2d6c318fff9788e303fa7445ea97b75eef6e6a2a5e95ab388ef0f86391379da4

Analysis

max time kernel
122s
max time network
132s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07/03/2024, 18:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d6c318fff9788e303fa7445ea97b75eef6e6a2a5e95ab388ef0f86391379da4.exe
Size

419KB
MD5

2bb5ad04b72fcaae14ff3f467e2e6396
SHA1

b90b219b3480dd90f6f0ce3ac6bd24245bd5c8d7
SHA256

2d6c318fff9788e303fa7445ea97b75eef6e6a2a5e95ab388ef0f86391379da4
SHA512

c8ff456bf5a63d3720312f39e5c6e8217ec90b7f5167e6e98c46a40169ebf9d964eca14bbb47df28efb2d50322fac140f79f4d62013e8e8de82e13d7236fbfcf
SSDEEP

3072:XtwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOLlqw1aQ2c1HdLmkbbCBwx5:duj8NDF3OR9/Qe2HdklrtDEwx5

Score

9^/10

Malware Config

Signatures

Detects executables packed with ASPack 23 IoCs

resource	yara_rule
behavioral1/files/0x000d0000000122e2-3.dat	INDICATOR_EXE_Packed_ASPack
behavioral1/files/0x0035000000015c29-16.dat	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2624-26-0x0000000000400000-0x0000000000425000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/files/0x0034000000015c31-30.dat	INDICATOR_EXE_Packed_ASPack
behavioral1/files/0x000e0000000122e2-47.dat	INDICATOR_EXE_Packed_ASPack
behavioral1/files/0x000e000000015c54-63.dat	INDICATOR_EXE_Packed_ASPack
behavioral1/files/0x0034000000015c31-86.dat	INDICATOR_EXE_Packed_ASPack
behavioral1/files/0x0036000000015c29-90.dat	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2656-105-0x0000000000400000-0x0000000000425000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/files/0x0035000000015c31-109.dat	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1484-115-0x0000000000400000-0x0000000000425000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/files/0x000f000000015c54-120.dat	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1700-123-0x0000000000400000-0x0000000000425000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/files/0x0037000000015c29-128.dat	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1188-131-0x0000000000400000-0x0000000000425000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/files/0x0036000000015c31-136.dat	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2080-139-0x0000000000400000-0x0000000000425000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/files/0x0010000000015c54-144.dat	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/944-147-0x0000000000400000-0x0000000000425000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/files/0x0038000000015c29-153.dat	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1904-155-0x0000000000400000-0x0000000000425000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/files/0x0037000000015c31-160.dat	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2128-163-0x0000000000400000-0x0000000000425000-memory.dmp	INDICATOR_EXE_Packed_ASPack

Deletes itself 1 IoCs

pid	Process
2624	Casino_ext.exe

Executes dropped EXE 64 IoCs

pid	Process
2892	casino_extensions.exe
2624	Casino_ext.exe
2640	casino_extensions.exe
2796	casino_extensions.exe
2660	Casino_ext.exe
2576	casino_extensions.exe
2760	casino_extensions.exe
2636	Casino_ext.exe
1572	casino_extensions.exe
2664	casino_extensions.exe
2428	casino_extensions.exe
2488	LiveMessageCenter.exe
2932	casino_extensions.exe
3016	casino_extensions.exe
2400	Casino_ext.exe
1932	casino_extensions.exe
576	casino_extensions.exe
2740	Casino_ext.exe
2764	casino_extensions.exe
3012	casino_extensions.exe
2296	casino_extensions.exe
2248	LiveMessageCenter.exe
2256	casino_extensions.exe
1972	casino_extensions.exe
1184	Casino_ext.exe
2032	casino_extensions.exe
1604	casino_extensions.exe
2656	Casino_ext.exe
952	casino_extensions.exe
1820	casino_extensions.exe
1872	Casino_ext.exe
2708	casino_extensions.exe
1020	casino_extensions.exe
1484	Casino_ext.exe
904	casino_extensions.exe
960	casino_extensions.exe
2276	Casino_ext.exe
2716	casino_extensions.exe
1268	casino_extensions.exe
1700	Casino_ext.exe
1208	casino_extensions.exe
1252	casino_extensions.exe
2272	Casino_ext.exe
1204	casino_extensions.exe
1764	casino_extensions.exe
1188	Casino_ext.exe
1192	casino_extensions.exe
1124	casino_extensions.exe
2084	Casino_ext.exe
2268	casino_extensions.exe
2960	casino_extensions.exe
2080	Casino_ext.exe
2972	casino_extensions.exe
2968	casino_extensions.exe
2956	Casino_ext.exe
2372	casino_extensions.exe
1916	casino_extensions.exe
108	Casino_ext.exe
436	casino_extensions.exe
956	casino_extensions.exe
944	Casino_ext.exe
2880	casino_extensions.exe
2828	casino_extensions.exe
2836	Casino_ext.exe

