9d2163099951fd1cb893bdb9dd3e293e51a7c9ebcdf5ecc9be9a6deb83c5f7a5

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 00:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9d2163099951fd1cb893bdb9dd3e293e51a7c9ebcdf5ecc9be9a6deb83c5f7a5.exe
Size

541KB
MD5

4921630dbdebbe5b48534878144b8746
SHA1

ec59357487505ff4138fdb5c9f781b8f371fae18
SHA256

9d2163099951fd1cb893bdb9dd3e293e51a7c9ebcdf5ecc9be9a6deb83c5f7a5
SHA512

38ed8f1f65e1ceda7bac759ed2f6fe406c0e2d87487633741a92fc16647cb495fa3588e10efbee5040ad3e48fe0e374399630d581b9349fd4a40993684adc327
SSDEEP

3072:TtwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOLlqw1aQnjQ1F4AE4//XVfn/:5uj8NDF3OR9/Qe2Hdklrnsl

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 34 IoCs

pid	Process
1484	casino_extensions.exe
3672	Casino_ext.exe
1548	casino_extensions.exe
2284	Casino_ext.exe
4640	casino_extensions.exe
4736	Casino_ext.exe
1212	casino_extensions.exe
552	Casino_ext.exe
2196	casino_extensions.exe
2056	Casino_ext.exe
3944	casino_extensions.exe
652	Casino_ext.exe
2040	casino_extensions.exe
2408	Casino_ext.exe
5108	casino_extensions.exe
4140	Casino_ext.exe
496	casino_extensions.exe
3560	Casino_ext.exe
1652	LiveMessageCenter.exe
3400	casino_extensions.exe
4988	Casino_ext.exe
4820	casino_extensions.exe
4396	Casino_ext.exe
4568	casino_extensions.exe
216	Casino_ext.exe
1452	casino_extensions.exe
3844	Casino_ext.exe
4740	casino_extensions.exe
2836	Casino_ext.exe
2480	casino_extensions.exe
1944	Casino_ext.exe
1728	LiveMessageCenter.exe
3088	casino_extensions.exe
2096	Casino_ext.exe

Drops file in System32 directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe

Drops file in Program Files directory 35 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
3672	Casino_ext.exe
3672	Casino_ext.exe
2284	Casino_ext.exe
2284	Casino_ext.exe
4736	Casino_ext.exe
4736	Casino_ext.exe
552	Casino_ext.exe
552	Casino_ext.exe
2056	Casino_ext.exe
2056	Casino_ext.exe
652	Casino_ext.exe
652	Casino_ext.exe
2408	Casino_ext.exe
2408	Casino_ext.exe
4140	Casino_ext.exe
4140	Casino_ext.exe
3560	Casino_ext.exe
3560	Casino_ext.exe
1652	LiveMessageCenter.exe
1652	LiveMessageCenter.exe
4988	Casino_ext.exe
4988	Casino_ext.exe
4396	Casino_ext.exe
4396	Casino_ext.exe
216	Casino_ext.exe
216	Casino_ext.exe
3844	Casino_ext.exe
3844	Casino_ext.exe
2836	Casino_ext.exe
2836	Casino_ext.exe
1944	Casino_ext.exe
1944	Casino_ext.exe
1728	LiveMessageCenter.exe
1728	LiveMessageCenter.exe
2096	Casino_ext.exe
2096	Casino_ext.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
844	9d2163099951fd1cb893bdb9dd3e293e51a7c9ebcdf5ecc9be9a6deb83c5f7a5.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 844 wrote to memory of 2412	844	9d2163099951fd1cb893bdb9dd3e293e51a7c9ebcdf5ecc9be9a6deb83c5f7a5.exe	82
PID 844 wrote to memory of 2412	844	9d2163099951fd1cb893bdb9dd3e293e51a7c9ebcdf5ecc9be9a6deb83c5f7a5.exe	82
PID 844 wrote to memory of 2412	844	9d2163099951fd1cb893bdb9dd3e293e51a7c9ebcdf5ecc9be9a6deb83c5f7a5.exe	82
PID 2412 wrote to memory of 1484	2412	casino_extensions.exe	83
PID 2412 wrote to memory of 1484	2412	casino_extensions.exe	83
PID 2412 wrote to memory of 1484	2412	casino_extensions.exe	83
PID 1484 wrote to memory of 3672	1484	casino_extensions.exe	84
PID 1484 wrote to memory of 3672	1484	casino_extensions.exe	84
PID 1484 wrote to memory of 3672	1484	casino_extensions.exe	84
PID 3672 wrote to memory of 1140	3672	Casino_ext.exe	85
PID 3672 wrote to memory of 1140	3672	Casino_ext.exe	85
PID 3672 wrote to memory of 1140	3672	Casino_ext.exe	85
PID 1140 wrote to memory of 1548	1140	casino_extensions.exe	86
PID 1140 wrote to memory of 1548	1140	casino_extensions.exe	86
PID 1140 wrote to memory of 1548	1140	casino_extensions.exe	86
PID 1548 wrote to memory of 2284	1548	casino_extensions.exe	87
PID 1548 wrote to memory of 2284	1548	casino_extensions.exe	87
PID 1548 wrote to memory of 2284	1548	casino_extensions.exe	87
PID 2284 wrote to memory of 2644	2284	Casino_ext.exe	88
PID 2284 wrote to memory of 2644	2284	Casino_ext.exe	88
PID 2284 wrote to memory of 2644	2284	Casino_ext.exe	88
PID 2644 wrote to memory of 4640	2644	casino_extensions.exe	89
PID 2644 wrote to memory of 4640	2644	casino_extensions.exe	89
PID 2644 wrote to memory of 4640	2644	casino_extensions.exe	89
PID 4640 wrote to memory of 4736	4640	casino_extensions.exe	90
PID 4640 wrote to memory of 4736	4640	casino_extensions.exe	90
PID 4640 wrote to memory of 4736	4640	casino_extensions.exe	90
PID 4736 wrote to memory of 1384	4736	Casino_ext.exe	91
PID 4736 wrote to memory of 1384	4736	Casino_ext.exe	91
PID 4736 wrote to memory of 1384	4736	Casino_ext.exe	91
PID 1384 wrote to memory of 1212	1384	casino_extensions.exe	92
PID 1384 wrote to memory of 1212	1384	casino_extensions.exe	92
PID 1384 wrote to memory of 1212	1384	casino_extensions.exe	92
PID 1212 wrote to memory of 552	1212	casino_extensions.exe	93
PID 1212 wrote to memory of 552	1212	casino_extensions.exe	93
PID 1212 wrote to memory of 552	1212	casino_extensions.exe	93
PID 552 wrote to memory of 4980	552	Casino_ext.exe	94
PID 552 wrote to memory of 4980	552	Casino_ext.exe	94
PID 552 wrote to memory of 4980	552	Casino_ext.exe	94
PID 4980 wrote to memory of 2196	4980	casino_extensions.exe	95
PID 4980 wrote to memory of 2196	4980	casino_extensions.exe	95
PID 4980 wrote to memory of 2196	4980	casino_extensions.exe	95
PID 2196 wrote to memory of 2056	2196	casino_extensions.exe	96
PID 2196 wrote to memory of 2056	2196	casino_extensions.exe	96
PID 2196 wrote to memory of 2056	2196	casino_extensions.exe	96
PID 2056 wrote to memory of 868	2056	Casino_ext.exe	97
PID 2056 wrote to memory of 868	2056	Casino_ext.exe	97
PID 2056 wrote to memory of 868	2056	Casino_ext.exe	97
PID 868 wrote to memory of 3944	868	casino_extensions.exe	98
PID 868 wrote to memory of 3944	868	casino_extensions.exe	98
PID 868 wrote to memory of 3944	868	casino_extensions.exe	98
PID 3944 wrote to memory of 652	3944	casino_extensions.exe	99
PID 3944 wrote to memory of 652	3944	casino_extensions.exe	99
PID 3944 wrote to memory of 652	3944	casino_extensions.exe	99
PID 652 wrote to memory of 3748	652	Casino_ext.exe	101
PID 652 wrote to memory of 3748	652	Casino_ext.exe	101
PID 652 wrote to memory of 3748	652	Casino_ext.exe	101
PID 3748 wrote to memory of 2040	3748	casino_extensions.exe	102
PID 3748 wrote to memory of 2040	3748	casino_extensions.exe	102
PID 3748 wrote to memory of 2040	3748	casino_extensions.exe	102
PID 2040 wrote to memory of 2408	2040	casino_extensions.exe	103
PID 2040 wrote to memory of 2408	2040	casino_extensions.exe	103
PID 2040 wrote to memory of 2408	2040	casino_extensions.exe	103
PID 2408 wrote to memory of 2200	2408	Casino_ext.exe	104

C:\Users\Admin\AppData\Local\Temp\9d2163099951fd1cb893bdb9dd3e293e51a7c9ebcdf5ecc9be9a6deb83c5f7a5.exe
"C:\Users\Admin\AppData\Local\Temp\9d2163099951fd1cb893bdb9dd3e293e51a7c9ebcdf5ecc9be9a6deb83c5f7a5.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:844
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1484
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3672
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1140
      - C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        8⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        10⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        11⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        12⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        13⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        14⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        15⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        16⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        17⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        18⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        19⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:652
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        20⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3748
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        21⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        22⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        23⤵
        Drops file in System32 directory
        
        PID:2200
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        24⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:5108
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        25⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4140
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        26⤵
        Drops file in System32 directory
        
        PID:4176
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        27⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:496
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        28⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3560
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        29⤵
        Drops file in System32 directory
        
        PID:3556
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        30⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1652
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        31⤵
        Drops file in System32 directory
        
        PID:2020
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        32⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:3400
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        33⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4988
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        34⤵
        Drops file in System32 directory
        
        PID:1680
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        35⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:4820
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        36⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4396
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        37⤵
        Drops file in System32 directory
        
        PID:1736
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        38⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:4568
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        39⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:216
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        40⤵
        Drops file in System32 directory
        
        PID:848
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        41⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1452
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        42⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3844
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        43⤵
        Drops file in System32 directory
        
        PID:3464
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        44⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:4740
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        45⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2836
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        46⤵
        Drops file in System32 directory
        
        PID:1340
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        47⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:2480
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        48⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1944
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        49⤵
        Drops file in System32 directory
        
        PID:544
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe
        50⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1728
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        51⤵
        Drops file in System32 directory
        
        PID:4260
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        52⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:3088
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        53⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2096
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        54⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c $$2028~1.BAT
        55⤵
        
        PID:4692

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
C:\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
544KB

MD5
7e572be2b8f72553203750f455047fc0

SHA1
077d9a795a208e226e86fb644a59d9478f7ac876

SHA256
1e0a0a70176b23d57ae08bb1e9e7dd8a8a1f0922814874a3f201369fa25d6a50

SHA512
fceda3c80363b0a5384cf04497db86a7d71dadd99af20b6f91c491ce4074dfdcc1551a577797f328b0fa99a35db3ecab4efb137ebf99753a162aeb11d0c8cdb9

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
549KB

MD5
f657c7a7e915c1e409beb53e101b2bc4

SHA1
418d3baefb184970bb5f09113f553a802b63e253

SHA256
5436ae5c2141c6d798971da39f938a14b47a78e218c977bf28497c241834ce44

SHA512
9492e8ca777c423bf31f556d8b2f187bfc8cdb321629636954571c74e31d7aac0dee83aea84d746edbf853f7dbfd944181c1e20eb3b73a2f0840822a185a898c

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
549KB

MD5
90b0d6b6b831bfcf2fd630d1c81f64b1

SHA1
b424a3de2b85ac2fa2adcf1b8469d34598e81f7e

SHA256
6522d4dff5a9dd76fe4ec402c79045a84928517087a26a37e126930cfe39638c

SHA512
f71f435cec8169e3a9a40fa48b76ac5f46ff886b9d3176159a94b7603dcedb2306d3630c05369142473184b49520ffeb3ea03dfce63f636ffc1ff6ecb88a3244

Download Submit
memory/844-8-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1484-7-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download