66251b30db7b4c7d47cfcea9872b37d789d3ff7591996b1ddac5ad85106bf381

Analysis

max time kernel
150s
max time network
135s
platform
windows10_x64
resource
win10v200430
submitted
16/07/2020, 18:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

838111ab2eddfdd565bf1bd43c7af7c3.exe
Size

703KB
MD5

838111ab2eddfdd565bf1bd43c7af7c3
SHA1

0c3959714516584b1890096d1bee6815b751c392
SHA256

66251b30db7b4c7d47cfcea9872b37d789d3ff7591996b1ddac5ad85106bf381
SHA512

7c53e746502ddebd8b01c96405c883cfe108786e195bfee554e20dedf96937d9356ecfd4b310e1b637fb52d41f402d37ee6e55885be06c4eee38a3163e1feb49

Score

8^/10

spyware persistence

Malware Config

Signatures

Suspicious use of SetThreadContext 66 IoCs

description	pid	Process	procid_target
PID 512 set thread context of 820	512	fgtdhg.exe	68
PID 820 set thread context of 3008	820	fgtdhg.exe	56
PID 820 set thread context of 3008	820	fgtdhg.exe	56
PID 1132 set thread context of 1316	1132	fgtdhg.exe	72
PID 1316 set thread context of 3008	1316	fgtdhg.exe	56
PID 2108 set thread context of 2176	2108	fgtdhg.exe	78
PID 2176 set thread context of 3008	2176	fgtdhg.exe	56
PID 776 set thread context of 1612	776	fgtdhg.exe	84
PID 372 set thread context of 3008	372	raserver.exe	56
PID 1612 set thread context of 3008	1612	fgtdhg.exe	56
PID 1612 set thread context of 3008	1612	fgtdhg.exe	56
PID 3604 set thread context of 3180	3604	fgtdhg.exe	93
PID 3180 set thread context of 3008	3180	fgtdhg.exe	56
PID 3180 set thread context of 3008	3180	fgtdhg.exe	56
PID 1364 set thread context of 1360	1364	fgtdhg.exe	97
PID 1360 set thread context of 3008	1360	fgtdhg.exe	56
PID 2152 set thread context of 2208	2152	fgtdhg.exe	101
PID 2208 set thread context of 3008	2208	fgtdhg.exe	56
PID 2664 set thread context of 3568	2664	fgtdhg.exe	105
PID 3568 set thread context of 3008	3568	fgtdhg.exe	56
PID 3568 set thread context of 3008	3568	fgtdhg.exe	56
PID 1436 set thread context of 2740	1436	fgtdhg.exe	109
PID 2740 set thread context of 3008	2740	fgtdhg.exe	56
PID 2988 set thread context of 1984	2988	fgtdhg.exe	113
PID 1984 set thread context of 3008	1984	fgtdhg.exe	56
PID 1000 set thread context of 704	1000	fgtdhg.exe	117
PID 704 set thread context of 3008	704	fgtdhg.exe	56
PID 864 set thread context of 2052	864	fgtdhg.exe	121
PID 2052 set thread context of 3008	2052	fgtdhg.exe	56
PID 2164 set thread context of 3856	2164	fgtdhg.exe	125
PID 3856 set thread context of 3008	3856	fgtdhg.exe	56
PID 2664 set thread context of 940	2664	fgtdhg.exe	129
PID 940 set thread context of 3008	940	fgtdhg.exe	56
PID 1908 set thread context of 4008	1908	fgtdhg.exe	133
PID 4008 set thread context of 3008	4008	fgtdhg.exe	56
PID 3848 set thread context of 1824	3848	fgtdhg.exe	137
PID 1824 set thread context of 3008	1824	fgtdhg.exe	56
PID 1148 set thread context of 1004	1148	fgtdhg.exe	141
PID 1004 set thread context of 3008	1004	fgtdhg.exe	56
PID 512 set thread context of 1916	512	fgtdhg.exe	145
PID 1916 set thread context of 3008	1916	fgtdhg.exe	56
PID 1916 set thread context of 3008	1916	fgtdhg.exe	56
PID 2152 set thread context of 3000	2152	fgtdhg.exe	149
PID 3000 set thread context of 3008	3000	fgtdhg.exe	56
PID 2880 set thread context of 1444	2880	fgtdhg.exe	153
PID 1444 set thread context of 3008	1444	fgtdhg.exe	56
PID 3840 set thread context of 3956	3840	fgtdhg.exe	157
PID 3956 set thread context of 3008	3956	fgtdhg.exe	56
PID 3396 set thread context of 1276	3396	fgtdhg.exe	161
PID 1276 set thread context of 3008	1276	fgtdhg.exe	56
PID 1192 set thread context of 1364	1192	fgtdhg.exe	165
PID 1364 set thread context of 3008	1364	fgtdhg.exe	56
PID 1132 set thread context of 1408	1132	fgtdhg.exe	170
PID 1408 set thread context of 3008	1408	fgtdhg.exe	56
PID 3068 set thread context of 2136	3068	fgtdhg.exe	174
PID 2136 set thread context of 3008	2136	fgtdhg.exe	56
PID 2412 set thread context of 2488	2412	fgtdhg.exe	178
PID 2488 set thread context of 3008	2488	fgtdhg.exe	56
PID 3572 set thread context of 1552	3572	fgtdhg.exe	182
PID 1552 set thread context of 3008	1552	fgtdhg.exe	56
PID 4068 set thread context of 500	4068	fgtdhg.exe	186
PID 500 set thread context of 3008	500	fgtdhg.exe	56
PID 3888 set thread context of 1420	3888	fgtdhg.exe	192
PID 1420 set thread context of 3008	1420	fgtdhg.exe	56
PID 3764 set thread context of 3864	3764	fgtdhg.exe	196
PID 3864 set thread context of 3008	3864	fgtdhg.exe	56

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-1231583446-2617009595-2137880041-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	raserver.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\OV1H7BMX = "C:\\Users\\Admin\\AppData\\Roaming\\gdher\\fgtdhg.exe"	raserver.exe

Suspicious behavior: MapViewOfSection 127 IoCs

pid	Process
512	fgtdhg.exe
820	fgtdhg.exe
820	fgtdhg.exe
820	fgtdhg.exe
820	fgtdhg.exe
1132	fgtdhg.exe
1316	fgtdhg.exe
372	raserver.exe
1316	fgtdhg.exe
1316	fgtdhg.exe
2108	fgtdhg.exe
2176	fgtdhg.exe
2176	fgtdhg.exe
2176	fgtdhg.exe
776	fgtdhg.exe
372	raserver.exe
1612	fgtdhg.exe
372	raserver.exe
1612	fgtdhg.exe
1612	fgtdhg.exe
1612	fgtdhg.exe
3604	fgtdhg.exe
3180	fgtdhg.exe
372	raserver.exe
3180	fgtdhg.exe
3180	fgtdhg.exe
3180	fgtdhg.exe
1364	fgtdhg.exe
1360	fgtdhg.exe
1360	fgtdhg.exe
1360	fgtdhg.exe
2152	fgtdhg.exe
2208	fgtdhg.exe
2208	fgtdhg.exe
2208	fgtdhg.exe
2664	fgtdhg.exe
3568	fgtdhg.exe
3568	fgtdhg.exe
3568	fgtdhg.exe
3568	fgtdhg.exe
1436	fgtdhg.exe
2740	fgtdhg.exe
2740	fgtdhg.exe
2740	fgtdhg.exe
2988	fgtdhg.exe
1984	fgtdhg.exe
1984	fgtdhg.exe
1984	fgtdhg.exe
1000	fgtdhg.exe
704	fgtdhg.exe
704	fgtdhg.exe
704	fgtdhg.exe
864	fgtdhg.exe
2052	fgtdhg.exe
2052	fgtdhg.exe
2052	fgtdhg.exe
2164	fgtdhg.exe
3856	fgtdhg.exe
3856	fgtdhg.exe
3856	fgtdhg.exe
2664	fgtdhg.exe
940	fgtdhg.exe
940	fgtdhg.exe
940	fgtdhg.exe
1908	fgtdhg.exe
4008	fgtdhg.exe
4008	fgtdhg.exe
4008	fgtdhg.exe
3848	fgtdhg.exe
1824	fgtdhg.exe
1824	fgtdhg.exe
1824	fgtdhg.exe
1148	fgtdhg.exe
1004	fgtdhg.exe
1004	fgtdhg.exe
1004	fgtdhg.exe
512	fgtdhg.exe
1916	fgtdhg.exe
1916	fgtdhg.exe
1916	fgtdhg.exe
1916	fgtdhg.exe
2152	fgtdhg.exe
3000	fgtdhg.exe
3000	fgtdhg.exe
3000	fgtdhg.exe
2880	fgtdhg.exe
1444	fgtdhg.exe
1444	fgtdhg.exe
1444	fgtdhg.exe
3840	fgtdhg.exe
3956	fgtdhg.exe
3956	fgtdhg.exe
3956	fgtdhg.exe
3396	fgtdhg.exe
1276	fgtdhg.exe
1276	fgtdhg.exe
1276	fgtdhg.exe
1192	fgtdhg.exe
1364	fgtdhg.exe
1364	fgtdhg.exe
1364	fgtdhg.exe
1132	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
3068	fgtdhg.exe
2136	fgtdhg.exe
2136	fgtdhg.exe
2136	fgtdhg.exe
2412	fgtdhg.exe
2488	fgtdhg.exe
2488	fgtdhg.exe
2488	fgtdhg.exe
3572	fgtdhg.exe
1552	fgtdhg.exe
1552	fgtdhg.exe
1552	fgtdhg.exe
4068	fgtdhg.exe
500	fgtdhg.exe
500	fgtdhg.exe
500	fgtdhg.exe
3888	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
3764	fgtdhg.exe
3864	fgtdhg.exe

