Analysis
max time kernel: 150s
max time network: 151s
platform: windows7_x64
resource: win7
submitted: 16/07/2020, 18:56
Static task: static1
Behavioral task: behavioral1
  Sample: 838111ab2eddfdd565bf1bd43c7af7c3.exe
  Resource: win7
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: 838111ab2eddfdd565bf1bd43c7af7c3.exe
  Resource: win10v200430
  0 signatures, 0 seconds
General
Target: 838111ab2eddfdd565bf1bd43c7af7c3.exe
Size: 703KB
MD5: 838111ab2eddfdd565bf1bd43c7af7c3
SHA1: 0c3959714516584b1890096d1bee6815b751c392
SHA256: 66251b30db7b4c7d47cfcea9872b37d789d3ff7591996b1ddac5ad85106bf381
SHA512: 7c53e746502ddebd8b01c96405c883cfe108786e195bfee554e20dedf96937d9356ecfd4b310e1b637fb52d41f402d37ee6e55885be06c4eee38a3163e1feb49
Score: 8/10
Malware Config
Signatures

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \Registry\User\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | colorcpl.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\XTKDQ0Q8WL = "C:\\Users\\Admin\\AppData\\Roaming\\gdher\\fgtdhg.exe" | colorcpl.exe

Adds policy Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Key created | \Registry\User\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | colorcpl.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Suspicious use of WriteProcessMemory (426 IoCs)
description | pid | Process | procid_target | repeats
PID 1060 wrote to memory of 1084 | 1060 | 838111ab2eddfdd565bf1bd43c7af7c3.exe | 24 | x6
PID 1084 wrote to memory of 836 | 1084 | notepad.exe | 25 | x4
PID 836 wrote to memory of 1432 | 836 | fgtdhg.exe | 26 | x4
PID 836 wrote to memory of 1496 | 836 | fgtdhg.exe | 27 | x4
PID 1324 wrote to memory of 888 | 1324 | Explorer.EXE | 28 | x4
PID 1496 wrote to memory of 644 | 1496 | fgtdhg.exe | 29 | x4
PID 644 wrote to memory of 532 | 644 | fgtdhg.exe | 30 | x4
PID 644 wrote to memory of 1048 | 644 | fgtdhg.exe | 31 | x4
PID 532 wrote to memory of 1392 | 532 | fgtdhg.exe | 33 | x4
PID 1048 wrote to memory of 1260 | 1048 | fgtdhg.exe | 34 | x4
PID 1260 wrote to memory of 1792 | 1260 | fgtdhg.exe | 35 | x4
PID 1260 wrote to memory of 1852 | 1260 | fgtdhg.exe | 36 | x4
PID 888 wrote to memory of 1648 | 888 | colorcpl.exe | 37 | x4
PID 1324 wrote to memory of 1604 | 1324 | Explorer.EXE | 38 | x4
PID 1852 wrote to memory of 1656 | 1852 | fgtdhg.exe | 39 | x4
PID 1656 wrote to memory of 1576 | 1656 | fgtdhg.exe | 40 | x4
PID 1656 wrote to memory of 1920 | 1656 | fgtdhg.exe | 41 | x4
PID 1324 wrote to memory of 1908 | 1324 | Explorer.EXE | 42 | x4
PID 888 wrote to memory of 1648 | 888 | colorcpl.exe | 37 | x1
PID 1920 wrote to memory of 1940 | 1920 | fgtdhg.exe | 43 | x4
PID 1940 wrote to memory of 1944 | 1940 | fgtdhg.exe | 44 | x4
PID 1940 wrote to memory of 1996 | 1940 | fgtdhg.exe | 45 | x4
PID 1324 wrote to memory of 1028 | 1324 | Explorer.EXE | 46 | x4
PID 1996 wrote to memory of 1040 | 1996 | fgtdhg.exe | 47 | x4
PID 1040 wrote to memory of 1504 | 1040 | fgtdhg.exe | 48 | x4
PID 1040 wrote to memory of 1072 | 1040 | fgtdhg.exe | 49 | x4
PID 1324 wrote to memory of 612 | 1324 | Explorer.EXE | 50 | x4
PID 1072 wrote to memory of 1424 | 1072 | fgtdhg.exe | 51 | x4
PID 1424 wrote to memory of 1476 | 1424 | fgtdhg.exe | 52 | x4
PID 1424 wrote to memory of 1632 | 1424 | fgtdhg.exe | 53 | x4
PID 1324 wrote to memory of 1628 | 1324 | Explorer.EXE | 54 | x4
PID 1632 wrote to memory of 656 | 1632 | fgtdhg.exe | 55 | x4
PID 656 wrote to memory of 308 | 656 | fgtdhg.exe | 56 | x4
PID 656 wrote to memory of 580 | 656 | fgtdhg.exe | 57 | x4
PID 1324 wrote to memory of 560 | 1324 | Explorer.EXE | 58 | x4
PID 580 wrote to memory of 1532 | 580 | fgtdhg.exe | 59 | x4
PID 1532 wrote to memory of 364 | 1532 | fgtdhg.exe | 60 | x4
PID 1532 wrote to memory of 1048 | 1532 | fgtdhg.exe | 61 | x4
PID 1324 wrote to memory of 1164 | 1324 | Explorer.EXE | 110 | x4
PID 1048 wrote to memory of 1660 | 1048 | fgtdhg.exe | 111 | x4
PID 1660 wrote to memory of 1600 | 1660 | fgtdhg.exe | 112 | x4
PID 1660 wrote to memory of 1800 | 1660 | fgtdhg.exe | 113 | x4
PID 1324 wrote to memory of 1864 | 1324 | Explorer.EXE | 114 | x4
PID 1800 wrote to memory of 1868 | 1800 | fgtdhg.exe | 115 | x4
