xtremerat | f8a7c578d72778843b9f17a61e4f4ccaf1df6e580674e6322c461ed392e384fb

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
14/07/2024, 18:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe
Size

1.1MB
MD5

46f2fc50ccc3005e3f7fd4719a86e3d4
SHA1

e91f34cd9c8b73c2a06e084c3f371979362d35fd
SHA256

f8a7c578d72778843b9f17a61e4f4ccaf1df6e580674e6322c461ed392e384fb
SHA512

3a3cb047b6abd76bf726e04c4ace9c23c43aa8a9bb88df0c87e3b85ced196114d6984eb9b3bfd2614f7aa5dd3b0fa5182b0d3708dd8e06187a6bb78b162dfe93
SSDEEP

24576:ZNLo217GSEffKfkIJrTlQdfH3aygWXWx3gE4gNGr8:ZNLo217VBNvlOqIW3fNGr8

Score

10^/10

xtremerat persistence rat spyware

Malware Config

Extracted

Family

xtremerat

bbebbo.no-ip.org

Signatures

Detect XtremeRAT payload 4 IoCs

resource	yara_rule
behavioral1/memory/2580-9-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2580-11-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2580-10-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2220-21-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 64 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Gamdsz.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Gamdsz.exe restart"	Gamdsz.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Gamdsz.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\InstallDir\\Gamdsz.exe restart"	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Gamdsz.exe restart"	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Gamdsz.exe restart"	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Gamdsz.exe restart"	Gamdsz.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Gamdsz.exe restart"	Gamdsz.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\InstallDir\\Gamdsz.exe restart"	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Gamdsz.exe restart"	Gamdsz.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Gamdsz.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Gamdsz.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Gamdsz.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Gamdsz.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Gamdsz.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\InstallDir\\Gamdsz.exe restart"	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Gamdsz.exe restart"	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\InstallDir\\Gamdsz.exe restart"	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Gamdsz.exe restart"	Gamdsz.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Gamdsz.exe restart"	Gamdsz.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Gamdsz.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\InstallDir\\Gamdsz.exe restart"	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Gamdsz.exe restart"	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Gamdsz.exe restart"	Gamdsz.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Gamdsz.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Gamdsz.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Gamdsz.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Gamdsz.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Gamdsz.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\InstallDir\\Gamdsz.exe restart"	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Gamdsz.exe restart"	Gamdsz.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\InstallDir\\Gamdsz.exe restart"	Gamdsz.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Gamdsz.exe restart"	Gamdsz.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\InstallDir\\Gamdsz.exe restart"	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Gamdsz.exe restart"	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\InstallDir\\Gamdsz.exe restart"	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Gamdsz.exe restart"	Gamdsz.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Gamdsz.exe restart"	Gamdsz.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Gamdsz.exe restart"	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Gamdsz.exe restart"	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Gamdsz.exe restart"	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\InstallDir\\Gamdsz.exe restart"	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Gamdsz.exe restart"	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Gamdsz.exe restart"	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Gamdsz.exe restart"	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\SysWOW64\\InstallDir\\Gamdsz.exe restart"	Gamdsz.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Gamdsz.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Gamdsz.exe restart"	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Gamdsz.exe restart"	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Gamdsz.exe restart"	Gamdsz.exe

Executes dropped EXE 64 IoCs

pid	Process
2732	Gamdsz.exe
2904	Gamdsz.exe
680	Gamdsz.exe
1500	Gamdsz.exe
332	Gamdsz.exe
268	Gamdsz.exe
2972	Gamdsz.exe
2984	Gamdsz.exe
1992	Gamdsz.exe
836	Gamdsz.exe
1364	Gamdsz.exe
828	Gamdsz.exe
960	Gamdsz.exe
2428	Gamdsz.exe
3068	Gamdsz.exe
1676	Gamdsz.exe
472	Gamdsz.exe
1644	Gamdsz.exe
2844	Gamdsz.exe
1936	Gamdsz.exe
2960	Gamdsz.exe
1700	Gamdsz.exe
2920	Gamdsz.exe
1168	Gamdsz.exe
1372	Gamdsz.exe
2668	Gamdsz.exe
3012	Gamdsz.exe
2248	Gamdsz.exe
2160	Gamdsz.exe
916	Gamdsz.exe
1656	Gamdsz.exe
3016	Gamdsz.exe
1504	Gamdsz.exe
1480	Gamdsz.exe
2520	Gamdsz.exe
2928	Gamdsz.exe
332	Gamdsz.exe
2696	Gamdsz.exe
2984	Gamdsz.exe
2404	Gamdsz.exe
3036	Gamdsz.exe
1656	Gamdsz.exe
2340	Gamdsz.exe
912	Gamdsz.exe
2076	Gamdsz.exe
1936	Gamdsz.exe
572	Gamdsz.exe
2080	Gamdsz.exe
2668	Gamdsz.exe
2788	Gamdsz.exe
2380	Gamdsz.exe
2768	Gamdsz.exe
2604	Gamdsz.exe
3092	Gamdsz.exe
3248	Gamdsz.exe
3268	Gamdsz.exe
3344	Gamdsz.exe
3364	Gamdsz.exe
3416	Gamdsz.exe
3436	Gamdsz.exe
3552	Gamdsz.exe
3572	Gamdsz.exe
3700	Gamdsz.exe
3732	Gamdsz.exe

