6ed0a42adc4bf773b99fc58923a0b78948e28d458a1925e65b0b72c72a1faedd

General

Target

6ed0a42adc4bf773b99fc58923a0b78948e28d458a1925e65b0b72c72a1faedd.exe
Size

721KB
MD5

148c39f140195b30df2b24bb102fa6a0
SHA1

f617320e294fbb43e7e23683f9e510de3004e0bc
SHA256

6ed0a42adc4bf773b99fc58923a0b78948e28d458a1925e65b0b72c72a1faedd
SHA512

c6cbef8ce0cac0ea7e9f6ff781a9b9ed822c8b27b307ba1d99dcd9529bbad593bb6fbc0cafe7dfdfd6c5e7d2ed679aebf76fe5e3cf4ce4591de6433620472d67
SSDEEP

3072:rtwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOLlqw1aQnj74y0+xkABerFFiWZ:huj8NDF3OR9/Qe2Hdklrn4K3eP7Z

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 27 IoCs

Processes:

casino_extensions.exeCasino_ext.execasino_extensions.exeCasino_ext.execasino_extensions.exeCasino_ext.execasino_extensions.exeCasino_ext.execasino_extensions.exeCasino_ext.execasino_extensions.exeCasino_ext.execasino_extensions.exeCasino_ext.execasino_extensions.exeCasino_ext.execasino_extensions.exeCasino_ext.execasino_extensions.exeCasino_ext.execasino_extensions.exeCasino_ext.execasino_extensions.exeCasino_ext.exeLiveMessageCenter.execasino_extensions.exeCasino_ext.exe

pid	process
408	casino_extensions.exe
2876	Casino_ext.exe
1184	casino_extensions.exe
2128	Casino_ext.exe
4232	casino_extensions.exe
1928	Casino_ext.exe
3772	casino_extensions.exe
2180	Casino_ext.exe
3688	casino_extensions.exe
3496	Casino_ext.exe
3456	casino_extensions.exe
4408	Casino_ext.exe
5012	casino_extensions.exe
5080	Casino_ext.exe
4020	casino_extensions.exe
3664	Casino_ext.exe
4904	casino_extensions.exe
3964	Casino_ext.exe
3288	casino_extensions.exe
1404	Casino_ext.exe
4376	casino_extensions.exe
3180	Casino_ext.exe
4396	casino_extensions.exe
2616	Casino_ext.exe
3024	LiveMessageCenter.exe
4384	casino_extensions.exe
4256	Casino_ext.exe

Drops file in System32 directory 20 IoCs

Processes:

casino_extensions.execasino_extensions.execasino_extensions.execasino_extensions.execasino_extensions.execasino_extensions.execasino_extensions.execasino_extensions.execasino_extensions.execasino_extensions.execasino_extensions.execasino_extensions.execasino_extensions.execasino_extensions.execasino_extensions.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe

Drops file in Program Files directory 28 IoCs

Processes:

Casino_ext.execasino_extensions.exeCasino_ext.exeCasino_ext.exeCasino_ext.execasino_extensions.execasino_extensions.exeCasino_ext.execasino_extensions.execasino_extensions.exeCasino_ext.exeCasino_ext.execasino_extensions.exeCasino_ext.execasino_extensions.execasino_extensions.execasino_extensions.execasino_extensions.exeCasino_ext.exeCasino_ext.exeCasino_ext.exeLiveMessageCenter.execasino_extensions.exeCasino_ext.exeCasino_ext.execasino_extensions.execasino_extensions.execasino_extensions.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

Casino_ext.exeCasino_ext.exeCasino_ext.exeCasino_ext.exeCasino_ext.exeCasino_ext.exeCasino_ext.exeCasino_ext.exeCasino_ext.exeCasino_ext.exeCasino_ext.exeCasino_ext.exeLiveMessageCenter.exeCasino_ext.exe

pid	process
2876	Casino_ext.exe
2876	Casino_ext.exe
2128	Casino_ext.exe
2128	Casino_ext.exe
1928	Casino_ext.exe
1928	Casino_ext.exe
2180	Casino_ext.exe
2180	Casino_ext.exe
3496	Casino_ext.exe
3496	Casino_ext.exe
4408	Casino_ext.exe
4408	Casino_ext.exe
5080	Casino_ext.exe
5080	Casino_ext.exe
3664	Casino_ext.exe
3664	Casino_ext.exe
3964	Casino_ext.exe
3964	Casino_ext.exe
1404	Casino_ext.exe
1404	Casino_ext.exe
3180	Casino_ext.exe
3180	Casino_ext.exe
2616	Casino_ext.exe
2616	Casino_ext.exe
3024	LiveMessageCenter.exe
3024	LiveMessageCenter.exe
4256	Casino_ext.exe
4256	Casino_ext.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

