c2c5cff8f7311b8eb9d0bc9f6c9509d1ce1e51e897cbe1a7e77ce6395571e73b

Analysis

max time kernel
145s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
03-06-2024 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-03_935912c06997a8f013d146ae97a732d4_mafia.exe
Size

1.6MB
MD5

935912c06997a8f013d146ae97a732d4
SHA1

830839b068ae05008095192661f07d1da2327bd2
SHA256

c2c5cff8f7311b8eb9d0bc9f6c9509d1ce1e51e897cbe1a7e77ce6395571e73b
SHA512

52227a2a338418b3d7754a0f692a4f87e5bd542b452b06ae8a0626233eb6197058ec2c33fffc8113f454bcaff4ddbe9f36b58eecc6e3ebbfb4e5494d0ad1ec2c
SSDEEP

49152:uX7qjaLLPNssKbggn1m9XyEk/Ceygu1x/S5:uXeaa7bL1mAd/CzVQ

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2664	dgrn.exe
1360	tytghn.exe
1932	tytghn.exe
112	tytghn.exe
2936	tytghn.exe
2016	tytghn.exe

Loads dropped DLL 23 IoCs

pid	Process
1728	2024-06-03_935912c06997a8f013d146ae97a732d4_mafia.exe
2664	dgrn.exe
2664	dgrn.exe
2664	dgrn.exe
2664	dgrn.exe
2664	dgrn.exe
2664	dgrn.exe
2664	dgrn.exe
2664	dgrn.exe
2664	dgrn.exe
2664	dgrn.exe
872	WerFault.exe
872	WerFault.exe
872	WerFault.exe
872	WerFault.exe
1876	WerFault.exe
1876	WerFault.exe
1876	WerFault.exe
1876	WerFault.exe
2664	dgrn.exe
2664	dgrn.exe
2664	dgrn.exe
2664	dgrn.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 5 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{963B125B-8B21-49A2-A3A8-E37092276531}\ = "Update Timer"	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}\ = "script helper for ie"	dgrn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}\NoExplorer = "1"	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{963B125B-8B21-49A2-A3A8-E37092276531}	dgrn.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	tytghn.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\youtubegizm\uninstall.exe	dgrn.exe
File created	C:\Program Files (x86)\youtubegizm\terms.lnk.url	dgrn.exe
File created	C:\Program Files (x86)\youtubegizm\tdataprotocol.dll	dgrn.exe
File created	C:\Program Files (x86)\youtubegizm\logo.ico	dgrn.exe
File created	C:\Program Files (x86)\youtubegizm\updatebhoWin32.dll	dgrn.exe
File created	C:\Program Files (x86)\youtubegizm\updater.ini	dgrn.exe
File created	C:\Program Files (x86)\youtubegizm\jsloader.dll	dgrn.exe
File created	C:\Program Files (x86)\youtubegizm\toolbar.dll	dgrn.exe
File created	C:\Program Files (x86)\youtubegizm\widgetserv.exe	dgrn.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Tasks\youtubegizm Chrome Watcher.job	tytghn.exe
File created	C:\Windows\Tasks\youtubegizm Stats Report.job	tytghn.exe
File opened for modification	C:\Windows\Tasks\youtubegizm Update Checker.job	tytghn.exe
File created	C:\Windows\Tasks\youtubegizm Runner.job	tytghn.exe
File created	C:\Windows\Tasks\youtubegizm FireFox Watcher.job	tytghn.exe
File opened for modification	C:\Windows\Tasks\youtubegizm FireFox Watcher.job	tytghn.exe
File created	C:\Windows\Tasks\youtubegizm Update Checker.job	tytghn.exe
File opened for modification	C:\Windows\Tasks\youtubegizm Runner.job	tytghn.exe
File opened for modification	C:\Windows\Tasks\youtubegizm Stats Report.job	tytghn.exe
File created	C:\Windows\Tasks\youtubegizm Chrome Watcher.job	tytghn.exe
File opened for modification	C:\Windows\Tasks\youtubegizm Stats Report.job	tytghn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
872	1932	WerFault.exe	35
1876	112	WerFault.exe	37

