4fdc42b8cf1f0be7e888d8134d1ac5ae30b071f77e989fdffd6dde15f543149e

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4fdc42b8cf1f0be7e888d8134d1ac5ae30b071f77e989fdffd6dde15f543149e_NeikiAnalytics.exe
Size

747KB
MD5

03e488cc52fcd1461d408c26b8340e80
SHA1

c870bff0914e7d03addd71cabb0ed4a901d13822
SHA256

4fdc42b8cf1f0be7e888d8134d1ac5ae30b071f77e989fdffd6dde15f543149e
SHA512

bf0395989b4326ba597628d8d8a4b77eb4827bf7e52acabbb765fa1b687702f8757ebdf8845bca5fbae35b0f43821553ac459c21cfb70a8302fb24000d7a384c
SSDEEP

6144:+uj8NDF3OR9/Qe2HdJ8pSioXt4II0+zzrtjBvDr:hOF3ORK3d11Xt4II0+zzrtjBv3

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 33 IoCs

pid	Process
4964	casino_extensions.exe
2596	Casino_ext.exe
2144	casino_extensions.exe
1252	Casino_ext.exe
1732	LiveMessageCenter.exe
3312	casino_extensions.exe
4928	Casino_ext.exe
1884	casino_extensions.exe
1788	Casino_ext.exe
1308	casino_extensions.exe
2836	Casino_ext.exe
2316	casino_extensions.exe
4036	Casino_ext.exe
4056	LiveMessageCenter.exe
3420	casino_extensions.exe
2708	Casino_ext.exe
2128	casino_extensions.exe
2104	Casino_ext.exe
3952	LiveMessageCenter.exe
1684	casino_extensions.exe
4764	Casino_ext.exe
2376	casino_extensions.exe
1208	Casino_ext.exe
2576	LiveMessageCenter.exe
1848	casino_extensions.exe
2832	Casino_ext.exe
3752	casino_extensions.exe
2380	Casino_ext.exe
3308	casino_extensions.exe
2932	Casino_ext.exe
548	LiveMessageCenter.exe
5040	casino_extensions.exe
4044	Casino_ext.exe

Drops file in System32 directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe

Drops file in Program Files directory 34 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
2596	Casino_ext.exe
2596	Casino_ext.exe
1252	Casino_ext.exe
1252	Casino_ext.exe
1732	LiveMessageCenter.exe
1732	LiveMessageCenter.exe
4928	Casino_ext.exe
4928	Casino_ext.exe
1788	Casino_ext.exe
1788	Casino_ext.exe
2836	Casino_ext.exe
2836	Casino_ext.exe
4036	Casino_ext.exe
4036	Casino_ext.exe
4056	LiveMessageCenter.exe
4056	LiveMessageCenter.exe
2708	Casino_ext.exe
2708	Casino_ext.exe
2104	Casino_ext.exe
2104	Casino_ext.exe
3952	LiveMessageCenter.exe
3952	LiveMessageCenter.exe
4764	Casino_ext.exe
4764	Casino_ext.exe
1208	Casino_ext.exe
1208	Casino_ext.exe
2576	LiveMessageCenter.exe
2576	LiveMessageCenter.exe
2832	Casino_ext.exe
2832	Casino_ext.exe
2380	Casino_ext.exe
2380	Casino_ext.exe
2932	Casino_ext.exe
2932	Casino_ext.exe
548	LiveMessageCenter.exe
548	LiveMessageCenter.exe
4044	Casino_ext.exe
4044	Casino_ext.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2748	4fdc42b8cf1f0be7e888d8134d1ac5ae30b071f77e989fdffd6dde15f543149e_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 4684	2748	4fdc42b8cf1f0be7e888d8134d1ac5ae30b071f77e989fdffd6dde15f543149e_NeikiAnalytics.exe	83
PID 2748 wrote to memory of 4684	2748	4fdc42b8cf1f0be7e888d8134d1ac5ae30b071f77e989fdffd6dde15f543149e_NeikiAnalytics.exe	83
PID 2748 wrote to memory of 4684	2748	4fdc42b8cf1f0be7e888d8134d1ac5ae30b071f77e989fdffd6dde15f543149e_NeikiAnalytics.exe	83
PID 4684 wrote to memory of 4964	4684	casino_extensions.exe	84
PID 4684 wrote to memory of 4964	4684	casino_extensions.exe	84
PID 4684 wrote to memory of 4964	4684	casino_extensions.exe	84
PID 4964 wrote to memory of 2596	4964	casino_extensions.exe	85
PID 4964 wrote to memory of 2596	4964	casino_extensions.exe	85
PID 4964 wrote to memory of 2596	4964	casino_extensions.exe	85
PID 2596 wrote to memory of 3992	2596	Casino_ext.exe	86
PID 2596 wrote to memory of 3992	2596	Casino_ext.exe	86
PID 2596 wrote to memory of 3992	2596	Casino_ext.exe	86
PID 3992 wrote to memory of 2144	3992	casino_extensions.exe	87
PID 3992 wrote to memory of 2144	3992	casino_extensions.exe	87
PID 3992 wrote to memory of 2144	3992	casino_extensions.exe	87
PID 2144 wrote to memory of 1252	2144	casino_extensions.exe	88
PID 2144 wrote to memory of 1252	2144	casino_extensions.exe	88
PID 2144 wrote to memory of 1252	2144	casino_extensions.exe	88
PID 1252 wrote to memory of 4200	1252	Casino_ext.exe	89
PID 1252 wrote to memory of 4200	1252	Casino_ext.exe	89
PID 1252 wrote to memory of 4200	1252	Casino_ext.exe	89
PID 4200 wrote to memory of 1732	4200	casino_extensions.exe	90
PID 4200 wrote to memory of 1732	4200	casino_extensions.exe	90
PID 4200 wrote to memory of 1732	4200	casino_extensions.exe	90
PID 1732 wrote to memory of 2940	1732	LiveMessageCenter.exe	91
PID 1732 wrote to memory of 2940	1732	LiveMessageCenter.exe	91
PID 1732 wrote to memory of 2940	1732	LiveMessageCenter.exe	91
PID 2940 wrote to memory of 3312	2940	casino_extensions.exe	92
PID 2940 wrote to memory of 3312	2940	casino_extensions.exe	92
PID 2940 wrote to memory of 3312	2940	casino_extensions.exe	92
PID 3312 wrote to memory of 4928	3312	casino_extensions.exe	93
PID 3312 wrote to memory of 4928	3312	casino_extensions.exe	93
PID 3312 wrote to memory of 4928	3312	casino_extensions.exe	93
PID 4928 wrote to memory of 2736	4928	Casino_ext.exe	94
PID 4928 wrote to memory of 2736	4928	Casino_ext.exe	94
PID 4928 wrote to memory of 2736	4928	Casino_ext.exe	94
PID 2736 wrote to memory of 1884	2736	casino_extensions.exe	95
PID 2736 wrote to memory of 1884	2736	casino_extensions.exe	95
PID 2736 wrote to memory of 1884	2736	casino_extensions.exe	95
PID 1884 wrote to memory of 1788	1884	casino_extensions.exe	97
PID 1884 wrote to memory of 1788	1884	casino_extensions.exe	97
PID 1884 wrote to memory of 1788	1884	casino_extensions.exe	97
PID 1788 wrote to memory of 1696	1788	Casino_ext.exe	98
PID 1788 wrote to memory of 1696	1788	Casino_ext.exe	98
PID 1788 wrote to memory of 1696	1788	Casino_ext.exe	98
PID 1696 wrote to memory of 1308	1696	casino_extensions.exe	99
PID 1696 wrote to memory of 1308	1696	casino_extensions.exe	99
PID 1696 wrote to memory of 1308	1696	casino_extensions.exe	99
PID 1308 wrote to memory of 2836	1308	casino_extensions.exe	100
PID 1308 wrote to memory of 2836	1308	casino_extensions.exe	100
PID 1308 wrote to memory of 2836	1308	casino_extensions.exe	100
PID 2836 wrote to memory of 1060	2836	Casino_ext.exe	101
PID 2836 wrote to memory of 1060	2836	Casino_ext.exe	101
PID 2836 wrote to memory of 1060	2836	Casino_ext.exe	101
PID 1060 wrote to memory of 2316	1060	casino_extensions.exe	102
PID 1060 wrote to memory of 2316	1060	casino_extensions.exe	102
PID 1060 wrote to memory of 2316	1060	casino_extensions.exe	102
PID 2316 wrote to memory of 4036	2316	casino_extensions.exe	103
PID 2316 wrote to memory of 4036	2316	casino_extensions.exe	103
PID 2316 wrote to memory of 4036	2316	casino_extensions.exe	103
PID 4036 wrote to memory of 1008	4036	Casino_ext.exe	105
PID 4036 wrote to memory of 1008	4036	Casino_ext.exe	105
PID 4036 wrote to memory of 1008	4036	Casino_ext.exe	105
PID 1008 wrote to memory of 4056	1008	casino_extensions.exe	106

C:\Users\Admin\AppData\Local\Temp\4fdc42b8cf1f0be7e888d8134d1ac5ae30b071f77e989fdffd6dde15f543149e_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4fdc42b8cf1f0be7e888d8134d1ac5ae30b071f77e989fdffd6dde15f543149e_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4684
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:4964
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2596
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3992
      - C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        8⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4200
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        10⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        11⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:3312
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        12⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        13⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        14⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        15⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        16⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        17⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:1308
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        18⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        19⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        20⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        21⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        22⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe
        23⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4056
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        24⤵
        Drops file in System32 directory
        
        PID:3888
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        25⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:3420
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        26⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2708
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        27⤵
        Drops file in System32 directory
        
        PID:1248
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        28⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:2128
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        29⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2104
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        30⤵
        Drops file in System32 directory
        
        PID:2232
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe
        31⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3952
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        32⤵
        Drops file in System32 directory
        
        PID:1336
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        33⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1684
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        34⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4764
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        35⤵
        Drops file in System32 directory
        
        PID:4476
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        36⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:2376
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        37⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1208
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        38⤵
        Drops file in System32 directory
        
        PID:4640
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe
        39⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2576
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        40⤵
        Drops file in System32 directory
        
        PID:5096
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        41⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1848
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        42⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2832
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        43⤵
        Drops file in System32 directory
        
        PID:884
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        44⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:3752
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        45⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2380
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        46⤵
        Drops file in System32 directory
        
        PID:1628
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        47⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:3308
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        48⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2932
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        49⤵
        Drops file in System32 directory
        
        PID:2648
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe
        50⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:548
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        51⤵
        Drops file in System32 directory
        
        PID:3640
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        52⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:5040
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        53⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4044
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        54⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c $$2028~1.BAT
        55⤵
        
        PID:4192

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
C:\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
752KB

MD5
410779a711f50fa5a083dd9a7a37e92b

SHA1
3295e4b2ed8d0dd73ee36ca58ad869d895cfb1cf

SHA256
24cad3819372ebec1220781248cb04f0ea6d0b411cfbc153c5743f5c567726b1

SHA512
09c666a3c04326ab2f66490021dd5d5e967cf83b39093dea72c82778cbf211339878567bcfe8818e13a1a1f4dc0cc03d49077bf861653c47e3cfa27a7aecc9dd

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
749KB

MD5
7c8612ba69c137127926c28f7a147f46

SHA1
b972a0b6cce4cd431a5dbe3bced85a379d0e8dac

SHA256
5b88b13eb8480fd73f6c86f3f0ef7cd9b47e8ca30c4d849d0049b2b815446b18

SHA512
2735b2318de70f0807c71d201510f90bb4dc80c60357c30251aa8b541def363390282b28834b546c7cbc57730dda1c4721463fb06436132998a0e425beed32f2

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
749KB

MD5
3a05d153ff6af669ce8ccf90e8ea4a31

SHA1
3a8d45a9c41227ac5a08c7ec57f8a2f4377056b1

SHA256
24944bb553db33bb3a276e29ebc75906feece9f7361166e647b56de23a0dbe1d

SHA512
1a2476c58f084242c5b30979d240e0141eee9222c0b5fdebc8d8785239435447d8fe447a6436ecd679abbf521e2909202d70dc348c6810f9c6ed02d5c8c6fbe2

Download Submit
memory/2748-7-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4964-8-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download