Malware Analysis Report

2024-11-30 19:36

Sample ID 220213-kq8swsgae6
Target f5de6113a1933c0e60e324d400f57c8f00b3a94c46225325a8d65cad6a516bd4
SHA256 f5de6113a1933c0e60e324d400f57c8f00b3a94c46225325a8d65cad6a516bd4
Tags
rms evasion persistence rat trojan
score
10/10

Analysis Overview

score
10/10

SHA256

f5de6113a1933c0e60e324d400f57c8f00b3a94c46225325a8d65cad6a516bd4

Threat Level: Known bad

The file f5de6113a1933c0e60e324d400f57c8f00b3a94c46225325a8d65cad6a516bd4 was found to be: Known bad.

Malicious Activity Summary

rms evasion persistence rat trojan

RMS

Executes dropped EXE

Modifies Windows Firewall

Sets file to hidden

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Modifies registry class

Enumerates processes with tasklist

Views/modifies file attributes

Delays execution with timeout.exe

Kills process with taskkill

Suspicious use of WriteProcessMemory

Runs .reg file with regedit

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-13 08:49

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-13 08:49

Reported

2022-02-13 08:52

Platform

win7-en-20211208

Max time kernel

152s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f5de6113a1933c0e60e324d400f57c8f00b3a94c46225325a8d65cad6a516bd4.exe"

Signatures

RMS

trojan rat rms

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe N/A
N/A N/A C:\Folder42\rutserv.exe N/A

Modifies Windows Firewall

evasion

Sets file to hidden

evasion

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Services = "C:\\Folder42\\rutserv.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\4w5tb68h7t987093f4trq893f4rw89etw.txt C:\Windows\SysWOW64\wscript.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Folder42\rutserv.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Folder42\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Folder42\rutserv.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Folder42\rutserv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1540 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\f5de6113a1933c0e60e324d400f57c8f00b3a94c46225325a8d65cad6a516bd4.exe C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe
PID 524 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe C:\Windows\SysWOW64\WScript.exe
PID 1644 wrote to memory of 672 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\wscript.exe
PID 1644 wrote to memory of 1620 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\wscript.exe
PID 1644 wrote to memory of 1568 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\wscript.exe
PID 1644 wrote to memory of 624 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\wscript.exe
PID 1644 wrote to memory of 1968 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\wscript.exe
PID 672 wrote to memory of 1744 N/A C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\cmd.exe
PID 1744 wrote to memory of 1484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1744 wrote to memory of 1564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f5de6113a1933c0e60e324d400f57c8f00b3a94c46225325a8d65cad6a516bd4.exe

"C:\Users\Admin\AppData\Local\Temp\f5de6113a1933c0e60e324d400f57c8f00b3a94c46225325a8d65cad6a516bd4.exe"

C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe

"C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe" -p284579G45398T745398T

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Log\install.vbs"

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\wscript.exe" "C:\Log\install.vbs" Run

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Log\Windows\hiscomponent\install.bat" "

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Log"

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rutserv.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im systemc.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im drivemanag.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im dumprep.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im winlogs.exe

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SYSTEM\Remote Manipulator System" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\DEVICEMAP" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\TektonIT\Remote Manipulator System" /f

C:\Windows\SysWOW64\regedit.exe

regedit /s "Windows\hiscomponent\regedit.reg"

C:\Windows\SysWOW64\timeout.exe

timeout 1

C:\Folder42\rutserv.exe

rutserv.exe

C:\Windows\SysWOW64\reg.exe

Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Services" /t REG_SZ /d "C:\Folder42\rutserv.exe" /f

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\\Folder42\*.*"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\\Folder42"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Folder42\process.vbs"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Folder42\process.bat" "

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 rmansys.ru udp
RU 31.31.198.18:80 rmansys.ru tcp
RU 31.31.198.18:80 rmansys.ru tcp
US 8.8.8.8:53 rms-server.tektonit.ru udp
RU 95.213.205.83:5655 rms-server.tektonit.ru tcp

Files

C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe

C:\Log\install.vbs

C:\Log\Windows\hiscomponent\install.bat

C:\Log\Windows\hiscomponent\regedit.reg

C:\Log\rutserv.exe

C:\Log\RDPCheck.exe

C:\Log\RDPConf.exe

C:\Log\RDPWInst.exe

C:\Log\install.bat

C:\Log\update.bat

C:\Log\Windows\hiscomponent\process.vbs

C:\Log\Windows\hiscomponent\process.bat

C:\Folder42\rutserv.exe

C:\Folder42\RDPCheck.exe

C:\Folder42\process.vbs

C:\Folder42\process.bat

C:\Folder42\install.bat

C:\Folder42\update.bat

C:\Folder42\RDPWInst.exe

C:\Folder42\RDPConf.exe

C:\Log\uninstall.bat

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-13 08:49

Reported

2022-02-13 08:52

Platform

win10v2004-en-20220113

Max time kernel

156s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f5de6113a1933c0e60e324d400f57c8f00b3a94c46225325a8d65cad6a516bd4.exe"