PID 1868 wrote to memory of 1900 | 1868 | fgtdhg.exe | 116 | x4
PID 1868 wrote to memory of 1952 | 1868 | fgtdhg.exe | 117 | x4
PID 1324 wrote to memory of 1928 | 1324 | Explorer.EXE | 118 | x4
PID 1952 wrote to memory of 1924 | 1952 | fgtdhg.exe | 119 | x4
PID 1924 wrote to memory of 2020 | 1924 | fgtdhg.exe | 120 | x4
PID 1924 wrote to memory of 1064 | 1924 | fgtdhg.exe | 121 | x4
PID 1324 wrote to memory of 1212 | 1324 | Explorer.EXE | 122 | x4
PID 1064 wrote to memory of 1568 | 1064 | fgtdhg.exe | 123 | x4
PID 1568 wrote to memory of 1308 | 1568 | fgtdhg.exe | 124 | x4
PID 1568 wrote to memory of 1616 | 1568 | fgtdhg.exe | 125 | x4
PID 1324 wrote to memory of 776 | 1324 | Explorer.EXE | 126 | x4
PID 1616 wrote to memory of 620 | 1616 | fgtdhg.exe | 127 | x4
PID 620 wrote to memory of 1764 | 620 | fgtdhg.exe | 128 | x4
PID 620 wrote to memory of 1392 | 620 | fgtdhg.exe | 129 | x4
PID 1324 wrote to memory of 1760 | 1324 | Explorer.EXE | 130 | x4
PID 1392 wrote to memory of 1768 | 1392 | fgtdhg.exe | 131 | x4
PID 1768 wrote to memory of 1116 | 1768 | fgtdhg.exe | 132 | x4
PID 1768 wrote to memory of 1844 | 1768 | fgtdhg.exe | 133 | x4
PID 1324 wrote to memory of 1448 | 1324 | Explorer.EXE | 141 | x4
PID 1844 wrote to memory of 1884 | 1844 | fgtdhg.exe | 142 | x4
PID 1884 wrote to memory of 1916 | 1884 | fgtdhg.exe | 143 | x4
PID 1884 wrote to memory of 2028 | 1884 | fgtdhg.exe | 144 | x4
PID 1324 wrote to memory of 1508 | 1324 | Explorer.EXE | 145 | x4
PID 2028 wrote to memory of 1492 | 2028 | fgtdhg.exe | 146 | x4
PID 1492 wrote to memory of 1040 | 1492 | fgtdhg.exe | 147 | x4
PID 1492 wrote to memory of 1556 | 1492 | fgtdhg.exe | 148 | x4
PID 1324 wrote to memory of 316 | 1324 | Explorer.EXE | 149 | x7
PID 1556 wrote to memory of 1436 | 1556 | fgtdhg.exe | 150 | x4
PID 1436 wrote to memory of 1096 | 1436 | fgtdhg.exe | 151 | x4
PID 1436 wrote to memory of 1356 | 1436 | fgtdhg.exe | 152 | x4
PID 1324 wrote to memory of 1148 | 1324 | Explorer.EXE | 153 | x7
PID 1356 wrote to memory of 1516 | 1356 | fgtdhg.exe | 154 | x4
PID 1516 wrote to memory of 1036 | 1516 | fgtdhg.exe | 155 | x4
PID 1516 wrote to memory of 468 | 1516 | fgtdhg.exe | 156 | x4
PID 1324 wrote to memory of 788 | 1324 | Explorer.EXE | 157 | x4
PID 468 wrote to memory of 1332 | 468 | fgtdhg.exe | 158 | x4
PID 1332 wrote to memory of 1644 | 1332 | fgtdhg.exe | 159 | x4
PID 1332 wrote to memory of 1968 | 1332 | fgtdhg.exe | 160 | x4
PID 1324 wrote to memory of 1656 | 1324 | Explorer.EXE | 161 | x7
PID 1968 wrote to memory of 2040 | 1968 | fgtdhg.exe | 162 | x4
PID 2040 wrote to memory of 1920 | 2040 | fgtdhg.exe | 163 | x4
PID 2040 wrote to memory of 2008 | 2040 | fgtdhg.exe | 164 | x4
PID 1324 wrote to memory of 1408 | 1324 | Explorer.EXE | 165 | x7
PID 2008 wrote to memory of 1924 | 2008 | fgtdhg.exe | 166 | x4
PID 1924 wrote to memory of 1572 | 1924 | fgtdhg.exe | 167 | x4
PID 1924 wrote to memory of 1568 | 1924 | fgtdhg.exe | 168 | x4
PID 1324 wrote to memory of 1424 | 1324 | Explorer.EXE | 169 | x7
PID 1568 wrote to memory of 908 | 1568 | fgtdhg.exe | 170 | x4
PID 908 wrote to memory of 1048 | 908 | fgtdhg.exe | 171 | x4
PID 908 wrote to memory of 1400 | 908 | fgtdhg.exe | 172 | x4
PID 1324 wrote to memory of 1588 | 1324 | Explorer.EXE | 173 | x4
PID 1400 wrote to memory of 1516 | 1400 | fgtdhg.exe | 174 | x4
PID 1516 wrote to memory of 1808 | 1516 | fgtdhg.exe | 175 | x4
PID 1516 wrote to memory of 1128 | 1516 | fgtdhg.exe | 176 | x4
PID 1324 wrote to memory of 1132 | 1324 | Explorer.EXE | 177 | x4
PID 1128 wrote to memory of 468 | 1128 | fgtdhg.exe | 178 | x4
PID 468 wrote to memory of 1332 | 468 | fgtdhg.exe | 179 | x4
PID 468 wrote to memory of 1868 | 468 | fgtdhg.exe | 180 | x4
PID 1324 wrote to memory of 1956 | 1324 | Explorer.EXE | 181 | x4
Suspicious behavior: MapViewOfSection (110 IoCs)
pid | Process | repeats
836 | fgtdhg.exe | x1
1432 | fgtdhg.exe | x3
644 | fgtdhg.exe | x1
532 | fgtdhg.exe | x1
888 | colorcpl.exe | x1
532 | fgtdhg.exe | x1
888 | colorcpl.exe | x1
532 | fgtdhg.exe | x2
1260 | fgtdhg.exe | x1
888 | colorcpl.exe | x1
1792 | fgtdhg.exe | x3
1656 | fgtdhg.exe | x1
