PUP.TacticalRMM

Analysis Report

General information

Family Name: PUP.TacticalRMM
Signature status: No Signature

Known Samples


Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File has exports table
  • File has TLS information
  • File is 32-bit executable
  • File is 64-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name Value
Comments This installation was built with Inno Setup.
Company Name
  • AmidaWare Inc
  • AmidaWare LLC
File Description
  • Setup/Uninstall
  • Tactical RMM Agent Setup
  • Tactical RMM Installer
File Version
  • v2.0.4.0
  • 51.1052.0.0
  • 2.10.0.0
Internal Name rmm.exe
Legal Copyright
  • Copyright (c) 2022 AmidaWare LLC
  • Copyright © 2025 AmidaWare Inc
Original File Name tacticalrmm.exe
Original Filename installer.go
Product Name
  • Tactical RMM Agent
  • Tactical RMM Installer
Product Version
  • v2.0.4.0
  • 2.10.0
  • 2.5.0
  • 2.4.4

File Traits

  • 2+ executable sections
  • golang
  • Inno
  • InnoSetup Installer
  • Installer Manifest
  • Installer Version
  • ntdll
  • VirtualQueryEx
  • x64
  • x86

Block Information

Similar Families

  • BestaFera.G
  • BlackLock.A
  • CobaltStrike.DWA
  • CobaltStrike.XAD
  • CobaltStrike.XM
  • CobaltStrike.XN
  • CobaltStrike.XV
  • CobaltStrike.XZ
  • Delf.DA
  • Filecoder.DDC
  • Filecoder.GOA
  • Go.Agent.E
  • Go.Rozena.A
  • Goshell.C
  • Goshell.F
  • Ousaban.V
  • ReverseShell.GA
  • Rozena.EA
  • TIYWEPXB.A

Files Modified

File Attributes
c:\programdata\tacticalrmm\tacticalagent-v2.10.0-windows-amd64.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\programdata\tacticalrmm\tacticalagent-v2.4.4-windows-amd64.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\programdata\tacticalrmm\tacticalagent-v2.4.6-windows-amd64.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\programdata\tacticalrmm\tacticalagent-v2.6.1-windows-amd64.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\programdata\tacticalrmm\tacticalagent-v2.8.0-windows-amd64.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\programdata\tacticalrmm\tacticalagent-v2.9.1-windows-amd64.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-1anae.tmp\9a528ce9810ec4f79b94c59a2b7f02b61efbf9d2_0004475181.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-c9mev.tmp\_isetup\_setup64.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-go47v.tmp\0eceeb987206961b61e4979383a24f32d24171f0_0004366864.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-k9f5m.tmp\_isetup\_setup64.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-n0e21.tmp\_isetup\_setup64.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-o8lu0.tmp\9aadf79a25d20ccc38b45f7f9651352c6c1aefa7_0004723248.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\setup log 2025-09-15 #001.txt Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\setup log 2026-04-21 #001.txt Generic Read,Write Data,Write Attributes,Write extended,Append data

Registry Modifications

Key::Value Data API Name
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe RegNtPreCreateKey

