Malware Analysis Report

2025-08-05 15:44

Sample ID 240525-bjk9kshb8x
Target 99b1768180e2fb86c530c5e318db1cfee08be67f3d56f1dbb65d844341c1dc17
SHA256 99b1768180e2fb86c530c5e318db1cfee08be67f3d56f1dbb65d844341c1dc17
Tags
score
10/10

Analysis Overview

score
10/10

SHA256

99b1768180e2fb86c530c5e318db1cfee08be67f3d56f1dbb65d844341c1dc17

Threat Level: Known bad

The file 99b1768180e2fb86c530c5e318db1cfee08be67f3d56f1dbb65d844341c1dc17 was found to be: Known bad.

Malicious Activity Summary


Detects executables packed with ASPack

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Drops file in Program Files directory

Program crash

Unsigned PE

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-25 01:10

Signatures

Detects executables packed with ASPack

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-25 01:10

Reported

2024-05-25 01:13

Platform

win7-20240221-en

Max time kernel

150s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\99b1768180e2fb86c530c5e318db1cfee08be67f3d56f1dbb65d844341c1dc17.exe"

Signatures

Detects executables packed with ASPack

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\casino_extensions.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\casino_extensions.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe N/A
File opened for modification C:\Windows\SysWOW64\casino_extensions.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe N/A
File created C:\Windows\SysWOW64\LiveMessageCenter.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe N/A
File opened for modification C:\Windows\SysWOW64\LiveMessageCenter.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe N/A
File opened for modification C:\Windows\SysWOW64\LiveMessageCenter.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe N/A
File created C:\Windows\SysWOW64\casino_extensions.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe N/A
File created C:\Program Files (x86)\Internet Explorer\$$202803s.bat C:\Program Files (x86)\Internet Explorer\casino_extensions.exe N/A
File created C:\Program Files (x86)\Internet Explorer\$$202803s.bat C:\Program Files (x86)\Internet Explorer\casino_extensions.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\99b1768180e2fb86c530c5e318db1cfee08be67f3d56f1dbb65d844341c1dc17.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2756 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\99b1768180e2fb86c530c5e318db1cfee08be67f3d56f1dbb65d844341c1dc17.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 2756 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\99b1768180e2fb86c530c5e318db1cfee08be67f3d56f1dbb65d844341c1dc17.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 2756 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\99b1768180e2fb86c530c5e318db1cfee08be67f3d56f1dbb65d844341c1dc17.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 2756 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\99b1768180e2fb86c530c5e318db1cfee08be67f3d56f1dbb65d844341c1dc17.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 2076 wrote to memory of 1708 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe
PID 2076 wrote to memory of 1708 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe
PID 2076 wrote to memory of 1708 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe
PID 2076 wrote to memory of 1708 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe
PID 1708 wrote to memory of 2620 N/A C:\Windows\SysWOW64\casino_extensions.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 1708 wrote to memory of 2620 N/A C:\Windows\SysWOW64\casino_extensions.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 1708 wrote to memory of 2620 N/A C:\Windows\SysWOW64\casino_extensions.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 1708 wrote to memory of 2620 N/A C:\Windows\SysWOW64\casino_extensions.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 2620 wrote to memory of 2536 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 2536 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 2536 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 2536 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\cmd.exe
PID 2076 wrote to memory of 2648 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\WerFault.exe
PID 2076 wrote to memory of 2648 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\WerFault.exe
PID 2076 wrote to memory of 2648 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\WerFault.exe
PID 2076 wrote to memory of 2648 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\99b1768180e2fb86c530c5e318db1cfee08be67f3d56f1dbb65d844341c1dc17.exe

"C:\Users\Admin\AppData\Local\Temp\99b1768180e2fb86c530c5e318db1cfee08be67f3d56f1dbb65d844341c1dc17.exe"

C:\Program Files (x86)\Internet Explorer\casino_extensions.exe

"C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"

C:\Windows\SysWOW64\casino_extensions.exe

C:\Windows\system32\casino_extensions.exe

C:\Program Files (x86)\Internet Explorer\casino_extensions.exe

"C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c $$2028~1.BAT

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 236

Network

N/A

Files

\Windows\SysWOW64\casino_extensions.exe

MD5 04ca26dd1d4c47f762472821939ce72b
SHA1 6f2a9d11a61b584001f83b584287928c10fc133f
SHA256 5a40580bbb3a3812523c0bd08dc5035deca878992b8b1b7e585f897a9ba9d15a
SHA512 d237225187ea608fa7c8d14222512fd2c7b190fcea89882bc5bb1476b041feb885c0d1fb437803ad8b88d2363591c322bb2be2ab6dee2d3c947bf2ff22a1e5ee

