c2c5cff8f7311b8eb9d0bc9f6c9509d1ce1e51e897cbe1a7e77ce6395571e73b

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-03_935912c06997a8f013d146ae97a732d4_mafia.exe
Size

1.6MB
MD5

935912c06997a8f013d146ae97a732d4
SHA1

830839b068ae05008095192661f07d1da2327bd2
SHA256

c2c5cff8f7311b8eb9d0bc9f6c9509d1ce1e51e897cbe1a7e77ce6395571e73b
SHA512

52227a2a338418b3d7754a0f692a4f87e5bd542b452b06ae8a0626233eb6197058ec2c33fffc8113f454bcaff4ddbe9f36b58eecc6e3ebbfb4e5494d0ad1ec2c
SSDEEP

49152:uX7qjaLLPNssKbggn1m9XyEk/Ceygu1x/S5:uXeaa7bL1mAd/CzVQ

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2024-06-03_935912c06997a8f013d146ae97a732d4_mafia.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	tytghn.exe

Executes dropped EXE 6 IoCs

pid	Process
624	dgrn.exe
4296	tytghn.exe
1120	tytghn.exe
2916	tytghn.exe
5012	tytghn.exe
964	tytghn.exe

Loads dropped DLL 14 IoCs

pid	Process
624	dgrn.exe
624	dgrn.exe
624	dgrn.exe
624	dgrn.exe
624	dgrn.exe
624	dgrn.exe
624	dgrn.exe
624	dgrn.exe
624	dgrn.exe
624	dgrn.exe
624	dgrn.exe
624	dgrn.exe
624	dgrn.exe
624	dgrn.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 5 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}\ = "script helper for ie"	dgrn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}\NoExplorer = "1"	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{963B125B-8B21-49A2-A3A8-E37092276531}	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{963B125B-8B21-49A2-A3A8-E37092276531}\ = "Update Timer"	dgrn.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\youtubegizm\updatebhoWin32.dll	dgrn.exe
File created	C:\Program Files (x86)\youtubegizm\jsloader.dll	dgrn.exe
File created	C:\Program Files (x86)\youtubegizm\toolbar.dll	dgrn.exe
File created	C:\Program Files (x86)\youtubegizm\logo.ico	dgrn.exe
File created	C:\Program Files (x86)\youtubegizm\updater.ini	dgrn.exe
File created	C:\Program Files (x86)\youtubegizm\uninstall.exe	dgrn.exe
File created	C:\Program Files (x86)\youtubegizm\terms.lnk.url	dgrn.exe
File created	C:\Program Files (x86)\youtubegizm\tdataprotocol.dll	dgrn.exe
File created	C:\Program Files (x86)\youtubegizm\widgetserv.exe	dgrn.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\youtubegizm FireFox Watcher.job	tytghn.exe
File opened for modification	C:\Windows\Tasks\youtubegizm Chrome Watcher.job	tytghn.exe
File created	C:\Windows\Tasks\youtubegizm Stats Report.job	tytghn.exe
File created	C:\Windows\Tasks\youtubegizm Update Checker.job	tytghn.exe
File created	C:\Windows\Tasks\youtubegizm Runner.job	tytghn.exe
File opened for modification	C:\Windows\Tasks\youtubegizm FireFox Watcher.job	tytghn.exe
File created	C:\Windows\Tasks\youtubegizm Chrome Watcher.job	tytghn.exe
File opened for modification	C:\Windows\Tasks\youtubegizm Stats Report.job	tytghn.exe
File opened for modification	C:\Windows\Tasks\youtubegizm Stats Report.job	tytghn.exe
File opened for modification	C:\Windows\Tasks\youtubegizm Update Checker.job	tytghn.exe
File opened for modification	C:\Windows\Tasks\youtubegizm Runner.job	tytghn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x0008000000023255-5.dat	nsis_installer_1
behavioral2/files/0x0008000000023255-5.dat	nsis_installer_2

Kills process with taskkill 1 IoCs

evasion

pid	Process
3816	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar	dgrn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{963B125B-8B21-49A2-A3A8-E37092276531}	tytghn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\	tytghn.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Approved Extensions	tytghn.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	tytghn.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Approved Extensions	tytghn.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	tytghn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{963B125B-8B21-49A2-A3A8-E37092276531}	tytghn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\	tytghn.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wit4ie.WitBHO.2\CLSID\ = "{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}"	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wit4ie.WitBHO\CLSID	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}\InprocServer32	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{848B6490-7D35-4482-8C9F-C1350C53C5A5}\ProxyStubClsid32	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9F0C17EB-EF2C-4278-9136-2D547656BC03}\TypeLib\Version = "1.0"	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9F0C17EB-EF2C-4278-9136-2D547656BC03}	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\wit4ie.DLL\AppID = "{20EDC024-43C5-423E-B7F5-FD93523E0D9F}"	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{830B56CB-FD22-44AA-9887-7898F4F4158D}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\youtubegizm"	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{20EDC024-43C5-423E-B7F5-FD93523E0D9F}	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}\VersionIndependentProgID\ = "wit4ie.WitBHO"	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FA44816-ECC1-4582-89C8-C8B043BA7656}\1.0\0\win32	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{848B6490-7D35-4482-8C9F-C1350C53C5A5}	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{373ED12D-B306-43AC-9485-A7C5133DC34C}\ = "updatebho"	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\updatebho.TimerBHO\CLSID\ = "{963B125B-8B21-49A2-A3A8-E37092276531}"	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tdataprotocol.CTData\CurVer	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}\1.0\0\win32	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{20EDC024-43C5-423E-B7F5-FD93523E0D9F}\ = "wit4ie"	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\updatebho.TimerBHO\CLSID	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{963B125B-8B21-49A2-A3A8-E37092276531}\InprocServer32	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{963B125B-8B21-49A2-A3A8-E37092276531}\InprocServer32\ = "C:\\Program Files (x86)\\youtubegizm\\updatebhoWin32.dll"	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}\1.0\0	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9F0C17EB-EF2C-4278-9136-2D547656BC03}\TypeLib	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9F0C17EB-EF2C-4278-9136-2D547656BC03}\TypeLib\ = "{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}"	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tdataprotocol.CTData.1\CLSID	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wit4ie.WitBHO\CurVer	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}\1.0\FLAGS\ = "0"	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}\VersionIndependentProgID	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wit4ie.WitBHO.2\CLSID	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{848B6490-7D35-4482-8C9F-C1350C53C5A5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{848B6490-7D35-4482-8C9F-C1350C53C5A5}	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{963B125B-8B21-49A2-A3A8-E37092276531}\ProgID\ = "updatebho.TimerBHO.1"	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wit4ie.WitBHO.2\ = "ygBHO Class"	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wit4ie.WitBHO\ = "ygBHO Class"	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}\ = "ygBHO Class"	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{848B6490-7D35-4482-8C9F-C1350C53C5A5}\TypeLib	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\prox	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}\InprocServer32\ThreadingModel = "Apartment"	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FA44816-ECC1-4582-89C8-C8B043BA7656}\1.0\0\win32\ = "C:\\Program Files (x86)\\youtubegizm\\jsloader.dll"	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\updatebho.TimerBHO.1	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{963B125B-8B21-49A2-A3A8-E37092276531}\ = "ytg timer"	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}\ProgID\ = "tdataprotocol.CTData.1"	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}\1.0\HELPDIR	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\chrome	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\youtubegizm"	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\updatebho.TimerBHO	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{848B6490-7D35-4482-8C9F-C1350C53C5A5}\ProxyStubClsid32	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9F0C17EB-EF2C-4278-9136-2D547656BC03}	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{ED6535E7-F778-48A5-A060-549D30024511}\ = "tdataprotocol"	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}\InprocServer32	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{830B56CB-FD22-44AA-9887-7898F4F4158D}\1.0\FLAGS\ = "0"	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{830B56CB-FD22-44AA-9887-7898F4F4158D}\1.0\0	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{830B56CB-FD22-44AA-9887-7898F4F4158D}\1.0\0\win32\ = "C:\\Program Files (x86)\\youtubegizm\\tdataprotocol.dll"	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FA44816-ECC1-4582-89C8-C8B043BA7656}\1.0\ = "wit4ie 2.0 Type Library"	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\updatebho.DLL\AppID = "{373ED12D-B306-43AC-9485-A7C5133DC34C}"	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tdataprotocol.CTData\ = "CTData Class"	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\prox\CLSID = "{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}"	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wit4ie.WitBHO	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FA44816-ECC1-4582-89C8-C8B043BA7656}\1.0\FLAGS\ = "0"	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{848B6490-7D35-4482-8C9F-C1350C53C5A5}\TypeLib\ = "{1FA44816-ECC1-4582-89C8-C8B043BA7656}"	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tdataprotocol.CTData\CurVer\ = "tdataprotocol.CTData.1"	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}\VersionIndependentProgID	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}\1.0\0\win32\ = "C:\\Program Files (x86)\\youtubegizm\\updatebhoWin32.dll"	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9F0C17EB-EF2C-4278-9136-2D547656BC03}\ = "ITimerBHO"	dgrn.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
624	dgrn.exe
624	dgrn.exe
624	dgrn.exe
624	dgrn.exe
624	dgrn.exe
624	dgrn.exe
624	dgrn.exe
624	dgrn.exe
624	dgrn.exe
624	dgrn.exe
624	dgrn.exe
624	dgrn.exe
4296	tytghn.exe
4296	tytghn.exe
4296	tytghn.exe
4296	tytghn.exe
1120	tytghn.exe
1120	tytghn.exe
1120	tytghn.exe
1120	tytghn.exe
2916	tytghn.exe
2916	tytghn.exe
2916	tytghn.exe
2916	tytghn.exe
5012	tytghn.exe
5012	tytghn.exe
964	tytghn.exe
964	tytghn.exe
2916	tytghn.exe
2916	tytghn.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	624	dgrn.exe
Token: SeDebugPrivilege	3816	taskkill.exe
Token: SeDebugPrivilege	624	dgrn.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 624	2384	2024-06-03_935912c06997a8f013d146ae97a732d4_mafia.exe	92
PID 2384 wrote to memory of 624	2384	2024-06-03_935912c06997a8f013d146ae97a732d4_mafia.exe	92
PID 2384 wrote to memory of 624	2384	2024-06-03_935912c06997a8f013d146ae97a732d4_mafia.exe	92
PID 624 wrote to memory of 4296	624	dgrn.exe	94
PID 624 wrote to memory of 4296	624	dgrn.exe	94
PID 624 wrote to memory of 4296	624	dgrn.exe	94
PID 4296 wrote to memory of 3816	4296	tytghn.exe	96
PID 4296 wrote to memory of 3816	4296	tytghn.exe	96
PID 4296 wrote to memory of 3816	4296	tytghn.exe	96

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext	tytghn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\DisableAddonLoadTimePerformanceNotifications = "1"	tytghn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext	tytghn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\DisableAddonLoadTimePerformanceNotifications = "1"	tytghn.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-03_935912c06997a8f013d146ae97a732d4_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-03_935912c06997a8f013d146ae97a732d4_mafia.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Users\Admin\AppData\Local\Temp\dgrn.exe
  "C:\Users\Admin\AppData\Local\Temp\dgrn.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:624
- - C:\ProgramData\youtubegizm\tytghn.exe
    "C:\ProgramData\youtubegizm\tytghn.exe" /closebr=1 /InstallOn=7 /active=24 /update=24 /interval=2880 /pubId=10001 /affId=100112 /uId={DF6B516B-78A8-4FFA-8130-9593E2949416} /version=1.0.0.5 /Override=false /Firstime=1 /IEhome=0 /IEsearch=0 /FFhome=0 /FFsearch=0 /CHhome=0 /CHsearch=0 /FFaddon=1 /CHaddon=1 /AutoSP=0 /regAppName=youtubegizm /txx=1 -regAppName=youtubegizm -txx=2
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4296
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /F /IM IExplore.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3816

C:\ProgramData\youtubegizm\tytghn.exe
C:\ProgramData\youtubegizm\tytghn.exe /task=0 /closebr=1 /InstallOn=7 /active=24 /update=24 /interval=2880 /pubId=10001 /affId=100112 /uId={DF6B516B-78A8-4FFA-8130-9593E2949416} /version=1.0.0.5 /Override=false /IEhome=0 /IEsearch=0 /FFhome=0 /FFsearch=0 /CHhome=0 /CHsearch=0 /FFaddon=1 /CHaddon=1 /AutoSP=0 /regAppName=youtubegizm /txx=1 -regAppName=youtubegizm -txx=2
1⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:1120

C:\ProgramData\youtubegizm\tytghn.exe
C:\ProgramData\youtubegizm\tytghn.exe /task=1 /closebr=1 /InstallOn=7 /active=24 /update=24 /interval=2880 /pubId=10001 /affId=100112 /uId={DF6B516B-78A8-4FFA-8130-9593E2949416} /version=1.0.0.5 /Override=false /IEhome=0 /IEsearch=0 /FFhome=0 /FFsearch=0 /CHhome=0 /CHsearch=0 /FFaddon=1 /CHaddon=1 /AutoSP=0 /regAppName=youtubegizm /txx=1 -regAppName=youtubegizm -txx=2
1⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:2916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1344 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
1⤵
PID:2216

C:\ProgramData\youtubegizm\tytghn.exe
C:\ProgramData\youtubegizm\tytghn.exe /task=2 /closebr=1 /InstallOn=7 /active=24 /update=24 /interval=2880 /pubId=10001 /affId=100112 /uId={DF6B516B-78A8-4FFA-8130-9593E2949416} /version=1.0.0.5 /Override=false /IEhome=0 /IEsearch=0 /FFhome=0 /FFsearch=0 /CHhome=0 /CHsearch=0 /FFaddon=1 /CHaddon=1 /AutoSP=0 /regAppName=youtubegizm /txx=1 -regAppName=youtubegizm -txx=2
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:5012

C:\ProgramData\youtubegizm\tytghn.exe
C:\ProgramData\youtubegizm\tytghn.exe /task=4 /closebr=1 /InstallOn=7 /active=24 /update=24 /interval=2880 /pubId=10001 /affId=100112 /uId={DF6B516B-78A8-4FFA-8130-9593E2949416} /version=1.0.0.5 /Override=false /IEhome=0 /IEsearch=0 /FFhome=0 /FFsearch=0 /CHhome=0 /CHsearch=0 /FFaddon=1 /CHaddon=1 /AutoSP=0 /regAppName=youtubegizm /txx=1 -regAppName=youtubegizm -txx=2
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\youtubegizm\jsloader.dll

Filesize
215KB

MD5
51d72c5c44c3cadb21128c225ba7a569

SHA1
94da06230ffbbe9f4d22e9b0422a279004a7b848

SHA256
50c36830ca56b2a9ccbecd650767af742bd1a2fc4cc18ac9cd2d18d8da8259c1

SHA512
2ec980a01e8f237bc863686bba0f35ae291b3626356905c0889086bf71c3362411984ad2af6fbba893863105852fae36be8cdd34798f46128486eedb67b9569a

Download Submit
C:\Program Files (x86)\youtubegizm\tdataprotocol.dll

Filesize
149KB

MD5
ffdc730ec5f8b90e4dda0c7685650c9d

SHA1
0f052108bcef14beffb6f325981b22fc40c7d047

SHA256
2373e11595d02e279ed64925233f802e03f8e68f3d85649e360b0db17e1e191e

SHA512
172914e1c1e69da1eb1844fc2a7c10de153e7ad1c97ad5bd9821ca82a0ab37838085cdc2ae9d3301a1d900662f4b9fc0c2737ff97e02566320d08630e4ac327c

Download Submit
C:\Program Files (x86)\youtubegizm\toolbar.dll

Filesize
119KB

MD5
a4efaf7a21baac166810f9790f0c693d

SHA1
eebca444b31d79ad37aec6076ba487942b5df0ea

SHA256
a85bfacf0d2c2d5a6a4b62720a69e1e8fe0347653cf914fe82bb9c74d73bd3b1

SHA512
32ff2899e917c9ae3e959f1183967711067e30dfd5a2f90ab0f33f524710f137561a69c7c3d265336829b1cfe401809906acbfbc7d03dbcd1046ac517b134f40

Download Submit
C:\Program Files (x86)\youtubegizm\updatebhoWin32.dll

Filesize
120KB

MD5
4ef3b332db3d6b45c47414e056d99ad3

SHA1
fdec55c9fc31e9e65a832407d0e843433d75bc14

SHA256
601e473f4f509ebb12b3b0a47f979819ddc64cd5aa768abacdf6e67a6cb3eeb7

SHA512
26f924340779b52683f660468974da5d42c9dc05f9d25764527ca343054bec7f42cc90e384c1316130af67399dc60bc2ca1000738a3f214a9a9aea492ddbdc4a

Download Submit
C:\ProgramData\youtubegizm\df-ch.crx

Filesize
124KB

MD5
823077becfad4167c3c335d3842661b9

SHA1
368217466bb9e026b03fa9a8da332fe39668ed8e

SHA256
2e29b5278d35428015c563f70b88cd1de1f02b1dd192ca3f362d736a38fb9e10

SHA512
616f4dc16c88f4fcf68262ee0e40af7b7541cf35d845260fe3b51e6e0657adeca9a6d59d376fff1becdf74d337833374e940383c471ae20ccc59426064ed880d

Download Submit
C:\ProgramData\youtubegizm\df-le.xpi

Filesize
92KB

MD5
3595a64e2463ea58d5cb42fc31d9a020

SHA1
377b61362b26d6cec6165d7dac6d13a3ac6b64e2

SHA256
a1f130f44517453e5181fcdc9b3b350b4afca06656d108acf66f3f0254208134

SHA512
cfd9b2cc085c953df88cb06ae18a4e4192a613ab9d1904ee9fef6a4c2cc60bb9e0dfa5005450d164377130659db55946dba146b146bc3ac4465cc91ceb425592

Download Submit
C:\ProgramData\youtubegizm\tytghn.exe

Filesize
620KB

MD5
6848f0a5a9c58289b025087529aa9b1a

SHA1
8440fa83eab244b3fe75fcdfc60772fdfacde455

SHA256
8142a98010153dedd3d39edffba0f54c64245c90a9489b60d05063a571f54570

SHA512
08ae416e2d16e2c607eac092c28d39514c08a8602642e690ea73b754cdd98e6f7b1de77e8bb0eb8e8a5f8eac5d4745077e98e650f45be2a1b5aeb352dae21dae

Download Submit
C:\ProgramData\youtubegizm\valuese.xml

Filesize
1KB

MD5
227bdc41ed630efdb2061daa15859b68

SHA1
bedb6860595d0ec863bff16ac71337082a58aec2

SHA256
8dfb5773f05bad3c36db328cd2a352791d92c83a94f629360f9ab6ca6c719e6c

SHA512
64c09d8d887943b8b59f2cce210a70158b0720421a10503c29e67f134bbd690ce05572980cd3f813e31801df5aeef4c5b6b9a2d2ec2efaacbbd4a0b2c1299028

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgrn.exe

Filesize
1.1MB

MD5
8c1dac7cbdb70e56c51c9fbba6344eac

SHA1
87db5b38a4674cad776a9ec5f519caa39237a7d6

SHA256
39a84e4d70d4bffe2be3f845a9a0af28a9f0994abdc4150dd83be2795311e632

SHA512
fbf16ae42c904831bbf510f6696cdfdcb903a168f465f0ac667aa9c99c8ba527a18f709c1bb92ceefd4ea895dbb2938735f8fdbd5faca0d993caf8fbe14e6e8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm7069.tmp\InstallerUtils.dll

Filesize
161KB

MD5
35404188c755b622da09b6763fbbc67f

SHA1
2cc1aa24fc19523715abe49decd1a3d2903256f5

SHA256
6f529be86277ab86bde17438b8ea5234a5524efdc840e194ed358740ef8b8a09

SHA512
33e480071e7453d3b63cc76b7f49c42f7ce6cf71fe1736d1e0f8b55e17d16725c76a81bab81e55c449103c40859963e20de2b4fd3542453fdc817af773aaa7fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm7069.tmp\KillProcDLL.dll

Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm7069.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\extensions\[email protected]\chrome.manifest

Filesize
192B

MD5
71a85ce537dcec64640fb478067e24c3

SHA1
42337f22368a2cd7cfedeb929f26222f2b2b7ae3

SHA256
5010be714b986edeb59eabca51c1296dd9e67138b9d965e9859d5553670a0823

SHA512
8cd49e8d1971623dcf83cbcca200de2296d82596f6fb96840face985c24c6d0a5c67d88d9f47a1b48f66972f4907643c3d5af344f732bfda70199b746d1cac91

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\extensions\[email protected]\chrome\content\bubble.js

Filesize
1KB

MD5
e3cf4b651109156221e2072f83be5aa2

SHA1
be06675125c178e3ff2fd78cf57f3d643bec5cc4

SHA256
73cde6a7691f5155a6ea9f8076dda8d00c3c62764331be13ec3ec6053d0c9f84

SHA512
976007787974080f6b30763f61b63c6212b4ca2a234e4f6d52a529c154a8325e7619160f108641e39ae7b405cfe203a092cf4fcdb72252cfa61e8a9afaf93dce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\extensions\[email protected]\chrome\content\bubble.xul

Filesize
490B

MD5
75743b09194736b8fc79a6dd65db177d

SHA1
dbf38a26e0597697d0c6aad15e2515c398753e16

SHA256
f8ad9265fd61883ed00c3907f0f14478c8947b1ebaf1e34196efb5153cf040d6

SHA512
d151f8e97a213a59d3c41206c1aa606f179030c4ce1a24c5fb8aca17b7b783b46a9e1dc682366a3ddabe450d38b7b40cc714e23e0fced4e2a35b02ed20e1d30f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\extensions\[email protected]\chrome\content\fix2.js

Filesize
20B

MD5
b5ce3889cdd24c2b2e9d540ba1aab48d

SHA1
30d6c76f244e7617c835b3769bfb1fd125e401f1

SHA256
03e704ae5142e05e367aaf51af30485eed881d0c5c581bea3b1752095e444cd0

SHA512
f5a4fb298b53017e212eb92859eb76b138255778cb3a44822e6d5c02791b9911be68bfc1f25eb90414f8adb5160086cae0c247278b1c288d7b0e3f75f21c3023

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\extensions\[email protected]\chrome\content\fix3.js

Filesize
20B

MD5
abdc04c0bb1bac8ee8962aa5e5fba9a8

SHA1
2689078d902bfa6d65483e26d122d0a30d2a6560

SHA256
3bb6e43e497c67e79fb3ac8520fbe07d6a43c9777c57be349a54caf9888ca482

SHA512
55fc2af28251c773c0def012f739e01a505867cdffb387d522f1c2fcabee4f2f8c33706c553b1ff5dc4a1dbee1bbf6926909dfb032ad813863ed2c773e0625cd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\extensions\[email protected]\chrome\content\fix4.js

Filesize
20B

MD5
4b95306cdc01a9023a3ca1e8c7fcdd61

SHA1
f518c9d20ec181229d35089f685a9588a5b19e7d

SHA256
be576aea3b146bfc77237c2cd65911e05b987c0fc74c588b9ab07ba19ad1067d

SHA512
4733f3eb0f7002b49b6d448ed5f22ed6c13234df46d81014a7ffd008dc77c51e86cc49d7c49c63d7941a0f54cea8693244af0f339d0a5a864ef5a9e8bf47fca8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\extensions\[email protected]\chrome\content\fix5.js

Filesize
20B

MD5
010d54d2fc0c7c7ae39324a6217030f2

SHA1
3d73cbe8cce886b2075b5cea17d136b344814992

SHA256
032f8af38f623f697712273292edb5268a0fa9eebd49f997450f97472794a751

SHA512
ae41156a78a60c472c27ebe5f45458836db8cf7850714f0ecf89414e12b21f0ec320ddc7d5a27db2aec5a6946dd7f436ff82f3d301998f8ae35eb8f979c6d59d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\extensions\[email protected]\chrome\content\icon.png

Filesize
1KB

MD5
55c528c592d50cd1a5ef11f2d7814b68

SHA1
d8a3bc30aed31f1198996862316fdfa4a2570027

SHA256
063dc7a4bbc0761c8eb703efa32e3be77dde5a271c48a3239efa43dcc1d9c113

SHA512
c09de16451648c92adcd54f1e44e62cb0cf77e3f56ca81464e3bed841da1d4324bfdae9038bf5b6f27aff2c39e48a4da52793a49145b7a6407707618a6ffbbb1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\extensions\[email protected]\chrome\content\jquery4toolbar.js

Filesize
92KB

MD5
432e6ce300e0604b682c612aa0de1c82

SHA1
c559ab91e420bdca977c4c4c3f7f5e8564a78fb2

SHA256
6dc68cfa752a170706a347a81ccb8fd5fadf8ff5837823eb9fd5486a6882e65a

SHA512
9a463a5a884c562cfea0afc2f9a22eca258f06c6a8ea79cf4e9612079906c5c44edd50b490c067d1f8456cb1a596636a28ac51e66a10a479302bad752c3b8dc2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\extensions\[email protected]\chrome\content\jquery4toolbar.js_126

Filesize
167KB

MD5
224c257265b43f4b4e5ebe21e7575dbe

SHA1
4a7990cfea863655aca06e4c7ee708a0641d4e35

SHA256
a63ca336dd561218555d730194dae3b778212d41bc3c164232f5cf627702f90a

SHA512
9559e1c7db6402b2803d953ddadf49195785a642cd9849d8caf3333ee829d6a9e3ee3037234b83a8a2d4fd35eaec346bf313f22874a33d6bf5690fe1ec52cdec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\extensions\[email protected]\chrome\content\lock.js

Filesize
27B

MD5
02469e8f69f26729bf7373aaf83e7687

SHA1
cee5b53a1b7f93986b9d336ea43e640da532eba6

SHA256
86b85ba075a4af0c0ba4496484f0dd335e4abcb6782495dd0fb936bcf26b5c4f

SHA512
45b75dd965ac95768aaed7bf7ac6e5317bd5ebbfdfde4920930e8258529b25979c0f335f335053538ad0d3940203694f8cde2dc71b57e0ad60adad65f5d763ec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\extensions\[email protected]\chrome\content\style.xul

Filesize
812B

MD5
668dec8a49b6dc8575acc0e34ecd4284

SHA1
9fa09a256602a30dec25e2bb83e5ab8a1ec0bafe

SHA256
022636895ac1faa46a586e7e03e1c9d74b1ee78d48d622f95938800a02b71965

SHA512
94217e798b4258960949265d3ec7f4ba4dc4fb3c6a00fbe952975ba408bcd248e1b7e85f517ed67cee5d3d56cd110c2005d875f6b910e2e4f69bd58706a227ed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\extensions\[email protected]\chrome\content\witapi.js

Filesize
37KB

MD5
c48275070dec1182b66f0932024c41d1

SHA1
3093164946b041dc4b13d1e251113da232e8bdeb

SHA256
577d9b9f3a4ee376f6863194ed322d5cfe3ab0afcb8a2b45520f0bc32e4c97e1

SHA512
f25688e437f0c23f3ac0a0e452613a23a1663813e6700740ca5049d6fb36adc26f66187b903f46aaa8ff455969d46f3026c4d126fb7adeddcf0f113c7dd7e5ab

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\extensions\[email protected]\chrome\content\witmain.js

Filesize
949B

MD5
4e356ed12d6a722c377b5cf30fe1f5ef

SHA1
e1fc58f2f168d12a65e0516efe82cff57237685f

SHA256
9f8baf29d62b8a37159f36e9f9640933b2b66e2a7799caefe7209ebe387ec6a4

SHA512
64df71a519406086e3b9e69a2a4ba98ea79d542414cefdd99adfc589074054b9c88ca5697c0349909628f2868ab2c21b5b256e678de2da6c2574ea6d2644df24

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\extensions\[email protected]\chrome\content\wittoolbar.js

Filesize
2KB

MD5
cda5b2727e277b095e1c802930ab9a78

SHA1
16898837afad35f9ea3cdb203b3881a1f1cc14b0

SHA256
1f4f851573263382105e35dc1c32014357ea8a5d48a2d3f97e568393ac17307f

SHA512
353175636f3ae56ae97f0587c4f8b819e2ae290594982bbd2a514fe7f702570b506b9d774a7627de57f9c480f80d54a4c48f845330a7a1008fb03edb55f1bf3b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\extensions\[email protected]\chrome\content\witutils.js

Filesize
23KB

MD5
e98815b4088c11d052fce961ea863308

SHA1
0aa226ffcbc73b435f0bf19a4f658a111f572e3d

SHA256
aa7546f7a02f77a48f737644272ae18d1ec4e7fc51756d406af88e530cb8b489

SHA512
ee86a07cda4fc7cca9947dacadbf3d5d8eb63b7f0529c20d506bb75bd99de60c2dd7b354149d8ad2ba70f40fa133aa79fc619a410786d51f45f14a7a65a1d6c9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\extensions\[email protected]\components\handleProtocol.js

Filesize
20KB

MD5
1f3402859b63193c40a54f466a8f7a46

SHA1
e4060e5def7dfe2c31123098f7e9f552a71ac993

SHA256
07afcbcddb1b2ee757d4e4d5367bf8f50bf7cbb0b815a83513d4a3bf1bbc2679

SHA512
cf3edf88d4d48905a1ba393452503142ec3e7031cd7d0645cba79a667d3642496e487d2e9d04fbec16dfd91e1fa35ca343754053a53185fe44820150e8e5eedd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\extensions\[email protected]\install.rdf

Filesize
737B

MD5
b61f9abf919fd934d57d4e28a0ecb0a6

SHA1
71a8c728bd7e1b743d1f41d40a500a0548f5784a

SHA256
3d0f2f6c748c73a97df11aad61aa63390bb799990357ebd16a3cc93536b383c9

SHA512
ddfba27925f3f8f460e08c14bee135171dd33597555522f8da278a51a4256d1d0d2469aa42021410635654547741102248c68160920ba12c2b570b892ad107a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xvu9bdak.Admin\extensions\[email protected]\chrome\content\witutils.js

Filesize
16KB

MD5
4a0ffcc5c6b8117eec0051ed49f3ea57

SHA1
34ba5afc0a359dfa005092e861c60bffe2e0ee87

SHA256
7ea8a8a9329d2752b451768ef33f1ef32a7e6e44fb0ef782a71b7c936d003876

SHA512
f21ad0156ee3640201f1d8a91695f97200eb570897ea314214977ecd61ee949998a17287c0941e49c9f16a2e787e668d2cee32da9339d9ce3b7bc4006bb0bcf4

Download Submit
C:\Windows\Tasks\youtubegizm Chrome Watcher.job

Filesize
962B

MD5
1cbf9728b997e9aeda6b06002567dee6

SHA1
188f1ecd4701f275a22eec363d82800a607d227f

SHA256
9d01e4d8f6a36984a4d09c80932f9e92b50e443afc87a5150be031c37bd3f2cb

SHA512
16636ad721fdfc4a86a0c9b9f6480dc3c850950e1e95fdfead0f639be700b950da3e06ef31745e9bdd12a95a96acb0d70daab2eeb1f61bb29970dd10143c0e35

Download Submit
C:\Windows\Tasks\youtubegizm Chrome Watcher.job

Filesize
1KB

MD5
5ef9b439392e72568d8c8da7985b7c41

SHA1
5e374b7d6cdfad67eee4c22d2986d33038156395

SHA256
b91039eeeef89a337264408d7c2153ebf251ef09d71429c24de4ef0d6f5f42b5

SHA512
f97686a9da5a4ba487f57fbc17ae86d189918cb94e318a0761ddbc1a634b6db19941f908e9946c1adfe6c0ec64b750f5c0564a53d9e18ccd6ac573bd0cfeb7e6

Download Submit
C:\Windows\Tasks\youtubegizm FireFox Watcher.job

Filesize
1KB

MD5
4739dd1cc17e9d740b966fefa548460c

SHA1
9d4a4c21b1ccf8761280fb13151b3c77c57e7759

SHA256
3311f5a17014bc2d503f3591cff04d6c1bb339f0c5da774062d73f664ad80c37

SHA512
36a60ab145c414d3bd2cdad52ca193c3a281281b08bb46026e7574d6a05915c129d321e0fbe18f4ea5f7c43eba3e8e24a895b807c7bd487848b8a84b68d5b649

Download Submit
C:\Windows\Tasks\youtubegizm Stats Report.job

Filesize
1KB

MD5
39dd3e0a5133391d1fa540a0849685b1

SHA1
7769215043232084778f548c6ddf6d6d2a80e3b7

SHA256
cc2df2741d0accf3152846f323dbeec7c780d58e735ba14db22db6c164a5106a

SHA512
f37d491809056bf839ace8f12ff70842c5f5ef19cbb910efd42d870524da9500041f0252c417afe4d1bc38f2f84e59da74c655503c6c23091c54bfef4bdb75cf

Download Submit
memory/624-72-0x0000000003450000-0x0000000003473000-memory.dmp

Filesize
140KB

Download
memory/2384-0-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/4296-88-0x0000000002B10000-0x0000000002B11000-memory.dmp

Filesize
4KB

Download