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral1/files/0x00330000000134e6-3.dat	nsis_installer_1
behavioral1/files/0x00330000000134e6-3.dat	nsis_installer_2
behavioral1/files/0x00060000000193d2-244.dat	nsis_installer_1
behavioral1/files/0x00060000000193d2-244.dat	nsis_installer_2

Kills process with taskkill 1 IoCs

evasion

pid	Process
2352	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar	dgrn.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	tytghn.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	tytghn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\	tytghn.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Approved Extensions	tytghn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{963B125B-8B21-49A2-A3A8-E37092276531}	tytghn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\	tytghn.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Approved Extensions	tytghn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{963B125B-8B21-49A2-A3A8-E37092276531}	tytghn.exe

Modifies data under HKEY_USERS 19 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	tytghn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-a5-a2-dd-a4-f4\WpadDecision = "0"	tytghn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	tytghn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	tytghn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8658B825-23D2-4B4C-9ED0-991047320AEB}\WpadNetworkName = "Network 3"	tytghn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8658B825-23D2-4B4C-9ED0-991047320AEB}\ca-a5-a2-dd-a4-f4	tytghn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-a5-a2-dd-a4-f4\WpadDecisionTime = f0b73d6d52b5da01	tytghn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8658B825-23D2-4B4C-9ED0-991047320AEB}	tytghn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8658B825-23D2-4B4C-9ED0-991047320AEB}\WpadDecisionTime = f0b73d6d52b5da01	tytghn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	tytghn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	tytghn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0022000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	tytghn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8658B825-23D2-4B4C-9ED0-991047320AEB}\WpadDecisionReason = "1"	tytghn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8658B825-23D2-4B4C-9ED0-991047320AEB}\WpadDecision = "0"	tytghn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	tytghn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	tytghn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-a5-a2-dd-a4-f4\WpadDetectedUrl	tytghn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-a5-a2-dd-a4-f4	tytghn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-a5-a2-dd-a4-f4\WpadDecisionReason = "1"	tytghn.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}\ProgID	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\youtubegizm"	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9F0C17EB-EF2C-4278-9136-2D547656BC03}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tdataprotocol.CTData\CLSID	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wit4ie.WitBHO.2	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{963B125B-8B21-49A2-A3A8-E37092276531}\InprocServer32\ = "C:\\Program Files (x86)\\youtubegizm\\updatebhoWin32.dll"	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tdataprotocol.CTData.1\ = "CTData Class"	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{830B56CB-FD22-44AA-9887-7898F4F4158D}\1.0\FLAGS	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wit4ie.WitBHO.2\CLSID\ = "{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}"	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}\VersionIndependentProgID\ = "wit4ie.WitBHO"	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\updatebho.TimerBHO.1	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\chrome\CLSID = "{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}"	