Analysis Overview
SHA256: 435d7ca89b2a10c4ef440c1852835db8485145a2565612410ac491b94e450251
Threat Level: Known bad
The file 78978a36b56e68b07d49c3e380f30c7c12668edc3bb71761c2bd8b05b416fcb1.exe.zip was found to be: Known bad.
Malicious Activity Summary
Orcus main payload
Orcus family
Orcurs Rat Executable
Orcus
Orcurs Rat Executable
Executes dropped EXE
Checks computer location settings
Drops desktop.ini file(s)
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2023-12-01 15:08
Signatures
Orcurs Rat Executable
Orcus family
Orcus main payload
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-01 15:08
Reported
2023-12-01 16:01
Platform
win7-20231023-en
Max time kernel
253s
Max time network
304s
Signatures
Orcus
Orcus main payload
Orcurs Rat Executable
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
| N/A | N/A | C:\Program Files\Taber LLC\RMM\rmm.exe | N/A |
| N/A | N/A | C:\Program Files\Taber LLC\RMM\rmm.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\WindowsInput.exe | C:\Users\Admin\AppData\Local\Temp\78978a36b56e68b07d49c3e380f30c7c12668edc3bb71761c2bd8b05b416fcb1.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsInput.exe.config | C:\Users\Admin\AppData\Local\Temp\78978a36b56e68b07d49c3e380f30c7c12668edc3bb71761c2bd8b05b416fcb1.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsInput.InstallState | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files\Taber LLC\RMM\rmm.exe | C:\Users\Admin\AppData\Local\Temp\78978a36b56e68b07d49c3e380f30c7c12668edc3bb71761c2bd8b05b416fcb1.exe | N/A |
| File created | C:\Program Files\Taber LLC\RMM\rmm.exe.config | C:\Users\Admin\AppData\Local\Temp\78978a36b56e68b07d49c3e380f30c7c12668edc3bb71761c2bd8b05b416fcb1.exe | N/A |
| File created | C:\Program Files\Taber LLC\RMM\rmm.exe | C:\Users\Admin\AppData\Local\Temp\78978a36b56e68b07d49c3e380f30c7c12668edc3bb71761c2bd8b05b416fcb1.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Taber LLC\RMM\rmm.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Taber LLC\RMM\rmm.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\78978a36b56e68b07d49c3e380f30c7c12668edc3bb71761c2bd8b05b416fcb1.exe
"C:\Users\Admin\AppData\Local\Temp\78978a36b56e68b07d49c3e380f30c7c12668edc3bb71761c2bd8b05b416fcb1.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kwydawnv.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1009.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1008.tmp"
C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe" --install
C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
C:\Program Files\Taber LLC\RMM\rmm.exe
"C:\Program Files\Taber LLC\RMM\rmm.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {E02CB8D9-5935-4132-B69F-C27F92D3AC54} S-1-5-21-3425689832-2386927309-2650718742-1000:AWDHTXES\Admin:Interactive:[1]
C:\Program Files\Taber LLC\RMM\rmm.exe
"C:\Program Files\Taber LLC\RMM\rmm.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | catcher.taber.biz | udp |
| US | 172.245.142.220:42069 | catcher.taber.biz | tcp |
Files
\??\c:\Users\Admin\AppData\Local\Temp\kwydawnv.cmdline
| MD5 | 089b82db18c352b7fdf28ffd26729f6a |