Windows API Usage

Category API
Process Shell Execute
  • CreateProcess
  • WriteConsole
User Data Access
  • GetUserObjectInformation
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAddAtomEx
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcConnectPort
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtAlpcSetInformation
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateIoCompletion
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateTimer2
  • ntdll.dll!NtCreateWaitCompletionPacket
  • ntdll.dll!NtCreateWorkerFactory
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcess
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRemoveIoCompletionEx
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSetIoCompletion
  • ntdll.dll!NtSetTimerEx
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • ntdll.dll!NtWriteVirtualMemory
  • ntdll.dll!NtYieldExecution
  • UNKNOWN
  • win32u.dll!NtGdiAnyLinkedFonts
  • win32u.dll!NtGdiBitBlt
  • win32u.dll!NtGdiCreateBitmap
  • win32u.dll!NtGdiCreateCompatibleBitmap
  • win32u.dll!NtGdiCreateCompatibleDC
  • win32u.dll!NtGdiCreateDIBitmapInternal
  • win32u.dll!NtGdiCreateRectRgn
  • win32u.dll!NtGdiCreateSolidBrush
  • win32u.dll!NtGdiDeleteObjectApp
  • win32u.dll!NtGdiDoPalette
  • win32u.dll!NtGdiDrawStream
  • win32u.dll!NtGdiExtGetObjectW
  • win32u.dll!NtGdiExtTextOutW
  • win32u.dll!NtGdiFontIsLinked
  • win32u.dll!NtGdiGetCharABCWidthsW
  • win32u.dll!NtGdiGetDCDword
  • win32u.dll!NtGdiGetDCforBitmap
  • win32u.dll!NtGdiGetDCObject

81 additional items are not displayed above.

Anti Debug
  • IsDebuggerPresent
Network Winsock2
  • WSAGetOverlappedResult
  • WSASend
  • WSASocket
  • WSAStartup
  • WSAttemptAutodialName
Network Winsock
  • bind
  • closesocket
  • freeaddrinfo
  • getaddrinfo
  • getpeername
  • getsockname
  • setsockopt
  • socket
Network Icmp
  • IcmpCreateFile
  • IcmpSendEcho2Ex
Process Terminate
  • TerminateProcess
Process Manipulation Evasion
  • NtUnmapViewOfSection
Other Suspicious
  • AdjustTokenPrivileges

Shell Command Execution

"C:\Users\Jrmtgdwl\AppData\Local\Temp\is-GO47V.tmp\0eceeb987206961b61e4979383a24f32d24171f0_0004366864.tmp" /SL5="$1026A,3528895,825344,c:\users\user\downloads\0eceeb987206961b61e4979383a24f32d24171f0_0004366864"
"cmd.exe" /c ping 127.0.0.1 -n 2 && net stop tacticalrpc
C:\WINDOWS\system32\PING.EXE ping 127.0.0.1 -n 2
C:\WINDOWS\system32\net.exe net stop tacticalrpc
WriteConsole: Access is denied
"cmd.exe" /c net stop tacticalagent
C:\WINDOWS\system32\net.exe net stop tacticalagent
WriteConsole: Access is denied
"cmd.exe" /c ping 127.0.0.1 -n 2 && net stop tacticalrmm
C:\WINDOWS\system32\PING.EXE ping 127.0.0.1 -n 2
C:\WINDOWS\system32\net.exe net stop tacticalrmm
WriteConsole: Access is denied
"cmd.exe" /c taskkill /F /IM tacticalrmm.exe
C:\WINDOWS\system32\taskkill.exe taskkill /F /IM tacticalrmm.exe
WriteConsole: ERROR: CoInitial
"cmd.exe" /c sc delete tacticalagent
C:\WINDOWS\system32\sc.exe sc delete tacticalagent
WriteConsole: [SC] OpenService
"cmd.exe" /c sc delete tacticalrpc
C:\WINDOWS\system32\sc.exe sc delete tacticalrpc
WriteConsole: [SC] OpenService
"C:\Users\Tqxwwhoq\AppData\Local\Temp\is-1ANAE.tmp\9a528ce9810ec4f79b94c59a2b7f02b61efbf9d2_0004475181.tmp" /SL5="$6004A,3636643,825344,c:\users\user\downloads\9a528ce9810ec4f79b94c59a2b7f02b61efbf9d2_0004475181"
"C:\Users\Xowgraho\AppData\Local\Temp\is-O8LU0.tmp\9aadf79a25d20ccc38b45f7f9651352c6c1aefa7_0004723248.tmp" /SL5="$E0040,3722619,861184,c:\users\user\downloads\9aadf79a25d20ccc38b45f7f9651352c6c1aefa7_0004723248"
WriteConsole: ERROR: The proce