Suspicious use of WriteProcessMemory 368 IoCs

description	pid	Process	procid_target
PID 3824 wrote to memory of 3180	3824	838111ab2eddfdd565bf1bd43c7af7c3.exe	66
PID 3824 wrote to memory of 3180	3824	838111ab2eddfdd565bf1bd43c7af7c3.exe	66
PID 3824 wrote to memory of 3180	3824	838111ab2eddfdd565bf1bd43c7af7c3.exe	66
PID 3824 wrote to memory of 3180	3824	838111ab2eddfdd565bf1bd43c7af7c3.exe	66
PID 3824 wrote to memory of 3180	3824	838111ab2eddfdd565bf1bd43c7af7c3.exe	66
PID 3180 wrote to memory of 512	3180	notepad.exe	67
PID 3180 wrote to memory of 512	3180	notepad.exe	67
PID 3180 wrote to memory of 512	3180	notepad.exe	67
PID 512 wrote to memory of 820	512	fgtdhg.exe	68
PID 512 wrote to memory of 820	512	fgtdhg.exe	68
PID 512 wrote to memory of 820	512	fgtdhg.exe	68
PID 512 wrote to memory of 904	512	fgtdhg.exe	69
PID 512 wrote to memory of 904	512	fgtdhg.exe	69
PID 512 wrote to memory of 904	512	fgtdhg.exe	69
PID 3008 wrote to memory of 372	3008	Explorer.EXE	70
PID 3008 wrote to memory of 372	3008	Explorer.EXE	70
PID 3008 wrote to memory of 372	3008	Explorer.EXE	70
PID 904 wrote to memory of 1132	904	fgtdhg.exe	71
PID 904 wrote to memory of 1132	904	fgtdhg.exe	71
PID 904 wrote to memory of 1132	904	fgtdhg.exe	71
PID 1132 wrote to memory of 1316	1132	fgtdhg.exe	72
PID 1132 wrote to memory of 1316	1132	fgtdhg.exe	72
PID 1132 wrote to memory of 1316	1132	fgtdhg.exe	72
PID 1132 wrote to memory of 1408	1132	fgtdhg.exe	73
PID 1132 wrote to memory of 1408	1132	fgtdhg.exe	73
PID 1132 wrote to memory of 1408	1132	fgtdhg.exe	73
PID 3008 wrote to memory of 1648	3008	Explorer.EXE	74
PID 3008 wrote to memory of 1648	3008	Explorer.EXE	74
PID 3008 wrote to memory of 1648	3008	Explorer.EXE	74
PID 372 wrote to memory of 1788	372	raserver.exe	75
PID 372 wrote to memory of 1788	372	raserver.exe	75
PID 372 wrote to memory of 1788	372	raserver.exe	75
PID 1408 wrote to memory of 2108	1408	fgtdhg.exe	77
PID 1408 wrote to memory of 2108	1408	fgtdhg.exe	77
PID 1408 wrote to memory of 2108	1408	fgtdhg.exe	77
PID 2108 wrote to memory of 2176	2108	fgtdhg.exe	78
PID 2108 wrote to memory of 2176	2108	fgtdhg.exe	78
PID 2108 wrote to memory of 2176	2108	fgtdhg.exe	78
PID 2108 wrote to memory of 2468	2108	fgtdhg.exe	79
PID 2108 wrote to memory of 2468	2108	fgtdhg.exe	79
PID 2108 wrote to memory of 2468	2108	fgtdhg.exe	79
PID 3008 wrote to memory of 2792	3008	Explorer.EXE	80
PID 3008 wrote to memory of 2792	3008	Explorer.EXE	80
PID 3008 wrote to memory of 2792	3008	Explorer.EXE	80
PID 2468 wrote to memory of 776	2468	fgtdhg.exe	83
PID 2468 wrote to memory of 776	2468	fgtdhg.exe	83
PID 2468 wrote to memory of 776	2468	fgtdhg.exe	83
PID 776 wrote to memory of 1612	776	fgtdhg.exe	84
PID 776 wrote to memory of 1612	776	fgtdhg.exe	84
PID 776 wrote to memory of 1612	776	fgtdhg.exe	84
PID 776 wrote to memory of 2160	776	fgtdhg.exe	85
PID 776 wrote to memory of 2160	776	fgtdhg.exe	85
PID 776 wrote to memory of 2160	776	fgtdhg.exe	85
PID 372 wrote to memory of 2276	372	raserver.exe	87
PID 372 wrote to memory of 2276	372	raserver.exe	87
PID 3008 wrote to memory of 4040	3008	Explorer.EXE	88
PID 3008 wrote to memory of 4040	3008	Explorer.EXE	88
PID 3008 wrote to memory of 4040	3008	Explorer.EXE	88
PID 2160 wrote to memory of 3604	2160	fgtdhg.exe	92
PID 2160 wrote to memory of 3604	2160	fgtdhg.exe	92
PID 2160 wrote to memory of 3604	2160	fgtdhg.exe	92
PID 3604 wrote to memory of 3180	3604	fgtdhg.exe	93
PID 3604 wrote to memory of 3180	3604	fgtdhg.exe	93
PID 3604 wrote to memory of 3180	3604	fgtdhg.exe	93
PID 3604 wrote to memory of 860	3604	fgtdhg.exe	94
PID 3604 wrote to memory of 860	3604	fgtdhg.exe	94
PID 3604 wrote to memory of 860	3604	fgtdhg.exe	94
PID 372 wrote to memory of 2276	372	raserver.exe	87
PID 3008 wrote to memory of 360	3008	Explorer.EXE	95
PID 3008 wrote to memory of 360	3008	Explorer.EXE	95
PID 3008 wrote to memory of 360	3008	Explorer.EXE	95
PID 860 wrote to memory of 1364	860	fgtdhg.exe	96
PID 860 wrote to memory of 1364	860	fgtdhg.exe	96
PID 860 wrote to memory of 1364	860	fgtdhg.exe	96
PID 1364 wrote to memory of 1360	1364	fgtdhg.exe	97
PID 1364 wrote to memory of 1360	1364	fgtdhg.exe	97
PID 1364 wrote to memory of 1360	1364	fgtdhg.exe	97
PID 1364 wrote to memory of 1544	1364	fgtdhg.exe	98
PID 1364 wrote to memory of 1544	1364	fgtdhg.exe	98
PID 1364 wrote to memory of 1544	1364	fgtdhg.exe	98
PID 3008 wrote to memory of 2056	3008	Explorer.EXE	99
PID 3008 wrote to memory of 2056	3008	Explorer.EXE	99
PID 3008 wrote to memory of 2056	3008	Explorer.EXE	99
PID 1544 wrote to memory of 2152	1544	fgtdhg.exe	100
PID 1544 wrote to memory of 2152	1544	fgtdhg.exe	100
PID 1544 wrote to memory of 2152	1544	fgtdhg.exe	100
PID 2152 wrote to memory of 2208	2152	fgtdhg.exe	101
PID 2152 wrote to memory of 2208	2152	fgtdhg.exe	101
PID 2152 wrote to memory of 2208	2152	fgtdhg.exe	101
PID 2152 wrote to memory of 2108	2152	fgtdhg.exe	102
PID 2152 wrote to memory of 2108	2152	fgtdhg.exe	102
PID 2152 wrote to memory of 2108	2152	fgtdhg.exe	102
PID 3008 wrote to memory of 2700	3008	Explorer.EXE	103
PID 3008 wrote to memory of 2700	3008	Explorer.EXE	103
PID 3008 wrote to memory of 2700	3008	Explorer.EXE	103
PID 2108 wrote to memory of 2664	2108	fgtdhg.exe	104
PID 2108 wrote to memory of 2664	2108	fgtdhg.exe	104
PID 2108 wrote to memory of 2664	2108	fgtdhg.exe	104
PID 2664 wrote to memory of 3568	2664	fgtdhg.exe	105
PID 2664 wrote to memory of 3568	2664	fgtdhg.exe	105
PID 2664 wrote to memory of 3568	2664	fgtdhg.exe	105
PID 2664 wrote to memory of 752	2664	fgtdhg.exe	106
PID 2664 wrote to memory of 752	2664	fgtdhg.exe	106
PID 2664 wrote to memory of 752	2664	fgtdhg.exe	106
PID 3008 wrote to memory of 1324	3008	Explorer.EXE	107
PID 3008 wrote to memory of 1324	3008	Explorer.EXE	107
PID 3008 wrote to memory of 1324	3008	Explorer.EXE	107
PID 752 wrote to memory of 1436	752	fgtdhg.exe	108
PID 752 wrote to memory of 1436	752	fgtdhg.exe	108
PID 752 wrote to memory of 1436	752	fgtdhg.exe	108
PID 1436 wrote to memory of 2740	1436	fgtdhg.exe	109
PID 1436 wrote to memory of 2740	1436	fgtdhg.exe	109
PID 1436 wrote to memory of 2740	1436	fgtdhg.exe	109
PID 1436 wrote to memory of 3868	1436	fgtdhg.exe	110
PID 1436 wrote to memory of 3868	1436	fgtdhg.exe	110
PID 1436 wrote to memory of 3868	1436	fgtdhg.exe	110
PID 3008 wrote to memory of 3280	3008	Explorer.EXE	111
PID 3008 wrote to memory of 3280	3008	Explorer.EXE	111
PID 3008 wrote to memory of 3280	3008	Explorer.EXE	111
PID 3868 wrote to memory of 2988	3868	fgtdhg.exe	112
PID 3868 wrote to memory of 2988	3868	fgtdhg.exe	112
PID 3868 wrote to memory of 2988	3868	fgtdhg.exe	112
PID 2988 wrote to memory of 1984	2988	fgtdhg.exe	113
PID 2988 wrote to memory of 1984	2988	fgtdhg.exe	113
PID 2988 wrote to memory of 1984	2988	fgtdhg.exe	113
PID 2988 wrote to memory of 3080	2988	fgtdhg.exe	114
PID 2988 wrote to memory of 3080	2988	fgtdhg.exe	114
PID 2988 wrote to memory of 3080	2988	fgtdhg.exe	114
PID 3008 wrote to memory of 640	3008	Explorer.EXE	115
PID 3008 wrote to memory of 640	3008	Explorer.EXE	115
PID 3008 wrote to memory of 640	3008	Explorer.EXE	115
PID 3080 wrote to memory of 1000	3080	fgtdhg.exe	116
PID 3080 wrote to memory of 1000	3080	fgtdhg.exe	116
PID 3080 wrote to memory of 1000	3080	fgtdhg.exe	116
PID 1000 wrote to memory of 704	1000	fgtdhg.exe	117
PID 1000 wrote to memory of 704	1000	fgtdhg.exe	117
PID 1000 wrote to memory of 704	1000	fgtdhg.exe	117
PID 1000 wrote to memory of 1052	1000	fgtdhg.exe	118
PID 1000 wrote to memory of 1052	1000	fgtdhg.exe	118
PID 1000 wrote to memory of 1052	1000	fgtdhg.exe	118
PID 3008 wrote to memory of 1176	3008	Explorer.EXE	119
PID 3008 wrote to memory of 1176	3008	Explorer.EXE	119
PID 3008 wrote to memory of 1176	3008	Explorer.EXE	119
PID 1052 wrote to memory of 864	1052	fgtdhg.exe	120
PID 1052 wrote to memory of 864	1052	fgtdhg.exe	120
PID 1052 wrote to memory of 864	1052	fgtdhg.exe	120
PID 864 wrote to memory of 2052	864	fgtdhg.exe	121
PID 864 wrote to memory of 2052	864	fgtdhg.exe	121
PID 864 wrote to memory of 2052	864	fgtdhg.exe	121
PID 864 wrote to memory of 1416	864	fgtdhg.exe	122
PID 864 wrote to memory of 1416	864	fgtdhg.exe	122
PID 864 wrote to memory of 1416	864	fgtdhg.exe	122
PID 3008 wrote to memory of 1544	3008	Explorer.EXE	123
PID 3008 wrote to memory of 1544	3008	Explorer.EXE	123
PID 3008 wrote to memory of 1544	3008	Explorer.EXE	123
PID 1416 wrote to memory of 2164	1416	fgtdhg.exe	124
PID 1416 wrote to memory of 2164	1416	fgtdhg.exe	124
PID 1416 wrote to memory of 2164	1416	fgtdhg.exe	124
PID 2164 wrote to memory of 3856	2164	fgtdhg.exe	125
PID 2164 wrote to memory of 3856	2164	fgtdhg.exe	125
PID 2164 wrote to memory of 3856	2164	fgtdhg.exe	125
PID 2164 wrote to memory of 3556	2164	fgtdhg.exe	126
PID 2164 wrote to memory of 3556	2164	fgtdhg.exe	126
PID 2164 wrote to memory of 3556	2164	fgtdhg.exe	126
PID 3008 wrote to memory of 780	3008	Explorer.EXE	127
PID 3008 wrote to memory of 780	3008	Explorer.EXE	127
PID 3008 wrote to memory of 780	3008	Explorer.EXE	127
PID 3556 wrote to memory of 2664	3556	fgtdhg.exe	128
PID 3556 wrote to memory of 2664	3556	fgtdhg.exe	128
PID 3556 wrote to memory of 2664	3556	fgtdhg.exe	128
PID 2664 wrote to memory of 940	2664	fgtdhg.exe	129
PID 2664 wrote to memory of 940	2664	fgtdhg.exe	129
PID 2664 wrote to memory of 940	2664	fgtdhg.exe	129
PID 2664 wrote to memory of 1240	2664	fgtdhg.exe	130
PID 2664 wrote to memory of 1240	2664	fgtdhg.exe	130
PID 2664 wrote to memory of 1240	2664	fgtdhg.exe	130
PID 3008 wrote to memory of 1948	3008	Explorer.EXE	131
PID 3008 wrote to memory of 1948	3008	Explorer.EXE	131
PID 3008 wrote to memory of 1948	3008	Explorer.EXE	131
PID 1240 wrote to memory of 1908	1240	fgtdhg.exe	132
PID 1240 wrote to memory of 1908	1240	fgtdhg.exe	132
PID 1240 wrote to memory of 1908	1240	fgtdhg.exe	132
PID 1908 wrote to memory of 4008	1908	fgtdhg.exe	133
PID 1908 wrote to memory of 4008	1908	fgtdhg.exe	133
PID 1908 wrote to memory of 4008	1908	fgtdhg.exe	133
PID 1908 wrote to memory of 3244	1908	fgtdhg.exe	134
PID 1908 wrote to memory of 3244	1908	fgtdhg.exe	134
PID 1908 wrote to memory of 3244	1908	fgtdhg.exe	134
PID 3008 wrote to memory of 3868	3008	Explorer.EXE	135
PID 3008 wrote to memory of 3868	3008	Explorer.EXE	135
PID 3008 wrote to memory of 3868	3008	Explorer.EXE	135
PID 3244 wrote to memory of 3848	3244	fgtdhg.exe	136
PID 3244 wrote to memory of 3848	3244	fgtdhg.exe	136
PID 3244 wrote to memory of 3848	3244	fgtdhg.exe	136
PID 3848 wrote to memory of 1824	3848	fgtdhg.exe	137
PID 3848 wrote to memory of 1824	3848	fgtdhg.exe	137
PID 3848 wrote to memory of 1824	3848	fgtdhg.exe	137
PID 3848 wrote to memory of 504	3848	fgtdhg.exe	138
PID 3848 wrote to memory of 504	3848	fgtdhg.exe	138
PID 3848 wrote to memory of 504	3848	fgtdhg.exe	138
PID 3008 wrote to memory of 3724	3008	Explorer.EXE	139
PID 3008 wrote to memory of 3724	3008	Explorer.EXE	139
PID 3008 wrote to memory of 3724	3008	Explorer.EXE	139
PID 504 wrote to memory of 1148	504	fgtdhg.exe	140
PID 504 wrote to memory of 1148	504	fgtdhg.exe	140
PID 504 wrote to memory of 1148	504	fgtdhg.exe	140
PID 1148 wrote to memory of 1004	1148	fgtdhg.exe	141
PID 1148 wrote to memory of 1004	1148	fgtdhg.exe	141
PID 1148 wrote to memory of 1004	1148	fgtdhg.exe	141
PID 1148 wrote to memory of 908	1148	fgtdhg.exe	142
PID 1148 wrote to memory of 908	1148	fgtdhg.exe	142
PID 1148 wrote to memory of 908	1148	fgtdhg.exe	142
PID 3008 wrote to memory of 864	3008	Explorer.EXE	143
PID 3008 wrote to memory of 864	3008	Explorer.EXE	143
PID 3008 wrote to memory of 864	3008	Explorer.EXE	143
PID 908 wrote to memory of 512	908	fgtdhg.exe	144
PID 908 wrote to memory of 512	908	fgtdhg.exe	144
PID 908 wrote to memory of 512	908	fgtdhg.exe	144
PID 512 wrote to memory of 1916	512	fgtdhg.exe	145
PID 512 wrote to memory of 1916	512	fgtdhg.exe	145
PID 512 wrote to memory of 1916	512	fgtdhg.exe	145
PID 512 wrote to memory of 1416	512	fgtdhg.exe	146
PID 512 wrote to memory of 1416	512	fgtdhg.exe	146
PID 512 wrote to memory of 1416	512	fgtdhg.exe	146
PID 3008 wrote to memory of 1500	3008	Explorer.EXE	147
PID 3008 wrote to memory of 1500	3008	Explorer.EXE	147
PID 3008 wrote to memory of 1500	3008	Explorer.EXE	147
PID 1416 wrote to memory of 2152	1416	fgtdhg.exe	148
PID 1416 wrote to memory of 2152	1416	fgtdhg.exe	148
PID 1416 wrote to memory of 2152	1416	fgtdhg.exe	148
PID 2152 wrote to memory of 3000	2152	fgtdhg.exe	149
PID 2152 wrote to memory of 3000	2152	fgtdhg.exe	149
PID 2152 wrote to memory of 3000	2152	fgtdhg.exe	149
PID 2152 wrote to memory of 2588	2152	fgtdhg.exe	150
PID 2152 wrote to memory of 2588	2152	fgtdhg.exe	150
PID 2152 wrote to memory of 2588	2152	fgtdhg.exe	150
PID 3008 wrote to memory of 496	3008	Explorer.EXE	151
PID 3008 wrote to memory of 496	3008	Explorer.EXE	151
PID 3008 wrote to memory of 496	3008	Explorer.EXE	151
PID 2588 wrote to memory of 2880	2588	fgtdhg.exe	152
PID 2588 wrote to memory of 2880	2588	fgtdhg.exe	152
PID 2588 wrote to memory of 2880	2588	fgtdhg.exe	152
PID 2880 wrote to memory of 1444	2880	fgtdhg.exe	153
PID 2880 wrote to memory of 1444	2880	fgtdhg.exe	153
PID 2880 wrote to memory of 1444	2880	fgtdhg.exe	153
