ce6c4f227738a831300b6d96805ea0335d8df0b873269c209f6a25eaf80f5f88

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 13:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce6c4f227738a831300b6d96805ea0335d8df0b873269c209f6a25eaf80f5f88N.exe
Size

723KB
MD5

a1702156dd17ab880974c5deb8411490
SHA1

6911a82e2a3990998ffd56b01314e3e825863d13
SHA256

ce6c4f227738a831300b6d96805ea0335d8df0b873269c209f6a25eaf80f5f88
SHA512

fc120f221c6d90eeceb62c8b0b3cd1c87ad8b24b9356588c9add4dedcd7e33d3208c25bd0b16eeed04130d3abf5ef205a2150369518b555f8e75ca363ac194bd
SSDEEP

3072:stwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdO5lqwDwy0lR6ATYPlrZWqwlm5I:8uj8NDF3OR9/Qe2HdezwXlwWdipW

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 23 IoCs

pid	Process
640	casino_extensions.exe
2520	Casino_ext.exe
2612	casino_extensions.exe
3032	Casino_ext.exe
3596	casino_extensions.exe
4800	Casino_ext.exe
3056	casino_extensions.exe
3028	Casino_ext.exe
2972	LiveMessageCenter.exe
1660	casino_extensions.exe
1088	Casino_ext.exe
3228	LiveMessageCenter.exe
1768	casino_extensions.exe
2332	Casino_ext.exe
4060	casino_extensions.exe
1568	Casino_ext.exe
1688	casino_extensions.exe
2732	Casino_ext.exe
2384	casino_extensions.exe
3260	Casino_ext.exe
868	LiveMessageCenter.exe
816	casino_extensions.exe
4172	Casino_ext.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe

Drops file in Program Files directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe

System Location Discovery: System Language Discovery 1 TTPs 39 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Casino_ext.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LiveMessageCenter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LiveMessageCenter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Casino_ext.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Casino_ext.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LiveMessageCenter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Casino_ext.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Casino_ext.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Casino_ext.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ce6c4f227738a831300b6d96805ea0335d8df0b873269c209f6a25eaf80f5f88N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Casino_ext.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Casino_ext.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Casino_ext.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Casino_ext.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2520	Casino_ext.exe
2520	Casino_ext.exe
3032	Casino_ext.exe
3032	Casino_ext.exe
4800	Casino_ext.exe
4800	Casino_ext.exe
3028	Casino_ext.exe
3028	Casino_ext.exe
2972	LiveMessageCenter.exe
2972	LiveMessageCenter.exe
1088	Casino_ext.exe
1088	Casino_ext.exe
3228	LiveMessageCenter.exe
3228	LiveMessageCenter.exe
2332	Casino_ext.exe
2332	Casino_ext.exe
1568	Casino_ext.exe
1568	Casino_ext.exe
2732	Casino_ext.exe
2732	Casino_ext.exe
3260	Casino_ext.exe
3260	Casino_ext.exe
868	LiveMessageCenter.exe
868	LiveMessageCenter.exe
4172	Casino_ext.exe
4172	Casino_ext.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1976	ce6c4f227738a831300b6d96805ea0335d8df0b873269c209f6a25eaf80f5f88N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 3516	1976	ce6c4f227738a831300b6d96805ea0335d8df0b873269c209f6a25eaf80f5f88N.exe	82
PID 1976 wrote to memory of 3516	1976	ce6c4f227738a831300b6d96805ea0335d8df0b873269c209f6a25eaf80f5f88N.exe	82
PID 1976 wrote to memory of 3516	1976	ce6c4f227738a831300b6d96805ea0335d8df0b873269c209f6a25eaf80f5f88N.exe	82
PID 3516 wrote to memory of 640	3516	casino_extensions.exe	83
PID 3516 wrote to memory of 640	3516	casino_extensions.exe	83
PID 3516 wrote to memory of 640	3516	casino_extensions.exe	83
PID 640 wrote to memory of 2520	640	casino_extensions.exe	84
PID 640 wrote to memory of 2520	640	casino_extensions.exe	84
PID 640 wrote to memory of 2520	640	casino_extensions.exe	84
PID 2520 wrote to memory of 4804	2520	Casino_ext.exe	85
PID 2520 wrote to memory of 4804	2520	Casino_ext.exe	85
PID 2520 wrote to memory of 4804	2520	Casino_ext.exe	85
PID 4804 wrote to memory of 2612	4804	casino_extensions.exe	86
PID 4804 wrote to memory of 2612	4804	casino_extensions.exe	86
PID 4804 wrote to memory of 2612	4804	casino_extensions.exe	86
PID 2612 wrote to memory of 3032	2612	casino_extensions.exe	87
PID 2612 wrote to memory of 3032	2612	casino_extensions.exe	87
PID 2612 wrote to memory of 3032	2612	casino_extensions.exe	87
PID 3032 wrote to memory of 2116	3032	Casino_ext.exe	88
PID 3032 wrote to memory of 2116	3032	Casino_ext.exe	88
PID 3032 wrote to memory of 2116	3032	Casino_ext.exe	88
PID 2116 wrote to memory of 3596	2116	casino_extensions.exe	89
PID 2116 wrote to memory of 3596	2116	casino_extensions.exe	89
PID 2116 wrote to memory of 3596	2116	casino_extensions.exe	89
PID 3596 wrote to memory of 4800	3596	casino_extensions.exe	90
PID 3596 wrote to memory of 4800	3596	casino_extensions.exe	90
PID 3596 wrote to memory of 4800	3596	casino_extensions.exe	90
PID 4800 wrote to memory of 392	4800	Casino_ext.exe	91
PID 4800 wrote to memory of 392	4800	Casino_ext.exe	91
PID 4800 wrote to memory of 392	4800	Casino_ext.exe	91
PID 392 wrote to memory of 3056	392	casino_extensions.exe	92
PID 392 wrote to memory of 3056	392	casino_extensions.exe	92
PID 392 wrote to memory of 3056	392	casino_extensions.exe	92
PID 3056 wrote to memory of 3028	3056	casino_extensions.exe	93
PID 3056 wrote to memory of 3028	3056	casino_extensions.exe	93
PID 3056 wrote to memory of 3028	3056	casino_extensions.exe	93
PID 3028 wrote to memory of 3884	3028	Casino_ext.exe	94
PID 3028 wrote to memory of 3884	3028	Casino_ext.exe	94
PID 3028 wrote to memory of 3884	3028	Casino_ext.exe	94
PID 3884 wrote to memory of 2972	3884	casino_extensions.exe	95
PID 3884 wrote to memory of 2972	3884	casino_extensions.exe	95
PID 3884 wrote to memory of 2972	3884	casino_extensions.exe	95
PID 2972 wrote to memory of 1044	2972	LiveMessageCenter.exe	96
PID 2972 wrote to memory of 1044	2972	LiveMessageCenter.exe	96
PID 2972 wrote to memory of 1044	2972	LiveMessageCenter.exe	96
PID 1044 wrote to memory of 1660	1044	casino_extensions.exe	97
PID 1044 wrote to memory of 1660	1044	casino_extensions.exe	97
PID 1044 wrote to memory of 1660	1044	casino_extensions.exe	97
PID 1660 wrote to memory of 1088	1660	casino_extensions.exe	98
PID 1660 wrote to memory of 1088	1660	casino_extensions.exe	98
PID 1660 wrote to memory of 1088	1660	casino_extensions.exe	98
PID 1088 wrote to memory of 4980	1088	Casino_ext.exe	99
PID 1088 wrote to memory of 4980	1088	Casino_ext.exe	99
PID 1088 wrote to memory of 4980	1088	Casino_ext.exe	99
PID 4980 wrote to memory of 3228	4980	casino_extensions.exe	100
PID 4980 wrote to memory of 3228	4980	casino_extensions.exe	100
PID 4980 wrote to memory of 3228	4980	casino_extensions.exe	100
PID 3228 wrote to memory of 5112	3228	LiveMessageCenter.exe	101
PID 3228 wrote to memory of 5112	3228	LiveMessageCenter.exe	101
PID 3228 wrote to memory of 5112	3228	LiveMessageCenter.exe	101
PID 5112 wrote to memory of 1768	5112	casino_extensions.exe	102
PID 5112 wrote to memory of 1768	5112	casino_extensions.exe	102
PID 5112 wrote to memory of 1768	5112	casino_extensions.exe	102
PID 1768 wrote to memory of 2332	1768	casino_extensions.exe	103