Loads dropped DLL 64 IoCs

pid	Process
2580	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe
2580	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe
2904	Gamdsz.exe
2904	Gamdsz.exe
2220	svchost.exe
2220	svchost.exe
1500	Gamdsz.exe
1500	Gamdsz.exe
2220	svchost.exe
2220	svchost.exe
2984	Gamdsz.exe
836	Gamdsz.exe
828	Gamdsz.exe
1644	Gamdsz.exe
1644	Gamdsz.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2248	Gamdsz.exe
916	Gamdsz.exe
2220	svchost.exe
2220	svchost.exe
2928	Gamdsz.exe
2928	Gamdsz.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2768	Gamdsz.exe
3092	Gamdsz.exe
2220	svchost.exe
2220	svchost.exe
3572	Gamdsz.exe
2220	svchost.exe
2220	svchost.exe
3948	Gamdsz.exe
2220	svchost.exe
2220	svchost.exe
3428	Gamdsz.exe
2220	svchost.exe
2220	svchost.exe
3940	Gamdsz.exe
2220	svchost.exe
2220	svchost.exe
3716	Gamdsz.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
3356	Gamdsz.exe
3740	Gamdsz.exe
3428	Gamdsz.exe
3428	Gamdsz.exe
2220	svchost.exe
2220	svchost.exe
4140	Gamdsz.exe
4140	Gamdsz.exe
4464	Gamdsz.exe
4564	Gamdsz.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Gamdsz.exe"	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Gamdsz.exe"	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Gamdsz.exe"	Gamdsz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\InstallDir\\Gamdsz.exe"	Gamdsz.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File created	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File created	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File created	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File created	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File created	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File created	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File created	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File created	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File created	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File created	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File created	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File created	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File created	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File created	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File created	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File created	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File created	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File created	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File created	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File created	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File created	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File created	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File created	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe
File created	C:\Windows\SysWOW64\InstallDir\Gamdsz.exe	Gamdsz.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 2116 set thread context of 2580	2116	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	30
PID 2732 set thread context of 2904	2732	Gamdsz.exe	41
PID 680 set thread context of 1500	680	Gamdsz.exe	52
PID 332 set thread context of 268	332	Gamdsz.exe	55
PID 2972 set thread context of 2984	2972	Gamdsz.exe	71