| SHA1 | b5413e5359a220fbabcb67cf42c0350afaa2e9ed |
| SHA256 | 441e90c06e1eefafd20caba314474f4162aa1149a6e02f570a4b550c54891839 |
| SHA512 | fcb7deb2b17de5831950149384f7aa572dc071c4332205291490f57d09220693d8045a0c461612e9b3053f061492550b2332051bd3fde273d215746439fcdf97 |
\??\c:\Users\Admin\AppData\Local\Temp\kwydawnv.0.cs
| MD5 | 93d26a810d7ff3f695cb1baab0dc139f |
| SHA1 | 53160d8bd8ef01018ad2e196fa12486eacb0901c |
| SHA256 | 8e3249583a776f03a5c62855321d7ef00b38d6869a1de47b0498ead8520f0f36 |
| SHA512 | 020dfa4d66b4732d3df8453342069126c8607e1ea8a71e1879a231901e0941b56f39cb5fcc3dcf736005cb2f1cef27c26b549fe5554037cd2f7318cbe1594631 |
\??\c:\Users\Admin\AppData\Local\Temp\CSC1008.tmp
| MD5 | 07fd38a6173a015867486f54a8214e6c |
| SHA1 | c0cd2db4be0a94813ca4668052cda6e3c41b4172 |
| SHA256 | c682383c3d12658a64df0f2626b03e4d0b6bb09bdf07ed21773a1c72769f8268 |
| SHA512 | a55af99a86cfdb5e68d36e0b83d25804b48c6f5853cea4d03aae583c55674b7ca4605f8ce8e398610477f6672005feee71afd8ea030ff0edee7b8afa385986ca |
C:\Users\Admin\AppData\Local\Temp\RES1009.tmp
| MD5 | da8ef203933c7695a718ce1cd3a7a752 |
| SHA1 | f201e88556c09dce532f8868fcfba4ed7b9cf191 |
| SHA256 | cba90c4076ad69d475eb2382cad107c6770cbd65a862fde1f4ca74ca1c7ea00f |
| SHA512 | 9c61cedbbe5b8893e77a7fe8a2d83a3027a8e5c6b7d7d7c567963de5262c36804cb0267e86ae6a1e55ca4dacc3ab55ec60b05628e9e30c3309949dbd5863a19e |
C:\Users\Admin\AppData\Local\Temp\kwydawnv.dll
| MD5 | b47a86fd1aedca0be836be66f865b63f |
| SHA1 | 5019c7ad4a334da3a0a32290fdf0cfa78a596828 |
| SHA256 | b102906dd820ac9c594e76d5edb69f26fd4247cac7ebec65f8ac514188158cef |
| SHA512 | da4417db1b233964a0c676a8e6649054eddc6637017d4fbb02d14bb5b5929c6f6956d2c40905ab58f82c7caa5606302de12d48e0424199fae7eb6b14187f1112 |
C:\Windows\SysWOW64\WindowsInput.exe
| MD5 | e6fcf516d8ed8d0d4427f86e08d0d435 |
| SHA1 | c7691731583ab7890086635cb7f3e4c22ca5e409 |
| SHA256 | 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337 |
| SHA512 | c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e |
C:\Windows\SysWOW64\WindowsInput.exe.config
| MD5 | a2b76cea3a59fa9af5ea21ff68139c98 |
| SHA1 | 35d76475e6a54c168f536e30206578babff58274 |
| SHA256 | f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839 |
| SHA512 | b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad |
C:\Program Files\Taber LLC\RMM\rmm.exe
| MD5 | 4e959e6b6bcb3b88d1b791f397009ace |
| SHA1 | 03c6825264db0b9f7e84984e4833fa3450f11a9d |
| SHA256 | 78978a36b56e68b07d49c3e380f30c7c12668edc3bb71761c2bd8b05b416fcb1 |
| SHA512 | 646b91c8ef0b1ef51c9473ce8ac21a91f0596433604c8afdf1bef76c980190a60172cc1c50dec92d5c9eeb726e0c771f186254ce1e499c5992848d1c202f0188 |
C:\Program Files\Taber LLC\RMM\rmm.exe.config
| MD5 | a2b76cea3a59fa9af5ea21ff68139c98 |
| SHA1 | 35d76475e6a54c168f536e30206578babff58274 |
| SHA256 | f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839 |
| SHA512 | b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-01 15:08
Reported
2023-12-01 15:57
Platform
win10v2004-20231127-en
Max time kernel
164s
Max time network
190s
Signatures
Orcus
Orcus main payload
Orcurs Rat Executable