PID 2880 wrote to memory of 3860	2880	fgtdhg.exe	154
PID 2880 wrote to memory of 3860	2880	fgtdhg.exe	154
PID 2880 wrote to memory of 3860	2880	fgtdhg.exe	154
PID 3008 wrote to memory of 1908	3008	Explorer.EXE	155
PID 3008 wrote to memory of 1908	3008	Explorer.EXE	155
PID 3008 wrote to memory of 1908	3008	Explorer.EXE	155
PID 3860 wrote to memory of 3840	3860	fgtdhg.exe	156
PID 3860 wrote to memory of 3840	3860	fgtdhg.exe	156
PID 3860 wrote to memory of 3840	3860	fgtdhg.exe	156
PID 3840 wrote to memory of 3956	3840	fgtdhg.exe	157
PID 3840 wrote to memory of 3956	3840	fgtdhg.exe	157
PID 3840 wrote to memory of 3956	3840	fgtdhg.exe	157
PID 3840 wrote to memory of 3912	3840	fgtdhg.exe	158
PID 3840 wrote to memory of 3912	3840	fgtdhg.exe	158
PID 3840 wrote to memory of 3912	3840	fgtdhg.exe	158
PID 3008 wrote to memory of 3832	3008	Explorer.EXE	159
PID 3008 wrote to memory of 3832	3008	Explorer.EXE	159
PID 3008 wrote to memory of 3832	3008	Explorer.EXE	159
PID 3912 wrote to memory of 3396	3912	fgtdhg.exe	160
PID 3912 wrote to memory of 3396	3912	fgtdhg.exe	160
PID 3912 wrote to memory of 3396	3912	fgtdhg.exe	160
PID 3396 wrote to memory of 1276	3396	fgtdhg.exe	161
PID 3396 wrote to memory of 1276	3396	fgtdhg.exe	161
PID 3396 wrote to memory of 1276	3396	fgtdhg.exe	161
PID 3396 wrote to memory of 3080	3396	fgtdhg.exe	162
PID 3396 wrote to memory of 3080	3396	fgtdhg.exe	162
PID 3396 wrote to memory of 3080	3396	fgtdhg.exe	162
PID 3008 wrote to memory of 3664	3008	Explorer.EXE	163
PID 3008 wrote to memory of 3664	3008	Explorer.EXE	163
PID 3008 wrote to memory of 3664	3008	Explorer.EXE	163
PID 3080 wrote to memory of 1192	3080	fgtdhg.exe	164
PID 3080 wrote to memory of 1192	3080	fgtdhg.exe	164
PID 3080 wrote to memory of 1192	3080	fgtdhg.exe	164
PID 1192 wrote to memory of 1364	1192	fgtdhg.exe	165
PID 1192 wrote to memory of 1364	1192	fgtdhg.exe	165
PID 1192 wrote to memory of 1364	1192	fgtdhg.exe	165
PID 1192 wrote to memory of 1492	1192	fgtdhg.exe	166
PID 1192 wrote to memory of 1492	1192	fgtdhg.exe	166
PID 1192 wrote to memory of 1492	1192	fgtdhg.exe	166
PID 3008 wrote to memory of 1912	3008	Explorer.EXE	168
PID 3008 wrote to memory of 1912	3008	Explorer.EXE	168
PID 3008 wrote to memory of 1912	3008	Explorer.EXE	168
PID 1492 wrote to memory of 1132	1492	fgtdhg.exe	169
PID 1492 wrote to memory of 1132	1492	fgtdhg.exe	169
PID 1492 wrote to memory of 1132	1492	fgtdhg.exe	169
PID 1132 wrote to memory of 1408	1132	fgtdhg.exe	170
PID 1132 wrote to memory of 1408	1132	fgtdhg.exe	170
PID 1132 wrote to memory of 1408	1132	fgtdhg.exe	170
PID 1132 wrote to memory of 1420	1132	fgtdhg.exe	171
PID 1132 wrote to memory of 1420	1132	fgtdhg.exe	171
PID 1132 wrote to memory of 1420	1132	fgtdhg.exe	171
PID 3008 wrote to memory of 2500	3008	Explorer.EXE	172
PID 3008 wrote to memory of 2500	3008	Explorer.EXE	172
PID 3008 wrote to memory of 2500	3008	Explorer.EXE	172
PID 1420 wrote to memory of 3068	1420	fgtdhg.exe	173
PID 1420 wrote to memory of 3068	1420	fgtdhg.exe	173
PID 1420 wrote to memory of 3068	1420	fgtdhg.exe	173
PID 3068 wrote to memory of 2136	3068	fgtdhg.exe	174
PID 3068 wrote to memory of 2136	3068	fgtdhg.exe	174
PID 3068 wrote to memory of 2136	3068	fgtdhg.exe	174
PID 3068 wrote to memory of 3808	3068	fgtdhg.exe	175
PID 3068 wrote to memory of 3808	3068	fgtdhg.exe	175
PID 3068 wrote to memory of 3808	3068	fgtdhg.exe	175
PID 3008 wrote to memory of 2000	3008	Explorer.EXE	176
PID 3008 wrote to memory of 2000	3008	Explorer.EXE	176
PID 3008 wrote to memory of 2000	3008	Explorer.EXE	176
PID 3808 wrote to memory of 2412	3808	fgtdhg.exe	177
PID 3808 wrote to memory of 2412	3808	fgtdhg.exe	177
PID 3808 wrote to memory of 2412	3808	fgtdhg.exe	177
PID 2412 wrote to memory of 2488	2412	fgtdhg.exe	178
PID 2412 wrote to memory of 2488	2412	fgtdhg.exe	178
PID 2412 wrote to memory of 2488	2412	fgtdhg.exe	178
PID 2412 wrote to memory of 3960	2412	fgtdhg.exe	179
PID 2412 wrote to memory of 3960	2412	fgtdhg.exe	179
PID 2412 wrote to memory of 3960	2412	fgtdhg.exe	179
PID 3008 wrote to memory of 1436	3008	Explorer.EXE	180
PID 3008 wrote to memory of 1436	3008	Explorer.EXE	180
PID 3008 wrote to memory of 1436	3008	Explorer.EXE	180
PID 3960 wrote to memory of 3572	3960	fgtdhg.exe	181
PID 3960 wrote to memory of 3572	3960	fgtdhg.exe	181
PID 3960 wrote to memory of 3572	3960	fgtdhg.exe	181
PID 3572 wrote to memory of 1552	3572	fgtdhg.exe	182
PID 3572 wrote to memory of 1552	3572	fgtdhg.exe	182
PID 3572 wrote to memory of 1552	3572	fgtdhg.exe	182
PID 3572 wrote to memory of 644	3572	fgtdhg.exe	183
PID 3572 wrote to memory of 644	3572	fgtdhg.exe	183
PID 3572 wrote to memory of 644	3572	fgtdhg.exe	183
PID 3008 wrote to memory of 3560	3008	Explorer.EXE	184
PID 3008 wrote to memory of 3560	3008	Explorer.EXE	184
PID 3008 wrote to memory of 3560	3008	Explorer.EXE	184
PID 644 wrote to memory of 4068	644	fgtdhg.exe	185
PID 644 wrote to memory of 4068	644	fgtdhg.exe	185
PID 644 wrote to memory of 4068	644	fgtdhg.exe	185
PID 4068 wrote to memory of 500	4068	fgtdhg.exe	186
PID 4068 wrote to memory of 500	4068	fgtdhg.exe	186
PID 4068 wrote to memory of 500	4068	fgtdhg.exe	186
PID 4068 wrote to memory of 1328	4068	fgtdhg.exe	187
PID 4068 wrote to memory of 1328	4068	fgtdhg.exe	187
PID 4068 wrote to memory of 1328	4068	fgtdhg.exe	187
PID 3008 wrote to memory of 1660	3008	Explorer.EXE	188
PID 3008 wrote to memory of 1660	3008	Explorer.EXE	188
PID 3008 wrote to memory of 1660	3008	Explorer.EXE	188
PID 1328 wrote to memory of 3888	1328	fgtdhg.exe	191
PID 1328 wrote to memory of 3888	1328	fgtdhg.exe	191
PID 1328 wrote to memory of 3888	1328	fgtdhg.exe	191
PID 3888 wrote to memory of 1420	3888	fgtdhg.exe	192
PID 3888 wrote to memory of 1420	3888	fgtdhg.exe	192
PID 3888 wrote to memory of 1420	3888	fgtdhg.exe	192
PID 3888 wrote to memory of 3584	3888	fgtdhg.exe	193
PID 3888 wrote to memory of 3584	3888	fgtdhg.exe	193
PID 3888 wrote to memory of 3584	3888	fgtdhg.exe	193
PID 3008 wrote to memory of 2468	3008	Explorer.EXE	194
PID 3008 wrote to memory of 2468	3008	Explorer.EXE	194
PID 3008 wrote to memory of 2468	3008	Explorer.EXE	194
PID 3584 wrote to memory of 3764	3584	fgtdhg.exe	195
PID 3584 wrote to memory of 3764	3584	fgtdhg.exe	195
PID 3584 wrote to memory of 3764	3584	fgtdhg.exe	195
PID 3764 wrote to memory of 3864	3764	fgtdhg.exe	196
PID 3764 wrote to memory of 3864	3764	fgtdhg.exe	196
PID 3764 wrote to memory of 3864	3764	fgtdhg.exe	196
PID 3764 wrote to memory of 1320	3764	fgtdhg.exe	197
PID 3764 wrote to memory of 1320	3764	fgtdhg.exe	197
PID 3764 wrote to memory of 1320	3764	fgtdhg.exe	197