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{848B6490-7D35-4482-8C9F-C1350C53C5A5}\ = "IWitBHO"	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{963B125B-8B21-49A2-A3A8-E37092276531}\InprocServer32\ThreadingModel = "Apartment"	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tdataprotocol.CTData.1\CLSID\ = "{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}"	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{830B56CB-FD22-44AA-9887-7898F4F4158D}\1.0\FLAGS\ = "0"	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\updatebho.DLL\AppID = "{373ED12D-B306-43AC-9485-A7C5133DC34C}"	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}\InprocServer32\ = "C:\\Program Files (x86)\\youtubegizm\\tdataprotocol.dll"	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{848B6490-7D35-4482-8C9F-C1350C53C5A5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{373ED12D-B306-43AC-9485-A7C5133DC34C}\ = "updatebho"	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{963B125B-8B21-49A2-A3A8-E37092276531}\InprocServer32	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}\InprocServer32\ = "C:\\Program Files (x86)\\youtubegizm\\jsloader.dll"	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}\TypeLib\ = "{830B56CB-FD22-44AA-9887-7898F4F4158D}"	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\base64	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{830B56CB-FD22-44AA-9887-7898F4F4158D}\1.0\0\win32\ = "C:\\Program Files (x86)\\youtubegizm\\tdataprotocol.dll"	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\updatebho.TimerBHO	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}\ = "CTData Class"	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}\InprocServer32	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{963B125B-8B21-49A2-A3A8-E37092276531}\TypeLib\ = "{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}"	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}\1.0\ = "updatebho 1.0 Type Library"	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{830B56CB-FD22-44AA-9887-7898F4F4158D}\1.0\0	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}\ = "ygBHO Class"	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{373ED12D-B306-43AC-9485-A7C5133DC34C}	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9F0C17EB-EF2C-4278-9136-2D547656BC03}\TypeLib\Version = "1.0"	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tdataprotocol.CTData	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wit4ie.WitBHO\CLSID	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{848B6490-7D35-4482-8C9F-C1350C53C5A5}\TypeLib	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\updatebho.TimerBHO\CurVer	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{963B125B-8B21-49A2-A3A8-E37092276531}\ProgID	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{830B56CB-FD22-44AA-9887-7898F4F4158D}\1.0\0\win32	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{963B125B-8B21-49A2-A3A8-E37092276531}\VersionIndependentProgID\ = "updatebho.TimerBHO"	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}\1.0\FLAGS	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{848B6490-7D35-4482-8C9F-C1350C53C5A5}\ProxyStubClsid32	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{830B56CB-FD22-44AA-9887-7898F4F4158D}\1.0\ = "tdataprotocol 1.0 Type Library"	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}\1.0\0\win32\ = "C:\\Program Files (x86)\\youtubegizm\\updatebhoWin32.dll"	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}\VersionIndependentProgID\ = "tdataprotocol.CTData"	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{848B6490-7D35-4482-8C9F-C1350C53C5A5}\TypeLib\ = "{1FA44816-ECC1-4582-89C8-C8B043BA7656}"	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{963B125B-8B21-49A2-A3A8-E37092276531}\ProgID\ = "updatebho.TimerBHO.1"	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9F0C17EB-EF2C-4278-9136-2D547656BC03}\ProxyStubClsid32	