1576 | fgtdhg.exe | x1
888 | colorcpl.exe | x1
1576 | fgtdhg.exe | x2
1940 | fgtdhg.exe | x1
1944 | fgtdhg.exe | x3
1040 | fgtdhg.exe | x1
1504 | fgtdhg.exe | x4
1424 | fgtdhg.exe | x1
1476 | fgtdhg.exe | x3
656 | fgtdhg.exe | x1
308 | fgtdhg.exe | x4
1532 | fgtdhg.exe | x1
364 | fgtdhg.exe | x4
1660 | fgtdhg.exe | x1
1600 | fgtdhg.exe | x4
1868 | fgtdhg.exe | x1
1900 | fgtdhg.exe | x3
1924 | fgtdhg.exe | x1
2020 | fgtdhg.exe | x3
1568 | fgtdhg.exe | x1
1308 | fgtdhg.exe | x3
620 | fgtdhg.exe | x1
1764 | fgtdhg.exe | x4
1768 | fgtdhg.exe | x1
1116 | fgtdhg.exe | x4
1884 | fgtdhg.exe | x1
1916 | fgtdhg.exe | x3
1492 | fgtdhg.exe | x1
1040 | fgtdhg.exe | x3
1436 | fgtdhg.exe | x1
1096 | fgtdhg.exe | x3
1516 | fgtdhg.exe | x1
1036 | fgtdhg.exe | x4
1332 | fgtdhg.exe | x1
1644 | fgtdhg.exe | x3
2040 | fgtdhg.exe | x1
1920 | fgtdhg.exe | x3
1924 | fgtdhg.exe | x1
1572 | fgtdhg.exe | x3
908 | fgtdhg.exe | x1
1048 | fgtdhg.exe | x3
1516 | fgtdhg.exe | x1
1808 | fgtdhg.exe | x3
468 | fgtdhg.exe | x1
1332 | fgtdhg.exe | x1
Suspicious use of SetThreadContext (59 IoCs)
description | pid | Process | procid_target | repeats
PID 836 set thread context of 1432 | 836 | fgtdhg.exe | 26 | x1
PID 1432 set thread context of 1324 | 1432 | fgtdhg.exe | 20 | x1
PID 644 set thread context of 532 | 644 | fgtdhg.exe | 30 | x1
PID 532 set thread context of 1324 | 532 | fgtdhg.exe | 20 | x2
PID 888 set thread context of 1324 | 888 | colorcpl.exe | 20 | x1
PID 1260 set thread context of 1792 | 1260 | fgtdhg.exe | 35 | x1
PID 1792 set thread context of 1324 | 1792 | fgtdhg.exe | 20 | x1
PID 1656 set thread context of 1576 | 1656 | fgtdhg.exe | 40 | x1
PID 1576 set thread context of 1324 | 1576 | fgtdhg.exe | 20 | x1
PID 1940 set thread context of 1944 | 1940 | fgtdhg.exe | 44 | x1
PID 1944 set thread context of 1324 | 1944 | fgtdhg.exe | 20 | x1
PID 1040 set thread context of 1504 | 1040 | fgtdhg.exe | 48 | x1
PID 1504 set thread context of 1324 | 1504 | fgtdhg.exe | 20 | x2
PID 1424 set thread context of 1476 | 1424 | fgtdhg.exe | 52 | x1
PID 1476 set thread context of 1324 | 1476 | fgtdhg.exe | 20 | x1
PID 656 set thread context of 308 | 656 | fgtdhg.exe | 56 | x1
PID 308 set thread context of 1324 | 308 | fgtdhg.exe | 20 | x2
PID 1532 set thread context of 364 | 1532 | fgtdhg.exe | 60 | x1
PID 364 set thread context of 1324 | 364 | fgtdhg.exe | 20 | x2
PID 1660 set thread context of 1600 | 1660 | fgtdhg.exe | 112 | x1
PID 1600 set thread context of 1324 | 1600 | fgtdhg.exe | 20 | x2
PID 1868 set thread context of 1900 | 1868 | fgtdhg.exe | 116 | x1
PID 1900 set thread context of 1324 | 1900 | fgtdhg.exe | 20 | x1
PID 1924 set thread context of 2020 | 1924 | fgtdhg.exe | 120 | x1
PID 2020 set thread context of 1324 | 2020 | fgtdhg.exe | 20 | x1
PID 1568 set thread context of 1308 | 1568 | fgtdhg.exe | 124 | x1
PID 1308 set thread context of 1324 | 1308 | fgtdhg.exe | 20 | x1
PID 620 set thread context of 1764 | 620 | fgtdhg.exe | 128 | x1
PID 1764 set thread context of 1324 | 1764 | fgtdhg.exe | 20 | x2
PID 1768 set thread context of 1116 | 1768 | fgtdhg.exe | 132 | x1
PID 1116 set thread context of 1324 | 1116 | fgtdhg.exe | 20 | x2
PID 1884 set thread context of 1916 | 1884 | fgtdhg.exe | 143 | x1
PID 1916 set thread context of 1324 | 1916 | fgtdhg.exe | 20 | x1
PID 1492 set thread context of 1040 | 1492 | fgtdhg.exe | 147 | x1
PID 1040 set thread context of 1324 | 1040 | fgtdhg.exe | 20 | x1
PID 1436 set thread context of 1096 | 1436 | fgtdhg.exe | 151 | x1
PID 1096 set thread context of 1324 | 1096 | fgtdhg.exe | 20 | x1
PID 1516 set thread context of 1036 | 1516 | fgtdhg.exe | 155 | x1
PID 1036 set thread context of 1324 | 1036 | fgtdhg.exe | 20 | x2
PID 1332 set thread context of 1644 | 1332 | fgtdhg.exe | 159 | x1
PID 1644 set thread context of 1324 | 1644 | fgtdhg.exe | 20 | x1
PID 2040 set thread context of 1920 | 2040 | fgtdhg.exe | 163 | x1
PID 1920 set thread context of 1324 | 1920 | fgtdhg.exe | 20 | x1
PID 1924 set thread context of 1572 | 1924 | fgtdhg.exe | 167 | x1
PID 1572 set thread context of 1324 | 1572 | fgtdhg.exe | 20 | x1
PID 908 set thread context of 1048 | 908 | fgtdhg.exe | 171 | x1
PID 1048 set thread context of 1324 | 1048 | fgtdhg.exe | 20 | x1
PID 1516 set thread context of 1808 | 1516 | fgtdhg.exe | 175 | x1
PID 1808 set thread context of 1324 | 1808 | fgtdhg.exe | 20 | x1
PID 468 set thread context of 1332 | 468 | fgtdhg.exe | 179 | x1
PID 1332 set thread context of 1324 | 1332 | fgtdhg.exe | 20 | x1
Suspicious use of AdjustPrivilegeToken (50 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1432 | fgtdhg.exe
Token: SeDebugPrivilege | 888 | colorcpl.exe
Token: SeDebugPrivilege | 532 | fgtdhg.exe
Token: SeDebugPrivilege | 1392 | explorer.exe
Token: SeDebugPrivilege | 1792 | fgtdhg.exe
Token: SeDebugPrivilege | 1604 | cscript.exe
Token: SeDebugPrivilege | 1576 | fgtdhg.exe
Token: SeDebugPrivilege | 1908 | cmmon32.exe
Token: SeDebugPrivilege | 1944 | fgtdhg.exe
Token: SeDebugPrivilege | 1028 | systray.exe
Token: SeDebugPrivilege | 1504 | fgtdhg.exe
Token: SeDebugPrivilege | 612 | help.exe
Token: SeDebugPrivilege | 1476 | fgtdhg.exe
Token: SeDebugPrivilege | 1628 | mstsc.exe
Token: SeDebugPrivilege | 308 | fgtdhg.exe
Token: SeShutdownPrivilege | 1324 | Explorer.EXE
Token: SeDebugPrivilege | 560 | control.exe
Token: SeDebugPrivilege | 364 | fgtdhg.exe
Token: SeDebugPrivilege | 1164 | chkdsk.exe
Token: SeDebugPrivilege | 1600 | fgtdhg.exe
Token: SeDebugPrivilege | 1864 | help.exe
Token: SeDebugPrivilege | 1900 | fgtdhg.exe
Token: SeDebugPrivilege | 1928 | svchost.exe
Token: SeDebugPrivilege | 2020 | fgtdhg.exe
Token: SeDebugPrivilege | 1212 | chkdsk.exe
Token: SeDebugPrivilege | 1308 | fgtdhg.exe
Token: SeDebugPrivilege | 776 | wscript.exe
Token: SeDebugPrivilege | 1764 | fgtdhg.exe
Token: SeDebugPrivilege | 1760 | svchost.exe
Token: SeDebugPrivilege | 1116 | fgtdhg.exe
Token: SeDebugPrivilege | 1448 | systray.exe
Token: SeDebugPrivilege | 1916 | fgtdhg.exe
Token: SeDebugPrivilege | 1508 | help.exe
Token: SeDebugPrivilege | 1040 | fgtdhg.exe
Token: SeDebugPrivilege | 316 | rundll32.exe
Token: SeDebugPrivilege | 1096 | fgtdhg.exe
Token: SeDebugPrivilege | 1148 | wuapp.exe
Token: SeDebugPrivilege | 1036 | fgtdhg.exe
Token: SeDebugPrivilege | 788 | cmd.exe
Token: SeDebugPrivilege | 1644 | fgtdhg.exe
Token: SeDebugPrivilege | 1656 | cmstp.exe
Token: SeDebugPrivilege | 1920 | fgtdhg.exe
Token: SeDebugPrivilege | 1408 | rundll32.exe
Token: SeDebugPrivilege | 1572 | fgtdhg.exe
Token: SeDebugPrivilege | 1424 | msiexec.exe
Token: SeDebugPrivilege | 1048 | fgtdhg.exe
Token: SeDebugPrivilege | 1588 | NAPSTAT.EXE
Token: SeDebugPrivilege | 1808 | fgtdhg.exe
Token: SeDebugPrivilege | 1132 | chkdsk.exe
Token: SeDebugPrivilege | 1332 | fgtdhg.exe
NTFS ADS (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe:ZoneIdentifier | notepad.exe
Suspicious behavior: EnumeratesProcesses 1446 IoCs
Executes dropped EXE 75 IoCs
pid Process 836 fgtdhg.exe 1432 fgtdhg.exe 1496 fgtdhg.exe 644 fgtdhg.exe 532 fgtdhg.exe 1048 fgtdhg.exe 1260 fgtdhg.exe 1792 fgtdhg.exe 1852 fgtdhg.exe 1656 fgtdhg.exe 1576 fgtdhg.exe 1920 fgtdhg.exe 1940 fgtdhg.exe 1944 fgtdhg.exe 1996 fgtdhg.exe 1040 fgtdhg.exe 1504 fgtdhg.exe 1072 fgtdhg.exe 1424 fgtdhg.exe 1476 fgtdhg.exe 1632 fgtdhg.exe 656 fgtdhg.exe 308 fgtdhg.exe 580 fgtdhg.exe 1532 fgtdhg.exe 364 fgtdhg.exe 1048 fgtdhg.exe 1660 fgtdhg.exe 1600 fgtdhg.exe 1800 fgtdhg.exe 1868 fgtdhg.exe 1900 fgtdhg.exe 1952 fgtdhg.exe 1924 fgtdhg.exe 2020 fgtdhg.exe 1064 fgtdhg.exe 1568 fgtdhg.exe 1308 fgtdhg.exe 1616 fgtdhg.exe 620 fgtdhg.exe 1764 fgtdhg.exe 1392 fgtdhg.exe 1768 fgtdhg.exe 1116 fgtdhg.exe 1844 fgtdhg.exe 1884 fgtdhg.exe 1916 fgtdhg.exe 2028 fgtdhg.exe 1492 fgtdhg.exe 1040 fgtdhg.exe 1556 fgtdhg.exe 1436 fgtdhg.exe 1096 fgtdhg.exe 1356 fgtdhg.exe 1516 fgtdhg.exe 1036 fgtdhg.exe 468 fgtdhg.exe 1332 fgtdhg.exe 1644 fgtdhg.exe 1968 fgtdhg.exe 2040 fgtdhg.exe 1920 fgtdhg.exe 2008 fgtdhg.exe 1924 fgtdhg.exe 1572 fgtdhg.exe 1568 fgtdhg.exe 908 fgtdhg.exe 1048 fgtdhg.exe 1400 fgtdhg.exe 1516 fgtdhg.exe 1808 fgtdhg.exe 1128 fgtdhg.exe 468 fgtdhg.exe 1332 fgtdhg.exe 1868 fgtdhg.exe -
Suspicious use of SendNotifyMessage 4 IoCs
pid   Process
1324  Explorer.EXE  (4 occurrences)
Enumerates system info in registry 2 TTPs 3 IoCs