6ed0a42adc4bf773b99fc58923a0b78948e28d458a1925e65b0b72c72a1faedd.exe

pid process

2788 6ed0a42adc4bf773b99fc58923a0b78948e28d458a1925e65b0b72c72a1faedd.exe

pid	process
2788	6ed0a42adc4bf773b99fc58923a0b78948e28d458a1925e65b0b72c72a1faedd.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6ed0a42adc4bf773b99fc58923a0b78948e28d458a1925e65b0b72c72a1faedd.execasino_extensions.execasino_extensions.exeCasino_ext.execasino_extensions.execasino_extensions.exeCasino_ext.execasino_extensions.execasino_extensions.exeCasino_ext.execasino_extensions.execasino_extensions.exeCasino_ext.execasino_extensions.execasino_extensions.exeCasino_ext.execasino_extensions.execasino_extensions.exeCasino_ext.execasino_extensions.execasino_extensions.exeCasino_ext.exe

description	pid	process	target process
PID 2788 wrote to memory of 2096	2788	6ed0a42adc4bf773b99fc58923a0b78948e28d458a1925e65b0b72c72a1faedd.exe	casino_extensions.exe
PID 2788 wrote to memory of 2096	2788	6ed0a42adc4bf773b99fc58923a0b78948e28d458a1925e65b0b72c72a1faedd.exe	casino_extensions.exe
PID 2788 wrote to memory of 2096	2788	6ed0a42adc4bf773b99fc58923a0b78948e28d458a1925e65b0b72c72a1faedd.exe	casino_extensions.exe
PID 2096 wrote to memory of 408	2096	casino_extensions.exe	casino_extensions.exe
PID 2096 wrote to memory of 408	2096	casino_extensions.exe	casino_extensions.exe
PID 2096 wrote to memory of 408	2096	casino_extensions.exe	casino_extensions.exe
PID 408 wrote to memory of 2876	408	casino_extensions.exe	Casino_ext.exe
PID 408 wrote to memory of 2876	408	casino_extensions.exe	Casino_ext.exe
PID 408 wrote to memory of 2876	408	casino_extensions.exe	Casino_ext.exe
PID 2876 wrote to memory of 3592	2876	Casino_ext.exe	casino_extensions.exe
PID 2876 wrote to memory of 3592	2876	Casino_ext.exe	casino_extensions.exe
PID 2876 wrote to memory of 3592	2876	Casino_ext.exe	casino_extensions.exe
PID 3592 wrote to memory of 1184	3592	casino_extensions.exe	casino_extensions.exe
PID 3592 wrote to memory of 1184	3592	casino_extensions.exe	casino_extensions.exe
PID 3592 wrote to memory of 1184	3592	casino_extensions.exe	casino_extensions.exe
PID 1184 wrote to memory of 2128	1184	casino_extensions.exe	Casino_ext.exe
PID 1184 wrote to memory of 2128	1184	casino_extensions.exe	Casino_ext.exe
PID 1184 wrote to memory of 2128	1184	casino_extensions.exe	Casino_ext.exe
PID 2128 wrote to memory of 3032	2128	Casino_ext.exe	casino_extensions.exe
PID 2128 wrote to memory of 3032	2128	Casino_ext.exe	casino_extensions.exe
PID 2128 wrote to memory of 3032	2128	Casino_ext.exe	casino_extensions.exe
PID 3032 wrote to memory of 4232	3032	casino_extensions.exe	casino_extensions.exe
PID 3032 wrote to memory of 4232	3032	casino_extensions.exe	casino_extensions.exe
PID 3032 wrote to memory of 4232	3032	casino_extensions.exe	casino_extensions.exe
PID 4232 wrote to memory of 1928	4232	casino_extensions.exe	Casino_ext.exe
PID 4232 wrote to memory of 1928	4232	casino_extensions.exe	Casino_ext.exe
PID 4232 wrote to memory of 1928	4232	casino_extensions.exe	Casino_ext.exe
PID 1928 wrote to memory of 3552	1928	Casino_ext.exe	casino_extensions.exe
PID 1928 wrote to memory of 3552	1928	Casino_ext.exe	casino_extensions.exe
PID 1928 wrote to memory of 3552	1928	Casino_ext.exe	casino_extensions.exe
PID 3552 wrote to memory of 3772	3552	casino_extensions.exe	casino_extensions.exe
PID 3552 wrote to memory of 3772	3552	casino_extensions.exe	casino_extensions.exe
PID 3552 wrote to memory of 3772	3552	casino_extensions.exe	casino_extensions.exe
PID 3772 wrote to memory of 2180	3772	casino_extensions.exe	Casino_ext.exe
PID 3772 wrote to memory of 2180	3772	casino_extensions.exe	Casino_ext.exe
PID 3772 wrote to memory of 2180	3772	casino_extensions.exe	Casino_ext.exe
PID 2180 wrote to memory of 3864	2180	Casino_ext.exe	casino_extensions.exe
PID 2180 wrote to memory of 3864	2180	Casino_ext.exe	casino_extensions.exe
PID 2180 wrote to memory of 3864	2180	Casino_ext.exe	casino_extensions.exe
PID 3864 wrote to memory of 3688	3864	casino_extensions.exe	casino_extensions.exe
PID 3864 wrote to memory of 3688	3864	casino_extensions.exe	casino_extensions.exe
PID 3864 wrote to memory of 3688	3864	casino_extensions.exe	casino_extensions.exe
PID 3688 wrote to memory of 3496	3688	casino_extensions.exe	Casino_ext.exe
PID 3688 wrote to memory of 3496	3688	casino_extensions.exe	Casino_ext.exe
PID 3688 wrote to memory of 3496	3688	casino_extensions.exe	Casino_ext.exe
PID 3496 wrote to memory of 2144	3496	Casino_ext.exe	casino_extensions.exe
PID 3496 wrote to memory of 2144	3496	Casino_ext.exe	casino_extensions.exe
PID 3496 wrote to memory of 2144	3496	Casino_ext.exe	casino_extensions.exe
PID 2144 wrote to memory of 3456	2144	casino_extensions.exe	casino_extensions.exe
PID 2144 wrote to memory of 3456	2144	casino_extensions.exe	casino_extensions.exe
PID 2144 wrote to memory of 3456	2144	casino_extensions.exe	casino_extensions.exe
PID 3456 wrote to memory of 4408	3456	casino_extensions.exe	Casino_ext.exe
PID 3456 wrote to memory of 4408	3456	casino_extensions.exe	Casino_ext.exe
PID 3456 wrote to memory of 4408	3456	casino_extensions.exe	Casino_ext.exe
PID 4408 wrote to memory of 1548	4408	Casino_ext.exe	casino_extensions.exe
PID 4408 wrote to memory of 1548	4408	Casino_ext.exe	casino_extensions.exe
PID 4408 wrote to memory of 1548	4408	Casino_ext.exe	casino_extensions.exe
PID 1548 wrote to memory of 5012	1548	casino_extensions.exe	casino_extensions.exe
PID 1548 wrote to memory of 5012	1548	casino_extensions.exe	casino_extensions.exe
PID 1548 wrote to memory of 5012	1548	casino_extensions.exe	casino_extensions.exe
PID 5012 wrote to memory of 5080	5012	casino_extensions.exe	Casino_ext.exe
PID 5012 wrote to memory of 5080	5012	casino_extensions.exe	Casino_ext.exe
PID 5012 wrote to memory of 5080	5012	casino_extensions.exe	Casino_ext.exe
PID 5080 wrote to memory of 4844	5080	Casino_ext.exe	casino_extensions.exe

C:\Users\Admin\AppData\Local\Temp\6ed0a42adc4bf773b99fc58923a0b78948e28d458a1925e65b0b72c72a1faedd.exe
"C:\Users\Admin\AppData\Local\Temp\6ed0a42adc4bf773b99fc58923a0b78948e28d458a1925e65b0b72c72a1faedd.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2788

C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
"C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
2⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2096

C:\Windows\SysWOW64\casino_extensions.exe
C:\Windows\system32\casino_extensions.exe
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:408

C:\Windows\SysWOW64\Casino_ext.exe
C:\Windows\SysWOW64\Casino_ext.exe
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2876

C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
"C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
5⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3592

C:\Windows\SysWOW64\casino_extensions.exe
C:\Windows\system32\casino_extensions.exe
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\SysWOW64\Casino_ext.exe
C:\Windows\SysWOW64\Casino_ext.exe
7⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2128

C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
"C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
8⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\SysWOW64\casino_extensions.exe
C:\Windows\system32\casino_extensions.exe
9⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4232

C:\Windows\SysWOW64\Casino_ext.exe
C:\Windows\SysWOW64\Casino_ext.exe
10⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1928

C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
"C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
11⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3552

C:\Windows\SysWOW64\casino_extensions.exe
C:\Windows\system32\casino_extensions.exe
12⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3772

C:\Windows\SysWOW64\Casino_ext.exe
C:\Windows\SysWOW64\Casino_ext.exe
13⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2180

C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
"C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
14⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3864

C:\Windows\SysWOW64\casino_extensions.exe
C:\Windows\system32\casino_extensions.exe
15⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3688

C:\Windows\SysWOW64\Casino_ext.exe
C:\Windows\SysWOW64\Casino_ext.exe
16⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3496

