7a4e8cc3405fb1167404a9f2ad0a46f34e0fee2f73ccae1a4fc85d8e2ee09ad0

Analysis

max time kernel
136s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 05:05 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b45267390724b4669440f46af1a91150_NeikiAnalytics.exe
Size

591KB
MD5

b45267390724b4669440f46af1a91150
SHA1

44fdb42ac30f77785e43a2fc901c6327f0106acb
SHA256

7a4e8cc3405fb1167404a9f2ad0a46f34e0fee2f73ccae1a4fc85d8e2ee09ad0
SHA512

0552291098e52ecae7d6d2674ef56b0007dce3c553a2e8de452b25801de9896fbb6e27bd8cd04ef6d2ccf45bf6c563110b5265aa08bce4de3d93acf36bb252d6
SSDEEP

3072:HtwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOylqwvwK42i1ZKEJAl9uy:tuj8NDF3OR9/Qe2HdJfwK4DdW9J

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
4596	casino_extensions.exe
2708	Casino_ext.exe
1216	casino_extensions.exe
1316	Casino_ext.exe
4324	LiveMessageCenter.exe
3620	casino_extensions.exe
64	Casino_ext.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2708	Casino_ext.exe
2708	Casino_ext.exe
1316	Casino_ext.exe
1316	Casino_ext.exe
4324	LiveMessageCenter.exe
4324	LiveMessageCenter.exe
64	Casino_ext.exe
64	Casino_ext.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4920	b45267390724b4669440f46af1a91150_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 4920 wrote to memory of 1796	4920	b45267390724b4669440f46af1a91150_NeikiAnalytics.exe	83
PID 4920 wrote to memory of 1796	4920	b45267390724b4669440f46af1a91150_NeikiAnalytics.exe	83
PID 4920 wrote to memory of 1796	4920	b45267390724b4669440f46af1a91150_NeikiAnalytics.exe	83
PID 1796 wrote to memory of 4596	1796	casino_extensions.exe	84
PID 1796 wrote to memory of 4596	1796	casino_extensions.exe	84
PID 1796 wrote to memory of 4596	1796	casino_extensions.exe	84
PID 4596 wrote to memory of 2708	4596	casino_extensions.exe	85
PID 4596 wrote to memory of 2708	4596	casino_extensions.exe	85
PID 4596 wrote to memory of 2708	4596	casino_extensions.exe	85
PID 2708 wrote to memory of 2880	2708	Casino_ext.exe	86
PID 2708 wrote to memory of 2880	2708	Casino_ext.exe	86
PID 2708 wrote to memory of 2880	2708	Casino_ext.exe	86
PID 2880 wrote to memory of 1216	2880	casino_extensions.exe	87
PID 2880 wrote to memory of 1216	2880	casino_extensions.exe	87
PID 2880 wrote to memory of 1216	2880	casino_extensions.exe	87
PID 1216 wrote to memory of 1316	1216	casino_extensions.exe	88
PID 1216 wrote to memory of 1316	1216	casino_extensions.exe	88
PID 1216 wrote to memory of 1316	1216	casino_extensions.exe	88
PID 1316 wrote to memory of 2616	1316	Casino_ext.exe	89
PID 1316 wrote to memory of 2616	1316	Casino_ext.exe	89
PID 1316 wrote to memory of 2616	1316	Casino_ext.exe	89
PID 2616 wrote to memory of 4324	2616	casino_extensions.exe	90
PID 2616 wrote to memory of 4324	2616	casino_extensions.exe	90
PID 2616 wrote to memory of 4324	2616	casino_extensions.exe	90
PID 4324 wrote to memory of 600	4324	LiveMessageCenter.exe	91
PID 4324 wrote to memory of 600	4324	LiveMessageCenter.exe	91
PID 4324 wrote to memory of 600	4324	LiveMessageCenter.exe	91
PID 600 wrote to memory of 3620	600	casino_extensions.exe	92
PID 600 wrote to memory of 3620	600	casino_extensions.exe	92
PID 600 wrote to memory of 3620	600	casino_extensions.exe	92
PID 3620 wrote to memory of 64	3620	casino_extensions.exe	93
PID 3620 wrote to memory of 64	3620	casino_extensions.exe	93
PID 3620 wrote to memory of 64	3620	casino_extensions.exe	93
PID 64 wrote to memory of 2184	64	Casino_ext.exe	94
PID 64 wrote to memory of 2184	64	Casino_ext.exe	94
PID 64 wrote to memory of 2184	64	Casino_ext.exe	94
PID 2184 wrote to memory of 840	2184	casino_extensions.exe	95
PID 2184 wrote to memory of 840	2184	casino_extensions.exe	95
PID 2184 wrote to memory of 840	2184	casino_extensions.exe	95

C:\Users\Admin\AppData\Local\Temp\b45267390724b4669440f46af1a91150_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b45267390724b4669440f46af1a91150_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4920
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:4596
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2880
      - C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        8⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        10⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:600
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        11⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        12⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:64
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        13⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c $$2028~1.BAT
        14⤵
        
        PID:840

Network

DNS

104.219.191.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.219.191.52.in-addr.arpa

IN PTR

Response
DNS

77.190.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

77.190.18.2.in-addr.arpa

IN PTR

Response

77.190.18.2.in-addr.arpa

IN PTR

a2-18-190-77deploystaticakamaitechnologiescom
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8_Jf9vgLsejdP15UjNLxwqDVUCUzgIzXh7Wmjb83bVfNCqU8lLeBXwmowweEmXLCp3yw2RJFHiRal1WwezCh8p46ESp0qCVxA6qFlaF5Z6476KjBbdl-lkH_d_CB21n9kQP2DYueYRGrOzbNfug0bKuO5joDVKb5QZoePlmbYMgT7dmy1%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D0e12c1ba111a13efb6e5a7817770e135&TIME=20240508T114851Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8_Jf9vgLsejdP15UjNLxwqDVUCUzgIzXh7Wmjb83bVfNCqU8lLeBXwmowweEmXLCp3yw2RJFHiRal1WwezCh8p46ESp0qCVxA6qFlaF5Z6476KjBbdl-lkH_d_CB21n9kQP2DYueYRGrOzbNfug0bKuO5joDVKb5QZoePlmbYMgT7dmy1%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D0e12c1ba111a13efb6e5a7817770e135&TIME=20240508T114851Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=2BC6C9EE062369420687DD6B07C36827; domain=.bing.com; expires=Sat, 14-Jun-2025 05:05:24 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: C883955F80524B16BFF9ECE5DBE3F0DB Ref B: LON04EDGE1105 Ref C: 2024-05-20T05:05:24Z
date: Mon, 20 May 2024 05:05:23 GMT
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8_Jf9vgLsejdP15UjNLxwqDVUCUzgIzXh7Wmjb83bVfNCqU8lLeBXwmowweEmXLCp3yw2RJFHiRal1WwezCh8p46ESp0qCVxA6qFlaF5Z6476KjBbdl-lkH_d_CB21n9kQP2DYueYRGrOzbNfug0bKuO5joDVKb5QZoePlmbYMgT7dmy1%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D0e12c1ba111a13efb6e5a7817770e135&TIME=20240508T114851Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8_Jf9vgLsejdP15UjNLxwqDVUCUzgIzXh7Wmjb83bVfNCqU8lLeBXwmowweEmXLCp3yw2RJFHiRal1WwezCh8p46ESp0qCVxA6qFlaF5Z6476KjBbdl-lkH_d_CB21n9kQP2DYueYRGrOzbNfug0bKuO5joDVKb5QZoePlmbYMgT7dmy1%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D0e12c1ba111a13efb6e5a7817770e135&TIME=20240508T114851Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=2BC6C9EE062369420687DD6B07C36827; _EDGE_S=SID=373D7301541960211907678455756164

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=00RESpZFfPZDehg1kKeBDqawWJPx2316LpIPPaieUIE; domain=.bing.com; expires=Sat, 14-Jun-2025 05:05:24 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E4A4212E0D1D4A2785215022EE3E5684 Ref B: LON04EDGE1105 Ref C: 2024-05-20T05:05:24Z
date: Mon, 20 May 2024 05:05:23 GMT
GET

https://www.bing.com/aes/c.gif?RG=0d25d502ec774f55bedebe3012b01aa8&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T114851Z&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182

Remote address:

2.17.107.123:443

Request

GET /aes/c.gif?RG=0d25d502ec774f55bedebe3012b01aa8&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T114851Z&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182 HTTP/2.0
host: www.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=2BC6C9EE062369420687DD6B07C36827

Response

HTTP/2.0 200

cache-control: private,no-store
pragma: no-cache
vary: Origin
p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: FD9441E6D2FF40B4AD7A68E5F7616052 Ref B: BRU30EDGE0609 Ref C: 2024-05-20T05:05:24Z
content-length: 0
date: Mon, 20 May 2024 05:05:24 GMT
set-cookie: _EDGE_S=SID=373D7301541960211907678455756164; path=/; httponly; domain=bing.com
set-cookie: MUIDB=2BC6C9EE062369420687DD6B07C36827; path=/; httponly; expires=Sat, 14-Jun-2025 05:05:24 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.776b1102.1716181524.1c433a63
DNS

76.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

76.32.126.40.in-addr.arpa

IN PTR

Response
DNS

237.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.197.79.204.in-addr.arpa

IN PTR

Response
GET

https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

Remote address:

2.17.107.123:443

Request

GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
cookie: MUID=2BC6C9EE062369420687DD6B07C36827; _EDGE_S=SID=373D7301541960211907678455756164; MSPTC=00RESpZFfPZDehg1kKeBDqawWJPx2316LpIPPaieUIE; MUIDB=2BC6C9EE062369420687DD6B07C36827
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 1107
date: Mon, 20 May 2024 05:05:25 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.776b1102.1716181525.1c434027
DNS

123.107.17.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

123.107.17.2.in-addr.arpa

IN PTR

Response

123.107.17.2.in-addr.arpa

IN PTR

a2-17-107-123deploystaticakamaitechnologiescom
DNS

209.205.72.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.205.72.20.in-addr.arpa

IN PTR

Response
DNS

133.211.185.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.211.185.52.in-addr.arpa

IN PTR

Response
DNS

183.59.114.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

183.59.114.20.in-addr.arpa

IN PTR

Response
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR

Response
DNS

205.47.74.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

205.47.74.20.in-addr.arpa

IN PTR

Response
DNS

43.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.229.111.52.in-addr.arpa

IN PTR

Response
DNS

79.190.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

79.190.18.2.in-addr.arpa

IN PTR

Response

79.190.18.2.in-addr.arpa

IN PTR

a2-18-190-79deploystaticakamaitechnologiescom
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://tse1.mm.bing.net/th?id=OADD2.10239371372355_1WLRVFTZ079W9XPFC&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239371372355_1WLRVFTZ079W9XPFC&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 329579
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: CAF766F311A443A5888692EC56D6C4FF Ref B: LON04EDGE0717 Ref C: 2024-05-20T05:06:58Z
date: Mon, 20 May 2024 05:06:57 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239371372356_1N2G93XRLJ1Y5GWC9&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239371372356_1N2G93XRLJ1Y5GWC9&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 381531
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: B9C3D8F3C97D4FEB80293C8489BA6DDD Ref B: LON04EDGE0717 Ref C: 2024-05-20T05:06:58Z
date: Mon, 20 May 2024 05:06:57 GMT
DNS

200.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.197.79.204.in-addr.arpa

IN PTR

Response

200.197.79.204.in-addr.arpa

IN PTR

a-0001a-msedgenet

204.79.197.237:443

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8_Jf9vgLsejdP15UjNLxwqDVUCUzgIzXh7Wmjb83bVfNCqU8lLeBXwmowweEmXLCp3yw2RJFHiRal1WwezCh8p46ESp0qCVxA6qFlaF5Z6476KjBbdl-lkH_d_CB21n9kQP2DYueYRGrOzbNfug0bKuO5joDVKb5QZoePlmbYMgT7dmy1%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D0e12c1ba111a13efb6e5a7817770e135&TIME=20240508T114851Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48

tls, http2

2.5kB
9.0kB
19
17

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8_Jf9vgLsejdP15UjNLxwqDVUCUzgIzXh7Wmjb83bVfNCqU8lLeBXwmowweEmXLCp3yw2RJFHiRal1WwezCh8p46ESp0qCVxA6qFlaF5Z6476KjBbdl-lkH_d_CB21n9kQP2DYueYRGrOzbNfug0bKuO5joDVKb5QZoePlmbYMgT7dmy1%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D0e12c1ba111a13efb6e5a7817770e135&TIME=20240508T114851Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8_Jf9vgLsejdP15UjNLxwqDVUCUzgIzXh7Wmjb83bVfNCqU8lLeBXwmowweEmXLCp3yw2RJFHiRal1WwezCh8p46ESp0qCVxA6qFlaF5Z6476KjBbdl-lkH_d_CB21n9kQP2DYueYRGrOzbNfug0bKuO5joDVKb5QZoePlmbYMgT7dmy1%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D0e12c1ba111a13efb6e5a7817770e135&TIME=20240508T114851Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182&muid=D54583D0B3DA17FFA4370685003AFE48

HTTP Response

204
2.17.107.123:443

https://www.bing.com/aes/c.gif?RG=0d25d502ec774f55bedebe3012b01aa8&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T114851Z&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182

tls, http2

1.4kB
5.3kB
16
11

HTTP Request

GET https://www.bing.com/aes/c.gif?RG=0d25d502ec774f55bedebe3012b01aa8&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T114851Z&adUnitId=11730597&localId=w:D54583D0-B3DA-17FF-A437-0685003AFE48&deviceId=6966565253439182

HTTP Response

200
2.17.107.123:443

https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

tls, http2

1.6kB
6.3kB
17
12

HTTP Request

GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

HTTP Response

200
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239371372356_1N2G93XRLJ1Y5GWC9&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

tls, http2

25.9kB
743.6kB
546
544

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239371372355_1WLRVFTZ079W9XPFC&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239371372356_1N2G93XRLJ1Y5GWC9&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

8.8.8.8:53

104.219.191.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

104.219.191.52.in-addr.arpa
8.8.8.8:53

77.190.18.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

77.190.18.2.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237
8.8.8.8:53

76.32.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

76.32.126.40.in-addr.arpa
8.8.8.8:53

237.197.79.204.in-addr.arpa

dns

73 B
143 B
1
1

DNS Request

237.197.79.204.in-addr.arpa
8.8.8.8:53

123.107.17.2.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

123.107.17.2.in-addr.arpa
8.8.8.8:53

209.205.72.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

209.205.72.20.in-addr.arpa
8.8.8.8:53

133.211.185.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

133.211.185.52.in-addr.arpa
8.8.8.8:53

183.59.114.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

183.59.114.20.in-addr.arpa
8.8.8.8:53

171.39.242.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

171.39.242.20.in-addr.arpa
8.8.8.8:53

205.47.74.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

205.47.74.20.in-addr.arpa
8.8.8.8:53

43.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

43.229.111.52.in-addr.arpa
8.8.8.8:53

79.190.18.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

79.190.18.2.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
173 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

200.197.79.204.in-addr.arpa

dns

73 B
106 B
1
1

DNS Request

200.197.79.204.in-addr.arpa

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
C:\Windows\SysWOW64\Casino_ext.exe

Filesize
607KB

MD5
4f8d69d9d73e6daff5c7a1a68045733d

SHA1
ef0f896641d2297571e41d14735f5dc7639404b7

SHA256
095e5da4831d6df5a65981ebafa744b04d14c88e7a9c5ec648df08e2eb2a205f

SHA512
3a4f66aee9c74dfcbff621db7cc74ea8a05f1b8693cc9e3a9189dd31a331658e9731b3501f9c0a6fce9fac97a08fbd7afca821523492a1a7d343f46a339e135d

Download Submit
C:\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
595KB

MD5
7d2938901a4436c0f4ba8f0cf33d979e

SHA1
455d06a20e719d8f91ed6cf1d544127800b836c0

SHA256
ab89ea1d431a704f274250ffd253b68300c752a2e4ac9e7b77a1bf533435f268

SHA512
fd7fc67852e8def01d34f6d278d96e77e34c05bf849d3a91b5f31b94c63f0fff5217390913a1781dd54eb8838570e4c41ae471255927410e28a8eeb36a2e209f

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
604KB

MD5
254791470186688e97aeb35d574b7463

SHA1
682fc7ba8024733008d4a153f0dd1560e19ab65d

SHA256
359baa4e1495f5dfc167c85779546fc5c486e81a312bbf5991350a819dab2b23

SHA512
70d401c30b486b6d336d05817c1d03fd2a4911c29095d26a5fe234ca4522077c29d21863e00b74f39c616968604377ec1180ad70d5b6624c82f4f8be06ec7ea2

Download Submit
memory/4596-8-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4920-7-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Response

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.