8992cf2085f2efdd05624348688e5c642f1c4b190ea9c13e6b3b0c365f64a295

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 10:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1457b8f9e49f44cf97097bd1e9d73bd0_NeikiAnalytics.exe
Size

486KB
MD5

1457b8f9e49f44cf97097bd1e9d73bd0
SHA1

97aa30049db5dc06422911f95cb7708eb7262208
SHA256

8992cf2085f2efdd05624348688e5c642f1c4b190ea9c13e6b3b0c365f64a295
SHA512

8da976b3ece8fc34218492584b9759c35630c8979f23609848558d58c037408349851c9147b3bd5ad1f58a075eec96a84544caa74fb8d1560e61867a10d28a49
SSDEEP

3072:FtwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOLlqw1aQS0Tm2TdwnN0gUydt28:Puj8NDF3OR9/Qe2HdklrSqZghdtV

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 44 IoCs

pid	Process
812	casino_extensions.exe
4020	Casino_ext.exe
3948	casino_extensions.exe
3992	Casino_ext.exe
1252	LiveMessageCenter.exe
4204	casino_extensions.exe
1732	Casino_ext.exe
3312	casino_extensions.exe
4928	Casino_ext.exe
4544	casino_extensions.exe
2816	Casino_ext.exe
2264	LiveMessageCenter.exe
2456	casino_extensions.exe
3200	Casino_ext.exe
2228	casino_extensions.exe
1780	Casino_ext.exe
4056	LiveMessageCenter.exe
4332	casino_extensions.exe
3648	Casino_ext.exe
2128	casino_extensions.exe
2968	Casino_ext.exe
3952	casino_extensions.exe
3228	Casino_ext.exe
3680	casino_extensions.exe
968	Casino_ext.exe
1976	casino_extensions.exe
1928	Casino_ext.exe
4640	casino_extensions.exe
5096	Casino_ext.exe
4720	casino_extensions.exe
5104	Casino_ext.exe
2068	casino_extensions.exe
1708	Casino_ext.exe
1348	casino_extensions.exe
1584	Casino_ext.exe
3672	casino_extensions.exe
5040	Casino_ext.exe
3336	casino_extensions.exe
3556	Casino_ext.exe
4600	casino_extensions.exe
4688	Casino_ext.exe
4316	LiveMessageCenter.exe
468	casino_extensions.exe
3432	Casino_ext.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe

Drops file in Program Files directory 45 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4020	Casino_ext.exe
4020	Casino_ext.exe
3992	Casino_ext.exe
3992	Casino_ext.exe
1252	LiveMessageCenter.exe
1252	LiveMessageCenter.exe
1732	Casino_ext.exe
1732	Casino_ext.exe
4928	Casino_ext.exe
4928	Casino_ext.exe
2816	Casino_ext.exe
2816	Casino_ext.exe
2264	LiveMessageCenter.exe
2264	LiveMessageCenter.exe
3200	Casino_ext.exe
3200	Casino_ext.exe
1780	Casino_ext.exe
1780	Casino_ext.exe
4056	LiveMessageCenter.exe
4056	LiveMessageCenter.exe
3648	Casino_ext.exe
3648	Casino_ext.exe
2968	Casino_ext.exe
2968	Casino_ext.exe
3228	Casino_ext.exe
3228	Casino_ext.exe
968	Casino_ext.exe
968	Casino_ext.exe
1928	Casino_ext.exe
1928	Casino_ext.exe
5096	Casino_ext.exe
5096	Casino_ext.exe
5104	Casino_ext.exe
5104	Casino_ext.exe
1708	Casino_ext.exe
1708	Casino_ext.exe
1584	Casino_ext.exe
1584	Casino_ext.exe
5040	Casino_ext.exe
5040	Casino_ext.exe
3556	Casino_ext.exe
3556	Casino_ext.exe
4688	Casino_ext.exe
4688	Casino_ext.exe
4316	LiveMessageCenter.exe
4316	LiveMessageCenter.exe
3432	Casino_ext.exe
3432	Casino_ext.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2240	1457b8f9e49f44cf97097bd1e9d73bd0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 4520	2240	1457b8f9e49f44cf97097bd1e9d73bd0_NeikiAnalytics.exe	82
PID 2240 wrote to memory of 4520	2240	1457b8f9e49f44cf97097bd1e9d73bd0_NeikiAnalytics.exe	82
PID 2240 wrote to memory of 4520	2240	1457b8f9e49f44cf97097bd1e9d73bd0_NeikiAnalytics.exe	82
PID 4520 wrote to memory of 812	4520	casino_extensions.exe	83
PID 4520 wrote to memory of 812	4520	casino_extensions.exe	83
PID 4520 wrote to memory of 812	4520	casino_extensions.exe	83
PID 812 wrote to memory of 4020	812	casino_extensions.exe	84
PID 812 wrote to memory of 4020	812	casino_extensions.exe	84
PID 812 wrote to memory of 4020	812	casino_extensions.exe	84
PID 4020 wrote to memory of 2840	4020	Casino_ext.exe	85
PID 4020 wrote to memory of 2840	4020	Casino_ext.exe	85
PID 4020 wrote to memory of 2840	4020	Casino_ext.exe	85
PID 2840 wrote to memory of 3948	2840	casino_extensions.exe	86
PID 2840 wrote to memory of 3948	2840	casino_extensions.exe	86
PID 2840 wrote to memory of 3948	2840	casino_extensions.exe	86
PID 3948 wrote to memory of 3992	3948	casino_extensions.exe	88
PID 3948 wrote to memory of 3992	3948	casino_extensions.exe	88
PID 3948 wrote to memory of 3992	3948	casino_extensions.exe	88
PID 3992 wrote to memory of 3520	3992	Casino_ext.exe	90
PID 3992 wrote to memory of 3520	3992	Casino_ext.exe	90
PID 3992 wrote to memory of 3520	3992	Casino_ext.exe	90
PID 3520 wrote to memory of 1252	3520	casino_extensions.exe	91
PID 3520 wrote to memory of 1252	3520	casino_extensions.exe	91
PID 3520 wrote to memory of 1252	3520	casino_extensions.exe	91
PID 1252 wrote to memory of 3360	1252	LiveMessageCenter.exe	92
PID 1252 wrote to memory of 3360	1252	LiveMessageCenter.exe	92
PID 1252 wrote to memory of 3360	1252	LiveMessageCenter.exe	92
PID 3360 wrote to memory of 4204	3360	casino_extensions.exe	93
PID 3360 wrote to memory of 4204	3360	casino_extensions.exe	93
PID 3360 wrote to memory of 4204	3360	casino_extensions.exe	93
PID 4204 wrote to memory of 1732	4204	casino_extensions.exe	94
PID 4204 wrote to memory of 1732	4204	casino_extensions.exe	94
PID 4204 wrote to memory of 1732	4204	casino_extensions.exe	94
PID 1732 wrote to memory of 3364	1732	Casino_ext.exe	95
PID 1732 wrote to memory of 3364	1732	Casino_ext.exe	95
PID 1732 wrote to memory of 3364	1732	Casino_ext.exe	95
PID 3364 wrote to memory of 3312	3364	casino_extensions.exe	96
PID 3364 wrote to memory of 3312	3364	casino_extensions.exe	96
PID 3364 wrote to memory of 3312	3364	casino_extensions.exe	96
PID 3312 wrote to memory of 4928	3312	casino_extensions.exe	97
PID 3312 wrote to memory of 4928	3312	casino_extensions.exe	97
PID 3312 wrote to memory of 4928	3312	casino_extensions.exe	97
PID 4928 wrote to memory of 3040	4928	Casino_ext.exe	98
PID 4928 wrote to memory of 3040	4928	Casino_ext.exe	98
PID 4928 wrote to memory of 3040	4928	Casino_ext.exe	98
PID 3040 wrote to memory of 4544	3040	casino_extensions.exe	99
PID 3040 wrote to memory of 4544	3040	casino_extensions.exe	99
PID 3040 wrote to memory of 4544	3040	casino_extensions.exe	99
PID 4544 wrote to memory of 2816	4544	casino_extensions.exe	101
PID 4544 wrote to memory of 2816	4544	casino_extensions.exe	101
PID 4544 wrote to memory of 2816	4544	casino_extensions.exe	101
PID 2816 wrote to memory of 3160	2816	Casino_ext.exe	102
PID 2816 wrote to memory of 3160	2816	Casino_ext.exe	102
PID 2816 wrote to memory of 3160	2816	Casino_ext.exe	102
PID 3160 wrote to memory of 2264	3160	casino_extensions.exe	103
PID 3160 wrote to memory of 2264	3160	casino_extensions.exe	103
PID 3160 wrote to memory of 2264	3160	casino_extensions.exe	103
PID 2264 wrote to memory of 4272	2264	LiveMessageCenter.exe	104
PID 2264 wrote to memory of 4272	2264	LiveMessageCenter.exe	104
PID 2264 wrote to memory of 4272	2264	LiveMessageCenter.exe	104
PID 4272 wrote to memory of 2456	4272	casino_extensions.exe	105
PID 4272 wrote to memory of 2456	4272	casino_extensions.exe	105
PID 4272 wrote to memory of 2456	4272	casino_extensions.exe	105
PID 2456 wrote to memory of 3200	2456	casino_extensions.exe	106

C:\Users\Admin\AppData\Local\Temp\1457b8f9e49f44cf97097bd1e9d73bd0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1457b8f9e49f44cf97097bd1e9d73bd0_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4520
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:812
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4020
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2840
      - C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        8⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        10⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3360
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        11⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:4204
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        12⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        13⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3364
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        14⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:3312
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        15⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        16⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        17⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        18⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        19⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3160
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe
        20⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        21⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        22⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        23⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3200
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        24⤵
        Drops file in System32 directory
        
        PID:4036
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        25⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:2228
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        26⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1780
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        27⤵
        Drops file in System32 directory
        
        PID:1008
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe
        28⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4056
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        29⤵
        Drops file in System32 directory
        
        PID:4608
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        30⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:4332
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        31⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3648
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        32⤵
        Drops file in System32 directory
        
        PID:2900
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        33⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:2128
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        34⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2968
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        35⤵
        Drops file in System32 directory
        
        PID:2232
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        36⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:3952
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        37⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3228
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        38⤵
        Drops file in System32 directory
        
        PID:2080
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        39⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:3680
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        40⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:968
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        41⤵
        Drops file in System32 directory
        
        PID:4900
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        42⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1976
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        43⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1928
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        44⤵
        Drops file in System32 directory
        
        PID:4804
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        45⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:4640
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        46⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:5096
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        47⤵
        Drops file in System32 directory
        
        PID:412
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        48⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:4720
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        49⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:5104
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        50⤵
        Drops file in System32 directory
        
        PID:2732
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        51⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:2068
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        52⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1708
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        53⤵
        Drops file in System32 directory
        
        PID:3208
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        54⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1348
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        55⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1584
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        56⤵
        Drops file in System32 directory
        
        PID:548
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        57⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:3672
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        58⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:5040
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        59⤵
        Drops file in System32 directory
        
        PID:4988
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        60⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:3336
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        61⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3556
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        62⤵
        Drops file in System32 directory
        
        PID:5108
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        63⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:4600
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        64⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4688
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        65⤵
        Drops file in System32 directory
        
        PID:876
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe
        66⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4316
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        67⤵
        Drops file in System32 directory
        
        PID:3508
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        68⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:468
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        69⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3432
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        70⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c $$2028~1.BAT
        71⤵
        
        PID:4024

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
C:\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
498KB

MD5
9df2231f122b32e32c93a6098ab008fb

SHA1
b1b83cf92a0f8fc74d10f2d3ec20998f26f19c3a

SHA256
c1ab655b0780c20fb4d1a3f6b7d42f5eacff8c5bae62b5db189b0716b874a32d

SHA512
0b183401e43093e850b2c8b5c66ba76410175d9fa3040b766f5c26e802be7f720864e35b1f3c96de31afe4c4d3e28923c6ed5c879c718223380fe48dc86b1b00

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
490KB

MD5
30f45abd8f9960b614d4cb5e24d6fa74

SHA1
df96fa337d985ef92b1da8a98dee714f86a5e829

SHA256
b231ba5a334896dbf3351e765610476b731557918c28b01641665429d31f6a2f

SHA512
b867c01be36cea1afff621bb494e8503ceb5056fe7cf6921d13a4a9b6c23a56f419fedf4c633fe5fed1d40543c4e688fd106e726f95778e36360fa16c7d1dfce

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
495KB

MD5
bfc2af1620af51f374638644afbb02b3

SHA1
49afb8c691e03e31302c2558cdfb1e3be104a46b

SHA256
e4bb7442d271abef6fed36d2cd812df68b404ce4f443967f5cf50f975a66c35d

SHA512
48ab1518f43c1f6ed31e51abe5e86e177622d0b5e12c64acddafcfe4c88efc75994756bd283f21b0b03e1bd62382212f1089db6204888d0606abd58740a302b1

Download Submit
memory/812-8-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2240-7-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download