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\78978a36b56e68b07d49c3e380f30c7c12668edc3bb71761c2bd8b05b416fcb1.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
| N/A | N/A | C:\Program Files\Taber LLC\RMM\rmm.exe | N/A |
| N/A | N/A | C:\Program Files\Taber LLC\RMM\rmm.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\78978a36b56e68b07d49c3e380f30c7c12668edc3bb71761c2bd8b05b416fcb1.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\78978a36b56e68b07d49c3e380f30c7c12668edc3bb71761c2bd8b05b416fcb1.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\WindowsInput.exe | C:\Users\Admin\AppData\Local\Temp\78978a36b56e68b07d49c3e380f30c7c12668edc3bb71761c2bd8b05b416fcb1.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsInput.exe.config | C:\Users\Admin\AppData\Local\Temp\78978a36b56e68b07d49c3e380f30c7c12668edc3bb71761c2bd8b05b416fcb1.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsInput.InstallState | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files\Taber LLC\RMM\rmm.exe | C:\Users\Admin\AppData\Local\Temp\78978a36b56e68b07d49c3e380f30c7c12668edc3bb71761c2bd8b05b416fcb1.exe | N/A |
| File created | C:\Program Files\Taber LLC\RMM\rmm.exe.config | C:\Users\Admin\AppData\Local\Temp\78978a36b56e68b07d49c3e380f30c7c12668edc3bb71761c2bd8b05b416fcb1.exe | N/A |
| File created | C:\Program Files\Taber LLC\RMM\rmm.exe | C:\Users\Admin\AppData\Local\Temp\78978a36b56e68b07d49c3e380f30c7c12668edc3bb71761c2bd8b05b416fcb1.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\78978a36b56e68b07d49c3e380f30c7c12668edc3bb71761c2bd8b05b416fcb1.exe | N/A |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\78978a36b56e68b07d49c3e380f30c7c12668edc3bb71761c2bd8b05b416fcb1.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\78978a36b56e68b07d49c3e380f30c7c12668edc3bb71761c2bd8b05b416fcb1.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Taber LLC\RMM\rmm.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Taber LLC\RMM\rmm.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\78978a36b56e68b07d49c3e380f30c7c12668edc3bb71761c2bd8b05b416fcb1.exe
"C:\Users\Admin\AppData\Local\Temp\78978a36b56e68b07d49c3e380f30c7c12668edc3bb71761c2bd8b05b416fcb1.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lf5krzfi.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES607B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC607A.tmp"
C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe" --install
C:\Program Files\Taber LLC\RMM\rmm.exe
"C:\Program Files\Taber LLC\RMM\rmm.exe"
C:\Program Files\Taber LLC\RMM\rmm.exe
"C:\Program Files\Taber LLC\RMM\rmm.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.78.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | catcher.taber.biz | udp |
| US | 172.245.142.220:42069 | catcher.taber.biz | tcp |
| US | 8.8.8.8:53 | 209.78.101.95.in-addr.arpa | udp |
| US | 216.170.120.141:42069 | N/A | tcp |
| US | 172.245.142.220:42069 | catcher.taber.biz | tcp |
| US | 216.170.120.141:42069 | N/A | tcp |
| US | 8.8.8.8:53 | 13.173.189.20.in-addr.arpa | udp |
| US | 172.245.142.220:42069 | catcher.taber.biz | tcp |
| US | 216.170.120.141:42069 | N/A | tcp |
| US | 172.245.142.220:42069 | catcher.taber.biz | tcp |
Files
\??\c:\Users\Admin\AppData\Local\Temp\lf5krzfi.cmdline
| MD5 | eaea31579fd69300042920ac86b18cfe |
| SHA1 | e86931a9273d54f5f4645521163c821bff6d2cbb |
| SHA256 | b403b523b853d715f4053d7b73bb79753cf535626644dac9239de2b9c798c5da |
| SHA512 | 3a9c4907c3ca2594db48882f2e83072ed9aeb682ed204838208b5790cd51cce60bbeed62e4f4491beb067dbdc86f7e019dd65ed3ac379e97d7b3e234a345fd91 |
\??\c:\Users\Admin\AppData\Local\Temp\lf5krzfi.0.cs
| MD5 | e34abb9dc0bd7f19d26b2d6f3ec44e4e |
| SHA1 | f8af8c41d442a547519cc0707fdd3132136a9e56 |
| SHA256 | ac700db8854eb0f68c5cf85e61f15d2f87a5ee78b3f145c312d8497228ed16ad |
| SHA512 | f5807a0aec99bd96ccf1ebca28da4bb5bbe69b790a6e869ca272231240dee22980bfe7dbc9ab31de3f301bee73d65e63b407131a729cf94d200cec829f1c8ef9 |
\??\c:\Users\Admin\AppData\Local\Temp\CSC607A.tmp
| MD5 | ffa0f5817524f725c99344344689f61b |
| SHA1 | 71bdeda1aa5e03dba4406c6bd6b82a9bf10209fb |
| SHA256 | 94fb66564c2a1660c7b9c3c6900fd46127c0c21b45c794dffa91fd721b11f993 |
| SHA512 | 7c968460f48a3140891264f2ec825263ce023587f19551949207460e6109e9e65113073756685432ea094be6bbd30951c86f5a09fa14313126bc91d55389760d |
C:\Users\Admin\AppData\Local\Temp\RES607B.tmp
| MD5 | d6e020456afd794f6f3b2efdea68a410 |
| SHA1 | 2c3c2e825cf022e53de6c2079e421c941c391e35 |
| SHA256 | a9721046573440d7937a6f0a567bb65f9a1413c0724dbfb63ad2b40c6bdd0dbf |
| SHA512 | b4648efab5ac1acad42772f293c867ab9a8521b0cea85388725d547976149b27b1a44917ada93236f74e9041bc2281fe8fbb716e80803c8945ecd8f4de0d1740 |
C:\Users\Admin\AppData\Local\Temp\lf5krzfi.dll
| MD5 | b7a0c22a584724b125419efb4798a50f |
| SHA1 | 98b598b009390cc28ab4e247d3e93948dc0d2ba3 |
| SHA256 | 7e28d1a310a9756934ecf48a3a23152ad9c1d201032491bb07ea4d46dc3178d5 |
| SHA512 | af165ced9a93ab3fc495e9ff42661ff34e531f60cd2ce0e87d94299acc0047b8cd50606b54fea389bed6461f20cd37cbc5f4267b35f27288a23c4a77cec61607 |
C:\Windows\SysWOW64\WindowsInput.exe
| MD5 | e6fcf516d8ed8d0d4427f86e08d0d435 |
| SHA1 | c7691731583ab7890086635cb7f3e4c22ca5e409 |
| SHA256 | 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337 |
| SHA512 | c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e |
C:\Windows\SysWOW64\WindowsInput.exe.config
| MD5 | a2b76cea3a59fa9af5ea21ff68139c98 |
| SHA1 | 35d76475e6a54c168f536e30206578babff58274 |
| SHA256 | f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839 |
| SHA512 | b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad |
C:\Program Files\Taber LLC\RMM\rmm.exe
| MD5 | 4e959e6b6bcb3b88d1b791f397009ace |
| SHA1 | 03c6825264db0b9f7e84984e4833fa3450f11a9d |
| SHA256 | 78978a36b56e68b07d49c3e380f30c7c12668edc3bb71761c2bd8b05b416fcb1 |
| SHA512 | 646b91c8ef0b1ef51c9473ce8ac21a91f0596433604c8afdf1bef76c980190a60172cc1c50dec92d5c9eeb726e0c771f186254ce1e499c5992848d1c202f0188 |
C:\Program Files\Taber LLC\RMM\rmm.exe.config
| MD5 | a2b76cea3a59fa9af5ea21ff68139c98 |
| SHA1 | 35d76475e6a54c168f536e30206578babff58274 |
| SHA256 | f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839 |
| SHA512 | b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad |