSec)",
        "Created": "2026-02-12",
        "LastModified": "2026-02-12",
        "Details": {
            "Website": "https://networklookout.com/",
            "Privileges": "User",
            "Free": true,
            "Verification": true,
            "SupportedOS": [
                "Windows",
                "MacOS",
                "Linux"
            ],
            "Capabilities": [
                "Remote Desktop Access",
                "Screen Management",
                "Remote Shell",
                "Connection Management"
            ],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Program Files (x86)\\Net Monitor for Employees Pro\\*",
                "C:\\Program Files\\Net Monitor for Employees Pro\\*",
                "nmep_agtconfig.exe",
                "nmep_ctrlagent.exe",
                "nmep_ctrlagentsvc.exe",
                "winpty-agent.exe",
                "winpty-agent64.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [
            {
                "AQL": "https://github.com/Koifman/LOLRMM/tree/main/detections/sigma/netmonitor_process_sigma.yml",
                "Description": "Detects process activity of Net Monitor for Employees"
            }
        ],
        "References": [
            "https://www.huntress.com/blog/employee-monitoring-simplehelp-abused-in-ransomware-operations",
            "https://networklookout.com/"
        ],
        "Acknowledgement": [
            {
                "Person": "Daniel Koifman",
                "Handle": "@KoifSec"
            }
        ]
    },
    {
        "Name": "GoToAssist (GoTo Resolve)",
        "Category": "RMM",
        "Description": "GoTo Resolve (formerly LogMeIn Resolve) is an all-in-one IT management and remote monitoring and management (RMM) solution designed for small and midsize businesses (SMBs) and managed service providers (MSPs). It combines remote monitoring and management capabilities with remote support and access, ticketing, automation, and helpdesk functionality in a unified platform.\n",
        "Author": "Daniel Koifman (KoifSec)",
        "Created": "2025-11-12",
        "LastModified": "2025-11-12",
        "Details": {
            "Website": "https://www.logmein.com/products/resolve",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "User",
            "Free": false,
            "Verification": true,
            "SupportedOS": [
                "Android",
                "Windows",
                "Mac"
            ],
            "Capabilities": [
                "Command line Support",
                "File System Access",
                "File Transfer",
                "GUI Support",
                "Remote Control"
            ],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Program Files (x86)\\GoTo Resolve Unattended\\*",
                "C:\\Program Files\\GoTo Resolve Unattended\\*",
                "GoToResolveExternalModuleHandler.exe",
                "GoToResolveFileManager.exe",
                "GoToResolveLoggerProcess.exe",
                "GoToResolveNetworkChecker.exe",
                "GoToResolveProcessChecker.exe",
                "GoToResolveQuickView.exe",
                "GoToResolveRegistryEditor.exe",
                "GoToResolveRemoteControl.exe",
                "GoToResolveService.exe",
                "GoToResolveServiceManager.exe",
                "GoToResolveTerminal.exe",
                "GoToResolveTools32.exe",
                "GoToResolveTools64.exe",
                "GoToResolveUi.exe",
                "GoToResolveUnattended.exe",
                "GoToResolveUnattendedRemover.exe",
                "GoToResolveUnattendedUi.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [
                {
                    "EventID": 7045,
                    "ProviderName": "Service Control Manager",
                    "LogFile": "System.evtx",
                    "ServiceName": "GoToResolve_*",
                    "ImagePath": "\"C:\\Program Files (x86)\\GoTo Resolve Unattended\\*\\GoToResolveProcessChecker.exe\" -Service -WorkFolder \"C:\\Program Files (x86)\\GoTo Resolve Unattended\\*\" -ApplicationType \"4\"",
                    "Description": "Service installation event as a result of GoTo Resolve installation."
                },
                {
                    "EventID": 4688,
                    "ProviderName": "Microsoft Windows security auditing",
                    "LogFile": "Security.evtx",
                    "NewProcessName": "C:\\Windows\\System32\\sc.exe",
                    "CreatorProcessName": "C:\\Windows\\System32\\svchost.exe",
                    "CommandLine": "\"C:\\Windows\\system32\\sc.exe\" start GoToResolve_*",
                    "Description": "Process creation event as a result of GoTo Resolve installation."
                }
            ],
            "Registry": [
                {
                    "Path": "HKLM\\SOFTWARE\\GoTo Resolve Unattended\\",
                    "Description": "N/A"
                }
            ],
            "Network": []
        },
        "Detections": [],
        "References": [
            "https://asec.ahnlab.com/en/90968/"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "GoTo Technologies USA, LLC",
                    "certificate_thumbprint": "33023C0243016946C78CCB9B15AC6C203882E5D9",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "5e05eb31ab2b234bf34e66703761f6ff3663376eecf2ced7ec16852d037286cb",
                    "src_file_path": "downloaded_files/gotoassist_(goto_resolve)/5e05eb31ab2b234bf34e66703761f6ff3663376eecf2ced7ec16852d037286cb",
                    "src_file_company": "GoTo, Inc."
                },
                {
                    "signer_name": "GoTo Technologies USA, LLC",
                    "certificate_thumbprint": "8D3FA6EEEBFC68A0FA76CDC4C6AD5982FE07DE91",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "961e704a4d364ee384552af3551bac1de02541d8bcce40d5255fbc8cdea3adb1",
                    "src_file_path": "downloaded_files/gotoassist_(goto_resolve)/961e704a4d364ee384552af3551bac1de02541d8bcce40d5255fbc8cdea3adb1",
                    "src_file_company": "GoTo, Inc."
                }
            ]
        }
    },
    {
        "Name": "SimpleHelp",
        "Category": "RMM",
        "Description": "SimpleHelp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://simple-help.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "simplehelpcustomer.exe",
                "simpleservice.exe",
                "simplegatewayservice.exe",
                "remote access.exe",
                "windowslauncher.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "user_managed",
                        "simple-help.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/simplehelp_network_sigma.yml",
                "Description": "Detects potential network activity of SimpleHelp RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/simplehelp_processes_sigma.yml",
                "Description": "Detects potential process activity of SimpleHelp RMM tool"
            }
        ],
        "References": [
            "https://simple-help.com/remote-support"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "SimpleHelp Ltd",
                    "certificate_thumbprint": "40F61D013FE82F45E7B01D040B4653E8AE80E041",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "77b8f597b7d20d4f7ae84caa5c22b94a8d9e09051f7cdaa17f41890ccf8c77a2",
                    "src_file_path": "downloaded_files/simplehelp/77b8f597b7d20d4f7ae84caa5c22b94a8d9e09051f7cdaa17f41890ccf8c77a2",
                    "src_file_company": "SimpleHelp Ltd                          "
                }
            ]
        }
    },
    {
        "Name": "VNC",
        "Category": "RAT",
        "Description": "VNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "winvnc*.exe",
                "vncserver.exe",
                "winwvc.exe",
                "winvncsc.exe",
                "vncserverui.exe",
                "vncviewer.exe",
                "winvnc.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "user_managed",
                        "realvnc.com/en/connect/download/vnc"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/vnc_network_sigma.yml",
                "Description": "Detects potential network activity of VNC RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/vnc_processes_sigma.yml",
                "Description": "Detects potential process activity of VNC RMM tool"
            }
        ],
        "References": [
            "https://realvnc.com/en/connect/download/vnc"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "Pulseway",
        "Category": "RMM",
        "Description": "Pulseway is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.pulseway.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "PCMonitorManager.exe",
                "pcmonitorsrv.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "pulseway.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pulseway_network_sigma.yml",
                "Description": "Detects potential network activity of Pulseway RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pulseway_processes_sigma.yml",
                "Description": "Detects potential process activity of Pulseway RMM tool"
            }
        ],
        "References": [
            "https://intercom.help/pulseway/en/"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "Kaseya Holdings Inc.",
                    "certificate_thumbprint": "A5C8E6B60B46C4BAE41E1D353873A0A587F11CD5",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "f6f60040d1adeaa011f8a2459e58ac3dfb59c190f45a45fb4ed1f9717ad4ec47",
                    "src_file_path": "downloaded_files/pulseway/f6f60040d1adeaa011f8a2459e58ac3dfb59c190f45a45fb4ed1f9717ad4ec47",
                    "src_file_company": "MMSOFT Design Ltd."
                }
            ]
        }
    },
    {
        "Name": "Supremo",
        "Category": "RMM",
        "Description": "Supremo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.\n",
        "Author": "@KyawPyiytHtet",
        "Created": "2024-08-02",
        "LastModified": "2024-12-02",
        "Details": {
            "Website": "https://www.supremocontrol.com/",
            "PEMetadata": [
                {
                    "Filename": "SupremoSystem.exe",
                    "OriginalFileName": "",
                    "Description": ""
                }
            ],
            "Privileges": "Current User",
            "Free": "",
            "Verification": "None",
            "SupportedOS": [
                "Windows",
                "Linux",
                "MacOS"
            ],
            "Capabilities": [
                "Remote Management session"
            ],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "*\\\\supremoremotedesktop\\\\supremosystem.exe",
                "%USERPROFILE%\\\\AppData\\\\Local\\\\Temp\\\\SupremoRemoteDesktop\\\\",
                "C:\\\\ProgramData\\\\SupremoRemoteDesktop\\\\",
                "supremo.exe",
                "supremohelper.exe",
                "supremoservice.exe",
                "SupremoSystem.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.supremocontrol.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/supremo_network_sigma.yml",
                "Description": "Detects potential network activity of Supremo RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/supremo_processes_sigma.yml",
                "Description": "Detects potential processes activity of Supremo RMM tool"
            }
        ],
        "References": [
            "https://www.supremocontrol.com/"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "search_names": [
                "1ssi28.exe",
                "supremo.exe",
                "supremohelper",
                "supremohelper.exe",
                "supremoservice.exe",
                "supremosystem.exe",
                "xdc6h.exe"
            ],
            "company_names": [],
            "signer_names": [
                "Nanosystems S.r.l."
            ],
            "certificates": [
                {
                    "signer_name": "Nanosystems S.r.l.",
                    "certificate_thumbprint": "D16BC32A1444D341CC91025A4D7183AF5EAAD30B",
                    "tbs_sha256": "F437911CEA37149CDE7F297D4086B2C11B2FF9BDCF803EB5217DEBEFF946AFA2",
                    "tbs_sha1": "",
                    "certificate_der_base64": "MIIIIjCCBgqgAwIBAgIQAXhEUYpXMYiPY6dpG863dTANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xQTA/BgNVBAMTOERpZ2lDZXJ0IFRydXN0ZWQgRzQgQ29kZSBTaWduaW5nIFJTQTQwOTYgU0hBMzg0IDIwMjEgQ0ExMB4XDTIxMTAyNjAwMDAwMFoXDTI0MTIwNDIzNTk1OVowge4xHTAbBgNVBA8MFFByaXZhdGUgT3JnYW5pemF0aW9uMRMwEQYLKwYBBAGCNzwCAQMTAklUMR4wHAYLKwYBBAGCNzwCAQITDUFzY29saSBQaWNlbm8xFDASBgNVBAUTC0FQIC0gMTExOTk3MQswCQYDVQQGEwJJVDEWMBQGA1UECBMNQXNjb2xpIFBpY2VubzEWMBQGA1UEBxMNQXNjb2xpIFBpY2VubzEbMBkGA1UEChMSTmFub3N5c3RlbXMgUy5yLmwuMQswCQYDVQQLEwJJVDEbMBkGA1UEAxMSTmFub3N5c3RlbXMgUy5yLmwuMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAmlGkR1kDigH4IBCSl4WcdhG25IsOFz7Lp4EUauaopjq5HSmWMEmag1onn128rheWx2TCaMB5tfe/ktW2nvGMOS3K9Kc716gKa9usa0cFMnYgiU8oemN00VYpw1d8m/xFAT504o9znXIXBP9oxgjru3Q3hOy6dwluv3K6AJZYURlFK/JivlsRa3Lw6t20sME+kOQjHo+D6y0qoglPs9guejPfeiucO7icYN4gCMDDKH3iskHdZj/hZ1zqMt2W7a+OkSEQTOuNS/DEaVtBG9BSK81nbiilVJomgt7PRSBWndNbyPoeEkJBfzRUPpRUVvW5Igbl2f6gWllR/aNEFdRYjBoE+U+fSlwGtfciXlDDnBU6ChoZRF09ydIOPIN1fvkdz7wWGqMq/VVsmmRF3Jwymb/qBlMc86Qe46bTFY0siWzY3QpAlrv5pOwPPoeGL6S2nEHWbakJ2jLnc1+tGPm6qmnYDgzDBxfbs4bT79eUDDigu7qgoFBR4I8KfL6fyIKFpjroi+qpYVAr3gF4zaLTWHaJzmK6s2trzT2VT50NrIwMXGSohGn2k+ci9Jr07nCMysOFFq39zLqhVN7iE0t91pfwC0uwa+6CxjRIWe+h7tSReTPqNp89FdfNh8B/WgwcF2UYgyq25lJu5Tl6eKGIa8dSKfjrC0cdqZ4dE8/DSf0CAwEAAaOCAj4wggI6MB8GA1UdIwQYMBaAFGg34Ou2O/hfEYb7/mF7CIhl9E5CMB0GA1UdDgQWBBRc3K6kncLX7fLJRiwc8k8VBiCswDA3BgNVHREEMDAuoCwGCCsGAQUFBwgDoCAwHgwcSVQtQVNDT0xJIFBJQ0VOTy1BUCAtIDExMTk5NzAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwgbUGA1UdHwSBrTCBqjBToFGgT4ZNaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZEc0Q29kZVNpZ25pbmdSU0E0MDk2U0hBMzg0MjAyMUNBMS5jcmwwU6BRoE+GTWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0ZWRHNENvZGVTaWduaW5nUlNBNDA5NlNIQTM4NDIwMjFDQTEuY3JsMD0GA1UdIAQ2MDQwMgYFZ4EMAQMwKTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5kaWdpY2VydC5jb20vQ1BTMIGUBggrBgEFBQcBAQSBhzCBhDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMFwGCCsGAQUFBzAChlBodHRwO
i8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkRzRDb2RlU2lnbmluZ1JTQTQwOTZTSEEzODQyMDIxQ0ExLmNydDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4ICAQC1LPut0U9rV6tGe529tU/VX+I1ODdQkpyc7EBp9qsdxDFs9oNpniwAgSXpqwJ/NXjR7UeRZxJemcuE/0TG4F1MZwMO7AUVeCpF+1K/+OHQUYFfA+hUCowD+GpQy52RLdO9HkiEkURSqDn/TkJWWMqtS9pLWPaGiWznBOK5/ppBFQ283NLHagTg9FOlOhHwmv5/TFOQJTXwbT7F6YTC2ExxryQz3shGi9XM9uSQY5KNQfYG5nF+pt0iQzpJe0lPWBCKgIFh0b55OkrAbA5qIuLZpUZr8oN0f4rIkOxzTtDA2Z+tTaeneibQNFk9pZzk1MnuzsjIVuclPkxaqZjulFwisJLhqlJJvQXfN9i+LSPZcgETTd4FtA8zjyYFrgdphjBgwG5NzE175yritvwaB0BWY3Qfyz10kH7Q4W2vlPR58RU8Z1H7J8rQquMgmRoryekS6bbKfZNy9nnbeOxmi9gA7nwjv5o1TX9aPy8rSq7h2roqpWp4ZLUaJ6+aMQd8T4gFU2fjPpW24csLCZwRW2MuPxw0/uCIlPrwc9rDKNnNxfRmZaf/jjImRKiy/V4d0NDOszCYhAHJ3kPJwIG0g00bgDEIN+dsvA0Su4spPx+f/0rYOWjgwQKFuckMo4XfPF4dEW4AAajTLGn+rMIfYNG8s7Y1d/Wmfp3igs+3Shrpgw=="
                },
                {
                    "signer_name": "Nanosystems S.r.l.",
                    "issuer": "CN=DigiCert Global G3 Code Signing ECC SHA384 2021 CA1",
                    "certificate_thumbprint": "C96F520883FA154431F134ED7BFAA91C09D22934",
                    "tbs_sha256": "B62C60F9FAEEAC5190D79A9F01E44BB29347738FD23382EC7CD9D09AEF49D859",
                    "tbs_sha1": "3D5BD403031A8328CCE535FF7794A8B62540335F",
                    "valid_from": "2024-12-09T00:00:00+00:00",
                    "valid_to": "2027-12-08T23:59:59+00:00",
                    "certificate_der_base64": "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"
                }
            ]
        },
        "FileHashes": {
            "authenticode": [
                {
                    "file_name": "SupremoHelper",
                    "sha256": "A4FF9D77D7D2C42E8EDD3D0FB83C26B88A4B79DED4051E8048F3835BE4C6F8DF",
                    "sha1": "5EFA70D9F40D11A22E7955EF0449C49847CAB84C"
                },
                {
                    "file_name": "SupremoHelper",
                    "sha256": "4138192E207173D3E395C1FA7D18CDEB25B0CF7FC74669F5077800324A9B876D",
                    "sha1": "41331BE6BF541B48FC968C0A95976F2393F1D085"
                },
                {
                    "file_name": "SupremoHelper",
                    "sha256": "954EA41E58B9D7D8ACCA0CEE7F8C2739516111EDD0716E16A5A92B49ED16314A",
                    "sha1": "7E310392D889E9E5BA09515B876D7886BBCF397A"
                },
                {
                    "file_name": "SupremoHelper.exe",
                    "sha256": "ECF9262BE1FBB07C178FDE8CC0A95FDB791EAEC56CAAFF317320D9533A46F303",
                    "sha1": "DB25414C5BC82BE949DF93C617335715747B55FF"
                },
                {
                    "file_name": "SupremoHelper.exe",
                    "sha256": "E3D7AF0561A153124480FBCB211B0871C35AEBEF17D67D8BFD2F2D35086C39A7",
                    "sha1": "73A43745273D5F09D2327F9A6B0573BACC7AEF2E"
                },
                {
                    "file_name": "SupremoHelper",
                    "sha256": "FBBAE034BF0EA1D87F98EDC689791225DE258DCD9F4F8DA0A777D97F418029B9",
                    "sha1": "2D457A135913858FC88D14C087A712E95E1A907D"
                },
                {
                    "file_name": "SupremoHelper.exe",
                    "sha256": "5A9F54598326CD46D23B3A56739B75526480DCF68099721EA906C50CAB743200",
                    "sha1": "C5839845056A26B1F8A4EBC750A8E4796344AEDA"
                },
                {
                    "file_name": "xdc6h.exe",
                    "sha256": "A04E22A4C15E1891CF7D2E13184B00CCE31F6B8B0C316716CE64FB14CE91FC17",
                    "sha1": "D1519C61A3FC2A8A36FF4A51716E35BDA9901578"
                },
                {
                    "file_name": "SupremoHelper",
                    "sha256": "BBF3388180B8AD12ACA9017464C82130187150F2746C7E6F37C9102162B2D40A",
                    "sha1": "5E24B307F2007AC742513DBD3B9A59C1A96566C7"
                },
                {
                    "file_name": "1ssi28.exe",
                    "sha256": "AB83573FE4C5210FAF7EA45816EA423FE671F5EADFF7BEAC9228C68D667ED2E7",
                    "sha1": "8F365792E4CB02B376E7A87E21782080D34F31E3"
                },
                {
                    "file_name": "SupremoHelper",
                    "sha256": "C1FB482AF0CC3C3C15A66D5337121BC464541FD85691F563E05F88D302F7DF94",
                    "sha1": "4D6BC8C64A6AAA746908798AC936A1F5C9CD3EAB"
                },
                {
                    "file_name": "SupremoHelper.exe",
                    "sha256": "B5F794FF6325357A57EACF0F2FFBDC41117544B9B96E4509B0AB590958372BB6",
                    "sha1": "2FA3D87B7C009A8E9F192AED1C22848C4DC60315"
                }
            ],
            "page": [
                {
                    "file_name": "SupremoHelper",
                    "sha256": "4F5B1008F9F1716D0B1A901809F88265188B521EAF5F5B69033A864544CF0E3A",
                    "sha1": "F557D9FB6DE4665458A50C089DED7770BA0B63FC"
                },
                {
                    "file_name": "SupremoHelper",
                    "sha256": "976180ED7CF7536991CD96A8DFE21BB9F3CACEFD14E27FD2E7E206327160A3AC",
                    "sha1": "6F90C4A5E9CDB5E1A4FE5D86809B98C9A7D96590"
                },
                {
                    "file_name": "SupremoHelper",
                    "sha256": "BD0027622910094ABF789EB4DAEF15663265A0D121ABDAD6CD2B8AA9B5917518",
                    "sha1": "4AA193C15EA16A37A14C7A48A7F3B6880D04EAD0"
                },
                {
                    "file_name": "SupremoHelper.exe",
                    "sha256": "5C7955E22A8EC8C6F1BF9F74A70D08766439444353C399924149C604DE8F83DF",
                    "sha1": "F33B1E5D75B883C2F4D9CA3F937A3392FAF934BB"
                },
                {
                    "file_name": "SupremoHelper.exe",
                    "sha256": "60AF89DAB29F81EEDE2BB3B4AA287BAA4FEED6E145F53777643073C4677DDE4A",
                    "sha1": "FF82C5B53043CA1C60E51F9637FC231E060200CA"
                },
                {
                    "file_name": "SupremoHelper",
                    "sha256": "F50BD54B026EF91466C4279090032D3C6AD9E49D20CB80BFACAA11373C324207",
                    "sha1": "FAE7E2788D1B95D8E8A69FC6DFD356C06A9B9DC6"
                },
                {
                    "file_name": "SupremoHelper.exe",
                    "sha256": "39238E2D12C218C0751AC949F5F086D3E3F6A8DF72680BD61D7D17324BFDDA6C",
                    "sha1": "32446DBCE30CE08F0AF4A89C5848F4C4185C1ABC"
                },
                {
                    "file_name": "xdc6h.exe",
                    "sha256": "381C2276013C27DA29F950FBB4C731C4D67BA51F3545C3F0F79DB99E2765AE48",
                    "sha1": "16B437426FF24D5F595FC31D3850D2C77E572F1D"
                },
                {
                    "file_name": "SupremoHelper",
                    "sha256": "8FEADCAA5D785B2CF6E6D0A5492084C115D61ED51ECBEA163C9D3F4C9D1BFADE",
                    "sha1": "FF5CBEC1C9CE8F844F19BBDE780A35CD31655A6D"
                },
                {
                    "file_name": "SupremoHelper.exe",
                    "sha256": "008E862924422FD03971865523A6E690E2F1541C35C741A2D22CE57F00BC9304",
                    "sha1": "CAE72609AEC5D5141B02C5B06ED29540C00AFA17"
                }
            ]
        }
    },
    {
        "Name": "Remote Ripple",
        "Category": "RMM",
        "Description": "Remote Ripple is a free VNC viewer client developed by GlavSoft (the creators of TightVNC) for remote desktop access and control. It is a modern, lightweight viewer based on TightVNC technology that allows users to remotely access and control.\n",
        "Author": "Daniel Koifman (KoifSec)",
        "Created": "2025-11-12",
        "LastModified": "2025-11-12",
        "Details": {
            "Website": "https://remoteripple.com",
            "Privileges": "User",
            "Free": true,
            "Verification": false,
            "SupportedOS": [
                "Windows",
                "Mac",
                "Android",
                "iOS"
            ],
            "Capabilities": [
                "Remote Control",
                "Remote View",
                "Clipboard Exchange",
                "File Transfer",
                "Screen Capture"
            ],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Program Files\\Remote Ripple\\*",
                "C:\\Program Files (x86)\\Remote Ripple\\*",
                "RemoteRipple.exe"
            ]
        },
        "Artifacts": {
            "Disk": [
                {
                    "File": "%APPDATA%\\GlavSoft\\RemoteRipple\\*",
                    "Description": "Log files for RemoteRipple",
                    "OS": "Windows"
                },
                {
                    "File": "%TEMP%\\Remote_Ripple_*",
                    "Description": "Temporary files/logs for RemoteRipple",
                    "OS": "Windows"
                }
            ],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [
            {
                "AQL": "https://github.com/Koifman/Deathcon25/blob/main/rmm_rodeo/remoteripple/aql.aql",
                "Description": "QRadar AQL query for detecting Remote Ripple RMM activity"
            }
        ],
        "References": [
            "https://remoteripple.com"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "Quick Assist",
        "Category": "RAT",
        "Description": "Quick Assist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://support.microsoft.com/windows/solve-pc-problems-remotely-using-quick-assist-b077e31a-16f4-2529-1a47-21f6a9040bf3",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "quickassist.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.support.services.microsoft.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quick_assist_network_sigma.yml",
                "Description": "Detects potential network activity of Quick Assist RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quick_assist_processes_sigma.yml",
                "Description": "Detects potential processes activity of Quick Assist RMM tool"
            }
        ],
        "References": [
            "https://github.com/magicsword-io/LOLRMM/issues/46"
        ],
        "Acknowledgement": [
            {
                "Person": "bittib010",
                "Handle": "@bittib010"
            }
        ],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "GlobalSigningDig",
                    "certificate_thumbprint": "DE523085FB77B3D8B78E80EF14BC627772C6E1D0",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "0f6269a8095b8c622ea2b864df5fd6f09f676f0a5f87618d475b936e27b19af3",
                    "src_file_path": "downloaded_files/quick_assist/0f6269a8095b8c622ea2b864df5fd6f09f676f0a5f87618d475b936e27b19af3",
                    "src_file_company": "Microsoft Corporation"
                },
                {
                    "signer_name": "CodeSigningMico",
                    "certificate_thumbprint": "6116BB0D666C358E66E8E18E25B8C147B9C0F2F6",
                    "certificate_der_base64": "MIIDBDCCAeygAwIBAgIQb/mz6VvfdIVCveBrem6XCTANBgkqhkiG9w0BAQsFADAaMRgwFgYDVQQDDA9Db2RlU2lnbmluZ01pY28wHhcNMjUxMDI4MjExMzI3WhcNMjYxMDI4MjEzMzI3WjAaMRgwFgYDVQQDDA9Db2RlU2lnbmluZ01pY28wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDZuvZi1Hj4Jm1u++tpo5pREUTd8ryNRtZA8EXsQhRgLc8P65gfpg5owobw8rgpEgoVB2WWhREVotBzt9cdsHNECmQb30HXuVQdeGjsFu+cvTy0+l+EN5M8tHHdfXEv4b04O45KsHiivKWTFM/MRQVI5iY5u+4vOimrUnH70c2KPmvqKIvaDqQz2XReMe5JBG3UguVdn2IL4Csmg9kL++oM8wIEoP4mj8gG3+5pHeoPSLKEIxolkascHIl6WGeNd7T4fvu8KNSDhNAYzS84x3el2HvRCBqwJ/Xqhesp2WCYFmmzOJbv1mIICPT29qbGO5pYTSmDZZsGWPmdJE3jgah5AgMBAAGjRjBEMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUvozeOtjQSswck1CbmPJnPd9mAXcwDQYJKoZIhvcNAQELBQADggEBAFvjyqepTkG5dST/G10jUjgLwmnTC27dImW5mcG4B3VZLWGzYH1Wh8HnXCn8y9hHFqhIWqr1j22paxDeNm9biasfFvyJ/4WQqxoi/cBY/niIIP08IqlMCakJPqfZYlEw3krYeDmtXAIAuJyWeEwlG2mFfxf+TOLhUoOKwnBtN+CoSE7+TP1+83HHT0hR+i2Lt6pNdqJQENy1lxZRYkTdSKVglZMwASLnCfVtslhmnFTMabrADWUWNtpZRrP7+5fUYQ/h3xUFy8aQ7hOHRPpyjs9M0vh6c+qr0xXl7qpHHcLad8NLZzuICoA7wKBc7uKuDyjvk24cVoSpc2pV6vbBC8M=",
                    "src_file_sha256": "9653b13e7bfa2f3be8a175ff895e5bf46537e5f742905751282f956e39587b0b",
                    "src_file_path": "downloaded_files/quick_assist/9653b13e7bfa2f3be8a175ff895e5bf46537e5f742905751282f956e39587b0b",
                    "src_file_company": "Microsoft Corporation"
                }
            ]
        }
    },
    {
        "Name": "Netop Remote Control (Impero Connect)",
        "Category": "RMM",
        "Description": "Netop Remote Control (Impero Connect) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://netop.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "nhostsvc.exe",
                "nhstw32.exe",
                "ngstw32.exe",
                "Netop Ondemand.exe",
                "nldrw32.exe",
                "rmserverconsolemediator.exe",
                "ImperoInit.exe",
                "Connect.Backdrop.cloud*.exe",
                "ImperoClientSVC.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.connect.backdrop.cloud",
                        "*.netop.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__impero_connect__network_sigma.yml",
                "Description": "Detects potential network activity of Netop Remote Control (Impero Connect) RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__impero_connect__processes_sigma.yml",
                "Description": "Detects potential processes activity of Netop Remote Control (Impero Connect) RMM tool"
            }
        ],
        "References": [
            "https://kb.netop.com/article/firewall-and-proxy-server-considerations-when-using-netop-portal-communication-373.html"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "Impero Solutions Limited",
                    "certificate_thumbprint": "E1A00BFD8338A6C9EADC315BF89568DB43DD2220",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "2ef170a512ba3763050cca4f64055f658ff1df5bdf45784dae8b51256bd3c07c",
                    "src_file_path": "downloaded_files/netop_remote_control_(impero_connect)/2ef170a512ba3763050cca4f64055f658ff1df5bdf45784dae8b51256bd3c07c",
                    "src_file_company": "Impero Solutions ltd"
                },
                {
                    "signer_name": "NETOP TECH SRL",
                    "certificate_thumbprint": "311FD401E4AA27E856311EAE5D80C31CDE46A67C",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "bdb200d53531c7c66b74b36f622981de8eae40c7833cbea6190877eea10a8cb0",
                    "src_file_path": "downloaded_files/netop_remote_control_(impero_connect)/bdb200d53531c7c66b74b36f622981de8eae40c7833cbea6190877eea10a8cb0",
                    "src_file_company": "Netop Solutions Limited"
                }
            ]
        }
    },
    {
        "Name": "TeamViewer",
        "Category": "RMM",
        "Description": "TeamViewer is a remote monitoring and management (RMM) tool.\n",
        "Author": "Nasreddine Bencherchali, Michael Haag",
        "Created": "2024-08-02",
        "LastModified": "2025-12-14",
        "Details": {
            "Website": "https://www.teamviewer.com/en",
            "PEMetadata": [
                {
                    "Filename": "TeamViewer.exe",
                    "OriginalFileName": "",
                    "Description": "",
                    "Product": "TeamViewer"
                }
            ],
            "Privileges": "user",
            "Free": true,
            "Verification": false,
            "SupportedOS": [
                "Android",
                "ChromeOS",
                "IOS",
                "Linux",
                "Mac",
                "Windows"
            ],
            "Capabilities": [],
            "Vulnerabilities": [
                "https://www.cvedetails.com/vulnerability-list/vendor_id-11100/product_id-19942/Teamviewer-Teamviewer.html"
            ],
            "InstallationPaths": [
                "C:\\Program Files\\TeamViewer\\",
                "teamviewer_desktop.exe",
                "teamviewer_service.exe",
                "teamviewerhost"
            ]
        },
        "Artifacts": {
            "Disk": [
                {
                    "File": "C:\\Users\\<username>\\AppData\\Local\\Temp\\TeamViewer\\TV15Install.log",
                    "Description": "N/A",
                    "OS": "Windows"
                },
                {
                    "File": "TeamViewer\\d\\d_Logfile\\.log",
                    "Description": "N/A",
                    "OS": "Windows",
                    "Type": "Regex"
                },
                {
                    "File": "C:\\Program Files\\TeamViewer\\Connections_incoming.txt",
                    "Description": "N/A",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files\\TeamViewer\\TVNetwork.log",
                    "Description": "N/A",
                    "OS": "Windows"
                },
                {
                    "File": "%LOCALAPPDATA%\\Temp\\TeamViewer\\TV15Install.log",
                    "Description": "N/A",
                    "OS": "Windows"
                },
                {
                    "File": "%APPDATA%\\\\TeamViewer\\\\TeamViewer\\d\\d_Logfile\\.log",
                    "Description": "N/A",
                    "OS": "Windows",
                    "Type": "Regex"
                },
                {
                    "File": "teamviewerqs.exe",
                    "Description": "N/A",
                    "OS": "Windows"
                },
                {
                    "File": "tv_w32.exe",
                    "Description": "N/A",
                    "OS": "Windows"
                },
                {
                    "File": "tv_w64.exe",
                    "Description": "N/A",
                    "OS": "Windows"
                },
                {
                    "File": "tv_x64.exe",
                    "Description": "N/A",
                    "OS": "Windows"
                },
                {
                    "File": "teamviewer.exe",
                    "Description": "N/A",
                    "OS": "Windows"
                },
                {
                    "File": "teamviewer_service.exe",
                    "Description": "N/A",
                    "OS": "Windows"
                },
                {
                    "File": "%LOCALAPPDATA%\\TeamViewer\\Database\\tvchatfilecache.db",
                    "Description": "SQlite 3 database storing cache about TeamViewer chat",
                    "OS": "Windows"
                },
                {
                    "File": "%LOCALAPPDATA%\\TeamViewer\\RemotePrinting\\tvprint.db",
                    "Description": "SQlite 3 database storing TeamViewer print jobs",
                    "OS": "Windows"
                },
                {
                    "File": "%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\TeamViewer.lnk",
                    "Description": "N/A",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files*\\TeamViewer\\connections*.txt",
                    "Description": "N/A",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Users\\*\\AppData\\Roaming\\TeamViewer\\MRU\\RemoteSupport\\*tvc",
                    "Description": "N/A",
                    "OS": "Windows"
                }
            ],
            "EventLog": [
                {
                    "EventID": 7045,
                    "ProviderName": "Service Control Manager",
                    "LogFile": "System.evtx",
                    "ServiceName": "TeamViewer",
                    "ImagePath": "\"C:\\\\Program Files\\\\TeamViewer\\\\TeamViewer_Service.exe\"",
                    "Description": "Service installation event as result of TeamViewer installation."
                }
            ],
            "Registry": [
                {
                    "Path": "HKLM\\SOFTWARE\\TeamViewer\\*",
                    "Description": "N/A"
                },
                {
                    "Path": "HKU\\<SID>\\SOFTWARE\\TeamViewer\\*",
                    "Description": "N/A"
                },
                {
                    "Path": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\TeamViewer\\*",
                    "Description": "N/A"
                },
                {
                    "Path": "HKLM\\SOFTWARE\\TeamViewer\\ConnectionHistory",
                    "Description": "N/A"
                },
                {
                    "Path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\TeamViewer\\*",
                    "Description": "N/A"
                },
                {
                    "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\MainWindowHandle",
                    "Description": "N/A"
                },
                {
                    "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImage",
                    "Description": "N/A"
                },
                {
                    "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImagePath",
                    "Description": "N/A"
                },
                {
                    "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImagePosition",
                    "Description": "N/A"
                },
                {
                    "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\MinimizeToTray",
                    "Description": "N/A"
                },
                {
                    "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioUserSelectedCapturingEndpoint",
                    "Description": "N/A"
                },
                {
                    "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioSendingVolumeV2",
                    "Description": "N/A"
                },
                {
                    "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioUserSelectedRenderingEndpoint",
                    "Description": "N/A"
                },
                {
                    "Path": "HKLM\\SOFTWARE\\TeamViewer\\ConnectionHistory",
                    "Description": "N/A"
                },
                {
                    "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\ClientWindow_Mode",
                    "Description": "N/A"
                },
                {
                    "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\ClientWindowPositions",
                    "Description": "N/A"
                }
            ],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.teamviewer.com"
                    ],
                    "Ports": []
                },
                {
                    "Description": "N/A",
                    "Domains": [
                        "router15.teamviewer.com"
                    ],
                    "Ports": [
                        443
                    ]
                },
                {
                    "Description": "N/A",
                    "Domains": [
                        "client.teamviewer.com"
                    ],
                    "Ports": [
                        443
                    ]
                },
                {
                    "Description": "N/A",
                    "Domains": [
                        "taf.teamviewer.com"
                    ],
                    "Ports": [
                        443
                    ]
                }
            ],
            "Other": [
                {
                    "Type": "Mutex",
                    "Value": "TeamViewer_LogMutex"
                },
                {
                    "Type": "Mutex",
                    "Value": "TeamViewerHooks_DynamicMemMutex"
                },
                {
                    "Type": "Mutex",
                    "Value": "TeamViewer3_Win32_Instance_Mutex"
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_registry_sigma.yml",
                "Description": "Detects potential registry activity of TeamViewer RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_network_sigma.yml",
                "Description": "Detects potential network activity of TeamViewer RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_files_sigma.yml",
                "Description": "Detects potential files activity of TeamViewer RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_processes_sigma.yml",
                "Description": "Detects potential processes activity of TeamViewer RMM tool"
            }
        ],
        "References": [
            "https://community.teamviewer.com/English/kb/articles/4139-ports-used-by-teamviewer",
            "https://arista.my.site.com/AristaCommunity/s/article/Security-Analysis-TeamViewer#",
            "https://www.teamviewer.com/en/global/support/knowledge-base/teamviewer-classic/troubleshooting/log-file-reading-incoming-connection/",
            "https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html",
            "https://github.com/Purp1eW0lf/Blue-Team-Notes"
        ],
        "Acknowledgement": [
            {
                "Person": "Théo Letailleur",
                "Handle": "in/theosyn"
            }
        ],
        "CodeSigning": {
            "search_names": [
                "teamviewer_desktop.exe",
                "teamviewer_service.exe"
            ],
            "company_names": [],
            "signer_names": [
                "TeamViewer Germany GmbH",
                "TeamViewer GmbH"
            ],
            "certificates": [
                {
                    "signer_name": "TeamViewer GmbH",
                    "certificate_thumbprint": "N/A",
                    "tbs_sha256": "",
                    "tbs_sha1": "8A32858C446E0F681927B02BECA029F854B98D31"
                },
                {
                    "signer_name": "TeamViewer Germany GmbH",
                    "certificate_thumbprint": "777A41024CF413CCB49B3434565545C0D78D80E9",
                    "tbs_sha256": "290C3846B4E52E99DD2B7E5FA600BDB51972D7A3CFD37BA67AC1ED362CC1CA93",
                    "tbs_sha1": "",
                    "certificate_der_base64": "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"
                },
                {
                    "signer_name": "TeamViewer Germany GmbH",
                    "certificate_thumbprint": "N/A",
                    "tbs_sha256": "",
                    "tbs_sha1": "EA00EEBFABBB1D7DB243AFE1349D536A812B0EBF"
                },
                {
                    "signer_name": "TeamViewer Germany GmbH",
                    "issuer": "CN=DigiCert Assured ID Code Signing CA-1",
                    "certificate_thumbprint": "05CDF79B0EFFFF361DAC0363ADAA75B066C49DE0",
                    "tbs_sha256": "DFD5337289D8F9FC748CCC9A7DC597EEEFEA7ABEA5AF736AFFD09CAC8145AADB",
                    "tbs_sha1": "EA00EEBFABBB1D7DB243AFE1349D536A812B0EBF",
                    "valid_from": "2019-12-19T00:00:00+00:00",
                    "valid_to": "2020-12-23T12:00:00+00:00",
                    "certificate_der_base64": "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"
                },
                {
                    "signer_name": "TeamViewer GmbH",
                    "issuer": "CN=DigiCert Assured ID Code Signing CA-1",
                    "certificate_thumbprint": "7709C8FE112562666C7AC973E43831BA9FADBB54",
                    "tbs_sha256": "454E97CEB89961E5C52E60CC9D4E231DE06BF61747113B90850819EE1EBE19E0",
                    "tbs_sha1": "8A32858C446E0F681927B02BECA029F854B98D31",
                    "valid_from": "2019-02-11T00:00:00+00:00",
                    "valid_to": "2019-12-31T12:00:00+00:00",
                    "certificate_der_base64": "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"
                }
            ]
        }
    },
    {
        "Name": "Ericom AccessNow",
        "Category": "RMM",
        "Description": "Ericom AccessNow is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.ericom.com/connect-accessnow/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "accessserver*.exe",
                "accessserver.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "user_managed",
                        "ericom.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_accessnow_network_sigma.yml",
                "Description": "Detects potential network activity of Ericom AccessNow RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_accessnow_processes_sigma.yml",
                "Description": "Detects potential process activity of Ericom AccessNow RMM tool"
            }
        ],
        "References": [
            "https://www.ericom.com/connect-accessnow/"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "Itarian",
        "Category": "RMM",
        "Description": "Itarian is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2025-12-14",
        "Details": {
            "Website": "https://www.itarian.com/rmm/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "ITSMAgent.exe",
                "RViewer.exe",
                "ItsmRsp.exe",
                "RAccess.exe",
                "RmmService.exe",
                "ITarianRemoteAccessSetup.exe",
                "RDesktop.exe",
                "ComodoRemoteControl.exe",
                "ITSMService.exe",
                "RHost.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "mdmsupport.comodo.com",
                        "*.itsm-us1.comodo.com",
                        "*.cmdm.comodo.com",
                        "remoteaccess.itarian.com",
                        "servicedesk.itarian.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itarian_network_sigma.yml",
                "Description": "Detects potential network activity of Itarian RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itarian_processes_sigma.yml",
                "Description": "Detects potential process activity of Itarian RMM tool"
            }
        ],
        "References": [
            "https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "search_names": [
                "itsmagent.exe",
                "raccess.exe",
                "rhost.exe",
                "rmmservice.exe",
                "rviewer.exe"
            ],
            "company_names": [],
            "signer_names": [
                "Comodo Security Solutions\\",
                "ITarian LLC"
            ],
            "certificates": [
                {
                    "signer_name": "ITarian LLC",
                    "certificate_thumbprint": "9D4297D5CEBB398B79354FA98031FB577884078F",
                    "tbs_sha256": "2B3DE9FC259D3C485E40ED5B31E094B1EB24501EE25E9FCB9D02225E817F0DBE",
                    "tbs_sha1": "",
                    "certificate_der_base64": "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"
                },
                {
                    "signer_name": "Comodo Security Solutions\\",
                    "issuer": "CN=Sectigo Public Code Signing CA R36",
                    "certificate_thumbprint": "6A2DD5420C34A602C048F8D79BE52690F101001B",
                    "tbs_sha256": "2E4765F85AE2822A8FAC2C12D791CCC86F74D8478B50D57B17E34B244D02DCC2",
                    "tbs_sha1": "A280740D90D992EBBF302AC397DC06ABBDFB348C",
                    "valid_from": "2023-03-17T00:00:00+00:00",
                    "valid_to": "2024-03-16T23:59:59+00:00",
                    "certificate_der_base64": "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"
                },
                {
                    "signer_name": "ITarian LLC",
                    "certificate_thumbprint": "83684997F1ACE5AE105E670E8094EDB2AD0879FD",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "aa7edf0e682942968173fd8904f01cae187262e6952c3c8e24dc1f8b4f2377ac",
                    "src_file_path": "downloaded_files/itarian/aa7edf0e682942968173fd8904f01cae187262e6952c3c8e24dc1f8b4f2377ac",
                    "src_file_company": "ITarian"
                }
            ]
        }
    },
    {
        "Name": "Remote Desktop Plus",
        "Category": "RAT",
        "Description": "Remote Desktop Plus is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.donkz.nl/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "rdp.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "donkz.nl"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_desktop_plus_network_sigma.yml",
                "Description": "Detects potential network activity of Remote Desktop Plus RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_desktop_plus_processes_sigma.yml",
                "Description": "Detects potential process activity of Remote Desktop Plus RMM tool"
            }
        ],
        "References": [
            "https://www.donkz.nl/"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "Plooto Star Inc",
                    "certificate_thumbprint": "2347883329B8455D0A0F0D207A3A2279B339DFE8",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "44b8093cc6cee4dc28ac779675983f2cbdc74fc33837a16758f988163794bd97",
                    "src_file_path": "downloaded_files/remote_desktop_plus/44b8093cc6cee4dc28ac779675983f2cbdc74fc33837a16758f988163794bd97",
                    "src_file_company": "                                                            "
                }
            ]
        }
    },
    {
        "Name": "SmartCode Web VNC",
        "Category": "RAT",
        "Description": "SmartCode Web VNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.s-code.com/products/viewerx/webvnc.aspx",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Program Files\\TightVNC\\*",
                "*\\TightVNC\\*"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [],
        "References": [],
        "Acknowledgement": []
    },
    {
        "Name": "GoToAssist Agent Desktop Console",
        "Category": "RMM",
        "Description": "GoToAssist Agent Desktop Console is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://console.gotoassist.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\*\\G2RDesktopConsole-x64.msi",
                "*\\G2RDesktopConsole-x64.msi"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [],
        "References": [],
        "Acknowledgement": []
    },
    {
        "Name": "HelpU",
        "Category": "RMM",
        "Description": "HelpU is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://helpu.co.kr/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "helpu_install.exe",
                "HelpuUpdater.exe",
                "HelpuManager.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "helpu.co.kr",
                        "*.helpu.co.kr"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpu_network_sigma.yml",
                "Description": "Detects potential network activity of HelpU RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpu_processes_sigma.yml",
                "Description": "Detects potential process activity of HelpU RMM tool"
            }
        ],
        "References": [
            "https://helpu.co.kr/"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "helpU Inc.",
                    "certificate_thumbprint": "15102A912051E6360AB9F64B9136B2A399FB6DAC",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "759ee372252febb7326a65400e44e377a0f68c8e50b3e06184611ff71357b9e3",
                    "src_file_path": "downloaded_files/helpu/759ee372252febb7326a65400e44e377a0f68c8e50b3e06184611ff71357b9e3",
                    "src_file_company": "HelpU"
                }
            ]
        }
    },
    {
        "Name": "NordLocker",
        "Category": "RAT",
        "Description": "NordLocker is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://nordlocker.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": []
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [],
        "References": [],
        "Acknowledgement": []
    },
    {
        "Name": "NoteOn-desktop sharing",
        "Category": "RAT",
        "Description": "NoteOn-desktop sharing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "nateon*.exe",
                "nateon.exe",
                "nateonmain.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/noteon-desktop_sharing_processes_sigma.yml",
                "Description": "Detects potential process activity of NoteOn-desktop sharing RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "NATE Communications Corporation",
                    "certificate_thumbprint": "37620F2004EDE612CC3BC49AAA80493FBF908482",
                    "certificate_der_base64": "MIIH5jCCBc6gAwIBAgIQC6WpjL29f6+0Vba5Rhs3BTANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xQTA/BgNVBAMTOERpZ2lDZXJ0IFRydXN0ZWQgRzQgQ29kZSBTaWduaW5nIFJTQTQwOTYgU0hBMzg0IDIwMjEgQ0ExMB4XDTI1MDMxMTAwMDAwMFoXDTI4MDMxMjIzNTk1OVowge4xEzARBgsrBgEEAYI3PAIBAxMCS1IxFjAUBgsrBgEEAYI3PAIBAhMFU2VvdWwxHTAbBgNVBA8MFFByaXZhdGUgT3JnYW5pemF0aW9uMRcwFQYDVQQFEw4xMTAxMTEtMTMyMjg4NTELMAkGA1UEBhMCS1IxDjAMBgNVBAgTBVNlb3VsMRYwFAYDVQQHEw1KdW5nIERpc3RyaWN0MSgwJgYDVQQKEx9OQVRFIENvbW11bmljYXRpb25zIENvcnBvcmF0aW9uMSgwJgYDVQQDEx9OQVRFIENvbW11bmljYXRpb25zIENvcnBvcmF0aW9uMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtYNvnAddRFB84JgyXQ4b9dLQ60/Slu98k/51H/fdMG2njcyhw9xL4RF/99JVNJiKfYkW7dE9kQj7dFThE8zZRgXigUF+/pXby0/t9E18cvHTwHIwNTzwoZGyREodZFqQwuISc2H9hZTAnWwJRvIPxZlXvnwuod5re1aZ4utk/QArMZaBhrqnoYVuOVpQ2sqe5S0D+e0fSGKFjVYR7PREMUSDQ7GMqJMaFdMMwb/WpsZzyWNcOM7WUVZXwry+tAfQjUj03bxys1HJZC2HPn91GUwJXvOCfNwA8EQ5MLNBto4L/2Ne6i711wdKUN1DblI5/oNO0yaAx1su/7B0bKSv2Wxs90pMIrMpqWYZiJV4JFabvydeiNdwDO6P6GrIghmC98wYuSLkMJGMDgl3dIKnlMtWptt0GkLgq4OUsb+aZGaDABQcGSfwnSEP95boSWctVEafXCYQ7bnv2pmXzrWuWzSrIYSmnu4oK2VaogtDd8yq2kbyBCa1AE6Ga8Kv4HmUmCHPO9LjRncezD+MBN8s0VuhY01rsD/X9eKRBIKY7jEdC+uU2APmCKssaXjFtv89TFuXQzwEFU+v8cNfmeSoNvW4zqFg3oUxjcI9nBhx+EXzLulFxymFw/xKFFUMXZh0Hb2vMU8hgO9K7Y3e31Pud0gz++D0aZDR0tX/nQv7TZUCAwEAAaOCAgIwggH+MB8GA1UdIwQYMBaAFGg34Ou2O/hfEYb7/mF7CIhl9E5CMB0GA1UdDgQWBBRgrNsEZTj86yNO1UmidxHfGInwDDA9BgNVHSAENjA0MDIGBWeBDAEDMCkwJwYIKwYBBQUHAgEWG2h0dHA6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwgbUGA1UdHwSBrTCBqjBToFGgT4ZNaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZEc0Q29kZVNpZ25pbmdSU0E0MDk2U0hBMzg0MjAyMUNBMS5jcmwwU6BRoE+GTWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0ZWRHNENvZGVTaWduaW5nUlNBNDA5NlNIQTM4NDIwMjFDQTEuY3JsMIGUBggrBgEFBQcBAQSBhzCBhDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMFwGCCsGAQUFBzAChlBodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkRzRDb2RlU2lnbmluZ1JTQTQwO
TZTSEEzODQyMDIxQ0ExLmNydDAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBCwUAA4ICAQB1PxGf4oYj4+AjNSIxLg6u76F49Ye7TLknlbyBXEZ2rSmib6whyzqMr8lpCkK1OuL3oL4zm/Vt1ZWOgnkf/PhWg1K14b1wmb2WU8SLt/zlz1Ya0urObk1e02IcrNtdfrbsi8h1+ZPQR6+NBAgJB2Ah9PPfh/lbpuhy8Q79qv3T28gJBU/LdIxIpkHsrhFGyGWZk8ZypuKm4NqHkVJQ9ToqrC6V6R09fm3j7IijZdFU25zyEzeWW4yL1+9cyNd+/adR288dn3HalLl/syEVAkeaE4CO/b72jEzdG6YG4uL4m0Xsa5+6IXu4MtXa+jsFqe0XKitM9NEjVN29pkTU15VjSc3lLJd8CSWm8NPI3niizWQf5NDZy1hzZ02n+LqyBFndB+pgtE4wgt/3JCiL2XdovtudbE7+PpIYLcWUq5/pDShydX5pqS/PU/hbnyKNC3Fi+4JSEu8W0kndvr76HC3w7fnjtIEaQK7Be8+JH9cct+vzHCQnm3RzUn5jBtvBTfz355eoH7DfIlYF1FQJjyjNc0EPAw+Hdu8U7LUJcyhM+l6X4xkSWo0n6R3lTnZn7ZzPoqphCm0nVYqMQsxJCUG0r6Fo+b6W8PDXg6MDJvxkHFuvdYy4U1a6vVB13P1pjPisn+Jfz5f8WV3NQV3SC+sad/J/qBWPJiMlm6HuqXGT7A==",
                    "src_file_sha256": "dd6cae30fa01137e95bc035020663bd43077affe942be4624e57bb3ac2922756",
                    "src_file_path": "downloaded_files/noteon-desktop_sharing/dd6cae30fa01137e95bc035020663bd43077affe942be4624e57bb3ac2922756",
                    "src_file_company": "NATE Communications Corporation"
                },
                {
                    "signer_name": "SK COMMUNICATIONS CO.,LTD",
                    "certificate_thumbprint": "40750B075A5704CD382DAF3EC75C720E9F2FF3FA",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "fcbd2b2c27c1f53007b16f63b7f611b9cf1499362426b08c26f7a924675dfc5c",
                    "src_file_path": "downloaded_files/noteon-desktop_sharing/fcbd2b2c27c1f53007b16f63b7f611b9cf1499362426b08c26f7a924675dfc5c",
                    "src_file_company": "SK Communications"
                }
            ]
        }
    },
    {
        "Name": "Apple Remote Desktop",
        "Category": "RAT",
        "Description": "Apple Remote Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.apple.com/remotedesktop/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "ARDAgent.app"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "user_managed"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/apple_remote_desktop_network_sigma.yml",
                "Description": "Detects potential network activity of Apple Remote Desktop RMM tool"
            }
        ],
        "References": [
            "https://support.apple.com/guide/remote-desktop/install-and-set-up-remote-desktop-apdf49e03a4/mac"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "RealVNC",
        "Category": "RAT",
        "Description": "RealVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.realvnc.com/en/connect/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": []
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [],
        "References": [],
        "Acknowledgement": []
    },
    {
        "Name": "Parallels Access",
        "Category": "RMM",
        "Description": "Parallels Access is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.parallels.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "parallelsaccess-*.exe",
                "TSClient.exe",
                "prl_deskctl_agent.exe",
                "prl_deskctl_wizard.exe",
                "prl_pm_service.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.parallels.com",
                        "parallels.com/products/ras/try"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/parallels_access_network_sigma.yml",
                "Description": "Detects potential network activity of Parallels Access RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/parallels_access_processes_sigma.yml",
                "Description": "Detects potential process activity of Parallels Access RMM tool"
            }
        ],
        "References": [
            "https://kb.parallels.com/en/129097"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "BeAnyWhere",
        "Category": "RMM",
        "Description": "BeAnyWhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.n-able.com/products/take-control",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "basuptshelper.exe",
                "basupsrvcupdate.exe",
                "BASupApp.exe",
                "BASupSysInf.exe",
                "BASupAppSrvc.exe",
                "TakeControl.exe",
                "BASupAppElev.exe",
                "basupsrvc.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "beanywhere.en.uptodown.com/windows",
                        "beanywhere.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beanywhere_network_sigma.yml",
                "Description": "Detects potential network activity of BeAnyWhere RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beanywhere_processes_sigma.yml",
                "Description": "Detects potential process activity of BeAnyWhere RMM tool"
            }
        ],
        "References": [
            "https://www.shouldiremoveit.com/beanywhere-support-service-40908-program.aspx"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "N-ABLE TECHNOLOGIES LTD",
                    "certificate_thumbprint": "069C1914D45A50A709E2D71F36EC2F56CB202995",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "6a054444b16470b59c0ff13ada9e9cab8268631112507b6973d7e6d62f3b9fc4",
                    "src_file_path": "downloaded_files/beanywhere/6a054444b16470b59c0ff13ada9e9cab8268631112507b6973d7e6d62f3b9fc4"
                }
            ]
        }
    },
    {
        "Name": "Addigy",
        "Category": "RMM",
        "Description": "Addigy is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://addigy.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "addigy-*.pkg"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "prod.addigy.com",
                        "grtmprod.addigy.com",
                        "agents.addigy.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/addigy_network_sigma.yml",
                "Description": "Detects potential network activity of Addigy RMM tool"
            }
        ],
        "References": [
            "https://addigy.com/"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "ServerEye",
        "Category": "RMM",
        "Description": "ServerEye is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.servereye.de/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "servereye*.exe",
                "ServiceProxyLocalSys.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.server-eye.de"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/servereye_network_sigma.yml",
                "Description": "Detects potential network activity of ServerEye RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/servereye_processes_sigma.yml",
                "Description": "Detects potential processes activity of ServerEye RMM tool"
            }
        ],
        "References": [
            "https://www.servereye.de/wp-content/uploads/Anleitung-zur-Erstinstallation_aktuell.pdf"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "GotoHTTP",
        "Category": "RMM",
        "Description": "GotoHTTP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://gotohttp.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "GotoHTTP_x64.exe",
                "gotohttp.exe",
                "GotoHTTP*.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.gotohttp.com",
                        "gotohttp.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotohttp_network_sigma.yml",
                "Description": "Detects potential network activity of GotoHTTP RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotohttp_processes_sigma.yml",
                "Description": "Detects potential processes activity of GotoHTTP RMM tool"
            }
        ],
        "References": [
            "https://gotohttp.com/goto/help.12x"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "合肥屏播网络科技有限公司",
                    "certificate_thumbprint": "9B4608217ED049C33A9D76184479BCAB06D957DC",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "baa575f60e834659befcce4a23c2be4ab5e2d8267f9e6558e01f8e915ccb0247",
                    "src_file_path": "downloaded_files/gotohttp/baa575f60e834659befcce4a23c2be4ab5e2d8267f9e6558e01f8e915ccb0247",
                    "src_file_company": "Pingbo Inc"
                }
            ]
        }
    },
    {
        "Name": "Splashtop",
        "Category": "RMM",
        "Description": "Splashtop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "Nasreddine Bencherchali",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.splashtop.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Program Files (x86)\\Splashtop\\*",
                "*\\Splashtop\\Splashtop Remote\\Client for RMM\\*",
                "strwinclt.exe"
            ]
        },
        "Artifacts": {
            "Disk": [
                {
                    "File": "C:\\windows\\System32\\winevt\\Logs\\Splashtop-Splashtop Streamer-Status%4Operational.evtx",
                    "Description": "N/A",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\windows\\System32\\winevt\\Logs\\Splashtop-Splashtop Streamer-Remote Session%4Operational.evtx",
                    "Description": "N/A",
                    "OS": "Windows"
                },
                {
                    "File": "%PROGRAMDATA%\\Splashtop\\Temp\\log\\FTCLog.txt",
                    "Description": "N/A",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\agent_log.txt",
                    "Description": "N/A",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\SPLog.txt",
                    "Description": "N/A",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\svcinfo.txt",
                    "Description": "N/A",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\sysinfo.txt",
                    "Description": "N/A",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRService.exe",
                    "Description": "Splashtop Remote Service",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRAgent.exe",
                    "Description": "SplashTop Remote Agent",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Software Updater\\SSUAgent.exe",
                    "Description": "Splashtop Updater",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRUtility.exe",
                    "Description": "N/A",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRFeature.exe",
                    "Description": "N/A",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\db\\SRAgent.sqlite3",
                    "Description": "N/A",
                    "OS": "Windows"
                }
            ],
            "EventLog": [
                {
                    "EventID": 7045,
                    "ProviderName": "Service Control Manager",
                    "LogFile": "System.evtx",
                    "ServiceName": "Splashtop Software Updater Service",
                    "ImagePath": "\"C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Software Updater\\\\SSUService.exe\"",
                    "Description": "Service installation event as result of Splashtop Software Updater Service installation."
                },
                {
                    "EventID": 7045,
                    "ProviderName": "Service Control Manager",
                    "LogFile": "System.evtx",
                    "ServiceName": "Splashtop® Remote Service",
                    "ImagePath": "\"C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Remote\\\\Server\\\\SRService.exe\"",
                    "Description": "Service installation event as result of Splashtop Remote Service installation."
                },
                {
                    "EventID": 7045,
                    "ProviderName": "Service Control Manager",
                    "LogFile": "System.evtx",
                    "ServiceName": "SplashtopRemoteService",
                    "ImagePath": "\"C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Remote\\\\Server\\\\SRService.exe\"",
                    "Description": "Service installation event as result of Splashtop Remote Service installation."
                }
            ],
            "Registry": [
                {
                    "Path": "KLM\\SOFTWARE\\WOW6432Node\\Splashtop Inc.\\*",
                    "Description": "Splashtop Inc. registry key"
                },
                {
                    "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Splashtop Software Updater",
                    "Description": "Splashtop Software Updater uninstall key"
                },
                {
                    "Path": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SplashtopRemoteService",
                    "Description": "Splashtop Remote Service registry key"
                },
                {
                    "Path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Splashtop-Splashtop Streamer-Remote Session/Operational",
                    "Description": "Splashtop Streamer Remote Session event log channel"
                },
                {
                    "Path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Splashtop-Splashtop Streamer-Status/Operational",
                    "Description": "Splashtop Streamer Status event log channel"
                },
                {
                    "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Splashtop Software Updater\\InstallRefCount",
                    "Description": "Splashtop Software Updater install reference count"
                },
                {
                    "Path": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\SplashtopRemoteService",
                    "Description": "Splashtop Remote Service safe boot configuration"
                },
                {
                    "Path": "HKU\\.DEFAULT\\Software\\Splashtop Inc.\\*",
                    "Description": "Default user Splashtop Inc. registry key"
                },
                {
                    "Path": "HKU\\SID\\Software\\Splashtop Inc.\\*",
                    "Description": "User-specific Splashtop Inc. registry key"
                },
                {
                    "Path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\Splashtop PDF Remote Printer",
                    "Description": "Splashtop PDF Remote Printer configuration"
                },
                {
                    "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Splashtop Inc.\\Splashtop Remote Server\\ClientInfo\\*",
                    "Description": "Splashtop Remote Server client information"
                }
            ],
            "Network": [
                {
                    "Description": "N/A",
                    "Domains": [
                        "*.splashtop.com"
                    ],
                    "Ports": [
                        "N/A"
                    ]
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_registry_sigma.yml",
                "Description": "Detects potential registry activity of Splashtop RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_network_sigma.yml",
                "Description": "Detects potential network activity of Splashtop RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_files_sigma.yml",
                "Description": "Detects potential files activity of Splashtop RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_processes_sigma.yml",
                "Description": "Detects potential processes activity of Splashtop RMM tool"
            }
        ],
        "References": [
            "https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html"
        ],
        "Acknowledgement": [
            {
                "Person": "Théo Letailleur",
                "Handle": "in/theosyn"
            }
        ],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "Splashtop Inc.",
                    "certificate_thumbprint": "D458B32F6946DBB682A9687076EB9209979BDF76",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "31333b18ca5cf8f09bc6a8464b34b17f415afee14b6eed877f48ebb7a7191d57",
                    "src_file_path": "downloaded_files/splashtop/31333b18ca5cf8f09bc6a8464b34b17f415afee14b6eed877f48ebb7a7191d57",
                    "src_file_company": "Splashtop Inc."
                }
            ]
        }
    },
    {
        "Name": "CrossLoop",
        "Category": "RMM",
        "Description": "CrossLoop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://web.archive.org/web/20140117041805/http://www.crossloop.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "crossloopservice.exe",
                "CrossLoopConnect.exe",
                "WinVNCStub.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.crossloop.com",
                        "crossloop.en.softonic.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crossloop_network_sigma.yml",
                "Description": "Detects potential network activity of CrossLoop RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crossloop_processes_sigma.yml",
                "Description": "Detects potential processes activity of CrossLoop RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": []
    },
    {
        "Name": "DW Service",
        "Category": "RMM",
        "Description": "DW Service is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.dwservice.net/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [
                "Windows"
            ],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "dwagsvc.exe",
                "dwagent.exe",
                "dwagsvc.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.dwservice.net"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_network_sigma.yml",
                "Description": "Detects potential network activity of DW Service RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_processes_sigma.yml",
                "Description": "Detects potential processes activity of DW Service RMM tool"
            }
        ],
        "References": [
            "https://news.dwservice.net/dwservice-security-infrastructure/"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "DWSNET srl",
                    "certificate_thumbprint": "4A13F46DEF2C9427898A46A88A6A2122ED106B37",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "cd098eddb23f2d2f6c42271ca82803b0d5ac950cb82a9b8ae0928e83945a53df",
                    "src_file_path": "downloaded_files/dw_service/cd098eddb23f2d2f6c42271ca82803b0d5ac950cb82a9b8ae0928e83945a53df"
                }
            ]
        }
    },
    {
        "Name": "BeamYourScreen",
        "Category": "RMM",
        "Description": "BeamYourScreen is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://web.archive.org/web/20210304100510/https://www.beamyourscreen.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "beamyourscreen.exe",
                "beamyourscreen-host.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "beamyourscreen.com",
                        "*.beamyourscreen.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beamyourscreen_network_sigma.yml",
                "Description": "Detects potential network activity of BeamYourScreen RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beamyourscreen_processes_sigma.yml",
                "Description": "Detects potential processes activity of BeamYourScreen RMM tool"
            }
        ],
        "References": [
            "https://www.mikogo.com/"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "Komari",
        "Category": "RMM",
        "Description": "A simple server monitor tool.\n",
        "Author": "Daniel Koifman (KoifSec)",
        "Created": "2026-05-03",
        "LastModified": "2026-05-03",
        "Details": {
            "Website": "https://github.com/komari-monitor/komari",
            "Privileges": "User",
            "Free": true,
            "Verification": true,
            "SupportedOS": [
                "Windows",
                "Linux"
            ],
            "Capabilities": [
                "Remote Desktop Access",
                "Remote Shell"
            ],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "komari-windows-386.exe",
                "komari-windows-amd64.exe",
                "komari-windows-arm64.exe",
                "komari-agent.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [
            {
                "Sigma": "https://github.com/Koifman/LOLRMM/tree/main/detections/sigma/komari_process_sigma.yml",
                "Description": "Detects process activity of Komari"
            }
        ],
        "References": [
            "https://www.huntress.com/blog/komari-c2-agent-abuse"
        ],
        "Acknowledgement": [
            {
                "Person": "Daniel Koifman",
                "Handle": "@KoifSec"
            }
        ]
    },
    {
        "Name": "Centurion",
        "Category": "RMM",
        "Description": "Centurion is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "ctiserv.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "centuriontech.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centurion_network_sigma.yml",
                "Description": "Detects potential network activity of Centurion RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centurion_processes_sigma.yml",
                "Description": "Detects potential processes activity of Centurion RMM tool"
            }
        ],
        "References": [
            "https://data443.atlassian.net/servicedesk/customer/portal/20"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "CruzControl",
        "Category": "RMM",
        "Description": "CruzControl is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.doradosoftware.com/products/cruzcontrol/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": []
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [],
        "References": [
            "https://resources.doradosoftware.com/cruz-rmm"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "Rocket Remote Desktop",
        "Category": "RMM",
        "Description": "Rocket Remote Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.rocketsoftware.com/en-us/products/remote-desktop",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [
                "Windows"
            ],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "RDConsole.exe",
                "RocketRemoteDesktop_Setup.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rocket_remote_desktop_processes_sigma.yml",
                "Description": "Detects potential processes activity of Rocket Remote Desktop RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "Rocket Software, Inc.",
                    "certificate_thumbprint": "13FDCE37AA7B96441374012A9BE4A065C826F87F",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "a06ed00b1f3ae4a4dafe15d3e2d4a49ca2aa3e44c92cff8ac4a39b4c32760444",
                    "src_file_path": "downloaded_files/rocket_remote_desktop/a06ed00b1f3ae4a4dafe15d3e2d4a49ca2aa3e44c92cff8ac4a39b4c32760444",
                    "src_file_company": "Rocket Software Inc."
                },
                {
                    "signer_name": "Rocket Software, Inc.",
                    "certificate_thumbprint": "48C97F61CA860422533CD8953EAE30B89B21F782",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "b77b82b349b1ae194aef5a41ead566451267f24b5bdd1d4b8a08d2b434cb2837",
                    "src_file_path": "downloaded_files/rocket_remote_desktop/b77b82b349b1ae194aef5a41ead566451267f24b5bdd1d4b8a08d2b434cb2837",
                    "src_file_company": "Rocket Software Inc."
                }
            ]
        }
    },
    {
        "Name": "HopToDesk",
        "Category": "RMM",
        "Description": "HopToDesk is an open-source remote desktop tool similar to RustDesk. The tool has been observed being used by ransomware actors as a fallback when Quick Assist is blocked. HopToDesk creates firewall rules automatically and installs itself in Program Files. The tool communicates with signal servers and uses TURN servers for connectivity.",
        "Author": "Michael Haag",
        "Created": "2026-01-15",
        "LastModified": "2026-01-15",
        "Details": {
            "Website": "https://www.hoptodesk.com/",
            "PEMetadata": [
                {
                    "Filename": "HopToDesk.exe",
                    "OriginalFileName": "",
                    "Description": "HopToDesk remote desktop application (verified via VirusTotal)"
                }
            ],
            "Privileges": "User/SYSTEM",
            "Free": "Open Source",
            "Verification": "Code-signed by Sectigo",
            "SupportedOS": [
                "Windows",
                "Mac",
                "Linux",
                "Android"
            ],
            "Capabilities": [
                "Remote Control",
                "Remote Desktop",
                "Screen Sharing",
                "File Transfer"
            ],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Program Files (x86)\\HopToDesk\\HopToDesk.exe",
                "HopToDesk.exe",
                "HopToDesk-Standalone.exe"
            ]
        },
        "Artifacts": {
            "Disk": [
                {
                    "File": "C:\\Program Files (x86)\\HopToDesk\\HopToDesk.exe",
                    "Description": "HopToDesk application executable (verified via VirusTotal sandbox analysis)",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files (x86)\\HopToDesk\\privacyhelper.exe",
                    "Description": "HopToDesk privacy helper executable (verified via VirusTotal sandbox analysis)",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files (x86)\\HopToDesk\\PrivacyMode.dll",
                    "Description": "HopToDesk privacy mode library (verified via VirusTotal sandbox analysis)",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files (x86)\\HopToDesk\\sciter.dll",
                    "Description": "HopToDesk Sciter UI library (verified via VirusTotal sandbox analysis)",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Users\\*\\AppData\\Local\\Temp\\sciter.dll",
                    "Description": "HopToDesk UI library (verified via VirusTotal sandbox analysis)",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Users\\*\\AppData\\Local\\Temp\\privacyhelper.exe",
                    "Description": "HopToDesk privacy helper (verified via VirusTotal sandbox analysis)",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Users\\*\\AppData\\Roaming\\HopToDesk\\config\\*",
                    "Description": "HopToDesk configuration files (verified via VirusTotal sandbox analysis)",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Users\\*\\AppData\\Roaming\\HopToDesk\\config\\hoptodesk.toml",
                    "Description": "HopToDesk configuration file (verified via VirusTotal sandbox analysis)",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Users\\*\\AppData\\Roaming\\HopToDesk\\config\\HopToDesk.toml",
                    "Description": "HopToDesk configuration file (verified via VirusTotal sandbox analysis)",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Users\\*\\AppData\\Roaming\\HopToDesk\\config\\HopToDesk_rCURRENT.log",
                    "Description": "HopToDesk log file (verified via VirusTotal sandbox analysis)",
                    "OS": "Windows"
                },
                {
                    "File": "/System/Volumes/Data/Users/*/Library/Logs/HopToDesk/hoptodesk_rCURRENT.log",
                    "Description": "HopToDesk log file (verified via VirusTotal sandbox analysis)",
                    "OS": "MacOS"
                }
            ],
            "EventLog": [
                {
                    "EventID": 7045,
                    "Description": "Service installation event for HopToDesk (Event ID 7045 is logged by Service Control Manager in the System log)",
                    "OS": "Windows"
                }
            ],
            "Registry": [
                {
                    "Path": "HKEY_CURRENT_USER\\Software\\Classes\\HopToDesk\\shell\\open\\command",
                    "Description": "HopToDesk URL protocol handler",
                    "OS": "Windows"
                },
                {
                    "Path": "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\HopToDesk",
                    "Description": "HopToDesk uninstall registry key",
                    "OS": "Windows"
                }
            ],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "hoptodesk.com",
                        "api.hoptodesk.com",
                        "signal.hoptodesk.com",
                        "turn.hoptodesk.com",
                        "download.hoptodesk.com",
                        "www.hoptodesk.com"
                    ],
                    "Ports": [
                        443
                    ]
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/hoptodesk_network_sigma.yml",
                "Description": "Detects potential network activity of HopToDesk RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/hoptodesk_files_sigma.yml",
                "Description": "Detects potential file activity of HopToDesk RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/hoptodesk_processes_sigma.yml",
                "Description": "Detects potential process activity of HopToDesk RMM tool"
            }
        ],
        "References": [
            "https://www.hoptodesk.com/#faqlink",
            "https://gitlab.com/hoptodesk/hoptodesk",
            "https://github.com/magicsword-io/LOLRMM/issues/92",
            "https://www.hoptodesk.com/",
            "https://www.virustotal.com/gui/file/ebd2c015cc43e0fedf0122768d65e3256d78c57422111a3ad21efe7663507ee5/details",
            "https://gitlab.com/hoptodesk/hoptodesk/"
        ],
        "Acknowledgement": [
            {
                "Person": "Tyler Schultz",
                "Handle": "@shockwave_ts"
            },
            {
                "Person": "rcKillam",
                "Handle": "@rcKillam"
            }
        ],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "Begonia Holdings LLC",
                    "certificate_thumbprint": "127CAC9785F8C5F1A88CE70CE1109A4CA3A4CA01",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "99b2948fd10b23b6d36e035b60cb92b9b82fb0bd4003e6d28f950f0b227cae2d",
                    "src_file_path": "downloaded_files/hoptodesk/99b2948fd10b23b6d36e035b60cb92b9b82fb0bd4003e6d28f950f0b227cae2d",
                    "src_file_company": "Begonia Holdings"
                }
            ]
        }
    },
    {
        "Name": "SuperOps",
        "Category": "RMM",
        "Description": "SuperOps is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://superops.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "superopsticket.exe",
                "superops.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.superopsbeta.com",
                        "superops.ai",
                        "serv.superopsalpha.com",
                        "*.superops.ai",
                        "*.superopsalpha.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superops_network_sigma.yml",
                "Description": "Detects potential network activity of SuperOps RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superops_processes_sigma.yml",
                "Description": "Detects potential process activity of SuperOps RMM tool"
            }
        ],
        "References": [
            "https://support.superops.com/en/articles/6632028-how-to-download-and-deploy-the-agent"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "Superops Inc.",
                    "certificate_thumbprint": "CBF98AFF4D4BD00B83018D60ABE11DDF95C34664",
                    "certificate_der_base64": "MIIGOTCCBKGgAwIBAgIQPk8Hg51XSYWATaVcgLXZwDANBgkqhkiG9w0BAQwFADBUMQswCQYDVQQGEwJHQjEYMBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMSswKQYDVQQDEyJTZWN0aWdvIFB1YmxpYyBDb2RlIFNpZ25pbmcgQ0EgUjM2MB4XDTIzMDQxNDAwMDAwMFoXDTI2MDcxMzIzNTk1OVowUDELMAkGA1UEBhMCVVMxETAPBgNVBAgMCERlbGF3YXJlMRYwFAYDVQQKDA1TdXBlcm9wcyBJbmMuMRYwFAYDVQQDDA1TdXBlcm9wcyBJbmMuMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAhtG6EowtrK6G/jJRwxQ2R1pZ7KN+r2inHiRCXTYbz9v1PeCwIwZ7s1LmUdN6VKA5OirI0TrP3I7IMNwLs8IRjsu4n/kEVCu/pMXHIVdXp/DFkf/dLAGPzAextWAXiy3u/Hii+0fYkkP40RS/XoLpv/QLRhmG1BF0jQappjcz1d2NiJMujRQozAiDohZ+wCrFVr814eEcRQ/wmynYRMhPMUuLECGiB62K8BXTM4RqIwG90kMkxZNb3syKzn2i5d5GH2MEBP2Kalup8aCZRar6Mc3TmgiU94IDkYJQIAy+LM2j11ODI9V0PdhxmNVpDrZZSQL1NZVHFAA+ypqWEIbz28BVTjOIiAbNWyJb3N3novJ9Ai4+bu4WC9+pKEnNr+Aj9ywVMrphJ76+ceWeoDXy6Vqkm0fe2qg8Z3Q0zQxhwRqDS1gpVvnhD8Wr5PEkFF5xDfpADRj54Gk1wIfaxTelNZcbp6B+4I4JMqFjJkBOBQMbFP1uLLXp28ffeghpq2FE1zSe+5PqUEreFL0FSnrTsujjSqwsc+Nc3OaJEJ+I5C/eFr0E2PUjBsqg/kGDUpv40UgRRnDJ+MqxaHtEytHF4LgvLnXPka01umlJTGodAw0ZhJD5sPMJeaXra+gu0VVMPhMH1rgD2dleVNsMFzhA1gjjfFlrni4XSWOVuBFwh3UCAwEAAaOCAYkwggGFMB8GA1UdIwQYMBaAFA8qyyCHKLjsb0iuK1SmKaoXpM0MMB0GA1UdDgQWBBTmrC78xQmaGCw+O1+l+6ydfRnB+TAOBgNVHQ8BAf8EBAMCB4AwDAYDVR0TAQH/BAIwADATBgNVHSUEDDAKBggrBgEFBQcDAzBKBgNVHSAEQzBBMDUGDCsGAQQBsjEBAgEDAjAlMCMGCCsGAQUFBwIBFhdodHRwczovL3NlY3RpZ28uY29tL0NQUzAIBgZngQwBBAEwSQYDVR0fBEIwQDA+oDygOoY4aHR0cDovL2NybC5zZWN0aWdvLmNvbS9TZWN0aWdvUHVibGljQ29kZVNpZ25pbmdDQVIzNi5jcmwweQYIKwYBBQUHAQEEbTBrMEQGCCsGAQUFBzAChjhodHRwOi8vY3J0LnNlY3RpZ28uY29tL1NlY3RpZ29QdWJsaWNDb2RlU2lnbmluZ0NBUjM2LmNydDAjBggrBgEFBQcwAYYXaHR0cDovL29jc3Auc2VjdGlnby5jb20wDQYJKoZIhvcNAQEMBQADggGBADSwSFVrepry1m32ZrKBP3lKjEK/IAfz65tj6mITQZFK/PQi6Hhul7SfcEv2XrshomjhYwrOgo1wiAvewWoLViC78GJbvhlGa9qBxGg2JCwenWvfrdLOeK/QFbz6jw0lBoWcYXzgQPziFb1DHkXGRwvWDUDqMKcy6gKNK5sBsIxHwIFdQh6GS4ljaOq/o58//w3Y/R+OsHhnWHGibeCejqoIGZhi9Rp/uigefEBbW106RS2hJLKST5jSjoSNOrwGAn2bGDszUBrFfo7c6GW3BNW22hQGouqojMZxWNWZiV2Pjqy+GVS0DvHXaw1NVixgyQsDo6USj+k1TSpx4
xhwt46rCMx5CmNIn+hQ19FhYBUzyl5J/IBlICAqNaisc97eI0hE+3bW/wsuf+Jg84zkzuouXSCY+4Ho4IMO+mbRTf/K+1myW5f/+RO+2go+0O8TyRF+T/6zT4cV8jsJL92rfybxUBT7z4ddWPpoy0ye4QU8zkgk58IhGmXgig72JnxhbQ==",
                    "src_file_sha256": "f086241d446a5898c068fcd684e90be3fa7a758dbfb8be9464660012ea4f63e6",
                    "src_file_path": "downloaded_files/superops/f086241d446a5898c068fcd684e90be3fa7a758dbfb8be9464660012ea4f63e6",
                    "src_file_company": "superopsticket"
                },
                {
                    "signer_name": "ISL Online Ltd.",
                    "certificate_thumbprint": "FD412CA692ED576E5FA7723CB06ABE14077A2C67",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "eb2be7658c833c4abec241cd57c10ff12abe3af726f801c42894d0e541183871",
                    "src_file_path": "downloaded_files/superops/eb2be7658c833c4abec241cd57c10ff12abe3af726f801c42894d0e541183871",
                    "src_file_company": "XLAB d.o.o."
                },
                {
                    "signer_name": "ISL Online Ltd.",
                    "certificate_thumbprint": "69D863EBB31F6E58D1511DE618489AB47BB0B361",
                    "certificate_der_base64": "MIIHSzCCBTOgAwIBAgIQD9LyyHRgH2JtiKDVk0AFBDANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xQTA/BgNVBAMTOERpZ2lDZXJ0IFRydXN0ZWQgRzQgQ29kZSBTaWduaW5nIFJTQTQwOTYgU0hBMzg0IDIwMjEgQ0ExMB4XDTIzMDUyNDAwMDAwMFoXDTI2MDUyNTIzNTk1OVowUzELMAkGA1UEBhMCR0IxEDAOBgNVBAcTB1N3aW5kb24xGDAWBgNVBAoTD0lTTCBPbmxpbmUgTHRkLjEYMBYGA1UEAxMPSVNMIE9ubGluZSBMdGQuMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvlr5XM0bUQx1AcpTnLokfwq3MYsm8GEmRUJxz/JzsRxqTHrgnANEI2dTKSupoaGBrWND9oedptkig4f/5/WbYlXVaI7EliiQMJxk87L8X6SRK76qWl98nMtE9rgkscvCPeO0GGc5ctyOMZSgW5VdQhyWttLDU2O/R33wO5c3M0hFt2taXa7W1/sU9+RMd4Gyuk0VTPd8VbRiwGXhCwy97OOH+8MR+KMF6S/HbuSTlmm3ly9pUmYg3QbaMXwcCJwDv21qVaXwDGKLCaPs86mRnBu3kigD+ZtgFLUMJIY7t60rM5sFcHMfOo/IYTShBDjvQfvQfkJz3p0/gIqXe55RvWiaTHMs5oYJR35YTBQBtfvcgKVGCNnH1yt5M3phNPogGESWlujjO8yMjcqAnfMleN8xA5Gbcy796CX46sTtL4xve3GYCk/ngjMqyOVcCTC8pcf9HzxOOeGXHpbcvhqy6ZGiffVO3T2cxU2cDvSgqIewVxW12PwYNkBMaWlmS63vPwHav1OAz2LrzbzG+pUaMQJj7zfhcdGZf3Eg3TiZow7DzBXlnsimqfsS524/XP+rejcDkkuM2X9zoOKLB0g0cC8OYIZOE89NKoJi2EZehPEqqaNU+06DyFO6ZJgBpX60CTIV6TEKAxmo+CsXKvc5nCaJisMJuJmoLBfsQiQm8b0CAwEAAaOCAgMwggH/MB8GA1UdIwQYMBaAFGg34Ou2O/hfEYb7/mF7CIhl9E5CMB0GA1UdDgQWBBQEn5Oe0FNYepFXMRsMYFTdENsaxTAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwgbUGA1UdHwSBrTCBqjBToFGgT4ZNaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZEc0Q29kZVNpZ25pbmdSU0E0MDk2U0hBMzg0MjAyMUNBMS5jcmwwU6BRoE+GTWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0ZWRHNENvZGVTaWduaW5nUlNBNDA5NlNIQTM4NDIwMjFDQTEuY3JsMD4GA1UdIAQ3MDUwMwYGZ4EMAQQBMCkwJwYIKwYBBQUHAgEWG2h0dHA6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzCBlAYIKwYBBQUHAQEEgYcwgYQwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBcBggrBgEFBQcwAoZQaHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZEc0Q29kZVNpZ25pbmdSU0E0MDk2U0hBMzg0MjAyMUNBMS5jcnQwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAgEAtw9K8h8OWVJokYeiuZo1ok0lUL+Ba9xSFKcHXHU3nIcDcBhyYFmq+9WGh4iaZw2H8rg111zRpnWR0ci4L2W1uEIY5tLpIexh0+tecYKdXJW4my4scjfTZxipHhYmpZuC4M0ElA49G/gj5
QX6ytXDJe9dhl1TS7B+5uyuHnWM6V+R14kD6VdHtfSyBzRyKsSZFpQo0vmDdpyjZ6LOhNo7uzFrm5th2fL/CoR9GH5DDvpZcKBdykqb3r+3IQcTguEjrAKeq+XI9aoUQB/QyNFo1AV3dwtLjO31ZLnwLucmJmg+g3MvQ4KP7KACo4jWPXeegwlxPYce+j8kmpqiIJp0rbZ2NNJnGnrJGIXq/1wMK9WjqrKFK0Sm1bRa66gxM+DmOlkRPKn/DqwHW61M4ZuEOg3pmo5slOXngIoiOz3a7s68Q58yz8p5pgIvj/svbxmTXB3VWRPSw9X64CnFcE9pE/Qh2/PdFldbAu0YFTba3pbx/c4Ow2PbV4okODTJiFnjeH64rU6N/6u2UDFqlLNPNqTtKjR1rVHKKKnVOG69ya7B4kyIm6bSXFeZSIn7/HMuIMeX5W/i6KqiE8m15NQzsqe7nvphjNt6Q7Y6TvVlZRpQWpW2qZaSa2JOcm1b0asfIKQfkRINMAVw3MqJydDgywaidfF/Sky7sX+7entTJ20=",
                    "src_file_sha256": "15576575fceb3ea566339e0a9c4baffbad3899adff992165d11834943dbc1d3d",
                    "src_file_path": "downloaded_files/superops/15576575fceb3ea566339e0a9c4baffbad3899adff992165d11834943dbc1d3d",
                    "src_file_company": "ISL Online Ltd."
                }
            ]
        }
    },
    {
        "Name": "MultCloud",
        "Category": "RAT",
        "Description": "MultCloud is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.multcloud.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "requires sign up",
                "requires sign up"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [],
        "References": [],
        "Acknowledgement": []
    },
    {
        "Name": "rdp2tcp",
        "Category": "RAT",
        "Description": "rdp2tcp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://github.com/V-E-O/rdp2tcp",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [
                "Windows"
            ],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "tdp2tcp.exe",
                "rdp2tcp.py"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "user_managed",
                        "github.com/V-E-O/rdp2tcp"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdp2tcp_network_sigma.yml",
                "Description": "Detects potential network activity of rdp2tcp RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdp2tcp_processes_sigma.yml",
                "Description": "Detects potential process activity of rdp2tcp RMM tool"
            }
        ],
        "References": [
            "https://github.com/V-E-O/rdp2tcp"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "ScreenMeet",
        "Category": "RMM",
        "Description": "ScreenMeet is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.screenmeet.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "ScreenMeetSupport.exe",
                "ScreenMeet.Support.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.screenmeet.com",
                        "*.scrn.mt"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenmeet_network_sigma.yml",
                "Description": "Detects potential network activity of ScreenMeet RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenmeet_processes_sigma.yml",
                "Description": "Detects potential process activity of ScreenMeet RMM tool"
            }
        ],
        "References": [
            "https://docs.screenmeet.com/docs/firewall-white-list"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "AliWangWang-remote-control",
        "Category": "RMM",
        "Description": "AliWangWang-remote-control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://wangwang.taobao.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "alitask.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "wangwang.taobao.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aliwangwang-remote-control_network_sigma.yml",
                "Description": "Detects potential network activity of AliWangWang-remote-control RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aliwangwang-remote-control_processes_sigma.yml",
                "Description": "Detects potential process activity of AliWangWang-remote-control RMM tool"
            }
        ],
        "References": [
            "https://github.com/KKomarov/AliWangWangEng/blob/master/chs.locale"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "TAOBAO (CHINA) SOFTWARE CO.,LTD.",
                    "certificate_thumbprint": "AD2801EFB6FD0006B0985EBE79011B5855E1A6F8",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "e9bf9575e130de921b6d04e3717c609292ab86ffad1f64cf73ecb94d15c5be91",
                    "src_file_path": "downloaded_files/aliwangwang-remote-control/e9bf9575e130de921b6d04e3717c609292ab86ffad1f64cf73ecb94d15c5be91",
                    "src_file_company": "Alibaba Group"
                },
                {
                    "signer_name": "ALIBABA (CHINA) NETWORK TECHNOLOGY CO.,LTD.",
                    "certificate_thumbprint": "7CE867B4E3F3F5CCBD7DCF8BFA3187D762F9EF00",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "d3b2b174fe34f1e568333977c0bc23b3df3f68e47fbe503772becdeea6d140af",
                    "src_file_path": "downloaded_files/aliwangwang-remote-control/d3b2b174fe34f1e568333977c0bc23b3df3f68e47fbe503772becdeea6d140af",
                    "src_file_company": "Alibaba Group"
                }
            ]
        }
    },
    {
        "Name": "Royal Apps",
        "Category": "RMM",
        "Description": "Royal Apps is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.royalapps.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [
                "Windows"
            ],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "royalserver.exe",
                "royalts.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "user_managed"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_apps_network_sigma.yml",
                "Description": "Detects potential network activity of Royal Apps RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_apps_processes_sigma.yml",
                "Description": "Detects potential process activity of Royal Apps RMM tool"
            }
        ],
        "References": [
            "https://www.royalapps.com/ts/win/download"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "Royal Apps GmbH",
                    "certificate_thumbprint": "564F13E13238C21A522EAC9D8903CBA13F93D7A4",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "fdb7e23f6a02780def665e6ea428cd9cd59f115cd33d9dc7ba2b63a5fa8e1b3f",
                    "src_file_path": "downloaded_files/royal_apps/fdb7e23f6a02780def665e6ea428cd9cd59f115cd33d9dc7ba2b63a5fa8e1b3f",
                    "src_file_company": "Royal Apps GmbH"
                }
            ]
        }
    },
    {
        "Name": "RemoteUtilities",
        "Category": "RMM",
        "Description": "RemoteUtilities is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.remoteutilities.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "rutview.exe",
                "*\\Remote Manipulator System - Server\\*",
                "C:\\Program Files\\Remote Utilities\\*",
                "*\\Remote Utilities\\*",
                "rutserv.exe",
                "*\\rutserv.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "remoteutilities.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteutilities_network_sigma.yml",
                "Description": "Detects potential network activity of RemoteUtilities RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteutilities_processes_sigma.yml",
                "Description": "Detects potential process activity of RemoteUtilities RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": []
    },
    {
        "Name": "Chrome SSH Extension",
        "Category": "RAT",
        "Description": "Chrome SSH Extension is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://chromewebstore.google.com/detail/secure-shell/iodihamcpbpeioajjeobimgagajmlibd",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Users\\*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\iodihamcpbpeioajjeobimgagajmlibd*",
                "*Users\\*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\iodihamcpbpeioajjeobimgagajmlibd*"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [],
        "References": [],
        "Acknowledgement": []
    },
    {
        "Name": "SmartFTP",
        "Category": "RAT",
        "Description": "SmartFTP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.smartftp.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Program Files (x86)\\SmartFTP Client\\en-US\\",
                "*\\SmartFTP Client\\*",
                "*\\SfShellTools.dll.mui"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [],
        "References": [],
        "Acknowledgement": []
    },
    {
        "Name": "UltraViewer",
        "Category": "RMM",
        "Description": "UltraViewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2025-12-14",
        "Details": {
            "Website": "https://www.ultraviewer.net/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "UltraViewer_Service.exe",
                "UltraViewer_setup*",
                "UltraViewer_Desktop.exe",
                "ultraviewer.exe",
                "C:\\Program Files (x86)\\UltraViewer\\UltraViewer_Desktop.exe",
                "*\\UltraViewer\\",
                "*\\UltraViewer_Desktop.exe",
                "ultraviewer_desktop.exe",
                "ultraviewer_service.exe",
                "UltraViewer_Desktop.exe",
                "UltraViewer_setup*",
                "UltraViewer_Service.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.ultraviewer.net",
                        "ultraviewer.net"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultraviewer_network_sigma.yml",
                "Description": "Detects potential network activity of UltraViewer RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultraviewer_processes_sigma.yml",
                "Description": "Detects potential process activity of UltraViewer RMM tool"
            }
        ],
        "References": [
            "https://www.ultraviewer.net/en/200000026-summary-of-ultraviewer-s-security-information.html"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "search_names": [
                "400000.ultraviewer_desktop.exe",
                "canon-l11121e-driver-for-windows-64-bit.exe",
                "guna.ui2.dll",
                "j4l3wbiug.exe",
                "lzkj4w7z9.exe",
                "rk791amfk.exe",
                "ultraviewer_desktop",
                "ultraviewer_desktop.exe",
                "ultraviewer_service.exe"
            ],
            "company_names": [],
            "signer_names": [],
            "certificates": [
                {
                    "signer_name": "DUC FABULOUS CO.,LTD",
                    "certificate_thumbprint": "2C1D12F8BBE0827400A8440AF74FFFA8DCC8097C",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "1809068550d615bd78bdd3618cf3ab13c35e67102013cf2ef0f316684d80781c",
                    "src_file_path": "downloaded_files/ultraviewer/1809068550d615bd78bdd3618cf3ab13c35e67102013cf2ef0f316684d80781c"
                },
                {
                    "signer_name": "DUC FABULOUS CO.,LTD",
                    "certificate_thumbprint": "70E9DAEDB055A6E1FA781DDB79380075A3F25F21",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "0fa31dd2affdad98dbca7d8b7a9dc02c56093ff2ca06e6b03db7aa4cd4bf5260",
                    "src_file_path": "downloaded_files/ultraviewer/0fa31dd2affdad98dbca7d8b7a9dc02c56093ff2ca06e6b03db7aa4cd4bf5260",
                    "src_file_company": "DucFabulous                                                 "
                },
                {
                    "signer_name": "DUC FABULOUS CO.,LTD",
                    "certificate_thumbprint": "44BCC88C18BF922FF9A0AB675ED7FB44F9F9C5BA",
                    "certificate_der_base64": "MIIDezCCAyGgAwIBAgIRAPGYM+rN1bUSUa/n/imopJ0wCgYIKoZIzj0EAwIwVDELMAkGA1UEBhMCR0IxGDAWBgNVBAoTD1NlY3RpZ28gTGltaXRlZDErMCkGA1UEAxMiU2VjdGlnbyBQdWJsaWMgQ29kZSBTaWduaW5nIENBIEUzNjAeFw0yMzExMzAwMDAwMDBaFw0yNjExMjgyMzU5NTlaMFwxCzAJBgNVBAYTAlZOMQ8wDQYDVQQIDAZIYSBOb2kxHTAbBgNVBAoMFERVQyBGQUJVTE9VUyBDTy4sTFREMR0wGwYDVQQDDBREVUMgRkFCVUxPVVMgQ08uLExURDB2MBAGByqGSM49AgEGBSuBBAAiA2IABJjxfmB3Cjsuvp/hRHIPfbqXCeM2IUgg42LrB9S6HJMIFaH8ZfWPeerMVbhorXcPy35a5qg5d3hYzSqQryYSLC0XLLxpKXftnOrrezfptRLOTAfQBFkzOC+g6yuJ5Za9zaOCAa0wggGpMB8GA1UdIwQYMBaAFCUNm23YGHe3isM4UVblx/K1/4NqMB0GA1UdDgQWBBTPOAlFNgXARALIhTOORnU1oxRTEzAOBgNVHQ8BAf8EBAMCB4AwDAYDVR0TAQH/BAIwADATBgNVHSUEDDAKBggrBgEFBQcDAzBKBgNVHSAEQzBBMDUGDCsGAQQBsjEBAgEDAjAlMCMGCCsGAQUFBwIBFhdodHRwczovL3NlY3RpZ28uY29tL0NQUzAIBgZngQwBBAEwSQYDVR0fBEIwQDA+oDygOoY4aHR0cDovL2NybC5zZWN0aWdvLmNvbS9TZWN0aWdvUHVibGljQ29kZVNpZ25pbmdDQUUzNi5jcmwweQYIKwYBBQUHAQEEbTBrMEQGCCsGAQUFBzAChjhodHRwOi8vY3J0LnNlY3RpZ28uY29tL1NlY3RpZ29QdWJsaWNDb2RlU2lnbmluZ0NBRTM2LmNydDAjBggrBgEFBQcwAYYXaHR0cDovL29jc3Auc2VjdGlnby5jb20wIgYDVR0RBBswGYEXY29udGFjdEB1bHRyYXZpZXdlci5uZXQwCgYIKoZIzj0EAwIDSAAwRQIhAO4o7KRITeIrefJep70oRE/8pEiBH14niamQCuXMEKQwAiAk2C4bdYJI5+lHnOeWME3jpXJ84VK+Yzg1At7Cd6L2sw==",
                    "src_file_sha256": "a7a7419a44b9e4a858b2d59f9a6876dda83e5e7841376a496e5501ffaa521883",
                    "src_file_path": "downloaded_files/ultraviewer/a7a7419a44b9e4a858b2d59f9a6876dda83e5e7841376a496e5501ffaa521883",
                    "src_file_company": "DucFabulous                                                 "
                }
            ]
        },
        "FileHashes": {
            "authenticode": [
                {
                    "file_name": "UltraViewer_Desktop",
                    "sha256": "E81714CE81035A8A47CFAA8DD23DDA6996C8E6D0998BBC0075ED896F68D880B0",
                    "sha1": "2D92896ABBCBDEB5572B09BBB6F1D65C1D88D927"
                },
                {
                    "file_name": "UltraViewer_Desktop.exe",
                    "sha256": "548124EF42D18C922867BB9EA1DD634B4F12E276294A446D06F884B254F9AF69",
                    "sha1": "F7F0E920D7EC2E09ACCDCCA1A231520AFCC58A35"
                },
                {
                    "file_name": "400000.UltraViewer_Desktop.exe",
                    "sha256": "1FF1A9E399D350B6F2CE08674A9E5FB128BD8C3A76A7D4DF244092A46D57667C",
                    "sha1": "C831EA4643B14F8D1CFAA08F838F10E8C9AE7583"
                },
                {
                    "file_name": "UltraViewer_Desktop",
                    "sha256": "CD908C199AEBECB6A73DCAF06EC36C396DD11ABDCB28958B07BFD7C4E8633C23",
                    "sha1": "651E93450794775ECDB3DC69B15C48F98092E153"
                },
                {
                    "file_name": "UltraViewer_Desktop",
                    "sha256": "62ECF6A18CB7CCD565B229A9B6B8438096FED9BAC1C15412CB93977483842495",
                    "sha1": "35C4EDF9EF2DF9EC74A7FCFEBD46ED9F5D917F96"
                },
                {
                    "file_name": "UltraViewer_Desktop",
                    "sha256": "DE73B8BC2F835F46BD1DA6E0158917EF537093CC95B2103118C9F77916DE48A4",
                    "sha1": "EFCC427831AAAF0F5B5FA72F49EA7C74098388A0"
                },
                {
                    "file_name": "UltraViewer_Desktop",
                    "sha256": "A84EA608447177B13F73D95D37C9F2E2E675BFE61E80FDC6C82A14B285167319",
                    "sha1": "D9D0FDF4B48A80D2902296313571E1D23451DA80"
                },
                {
                    "file_name": "UltraViewer_Desktop",
                    "sha256": "C5FF22EAA1B64FDB9EA4F47290DE911A1CE7FFAE5A3FE561AB30423A99CCE2FC",
                    "sha1": "3CCBFF99B46EEC7995452FB34C9C123E3A980B3B"
                },
                {
                    "file_name": "400000.UltraViewer_Desktop.exe",
                    "sha256": "D20020049A0FAAB9EABB579472AE9DF9D83DE605ADFED25A198D38AF33BA41CC",
                    "sha1": "5DF07A765238206F9CF01EC0F7845144F7D31FD2"
                },
                {
                    "file_name": "rk791amfk.exe",
                    "sha256": "6967B731D26A17077EF79DC7C34B025180B32C8E6ADE675CAE211EA5F00A5820",
                    "sha1": "7799F3D1AF11F61F489A930A783F3D2BD4EF72B8"
                },
                {
                    "file_name": "j4l3wbiug.exe",
                    "sha256": "8D825A1439B1751FF240186F05367C2AEDD0B8D6AA0679D15B5D99B8807E4874",
                    "sha1": "4D0E1902E6DD93BB1593278FF168D1816BC15886"
                },
                {
                    "file_name": "UltraViewer_Desktop",
                    "sha256": "AADE96BFBD793C3A6C23B0ABD8FB6BAC92E68BFB6FA610DE4BB4A4C68E9386C3",
                    "sha1": "CD5396DF744E2AAB56CB175F3014F208250130DA"
                },
                {
                    "file_name": "UltraViewer_Service.exe",
                    "sha256": "4A58C2DFF9DDA6E4835F602C05CE21684BA0D68D3151E666ADDF89888F5E9F72",
                    "sha1": "4B99342E3E3C959C6B0C97C92F3B6FE8234E457D"
                },
                {
                    "file_name": "UltraViewer_Service.exe",
                    "sha256": "4BB4A1CA2676A1E420F9196F482C099DE4F55154DDA9BD2EF736306262E5F6B7",
                    "sha1": "207508B54321BF3F53DF557ECFB87D643241D104"
                },
                {
                    "file_name": "Guna.UI2.dll",
                    "sha256": "15695F795F048B4B2257F35334D2C65100BE37518B2EB47E10217A20677A9F48",
                    "sha1": "44DBB1E4571A74EE8845D814D47D35D2B14C0D4D"
                },
                {
                    "file_name": "UltraViewer_Service.exe",
                    "sha256": "6535BC70892DC336E496D055D68B2EB09CEE2ECB287FBF95C0489BDE53F8299D",
                    "sha1": "2B1551FE2DBFC7D7932CC4183F510A8D492955D4"
                },
                {
                    "file_name": "UltraViewer_Service.exe",
                    "sha256": "87B1DC403D65A327D474CDFAAAE91CBB6F90A61907B158E5E252FC91CFEA5386",
                    "sha1": "74FDEA9C919E45AAA7AD7453FFE3CB6064BF40A8"
                },
                {
                    "file_name": "UltraViewer_Service.exe",
                    "sha256": "88E9500BD4BF9018BA3F5D03E300B69ED6551EF151416F7EB09A651A9AECC6C1",
                    "sha1": "B458FB697FFFB3278C350046297BA1ACB89026A4"
                },
                {
                    "file_name": "UltraViewer_Service.exe",
                    "sha256": "8A25B090622F979744672E3BE46A1F0E0A06E6571A8FD23ECDB1B41CE0F2B5DF",
                    "sha1": "4CC8FF36C3D89CBEFE0D0EB6A2F706EC2811932C"
                },
                {
                    "file_name": "UltraViewer_Service.exe",
                    "sha256": "C47339B8AD420E914962BCC47DA861E56CD35191127FFC8F248C4C2D6F357AD3",
                    "sha1": "E306339592F3FE3903FEC924322E295F0556C2BD"
                },
                {
                    "file_name": "UltraViewer_Service.exe",
                    "sha256": "550A6902B6F09284EFF7ABB9C13401700E0B9D246559C99323B1AE25A5B76B0F",
                    "sha1": "DBC2D9B2CF1BE54D26E512DA6ABE9407CA8C8E32"
                },
                {
                    "file_name": "lzkj4w7z9.exe",
                    "sha256": "CF1C8E9D9FE8B9F4EDC149C409A69018C1A52D38FF5720476F2260DC0E87BE50",
                    "sha1": "7FE447B0F8B879CD2DADDF80DDDB1C3A53B9C691"
                },
                {
                    "file_name": "canon-l11121e-Driver-for-Windows-64-bit.exe",
                    "sha256": "142CF6DA3E1D1BCB3FC862481A6520FC7BB9C15C3B1F769FCA63865FE770B970",
                    "sha1": "D2D579B11D561C21EA263B294A8EB87BA5B7A58E"
                },
                {
                    "file_name": "UltraViewer_Service.exe",
                    "sha256": "DECA9E44A1903DD28EBBEB05FC2F16A3EBB5407C1F4E7F891B75E8013C4288EC",
                    "sha1": "0900497365C96C9516DE8C8FE19AEC5FFC9FBB66"
                }
            ],
            "page": [
                {
                    "file_name": "UltraViewer_Desktop",
                    "sha256": "65F75F52138C03586B40F747563EA2DB89884286CAEAC011358F68FC8F21FA6C",
                    "sha1": "95F0113F0F1A8A8CF21E7A6905713AE037C8CE90"
                },
                {
                    "file_name": "UltraViewer_Desktop.exe",
                    "sha256": "27831DE24F6700FB7CBA9C52EEF66AAC1B8CA5CBD63466F901BAE2FBBECC356D",
                    "sha1": "10346AE3CE02DC922877675EB198128F844BA802"
                },
                {
                    "file_name": "UltraViewer_Desktop",
                    "sha256": "A142D5C0D5628B7110E3B0D4EA09C2050282854BC2C0D7B350F0D331139494EA",
                    "sha1": "8B469819FA1DDCD12BDAE4C37BD77587F9CA4BB5"
                },
                {
                    "file_name": "UltraViewer_Desktop",
                    "sha256": "CDE1E041F15EB39BE1ADDE6BDC25FF5DBFCA56FA9A50BB43DDA5969D4EE0901B",
                    "sha1": "5AF87AEA452E31E48107B4D063A228EBFC0573AA"
                },
                {
                    "file_name": "UltraViewer_Desktop",
                    "sha256": "3678354E6DC305672BA88E3DB7D8A4BD7D09529A3D6E7772D81693F87DB2C637",
                    "sha1": "08ED9455C11EDDD31B0E91C2BFD928DD82C8A34E"
                },
                {
                    "file_name": "rk791amfk.exe",
                    "sha256": "D9E9E8433C109FD3389CCBFCC238C12CA1676159D0E9B3EB9A3730694CB53AB4",
                    "sha1": "1F465F1F09B16B096523CAE0194DA7E3CB59D804"
                },
                {
                    "file_name": "j4l3wbiug.exe",
                    "sha256": "5D119DD0F7092B7B4A7B98888012D43BE8926058A758407B54DD1B6E3D0C5EFC",
                    "sha1": "1B1FE3B48B121FEF1F7DA09F6E01B8FCC72E6DFB"
                },
                {
                    "file_name": "UltraViewer_Desktop",
                    "sha256": "D2972161ED43254F6B345C562B5AFF33A62F035672C18343514E3A15FCEAB58F",
                    "sha1": "57A317B7574E1FD5C6B6691CBBC16131E79E94EF"
                },
                {
                    "file_name": "Guna.UI2.dll",
                    "sha256": "D6002AE8D604CC3B2A6AFF085DDEB0E9FD66E2261AA4D4B124F93A308D1C5705",
                    "sha1": "203D4DD208E043B95DD019B21247DB7A9318B028"
                },
                {
                    "file_name": "UltraViewer_Service.exe",
                    "sha256": "0BEE1E0F00AEF8ABAB1E36474781151F22BF8EA42DB34B716684F28A145CE159",
                    "sha1": "BA236AF2B75EF83E254B0C8E144C9BCFF4681147"
                },
                {
                    "file_name": "UltraViewer_Service.exe",
                    "sha256": "3614DB46986C8779E5D26D93A81F9FF21A6F8B992AC651325D998D8F84AB4AF7",
                    "sha1": "BBE4F6A39A3208EF55F8AD33778F63B0E4069757"
                },
                {
                    "file_name": "canon-l11121e-Driver-for-Windows-64-bit.exe",
                    "sha256": "1FB3D61B5BFD12E5953A669E1AB019ABDB2D80065C28B1CEA8B7FA3EA88C639A",
                    "sha1": "D79763DA59E0482BDC85445BE3426C047F36B6F8"
                }
            ]
        }
    },
    {
        "Name": "CrossTec Remote Control",
        "Category": "RMM",
        "Description": "CrossTec Remote Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.\n\n**IMPORTANT**: Some components of this tool may be signed with legitimate Microsoft Windows Component Publisher certificates that are also used to sign Windows system components. Do NOT blindly block Microsoft certificate thumbprints, as doing so will break Windows functionality in your environment. Use certificate data for detection, hunting, and analysis purposes only. A match on these signers alone does not identify CrossTec Remote Control; combine it with the file names or network indicators in this entry before alerting.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://web.archive.org/web/20220811150547/https://www.crosstecsoftware.com/remotecontrol",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "PCIVIDEO.EXE",
                "supporttool.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "user_managed",
                        "crosstecsoftware.com/remotecontrol"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crosstec_remote_control_network_sigma.yml",
                "Description": "Detects potential network activity of CrossTec Remote Control RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crosstec_remote_control_processes_sigma.yml",
                "Description": "Detects potential processes activity of CrossTec Remote Control RMM tool"
            }
        ],
        "References": [
            "https://www.crosstecsoftware.com/supporthome.html"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "search_names": [
                "pcivideo.exe",
                "supporttool.exe"
            ],
            "company_names": [],
            "signer_names": [
                "Microsoft Corporation",
                "Microsoft Windows Component Publisher"
            ],
            "certificates": [
                {
                    "signer_name": "Microsoft Windows Component Publisher",
                    "issuer": "CN=Microsoft Windows Verification Intermediate PCA",
                    "certificate_thumbprint": "5C4D0AED88959C9D30C1B30F9AA916BE57544CF6",
                    "tbs_sha256": "DDFD99125B30665247E714C0B2A4D17908F2228DD04FBA2EC311249F9BFB678D",
                    "tbs_sha1": "2169D040A744D6C45E0214C48517B372289D79AF",
                    "valid_from": "2005-10-11T23:24:57+00:00",
                    "valid_to": "2007-01-11T23:34:57+00:00",
                    "certificate_der_base64": "MIIGBDCCBOygAwIBAgIKYRDDUgAAAAAAAzANBgkqhkiG9w0BAQUFADCBjjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjE4MDYGA1UEAxMvTWljcm9zb2Z0IFdpbmRvd3MgVmVyaWZpY2F0aW9uIEludGVybWVkaWF0ZSBQQ0EwHhcNMDUxMDExMjMyNDU3WhcNMDcwMTExMjMzNDU3WjCBhDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEuMCwGA1UEAxMlTWljcm9zb2Z0IFdpbmRvd3MgQ29tcG9uZW50IFB1Ymxpc2hlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMOM0acw9GELvutSbWGagdFj3zsaWTgAEwL/TOKjVfgShZNYnT4mudJmsAC5F6/NdmNXZRDA0UDyjvo9Kq7+O250nEaL66YfvF/DSJ2xqRGBh9wi9OF0hO1S+vNcCrvTkv9qBpCQLmNqEiHX0CJBv3Mp2k/shdxd6fb1RcKxO3XhLrfJSH2a/WKSGbzizk3CTwG41yTb+43U8cNcabxFKj4Qlm5p+jpjlhOTlSl55wUMqJHqV06bQS0pTeTc1glMPFRMClm3WoZxaCKc73gbyNZPiBLhYNRRFXnlJ+SSsu93v8eBky3qA01ujPZKxROrW4N3qezTx4z6lFiFhI1+bNECAwEAAaOCAmowggJmMA4GA1UdDwEB/wQEAwIGwDAdBgNVHQ4EFgQUIbHZusF1p8SphRo6Nh48Z/RWS8AwHwYDVR0lBBgwFgYIKwYBBQUHAwMGCisGAQQBgjcKAwYwgakGA1UdIwSBoTCBnoAUi71bM+FBDLv6QnJ2V2+6gyVTes6hdKRyMHAxKzApBgNVBAsTIkNvcHlyaWdodCAoYykgMTk5NyBNaWNyb3NvZnQgQ29ycC4xHjAcBgNVBAsTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEhMB8GA1UEAxMYTWljcm9zb2Z0IFJvb3QgQXV0aG9yaXR5ghBqC5lPwAAbqxHaOqG23+yIMEgGA1UdHwRBMD8wPaA7oDmGN2h0dHA6Ly9jcmwubWljcm9zb2Z0LmNvbS9wa2kvY3JsL3Byb2R1Y3RzL1dpbkludFBDQS5jcmwwVQYIKwYBBQUHAQEESTBHMEUGCCsGAQUFBzAChjlodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY3Jvc29mdFdpbkludFBDQS5jcnQwgcYGA1UdIASBvjCBuzCBuAYJKwYBBAGCNxUvMIGqMEAGCCsGAQUFBwIBFjRodHRwczovL3d3dy5taWNyb3NvZnQuY29tL3BraS9zc2wvY3BzL1dpbmRvd3NQQ0EuaHRtMGYGCCsGAQUFBwICMFoeWABDAG8AcAB5AHIAaQBnAGgAdAAgAKkAIAAxADkAOQA5AC0AMgAwADAANQAgAE0AaQBjAHIAbwBzAG8AZgB0ACAAQwBvAHIAcABvAHIAYQB0AGkAbwBuAC4wDQYJKoZIhvcNAQEFBQADggEBAA3inZB8cCv7Cb9+qniz0YxsfpXd8A/AnEdA0vYFpebpqJ7tlbGt/2uTHujtKw7cHxrc2f+NKLNAyBeXGexSeBIfaZBQNOO7kwXf3I1A7UPjPTHSfRreqEBmCAnfABJOq7MiiGnkCeH3+gQ4pF3wbTCzfn2J0ryovfj21LCLCMaIzkt4s8CKzQ7c1dP34XQUkNKdFJ/hxyMlU4Zh4OyWD3K7qrLGqynjM7OEWUuYpqiA4
72iDwoel/pgQpBM96daT26JbJuHK/D4h3CZmn553Ba5xHVA9sgRaTdKBbNj4TFMZE1uA8o1xBfqaaypM5s4i3OhMwQ3AZJHd/cJK74tXig="
                },
                {
                    "signer_name": "Microsoft Corporation",
                    "issuer": "CN=Microsoft Code Signing PCA 2011",
                    "certificate_thumbprint": "62009AAABDAE749FD47D19150958329BF6FF4B34",
                    "tbs_sha256": "E17764C39F2AFD7114F8528D2F9783D9A591F6679715EECE730A262CF5CFD3B3",
                    "tbs_sha1": "3D07186A55AD7D7691B88AC4D130F2002F664B16",
                    "valid_from": "2019-05-02T21:37:46+00:00",
                    "valid_to": "2020-05-02T21:37:46+00:00",
                    "certificate_der_base64": "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"
                }
            ]
        }
    },
    {
        "Name": "PSEXEC (Clone)",
        "Category": "RAT",
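        "Description": "PSEXEC (Clone) is a remote monitoring and management (RMM) tool. This entry groups PsExec-style remote command execution utilities; the file names listed below cover PAExec, CSExec, RemCom and XCmd. The code-signing certificates recorded for it were issued to ZOHO Corporation Private Limited, a vendor that also signs unrelated commercial software, so use the thumbprints for hunting and triage together with the file names rather than as a standalone block list. More information will be added as it becomes available.",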
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "paexec.exe",
                "PAExec-*.exe",
                "csexec.exe",
                "remcom.exe",
                "remcomsvc.exe",
                "xcmd.exe",
                "xcmdsvc.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "user_managed"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec__clone__network_sigma.yml",
                "Description": "Detects potential network activity of PSEXEC (Clone) RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec__clone__processes_sigma.yml",
                "Description": "Detects potential processes activity of PSEXEC (Clone) RMM tool"
            }
        ],
        "References": [
            "https://www.poweradmin.com/paexec/"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "ZOHO Corporation Private Limited",
                    "certificate_thumbprint": "9CFE33A8A1FB933BEDF943EF4263D03B6A5F828E",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "da398afb377c451678b2bc25c13d2ffa160867803f6a6cc29bebeaf1f9b4c625",
                    "src_file_path": "downloaded_files/psexec_(clone)/da398afb377c451678b2bc25c13d2ffa160867803f6a6cc29bebeaf1f9b4c625",
                    "src_file_company": "Talha Tariq - [ talhatariq.wordpress.com ]"
                },
                {
                    "signer_name": "ZOHO Corporation Private Limited",
                    "certificate_thumbprint": "99869B5E06680A842469CC3DA2F2DFFFE75AC930",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "4de5b87554f9ce3af6c0fb466b72cd69400900f2bef83bb5465ec05c8dc6b119",
                    "src_file_path": "downloaded_files/psexec_(clone)/4de5b87554f9ce3af6c0fb466b72cd69400900f2bef83bb5465ec05c8dc6b119",
                    "src_file_company": "Talha Tariq - [ talhatariq.wordpress.com ]"
                },
                {
                    "signer_name": "ZOHO Corporation Private Limited",
                    "certificate_thumbprint": "03498B4CC5B51DB6CE80699F23CAC1724BB36B69",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "7c8ffcc6c5c0233236d75075074bbba95b306f758f12209bf9aec3649f2b2383",
                    "src_file_path": "downloaded_files/psexec_(clone)/7c8ffcc6c5c0233236d75075074bbba95b306f758f12209bf9aec3649f2b2383",
                    "src_file_company": "Talha Tariq - [ talhatariq.wordpress.com ]"
                },
                {
                    "signer_name": "ZOHO Corporation Private Limited",
                    "certificate_thumbprint": "C70830D17ABB7119FCE1A1DD2DC9FD0E92E33241",
                    "certificate_der_base64": "MIIHHTCCBQWgAwIBAgIMUTKvkMxVHmhbG2urMA0GCSqGSIb3DQEBCwUAMFkxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMS8wLQYDVQQDEyZHbG9iYWxTaWduIEdDQyBSNDUgQ29kZVNpZ25pbmcgQ0EgMjAyMDAeFw0yMzExMjAxMzIzNTdaFw0yNjEwMDkwNzQwNThaMIGKMQswCQYDVQQGEwJJTjETMBEGA1UECBMKVGFtaWwgTmFkdTEQMA4GA1UEBxMHQ2hlbm5haTEpMCcGA1UEChMgWk9ITyBDb3Jwb3JhdGlvbiBQcml2YXRlIExpbWl0ZWQxKTAnBgNVBAMTIFpPSE8gQ29ycG9yYXRpb24gUHJpdmF0ZSBMaW1pdGVkMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA9kC4vMrdY8My73T7+5srPt9QSKydxWv1QBIufJkNfgwg1swO3WltLDn73RcYEjpgb9oTqlGpyLrmrPinpiN2yopcY6zx1LtauPnpLkkWEFnISTRI8M8viShjgEs5f39wbHKJq1C4BbTDJjyN/qtBdfrSC9aW2kLLpBf5krBOlsgPYwWhqI+5lorqEM/7P8PROv7o3WazqEJi1DvxrPDhZDj2RWaWKbocXS5B/LIZ5g+IuWHvjAeVlTL7NhFzuZ32picea3Ic2Ym1+gsfbuZe0Oc/7rYt3x39IPwqMkdYFjMtwxm9dDIVwOWmpJbLPk8/qZQU3acJdg9b16DkDHSaSJ6VuFjlSMjdDICvuZhv4zKqOHLT2zR9SUIAmnrh3Q4VPZzONU4Q2s7JUYpGHZk4dmDf+ANkPYEleoW6yth9MHW+c01u6yBBYsz3DrlH+vNF+gFEUPeiAxS9WTtqjYZPT5RgtlyzVbnFwcTN9GhC5+RD9WDxb4XabwYtZCyjcLgdbutsNbObGA2W3vcMr7wL3I7Z4tEmm8OPqgYQhtjWxdaj4QIF+ucp8g0alS8oOg2b+7/3lxs9XB6er2zVeWwDrE3k8dThpywjcr/ZyZMq/3PaqaRX19nlJQK6h0nn04/Dvxt1zE0yb5S3OrfuUYiyhZm1N3zLzH6fG8t7wGWgKZ0CAwEAAaOCAbEwggGtMA4GA1UdDwEB/wQEAwIHgDCBmwYIKwYBBQUHAQEEgY4wgYswSgYIKwYBBQUHMAKGPmh0dHA6Ly9zZWN1cmUuZ2xvYmFsc2lnbi5jb20vY2FjZXJ0L2dzZ2NjcjQ1Y29kZXNpZ25jYTIwMjAuY3J0MD0GCCsGAQUFBzABhjFodHRwOi8vb2NzcC5nbG9iYWxzaWduLmNvbS9nc2djY3I0NWNvZGVzaWduY2EyMDIwMFYGA1UdIARPME0wQQYJKwYBBAGgMgEyMDQwMgYIKwYBBQUHAgEWJmh0dHBzOi8vd3d3Lmdsb2JhbHNpZ24uY29tL3JlcG9zaXRvcnkvMAgGBmeBDAEEATAJBgNVHRMEAjAAMEUGA1UdHwQ+MDwwOqA4oDaGNGh0dHA6Ly9jcmwuZ2xvYmFsc2lnbi5jb20vZ3NnY2NyNDVjb2Rlc2lnbmNhMjAyMC5jcmwwEwYDVR0lBAwwCgYIKwYBBQUHAwMwHwYDVR0jBBgwFoAU2rONwCSQo2t30wygWd0hZ2R2C3gwHQYDVR0OBBYEFCMn0QszddJ9k7wXrDqrFjMqYforMA0GCSqGSIb3DQEBCwUAA4ICAQAl/RdqXQUt+frZzvsWqSA5LnTScB8kL0ffFGnm8VaPWISnDG9brVVnyeyRNTQ8zCkgjQzZ0UgRe03xx9az+vhbbJ3NrIMZLajD4fz4R4ZJCAos4Vp103wwlTOHBethluckXWW4qzBi69JDOCt8puRcNCchqeqTmK401Lp8Zdzm6nY3zefiVgY4VZKw8YtBbeKn6da+7lrTt
fvx7nc/w3TZT6jo7QCfZjr8WQBrwt/Xn2mIjzKgvyI/bnxZhve7DhXPD0+OI0xnkEWvqRx39B7WjMPpq0HrpB9BDOeAFh9i/j3Em1/TaXfIAhpR4CTbkImIbc7YS5qZAZ2mVl02Jy73JFCOrI+wZ6FcWrjMiemHPfzx5xO7Vt3kLG+u81Ly3Sb8Soa16sVKOVc4tGIs2ZOELi6YWJXVDNaiyHtGr1LMWNa+YLbU9J4SURobwq3kg9X+kVX0W3PI+WnTTfbzAcRBmfMlFW9XnDS6zvmI/mhjYFI1UliH81Kn1kGni1txsqhS3A86/3qJOXl0YV5Dql9LUts5Aoml2qqiGansKgNG5C12ZrDOmyPFH9FwBxsAtcvwO/yRpfjHj+s5RvJONHZcFJL+p6eOZB9Neh/50y5MWj60uhxAojt2qOIq74BWBvwycSr5cGrG0Bc+W5PNfOTZgDC1NxnFcL31A+Q2OMDazw==",
                    "src_file_sha256": "3dc95ecd69c20d1c56b4befd135300f93afcfe12e214d86dbf6a70f05121b377",
                    "src_file_path": "downloaded_files/psexec_(clone)/3dc95ecd69c20d1c56b4befd135300f93afcfe12e214d86dbf6a70f05121b377",
                    "src_file_company": "Talha Tariq - [ talhatariq.wordpress.com ]"
                },
                {
                    "signer_name": "ZOHO Corporation Private Limited",
                    "certificate_thumbprint": "039B7B91AFEFDB68B36E6A2D246545D581D1BF0D",
                    "certificate_der_base64": "MIIHHTCCBQWgAwIBAgIMJLsRnOfnHVmJ4Mb2MA0GCSqGSIb3DQEBCwUAMFkxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMS8wLQYDVQQDEyZHbG9iYWxTaWduIEdDQyBSNDUgQ29kZVNpZ25pbmcgQ0EgMjAyMDAeFw0yNTAyMjEwOTQwNTBaFw0yNjEwMDkwNzQwNThaMIGKMQswCQYDVQQGEwJJTjETMBEGA1UECBMKVGFtaWwgTmFkdTEQMA4GA1UEBxMHQ2hlbm5haTEpMCcGA1UEChMgWk9ITyBDb3Jwb3JhdGlvbiBQcml2YXRlIExpbWl0ZWQxKTAnBgNVBAMTIFpPSE8gQ29ycG9yYXRpb24gUHJpdmF0ZSBMaW1pdGVkMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtnRtnGmOSz83W/xFrNqPV6bvmT2EDvWLACUb00a+4lYlmoBpdxMAEMoFyT6C1wsknR+yDzD3Fvv3ZakDDtAyMlcaHwDEGL++B8nGcjcw7K1+apL7x8TcQzekrSBsTr8KAaz6u5kL2ba0AMLkLm183u2CKpjaxl8Yq4QTwpHd468pNuVqTHPin/mWJgrG/ME2+oqoLrw+53z5UH+3O2gFHefvgmVCic6jALPZ/y/IdJyq3ga+gWa+nWb0Xp4vyq2d02pQ0vRpXCiGxNVbO96Z6VcqkSyYifeuOJ160FPSh2y2kptPSgbg+DRJlgoZ7B9aUeZJ0OuiOshSHq/F7nff0+BFmnhVmVP4zyshIfS9BJMC/A2PMVWTqc2nfdQirBwA9KChPUu+LOOI0E6oRCXl5DqIPmORzAUYGenmvcdztvlAfm4yuHDORBIX1S/CfrMLJE6P0TQRdOWUit7gENgZNEGELwth6JiKxw+bUvhmxmcKJOTbBERYsaTChVpSnq1/NqRZlzOuh2DlzTs8IxZ9Ze6q29iKBobFrOgjesyZRONV6CQQvZ43HW1OZsakYmjG0XnxBPWtOJ1yJgvJrkJAb4xTPU66oziBTztmJvJcWMlLPAGMfdF+jFI0C9wREh4vthwM3vOATNG3BknjgKLMETQWMnYEc91cE66EstD2N9ECAwEAAaOCAbEwggGtMA4GA1UdDwEB/wQEAwIHgDCBmwYIKwYBBQUHAQEEgY4wgYswSgYIKwYBBQUHMAKGPmh0dHA6Ly9zZWN1cmUuZ2xvYmFsc2lnbi5jb20vY2FjZXJ0L2dzZ2NjcjQ1Y29kZXNpZ25jYTIwMjAuY3J0MD0GCCsGAQUFBzABhjFodHRwOi8vb2NzcC5nbG9iYWxzaWduLmNvbS9nc2djY3I0NWNvZGVzaWduY2EyMDIwMFYGA1UdIARPME0wQQYJKwYBBAGgMgEyMDQwMgYIKwYBBQUHAgEWJmh0dHBzOi8vd3d3Lmdsb2JhbHNpZ24uY29tL3JlcG9zaXRvcnkvMAgGBmeBDAEEATAJBgNVHRMEAjAAMEUGA1UdHwQ+MDwwOqA4oDaGNGh0dHA6Ly9jcmwuZ2xvYmFsc2lnbi5jb20vZ3NnY2NyNDVjb2Rlc2lnbmNhMjAyMC5jcmwwEwYDVR0lBAwwCgYIKwYBBQUHAwMwHwYDVR0jBBgwFoAU2rONwCSQo2t30wygWd0hZ2R2C3gwHQYDVR0OBBYEFOEVX0xefVGKmOHi/uHr17eQOdG4MA0GCSqGSIb3DQEBCwUAA4ICAQB9ErI0zm8zbr2borpvUdDBZusx0w11dlAO1Gx0WRz40hwLPZ2ygUyPChSl8GC1RV8aggNwQG8AQ+v4D/nbTu/62tEgIFS3CB/0g6thdZXWz1gaUWdS7C5IvXDFdJygnMUImM/pvNZNCDbRGjmHPufM9qa7z6OyMwUUeiw1/ITYrW7TYU0fE22u7jHuJdZCJjkSysT/ITjB/
reDqadzXgd/vsQhmzw6poyVLoUfRc6l6sZXwqGtD8gJbA0tJ26+tzYRP7P7P5wBFYU8pFGi4fG6cTKFsoJJEI6UfiYBiI1v67l8TEABgG0XKzz+LTwiz51Z3xP+U68GioeZYim68fsbcqTdthm+V6E4CAvQpr4Kn+fOwFZ/hVD1BrlYy6iHSDT2SnhLckkg1cBTLG3sVeek6KWB0KyfzOxO9hIKNttQFkN4aOGigTA/VSpU53SPsjJ1tjaauxo1Ytug4+aWe6XypUi1UaCFUu91lTtlUtI4PSCuhbf56oYB6dTc0w44O6f2d8M4jOSTNmhF1fiWQ9MnRgD/UUpRxdSLvxJEj7D1bUfGzPs7pjJyJNRTA0BeY5FpyuxxllBytLMjptt8CKXK8Uu5o+l6F30nyOENNfbqx62GXpkSiplOv6p0vOGVGJ9NrD9WuKiEHmwadwlqOWnka0HBF2iLQGrf0V7mF2+Lkw==",
                    "src_file_sha256": "dd54213527e7c541a12e2df04769f44d0e390229ad0756ab3f3883e2b8b80ebe",
                    "src_file_path": "downloaded_files/psexec_(clone)/dd54213527e7c541a12e2df04769f44d0e390229ad0756ab3f3883e2b8b80ebe",
                    "src_file_company": "Talha Tariq - [ talhatariq.wordpress.com ]"
                }
            ]
        }
    },
    {
        "Name": "mRemoteNG",
        "Category": "RAT",
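        "Description": "mRemoteNG is an open-source, multi-protocol remote connections manager, tracked in this catalog as a remote monitoring and management (RMM) tool. The code-signing data for this entry also appears to cover bundled third-party components (for example the 7zip.exe search name and the Simon Tatham signer), so those names and signers are not specific to mRemoteNG and should not be used as indicators on their own. More information will be added as it becomes available.",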
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://mremoteng.org/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "mRemoteNG.exe",
                "C:\\Program Files (x86)\\mRemoteNG\\*",
                "*\\mRemoteNG\\*",
                "*\\mRemoteNG.exe",
                "c:\\Program Files (x86)%\\mRemoteNG",
                "*%\\mRemoteNG",
                "mRemoteNG-Installer-*.msi",
                "*\\mRemoteNG.exe"
            ]
        },
        "Artifacts": {
            "Disk": [
                {
                    "File": "C:\\Users\\*\\AppData\\Roaming\\mRemoteNG\\mRemoteNG.log",
                    "Description": "mRemoteNG log file",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Users\\*\\AppData\\Roaming\\mRemoteNG\\confCons.xml",
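                    "Description": "mRemoteNG connection configuration file (confCons.xml); it holds the saved connection entries and can include stored credentials, so unexpected reads or copies of it are worth reviewing",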
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Users\\*\\AppData\\*\\mRemoteNG\\**10\\user.config",
                    "Description": "mRemoteNG user configuration file",
                    "OS": "Windows"
                }
            ],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "user_managed",
                        "mremoteng.org"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_network_sigma.yml",
                "Description": "Detects potential network activity of mRemoteNG RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_files_sigma.yml",
                "Description": "Detects potential files activity of mRemoteNG RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_processes_sigma.yml",
                "Description": "Detects potential processes activity of mRemoteNG RMM tool"
            }
        ],
        "References": [
            "https://github.com/mRemoteNG/mRemoteNG"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "search_names": [
                "7zip.exe",
                "mremoteng.dll",
                "mremoteng.exe"
            ],
            "company_names": [],
            "signer_names": [
                "David Sparer",
                "Open Source Developer, Dimitrij Gorodeckij",
                "Simon Tatham"
            ],
            "certificates": [
                {
                    "signer_name": "David Sparer",
                    "certificate_thumbprint": "DEFFB77C09F5ADC3691A0EA8A36E2617577AF8AB",
                    "tbs_sha256": "80840828E6440160B4977E9AA21613D0452E7B272AF7D32B5007AB419E61CD25",
                    "tbs_sha1": "",
                    "certificate_der_base64": "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"
                },
                {
                    "signer_name": "Open Source Developer, Dimitrij Gorodeckij",
                    "certificate_thumbprint": "93F35DA1E0F1E59DB3455D29AF83CE90FAC249F4",
                    "tbs_sha256": "C85CE1021CB17FCD3C004433B22F1018A75AEBCD8413CD4BBC2D78AE8C8878EB",
                    "tbs_sha1": "",
                    "certificate_der_base64": "MIIGzjCCBLagAwIBAgIQNYZI4KfhJG+Jkc2DffhmGzANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJQTDEhMB8GA1UEChMYQXNzZWNvIERhdGEgU3lzdGVtcyBTLkEuMSQwIgYDVQQDExtDZXJ0dW0gQ29kZSBTaWduaW5nIDIwMjEgQ0EwHhcNMjUwNDEwMTMwNTUyWhcNMjYwNDEwMTMwNTUxWjB0MQswCQYDVQQGEwJHQjEQMA4GA1UEBwwHQnJvbWxleTEeMBwGA1UECgwVT3BlbiBTb3VyY2UgRGV2ZWxvcGVyMTMwMQYDVQQDDCpPcGVuIFNvdXJjZSBEZXZlbG9wZXIsIERpbWl0cmlqIEdvcm9kZWNraWowggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDPNK0bdCCENBgPRp3CnHqnAMRVeq4lRbYLNllWlFgBSkabQXioZY+GYReoDHFAi8Jg/74p0cR5hCXGjJNtRQU8oBMrIA+ZWARllKK0gi0QhgSCczi8OEXjwadCVannexPF208BRLfAkx7ptQ5/3SceXnTRwRpnAc86n/GRCumMrLcHwikafJ9D5sIhSmCH+43tvBKZgFNC9ossE7ZTnaFqd0gm92ZIsSyhsqvgHxCEqZV7SkQrRAtHGUTpQhCbMuIR+h666EeH5n5RE19acMB5PUJkGoZM3lkANRAoMhxLnrERlIVSSOc0zJRC/C5dQUS+eSBWMfmfwbz3GcumpiYNAPzrrN4fZxJUUYpKHkOHO41SfuvEKaCHFBSa7Kv3Q0pUavJ16XGUdLRrcLVtJitvmzFg7JgPIFOEVAoo6TX9Lex0jg1YI7gW0esAsRqnQ3b5dEAQCF8yxpWM569QN6prdLw2Rt/mmVmCr6HXFvd6ldzj+ZTFxlARv3/n27OgOsn+XbUc/eGhtEzPfdH09U5uimzxqj5gGQDRf2egWvfBGUJEx9WaxKMGMTwBnKF4o2zFiaXxPnETkAQEY8OVABP0Xs0GkpQ22qfWgUbMabuZBxgaAHHgD90qQR7qAzw3VF0G2Dw+G5gL90+fHtXghfRhh7x6jpEqrumPGwgn+eyIhwIDAQABo4IBeDCCAXQwDAYDVR0TAQH/BAIwADA9BgNVHR8ENjA0MDKgMKAuhixodHRwOi8vY2NzY2EyMDIxLmNybC5jZXJ0dW0ucGwvY2NzY2EyMDIxLmNybDBzBggrBgEFBQcBAQRnMGUwLAYIKwYBBQUHMAGGIGh0dHA6Ly9jY3NjYTIwMjEub2NzcC1jZXJ0dW0uY29tMDUGCCsGAQUFBzAChilodHRwOi8vcmVwb3NpdG9yeS5jZXJ0dW0ucGwvY2NzY2EyMDIxLmNlcjAfBgNVHSMEGDAWgBTddF1MANt7n6B0yrFu9zzAMsBwzTAdBgNVHQ4EFgQUTzIUCIjH2wVGvsFDhZCiVNnay8UwSwYDVR0gBEQwQjAIBgZngQwBBAEwNgYLKoRoAYb2dwIFAQQwJzAlBggrBgEFBQcCARYZaHR0cHM6Ly93d3cuY2VydHVtLnBsL0NQUzATBgNVHSUEDDAKBggrBgEFBQcDAzAOBgNVHQ8BAf8EBAMCB4AwDQYJKoZIhvcNAQELBQADggIBAEW5qa4FQ6xwNX9C6t2CKbiAGQv12iMEdRJmaGigZ0YPgNXZqoQDNLOzElaFLhG52k4xx3oftbftI69XRpowxJo/DE7bQKz+JVb8RH2r/1ag+Ndg2D4hSWt2WEgqdKHzcX47JuWwHEykpghe0y96pXspZKE7igYazTdtsX3Ka6hHggqiRLCIMr/7VkiQBz5CxUMMwCM1A1wnCMm+jB2PVeM5elPS5imS15OMkDYflqdSY1QqUel0BKjQFTwx+vv2WnDdNGHViEgmKd3H6G3wPqTJwOIdGtol34fWCAT28zUT72xyCu5yz
hHXIdouA2l8aghBGwDQ14XIHTD3mfqPF0WhOp0quiATHFQnwQR8eVLCg4jmIrK7Z/TBV5PotfPI8iexRrmPLIHTiPQuCLme4IaMaYzKkO59Dr/+10BHD56Qz4tpp5KSVZlCePwNV0oqiHaA5KKOS0MTgq05bhm+0Z5pdNWZqIEou4A0iwdnmDMQQZ7ZnGFzqLgwm4gdejPGvMlRo90nCWn8V0Zy92UqayXe+KJI3dAxOfvFkEIoq+m2cFtaAjB84/NypLGQaMP9Jb0vBKniLv8HStFgACA3+2bL7UXX1t/LvGsihEgViCY9vtZMUqZZrFgSWE1SB2B02uRHP+OPfSPjbZZhEBtEsy+6898O5mRa79cF7s7+0nI9"
                },
                {
                    "signer_name": "David Sparer",
                    "certificate_thumbprint": "N/A",
                    "tbs_sha256": "99443F90AB887671A05644A2E854F307E68508B3E7BCB7852EF6AC1DDFBA55FA",
                    "tbs_sha1": ""
                },
                {
                    "signer_name": "Simon Tatham",
                    "certificate_thumbprint": "N/A",
                    "tbs_sha256": "",
                    "tbs_sha1": "",
                    "tbs_sha384": "47D33AA6FC96754AAB657A6EC79291F7D98D12E39010E6060EF3770042343B1C2BADA6B732510F090C1A592CAE653579"
                }
            ]
        },
        "FileHashes": {
            "authenticode": [
                {
                    "file_name": "mRemoteNG.dll",
                    "sha256": "482D78559F3E0A3AEC8BF79B0E0C168F800F6B139E4128479C41193EAFAAC1AF",
                    "sha1": "1C317C6177EE99D84C5D563C8C3A960F73CD6096"
                },
                {
                    "file_name": "7zip.exe",
                    "sha256": "4EF18639D8D70955EC4820948FEBF02C4B7716B3048172955AB164CD562894C1",
                    "sha1": "E8BDC8FF6F566BDE26438CB2D0507FAEFB1939C5"
                },
                {
                    "file_name": "mRemoteNG.dll",
                    "sha256": "AE488CB60C974C072DB559BF3145D17C4D7F552720CA8F0AA7D2662E9849A3EB",
                    "sha1": "BA2020535A1E6BAE3594A019AEF3D72479FA2D52"
                },
                {
                    "file_name": "mRemoteNG.exe",
                    "sha256": "0AF3EE69684F0BAAFC16E77385D39FAE0FA67C71F92CF39680F1FB28C3F1EDBB",
                    "sha1": "E2D90B145DBD83902D7181F084A200B76E2554A0"
                }
            ],
            "page": [
                {
                    "file_name": "mRemoteNG.dll",
                    "sha256": "8CA9E203261D960AB18E6328B80BDF8B9BCAE8CC33DAFA3604C146BD0CB28184",
                    "sha1": "892C5F2F52D2560173B0A18292FE7C3F23554F47"
                },
                {
                    "file_name": "7zip.exe",
                    "sha256": "81D39F11817B00E1A7C3C4A231D0F194CB28B71FA2858E1801CCB043479D2B1E",
                    "sha1": "C832238CE751692DFF2664A475C601694BEB8E4B"
                },
                {
                    "file_name": "mRemoteNG.dll",
                    "sha256": "03DA1F5410534F288B3D67C251576555BACB4DA3FF22DC46012C18524412A3F9",
                    "sha1": "6D818BA71DAA614966A19A0CC215B3A9523BB8A0"
                },
                {
                    "file_name": "mRemoteNG.exe",
                    "sha256": "F41D38027B95545762BE5F7C19193235D6BAF39E20D2F9C9AFAD70BFBA9E8944",
                    "sha1": "86779603005DCA848CF51C10E48B086EC11159C6"
                }
            ]
        }
    },
    {
        "Name": "FleetDeck.io",
        "Category": "RMM",
        "Description": "FleetDeck is a remote monitoring and management (RMM) tool that provides agent-based remote desktop access and system management capabilities. The software supports remote desktop access, reboot/shutdown capabilities including safe mode, and virtual terminal support. FleetDeck agents report system information and enable remote access to managed endpoints. The tool can be deployed via MSI, MST, or shared link installations.",
        "Author": "Michael Haag",
        "Created": "2026-01-15",
        "LastModified": "2026-01-15",
        "Details": {
            "Website": "https://fleetdeck.io/",
            "PEMetadata": [
                {
                    "Filename": "fleetdeck-agent.exe",
                    "OriginalFileName": "fleetdeck_installer",
                    "Description": "FleetDeck agent installer (verified via official documentation)"
                },
                {
                    "Filename": "fleetdeck_agent_svc.exe",
                    "OriginalFileName": "",
                    "Description": "FleetDeck agent service executable (verified via official documentation)"
                },
                {
                    "Filename": "fleetdeck-agent.msi",
                    "OriginalFileName": "",
                    "Description": "FleetDeck MSI installer (verified via official documentation)"
                },
                {
                    "Filename": "fd_agent.dll",
                    "OriginalFileName": "",
                    "Description": "FleetDeck agent DLL component (reported in GitHub issue)"
                }
            ],
            "Privileges": "SYSTEM",
            "Free": "Trial and Paid",
            "Verification": "Code-signed",
            "SupportedOS": [
                "Windows"
            ],
            "Capabilities": [
                "Remote Control",
                "Remote Access",
                "Remote Desktop",
                "System Reboot",
                "Safe Mode Access",
                "Remote Shutdown",
                "Virtual Terminal",
                "System Monitoring"
            ],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Program Files (x86)\\FleetDeck Agent\\fleetdeck_agent_svc.exe",
                "C:\\Program Files (x86)\\FleetDeck Agent\\*\\fleetdeck_agent.exe",
                "C:\\Program Files (x86)\\FleetDeck Agent\\*\\fd_agent.dll",
                "C:\\Windows\\Temp\\FleetDeck\\*",
                "fleetdeck-agent.exe",
                "fleetdeck_agent_svc.exe",
                "fleetdeck_commander_svc.exe",
                "fleetdeck_installer.exe",
                "fleetdeck_commander_launcher.exe",
                "fleetdeck_agent.exe",
                "fleetdeck-agent.msi",
                "fleetdeck-agent.mst"
            ]
        },
        "Artifacts": {
            "Disk": [
                {
                    "File": "C:\\Program Files (x86)\\FleetDeck Agent\\fleetdeck_agent_svc.exe",
                    "Description": "FleetDeck agent service executable (verified via official documentation)",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files (x86)\\FleetDeck Agent\\*\\fleetdeck_agent.exe",
                    "Description": "FleetDeck agent executable (verified via official documentation)",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files (x86)\\FleetDeck Agent\\*\\fd_agent.dll",
                    "Description": "FleetDeck agent DLL (reported in GitHub issue)",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Windows\\Temp\\FleetDeck\\*",
                    "Description": "FleetDeck temporary files directory (verified via official documentation)",
                    "OS": "Windows"
                }
            ],
            "EventLog": [
                {
                    "EventID": 7045,
                    "Description": "Service installation event for FleetDeck Agent Service",
                    "OS": "Windows"
                }
            ],
            "Registry": [
                {
                    "Path": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\FleetDeck Agent Service",
                    "Description": "FleetDeck service registry key",
                    "OS": "Windows"
                }
            ],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.fleetdeck.io",
                        "fleetdeck.io",
                        "agentmqtt.fleetdeck.io",
                        "checkip.zmazonaws.com"
                    ],
                    "Ports": [
                        443
                    ]
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdeck_network_sigma.yml",
                "Description": "Detects potential network activity of FleetDeck.io RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdeck_processes_sigma.yml",
                "Description": "Detects potential processes activity of FleetDeck.io RMM tool"
            }
        ],
        "References": [
            "https://github.com/magicsword-io/LOLRMM/issues/112",
            "https://fleetdeck.io/faq/"
        ],
        "Acknowledgement": [
            {
                "Person": "default1337",
                "Handle": "@default1337"
            }
        ],
        "CodeSigning": {
            "search_names": [],
            "company_names": [],
            "signer_names": [
                "FLEETDECK INC.",
                "FleetDeck Inc"
            ],
            "certificates": [
                {
                    "signer_name": "FLEETDECK INC.",
                    "certificate_thumbprint": "CA172BACE97F7C97A6AE9E16CC9360F59E7B9CF4",
                    "tbs_sha256": "10BA0C15DBB8A3DCC97DA22C8EE7ABA6577CD4733356520890518CE115736DFE",
                    "tbs_sha1": "",
                    "certificate_der_base64": "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"
                },
                {
                    "signer_name": "FleetDeck Inc",
                    "certificate_thumbprint": "77DAF21A6F30487919801D224AADAE95549DBF7B",
                    "tbs_sha256": "67FB7502C5558CAA36C59E6A08ACCB243C2369C7BB3214A9A321F8CEA5DB16E0",
                    "tbs_sha1": "",
                    "certificate_der_base64": "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"
                },
                {
                    "signer_name": "FleetDeck Inc",
                    "certificate_thumbprint": "FD1A886C50EFD9778C8A046967701E34E7A65C12",
                    "tbs_sha256": "2B558A81F2AE1CFC91FBC2B16A79BBACE77FA34F140C3418D6CF7DC4502AFCBE",
                    "tbs_sha1": "",
                    "certificate_der_base64": "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"
                }
            ]
        }
    },
    {
        "Name": "SysAid",
        "Category": "RMM",
        "Description": "SysAid is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.sysaid.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Program Files\\SysAidServer\\*",
                "*\\SysAidServer\\*",
                "*\\SysAid\\*",
                "*\\IliAS.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sysaid_processes_sigma.yml",
                "Description": "Detects potential processes activity of SysAid RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": []
    },
    {
        "Name": "Comodo RMM",
        "Category": "RMM",
        "Description": "Comodo RMM is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2025-12-14",
        "Details": {
            "Website": "https://one.comodo.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [
                "Windows"
            ],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "itsmagent.exe",
                "rviewer.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.itsm-us1.comodo.com",
                        "*mdmsupport.comodo.com",
                        "one.comodo.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/comodo_rmm_network_sigma.yml",
                "Description": "Detects potential network activity of Comodo RMM RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/comodo_rmm_processes_sigma.yml",
                "Description": "Detects potential processes activity of Comodo RMM RMM tool"
            }
        ],
        "References": [
            "https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "search_names": [
                "itsmagent.exe"
            ],
            "company_names": [],
            "signer_names": [
                "Comodo Security Solutions",
                "Comodo Security Solutions, Inc."
            ],
            "certificates": [
                {
                    "signer_name": "Comodo Security Solutions",
                    "certificate_thumbprint": "AA6FF933D493EFC39685AC523B7A60748CA98E5C",
                    "tbs_sha256": "45A11A719D1C128EF2666BFE946DB88E2C7ED0AC7B58974D7CAB7EE19D397309",
                    "tbs_sha1": "",
                    "certificate_der_base64": "MIIFXzCCBEegAwIBAgIRAIkGXDwQv2jsUAIhSLaOrqkwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEYMBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMSQwIgYDVQQDExtTZWN0aWdvIFJTQSBDb2RlIFNpZ25pbmcgQ0EwHhcNMTkxMjExMDAwMDAwWhcNMjIxMjEwMjM1OTU5WjCBrjELMAkGA1UEBhMCVVMxDjAMBgNVBBEMBTA3MDEzMRMwEQYDVQQIDApOZXcgSmVyc2V5MRAwDgYDVQQHDAdDbGlmdG9uMSAwHgYDVQQJDBcxMjU1IEJyb2FkIFN0IFN1aXRlIDEwMDEiMCAGA1UECgwZQ29tb2RvIFNlY3VyaXR5IFNvbHV0aW9uczEiMCAGA1UEAwwZQ29tb2RvIFNlY3VyaXR5IFNvbHV0aW9uczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOI3+PMfMqEQ2ztP8ooXdE4Z0TyZeo/ZE/kTARWBjVXHrtEc7Opsa1R2KcXCwdDrMN1BjnbY67jB2tWxp2OCN5RiEBW4nEhorCMGOqGBEEvuNiy1wsFE70LBsqO7PDe9lCA9olJ76vDfMOYYhbd1UYZfZzGSP1HAKimIi5Q/PVmYRWw4aRUiiGB8OlGSNfEH+8ic7+SdkayG1U3L7qEYcVydc/Ad8CXHajSGnIwWWavl4dp8LinV7k2VnZHPRj1RnEJp8IzO9K0hs0PM3AvyRTi1tO11kxD5SvsaKx8iIKdVNWYZy0icMhcqs7b+bdagVOwn9HImwvQZhJPUx5U4qmUCAwEAAaOCAacwggGjMB8GA1UdIwQYMBaAFA7hOqhTOjHVir7Bu61nGgOFrTQOMB0GA1UdDgQWBBQpwE0G/kBFN5ef4z9BngSpdHqp8DAOBgNVHQ8BAf8EBAMCB4AwDAYDVR0TAQH/BAIwADATBgNVHSUEDDAKBggrBgEFBQcDAzARBglghkgBhvhCAQEEBAMCBBAwQAYDVR0gBDkwNzA1BgwrBgEEAbIxAQIBAwIwJTAjBggrBgEFBQcCARYXaHR0cHM6Ly9zZWN0aWdvLmNvbS9DUFMwQwYDVR0fBDwwOjA4oDagNIYyaHR0cDovL2NybC5zZWN0aWdvLmNvbS9TZWN0aWdvUlNBQ29kZVNpZ25pbmdDQS5jcmwwcwYIKwYBBQUHAQEEZzBlMD4GCCsGAQUFBzAChjJodHRwOi8vY3J0LnNlY3RpZ28uY29tL1NlY3RpZ29SU0FDb2RlU2lnbmluZ0NBLmNydDAjBggrBgEFBQcwAYYXaHR0cDovL29jc3Auc2VjdGlnby5jb20wHwYDVR0RBBgwFoEUc2NvdC53ZWlyQGNvbW9kby5jb20wDQYJKoZIhvcNAQELBQADggEBAC334tj59lO099CoPhJY4be4CfN0BS85uDVYAVr29zXZYm6AG4NgfdxJ2sUh9wA3zRG8XK7Vd7SaQQ8RfU1Ltfbncsj9G/8Cjdikh/rrYzo3+KtmdRP+5EA87wDczwHAg3WENkdad/Kbg0g44EpT9FGbCTOqObtJBSxg6c8q6/CQLZN2W/g7DdZUaPJdGa8j1UDHGb0eYBxrYB0j6Zu6dGDitq+QsqIfG3KhzabtoA54owQfUSPd+739QMSR3A7fRp4Gnob58rNl4y6ypKR/gS96eh7+zTDVqicHrmHAMtoyuga6GIoz62yLhZIVw0qJnH7aiVf9n4OA5pNONrDwH6w="
                },
                {
                    "signer_name": "Comodo Security Solutions, Inc.",
                    "certificate_thumbprint": "N/A",
                    "tbs_sha256": "",
                    "tbs_sha1": "",
                    "tbs_sha384": "C9FB3AF5B1058E28F4D4B8C8BF07E975C3C4937B20854E7F2E87AD84B5EEC40304851C772118061825EFC49655B77114"
                },
                {
                    "signer_name": "ITarian LLC",
                    "certificate_thumbprint": "83684997F1ACE5AE105E670E8094EDB2AD0879FD",
                    "certificate_der_base64": "MIIG0DCCBTigAwIBAgIRAJSlRogHl6mp7ZcLF+l7quUwDQYJKoZIhvcNAQELBQAwVzELMAkGA1UEBhMCR0IxGDAWBgNVBAoTD1NlY3RpZ28gTGltaXRlZDEuMCwGA1UEAxMlU2VjdGlnbyBQdWJsaWMgQ29kZSBTaWduaW5nIENBIEVWIFIzNjAeFw0yNTA3MjQwMDAwMDBaFw0yNjA3MjQyMzU5NTlaMIGvMRAwDgYDVQQFEwc2OTM2MTUyMRMwEQYLKwYBBAGCNzwCAQMTAlVTMRkwFwYLKwYBBAGCNzwCAQITCERlbGF3YXJlMR0wGwYDVQQPExRQcml2YXRlIE9yZ2FuaXphdGlvbjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCk5ldyBKZXJzZXkxFDASBgNVBAoMC0lUYXJpYW4gTExDMRQwEgYDVQQDDAtJVGFyaWFuIExMQzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALfKqLU/Zz/Neja5r4Ww4gRnyu4dgJz9qCfo17DeoSd48EBYQTHiG0Sz0zdmZM/cMXX/2F/d8qC0xCOnZFOgeuPoRfG6ytP/ibraz5ocJOxK2SNc299l57grlqjjynC6u+SP9BH1cqQow0prYXutmuXkaBpfSnMGH5IOw6tJTAbGq8A74qkrRFcofiAAYdeA/D1D5Y4umJgeFHywZp65SFVZEo0/RsTh0PI8PFekMCBdobBAmVl6beOLfeT+/HEcCD+LfOpbhXi3PINYAV137OOuYSoCQ7/UK6c1imeb5nYjflHoHJM1oMHtCkeU87vnFhb6gKRcLir2hQCpZrGey8nKQDdYaAHi8LX9l9cdc9JwRKOfw+IyaOwvfd/sPhu4QBwVwPruL0hwkjF5KrAd0bplbMEDBsv80VN6JmHXlV+YoGxZGx6FfRWnIRxCkfj3btjn2Gvl+U+MsPfv7mczf2CwTYfqMB64sUoAd5COaVh28sqT+LoB6L7UIBFf4GwrvptNXrByiFlu2zImyJvuc/uuylOE9bbP/qr8i9vOtUVdsDJNC6GqFXRlVKWANnDZ/kxjuIJWRys8MQziO5nIx4NoJOkzYYGiuVWPFUIoBS1RzVSPdtL4kDy5mpL4L0e51ibWE3cuO6FCL6EPxd/e9QaBBV0OuMWckEy8Qs15hRpHAgMBAAGjggG8MIIBuDAfBgNVHSMEGDAWgBSBMpJBKyjNRsjEosYqORLsSKk/FDAdBgNVHQ4EFgQUk42poCZ7TUZTTzcCyISUhEB9Gt0wDgYDVR0PAQH/BAQDAgeAMAwGA1UdEwEB/wQCMAAwEwYDVR0lBAwwCgYIKwYBBQUHAwMwSQYDVR0gBEIwQDA1BgwrBgEEAbIxAQIBBgEwJTAjBggrBgEFBQcCARYXaHR0cHM6Ly9zZWN0aWdvLmNvbS9DUFMwBwYFZ4EMAQMwSwYDVR0fBEQwQjBAoD6gPIY6aHR0cDovL2NybC5zZWN0aWdvLmNvbS9TZWN0aWdvUHVibGljQ29kZVNpZ25pbmdDQUVWUjM2LmNybDB7BggrBgEFBQcBAQRvMG0wRgYIKwYBBQUHMAKGOmh0dHA6Ly9jcnQuc2VjdGlnby5jb20vU2VjdGlnb1B1YmxpY0NvZGVTaWduaW5nQ0FFVlIzNi5jcnQwIwYIKwYBBQUHMAGGF2h0dHA6Ly9vY3NwLnNlY3RpZ28uY29tMC4GA1UdEQQnMCWgIwYIKwYBBQUHCAOgFzAVDBNVUy1ERUxBV0FSRS02OTM2MTUyMA0GCSqGSIb3DQEBCwUAA4IBgQAeInqUdGSNfL3GvkmY/SlvVW0UgLX9EVb+QrSCu/tbcBoofkpyUJOCRR9ausO95yw7FbK/n8sGoEm+FA/3OfisMS3T8ga6/8Dz+DoTJI0TtXO5lFOsj5u1gdh4Ep3d/udrPkYgn
1UpXLQQEiaQWmsijJ8icNx3u1sm8Mme99vhtrK+HrRcUTcYyNyir1hbJxXa+N94a+fpZl8w8+JJ2HuFdi/fEtngHk+3TvMOo92qvm5TMBOP7Tm10GeiM34l6eloBSqikqkSmFaqmlq+/DnZqOJxTqiy79msoyyluKAQSpwl1aIMHqi/pKj2KSbHxmRQfmFzRJwVUzMqWtOKCXNgQAG+izZ69hKotLPHwOOSLGrW/UgddYicxlsCBeHWx2uRJQu/vPA4JTCgdhSnpeDrubHq9qe7C6ioClq9hwp/zq8//iollwtqPNtrNtwTLYpxwtKhumFX1xBBiC9z3Qbo7urohZ6BG4fQNPM73CePByB76asPQBQjhTakQiYReFI=",
                    "src_file_sha256": "0104e8d061e84b6038d1ae63bd184c30b648dfcf20f1ccef375038cbf415356e",
                    "src_file_path": "downloaded_files/comodo_rmm/0104e8d061e84b6038d1ae63bd184c30b648dfcf20f1ccef375038cbf415356e",
                    "src_file_company": "ITarian"
                }
            ]
        },
        "FileHashes": {
            "authenticode": [
                {
                    "file_name": "ITSMAgent.exe",
                    "sha256": "84BC91D460B280B8A6972B8F777277EDC82395D96E665F32FC2242F752EAC37D",
                    "sha1": "CA2D7EE17FC633F70DB33D24F48DEE3A9C3DA20F"
                },
                {
                    "file_name": "ITSMAgent.exe",
                    "sha256": "B75AB2F03350834B9EC34C06CA0A2358CA6B99A708ADEC745680C6E790E82F01",
                    "sha1": "ADA914BBC7166300C4C8942F4339C1E945A946F6"
                }
            ],
            "page": []
        }
    },
    {
        "Name": "Gorelo RMM",
        "Category": "RMM",
        "Description": "Gorelo RMM is a remote monitoring and management tool facilitating remote access and control of devices for support and administration.",
        "Author": "Jean-Marc ALBERT",
        "Created": "2025-11-13",
        "LastModified": "2025-11-13",
        "Details": {
            "Website": "https://www.gorelo.io/remote-management/",
            "PEMetadata": [
                {
                    "Filename": "Gorelo.Rmm.Setup.exe",
                    "OriginalFileName": "Gorelo.Rmm.Setup.exe",
                    "Description": "Gorelo RMM",
                    "Product": "Gorelo RMM"
                }
            ],
            "Privileges": "User",
            "Free": false,
            "Verification": false,
            "SupportedOS": [
                "Windows",
                "Mac"
            ],
            "Capabilities": [
                "File Transfer",
                "File System Access",
                "Remote Control",
                "GUI Support",
                "Command line Support"
            ]
        },
        "InstallationPaths": [
            "C:\\Program Files\\Gorelo\\*"
        ],
        "Artifacts": {
            "Disk": [
                {
                    "File": "C:\\Program Files\\Gorelo\\Agent\\Plugins\\Downloads\\Gorelo.RemoteManagement.AppManagement.zip",
                    "Description": "Gorelo Agent Plugin - App Management",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files\\Gorelo\\Agent\\Plugins\\Downloads\\Gorelo.RemoteManagement.DeviceChat.zip",
                    "Description": "Gorelo Agent Plugin - Device Chat",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files\\Gorelo\\Agent\\Plugins\\Downloads\\Gorelo.RemoteManagement.IpAddressDetector.zip",
                    "Description": "Gorelo Agent Plugin - IpAddress Detector",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files\\Gorelo\\Agent\\Plugins\\Downloads\\Gorelo.RemoteManagement.ScreenCapture.zip",
                    "Description": "Gorelo Agent Plugin - Screen Capture",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files\\Gorelo\\Agent\\Plugins\\Downloads\\Gorelo.RemoteManagement.ScriptRunner.zip",
                    "Description": "Gorelo Agent Plugin - Script Runner",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files\\Gorelo\\Agent\\Plugins\\Downloads\\Gorelo.RemoteManagement.ServerMonitor.zip",
                    "Description": "Gorelo Agent Plugin - Server Monitor",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files\\Gorelo\\Agent\\Plugins\\Downloads\\Gorelo.RemoteManagement.ShellCommand.zip",
                    "Description": "Gorelo Agent Plugin - Shell Command",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files\\Gorelo\\Agent\\Plugins\\Downloads\\Gorelo.RemoteManagement.SystemProfiler.zip",
                    "Description": "Gorelo Agent Plugin - System Profiler",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files\\Gorelo\\Agent\\Plugins\\Downloads\\Gorelo.RemoteManagement.SystemSecurityManagement.zip",
                    "Description": "Gorelo Agent Plugin - System Security Management",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files\\Gorelo\\Agent\\Plugins\\Downloads\\Gorelo.RemoteManagement.WindowsChecker.zip",
                    "Description": "Gorelo Agent Plugin - Windows Checker",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files\\Gorelo\\Agent\\Plugins\\Downloads\\Gorelo.RemoteManagement.WindowsPatchManagement.zip",
                    "Description": "Gorelo Agent Plugin - Windows Patch Management",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files\\Gorelo\\Agent\\RMMAgent\\Gorelo.RemoteManagement.Agent\\Gorelo.RemoteManagement.Agent.exe",
                    "Description": "Gorelo RMM Agent executable",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files\\Gorelo\\Agent\\Shell\\Gorelo.RemoteManagement.Shell\\Gorelo.RemoteManagement.Shell.exe",
                    "Description": "Gorelo RMM Shell executable",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files\\Gorelo\\Installer\\Downloads\\Gorelo.RemoteManagement.Agent.zip",
                    "Description": "Installer Download - Agent package",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files\\Gorelo\\Installer\\Downloads\\Gorelo.RemoteManagement.Shell.zip",
                    "Description": "Installer Download - Shell package",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files\\Gorelo\\Installer\\Downloads\\Gorelo.Rmm.Installer.Handler.zip",
                    "Description": "Installer Download - Handler package",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files\\Gorelo\\Installer\\Downloads\\Gorelo.Rmm.Installer.zip",
                    "Description": "Installer Download - Installer package",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files\\Gorelo\\Installer\\Gorelo.Rmm.Installer.Handler\\Gorelo.Rmm.Installer.Handler.exe",
                    "Description": "RMM Installer Handler executable",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files\\Gorelo\\Installer\\Gorelo.Rmm.Installer\\Gorelo.Rmm.Installer.exe",
                    "Description": "RMM Installer executable",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files\\Gorelo\\LogFiles\\Agent\\diagnostics-*.txt",
                    "Description": "Diagnostics logs for the Agent component",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files\\Gorelo\\LogFiles\\Installer\\diagnostics-*.txt",
                    "Description": "Diagnostics logs for the Installer component",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files\\Gorelo\\LogFiles\\InstallerHandler\\diagnostics-*.txt",
                    "Description": "Diagnostics logs for the InstallerHandler component",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files\\Gorelo\\LogFiles\\Shell\\diagnostics-*.txt",
                    "Description": "Diagnostics logs for the Shell component",
                    "OS": "Windows"
                }
            ],
            "InstallationPaths": [
                "C:\\Program Files\\Gorelo\\Agent\\*"
            ],
            "Network": [
                {
                    "Description": "Called during access to remote control WebGUI access",
                    "Domains": [
                        "app.gorelo.io"
                    ],
                    "Ports": [
                        443
                    ]
                },
                {
                    "Description": "Called during setup",
                    "Domains": [
                        "gorelo-rmm.azurewebsites.net"
                    ],
                    "Ports": [
                        443
                    ]
                },
                {
                    "Description": "Called during setup",
                    "Domains": [
                        "gw.usw.gorelo.tech"
                    ],
                    "Ports": [
                        443
                    ]
                },
                {
                    "Description": "Called during setup",
                    "Domains": [
                        "lr.rmm.pod1.usw.gorelo.tech"
                    ],
                    "Ports": [
                        443
                    ]
                },
                {
                    "Description": "Called during setup",
                    "Domains": [
                        "public.rmm.pod1.usw.gorelo.tech"
                    ],
                    "Ports": [
                        443
                    ]
                },
                {
                    "Description": "Called during setup",
                    "Domains": [
                        "r1.rmm.uw.gorelo.tech"
                    ],
                    "Ports": [
                        443
                    ]
                },
                {
                    "Description": "Called during setup",
                    "Domains": [
                        "sr.rmm.pod1.usw.gorelo.tech"
                    ],
                    "Ports": [
                        443
                    ]
                }
            ]
        },
        "References": [
            "https://github.com/magicsword-io/LOLRMM/issues/117",
            "https://www.linkedin.com/posts/magicswordio_new-to-lolrmmio-gorelormm-gorelormm-activity-7394482892422393856-BtKl/",
            "https://app.any.run/tasks/8b12557e-8c76-41e8-a3c7-e491f32a0b11"
        ],
        "Acknowledgement": [
            {
                "Person": "Squiblydoo",
                "Handle": "https://github.com/Squiblydoo"
            },
            {
                "Person": "Jean-Marc ALBERT",
                "Handle": "in/jeanmarcalbert"
            }
        ],
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gorelo_rmm_network_sigma.yml",
                "Description": "Detects potential network activity of Gorelo RMM RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gorelo_rmm_files_sigma.yml",
                "Description": "Detects potential files activity of Gorelo RMM RMM tool"
            }
        ],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "GORELO TECH, INC.",
                    "certificate_thumbprint": "A607C45B264B698F88B0CFBB40553D223E8B7032",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "caa0721604c85d2779f2d5dfebd2a1f3203d11585231288f254d84d9544c7ce0",
                    "src_file_path": "downloaded_files/gorelo_rmm/caa0721604c85d2779f2d5dfebd2a1f3203d11585231288f254d84d9544c7ce0",
                    "src_file_company": "Gorelo.Rmm.Setup"
                }
            ]
        }
    },
    {
        "Name": "HelpBeam",
        "Category": "RMM",
        "Description": "HelpBeam is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://web.archive.org/web/20141223111635/http://www.helpbeam.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "helpbeam*.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "helpbeam.software.informer.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpbeam_network_sigma.yml",
                "Description": "Detects potential network activity of HelpBeam RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpbeam_processes_sigma.yml",
                "Description": "Detects potential process activity of HelpBeam RMM tool"
            }
        ],
        "References": [
            "https://www.helpbeam.com - domain for sale in 2024"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "SmarTTY",
        "Category": "RAT",
        "Description": "SmarTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://sysprogs.com/SmarTTY/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "c:\\Program Files (x86)\\Sysprogs\\SmarTTY\\*",
                "*\\Sysprogs\\SmarTTY\\*",
                "*\\SmarTTY.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/smartty_processes_sigma.yml",
                "Description": "Detects potential process activity of SmarTTY RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": []
    },
    {
        "Name": "KiTTY",
        "Category": "RAT",
        "Description": "KiTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.9bis.net/kitty/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\*\\kitty.exe",
                "*\\kitty.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kitty_processes_sigma.yml",
                "Description": "Detects potential process activity of KiTTY RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "Gametop Pte Ltd",
                    "certificate_thumbprint": "AE549749DC0D0DBE947070D130DA2FAF08FEB6A4",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "86f4ba4b3eb16c91aac10ad944e2785d08b597b11ba1f938b757c0705f782f37",
                    "src_file_path": "downloaded_files/kitty/86f4ba4b3eb16c91aac10ad944e2785d08b597b11ba1f938b757c0705f782f37",
                    "src_file_company": "GameTop Pte. Ltd.                                           "
                }
            ]
        }
    },
    {
        "Name": "Solar-PuTTY",
        "Category": "RAT",
        "Description": "Solar-PuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.solarwinds.com/free-tools/solar-putty",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Program Files\\Solar-Putty-v4\\*",
                "*\\Solar-Putty-v4\\*",
                "*\\Solar-PuTTY.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/solar-putty_processes_sigma.yml",
                "Description": "Detects potential process activity of Solar-PuTTY RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": []
    },
    {
        "Name": "TeleDesktop",
        "Category": "RMM",
        "Description": "TeleDesktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2025-12-14",
        "Details": {
            "Website": "",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "pstlaunch.exe",
                "ptdskclient.exe",
                "ptdskhost.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "user_managed",
                        "tele-desk.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teledesktop_network_sigma.yml",
                "Description": "Detects potential network activity of TeleDesktop RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teledesktop_processes_sigma.yml",
                "Description": "Detects potential process activity of TeleDesktop RMM tool"
            }
        ],
        "References": [
            "http://potomacsoft.com/ - DOA as of 2024"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "search_names": [
                "teledesktop (client)",
                "teledesktop (host)"
            ],
            "company_names": [],
            "signer_names": [],
            "certificates": []
        },
        "FileHashes": {
            "authenticode": [
                {
                    "file_name": "TeleDesktop (Client)",
                    "sha256": "D3CAC55FFBFFD3E4470CD656C7E95BEAC70F1D2C93E76F18DAEA398222061084",
                    "sha1": "EC3B660A5975F7CA25860118C74C2CA92B5C2BA2"
                },
                {
                    "file_name": "TeleDesktop (Host)",
                    "sha256": "933CDF254052CC5E8485E887F742DC0B043223DBC61FA7210FA3C1A5C425C1E3",
                    "sha1": "EFEB2AB0EAE1075239D8A4F1BD91B379FD7DA68D"
                }
            ],
            "page": [
                {
                    "file_name": "TeleDesktop (Client)",
                    "sha256": "BEDD267A97281B4E63B693474CF9E36CE0F83173265FA490B4D6249359E0E767",
                    "sha1": "EEF00F1F6F1DF3C52CF0056A44EBDD3FDC6F3B69"
                },
                {
                    "file_name": "TeleDesktop (Host)",
                    "sha256": "A23A76F0EC3ADBAF7A7AB01D72EE9876D5C6DEB4BBC234328927229C94776397",
                    "sha1": "35078CDFD3CE62CCEC5AF9BBDE1B18D3006B838C"
                }
            ]
        }
    },
    {
        "Name": "Microsoft TSC",
        "Category": "RMM",
        "Description": "Microsoft TSC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.\n\n**IMPORTANT**: This tool is signed with legitimate Microsoft Windows certificates that are used to sign core Windows operating system components. Do NOT blindly block these certificate thumbprints, as doing so will break Windows functionality in your environment. The same caution applies to listed file hashes that belong to built-in Windows binaries such as mstsc.exe and termsrv.dll. Use certificate data for detection, hunting, and analysis purposes only.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "termsrv.exe",
                "mstsc.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_tsc_processes_sigma.yml",
                "Description": "Detects potential process activity of Microsoft TSC RMM tool"
            }
        ],
        "References": [
            "https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/terminal-server-startup-connection-application"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "search_names": [
                "mstsc.exe",
                "nssm_origin3al.exe",
                "rdp.exe",
                "termsrv.dll",
                "termsrv.exe"
            ],
            "company_names": [],
            "signer_names": [
                "Microsoft Windows"
            ],
            "certificates": [
                {
                    "signer_name": "Microsoft Windows",
                    "issuer": "CN=Microsoft Windows Production PCA 2011",
                    "certificate_thumbprint": "FACDE3D80E99AFCC15E08AC5A69BD22785287F79",
                    "tbs_sha256": "430E0E3126D270FCDD11F65A1694A7997E86EEABFA93DEB45A58B1DD4930033C",
                    "tbs_sha1": "1DB42CE638F6A2B4D7E42CCDB8FEC0EEBECA4782",
                    "valid_from": "2025-06-19T18:11:43+00:00",
                    "valid_to": "2026-06-17T18:11:43+00:00",
                    "certificate_der_base64": "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"
                },
                {
                    "signer_name": "win.rar GmbH",
                    "certificate_thumbprint": "729AE1F8B489DE176CC099FF49937F85F9E412F7",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "39baa167de334fef185ae8b97e8c709a307eed08e80fe115577c59a05200a13a",
                    "src_file_path": "downloaded_files/microsoft_tsc/39baa167de334fef185ae8b97e8c709a307eed08e80fe115577c59a05200a13a",
                    "src_file_company": "Alexander Roshal"
                }
            ]
        },
        "FileHashes": {
            "authenticode": [
                {
                    "file_name": "mstsc.exe",
                    "sha256": "1E05B521C8BD52401F43E5CC7091FF2A9A7949E73733DAB73AF83A3D480C9569",
                    "sha1": "4286324C3C04C102352FD16E453D9BC4B01967E2"
                },
                {
                    "file_name": "termsrv.dll",
                    "sha256": "6D6C0969243DC45F0EBC8308007C6E5CEE1C8FAA858DB813F1DB2CF9C35AFDD7",
                    "sha1": "7A3937C5A1CD28F6D0BB5D4481F892AB6F3B64F2"
                },
                {
                    "file_name": "termsrv.dll",
                    "sha256": "E45A1E54300B7365004406463E7B849FB1ACA1F4733FFD6DB347166D72DA7800",
                    "sha1": "4B934DD90329E3200CF3122ACF26CB4CBC5A4D5C"
                },
                {
                    "file_name": "Mstsc.exe",
                    "sha256": "A7F9DA5D3ED97F2C1E6DAD4EEEBC0075498B18FF55EF3A866657629EABE424CD",
                    "sha1": "D8D112E22A0D884694BFB9B848BD82DD0BF63F2C"
                },
                {
                    "file_name": "termsrv.dll",
                    "sha256": "3A47B638C27A6DE7E24AF8A04B5DD963AD4EE3B3CDC65170B643F1D1103ED767",
                    "sha1": "AFC1118D8DCA54648DE9205EB36AD48B57881CBD"
                },
                {
                    "file_name": "mstsc.exe",
                    "sha256": "F7FF5D5419F6B310098870E4F30B9BE386E93BFBC1BC7E4073D01307D2F6C70D",
                    "sha1": "942B91A5F8D3712F0EEF476C5646FF10BA6D60CD"
                },
                {
                    "file_name": "mstsc.exe",
                    "sha256": "72B1695F661DFE020E8B162A38522BD8BC85BD37CEBDA2F2085A2BBB3BAFA302",
                    "sha1": "E6E0978F1B6BE303ADA88A42BB1B0E6CD8D70A19"
                },
                {
                    "file_name": "mstsc.exe",
                    "sha256": "3C67B7131057947726C4316BC74936A4B02AB7B26C000EFE8E89B679F704E5E6",
                    "sha1": "752086DC394C148EB840CCDA68981B553E3DFA0A"
                },
                {
                    "file_name": "termsrv.dll",
                    "sha256": "C3C71349BA6B28753A7CA70B9D154951A784D7A7E2AACFE95D1C0E29E4EC52C3",
                    "sha1": "2B6335CA72BF5AEDB45EB1F549962A906EDCBF83"
                },
                {
                    "file_name": "termsrv.dll",
                    "sha256": "5C1DFCD62C50CBC1A39F000971541BB819421040D616DF55B08B5DE78B8754DF",
                    "sha1": "C908976E4926358EE1DDA0BCE7A01A796FFF1C1C"
                },
                {
                    "file_name": "rdp.exe",
                    "sha256": "D2A858E81F72E209885D2AAA4F8BFF951B9EB6FEAA359F0D2216B6A1F45E4E81",
                    "sha1": "262D9A15A27C2ECD6A8334C4DCE8A596C0EA9C9F"
                },
                {
                    "file_name": "nssm_origin3al.exe",
                    "sha256": "809D787C3EA0714C821AAE5CBBEB3085472451CCE7EFB1066DDAAB1B67D6474E",
                    "sha1": "67D21A4D233AAF375A6AA6AF67092EDAFFABDB7E"
                },
                {
                    "file_name": "mstsc.exe",
                    "sha256": "EC711CB50A252B974FD2135B22E31A6B4191EF42B882367CC2B027A50727D01A",
                    "sha1": "68F0D251703CF6F2A9823F57301111CE2EBA445A"
                },
                {
                    "file_name": "mstsc.exe",
                    "sha256": "798851F484337E95B55C779753040A48FB8EE8CDCDEEC699B8853B1A2FF79D45",
                    "sha1": "A97B4E9FAF034BAD1D1634654A1A4E7EA8CC7CAC"
                },
                {
                    "file_name": "mstsc.exe",
                    "sha256": "84280E8B7014DC3AC3E7CF924ABD2E5341D3B0199AFC617ADB4F3A7EEAC68E2E",
                    "sha1": "C0348A51494D21A25F8804EE83FD85968F7AE9C5"
                },
                {
                    "file_name": "termsrv.dll",
                    "sha256": "8B5688946010528DDD238EE9B37E441124CFDD89F0954CA795AE7DA28444A1AF",
                    "sha1": "2024069E97B4F6043E8C0CC9D9A7CC9CBD2A74BD"
                },
                {
                    "file_name": "mstsc.exe",
                    "sha256": "40322286C92F04B90D5947A474524D03A149867D2BC60A81388A580FA76623F9",
                    "sha1": "78C9BB304099DD09DAFAB2399EDA3EF4A26C1881"
                }
            ],
            "page": [
                {
                    "file_name": "mstsc.exe",
                    "sha256": "EFB23B84D5DD32038A2807A32773D9765B6A5431A689BA5FF2981CAF66C07D21",
                    "sha1": "B3C6E5A83D35D3E24857FF749357C9D3302B0CC4"
                },
                {
                    "file_name": "termsrv.dll",
                    "sha256": "CE34A0598DF732AE70CADF7D638014787178FDFF8A6F2FDD97507045C7C33845",
                    "sha1": "A663AA6C71708322723BF28A6DD86FAC1EAD48B9"
                },
                {
                    "file_name": "termsrv.dll",
                    "sha256": "60A78ACE6FC4FEC67AF7B4A0BB44C9A3C6CD68BF69D98D49C8FC0793089A3897",
                    "sha1": "917801524CC23AD8E061A20D1FB20464E8AADE76"
                },
                {
                    "file_name": "Mstsc.exe",
                    "sha256": "42D3873C07F355FC8B886E55F86266E7C68A9EBE8A131FE2A2E97A5A1CD14A1E",
                    "sha1": "BB505AE2BEEBA8C26A701BD622485C021634B8C4"
                },
                {
                    "file_name": "termsrv.dll",
                    "sha256": "7E9C0CDC7BE9DAA9AE3C1BD7CAA63275ECA836DDB53BFE7DC610456CA79FD690",
                    "sha1": "54E6DB7A5765956EC6E5D30BDE4DF2E8EEC2C98F"
                },
                {
                    "file_name": "mstsc.exe",
                    "sha256": "F34F64D5B43B7E7A99463A2C7FC4B19AFBF23CD45D4F744D8787C1BBDACDC3B1",
                    "sha1": "78175CED1BD06F77C10655B92B14C639B7591B69"
                },
                {
                    "file_name": "mstsc.exe",
                    "sha256": "3164518FED9BF478CF06B9127A27118E018201853AF7D1A25D07E3868BA876AB",
                    "sha1": "733A9423AE44CB172BF499F01582E59D6C74EC47"
                },
                {
                    "file_name": "mstsc.exe",
                    "sha256": "AE303E1FF86C1E2EF03956CECDD09D55FCC29625CD9BC68FAE8C6AF9A1112228",
                    "sha1": "25A4DB45870F5ED1AA6436CF1C58697A037032D0"
                },
                {
                    "file_name": "termsrv.dll",
                    "sha256": "743B64F1B4B53C9E8FBE6093CEDF1E2F35DAD8A8F266C826048F2DAB02B0E56F",
                    "sha1": "E3B41D88051001C6BBA5797BC8F6CA324F09F39C"
                },
                {
                    "file_name": "termsrv.dll",
                    "sha256": "38BFFA279D7247269F2F59739E0538AB7262D6A17CB152D0AEDF3E951C4598F2",
                    "sha1": "6D085579F114BF10FCB93F7FF91D327080195C19"
                },
                {
                    "file_name": "rdp.exe",
                    "sha256": "AD7A7B8BAF1901FC01CF94025BCF327FD02F71334052D8B4BEC6CE1710C6C504",
                    "sha1": "5D29ECF5B8979B4DF3F3605849332F7AF62918FF"
                },
                {
                    "file_name": "nssm_origin3al.exe",
                    "sha256": "27712F2684560BEE5BB534179F520AFB4126B30D2958E111117407413A16C23E",
                    "sha1": "DBDB15E637E2D7FF77E76364C50BF6869BF236F9"
                },
                {
                    "file_name": "mstsc.exe",
                    "sha256": "43E6D5CE75F9AB0F400039DFA3F75294314C29E574ACE702A48A1271FE6D6F00",
                    "sha1": "A9B8DD69B9AB37D7CE9F3EA81B1E90B47AFA83BD"
                },
                {
                    "file_name": "mstsc.exe",
                    "sha256": "F48D429CB43221DBCF4768FEAECD2FFD292C09C338FE85FD2A5ABF838C9FF1A4",
                    "sha1": "D226F80E6D62E1C8F7F7A9ED0CD26B09E9D607C7"
                },
                {
                    "file_name": "mstsc.exe",
                    "sha256": "D6FB9388BDA4C7977C1E3C39B5B1F8FABAE585A22F8532D210DFF2C36DDA1968",
                    "sha1": "F0641E0352301570CABDA8AE4F07935515A92623"
                },
                {
                    "file_name": "termsrv.dll",
                    "sha256": "2FD6F9DB743476A1534D27D76AF678430D37C3E4E0DD99954834D31CA22A8BD3",
                    "sha1": "58BFC5D10E6624C1A1C81388843BA7F0A93C4E93"
                },
                {
                    "file_name": "mstsc.exe",
                    "sha256": "B15A573DF850D7E79B8765B72CC6168BC2A46ABE35438FAB880CCBECF1F401BB",
                    "sha1": "D7B71FC64C8EDC31F02BDDD689FAF0DC84F4C9C0"
                }
            ]
        }
    },
    {
        "Name": "NinjaOne (formerly NinjaRMM)",
        "Category": "RMM",
        "Description": "NinjaOne (formerly NinjaRMM) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.ninjaone.com/rmm/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "*ProgramData\\NinjaRMMAgent\\*"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [],
        "References": [],
        "Acknowledgement": []
    },
    {
        "Name": "baramundi Management Suite",
        "Category": "RMM",
        "Description": "baramundi Management Suite is a comprehensive Unified Endpoint Management (UEM) platform designed for automated endpoint management across Windows, macOS, iOS, Linux, and Android devices. It provides features for inventory and network discovery, endpoint security, patch management, mobile device management (MDM), IT automation, operating system deployment and configuration, remote access service, digital employee experience (DEX), and license management. The baramundi Management Agent (bma.exe) operates as a Windows service named BARAAGNT and is used for remote monitoring and management of enterprise systems. The suite is available for on-premises, hybrid, or fully hosted deployment. baramundi also offers the Proactive Hub, a cloud-based platform for proactive IT management.\n",
        "Author": "@m_haggis",
        "Created": "2025-10-28",
        "LastModified": "2025-10-28",
        "Details": {
            "Website": "https://www.baramundi.com/en-us/",
            "PEMetadata": [
                {
                    "Filename": "bma.exe",
                    "OriginalFileName": "bma.exe",
                    "Description": "baramundi Management Agent",
                    "Product": "baramundi Management Suite"
                }
            ],
            "Privileges": "System",
            "Free": false,
            "Verification": true,
            "SupportedOS": [
                "Windows",
                "Linux",
                "Mac",
                "Android",
                "IOS"
            ],
            "Capabilities": [
                "Remote Management",
                "Inventory and Network Discovery",
                "Endpoint Security",
                "Patch Management",
                "Mobile Device Management",
                "IT Automation",
                "OS Deployment and Configuration",
                "Remote Access Service",
                "Digital Employee Experience",
                "License Management",
                "File Transfer",
                "Software Distribution",
                "Vulnerability Scanning"
            ],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Program Files\\bsag\\bma\\*",
                "C:\\Program Files\\bsag\\*",
                "C:\\Program Files (x86)\\bsag\\bma\\*",
                "C:\\Program Files (x86)\\bsag\\*"
            ]
        },
        "Artifacts": {
            "Disk": [
                {
                    "File": "C:\\Program Files\\bsag\\bma\\bma.exe",
                    "Description": "baramundi Management Agent executable. Main service binary for the baramundi Management Suite agent that runs as a Windows service (BARAAGNT). Depends on RpcSs service.\n",
                    "OS": "Windows",
                    "Example": [
                        "C:\\Program Files\\bsag\\bma\\bma.exe"
                    ]
                }
            ],
            "Network": [
                {
                    "Description": "Primary communication with baramundi Management Server over HTTPS",
                    "Domains": [
                        "*.baramundi.com",
                        "www.baramundi.com",
                        "docs.baramundi.com",
                        "isodownload.baramundi.com"
                    ],
                    "Ports": [
                        443,
                        2608
                    ]
                },
                {
                    "Description": "HTTP communication for updates and downloads",
                    "Domains": [
                        "*.baramundi.com"
                    ],
                    "Ports": [
                        80
                    ]
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/baramundi_registry_sigma.yml",
                "Description": "Detects potential registry activity of baramundi Management Suite RMM tool",
                "Name": "baramundi Management Suite Registry Detection"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/baramundi_network_sigma.yml",
                "Description": "Detects potential network activity of baramundi Management Suite RMM tool",
                "Name": "baramundi Management Suite Network Detection"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/baramundi_files_sigma.yml",
                "Description": "Detects potential file activity of baramundi Management Suite RMM tool",
                "Name": "baramundi Management Suite File Detection"
            }
        ],
        "References": [
            "https://www.baramundi.com/en-us/management-suite/",
            "https://www.baramundi.com/en-us/resources/demo-trial-version/",
            "https://www.herdprotect.com/bma.exe-fcf742c1a764b713f94e0e377e4e4089c1274dfc.aspx",
            "https://docs.baramundi.com/",
            "https://www.virustotal.com/gui/file/465a46c2677345cadf578623c69755cefd45320bd5cc2094af11ba642a357026",
            "https://www.virustotal.com/gui/file/47d9dbd0296aa8321b3f7fd99cd40ffabc8d11c5bd7a1d08e2f9c0f7ce87a64a/details",
            "https://www.virustotal.com/gui/file/c7b570d3c52f67cd557cb76f54fc7e329a7f4429b2eaf652e871389701e61e62/details",
            "https://www.virustotal.com/gui/file/1bd486d84ae929a501f2488e95ef51dc4e28bdac645beac06277092487568093/details"
        ],
        "Acknowledgement": [
            {
                "Person": "Michael Haag",
                "Handle": "@M_haggis"
            }
        ]
    },
    {
        "Name": "GatherPlace-desktop sharing",
        "Category": "RMM",
        "Description": "GatherPlace-desktop sharing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://web.archive.org/web/20241106023713/https://www.gatherplace.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "gp3.exe",
                "gp4.exe",
                "gp5.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.gatherplace.com",
                        "*.gatherplace.net",
                        "gatherplace.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gatherplace-desktop_sharing_network_sigma.yml",
                "Description": "Detects potential network activity of GatherPlace-desktop sharing RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gatherplace-desktop_sharing_processes_sigma.yml",
                "Description": "Detects potential process activity of GatherPlace-desktop sharing RMM tool"
            }
        ],
        "References": [
            "https://www.gatherplace.com/kb?id=136377"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "Pandora RC (eHorus)",
        "Category": "RMM",
        "Description": "Pandora RC (eHorus) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://pandorafms.com/en/remote-control/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "ehorus standalone.exe",
                "ehorus_agent.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "portal.ehorus.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pandora_rc__ehorus__network_sigma.yml",
                "Description": "Detects potential network activity of Pandora RC (eHorus) RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pandora_rc__ehorus__processes_sigma.yml",
                "Description": "Detects potential processes activity of Pandora RC (eHorus) RMM tool"
            }
        ],
        "References": [
            "https://pandorafms.com/manual/!current/en/documentation/09_pandora_rc/01_pandora_rc_introduction"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "Iperius Remote",
        "Category": "RMM",
        "Description": "Iperius Remote is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.iperiusremote.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "iperius.exe",
                "iperiusremote.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.iperiusremote.com",
                        "*.iperius.com",
                        "*.iperius-rs.com",
                        "iperiusremote.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/iperius_remote_network_sigma.yml",
                "Description": "Detects potential network activity of Iperius Remote RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/iperius_remote_processes_sigma.yml",
                "Description": "Detects potential processes activity of Iperius Remote RMM tool"
            }
        ],
        "References": [
            "https://www.iperiusremote.com/download-iperius-remote-desktop-windows.aspx"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "ENTER S.R.L.",
                    "certificate_thumbprint": "B2D3CCC3D2B287A63C7B382C3D69C2A6146D124E",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "c712f3e5c62b2c46ba753e1f9f9e437d3049173f8fec45c6fd476318994a3dcc",
                    "src_file_path": "downloaded_files/iperius_remote/c712f3e5c62b2c46ba753e1f9f9e437d3049173f8fec45c6fd476318994a3dcc",
                    "src_file_company": "Enter Srl"
                }
            ]
        }
    },
    {
        "Name": "BeyondTrust (Bomgar)",
        "Category": "RMM",
        "Description": "BeyondTrust (Bomgar) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.beyondtrust.com/products/remote-support",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "bomgar-scc-*.exe",
                "bomgar-scc.exe",
                "bomgar-pac-*.exe",
                "bomgar-pac.exe",
                "bomgar-rdp.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.beyondtrustcloud.com",
                        "*.bomgarcloud.com",
                        "bomgarcloud.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__network_sigma.yml",
                "Description": "Detects potential network activity of BeyondTrust (Bomgar) RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__processes_sigma.yml",
                "Description": "Detects potential processes activity of BeyondTrust (Bomgar) RMM tool"
            }
        ],
        "References": [
            "https://www.beyondtrust.com/docs/remote-support/getting-started/deployment/cloud/network.htm"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "Miradore",
        "Category": "RMM",
        "Description": "Miradore is a mobile device management (MDM) and remote monitoring and management (RMM) tool founded in 2006 as a Finnish software company. In 2022, Miradore was acquired by GoTo and is now part of the LogMeIn portfolio of IT solutions. The tool is trusted by over 2,700 customers in more than 100 countries, managing over 900,000 devices globally. Miradore has been observed being used in cyber incidents, including phishing campaigns where the installer was renamed and delivered to establish unauthorized remote access.",
        "Author": "Michael Haag",
        "Created": "2026-01-15",
        "LastModified": "2026-01-15",
        "Details": {
            "Website": "https://www.miradore.com/",
            "PEMetadata": [
                {
                    "Filename": "StatementView.msi",
                    "OriginalFileName": "",
                    "Description": "Miradore installer MSI (observed renamed in phishing campaigns - verified via VirusTotal)"
                }
            ],
            "Privileges": "SYSTEM",
            "Free": "Free tier available",
            "Verification": "Code-signed by Sectigo",
            "SupportedOS": [
                "Windows",
                "Mac",
                "Linux",
                "iOS",
                "Android"
            ],
            "Capabilities": [
                "Remote Control",
                "Remote Access",
                "Device Management",
                "Software Deployment",
                "Patch Management",
                "Inventory Management",
                "Mobile Device Management"
            ],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Program Files\\Miradore\\OnlineClient\\bin\\*",
                "*\\Miradore\\*"
            ]
        },
        "Artifacts": {
            "Disk": [
                {
                    "File": "C:\\Program Files\\Miradore\\OnlineClient\\bin\\*",
                    "Description": "Miradore client installation directory (verified via VirusTotal sandbox analysis)",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files\\Miradore\\OnlineClient\\bin\\7z.dll",
                    "Description": "Miradore compression library (verified via VirusTotal sandbox analysis)",
                    "OS": "Windows"
                }
            ],
            "EventLog": [
                {
                    "EventID": 7045,
                    "Description": "Service installation event for Miradore Online Client",
                    "OS": "Windows"
                }
            ],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "gateway.miradore.com",
                        "*.miradore.com",
                        "miradore.com",
                        "gerwconline.blob.core.windows.net"
                    ],
                    "Ports": [
                        443
                    ]
                }
            ]
        },
        "Detections": [],
        "References": [
            "https://github.com/magicsword-io/LOLRMM/issues/118",
            "https://www.virustotal.com/gui/file/fedf9d82fb1349a5eecf0fad4a9d9eac7e160130e563b9bd3328b5f04891bbd6/details",
            "https://app.any.run/tasks/5d088796-fb67-45bb-9ee0-369b502522fc",
            "https://www.miradore.com/"
        ],
        "Acknowledgement": [
            {
                "Person": "Squiblydoo",
                "Handle": "@Squiblydoo"
            }
        ]
    },
    {
        "Name": "CentraStage (Now Datto)",
        "Category": "RMM",
        "Description": "CentraStage (Now Datto) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://rmm.datto.com/help",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "CagService.exe",
                "AEMAgent.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.rmm.datto.com",
                        "*cc.centrastage.net",
                        "datto.com/au/products/rmm/"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centrastage__now_datto__network_sigma.yml",
                "Description": "Detects potential network activity of CentraStage (Now Datto) RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centrastage__now_datto__processes_sigma.yml",
                "Description": "Detects potential processes activity of CentraStage (Now Datto) RMM tool"
            }
        ],
        "References": [
            "https://rmm.datto.com/help/de/Content/1INTRODUCTION/Requirements/AllowListRequirements.htm"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "Royal Server",
        "Category": "RMM",
        "Description": "Royal Server is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.royalapps.com/server/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": []
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "royalapps.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_server_network_sigma.yml",
                "Description": "Detects potential network activity of Royal Server RMM tool"
            }
        ],
        "References": [
            "https://royalapps.com/server/main/features"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "Netreo",
        "Category": "RMM",
        "Description": "Netreo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://docs.netreo.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": []
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "charon.netreo.net",
                        "activation.netreo.net",
                        "*.api.netreo.com",
                        "netreo.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netreo_network_sigma.yml",
                "Description": "Detects potential network activity of Netreo RMM tool"
            }
        ],
        "References": [
            "https://solutions.netreo.com/docs/firewall-requirements"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "eHorus",
        "Category": "RMM",
        "Description": "eHorus is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://ehorus.com",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "true",
            "SupportedOS": [
                "Windows",
                "Linux",
                "Mac"
            ],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Program Files\\ehorus_agent\\*",
                "ehorus standalone.exe",
                "ehorus_agent.exe",
                "ehorus_cmd.exe",
                "ehorus_launcher.exe",
                "ehorus_uit.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "ehorus.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ehorus_network_sigma.yml",
                "Description": "Detects potential network activity of eHorus RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ehorus_processes_sigma.yml",
                "Description": "Detects potential processes activity of eHorus RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": [
            {
                "Person": "Daniel Koifman",
                "Handle": "@KoifSec"
            }
        ]
    },
    {
        "Name": "Action1",
        "Category": "RMM",
        "Description": "Action1 is a powerful Remote Monitoring and Management(RMM) tool that enables users to execute commands, scripts, and binaries.\nThrough the web interface of action1, the administrator must create a new policy or an app to establish remote execution and then points that the agent is installed.\n",
        "Author": "@kostastsale",
        "Created": "2024-08-03",
        "LastModified": "2024-08-03",
        "Details": {
            "Website": "https://www.action1.com/",
            "PEMetadata": [
                {
                    "Filename": "action1_connector.exe"
                },
                {
                    "Filename": "action1_remote.exe"
                },
                {
                    "Filename": "action1_update.exe"
                },
                {
                    "Filename": "action1_agent.exe",
                    "OriginalFileName": "action1_agent.exe",
                    "Description": "Endpoint Agent"
                }
            ],
            "Privileges": "SYSTEM",
            "Free": "Yes",
            "Verification": "Corporate email required although temporary email services are accepted",
            "SupportedOS": [
                "Windows"
            ],
            "Capabilities": [
                "Backup and disaster recovery",
                "Billing and invoicing",
                "Customer portal",
                "HelpDesk and ticketing",
                "Mobile app",
                "Network discovery",
                "Patch management",
                "Remote monitoring and management",
                "Reporting and analytics"
            ],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Windows\\Action1\\*"
            ]
        },
        "Artifacts": {
            "Disk": [
                {
                    "File": "C:\\Windows\\Action1\\action1_agent.exe",
                    "Description": "Action1 service binary",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Windows\\Action1\\*",
                    "Description": "Multiple files and binaries related to Action1 installation",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Windows\\Action1\\scripts\\*",
                    "Description": "Multiple scripts related to Action1 installation",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Windows\\Action1\\rule_data\\*",
                    "Description": "Files related to Action1 rules",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Windows\\Action1\\action1_log_*.log",
                    "Description": "Contains history, errors, system notifications. Incoming and outgoing connections.",
                    "OS": "Windows"
                }
            ],
            "EventLog": [
                {
                    "EventID": 7045,
                    "ProviderName": "Service Control Manager",
                    "LogFile": "System.evtx",
                    "ServiceName": "A1Agent",
                    "ImagePath": "\"C:\\\\Windows\\\\Action1\\\\action1_agent.exe\"",
                    "Description": "Service installation event as result of Action1 installation."
                },
                {
                    "EventID": 4697,
                    "ProviderName": "Microsoft-Security-Auditing",
                    "LogFile": "Security.evtx",
                    "ServiceName": "A1Agent",
                    "CommandLine": "C:\\Windows\\Action1\\action1_agent.exe service",
                    "Description": "Service installation event as result of Action1 installation."
                },
                {
                    "EventID": 4688,
                    "ProviderName": "Microsoft-Security-Auditing",
                    "LogFile": "Security.evtx",
                    "CommandLine": "C:\\Windows\\Action1\\action1_agent.exe loggedonuser",
                    "Description": "Executing command to get logged on user."
                }
            ],
            "Registry": [
                {
                    "Path": "HKLM\\System\\CurrentControlSet\\Services\\A1Agent",
                    "Description": "Service installation event as result of Action1 installation."
                },
                {
                    "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\action1_agent.exe",
                    "Description": "Ensures that detailed crash information is available for analysis, which aids in maintaining the stability and reliability of the software."
                },
                {
                    "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Action1",
                    "Description": "Storing its configuration settings and other relevant information"
                }
            ],
            "Network": [
                {
                    "Description": "N/A",
                    "Domains": [
                        "*.action1.com"
                    ],
                    "Ports": [
                        443
                    ]
                },
                {
                    "Description": "N/A",
                    "Domains": [
                        "a1-backend-packages.s3.amazonaws.com"
                    ],
                    "Ports": [
                        443
                    ]
                }
            ]
        },
        "Detections": [
            {
                "Name": "Arbitrary code execution and remote sessions via Action1 RMM",
                "Description": "Threat hunting rule for detecting the execution of arbitrary code and remote sessions via Action1 RMM",
                "author": "@kostastsale",
                "Link": "https://github.com/tsale/Sigma_rules/blob/ea87e4fc851207ca0f002ec043624f2b3bf1b2da/Threat%20Hunting%20Queries/Action1_RMM.yml"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_registry_sigma.yml",
                "Description": "Detects potential registry activity of Action1 RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_network_sigma.yml",
                "Description": "Detects potential network activity of Action1 RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_files_sigma.yml",
                "Description": "Detects potential files activity of Action1 RMM tool"
            }
        ],
        "References": [
            "https://www.action1.com/documentation/firewall-configuration/",
            "https://www.action1.com/documentation/",
            "https://twitter.com/Kostastsale/status/1646256901506605063?s=20",
            "https://ruler-project.github.io/ruler-project/RULER/remote/Action1/"
        ],
        "Acknowledgement": [
            {
                "Person": "Kostas",
                "Handle": "@kostastsale"
            }
        ],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "Action1 Corporation",
                    "certificate_thumbprint": "59CE0A286FBDF3F600235A8B7513AE1DC2243A20",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "ab6804a23ab76fff5ab63d7be8c3f179fca4154b56759590c27e6fa203e5d1c4",
                    "src_file_path": "downloaded_files/action1/ab6804a23ab76fff5ab63d7be8c3f179fca4154b56759590c27e6fa203e5d1c4",
                    "src_file_company": "Action1 Corporation"
                }
            ]
        }
    },
    {
        "Name": "RemoteView",
        "Category": "RMM",
        "Description": "RemoteView is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://content.rview.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "remoteview.exe",
                "rv.exe",
                "rvagent.exe",
                "rvagtray.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*content.rview.com",
                        "*.rview.com",
                        "content.rview.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteview_network_sigma.yml",
                "Description": "Detects potential network activity of RemoteView RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteview_processes_sigma.yml",
                "Description": "Detects potential processes activity of RemoteView RMM tool"
            }
        ],
        "References": [
            "https://help.rview.com/hc/en-us/articles/360005175994--RemoteView-Server-list-for-firewall"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "Rsupport Co., Ltd.",
                    "certificate_thumbprint": "3E3B0B3E214A4549446257C92C06839F92DCE444",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "794ba3c194edc7c953ef39efe01686a5c7e1f996c5c090f12ebc124df6347baf",
                    "src_file_path": "downloaded_files/remoteview/794ba3c194edc7c953ef39efe01686a5c7e1f996c5c090f12ebc124df6347baf",
                    "src_file_company": "RSUPPORT"
                }
            ]
        }
    },
    {
        "Name": "Pcnow",
        "Category": "RMM",
        "Description": "Pcnow is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "mwcliun.exe",
                "pcnmgr.exe",
                "webexpcnow.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "au.pcmag.com/utilities/21470/webex-pcnow"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcnow_network_sigma.yml",
                "Description": "Detects potential network activity of Pcnow RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcnow_processes_sigma.yml",
                "Description": "Detects potential processes activity of Pcnow RMM tool"
            }
        ],
        "References": [
            "http://pcnow.webex.com/ - DOA as of 2024"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "Controlio",
        "Category": "RMM",
        "Description": "Controlio is a commercial workforce monitoring tool developed by EfficientLab. Marketed for employee productivity tracking, the software provides capabilities that extend well beyond passive screen monitoring, including keylogging features, screen recording, clippboard logging, and email and web search monitoring. These features, while designed for legitimate administrative use, make it an attractive tool for threat actors seeking to blend into enterprise environments without deploying traditional malware.",
        "Author": "CERT Cwatch Almond",
        "Created": "2026-03-20",
        "LastModified": "2026-03-20",
        "Details": {
            "Website": "https://controlio.net",
            "PEMetadata": [
                {
                    "Filename": "wesvc.exe",
                    "OriginalFileName": "",
                    "Description": "uploads the recorded data & logs.",
                    "Product": "Controlio"
                }
            ],
            "Privileges": "user",
            "Free": true,
            "Verification": false,
            "SupportedOS": [
                "Mac",
                "Windows"
            ],
            "Capabilities": [
                "Reporting and analytics",
                "Remote Monitoring",
                "Clipboard Synchronization",
                "Connection Management"
            ],
            "InstallationPaths": [
                "C:\\ProgramData\\{E0E95C6C-F194-4846-928D-E5538022226D}\\",
                "weCliboardListener.exe",
                "bbl.exe",
                "weprtct.exe",
                "wemonc.exe",
                "wesvc.exe",
                "libeay32.dll",
                "ssleay32.dll",
                "wec_launcher_[a-Z0-9]*_.exe",
                "wec_launcher_[a-Z0-9]*_.pkg",
                "weInstSvc.exe"
            ]
        },
        "Artifacts": {
            "Disk": [
                {
                    "File": "weClipboardListener.exe",
                    "Description": "Controlio binary",
                    "OS": "Windows"
                },
                {
                    "File": "bbl.exe",
                    "Description": "Controlio binary",
                    "OS": "Windows"
                },
                {
                    "File": "weprtct.exe",
                    "Description": "Controlio binary",
                    "OS": "Windows"
                },
                {
                    "File": "wemonc.exe",
                    "Description": "Controlio binary",
                    "OS": "Windows"
                },
                {
                    "File": "wesvc.exe",
                    "Description": "Controlio binary",
                    "OS": "Windows"
                },
                {
                    "File": "libeay32.dll",
                    "Description": "OpenSSL library shipped with Controlio; the file name is shared with other software",
                    "OS": "Windows"
                },
                {
                    "File": "ssleay32.dll",
                    "Description": "OpenSSL library shipped with Controlio; the file name is shared with other software",
                    "OS": "Windows"
                },
                {
                    "File": "wec_launcher_[a-Z0-9]*_.exe",
                    "Description": "Controlio Windows installer",
                    "OS": "Windows",
                    "Example": [
                        "MD5: 2e6f6b62b16904eee7b2de51951f22a8",
                        "SHA1: 49dcf901491e60079289732c7291a38f18ed4918",
                        "SHA256: 4ad77ebb2fa42dacd375061ec86ea35bb2d003ce057b764a0faff948d8063cc5"
                    ]
                },
                {
                    "File": "wec_launcher_[a-Z0-9]*_.pkg",
                    "Description": "Controlio macOS installer",
                    "OS": "Mac",
                    "Example": [
                        "MD5: df66eb79c15937bfe2cdf8774901778e",
                        "SHA1: a1f765235010343dd9b25c50de7f6b04e4dd01b5",
                        "SHA256: 1591df6f0575fa903481b31122f8be5a2ead8ff75800c57e6324c9ccc1969e0f"
                    ]
                },
                {
                    "File": "weInstSvc.exe",
                    "Description": "Controlio binary",
                    "OS": "Windows",
                    "Example": [
                        "MD5: b290abc61e20d8de07f009348c2c3e2f",
                        "SHA1: 3b0412a27fc2f9277c0fb484d3ff7382b0da6e32",
                        "SHA256: 2cae3bfd61025f45810c787cfad9b6287882494fa9317ec6725ac65390be254a"
                    ]
                },
                {
                    "File": "C:\\ProgramData\\{E0E95C6C-F194-4846-928D-E5538022226D}\\",
                    "Description": "Controlio installation directory",
                    "OS": "Windows"
                }
            ],
            "Other": [
                {
                    "Type": "Service",
                    "Value": "weSvcService"
                }
            ]
        },
        "Detections": [],
        "References": [
            "https://controlio.net",
            "https://www.knowyouradversary.ru/2026/01/366-adversaries-started-to-abuse.html",
            "https://kb.controlio.net/hc/en-us/articles/360019139977-Which-paths-files-need-to-be-whitelisted-to-avoid-issues-with-the-work-of-Controlio",
            "https://kb.controlio.net/hc/en-us/articles/360019262918-Which-processes-in-the-task-manager-belong-to-Contorlio-s-Client"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "Fortra",
        "Category": "RMM",
        "Description": "Fortra is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://power.fortra.com/solutions/monitoring/remote-management-msps",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": []
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "fortra.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fortra_network_sigma.yml",
                "Description": "Detects potential network activity of Fortra RMM tool"
            }
        ],
        "References": [
            "https://www.fortra.com - No free/cloud RMM software listed"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "Tanium",
        "Category": "RMM",
        "Description": "Tanium is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2025-12-14",
        "Details": {
            "Website": "https://www.tanium.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "TaniumClient.exe",
                "TaniumCX.exe",
                "TaniumExecWrapper.exe",
                "TaniumFileInfo.exe",
                "TPowerShell.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "cloud.tanium.com",
                        "*.cloud.tanium.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tanium_network_sigma.yml",
                "Description": "Detects potential network activity of Tanium RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tanium_processes_sigma.yml",
                "Description": "Detects potential processes activity of Tanium RMM tool"
            }
        ],
        "References": [
            "https://help.tanium.com/bundle/ug_client_cloud/page/client/platform_connections.html"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "search_names": [],
            "company_names": [],
            "signer_names": [
                "Tanium Inc."
            ],
            "certificates": [
                {
                    "signer_name": "Tanium Inc.",
                    "certificate_thumbprint": "A55D7760CF404CA1F4D1F60861302BDE90B21B01",
                    "tbs_sha256": "5285CC0A00FA0FA20FAEB8043102876D147FBBEFDD0A66821991559382370ADA",
                    "tbs_sha1": "",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "3be87ff5ce6a9e0104110027478dbc1ce63c97a5cd1324f06d92d97857afbaf3",
                    "src_file_path": "downloaded_files/tanium/3be87ff5ce6a9e0104110027478dbc1ce63c97a5cd1324f06d92d97857afbaf3",
                    "src_file_company": "Tanium Inc."
                },
                {
                    "signer_name": "Tanium Inc.",
                    "certificate_thumbprint": "B1AFC12445071A3724621CDD56A4F1ADC4C67E9E",
                    "tbs_sha256": "C16C5B0D333FA6422E19D0012405C88511A01A6FB272E9C915E18668270710B9",
                    "tbs_sha1": "",
                    "certificate_der_base64": "MIIH7zCCBdegAwIBAgIQCZsFgdT3DF76ZkDZqnqdpDANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xQTA/BgNVBAMTOERpZ2lDZXJ0IFRydXN0ZWQgRzQgQ29kZSBTaWduaW5nIFJTQTQwOTYgU0hBMjU2IDIwMjEgQ0ExMB4XDTIxMTIxNjAwMDAwMFoXDTI0MTEyNzIzNTk1OVowgcQxHTAbBgNVBA8MFFByaXZhdGUgT3JnYW5pemF0aW9uMRMwEQYLKwYBBAGCNzwCAQMTAlVTMRkwFwYLKwYBBAGCNzwCAQITCERlbGF3YXJlMRAwDgYDVQQFEwc0MzMyMjcwMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTETMBEGA1UEBxMKRW1lcnl2aWxsZTEUMBIGA1UEChMLVGFuaXVtIEluYy4xFDASBgNVBAMTC1Rhbml1bSBJbmMuMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvHO7ZQERzFdvZMBTz6EWnRzMG/yywwSCTZatC7BEj3m3SzpbxvLixt0ZyaY1GfFPzzzs6BzBqpNhX8EP9MnFiRkkDh05BZuLwkHkpKQbgkFtDNqN8/o9+J2oMPGIEplypPCTKNiKUWitNQRGtZQgeeCzCVWtgXgfUDi4/RaSDC2m6pKsvwkYGy+YHGVTAqBGiAD7Coib9jAkyvp+ThXFR2Sn745DGZ3rIFyPkAdxsvLrjfiBr+eXdtQ3gO4nFOlb7+PuBmdjzxatW6Pz/3hIcZ5SXA6fCPoZDPozyiylvrPJayFUZ7YXXHcldk7r2xcaexNPuPXOGOt8bwq3Y2zXGIO/L65jG8mSXKq82YesX+Faqp8SoETPJPdSdiDdRFLOixKVIEkzLrf2ZfoorXrSAdMESRlKWdsi/+8oxVkDyG6DesNavwzV81T+pMJisKlkwOjE8FKhSiqfOiO4gRvpitVMcCO+XHExlMMShNpCcie+3OZy+OLt6Lpr36lRGGTVYEebQo2RIvqMJ8OVwJQaSDmuVxHq2tMnkDZf4P5ieapT1VVarXtqSzqVt2RJRiHNyy3FpihUT7rEiCzgm/vpoxzjAlqR4kszc9Pi3HlwyK5j0ciVXfNFBZc3twoCHisjUnVAF93aDTJsVgk19q0O0XvrV1h6f4wSOrP8WyKj45cCAwEAAaOCAjUwggIxMB8GA1UdIwQYMBaAFLxrImWdjGjm5h4F8dhyJdS44EjAMB0GA1UdDgQWBBSMqXgk0mgVZNyiiysehHjeoccVXjAuBgNVHREEJzAloCMGCCsGAQUFBwgDoBcwFQwTVVMtREVMQVdBUkUtNDMzMjI3MDAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwgbUGA1UdHwSBrTCBqjBToFGgT4ZNaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZEc0Q29kZVNpZ25pbmdSU0E0MDk2U0hBMjU2MjAyMUNBMS5jcmwwU6BRoE+GTWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0ZWRHNENvZGVTaWduaW5nUlNBNDA5NlNIQTI1NjIwMjFDQTEuY3JsMD0GA1UdIAQ2MDQwMgYFZ4EMAQMwKTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5kaWdpY2VydC5jb20vQ1BTMIGUBggrBgEFBQcBAQSBhzCBhDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMFwGCCsGAQUFBzAChlBodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkRzRDb2RlU2lnbmluZ
1JTQTQwOTZTSEEyNTYyMDIxQ0ExLmNydDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4ICAQCg7L9uQYV9loolc8MRoSU+PW89FP2WIrR5Ri+uyebptaNDHehp1kCt2pSVcEDAXA7+h8gyh3nOJG+L8BzBGHo7Ssrr8OHv9SxfLFKNCTYExE+p/qCM0zSNEcKSuN6bA9yFtSaXCpppKxXzUT3MUQUEtYApQ7mfTHHj/qnZXNmbt1CkWUv/iWNzCOk81HvR+X/LFVXw02nwuodgmU4XOB2deGeiDjsDSTJMh3uESuwBLwmgD0uoARdwdDhyXP7N7ZfqT/2w7F3mKr8Sz4hADybgEPEBxvgTky/cKl84+F1n+2hlpfHIevRgc/Eavym3Qbit+kK3w63AATHDlgUtyOItqQ75nQpRRYJf0C+aNtQ/Qn0MbNmUwdNyfRehUespgV/vWguCzdrJDslmiJCeD8zhA4uyBDZ+B4u7J2EnnWRGIEJzTW4uQ0Qcf5G8xTD7HODfYUAOvNKi/TxpaxHeF/1VvMdv5zoumIYN0IewW47ZFYgkukDB+7OOvmB6KN0Mbr0C1KxuFu3tHrgieQnlhP4eza2/nLr/p5mUIPExpqu5QS9oA98wxKksf3lkwZtpcKOXr1c6Qyn+LIPdA8auauP7yHPk2ul4HHUQtCLUhut9ldlrSj+x+iI6EQyMWTWrS/us43LyLWPyya9ss5E0ybBVCDQ1YVi6PibSwBBVTL1eUA=="
                },
                {
                    "signer_name": "Tanium Inc.",
                    "certificate_thumbprint": "D6A226A8280A4C97C3251B3A7B4D5F17E8C05A08",
                    "tbs_sha256": "81E8FEBE467DE9D69FB9A33AD320613D7BB6AA313E0310568D19FDC05FFD2EFA",
                    "tbs_sha1": "",
                    "certificate_der_base64": "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"
                },
                {
                    "signer_name": "Tanium",
                    "certificate_thumbprint": "F092414A2EA9FD375D4DB7D16B81906B522F2E37",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "9c25d19ee1ea68a1a4e729dc0fab0bf879e63c4ab599f86f2e9b5ca961671a84",
                    "src_file_path": "downloaded_files/tanium/9c25d19ee1ea68a1a4e729dc0fab0bf879e63c4ab599f86f2e9b5ca961671a84",
                    "src_file_company": "www.tanium.com"
                }
            ]
        }
    },
    {
        "Name": "Duplicati",
        "Category": "RAT",
        "Description": "Duplicati is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://duplicati.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [
                "Windows"
            ],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "c:\\Program Files\\*\\Duplicati.Server.exe",
                "*\\*\\Duplicati.Server.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/duplicati_processes_sigma.yml",
                "Description": "Detects potential processes activity of Duplicati RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": [],
        "CodeSigning": {
            "search_names": [
                "duplicati.server.dll",
                "duplicati.server.implementation.dll",
                "duplicati.server.serialization.dll"
            ],
            "company_names": [],
            "signer_names": [
                "Duplicati Inc."
            ],
            "certificates": [
                {
                    "signer_name": "Duplicati Inc.",
                    "certificate_thumbprint": "7812DFC61915A4BFC049834D63DBD2E9340D82FC",
                    "tbs_sha256": "437C2E9C10A4C6176D49821EB04EA42E3AA33A1562071306529B8A5F9620DBF6",
                    "tbs_sha1": "",
                    "certificate_der_base64": "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"
                }
            ]
        },
        "FileHashes": {
            "authenticode": [
                {
                    "file_name": "Duplicati.Server.dll",
                    "sha256": "2547A6F8A0C31719CC8D2202547FF00D446A2400F6BCA11F3A7DCBB071FBEB57",
                    "sha1": "FD602EC1C5098A4A21B587A3029510DB40FD2FF7"
                },
                {
                    "file_name": "Duplicati.Server.dll",
                    "sha256": "B11ED82E95C15D709C08A31EFB38F2B4E92B98F99710FAB3DD7E3C4D99EAB6C2",
                    "sha1": "40ABED77FDBF060BA7D77B22C7069B940C2FB9D1"
                },
                {
                    "file_name": "Duplicati.Server.Implementation.dll",
                    "sha256": "43988D047C1940A40453746B55F5A725F2243DA4BEFD1A4B45670B26DBB30EF0",
                    "sha1": "5A1DC12993FB1D73A15D717B94544C89388D6282"
                },
                {
                    "file_name": "Duplicati.Server.Serialization.dll",
                    "sha256": "14781D33797B0802037AD4F2A73646082AF535B8473E322CCC96F33E0CC5ECBA",
                    "sha1": "244230F2649B1A73F352AAB242BE6F46C62AAE31"
                }
            ],
            "page": [
                {
                    "file_name": "Duplicati.Server.dll",
                    "sha256": "194BBDA8F9E081C1941910B4500BD0EC7DEBF08E7DE4F7BE12FCE228EEDC600D",
                    "sha1": "A426713EE6CC6E24D2D8A17319590CD47FC4F7C6"
                },
                {
                    "file_name": "Duplicati.Server.dll",
                    "sha256": "17D244EE5C8D3D04ECF58E941D74867BFCFC2116F780B4CCAD9387744F36F586",
                    "sha1": "D713473A24B07488CB120EDC6B3E3C88601BC09D"
                },
                {
                    "file_name": "Duplicati.Server.Implementation.dll",
                    "sha256": "97FFA4D85D49A7370496544CD6F840B8E112B2FD24BFF251BBDBF260E929C267",
                    "sha1": "EC8AFF5C5DB11F27C803182D36C3D03ABE283779"
                },
                {
                    "file_name": "Duplicati.Server.Serialization.dll",
                    "sha256": "169368BB3D8E3DF1DCA70D0C00C5D3BC8C47B2AC201FE2B22D019929AA815EB7",
                    "sha1": "2D52248DE6CEBA14E03EBE4E4604C537D798448D"
                }
            ]
        }
    },
    {
        "Name": "rdpwrap",
        "Category": "RAT",
        "Description": "rdpwrap is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://github.com/stascorp/rdpwrap",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "RDPWInst.exe",
                "RDPCheck.exe",
                "RDPConf.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "user_managed",
                        "github.com/stascorp/rdpwrap"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpwrap_network_sigma.yml",
                "Description": "Detects potential network activity of rdpwrap RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpwrap_processes_sigma.yml",
                "Description": "Detects potential processes activity of rdpwrap RMM tool"
            }
        ],
        "References": [
            "https://github.com/stascorp/rdpwrap"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "Wide Vision Trade GmbH",
                    "certificate_thumbprint": "6F64E6DF839023E363EC7A375AC7F447AE9DF793",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "756c2904db70b5312ee968ec3d8f1d8c1fe403faa9096b809c2900a7a31de8b8",
                    "src_file_path": "downloaded_files/rdpwrap/756c2904db70b5312ee968ec3d8f1d8c1fe403faa9096b809c2900a7a31de8b8",
                    "src_file_company": "Stas'M Corp."
                },
                {
                    "signer_name": "中移动信息技术有限公司",
                    "certificate_thumbprint": "6705D79EFC937ADD45912EA396E978376126ACBC",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "c36e92e4551c6f1db9c8261b9463fa817e67aa16f2e0394eadc6c3dfd165c385",
                    "src_file_path": "downloaded_files/rdpwrap/c36e92e4551c6f1db9c8261b9463fa817e67aa16f2e0394eadc6c3dfd165c385",
                    "src_file_company": "Stas'M Corp."
                },
                {
                    "signer_name": "Certification Authority",
                    "certificate_thumbprint": "070FF09528D3EAFE04798403131D53D30E35C682",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "30c22c221f033baf6c52f51f2412cd0aef335703762d5bf19c486e8ee7b8b72f",
                    "src_file_path": "downloaded_files/rdpwrap/30c22c221f033baf6c52f51f2412cd0aef335703762d5bf19c486e8ee7b8b72f",
                    "src_file_company": "Stas'M Corp."
                }
            ]
        }
    },
    {
        "Name": "GoTo Opener",
        "Category": "RMM",
        "Description": "GoTo Opener is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://support.goto.com/meeting/help/about-the-goto-opener",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Program Files (x86)\\GoTo Opener",
                "*\\GoTo Opener"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [],
        "References": [],
        "Acknowledgement": []
    },
    {
        "Name": "JollysFastVNC",
        "Category": "RAT",
        "Description": "JollysFastVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.jinx.de/JollysFastVNC.html",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": []
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [],
        "References": [],
        "Acknowledgement": []
    },
    {
        "Name": "ConnectWise",
        "Category": "RMM",
        "Description": "ConnectWise is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.screenconnect.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Program Files (x86)\\ScreenConnect Client (<string ID>)\\*",
                "*\\ScreenConnect*Client*\\*"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [],
        "References": [],
        "Acknowledgement": []
    },
    {
        "Name": "S3 Browser",
        "Category": "RAT",
        "Description": "S3 Browser is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://s3browser.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Program Files (x86)\\S3 Browser\\*",
                "*\\S3 Browser\\*",
                "*\\s3browser*.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/s3_browser_processes_sigma.yml",
                "Description": "Detects potential processes activity of S3 Browser RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": []
    },
    {
        "Name": "pcAnywhere",
        "Category": "RAT",
        "Description": "pcAnywhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "awhost32.exe",
                "awrem32.exe",
                "pcaquickconnect.exe",
                "winaw32.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "user_managed"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcanywhere_network_sigma.yml",
                "Description": "Detects potential network activity of pcAnywhere RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcanywhere_processes_sigma.yml",
                "Description": "Detects potential processes activity of pcAnywhere RMM tool"
            }
        ],
        "References": [
            "https://en.wikipedia.org/wiki/PcAnywhere"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "Rapid7",
        "Category": "RMM",
        "Description": "Rapid7 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://docs.rapid7.com/insight-agent/overview/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "ir_agent.exe",
                "rapid7_agent_core.exe",
                "rapid7_endpoint_broker.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.analytics.insight.rapid7.com",
                        "*.endpoint.ingress.rapid7.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rapid7_network_sigma.yml",
                "Description": "Detects potential network activity of Rapid7 RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rapid7_processes_sigma.yml",
                "Description": "Detects potential processes activity of Rapid7 RMM tool"
            }
        ],
        "References": [
            "https://docs.rapid7.com/insightvm/configure-communications-with-the-insight-platform/"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "Rapid7 LLC",
                    "certificate_thumbprint": "8DD67269B148092AC5A14A4982C920C9FDCA3B91",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "62d7cb45c4635b60faee5dcfab0e5562a7cf7745c26a8288575e67a7024a683c",
                    "src_file_path": "downloaded_files/rapid7/62d7cb45c4635b60faee5dcfab0e5562a7cf7745c26a8288575e67a7024a683c",
                    "src_file_company": "Rapid7, LLC."
                },
                {
                    "signer_name": "rapid7Company",
                    "certificate_thumbprint": "8A16C123080A1960C144D483FF333261726E2B51",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "0fb44b024e3df56e73db61782a022eeed5126adb850105d9355cff243c1ceab5",
                    "src_file_path": "downloaded_files/rapid7/0fb44b024e3df56e73db61782a022eeed5126adb850105d9355cff243c1ceab5",
                    "src_file_company": "rapid7"
                }
            ]
        }
    },
    {
        "Name": "SuperPuTTY",
        "Category": "RAT",
        "Description": "SuperPuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://github.com/jimradford/superputty",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Downloads\\SuperPuTTY\\*",
                "*Downloads\\SuperPuTTY\\*",
                "*\\superputty.exe",
                "*\\SuperPuTTY\\*"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superputty_processes_sigma.yml",
                "Description": "Detects potential processes activity of SuperPuTTY RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": []
    },
    {
        "Name": "Pocket Cloud (Wyse)",
        "Category": "RMM",
        "Description": "Pocket Cloud (Wyse) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "pocketcloud*.exe",
                "pocketcloudservice.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_cloud__wyse__processes_sigma.yml",
                "Description": "Detects potential processes activity of Pocket Cloud (Wyse) RMM tool"
            }
        ],
        "References": [
            "https://wyse-pocketcloud.informer.com/2.1/"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "ngrok",
        "Category": "RAT",
        "Description": "ngrok is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "Jose Hernandez",
        "Created": "2024-07-19",
        "LastModified": "2024-07-19",
        "Details": {
            "Website": "https://ngrok.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "ngrok.exe",
                "C:\\*\\ngrok.zip",
                "*\\ngrok*"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "connect.ngrok-agent.com",
                        "connect.us.ngrok-agent.com",
                        "connect.eu.ngrok-agent.com",
                        "connect.ap.ngrok-agent.com",
                        "connect.au.ngrok-agent.com",
                        "connect.sa.ngrok-agent.com",
                        "connect.jp.ngrok-agent.com",
                        "connect.in.ngrok-agent.com",
                        "ngrok.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ngrok_network_sigma.yml",
                "Description": "Detects potential network activity of ngrok RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ngrok_processes_sigma.yml",
                "Description": "Detects potential processes activity of ngrok RMM tool"
            }
        ],
        "References": [
            "https://ngrok.com/docs/guides/running-behind-firewalls/"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "Ngrok, Inc.",
                    "certificate_thumbprint": "7A54EB0D199484EB8CAEA931C90A744BCF02A7E0",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "c4c1e472823a12e2ee127a64d6ee3de9b31d02bc972baeb8800e6d918dce16a1",
                    "src_file_path": "downloaded_files/ngrok/c4c1e472823a12e2ee127a64d6ee3de9b31d02bc972baeb8800e6d918dce16a1"
                }
            ]
        }
    },
    {
        "Name": "ManageEngine ServiceDesk Plus",
        "Category": "RMM",
        "Description": "ManageEngine ServiceDesk Plus is an IT service management (ITSM) and help desk software that includes remote control capabilities for IT support teams. The software provides comprehensive IT service management features including incident management, asset management, and remote desktop support.",
        "Author": "Michael Haag",
        "Created": "2026-01-15",
        "LastModified": "2026-01-15",
        "Details": {
            "Website": "https://www.manageengine.com/products/service-desk/",
            "PEMetadata": [
                {
                    "Filename": "ManageEngine_ServiceDesk_Plus.exe",
                    "OriginalFileName": "InstallShield Setup.exe",
                    "Description": "ManageEngine ServiceDesk Plus installer (verified via VirusTotal)"
                },
                {
                    "Filename": "ManageEngine_ServiceDesk_Plus.bin",
                    "OriginalFileName": "",
                    "Description": "ManageEngine ServiceDesk Plus binary installer component"
                },
                {
                    "Filename": "ISBEW64.exe",
                    "OriginalFileName": "",
                    "Description": "InstallShield wrapper executable (observed in VT sandbox)"
                }
            ],
            "Privileges": "SYSTEM",
            "Free": "Trial Available",
            "Verification": "Code-signed",
            "SupportedOS": [
                "Windows",
                "Linux"
            ],
            "Capabilities": [
                "Remote Control",
                "Remote Desktop",
                "IT Service Management",
                "Incident Management",
                "Asset Management",
                "Help Desk"
            ],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "ManageEngine_ServiceDesk_Plus.exe",
                "ManageEngine_ServiceDesk_Plus.bin",
                "ISBEW64.exe",
                "C:\\Program Files\\ManageEngine\\ServiceDesk\\*",
                "C:\\Program Files (x86)\\ManageEngine\\ServiceDesk\\*"
            ]
        },
        "Artifacts": {
            "Disk": [
                {
                    "File": "C:\\Program Files\\ManageEngine\\ServiceDesk\\*",
                    "Description": "ManageEngine ServiceDesk Plus installation directory (verified via VirusTotal sandbox)",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Users\\*\\AppData\\Local\\Temp\\{*}\\ManageEngine_ServiceDesk_Plus.exe",
                    "Description": "ManageEngine ServiceDesk Plus temporary installer files (verified via VirusTotal sandbox)",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Users\\*\\AppData\\Local\\Temp\\{*}\\ISBEW64.exe",
                    "Description": "InstallShield wrapper temporary files (verified via VirusTotal sandbox)",
                    "OS": "Windows"
                }
            ],
            "EventLog": [
                {
                    "EventID": 4688,
                    "Description": "Process creation event for ManageEngine_ServiceDesk_Plus.exe",
                    "OS": "Windows"
                },
                {
                    "EventID": 7045,
                    "Description": "Service installation event for ManageEngine ServiceDesk",
                    "OS": "Windows"
                }
            ],
            "Registry": [
                {
                    "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{*}",
                    "Description": "ManageEngine ServiceDesk Plus uninstall registry keys (verified via VirusTotal sandbox)",
                    "OS": "Windows"
                }
            ],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.manageengine.com",
                        "manageengine.com"
                    ],
                    "Ports": [
                        443,
                        8080
                    ]
                }
            ]
        },
        "Detections": [],
        "References": [
            "https://github.com/magicsword-io/LOLRMM/issues/50",
            "https://www.manageengine.com/products/service-desk/download.html",
            "https://www.virustotal.com/gui/file/177bfdbe81bb4756d1d324ddf1bff4350252f0efd8a7f5c8b60a3a8e882affbd/details"
        ],
        "Acknowledgement": [
            {
                "Person": "fuzzybug",
                "Handle": "@fuzzybug"
            }
        ]
    },
    {
        "Name": "DeskNets",
        "Category": "RMM",
        "Description": "DeskNets is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.desknets.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": []
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [],
        "References": [
            "https://www.desknets.com/en/download.html"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "RuDesktop",
        "Category": "RMM",
        "Description": "RuDesktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2025-12-14",
        "Details": {
            "Website": "https://rudesktop.ru/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "rd.exe",
                "rudesktop*.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.rudesktop.ru",
                        "rudesktop.ru"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rudesktop_network_sigma.yml",
                "Description": "Detects potential network activity of RuDesktop RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rudesktop_processes_sigma.yml",
                "Description": "Detects potential processes activity of RuDesktop RMM tool"
            }
        ],
        "References": [
            "https://rudesktop.ru"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "search_names": [
                "iastoriconlaunch.exe"
            ],
            "company_names": [],
            "signer_names": [
                "Oculus VR, LLC",
                "Unity Technologies ApS",
                "Unity Technologies SF"
            ],
            "certificates": [
                {
                    "signer_name": "Oculus VR, LLC",
                    "certificate_thumbprint": "BC09BF25378AD0D469F6B4D2C96EE56F467A9B5B",
                    "tbs_sha256": "5C2E037072A01071AF8F9809143B1B90ADB6063D67497ABECEBEB815E7844D64",
                    "tbs_sha1": "",
                    "certificate_der_base64": "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"
                },
                {
                    "signer_name": "Unity Technologies ApS",
                    "certificate_thumbprint": "F7F8A6FE44B74576FE35176685405E0D058A7271",
                    "tbs_sha256": "275E28FDBCB9B0DB2E4C498D07906C09061A77BDB8F6E86A7F085F26F92D93B0",
                    "tbs_sha1": "",
                    "certificate_der_base64": "MIIHfTCCBWWgAwIBAgIQD3xaXgYqvbr8vh7GPUwwUjANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xQTA/BgNVBAMTOERpZ2lDZXJ0IFRydXN0ZWQgRzQgQ29kZSBTaWduaW5nIFJTQTQwOTYgU0hBMzg0IDIwMjEgQ0ExMB4XDTIxMDcxNDAwMDAwMFoXDTI0MDcxODIzNTk1OVowgYExCzAJBgNVBAYTAkRLMRMwEQYDVQQHDApLw7hiZW5oYXZuMR8wHQYDVQQKExZVbml0eSBUZWNobm9sb2dpZXMgQXBTMRswGQYDVQQLExJEZXZlbG9wZXIgU2VydmljZXMxHzAdBgNVBAMTFlVuaXR5IFRlY2hub2xvZ2llcyBBcFMwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCzCbb2inJ05Avngb+UbjtAooytIQiwoKacvcuONhwCd6zySsLlJm3pLq3t6F0Pk4a2VmZ1OpRPWGpr6I/ahSSdI8zra/qoJyx8YgoqlZi2PN18bWy3jySNT034o2DUJKwLie1abhrmnYAiX21LZLVTvEdz/7EwgLwxs+2GyGRud26AgIXqqMlX5i7WkvCV9ToSxYf5IbcvPeaxUihmbl560OmWmSu/uLLieg1KfjUau8JcfduH7ClzHpSx8qvGovW3edr08IsOWoFAGM3jhe67zCDeuHP0mKMoVr/TlyrvxzNcVjdsUrqgySu6owEPczk1yZCNrO57l9djSknTGCzPnZ6hUfjJHnAah8RsF78epqBWDQCoZYR8GG2ZwT0v8vf/KOOmE5QKW1zRo0kOCwuP1ERf5nWiJsX+cD0U/kwiDb1crr26ov3tbwGJ5Z1al47v3cewIGGjpdyhoRh0F31UuyemAec0eEYtk27JprUQ87VXzzC17XhI/yPgChKZDml7H6csB15X/bP0uoPHaDhizz1bxJwDdro/gLeT6BJ/Q9HRwkv/gDWeuZ+gYQHCaQezMcMeMkZytyKmr9CrTvXLasznvpIIc8NXC0t3V4yuAqPatBTCdGO74xMmknP4xA17ZS7XgPieS1rvta118/7waWq+EMf/TJn+sMw7UTVYDQIDAQABo4ICBjCCAgIwHwYDVR0jBBgwFoAUaDfg67Y7+F8Rhvv+YXsIiGX0TkIwHQYDVR0OBBYEFFmJ8FPkHHaggnZa9bDR/eHihGu/MA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzCBtQYDVR0fBIGtMIGqMFOgUaBPhk1odHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkRzRDb2RlU2lnbmluZ1JTQTQwOTZTSEEzODQyMDIxQ0ExLmNybDBToFGgT4ZNaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZEc0Q29kZVNpZ25pbmdSU0E0MDk2U0hBMzg0MjAyMUNBMS5jcmwwPgYDVR0gBDcwNTAzBgZngQwBBAEwKTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5kaWdpY2VydC5jb20vQ1BTMIGUBggrBgEFBQcBAQSBhzCBhDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMFwGCCsGAQUFBzAChlBodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkRzRDb2RlU2lnbmluZ1JTQTQwOTZTSEEzODQyMDIxQ0ExLmNydDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4ICAQAf035COMHNDzge7k/VyEkuyvV3MhrMZuRRfLhYmemAWeiy3Fq31xzbCUKTqPR4d1rVNavcMpUA/
z7fM0UsI73Olz1HsH8h7jcVe9TVVDfmf69J8d8k8CnuFNy5rxeeYn1xU0aqf80u49TFVW2DIyZ8l0RvbwPlPDOskXKOjukz+JIZmmWywfcw+z+PUIYm9zlJ1CwqpHKAnBq9OshMQMUd2PwrNP5SmPEBq7VqPqhyoc45VGkUdscfkg2G2SXkfWDeUia3FwkcnDrXp7v25yeCwEf0+PnVX5kasQmP70YwyCHc6d5IgW5zPY+xoCO085N8bjugjpnJoBeEHIeNKQgchHR5uRzFU98+Ewffp2JmhGE3pqoVLL+rd9zOhMfTvGKtW3pqw23Aj9lpcfnRbDfpZy3N551KPYeWHvZUuLd790x56j5CsNgj3Q5N6KLThTmwhpm1g4764SoP9DdQVheY3OBruXGCbNHrdluAIkhrI6l2rY4cqTYuR1IH1MSUS7vSlMmpvwXCCajzIXFHeOos7Zh+wXTNshlOCdrfZs9iLrJG1pPV26VCziOHdZyRnQnMrlF+rnGg61AD/WsdHDuZjgLuGuM9pAaMryWlGhFPza8dw+rFvtrPymB0K6WHOq68T1Xl34mvE3UI54S4AkQ1OvILBKKEOy3icJNkDA4VGg=="
                },
                {
                    "signer_name": "Unity Technologies SF",
                    "certificate_thumbprint": "BFFD800651947878FCD0DC749C16D57B0D5E397D",
                    "tbs_sha256": "BE51932815952B391A497BFE3B782E7990EE050A27744763D0EEBDCC9A0A9380",
                    "tbs_sha1": "",
                    "certificate_der_base64": "MIIH1TCCBb2gAwIBAgIQA+bLMDUJnmOe8zXqzTfAHzANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xQTA/BgNVBAMTOERpZ2lDZXJ0IFRydXN0ZWQgRzQgQ29kZSBTaWduaW5nIFJTQTQwOTYgU0hBMzg0IDIwMjEgQ0ExMB4XDTIzMTIxMTAwMDAwMFoXDTI2MDYwODIzNTk1OVowgd0xEzARBgsrBgEEAYI3PAIBAxMCVVMxGzAZBgsrBgEEAYI3PAIBAhMKQ2FsaWZvcm5pYTEdMBsGA1UEDwwUUHJpdmF0ZSBPcmdhbml6YXRpb24xEDAOBgNVBAUTBzMxODMyMzMxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMR4wHAYDVQQKExVVbml0eSBUZWNobm9sb2dpZXMgU0YxHjAcBgNVBAMTFVVuaXR5IFRlY2hub2xvZ2llcyBTRjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALMaauTBlYjKjNYChCazGJGg++VVs8S9dEhtzqVhR9f8hEN3Iyj3rCBye7kQ75wxkQy9oljOC5FDYDOdz95zPuKpa+cWbHLay3yZLFgdZzqtwTKopzLwUbW/HRnNHJozOeP+Oq6jRhv5FywdlaSOh24HLgECLT2Hg/+Anb+QppdtwsOXf9NYIV5mLCB5TGxqn38ZF3Uy6rCJKmqhzuRFibqhoPxOybJ+Y8pDHPHdN8PJcOQrxUQyvOH2Tq32bRB9k3hYFCFVvI8KquC3DtfBYhcpuW6QTNsEP4zR6ZYy+B4XGyEpbMvuTy/oLYozOpsFjJ69BJbcCUODvAB6NAdGWOmmOsgnelQkVDhkbgNk+Dzs13oqUUr5knISM9KahP+T6h48QwMPgnp8lOfcJw/QV/pooCPSrEEDGgRbwup+yCv36K7nPCG7H2bnAMOHufPMW0vppga7p9qrARRDLiFavheACJho2MOGpWuE7zfE2Y2UQYwcEwQyrtzy9JEKlp8RbOR0OkmIo5YjXUqMxuuxxTbd796HsvbpBRzCtCPK6FNnY6NJ7L82/T+G5ltvRpFOYGb38qlyiTRfs1SsW0EG5BuNsxB8QVPkrS2xjR9BzJeyfz6J84+WyhXxxs5xwQ9sLzGDi2qLO/5+EJ7lZznT6WoqzAWXbXzKUYg3OaeSwlt3AgMBAAGjggICMIIB/jAfBgNVHSMEGDAWgBRoN+Drtjv4XxGG+/5hewiIZfROQjAdBgNVHQ4EFgQUZJFhNS1uAJY89XytJWr66kSIkZYwPQYDVR0gBDYwNDAyBgVngQwBAzApMCcGCCsGAQUFBwIBFhtodHRwOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMIG1BgNVHR8Ega0wgaowU6BRoE+GTWh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0ZWRHNENvZGVTaWduaW5nUlNBNDA5NlNIQTM4NDIwMjFDQTEuY3JsMFOgUaBPhk1odHRwOi8vY3JsNC5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkRzRDb2RlU2lnbmluZ1JTQTQwOTZTSEEzODQyMDIxQ0ExLmNybDCBlAYIKwYBBQUHAQEEgYcwgYQwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBcBggrBgEFBQcwAoZQaHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZEc0Q29kZVNpZ25pbmdSU0E0MDk2U0hBMzg0MjAyMUNBMS5jc
nQwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAgEAVT+ZvtuW8H5SZkX7u9tFMrRy5yFyO+Kjlhhz15AgQ0uqif4vkTbjJU1kO1HdANCcVFVge4k1DTEOKYvFy8ZjFDAD3cIe0z39oxcTZ0Bhhazk6eQtEgtKNFEqaiAaEDJ6ZtpdSuu9JTxT/02AesuNOEQOkx3yFlSm19QHnBxD+UViDAB7CIxLKhYZb6SfW3KBVvl5C15v2GxIvY50UnRnhRlSBgntudFLZXCoKIRMbhKx1QbOhYhPXK2jQteWSWFNUxvfNKOuIkYC+dKQ7Ul1gUMg6jMjwdj0gHyaSWiWOneFYAQ4vlItpt3S6obzOlU3qQvfVyHx5lLgSirks9C4kUbXgLeOtglSiw6chwHOMRCk59JPdeSq9VpfsRgN/xDk0AZ6FpXK/bAkVq950VgHcozJ+404SKMIvbWnqHBI06+Q6Qvo1NFI9JkToWX0Li91WQz6T3ZrH3haHpMy6f/poNuv9oniNWUJIuZsUSNtVi+/0QyEOgvGLuX67fuPcsGimAgunCF80pnRXcaKWj3+UJLvAzuafslmyPcqAPXJ6iwo7xddZmmToMqramBgotODI4GlpDnK+n/87PmQ2/yg07PY1gQE+OMaKmo4PJog/iZUF7mZ737tjLNtdz6Ir8JMQGcmHoXxhoVL/gzOFa4iZx/DPF4If/OoUhHAh+a0iH8="
                },
                {
                    "signer_name": "Advanced Technologies LLC",
                    "certificate_thumbprint": "8365B69A1A2077E392A98F3513DDD5795EF8B5FC",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "3f8795be3197df823b599d8bc96ecbf9c7d94079d490c9d94c3239e635332fdd",
                    "src_file_path": "downloaded_files/rudesktop/3f8795be3197df823b599d8bc96ecbf9c7d94079d490c9d94c3239e635332fdd",
                    "src_file_company": "Advanced Technologies, LLC"
                }
            ]
        },
        "FileHashes": {
            "authenticode": [
                {
                    "file_name": "IAStorIconLaunch.exe",
                    "sha256": "F6F53A49D39810874B56D66DABC85537FB1B514BA52416582DC570AE26A0D8DE",
                    "sha1": "B83F77E1F13B6AA5211EC8F3C383594C583FB311"
                }
            ],
            "page": [
                {
                    "file_name": "IAStorIconLaunch.exe",
                    "sha256": "E5BF1F8524D39085F8F01C2F0135B7CBA8AEAB93B3395E5758FF8113425D69B8",
                    "sha1": "EB19FBF0ECE7F4F29282680A98046728CA52A09A"
                }
            ]
        }
    },
    {
        "Name": "ShowMyPC",
        "Category": "RMM",
        "Description": "ShowMyPC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2025-12-14",
        "Details": {
            "Website": "https://showmypc.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "SMPCSetup.exe",
                "showmypc*.exe",
                "showmypc.exe",
                "smpcsetup.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.showmypc.com",
                        "showmypc.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/showmypc_network_sigma.yml",
                "Description": "Detects potential network activity of ShowMyPC RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/showmypc_processes_sigma.yml",
                "Description": "Detects potential processes activity of ShowMyPC RMM tool"
            }
        ],
        "References": [
            "https://showmypc.com/service/faq/ShowMyPCSecurityOverview1.pdf"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "search_names": [
                "showmypc.exe",
                "smpcsetup.exe"
            ],
            "company_names": [],
            "signer_names": [
                "ShowMyPC INC"
            ],
            "certificates": [
                {
                    "signer_name": "ShowMyPC INC",
                    "certificate_thumbprint": "6ABC950F7C33A7975667C20B2E7DF8F1CF15C05B",
                    "tbs_sha256": "F9DBC445B6F1DCD3290171F8078F8B8728C7E33740EDE901C5F8B3609F13729A",
                    "tbs_sha1": "",
                    "certificate_der_base64": "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"
                },
                {
                    "signer_name": "ShowMyPC INC",
                    "issuer": "CN=Sectigo RSA Code Signing CA",
                    "certificate_thumbprint": "08EAACC8774F72E77E8DA8CCC6D14FD8DD41BA18",
                    "tbs_sha256": "1A76493B74AA1DB9F61663C57AE3346BD30CAA5AB6AD6F153A139F32B7DD47CE",
                    "tbs_sha1": "7CAA5A676AB833200EDFDB46C06CFDC04340B51A",
                    "valid_from": "2020-08-11T00:00:00+00:00",
                    "valid_to": "2023-11-10T23:59:59+00:00",
                    "certificate_der_base64": "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"
                }
            ]
        }
    },
    {
        "Name": "Laplink Gold",
        "Category": "RMM",
        "Description": "Laplink Gold is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2025-12-14",
        "Details": {
            "Website": "https://web.laplink.com/product/laplink-gold",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "tsircusr.exe",
                "laplink.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "user_managed",
                        "web.laplink.com/product/laplink-gold"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_gold_network_sigma.yml",
                "Description": "Detects potential network activity of Laplink Gold RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_gold_processes_sigma.yml",
                "Description": "Detects potential processes activity of Laplink Gold RMM tool"
            }
        ],
        "References": [
            "https://web.laplink.com/product/laplink-gold"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "search_names": [
                "tsircusr",
                "welcome.exe",
                "welcres.dll"
            ],
            "company_names": [],
            "signer_names": [
                "Outbyte Computing Pty Ltd"
            ],
            "certificates": [
                {
                    "signer_name": "Outbyte Computing Pty Ltd",
                    "certificate_thumbprint": "N/A",
                    "tbs_sha256": "20AEF3F8CE217A4F1CBBE73321B97DC97E7DA76A82ED88FD3F21E5AAB91719B0",
                    "tbs_sha1": ""
                }
            ]
        },
        "FileHashes": {
            "authenticode": [
                {
                    "file_name": "welcres.dll",
                    "sha256": "253526E0D9CA962CF1C63A2393E4080A4CAB40109368F87535C47A1924BBC8E1",
                    "sha1": "410A8E54B9F666FBD3926E5F84627496C85464EF"
                },
                {
                    "file_name": "TSIRCUSR",
                    "sha256": "5727381CC72576FF024CD9D8AC2DDF319BFBE8C0BA047978168983EF5A46D8A0",
                    "sha1": "A75A8804DDC2FEC98338CB9983A4DBD744CF6C8C"
                },
                {
                    "file_name": "welcome.exe",
                    "sha256": "9A2E54A5FECA1884D72A92C023873D67A11BC8E03B5285782B08D78794544BD3",
                    "sha1": "3F36B10BD8EE626C268217136E6D9C05AC9B61CB"
                }
            ],
            "page": [
                {
                    "file_name": "welcres.dll",
                    "sha256": "806FF080BA028A0534F58FF28588DE123BDDC6BA44F13674751B5C614FC96653",
                    "sha1": "2735A89D5EAB557343F510376C01461ECF8F277B"
                },
                {
                    "file_name": "TSIRCUSR",
                    "sha256": "ABE4604DCE28077419994EBC8165C80F2D300452CFB74AF1BAAFA0E39F04854C",
                    "sha1": "5DCA73F709D8408E7F41C0851C3D0AD8CCC8F779"
                },
                {
                    "file_name": "welcome.exe",
                    "sha256": "C75C7DCCD6B8525EC3C5D90B4A667DF052FF25A80DE8F4FCF8411E75BF2F5555",
                    "sha1": "689F8DBC71F9A152B1716206ABFED15C80F2AD80"
                }
            ]
        }
    },
    {
        "Name": "Syspectr",
        "Category": "RMM",
        "Description": "Syspectr is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.syspectr.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "oolocker.exe",
                "oosyspectr.exe",
                "syspectr.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.syspectr.com",
                        "syspectr.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syspectr_network_sigma.yml",
                "Description": "Detects potential network activity of Syspectr RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syspectr_processes_sigma.yml",
                "Description": "Detects potential processes activity of Syspectr RMM tool"
            }
        ],
        "References": [
            "https://syspectr.com"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "Alpemix",
        "Category": "RMM",
        "Description": "Alpemix is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.\n",
        "Author": "Nasreddine Bencherchali",
        "Created": "2024-08-05",
        "LastModified": "2024-08-05",
        "Details": {
            "Website": "https://www.alpemix.com/en/Home",
            "PEMetadata": [
                {
                    "Filename": "Alpemix.exe",
                    "OriginalFileName": "Alpemix",
                    "Description": "Alpemix",
                    "Product": "Alpemix",
                    "InternalName": "Alpemix"
                }
            ],
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [
                "Windows",
                "Linux",
                "Android",
                "Mac",
                "IOS"
            ],
            "Capabilities": [
                "5 Different Solutions for Remote Support",
                "Access to Unattended Computers",
                "Access to User Account Control (UAC) Screens",
                "Add Your Own Logo",
                "Auto Sizing",
                "Automatic Update",
                "Clipboard Transfer",
                "Computer Independent Licensing",
                "Contact List and Groups",
                "Encrypted Communication",
                "External Communication Barrier",
                "File Transfer",
                "Instant Messaging",
                "Multi-Platform Support",
                "Multiple Chat",
                "Multiple Connections",
                "No Port Forwarding Required",
                "Peer to Peer Connection (p2p)",
                "Receiving Offline Message",
                "Remote Restart",
                "ReportingRestricting The Authority",
                "Screen Sharing",
                "Sending Announcement Message",
                "Sharing a certain part of the screen",
                "Video Recording",
                "Voice Communication",
                "Who is currently supporting?",
                "Working in Black Screen Mode"
            ],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\AlpemixService.exe",
                "C:\\AlpemixSrvc\\"
            ]
        },
        "Artifacts": {
            "Disk": [
                {
                    "File": "%localappdata%\\Alpemix\\Alpemix.ini",
                    "Description": "N/A",
                    "OS": "Windows"
                }
            ],
            "EventLog": [
                {
                    "EventID": 7045,
                    "ProviderName": "Service Control Manager",
                    "LogFile": "System.evtx",
                    "ServiceName": "AlpemixSrvc",
                    "ImagePath": "*\\Alpemix.exe servicestartxxx",
                    "Description": "Service installation event as result of Alpemix installation."
                }
            ],
            "Registry": [
                {
                    "Path": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\AlpemixSrvcx",
                    "Description": "N/A"
                }
            ],
            "Network": [
                {
                    "Domains": [
                        "*.alpemix.com"
                    ],
                    "Ports": [
                        443
                    ],
                    "Description": "N/A"
                },
                {
                    "Domains": [
                        "*.teknopars.com"
                    ],
                    "Ports": [
                        80
                    ],
                    "Description": "N/A"
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_registry_sigma.yml",
                "Description": "Detects potential registry activity of Alpemix RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_network_sigma.yml",
                "Description": "Detects potential network activity of Alpemix RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_files_sigma.yml",
                "Description": "Detects potential files activity of Alpemix RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_processes_sigma.yml",
                "Description": "Detects potential processes activity of Alpemix RMM tool"
            }
        ],
        "References": [
            "https://www.alpemix.com/en/remote-access"
        ],
        "Acknowledgement": [
            {
                "Person": "Nasreddine Bencherchali",
                "Handle": "@nas_bench"
            }
        ],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "TEKNOPARS BİLİŞİM TEKNOLOJİLERİ SANAYİ VE TİCARET LTD.ŞTİ.",
                    "certificate_thumbprint": "791EEC3C65240BFC4C6C3BE5469516A468DB61E9",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "6893d9ca56c9a8ff7f40cabb737996ed419b288f5bb571d6c1cc6effa9e888d9",
                    "src_file_path": "downloaded_files/alpemix/6893d9ca56c9a8ff7f40cabb737996ed419b288f5bb571d6c1cc6effa9e888d9",
                    "src_file_company": "Teknopars Bilisim"
                }
            ]
        }
    },
    {
        "Name": "MEGAsync",
        "Category": "RAT",
        "Description": "MEGAsync is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://mega.io/desktop",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Users\\*\\AppData\\Local\\MEGAsync\\*",
                "*Users\\*\\AppData\\Local\\MEGAsync\\*",
                "*ProgramData\\MEGAsync\\*",
                "*\\MEGAsyncSetup64.exe",
                "*\\MEGAupdater.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/megasync_processes_sigma.yml",
                "Description": "Detects potential processes activity of MEGAsync RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "Mega Limited",
                    "certificate_thumbprint": "E65A1FC65C29578B54AA826AFF6E2310C5255EF9",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "6ffa84575a19e64a21e26f6a752854212b5c73555db1e20cee78ee44efe7781d",
                    "src_file_path": "downloaded_files/megasync/6ffa84575a19e64a21e26f6a752854212b5c73555db1e20cee78ee44efe7781d",
                    "src_file_company": "MEGA Limited"
                }
            ]
        }
    },
    {
        "Name": "NetLock RMM",
        "Category": "RMM",
        "Description": "NetLock RMM is an open source Remote Management and Monitoring tool with a paid support and cloud offering.",
        "Author": "Tyler Schultz",
        "Created": "2025-07-18",
        "LastModified": "2025-07-18",
        "Details": {
            "Website": "https://www.netlockrmm.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [
                "Windows",
                "Linux",
                "MacOS"
            ],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "NetLock_RMM_Agent_Installer.exe",
                "NetLock_RMM_Agent_Installer",
                "/var/0x101_Cyber_Security/*",
                "/Library/Application Support/0x101_Cyber_Security/*",
                "/usr/local/bin/0x101_Cyber_Security/Netlock_RMM/*",
                "/usr/0x101_Cyber_Security/Netlock_RMM/*",
                "C:\\ProgramData\\0x101 Cyber Security\\NetLock RMM\\Comm Agent\\*",
                "C:\\Program Files\\0x101 Cyber Security\\NetLock RMM\\UserAgent\\NetLock_RMM_User_Process.exe",
                "C:\\Program Files\\0x101 Cyber Security\\NetLock RMM\\UserAgent\\NetLock_RMM_User_UAC.exe"
            ]
        },
        "Artifacts": {
            "Disk": [
                {
                    "File": "C:\\temp\\netlock rmm\\installer\\logs\\*",
                    "Description": "Debug and error logs related to installation",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\ProgramData\\0x101 Cyber Security\\NetLock RMM\\Comm Agent\\server_config.json",
                    "Description": "Server Configuration File",
                    "OS": "Windows"
                },
                {
                    "File": "/etc/systemd/system/netlock-rmm-agent-comm.service",
                    "Description": "Netlock RMM Agent comm agent service",
                    "OS": "Linux"
                },
                {
                    "File": "/Library/LaunchDaemons/com.netlock.rmm.agentcomm.plist",
                    "Description": "macOS LaunchDaemon plist File",
                    "OS": "macOS"
                },
                {
                    "File": "/var/log/netlock-rmm-agent-comm.log",
                    "Description": "RMM agent comm log (Non-Windows)",
                    "OS": "Linux"
                }
            ],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netlock_rmm_files_sigma.yml",
                "Description": "Detects potential files activity of NetLock RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netlock_rmm_processes_sigma.yml",
                "Description": "Detects potential processes activity of NetLock RMM tool"
            }
        ],
        "References": [
            "https://www.netlockrmm.com",
            "https://github.com/0x101-Cyber-Security/NetLock-RMM"
        ],
        "Acknowledgement": [
            {
                "Person": "Tyler Schultz",
                "Handle": "@shockwave_ts"
            }
        ]
    },
    {
        "Name": "FreeNX",
        "Category": "RAT",
        "Description": "FreeNX is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [
                "Windows"
            ],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\*\\nxplayer.exe",
                "*\\nxplayer.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/freenx_processes_sigma.yml",
                "Description": "Detects potential processes activity of FreeNX RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "NoMachine S.à r.l",
                    "certificate_thumbprint": "08E7F3C348651CFEAB2C2F123FCE83AD1E5CA3CD",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "a4adfcbab8aa773f1d91116beef5c15605cd855ff9680281ae9d4dcafe7443ee",
                    "src_file_path": "downloaded_files/freenx/a4adfcbab8aa773f1d91116beef5c15605cd855ff9680281ae9d4dcafe7443ee",
                    "src_file_company": "NoMachine"
                },
                {
                    "signer_name": "NoMachine S.a.r.l.",
                    "certificate_thumbprint": "B10BE4C8C9132A19607B268D5176EFCB43A0654E",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "338194b2e5e40d0830e6ec55845fd96ca3346d6c1eeafb7b7c5596568b87eff1",
                    "src_file_path": "downloaded_files/freenx/338194b2e5e40d0830e6ec55845fd96ca3346d6c1eeafb7b7c5596568b87eff1",
                    "src_file_company": "NoMachine"
                }
            ]
        }
    },
    {
        "Name": "Xpra",
        "Category": "RAT",
        "Description": "Xpra is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://github.com/Xpra-org/xpra/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [
                "Windows"
            ],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Program Files (x86)\\Xpra\\*",
                "*\\Xpra\\*",
                "*\\Xpra-Launcher.exe",
                "*\\Xpra-x86_64_Setup.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xpra_processes_sigma.yml",
                "Description": "Detects potential processes activity of Xpra RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": []
    },
    {
        "Name": "Devolutions Remote Desktop Manager",
        "Category": "RAT",
        "Description": "Devolutions Remote Desktop Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "ogmini",
        "Created": "2025-06-02",
        "LastModified": "2025-06-02",
        "Details": {
            "Website": "https://devolutions.net/remote-desktop-manager/",
            "PEMetadata": {
                "Filename": "RemoteDesktopManager.exe",
                "OriginalFileName": "RemoteDesktopManager",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [
                "Windows",
                "Linux",
                "Android",
                "Mac",
                "IOS"
            ],
            "Capabilities": [],
            "Vulnerabilities": [
                "https://www.cvedetails.com/version-list/22913/177721/1/Devolutions-Remote-Desktop-Manager-Powershell.html"
            ],
            "InstallationPaths": [
                "C:\\Program Files\\Devolutions\\Remote Desktop Manager",
                "*\\RemoteDesktopManager.exe"
            ]
        },
        "Artifacts": {
            "Disk": [
                {
                    "File": "%localappdata%\\Devolutions\\RemoteDesktopManager\\Connections.log",
                    "Description": "Log file showing connections, disconnections, actions on saved passwords and attachments, and other changes",
                    "OS": "Windows",
                    "Example": [
                        "[5/20/2025 12:48:58 PM] Entry added - '192.168.0.xx' (RDP (Microsoft Remote Desktop))",
                        "[5/20/2025 12:49:02 PM] Connecting - '192.168.0.xx' (RDP (Microsoft Remote Desktop))",
                        "[5/20/2025 12:49:58 PM] Disconnected - '192.168.0.xx' (RDP (Microsoft Remote Desktop))",
                        "[5/22/2025 11:07:39 AM] Password viewed - '192.168.0.xx' (RDP (Microsoft Remote Desktop))"
                    ]
                },
                {
                    "File": "%localappdata%\\Devolutions\\RemoteDesktopManager[GUID]\\Mru.xml",
                    "Description": "Most recently used Connections",
                    "OS": "Windows"
                },
                {
                    "File": "%localappdata%\\Devolutions\\RemoteDesktopManager\\Connections.db",
                    "Description": "Default connections database. There can be others. Holds information and configuration about the connections",
                    "OS": "Windows"
                }
            ],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/devolutions_remote_desktop_manager_files_sigma.yml",
                "Description": "Detects potential files activity of Devolutions Remote Desktop Manager RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/devolutions_remote_desktop_manager_processes_sigma.yml",
                "Description": "Detects potential processes activity of Devolutions Remote Desktop Manager RMM tool"
            }
        ],
        "References": [
            "https://devolutions.net/remote-desktop-manager/",
            "https://ogmini.github.io/research#remote-desktop-manager"
        ],
        "Acknowledgement": [
            {
                "Person": "ogmini",
                "Handle": "https://ogmini.github.io/"
            }
        ],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "Devolutions Inc",
                    "certificate_thumbprint": "8DB5A43BB8AFE4D2FFB92DA9007D8997A4CC4E13",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "b4dc03f646a3212aae9769e146b35bad4d0ddea71807afc97a3494215ecb0219",
                    "src_file_path": "downloaded_files/devolutions_remote_desktop_manager/b4dc03f646a3212aae9769e146b35bad4d0ddea71807afc97a3494215ecb0219",
                    "src_file_company": "Devolutions inc."
                }
            ]
        }
    },
    {
        "Name": "Ericom Connect",
        "Category": "RMM",
        "Description": "Ericom Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2025-12-14",
        "Details": {
            "Website": "https://www.ericom.com/connect-accessnow/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "EricomConnectRemoteHost*.exe",
                "ericomconnnectconfigurationtool.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "user_managed",
                        "ericom.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_connect_network_sigma.yml",
                "Description": "Detects potential network activity of Ericom Connect RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_connect_processes_sigma.yml",
                "Description": "Detects potential processes activity of Ericom Connect RMM tool"
            }
        ],
        "References": [
            "https://www.ericom.com/connect-accessnow/"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "search_names": [
                "setupsuite"
            ],
            "company_names": [],
            "signer_names": [],
            "certificates": []
        },
        "FileHashes": {
            "authenticode": [
                {
                    "file_name": "SetupSuite",
                    "sha256": "8192BE693F725A6894110756A4AC198EA9D7A9A206FA0AAB4B6D550631469DEE",
                    "sha1": "B7FA745F634101966C7806CAEFC503546D10D42F"
                }
            ],
            "page": []
        }
    },
    {
        "Name": "Ultra VNC",
        "Category": "RAT",
        "Description": "Ultra VNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://uvnc.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Program Files\\uvnc bvba\\UltraVNC\\*",
                "*\\uvnc bvba\\UltraVNC\\*",
                "*\\UVNC_Launch.exe",
                "*\\winvnc.exe",
                "*\\vncviewer.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultra_vnc_processes_sigma.yml",
                "Description": "Detects potential processes activity of Ultra VNC RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": [],
        "CodeSigning": {
            "search_names": [],
            "company_names": [],
            "signer_names": [
                "uvnc bvba"
            ],
            "certificates": [
                {
                    "signer_name": "uvnc bvba",
                    "certificate_thumbprint": "N/A",
                    "tbs_sha256": "",
                    "tbs_sha1": "",
                    "tbs_sha384": "0841701E5F698337DDA293B925112D3B1CF5A17DEDB90743B52379310184840C2B1E377BCF6AC4B1008D38D248920BD9"
                },
                {
                    "signer_name": "RealVNC Ltd",
                    "certificate_thumbprint": "787E284FC93F1F03001F0F9F54467D580B7B7B57",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "39195c0abe53dc8fc2a57beeb6df9accf72226d46688845bf864c4d639030d84",
                    "src_file_path": "downloaded_files/ultra_vnc/39195c0abe53dc8fc2a57beeb6df9accf72226d46688845bf864c4d639030d84",
                    "src_file_company": "RealVNC"
                }
            ]
        }
    },
    {
        "Name": "RemotePass",
        "Category": "RMM",
        "Description": "RemotePass is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.remotepass.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [
                "Windows"
            ],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "remotepass-access.exe",
                "rpaccess.exe",
                "rpwhostscr.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "remotepass.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepass_network_sigma.yml",
                "Description": "Detects potential network activity of RemotePass RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepass_processes_sigma.yml",
                "Description": "Detects potential processes activity of RemotePass RMM tool"
            }
        ],
        "References": [
            "https://www.remotepass.com/rpaccess.html - DOA as of 2024"
        ],
        "Acknowledgement": []
    },
    {
        "Name": "Atera",
        "Category": "RMM",
        "Description": "Atera is a remote monitoring and management (RMM) tool. It is used by threat actors to deploy ransomware or facilitate command execution and lateral movement.\n",
        "Created": "2024-08-03",
        "LastModified": "2025-12-14",
        "Details": {
            "Website": "https://www.atera.com/",
            "PEMetadata": [
                {
                    "Filename": "AteraAgent.exe",
                    "OriginalFileName": "AteraAgent.exe",
                    "Description": "AteraAgent"
                }
            ],
            "Privileges": "SYSTEM",
            "Free": "30 day trial",
            "Verification": "None",
            "SupportedOS": [
                "Windows",
                "MacOS",
                "Linux"
            ],
            "Capabilities": [
                "Integrated remote access with Splashtop and AnyDesk",
                "Remote monitoring and management",
                "Patch management",
                "Network discovery",
                "Backup and disaster recovery",
                "Helpdesk and ticketing",
                "Reporting and analytics",
                "Billing and invoicing",
                "Customer portal",
                "Mobile app"
            ],
            "Vulnerabilities": [
                "CVE-2023-26078",
                "CVE-2023-26077"
            ],
            "InstallationPaths": [
                "*\\AgentPackageNetworkDiscovery.exe",
                "*\\AgentPackageTaskScheduler.exe",
                "*\\ATERA Networks\\AteraAgent\\*",
                "*\\AteraAgent.exe",
                "atera_agent.exe",
                "atera_agent.exe",
                "ateraagent.exe",
                "C:\\Program Files\\ATERA Networks\\AteraAgent\\*",
                "C:\\Program Files\\Atera Networks",
                "C:\\Program Files (x86)\\Atera Networks",
                "syncrosetup.exe"
            ]
        },
        "Artifacts": {
            "Disk": [
                {
                    "File": "C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageRunCommandInteractive\\log.txt",
                    "Description": "N/A",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\*",
                    "Description": "N/A",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe",
                    "Description": "Atera service binary",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files\\Atera Networks\\AlphaAgent.exe",
                    "Description": "Atera service binary",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageSTRemote\\AgentPackageSTRemote.exe",
                    "Description": "N/A",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageMonitoring\\AgentPackageMonitoring.exe",
                    "Description": "N/A",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageHeartbeat\\AgentPackageHeartbeat.exe",
                    "Description": "N/A",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageFileExplorer\\AgentPackageFileExplorer.exe",
                    "Description": "N/A",
                    "OS": "Windows"
                },
                {
                    "File": "C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageRunCommandInteractive\\AgentPackageRunCommandInteractive.exe",
                    "Description": "N/A",
                    "OS": "Windows"
                }
            ],
            "EventLog": [
                {
                    "EventID": 7045,
                    "ProviderName": "Service Control Manager",
                    "LogFile": "System.evtx",
                    "ServiceName": "AteraAgent",
                    "ImagePath": "\"C:\\\\Program Files (x86)\\\\ATERA Networks\\\\AteraAgent\\\\AteraAgent.exe\"",
                    "Description": "Service installation event as result of AteraAgent installation."
                },
                {
                    "EventID": 7045,
                    "ProviderName": "Service Control Manager",
                    "LogFile": "System.evtx",
                    "ServiceName": "WinRing0_1_2_0",
                    "ImagePath": "\"C:\\\\Program Files (x86)\\\\ATERA Networks\\\\AteraAgent\\\\Packages\\\\AgentPackageMonitoring\\\\OpenHardwareMonitorLib.sys\"",
                    "Description": "Service installation event as result of Atera package manager installation."
                },
                {
                    "EventID": 11707,
                    "ProviderName": "MsiInstaller",
                    "LogFile": "Application.evtx",
                    "Data": "Product: AteraAgent -- Installation completed successfully.",
                    "Description": "MSI installer event recording successful completion of the AteraAgent installation."
                },
                {
                    "EventID": 4697,
                    "ProviderName": "Microsoft-Security-Auditing",
                    "LogFile": "Security.evtx",
                    "CommandLine": "C:\\\\Program Files\\\\ATERA Networks\\\\AteraAgent\\\\Packages\\\\AgentPackageFileExplorer\\\\AgentPackageFileExplorer.exe XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX agent-api.atera.com/Production 443 [BASE64BLOB]",
                    "Description": "Service installation event as result of AteraAgent installation."
                }
            ],
            "Registry": [
                {
                    "Path": "HKLM\\SOFTWARE\\ATERA Networks\\AlphaAgent",
                    "Description": null
                },
                {
                    "Path": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\AteraAgent",
                    "Description": null
                },
                {
                    "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Splashtop Inc.",
                    "Description": null
                },
                {
                    "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Splashtop Software Updater",
                    "Description": null
                },
                {
                    "Path": "HKLM\\SYSTEM\\ControlSet\\Services\\EventLog\\Application\\AlphaAgent",
                    "Description": null
                },
                {
                    "Path": "HKLM\\SYSTEM\\ControlSet\\Services\\EventLog\\Application\\AteraAgent",
                    "Description": null
                },
                {
                    "Path": "HKLM\\SOFTWARE\\Microsoft\\Tracing\\AteraAgent_RASAPI32",
                    "Description": null
                },
                {
                    "Path": "HKLM\\SOFTWARE\\Microsoft\\Tracing\\AteraAgent_RASMANCS",
                    "Description": null
                },
                {
                    "Path": "HKLM\\SOFTWARE\\ATERA Networks\\*",
                    "Description": null
                }
            ],
            "Network": [
                {
                    "Description": "N/A",
                    "Domains": [
                        "pubsub.atera.com"
                    ],
                    "Ports": [
                        "N/A"
                    ]
                },
                {
                    "Description": "N/A",
                    "Domains": [
                        "pubsub.pubnub.com"
                    ],
                    "Ports": [
                        "N/A"
                    ]
                },
                {
                    "Description": "N/A",
                    "Domains": [
                        "agentreporting.atera.com"
                    ],
                    "Ports": [
                        "N/A"
                    ]
                },
                {
                    "Description": "N/A",
                    "Domains": [
                        "getalphacontrol.com"
                    ],
                    "Ports": [
                        "N/A"
                    ]
                },
                {
                    "Description": "N/A",
                    "Domains": [
                        "app.atera.com"
                    ],
                    "Ports": [
                        "N/A"
                    ]
                },
                {
                    "Description": "N/A",
                    "Domains": [
                        "agenthb.atera.com"
                    ],
                    "Ports": [
                        "N/A"
                    ]
                },
                {
                    "Description": "N/A",
                    "Domains": [
                        "packagesstore.blob.core.windows.net"
                    ],
                    "Ports": [
                        "N/A"
                    ]
                },
                {
                    "Description": "N/A",
                    "Domains": [
                        "ps.pndsn.com"
                    ],
                    "Ports": [
                        "N/A"
                    ]
                },
                {
                    "Description": "N/A",
                    "Domains": [
                        "agent-api.atera.com"
                    ],
                    "Ports": [
                        "N/A"
                    ]
                },
                {
                    "Description": "N/A",
                    "Domains": [
                        "agentreportingstore.blob.core.windows.net"
                    ],
                    "Ports": [
                        "N/A"
                    ]
                },
                {
                    "Description": "N/A",
                    "Domains": [
                        "atera-agent-heartbeat.servicebus.windows.net"
                    ],
                    "Ports": [
                        "N/A"
                    ]
                },
                {
                    "Description": "N/A",
                    "Domains": [
                        "ps.atera.com"
                    ],
                    "Ports": [
                        "N/A"
                    ]
                },
                {
                    "Description": "N/A",
                    "Domains": [
                        "atera.pubnubapi.com"
                    ],
                    "Ports": [
                        "N/A"
                    ]
                },
                {
                    "Description": "N/A",
                    "Domains": [
                        "appcdn.atera.com"
                    ],
                    "Ports": [
                        "N/A"
                    ]
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/The-DFIR-Report/Sigma-Rules/blob/d67407d357ad32b247e2a303abc5a38bb30fd576/rules/windows/process_creation/proc_creation_win_ateraagent_malicious_installations.yml",
                "Name": "AteraAgent malicious installations",
                "Description": "Detects AteraAgent installations with suspicious command line arguments."
            },
            {
                "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/builtin/application/msiinstaller/win_software_atera_rmm_agent_install.yml",
                "Name": "Atera Agent Installation",
                "Description": "Detects Atera Agent installation."
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_registry_sigma.yml",
                "Description": "Detects potential registry activity of Atera RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_network_sigma.yml",
                "Description": "Detects potential network activity of Atera RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_files_sigma.yml",
                "Description": "Detects potential files activity of Atera RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_processes_sigma.yml",
                "Description": "Detects potential processes activity of Atera RMM tool"
            }
        ],
        "References": [
            "https://support.atera.com/hc/en-us/articles/360015461139-Firewall-Settings-for-Atera-s-Integrations",
            "https://support.atera.com/hc/en-us/articles/215955967-Troubleshoot-Atera-s-Windows-agent",
            "https://support.atera.com/hc/en-us/articles/115015619747-Release-Notes-February-2018",
            "https://thedfirreport.com/?s=ateraagent"
        ],
        "Acknowledgement": [
            {
                "Person": "Théo Letailleur",
                "Handle": "in/theosyn"
            },
            {
                "Person": "Nasreddine Bencherchali",
                "Handle": "@nas_bench"
            },
            {
                "Person": "Kostas",
                "Handle": "@kostastsale"
            }
        ],
        "CodeSigning": {
            "search_names": [
                "agentpackagenetworkdiscovery.exe",
                "agentpackagetaskscheduler.exe",
                "atera_agent.exe",
                "ateraagent.exe",
                "syncrosetup.exe"
            ],
            "company_names": [],
            "signer_names": [
                ".NET",
                "Atera Networks Ltd"
            ],
            "certificates": [
                {
                    "signer_name": "Atera Networks Ltd",
                    "certificate_thumbprint": "E2D5CC46541C8FC8E9E619175516C5616B84D8D8",
                    "tbs_sha256": "C81C87870D6F0DD87F6E02E5D6EE09886DE73BECB81B06A3C92626E24F174A3D",
                    "tbs_sha1": "",
                    "certificate_der_base64": "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"
                },
                {
                    "signer_name": "Atera Networks Ltd",
                    "certificate_thumbprint": "7908DDC749BBCA22273E8CB58101BAC915E9B8D9",
                    "tbs_sha256": "97D2940D1BA0DBAF84280371A267A1BC689DEC0E224010EC7963D9DE45A5BCD1",
                    "tbs_sha1": "",
                    "certificate_der_base64": "MIIHWTCCBUGgAwIBAgIQBn9gR5VmJKcVmWF0PYGUkzANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xQTA/BgNVBAMTOERpZ2lDZXJ0IFRydXN0ZWQgRzQgQ29kZSBTaWduaW5nIFJTQTQwOTYgU0hBMzg0IDIwMjEgQ0ExMB4XDTIyMDIxNzAwMDAwMFoXDTI0MDMxNjIzNTk1OVowgbUxEzARBgsrBgEEAYI3PAIBAxMCSUwxHTAbBgNVBA8MFFByaXZhdGUgT3JnYW5pemF0aW9uMRIwEAYDVQQFEwk1MTM0MDk2MzExCzAJBgNVBAYTAklMMRYwFAYDVQQHEw1UZWwgQXZpdi1ZYWZvMRswGQYDVQQKExJBdGVyYSBOZXR3b3JrcyBMdGQxDDAKBgNVBAsMA1ImRDEbMBkGA1UEAxMSQXRlcmEgTmV0d29ya3MgTHRkMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAsmnussRCL8H4xWvZbnmJJhyt9VoMrUSzx+8JabdoQAz3yAiHiptVD4sLqPQNKeWu+rXS1rLUOjlMDt0eHShhiw9l623rQGPX6LEqb569vtpDnX2uVMcse76ShZSwULbHIIjVmlmfTTtxVn3eKLfwVf14I+2Uuk7SYep7nGwX+ONxspmSknw8XUHuFQ8ioih0R0SaOU8DF3oIMjyI0ZMIEPdRSMdtrL/4rjKvYnYV32L4PXlYnMiMTXPzpckczvM8FBYbVy6TihrcPL0zB6h70js9v41FquH50ekLL8I9Djj5N0km5ke0vhKE+ecXrTfSYWk/9JSQCdgOGhuj87Sn4ODCB/I9hkLR3MRvHU/epIIPO8FbmQalmpAESGWoLBb2ahsCC3l1RXB+aVQi7C/th6obkpn7FRB9TpISSSlcLmver80QatJ1PrBwv/LI6Z/MKsS62c1nYsrFCuMTEc9nUek9WAdzZJ9Rrs0xl6EObo/DEBiMj5w4HcEsyJXApAMBAgMBAAGjggIuMIICKjAfBgNVHSMEGDAWgBRoN+Drtjv4XxGG+/5hewiIZfROQjAdBgNVHQ4EFgQUS/mH/Su6F9cIq+lmqcEXTFFdpxIwJwYDVR0RBCAwHqAcBggrBgEFBQcIA6AQMA4MDElMLTUxMzQwOTYzMTAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwgbUGA1UdHwSBrTCBqjBToFGgT4ZNaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZEc0Q29kZVNpZ25pbmdSU0E0MDk2U0hBMzg0MjAyMUNBMS5jcmwwU6BRoE+GTWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0ZWRHNENvZGVTaWduaW5nUlNBNDA5NlNIQTM4NDIwMjFDQTEuY3JsMD0GA1UdIAQ2MDQwMgYFZ4EMAQMwKTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5kaWdpY2VydC5jb20vQ1BTMIGUBggrBgEFBQcBAQSBhzCBhDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMFwGCCsGAQUFBzAChlBodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkRzRDb2RlU2lnbmluZ1JTQTQwOTZTSEEzODQyMDIxQ0ExLmNydDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4ICAQCVAyX+oEKOZ4qA1qZd15cQwxuYZ4TZVdMvczTlWks/Epw09tft4193/gf1lfu8gzDM9DRARdziMbC7DvaTg0L8nz7HlwWppI/5AA1tE9dRxvhlZlR/z8eVh0eGZ
/yDcX2glbbAT+dWNpkY/W1XXFwDnpZ1jFK/3IZZTSQJ24uKYGxMBmGVA9slGS1EZSZv7RWkI02EubFjki+UZanSKD+8DcomPjfaAmgFlLKk2ZRpf6m4uJZ9U6vxAV1TbYHDFkNXa767+USsHJKPknVHUrt2fzhsFhm5Gaf192gxgQmzfGDe4r/wGgAvfB6X7xwFD++ilFUcwGZH5LX2MFfNTdVuXNfXBmd/mAPq86FTHS3yEF0rihougQvFoBDfJYb6bu8a7MOdOQRsxFo5I2XVD0VkcqOyqtFVIFRQ2RIMrKHE3Ibf9FTW9YghT1K/RFOIs8blrBfkRzgUd3fu4E8Fio1KaztezyJ6XTupMFCnF79oqXSqfsHV8kotOx+LsVYaM17AIdAn2n7MD8OzzsidT03+EyqOwGM2QhMf0t04OjMEW7lIMPzch/t2DeEsDg3B46MuRRYmK2RdIc/pdwMm8CNg92O24zkhNG0s81umSta9rlrHQX7vKmCK+3SYAd1tXwdwMJNO01CCrPjLdBZw/8CJjOeesz3CQwvj2QjS6K8aIQ=="
                },
                {
                    "signer_name": ".NET",
                    "issuer": "CN=Microsoft Code Signing PCA 2011",
                    "certificate_thumbprint": "860AB2B78578D8EF61F692CF81AE4B1198CCBC94",
                    "tbs_sha256": "7F0D0E92811AC3A99C25B3DDA0BDDEFA767475CF8FD22D3496CBF79F92B11878",
                    "tbs_sha1": "3D04A28E763E746DBBE3D2F8485AA3A6D114E1F4",
                    "valid_from": "2025-09-18T17:58:59+00:00",
                    "valid_to": "2026-07-06T17:58:59+00:00",
                    "certificate_der_base64": "MIIGYzCCBEugAwIBAgITMwAABKx2L/5u0oyEaAAAAAAErDANBgkqhkiG9w0BAQwFADB+MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSgwJgYDVQQDEx9NaWNyb3NvZnQgQ29kZSBTaWduaW5nIFBDQSAyMDExMB4XDTI1MDkxODE3NTg1OVoXDTI2MDcwNjE3NTg1OVowYzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjENMAsGA1UEAxMELk5FVDCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBALuFEy75KfVcG2h5jV0iKaYZVCj66T6iHA4wmiIfEEj395MLfCL0DzfllnBDCG6IYYOBx6S2NQWioqOnxW5sVtKAV/XFEo9jUPdD3KrjYaSJ2RmDVaG7DfqYuFYGaAoiOu8S2AABRVOJDBXccisvpm7Rj6eUN7KAhkhMIpCYr3g4e8DyUY4oD+XeEavEOTNM+u+zrq/u2hBfE5lUFuPLX6q5/Mfvd5b3rBCQe55Cw0Cr5sxjkcnZasgg6NpWaAXzi/fZYMVvZKQMbpvBUVl7e38xtQbjn+0jPxg8EZDQVpDsnuIX00BwJuVqPJ/+fsTyGiXc4UjVZjFPfAZAzyQQzUiZz3hcoj63M4oc5Ppwa24Xo/h3d5LNl8WcduJ5zB6B1JdcW8nnX2OTKJV7RkEufA8z1/VdSuet3LYKqvUDls+twfp6+Pp7gKK5PVV+NmxM1CwsJrVExkL0AtryAoCEk33xKV4YDdhJkfyEWOe4XfKX8SdoIiWjzc2Ji4h0GKMMnQIDAQABo4IBczCCAW8wHwYDVR0lBBgwFgYKKwYBBAGCN0wIAQYIKwYBBQUHAwMwHQYDVR0OBBYEFLt6EqlHMQADV5J7JQApJK7bkFLXMEUGA1UdEQQ+MDykOjA4MR4wHAYDVQQLExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xFjAUBgNVBAUTDTQ2NDIyMys1MDYwODEwHwYDVR0jBBgwFoAUSG5k5VAF04KqFzc3IrVtqMp1ApUwVAYDVR0fBE0wSzBJoEegRYZDaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9jcmwvTWljQ29kU2lnUENBMjAxMV8yMDExLTA3LTA4LmNybDBhBggrBgEFBQcBAQRVMFMwUQYIKwYBBQUHMAKGRWh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2lvcHMvY2VydHMvTWljQ29kU2lnUENBMjAxMV8yMDExLTA3LTA4LmNydDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBDAUAA4ICAQBZqC3dc2aDYyQyTf7Rd+JF0U4aF6+ry5PTFMP3q9NQxswxYjWkDaA+YQuOCHXFvneBMFKiDrsV26QJfDoraWOmIqQAqBUxKmCY+94Yhq2HtQqvnbdCwrKBwbzuUiyb33D60UBFuqifb6bVTiyo95MYu5GcuYj9jcAmegGgsshKDL0HS6GyDG5iBNiFtdOCm8Q3PiCwLkU+gP8qeke5McDHjvR/L3KBdcWPhEpG/HEK6RG9Q75JZAtQguX8iiZiG9Ei+yt/iiVBnuaiDjEOfi8x+tmN0teAwvzpj2xPjTAStEUCSjCZWmFKkxsrYmNpNQtG3CttnHxWzinAuqbogvSr5H4MtirS3R2gZQoVly+7S4h5jvf7MyH810Q9wy7hhBLmC+whhg3WmAoBUvDzBKM9f4TJZvSzxlq2KlhR1i+x91POB4FW+YPTrKlJ4vaClHJGK
OGNbH9M8ktR8Yh5o1CFRrceNiQ+LjAvHofJx9zGMbR82vFF3rEEIp1dfDD6KirePgtejlLLryV/rQ7vY/RCHXzNlb2VhL7lcpHqFZSQu9QqKG79TPBEN+3yggx6z4SFg6nrQ7UdQyz7U/rVggORT+Z6x+Iqswjkqme+BRoppUW77TYxOvcz8Z+wXvSCQIbLc4DT+wTo4eyD9FI6OFi3qyEKz0Bq92R6w4kh2YHgLw=="
                }
            ]
        }
    },
    {
        "Name": "Any Support",
        "Category": "RMM",
        "Description": "Any Support is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://anysupport.net/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [
                "Windows"
            ],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "ManualLauncher.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*.anysupport.net"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/any_support_network_sigma.yml",
                "Description": "Detects potential network activity of Any Support RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/any_support_processes_sigma.yml",
                "Description": "Detects potential processes activity of Any Support RMM tool"
            }
        ],
        "References": [
            "https://www.anysupport.net/introduce_howto.php"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "LinkMeMine Inc.",
                    "certificate_thumbprint": "BF947F2204865E89C83799764ACA1282E12D25A4",
                    "certificate_der_base64": "MIIHxjCCBa6gAwIBAgIQAz+FG0TdTHNZ3KBGg2yvNzANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xQTA/BgNVBAMTOERpZ2lDZXJ0IFRydXN0ZWQgRzQgQ29kZSBTaWduaW5nIFJTQTQwOTYgU0hBMzg0IDIwMjEgQ0ExMB4XDTI0MDgyMjAwMDAwMFoXDTI3MDkyNTIzNTk1OVowgc4xEzARBgsrBgEEAYI3PAIBAxMCS1IxFjAUBgsrBgEEAYI3PAIBAhMFU2VvdWwxHTAbBgNVBA8MFFByaXZhdGUgT3JnYW5pemF0aW9uMRcwFQYDVQQFEw4xMTAxMTEtNjAyNzA3NjELMAkGA1UEBhMCS1IxDjAMBgNVBAgTBVNlb3VsMRYwFAYDVQQHEw1HdXJvIERpc3RyaWN0MRgwFgYDVQQKEw9MaW5rTWVNaW5lIEluYy4xGDAWBgNVBAMTD0xpbmtNZU1pbmUgSW5jLjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANH5oYF0ycfzjSSLDXOmBzxbTfY7KbOlOj6d8AdZAdKHeFwe+mT79eQetjcFcYulKCjUmMJ6xFJH42FwTZERxJNQ/xNnDntKvEtgFSijNGF8MAX/YqQHvrECvUUJUq27fnKuMlP/Iyq2PiTgYQJRvruMJsY/Pq5w+tAdEP+4krbeaFl5RzrJhRcCIaF9TvFn4ZK9KwoGaQqyuaiymqEiW5nKMh8lvnyhO++jAhd0umt5fE9gr6a1jpBNjfD49dlYMHOcvCNitzUiTnGzFYrTMKbmcFr9klGxvJSxDWHCXShKql2hsuDqfoNYfRXuu4vvk2CWS/q9q+pDqBEajAu8cDECJNVz5uKP30qWtqnnXUxtr1g7bwaW4MGgzBIgXJCVzHovrz6xmx70zRjqh2JHxhOis9lvqDEVRIa7OFjQb3kPeOOggKpevR88y3oPeTCBU68lxC2aPnqPcATTV4ZYoYVKLj25YIEdvsz/xDqpt//kBg7xbnhRsXMBjINBd52B24kPUfxHYIouG4hE1u+JFNHEhmQ+oNl/YSwZsL7i1mUV6b4c3xxlwzZ1def5ZvEKEzc133BIuhYGZXQipERcvh6QWaQQrvZnyWqOMimUDIUUbfQxl6ALt7AcgModAfvGdD5vN1HMbGyvG8JM8MQu8vmcbNVfeTF9SwlunlqMFh1zAgMBAAGjggICMIIB/jAfBgNVHSMEGDAWgBRoN+Drtjv4XxGG+/5hewiIZfROQjAdBgNVHQ4EFgQUz+Ex6PPJxEqGvymobsfqQ2ndp5swPQYDVR0gBDYwNDAyBgVngQwBAzApMCcGCCsGAQUFBwIBFhtodHRwOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMIG1BgNVHR8Ega0wgaowU6BRoE+GTWh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0ZWRHNENvZGVTaWduaW5nUlNBNDA5NlNIQTM4NDIwMjFDQTEuY3JsMFOgUaBPhk1odHRwOi8vY3JsNC5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkRzRDb2RlU2lnbmluZ1JTQTQwOTZTSEEzODQyMDIxQ0ExLmNybDCBlAYIKwYBBQUHAQEEgYcwgYQwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBcBggrBgEFBQcwAoZQaHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZEc0Q29kZVNpZ25pbmdSU0E0MDk2U0hBMzg0MjAyMUNBMS5jcnQwCQYDVR0TBAIwADANB
gkqhkiG9w0BAQsFAAOCAgEAgXEFn639LYeh239xD3Nxc8Neu8szRD0mbcjNwKjd43itT2siJrrqvp3+f9su0YLBY6EpbzYnE/57Budtp+xro4yZnrmSzHOqCXV05DaOoKBZS9SiwqB1DvBpyijbUGr4+OhKwNhzvh21Ru2czNJoIRFCA94iijrBuHZCAJGOf0eUZMCeFbmNnOsN0Igzro6KubRU+nKuoxsJ6+0Sy5NF0x3IXg+bvylP4hjgv4HCHJbqzahoXWGiA/zjbvD0p2kLNCyyzZIYNTSCsfNSTFHRfR2zpGr43vXrk0c1wrd2/ePX9d98JSjzgon1oPdkDLi0eAGQMLENhMDXhpYSGrxcIW0LgMUAlaNG3xVi12wNO9R4U0vQ9KDgyVHnWo3CTk8n1ddeQUokPK6AKhGMe+ionZFHA3fFdDqJxM2XN+aF47toFnHtEDb5WJw5tZr10n2W0ukgPFdrOG1ytyRltrbXcT0nFhTuAyDdHAFdcvbjWZZa65/IQLm1kcMHMrw3vwD4yD+1u3xcnaURCLjKAjFg6UZ8IUPaEZeOEaVBM5u8F1DU3y2QlqQzlGBTlG6FQTobptuMQ1SFSKPxDO7m6QcSOAR/NCodYSzVwYNZgfSjSvF5rJFyb7ArWLkFOgNzVEw7rhmwYRF1qnvs9EDBaMl1QTJ9q/DqN1hUbagtB6PdGvo=",
                    "src_file_sha256": "948e074ca4b5957a3cac40db6b88b6735dd635b841f510ccb50d507783170833",
                    "src_file_path": "downloaded_files/any_support/948e074ca4b5957a3cac40db6b88b6735dd635b841f510ccb50d507783170833",
                    "src_file_company": "Koino Co., Ltd."
                },
                {
                    "signer_name": "KOINO Co., Ltd.",
                    "certificate_thumbprint": "5192D3B41D87514CDF5EFD5649A4307A024E25BD",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "6cc5985ad284992d6f59ff3336e5ce9065a01988322b015ae128d0899a75c14b",
                    "src_file_path": "downloaded_files/any_support/6cc5985ad284992d6f59ff3336e5ce9065a01988322b015ae128d0899a75c14b",
                    "src_file_company": "Koino Co., Ltd."
                },
                {
                    "signer_name": "KOINO Co., Ltd.",
                    "certificate_thumbprint": "4E447B576E1A3150D660BD3BCFED61E7F403FEAF",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "7ffc8c8f47f3dd18d1d3e51d078093aed7915093c6dadafcd1ada2d1c43a21ad",
                    "src_file_path": "downloaded_files/any_support/7ffc8c8f47f3dd18d1d3e51d078093aed7915093c6dadafcd1ada2d1c43a21ad",
                    "src_file_company": "Koino Co., Ltd."
                }
            ]
        }
    },
    {
        "Name": "Absolute (Computrace)",
        "Category": "RMM",
        "Description": "Absolute (Computrace) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.absolute.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "rpcnet.exe",
                "ctes.exe",
                "ctespersitence.exe",
                "cteshostsvc.exe",
                "rpcld.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "*search.namequery.com",
                        "*server.absolute.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/absolute__computrace__network_sigma.yml",
                "Description": "Detects potential network activity of Absolute (Computrace) RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/absolute__computrace__processes_sigma.yml",
                "Description": "Detects potential processes activity of Absolute (Computrace) RMM tool"
            }
        ],
        "References": [
            "https://community.absolute.com/s/article/Understanding-Absolutes-Endpoint-Agents-Rpcnet-CTES-and-search-namequery-com"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "Absolute Software Corp.",
                    "certificate_thumbprint": "7F15551E564615F929E65B19B1C695D78DB51810",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "76a4272310b3f5151939eee0e63b61cee712d88af5b1606202360147082adbc1",
                    "src_file_path": "downloaded_files/absolute_(computrace)/76a4272310b3f5151939eee0e63b61cee712d88af5b1606202360147082adbc1",
                    "src_file_company": "Absolute Software Corporation"
                }
            ]
        }
    },
    {
        "Name": "Site24x7",
        "Category": "RMM",
        "Description": "Site24x7 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://www.site24x7.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "MEAgentHelper.exe",
                "MonitoringAgent.exe",
                "Site24x7WindowsAgentTrayIcon.exe",
                "Site24x7PluginAgent.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "plus*.site24x7.com",
                        "plus*.site24x7.eu",
                        "plus*.site24x7.in",
                        "plus*.site24x7.cn",
                        "plus*.site24x7.net.au",
                        "site24x7.com/msp"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/site24x7_network_sigma.yml",
                "Description": "Detects potential network activity of Site24x7 RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/site24x7_processes_sigma.yml",
                "Description": "Detects potential processes activity of Site24x7 RMM tool"
            }
        ],
        "References": [
            "https://support.site24x7.com/portal/en/kb/articles/which-ports-do-i-need-to-allow-access-in-my-firewall-to-use-site24x7-agent"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "ZOHO Corporation Private Limited",
                    "certificate_thumbprint": "039B7B91AFEFDB68B36E6A2D246545D581D1BF0D",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "66226654281414efabf4ba96151f1c8c8000f0fe68e6ca0346e3e50635560771",
                    "src_file_path": "downloaded_files/site24x7/66226654281414efabf4ba96151f1c8c8000f0fe68e6ca0346e3e50635560771"
                },
                {
                    "signer_name": "ZOHO Corporation Private Limited",
                    "certificate_thumbprint": "9CFE33A8A1FB933BEDF943EF4263D03B6A5F828E",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "d86a0059fb121516da482deec1e2a56abbb9befe929cd66ff76f9d58fdc17398",
                    "src_file_path": "downloaded_files/site24x7/d86a0059fb121516da482deec1e2a56abbb9befe929cd66ff76f9d58fdc17398"
                },
                {
                    "signer_name": "ZOHO Corporation Private Limited",
                    "certificate_thumbprint": "03498B4CC5B51DB6CE80699F23CAC1724BB36B69",
                    "certificate_der_base64": "MIIHHTCCBQWgAwIBAgIMRIVZ6NWf4FYpnm6PMA0GCSqGSIb3DQEBCwUAMFkxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMS8wLQYDVQQDEyZHbG9iYWxTaWduIEdDQyBSNDUgQ29kZVNpZ25pbmcgQ0EgMjAyMDAeFw0yMzEyMTExNzAwMzZaFw0yNjEwMDkwNzQwNThaMIGKMQswCQYDVQQGEwJJTjETMBEGA1UECBMKVGFtaWwgTmFkdTEQMA4GA1UEBxMHQ2hlbm5haTEpMCcGA1UEChMgWk9ITyBDb3Jwb3JhdGlvbiBQcml2YXRlIExpbWl0ZWQxKTAnBgNVBAMTIFpPSE8gQ29ycG9yYXRpb24gUHJpdmF0ZSBMaW1pdGVkMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAi/dpUgQBQva56fCAkCCzDp/8w91w1v2DXP8H91K2zNZzqe/e/nT54W3+k8Zmm10c8bTINu9cv4i71njHhImaAM768y0fNPKZ2uLS2Fn5jlefmwcNj0iGuqIXaIai4C8b1iLFf7tnAmvv8HACZ6/gfhV4diRPYsCWF+0ouJaFOfDPrPbDV0Zd6GCvQhe62ByVWy0NhcsE4VFSN/xlVsjs4X3L9dr1I3AjA9EHO3Cf6PrqqdMGEGveRwCfSaiXuQ7YLlnABKRXxucX3XX+RGE2tbFJ9ClYf5BmEBfBTOgpBxPNmJdyDOTZOpsq8OWj4BGYq9Mmtm3uS+VVp9cTgwgHquSJQYkcCpI1zbqlllNXKMH7a4gD7chhB/Y2aQUfweDXNZvviFDRf3YXiluViFnPMdgOm7qluaW8IyxHoCLLALDoEvwvAHpzTrPRhYwZYMl8459upNWC1AdufZhBcO2vAxLmGBRLeotnngKjBtjURLz1RyIBM0VnKD+0kS07Sj3MXLxJpRUZFE/1mjPd0LjUP5rFpjMmQUPS/Dgvh7dWRkfUzAC/yZiHtCiz/SMBBHCYsZAMNpwicaxkFwedzwLvjia3g8In+9iXWMsfgJDeKgaTfzgBgc/Qf9aAIBcUU068hgFYEZc8lXzSDVu+ZQZ905w4/6MaAdfWg/qaNpfRft0CAwEAAaOCAbEwggGtMA4GA1UdDwEB/wQEAwIHgDCBmwYIKwYBBQUHAQEEgY4wgYswSgYIKwYBBQUHMAKGPmh0dHA6Ly9zZWN1cmUuZ2xvYmFsc2lnbi5jb20vY2FjZXJ0L2dzZ2NjcjQ1Y29kZXNpZ25jYTIwMjAuY3J0MD0GCCsGAQUFBzABhjFodHRwOi8vb2NzcC5nbG9iYWxzaWduLmNvbS9nc2djY3I0NWNvZGVzaWduY2EyMDIwMFYGA1UdIARPME0wQQYJKwYBBAGgMgEyMDQwMgYIKwYBBQUHAgEWJmh0dHBzOi8vd3d3Lmdsb2JhbHNpZ24uY29tL3JlcG9zaXRvcnkvMAgGBmeBDAEEATAJBgNVHRMEAjAAMEUGA1UdHwQ+MDwwOqA4oDaGNGh0dHA6Ly9jcmwuZ2xvYmFsc2lnbi5jb20vZ3NnY2NyNDVjb2Rlc2lnbmNhMjAyMC5jcmwwEwYDVR0lBAwwCgYIKwYBBQUHAwMwHwYDVR0jBBgwFoAU2rONwCSQo2t30wygWd0hZ2R2C3gwHQYDVR0OBBYEFAARgUPptWUtWWkph2EsCOn0mA6dMA0GCSqGSIb3DQEBCwUAA4ICAQCG8wXa2OeXAGcSQchK4csNRA8D1i0JfXHFQcVQy9/zkWXPRYWlbcagbLRmPzfWza1JVtXuYim1eOQzHvJQcyB67TWm0RY+oQR8CYonP17BJvI/TG3xsMd0b9g2dXpX66ZsFFHeppGqcSs5enhmcYoICgPle1nCq+dxam9hQbMuHWTNT1OEKb9+fTLC/n+l2/O3ROhAUHFPC
+xuFg/6n2Jyix7N1JX7cWvgtPeQCz/ptcRCMF3a1l0FLRb3cYq9dMlBMYiDbnXmvKDASPRH6wA7LE3LfVFROCLnj/Y6FEnetBQbDFn0iidN9MGnrn0ndeT4k+82Gx0gRVyv083L1XcJnsylDBQE6qJpQtiv7lYo6ttt5kpQj7NUhEfQ/IqvTPnLeGR6bluEOyN+4pCKCdXWwgyeAL76BBojbuDP9EsMLGy9f7oh6WwNoAA+dgZ6+8OrI3uSwjDb6MGzsFYyT9JGPEcIFve7dTcFl9V9HcmMmeDh0yLkRXTCvCzZ8YyYV09lOmzYzVqTDqu7ADukJzr19o4ZupwvDnbLj6jE58ckz/OmBDvkC2aBg3eeHUb8v5mw1rkgjp7zCwJvCvLDq9W7SDZPF1DZFpN42N7ZE4qCir75zApSnsBhC/NUsHU512xNjGGqRe5WlAS2C9apk4C/1JGLeVFqnVhyDTjm4xKHCg==",
                    "src_file_sha256": "b032de2cad86dcd97903552668f292e7ee07a2a6a2bf413ea5dac2f34ffda443",
                    "src_file_path": "downloaded_files/site24x7/b032de2cad86dcd97903552668f292e7ee07a2a6a2bf413ea5dac2f34ffda443"
                },
                {
                    "signer_name": "ZOHO Corporation Private Limited",
                    "certificate_thumbprint": "99869B5E06680A842469CC3DA2F2DFFFE75AC930",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "e9de4c481cdd5eae6f7c6e5b6275dab75f7a19550d878fc7c65671d24e8dea63",
                    "src_file_path": "downloaded_files/site24x7/e9de4c481cdd5eae6f7c6e5b6275dab75f7a19550d878fc7c65671d24e8dea63"
                },
                {
                    "signer_name": "ZOHO Corporation Private Limited",
                    "certificate_thumbprint": "C70830D17ABB7119FCE1A1DD2DC9FD0E92E33241",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "4d1a0fe967d379f6de9fbd8bec1760a1e83e6a4511efdf4238409ca4d60e94fe",
                    "src_file_path": "downloaded_files/site24x7/4d1a0fe967d379f6de9fbd8bec1760a1e83e6a4511efdf4238409ca4d60e94fe"
                },
                {
                    "signer_name": "ZOHO Corporation Private Limited",
                    "certificate_thumbprint": "1FFC1D0860B748F0E9D53297B716E497C81D687B",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "da9ca2544a4e3bfa7468605bfdb44098a07f05517f51c59fc9e98cd5abef4d62",
                    "src_file_path": "downloaded_files/site24x7/da9ca2544a4e3bfa7468605bfdb44098a07f05517f51c59fc9e98cd5abef4d62",
                    "src_file_company": "Zoho Corporation"
                }
            ]
        }
    },
    {
        "Name": "WinSCP",
        "Category": "RAT",
        "Description": "WinSCP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://winscp.net/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\Users\\IEUser\\Downloads\\WinSCP-5.21.6-Portable\\*",
                "*\\WinSCP*Portable\\*",
                "*\\WinSCP.exe",
                "*\\WinSCP\\*"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/winscp_processes_sigma.yml",
                "Description": "Detects potential processes activity of WinSCP RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": [],
        "CodeSigning": {
            "search_names": [
                "39a4d16980a27a88493f519aa458e837856ac60a7037afe10985f8947991ef72-dropped.bin"
            ],
            "company_names": [],
            "signer_names": [
                "Martin Prikryl",
                "RARE IDEAS, LLC"
            ],
            "certificates": [
                {
                    "signer_name": "Martin Prikryl",
                    "certificate_thumbprint": "FB845245CFBB0EE97E76C775348CAA31D74BEC4C",
                    "tbs_sha256": "74EEE4DFE920C6143FD736784DCFB3940980CC4146631D445F9BB116497B16E6",
                    "tbs_sha1": "",
                    "certificate_der_base64": "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"
                },
                {
                    "signer_name": "Martin Prikryl",
                    "certificate_thumbprint": "N/A",
                    "tbs_sha256": "",
                    "tbs_sha1": "D2F63F6BE83E61B9E64E25752802F7F06F8B5BE5"
                },
                {
                    "signer_name": "Martin Prikryl",
                    "certificate_thumbprint": "0DEE8F52D6B8D8C4B2C9573F4299FD97D707BAB7",
                    "tbs_sha256": "C90767BFCA208A4FC3C990310D616C50B6E79AE77085E46A53EFA484A4E142F6",
                    "tbs_sha1": "",
                    "certificate_der_base64": "MIIHujCCBaKgAwIBAgIQBCkuRRJQlv5tV6t8ZIqhGDANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xQTA/BgNVBAMTOERpZ2lDZXJ0IFRydXN0ZWQgRzQgQ29kZSBTaWduaW5nIFJTQTQwOTYgU0hBMzg0IDIwMjEgQ0ExMB4XDTIyMTEyNDAwMDAwMFoXDTI2MDIxNzIzNTk1OVowgZcxEzARBgsrBgEEAYI3PAIBAxMCQ1oxHTAbBgNVBA8MFFByaXZhdGUgT3JnYW5pemF0aW9uMREwDwYDVQQFEwg4NzMzMTUxOTELMAkGA1UEBhMCQ1oxDzANBgNVBAcTBlByYWd1ZTEXMBUGA1UEChMOTWFydGluIFByaWtyeWwxFzAVBgNVBAMTDk1hcnRpbiBQcmlrcnlsMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuIXbaPyJDi84EHP2GMrWcxAq2Zg/s2IzaPxHsdnzxk5vGZ3q3ce6EGf/7h9xUmwO/s9EnS1N1ZMmtFzhuGlDOp3ZPH/WC1jrMMfp2DNnF1S0WrV4q+5QdFJrr8G/y3TzdXWSNgQoLR0DZRaM62m09sutjMmOvNk0EJunyFqglo6LbahDrY0mEwqAqIPDaFO2wuQBThx2IfQ/bSbwH9C3mIJs37KY52RJetGtKOmJGsoPpGFXfYnobZF4eboWfQvJrmVwqpbqswwgyQctLjCrKEV2setVzdtlLw0U3TsPFMWrJ7hgeYSk3bxm9aG8PbDu094enicI0x6h7jzuVN+10aweNg1FBydZivnS8ZQSothtZ9hLnEaWoOAplte+/FPs8qKkbtfrl56VongXOCO8HS5iiLTkQ4/gR5IGkCXba0fVufrIWB/Ex0QUOTaCcDyqufu5RLdNnAGsXsW0a0req72iY/FE1HQwOCXS6ZEdXZjkmjWbuG/LRwelbLq5sYLqUnb2/A37b7B4r8hAq0MdC9KNt7B1gdk1UPIo7l3SBrymEsfHPrTHCVbpChPx6IdGpkV5e7PtdfYJQ2br3TI3chU+iH7Gr9xu1Ax4yoelZjhUxA9FA6O2bYXiLBj1BuEzGeCbuYnk6YjHVPVU7WLpHO6/2BZDYiCIhv9/j0J6cPkCAwEAAaOCAi0wggIpMB8GA1UdIwQYMBaAFGg34Ou2O/hfEYb7/mF7CIhl9E5CMB0GA1UdDgQWBBROB3f3JYIcV2gOaq0AN3CCC/WFuzAmBgNVHREEHzAdoBsGCCsGAQUFBwgDoA8wDQwLQ1otODczMzE1MTkwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMIG1BgNVHR8Ega0wgaowU6BRoE+GTWh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0ZWRHNENvZGVTaWduaW5nUlNBNDA5NlNIQTM4NDIwMjFDQTEuY3JsMFOgUaBPhk1odHRwOi8vY3JsNC5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkRzRDb2RlU2lnbmluZ1JTQTQwOTZTSEEzODQyMDIxQ0ExLmNybDA9BgNVHSAENjA0MDIGBWeBDAEDMCkwJwYIKwYBBQUHAgEWG2h0dHA6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzCBlAYIKwYBBQUHAQEEgYcwgYQwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBcBggrBgEFBQcwAoZQaHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZEc0Q29kZVNpZ25pbmdSU0E0MDk2U0hBMzg0MjAyMUNBMS5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFA
AOCAgEAcDtIqZsbEBbnaaNj0e0Hu7Cvk+f9n8W5gXO855wLhMpDpTXVhw1h2gXU3emiA6Jp3Ng5cCTf7SDIt78Eykk+NMOy72o+p2lnkN9Lv9Owrepk6leCYx2dQEFZYGgi3xwOZsoW5dCYY+7/ILwfbDikTclNuG3PoXKjmnNBhwfP8iyiDs6Z80NJnPI+6UXGFekuA1/QERk6IkvwvL10kC26z5n+dIyBKUsRrFzrCyI8CNNljUrlap420fXz+NMPDj3lnC3SnUp1SACl8yUnQnRa6bPf3gYwe1/G9RcIf1ETsmN1lbRhF1nRD+SO+fcrh4CgGJftcxvdusjvDzJWJplDGl0fdsWBy7X+oR+vT5zXx+mW6M1kzcuTPOjkPxTAK5kHGqgCH0j02quq12eoH9qOsdJ89PpDEjHTvr9Wgr+fead3FCLRi564AmCHtrfAgysa0rCnqJsuprQXWxu6Z14oTSMp97EF7iQpE956+XsEjXzVZAi4mwLvcEvBceqXFt2ewdY8Qbfs8DmB/8e70Y+3tD/SpBcrgUmDbfh73RP1Yli08S+4BPZ41eRHCKyXo+pU0DQNzfmgk7aY8UOgS9KxTbdtzb6IjKxVgfjrAiszorb8JfOr9scxoBNQstqfbBSCjz+YyVM11S9ei/JVZnu9d3x+JmHYeRtbyYqOQOFspbA="
                },
                {
                    "signer_name": "RARE IDEAS, LLC",
                    "certificate_thumbprint": "436F0AAD2181EDA5B606CA9BDD8D7B259833306A",
                    "tbs_sha256": "791D415EAA0D30EEC874E1CC045F5076A41C741F792D6B9789F7E28DFB9127BD",
                    "tbs_sha1": "",
                    "certificate_der_base64": "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"
                }
            ]
        },
        "FileHashes": {
            "authenticode": [
                {
                    "file_name": "39a4d16980a27a88493f519aa458e837856ac60a7037afe10985f8947991ef72-dropped.bin",
                    "sha256": "39A4D16980A27A88493F519AA458E837856AC60A7037AFE10985F8947991EF72",
                    "sha1": "6AA74A53453EBA483CF564C22129763D9D96FB07"
                }
            ],
            "page": []
        }
    },
    {
        "Name": "PuTTY Tray",
        "Category": "RAT",
        "Description": "PuTTY Tray is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://github.com/FauxFaux/PuTTYTray",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "C:\\*\\puttytray.exe",
                "*\\puttytray.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/putty_tray_processes_sigma.yml",
                "Description": "Detects potential process activity of the PuTTY Tray RMM tool"
            }
        ],
        "References": [],
        "Acknowledgement": [],
        "CodeSigning": {
            "search_names": [
                "putty",
                "putty.exe",
                "puttytray.exe"
            ],
            "company_names": [],
            "signer_names": [
                "Christopher West"
            ],
            "certificates": [
                {
                    "signer_name": "Christopher West",
                    "issuer": "CN=StartCom Class 2 Primary Intermediate Object CA",
                    "certificate_thumbprint": "83191137CDEEF81C30E354873FECF014729C2FDF",
                    "tbs_sha256": "BF98620649A90682F39538F9A9DB76B90CD49FFD11AE96385A9D7113E1F70099",
                    "tbs_sha1": "A306499CEC6AF8C46C2F959731D0D41C6090D06C",
                    "valid_from": "2014-02-25T22:22:24+00:00",
                    "valid_to": "2016-02-26T05:05:17+00:00",
                    "certificate_der_base64": "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"
                }
            ]
        },
        "FileHashes": {
            "authenticode": [
                {
                    "file_name": "PuTTY",
                    "sha256": "264444C790AF00AA0830BE764FE3EC4613B0F16D9AEEA9C480C27D418679650A",
                    "sha1": "1CF0A22F3C317E7D53ABC5003ECC7136768F4F1F"
                },
                {
                    "file_name": "putty.exe",
                    "sha256": "A342E96AA7631BCC98AF33E781C239B486E5417C7CB665A79F66841B41C50360",
                    "sha1": "D9494272E8A7EE2A491D3C57E059A7A7F6EE7017"
                }
            ],
            "page": [
                {
                    "file_name": "PuTTY",
                    "sha256": "75CA90063D40A7B88F9092A7DF12017592266CF4BC9F2FBEA0E96E8333AD7A53",
                    "sha1": "3444BD923A9B08273DBE3F302B2A569A210E44DA"
                },
                {
                    "file_name": "putty.exe",
                    "sha256": "69C73E6DD1F2460762962DCE98774CED99AFF86E1FC715103114A004816FF4A1",
                    "sha1": "5249C8F956D087A90A5BDA1E3149F4E90BCA59C1"
                }
            ]
        }
    },
    {
        "Name": "GoToAssist",
        "Category": "RMM",
        "Description": "GoToAssist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://start.gotoassist.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [
                "Windows"
            ],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "gotoassist.exe",
                "g2a*.exe",
                "GoTo Assist Opener.exe",
                "g2mcomm.exe",
                "g2mupdate.com",
                "goto opener.exe",
                "g2ax_comm_customer.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "goto.com",
                        "*.getgo.com",
                        "*.fastsupport.com",
                        "*.gotoassist.com",
                        "helpme.net",
                        "*.gotoassist.me",
                        "*.gotoassist.at",
                        "*.desktopstreaming.com",
                        "*.cdn.getgo.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotoassist_network_sigma.yml",
                "Description": "Detects potential network activity of GoToAssist RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotoassist_processes_sigma.yml",
                "Description": "Detects potential process activity of the GoToAssist RMM tool"
            }
        ],
        "References": [
            "https://help.gotoassist.com/remote-support/help/what-should-i-allow-on-my-firewall-for-gotoassist-remote-support-v5"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "GoTo Technologies USA, LLC",
                    "certificate_thumbprint": "33023C0243016946C78CCB9B15AC6C203882E5D9",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "a15638d6c615001cc15d1a4d382593dc3ddd62d4ae98691ae43e5845f468c380",
                    "src_file_path": "downloaded_files/gotoassist/a15638d6c615001cc15d1a4d382593dc3ddd62d4ae98691ae43e5845f468c380",
                    "src_file_company": "GoTo, Inc."
                },
                {
                    "signer_name": "GoTo Technologies USA, LLC",
                    "certificate_thumbprint": "8D3FA6EEEBFC68A0FA76CDC4C6AD5982FE07DE91",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "df63edd5e58d2f1dbefc24dc863eeb3e7b4d8f6002dc9b5cf69a847e831d3cd2",
                    "src_file_path": "downloaded_files/gotoassist/df63edd5e58d2f1dbefc24dc863eeb3e7b4d8f6002dc9b5cf69a847e831d3cd2",
                    "src_file_company": "GoTo"
                }
            ]
        }
    },
    {
        "Name": "Syncro",
        "Category": "RMM",
        "Description": "Syncro is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://syncromsp.com/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": [
                "Syncro.Installer.exe",
                "Kabuto.App.Runner.exe",
                "Syncro.Overmind.Service.exe",
                "Kabuto.Installer.exe",
                "KabutoSetup.exe",
                "Syncro.Service.exe",
                "Kabuto.Service.Runner.exe",
                "Syncro.App.Runner.exe",
                "SyncroLive.Service.exe",
                "SyncroLive.Agent.exe"
            ]
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": [
                {
                    "Description": "Known remote domains",
                    "Domains": [
                        "kabuto.io",
                        "*.syncromsp.com",
                        "*.syncroapi.com",
                        "syncromsp.com",
                        "servably.com",
                        "ld.aurelius.host",
                        "app.kabuto.io",
                        "*.kabutoservices.com",
                        "repairshopr.com",
                        "kabutoservices.com",
                        "attachments.servably.com"
                    ],
                    "Ports": []
                }
            ]
        },
        "Detections": [
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncro_network_sigma.yml",
                "Description": "Detects potential network activity of Syncro RMM tool"
            },
            {
                "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncro_processes_sigma.yml",
                "Description": "Detects potential process activity of the Syncro RMM tool"
            }
        ],
        "References": [
            "https://community.syncromsp.com/t/syncro-exceptions-and-allowlists/2004"
        ],
        "Acknowledgement": [],
        "CodeSigning": {
            "certificates": [
                {
                    "signer_name": "Servably Inc.",
                    "certificate_thumbprint": "F358811B0C1EF911D4E3C9AA60056FC93FA5DB2C",
                    "certificate_der_base64": "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",
                    "src_file_sha256": "de8c1b54a83ffdeba275cac978af0d0e4cefb4b03686d28db5558b33e7e6106a",
                    "src_file_path": "downloaded_files/syncro/de8c1b54a83ffdeba275cac978af0d0e4cefb4b03686d28db5558b33e7e6106a",
                    "src_file_company": "Servably, Inc."
                }
            ]
        }
    },
    {
        "Name": "Remote Desktop Manager (Devolutions)",
        "Category": "RAT",
        "Description": "Remote Desktop Manager (Devolutions) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
        "Author": "",
        "Created": "2024-08-02",
        "LastModified": "2024-08-02",
        "Details": {
            "Website": "https://devolutions.net/",
            "PEMetadata": {
                "Filename": "",
                "OriginalFileName": "",
                "Description": ""
            },
            "Privileges": "",
            "Free": "",
            "Verification": "",
            "SupportedOS": [],
            "Capabilities": [],
            "Vulnerabilities": [],
            "InstallationPaths": []
        },
        "Artifacts": {
            "Disk": [],
            "EventLog": [],
            "Registry": [],
            "Network": []
        },
        "Detections": [],
        "References": [],
        "Acknowledgement": []
    }
]