0ab664af8e4b78f6dba2e5900780712d51d49ec50e502596595959b8f9894f2f

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 00:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7402040f6536e370b9ef36f8a4cd4ad0_NeikiAnalytics.exe
Size

570KB
MD5

7402040f6536e370b9ef36f8a4cd4ad0
SHA1

82628abfabbd2743b151bec3092e3869f461a814
SHA256

0ab664af8e4b78f6dba2e5900780712d51d49ec50e502596595959b8f9894f2f
SHA512

745826888a4ad7b44ded60923c0ca9785fa7e63e774464caa75e4ab54715bfea978c5b9bbcdd21b66fbf8ecfa057583f5c925c608b9a342cde0005ea2fe0263b
SSDEEP

3072:vtwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOLlqw1aQnjQ1F4AE4v9tihxM:luj8NDF3OR9/Qe2HdklrnsKM

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
4124	casino_extensions.exe
4792	Casino_ext.exe
4856	casino_extensions.exe
3048	Casino_ext.exe
512	casino_extensions.exe
4752	Casino_ext.exe
1464	LiveMessageCenter.exe
2412	casino_extensions.exe
4244	Casino_ext.exe
4024	casino_extensions.exe
1448	Casino_ext.exe
1384	casino_extensions.exe
728	Casino_ext.exe
4804	LiveMessageCenter.exe
2084	casino_extensions.exe
3932	Casino_ext.exe
4708	casino_extensions.exe
2676	Casino_ext.exe
2168	LiveMessageCenter.exe
3752	casino_extensions.exe
636	Casino_ext.exe
2712	casino_extensions.exe
1356	Casino_ext.exe
1756	LiveMessageCenter.exe
1372	casino_extensions.exe
632	Casino_ext.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe

Drops file in Program Files directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
4792	Casino_ext.exe
4792	Casino_ext.exe
3048	Casino_ext.exe
3048	Casino_ext.exe
4752	Casino_ext.exe
4752	Casino_ext.exe
1464	LiveMessageCenter.exe
1464	LiveMessageCenter.exe
4244	Casino_ext.exe
4244	Casino_ext.exe
1448	Casino_ext.exe
1448	Casino_ext.exe
728	Casino_ext.exe
728	Casino_ext.exe
4804	LiveMessageCenter.exe
4804	LiveMessageCenter.exe
3932	Casino_ext.exe
3932	Casino_ext.exe
2676	Casino_ext.exe
2676	Casino_ext.exe
2168	LiveMessageCenter.exe
2168	LiveMessageCenter.exe
636	Casino_ext.exe
636	Casino_ext.exe
1356	Casino_ext.exe
1356	Casino_ext.exe
1756	LiveMessageCenter.exe
1756	LiveMessageCenter.exe
632	Casino_ext.exe
632	Casino_ext.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
5068	7402040f6536e370b9ef36f8a4cd4ad0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5068 wrote to memory of 3328	5068	7402040f6536e370b9ef36f8a4cd4ad0_NeikiAnalytics.exe	84
PID 5068 wrote to memory of 3328	5068	7402040f6536e370b9ef36f8a4cd4ad0_NeikiAnalytics.exe	84
PID 5068 wrote to memory of 3328	5068	7402040f6536e370b9ef36f8a4cd4ad0_NeikiAnalytics.exe	84
PID 3328 wrote to memory of 4124	3328	casino_extensions.exe	85
PID 3328 wrote to memory of 4124	3328	casino_extensions.exe	85
PID 3328 wrote to memory of 4124	3328	casino_extensions.exe	85
PID 4124 wrote to memory of 4792	4124	casino_extensions.exe	86
PID 4124 wrote to memory of 4792	4124	casino_extensions.exe	86
PID 4124 wrote to memory of 4792	4124	casino_extensions.exe	86
PID 4792 wrote to memory of 4300	4792	Casino_ext.exe	87
PID 4792 wrote to memory of 4300	4792	Casino_ext.exe	87
PID 4792 wrote to memory of 4300	4792	Casino_ext.exe	87
PID 4300 wrote to memory of 4856	4300	casino_extensions.exe	88
PID 4300 wrote to memory of 4856	4300	casino_extensions.exe	88
PID 4300 wrote to memory of 4856	4300	casino_extensions.exe	88
PID 4856 wrote to memory of 3048	4856	casino_extensions.exe	89
PID 4856 wrote to memory of 3048	4856	casino_extensions.exe	89
PID 4856 wrote to memory of 3048	4856	casino_extensions.exe	89
PID 3048 wrote to memory of 1212	3048	Casino_ext.exe	90
PID 3048 wrote to memory of 1212	3048	Casino_ext.exe	90
PID 3048 wrote to memory of 1212	3048	Casino_ext.exe	90
PID 1212 wrote to memory of 512	1212	casino_extensions.exe	91
PID 1212 wrote to memory of 512	1212	casino_extensions.exe	91
PID 1212 wrote to memory of 512	1212	casino_extensions.exe	91
PID 512 wrote to memory of 4752	512	casino_extensions.exe	92
PID 512 wrote to memory of 4752	512	casino_extensions.exe	92
PID 512 wrote to memory of 4752	512	casino_extensions.exe	92
PID 4752 wrote to memory of 2068	4752	Casino_ext.exe	93
PID 4752 wrote to memory of 2068	4752	Casino_ext.exe	93
PID 4752 wrote to memory of 2068	4752	Casino_ext.exe	93
PID 2068 wrote to memory of 1464	2068	casino_extensions.exe	94
PID 2068 wrote to memory of 1464	2068	casino_extensions.exe	94
PID 2068 wrote to memory of 1464	2068	casino_extensions.exe	94
PID 1464 wrote to memory of 3820	1464	LiveMessageCenter.exe	95
PID 1464 wrote to memory of 3820	1464	LiveMessageCenter.exe	95
PID 1464 wrote to memory of 3820	1464	LiveMessageCenter.exe	95
PID 3820 wrote to memory of 2412	3820	casino_extensions.exe	96
PID 3820 wrote to memory of 2412	3820	casino_extensions.exe	96
PID 3820 wrote to memory of 2412	3820	casino_extensions.exe	96
PID 2412 wrote to memory of 4244	2412	casino_extensions.exe	97
PID 2412 wrote to memory of 4244	2412	casino_extensions.exe	97
PID 2412 wrote to memory of 4244	2412	casino_extensions.exe	97
PID 4244 wrote to memory of 4820	4244	Casino_ext.exe	98
PID 4244 wrote to memory of 4820	4244	Casino_ext.exe	98
PID 4244 wrote to memory of 4820	4244	Casino_ext.exe	98
PID 4820 wrote to memory of 4024	4820	casino_extensions.exe	99
PID 4820 wrote to memory of 4024	4820	casino_extensions.exe	99
PID 4820 wrote to memory of 4024	4820	casino_extensions.exe	99
PID 4024 wrote to memory of 1448	4024	casino_extensions.exe	100
PID 4024 wrote to memory of 1448	4024	casino_extensions.exe	100
PID 4024 wrote to memory of 1448	4024	casino_extensions.exe	100
PID 1448 wrote to memory of 1620	1448	Casino_ext.exe	101
PID 1448 wrote to memory of 1620	1448	Casino_ext.exe	101
PID 1448 wrote to memory of 1620	1448	Casino_ext.exe	101
PID 1620 wrote to memory of 1384	1620	casino_extensions.exe	102
PID 1620 wrote to memory of 1384	1620	casino_extensions.exe	102
PID 1620 wrote to memory of 1384	1620	casino_extensions.exe	102
PID 1384 wrote to memory of 728	1384	casino_extensions.exe	103
PID 1384 wrote to memory of 728	1384	casino_extensions.exe	103
PID 1384 wrote to memory of 728	1384	casino_extensions.exe	103
PID 728 wrote to memory of 2860	728	Casino_ext.exe	104
PID 728 wrote to memory of 2860	728	Casino_ext.exe	104
PID 728 wrote to memory of 2860	728	Casino_ext.exe	104
PID 2860 wrote to memory of 4804	2860	casino_extensions.exe	105

C:\Users\Admin\AppData\Local\Temp\7402040f6536e370b9ef36f8a4cd4ad0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7402040f6536e370b9ef36f8a4cd4ad0_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3328
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:4124
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4792
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4300
      - C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        8⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:512
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        10⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        11⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        12⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        13⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3820
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        14⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        15⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        16⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        17⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:4024
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        18⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        19⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        20⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        21⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:728
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        22⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe
        23⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4804
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        24⤵
        Drops file in System32 directory
        
        PID:1500
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        25⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:2084
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        26⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3932
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        27⤵
        Drops file in System32 directory
        
        PID:4764
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        28⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:4708
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        29⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2676
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        30⤵
        Drops file in System32 directory
        
        PID:660
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe
        31⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2168
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        32⤵
        Drops file in System32 directory
        
        PID:2900
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        33⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:3752
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        34⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:636
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        35⤵
        Drops file in System32 directory
        
        PID:908
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        36⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:2712
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        37⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1356
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        38⤵
        Drops file in System32 directory
        
        PID:3376
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe
        39⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1756
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        40⤵
        Drops file in System32 directory
        
        PID:1300
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        41⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1372
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        42⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:632
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        43⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c $$2028~1.BAT
        44⤵
        
        PID:616

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
C:\Windows\SysWOW64\Casino_ext.exe

Filesize
585KB

MD5
e3bc4b0257d6d9cc2f6e0eea05c9c87f

SHA1
2882badee817f0919c3cf56b5e1b6d17a6edac07

SHA256
16ec5745f8d50beee810affe1b1ef295690cc5818dd7c9479a9a164c6a4c8de5

SHA512
1951719381f708d05d8c538908304eb468bc917ffc094b436ef2fe13cd3cbd52a6a3f2c02a1209ff8870824e6bbe2e5ef6c851933afc338ccc6a953d1291d709

Download Submit
C:\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
580KB

MD5
49ee0ca52dd437d5e5be96f49970a16b

SHA1
9f18b084876c721a4a757e5a045f457d16854058

SHA256
acb4dddfc8a59cb2815d45180aa365e82109c59108873c6bf9864bcacb22c08d

SHA512
f6ecdb80c29774b55205160c17296753e48684c64193220dbc1ee358ad334713578adf75746a10f0f3744feb286469493e4cb059938ab18b1d47bdba30ab458a

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
582KB

MD5
92119dbfac460c19ee65e8910ffcf629

SHA1
af015ae121d3b110230c170d35e2b97e9159342d

SHA256
e751a5b7fd808feb332ad2471363d0c067dcff22f7c5da857c9b9d6c013544c0

SHA512
edb7dfacb8b249ac6800a8a16f60258f78aecb21cd890e4b6225fe8c46561bdb10d5143f94592dd144a245ae3f0c80744c0bce7ef0c359617cfde3ae3ba7c062

Download Submit
memory/4124-12-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/5068-10-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download