Loads dropped DLL 62 IoCs

pid	Process
2980	casino_extensions.exe
2980	casino_extensions.exe
2640	casino_extensions.exe
2640	casino_extensions.exe
2576	casino_extensions.exe
2576	casino_extensions.exe
1572	casino_extensions.exe
1572	casino_extensions.exe
2428	casino_extensions.exe
2428	casino_extensions.exe
2932	casino_extensions.exe
2932	casino_extensions.exe
1932	casino_extensions.exe
1932	casino_extensions.exe
2764	casino_extensions.exe
2764	casino_extensions.exe
2296	casino_extensions.exe
2296	casino_extensions.exe
2256	casino_extensions.exe
2256	casino_extensions.exe
2032	casino_extensions.exe
2032	casino_extensions.exe
952	casino_extensions.exe
952	casino_extensions.exe
2708	casino_extensions.exe
2708	casino_extensions.exe
904	casino_extensions.exe
904	casino_extensions.exe
2716	casino_extensions.exe
2716	casino_extensions.exe
1208	casino_extensions.exe
1208	casino_extensions.exe
1204	casino_extensions.exe
1204	casino_extensions.exe
1192	casino_extensions.exe
1192	casino_extensions.exe
2268	casino_extensions.exe
2268	casino_extensions.exe
2972	casino_extensions.exe
2972	casino_extensions.exe
2372	casino_extensions.exe
2372	casino_extensions.exe
436	casino_extensions.exe
436	casino_extensions.exe
2880	casino_extensions.exe
2880	casino_extensions.exe
1920	casino_extensions.exe
1920	casino_extensions.exe
1728	casino_extensions.exe
1728	casino_extensions.exe
1300	casino_extensions.exe
1300	casino_extensions.exe
972	casino_extensions.exe
972	casino_extensions.exe
1704	casino_extensions.exe
1704	casino_extensions.exe
1392	casino_extensions.exe
1392	casino_extensions.exe
2136	casino_extensions.exe
2136	casino_extensions.exe
2336	casino_extensions.exe
2336	casino_extensions.exe

Drops file in System32 directory 50 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe

Drops file in Program Files directory 58 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2624	Casino_ext.exe
2660	Casino_ext.exe
2636	Casino_ext.exe
2488	LiveMessageCenter.exe
2400	Casino_ext.exe
2740	Casino_ext.exe
2248	LiveMessageCenter.exe
1184	Casino_ext.exe
2656	Casino_ext.exe
1872	Casino_ext.exe
1484	Casino_ext.exe
2276	Casino_ext.exe
1700	Casino_ext.exe
2272	Casino_ext.exe
1188	Casino_ext.exe
2084	Casino_ext.exe
2080	Casino_ext.exe
2956	Casino_ext.exe
108	Casino_ext.exe
944	Casino_ext.exe
2836	Casino_ext.exe
1552	Casino_ext.exe
1904	Casino_ext.exe
768	Casino_ext.exe
884	Casino_ext.exe
280	Casino_ext.exe
2128	Casino_ext.exe
3000	Casino_ext.exe
2260	LiveMessageCenter.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1600	2d6c318fff9788e303fa7445ea97b75eef6e6a2a5e95ab388ef0f86391379da4.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 2980	1600	2d6c318fff9788e303fa7445ea97b75eef6e6a2a5e95ab388ef0f86391379da4.exe	28
PID 1600 wrote to memory of 2980	1600	2d6c318fff9788e303fa7445ea97b75eef6e6a2a5e95ab388ef0f86391379da4.exe	28
PID 1600 wrote to memory of 2980	1600	2d6c318fff9788e303fa7445ea97b75eef6e6a2a5e95ab388ef0f86391379da4.exe	28
PID 1600 wrote to memory of 2980	1600	2d6c318fff9788e303fa7445ea97b75eef6e6a2a5e95ab388ef0f86391379da4.exe	28
PID 2980 wrote to memory of 2892	2980	casino_extensions.exe	29
PID 2980 wrote to memory of 2892	2980	casino_extensions.exe	29
PID 2980 wrote to memory of 2892	2980	casino_extensions.exe	29
PID 2980 wrote to memory of 2892	2980	casino_extensions.exe	29
PID 2892 wrote to memory of 2624	2892	casino_extensions.exe	30
PID 2892 wrote to memory of 2624	2892	casino_extensions.exe	30
PID 2892 wrote to memory of 2624	2892	casino_extensions.exe	30
PID 2892 wrote to memory of 2624	2892	casino_extensions.exe	30
PID 2624 wrote to memory of 2640	2624	Casino_ext.exe	31
PID 2624 wrote to memory of 2640	2624	Casino_ext.exe	31
PID 2624 wrote to memory of 2640	2624	Casino_ext.exe	31
PID 2624 wrote to memory of 2640	2624	Casino_ext.exe	31
PID 2640 wrote to memory of 2796	2640	casino_extensions.exe	32
PID 2640 wrote to memory of 2796	2640	casino_extensions.exe	32
PID 2640 wrote to memory of 2796	2640	casino_extensions.exe	32
PID 2640 wrote to memory of 2796	2640	casino_extensions.exe	32
PID 2796 wrote to memory of 2660	2796	casino_extensions.exe	33
PID 2796 wrote to memory of 2660	2796	casino_extensions.exe	33
PID 2796 wrote to memory of 2660	2796	casino_extensions.exe	33
PID 2796 wrote to memory of 2660	2796	casino_extensions.exe	33
PID 2660 wrote to memory of 2576	2660	Casino_ext.exe	34
PID 2660 wrote to memory of 2576	2660	Casino_ext.exe	34
PID 2660 wrote to memory of 2576	2660	Casino_ext.exe	34
PID 2660 wrote to memory of 2576	2660	Casino_ext.exe	34
PID 2576 wrote to memory of 2760	2576	casino_extensions.exe	35
PID 2576 wrote to memory of 2760	2576	casino_extensions.exe	35
PID 2576 wrote to memory of 2760	2576	casino_extensions.exe	35
PID 2576 wrote to memory of 2760	2576	casino_extensions.exe	35
PID 2760 wrote to memory of 2636	2760	casino_extensions.exe	36
PID 2760 wrote to memory of 2636	2760	casino_extensions.exe	36
PID 2760 wrote to memory of 2636	2760	casino_extensions.exe	36
PID 2760 wrote to memory of 2636	2760	casino_extensions.exe	36
PID 2636 wrote to memory of 1572	2636	Casino_ext.exe	37
PID 2636 wrote to memory of 1572	2636	Casino_ext.exe	37
PID 2636 wrote to memory of 1572	2636	Casino_ext.exe	37
PID 2636 wrote to memory of 1572	2636	Casino_ext.exe	37
PID 1572 wrote to memory of 2664	1572	casino_extensions.exe	38
PID 1572 wrote to memory of 2664	1572	casino_extensions.exe	38
PID 1572 wrote to memory of 2664	1572	casino_extensions.exe	38
PID 1572 wrote to memory of 2664	1572	casino_extensions.exe	38
PID 2664 wrote to memory of 2428	2664	casino_extensions.exe	39
PID 2664 wrote to memory of 2428	2664	casino_extensions.exe	39
PID 2664 wrote to memory of 2428	2664	casino_extensions.exe	39
PID 2664 wrote to memory of 2428	2664	casino_extensions.exe	39
PID 2428 wrote to memory of 2488	2428	casino_extensions.exe	40
PID 2428 wrote to memory of 2488	2428	casino_extensions.exe	40
PID 2428 wrote to memory of 2488	2428	casino_extensions.exe	40
PID 2428 wrote to memory of 2488	2428	casino_extensions.exe	40
PID 2488 wrote to memory of 2932	2488	LiveMessageCenter.exe	41
PID 2488 wrote to memory of 2932	2488	LiveMessageCenter.exe	41
PID 2488 wrote to memory of 2932	2488	LiveMessageCenter.exe	41
PID 2488 wrote to memory of 2932	2488	LiveMessageCenter.exe	41
PID 2932 wrote to memory of 3016	2932	casino_extensions.exe	42
PID 2932 wrote to memory of 3016	2932	casino_extensions.exe	42
PID 2932 wrote to memory of 3016	2932	casino_extensions.exe	42
PID 2932 wrote to memory of 3016	2932	casino_extensions.exe	42
PID 3016 wrote to memory of 2400	3016	casino_extensions.exe	43
PID 3016 wrote to memory of 2400	3016	casino_extensions.exe	43
PID 3016 wrote to memory of 2400	3016	casino_extensions.exe	43
PID 3016 wrote to memory of 2400	3016	casino_extensions.exe	43