PID 1992 set thread context of 836	1992	Gamdsz.exe	75
PID 1364 set thread context of 828	1364	Gamdsz.exe	78
PID 960 set thread context of 2428	960	Gamdsz.exe	100
PID 3068 set thread context of 1676	3068	Gamdsz.exe	104
PID 472 set thread context of 1644	472	Gamdsz.exe	108
PID 2844 set thread context of 1936	2844	Gamdsz.exe	130
PID 2960 set thread context of 1700	2960	Gamdsz.exe	134
PID 2920 set thread context of 1168	2920	Gamdsz.exe	138
PID 1372 set thread context of 2668	1372	Gamdsz.exe	141
PID 3012 set thread context of 2248	3012	Gamdsz.exe	158
PID 2160 set thread context of 916	2160	Gamdsz.exe	161
PID 1656 set thread context of 3016	1656	Gamdsz.exe	164
PID 1504 set thread context of 1480	1504	Gamdsz.exe	187
PID 2520 set thread context of 2928	2520	Gamdsz.exe	190
PID 332 set thread context of 2696	332	Gamdsz.exe	193
PID 2984 set thread context of 2404	2984	Gamdsz.exe	210
PID 3036 set thread context of 1656	3036	Gamdsz.exe	213
PID 2340 set thread context of 912	2340	Gamdsz.exe	218
PID 2076 set thread context of 1936	2076	Gamdsz.exe	238
PID 572 set thread context of 2080	572	Gamdsz.exe	241
PID 2668 set thread context of 2788	2668	Gamdsz.exe	246
PID 2380 set thread context of 2768	2380	Gamdsz.exe	260
PID 2604 set thread context of 3092	2604	Gamdsz.exe	266
PID 3248 set thread context of 3268	3248	Gamdsz.exe	280
PID 3344 set thread context of 3364	3344	Gamdsz.exe	286
PID 3416 set thread context of 3436	3416	Gamdsz.exe	289
PID 3552 set thread context of 3572	3552	Gamdsz.exe	299
PID 3700 set thread context of 3732	3700	Gamdsz.exe	309
PID 3784 set thread context of 3804	3784	Gamdsz.exe	312
PID 3928 set thread context of 3948	3928	Gamdsz.exe	322
PID 4088 set thread context of 3080	4088	Gamdsz.exe	332
PID 1532 set thread context of 3256	1532	Gamdsz.exe	335
PID 3292 set thread context of 3428	3292	Gamdsz.exe	345
PID 3608 set thread context of 3576	3608	Gamdsz.exe	355
PID 3672 set thread context of 3800	3672	Gamdsz.exe	358
PID 3824 set thread context of 3940	3824	Gamdsz.exe	368
PID 4092 set thread context of 1204	4092	Gamdsz.exe	378
PID 3104 set thread context of 3112	3104	Gamdsz.exe	381
PID 3600 set thread context of 3716	3600	Gamdsz.exe	391
PID 3808 set thread context of 3968	3808	Gamdsz.exe	401
PID 3088 set thread context of 1512	3088	Gamdsz.exe	404
PID 3444 set thread context of 3356	3444	Gamdsz.exe	414
PID 3712 set thread context of 3740	3712	Gamdsz.exe	417
PID 3452 set thread context of 3444	3452	Gamdsz.exe	433
PID 3824 set thread context of 3428	3824	Gamdsz.exe	437
PID 4120 set thread context of 4140	4120	Gamdsz.exe	453
PID 4200 set thread context of 4220	4200	Gamdsz.exe	457
PID 4276 set thread context of 4296	4276	Gamdsz.exe	461
PID 4444 set thread context of 4464	4444	Gamdsz.exe	475
PID 4544 set thread context of 4564	4544	Gamdsz.exe	481
PID 4720 set thread context of 4740	4720	Gamdsz.exe	495
PID 4812 set thread context of 4832	4812	Gamdsz.exe	501
PID 4892 set thread context of 4912	4892	Gamdsz.exe	505
PID 5044 set thread context of 5064	5044	Gamdsz.exe	517
PID 4124 set thread context of 4180	4124	Gamdsz.exe	525
PID 4204 set thread context of 4284	4204	Gamdsz.exe	528
PID 4548 set thread context of 4600	4548	Gamdsz.exe	544
PID 4736 set thread context of 4748	4736	Gamdsz.exe	547
PID 4740 set thread context of 5076	4740	Gamdsz.exe	563