Executes dropped EXE 90 IoCs

pid	Process
512	fgtdhg.exe
820	fgtdhg.exe
904	fgtdhg.exe
1132	fgtdhg.exe
1316	fgtdhg.exe
1408	fgtdhg.exe
2108	fgtdhg.exe
2176	fgtdhg.exe
2468	fgtdhg.exe
776	fgtdhg.exe
1612	fgtdhg.exe
2160	fgtdhg.exe
3604	fgtdhg.exe
3180	fgtdhg.exe
860	fgtdhg.exe
1364	fgtdhg.exe
1360	fgtdhg.exe
1544	fgtdhg.exe
2152	fgtdhg.exe
2208	fgtdhg.exe
2108	fgtdhg.exe
2664	fgtdhg.exe
3568	fgtdhg.exe
752	fgtdhg.exe
1436	fgtdhg.exe
2740	fgtdhg.exe
3868	fgtdhg.exe
2988	fgtdhg.exe
1984	fgtdhg.exe
3080	fgtdhg.exe
1000	fgtdhg.exe
704	fgtdhg.exe
1052	fgtdhg.exe
864	fgtdhg.exe
2052	fgtdhg.exe
1416	fgtdhg.exe
2164	fgtdhg.exe
3856	fgtdhg.exe
3556	fgtdhg.exe
2664	fgtdhg.exe
940	fgtdhg.exe
1240	fgtdhg.exe
1908	fgtdhg.exe
4008	fgtdhg.exe
3244	fgtdhg.exe
3848	fgtdhg.exe
1824	fgtdhg.exe
504	fgtdhg.exe
1148	fgtdhg.exe
1004	fgtdhg.exe
908	fgtdhg.exe
512	fgtdhg.exe
1916	fgtdhg.exe
1416	fgtdhg.exe
2152	fgtdhg.exe
3000	fgtdhg.exe
2588	fgtdhg.exe
2880	fgtdhg.exe
1444	fgtdhg.exe
3860	fgtdhg.exe
3840	fgtdhg.exe
3956	fgtdhg.exe
3912	fgtdhg.exe
3396	fgtdhg.exe
1276	fgtdhg.exe
3080	fgtdhg.exe
1192	fgtdhg.exe
1364	fgtdhg.exe
1492	fgtdhg.exe
1132	fgtdhg.exe
1408	fgtdhg.exe
1420	fgtdhg.exe
3068	fgtdhg.exe
2136	fgtdhg.exe
3808	fgtdhg.exe
2412	fgtdhg.exe
2488	fgtdhg.exe
3960	fgtdhg.exe
3572	fgtdhg.exe
1552	fgtdhg.exe
644	fgtdhg.exe
4068	fgtdhg.exe
500	fgtdhg.exe
1328	fgtdhg.exe
3888	fgtdhg.exe
1420	fgtdhg.exe
3584	fgtdhg.exe
3764	fgtdhg.exe
3864	fgtdhg.exe
1320	fgtdhg.exe

Suspicious use of AdjustPrivilegeToken 183 IoCs

description	pid	Process
Token: SeDebugPrivilege	820	fgtdhg.exe
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeDebugPrivilege	372	raserver.exe
Token: SeDebugPrivilege	1316	fgtdhg.exe
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeDebugPrivilege	2176	fgtdhg.exe
Token: SeDebugPrivilege	1648	msiexec.exe
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeDebugPrivilege	2792	ipconfig.exe
Token: SeDebugPrivilege	1612	fgtdhg.exe
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeDebugPrivilege	4040	rundll32.exe
Token: SeDebugPrivilege	3180	fgtdhg.exe
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeDebugPrivilege	360	rundll32.exe
Token: SeDebugPrivilege	1360	fgtdhg.exe
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeDebugPrivilege	2056	rundll32.exe
Token: SeDebugPrivilege	2208	fgtdhg.exe
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeDebugPrivilege	2700	control.exe
Token: SeDebugPrivilege	3568	fgtdhg.exe
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeDebugPrivilege	1324	msiexec.exe
Token: SeDebugPrivilege	2740	fgtdhg.exe
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeDebugPrivilege	3280	systray.exe
Token: SeDebugPrivilege	1984	fgtdhg.exe
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeDebugPrivilege	640	raserver.exe
Token: SeDebugPrivilege	704	fgtdhg.exe
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeDebugPrivilege	2052	fgtdhg.exe
Token: SeDebugPrivilege	1176	msdt.exe
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeDebugPrivilege	1544	msdt.exe
Token: SeDebugPrivilege	3856	fgtdhg.exe
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeDebugPrivilege	780	help.exe
Token: SeDebugPrivilege	940	fgtdhg.exe
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeDebugPrivilege	4008	fgtdhg.exe
Token: SeDebugPrivilege	1948	explorer.exe
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeDebugPrivilege	3868	netsh.exe
Token: SeDebugPrivilege	1824	fgtdhg.exe
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeDebugPrivilege	3724	raserver.exe
Token: SeDebugPrivilege	1004	fgtdhg.exe
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeDebugPrivilege	864	raserver.exe
Token: SeDebugPrivilege	1916	fgtdhg.exe
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeDebugPrivilege	1500	NETSTAT.EXE
Token: SeDebugPrivilege	3000	fgtdhg.exe
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeDebugPrivilege	496	wlanext.exe
Token: SeDebugPrivilege	1444	fgtdhg.exe
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeDebugPrivilege	1908	colorcpl.exe
Token: SeDebugPrivilege	3956	fgtdhg.exe
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeDebugPrivilege	3832	wscript.exe
Token: SeDebugPrivilege	1276	fgtdhg.exe
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeDebugPrivilege	3664	colorcpl.exe
Token: SeDebugPrivilege	1364	fgtdhg.exe
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeDebugPrivilege	1912	msiexec.exe
Token: SeDebugPrivilege	1408	fgtdhg.exe
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeDebugPrivilege	2500	control.exe
Token: SeDebugPrivilege	2136	fgtdhg.exe
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeDebugPrivilege	2000	wscript.exe
Token: SeDebugPrivilege	2488	fgtdhg.exe
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeDebugPrivilege	1436	cmmon32.exe
Token: SeDebugPrivilege	1552	fgtdhg.exe
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeDebugPrivilege	3560	netsh.exe
Token: SeDebugPrivilege	500	fgtdhg.exe
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeDebugPrivilege	1660	cscript.exe
Token: SeDebugPrivilege	1420	fgtdhg.exe
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeDebugPrivilege	2468	msdt.exe
Token: SeDebugPrivilege	3864	fgtdhg.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
2792	ipconfig.exe
1500	NETSTAT.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe:ZoneIdentifier	notepad.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shndg.vbs	notepad.exe

Suspicious behavior: EnumeratesProcesses 2792 IoCs

pid	Process
3824	838111ab2eddfdd565bf1bd43c7af7c3.exe
3824	838111ab2eddfdd565bf1bd43c7af7c3.exe
512	fgtdhg.exe
512	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
820	fgtdhg.exe
820	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
820	fgtdhg.exe
820	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
820	fgtdhg.exe
820	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
904	fgtdhg.exe
1132	fgtdhg.exe
1132	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
372	raserver.exe
372	raserver.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1316	fgtdhg.exe
1316	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1316	fgtdhg.exe
1316	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
372	raserver.exe
372	raserver.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2176	fgtdhg.exe
2176	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2176	fgtdhg.exe
2176	fgtdhg.exe
1648	msiexec.exe
1648	msiexec.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
2468	fgtdhg.exe
776	fgtdhg.exe
776	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2792	ipconfig.exe
2792	ipconfig.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
1612	fgtdhg.exe
1612	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
1612	fgtdhg.exe
1612	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
1612	fgtdhg.exe
1612	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
2160	fgtdhg.exe
3604	fgtdhg.exe
3604	fgtdhg.exe
4040	rundll32.exe
4040	rundll32.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
3180	fgtdhg.exe
3180	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
3180	fgtdhg.exe
3180	fgtdhg.exe
372	raserver.exe
372	raserver.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
372	raserver.exe
372	raserver.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
3180	fgtdhg.exe
860	fgtdhg.exe
3180	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
860	fgtdhg.exe
1364	fgtdhg.exe
1364	fgtdhg.exe
360	rundll32.exe
360	rundll32.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1360	fgtdhg.exe
1360	fgtdhg.exe
1360	fgtdhg.exe
1360	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
372	raserver.exe
1544	fgtdhg.exe
372	raserver.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
1544	fgtdhg.exe
2152	fgtdhg.exe
2152	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2056	rundll32.exe
2056	rundll32.exe
2208	fgtdhg.exe
2208	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2208	fgtdhg.exe
2208	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
372	raserver.exe
372	raserver.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2108	fgtdhg.exe
2664	fgtdhg.exe
2664	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
2700	control.exe
2700	control.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
3568	fgtdhg.exe
3568	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
3568	fgtdhg.exe
3568	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
372	raserver.exe
372	raserver.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
3568	fgtdhg.exe
3568	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
372	raserver.exe
372	raserver.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
752	fgtdhg.exe
1436	fgtdhg.exe
1436	fgtdhg.exe
1324	msiexec.exe
1324	msiexec.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
2740	fgtdhg.exe
2740	fgtdhg.exe
2740	fgtdhg.exe
2740	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
372	raserver.exe
372	raserver.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
3868	fgtdhg.exe
2988	fgtdhg.exe
2988	fgtdhg.exe
3280	systray.exe
3280	systray.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
1984	fgtdhg.exe
1984	fgtdhg.exe
1984	fgtdhg.exe
1984	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
1000	fgtdhg.exe
1000	fgtdhg.exe
640	raserver.exe
640	raserver.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
372	raserver.exe
372	raserver.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
704	fgtdhg.exe
704	fgtdhg.exe
704	fgtdhg.exe
704	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
1052	fgtdhg.exe
864	fgtdhg.exe
864	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
2052	fgtdhg.exe
2052	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1176	msdt.exe
1176	msdt.exe
2052	fgtdhg.exe
2052	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
372	raserver.exe
372	raserver.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
2164	fgtdhg.exe
2164	fgtdhg.exe
1544	msdt.exe
1544	msdt.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3856	fgtdhg.exe
3856	fgtdhg.exe
3856	fgtdhg.exe
3856	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
372	raserver.exe
372	raserver.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
3556	fgtdhg.exe
2664	fgtdhg.exe
2664	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
780	help.exe
780	help.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
940	fgtdhg.exe
940	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
940	fgtdhg.exe
940	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
372	raserver.exe
372	raserver.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1240	fgtdhg.exe
1908	fgtdhg.exe
1908	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
4008	fgtdhg.exe
4008	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
4008	fgtdhg.exe
4008	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
1948	explorer.exe
1948	explorer.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3244	fgtdhg.exe
3848	fgtdhg.exe
3848	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
3868	netsh.exe
3868	netsh.exe
504	fgtdhg.exe
504	fgtdhg.exe
1824	fgtdhg.exe
1824	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
1824	fgtdhg.exe
1824	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
504	fgtdhg.exe
1148	fgtdhg.exe
1148	fgtdhg.exe
3724	raserver.exe
3724	raserver.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
1004	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
1004	fgtdhg.exe
1004	fgtdhg.exe
1004	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
372	raserver.exe
372	raserver.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
908	fgtdhg.exe
512	fgtdhg.exe
512	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
864	raserver.exe
864	raserver.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1916	fgtdhg.exe
1916	fgtdhg.exe
1916	fgtdhg.exe
1916	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
372	raserver.exe
1416	fgtdhg.exe
372	raserver.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1916	fgtdhg.exe
1916	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
372	raserver.exe
372	raserver.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
1416	fgtdhg.exe
2152	fgtdhg.exe
2152	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
1500	NETSTAT.EXE
1500	NETSTAT.EXE
2588	fgtdhg.exe
2588	fgtdhg.exe
3000	fgtdhg.exe
3000	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
3000	fgtdhg.exe
3000	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
372	raserver.exe
2588	fgtdhg.exe
372	raserver.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2588	fgtdhg.exe
2880	fgtdhg.exe
2880	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
496	wlanext.exe
496	wlanext.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
1444	fgtdhg.exe
1444	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
1444	fgtdhg.exe
1444	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
372	raserver.exe
372	raserver.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3860	fgtdhg.exe
3840	fgtdhg.exe
3840	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
1908	colorcpl.exe
1908	colorcpl.exe
3956	fgtdhg.exe
3956	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3956	fgtdhg.exe
3956	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3912	fgtdhg.exe
3396	fgtdhg.exe
3396	fgtdhg.exe
372	raserver.exe
372	raserver.exe
3832	wscript.exe
3832	wscript.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
1276	fgtdhg.exe
1276	fgtdhg.exe
1276	fgtdhg.exe
1276	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
3080	fgtdhg.exe
1192	fgtdhg.exe
1192	fgtdhg.exe
3664	colorcpl.exe
3664	colorcpl.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1364	fgtdhg.exe
1364	fgtdhg.exe
1364	fgtdhg.exe
1364	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
372	raserver.exe
372	raserver.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1492	fgtdhg.exe
1132	fgtdhg.exe
1132	fgtdhg.exe
1912	msiexec.exe
1912	msiexec.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1408	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1408	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
372	raserver.exe
372	raserver.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
3068	fgtdhg.exe
3068	fgtdhg.exe
2500	control.exe
2500	control.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
2136	fgtdhg.exe
2136	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
2136	fgtdhg.exe
2136	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
372	raserver.exe
372	raserver.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
3808	fgtdhg.exe
2412	fgtdhg.exe
2412	fgtdhg.exe
2000	wscript.exe
2000	wscript.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
2488	fgtdhg.exe
2488	fgtdhg.exe
2488	fgtdhg.exe
2488	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3960	fgtdhg.exe
3572	fgtdhg.exe
3572	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
1436	cmmon32.exe
1436	cmmon32.exe
372	raserver.exe
372	raserver.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
1552	fgtdhg.exe
1552	fgtdhg.exe
1552	fgtdhg.exe
1552	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
644	fgtdhg.exe
4068	fgtdhg.exe
4068	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
3560	netsh.exe
3560	netsh.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
500	fgtdhg.exe
500	fgtdhg.exe
500	fgtdhg.exe
500	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
372	raserver.exe
372	raserver.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
1328	fgtdhg.exe
3888	fgtdhg.exe
3888	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
1660	cscript.exe
1660	cscript.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
1420	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
372	raserver.exe
372	raserver.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3584	fgtdhg.exe
3764	fgtdhg.exe
3764	fgtdhg.exe
1320	fgtdhg.exe
1320	fgtdhg.exe
1320	fgtdhg.exe
1320	fgtdhg.exe
2468	msdt.exe
2468	msdt.exe
1320	fgtdhg.exe
1320	fgtdhg.exe
3864	fgtdhg.exe
3864	fgtdhg.exe
1320	fgtdhg.exe
1320	fgtdhg.exe
3864	fgtdhg.exe
3864	fgtdhg.exe
1320	fgtdhg.exe
1320	fgtdhg.exe
1320	fgtdhg.exe
1320	fgtdhg.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-1231583446-2617009595-2137880041-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	raserver.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-1231583446-2617009595-2137880041-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	raserver.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
PID:3008
- C:\Users\Admin\AppData\Local\Temp\838111ab2eddfdd565bf1bd43c7af7c3.exe
  "C:\Users\Admin\AppData\Local\Temp\838111ab2eddfdd565bf1bd43c7af7c3.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: EnumeratesProcesses
  PID:3824
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\system32\notepad.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    - NTFS ADS
    - Drops startup file
    PID:3180
  - - C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
      "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:512
    - - C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        5⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious behavior: EnumeratesProcesses
        
