Malware Analysis Report

2025-08-05 15:44

Sample ID 240525-bjxmlshe53
Target 99c75afcbdd73e4122db993d12627296841c22757c4b72839d0cb1a9dd94fc97
SHA256 99c75afcbdd73e4122db993d12627296841c22757c4b72839d0cb1a9dd94fc97
Tags
score
10/10

Analysis Overview

score
10/10

SHA256

99c75afcbdd73e4122db993d12627296841c22757c4b72839d0cb1a9dd94fc97

Threat Level: Known bad

The file 99c75afcbdd73e4122db993d12627296841c22757c4b72839d0cb1a9dd94fc97 was found to be: Known bad.

Malicious Activity Summary

Detects executables packed with ASPack

Deletes itself

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-25 01:11

Signatures

Detects executables packed with ASPack

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-25 01:11

Reported

2024-05-25 01:13

Platform

win7-20240221-en

Max time kernel

120s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\99c75afcbdd73e4122db993d12627296841c22757c4b72839d0cb1a9dd94fc97.exe"

Signatures

Detects executables packed with ASPack

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\casino_extensions.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe N/A
File opened for modification C:\Windows\SysWOW64\casino_extensions.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe N/A
File opened for modification C:\Windows\SysWOW64\LiveMessageCenter.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe N/A
File opened for modification C:\Windows\SysWOW64\casino_extensions.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe N/A
File opened for modification C:\Windows\SysWOW64\casino_extensions.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe N/A
File opened for modification C:\Windows\SysWOW64\casino_extensions.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe N/A
File created C:\Windows\SysWOW64\LiveMessageCenter.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe N/A
File opened for modification C:\Windows\SysWOW64\LiveMessageCenter.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe N/A
File opened for modification C:\Windows\SysWOW64\LiveMessageCenter.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe N/A
File created C:\Windows\SysWOW64\casino_extensions.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe N/A
File opened for modification C:\Windows\SysWOW64\casino_extensions.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe N/A
File opened for modification C:\Windows\SysWOW64\casino_extensions.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe N/A
File opened for modification C:\Windows\SysWOW64\casino_extensions.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\LiveMessageCenter.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\LiveMessageCenter.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe N/A
File created C:\Program Files (x86)\Internet Explorer\$$202803s.bat C:\Program Files (x86)\Internet Explorer\casino_extensions.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\99c75afcbdd73e4122db993d12627296841c22757c4b72839d0cb1a9dd94fc97.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2892 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\99c75afcbdd73e4122db993d12627296841c22757c4b72839d0cb1a9dd94fc97.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 2892 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\99c75afcbdd73e4122db993d12627296841c22757c4b72839d0cb1a9dd94fc97.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 2892 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\99c75afcbdd73e4122db993d12627296841c22757c4b72839d0cb1a9dd94fc97.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 2892 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\99c75afcbdd73e4122db993d12627296841c22757c4b72839d0cb1a9dd94fc97.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 1688 wrote to memory of 2900 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe
PID 1688 wrote to memory of 2900 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe
PID 1688 wrote to memory of 2900 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe
PID 1688 wrote to memory of 2900 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe
PID 2900 wrote to memory of 3024 N/A C:\Windows\SysWOW64\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe
PID 2900 wrote to memory of 3024 N/A C:\Windows\SysWOW64\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe
PID 2900 wrote to memory of 3024 N/A C:\Windows\SysWOW64\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe
PID 2900 wrote to memory of 3024 N/A C:\Windows\SysWOW64\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe
PID 3024 wrote to memory of 2492 N/A C:\Windows\SysWOW64\Casino_ext.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 3024 wrote to memory of 2492 N/A C:\Windows\SysWOW64\Casino_ext.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 3024 wrote to memory of 2492 N/A C:\Windows\SysWOW64\Casino_ext.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 3024 wrote to memory of 2492 N/A C:\Windows\SysWOW64\Casino_ext.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 2492 wrote to memory of 2668 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe
PID 2492 wrote to memory of 2668 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe
PID 2492 wrote to memory of 2668 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe
PID 2492 wrote to memory of 2668 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe
PID 2668 wrote to memory of 2796 N/A C:\Windows\SysWOW64\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe
PID 2668 wrote to memory of 2796 N/A C:\Windows\SysWOW64\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe
PID 2668 wrote to memory of 2796 N/A C:\Windows\SysWOW64\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe
PID 2668 wrote to memory of 2796 N/A C:\Windows\SysWOW64\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe
PID 2796 wrote to memory of 2292 N/A C:\Windows\SysWOW64\Casino_ext.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 2796 wrote to memory of 2292 N/A C:\Windows\SysWOW64\Casino_ext.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 2796 wrote to memory of 2292 N/A C:\Windows\SysWOW64\Casino_ext.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 2796 wrote to memory of 2292 N/A C:\Windows\SysWOW64\Casino_ext.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 2292 wrote to memory of 2672 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe
PID 2292 wrote to memory of 2672 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe
PID 2292 wrote to memory of 2672 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe
PID 2292 wrote to memory of 2672 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe
PID 2672 wrote to memory of 2144 N/A C:\Windows\SysWOW64\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe
PID 2672 wrote to memory of 2144 N/A C:\Windows\SysWOW64\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe
PID 2672 wrote to memory of 2144 N/A C:\Windows\SysWOW64\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe
PID 2672 wrote to memory of 2144 N/A C:\Windows\SysWOW64\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe
PID 2144 wrote to memory of 2604 N/A C:\Windows\SysWOW64\Casino_ext.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 2144 wrote to memory of 2604 N/A C:\Windows\SysWOW64\Casino_ext.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 2144 wrote to memory of 2604 N/A C:\Windows\SysWOW64\Casino_ext.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 2144 wrote to memory of 2604 N/A C:\Windows\SysWOW64\Casino_ext.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 2604 wrote to memory of 2716 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\LiveMessageCenter.exe
PID 2604 wrote to memory of 2716 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\LiveMessageCenter.exe
PID 2604 wrote to memory of 2716 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\LiveMessageCenter.exe
PID 2604 wrote to memory of 2716 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\LiveMessageCenter.exe
PID 2716 wrote to memory of 2628 N/A C:\Windows\SysWOW64\LiveMessageCenter.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 2716 wrote to memory of 2628 N/A C:\Windows\SysWOW64\LiveMessageCenter.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 2716 wrote to memory of 2628 N/A C:\Windows\SysWOW64\LiveMessageCenter.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 2716 wrote to memory of 2628 N/A C:\Windows\SysWOW64\LiveMessageCenter.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 2628 wrote to memory of 2532 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe
PID 2628 wrote to memory of 2532 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe
PID 2628 wrote to memory of 2532 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe
PID 2628 wrote to memory of 2532 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe
PID 2532 wrote to memory of 2660 N/A C:\Windows\SysWOW64\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe
PID 2532 wrote to memory of 2660 N/A C:\Windows\SysWOW64\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe
PID 2532 wrote to memory of 2660 N/A C:\Windows\SysWOW64\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe
PID 2532 wrote to memory of 2660 N/A C:\Windows\SysWOW64\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe
PID 2660 wrote to memory of 2360 N/A C:\Windows\SysWOW64\Casino_ext.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 2660 wrote to memory of 2360 N/A C:\Windows\SysWOW64\Casino_ext.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 2660 wrote to memory of 2360 N/A C:\Windows\SysWOW64\Casino_ext.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 2660 wrote to memory of 2360 N/A C:\Windows\SysWOW64\Casino_ext.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 2360 wrote to memory of 2384 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\LiveMessageCenter.exe
PID 2360 wrote to memory of 2384 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\LiveMessageCenter.exe
PID 2360 wrote to memory of 2384 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\LiveMessageCenter.exe
PID 2360 wrote to memory of 2384 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\LiveMessageCenter.exe

Processes

C:\Users\Admin\AppData\Local\Temp\99c75afcbdd73e4122db993d12627296841c22757c4b72839d0cb1a9dd94fc97.exe

"C:\Users\Admin\AppData\Local\Temp\99c75afcbdd73e4122db993d12627296841c22757c4b72839d0cb1a9dd94fc97.exe"

C:\Program Files (x86)\Internet Explorer\casino_extensions.exe

"C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"

C:\Windows\SysWOW64\casino_extensions.exe

C:\Windows\system32\casino_extensions.exe

C:\Windows\SysWOW64\Casino_ext.exe

C:\Windows\SysWOW64\Casino_ext.exe

C:\Program Files (x86)\Internet Explorer\casino_extensions.exe

"C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"

C:\Windows\SysWOW64\casino_extensions.exe

C:\Windows\system32\casino_extensions.exe

C:\Windows\SysWOW64\Casino_ext.exe

C:\Windows\SysWOW64\Casino_ext.exe

C:\Program Files (x86)\Internet Explorer\casino_extensions.exe

"C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"

C:\Windows\SysWOW64\casino_extensions.exe

C:\Windows\system32\casino_extensions.exe

C:\Windows\SysWOW64\Casino_ext.exe

C:\Windows\SysWOW64\Casino_ext.exe

C:\Program Files (x86)\Internet Explorer\casino_extensions.exe

"C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"

C:\Windows\SysWOW64\LiveMessageCenter.exe

C:\Windows\system32\LiveMessageCenter.exe /part2

C:\Program Files (x86)\Internet Explorer\casino_extensions.exe

"C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"

C:\Windows\SysWOW64\casino_extensions.exe

C:\Windows\system32\casino_extensions.exe

C:\Windows\SysWOW64\Casino_ext.exe

C:\Windows\SysWOW64\Casino_ext.exe

C:\Program Files (x86)\Internet Explorer\casino_extensions.exe

"C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"

C:\Windows\SysWOW64\LiveMessageCenter.exe

C:\Windows\system32\LiveMessageCenter.exe

C:\Program Files (x86)\Internet Explorer\casino_extensions.exe

"C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c $$2028~1.BAT

Network

N/A

Files

\Windows\SysWOW64\casino_extensions.exe

MD5 355a0fda6d3b0d4f2ff5a6130137fda5
SHA1 be99e7b951e899923eca9057e96f7a6cdad7ad9a
SHA256 f1b7fd371ddf4e1931f7cd96efc976dbe20649f1767fe5f0d83dacddac901a52
SHA512 98f905cf419e90f6059170fd199b45e9816bb6e289867579ee31df3b13a57c222ffece476c536e7ae4f697dbe5260562e7da5c50f0f6b53f158ec6dc1386ce31

memory/2892-13-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2900-12-0x0000000000400000-0x0000000000424000-memory.dmp

\Windows\SysWOW64\casino_extensions.exe

MD5 d4bbeb11bcbadc0d8a6f12bc5cf4ccec
SHA1 cf0aca091ba6c17c9268c518d80a719a2738c109
SHA256 d3774a8145d3083d24b9fd2cacfb6c1961deadad2b6b81c87762ce7cb722ae11
SHA512 2a25f4d8474841638783837c45105fcf3eb9aa69889058048db4a479e6e9772b5a05d97505e9a7317f092206ba99e2aecef7d881a9df8e4bd2111e852f7b2e4d

\Windows\SysWOW64\LiveMessageCenter.exe

MD5 4f8d1b18208210b4376b5907120d2ca3
SHA1 6dc886b17f0ae2499e317857dfcd70184d85f6da
SHA256 3ee4d7ca464069120e125febe12e3b55eb6f8785ab5912f1b9b34305eedec183
SHA512 edc87c629966072675f3d35455c14834a52406b8a1b3657ed3b9ffc478ae1c9459765161a4a84380a1e281368151b6f9e720f3676c94e1fb5af6b7106135f1ed

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

MD5 4777bf695815d870d27ed4a38a8f0840
SHA1 565412b5182bca7a221448dba78369c42d1c4a0c
SHA256 c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d
SHA512 87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-25 01:11

Reported

2024-05-25 01:13

Platform

win10v2004-20240508-en

Max time kernel

132s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\99c75afcbdd73e4122db993d12627296841c22757c4b72839d0cb1a9dd94fc97.exe"

Signatures

Detects executables packed with ASPack

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\casino_extensions.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe N/A
File opened for modification C:\Windows\SysWOW64\casino_extensions.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe N/A
File opened for modification C:\Windows\SysWOW64\casino_extensions.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe N/A
File opened for modification C:\Windows\SysWOW64\LiveMessageCenter.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe N/A
File opened for modification C:\Windows\SysWOW64\casino_extensions.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe N/A
File opened for modification C:\Windows\SysWOW64\casino_extensions.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe N/A
File created C:\Windows\SysWOW64\LiveMessageCenter.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe N/A
File opened for modification C:\Windows\SysWOW64\casino_extensions.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe N/A
File opened for modification C:\Windows\SysWOW64\casino_extensions.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe N/A
File opened for modification C:\Windows\SysWOW64\casino_extensions.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe N/A
File opened for modification C:\Windows\SysWOW64\LiveMessageCenter.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe N/A
File opened for modification C:\Windows\SysWOW64\casino_extensions.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe N/A
File created C:\Windows\SysWOW64\casino_extensions.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe N/A
File opened for modification C:\Windows\SysWOW64\LiveMessageCenter.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe N/A
File opened for modification C:\Windows\SysWOW64\casino_extensions.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe N/A
File created C:\Windows\SysWOW64\casino_extensions.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe N/A
File created C:\Program Files (x86)\Internet Explorer\$$202803s.bat C:\Program Files (x86)\Internet Explorer\casino_extensions.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\LiveMessageCenter.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\LiveMessageCenter.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\99c75afcbdd73e4122db993d12627296841c22757c4b72839d0cb1a9dd94fc97.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3856 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\99c75afcbdd73e4122db993d12627296841c22757c4b72839d0cb1a9dd94fc97.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 3856 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\99c75afcbdd73e4122db993d12627296841c22757c4b72839d0cb1a9dd94fc97.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 3856 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\99c75afcbdd73e4122db993d12627296841c22757c4b72839d0cb1a9dd94fc97.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 2204 wrote to memory of 4864 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe
PID 2204 wrote to memory of 4864 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe
PID 2204 wrote to memory of 4864 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe
PID 4864 wrote to memory of 336 N/A C:\Windows\SysWOW64\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe
PID 4864 wrote to memory of 336 N/A C:\Windows\SysWOW64\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe
PID 4864 wrote to memory of 336 N/A C:\Windows\SysWOW64\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe
PID 336 wrote to memory of 3376 N/A C:\Windows\SysWOW64\Casino_ext.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 336 wrote to memory of 3376 N/A C:\Windows\SysWOW64\Casino_ext.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 336 wrote to memory of 3376 N/A C:\Windows\SysWOW64\Casino_ext.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 3376 wrote to memory of 3940 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe
PID 3376 wrote to memory of 3940 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe
PID 3376 wrote to memory of 3940 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe
PID 3940 wrote to memory of 3140 N/A C:\Windows\SysWOW64\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe
PID 3940 wrote to memory of 3140 N/A C:\Windows\SysWOW64\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe
PID 3940 wrote to memory of 3140 N/A C:\Windows\SysWOW64\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe
PID 3140 wrote to memory of 4320 N/A C:\Windows\SysWOW64\Casino_ext.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 3140 wrote to memory of 4320 N/A C:\Windows\SysWOW64\Casino_ext.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 3140 wrote to memory of 4320 N/A C:\Windows\SysWOW64\Casino_ext.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 4320 wrote to memory of 4108 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe
PID 4320 wrote to memory of 4108 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe
PID 4320 wrote to memory of 4108 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe
PID 4108 wrote to memory of 4136 N/A C:\Windows\SysWOW64\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe
PID 4108 wrote to memory of 4136 N/A C:\Windows\SysWOW64\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe
PID 4108 wrote to memory of 4136 N/A C:\Windows\SysWOW64\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe
PID 4136 wrote to memory of 1280 N/A C:\Windows\SysWOW64\Casino_ext.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 4136 wrote to memory of 1280 N/A C:\Windows\SysWOW64\Casino_ext.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 4136 wrote to memory of 1280 N/A C:\Windows\SysWOW64\Casino_ext.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 1280 wrote to memory of 3936 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\LiveMessageCenter.exe
PID 1280 wrote to memory of 3936 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\LiveMessageCenter.exe
PID 1280 wrote to memory of 3936 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\LiveMessageCenter.exe
PID 3936 wrote to memory of 4980 N/A C:\Windows\SysWOW64\LiveMessageCenter.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 3936 wrote to memory of 4980 N/A C:\Windows\SysWOW64\LiveMessageCenter.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 3936 wrote to memory of 4980 N/A C:\Windows\SysWOW64\LiveMessageCenter.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 4980 wrote to memory of 1740 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe
PID 4980 wrote to memory of 1740 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe
PID 4980 wrote to memory of 1740 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe
PID 1740 wrote to memory of 8 N/A C:\Windows\SysWOW64\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe
PID 1740 wrote to memory of 8 N/A C:\Windows\SysWOW64\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe
PID 1740 wrote to memory of 8 N/A C:\Windows\SysWOW64\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe
PID 8 wrote to memory of 5016 N/A C:\Windows\SysWOW64\Casino_ext.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 8 wrote to memory of 5016 N/A C:\Windows\SysWOW64\Casino_ext.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 8 wrote to memory of 5016 N/A C:\Windows\SysWOW64\Casino_ext.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 5016 wrote to memory of 3668 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe
PID 5016 wrote to memory of 3668 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe
PID 5016 wrote to memory of 3668 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe
PID 3668 wrote to memory of 4648 N/A C:\Windows\SysWOW64\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe
PID 3668 wrote to memory of 4648 N/A C:\Windows\SysWOW64\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe
PID 3668 wrote to memory of 4648 N/A C:\Windows\SysWOW64\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe
PID 4648 wrote to memory of 2424 N/A C:\Windows\SysWOW64\Casino_ext.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 4648 wrote to memory of 2424 N/A C:\Windows\SysWOW64\Casino_ext.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 4648 wrote to memory of 2424 N/A C:\Windows\SysWOW64\Casino_ext.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 2424 wrote to memory of 2960 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe
PID 2424 wrote to memory of 2960 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe
PID 2424 wrote to memory of 2960 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe
PID 2960 wrote to memory of 3204 N/A C:\Windows\SysWOW64\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe
PID 2960 wrote to memory of 3204 N/A C:\Windows\SysWOW64\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe
PID 2960 wrote to memory of 3204 N/A C:\Windows\SysWOW64\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe
PID 3204 wrote to memory of 2224 N/A C:\Windows\SysWOW64\Casino_ext.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 3204 wrote to memory of 2224 N/A C:\Windows\SysWOW64\Casino_ext.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 3204 wrote to memory of 2224 N/A C:\Windows\SysWOW64\Casino_ext.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 2224 wrote to memory of 4536 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\LiveMessageCenter.exe

Processes

C:\Users\Admin\AppData\Local\Temp\99c75afcbdd73e4122db993d12627296841c22757c4b72839d0cb1a9dd94fc97.exe

"C:\Users\Admin\AppData\Local\Temp\99c75afcbdd73e4122db993d12627296841c22757c4b72839d0cb1a9dd94fc97.exe"

C:\Program Files (x86)\Internet Explorer\casino_extensions.exe

"C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"

C:\Windows\SysWOW64\casino_extensions.exe

C:\Windows\system32\casino_extensions.exe

C:\Windows\SysWOW64\Casino_ext.exe

C:\Windows\SysWOW64\Casino_ext.exe

C:\Program Files (x86)\Internet Explorer\casino_extensions.exe

"C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"

C:\Windows\SysWOW64\casino_extensions.exe

C:\Windows\system32\casino_extensions.exe

C:\Windows\SysWOW64\Casino_ext.exe

C:\Windows\SysWOW64\Casino_ext.exe

C:\Program Files (x86)\Internet Explorer\casino_extensions.exe

"C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"

C:\Windows\SysWOW64\casino_extensions.exe

C:\Windows\system32\casino_extensions.exe

C:\Windows\SysWOW64\Casino_ext.exe

C:\Windows\SysWOW64\Casino_ext.exe

C:\Program Files (x86)\Internet Explorer\casino_extensions.exe

"C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"

C:\Windows\SysWOW64\LiveMessageCenter.exe

C:\Windows\system32\LiveMessageCenter.exe /part2

C:\Program Files (x86)\Internet Explorer\casino_extensions.exe

"C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"

C:\Windows\SysWOW64\casino_extensions.exe

C:\Windows\system32\casino_extensions.exe

C:\Windows\SysWOW64\Casino_ext.exe

C:\Windows\SysWOW64\Casino_ext.exe

C:\Program Files (x86)\Internet Explorer\casino_extensions.exe

"C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"

C:\Windows\SysWOW64\casino_extensions.exe

C:\Windows\system32\casino_extensions.exe

C:\Windows\SysWOW64\Casino_ext.exe

C:\Windows\SysWOW64\Casino_ext.exe

C:\Program Files (x86)\Internet Explorer\casino_extensions.exe

"C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"

C:\Windows\SysWOW64\casino_extensions.exe

C:\Windows\system32\casino_extensions.exe

C:\Windows\SysWOW64\Casino_ext.exe

C:\Windows\SysWOW64\Casino_ext.exe

C:\Program Files (x86)\Internet Explorer\casino_extensions.exe

"C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"

C:\Windows\SysWOW64\LiveMessageCenter.exe

C:\Windows\system32\LiveMessageCenter.exe

C:\Program Files (x86)\Internet Explorer\casino_extensions.exe

"C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"

C:\Windows\SysWOW64\casino_extensions.exe

C:\Windows\system32\casino_extensions.exe

C:\Windows\SysWOW64\Casino_ext.exe

C:\Windows\SysWOW64\Casino_ext.exe

C:\Program Files (x86)\Internet Explorer\casino_extensions.exe

"C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c $$2028~1.BAT

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1324,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=4320 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

C:\Windows\SysWOW64\casino_extensions.exe

MD5 c3f9cc3c9af091cafdf184e5b8d694b1
SHA1 8b765d50a84df21ddb2d95cbcc1ff0855a541b74
SHA256 253c992130ec2192edf3450625c76e1615c8eeb674000bfa3010e3ec2cf95c37
SHA512 3e6e08fa1c12721cf699f4f057295fac7f496f0b66f5fa7136172ba1b882fbab84e81e614523f0b5710cc038c1b4b323d47db44e24e12826e40ca047638a87e9

memory/3856-7-0x0000000000400000-0x0000000000424000-memory.dmp

C:\Windows\SysWOW64\casino_extensions.exe

MD5 8d5a423d7d94652e41ac8320c58f8c06
SHA1 77e48518c9f079c4f0eaa11bb22fcd5a41814ece
SHA256 e3c420edf1fd0490aedbdd489629e90abe6b22d38d37208eaf28c46f27fb27a2
SHA512 57c868026482b99a5bb77a073bf58527257768684b1cf1747eda26557877c19eb84a70b2c46a667b79d0697a8670f0b77ac83a0f7d6fd35defbc0dbc9e951419

memory/4864-12-0x0000000000400000-0x0000000000424000-memory.dmp

C:\Windows\SysWOW64\LiveMessageCenter.exe

MD5 9a2071081a24fccc61d2215871a2cef1
SHA1 dcc58404d45424f9ea92e2730ea86d47272c65c1
SHA256 d1cad23f35332b85f55b2093160dcc4f5090fac3c35f9cd7110973d7d0dba24b
SHA512 4a9ea0e42dba7ec3b2ddd6a916f732be334af0a498330151a9e1a38f43e59c687f4866d342f96893d628f6838a2d164df93f3670d306cba22d361f3a04548117

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

MD5 4777bf695815d870d27ed4a38a8f0840
SHA1 565412b5182bca7a221448dba78369c42d1c4a0c
SHA256 c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d
SHA512 87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d