Malware Analysis Report

2024-11-30 19:54

Sample ID 220213-lwg3ssaeek
Target d72e2560484a0a90eecf8099edfb4c7c11c53ba4ec4333066d5eea3144112b12
SHA256 d72e2560484a0a90eecf8099edfb4c7c11c53ba4ec4333066d5eea3144112b12
Tags
rms evasion persistence rat trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d72e2560484a0a90eecf8099edfb4c7c11c53ba4ec4333066d5eea3144112b12

Threat Level: Known bad

The file d72e2560484a0a90eecf8099edfb4c7c11c53ba4ec4333066d5eea3144112b12 was found to be: Known bad.

Malicious Activity Summary

rms evasion persistence rat trojan upx

UAC bypass

RMS

ACProtect 1.3x - 1.4x DLL software

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Sets file to hidden

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Runs .reg file with regedit

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Delays execution with timeout.exe

Views/modifies file attributes

Enumerates processes with tasklist

Kills process with taskkill

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-13 09:52

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-13 09:52

Reported

2022-02-13 09:55

Platform

win7-en-20211208

Max time kernel

151s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d72e2560484a0a90eecf8099edfb4c7c11c53ba4ec4333066d5eea3144112b12.exe"

Signatures

RMS

trojan rat rms

UAC bypass

evasion trojan

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe N/A
N/A N/A C:\Folder767\cmsystem.exe N/A

Modifies Windows Firewall

evasion

Sets file to hidden

evasion

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Folder767\\cmsystem.exe" C:\Windows\SysWOW64\reg.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\4w5tb68h7t987093f4trq893f4rw89etw.txt C:\Windows\SysWOW64\wscript.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Folder767\cmsystem.exe N/A
N/A N/A C:\Folder767\cmsystem.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Folder767\cmsystem.exe N/A
Token: SeTcbPrivilege N/A C:\Folder767\cmsystem.exe N/A
Token: SeTcbPrivilege N/A C:\Folder767\cmsystem.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Folder767\cmsystem.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1308 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\d72e2560484a0a90eecf8099edfb4c7c11c53ba4ec4333066d5eea3144112b12.exe C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe
PID 1308 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\d72e2560484a0a90eecf8099edfb4c7c11c53ba4ec4333066d5eea3144112b12.exe C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe
PID 1308 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\d72e2560484a0a90eecf8099edfb4c7c11c53ba4ec4333066d5eea3144112b12.exe C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe
PID 1308 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\d72e2560484a0a90eecf8099edfb4c7c11c53ba4ec4333066d5eea3144112b12.exe C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe
PID 1308 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\d72e2560484a0a90eecf8099edfb4c7c11c53ba4ec4333066d5eea3144112b12.exe C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe
PID 1308 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\d72e2560484a0a90eecf8099edfb4c7c11c53ba4ec4333066d5eea3144112b12.exe C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe
PID 1308 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\d72e2560484a0a90eecf8099edfb4c7c11c53ba4ec4333066d5eea3144112b12.exe C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe
PID 980 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe C:\Windows\SysWOW64\WScript.exe
PID 980 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe C:\Windows\SysWOW64\WScript.exe
PID 980 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe C:\Windows\SysWOW64\WScript.exe
PID 980 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe C:\Windows\SysWOW64\WScript.exe
PID 980 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe C:\Windows\SysWOW64\WScript.exe
PID 980 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe C:\Windows\SysWOW64\WScript.exe
PID 980 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe C:\Windows\SysWOW64\WScript.exe
PID 1116 wrote to memory of 1676 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\wscript.exe
PID 1116 wrote to memory of 1676 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\wscript.exe
PID 1116 wrote to memory of 1676 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\wscript.exe
PID 1116 wrote to memory of 1676 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\wscript.exe
PID 1116 wrote to memory of 1676 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\wscript.exe
PID 1116 wrote to memory of 1676 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\wscript.exe
PID 1116 wrote to memory of 1676 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\wscript.exe
PID 1116 wrote to memory of 936 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\wscript.exe
PID 1116 wrote to memory of 936 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\wscript.exe
PID 1116 wrote to memory of 936 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\wscript.exe
PID 1116 wrote to memory of 936 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\wscript.exe
PID 1116 wrote to memory of 936 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\wscript.exe
PID 1116 wrote to memory of 936 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\wscript.exe
PID 1116 wrote to memory of 936 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\wscript.exe
PID 1676 wrote to memory of 684 N/A C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\cmd.exe
PID 1676 wrote to memory of 684 N/A C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\cmd.exe
PID 1676 wrote to memory of 684 N/A C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\cmd.exe
PID 1676 wrote to memory of 684 N/A C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\cmd.exe
PID 1676 wrote to memory of 684 N/A C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\cmd.exe
PID 1676 wrote to memory of 684 N/A C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\cmd.exe
PID 1676 wrote to memory of 684 N/A C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\cmd.exe
PID 684 wrote to memory of 1800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 684 wrote to memory of 1800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 684 wrote to memory of 1800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 684 wrote to memory of 1800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 684 wrote to memory of 1800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 684 wrote to memory of 1800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 684 wrote to memory of 1800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 684 wrote to memory of 1120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 684 wrote to memory of 1120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 684 wrote to memory of 1120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 684 wrote to memory of 1120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 684 wrote to memory of 1120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 684 wrote to memory of 1120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 684 wrote to memory of 1120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 684 wrote to memory of 2000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 684 wrote to memory of 2000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 684 wrote to memory of 2000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 684 wrote to memory of 2000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 684 wrote to memory of 2000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 684 wrote to memory of 2000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 684 wrote to memory of 2000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 684 wrote to memory of 1276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 684 wrote to memory of 1276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 684 wrote to memory of 1276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 684 wrote to memory of 1276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 684 wrote to memory of 1276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 684 wrote to memory of 1276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 684 wrote to memory of 1276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 684 wrote to memory of 1156 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d72e2560484a0a90eecf8099edfb4c7c11c53ba4ec4333066d5eea3144112b12.exe

"C:\Users\Admin\AppData\Local\Temp\d72e2560484a0a90eecf8099edfb4c7c11c53ba4ec4333066d5eea3144112b12.exe"

C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe

"C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe" -p284579G45398T745398T

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Log\install.vbs"

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\wscript.exe" "C:\Log\install.vbs" Run

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\wscript.exe" "C:\Log\install.vbs" Run

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Log\Windows\hiscomponent\install.bat" "

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Log"

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rutserv.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im systemc.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im drivemanag.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im dumprep.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im winlogs.exe

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SYSTEM\Remote Manipulator System" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\DEVICEMAP" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\TektonIT\Remote Manipulator System" /f

C:\Windows\SysWOW64\regedit.exe

regedit /s "Windows\hiscomponent\regedit.reg"

C:\Windows\SysWOW64\timeout.exe

timeout 1

C:\Folder767\cmsystem.exe

cmsystem.exe

C:\Windows\SysWOW64\reg.exe

Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Java" /t REG_SZ /d "C:\Folder767\cmsystem.exe" /f

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Folder767\*.*"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Folder767"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Folder767\process.vbs"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /k C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Folder767\process.bat" "

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

Network

Country Destination Domain Proto
US 8.8.8.8:53 rmansys.ru udp
RU 31.31.198.18:80 rmansys.ru tcp
RU 31.31.198.18:80 rmansys.ru tcp
US 8.8.8.8:53 rms-server.tektonit.ru udp
RU 95.213.205.83:5655 rms-server.tektonit.ru tcp

Files

memory/1308-54-0x0000000076071000-0x0000000076073000-memory.dmp

\Users\Admin\AppData\Local\Temp\Windows\build\data.exe

MD5 09d1e6f010baa5940e115cf1cf49fe4e
SHA1 6091f2f6c1b6c182daa0107e9e3ccda89ee8ad06
SHA256 7a0ba5129d25833995de6f38eb4ade26b55ddac3e22be0d3b8926a7fec3b6fa2
SHA512 0b6bb576d270dcfc067b72471a162ab8c1244b4376ffeb4fc77c0e4507684863aadc8b373d4549d433a6ceda277acf5c420dafa7696bac57ad4c17505073920a

\Users\Admin\AppData\Local\Temp\Windows\build\data.exe

MD5 09d1e6f010baa5940e115cf1cf49fe4e
SHA1 6091f2f6c1b6c182daa0107e9e3ccda89ee8ad06
SHA256 7a0ba5129d25833995de6f38eb4ade26b55ddac3e22be0d3b8926a7fec3b6fa2
SHA512 0b6bb576d270dcfc067b72471a162ab8c1244b4376ffeb4fc77c0e4507684863aadc8b373d4549d433a6ceda277acf5c420dafa7696bac57ad4c17505073920a

\Users\Admin\AppData\Local\Temp\Windows\build\data.exe

MD5 09d1e6f010baa5940e115cf1cf49fe4e
SHA1 6091f2f6c1b6c182daa0107e9e3ccda89ee8ad06
SHA256 7a0ba5129d25833995de6f38eb4ade26b55ddac3e22be0d3b8926a7fec3b6fa2
SHA512 0b6bb576d270dcfc067b72471a162ab8c1244b4376ffeb4fc77c0e4507684863aadc8b373d4549d433a6ceda277acf5c420dafa7696bac57ad4c17505073920a

C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe

MD5 09d1e6f010baa5940e115cf1cf49fe4e
SHA1 6091f2f6c1b6c182daa0107e9e3ccda89ee8ad06
SHA256 7a0ba5129d25833995de6f38eb4ade26b55ddac3e22be0d3b8926a7fec3b6fa2
SHA512 0b6bb576d270dcfc067b72471a162ab8c1244b4376ffeb4fc77c0e4507684863aadc8b373d4549d433a6ceda277acf5c420dafa7696bac57ad4c17505073920a

C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe

MD5 09d1e6f010baa5940e115cf1cf49fe4e
SHA1 6091f2f6c1b6c182daa0107e9e3ccda89ee8ad06
SHA256 7a0ba5129d25833995de6f38eb4ade26b55ddac3e22be0d3b8926a7fec3b6fa2
SHA512 0b6bb576d270dcfc067b72471a162ab8c1244b4376ffeb4fc77c0e4507684863aadc8b373d4549d433a6ceda277acf5c420dafa7696bac57ad4c17505073920a

C:\Log\install.vbs

MD5 6cab561732bb524984d25e29b8e93414
SHA1 73adabe3f5191ea01d8026b14285f0330f97fccc
SHA256 81d2721f8da28ab12ab7e6572dbfe39c78f1eb24b09ccd9ae816dbcb9f398e60
SHA512 7f001fcdf73056fb688c62be0f68b1b1c54e3f0aff05b8e03e0947716e2cd771fa9e12314cb3b6efd9f971c889405d6eccb83a6ee48280e135fc6e14e216e45d

C:\Log\Windows\hiscomponent\install.bat

MD5 eb4c588945a9dddefb6106ee8b582259
SHA1 203a96e3e7693b840405d32d6bd8f7c3a972e85b
SHA256 98c3f76263938afbbcfd5cf92968555fa548f9a2e0e1511e9a2845ab68fac476
SHA512 f5d7ab9e9935a4254b6c6b551dd1d2c33809925cde3e5f9b74ee95b1bf7abc2e360e7cf47fe1db36e9acc53f4c5534beb15e6527c674c4f4dea6a0060cb10980

C:\Log\Windows\hiscomponent\regedit.reg

MD5 2381059b5f0e4ac5535c9c45acf8a992
SHA1 626d2162499c32208ca15681f900b2603aa567c8
SHA256 6697d59c198707fbf7b83ddeb79e2ce59181e3ccd206abde5edd824724cea0f7
SHA512 9f82a2ec1b59d5c74b122dc0d1f771003c2d711f3048a1ca2c288f4248bb76ad689216057b74b85512a3a8b28b66e6fd13a7c567e8113a640fd9c2acf7488046

C:\Log\Windows\hiscomponent\rutserv.exe

MD5 80ce3eba6ae11d4e0a731f9eedd68f54
SHA1 9e6ca06d9896a84801ab4adbecbe91f91787bb32
SHA256 93730cdb5e9463ee8e1f480d94f412d9d2fee39ed1d3e332b0eff6f72b6ab695
SHA512 ee18d5e03d72cf16ee752336aee10b8979bba16ea731a5e5d236e0807c0cb857f4e4a7dcfdc75cbf9c58757d96432085082442fd771a9aac0af4b96acc853b4e

C:\Log\Windows\hiscomponent\vp8encoder.dll

MD5 6298c0af3d1d563834a218a9cc9f54bd
SHA1 0185cd591e454ed072e5a5077b25c612f6849dc9
SHA256 81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172
SHA512 389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

C:\Log\RDPCheck.exe

MD5 8f82226b2f24d470c02f6664f67f23f7
SHA1 66f40824b406c748846ef11e6b022958f8cbe48b
SHA256 5603338a1f8dbb46efb8e0869db3491d5db92f362711d6680f91ecc5d18bfadf
SHA512 04bc1f785bddf264699fb6bf6fce9652af8c95872f8fef93540f0b86df2e93ced910f01dc54a76a5425d2f5446d587df6ad20d8976fc4be7e9ce3511eb4b00ee

C:\Log\RDPConf.exe

MD5 1e4537b75cad6288f68d595d9c9b13c1
SHA1 9cc14ce3a3982376f454bd3833f4774d955d9bd3
SHA256 8b266c0945d003f5d0b2d6f59239e9dffb41dbccd1659d2c05bbf472ba1f0ccf
SHA512 8caa7b17ed4ec760d4e665ec8ffb543fb3a2287dbe4ba4b08daf9a46819ec662e4e3105e0f9d7ad94edb2d477551d2ca0ebce870d489a0713f8676978b0cc3ec

C:\Log\RDPWInst.exe

MD5 ce6a1d8fe9d16f4c4e2f41ef6cd3ad9b
SHA1 87a89f73faf22dbb6af94f0edbf4cf484673f572
SHA256 cb55b418cd219bcea3cb9dbfca4262d92affaabf34623e6f1e3ce8581c6cd5b2
SHA512 cea5f06d08bf5ee76aef21f05a1857dbfb240c02aff877df7a33b42d59571b4fc6358f0176e3e8ef53c8e06249e65c4e700a18e547c3071413591e4542ff0e9d

C:\Log\install.bat

MD5 cce1e07cf18ea79cc9e87922e9f5609a
SHA1 6800e3e5d42fc0e1d5834214df1958112066a626
SHA256 7afa7437b35cc7961ef51c3672e709f0aaf63b87badf1a884a6713e5749a9292
SHA512 b770d184fb371362fd6ba39e9c2462bb7fa8c7ffa4b1ffb55759fc37e5f06fb0f853e918dad5784d49cc33394c4f6295f5dda99f27304a5f0b34e9eb726fedf6

C:\Log\update.bat

MD5 29ca1c35075247b035af75c11cab78f1
SHA1 4f670d13d7532462f4b1e66d085ef8b9f065ff88
SHA256 353f2dc17a4e80564caa175f7170dbedc1b40f704444520ae671f78a5d1f2b6d
SHA512 3970adc72020194f93935fad2c17790170da7f0f4444e2bfc402f9924fdceaa4b6443e9871c3b8cda24089b84cbdcf185f0d31238c0be93c58e280cf36ab71a7

C:\Log\Windows\hiscomponent\process.vbs

MD5 7528d4ce3012284acc761d14650abc50
SHA1 cacddad01db6f784a1ee2c6163c5b801cd4b9f7f
SHA256 e5dbdd95312fd15449273bc676dd6e9b1c0cd647689ff0ca558f70bc9b40ffb1
SHA512 b6ed0a28414b18fa04c9a92e3c36d7b4ec27895213e8fc4d51b41a3a80f9b5ea6261d1d5adf502ca619c7a4da325da29439fe25a11affe972486ebfff53aaa16

C:\Log\Windows\hiscomponent\process.bat

MD5 e3af8823d2435a5f155da3fc20beb11c
SHA1 be85dc7e06a8f497c94c256fa88e64da65748714
SHA256 4579a561ef0f1ada31217283f66cfabd954cae029d0610a5e7a23cdef0108bf3
SHA512 7ceaa46db0cf586b515592f4a13f3cd409cf6c2610ef4ffe285836cddcff52960c6ccf6e55080bdca5f0260f02ca1ec1f31f2373042614aeed2d74918396d5c3

\Folder767\cmsystem.exe

MD5 80ce3eba6ae11d4e0a731f9eedd68f54
SHA1 9e6ca06d9896a84801ab4adbecbe91f91787bb32
SHA256 93730cdb5e9463ee8e1f480d94f412d9d2fee39ed1d3e332b0eff6f72b6ab695
SHA512 ee18d5e03d72cf16ee752336aee10b8979bba16ea731a5e5d236e0807c0cb857f4e4a7dcfdc75cbf9c58757d96432085082442fd771a9aac0af4b96acc853b4e

\Folder767\cmsystem.exe

MD5 80ce3eba6ae11d4e0a731f9eedd68f54
SHA1 9e6ca06d9896a84801ab4adbecbe91f91787bb32
SHA256 93730cdb5e9463ee8e1f480d94f412d9d2fee39ed1d3e332b0eff6f72b6ab695
SHA512 ee18d5e03d72cf16ee752336aee10b8979bba16ea731a5e5d236e0807c0cb857f4e4a7dcfdc75cbf9c58757d96432085082442fd771a9aac0af4b96acc853b4e

C:\Folder767\cmsystem.exe

MD5 80ce3eba6ae11d4e0a731f9eedd68f54
SHA1 9e6ca06d9896a84801ab4adbecbe91f91787bb32
SHA256 93730cdb5e9463ee8e1f480d94f412d9d2fee39ed1d3e332b0eff6f72b6ab695
SHA512 ee18d5e03d72cf16ee752336aee10b8979bba16ea731a5e5d236e0807c0cb857f4e4a7dcfdc75cbf9c58757d96432085082442fd771a9aac0af4b96acc853b4e

C:\Folder767\cmsystem.exe

MD5 80ce3eba6ae11d4e0a731f9eedd68f54
SHA1 9e6ca06d9896a84801ab4adbecbe91f91787bb32
SHA256 93730cdb5e9463ee8e1f480d94f412d9d2fee39ed1d3e332b0eff6f72b6ab695
SHA512 ee18d5e03d72cf16ee752336aee10b8979bba16ea731a5e5d236e0807c0cb857f4e4a7dcfdc75cbf9c58757d96432085082442fd771a9aac0af4b96acc853b4e

C:\Folder767\process.vbs

MD5 7528d4ce3012284acc761d14650abc50
SHA1 cacddad01db6f784a1ee2c6163c5b801cd4b9f7f
SHA256 e5dbdd95312fd15449273bc676dd6e9b1c0cd647689ff0ca558f70bc9b40ffb1
SHA512 b6ed0a28414b18fa04c9a92e3c36d7b4ec27895213e8fc4d51b41a3a80f9b5ea6261d1d5adf502ca619c7a4da325da29439fe25a11affe972486ebfff53aaa16

C:\Folder767\vp8encoder.dll

MD5 6298c0af3d1d563834a218a9cc9f54bd
SHA1 0185cd591e454ed072e5a5077b25c612f6849dc9
SHA256 81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172
SHA512 389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

C:\Folder767\update.bat

MD5 29ca1c35075247b035af75c11cab78f1
SHA1 4f670d13d7532462f4b1e66d085ef8b9f065ff88
SHA256 353f2dc17a4e80564caa175f7170dbedc1b40f704444520ae671f78a5d1f2b6d
SHA512 3970adc72020194f93935fad2c17790170da7f0f4444e2bfc402f9924fdceaa4b6443e9871c3b8cda24089b84cbdcf185f0d31238c0be93c58e280cf36ab71a7

C:\Folder767\RDPWInst.exe

MD5 ce6a1d8fe9d16f4c4e2f41ef6cd3ad9b
SHA1 87a89f73faf22dbb6af94f0edbf4cf484673f572
SHA256 cb55b418cd219bcea3cb9dbfca4262d92affaabf34623e6f1e3ce8581c6cd5b2
SHA512 cea5f06d08bf5ee76aef21f05a1857dbfb240c02aff877df7a33b42d59571b4fc6358f0176e3e8ef53c8e06249e65c4e700a18e547c3071413591e4542ff0e9d

C:\Folder767\RDPConf.exe

MD5 1e4537b75cad6288f68d595d9c9b13c1
SHA1 9cc14ce3a3982376f454bd3833f4774d955d9bd3
SHA256 8b266c0945d003f5d0b2d6f59239e9dffb41dbccd1659d2c05bbf472ba1f0ccf
SHA512 8caa7b17ed4ec760d4e665ec8ffb543fb3a2287dbe4ba4b08daf9a46819ec662e4e3105e0f9d7ad94edb2d477551d2ca0ebce870d489a0713f8676978b0cc3ec

C:\Folder767\RDPCheck.exe

MD5 8f82226b2f24d470c02f6664f67f23f7
SHA1 66f40824b406c748846ef11e6b022958f8cbe48b
SHA256 5603338a1f8dbb46efb8e0869db3491d5db92f362711d6680f91ecc5d18bfadf
SHA512 04bc1f785bddf264699fb6bf6fce9652af8c95872f8fef93540f0b86df2e93ced910f01dc54a76a5425d2f5446d587df6ad20d8976fc4be7e9ce3511eb4b00ee

C:\Folder767\process.bat

MD5 e3af8823d2435a5f155da3fc20beb11c
SHA1 be85dc7e06a8f497c94c256fa88e64da65748714
SHA256 4579a561ef0f1ada31217283f66cfabd954cae029d0610a5e7a23cdef0108bf3
SHA512 7ceaa46db0cf586b515592f4a13f3cd409cf6c2610ef4ffe285836cddcff52960c6ccf6e55080bdca5f0260f02ca1ec1f31f2373042614aeed2d74918396d5c3

C:\Folder767\install.bat

MD5 cce1e07cf18ea79cc9e87922e9f5609a
SHA1 6800e3e5d42fc0e1d5834214df1958112066a626
SHA256 7afa7437b35cc7961ef51c3672e709f0aaf63b87badf1a884a6713e5749a9292
SHA512 b770d184fb371362fd6ba39e9c2462bb7fa8c7ffa4b1ffb55759fc37e5f06fb0f853e918dad5784d49cc33394c4f6295f5dda99f27304a5f0b34e9eb726fedf6

memory/1892-104-0x0000000000280000-0x0000000000281000-memory.dmp

C:\Log\uninstall.bat

MD5 eccb8a01d0427ef29c2380d7dda399f3
SHA1 302601e99d6b02e2e84a0de5c0dce3df139cba31
SHA256 083cd340c800cc021d4a59388680ce0e7ab0f8b998e67def6a507070e7fa01b7
SHA512 78d51882fe04cb64f9f6a82b604ef20e4324e5bc37701747fa55b3c153baa5942774daf737ff204f9e75e81a745ed95cc7ec115da91b9e27e646ed41d3f103f9

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-13 09:52

Reported

2022-02-13 09:55

Platform

win10v2004-en-20220113

Max time kernel

152s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d72e2560484a0a90eecf8099edfb4c7c11c53ba4ec4333066d5eea3144112b12.exe"

Signatures

RMS

trojan rat rms

UAC bypass

evasion trojan

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe N/A
N/A N/A C:\Folder767\cmsystem.exe N/A

Modifies Windows Firewall

evasion

Sets file to hidden

evasion

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d72e2560484a0a90eecf8099edfb4c7c11c53ba4ec4333066d5eea3144112b12.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Folder767\\cmsystem.exe" C:\Windows\SysWOW64\reg.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\4w5tb68h7t987093f4trq893f4rw89etw.txt C:\Windows\SysWOW64\wscript.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\Logs\CBS\CBS.log C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
File opened for modification C:\Windows\WinSxS\pending.xml C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
File opened for modification C:\Windows\WindowsUpdate.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm C:\Windows\system32\svchost.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Folder767\cmsystem.exe N/A
N/A N/A C:\Folder767\cmsystem.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Folder767\cmsystem.exe N/A
Token: SeTcbPrivilege N/A C:\Folder767\cmsystem.exe N/A
Token: SeTcbPrivilege N/A C:\Folder767\cmsystem.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Folder767\cmsystem.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3048 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\d72e2560484a0a90eecf8099edfb4c7c11c53ba4ec4333066d5eea3144112b12.exe C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe
PID 3048 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\d72e2560484a0a90eecf8099edfb4c7c11c53ba4ec4333066d5eea3144112b12.exe C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe
PID 3048 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\d72e2560484a0a90eecf8099edfb4c7c11c53ba4ec4333066d5eea3144112b12.exe C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe
PID 1604 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe C:\Windows\SysWOW64\WScript.exe
PID 1604 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe C:\Windows\SysWOW64\WScript.exe
PID 1604 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe C:\Windows\SysWOW64\WScript.exe
PID 4520 wrote to memory of 4348 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\wscript.exe
PID 4520 wrote to memory of 4348 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\wscript.exe
PID 4520 wrote to memory of 4348 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\wscript.exe
PID 4520 wrote to memory of 4576 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\wscript.exe
PID 4520 wrote to memory of 4576 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\wscript.exe
PID 4520 wrote to memory of 4576 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\wscript.exe
PID 4520 wrote to memory of 4244 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\wscript.exe
PID 4520 wrote to memory of 4244 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\wscript.exe
PID 4520 wrote to memory of 4244 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\wscript.exe
PID 4520 wrote to memory of 4188 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\wscript.exe
PID 4520 wrote to memory of 4188 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\wscript.exe
PID 4520 wrote to memory of 4188 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\wscript.exe
PID 4520 wrote to memory of 928 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\wscript.exe
PID 4520 wrote to memory of 928 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\wscript.exe
PID 4520 wrote to memory of 928 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\wscript.exe
PID 4348 wrote to memory of 4756 N/A C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\cmd.exe
PID 4348 wrote to memory of 4756 N/A C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\cmd.exe
PID 4348 wrote to memory of 4756 N/A C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\cmd.exe
PID 4756 wrote to memory of 1568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4756 wrote to memory of 1568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4756 wrote to memory of 1568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4756 wrote to memory of 1752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4756 wrote to memory of 1752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4756 wrote to memory of 1752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4756 wrote to memory of 3512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4756 wrote to memory of 3512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4756 wrote to memory of 3512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4756 wrote to memory of 5092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4756 wrote to memory of 5092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4756 wrote to memory of 5092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4756 wrote to memory of 2884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4756 wrote to memory of 2884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4756 wrote to memory of 2884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4756 wrote to memory of 4476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4756 wrote to memory of 4476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4756 wrote to memory of 4476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4756 wrote to memory of 3412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4756 wrote to memory of 3412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4756 wrote to memory of 3412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4756 wrote to memory of 3416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4756 wrote to memory of 3416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4756 wrote to memory of 3416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4756 wrote to memory of 3080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4756 wrote to memory of 3080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4756 wrote to memory of 3080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4756 wrote to memory of 3000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4756 wrote to memory of 3000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4756 wrote to memory of 3000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4756 wrote to memory of 3648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4756 wrote to memory of 3648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4756 wrote to memory of 3648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4756 wrote to memory of 3588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4756 wrote to memory of 3588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4756 wrote to memory of 3588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4756 wrote to memory of 3712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4756 wrote to memory of 3712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4756 wrote to memory of 3712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4756 wrote to memory of 2168 N/A C:\Windows\SysWOW64\cmd.exe C:\Folder767\cmsystem.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d72e2560484a0a90eecf8099edfb4c7c11c53ba4ec4333066d5eea3144112b12.exe

"C:\Users\Admin\AppData\Local\Temp\d72e2560484a0a90eecf8099edfb4c7c11c53ba4ec4333066d5eea3144112b12.exe"

C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe

"C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe" -p284579G45398T745398T

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Log\install.vbs"

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\wscript.exe" "C:\Log\install.vbs" Run

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\wscript.exe" "C:\Log\install.vbs" Run

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\wscript.exe" "C:\Log\install.vbs" Run

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\wscript.exe" "C:\Log\install.vbs" Run

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\wscript.exe" "C:\Log\install.vbs" Run

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Log\Windows\hiscomponent\install.bat" "

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Log"

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rutserv.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im systemc.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im drivemanag.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im dumprep.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im winlogs.exe

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SYSTEM\Remote Manipulator System" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\DEVICEMAP" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKEY_CURRENT_USER\Software\TektonIT\Remote Manipulator System" /f

C:\Windows\SysWOW64\regedit.exe

regedit /s "Windows\hiscomponent\regedit.reg"

C:\Windows\SysWOW64\timeout.exe

timeout 1

C:\Folder767\cmsystem.exe

cmsystem.exe

C:\Windows\SysWOW64\reg.exe

Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Java" /t REG_SZ /d "C:\Folder767\cmsystem.exe" /f

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Folder767\*.*"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Folder767"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Folder767\process.vbs"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /k C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Folder767\process.bat" "

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\find.exe

find "cmsystem.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 rmansys.ru udp
RU 31.31.198.18:80 rmansys.ru tcp
RU 31.31.198.18:80 rmansys.ru tcp
US 8.8.8.8:53 rms-server.tektonit.ru udp
RU 95.213.205.83:5655 rms-server.tektonit.ru tcp

Files

C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe

MD5 09d1e6f010baa5940e115cf1cf49fe4e
SHA1 6091f2f6c1b6c182daa0107e9e3ccda89ee8ad06
SHA256 7a0ba5129d25833995de6f38eb4ade26b55ddac3e22be0d3b8926a7fec3b6fa2
SHA512 0b6bb576d270dcfc067b72471a162ab8c1244b4376ffeb4fc77c0e4507684863aadc8b373d4549d433a6ceda277acf5c420dafa7696bac57ad4c17505073920a

C:\Users\Admin\AppData\Local\Temp\Windows\build\data.exe

MD5 09d1e6f010baa5940e115cf1cf49fe4e
SHA1 6091f2f6c1b6c182daa0107e9e3ccda89ee8ad06
SHA256 7a0ba5129d25833995de6f38eb4ade26b55ddac3e22be0d3b8926a7fec3b6fa2
SHA512 0b6bb576d270dcfc067b72471a162ab8c1244b4376ffeb4fc77c0e4507684863aadc8b373d4549d433a6ceda277acf5c420dafa7696bac57ad4c17505073920a

C:\Log\install.vbs

MD5 6cab561732bb524984d25e29b8e93414
SHA1 73adabe3f5191ea01d8026b14285f0330f97fccc
SHA256 81d2721f8da28ab12ab7e6572dbfe39c78f1eb24b09ccd9ae816dbcb9f398e60
SHA512 7f001fcdf73056fb688c62be0f68b1b1c54e3f0aff05b8e03e0947716e2cd771fa9e12314cb3b6efd9f971c889405d6eccb83a6ee48280e135fc6e14e216e45d

C:\Log\Windows\hiscomponent\install.bat

MD5 eb4c588945a9dddefb6106ee8b582259
SHA1 203a96e3e7693b840405d32d6bd8f7c3a972e85b
SHA256 98c3f76263938afbbcfd5cf92968555fa548f9a2e0e1511e9a2845ab68fac476
SHA512 f5d7ab9e9935a4254b6c6b551dd1d2c33809925cde3e5f9b74ee95b1bf7abc2e360e7cf47fe1db36e9acc53f4c5534beb15e6527c674c4f4dea6a0060cb10980

memory/2928-134-0x000002B17B130000-0x000002B17B140000-memory.dmp

memory/2928-135-0x000002B17B190000-0x000002B17B1A0000-memory.dmp

memory/2928-136-0x000002B17DE80000-0x000002B17DE84000-memory.dmp

C:\Log\Windows\hiscomponent\regedit.reg

MD5 2381059b5f0e4ac5535c9c45acf8a992
SHA1 626d2162499c32208ca15681f900b2603aa567c8
SHA256 6697d59c198707fbf7b83ddeb79e2ce59181e3ccd206abde5edd824724cea0f7
SHA512 9f82a2ec1b59d5c74b122dc0d1f771003c2d711f3048a1ca2c288f4248bb76ad689216057b74b85512a3a8b28b66e6fd13a7c567e8113a640fd9c2acf7488046

C:\Log\Windows\hiscomponent\rutserv.exe

MD5 80ce3eba6ae11d4e0a731f9eedd68f54
SHA1 9e6ca06d9896a84801ab4adbecbe91f91787bb32
SHA256 93730cdb5e9463ee8e1f480d94f412d9d2fee39ed1d3e332b0eff6f72b6ab695
SHA512 ee18d5e03d72cf16ee752336aee10b8979bba16ea731a5e5d236e0807c0cb857f4e4a7dcfdc75cbf9c58757d96432085082442fd771a9aac0af4b96acc853b4e

C:\Log\Windows\hiscomponent\vp8encoder.dll

MD5 6298c0af3d1d563834a218a9cc9f54bd
SHA1 0185cd591e454ed072e5a5077b25c612f6849dc9
SHA256 81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172
SHA512 389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

C:\Log\RDPCheck.exe

MD5 8f82226b2f24d470c02f6664f67f23f7
SHA1 66f40824b406c748846ef11e6b022958f8cbe48b
SHA256 5603338a1f8dbb46efb8e0869db3491d5db92f362711d6680f91ecc5d18bfadf
SHA512 04bc1f785bddf264699fb6bf6fce9652af8c95872f8fef93540f0b86df2e93ced910f01dc54a76a5425d2f5446d587df6ad20d8976fc4be7e9ce3511eb4b00ee

C:\Log\RDPConf.exe

MD5 1e4537b75cad6288f68d595d9c9b13c1
SHA1 9cc14ce3a3982376f454bd3833f4774d955d9bd3
SHA256 8b266c0945d003f5d0b2d6f59239e9dffb41dbccd1659d2c05bbf472ba1f0ccf
SHA512 8caa7b17ed4ec760d4e665ec8ffb543fb3a2287dbe4ba4b08daf9a46819ec662e4e3105e0f9d7ad94edb2d477551d2ca0ebce870d489a0713f8676978b0cc3ec

C:\Log\RDPWInst.exe

MD5 ce6a1d8fe9d16f4c4e2f41ef6cd3ad9b
SHA1 87a89f73faf22dbb6af94f0edbf4cf484673f572
SHA256 cb55b418cd219bcea3cb9dbfca4262d92affaabf34623e6f1e3ce8581c6cd5b2
SHA512 cea5f06d08bf5ee76aef21f05a1857dbfb240c02aff877df7a33b42d59571b4fc6358f0176e3e8ef53c8e06249e65c4e700a18e547c3071413591e4542ff0e9d

C:\Log\install.bat

MD5 cce1e07cf18ea79cc9e87922e9f5609a
SHA1 6800e3e5d42fc0e1d5834214df1958112066a626
SHA256 7afa7437b35cc7961ef51c3672e709f0aaf63b87badf1a884a6713e5749a9292
SHA512 b770d184fb371362fd6ba39e9c2462bb7fa8c7ffa4b1ffb55759fc37e5f06fb0f853e918dad5784d49cc33394c4f6295f5dda99f27304a5f0b34e9eb726fedf6

C:\Log\update.bat

MD5 29ca1c35075247b035af75c11cab78f1
SHA1 4f670d13d7532462f4b1e66d085ef8b9f065ff88
SHA256 353f2dc17a4e80564caa175f7170dbedc1b40f704444520ae671f78a5d1f2b6d
SHA512 3970adc72020194f93935fad2c17790170da7f0f4444e2bfc402f9924fdceaa4b6443e9871c3b8cda24089b84cbdcf185f0d31238c0be93c58e280cf36ab71a7

C:\Log\Windows\hiscomponent\process.vbs

MD5 7528d4ce3012284acc761d14650abc50
SHA1 cacddad01db6f784a1ee2c6163c5b801cd4b9f7f
SHA256 e5dbdd95312fd15449273bc676dd6e9b1c0cd647689ff0ca558f70bc9b40ffb1
SHA512 b6ed0a28414b18fa04c9a92e3c36d7b4ec27895213e8fc4d51b41a3a80f9b5ea6261d1d5adf502ca619c7a4da325da29439fe25a11affe972486ebfff53aaa16

C:\Log\Windows\hiscomponent\process.bat

MD5 e3af8823d2435a5f155da3fc20beb11c
SHA1 be85dc7e06a8f497c94c256fa88e64da65748714
SHA256 4579a561ef0f1ada31217283f66cfabd954cae029d0610a5e7a23cdef0108bf3
SHA512 7ceaa46db0cf586b515592f4a13f3cd409cf6c2610ef4ffe285836cddcff52960c6ccf6e55080bdca5f0260f02ca1ec1f31f2373042614aeed2d74918396d5c3

C:\Folder767\cmsystem.exe

MD5 80ce3eba6ae11d4e0a731f9eedd68f54
SHA1 9e6ca06d9896a84801ab4adbecbe91f91787bb32
SHA256 93730cdb5e9463ee8e1f480d94f412d9d2fee39ed1d3e332b0eff6f72b6ab695
SHA512 ee18d5e03d72cf16ee752336aee10b8979bba16ea731a5e5d236e0807c0cb857f4e4a7dcfdc75cbf9c58757d96432085082442fd771a9aac0af4b96acc853b4e

C:\Folder767\cmsystem.exe

MD5 80ce3eba6ae11d4e0a731f9eedd68f54
SHA1 9e6ca06d9896a84801ab4adbecbe91f91787bb32
SHA256 93730cdb5e9463ee8e1f480d94f412d9d2fee39ed1d3e332b0eff6f72b6ab695
SHA512 ee18d5e03d72cf16ee752336aee10b8979bba16ea731a5e5d236e0807c0cb857f4e4a7dcfdc75cbf9c58757d96432085082442fd771a9aac0af4b96acc853b4e

C:\Folder767\RDPCheck.exe

MD5 8f82226b2f24d470c02f6664f67f23f7
SHA1 66f40824b406c748846ef11e6b022958f8cbe48b
SHA256 5603338a1f8dbb46efb8e0869db3491d5db92f362711d6680f91ecc5d18bfadf
SHA512 04bc1f785bddf264699fb6bf6fce9652af8c95872f8fef93540f0b86df2e93ced910f01dc54a76a5425d2f5446d587df6ad20d8976fc4be7e9ce3511eb4b00ee

C:\Folder767\vp8encoder.dll

MD5 6298c0af3d1d563834a218a9cc9f54bd
SHA1 0185cd591e454ed072e5a5077b25c612f6849dc9
SHA256 81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172
SHA512 389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

C:\Folder767\update.bat

MD5 29ca1c35075247b035af75c11cab78f1
SHA1 4f670d13d7532462f4b1e66d085ef8b9f065ff88
SHA256 353f2dc17a4e80564caa175f7170dbedc1b40f704444520ae671f78a5d1f2b6d
SHA512 3970adc72020194f93935fad2c17790170da7f0f4444e2bfc402f9924fdceaa4b6443e9871c3b8cda24089b84cbdcf185f0d31238c0be93c58e280cf36ab71a7

C:\Folder767\RDPConf.exe

MD5 1e4537b75cad6288f68d595d9c9b13c1
SHA1 9cc14ce3a3982376f454bd3833f4774d955d9bd3
SHA256 8b266c0945d003f5d0b2d6f59239e9dffb41dbccd1659d2c05bbf472ba1f0ccf
SHA512 8caa7b17ed4ec760d4e665ec8ffb543fb3a2287dbe4ba4b08daf9a46819ec662e4e3105e0f9d7ad94edb2d477551d2ca0ebce870d489a0713f8676978b0cc3ec

C:\Folder767\RDPWInst.exe

MD5 ce6a1d8fe9d16f4c4e2f41ef6cd3ad9b
SHA1 87a89f73faf22dbb6af94f0edbf4cf484673f572
SHA256 cb55b418cd219bcea3cb9dbfca4262d92affaabf34623e6f1e3ce8581c6cd5b2
SHA512 cea5f06d08bf5ee76aef21f05a1857dbfb240c02aff877df7a33b42d59571b4fc6358f0176e3e8ef53c8e06249e65c4e700a18e547c3071413591e4542ff0e9d

C:\Folder767\process.bat

MD5 e3af8823d2435a5f155da3fc20beb11c
SHA1 be85dc7e06a8f497c94c256fa88e64da65748714
SHA256 4579a561ef0f1ada31217283f66cfabd954cae029d0610a5e7a23cdef0108bf3
SHA512 7ceaa46db0cf586b515592f4a13f3cd409cf6c2610ef4ffe285836cddcff52960c6ccf6e55080bdca5f0260f02ca1ec1f31f2373042614aeed2d74918396d5c3

C:\Folder767\install.bat

MD5 cce1e07cf18ea79cc9e87922e9f5609a
SHA1 6800e3e5d42fc0e1d5834214df1958112066a626
SHA256 7afa7437b35cc7961ef51c3672e709f0aaf63b87badf1a884a6713e5749a9292
SHA512 b770d184fb371362fd6ba39e9c2462bb7fa8c7ffa4b1ffb55759fc37e5f06fb0f853e918dad5784d49cc33394c4f6295f5dda99f27304a5f0b34e9eb726fedf6

C:\Folder767\process.vbs

MD5 7528d4ce3012284acc761d14650abc50
SHA1 cacddad01db6f784a1ee2c6163c5b801cd4b9f7f
SHA256 e5dbdd95312fd15449273bc676dd6e9b1c0cd647689ff0ca558f70bc9b40ffb1
SHA512 b6ed0a28414b18fa04c9a92e3c36d7b4ec27895213e8fc4d51b41a3a80f9b5ea6261d1d5adf502ca619c7a4da325da29439fe25a11affe972486ebfff53aaa16

C:\Log\uninstall.bat

MD5 eccb8a01d0427ef29c2380d7dda399f3
SHA1 302601e99d6b02e2e84a0de5c0dce3df139cba31
SHA256 083cd340c800cc021d4a59388680ce0e7ab0f8b998e67def6a507070e7fa01b7
SHA512 78d51882fe04cb64f9f6a82b604ef20e4324e5bc37701747fa55b3c153baa5942774daf737ff204f9e75e81a745ed95cc7ec115da91b9e27e646ed41d3f103f9

memory/2168-158-0x0000000002810000-0x0000000002811000-memory.dmp