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

MD5 4777bf695815d870d27ed4a38a8f0840
SHA1 565412b5182bca7a221448dba78369c42d1c4a0c
SHA256 c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d
SHA512 87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

C:\Windows\SysWOW64\LiveMessageCenter.exe

MD5 b5f50169d28bad7fcf9933e501073a3a
SHA1 694839ad32c783cae3b9c3bb348f2119e51b7af2
SHA256 723e8dd5cff6f58f118a4ccd240289ce51baf6df9e09bf76182a776694bef106
SHA512 a1719068603a7fa57149c48257eaf2a16659c44e4b9e2b6be349d006189af1e74a400145a95cf94834f0d761024fdc1c64e9d80ed0ec53392fc1f5a6a3a45231

memory/2756-23-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2756-26-0x0000000000400000-0x0000000000424000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-25 01:10

Reported

2024-05-25 01:13

Platform

win10v2004-20240508-en

Max time kernel

132s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\99b1768180e2fb86c530c5e318db1cfee08be67f3d56f1dbb65d844341c1dc17.exe"

Signatures

Detects executables packed with ASPack

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\casino_extensions.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe N/A
File opened for modification C:\Windows\SysWOW64\casino_extensions.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe N/A
File opened for modification C:\Windows\SysWOW64\LiveMessageCenter.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe N/A
File opened for modification C:\Windows\SysWOW64\casino_extensions.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe N/A
File opened for modification C:\Windows\SysWOW64\LiveMessageCenter.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe N/A
File created C:\Windows\SysWOW64\casino_extensions.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe N/A
File opened for modification C:\Windows\SysWOW64\casino_extensions.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe N/A
File opened for modification C:\Windows\SysWOW64\casino_extensions.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe N/A
File created C:\Windows\SysWOW64\LiveMessageCenter.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe N/A
File opened for modification C:\Windows\SysWOW64\casino_extensions.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\LiveMessageCenter.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe N/A
File created C:\Program Files (x86)\Internet Explorer\$$202803s.bat C:\Program Files (x86)\Internet Explorer\casino_extensions.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\99b1768180e2fb86c530c5e318db1cfee08be67f3d56f1dbb65d844341c1dc17.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2876 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\99b1768180e2fb86c530c5e318db1cfee08be67f3d56f1dbb65d844341c1dc17.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 2876 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\99b1768180e2fb86c530c5e318db1cfee08be67f3d56f1dbb65d844341c1dc17.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 2876 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\99b1768180e2fb86c530c5e318db1cfee08be67f3d56f1dbb65d844341c1dc17.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 2600 wrote to memory of 1312 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe
PID 2600 wrote to memory of 1312 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe
PID 2600 wrote to memory of 1312 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe
PID 1312 wrote to memory of 2320 N/A C:\Windows\SysWOW64\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe
PID 1312 wrote to memory of 2320 N/A C:\Windows\SysWOW64\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe
PID 1312 wrote to memory of 2320 N/A C:\Windows\SysWOW64\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe
PID 2320 wrote to memory of 1516 N/A C:\Windows\SysWOW64\Casino_ext.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 2320 wrote to memory of 1516 N/A C:\Windows\SysWOW64\Casino_ext.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 2320 wrote to memory of 1516 N/A C:\Windows\SysWOW64\Casino_ext.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 1516 wrote to memory of 4936 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe
PID 1516 wrote to memory of 4936 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe
PID 1516 wrote to memory of 4936 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe
PID 4936 wrote to memory of 4968 N/A C:\Windows\SysWOW64\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe
PID 4936 wrote to memory of 4968 N/A C:\Windows\SysWOW64\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe
PID 4936 wrote to memory of 4968 N/A C:\Windows\SysWOW64\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe
PID 4968 wrote to memory of 4784 N/A C:\Windows\SysWOW64\Casino_ext.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 4968 wrote to memory of 4784 N/A C:\Windows\SysWOW64\Casino_ext.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 4968 wrote to memory of 4784 N/A C:\Windows\SysWOW64\Casino_ext.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 4784 wrote to memory of 1964 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\LiveMessageCenter.exe
PID 4784 wrote to memory of 1964 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\LiveMessageCenter.exe
PID 4784 wrote to memory of 1964 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\LiveMessageCenter.exe
PID 1964 wrote to memory of 2860 N/A C:\Windows\SysWOW64\LiveMessageCenter.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 1964 wrote to memory of 2860 N/A C:\Windows\SysWOW64\LiveMessageCenter.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 1964 wrote to memory of 2860 N/A C:\Windows\SysWOW64\LiveMessageCenter.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 2860 wrote to memory of 2420 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe
PID 2860 wrote to memory of 2420 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe
PID 2860 wrote to memory of 2420 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\casino_extensions.exe
PID 2420 wrote to memory of 5056 N/A C:\Windows\SysWOW64\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe
PID 2420 wrote to memory of 5056 N/A C:\Windows\SysWOW64\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe
PID 2420 wrote to memory of 5056 N/A C:\Windows\SysWOW64\casino_extensions.exe C:\Windows\SysWOW64\Casino_ext.exe
PID 5056 wrote to memory of 1392 N/A C:\Windows\SysWOW64\Casino_ext.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 5056 wrote to memory of 1392 N/A C:\Windows\SysWOW64\Casino_ext.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 5056 wrote to memory of 1392 N/A C:\Windows\SysWOW64\Casino_ext.exe C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
PID 1392 wrote to memory of 3700 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\cmd.exe
PID 1392 wrote to memory of 3700 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\cmd.exe
PID 1392 wrote to memory of 3700 N/A C:\Program Files (x86)\Internet Explorer\casino_extensions.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\99b1768180e2fb86c530c5e318db1cfee08be67f3d56f1dbb65d844341c1dc17.exe

"C:\Users\Admin\AppData\Local\Temp\99b1768180e2fb86c530c5e318db1cfee08be67f3d56f1dbb65d844341c1dc17.exe"

C:\Program Files (x86)\Internet Explorer\casino_extensions.exe

"C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"

C:\Windows\SysWOW64\casino_extensions.exe

C:\Windows\system32\casino_extensions.exe

C:\Windows\SysWOW64\Casino_ext.exe

C:\Windows\SysWOW64\Casino_ext.exe

C:\Program Files (x86)\Internet Explorer\casino_extensions.exe

"C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"

C:\Windows\SysWOW64\casino_extensions.exe

C:\Windows\system32\casino_extensions.exe

C:\Windows\SysWOW64\Casino_ext.exe

C:\Windows\SysWOW64\Casino_ext.exe

C:\Program Files (x86)\Internet Explorer\casino_extensions.exe

"C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"

C:\Windows\SysWOW64\LiveMessageCenter.exe

C:\Windows\system32\LiveMessageCenter.exe /part2

C:\Program Files (x86)\Internet Explorer\casino_extensions.exe

"C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"

C:\Windows\SysWOW64\casino_extensions.exe

C:\Windows\system32\casino_extensions.exe

C:\Windows\SysWOW64\Casino_ext.exe

C:\Windows\SysWOW64\Casino_ext.exe

C:\Program Files (x86)\Internet Explorer\casino_extensions.exe

"C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c $$2028~1.BAT

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

C:\Windows\SysWOW64\casino_extensions.exe

MD5 9ac2e818814ab94f01c4930469bf7132
SHA1 9e53a54502809d1b1b5082e10c6318d76d3262a1
SHA256 5a298b06e0f2f85f770c4a96a6c69a7e0d200eb555455440e2db7a6526381694
SHA512 2094741ba1c3e6c29003869815d8b47fee3a7b61cb1576b1b532d0605e2a9471f3996252f1d56a17333190d90f535db57795191a8766f961ec712ee90842c6cd

memory/1312-8-0x0000000000400000-0x0000000000424000-memory.dmp

C:\Windows\SysWOW64\casino_extensions.exe

MD5 0eeb1c5835c01712d6b08260aec5d3df
SHA1 19d98b74138bc55671a438eb6c6d817ebd150342
SHA256 49ac766c057f4e19fc404bdd56ffadf7e230463e5a61f9e4c5a435692534436c
SHA512 1782166620f1d584c0bda10470794e4411fb7cfdf47e8e0b2b169046e5d835389629ee8c1f433d19964c2993428ed2dfd726418e2606195daf621f68685cc5c2

C:\Windows\SysWOW64\LiveMessageCenter.exe

MD5 0aef1c727cb8ab33963b1a3e2575723a
SHA1 31d82d43781322b9454e6c8cc9d264bb77b3101c
SHA256 bdbe5bc6d6b59bb3f97e2840f6e6d198e907335f2992461dad49b9db34c6d588
SHA512 e1d5c72b4e4df724d5ecdff75dd590022f607c181fd02974fc157715bfa275b80988fbf50ae6d567814b68a2340ad0330db6cab10fdeda6d1fc9c61b3cad743f

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

MD5 4777bf695815d870d27ed4a38a8f0840
SHA1 565412b5182bca7a221448dba78369c42d1c4a0c
SHA256 c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d
SHA512 87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

memory/2876-7-0x0000000000400000-0x0000000000424000-memory.dmp