C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
"C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
17⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2144

C:\Windows\SysWOW64\casino_extensions.exe
C:\Windows\system32\casino_extensions.exe
18⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3456

C:\Windows\SysWOW64\Casino_ext.exe
C:\Windows\SysWOW64\Casino_ext.exe
19⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4408

C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
"C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
20⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\SysWOW64\casino_extensions.exe
C:\Windows\system32\casino_extensions.exe
21⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:5012

C:\Windows\SysWOW64\Casino_ext.exe
C:\Windows\SysWOW64\Casino_ext.exe
22⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5080

C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
"C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
23⤵
- Drops file in System32 directory
PID:4844

C:\Windows\SysWOW64\casino_extensions.exe
C:\Windows\system32\casino_extensions.exe
24⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4020

C:\Windows\SysWOW64\Casino_ext.exe
C:\Windows\SysWOW64\Casino_ext.exe
25⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:3664

C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
"C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
26⤵
- Drops file in System32 directory
PID:3352

C:\Windows\SysWOW64\casino_extensions.exe
C:\Windows\system32\casino_extensions.exe
27⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4904

C:\Windows\SysWOW64\Casino_ext.exe
C:\Windows\SysWOW64\Casino_ext.exe
28⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:3964

C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
"C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
29⤵
- Drops file in System32 directory
PID:5084

C:\Windows\SysWOW64\casino_extensions.exe
C:\Windows\system32\casino_extensions.exe
30⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3288

C:\Windows\SysWOW64\Casino_ext.exe
C:\Windows\SysWOW64\Casino_ext.exe
31⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1404

C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
"C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
32⤵
- Drops file in System32 directory
PID:3224

C:\Windows\SysWOW64\casino_extensions.exe
C:\Windows\system32\casino_extensions.exe
33⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4376

C:\Windows\SysWOW64\Casino_ext.exe
C:\Windows\SysWOW64\Casino_ext.exe
34⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:3180

C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
"C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
35⤵
- Drops file in System32 directory
PID:4972

C:\Windows\SysWOW64\casino_extensions.exe
C:\Windows\system32\casino_extensions.exe
36⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4396

C:\Windows\SysWOW64\Casino_ext.exe
C:\Windows\SysWOW64\Casino_ext.exe
37⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2616

C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
"C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
38⤵
- Drops file in System32 directory
PID:4860

C:\Windows\SysWOW64\LiveMessageCenter.exe
C:\Windows\system32\LiveMessageCenter.exe /part2
39⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:3024

C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
"C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
40⤵
- Drops file in System32 directory
PID:4524

C:\Windows\SysWOW64\casino_extensions.exe
C:\Windows\system32\casino_extensions.exe
41⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4384

C:\Windows\SysWOW64\Casino_ext.exe
C:\Windows\SysWOW64\Casino_ext.exe
42⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:4256

C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
"C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
43⤵
- Drops file in System32 directory
- Drops file in Program Files directory
PID:2132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c $$2028~1.BAT
44⤵
PID:516

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat
Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
C:\Windows\SysWOW64\LiveMessageCenter.exe
Filesize
726KB

MD5
2bac9b2c84898c65adae787f43830420

SHA1
105f365156db74220c6392ad079a97b17881849e

SHA256
4f6edd6fd338ec7e1058b7d1b9e18e7dffe056a6a9dc782f4ce2388d13dac124

SHA512
deff3371d137cd9bd153c522174a55c27658db21060b320d95b1442879fe86cdf1a669eaccb79e8d6db372ab5ea8d370528eaec2db9fd96cf7c0b12a30ee6bfc

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe
Filesize
734KB

MD5
6d5fc0bcd2b10ad1f6b3ea0f60b5d38d

SHA1
936c0c2a0a80ac9369806dfa94652b2dd7fcba20

SHA256
2b2f2f2dcc90ff069bdbc1d3bf2e2558fd033667cccc74b5288a4db4a44860b5

SHA512
b8c6b4b683c9ae003fb61f703dc2a72ca5c2dc31ae96b2946135d28d78bcccfd02cc12e0799a70fec85fc95077cdce439e46454758acb266c4db9f3c41d25dbe

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe
Filesize
736KB

MD5
d890d48e2cbe16d56953b86ee8addf69

SHA1
69579ddb1d9a982f05690ddf58d551afb505694f

SHA256
79f8bc206d5afb66d4ab379d697b3d8fa619bd112daa6f413a8397be84c4e595

SHA512
765c42371797e5007c485ea579a86615cb75d16c02ea775b6e086050ee4da7747cf07a2d7db37018ed96a75c5442861de3901fbad9dc258f3ddaceb3193dced9

Download Submit
memory/408-7-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2788-8-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads