5543d593c77de530e29fe0ec48a0ac4a4f797186165928b8ac50fb971f66d878

Analysis

max time kernel
104s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c44ecfa7bf8a1be3eb806dc600db3c50N.exe
Size

709KB
MD5

c44ecfa7bf8a1be3eb806dc600db3c50
SHA1

a0985c9831880de3b97cb972b2eca1844973412c
SHA256

5543d593c77de530e29fe0ec48a0ac4a4f797186165928b8ac50fb971f66d878
SHA512

a68f01887540c771ff87c2605223c8fcf59668d3ee590f21715c5a90a060432f6bd3a38021a5e05b6190a3098ad8515ecd3ac123f5730d949d9068e1d98003aa
SSDEEP

3072:rntwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOylqwMykw+imi5weJn4T+B8bw:rNuj8NDF3OR9/Qe2HdJ8pSLF

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 21 IoCs

pid	Process
5012	casino_extensions.exe
8	Casino_ext.exe
3916	casino_extensions.exe
4780	Casino_ext.exe
4588	casino_extensions.exe
1636	Casino_ext.exe
1048	casino_extensions.exe
2964	Casino_ext.exe
3816	casino_extensions.exe
1532	Casino_ext.exe
916	casino_extensions.exe
628	Casino_ext.exe
4060	casino_extensions.exe
3596	Casino_ext.exe
4348	casino_extensions.exe
4292	Casino_ext.exe
2792	casino_extensions.exe
1960	Casino_ext.exe
1524	LiveMessageCenter.exe
5096	casino_extensions.exe
5048	Casino_ext.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe

Drops file in Program Files directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe

System Location Discovery: System Language Discovery 1 TTPs 35 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Casino_ext.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Casino_ext.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Casino_ext.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c44ecfa7bf8a1be3eb806dc600db3c50N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LiveMessageCenter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Casino_ext.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Casino_ext.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Casino_ext.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Casino_ext.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Casino_ext.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Casino_ext.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Casino_ext.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
8	Casino_ext.exe
8	Casino_ext.exe
4780	Casino_ext.exe
4780	Casino_ext.exe
1636	Casino_ext.exe
1636	Casino_ext.exe
2964	Casino_ext.exe
2964	Casino_ext.exe
1532	Casino_ext.exe
1532	Casino_ext.exe
628	Casino_ext.exe
628	Casino_ext.exe
3596	Casino_ext.exe
3596	Casino_ext.exe
4292	Casino_ext.exe
4292	Casino_ext.exe
1960	Casino_ext.exe
1960	Casino_ext.exe
1524	LiveMessageCenter.exe
1524	LiveMessageCenter.exe
5048	Casino_ext.exe
5048	Casino_ext.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4748	c44ecfa7bf8a1be3eb806dc600db3c50N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4748 wrote to memory of 1052	4748	c44ecfa7bf8a1be3eb806dc600db3c50N.exe	84
PID 4748 wrote to memory of 1052	4748	c44ecfa7bf8a1be3eb806dc600db3c50N.exe	84
PID 4748 wrote to memory of 1052	4748	c44ecfa7bf8a1be3eb806dc600db3c50N.exe	84
PID 1052 wrote to memory of 5012	1052	casino_extensions.exe	85
PID 1052 wrote to memory of 5012	1052	casino_extensions.exe	85
PID 1052 wrote to memory of 5012	1052	casino_extensions.exe	85
PID 5012 wrote to memory of 8	5012	casino_extensions.exe	86
PID 5012 wrote to memory of 8	5012	casino_extensions.exe	86
PID 5012 wrote to memory of 8	5012	casino_extensions.exe	86
PID 8 wrote to memory of 4852	8	Casino_ext.exe	87
PID 8 wrote to memory of 4852	8	Casino_ext.exe	87
PID 8 wrote to memory of 4852	8	Casino_ext.exe	87
PID 4852 wrote to memory of 3916	4852	casino_extensions.exe	88
PID 4852 wrote to memory of 3916	4852	casino_extensions.exe	88
PID 4852 wrote to memory of 3916	4852	casino_extensions.exe	88
PID 3916 wrote to memory of 4780	3916	casino_extensions.exe	89
PID 3916 wrote to memory of 4780	3916	casino_extensions.exe	89
PID 3916 wrote to memory of 4780	3916	casino_extensions.exe	89
PID 4780 wrote to memory of 1676	4780	Casino_ext.exe	90
PID 4780 wrote to memory of 1676	4780	Casino_ext.exe	90
PID 4780 wrote to memory of 1676	4780	Casino_ext.exe	90
PID 1676 wrote to memory of 4588	1676	casino_extensions.exe	91
PID 1676 wrote to memory of 4588	1676	casino_extensions.exe	91
PID 1676 wrote to memory of 4588	1676	casino_extensions.exe	91
PID 4588 wrote to memory of 1636	4588	casino_extensions.exe	92
PID 4588 wrote to memory of 1636	4588	casino_extensions.exe	92
PID 4588 wrote to memory of 1636	4588	casino_extensions.exe	92
PID 1636 wrote to memory of 3948	1636	Casino_ext.exe	93
PID 1636 wrote to memory of 3948	1636	Casino_ext.exe	93
PID 1636 wrote to memory of 3948	1636	Casino_ext.exe	93
PID 3948 wrote to memory of 1048	3948	casino_extensions.exe	94
PID 3948 wrote to memory of 1048	3948	casino_extensions.exe	94
PID 3948 wrote to memory of 1048	3948	casino_extensions.exe	94
PID 1048 wrote to memory of 2964	1048	casino_extensions.exe	95
PID 1048 wrote to memory of 2964	1048	casino_extensions.exe	95
PID 1048 wrote to memory of 2964	1048	casino_extensions.exe	95
PID 2964 wrote to memory of 3708	2964	Casino_ext.exe	96
PID 2964 wrote to memory of 3708	2964	Casino_ext.exe	96
PID 2964 wrote to memory of 3708	2964	Casino_ext.exe	96
PID 3708 wrote to memory of 3816	3708	casino_extensions.exe	97
PID 3708 wrote to memory of 3816	3708	casino_extensions.exe	97
PID 3708 wrote to memory of 3816	3708	casino_extensions.exe	97
PID 3816 wrote to memory of 1532	3816	casino_extensions.exe	98
PID 3816 wrote to memory of 1532	3816	casino_extensions.exe	98
PID 3816 wrote to memory of 1532	3816	casino_extensions.exe	98
PID 1532 wrote to memory of 4884	1532	Casino_ext.exe	99
PID 1532 wrote to memory of 4884	1532	Casino_ext.exe	99
PID 1532 wrote to memory of 4884	1532	Casino_ext.exe	99
PID 4884 wrote to memory of 916	4884	casino_extensions.exe	100
PID 4884 wrote to memory of 916	4884	casino_extensions.exe	100
PID 4884 wrote to memory of 916	4884	casino_extensions.exe	100
PID 916 wrote to memory of 628	916	casino_extensions.exe	101
PID 916 wrote to memory of 628	916	casino_extensions.exe	101
PID 916 wrote to memory of 628	916	casino_extensions.exe	101
PID 628 wrote to memory of 3936	628	Casino_ext.exe	102
PID 628 wrote to memory of 3936	628	Casino_ext.exe	102
PID 628 wrote to memory of 3936	628	Casino_ext.exe	102
PID 3936 wrote to memory of 4060	3936	casino_extensions.exe	103
PID 3936 wrote to memory of 4060	3936	casino_extensions.exe	103
PID 3936 wrote to memory of 4060	3936	casino_extensions.exe	103
PID 4060 wrote to memory of 3596	4060	casino_extensions.exe	104
PID 4060 wrote to memory of 3596	4060	casino_extensions.exe	104
PID 4060 wrote to memory of 3596	4060	casino_extensions.exe	104
PID 3596 wrote to memory of 744	3596	Casino_ext.exe	105