description        ioc                                                         Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier  chkdsk.exe  (3 occurrences)
Loads dropped DLL 2 IoCs
pid   Process
1084  notepad.exe  (2 occurrences)
Suspicious use of FindShellTrayWindow 5 IoCs
pid   Process
1324  Explorer.EXE  (5 occurrences)
Drops startup file 1 IoCs
description   ioc                                                                                       Process
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shndg.vbs  notepad.exe
description  ioc                                                                                                                   Process
Key created  \Registry\User\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2  colorcpl.exe
description        ioc                                                                          Process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  Explorer.EXE
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
- Suspicious use of FindShellTrayWindow
- Checks whether UAC is enabled
PID:1324 -
C:\Users\Admin\AppData\Local\Temp\838111ab2eddfdd565bf1bd43c7af7c3.exe"C:\Users\Admin\AppData\Local\Temp\838111ab2eddfdd565bf1bd43c7af7c3.exe"2⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
PID:1060 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"3⤵
- Suspicious use of WriteProcessMemory
- NTFS ADS
- Loads dropped DLL
- Drops startup file
PID:1084 -
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"4⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
PID:836 -
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"5⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
PID:1432
-
-
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe" 2 1432 652245⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
PID:1496 -
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"6⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
PID:644 -
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"7⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
PID:532 -
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1392
-
-
-
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe" 2 532 692027⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
PID:1048 -
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"8⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Executes dropped EXE
PID:1260 -
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"9⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:1792
-
-
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe" 2 1792 822909⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:1852 -
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"10⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Executes dropped EXE
PID:1656 -
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"11⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:1576
-
-
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe" 2 1576 8690811⤵
- Executes dropped EXE
PID:1920 -
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"12⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Executes dropped EXE
PID:1940 -
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"13⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:1944
-
-
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe" 2 1944 9083913⤵
- Executes dropped EXE
PID:1996 -
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"14⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Executes dropped EXE
PID:1040 -
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"15⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:1504
-
-
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe" 2 1504 9486415⤵
- Executes dropped EXE
PID:1072 -
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"16⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Executes dropped EXE
PID:1424 -
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"17⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:1476
-
-
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe" 2 1476 10481717⤵
- Executes dropped EXE
PID:1632 -
