09b30664005e0928f1994dea76fdf30415737d1dbbedfcf3364ce25c1a20b8f2

Analysis

max time kernel
136s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20-05-2024 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1bd4fda6393e90a3c7aec1155734aa0_NeikiAnalytics.exe
Size

895KB
MD5

c1bd4fda6393e90a3c7aec1155734aa0
SHA1

67bd8903e8e80cb7a9e9c80fb26a7938041ec089
SHA256

09b30664005e0928f1994dea76fdf30415737d1dbbedfcf3364ce25c1a20b8f2
SHA512

357fd1fe96ff641b8bcce720a5cdcc4792ca98e9a853a30aa8f378cc7fc1f90de03e048f72de5a888b4e2d44b3839a75877aa38f17d4b5b8f74cf7534bc58746
SSDEEP

3072:QtwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOLlqw1aQS0Tm2TdFcoV2i1JLj+:wuj8NDF3OR9/Qe2HdklrSqtBVvHZc

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 29 IoCs

pid	Process
3612	casino_extensions.exe
5188	Casino_ext.exe
3916	casino_extensions.exe
4412	Casino_ext.exe
5060	casino_extensions.exe
1196	Casino_ext.exe
3360	LiveMessageCenter.exe
5624	casino_extensions.exe
1712	Casino_ext.exe
4404	casino_extensions.exe
3904	Casino_ext.exe
1416	casino_extensions.exe
4368	Casino_ext.exe
4940	casino_extensions.exe
820	Casino_ext.exe
5228	casino_extensions.exe
5072	Casino_ext.exe
3592	casino_extensions.exe
5644	Casino_ext.exe
4260	casino_extensions.exe
3344	Casino_ext.exe
5616	LiveMessageCenter.exe
3116	casino_extensions.exe
3136	Casino_ext.exe
1852	casino_extensions.exe
4052	Casino_ext.exe
5092	LiveMessageCenter.exe
5584	casino_extensions.exe
5544	Casino_ext.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
5188	Casino_ext.exe
5188	Casino_ext.exe
4412	Casino_ext.exe
4412	Casino_ext.exe
1196	Casino_ext.exe
1196	Casino_ext.exe
3360	LiveMessageCenter.exe
3360	LiveMessageCenter.exe
1712	Casino_ext.exe
1712	Casino_ext.exe
3904	Casino_ext.exe
3904	Casino_ext.exe
4368	Casino_ext.exe
4368	Casino_ext.exe
820	Casino_ext.exe
820	Casino_ext.exe
5072	Casino_ext.exe
5072	Casino_ext.exe
5644	Casino_ext.exe
5644	Casino_ext.exe
3344	Casino_ext.exe
3344	Casino_ext.exe
5616	LiveMessageCenter.exe
5616	LiveMessageCenter.exe
3136	Casino_ext.exe
3136	Casino_ext.exe
4052	Casino_ext.exe
4052	Casino_ext.exe
5092	LiveMessageCenter.exe
5092	LiveMessageCenter.exe
5544	Casino_ext.exe
5544	Casino_ext.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2996	c1bd4fda6393e90a3c7aec1155734aa0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 4608	2996	c1bd4fda6393e90a3c7aec1155734aa0_NeikiAnalytics.exe	83
PID 2996 wrote to memory of 4608	2996	c1bd4fda6393e90a3c7aec1155734aa0_NeikiAnalytics.exe	83
PID 2996 wrote to memory of 4608	2996	c1bd4fda6393e90a3c7aec1155734aa0_NeikiAnalytics.exe	83
PID 4608 wrote to memory of 3612	4608	casino_extensions.exe	84
PID 4608 wrote to memory of 3612	4608	casino_extensions.exe	84
PID 4608 wrote to memory of 3612	4608	casino_extensions.exe	84
PID 3612 wrote to memory of 5188	3612	casino_extensions.exe	85
PID 3612 wrote to memory of 5188	3612	casino_extensions.exe	85
PID 3612 wrote to memory of 5188	3612	casino_extensions.exe	85
PID 5188 wrote to memory of 4812	5188	Casino_ext.exe	86
PID 5188 wrote to memory of 4812	5188	Casino_ext.exe	86
PID 5188 wrote to memory of 4812	5188	Casino_ext.exe	86
PID 4812 wrote to memory of 3916	4812	casino_extensions.exe	87
PID 4812 wrote to memory of 3916	4812	casino_extensions.exe	87
PID 4812 wrote to memory of 3916	4812	casino_extensions.exe	87
PID 3916 wrote to memory of 4412	3916	casino_extensions.exe	88
PID 3916 wrote to memory of 4412	3916	casino_extensions.exe	88
PID 3916 wrote to memory of 4412	3916	casino_extensions.exe	88
PID 4412 wrote to memory of 1020	4412	Casino_ext.exe	89
PID 4412 wrote to memory of 1020	4412	Casino_ext.exe	89
PID 4412 wrote to memory of 1020	4412	Casino_ext.exe	89
PID 1020 wrote to memory of 5060	1020	casino_extensions.exe	90
PID 1020 wrote to memory of 5060	1020	casino_extensions.exe	90
PID 1020 wrote to memory of 5060	1020	casino_extensions.exe	90
PID 5060 wrote to memory of 1196	5060	casino_extensions.exe	91
PID 5060 wrote to memory of 1196	5060	casino_extensions.exe	91
PID 5060 wrote to memory of 1196	5060	casino_extensions.exe	91
PID 1196 wrote to memory of 1492	1196	Casino_ext.exe	92
PID 1196 wrote to memory of 1492	1196	Casino_ext.exe	92
PID 1196 wrote to memory of 1492	1196	Casino_ext.exe	92
PID 1492 wrote to memory of 3360	1492	casino_extensions.exe	93
PID 1492 wrote to memory of 3360	1492	casino_extensions.exe	93
PID 1492 wrote to memory of 3360	1492	casino_extensions.exe	93
PID 3360 wrote to memory of 5324	3360	LiveMessageCenter.exe	95
PID 3360 wrote to memory of 5324	3360	LiveMessageCenter.exe	95
PID 3360 wrote to memory of 5324	3360	LiveMessageCenter.exe	95
PID 5324 wrote to memory of 5624	5324	casino_extensions.exe	96
PID 5324 wrote to memory of 5624	5324	casino_extensions.exe	96
PID 5324 wrote to memory of 5624	5324	casino_extensions.exe	96
PID 5624 wrote to memory of 1712	5624	casino_extensions.exe	97
PID 5624 wrote to memory of 1712	5624	casino_extensions.exe	97
PID 5624 wrote to memory of 1712	5624	casino_extensions.exe	97
PID 1712 wrote to memory of 4976	1712	Casino_ext.exe	98
PID 1712 wrote to memory of 4976	1712	Casino_ext.exe	98
PID 1712 wrote to memory of 4976	1712	Casino_ext.exe	98
PID 4976 wrote to memory of 4404	4976	casino_extensions.exe	99
PID 4976 wrote to memory of 4404	4976	casino_extensions.exe	99
PID 4976 wrote to memory of 4404	4976	casino_extensions.exe	99
PID 4404 wrote to memory of 3904	4404	casino_extensions.exe	100
PID 4404 wrote to memory of 3904	4404	casino_extensions.exe	100
PID 4404 wrote to memory of 3904	4404	casino_extensions.exe	100
PID 3904 wrote to memory of 1912	3904	Casino_ext.exe	102
PID 3904 wrote to memory of 1912	3904	Casino_ext.exe	102
PID 3904 wrote to memory of 1912	3904	Casino_ext.exe	102
PID 1912 wrote to memory of 1416	1912	casino_extensions.exe	103
PID 1912 wrote to memory of 1416	1912	casino_extensions.exe	103
PID 1912 wrote to memory of 1416	1912	casino_extensions.exe	103
PID 1416 wrote to memory of 4368	1416	casino_extensions.exe	104
PID 1416 wrote to memory of 4368	1416	casino_extensions.exe	104
PID 1416 wrote to memory of 4368	1416	casino_extensions.exe	104
PID 4368 wrote to memory of 1572	4368	Casino_ext.exe	105
PID 4368 wrote to memory of 1572	4368	Casino_ext.exe	105
PID 4368 wrote to memory of 1572	4368	Casino_ext.exe	105
PID 1572 wrote to memory of 4940	1572	casino_extensions.exe	106

C:\Users\Admin\AppData\Local\Temp\c1bd4fda6393e90a3c7aec1155734aa0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c1bd4fda6393e90a3c7aec1155734aa0_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4608
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:3612
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:5188
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4812
      - C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:3916
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        8⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        10⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        11⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        12⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3360
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        13⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5324
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        14⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:5624
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        15⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        16⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        17⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        18⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3904
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        19⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        20⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        21⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        22⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        23⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:4940
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        24⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:820
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        25⤵
        Drops file in System32 directory
        
        PID:1076
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        26⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:5228
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        27⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:5072
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        28⤵
        Drops file in System32 directory
        
        PID:3428
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        29⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:3592
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        30⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:5644
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        31⤵
        Drops file in System32 directory
        
        PID:1980
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        32⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:4260
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        33⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3344
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        34⤵
        Drops file in System32 directory
        
        PID:4992
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe
        35⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:5616
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        36⤵
        Drops file in System32 directory
        
        PID:4348
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        37⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:3116
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        38⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3136
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        39⤵
        Drops file in System32 directory
        
        PID:5508
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        40⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1852
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        41⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4052
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        42⤵
        Drops file in System32 directory
        
        PID:5412
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe
        43⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:5092
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        44⤵
        Drops file in System32 directory
        
        PID:1824
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        45⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:5584
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        46⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:5544
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        47⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:5684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c $$2028~1.BAT
        48⤵
        
        PID:1408

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
C:\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
900KB

MD5
c4f4a29819aa3a095efdb51c2826243e

SHA1
2b0931dfb1e26f5dc900a53e8ae3432eaae759d7

SHA256
d04cc30ab31c71d91ed20c62da70a350cccb89e173a0cfcf767ee14ed6745015

SHA512
16029d00971cb641987b8dcfa81efef3400cd40ed6443517b714888064abfc608870ad931e821f3578527538a3f983e0c6423a213518da8e78ed847c741027c1

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
897KB

MD5
d8e3163ab175e4ea446e03c5a88bee60

SHA1
e78ce386d48e4d70b28efd38f8a5265a4c21c785

SHA256
a12f82377627f2e8ef5458a1148ef3143f5eaf16bb828af471ab7d6ee7b63fd2

SHA512
c4dd5307dd0b6df221d599b1e0db603a5ca42b719ae7e4bd53fbb020e52f951b94a83f486d842c5816b3e1c0170db100dd662fbacc0b126bc2cf09f8b8752344

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
912KB

MD5
4a05cdbfe7b51028824c1c7b8813aa34

SHA1
5d64a1049a4226cc7cec1c41439ec13d1017d9b7

SHA256
0369eb0d6b8c4bcf061c650f9c9c014f485a96adfa7401ced2a8131553677471

SHA512
83dabf1be325411271c1374d78efdd53be7d53fbde1b111ef8b1c5ee577db302a6ad665c69cfee06f1b9d4d1fec90d9a56b50683ba086fcaaaededa94466ebd5

Download Submit
memory/2996-7-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3612-8-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download