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2116	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe
2732	Gamdsz.exe
680	Gamdsz.exe
332	Gamdsz.exe
2972	Gamdsz.exe
1992	Gamdsz.exe
1364	Gamdsz.exe
960	Gamdsz.exe
3068	Gamdsz.exe
472	Gamdsz.exe
2844	Gamdsz.exe
2960	Gamdsz.exe
2920	Gamdsz.exe
1372	Gamdsz.exe
3012	Gamdsz.exe
2160	Gamdsz.exe
1656	Gamdsz.exe
1504	Gamdsz.exe
2520	Gamdsz.exe
332	Gamdsz.exe
2984	Gamdsz.exe
3036	Gamdsz.exe
2340	Gamdsz.exe
2076	Gamdsz.exe
572	Gamdsz.exe
2668	Gamdsz.exe
2380	Gamdsz.exe
2604	Gamdsz.exe
3248	Gamdsz.exe
3344	Gamdsz.exe
3416	Gamdsz.exe
3552	Gamdsz.exe
3700	Gamdsz.exe
3784	Gamdsz.exe
3928	Gamdsz.exe
4088	Gamdsz.exe
1532	Gamdsz.exe
3292	Gamdsz.exe
3608	Gamdsz.exe
3672	Gamdsz.exe
3824	Gamdsz.exe
4092	Gamdsz.exe
3104	Gamdsz.exe
3600	Gamdsz.exe
3808	Gamdsz.exe
3088	Gamdsz.exe
3444	Gamdsz.exe
3712	Gamdsz.exe
3452	Gamdsz.exe
3824	Gamdsz.exe
4120	Gamdsz.exe
4200	Gamdsz.exe
4276	Gamdsz.exe
4444	Gamdsz.exe
4544	Gamdsz.exe
4720	Gamdsz.exe
4812	Gamdsz.exe
4892	Gamdsz.exe
5044	Gamdsz.exe
4124	Gamdsz.exe
4204	Gamdsz.exe
4548	Gamdsz.exe
4736	Gamdsz.exe
4740	Gamdsz.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2580	2116	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	30
PID 2116 wrote to memory of 2580	2116	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	30
PID 2116 wrote to memory of 2580	2116	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	30
PID 2116 wrote to memory of 2580	2116	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	30
PID 2116 wrote to memory of 2580	2116	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	30
PID 2116 wrote to memory of 2580	2116	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	30
PID 2116 wrote to memory of 2580	2116	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	30
PID 2116 wrote to memory of 2580	2116	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	30
PID 2116 wrote to memory of 2580	2116	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	30
PID 2116 wrote to memory of 2580	2116	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	30
PID 2116 wrote to memory of 2580	2116	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	30
PID 2116 wrote to memory of 2580	2116	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	30
PID 2116 wrote to memory of 2580	2116	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	30
PID 2116 wrote to memory of 2580	2116	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	30
PID 2580 wrote to memory of 2220	2580	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	31
PID 2580 wrote to memory of 2220	2580	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	31
PID 2580 wrote to memory of 2220	2580	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	31
PID 2580 wrote to memory of 2220	2580	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	31
PID 2580 wrote to memory of 2220	2580	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	31
PID 2580 wrote to memory of 2440	2580	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	32
PID 2580 wrote to memory of 2440	2580	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	32
PID 2580 wrote to memory of 2440	2580	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	32
PID 2580 wrote to memory of 2440	2580	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	32
PID 2580 wrote to memory of 2440	2580	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	32
PID 2580 wrote to memory of 2736	2580	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	33
PID 2580 wrote to memory of 2736	2580	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	33
PID 2580 wrote to memory of 2736	2580	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	33
PID 2580 wrote to memory of 2736	2580	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	33
PID 2580 wrote to memory of 2736	2580	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	33
PID 2580 wrote to memory of 2864	2580	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	34
PID 2580 wrote to memory of 2864	2580	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	34
PID 2580 wrote to memory of 2864	2580	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	34
PID 2580 wrote to memory of 2864	2580	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	34
PID 2580 wrote to memory of 2864	2580	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	34
PID 2580 wrote to memory of 2840	2580	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	35
PID 2580 wrote to memory of 2840	2580	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	35
PID 2580 wrote to memory of 2840	2580	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	35
PID 2580 wrote to memory of 2840	2580	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	35
PID 2580 wrote to memory of 2840	2580	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	35
PID 2580 wrote to memory of 3008	2580	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	36
PID 2580 wrote to memory of 3008	2580	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	36
PID 2580 wrote to memory of 3008	2580	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	36
PID 2580 wrote to memory of 3008	2580	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	36
PID 2580 wrote to memory of 3008	2580	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	36
PID 2580 wrote to memory of 2760	2580	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	37
PID 2580 wrote to memory of 2760	2580	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	37
PID 2580 wrote to memory of 2760	2580	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	37
PID 2580 wrote to memory of 2760	2580	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	37
PID 2580 wrote to memory of 2760	2580	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	37
PID 2580 wrote to memory of 1236	2580	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	38
PID 2580 wrote to memory of 1236	2580	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	38
PID 2580 wrote to memory of 1236	2580	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	38
PID 2580 wrote to memory of 1236	2580	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	38
PID 2580 wrote to memory of 1236	2580	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	38
PID 2580 wrote to memory of 2288	2580	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	39
PID 2580 wrote to memory of 2288	2580	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	39
PID 2580 wrote to memory of 2288	2580	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	39
PID 2580 wrote to memory of 2288	2580	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	39
PID 2580 wrote to memory of 2732	2580	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	40
PID 2580 wrote to memory of 2732	2580	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	40
PID 2580 wrote to memory of 2732	2580	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	40
PID 2580 wrote to memory of 2732	2580	46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe	40
PID 2732 wrote to memory of 2904	2732	Gamdsz.exe	41
PID 2732 wrote to memory of 2904	2732	Gamdsz.exe	41

C:\Users\Admin\AppData\Local\Temp\46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Users\Admin\AppData\Local\Temp\46f2fc50ccc3005e3f7fd4719a86e3d4_JaffaCakes118.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Loads dropped DLL
    PID:2220
  - - C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
      "C:\Windows\system32\InstallDir\Gamdsz.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:332
    - - C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        5⤵
        Executes dropped EXE
        
        PID:268
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1756
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1980
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:768
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2452
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1684
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1932
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1916
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2492
      - C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        "C:\Windows\SysWOW64\InstallDir\Gamdsz.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1992
        
        C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:836
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2980
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1408
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1164
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1216
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1052
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2484
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1780
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3068
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe
        
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1676
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2260
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2120
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1956
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2532
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2096
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2056
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2196
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2960
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe
        
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1700
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1120
  - - C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
      "C:\Windows\system32\InstallDir\Gamdsz.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:1364
    - - C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:828
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:964
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1076
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1920
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1792
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1212
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1376
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1544
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2572
      - C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:472
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe
        
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1644
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2364
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1608
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1996
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1192
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2692
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2000
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2752
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        "C:\Windows\system32\InstallDir\Gamdsz.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2920
        
        C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1168
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2516
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2456
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:264
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2252
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2360
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1824
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:660
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        "C:\Windows\SysWOW64\InstallDir\Gamdsz.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3012
        
        C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2248
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2212
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1628
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:556
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2580
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2852
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2896
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2232
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1504
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe
        
        13⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1480
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1868
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2684
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:992
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2184
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1516
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3012
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2984
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe
        
        15⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2404
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:1564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:2348
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:2520
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3016
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:2796
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:1556
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:2308
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2076
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe
        
        17⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1936
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:472
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:2744
  - - C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
      "C:\Windows\system32\InstallDir\Gamdsz.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:1372
    - - C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2668
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2328
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2016
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1864
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2264
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1852
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2028
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2432
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1632
      - C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        "C:\Windows\SysWOW64\InstallDir\Gamdsz.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2160
        
        C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:916
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2012
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:884
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1612
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2428
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2612
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2628
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:716
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2520
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe
        
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2928
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1836
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2228
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2672
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2956
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1168
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1812
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2320
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        "C:\Windows\system32\InstallDir\Gamdsz.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3036
        
        C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1656
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2424
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1504
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1044
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1292
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2964
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2500
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1652
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:932
        
        C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        "C:\Windows\SysWOW64\InstallDir\Gamdsz.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:572
        
        C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        13⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2080
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1488
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2588
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1740
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:912
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:788
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2624
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:836
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        "C:\Windows\SysWOW64\InstallDir\Gamdsz.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2380
        
        C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2768
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:2080
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:1720
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3148
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3164
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3184
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3200
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3220
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3236
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3248
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe
        
        17⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3268
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:3304
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:3324
  - - C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
      "C:\Windows\system32\InstallDir\Gamdsz.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:1656
    - - C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3016
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1808
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2548
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2280
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2632
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2996
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2732
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2072
  - - C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
      "C:\Windows\system32\InstallDir\Gamdsz.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:332
    - - C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2696
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1648
  - - C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
      "C:\Windows\system32\InstallDir\Gamdsz.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:2340
    - - C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:912
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:400
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:828
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:584
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1800
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2916
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2812
  - - C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
      "C:\Windows\system32\InstallDir\Gamdsz.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:2668
    - - C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2788
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1656
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2592
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2408
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2284
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:960
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:588
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3040
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2476
      - C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        "C:\Windows\SysWOW64\InstallDir\Gamdsz.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2604
        
        C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:3092
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3128
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3156
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3172
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3192
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3208
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3228
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3312
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3332
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3344
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe
        
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3364
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3404
  - - C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
      "C:\Windows\system32\InstallDir\Gamdsz.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:3416
    - - C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3436
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3468
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3480
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3492
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3500
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3512
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3520
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3532
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3540
      - C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        "C:\Windows\SysWOW64\InstallDir\Gamdsz.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3552
        
        C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3572
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3612
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3624
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3636
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3644
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3656
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3664
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3676
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3684
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3700
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe
        
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3732
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3768
  - - C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
      "C:\Windows\system32\InstallDir\Gamdsz.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:3784
    - - C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3804
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3840
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3848
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3864
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3872
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3888
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3896
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3908
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3916
      - C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        "C:\Windows\SysWOW64\InstallDir\Gamdsz.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3928
        
        C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        7⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:3948
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3992
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4000
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4012
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4020
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4032
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4040
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4052
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe"
        8⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4088
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe
        
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in System32 directory
        
        PID:3080
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3144
  - - C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
      "C:\Windows\system32\InstallDir\Gamdsz.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:1532
    - - C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:3256
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3216
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3140
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3340
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3092
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3360
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3344
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3380
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3396
      - C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        "C:\Windows\SysWOW64\InstallDir\Gamdsz.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3292
        
        C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        7⤵
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3428
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3368
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3412
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3528
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3456
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3436
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3584
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe"
        8⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3608
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe
        
        9⤵
        Adds Run key to start application
        
        PID:3576
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3744
  - - C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
      "C:\Windows\system32\InstallDir\Gamdsz.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:3672
    - - C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in System32 directory
        
        PID:3800
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3752
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3732
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3064
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2324
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3052
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2176
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2112
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3880
      - C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        "C:\Windows\SysWOW64\InstallDir\Gamdsz.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3824
        
        C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3940
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4008
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4064
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2168
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:924
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4080
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3948
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2904
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe"
        8⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4092
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe
        
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1204
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2664
  - - C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
      "C:\Windows\system32\InstallDir\Gamdsz.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:3104
    - - C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3112
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3272
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3288
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3420
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3464
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3416
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3440
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3432
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3632
      - C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        "C:\Windows\SysWOW64\InstallDir\Gamdsz.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3600
        
        C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3716
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3812
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3756
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3836
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3700
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3576
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1156
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2804
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3820
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe"
        8⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3808
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe
        
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:3968
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3944
  - - C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
      "C:\Windows\system32\InstallDir\Gamdsz.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:3088
    - - C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1512
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3080
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2604
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3376
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3256
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2340
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3244
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2420
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2296
      - C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        "C:\Windows\SysWOW64\InstallDir\Gamdsz.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3444
        
        C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:3356
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3760
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3808
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3964
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3116
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3280
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3984
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3108
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe"
        8⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3452
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe
        
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3444
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3592
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3452
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3724
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3716
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1936
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1512
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1380
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4108
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe"
        10⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4120
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe
        
        11⤵
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4140
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4184
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4268
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4340
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4360
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4376
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4396
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4412
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        "C:\Windows\system32\InstallDir\Gamdsz.exe"
        12⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4444
        
        C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        13⤵
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:4464
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4512
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4528
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4612
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4628
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4652
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4668
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4688
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe"
        14⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4720
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe
        
        15⤵
        Adds Run key to start application
        
        PID:4740
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4780
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4800
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4884
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4956
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4976
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4992
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:5012
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe"
        16⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:5044
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe
        
        17⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:5064
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:5108
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4116
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4136
  - - C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
      "C:\Windows\system32\InstallDir\Gamdsz.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:3712
    - - C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:3740
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3932
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:940
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3120
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3088
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3100
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3076
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3252
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3792
      - C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3824
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe
        
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3428
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3384
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3580
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3936
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3596
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3608
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3400
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4100
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        "C:\Windows\system32\InstallDir\Gamdsz.exe"
        8⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4200
        
        C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        9⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4220
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4256
  - - C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
      "C:\Windows\system32\InstallDir\Gamdsz.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:4276
    - - C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4296
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4328
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4348
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4368
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4384
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4404
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4420
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4484
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4520
      - C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        "C:\Windows\SysWOW64\InstallDir\Gamdsz.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4544
        
        C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4604
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4620
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4644
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4660
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4680
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4696
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4760
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe"
        8⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4812
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe
        
        9⤵
        Adds Run key to start application
        
        PID:4832
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4872
  - - C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
      "C:\Windows\system32\InstallDir\Gamdsz.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:4892
    - - C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in System32 directory
        
        PID:4912
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4944
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4964
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4984
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5000
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5020
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5080
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3712
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3444
      - C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        "C:\Windows\SysWOW64\InstallDir\Gamdsz.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4124
        
        C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4180
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4228
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4220
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4144
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4452
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4444
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4504
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4316
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        "C:\Windows\SysWOW64\InstallDir\Gamdsz.exe"
        8⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4548
        
        C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        9⤵
        Drops file in System32 directory
        
        PID:4600
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4468
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4588
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4816
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4868
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4896
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4936
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4836
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe"
        10⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4740
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe
        
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5076
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4952
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4252
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4576
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4492
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4284
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4736
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4848
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe"
        12⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe
        
        13⤵
        
        PID:5092
  - - C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
      "C:\Windows\system32\InstallDir\Gamdsz.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:4204
    - - C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4284
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4244
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4392
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4192
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4472
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4476
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4428
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4540
  - - C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
      "C:\Windows\system32\InstallDir\Gamdsz.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:4736
    - - C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4748
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4828
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4860
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4904
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4928
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4880
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4972
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4768
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4912
      - C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe"
        6⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe
        
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:3600
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4280
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4544
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4308
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4720
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4808
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4640
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5060
  - - C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
      "C:\Windows\system32\InstallDir\Gamdsz.exe"
      4⤵
      PID:5116
    - - C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        5⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4356
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4572
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:448
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4312
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4776
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4820
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4744
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2440
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2736
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2864
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2840
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:3008
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2760
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1236
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2288
- - C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
    "C:\Windows\system32\InstallDir\Gamdsz.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      PID:2904
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2828
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2652
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2888
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2608
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2616
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2648
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2208
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2164
    - - C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:680
      - C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe
        
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1500
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2144
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:444
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1948
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2448
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1696
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2936
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:764
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        "C:\Windows\system32\InstallDir\Gamdsz.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2972
        
        C:\Windows\SysWOW64\InstallDir\Gamdsz.exe
        
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2984
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2216
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2584
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1624
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1680
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1728
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2136
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:352
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:960
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe
        
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2428
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2416
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2004
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1604
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1304
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1320
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2116
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2560
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe
        
        "C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2844
        
        C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe
        
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1936
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\InstallDir\Gamdsz.exe

Filesize
64KB

MD5
0f56c782627d30a57bba99080332ff38

SHA1
0c0521071e8be7c18f963770ee23ed6714ed3e34

SHA256
a3c030d16a1f845369397712ba1076a3b829d4312391a69759e6825ef6832fc3

SHA512
36713032adfb41e858f49f24359f66519191363eee3565ea18fa52fa5ed845f589d2861ff224a00d9657feb9d80096201f0a42e64d5f07558da80863a12dc2bc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg

Filesize
1KB

MD5
7c742b66e7f04bb770a5fb4ffe26e83a

SHA1
eca02140268f17cd3806961e8aa71200839b49e2

SHA256
4701128f6a568118e43feb4e61e278c91c076526e32fe065c9c506c20624bebd

SHA512
a7f55b3c537878063d01c5842846ab754965da3fc81738cef135a2767839b1bc6e057fa2c8599f3215cb583d241fbfc90b70fdd2bbd3baaada0afa5cb7c17259

Download Submit
C:\Windows\SysWOW64\InstallDir\Gamdsz.exe

Filesize
384KB

MD5
44eae88895ea1bc0c29dfa1e141c58db

SHA1
0eef4fb3d4d5c118756ac54c48b11e55a878b15b

SHA256
76c9fdbfc42e067572fd2e95054a26ea563bc5401c4404167d4bbebc9a7dacf2

SHA512
271dc40371daee7cedb3035e44ab2a5b8c07ae718652bcf8e7f9545b750cd47a3faf204937d052060af0f02b28397341283151741c3011101b86a2793a649bd0

Download Submit
C:\Windows\SysWOW64\InstallDir\Gamdsz.exe

Filesize
1.1MB

MD5
46f2fc50ccc3005e3f7fd4719a86e3d4

SHA1
e91f34cd9c8b73c2a06e084c3f371979362d35fd

SHA256
f8a7c578d72778843b9f17a61e4f4ccaf1df6e580674e6322c461ed392e384fb

SHA512
3a3cb047b6abd76bf726e04c4ace9c23c43aa8a9bb88df0c87e3b85ced196114d6984eb9b3bfd2614f7aa5dd3b0fa5182b0d3708dd8e06187a6bb78b162dfe93

Download Submit
memory/332-70-0x0000000000400000-0x0000000000633000-memory.dmp

Filesize
2.2MB

Download
memory/332-76-0x0000000000400000-0x0000000000633000-memory.dmp

Filesize
2.2MB

Download
memory/472-141-0x0000000000400000-0x0000000000633000-memory.dmp

Filesize
2.2MB

Download
memory/472-146-0x0000000000400000-0x0000000000633000-memory.dmp

Filesize
2.2MB

Download
memory/680-62-0x0000000000400000-0x0000000000633000-memory.dmp

Filesize
2.2MB

Download
memory/680-56-0x0000000000400000-0x0000000000633000-memory.dmp

Filesize
2.2MB

Download
memory/960-119-0x0000000000400000-0x0000000000633000-memory.dmp

Filesize
2.2MB

Download
memory/960-124-0x0000000000400000-0x0000000000633000-memory.dmp

Filesize
2.2MB

Download
memory/1364-105-0x0000000000400000-0x0000000000633000-memory.dmp

Filesize
2.2MB

Download
memory/1364-110-0x0000000000400000-0x0000000000633000-memory.dmp

Filesize
2.2MB

Download
memory/1372-197-0x0000000000400000-0x0000000000633000-memory.dmp

Filesize
2.2MB

Download
memory/1372-191-0x0000000000400000-0x0000000000633000-memory.dmp

Filesize
2.2MB

Download
memory/1992-92-0x0000000000400000-0x0000000000633000-memory.dmp

Filesize
2.2MB

Download
memory/1992-97-0x0000000000400000-0x0000000000633000-memory.dmp

Filesize
2.2MB

Download
memory/2116-3-0x00000000021F0000-0x0000000002200000-memory.dmp

Filesize
64KB

Download
memory/2116-13-0x0000000000260000-0x00000000002AE000-memory.dmp

Filesize
312KB

Download
memory/2116-2-0x0000000000400000-0x0000000000633000-memory.dmp

Filesize
2.2MB

Download
memory/2116-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2116-12-0x0000000000400000-0x0000000000633000-memory.dmp

Filesize
2.2MB

Download
memory/2116-14-0x0000000075130000-0x0000000075240000-memory.dmp

Filesize
1.1MB

Download
memory/2116-4-0x00000000772F0000-0x00000000772F1000-memory.dmp

Filesize
4KB

Download
memory/2116-5-0x0000000075141000-0x0000000075142000-memory.dmp

Filesize
4KB

Download
memory/2116-6-0x0000000075130000-0x0000000075240000-memory.dmp

Filesize
1.1MB

Download
memory/2116-1-0x0000000000260000-0x00000000002AE000-memory.dmp

Filesize
312KB

Download
memory/2220-21-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2220-20-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2580-26-0x0000000075130000-0x0000000075240000-memory.dmp

Filesize
1.1MB

Download
memory/2580-9-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2580-11-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2580-10-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2580-15-0x0000000075130000-0x0000000075240000-memory.dmp

Filesize
1.1MB

Download
memory/2732-29-0x0000000075130000-0x0000000075240000-memory.dmp

Filesize
1.1MB

Download
memory/2732-30-0x0000000075130000-0x0000000075240000-memory.dmp

Filesize
1.1MB

Download
memory/2732-42-0x0000000000400000-0x0000000000633000-memory.dmp

Filesize
2.2MB

Download
memory/2732-36-0x0000000075130000-0x0000000075240000-memory.dmp

Filesize
1.1MB

Download
memory/2732-37-0x0000000075130000-0x0000000075240000-memory.dmp

Filesize
1.1MB

Download
memory/2732-35-0x0000000075130000-0x0000000075240000-memory.dmp

Filesize
1.1MB

Download
memory/2732-28-0x0000000075130000-0x0000000075240000-memory.dmp

Filesize
1.1MB

Download
memory/2732-31-0x0000000075130000-0x0000000075240000-memory.dmp

Filesize
1.1MB

Download
memory/2732-44-0x0000000075130000-0x0000000075240000-memory.dmp

Filesize
1.1MB

Download
memory/2732-34-0x0000000075130000-0x0000000075240000-memory.dmp

Filesize
1.1MB

Download
memory/2732-27-0x0000000000400000-0x0000000000633000-memory.dmp

Filesize
2.2MB

Download
memory/2732-32-0x0000000075130000-0x0000000075240000-memory.dmp

Filesize
1.1MB

Download
memory/2732-33-0x0000000075130000-0x0000000075240000-memory.dmp

Filesize
1.1MB

Download
memory/2844-152-0x0000000000400000-0x0000000000633000-memory.dmp

Filesize
2.2MB

Download
memory/2920-184-0x0000000000400000-0x0000000000633000-memory.dmp

Filesize
2.2MB

Download
memory/2920-179-0x0000000000400000-0x0000000000633000-memory.dmp

Filesize
2.2MB

Download
memory/2960-165-0x0000000000400000-0x0000000000633000-memory.dmp

Filesize
2.2MB

Download
memory/2972-81-0x0000000000400000-0x0000000000633000-memory.dmp

Filesize
2.2MB

Download
memory/2972-87-0x0000000000400000-0x0000000000633000-memory.dmp

Filesize
2.2MB

Download
memory/3012-200-0x0000000000400000-0x0000000000633000-memory.dmp

Filesize
2.2MB

Download
memory/3012-206-0x0000000000400000-0x0000000000633000-memory.dmp

Filesize
2.2MB

Download
memory/3068-135-0x0000000000400000-0x0000000000633000-memory.dmp

Filesize
2.2MB

Download
memory/3068-131-0x0000000000400000-0x0000000000633000-memory.dmp

Filesize
2.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads