Malware Analysis Report

2025-03-15 06:53

Sample ID 231201-sc15wsaf2z
Target b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe.zip
SHA256 ec77f944e611cea60295de5b42e23a32c688b2d7ecadcb0a01977e38504ada86
Tags: newpro orcus rat spyware stealer
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: ec77f944e611cea60295de5b42e23a32c688b2d7ecadcb0a01977e38504ada86

Threat Level: Known bad

The file b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe.zip was found to be: Known bad.

Malicious Activity Summary

newpro orcus rat spyware stealer

Orcus main payload

Orcurs Rat Executable

Orcus

Orcus family

Executes dropped EXE

Checks computer location settings

Drops desktop.ini file(s)

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Analysis: static1

Detonation Overview

Reported: 2023-12-01 14:59

Signatures

Orcurs Rat Executable

Orcus family

orcus

Orcus main payload

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-01 14:59
Reported: 2023-12-01 15:03
Platform: win7-20231023-en
Max time kernel: 137s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Orcurs Rat Executable

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WindowsInput.exe C:\Users\Admin\AppData\Local\Temp\b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.exe.config C:\Users\Admin\AppData\Local\Temp\b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.InstallState C:\Windows\SysWOW64\WindowsInput.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Taber LLC\RMM\rmm.exe C:\Users\Admin\AppData\Local\Temp\b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe N/A
File opened for modification C:\Program Files\Taber LLC\RMM\rmm.exe C:\Users\Admin\AppData\Local\Temp\b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe N/A
File created C:\Program Files\Taber LLC\RMM\rmm.exe.config C:\Users\Admin\AppData\Local\Temp\b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Taber LLC\RMM\rmm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Taber LLC\RMM\rmm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2852 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2776 wrote to memory of 2368 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2852 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 2852 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe C:\Program Files\Taber LLC\RMM\rmm.exe
PID 1472 wrote to memory of 2004 N/A C:\Windows\system32\taskeng.exe C:\Program Files\Taber LLC\RMM\rmm.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe

"C:\Users\Admin\AppData\Local\Temp\b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\atvwerh0.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES98F6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC98F5.tmp"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Program Files\Taber LLC\RMM\rmm.exe

"C:\Program Files\Taber LLC\RMM\rmm.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {689BE8B3-724E-4FD9-AFF3-8DD842B09167} S-1-5-21-2085049433-1067986815-1244098655-1000:AHLBRYJO\Admin:Interactive:[1]

C:\Program Files\Taber LLC\RMM\rmm.exe

"C:\Program Files\Taber LLC\RMM\rmm.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 catcher.taber.biz udp
US 172.245.142.220:42069 catcher.taber.biz tcp
US 216.170.120.141:42069 tcp

Files

\??\c:\Users\Admin\AppData\Local\Temp\atvwerh0.0.cs

MD5 6011503497b1b9250a05debf9690e52c
SHA1 897aea61e9bffc82d7031f1b3da12fb83efc6d82
SHA256 08f42b8d57bb61bc8f9628c8a80953b06ca4149d50108083fca6dc26bdd49434
SHA512 604c33e82e8b5bb5c54389c2899c81e5482a06e69db08268173a5b4574327ee5de656d312011d07e50a2e398a4c9b0cd79029013f76e05e18cf67ce5a916ffd9

\??\c:\Users\Admin\AppData\Local\Temp\atvwerh0.cmdline

MD5 cb4bfd74272b946c47ee437cb3e36dd0
SHA1 f32b594580bcb3545a9753ace6f84bffc5eb4cc3
SHA256 83d1739a740dde70362af9162e75ff8854ac63e50495ba30d14fe4fdb6302e8d
SHA512 f913d554412a5d978d70133ae6cc5b713f159e2064db915cd4038a7defdad037fd45f8ea1983a4fb92865703d089942fbaa94544c349bcf828c6cbaa27c37757

C:\Users\Admin\AppData\Local\Temp\atvwerh0.dll

MD5 65c70a1bba89d0e15fedf098b6adc433
SHA1 aa1a98a7a6c161a84b3dd7dee5f6e85cf9ba7a43
SHA256 f202072de0f0914288bd5d68630eb5bbd22ac570ca59760de7d58f9cb29a063b
SHA512 7595e395e774566b4036d26648ea6392b0ebbc77cbe460af731772d3c05308cb479f1368288431f8b5105724d6f1e08a3dcf5e83af4600b20e02c8aacc2332e2

C:\Users\Admin\AppData\Local\Temp\RES98F6.tmp

MD5 85a49af7252828ce5393dc057fdde298
SHA1 21fefe1aacd728269565152b12802f60e715ab80
SHA256 60436d9e2e62fb5bfc3d721b3e7e80e75b6c88d1ef26a8be422f114b04f3c6e0
SHA512 49e179819791860830e94f17ccabfdc617b1d69be4cb6e36ecd548c75dc3ee575bcf5638d3c7e7ba09d95d3cfb4884279415a7c4faa12f949cd5adaa38eb0b2b

\??\c:\Users\Admin\AppData\Local\Temp\CSC98F5.tmp

MD5 29597c927c9e70ed703a5fd8747e353b
SHA1 7d413d085a94a8bad878964adb00d5abf8046059
SHA256 fb9b4ebc95d71978da8eb1c679c4f90cf35a9595027beeb65e001791c2814ec7
SHA512 7e0a6eb8599a9607e8780e35ce55a4bbacf73d3d2f246ef721af855ab27891fba084281f4f9472fd746a580f11fe45eceeca45e202be5779bf8d7ce66c867dc3

C:\Windows\SysWOW64\WindowsInput.exe

MD5 e6fcf516d8ed8d0d4427f86e08d0d435
SHA1 c7691731583ab7890086635cb7f3e4c22ca5e409
SHA256 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
SHA512 c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

C:\Windows\SysWOW64\WindowsInput.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

C:\Program Files\Taber LLC\RMM\rmm.exe

MD5 1b752392a6ce80a4fd406d61589396a3
SHA1 d3394b46da9fa47263071971355c4cbf543c8f17
SHA256 b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547
SHA512 3c9084d2eb4ef936e985316dd7250f68a1934d07332429c896cff7dc982513b02e643175ffc56b1341ea3027f99f251b42f717c630c3f6f76087d71cac6db878

C:\Program Files\Taber LLC\RMM\rmm.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-01 14:59
Reported: 2023-12-01 15:03
Platform: win10v2004-20231127-en
Max time kernel: 145s
Max time network: 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Orcurs Rat Executable

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WindowsInput.exe C:\Users\Admin\AppData\Local\Temp\b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.exe.config C:\Users\Admin\AppData\Local\Temp\b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.InstallState C:\Windows\SysWOW64\WindowsInput.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Taber LLC\RMM\rmm.exe C:\Users\Admin\AppData\Local\Temp\b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe N/A
File opened for modification C:\Program Files\Taber LLC\RMM\rmm.exe C:\Users\Admin\AppData\Local\Temp\b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe N/A
File created C:\Program Files\Taber LLC\RMM\rmm.exe.config C:\Users\Admin\AppData\Local\Temp\b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Taber LLC\RMM\rmm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Taber LLC\RMM\rmm.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe

"C:\Users\Admin\AppData\Local\Temp\b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\inggx1eb.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES883C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC883B.tmp"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Program Files\Taber LLC\RMM\rmm.exe

"C:\Program Files\Taber LLC\RMM\rmm.exe"

C:\Program Files\Taber LLC\RMM\rmm.exe

"C:\Program Files\Taber LLC\RMM\rmm.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 193.78.101.95.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 catcher.taber.biz udp
US 172.245.142.220:42069 catcher.taber.biz tcp
US 216.170.120.141:42069 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 58.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 209.78.101.95.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 152.78.101.95.in-addr.arpa udp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp

Files

\??\c:\Users\Admin\AppData\Local\Temp\inggx1eb.cmdline

MD5 963c696ed467a1582b07476449d63dcf
SHA1 e76c8867c9b2a3f3d3b2237df99d1be2e25b41c3
SHA256 4b060ded1e510541c01efc9751095cfed43d1171de6a8ec40969f8810ca0231c
SHA512 d675869db2a498bb7dbcc3faad05f0b80abf9d0c16045a16453e6fc1a0850220af89082ed9728ad3b69d79c69d09595df2551f96a4ae8009697f02f3a0b22a06

\??\c:\Users\Admin\AppData\Local\Temp\inggx1eb.0.cs

MD5 88abb8b0eb4adac94738adb42c1ffe0f
SHA1 5ddcddf573fbd26957a5a160a934832a80cc50c3
SHA256 70004d6eb4348b65f50ad330795c5200f50673f12a92510c95e0babbaf7d6330
SHA512 d9aaaa90e2c955687c2935aa20592067d11f5a3bd146dc28ab5d845ad2c2626d4114b9ce411e06451f95e4e9a42339e85f99a7f4751e0a765c70e9c568aa9f31

\??\c:\Users\Admin\AppData\Local\Temp\CSC883B.tmp

MD5 bfb78b2cdda510b215826f73aa73a2a2
SHA1 e2696515ad40fd1f2e01e690ede91a19e09cc9e5
SHA256 26f0b5bf41c82782a5d0a1591aa147232220ec035c7ec61f86f2f80e97641c62
SHA512 dcc3f68786e1efd6be26e7256f5b68c057d3fc4b3e163efd14b79a959a68c6292d2cf597a93fcbf874f971db080e4f6487dd82d678566eeba64c0ea9a58e476e

C:\Users\Admin\AppData\Local\Temp\RES883C.tmp

MD5 3be944b47a2e3a41f3f07c9694785c54
SHA1 6479c0bd339046743235c7eb8514aaf24e1bc04d
SHA256 4aeca4147d3103637aec1abe6ed6ec57d437d387f03bddf7846ffd2d95f2100e
SHA512 54df76ec4e0636dd1844f500f578c5c40e2364c0fcaa705780512115c887a2ecda9af4abde62ffb781f9e42b7484b8ac198977df7d216c7586db5dafe78ef103

C:\Users\Admin\AppData\Local\Temp\inggx1eb.dll

MD5 8444f1c51e421e8848b15d37951b4919
SHA1 9f1fa34b8e95fa0e2e1b83760d532a85931b594d
SHA256 4ceb7f20e85c70ce936058af0463c28a4d97c5f16a7689f28ff8bad74d40741e
SHA512 50b14f19e6b266ad10467a7ec81f93c89fcdb94f8fbd0f430851e1bed75cee93e66a729d3ca2ad8fdacf9ec0f3edbe395a4e2a6c5f26700f1055b380cae6f558

C:\Windows\SysWOW64\WindowsInput.exe

MD5 e6fcf516d8ed8d0d4427f86e08d0d435
SHA1 c7691731583ab7890086635cb7f3e4c22ca5e409
SHA256 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
SHA512 c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

C:\Windows\SysWOW64\WindowsInput.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

C:\Program Files\Taber LLC\RMM\rmm.exe

MD5 1b752392a6ce80a4fd406d61589396a3
SHA1 d3394b46da9fa47263071971355c4cbf543c8f17
SHA256 b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547
SHA512 3c9084d2eb4ef936e985316dd7250f68a1934d07332429c896cff7dc982513b02e643175ffc56b1341ea3027f99f251b42f717c630c3f6f76087d71cac6db878

C:\Program Files\Taber LLC\RMM\rmm.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad
