Malware Analysis Report

2024-07-28 05:18

Sample ID 240603-bgrnksfa54
Target 2024-06-03_935912c06997a8f013d146ae97a732d4_mafia
SHA256 c2c5cff8f7311b8eb9d0bc9f6c9509d1ce1e51e897cbe1a7e77ce6395571e73b
Tags
adware discovery spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

c2c5cff8f7311b8eb9d0bc9f6c9509d1ce1e51e897cbe1a7e77ce6395571e73b

Threat Level: Shows suspicious behavior

The file 2024-06-03_935912c06997a8f013d146ae97a732d4_mafia was found to be: Shows suspicious behavior.

Malicious Activity Summary

adware discovery spyware stealer

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Checks installed software on the system

Installs/modifies Browser Helper Object

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Program crash

Enumerates physical storage devices

Unsigned PE

NSIS installer

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Kills process with taskkill

System policy modification

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Browser Extensions
T1176
Privilege Escalation
TA0004
Defense Evasion
TA0005
Modify Registry
T1112
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-03 01:07

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 01:07

Reported

2024-06-03 01:09

Platform

win7-20240508-en

Max time kernel

145s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_935912c06997a8f013d146ae97a732d4_mafia.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
N/A N/A C:\ProgramData\youtubegizm\tytghn.exe N/A
N/A N/A C:\ProgramData\youtubegizm\tytghn.exe N/A
N/A N/A C:\ProgramData\youtubegizm\tytghn.exe N/A
N/A N/A C:\ProgramData\youtubegizm\tytghn.exe N/A
N/A N/A C:\ProgramData\youtubegizm\tytghn.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_935912c06997a8f013d146ae97a732d4_mafia.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{963B125B-8B21-49A2-A3A8-E37092276531}\ = "Update Timer" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54} C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}\ = "script helper for ie" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{963B125B-8B21-49A2-A3A8-E37092276531} C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\ProgramData\youtubegizm\tytghn.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\youtubegizm\uninstall.exe C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
File created C:\Program Files (x86)\youtubegizm\terms.lnk.url C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
File created C:\Program Files (x86)\youtubegizm\tdataprotocol.dll C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
File created C:\Program Files (x86)\youtubegizm\logo.ico C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
File created C:\Program Files (x86)\youtubegizm\updatebhoWin32.dll C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
File created C:\Program Files (x86)\youtubegizm\updater.ini C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
File created C:\Program Files (x86)\youtubegizm\jsloader.dll C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
File created C:\Program Files (x86)\youtubegizm\toolbar.dll C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
File created C:\Program Files (x86)\youtubegizm\widgetserv.exe C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Tasks\youtubegizm Chrome Watcher.job C:\ProgramData\youtubegizm\tytghn.exe N/A
File created C:\Windows\Tasks\youtubegizm Stats Report.job C:\ProgramData\youtubegizm\tytghn.exe N/A
File opened for modification C:\Windows\Tasks\youtubegizm Update Checker.job C:\ProgramData\youtubegizm\tytghn.exe N/A
File created C:\Windows\Tasks\youtubegizm Runner.job C:\ProgramData\youtubegizm\tytghn.exe N/A
File created C:\Windows\Tasks\youtubegizm FireFox Watcher.job C:\ProgramData\youtubegizm\tytghn.exe N/A
File opened for modification C:\Windows\Tasks\youtubegizm FireFox Watcher.job C:\ProgramData\youtubegizm\tytghn.exe N/A
File created C:\Windows\Tasks\youtubegizm Update Checker.job C:\ProgramData\youtubegizm\tytghn.exe N/A
File opened for modification C:\Windows\Tasks\youtubegizm Runner.job C:\ProgramData\youtubegizm\tytghn.exe N/A
File opened for modification C:\Windows\Tasks\youtubegizm Stats Report.job C:\ProgramData\youtubegizm\tytghn.exe N/A
File created C:\Windows\Tasks\youtubegizm Chrome Watcher.job C:\ProgramData\youtubegizm\tytghn.exe N/A
File opened for modification C:\Windows\Tasks\youtubegizm Stats Report.job C:\ProgramData\youtubegizm\tytghn.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\ProgramData\youtubegizm\tytghn.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\ProgramData\youtubegizm\tytghn.exe

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\ProgramData\youtubegizm\tytghn.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\ProgramData\youtubegizm\tytghn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\ C:\ProgramData\youtubegizm\tytghn.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Approved Extensions C:\ProgramData\youtubegizm\tytghn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{963B125B-8B21-49A2-A3A8-E37092276531} C:\ProgramData\youtubegizm\tytghn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\ C:\ProgramData\youtubegizm\tytghn.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Approved Extensions C:\ProgramData\youtubegizm\tytghn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{963B125B-8B21-49A2-A3A8-E37092276531} C:\ProgramData\youtubegizm\tytghn.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\ProgramData\youtubegizm\tytghn.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-a5-a2-dd-a4-f4\WpadDecision = "0" C:\ProgramData\youtubegizm\tytghn.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\ProgramData\youtubegizm\tytghn.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\ProgramData\youtubegizm\tytghn.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8658B825-23D2-4B4C-9ED0-991047320AEB}\WpadNetworkName = "Network 3" C:\ProgramData\youtubegizm\tytghn.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8658B825-23D2-4B4C-9ED0-991047320AEB}\ca-a5-a2-dd-a4-f4 C:\ProgramData\youtubegizm\tytghn.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-a5-a2-dd-a4-f4\WpadDecisionTime = f0b73d6d52b5da01 C:\ProgramData\youtubegizm\tytghn.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8658B825-23D2-4B4C-9ED0-991047320AEB} C:\ProgramData\youtubegizm\tytghn.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8658B825-23D2-4B4C-9ED0-991047320AEB}\WpadDecisionTime = f0b73d6d52b5da01 C:\ProgramData\youtubegizm\tytghn.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\ProgramData\youtubegizm\tytghn.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\ProgramData\youtubegizm\tytghn.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0022000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\ProgramData\youtubegizm\tytghn.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8658B825-23D2-4B4C-9ED0-991047320AEB}\WpadDecisionReason = "1" C:\ProgramData\youtubegizm\tytghn.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8658B825-23D2-4B4C-9ED0-991047320AEB}\WpadDecision = "0" C:\ProgramData\youtubegizm\tytghn.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\ProgramData\youtubegizm\tytghn.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" C:\ProgramData\youtubegizm\tytghn.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-a5-a2-dd-a4-f4\WpadDetectedUrl C:\ProgramData\youtubegizm\tytghn.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-a5-a2-dd-a4-f4 C:\ProgramData\youtubegizm\tytghn.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-a5-a2-dd-a4-f4\WpadDecisionReason = "1" C:\ProgramData\youtubegizm\tytghn.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}\ProgID C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\youtubegizm" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9F0C17EB-EF2C-4278-9136-2D547656BC03}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\tdataprotocol.CTData\CLSID C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wit4ie.WitBHO.2 C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{963B125B-8B21-49A2-A3A8-E37092276531}\InprocServer32\ = "C:\\Program Files (x86)\\youtubegizm\\updatebhoWin32.dll" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\tdataprotocol.CTData.1\ = "CTData Class" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{830B56CB-FD22-44AA-9887-7898F4F4158D}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\wit4ie.WitBHO.2\CLSID\ = "{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}\VersionIndependentProgID\ = "wit4ie.WitBHO" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\updatebho.TimerBHO.1 C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\chrome\CLSID = "{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{848B6490-7D35-4482-8C9F-C1350C53C5A5}\ = "IWitBHO" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{963B125B-8B21-49A2-A3A8-E37092276531}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\tdataprotocol.CTData.1\CLSID\ = "{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{830B56CB-FD22-44AA-9887-7898F4F4158D}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54} C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\updatebho.DLL\AppID = "{373ED12D-B306-43AC-9485-A7C5133DC34C}" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}\InprocServer32\ = "C:\\Program Files (x86)\\youtubegizm\\tdataprotocol.dll" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{848B6490-7D35-4482-8C9F-C1350C53C5A5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{373ED12D-B306-43AC-9485-A7C5133DC34C}\ = "updatebho" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{963B125B-8B21-49A2-A3A8-E37092276531}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}\InprocServer32\ = "C:\\Program Files (x86)\\youtubegizm\\jsloader.dll" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}\TypeLib\ = "{830B56CB-FD22-44AA-9887-7898F4F4158D}" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\base64 C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{830B56CB-FD22-44AA-9887-7898F4F4158D}\1.0\0\win32\ = "C:\\Program Files (x86)\\youtubegizm\\tdataprotocol.dll" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\updatebho.TimerBHO C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}\ = "CTData Class" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{963B125B-8B21-49A2-A3A8-E37092276531}\TypeLib\ = "{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}\1.0\ = "updatebho 1.0 Type Library" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{830B56CB-FD22-44AA-9887-7898F4F4158D}\1.0\0 C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}\ = "ygBHO Class" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{373ED12D-B306-43AC-9485-A7C5133DC34C} C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9F0C17EB-EF2C-4278-9136-2D547656BC03}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\tdataprotocol.CTData C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wit4ie.WitBHO\CLSID C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{848B6490-7D35-4482-8C9F-C1350C53C5A5}\TypeLib C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\updatebho.TimerBHO\CurVer C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{963B125B-8B21-49A2-A3A8-E37092276531}\ProgID C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{830B56CB-FD22-44AA-9887-7898F4F4158D}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{963B125B-8B21-49A2-A3A8-E37092276531}\VersionIndependentProgID\ = "updatebho.TimerBHO" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{848B6490-7D35-4482-8C9F-C1350C53C5A5}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{830B56CB-FD22-44AA-9887-7898F4F4158D}\1.0\ = "tdataprotocol 1.0 Type Library" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}\1.0\0\win32\ = "C:\\Program Files (x86)\\youtubegizm\\updatebhoWin32.dll" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}\VersionIndependentProgID\ = "tdataprotocol.CTData" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{848B6490-7D35-4482-8C9F-C1350C53C5A5}\TypeLib\ = "{1FA44816-ECC1-4582-89C8-C8B043BA7656}" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{963B125B-8B21-49A2-A3A8-E37092276531}\ProgID\ = "updatebho.TimerBHO.1" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9F0C17EB-EF2C-4278-9136-2D547656BC03}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{848B6490-7D35-4482-8C9F-C1350C53C5A5}\TypeLib C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{20EDC024-43C5-423E-B7F5-FD93523E0D9F}\ = "wit4ie" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FA44816-ECC1-4582-89C8-C8B043BA7656}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{848B6490-7D35-4482-8C9F-C1350C53C5A5}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\tdataprotocol.CTData\CurVer C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\tdataprotocol.CTData\CurVer\ = "tdataprotocol.CTData.1" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\chrome C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{830B56CB-FD22-44AA-9887-7898F4F4158D}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\wit4ie.WitBHO\ = "ygBHO Class" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FA44816-ECC1-4582-89C8-C8B043BA7656}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\youtubegizm" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\updatebho.TimerBHO\ = "ytg timer" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\tdataprotocol.CTData.1\CLSID C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{963B125B-8B21-49A2-A3A8-E37092276531} C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
N/A N/A C:\ProgramData\youtubegizm\tytghn.exe N/A
N/A N/A C:\ProgramData\youtubegizm\tytghn.exe N/A
N/A N/A C:\ProgramData\youtubegizm\tytghn.exe N/A
N/A N/A C:\ProgramData\youtubegizm\tytghn.exe N/A
N/A N/A C:\ProgramData\youtubegizm\tytghn.exe N/A
N/A N/A C:\ProgramData\youtubegizm\tytghn.exe N/A
N/A N/A C:\ProgramData\youtubegizm\tytghn.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1728 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_935912c06997a8f013d146ae97a732d4_mafia.exe C:\Users\Admin\AppData\Local\Temp\dgrn.exe
PID 1728 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_935912c06997a8f013d146ae97a732d4_mafia.exe C:\Users\Admin\AppData\Local\Temp\dgrn.exe
PID 1728 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_935912c06997a8f013d146ae97a732d4_mafia.exe C:\Users\Admin\AppData\Local\Temp\dgrn.exe
PID 1728 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_935912c06997a8f013d146ae97a732d4_mafia.exe C:\Users\Admin\AppData\Local\Temp\dgrn.exe
PID 2664 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe C:\ProgramData\youtubegizm\tytghn.exe
PID 2664 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe C:\ProgramData\youtubegizm\tytghn.exe
PID 2664 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe C:\ProgramData\youtubegizm\tytghn.exe
PID 2664 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe C:\ProgramData\youtubegizm\tytghn.exe
PID 1360 wrote to memory of 2352 N/A C:\ProgramData\youtubegizm\tytghn.exe C:\Windows\SysWOW64\taskkill.exe
PID 1360 wrote to memory of 2352 N/A C:\ProgramData\youtubegizm\tytghn.exe C:\Windows\SysWOW64\taskkill.exe
PID 1360 wrote to memory of 2352 N/A C:\ProgramData\youtubegizm\tytghn.exe C:\Windows\SysWOW64\taskkill.exe
PID 1360 wrote to memory of 2352 N/A C:\ProgramData\youtubegizm\tytghn.exe C:\Windows\SysWOW64\taskkill.exe
PID 2376 wrote to memory of 1932 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\youtubegizm\tytghn.exe
PID 2376 wrote to memory of 1932 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\youtubegizm\tytghn.exe
PID 2376 wrote to memory of 1932 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\youtubegizm\tytghn.exe
PID 2376 wrote to memory of 1932 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\youtubegizm\tytghn.exe
PID 1932 wrote to memory of 872 N/A C:\ProgramData\youtubegizm\tytghn.exe C:\Windows\SysWOW64\WerFault.exe
PID 1932 wrote to memory of 872 N/A C:\ProgramData\youtubegizm\tytghn.exe C:\Windows\SysWOW64\WerFault.exe
PID 1932 wrote to memory of 872 N/A C:\ProgramData\youtubegizm\tytghn.exe C:\Windows\SysWOW64\WerFault.exe
PID 1932 wrote to memory of 872 N/A C:\ProgramData\youtubegizm\tytghn.exe C:\Windows\SysWOW64\WerFault.exe
PID 2376 wrote to memory of 112 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\youtubegizm\tytghn.exe
PID 2376 wrote to memory of 112 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\youtubegizm\tytghn.exe
PID 2376 wrote to memory of 112 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\youtubegizm\tytghn.exe
PID 2376 wrote to memory of 112 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\youtubegizm\tytghn.exe
PID 112 wrote to memory of 1876 N/A C:\ProgramData\youtubegizm\tytghn.exe C:\Windows\SysWOW64\WerFault.exe
PID 112 wrote to memory of 1876 N/A C:\ProgramData\youtubegizm\tytghn.exe C:\Windows\SysWOW64\WerFault.exe
PID 112 wrote to memory of 1876 N/A C:\ProgramData\youtubegizm\tytghn.exe C:\Windows\SysWOW64\WerFault.exe
PID 112 wrote to memory of 1876 N/A C:\ProgramData\youtubegizm\tytghn.exe C:\Windows\SysWOW64\WerFault.exe
PID 2376 wrote to memory of 2936 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\youtubegizm\tytghn.exe
PID 2376 wrote to memory of 2936 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\youtubegizm\tytghn.exe
PID 2376 wrote to memory of 2936 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\youtubegizm\tytghn.exe
PID 2376 wrote to memory of 2936 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\youtubegizm\tytghn.exe
PID 2376 wrote to memory of 2016 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\youtubegizm\tytghn.exe
PID 2376 wrote to memory of 2016 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\youtubegizm\tytghn.exe
PID 2376 wrote to memory of 2016 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\youtubegizm\tytghn.exe
PID 2376 wrote to memory of 2016 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\youtubegizm\tytghn.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\DisableAddonLoadTimePerformanceNotifications = "1" C:\ProgramData\youtubegizm\tytghn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext C:\ProgramData\youtubegizm\tytghn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\DisableAddonLoadTimePerformanceNotifications = "1" C:\ProgramData\youtubegizm\tytghn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext C:\ProgramData\youtubegizm\tytghn.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-03_935912c06997a8f013d146ae97a732d4_mafia.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_935912c06997a8f013d146ae97a732d4_mafia.exe"

C:\Users\Admin\AppData\Local\Temp\dgrn.exe

"C:\Users\Admin\AppData\Local\Temp\dgrn.exe"

C:\ProgramData\youtubegizm\tytghn.exe

"C:\ProgramData\youtubegizm\tytghn.exe" /closebr=1 /InstallOn=7 /active=24 /update=24 /interval=2880 /pubId=10001 /affId=100112 /uId={F9543BD4-AD09-4FFA-9BEB-F66AC4E54C09} /version=1.0.0.5 /Override=false /Firstime=1 /IEhome=0 /IEsearch=0 /FFhome=0 /FFsearch=0 /CHhome=0 /CHsearch=0 /FFaddon=1 /CHaddon=1 /AutoSP=0 /regAppName=youtubegizm /txx=1 -regAppName=youtubegizm -txx=2

C:\Windows\SysWOW64\taskkill.exe

"C:\Windows\System32\taskkill.exe" /F /IM IExplore.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {9052A978-5316-4461-94F2-9013C08255D0} S-1-5-18:NT AUTHORITY\System:Service:

C:\ProgramData\youtubegizm\tytghn.exe

C:\ProgramData\youtubegizm\tytghn.exe /task=0 /closebr=1 /InstallOn=7 /active=24 /update=24 /interval=2880 /pubId=10001 /affId=100112 /uId={F9543BD4-AD09-4FFA-9BEB-F66AC4E54C09} /version=1.0.0.5 /Override=false /IEhome=0 /IEsearch=0 /FFhome=0 /FFsearch=0 /CHhome=0 /CHsearch=0 /FFaddon=1 /CHaddon=1 /AutoSP=0 /regAppName=youtubegizm /txx=1 -regAppName=youtubegizm -txx=2

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 356

C:\ProgramData\youtubegizm\tytghn.exe

C:\ProgramData\youtubegizm\tytghn.exe /task=1 /closebr=1 /InstallOn=7 /active=24 /update=24 /interval=2880 /pubId=10001 /affId=100112 /uId={F9543BD4-AD09-4FFA-9BEB-F66AC4E54C09} /version=1.0.0.5 /Override=false /IEhome=0 /IEsearch=0 /FFhome=0 /FFsearch=0 /CHhome=0 /CHsearch=0 /FFaddon=1 /CHaddon=1 /AutoSP=0 /regAppName=youtubegizm /txx=1 -regAppName=youtubegizm -txx=2

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 112 -s 364

C:\ProgramData\youtubegizm\tytghn.exe

C:\ProgramData\youtubegizm\tytghn.exe /task=2 /closebr=1 /InstallOn=7 /active=24 /update=24 /interval=2880 /pubId=10001 /affId=100112 /uId={F9543BD4-AD09-4FFA-9BEB-F66AC4E54C09} /version=1.0.0.5 /Override=false /IEhome=0 /IEsearch=0 /FFhome=0 /FFsearch=0 /CHhome=0 /CHsearch=0 /FFaddon=1 /CHaddon=1 /AutoSP=0 /regAppName=youtubegizm /txx=1 -regAppName=youtubegizm -txx=2

C:\ProgramData\youtubegizm\tytghn.exe

C:\ProgramData\youtubegizm\tytghn.exe /task=4 /closebr=1 /InstallOn=7 /active=24 /update=24 /interval=2880 /pubId=10001 /affId=100112 /uId={F9543BD4-AD09-4FFA-9BEB-F66AC4E54C09} /version=1.0.0.5 /Override=false /IEhome=0 /IEsearch=0 /FFhome=0 /FFsearch=0 /CHhome=0 /CHsearch=0 /FFaddon=1 /CHaddon=1 /AutoSP=0 /regAppName=youtubegizm /txx=1 -regAppName=youtubegizm -txx=2

Network

Country Destination Domain Proto
US 8.8.8.8:53 ws.xcodelib.net udp

Files

memory/1728-0-0x0000000000090000-0x0000000000091000-memory.dmp

\Users\Admin\AppData\Local\Temp\dgrn.exe

MD5 8c1dac7cbdb70e56c51c9fbba6344eac
SHA1 87db5b38a4674cad776a9ec5f519caa39237a7d6
SHA256 39a84e4d70d4bffe2be3f845a9a0af28a9f0994abdc4150dd83be2795311e632
SHA512 fbf16ae42c904831bbf510f6696cdfdcb903a168f465f0ac667aa9c99c8ba527a18f709c1bb92ceefd4ea895dbb2938735f8fdbd5faca0d993caf8fbe14e6e8a

\Users\Admin\AppData\Local\Temp\nsy1CC5.tmp\InstallerUtils.dll

MD5 35404188c755b622da09b6763fbbc67f
SHA1 2cc1aa24fc19523715abe49decd1a3d2903256f5
SHA256 6f529be86277ab86bde17438b8ea5234a5524efdc840e194ed358740ef8b8a09
SHA512 33e480071e7453d3b63cc76b7f49c42f7ce6cf71fe1736d1e0f8b55e17d16725c76a81bab81e55c449103c40859963e20de2b4fd3542453fdc817af773aaa7fc

\Users\Admin\AppData\Local\Temp\nsy1CC5.tmp\KillProcDLL.dll

MD5 83142eac84475f4ca889c73f10d9c179
SHA1 dbe43c0de8ef881466bd74861b2e5b17598b5ce8
SHA256 ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729
SHA512 1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

\Users\Admin\AppData\Local\Temp\nsy1CC5.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

\Program Files (x86)\youtubegizm\toolbar.dll

MD5 a4efaf7a21baac166810f9790f0c693d
SHA1 eebca444b31d79ad37aec6076ba487942b5df0ea
SHA256 a85bfacf0d2c2d5a6a4b62720a69e1e8fe0347653cf914fe82bb9c74d73bd3b1
SHA512 32ff2899e917c9ae3e959f1183967711067e30dfd5a2f90ab0f33f524710f137561a69c7c3d265336829b1cfe401809906acbfbc7d03dbcd1046ac517b134f40

memory/2664-67-0x0000000003D70000-0x0000000003D93000-memory.dmp

\ProgramData\youtubegizm\tytghn.exe

MD5 6848f0a5a9c58289b025087529aa9b1a
SHA1 8440fa83eab244b3fe75fcdfc60772fdfacde455
SHA256 8142a98010153dedd3d39edffba0f54c64245c90a9489b60d05063a571f54570
SHA512 08ae416e2d16e2c607eac092c28d39514c08a8602642e690ea73b754cdd98e6f7b1de77e8bb0eb8e8a5f8eac5d4745077e98e650f45be2a1b5aeb352dae21dae

C:\ProgramData\youtubegizm\valuese.xml

MD5 227bdc41ed630efdb2061daa15859b68
SHA1 bedb6860595d0ec863bff16ac71337082a58aec2
SHA256 8dfb5773f05bad3c36db328cd2a352791d92c83a94f629360f9ab6ca6c719e6c
SHA512 64c09d8d887943b8b59f2cce210a70158b0720421a10503c29e67f134bbd690ce05572980cd3f813e31801df5aeef4c5b6b9a2d2ec2efaacbbd4a0b2c1299028

C:\ProgramData\youtubegizm\df-ch.crx

MD5 823077becfad4167c3c335d3842661b9
SHA1 368217466bb9e026b03fa9a8da332fe39668ed8e
SHA256 2e29b5278d35428015c563f70b88cd1de1f02b1dd192ca3f362d736a38fb9e10
SHA512 616f4dc16c88f4fcf68262ee0e40af7b7541cf35d845260fe3b51e6e0657adeca9a6d59d376fff1becdf74d337833374e940383c471ae20ccc59426064ed880d

C:\ProgramData\youtubegizm\df-le.xpi

MD5 3595a64e2463ea58d5cb42fc31d9a020
SHA1 377b61362b26d6cec6165d7dac6d13a3ac6b64e2
SHA256 a1f130f44517453e5181fcdc9b3b350b4afca06656d108acf66f3f0254208134
SHA512 cfd9b2cc085c953df88cb06ae18a4e4192a613ab9d1904ee9fef6a4c2cc60bb9e0dfa5005450d164377130659db55946dba146b146bc3ac4465cc91ceb425592

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ox017b3g.Admin\extensions\[email protected]\chrome\content\icon.png

MD5 55c528c592d50cd1a5ef11f2d7814b68
SHA1 d8a3bc30aed31f1198996862316fdfa4a2570027
SHA256 063dc7a4bbc0761c8eb703efa32e3be77dde5a271c48a3239efa43dcc1d9c113
SHA512 c09de16451648c92adcd54f1e44e62cb0cf77e3f56ca81464e3bed841da1d4324bfdae9038bf5b6f27aff2c39e48a4da52793a49145b7a6407707618a6ffbbb1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ox017b3g.Admin\extensions\[email protected]\chrome\content\jquery4toolbar.js

MD5 432e6ce300e0604b682c612aa0de1c82
SHA1 c559ab91e420bdca977c4c4c3f7f5e8564a78fb2
SHA256 6dc68cfa752a170706a347a81ccb8fd5fadf8ff5837823eb9fd5486a6882e65a
SHA512 9a463a5a884c562cfea0afc2f9a22eca258f06c6a8ea79cf4e9612079906c5c44edd50b490c067d1f8456cb1a596636a28ac51e66a10a479302bad752c3b8dc2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ox017b3g.Admin\extensions\[email protected]\chrome\content\fix5.js

MD5 010d54d2fc0c7c7ae39324a6217030f2
SHA1 3d73cbe8cce886b2075b5cea17d136b344814992
SHA256 032f8af38f623f697712273292edb5268a0fa9eebd49f997450f97472794a751
SHA512 ae41156a78a60c472c27ebe5f45458836db8cf7850714f0ecf89414e12b21f0ec320ddc7d5a27db2aec5a6946dd7f436ff82f3d301998f8ae35eb8f979c6d59d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ox017b3g.Admin\extensions\[email protected]\chrome\content\jquery4toolbar.js_126

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ox017b3g.Admin\extensions\[email protected]\chrome\content\lock.js

MD5 02469e8f69f26729bf7373aaf83e7687
SHA1 cee5b53a1b7f93986b9d336ea43e640da532eba6
SHA256 86b85ba075a4af0c0ba4496484f0dd335e4abcb6782495dd0fb936bcf26b5c4f
SHA512 45b75dd965ac95768aaed7bf7ac6e5317bd5ebbfdfde4920930e8258529b25979c0f335f335053538ad0d3940203694f8cde2dc71b57e0ad60adad65f5d763ec

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ox017b3g.Admin\extensions\[email protected]\chrome\content\style.xul

MD5 668dec8a49b6dc8575acc0e34ecd4284
SHA1 9fa09a256602a30dec25e2bb83e5ab8a1ec0bafe
SHA256 022636895ac1faa46a586e7e03e1c9d74b1ee78d48d622f95938800a02b71965
SHA512 94217e798b4258960949265d3ec7f4ba4dc4fb3c6a00fbe952975ba408bcd248e1b7e85f517ed67cee5d3d56cd110c2005d875f6b910e2e4f69bd58706a227ed

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ox017b3g.Admin\extensions\[email protected]\chrome\content\witmain.js

MD5 4e356ed12d6a722c377b5cf30fe1f5ef
SHA1 e1fc58f2f168d12a65e0516efe82cff57237685f
SHA256 9f8baf29d62b8a37159f36e9f9640933b2b66e2a7799caefe7209ebe387ec6a4
SHA512 64df71a519406086e3b9e69a2a4ba98ea79d542414cefdd99adfc589074054b9c88ca5697c0349909628f2868ab2c21b5b256e678de2da6c2574ea6d2644df24

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ox017b3g.Admin\extensions\[email protected]\chrome\content\bubble.js

MD5 e3cf4b651109156221e2072f83be5aa2
SHA1 be06675125c178e3ff2fd78cf57f3d643bec5cc4
SHA256 73cde6a7691f5155a6ea9f8076dda8d00c3c62764331be13ec3ec6053d0c9f84
SHA512 976007787974080f6b30763f61b63c6212b4ca2a234e4f6d52a529c154a8325e7619160f108641e39ae7b405cfe203a092cf4fcdb72252cfa61e8a9afaf93dce

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ox017b3g.Admin\extensions\[email protected]\chrome\content\fix4.js

MD5 4b95306cdc01a9023a3ca1e8c7fcdd61
SHA1 f518c9d20ec181229d35089f685a9588a5b19e7d
SHA256 be576aea3b146bfc77237c2cd65911e05b987c0fc74c588b9ab07ba19ad1067d
SHA512 4733f3eb0f7002b49b6d448ed5f22ed6c13234df46d81014a7ffd008dc77c51e86cc49d7c49c63d7941a0f54cea8693244af0f339d0a5a864ef5a9e8bf47fca8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ox017b3g.Admin\extensions\[email protected]\chrome\content\wittoolbar.js

MD5 cda5b2727e277b095e1c802930ab9a78
SHA1 16898837afad35f9ea3cdb203b3881a1f1cc14b0
SHA256 1f4f851573263382105e35dc1c32014357ea8a5d48a2d3f97e568393ac17307f
SHA512 353175636f3ae56ae97f0587c4f8b819e2ae290594982bbd2a514fe7f702570b506b9d774a7627de57f9c480f80d54a4c48f845330a7a1008fb03edb55f1bf3b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ox017b3g.Admin\extensions\[email protected]\chrome\content\fix3.js

MD5 abdc04c0bb1bac8ee8962aa5e5fba9a8
SHA1 2689078d902bfa6d65483e26d122d0a30d2a6560
SHA256 3bb6e43e497c67e79fb3ac8520fbe07d6a43c9777c57be349a54caf9888ca482
SHA512 55fc2af28251c773c0def012f739e01a505867cdffb387d522f1c2fcabee4f2f8c33706c553b1ff5dc4a1dbee1bbf6926909dfb032ad813863ed2c773e0625cd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ox017b3g.Admin\extensions\[email protected]\chrome\content\fix2.js

MD5 b5ce3889cdd24c2b2e9d540ba1aab48d
SHA1 30d6c76f244e7617c835b3769bfb1fd125e401f1
SHA256 03e704ae5142e05e367aaf51af30485eed881d0c5c581bea3b1752095e444cd0
SHA512 f5a4fb298b53017e212eb92859eb76b138255778cb3a44822e6d5c02791b9911be68bfc1f25eb90414f8adb5160086cae0c247278b1c288d7b0e3f75f21c3023

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ox017b3g.Admin\extensions\[email protected]\chrome.manifest

MD5 71a85ce537dcec64640fb478067e24c3
SHA1 42337f22368a2cd7cfedeb929f26222f2b2b7ae3
SHA256 5010be714b986edeb59eabca51c1296dd9e67138b9d965e9859d5553670a0823
SHA512 8cd49e8d1971623dcf83cbcca200de2296d82596f6fb96840face985c24c6d0a5c67d88d9f47a1b48f66972f4907643c3d5af344f732bfda70199b746d1cac91

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ox017b3g.Admin\extensions\[email protected]\install.rdf

MD5 b61f9abf919fd934d57d4e28a0ecb0a6
SHA1 71a8c728bd7e1b743d1f41d40a500a0548f5784a
SHA256 3d0f2f6c748c73a97df11aad61aa63390bb799990357ebd16a3cc93536b383c9
SHA512 ddfba27925f3f8f460e08c14bee135171dd33597555522f8da278a51a4256d1d0d2469aa42021410635654547741102248c68160920ba12c2b570b892ad107a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ox017b3g.default-release\extensions\[email protected]\chrome\content\jquery4toolbar.js_126

MD5 224c257265b43f4b4e5ebe21e7575dbe
SHA1 4a7990cfea863655aca06e4c7ee708a0641d4e35
SHA256 a63ca336dd561218555d730194dae3b778212d41bc3c164232f5cf627702f90a
SHA512 9559e1c7db6402b2803d953ddadf49195785a642cd9849d8caf3333ee829d6a9e3ee3037234b83a8a2d4fd35eaec346bf313f22874a33d6bf5690fe1ec52cdec

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ox017b3g.default-release\extensions\[email protected]\chrome\content\bubble.xul

MD5 75743b09194736b8fc79a6dd65db177d
SHA1 dbf38a26e0597697d0c6aad15e2515c398753e16
SHA256 f8ad9265fd61883ed00c3907f0f14478c8947b1ebaf1e34196efb5153cf040d6
SHA512 d151f8e97a213a59d3c41206c1aa606f179030c4ce1a24c5fb8aca17b7b783b46a9e1dc682366a3ddabe450d38b7b40cc714e23e0fced4e2a35b02ed20e1d30f

C:\Windows\Tasks\youtubegizm Chrome Watcher.job

MD5 cda413c90d1727f2acc10f9e23e4826c
SHA1 56c134c0a5cdfdd912f8e9255b2b1dfc4d477c12
SHA256 b7ed708e2ca9e7ec02db8dbaa9ebbfd525246735582ac3ed251c362a52896992
SHA512 1ecc03a4aabc4f2c4808b9e042458deda73e5322852620f721c447e6995c1ec7afab56c07170b4dfb56d365fa218bcdb8eb73743bfd1c8c6fc940ce3fda1b577

C:\Program Files (x86)\youtubegizm\uninstall.exe

MD5 e1d78645e28a354ba6befc0eeea3f9e6
SHA1 798b38664638bfbe2ef336eece6f0b07e7005383
SHA256 1136a88c7b3c8816eae66a34c5e6789252fd5e65607618d098683196e9abc44b
SHA512 491862a3443c9d0f86c7d68f07e47c4bb365a8d46aa0e705843fe298efa80ed20f3ed084bdcf2fef9effc5e194bc3fa83937281d203ec60fd87a1ecc8eb44a77

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 01:07

Reported

2024-06-03 01:09

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_935912c06997a8f013d146ae97a732d4_mafia.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2024-06-03_935912c06997a8f013d146ae97a732d4_mafia.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\ProgramData\youtubegizm\tytghn.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
N/A N/A C:\ProgramData\youtubegizm\tytghn.exe N/A
N/A N/A C:\ProgramData\youtubegizm\tytghn.exe N/A
N/A N/A C:\ProgramData\youtubegizm\tytghn.exe N/A
N/A N/A C:\ProgramData\youtubegizm\tytghn.exe N/A
N/A N/A C:\ProgramData\youtubegizm\tytghn.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54} C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}\ = "script helper for ie" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{963B125B-8B21-49A2-A3A8-E37092276531} C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{963B125B-8B21-49A2-A3A8-E37092276531}\ = "Update Timer" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\youtubegizm\updatebhoWin32.dll C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
File created C:\Program Files (x86)\youtubegizm\jsloader.dll C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
File created C:\Program Files (x86)\youtubegizm\toolbar.dll C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
File created C:\Program Files (x86)\youtubegizm\logo.ico C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
File created C:\Program Files (x86)\youtubegizm\updater.ini C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
File created C:\Program Files (x86)\youtubegizm\uninstall.exe C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
File created C:\Program Files (x86)\youtubegizm\terms.lnk.url C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
File created C:\Program Files (x86)\youtubegizm\tdataprotocol.dll C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
File created C:\Program Files (x86)\youtubegizm\widgetserv.exe C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\youtubegizm FireFox Watcher.job C:\ProgramData\youtubegizm\tytghn.exe N/A
File opened for modification C:\Windows\Tasks\youtubegizm Chrome Watcher.job C:\ProgramData\youtubegizm\tytghn.exe N/A
File created C:\Windows\Tasks\youtubegizm Stats Report.job C:\ProgramData\youtubegizm\tytghn.exe N/A
File created C:\Windows\Tasks\youtubegizm Update Checker.job C:\ProgramData\youtubegizm\tytghn.exe N/A
File created C:\Windows\Tasks\youtubegizm Runner.job C:\ProgramData\youtubegizm\tytghn.exe N/A
File opened for modification C:\Windows\Tasks\youtubegizm FireFox Watcher.job C:\ProgramData\youtubegizm\tytghn.exe N/A
File created C:\Windows\Tasks\youtubegizm Chrome Watcher.job C:\ProgramData\youtubegizm\tytghn.exe N/A
File opened for modification C:\Windows\Tasks\youtubegizm Stats Report.job C:\ProgramData\youtubegizm\tytghn.exe N/A
File opened for modification C:\Windows\Tasks\youtubegizm Stats Report.job C:\ProgramData\youtubegizm\tytghn.exe N/A
File opened for modification C:\Windows\Tasks\youtubegizm Update Checker.job C:\ProgramData\youtubegizm\tytghn.exe N/A
File opened for modification C:\Windows\Tasks\youtubegizm Runner.job C:\ProgramData\youtubegizm\tytghn.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{963B125B-8B21-49A2-A3A8-E37092276531} C:\ProgramData\youtubegizm\tytghn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\ C:\ProgramData\youtubegizm\tytghn.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Approved Extensions C:\ProgramData\youtubegizm\tytghn.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\ProgramData\youtubegizm\tytghn.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Approved Extensions C:\ProgramData\youtubegizm\tytghn.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\ProgramData\youtubegizm\tytghn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{963B125B-8B21-49A2-A3A8-E37092276531} C:\ProgramData\youtubegizm\tytghn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\ C:\ProgramData\youtubegizm\tytghn.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\wit4ie.WitBHO.2\CLSID\ = "{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wit4ie.WitBHO\CLSID C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{848B6490-7D35-4482-8C9F-C1350C53C5A5}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9F0C17EB-EF2C-4278-9136-2D547656BC03}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9F0C17EB-EF2C-4278-9136-2D547656BC03} C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\wit4ie.DLL\AppID = "{20EDC024-43C5-423E-B7F5-FD93523E0D9F}" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{830B56CB-FD22-44AA-9887-7898F4F4158D}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\youtubegizm" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{20EDC024-43C5-423E-B7F5-FD93523E0D9F} C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}\VersionIndependentProgID\ = "wit4ie.WitBHO" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FA44816-ECC1-4582-89C8-C8B043BA7656}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{848B6490-7D35-4482-8C9F-C1350C53C5A5} C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{373ED12D-B306-43AC-9485-A7C5133DC34C}\ = "updatebho" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\updatebho.TimerBHO\CLSID\ = "{963B125B-8B21-49A2-A3A8-E37092276531}" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\tdataprotocol.CTData\CurVer C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{20EDC024-43C5-423E-B7F5-FD93523E0D9F}\ = "wit4ie" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\updatebho.TimerBHO\CLSID C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{963B125B-8B21-49A2-A3A8-E37092276531}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{963B125B-8B21-49A2-A3A8-E37092276531}\InprocServer32\ = "C:\\Program Files (x86)\\youtubegizm\\updatebhoWin32.dll" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}\1.0\0 C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9F0C17EB-EF2C-4278-9136-2D547656BC03}\TypeLib C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9F0C17EB-EF2C-4278-9136-2D547656BC03}\TypeLib\ = "{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\tdataprotocol.CTData.1\CLSID C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wit4ie.WitBHO\CurVer C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wit4ie.WitBHO.2\CLSID C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{848B6490-7D35-4482-8C9F-C1350C53C5A5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{848B6490-7D35-4482-8C9F-C1350C53C5A5} C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{963B125B-8B21-49A2-A3A8-E37092276531}\ProgID\ = "updatebho.TimerBHO.1" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\wit4ie.WitBHO.2\ = "ygBHO Class" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\wit4ie.WitBHO\ = "ygBHO Class" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}\ = "ygBHO Class" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{848B6490-7D35-4482-8C9F-C1350C53C5A5}\TypeLib C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\prox C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FA44816-ECC1-4582-89C8-C8B043BA7656}\1.0\0\win32\ = "C:\\Program Files (x86)\\youtubegizm\\jsloader.dll" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\updatebho.TimerBHO.1 C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{963B125B-8B21-49A2-A3A8-E37092276531}\ = "ytg timer" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}\ProgID\ = "tdataprotocol.CTData.1" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\chrome C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\youtubegizm" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\updatebho.TimerBHO C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{848B6490-7D35-4482-8C9F-C1350C53C5A5}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9F0C17EB-EF2C-4278-9136-2D547656BC03} C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{ED6535E7-F778-48A5-A060-549D30024511}\ = "tdataprotocol" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{830B56CB-FD22-44AA-9887-7898F4F4158D}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{830B56CB-FD22-44AA-9887-7898F4F4158D}\1.0\0 C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{830B56CB-FD22-44AA-9887-7898F4F4158D}\1.0\0\win32\ = "C:\\Program Files (x86)\\youtubegizm\\tdataprotocol.dll" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FA44816-ECC1-4582-89C8-C8B043BA7656}\1.0\ = "wit4ie 2.0 Type Library" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\updatebho.DLL\AppID = "{373ED12D-B306-43AC-9485-A7C5133DC34C}" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\tdataprotocol.CTData\ = "CTData Class" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\prox\CLSID = "{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wit4ie.WitBHO C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FA44816-ECC1-4582-89C8-C8B043BA7656}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{848B6490-7D35-4482-8C9F-C1350C53C5A5}\TypeLib\ = "{1FA44816-ECC1-4582-89C8-C8B043BA7656}" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\tdataprotocol.CTData\CurVer\ = "tdataprotocol.CTData.1" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A} C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}\1.0\0\win32\ = "C:\\Program Files (x86)\\youtubegizm\\updatebhoWin32.dll" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9F0C17EB-EF2C-4278-9136-2D547656BC03}\ = "ITimerBHO" C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
N/A N/A C:\ProgramData\youtubegizm\tytghn.exe N/A
N/A N/A C:\ProgramData\youtubegizm\tytghn.exe N/A
N/A N/A C:\ProgramData\youtubegizm\tytghn.exe N/A
N/A N/A C:\ProgramData\youtubegizm\tytghn.exe N/A
N/A N/A C:\ProgramData\youtubegizm\tytghn.exe N/A
N/A N/A C:\ProgramData\youtubegizm\tytghn.exe N/A
N/A N/A C:\ProgramData\youtubegizm\tytghn.exe N/A
N/A N/A C:\ProgramData\youtubegizm\tytghn.exe N/A
N/A N/A C:\ProgramData\youtubegizm\tytghn.exe N/A
N/A N/A C:\ProgramData\youtubegizm\tytghn.exe N/A
N/A N/A C:\ProgramData\youtubegizm\tytghn.exe N/A
N/A N/A C:\ProgramData\youtubegizm\tytghn.exe N/A
N/A N/A C:\ProgramData\youtubegizm\tytghn.exe N/A
N/A N/A C:\ProgramData\youtubegizm\tytghn.exe N/A
N/A N/A C:\ProgramData\youtubegizm\tytghn.exe N/A
N/A N/A C:\ProgramData\youtubegizm\tytghn.exe N/A
N/A N/A C:\ProgramData\youtubegizm\tytghn.exe N/A
N/A N/A C:\ProgramData\youtubegizm\tytghn.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2384 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_935912c06997a8f013d146ae97a732d4_mafia.exe C:\Users\Admin\AppData\Local\Temp\dgrn.exe
PID 2384 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_935912c06997a8f013d146ae97a732d4_mafia.exe C:\Users\Admin\AppData\Local\Temp\dgrn.exe
PID 2384 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-03_935912c06997a8f013d146ae97a732d4_mafia.exe C:\Users\Admin\AppData\Local\Temp\dgrn.exe
PID 624 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe C:\ProgramData\youtubegizm\tytghn.exe
PID 624 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe C:\ProgramData\youtubegizm\tytghn.exe
PID 624 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\dgrn.exe C:\ProgramData\youtubegizm\tytghn.exe
PID 4296 wrote to memory of 3816 N/A C:\ProgramData\youtubegizm\tytghn.exe C:\Windows\SysWOW64\taskkill.exe
PID 4296 wrote to memory of 3816 N/A C:\ProgramData\youtubegizm\tytghn.exe C:\Windows\SysWOW64\taskkill.exe
PID 4296 wrote to memory of 3816 N/A C:\ProgramData\youtubegizm\tytghn.exe C:\Windows\SysWOW64\taskkill.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext C:\ProgramData\youtubegizm\tytghn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\DisableAddonLoadTimePerformanceNotifications = "1" C:\ProgramData\youtubegizm\tytghn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext C:\ProgramData\youtubegizm\tytghn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\DisableAddonLoadTimePerformanceNotifications = "1" C:\ProgramData\youtubegizm\tytghn.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-03_935912c06997a8f013d146ae97a732d4_mafia.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-03_935912c06997a8f013d146ae97a732d4_mafia.exe"

C:\Users\Admin\AppData\Local\Temp\dgrn.exe

"C:\Users\Admin\AppData\Local\Temp\dgrn.exe"

C:\ProgramData\youtubegizm\tytghn.exe

"C:\ProgramData\youtubegizm\tytghn.exe" /closebr=1 /InstallOn=7 /active=24 /update=24 /interval=2880 /pubId=10001 /affId=100112 /uId={DF6B516B-78A8-4FFA-8130-9593E2949416} /version=1.0.0.5 /Override=false /Firstime=1 /IEhome=0 /IEsearch=0 /FFhome=0 /FFsearch=0 /CHhome=0 /CHsearch=0 /FFaddon=1 /CHaddon=1 /AutoSP=0 /regAppName=youtubegizm /txx=1 -regAppName=youtubegizm -txx=2

C:\Windows\SysWOW64\taskkill.exe

"C:\Windows\System32\taskkill.exe" /F /IM IExplore.exe

C:\ProgramData\youtubegizm\tytghn.exe

C:\ProgramData\youtubegizm\tytghn.exe /task=0 /closebr=1 /InstallOn=7 /active=24 /update=24 /interval=2880 /pubId=10001 /affId=100112 /uId={DF6B516B-78A8-4FFA-8130-9593E2949416} /version=1.0.0.5 /Override=false /IEhome=0 /IEsearch=0 /FFhome=0 /FFsearch=0 /CHhome=0 /CHsearch=0 /FFaddon=1 /CHaddon=1 /AutoSP=0 /regAppName=youtubegizm /txx=1 -regAppName=youtubegizm -txx=2

C:\ProgramData\youtubegizm\tytghn.exe

C:\ProgramData\youtubegizm\tytghn.exe /task=1 /closebr=1 /InstallOn=7 /active=24 /update=24 /interval=2880 /pubId=10001 /affId=100112 /uId={DF6B516B-78A8-4FFA-8130-9593E2949416} /version=1.0.0.5 /Override=false /IEhome=0 /IEsearch=0 /FFhome=0 /FFsearch=0 /CHhome=0 /CHsearch=0 /FFaddon=1 /CHaddon=1 /AutoSP=0 /regAppName=youtubegizm /txx=1 -regAppName=youtubegizm -txx=2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1344 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8

C:\ProgramData\youtubegizm\tytghn.exe

C:\ProgramData\youtubegizm\tytghn.exe /task=2 /closebr=1 /InstallOn=7 /active=24 /update=24 /interval=2880 /pubId=10001 /affId=100112 /uId={DF6B516B-78A8-4FFA-8130-9593E2949416} /version=1.0.0.5 /Override=false /IEhome=0 /IEsearch=0 /FFhome=0 /FFsearch=0 /CHhome=0 /CHsearch=0 /FFaddon=1 /CHaddon=1 /AutoSP=0 /regAppName=youtubegizm /txx=1 -regAppName=youtubegizm -txx=2

C:\ProgramData\youtubegizm\tytghn.exe

C:\ProgramData\youtubegizm\tytghn.exe /task=4 /closebr=1 /InstallOn=7 /active=24 /update=24 /interval=2880 /pubId=10001 /affId=100112 /uId={DF6B516B-78A8-4FFA-8130-9593E2949416} /version=1.0.0.5 /Override=false /IEhome=0 /IEsearch=0 /FFhome=0 /FFsearch=0 /CHhome=0 /CHsearch=0 /FFaddon=1 /CHaddon=1 /AutoSP=0 /regAppName=youtubegizm /txx=1 -regAppName=youtubegizm -txx=2

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 ws.xcodelib.net udp
US 8.8.8.8:53 ws.xcodelib.net udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 ws.xcodelib.net udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 ws.xcodelib.net udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 104.193.132.51.in-addr.arpa udp

Files

memory/2384-0-0x0000000000740000-0x0000000000741000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dgrn.exe

MD5 8c1dac7cbdb70e56c51c9fbba6344eac
SHA1 87db5b38a4674cad776a9ec5f519caa39237a7d6
SHA256 39a84e4d70d4bffe2be3f845a9a0af28a9f0994abdc4150dd83be2795311e632
SHA512 fbf16ae42c904831bbf510f6696cdfdcb903a168f465f0ac667aa9c99c8ba527a18f709c1bb92ceefd4ea895dbb2938735f8fdbd5faca0d993caf8fbe14e6e8a

C:\Users\Admin\AppData\Local\Temp\nsm7069.tmp\InstallerUtils.dll

MD5 35404188c755b622da09b6763fbbc67f
SHA1 2cc1aa24fc19523715abe49decd1a3d2903256f5
SHA256 6f529be86277ab86bde17438b8ea5234a5524efdc840e194ed358740ef8b8a09
SHA512 33e480071e7453d3b63cc76b7f49c42f7ce6cf71fe1736d1e0f8b55e17d16725c76a81bab81e55c449103c40859963e20de2b4fd3542453fdc817af773aaa7fc

C:\Users\Admin\AppData\Local\Temp\nsm7069.tmp\KillProcDLL.dll

MD5 83142eac84475f4ca889c73f10d9c179
SHA1 dbe43c0de8ef881466bd74861b2e5b17598b5ce8
SHA256 ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729
SHA512 1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

C:\Users\Admin\AppData\Local\Temp\nsm7069.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

C:\Program Files (x86)\youtubegizm\toolbar.dll

MD5 a4efaf7a21baac166810f9790f0c693d
SHA1 eebca444b31d79ad37aec6076ba487942b5df0ea
SHA256 a85bfacf0d2c2d5a6a4b62720a69e1e8fe0347653cf914fe82bb9c74d73bd3b1
SHA512 32ff2899e917c9ae3e959f1183967711067e30dfd5a2f90ab0f33f524710f137561a69c7c3d265336829b1cfe401809906acbfbc7d03dbcd1046ac517b134f40

memory/624-72-0x0000000003450000-0x0000000003473000-memory.dmp

C:\ProgramData\youtubegizm\tytghn.exe

MD5 6848f0a5a9c58289b025087529aa9b1a
SHA1 8440fa83eab244b3fe75fcdfc60772fdfacde455
SHA256 8142a98010153dedd3d39edffba0f54c64245c90a9489b60d05063a571f54570
SHA512 08ae416e2d16e2c607eac092c28d39514c08a8602642e690ea73b754cdd98e6f7b1de77e8bb0eb8e8a5f8eac5d4745077e98e650f45be2a1b5aeb352dae21dae

C:\ProgramData\youtubegizm\valuese.xml

MD5 227bdc41ed630efdb2061daa15859b68
SHA1 bedb6860595d0ec863bff16ac71337082a58aec2
SHA256 8dfb5773f05bad3c36db328cd2a352791d92c83a94f629360f9ab6ca6c719e6c
SHA512 64c09d8d887943b8b59f2cce210a70158b0720421a10503c29e67f134bbd690ce05572980cd3f813e31801df5aeef4c5b6b9a2d2ec2efaacbbd4a0b2c1299028

C:\ProgramData\youtubegizm\df-ch.crx

MD5 823077becfad4167c3c335d3842661b9
SHA1 368217466bb9e026b03fa9a8da332fe39668ed8e
SHA256 2e29b5278d35428015c563f70b88cd1de1f02b1dd192ca3f362d736a38fb9e10
SHA512 616f4dc16c88f4fcf68262ee0e40af7b7541cf35d845260fe3b51e6e0657adeca9a6d59d376fff1becdf74d337833374e940383c471ae20ccc59426064ed880d

memory/4296-88-0x0000000002B10000-0x0000000002B11000-memory.dmp

C:\ProgramData\youtubegizm\df-le.xpi

MD5 3595a64e2463ea58d5cb42fc31d9a020
SHA1 377b61362b26d6cec6165d7dac6d13a3ac6b64e2
SHA256 a1f130f44517453e5181fcdc9b3b350b4afca06656d108acf66f3f0254208134
SHA512 cfd9b2cc085c953df88cb06ae18a4e4192a613ab9d1904ee9fef6a4c2cc60bb9e0dfa5005450d164377130659db55946dba146b146bc3ac4465cc91ceb425592

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\extensions\[email protected]\chrome\content\icon.png

MD5 55c528c592d50cd1a5ef11f2d7814b68
SHA1 d8a3bc30aed31f1198996862316fdfa4a2570027
SHA256 063dc7a4bbc0761c8eb703efa32e3be77dde5a271c48a3239efa43dcc1d9c113
SHA512 c09de16451648c92adcd54f1e44e62cb0cf77e3f56ca81464e3bed841da1d4324bfdae9038bf5b6f27aff2c39e48a4da52793a49145b7a6407707618a6ffbbb1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\extensions\[email protected]\chrome\content\jquery4toolbar.js

MD5 432e6ce300e0604b682c612aa0de1c82
SHA1 c559ab91e420bdca977c4c4c3f7f5e8564a78fb2
SHA256 6dc68cfa752a170706a347a81ccb8fd5fadf8ff5837823eb9fd5486a6882e65a
SHA512 9a463a5a884c562cfea0afc2f9a22eca258f06c6a8ea79cf4e9612079906c5c44edd50b490c067d1f8456cb1a596636a28ac51e66a10a479302bad752c3b8dc2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\extensions\[email protected]\chrome\content\fix5.js

MD5 010d54d2fc0c7c7ae39324a6217030f2
SHA1 3d73cbe8cce886b2075b5cea17d136b344814992
SHA256 032f8af38f623f697712273292edb5268a0fa9eebd49f997450f97472794a751
SHA512 ae41156a78a60c472c27ebe5f45458836db8cf7850714f0ecf89414e12b21f0ec320ddc7d5a27db2aec5a6946dd7f436ff82f3d301998f8ae35eb8f979c6d59d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\extensions\[email protected]\chrome\content\jquery4toolbar.js_126

MD5 224c257265b43f4b4e5ebe21e7575dbe
SHA1 4a7990cfea863655aca06e4c7ee708a0641d4e35
SHA256 a63ca336dd561218555d730194dae3b778212d41bc3c164232f5cf627702f90a
SHA512 9559e1c7db6402b2803d953ddadf49195785a642cd9849d8caf3333ee829d6a9e3ee3037234b83a8a2d4fd35eaec346bf313f22874a33d6bf5690fe1ec52cdec

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\extensions\[email protected]\chrome\content\lock.js

MD5 02469e8f69f26729bf7373aaf83e7687
SHA1 cee5b53a1b7f93986b9d336ea43e640da532eba6
SHA256 86b85ba075a4af0c0ba4496484f0dd335e4abcb6782495dd0fb936bcf26b5c4f
SHA512 45b75dd965ac95768aaed7bf7ac6e5317bd5ebbfdfde4920930e8258529b25979c0f335f335053538ad0d3940203694f8cde2dc71b57e0ad60adad65f5d763ec

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\extensions\[email protected]\chrome\content\bubble.xul

MD5 75743b09194736b8fc79a6dd65db177d
SHA1 dbf38a26e0597697d0c6aad15e2515c398753e16
SHA256 f8ad9265fd61883ed00c3907f0f14478c8947b1ebaf1e34196efb5153cf040d6
SHA512 d151f8e97a213a59d3c41206c1aa606f179030c4ce1a24c5fb8aca17b7b783b46a9e1dc682366a3ddabe450d38b7b40cc714e23e0fced4e2a35b02ed20e1d30f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\extensions\[email protected]\chrome\content\witutils.js

MD5 e98815b4088c11d052fce961ea863308
SHA1 0aa226ffcbc73b435f0bf19a4f658a111f572e3d
SHA256 aa7546f7a02f77a48f737644272ae18d1ec4e7fc51756d406af88e530cb8b489
SHA512 ee86a07cda4fc7cca9947dacadbf3d5d8eb63b7f0529c20d506bb75bd99de60c2dd7b354149d8ad2ba70f40fa133aa79fc619a410786d51f45f14a7a65a1d6c9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\extensions\[email protected]\chrome\content\style.xul

MD5 668dec8a49b6dc8575acc0e34ecd4284
SHA1 9fa09a256602a30dec25e2bb83e5ab8a1ec0bafe
SHA256 022636895ac1faa46a586e7e03e1c9d74b1ee78d48d622f95938800a02b71965
SHA512 94217e798b4258960949265d3ec7f4ba4dc4fb3c6a00fbe952975ba408bcd248e1b7e85f517ed67cee5d3d56cd110c2005d875f6b910e2e4f69bd58706a227ed

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\extensions\[email protected]\chrome\content\witmain.js

MD5 4e356ed12d6a722c377b5cf30fe1f5ef
SHA1 e1fc58f2f168d12a65e0516efe82cff57237685f
SHA256 9f8baf29d62b8a37159f36e9f9640933b2b66e2a7799caefe7209ebe387ec6a4
SHA512 64df71a519406086e3b9e69a2a4ba98ea79d542414cefdd99adfc589074054b9c88ca5697c0349909628f2868ab2c21b5b256e678de2da6c2574ea6d2644df24

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\extensions\[email protected]\chrome\content\witapi.js

MD5 c48275070dec1182b66f0932024c41d1
SHA1 3093164946b041dc4b13d1e251113da232e8bdeb
SHA256 577d9b9f3a4ee376f6863194ed322d5cfe3ab0afcb8a2b45520f0bc32e4c97e1
SHA512 f25688e437f0c23f3ac0a0e452613a23a1663813e6700740ca5049d6fb36adc26f66187b903f46aaa8ff455969d46f3026c4d126fb7adeddcf0f113c7dd7e5ab

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\extensions\[email protected]\chrome\content\bubble.js

MD5 e3cf4b651109156221e2072f83be5aa2
SHA1 be06675125c178e3ff2fd78cf57f3d643bec5cc4
SHA256 73cde6a7691f5155a6ea9f8076dda8d00c3c62764331be13ec3ec6053d0c9f84
SHA512 976007787974080f6b30763f61b63c6212b4ca2a234e4f6d52a529c154a8325e7619160f108641e39ae7b405cfe203a092cf4fcdb72252cfa61e8a9afaf93dce

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\extensions\[email protected]\chrome\content\fix4.js

MD5 4b95306cdc01a9023a3ca1e8c7fcdd61
SHA1 f518c9d20ec181229d35089f685a9588a5b19e7d
SHA256 be576aea3b146bfc77237c2cd65911e05b987c0fc74c588b9ab07ba19ad1067d
SHA512 4733f3eb0f7002b49b6d448ed5f22ed6c13234df46d81014a7ffd008dc77c51e86cc49d7c49c63d7941a0f54cea8693244af0f339d0a5a864ef5a9e8bf47fca8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\extensions\[email protected]\chrome\content\wittoolbar.js

MD5 cda5b2727e277b095e1c802930ab9a78
SHA1 16898837afad35f9ea3cdb203b3881a1f1cc14b0
SHA256 1f4f851573263382105e35dc1c32014357ea8a5d48a2d3f97e568393ac17307f
SHA512 353175636f3ae56ae97f0587c4f8b819e2ae290594982bbd2a514fe7f702570b506b9d774a7627de57f9c480f80d54a4c48f845330a7a1008fb03edb55f1bf3b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\extensions\[email protected]\chrome\content\fix3.js

MD5 abdc04c0bb1bac8ee8962aa5e5fba9a8
SHA1 2689078d902bfa6d65483e26d122d0a30d2a6560
SHA256 3bb6e43e497c67e79fb3ac8520fbe07d6a43c9777c57be349a54caf9888ca482
SHA512 55fc2af28251c773c0def012f739e01a505867cdffb387d522f1c2fcabee4f2f8c33706c553b1ff5dc4a1dbee1bbf6926909dfb032ad813863ed2c773e0625cd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\extensions\[email protected]\chrome\content\fix2.js

MD5 b5ce3889cdd24c2b2e9d540ba1aab48d
SHA1 30d6c76f244e7617c835b3769bfb1fd125e401f1
SHA256 03e704ae5142e05e367aaf51af30485eed881d0c5c581bea3b1752095e444cd0
SHA512 f5a4fb298b53017e212eb92859eb76b138255778cb3a44822e6d5c02791b9911be68bfc1f25eb90414f8adb5160086cae0c247278b1c288d7b0e3f75f21c3023

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\extensions\[email protected]\chrome.manifest

MD5 71a85ce537dcec64640fb478067e24c3
SHA1 42337f22368a2cd7cfedeb929f26222f2b2b7ae3
SHA256 5010be714b986edeb59eabca51c1296dd9e67138b9d965e9859d5553670a0823
SHA512 8cd49e8d1971623dcf83cbcca200de2296d82596f6fb96840face985c24c6d0a5c67d88d9f47a1b48f66972f4907643c3d5af344f732bfda70199b746d1cac91

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\extensions\[email protected]\components\handleProtocol.js

MD5 1f3402859b63193c40a54f466a8f7a46
SHA1 e4060e5def7dfe2c31123098f7e9f552a71ac993
SHA256 07afcbcddb1b2ee757d4e4d5367bf8f50bf7cbb0b815a83513d4a3bf1bbc2679
SHA512 cf3edf88d4d48905a1ba393452503142ec3e7031cd7d0645cba79a667d3642496e487d2e9d04fbec16dfd91e1fa35ca343754053a53185fe44820150e8e5eedd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\extensions\[email protected]\install.rdf

MD5 b61f9abf919fd934d57d4e28a0ecb0a6
SHA1 71a8c728bd7e1b743d1f41d40a500a0548f5784a
SHA256 3d0f2f6c748c73a97df11aad61aa63390bb799990357ebd16a3cc93536b383c9
SHA512 ddfba27925f3f8f460e08c14bee135171dd33597555522f8da278a51a4256d1d0d2469aa42021410635654547741102248c68160920ba12c2b570b892ad107a7

C:\Windows\Tasks\youtubegizm Chrome Watcher.job

MD5 1cbf9728b997e9aeda6b06002567dee6
SHA1 188f1ecd4701f275a22eec363d82800a607d227f
SHA256 9d01e4d8f6a36984a4d09c80932f9e92b50e443afc87a5150be031c37bd3f2cb
SHA512 16636ad721fdfc4a86a0c9b9f6480dc3c850950e1e95fdfead0f639be700b950da3e06ef31745e9bdd12a95a96acb0d70daab2eeb1f61bb29970dd10143c0e35

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xvu9bdak.Admin\extensions\[email protected]\chrome\content\witutils.js

MD5 4a0ffcc5c6b8117eec0051ed49f3ea57
SHA1 34ba5afc0a359dfa005092e861c60bffe2e0ee87
SHA256 7ea8a8a9329d2752b451768ef33f1ef32a7e6e44fb0ef782a71b7c936d003876
SHA512 f21ad0156ee3640201f1d8a91695f97200eb570897ea314214977ecd61ee949998a17287c0941e49c9f16a2e787e668d2cee32da9339d9ce3b7bc4006bb0bcf4

C:\Windows\Tasks\youtubegizm Chrome Watcher.job

MD5 5ef9b439392e72568d8c8da7985b7c41
SHA1 5e374b7d6cdfad67eee4c22d2986d33038156395
SHA256 b91039eeeef89a337264408d7c2153ebf251ef09d71429c24de4ef0d6f5f42b5
SHA512 f97686a9da5a4ba487f57fbc17ae86d189918cb94e318a0761ddbc1a634b6db19941f908e9946c1adfe6c0ec64b750f5c0564a53d9e18ccd6ac573bd0cfeb7e6

C:\Windows\Tasks\youtubegizm FireFox Watcher.job

MD5 4739dd1cc17e9d740b966fefa548460c
SHA1 9d4a4c21b1ccf8761280fb13151b3c77c57e7759
SHA256 3311f5a17014bc2d503f3591cff04d6c1bb339f0c5da774062d73f664ad80c37
SHA512 36a60ab145c414d3bd2cdad52ca193c3a281281b08bb46026e7574d6a05915c129d321e0fbe18f4ea5f7c43eba3e8e24a895b807c7bd487848b8a84b68d5b649

C:\Windows\Tasks\youtubegizm Stats Report.job

MD5 39dd3e0a5133391d1fa540a0849685b1
SHA1 7769215043232084778f548c6ddf6d6d2a80e3b7
SHA256 cc2df2741d0accf3152846f323dbeec7c780d58e735ba14db22db6c164a5106a
SHA512 f37d491809056bf839ace8f12ff70842c5f5ef19cbb910efd42d870524da9500041f0252c417afe4d1bc38f2f84e59da74c655503c6c23091c54bfef4bdb75cf

C:\Program Files (x86)\youtubegizm\tdataprotocol.dll

MD5 ffdc730ec5f8b90e4dda0c7685650c9d
SHA1 0f052108bcef14beffb6f325981b22fc40c7d047
SHA256 2373e11595d02e279ed64925233f802e03f8e68f3d85649e360b0db17e1e191e
SHA512 172914e1c1e69da1eb1844fc2a7c10de153e7ad1c97ad5bd9821ca82a0ab37838085cdc2ae9d3301a1d900662f4b9fc0c2737ff97e02566320d08630e4ac327c

C:\Program Files (x86)\youtubegizm\jsloader.dll

MD5 51d72c5c44c3cadb21128c225ba7a569
SHA1 94da06230ffbbe9f4d22e9b0422a279004a7b848
SHA256 50c36830ca56b2a9ccbecd650767af742bd1a2fc4cc18ac9cd2d18d8da8259c1
SHA512 2ec980a01e8f237bc863686bba0f35ae291b3626356905c0889086bf71c3362411984ad2af6fbba893863105852fae36be8cdd34798f46128486eedb67b9569a

C:\Program Files (x86)\youtubegizm\updatebhoWin32.dll

MD5 4ef3b332db3d6b45c47414e056d99ad3
SHA1 fdec55c9fc31e9e65a832407d0e843433d75bc14
SHA256 601e473f4f509ebb12b3b0a47f979819ddc64cd5aa768abacdf6e67a6cb3eeb7
SHA512 26f924340779b52683f660468974da5d42c9dc05f9d25764527ca343054bec7f42cc90e384c1316130af67399dc60bc2ca1000738a3f214a9a9aea492ddbdc4a