        PID:820
    - - C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe" 2 820 104687
        5⤵
        Suspicious use of WriteProcessMemory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:904
      - C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        Executes dropped EXE
        
        PID:1132
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        7⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1316
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe" 2 1316 114812
        7⤵
        Suspicious use of WriteProcessMemory
        Executes dropped EXE
        
        PID:1408
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        8⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        Executes dropped EXE
        
        PID:2108
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        9⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2176
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe" 2 2176 118640
        9⤵
        Suspicious use of WriteProcessMemory
        Executes dropped EXE
        
        PID:2468
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        10⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        Executes dropped EXE
        
        PID:776
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        11⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe" 2 1612 122718
        11⤵
        Suspicious use of WriteProcessMemory
        Executes dropped EXE
        
        PID:2160
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        12⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        Executes dropped EXE
        
        PID:3604
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        13⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3180
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe" 2 3180 132750
        13⤵
        Executes dropped EXE
        
        PID:860
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        14⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Executes dropped EXE
        
        PID:1364
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        15⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1360
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe" 2 1360 142718
        15⤵
        Executes dropped EXE
        
        PID:1544
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        16⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Executes dropped EXE
        
        PID:2152
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        17⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe" 2 2208 146640
        17⤵
        Executes dropped EXE
        
        PID:2108
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        18⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Executes dropped EXE
        
        PID:2664
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        19⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3568
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe" 2 3568 150593
        19⤵
        Executes dropped EXE
        
        PID:752
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        20⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Executes dropped EXE
        
        PID:1436
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        21⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2740
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe" 2 2740 160781
        21⤵
        Executes dropped EXE
        
        PID:3868
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        22⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Executes dropped EXE
        
        PID:2988
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        23⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe" 2 1984 164656
        23⤵
        Executes dropped EXE
        
        PID:3080
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        24⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Executes dropped EXE
        
        PID:1000
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        25⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Executes dropped EXE
        
        PID:704
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe" 2 704 168484
        25⤵
        Executes dropped EXE
        
        PID:1052
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        26⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Executes dropped EXE
        
        PID:864
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        27⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Executes dropped EXE
        
        PID:2052
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe" 2 2052 172656
        27⤵
        Executes dropped EXE
        
        PID:1416
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        28⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Executes dropped EXE
        
        PID:2164
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        29⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Executes dropped EXE
        
        PID:3856
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe" 2 3856 177062
        29⤵
        Executes dropped EXE
        
        PID:3556
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        30⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Executes dropped EXE
        
        PID:2664
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        31⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Executes dropped EXE
        
        PID:940
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe" 2 940 180937
        31⤵
        Executes dropped EXE
        
        PID:1240
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        32⤵
        Suspicious use of SetThreadContext
        Executes dropped EXE
        
        PID:1908
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        33⤵
        Suspicious use of SetThreadContext
        Executes dropped EXE
        
        PID:4008
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe" 2 4008 185500
        33⤵
        Executes dropped EXE
        
        PID:3244
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        34⤵
        Suspicious use of SetThreadContext
        Executes dropped EXE
        
        PID:3848
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        35⤵
        Suspicious use of SetThreadContext
        Executes dropped EXE
        
        PID:1824
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe" 2 1824 189343
        35⤵
        Executes dropped EXE
        
        PID:504
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        36⤵
        Suspicious use of SetThreadContext
        Executes dropped EXE
        
        PID:1148
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        37⤵
        Suspicious use of SetThreadContext
        Executes dropped EXE
        
        PID:1004
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe" 2 1004 193593
        37⤵
        Executes dropped EXE
        
        PID:908
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        38⤵
        Suspicious use of SetThreadContext
        Executes dropped EXE
        
        PID:512
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        39⤵
        Suspicious use of SetThreadContext
        Executes dropped EXE
        
        PID:1916
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe" 2 1916 197500
        39⤵
        Executes dropped EXE
        
        PID:1416
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        40⤵
        Suspicious use of SetThreadContext
        Executes dropped EXE
        
        PID:2152
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        41⤵
        Suspicious use of SetThreadContext
        Executes dropped EXE
        
        PID:3000
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe" 2 3000 207421
        41⤵
        Executes dropped EXE
        
        PID:2588
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        42⤵
        Suspicious use of SetThreadContext
        Executes dropped EXE
        
        PID:2880
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        43⤵
        Suspicious use of SetThreadContext
        Executes dropped EXE
        
        PID:1444
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe" 2 1444 211546
        43⤵
        Executes dropped EXE
        
        PID:3860
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        44⤵
        Suspicious use of SetThreadContext
        Executes dropped EXE
        
        PID:3840
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        45⤵
        Suspicious use of SetThreadContext
        Executes dropped EXE
        
        PID:3956
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe" 2 3956 215562
        45⤵
        Executes dropped EXE
        
        PID:3912
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        46⤵
        Suspicious use of SetThreadContext
        Executes dropped EXE
        
        PID:3396
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        47⤵
        Suspicious use of SetThreadContext
        
        PID:1276
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe" 2 1276 219468
        47⤵
        
        PID:3080
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        48⤵
        Suspicious use of SetThreadContext
        
        PID:1192
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        49⤵
        Suspicious use of SetThreadContext
        
        PID:1364
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe" 2 1364 223625
        49⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        50⤵
        Suspicious use of SetThreadContext
        
        PID:1132
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        51⤵
        Suspicious use of SetThreadContext
        
        PID:1408
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe" 2 1408 227625
        51⤵
        
        PID:1420
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        52⤵
        Suspicious use of SetThreadContext
        
        PID:3068
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        53⤵
        Suspicious use of SetThreadContext
        
        PID:2136
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe" 2 2136 231656
        53⤵
        
        PID:3808
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        54⤵
        Suspicious use of SetThreadContext
        
        PID:2412
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        55⤵
        Suspicious use of SetThreadContext
        
        PID:2488
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe" 2 2488 235562
        55⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        56⤵
        Suspicious use of SetThreadContext
        
        PID:3572
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        57⤵
        Suspicious use of SetThreadContext
        
        PID:1552
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe" 2 1552 239578
        57⤵
        
        PID:644
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        58⤵
        Suspicious use of SetThreadContext
        
        PID:4068
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        59⤵
        Suspicious use of SetThreadContext
        
        PID:500
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe" 2 500 243796
        59⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        60⤵
        Suspicious use of SetThreadContext
        
        PID:3888
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        61⤵
        Suspicious use of SetThreadContext
        
        PID:1420
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe" 2 1420 247703
        61⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        62⤵
        
        PID:3764
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe"
        63⤵
        
        PID:3864
        
        C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe
        
        "C:\Users\Admin\AppData\Roaming\gdher\fgtdhg.exe" 2 3864 251984
        63⤵
        
        PID:1320
- C:\Windows\SysWOW64\raserver.exe
  "C:\Windows\SysWOW64\raserver.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Adds policy Run key to start application
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Modifies Internet Explorer settings
  - Adds Run key to start application
  PID:372
- - C:\Windows\SysWOW64\cmd.exe
    /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
    3⤵
    PID:1788
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:2276
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1648
- C:\Windows\SysWOW64\ipconfig.exe
  "C:\Windows\SysWOW64\ipconfig.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Gathers network information
  PID:2792
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\SysWOW64\rundll32.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4040
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\SysWOW64\rundll32.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:360
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\SysWOW64\rundll32.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2056
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\SysWOW64\control.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2700
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1324
- C:\Windows\SysWOW64\systray.exe
  "C:\Windows\SysWOW64\systray.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3280
- C:\Windows\SysWOW64\raserver.exe
  "C:\Windows\SysWOW64\raserver.exe"
  2⤵
  PID:640
- C:\Windows\SysWOW64\msdt.exe
  "C:\Windows\SysWOW64\msdt.exe"
  2⤵
  PID:1176
- C:\Windows\SysWOW64\msdt.exe
  "C:\Windows\SysWOW64\msdt.exe"
  2⤵
  PID:1544
- C:\Windows\SysWOW64\help.exe
  "C:\Windows\SysWOW64\help.exe"
  2⤵
  PID:780
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\SysWOW64\explorer.exe"
  2⤵
  PID:1948
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\SysWOW64\netsh.exe"
  2⤵
  PID:3868
- C:\Windows\SysWOW64\raserver.exe
  "C:\Windows\SysWOW64\raserver.exe"
  2⤵
  PID:3724
- C:\Windows\SysWOW64\raserver.exe
  "C:\Windows\SysWOW64\raserver.exe"
  2⤵
  PID:864
- C:\Windows\SysWOW64\NETSTAT.EXE
  "C:\Windows\SysWOW64\NETSTAT.EXE"
  2⤵
  - Gathers network information
  PID:1500
- C:\Windows\SysWOW64\wlanext.exe
  "C:\Windows\SysWOW64\wlanext.exe"
  2⤵
  PID:496
- C:\Windows\SysWOW64\colorcpl.exe
  "C:\Windows\SysWOW64\colorcpl.exe"
  2⤵
  PID:1908
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\SysWOW64\wscript.exe"
  2⤵
  PID:3832
- C:\Windows\SysWOW64\colorcpl.exe
  "C:\Windows\SysWOW64\colorcpl.exe"
  2⤵
  PID:3664
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1660
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  PID:1912
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\SysWOW64\control.exe"
  2⤵
  PID:2500
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\SysWOW64\wscript.exe"
  2⤵
  PID:2000
- C:\Windows\SysWOW64\cmmon32.exe
  "C:\Windows\SysWOW64\cmmon32.exe"
  2⤵
  PID:1436
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\SysWOW64\netsh.exe"
  2⤵
  PID:3560
- C:\Windows\SysWOW64\cscript.exe
  "C:\Windows\SysWOW64\cscript.exe"
  2⤵
  PID:1660
- C:\Windows\SysWOW64\msdt.exe
  "C:\Windows\SysWOW64\msdt.exe"
  2⤵
  PID:2468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/360-61-0x0000000000E10000-0x0000000000E23000-memory.dmp

Filesize
76KB

Download
memory/360-60-0x0000000000E10000-0x0000000000E23000-memory.dmp

Filesize
76KB

Download
memory/372-10-0x00000000000F0000-0x000000000010F000-memory.dmp

Filesize
124KB

Download
memory/372-11-0x00000000000F0000-0x000000000010F000-memory.dmp

Filesize
124KB

Download
memory/372-43-0x0000000005F40000-0x000000000608E000-memory.dmp

Filesize
1.3MB

Download
memory/496-213-0x0000000000380000-0x0000000000397000-memory.dmp

Filesize
92KB

Download
memory/496-214-0x0000000000380000-0x0000000000397000-memory.dmp

Filesize
92KB

Download
memory/640-120-0x00000000000F0000-0x000000000010F000-memory.dmp

Filesize
124KB

Download
memory/640-119-0x00000000000F0000-0x000000000010F000-memory.dmp

Filesize
124KB

Download
memory/780-150-0x0000000001190000-0x0000000001197000-memory.dmp

Filesize
28KB

Download
memory/780-151-0x0000000001190000-0x0000000001197000-memory.dmp

Filesize
28KB

Download
memory/820-4-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/864-193-0x00000000000F0000-0x000000000010F000-memory.dmp

Filesize
124KB

Download
memory/864-194-0x00000000000F0000-0x000000000010F000-memory.dmp

Filesize
124KB

Download
memory/1176-129-0x0000000000D60000-0x0000000000ED3000-memory.dmp

Filesize
1.4MB

Download
memory/1176-133-0x0000000000D60000-0x0000000000ED3000-memory.dmp

Filesize
1.4MB

Download
memory/1324-97-0x0000000000200000-0x0000000000212000-memory.dmp

Filesize
72KB

Download
memory/1324-99-0x0000000000200000-0x0000000000212000-memory.dmp

Filesize
72KB

Download
memory/1436-287-0x0000000000B80000-0x0000000000B8C000-memory.dmp

Filesize
48KB

Download
memory/1436-288-0x0000000000B80000-0x0000000000B8C000-memory.dmp

Filesize
48KB

Download
memory/1500-203-0x0000000001150000-0x000000000115B000-memory.dmp

Filesize
44KB

Download
memory/1500-206-0x0000000001150000-0x000000000115B000-memory.dmp

Filesize
44KB

Download
memory/1544-139-0x0000000000D60000-0x0000000000ED3000-memory.dmp

Filesize
1.4MB

Download
memory/1544-141-0x0000000000D60000-0x0000000000ED3000-memory.dmp

Filesize
1.4MB

Download
memory/1648-24-0x0000000000200000-0x0000000000212000-memory.dmp

Filesize
72KB

Download
memory/1648-32-0x0000000000200000-0x0000000000212000-memory.dmp

Filesize
72KB

Download
memory/1660-310-0x0000000000930000-0x0000000000957000-memory.dmp

Filesize
156KB

Download
memory/1660-312-0x0000000000930000-0x0000000000957000-memory.dmp

Filesize
156KB

Download
memory/1908-224-0x00000000010A0000-0x00000000010B9000-memory.dmp

Filesize
100KB

Download
memory/1908-227-0x00000000010A0000-0x00000000010B9000-memory.dmp

Filesize
100KB

Download
memory/1912-257-0x0000000000200000-0x0000000000212000-memory.dmp

Filesize
72KB

Download
memory/1912-258-0x0000000000200000-0x0000000000212000-memory.dmp

Filesize
72KB

Download
memory/1948-167-0x0000000001370000-0x00000000017AF000-memory.dmp

Filesize
4.2MB

Download
memory/1948-160-0x0000000001370000-0x00000000017AF000-memory.dmp

Filesize
4.2MB

Download
memory/2000-278-0x0000000001260000-0x0000000001287000-memory.dmp

Filesize
156KB

Download
memory/2000-277-0x0000000001260000-0x0000000001287000-memory.dmp

Filesize
156KB

Download
memory/2056-71-0x0000000000E10000-0x0000000000E23000-memory.dmp

Filesize
76KB

Download
memory/2056-70-0x0000000000E10000-0x0000000000E23000-memory.dmp

Filesize
76KB

Download
memory/2276-58-0x00007FF77C310000-0x00007FF77C3A3000-memory.dmp

Filesize
588KB

Download
memory/2276-56-0x00007FF77C310000-0x00007FF77C3A3000-memory.dmp

Filesize
588KB

Download
memory/2276-57-0x00007FF77C310000-0x00007FF77C3A3000-memory.dmp

Filesize
588KB

Download
memory/2468-321-0x0000000000D60000-0x0000000000ED3000-memory.dmp

Filesize
1.4MB

Download
memory/2468-323-0x0000000000D60000-0x0000000000ED3000-memory.dmp

Filesize
1.4MB

Download
memory/2500-268-0x0000000001110000-0x0000000001130000-memory.dmp

Filesize
128KB

Download
memory/2500-267-0x0000000001110000-0x0000000001130000-memory.dmp

Filesize
128KB

Download
memory/2700-81-0x0000000001110000-0x0000000001130000-memory.dmp

Filesize
128KB

Download
memory/2700-83-0x0000000001110000-0x0000000001130000-memory.dmp

Filesize
128KB

Download
memory/2792-34-0x0000000000BA0000-0x0000000000BAB000-memory.dmp

Filesize
44KB

Download
memory/2792-37-0x0000000000BA0000-0x0000000000BAB000-memory.dmp

Filesize
44KB

Download
memory/3008-90-0x0000000006C00000-0x0000000006D7B000-memory.dmp

Filesize
1.5MB

Download
memory/3008-307-0x0000000008750000-0x0000000008841000-memory.dmp

Filesize
964KB

Download
memory/3008-19-0x0000000004C50000-0x0000000004D5C000-memory.dmp

Filesize
1.0MB

Download
memory/3008-180-0x0000000009240000-0x00000000093A6000-memory.dmp

Filesize
1.4MB

Download
memory/3008-148-0x00000000090E0000-0x0000000009236000-memory.dmp

Filesize
1.3MB

Download
memory/3008-296-0x000000000AB00000-0x000000000AC40000-memory.dmp

Filesize
1.2MB

Download
memory/3008-233-0x0000000009700000-0x000000000981B000-memory.dmp

Filesize
1.1MB

Download
memory/3008-169-0x0000000006D80000-0x0000000006E3F000-memory.dmp

Filesize
764KB

Download
memory/3008-191-0x0000000007500000-0x00000000075C1000-memory.dmp

Filesize
772KB

Download
memory/3280-109-0x0000000000F40000-0x0000000000F46000-memory.dmp

Filesize
24KB

Download
memory/3280-108-0x0000000000F40000-0x0000000000F46000-memory.dmp

Filesize
24KB

Download
memory/3560-298-0x0000000000E30000-0x0000000000E4E000-memory.dmp

Filesize
120KB

Download
memory/3560-299-0x0000000000E30000-0x0000000000E4E000-memory.dmp

Filesize
120KB

Download
memory/3664-247-0x00000000010A0000-0x00000000010B9000-memory.dmp

Filesize
100KB

Download
memory/3664-246-0x00000000010A0000-0x00000000010B9000-memory.dmp

Filesize
100KB

Download
memory/3724-182-0x00000000000F0000-0x000000000010F000-memory.dmp

Filesize
124KB

Download
memory/3724-183-0x00000000000F0000-0x000000000010F000-memory.dmp

Filesize
124KB

Download
memory/3832-236-0x0000000001260000-0x0000000001287000-memory.dmp

Filesize
156KB

Download
memory/3832-235-0x0000000001260000-0x0000000001287000-memory.dmp

Filesize
156KB

Download
memory/3868-171-0x0000000000E30000-0x0000000000E4E000-memory.dmp

Filesize
120KB

Download
memory/3868-172-0x0000000000E30000-0x0000000000E4E000-memory.dmp

Filesize
120KB

Download
memory/4040-45-0x0000000000E10000-0x0000000000E23000-memory.dmp

Filesize
76KB

Download
memory/4040-48-0x0000000000E10000-0x0000000000E23000-memory.dmp

Filesize
76KB

Download