C:\Users\Admin\AppData\Local\Temp\2d6c318fff9788e303fa7445ea97b75eef6e6a2a5e95ab388ef0f86391379da4.exe
"C:\Users\Admin\AppData\Local\Temp\2d6c318fff9788e303fa7445ea97b75eef6e6a2a5e95ab388ef0f86391379da4.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Deletes itself
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2624
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2640
      - C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        10⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        12⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        14⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        16⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        17⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2400
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1932
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        19⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:576
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        20⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2740
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2764
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        22⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:3012
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2296
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe
        24⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2248
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2256
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        26⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1972
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        27⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1184
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2032
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        29⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1604
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        30⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2656
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:952
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        32⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1820
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        33⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1872
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        34⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2708
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        35⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1020
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        36⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1484
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        37⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:904
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        38⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:960
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        39⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2276
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        40⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2716
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        41⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1268
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        42⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1700
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        43⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1208
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        44⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1252
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        45⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2272
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        46⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1204
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        47⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1764
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        48⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1188
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        49⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1192
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        50⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1124
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        51⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2084
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        52⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2268
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        53⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:2960
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        54⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2080
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        55⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2972
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        56⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:2968
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        57⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2956
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        58⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2372
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        59⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1916
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        60⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:108
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        61⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:436
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        62⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:956
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        63⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:944
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        64⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2880
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        65⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:2828
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        66⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2836
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        67⤵
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1920
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        68⤵
        Drops file in Program Files directory
        
        PID:368
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        69⤵
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1552
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        70⤵
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1728
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        71⤵
        Drops file in Program Files directory
        
        PID:2908
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        72⤵
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1904
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        73⤵
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1300
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        74⤵
        Drops file in Program Files directory
        
        PID:1632
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        75⤵
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:768
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        76⤵
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:972
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        77⤵
        Drops file in Program Files directory
        
        PID:808
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        78⤵
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:884
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        79⤵
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1704
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        80⤵
        Drops file in Program Files directory
        