Signatures

RMS

trojan rat rms

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe N/A
N/A N/A C:\Folder42\rutserv.exe N/A

Modifies Windows Firewall

evasion

Sets file to hidden

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f5de6113a1933c0e60e324d400f57c8f00b3a94c46225325a8d65cad6a516bd4.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Services = "C:\\Folder42\\rutserv.exe" C:\Windows\SysWOW64\reg.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\WindowsUpdate.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\Logs\CBS\CBS.log C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
File opened for modification C:\Windows\WinSxS\pending.xml C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
File created C:\Windows\4w5tb68h7t987093f4trq893f4rw89etw.txt C:\Windows\SysWOW64\wscript.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings C:\Windows\SysWOW64\cmd.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Folder42\rutserv.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Folder42\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\Folder42\rutserv.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Folder42\rutserv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1196 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\f5de6113a1933c0e60e324d400f57c8f00b3a94c46225325a8d65cad6a516bd4.exe C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe
PID 1864 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe C:\Windows\SysWOW64\WScript.exe
PID 4464 wrote to memory of 4940 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\wscript.exe
PID 4464 wrote to memory of 692 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\wscript.exe
PID 4464 wrote to memory of 1792 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\wscript.exe
PID 4464 wrote to memory of 4652 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\wscript.exe
PID 4940 wrote to memory of 2976 N/A C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\cmd.exe
PID 2976 wrote to memory of 3704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2976 wrote to memory of 852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2976 wrote to memory of 4060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2976 wrote to memory of 4388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2976 wrote to memory of 2044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2976 wrote to memory of 2120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2976 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2976 wrote to memory of 2956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2976 wrote to memory of 4680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2976 wrote to memory of 2952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2976 wrote to memory of 3916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2976 wrote to memory of 1336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2976 wrote to memory of 564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2976 wrote to memory of 1932 N/A C:\Windows\SysWOW64\cmd.exe C:\Folder42\rutserv.exe
PID 2976 wrote to memory of 2168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f5de6113a1933c0e60e324d400f57c8f00b3a94c46225325a8d65cad6a516bd4.exe

"C:\Users\Admin\AppData\Local\Temp\f5de6113a1933c0e60e324d400f57c8f00b3a94c46225325a8d65cad6a516bd4.exe"

C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe

"C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe" -p284579G45398T745398T

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Log\install.vbs"

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\wscript.exe" "C:\Log\install.vbs" Run

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\wscript.exe" "C:\Log\install.vbs" Run

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\wscript.exe" "C:\Log\install.vbs" Run

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\wscript.exe" "C:\Log\install.vbs" Run

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Log\Windows\hiscomponent\install.bat" "

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Log"

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rutserv.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im systemc.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im drivemanag.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im dumprep.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im winlogs.exe

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SYSTEM\Remote Manipulator System" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\DEVICEMAP" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\TektonIT\Remote Manipulator System" /f

C:\Windows\SysWOW64\regedit.exe

regedit /s "Windows\hiscomponent\regedit.reg"

C:\Windows\SysWOW64\timeout.exe

timeout 1

C:\Folder42\rutserv.exe

rutserv.exe

C:\Windows\SysWOW64\reg.exe

Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Services" /t REG_SZ /d "C:\Folder42\rutserv.exe" /f

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\\Folder42\*.*"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\\Folder42"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Folder42\process.vbs"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Folder42\process.bat" "

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "rutserv.exe"

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
US 8.8.8.8:53 rmansys.ru udp
RU 31.31.198.18:80 rmansys.ru tcp
RU 31.31.198.18:80 rmansys.ru tcp
US 8.8.8.8:53 rms-server.tektonit.ru udp
RU 95.213.205.83:5655 rms-server.tektonit.ru tcp
US 209.197.3.8:80 tcp
US 20.189.173.14:443 tcp

Files

C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe

C:\Log\install.vbs

C:\Log\Windows\hiscomponent\install.bat

C:\Log\Windows\hiscomponent\regedit.reg

C:\Log\rutserv.exe

C:\Log\RDPCheck.exe

C:\Log\RDPConf.exe

C:\Log\RDPWInst.exe

C:\Log\install.bat

C:\Log\update.bat

C:\Log\Windows\hiscomponent\process.vbs

C:\Log\Windows\hiscomponent\process.bat

C:\Folder42\rutserv.exe

C:\Folder42\RDPConf.exe

C:\Folder42\update.bat

C:\Folder42\RDPWInst.exe

C:\Folder42\RDPCheck.exe

C:\Folder42\process.vbs

C:\Folder42\process.bat

C:\Folder42\install.bat

C:\Log\uninstall.bat