C:\Users\Admin\AppData\Local\Temp\ce6c4f227738a831300b6d96805ea0335d8df0b873269c209f6a25eaf80f5f88N.exe
"C:\Users\Admin\AppData\Local\Temp\ce6c4f227738a831300b6d96805ea0335d8df0b873269c209f6a25eaf80f5f88N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3516
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:640
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2520
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4804
      - C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        8⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        10⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        11⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:392
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        12⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        13⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        14⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3884
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        15⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        16⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        17⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        18⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        19⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe
        20⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        21⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        22⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        23⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2332
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        24⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4760
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        25⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:4060
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        26⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1568
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        27⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        28⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        29⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2732
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        30⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4940
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        31⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        32⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3260
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        33⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4668
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe
        34⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:868
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        35⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3328
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        36⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:816
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        37⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4172
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        38⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:3924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c $$2028~1.BAT
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:3196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
C:\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
730KB

MD5
4851db86e4a5e00485f60ff7a0533dcb

SHA1
f896e9ef5c0be91f79d3313d9e970445004e519d

SHA256
38612044780904a6dba79840afcf971e314efe0c492e26a1c76df9ef9294c16a

SHA512
5844fe6756b42ce3bb72491d4534192af762e996d8dd7201b32d7c505851d1c765074b1d8578fe6450ca453e284cd817b48f16445733eaf0fb3375d85c7577fd

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
725KB

MD5
ac14098be106849a4ae34a24e69439fe

SHA1
76438fe14eb14423525d1b67954bb9f10ed79640

SHA256
62abff86253a9e10c6aab45f35a4c1a4fcd2ab717b01379bcdbf69242495173f

SHA512
7ce6664958243c962117407af61c7fbd88464f3bf1239cb57c993a74d3eea9e82f6066fa9efecf6d8aab635e8d08cc588e0457ebdef88b95488635f045b06b6b

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
739KB

MD5
80e44d03bf3d14c39d5d2b92af5e977c

SHA1
9546b5c9b7c3364553302f531e636437537a6ccb

SHA256
f02e4efa62c8a0244c6c9ff44080c993b4ec69c53ed45f2bace2a1d5b654b633

SHA512
c8395b2685289f8dbab9b6940c9065869e123488a708abce64d0751909818e7e9c1b501efa7f5444c93f292c9479c44905a06412718c4ea5f3b5e2db8f0d095f

Download Submit
memory/392-37-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/640-7-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/640-10-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/816-88-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/816-82-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/868-87-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/868-78-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1044-45-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1088-54-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1568-70-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1660-47-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1688-67-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1768-57-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1976-0-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1976-11-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2116-27-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2332-65-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2384-74-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2520-23-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2612-18-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2612-22-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2732-76-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2760-69-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2972-49-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2972-43-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3028-44-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3028-33-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3032-29-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3056-31-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3228-52-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3228-59-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3260-81-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3328-79-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3516-1-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3516-12-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3596-28-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3884-38-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3924-92-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3924-90-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4060-63-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4172-84-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4172-89-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4668-75-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4760-64-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4760-60-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4800-40-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4800-26-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4804-21-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4940-73-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4980-53-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4980-50-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/5112-58-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download