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{848B6490-7D35-4482-8C9F-C1350C53C5A5}\TypeLib	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{20EDC024-43C5-423E-B7F5-FD93523E0D9F}\ = "wit4ie"	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FA44816-ECC1-4582-89C8-C8B043BA7656}\1.0\FLAGS	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{848B6490-7D35-4482-8C9F-C1350C53C5A5}\TypeLib\Version = "1.0"	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tdataprotocol.CTData\CurVer	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tdataprotocol.CTData\CurVer\ = "tdataprotocol.CTData.1"	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}\InprocServer32	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\chrome	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{830B56CB-FD22-44AA-9887-7898F4F4158D}\1.0\HELPDIR	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wit4ie.WitBHO\ = "ygBHO Class"	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FA44816-ECC1-4582-89C8-C8B043BA7656}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\youtubegizm"	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\updatebho.TimerBHO\ = "ytg timer"	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tdataprotocol.CTData.1\CLSID	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{963B125B-8B21-49A2-A3A8-E37092276531}	dgrn.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2664	dgrn.exe
2664	dgrn.exe
2664	dgrn.exe
2664	dgrn.exe
2664	dgrn.exe
2664	dgrn.exe
2664	dgrn.exe
2664	dgrn.exe
2664	dgrn.exe
2664	dgrn.exe
2664	dgrn.exe
2664	dgrn.exe
1360	tytghn.exe
1932	tytghn.exe
1932	tytghn.exe
112	tytghn.exe
112	tytghn.exe
2936	tytghn.exe
2016	tytghn.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2664	dgrn.exe
Token: SeDebugPrivilege	2352	taskkill.exe
Token: SeDebugPrivilege	2664	dgrn.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2664	1728	2024-06-03_935912c06997a8f013d146ae97a732d4_mafia.exe	29
PID 1728 wrote to memory of 2664	1728	2024-06-03_935912c06997a8f013d146ae97a732d4_mafia.exe	29
PID 1728 wrote to memory of 2664	1728	2024-06-03_935912c06997a8f013d146ae97a732d4_mafia.exe	29
PID 1728 wrote to memory of 2664	1728	2024-06-03_935912c06997a8f013d146ae97a732d4_mafia.exe	29
PID 2664 wrote to memory of 1360	2664	dgrn.exe	30
PID 2664 wrote to memory of 1360	2664	dgrn.exe	30
PID 2664 wrote to memory of 1360	2664	dgrn.exe	30
PID 2664 wrote to memory of 1360	2664	dgrn.exe	30
PID 1360 wrote to memory of 2352	1360	tytghn.exe	31
PID 1360 wrote to memory of 2352	1360	tytghn.exe	31
PID 1360 wrote to memory of 2352	1360	tytghn.exe	31
PID 1360 wrote to memory of 2352	1360	tytghn.exe	31
PID 2376 wrote to memory of 1932	2376	taskeng.exe	35
PID 2376 wrote to memory of 1932	2376	taskeng.exe	35
PID 2376 wrote to memory of 1932	2376	taskeng.exe	35
PID 2376 wrote to memory of 1932	2376	taskeng.exe	35
PID 1932 wrote to memory of 872	1932	tytghn.exe	36
PID 1932 wrote to memory of 872	1932	tytghn.exe	36
PID 1932 wrote to memory of 872	1932	tytghn.exe	36
PID 1932 wrote to memory of 872	1932	tytghn.exe	36
PID 2376 wrote to memory of 112	2376	taskeng.exe	37
PID 2376 wrote to memory of 112	2376	taskeng.exe	37
PID 2376 wrote to memory of 112	2376	taskeng.exe	37
PID 2376 wrote to memory of 112	2376	taskeng.exe	37
PID 112 wrote to memory of 1876	112	tytghn.exe	38
PID 112 wrote to memory of 1876	112	tytghn.exe	38
PID 112 wrote to memory of 1876	112	tytghn.exe	38
PID 112 wrote to memory of 1876	112	tytghn.exe	38
PID 2376 wrote to memory of 2936	2376	taskeng.exe	39
PID 2376 wrote to memory of 2936	2376	taskeng.exe	39
PID 2376 wrote to memory of 2936	2376	taskeng.exe	39
PID 2376 wrote to memory of 2936	2376	taskeng.exe	39
PID 2376 wrote to memory of 2016	2376	taskeng.exe	40
PID 2376 wrote to memory of 2016	2376	taskeng.exe	40
PID 2376 wrote to memory of 2016	2376	taskeng.exe	40
PID 2376 wrote to memory of 2016	2376	taskeng.exe	40

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\DisableAddonLoadTimePerformanceNotifications = "1"	tytghn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext	tytghn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\DisableAddonLoadTimePerformanceNotifications = "1"	tytghn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext	tytghn.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-03_935912c06997a8f013d146ae97a732d4_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-03_935912c06997a8f013d146ae97a732d4_mafia.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Users\Admin\AppData\Local\Temp\dgrn.exe
  "C:\Users\Admin\AppData\Local\Temp\dgrn.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\ProgramData\youtubegizm\tytghn.exe
    "C:\ProgramData\youtubegizm\tytghn.exe" /closebr=1 /InstallOn=7 /active=24 /update=24 /interval=2880 /pubId=10001 /affId=100112 /uId={F9543BD4-AD09-4FFA-9BEB-F66AC4E54C09} /version=1.0.0.5 /Override=false /Firstime=1 /IEhome=0 /IEsearch=0 /FFhome=0 /FFsearch=0 /CHhome=0 /CHsearch=0 /FFaddon=1 /CHaddon=1 /AutoSP=0 /regAppName=youtubegizm /txx=1 -regAppName=youtubegizm -txx=2
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1360
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /F /IM IExplore.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2352

C:\Windows\system32\taskeng.exe
taskeng.exe {9052A978-5316-4461-94F2-9013C08255D0} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2376
- C:\ProgramData\youtubegizm\tytghn.exe
  C:\ProgramData\youtubegizm\tytghn.exe /task=0 /closebr=1 /InstallOn=7 /active=24 /update=24 /interval=2880 /pubId=10001 /affId=100112 /uId={F9543BD4-AD09-4FFA-9BEB-F66AC4E54C09} /version=1.0.0.5 /Override=false /IEhome=0 /IEsearch=0 /FFhome=0 /FFsearch=0 /CHhome=0 /CHsearch=0 /FFaddon=1 /CHaddon=1 /AutoSP=0 /regAppName=youtubegizm /txx=1 -regAppName=youtubegizm -txx=2
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1932
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 356
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:872
- C:\ProgramData\youtubegizm\tytghn.exe
  C:\ProgramData\youtubegizm\tytghn.exe /task=1 /closebr=1 /InstallOn=7 /active=24 /update=24 /interval=2880 /pubId=10001 /affId=100112 /uId={F9543BD4-AD09-4FFA-9BEB-F66AC4E54C09} /version=1.0.0.5 /Override=false /IEhome=0 /IEsearch=0 /FFhome=0 /FFsearch=0 /CHhome=0 /CHsearch=0 /FFaddon=1 /CHaddon=1 /AutoSP=0 /regAppName=youtubegizm /txx=1 -regAppName=youtubegizm -txx=2
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:112
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 112 -s 364
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1876
- C:\ProgramData\youtubegizm\tytghn.exe
  C:\ProgramData\youtubegizm\tytghn.exe /task=2 /closebr=1 /InstallOn=7 /active=24 /update=24 /interval=2880 /pubId=10001 /affId=100112 /uId={F9543BD4-AD09-4FFA-9BEB-F66AC4E54C09} /version=1.0.0.5 /Override=false /IEhome=0 /IEsearch=0 /FFhome=0 /FFsearch=0 /CHhome=0 /CHsearch=0 /FFaddon=1 /CHaddon=1 /AutoSP=0 /regAppName=youtubegizm /txx=1 -regAppName=youtubegizm -txx=2
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2936
- C:\ProgramData\youtubegizm\tytghn.exe
  C:\ProgramData\youtubegizm\tytghn.exe /task=4 /closebr=1 /InstallOn=7 /active=24 /update=24 /interval=2880 /pubId=10001 /affId=100112 /uId={F9543BD4-AD09-4FFA-9BEB-F66AC4E54C09} /version=1.0.0.5 /Override=false /IEhome=0 /IEsearch=0 /FFhome=0 /FFsearch=0 /CHhome=0 /CHsearch=0 /FFaddon=1 /CHaddon=1 /AutoSP=0 /regAppName=youtubegizm /txx=1 -regAppName=youtubegizm -txx=2
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\youtubegizm\uninstall.exe

Filesize
62KB

MD5
e1d78645e28a354ba6befc0eeea3f9e6

SHA1
798b38664638bfbe2ef336eece6f0b07e7005383

SHA256
1136a88c7b3c8816eae66a34c5e6789252fd5e65607618d098683196e9abc44b

SHA512
491862a3443c9d0f86c7d68f07e47c4bb365a8d46aa0e705843fe298efa80ed20f3ed084bdcf2fef9effc5e194bc3fa83937281d203ec60fd87a1ecc8eb44a77

Download Submit
C:\ProgramData\youtubegizm\df-ch.crx

Filesize
124KB

MD5
823077becfad4167c3c335d3842661b9

SHA1
368217466bb9e026b03fa9a8da332fe39668ed8e

SHA256
2e29b5278d35428015c563f70b88cd1de1f02b1dd192ca3f362d736a38fb9e10

SHA512
616f4dc16c88f4fcf68262ee0e40af7b7541cf35d845260fe3b51e6e0657adeca9a6d59d376fff1becdf74d337833374e940383c471ae20ccc59426064ed880d

Download Submit
C:\ProgramData\youtubegizm\df-le.xpi

Filesize
92KB

MD5
3595a64e2463ea58d5cb42fc31d9a020

SHA1
377b61362b26d6cec6165d7dac6d13a3ac6b64e2

SHA256
a1f130f44517453e5181fcdc9b3b350b4afca06656d108acf66f3f0254208134

SHA512
cfd9b2cc085c953df88cb06ae18a4e4192a613ab9d1904ee9fef6a4c2cc60bb9e0dfa5005450d164377130659db55946dba146b146bc3ac4465cc91ceb425592

Download Submit
C:\ProgramData\youtubegizm\valuese.xml

Filesize
1KB

MD5
227bdc41ed630efdb2061daa15859b68

SHA1
bedb6860595d0ec863bff16ac71337082a58aec2

SHA256
8dfb5773f05bad3c36db328cd2a352791d92c83a94f629360f9ab6ca6c719e6c

SHA512
64c09d8d887943b8b59f2cce210a70158b0720421a10503c29e67f134bbd690ce05572980cd3f813e31801df5aeef4c5b6b9a2d2ec2efaacbbd4a0b2c1299028

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ox017b3g.Admin\extensions\[email protected]\chrome.manifest

Filesize
192B

MD5
71a85ce537dcec64640fb478067e24c3

SHA1
42337f22368a2cd7cfedeb929f26222f2b2b7ae3

SHA256
5010be714b986edeb59eabca51c1296dd9e67138b9d965e9859d5553670a0823

SHA512
8cd49e8d1971623dcf83cbcca200de2296d82596f6fb96840face985c24c6d0a5c67d88d9f47a1b48f66972f4907643c3d5af344f732bfda70199b746d1cac91

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ox017b3g.Admin\extensions\[email protected]\chrome\content\bubble.js

Filesize
1KB

MD5
e3cf4b651109156221e2072f83be5aa2

SHA1
be06675125c178e3ff2fd78cf57f3d643bec5cc4

SHA256
73cde6a7691f5155a6ea9f8076dda8d00c3c62764331be13ec3ec6053d0c9f84

SHA512
976007787974080f6b30763f61b63c6212b4ca2a234e4f6d52a529c154a8325e7619160f108641e39ae7b405cfe203a092cf4fcdb72252cfa61e8a9afaf93dce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ox017b3g.Admin\extensions\[email protected]\chrome\content\fix2.js

Filesize
20B

MD5
b5ce3889cdd24c2b2e9d540ba1aab48d

SHA1
30d6c76f244e7617c835b3769bfb1fd125e401f1

SHA256
03e704ae5142e05e367aaf51af30485eed881d0c5c581bea3b1752095e444cd0

SHA512
f5a4fb298b53017e212eb92859eb76b138255778cb3a44822e6d5c02791b9911be68bfc1f25eb90414f8adb5160086cae0c247278b1c288d7b0e3f75f21c3023

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ox017b3g.Admin\extensions\[email protected]\chrome\content\fix3.js

Filesize
20B

MD5
abdc04c0bb1bac8ee8962aa5e5fba9a8

SHA1
2689078d902bfa6d65483e26d122d0a30d2a6560

SHA256
3bb6e43e497c67e79fb3ac8520fbe07d6a43c9777c57be349a54caf9888ca482

SHA512
55fc2af28251c773c0def012f739e01a505867cdffb387d522f1c2fcabee4f2f8c33706c553b1ff5dc4a1dbee1bbf6926909dfb032ad813863ed2c773e0625cd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ox017b3g.Admin\extensions\[email protected]\chrome\content\fix4.js

Filesize
20B

MD5
4b95306cdc01a9023a3ca1e8c7fcdd61

SHA1
f518c9d20ec181229d35089f685a9588a5b19e7d

SHA256
be576aea3b146bfc77237c2cd65911e05b987c0fc74c588b9ab07ba19ad1067d

SHA512
4733f3eb0f7002b49b6d448ed5f22ed6c13234df46d81014a7ffd008dc77c51e86cc49d7c49c63d7941a0f54cea8693244af0f339d0a5a864ef5a9e8bf47fca8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ox017b3g.Admin\extensions\[email protected]\chrome\content\fix5.js

Filesize
20B

MD5
010d54d2fc0c7c7ae39324a6217030f2

SHA1
3d73cbe8cce886b2075b5cea17d136b344814992

SHA256
032f8af38f623f697712273292edb5268a0fa9eebd49f997450f97472794a751

SHA512
ae41156a78a60c472c27ebe5f45458836db8cf7850714f0ecf89414e12b21f0ec320ddc7d5a27db2aec5a6946dd7f436ff82f3d301998f8ae35eb8f979c6d59d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ox017b3g.Admin\extensions\[email protected]\chrome\content\icon.png

Filesize
1KB

MD5
55c528c592d50cd1a5ef11f2d7814b68

SHA1
d8a3bc30aed31f1198996862316fdfa4a2570027

SHA256
063dc7a4bbc0761c8eb703efa32e3be77dde5a271c48a3239efa43dcc1d9c113

SHA512
c09de16451648c92adcd54f1e44e62cb0cf77e3f56ca81464e3bed841da1d4324bfdae9038bf5b6f27aff2c39e48a4da52793a49145b7a6407707618a6ffbbb1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ox017b3g.Admin\extensions\[email protected]\chrome\content\jquery4toolbar.js

Filesize
92KB

MD5
432e6ce300e0604b682c612aa0de1c82

SHA1
c559ab91e420bdca977c4c4c3f7f5e8564a78fb2

SHA256
6dc68cfa752a170706a347a81ccb8fd5fadf8ff5837823eb9fd5486a6882e65a

SHA512
9a463a5a884c562cfea0afc2f9a22eca258f06c6a8ea79cf4e9612079906c5c44edd50b490c067d1f8456cb1a596636a28ac51e66a10a479302bad752c3b8dc2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ox017b3g.Admin\extensions\[email protected]\chrome\content\lock.js

Filesize
27B

MD5
02469e8f69f26729bf7373aaf83e7687

SHA1
cee5b53a1b7f93986b9d336ea43e640da532eba6

SHA256
86b85ba075a4af0c0ba4496484f0dd335e4abcb6782495dd0fb936bcf26b5c4f

SHA512
45b75dd965ac95768aaed7bf7ac6e5317bd5ebbfdfde4920930e8258529b25979c0f335f335053538ad0d3940203694f8cde2dc71b57e0ad60adad65f5d763ec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ox017b3g.Admin\extensions\[email protected]\chrome\content\style.xul

Filesize
812B

MD5
668dec8a49b6dc8575acc0e34ecd4284

SHA1
9fa09a256602a30dec25e2bb83e5ab8a1ec0bafe

SHA256
022636895ac1faa46a586e7e03e1c9d74b1ee78d48d622f95938800a02b71965

SHA512
94217e798b4258960949265d3ec7f4ba4dc4fb3c6a00fbe952975ba408bcd248e1b7e85f517ed67cee5d3d56cd110c2005d875f6b910e2e4f69bd58706a227ed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ox017b3g.Admin\extensions\[email protected]\chrome\content\witmain.js

Filesize
949B

MD5
4e356ed12d6a722c377b5cf30fe1f5ef

SHA1
e1fc58f2f168d12a65e0516efe82cff57237685f

SHA256
9f8baf29d62b8a37159f36e9f9640933b2b66e2a7799caefe7209ebe387ec6a4

SHA512
64df71a519406086e3b9e69a2a4ba98ea79d542414cefdd99adfc589074054b9c88ca5697c0349909628f2868ab2c21b5b256e678de2da6c2574ea6d2644df24

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ox017b3g.Admin\extensions\[email protected]\chrome\content\wittoolbar.js

Filesize
2KB

MD5
cda5b2727e277b095e1c802930ab9a78

SHA1
16898837afad35f9ea3cdb203b3881a1f1cc14b0

SHA256
1f4f851573263382105e35dc1c32014357ea8a5d48a2d3f97e568393ac17307f

SHA512
353175636f3ae56ae97f0587c4f8b819e2ae290594982bbd2a514fe7f702570b506b9d774a7627de57f9c480f80d54a4c48f845330a7a1008fb03edb55f1bf3b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ox017b3g.Admin\extensions\[email protected]\install.rdf

Filesize
737B

MD5
b61f9abf919fd934d57d4e28a0ecb0a6

SHA1
71a8c728bd7e1b743d1f41d40a500a0548f5784a

SHA256
3d0f2f6c748c73a97df11aad61aa63390bb799990357ebd16a3cc93536b383c9

SHA512
ddfba27925f3f8f460e08c14bee135171dd33597555522f8da278a51a4256d1d0d2469aa42021410635654547741102248c68160920ba12c2b570b892ad107a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ox017b3g.default-release\extensions\[email protected]\chrome\content\bubble.xul

Filesize
490B

MD5
75743b09194736b8fc79a6dd65db177d

SHA1
dbf38a26e0597697d0c6aad15e2515c398753e16

SHA256
f8ad9265fd61883ed00c3907f0f14478c8947b1ebaf1e34196efb5153cf040d6

SHA512
d151f8e97a213a59d3c41206c1aa606f179030c4ce1a24c5fb8aca17b7b783b46a9e1dc682366a3ddabe450d38b7b40cc714e23e0fced4e2a35b02ed20e1d30f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ox017b3g.default-release\extensions\[email protected]\chrome\content\jquery4toolbar.js_126

Filesize
167KB

MD5
224c257265b43f4b4e5ebe21e7575dbe

SHA1
4a7990cfea863655aca06e4c7ee708a0641d4e35

SHA256
a63ca336dd561218555d730194dae3b778212d41bc3c164232f5cf627702f90a

SHA512
9559e1c7db6402b2803d953ddadf49195785a642cd9849d8caf3333ee829d6a9e3ee3037234b83a8a2d4fd35eaec346bf313f22874a33d6bf5690fe1ec52cdec

Download Submit
C:\Windows\Tasks\youtubegizm Chrome Watcher.job

Filesize
1012B

MD5
cda413c90d1727f2acc10f9e23e4826c

SHA1
56c134c0a5cdfdd912f8e9255b2b1dfc4d477c12

SHA256
b7ed708e2ca9e7ec02db8dbaa9ebbfd525246735582ac3ed251c362a52896992

SHA512
1ecc03a4aabc4f2c4808b9e042458deda73e5322852620f721c447e6995c1ec7afab56c07170b4dfb56d365fa218bcdb8eb73743bfd1c8c6fc940ce3fda1b577

Download Submit
\Program Files (x86)\youtubegizm\toolbar.dll

Filesize
119KB

MD5
a4efaf7a21baac166810f9790f0c693d

SHA1
eebca444b31d79ad37aec6076ba487942b5df0ea

SHA256
a85bfacf0d2c2d5a6a4b62720a69e1e8fe0347653cf914fe82bb9c74d73bd3b1

SHA512
32ff2899e917c9ae3e959f1183967711067e30dfd5a2f90ab0f33f524710f137561a69c7c3d265336829b1cfe401809906acbfbc7d03dbcd1046ac517b134f40

Download Submit
\ProgramData\youtubegizm\tytghn.exe

Filesize
620KB

MD5
6848f0a5a9c58289b025087529aa9b1a

SHA1
8440fa83eab244b3fe75fcdfc60772fdfacde455

SHA256
8142a98010153dedd3d39edffba0f54c64245c90a9489b60d05063a571f54570

SHA512
08ae416e2d16e2c607eac092c28d39514c08a8602642e690ea73b754cdd98e6f7b1de77e8bb0eb8e8a5f8eac5d4745077e98e650f45be2a1b5aeb352dae21dae

Download Submit
\Users\Admin\AppData\Local\Temp\dgrn.exe

Filesize
1.1MB

MD5
8c1dac7cbdb70e56c51c9fbba6344eac

SHA1
87db5b38a4674cad776a9ec5f519caa39237a7d6

SHA256
39a84e4d70d4bffe2be3f845a9a0af28a9f0994abdc4150dd83be2795311e632

SHA512
fbf16ae42c904831bbf510f6696cdfdcb903a168f465f0ac667aa9c99c8ba527a18f709c1bb92ceefd4ea895dbb2938735f8fdbd5faca0d993caf8fbe14e6e8a

Download Submit
\Users\Admin\AppData\Local\Temp\nsy1CC5.tmp\InstallerUtils.dll

Filesize
161KB

MD5
35404188c755b622da09b6763fbbc67f

SHA1
2cc1aa24fc19523715abe49decd1a3d2903256f5

SHA256
6f529be86277ab86bde17438b8ea5234a5524efdc840e194ed358740ef8b8a09

SHA512
33e480071e7453d3b63cc76b7f49c42f7ce6cf71fe1736d1e0f8b55e17d16725c76a81bab81e55c449103c40859963e20de2b4fd3542453fdc817af773aaa7fc

Download Submit
\Users\Admin\AppData\Local\Temp\nsy1CC5.tmp\KillProcDLL.dll

Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
\Users\Admin\AppData\Local\Temp\nsy1CC5.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
memory/1728-0-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2664-67-0x0000000003D70000-0x0000000003D93000-memory.dmp

Filesize
140KB

Download