00e525e8289b5eeb51060ce4872e7a2cfbdb739ca3746a56d397888a006663a2

Analysis

max time kernel
128s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
25-06-2024 16:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00e525e8289b5eeb51060ce4872e7a2cfbdb739ca3746a56d397888a006663a2_NeikiAnalytics.exe
Size

626KB
MD5

f121065db8075ab96b7c1480202dd560
SHA1

3174e918ee1f2259e52f1fe6cdf02e8f0cdba3d1
SHA256

00e525e8289b5eeb51060ce4872e7a2cfbdb739ca3746a56d397888a006663a2
SHA512

a2893739d766ad14f18444e383f0da050a7e26a251fc06070b9ab4e44b660da53cb96b4e62770bc3fc63b27805d3cbaf0292b7de712d13d243dbf3545c42dfe1
SSDEEP

3072:6twizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOylqwvwK42i1ZKEJAl9Yf1Mi8c:+uj8NDF3OR9/Qe2HdJfwK4DdW9p5Y

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
2940	casino_extensions.exe
3412	Casino_ext.exe
1060	casino_extensions.exe
1264	Casino_ext.exe
832	casino_extensions.exe
2628	Casino_ext.exe
2852	casino_extensions.exe
3988	Casino_ext.exe
3120	casino_extensions.exe
3464	Casino_ext.exe
4136	casino_extensions.exe
4368	Casino_ext.exe
1624	casino_extensions.exe
764	Casino_ext.exe
1436	casino_extensions.exe
2360	Casino_ext.exe
4444	LiveMessageCenter.exe
4656	casino_extensions.exe
3912	Casino_ext.exe
1352	casino_extensions.exe
1472	Casino_ext.exe
2896	casino_extensions.exe
1124	Casino_ext.exe
1136	LiveMessageCenter.exe
2636	casino_extensions.exe
4848	Casino_ext.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe

Drops file in Program Files directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
3412	Casino_ext.exe
3412	Casino_ext.exe
1264	Casino_ext.exe
1264	Casino_ext.exe
2628	Casino_ext.exe
2628	Casino_ext.exe
3988	Casino_ext.exe
3988	Casino_ext.exe
3464	Casino_ext.exe
3464	Casino_ext.exe
4368	Casino_ext.exe
4368	Casino_ext.exe
764	Casino_ext.exe
764	Casino_ext.exe
2360	Casino_ext.exe
2360	Casino_ext.exe
4444	LiveMessageCenter.exe
4444	LiveMessageCenter.exe
3912	Casino_ext.exe
3912	Casino_ext.exe
1472	Casino_ext.exe
1472	Casino_ext.exe
1124	Casino_ext.exe
1124	Casino_ext.exe
1136	LiveMessageCenter.exe
1136	LiveMessageCenter.exe
4848	Casino_ext.exe
4848	Casino_ext.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3864	00e525e8289b5eeb51060ce4872e7a2cfbdb739ca3746a56d397888a006663a2_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3864 wrote to memory of 1816	3864	00e525e8289b5eeb51060ce4872e7a2cfbdb739ca3746a56d397888a006663a2_NeikiAnalytics.exe	93
PID 3864 wrote to memory of 1816	3864	00e525e8289b5eeb51060ce4872e7a2cfbdb739ca3746a56d397888a006663a2_NeikiAnalytics.exe	93
PID 3864 wrote to memory of 1816	3864	00e525e8289b5eeb51060ce4872e7a2cfbdb739ca3746a56d397888a006663a2_NeikiAnalytics.exe	93
PID 1816 wrote to memory of 2940	1816	casino_extensions.exe	94
PID 1816 wrote to memory of 2940	1816	casino_extensions.exe	94
PID 1816 wrote to memory of 2940	1816	casino_extensions.exe	94
PID 2940 wrote to memory of 3412	2940	casino_extensions.exe	95
PID 2940 wrote to memory of 3412	2940	casino_extensions.exe	95
PID 2940 wrote to memory of 3412	2940	casino_extensions.exe	95
PID 3412 wrote to memory of 4904	3412	Casino_ext.exe	96
PID 3412 wrote to memory of 4904	3412	Casino_ext.exe	96
PID 3412 wrote to memory of 4904	3412	Casino_ext.exe	96
PID 4904 wrote to memory of 1060	4904	casino_extensions.exe	97
PID 4904 wrote to memory of 1060	4904	casino_extensions.exe	97
PID 4904 wrote to memory of 1060	4904	casino_extensions.exe	97
PID 1060 wrote to memory of 1264	1060	casino_extensions.exe	98
PID 1060 wrote to memory of 1264	1060	casino_extensions.exe	98
PID 1060 wrote to memory of 1264	1060	casino_extensions.exe	98
PID 1264 wrote to memory of 4888	1264	Casino_ext.exe	99
PID 1264 wrote to memory of 4888	1264	Casino_ext.exe	99
PID 1264 wrote to memory of 4888	1264	Casino_ext.exe	99
PID 4888 wrote to memory of 832	4888	casino_extensions.exe	100
PID 4888 wrote to memory of 832	4888	casino_extensions.exe	100
PID 4888 wrote to memory of 832	4888	casino_extensions.exe	100
PID 832 wrote to memory of 2628	832	casino_extensions.exe	101
PID 832 wrote to memory of 2628	832	casino_extensions.exe	101
PID 832 wrote to memory of 2628	832	casino_extensions.exe	101
PID 2628 wrote to memory of 1964	2628	Casino_ext.exe	102
PID 2628 wrote to memory of 1964	2628	Casino_ext.exe	102
PID 2628 wrote to memory of 1964	2628	Casino_ext.exe	102
PID 1964 wrote to memory of 2852	1964	casino_extensions.exe	103
PID 1964 wrote to memory of 2852	1964	casino_extensions.exe	103
PID 1964 wrote to memory of 2852	1964	casino_extensions.exe	103
PID 2852 wrote to memory of 3988	2852	casino_extensions.exe	104
PID 2852 wrote to memory of 3988	2852	casino_extensions.exe	104
PID 2852 wrote to memory of 3988	2852	casino_extensions.exe	104
PID 3988 wrote to memory of 4316	3988	Casino_ext.exe	105
PID 3988 wrote to memory of 4316	3988	Casino_ext.exe	105
PID 3988 wrote to memory of 4316	3988	Casino_ext.exe	105
PID 4316 wrote to memory of 3120	4316	casino_extensions.exe	106
PID 4316 wrote to memory of 3120	4316	casino_extensions.exe	106
PID 4316 wrote to memory of 3120	4316	casino_extensions.exe	106
PID 3120 wrote to memory of 3464	3120	casino_extensions.exe	107
PID 3120 wrote to memory of 3464	3120	casino_extensions.exe	107
PID 3120 wrote to memory of 3464	3120	casino_extensions.exe	107
PID 3464 wrote to memory of 3948	3464	Casino_ext.exe	108
PID 3464 wrote to memory of 3948	3464	Casino_ext.exe	108
PID 3464 wrote to memory of 3948	3464	Casino_ext.exe	108
PID 3948 wrote to memory of 4136	3948	casino_extensions.exe	109
PID 3948 wrote to memory of 4136	3948	casino_extensions.exe	109
PID 3948 wrote to memory of 4136	3948	casino_extensions.exe	109
PID 4136 wrote to memory of 4368	4136	casino_extensions.exe	110
PID 4136 wrote to memory of 4368	4136	casino_extensions.exe	110
PID 4136 wrote to memory of 4368	4136	casino_extensions.exe	110
PID 4368 wrote to memory of 2816	4368	Casino_ext.exe	111
PID 4368 wrote to memory of 2816	4368	Casino_ext.exe	111
PID 4368 wrote to memory of 2816	4368	Casino_ext.exe	111
PID 2816 wrote to memory of 1624	2816	casino_extensions.exe	112
PID 2816 wrote to memory of 1624	2816	casino_extensions.exe	112
PID 2816 wrote to memory of 1624	2816	casino_extensions.exe	112
PID 1624 wrote to memory of 764	1624	casino_extensions.exe	113
PID 1624 wrote to memory of 764	1624	casino_extensions.exe	113
PID 1624 wrote to memory of 764	1624	casino_extensions.exe	113
PID 764 wrote to memory of 3416	764	Casino_ext.exe	114

C:\Users\Admin\AppData\Local\Temp\00e525e8289b5eeb51060ce4872e7a2cfbdb739ca3746a56d397888a006663a2_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\00e525e8289b5eeb51060ce4872e7a2cfbdb739ca3746a56d397888a006663a2_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3864
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1816
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2940
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3412
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4904
      - C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        8⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:832
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        10⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        11⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        12⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        13⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        14⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        15⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:3120
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        16⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        17⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        18⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:4136
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        19⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        20⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        21⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        22⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        23⤵
        Drops file in System32 directory
        
        PID:3416
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        24⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1436
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        25⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2360
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        26⤵
        Drops file in System32 directory
        
        PID:3508
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        27⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4444
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        28⤵
        Drops file in System32 directory
        
        PID:2404
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        29⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:4656
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        30⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3912
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        31⤵
        Drops file in System32 directory
        
        PID:3652
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        32⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1352
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        33⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1472
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        34⤵
        Drops file in System32 directory
        
        PID:4872
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        35⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:2896
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        36⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1124
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        37⤵
        Drops file in System32 directory
        
        PID:4640
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe
        38⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1136
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        39⤵
        Drops file in System32 directory
        
        PID:1512
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        40⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:2636
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        41⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4848
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        42⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c $$2028~1.BAT
        43⤵
        
        PID:4164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3840,i,6522675234395427298,2952738987384583032,262144 --variations-seed-version --mojo-platform-channel-handle=1308 /prefetch:8
1⤵
PID:1484

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
C:\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
630KB

MD5
d9dcd15f3a1e3f9256dd78d2b01d2b12

SHA1
b9d44559cb3b34e1b4061f91bb5f2742df14e538

SHA256
6a42fc12f0cfccb7aeb21aa8c512ce86769f870cc1eb14b7e50fda0eec6936f1

SHA512
f2cdd22f4c1a1ca792311e59e19df42d2b7751da7723f45fb7cb58901d5a715031a0d2182211f1b2ae99648adb7d63b4180958fa2afee6f7d25ab9337a7fce67

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
635KB

MD5
21061fee87f30a3a1ef3d823687942b8

SHA1
bf7d0ec0967b094e0bb80352314074095300c47e

SHA256
e93c2d3f0483359de23de84dffb5de1de4f46e14923a4ccf9bec5c9ee8f17ec8

SHA512
5eb7ad17fb37599eff0857a09a3022faa410de4d83f23734ae1070a672960e822573249c6a91d43cae4b28ac960b5fbec2649b6b26cb3558bcf206260be03c51

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
637KB

MD5
f1222abfa09b9c1fa066a5dd99dde439

SHA1
a529759136e0c4619ddacaf8ab00377da0dce058

SHA256
0929b0013a78b4ab5a987bb3ad92ed752f74bc2d1e17432ebb7dc8c627ef84da

SHA512
03a26790c912f2f3064aa241bd7b9d9787e58ebc65e720788e568b1dcf11269b32e575675d9ef23088e43cd01f170d00ffe171a5b112829a66ee22fd8b00bab2

Download Submit
memory/2940-7-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3864-8-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download