C:\Users\Admin\AppData\Local\Temp\c44ecfa7bf8a1be3eb806dc600db3c50N.exe
"C:\Users\Admin\AppData\Local\Temp\c44ecfa7bf8a1be3eb806dc600db3c50N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5012
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:8
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4852
      - C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3916
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        8⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        10⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        11⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        12⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        13⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        14⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3708
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        15⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3816
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        16⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        17⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        18⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        19⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        20⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3936
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        21⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        22⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        23⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:744
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        24⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:4348
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        25⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4292
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        26⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        27⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        28⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1960
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        29⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3476
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        30⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1524
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        31⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3764
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        32⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:5096
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        33⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5048
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        34⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c $$2028~1.BAT
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
C:\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
725KB

MD5
ae48f2a948bb07cd1aa32136165768de

SHA1
941f65974a3d56f38efa4ddd3927c28c65816d37

SHA256
aaec670876a80a1538b01addaa9d0226cc030d7864eb3e7d10ec1ee7cf280946

SHA512
d29324bb1cbfb06faaae5c8d4c4bdc93336520b4ce9fb41c7414519c31cd82430244bd610a0e03f130ba7a3dd5a3ed3f2a334171948394c23e3930455655e9b9

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
714KB

MD5
0e5beaed9626834976342631c06f0d3b

SHA1
b61d91630526a8aefa13609a27b11ca997bcc3b4

SHA256
d3ea9e546b35487d82a222351558ac77552d51cdb2a6331e4b8d83ff5e89dcae

SHA512
9a74e6e5304e640bc02f5cecaddf6832f13906a23eb407d220de87b9df7ba1f87b45426d6d4efdfd542d5b80f5858f4eb7ef9912e31ce0c9a97d203076fe5d65

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
725KB

MD5
b9f7880c126045c5f9e73c33e353e104

SHA1
bfedbf0ecad7746ded9d49e572685dd22a5bfa07

SHA256
c22da75c3369809cea2adb66dd158a106047f7b8b48e1207fedb02cd341c791e

SHA512
a392f21b99471877d46a238293c752063b29c1223eb62edfb67a83511d3861564cb295b307dad84f32b86b676a1ae4a178ec100879ffb88494632ae9f9e0a0a7

Download Submit
memory/4748-8-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5012-7-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download