        PID:900
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        81⤵
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:280
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        82⤵
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1392
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        83⤵
        Drops file in Program Files directory
        
        PID:688
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        84⤵
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2128
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        85⤵
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2136
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        86⤵
        Drops file in Program Files directory
        
        PID:1752
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        87⤵
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3000
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        88⤵
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2336
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe
        89⤵
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2260
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        90⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c $$2028~1.BAT
        91⤵
        
        PID:1080

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
C:\Program Files (x86)\Internet Explorer\casino_extensions.exe

Filesize
136KB

MD5
f0c9cc8ff82c484a994ad234962081a3

SHA1
079cb266e16a7c590d3fb3732d4e14d006388611

SHA256
abfeaa32df05bd55ae3903c6ef280b08784bbfa4e0afc25d64115586f674b4db

SHA512
028044877b7070090d04544ca525c21fa24d4f5064340418e30f9311d445035ab331ca5a10d0d659398df63f3b09f76c07200e223d416c9cdd174aebb516f9d9

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
435KB

MD5
ef43c99b9f21e02412286e0e846e1a69

SHA1
5cf6b42a4bd397679309db9123a90d2949c7743c

SHA256
ef68aca57c2d222a40f7dfdc1a64ece30ef2bcfb2459095ac87a4a71297ba2ef

SHA512
3ae56dd8e4f6de8d11a55dcdf7d90c534e9ae9614cecbddfc34005b61c4b9a891d220f38a632916bd46cf5f0497150aeb7ff0ff7cff3449a15c5299ee5af63cf

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
472KB

MD5
cc895616c37678ab406177c3e76d8df5

SHA1
7dc773c21ed11496882af1a040383537b3f8eadf

SHA256
3d4ac7b4c11ae8490c8ae3fd69cb35e4fb98088f02243c734b0975c24569acd4

SHA512
a15891089fd05e5bc537e56325770dc729976025e61144f09aedd2fc944279102dbe3545d107b70d012cf14ce29473d25ff58dfaafa2b1dac1e349e6ab3396ae

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
442KB

MD5
fd3487d18db77a55406bb5ece7737a27

SHA1
c57261e73fc1dc2f3390f2ea575ad01b02e2da3d

SHA256
dc94e90a84e3b7dcad8bc546406a26a8bf4924fcb837c01a28c601ff24164eac

SHA512
772046f368c98efdcf72abfe9125749760fa9ddeec26f1939584c35e2b348e82bac8184f07c09dcfe45e5ca3cc3c7212bf286501543580c352414fc834e1a8c4

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
470KB

MD5
6639ef9108ec93cf0fd0975c009b3868

SHA1
738392119977769f80804611d9f0b636ee319e13

SHA256
d3150636ede5494de3cff183fb0e2133ef331c134827fe3c20228c3cd5543640

SHA512
2af65df2c653bba425e720cf12467694b100236b8303d8ef82ce755410bb68183d11d3a2aab340c02a22eeb4fe4550244e2b86dd47ce68266906927dcf85507f

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
480KB

MD5
a1b58ed742224ef4fd178bf010bf316b

SHA1
bcd4adeef4c219ce7ecbc872bedc73571944b314

SHA256
7765ad24eaf3ad178d557ffe14f2d1c66a0728f107aa330308bff5666a58b2dd

SHA512
0135aeea191d589e1df7cac711f272eb9c886e355c1ed02d0cc5d4ed67bf12e4b65bd64bfdf95cdcb822fe30cfc7c4954ee1de06387a7127d67c47bf111135fc

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
455KB

MD5
3873ca97ea527219057a8b33e28ee6fb

SHA1
8b21c77e2b8033eb07673d2f1e2eaf7d452acb07

SHA256
ffdea62259b77babcc5ffc1d1ec24765be2133e3e3f311d35258e2cee2a0f8a5

SHA512
308e4d7ffc5a93f94c97c4a9690001f281f10f16eb089615b1eac78e628df86b5d0bcadcda464495d0b6a09e27624bf96b8599c52e44e30f5dbdb40a1096984c

Download Submit
\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
443KB

MD5
cfb929846f729671c21b9f6044e99309

SHA1
762b3b168bcc8c66dbe350d15e1133f5fe2039c9

SHA256
1099de01b0d51646516f6d8f81650df1f4c7968b9f523f991a8c490b8208df2d

SHA512
0da86487e1b4364b9744ba542a0a6e464becae4b8eb48483417fdac4d400affd0673d6adb45d90014cd8a606fda277c8ef8a680706b04562c3f299c3f48f61a6

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
429KB

MD5
7867411f553d2b7f4c3f40bd626e6467

SHA1
6f74c5113885226196ba3e89de8328002cc9002f

SHA256
128a994b5e5266788920b368fa7a2053cbc469f5e010d8d193c64d6267203108

SHA512
8846af5b1bc0c7338d4aab19241d23b38ba8d8fbfe0cef6729efaf31035101814f9429fd16927afb5aa577f4affcc4b7fbef65b5be532398b34949e7a603dc8d

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
448KB

MD5
731a8acbfc0119695abfb79d60b74a20

SHA1
672b19a8e7630f8273aba5e36b57a97e97a47f48

SHA256
1962db25d94c661ecf6f599beb424b9aa50db91fe1d2aa774bf94af523fc7f4b

SHA512
3d96683ac321bf4764bd3a4842ff4f8d0645ede4dce57743a3bbaf38be381a4c2faacf473e85624cd15cb1f8713b124222ac09575259c4c7028114d73da303be

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
432KB

MD5
ebab25dd6bf635288afcb03d8c09b516

SHA1
5394e3e879e9e34dfd23ae698a6a2d2eb53950ac

SHA256
d6778c15ec68a121558183360deac9604012387f74e59d29db0e881b277baf68

SHA512
e00de6bb9d80321f0df0a6a7ff2943963acd5842930da052cdedf981546135e88d0d6607205d44c00736bd165b0db3bf2aa10964ddb7d9a9df2f200d80733c2c

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
439KB

MD5
03841bbbd235dce2356c3f6947fbe013

SHA1
f2b3063d8ce4c323ba8a37368eeb261b99e2efeb

SHA256
f856e72024e3210a1ee71359116e0c16fff5c9046c47e355928bad6f6e5b4a28

SHA512
ff90edc0aa99352559224e531369f99f82be1779227f852b32c4d5bce4609c6e1ab7ea2468179c5ae3de1403eebe92ff1e9f1936fb673965fb2e4947e4f9a617

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
452KB

MD5
154a11f61d2ca619a59a1ede9c7b6485

SHA1
ef942c23dc60303bbb84348dd411d4fca6b36ee8

SHA256
640aa93e09b531df8fbf8b2f996dc3b05dee15a3bde78413dc5467bbb7478f15

SHA512
3c221a6ea8a4c3b6143ef0e03997553d5e0121bbb56be8c3dda025dd4e563bf3f00a3daf7bb90334693699b5ecbc8f2a5a711ddec5cd7aff46c806e6ab9b8958

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
433KB

MD5
0cb4a435f150d856a9d90a1e2b82b5f4

SHA1
3a819b7ecd4e88810c32134aa0b3c9efd19f0788

SHA256
95b74c93ab10c0b3a3c328ab7ab6a6dae1f736c70d7334268cc94cb28c32055a

SHA512
8b1c8463be0e1dfb3fe1d145553cf6c0473c399cfaaa27f05c91be6435e1678194e0d9218d011e8050f7b364835012844492567fbad82fa908607ed31dad1c78

Download Submit
memory/944-147-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1188-131-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1484-115-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1700-123-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1904-155-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2080-139-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2128-163-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2624-26-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2656-105-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download