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"18⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Executes dropped EXE
PID:656 -
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"19⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:308
-
-
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe" 2 308 10882619⤵
- Executes dropped EXE
PID:580 -
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"20⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Executes dropped EXE
PID:1532 -
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"21⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:364
-
-
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe" 2 364 11879421⤵
- Executes dropped EXE
PID:1048 -
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"22⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Executes dropped EXE
PID:1660 -
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"23⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:1600
-
-
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe" 2 1600 12884123⤵
- Executes dropped EXE
PID:1800 -
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"24⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Executes dropped EXE
PID:1868 -
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"25⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:1900
-
-
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe" 2 1900 13895025⤵
- Executes dropped EXE
PID:1952 -
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"26⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Executes dropped EXE
PID:1924 -
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"27⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:2020
-
-
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe" 2 2020 14278727⤵
- Executes dropped EXE
PID:1064 -
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"28⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Executes dropped EXE
PID:1568 -
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"29⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:1308
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe" 2 1308 14676529⤵
- Executes dropped EXE
PID:1616 -
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"30⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Executes dropped EXE
PID:620 -
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"31⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:1764
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe" 2 1764 15072831⤵
- Executes dropped EXE
PID:1392 -
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"32⤵
- Suspicious use of SetThreadContext
- Executes dropped EXE
PID:1768 -
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"33⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:1116
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe" 2 1116 16069633⤵
- Executes dropped EXE
PID:1844 -
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"34⤵
- Suspicious use of SetThreadContext
- Executes dropped EXE
PID:1884 -
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"35⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:1916
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe" 2 1916 17068035⤵
- Executes dropped EXE
PID:2028 -
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"36⤵
- Suspicious use of SetThreadContext
- Executes dropped EXE
PID:1492 -
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"37⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:1040
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe" 2 1040 17464337⤵
- Executes dropped EXE
PID:1556 -
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"38⤵
- Suspicious use of SetThreadContext
- Executes dropped EXE
PID:1436 -
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"39⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:1096
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe" 2 1096 17852739⤵
- Executes dropped EXE
PID:1356 -
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"40⤵
- Suspicious use of SetThreadContext
- Executes dropped EXE
PID:1516 -
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"41⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:1036
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe" 2 1036 18255241⤵
- Executes dropped EXE
PID:468 -
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"42⤵
- Suspicious use of SetThreadContext
- Executes dropped EXE
PID:1332 -
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"43⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:1644
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe" 2 1644 19272343⤵
- Executes dropped EXE
PID:1968 -
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"44⤵
- Suspicious use of SetThreadContext
- Executes dropped EXE
PID:2040 -
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"45⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
PID:1920
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe" 2 1920 19677945⤵
- Executes dropped EXE
PID:2008 -
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"46⤵
- Suspicious use of SetThreadContext
- Executes dropped EXE
PID:1924 -
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"47⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1572
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe" 2 1572 20063247⤵PID:1568
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"48⤵
- Suspicious use of SetThreadContext
PID:908 -
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"49⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1048
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe" 2 1048 20434549⤵PID:1400
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"50⤵
- Suspicious use of SetThreadContext
PID:1516 -
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"51⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1808
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe" 2 1808 20840151⤵PID:1128
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"52⤵
- Suspicious use of SetThreadContext
PID:468 -
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"53⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1332
C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe" 2 1332 21228653⤵PID:1868
C:\Windows\SysWOW64\colorcpl.exe"C:\Windows\SysWOW64\colorcpl.exe"2⤵
- Adds Run key to start application
- Adds policy Run key to start application
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Modifies Internet Explorer settings
PID:888 -
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵PID:1648
C:\Windows\SysWOW64\cscript.exe"C:\Windows\SysWOW64\cscript.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1604
C:\Windows\SysWOW64\cmmon32.exe"C:\Windows\SysWOW64\cmmon32.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1908
C:\Windows\SysWOW64\systray.exe"C:\Windows\SysWOW64\systray.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1028
C:\Windows\SysWOW64\help.exe"C:\Windows\SysWOW64\help.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:612
C:\Windows\SysWOW64\mstsc.exe"C:\Windows\SysWOW64\mstsc.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1628
C:\Windows\SysWOW64\control.exe"C:\Windows\SysWOW64\control.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:560
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:1796
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:1660
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:1836
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:1356
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:1804
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:1488
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:1800
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:1856
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:1672
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:1644
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵PID:1872
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵PID:1664
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵PID:1876
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵PID:1596
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵PID:1912
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵PID:1964
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵PID:1900
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵PID:1968
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵PID:1904
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵PID:1920
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵PID:1956
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵PID:2040
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵PID:1928
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵PID:284
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵PID:1972
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵PID:452
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵PID:2028
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵PID:2020
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵PID:2000
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵PID:1996
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵PID:1572
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵PID:2024
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵PID:1508
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵PID:1212
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:884
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:1320
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:1556
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:1288
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:1308
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:1072
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:1580
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:292
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:836
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:1424
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:776
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:1436
C:\Windows\SysWOW64\chkdsk.exe"C:\Windows\SysWOW64\chkdsk.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
- Enumerates system info in registry
PID:1164
C:\Windows\SysWOW64\help.exe"C:\Windows\SysWOW64\help.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1864
C:\Windows\SysWOW64\svchost.exe"C:\Windows\SysWOW64\svchost.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1928
C:\Windows\SysWOW64\chkdsk.exe"C:\Windows\SysWOW64\chkdsk.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
- Enumerates system info in registry
PID:1212
C:\Windows\SysWOW64\wscript.exe"C:\Windows\SysWOW64\wscript.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:776
C:\Windows\SysWOW64\svchost.exe"C:\Windows\SysWOW64\svchost.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1760
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:1636
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:1644
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:1852
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:1672
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:1964
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:1912
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:1868
C:\Windows\SysWOW64\systray.exe"C:\Windows\SysWOW64\systray.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1448
C:\Windows\SysWOW64\help.exe"C:\Windows\SysWOW64\help.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1508
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:316
C:\Windows\SysWOW64\wuapp.exe"C:\Windows\SysWOW64\wuapp.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1148
C:\Windows\SysWOW64\cmd.exe"C:\Windows\SysWOW64\cmd.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:788
C:\Windows\SysWOW64\cmstp.exe"C:\Windows\SysWOW64\cmstp.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1656
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1408
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\SysWOW64\msiexec.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1424
C:\Windows\SysWOW64\NAPSTAT.EXE"C:\Windows\SysWOW64\NAPSTAT.EXE"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1588
C:\Windows\SysWOW64\chkdsk.exe"C:\Windows\SysWOW64\chkdsk.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
- Enumerates system info in registry
PID:1132
C:\Windows\SysWOW64\wscript.exe"C:\Windows\SysWOW64\wscript.exe"2⤵PID:1956