Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-11-2024 21:33

General

  • Target

    90c5970f56673b5d52cf32f11096c130_JaffaCakes118.exe

  • Size

    1.2MB

  • MD5

    90c5970f56673b5d52cf32f11096c130

  • SHA1

    b28a516be658cfaf6846a7b2f2107c24a7583547

  • SHA256

    41c90ad0616b16fc303bd6603b286ac5e0a85e4daaeecf65e40608ab2592c807

  • SHA512

    e69796574fdefd075acfef86588f0964b5b0b750218d7477ce714ed5494e7e02b01b9c8cab3bfdc6521ca15a630a2831e0cdd8449112abfc5577bdf5d9c91b3d

  • SSDEEP

    24576:xbiugqOlMjQmxYIGWLREnemIMBdxdUrs/KUTZ4stkLNcsRgluoGhNj3:xbLgmjs8LRE9VdvUrC1TZXyvXD

Malware Config

Signatures

  • Panda Stealer payload 1 IoCs
  • PandaStealer

    Panda Stealer is a fork of CollectorProject Stealer written in C++.

  • Pandastealer family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 12 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 5 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in Program Files directory 9 IoCs
  • Drops file in Windows directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • NSIS installer 2 IoCs
  • Kills process with taskkill 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\90c5970f56673b5d52cf32f11096c130_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\90c5970f56673b5d52cf32f11096c130_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2680
    • C:\Users\Admin\AppData\Local\Temp\dgrn.exe
      "C:\Users\Admin\AppData\Local\Temp\dgrn.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3940
      • C:\ProgramData\youtubegizm\tytghn.exe
        "C:\ProgramData\youtubegizm\tytghn.exe" /closebr=1 /InstallOn=7 /active=24 /update=24 /interval=2880 /pubId=10005 /affId=100105 /uId={67F3F866-F61D-4512-A659-99435E1A2F09} /version=1.0.0.5 /Override=false /Firstime=1 /IEhome=0 /IEsearch=0 /FFhome=0 /FFsearch=0 /CHhome=0 /CHsearch=0 /FFaddon=1 /CHaddon=1 /AutoSP=0 /regAppName=youtubegizm /txx=1 -regAppName=youtubegizm -txx=2
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:840
        • C:\Windows\SysWOW64\taskkill.exe
          "C:\Windows\System32\taskkill.exe" /F /IM IExplore.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4192
  • C:\ProgramData\youtubegizm\tytghn.exe
    C:\ProgramData\youtubegizm\tytghn.exe /task=0 /closebr=1 /InstallOn=7 /active=24 /update=24 /interval=2880 /pubId=10005 /affId=100105 /uId={67F3F866-F61D-4512-A659-99435E1A2F09} /version=1.0.0.5 /Override=false /IEhome=0 /IEsearch=0 /FFhome=0 /FFsearch=0 /CHhome=0 /CHsearch=0 /FFaddon=1 /CHaddon=1 /AutoSP=0 /regAppName=youtubegizm /txx=1 -regAppName=youtubegizm -txx=2
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious behavior: EnumeratesProcesses
    • System policy modification
    PID:2840
  • C:\ProgramData\youtubegizm\tytghn.exe
    C:\ProgramData\youtubegizm\tytghn.exe /task=1 /closebr=1 /InstallOn=7 /active=24 /update=24 /interval=2880 /pubId=10005 /affId=100105 /uId={67F3F866-F61D-4512-A659-99435E1A2F09} /version=1.0.0.5 /Override=false /IEhome=0 /IEsearch=0 /FFhome=0 /FFsearch=0 /CHhome=0 /CHsearch=0 /FFaddon=1 /CHaddon=1 /AutoSP=0 /regAppName=youtubegizm /txx=1 -regAppName=youtubegizm -txx=2
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious behavior: EnumeratesProcesses
    • System policy modification
    PID:3120
  • C:\ProgramData\youtubegizm\tytghn.exe
    C:\ProgramData\youtubegizm\tytghn.exe /task=2 /closebr=1 /InstallOn=7 /active=24 /update=24 /interval=2880 /pubId=10005 /affId=100105 /uId={67F3F866-F61D-4512-A659-99435E1A2F09} /version=1.0.0.5 /Override=false /IEhome=0 /IEsearch=0 /FFhome=0 /FFsearch=0 /CHhome=0 /CHsearch=0 /FFaddon=1 /CHaddon=1 /AutoSP=0 /regAppName=youtubegizm /txx=1 -regAppName=youtubegizm -txx=2
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:1820
  • C:\ProgramData\youtubegizm\tytghn.exe
    C:\ProgramData\youtubegizm\tytghn.exe /task=4 /closebr=1 /InstallOn=7 /active=24 /update=24 /interval=2880 /pubId=10005 /affId=100105 /uId={67F3F866-F61D-4512-A659-99435E1A2F09} /version=1.0.0.5 /Override=false /IEhome=0 /IEsearch=0 /FFhome=0 /FFsearch=0 /CHhome=0 /CHsearch=0 /FFaddon=1 /CHaddon=1 /AutoSP=0 /regAppName=youtubegizm /txx=1 -regAppName=youtubegizm -txx=2
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:4460
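
The process tree above reads as a staged dropper chain: the NSIS package in %TEMP% runs dgrn.exe, which installs tytghn.exe under C:\ProgramData and launches it with an affiliate configuration on the command line (pubId, affId, uId, version, and a set of IEhome/FFaddon/CHaddon style browser-takeover flags), and tytghn.exe then forces Internet Explorer closed with taskkill. The block below is an added example, not sandbox output or the sample's own code: it parses that command line into the campaign configuration and runs three detection rules over constructed, Sysmon-style process-creation events that mirror the tree (PIDs and paths copied from the report; the explorer.exe parent, the benign taskkill from cmd.exe, and the rule names are this example's own assumptions).

```python
"""Detection rules for the process tree above, run over constructed events.

The events are hand-written, Sysmon-style process-creation records that mirror
the report's tree (dropper in %TEMP% -> dgrn.exe -> tytghn.exe in C:\\ProgramData
-> taskkill /F /IM IExplore.exe). They are not sandbox output, and the rule
names are this example's own.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str         # path of the new process image
    cmdline: str       # its command line
    parent_image: str  # path of the parent's image


# "/key=value" or "-key=value" pairs on the installer's command line; a later
# duplicate key (the trailing "-txx=2" after "/txx=1") overrides the earlier one.
ARG_RE = re.compile(r"[/-](\w+)=(\S+)")


def parse_installer_args(cmdline: str) -> dict:
    return dict(ARG_RE.findall(cmdline))


def in_temp(path: str) -> bool:
    return "\\appdata\\local\\temp\\" in path.lower()


def in_windows(path: str) -> bool:
    return path.lower().startswith("c:\\windows\\")


def in_programdata(path: str) -> bool:
    return path.lower().startswith("c:\\programdata\\")


BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
KILL_RE = re.compile(r"/IM\s+(\S+)", re.I)
# Flags that steer home page / search provider / add-on takeover per browser.
HIJACK_KEYS = {"iehome", "iesearch", "ffhome", "ffsearch",
               "chhome", "chsearch", "ffaddon", "chaddon"}


def rule_kill_browser(ev: ProcEvent) -> bool:
    """taskkill forcing a browser closed, launched by something outside C:\\Windows."""
    if ntpath.basename(ev.image).lower() != "taskkill.exe":
        return False
    m = KILL_RE.search(ev.cmdline)
    return bool(m) and m.group(1).lower() in BROWSERS and not in_windows(ev.parent_image)


def rule_programdata_hijacker(ev: ProcEvent) -> bool:
    """Executable under C:\\ProgramData carrying affiliate IDs plus hijack flags."""
    if not in_programdata(ev.image):
        return False
    keys = {k.lower() for k in parse_installer_args(ev.cmdline)}
    return {"pubid", "affid"} <= keys and len(HIJACK_KEYS & keys) >= 3


def rule_temp_chain(ev: ProcEvent) -> bool:
    """A %TEMP% executable starting another %TEMP% executable (dropper stage)."""
    return in_temp(ev.parent_image) and in_temp(ev.image)


RULES = {
    "kill_browser_from_non_system_parent": rule_kill_browser,
    "programdata_exe_with_affiliate_hijack_args": rule_programdata_hijacker,
    "temp_dropper_spawns_temp_exe": rule_temp_chain,
}


def run_rules(events):
    return [(name, ev.pid) for ev in events for name, fn in RULES.items() if fn(ev)]


def affiliate_config(events) -> dict:
    """Pull the campaign identifiers out of the first hijacker process seen."""
    for ev in events:
        if rule_programdata_hijacker(ev):
            args = parse_installer_args(ev.cmdline)
            return {k: args[k] for k in ("pubId", "affId", "uId", "version", "regAppName")}
    return {}


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
DROPPER = TEMP + r"\90c5970f56673b5d52cf32f11096c130_JaffaCakes118.exe"
DGRN = TEMP + r"\dgrn.exe"
TYTGHN = r"C:\ProgramData\youtubegizm\tytghn.exe"
TYTGHN_CMD = ('"' + TYTGHN + '" /closebr=1 /InstallOn=7 /active=24 /update=24 '
              '/interval=2880 /pubId=10005 /affId=100105 '
              '/uId={67F3F866-F61D-4512-A659-99435E1A2F09} /version=1.0.0.5 '
              '/Override=false /Firstime=1 /IEhome=0 /IEsearch=0 /FFhome=0 '
              '/FFsearch=0 /CHhome=0 /CHsearch=0 /FFaddon=1 /CHaddon=1 /AutoSP=0 '
              '/regAppName=youtubegizm /txx=1 -regAppName=youtubegizm -txx=2')

# Constructed events: PIDs and paths follow the report; the explorer.exe parent
# and the benign taskkill from cmd.exe are added for contrast.
EVENTS = [
    ProcEvent(2680, 1000, DROPPER, '"' + DROPPER + '"', r"C:\Windows\explorer.exe"),
    ProcEvent(3940, 2680, DGRN, '"' + DGRN + '"', DROPPER),
    ProcEvent(840, 3940, TYTGHN, TYTGHN_CMD, DGRN),
    ProcEvent(4192, 840, r"C:\Windows\SysWOW64\taskkill.exe",
              r'"C:\Windows\System32\taskkill.exe" /F /IM IExplore.exe', TYTGHN),
    ProcEvent(5000, 4500, r"C:\Windows\System32\taskkill.exe",
              "taskkill /F /IM notepad.exe", r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for hit in run_rules(EVENTS):
        print(hit)
    print(affiliate_config(EVENTS))
```

The taskkill event shows why the rule matches on the image file name rather than the full path: the report records the image as C:\Windows\SysWOW64\taskkill.exe while the command line names System32, which is WOW64 file-system redirection (the 32-bit tytghn.exe gets the 32-bit taskkill), so a path-exact match on System32 would miss it. The parent-not-under-C:\Windows condition keeps an administrator's taskkill from cmd.exe out of the results; loosen it if your environment launches browser cleanups from user-writable paths.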

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\youtubegizm\jsloader.dll

    Filesize

    215KB

    MD5

    51d72c5c44c3cadb21128c225ba7a569

    SHA1

    94da06230ffbbe9f4d22e9b0422a279004a7b848

    SHA256

    50c36830ca56b2a9ccbecd650767af742bd1a2fc4cc18ac9cd2d18d8da8259c1

    SHA512

    2ec980a01e8f237bc863686bba0f35ae291b3626356905c0889086bf71c3362411984ad2af6fbba893863105852fae36be8cdd34798f46128486eedb67b9569a

  • C:\Program Files (x86)\youtubegizm\tdataprotocol.dll

    Filesize

    149KB

    MD5

    ffdc730ec5f8b90e4dda0c7685650c9d

    SHA1

    0f052108bcef14beffb6f325981b22fc40c7d047

    SHA256

    2373e11595d02e279ed64925233f802e03f8e68f3d85649e360b0db17e1e191e

    SHA512

    172914e1c1e69da1eb1844fc2a7c10de153e7ad1c97ad5bd9821ca82a0ab37838085cdc2ae9d3301a1d900662f4b9fc0c2737ff97e02566320d08630e4ac327c

  • C:\Program Files (x86)\youtubegizm\toolbar.dll

    Filesize

    119KB

    MD5

    a4efaf7a21baac166810f9790f0c693d

    SHA1

    eebca444b31d79ad37aec6076ba487942b5df0ea

    SHA256

    a85bfacf0d2c2d5a6a4b62720a69e1e8fe0347653cf914fe82bb9c74d73bd3b1

    SHA512

    32ff2899e917c9ae3e959f1183967711067e30dfd5a2f90ab0f33f524710f137561a69c7c3d265336829b1cfe401809906acbfbc7d03dbcd1046ac517b134f40

  • C:\Program Files (x86)\youtubegizm\updatebhoWin32.dll

    Filesize

    120KB

    MD5

    4ef3b332db3d6b45c47414e056d99ad3

    SHA1

    fdec55c9fc31e9e65a832407d0e843433d75bc14

    SHA256

    601e473f4f509ebb12b3b0a47f979819ddc64cd5aa768abacdf6e67a6cb3eeb7

    SHA512

    26f924340779b52683f660468974da5d42c9dc05f9d25764527ca343054bec7f42cc90e384c1316130af67399dc60bc2ca1000738a3f214a9a9aea492ddbdc4a

  • C:\ProgramData\youtubegizm\df-ch.crx

    Filesize

    126KB

    MD5

    a1704d581f799418db15df5e91dcff59

    SHA1

    6dae4dfa59e235c0f071d70678b4311ebb407cc5

    SHA256

    3e1c383d3fc1c4cab1995ee035b0f49236641a9d7cc391e563e88b5cd39f585f

    SHA512

    b7cab05d8b571a3fbf57ed07ef873a81a9ebfb9b143ad7473f740bbe4e9947c341e650cf531c609a48947f6434935ae30e04c476fd6d7e9f85bb8239bf80ec86

  • C:\ProgramData\youtubegizm\df-le.xpi

    Filesize

    94KB

    MD5

    9b41c8cfd735e83a6ddde1b29be08e4e

    SHA1

    0db4358bba72b2c96e027f00f2368878ea9f4e35

    SHA256

    5fbdfd771cac9fe30121cb694f8dd98d9eb22f2923a9b91fd8fe69d89bf19b3b

    SHA512

    b29a204f23ffa0d7adeea5879821516b8b516d811c83fbfcc4c96d7dd1ed702f7398cf49c003331f14f4283cb5be8923d5d3b967d62c87a4bd8e2844153cf2dd

  • C:\ProgramData\youtubegizm\tytghn.exe

    Filesize

    619KB

    MD5

    611619f98af4df3bbb077f474963c9da

    SHA1

    522144139ef78abce5cd25f34dae82f0a369f572

    SHA256

    20f035d90ef228b5a6a998cec13d7bddf00ef20c60a58167fe4230297cc25b54

    SHA512

    05a01f68ae299e22b08c9c3979064ae54483fda7104ebb6409f8e9939f9f76fca9f40a707d52e356575d9ac2c99f4bcd092e93aaf4391d96d12f15b1d70125cc

  • C:\ProgramData\youtubegizm\valuese.xml

    Filesize

    1KB

    MD5

    227bdc41ed630efdb2061daa15859b68

    SHA1

    bedb6860595d0ec863bff16ac71337082a58aec2

    SHA256

    8dfb5773f05bad3c36db328cd2a352791d92c83a94f629360f9ab6ca6c719e6c

    SHA512

    64c09d8d887943b8b59f2cce210a70158b0720421a10503c29e67f134bbd690ce05572980cd3f813e31801df5aeef4c5b6b9a2d2ec2efaacbbd4a0b2c1299028

  • C:\Users\Admin\AppData\Local\Temp\dgrn.exe

    Filesize

    1.0MB

    MD5

    90f0358fcd19f2b19ff62bca3f5e34e6

    SHA1

    91309ef459708ce170c4cf260db477c9ad46569b

    SHA256

    2c068552115abb5bd8ebee6ae6f9f9c4e876b06bc0f10307a33996eaa2e48cbb

    SHA512

    32657c7a1223d065230d91a7852b904d27d65ac5b08e6b533ea9781677ab8181971d81e817bf40adbf029fe5a9b194fda0fffb4721eaccc5bba12a9c1a718387

  • C:\Users\Admin\AppData\Local\Temp\nsxCC88.tmp\KillProcDLL.dll

    Filesize

    32KB

    MD5

    83142eac84475f4ca889c73f10d9c179

    SHA1

    dbe43c0de8ef881466bd74861b2e5b17598b5ce8

    SHA256

    ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

    SHA512

    1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

  • C:\Users\Admin\AppData\Local\Temp\nsxCC88.tmp\System.dll

    Filesize

    11KB

    MD5

    c17103ae9072a06da581dec998343fc1

    SHA1

    b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

    SHA256

    dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

    SHA512

    d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dxh7hykm.Admin\extensions\[email protected]\chrome.manifest

    Filesize

    192B

    MD5

    71a85ce537dcec64640fb478067e24c3

    SHA1

    42337f22368a2cd7cfedeb929f26222f2b2b7ae3

    SHA256

    5010be714b986edeb59eabca51c1296dd9e67138b9d965e9859d5553670a0823

    SHA512

    8cd49e8d1971623dcf83cbcca200de2296d82596f6fb96840face985c24c6d0a5c67d88d9f47a1b48f66972f4907643c3d5af344f732bfda70199b746d1cac91

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dxh7hykm.Admin\extensions\[email protected]\chrome\content\bubble.js

    Filesize

    1KB

    MD5

    e3cf4b651109156221e2072f83be5aa2

    SHA1

    be06675125c178e3ff2fd78cf57f3d643bec5cc4

    SHA256

    73cde6a7691f5155a6ea9f8076dda8d00c3c62764331be13ec3ec6053d0c9f84

    SHA512

    976007787974080f6b30763f61b63c6212b4ca2a234e4f6d52a529c154a8325e7619160f108641e39ae7b405cfe203a092cf4fcdb72252cfa61e8a9afaf93dce

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dxh7hykm.Admin\extensions\[email protected]\chrome\content\bubble.xul

    Filesize

    490B

    MD5

    75743b09194736b8fc79a6dd65db177d

    SHA1

    dbf38a26e0597697d0c6aad15e2515c398753e16

    SHA256

    f8ad9265fd61883ed00c3907f0f14478c8947b1ebaf1e34196efb5153cf040d6

    SHA512

    d151f8e97a213a59d3c41206c1aa606f179030c4ce1a24c5fb8aca17b7b783b46a9e1dc682366a3ddabe450d38b7b40cc714e23e0fced4e2a35b02ed20e1d30f

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dxh7hykm.Admin\extensions\[email protected]\chrome\content\fix2.js

    Filesize

    20B

    MD5

    b5ce3889cdd24c2b2e9d540ba1aab48d

    SHA1

    30d6c76f244e7617c835b3769bfb1fd125e401f1

    SHA256

    03e704ae5142e05e367aaf51af30485eed881d0c5c581bea3b1752095e444cd0

    SHA512

    f5a4fb298b53017e212eb92859eb76b138255778cb3a44822e6d5c02791b9911be68bfc1f25eb90414f8adb5160086cae0c247278b1c288d7b0e3f75f21c3023

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dxh7hykm.Admin\extensions\[email protected]\chrome\content\fix3.js

    Filesize

    20B

    MD5

    abdc04c0bb1bac8ee8962aa5e5fba9a8

    SHA1

    2689078d902bfa6d65483e26d122d0a30d2a6560

    SHA256

    3bb6e43e497c67e79fb3ac8520fbe07d6a43c9777c57be349a54caf9888ca482

    SHA512

    55fc2af28251c773c0def012f739e01a505867cdffb387d522f1c2fcabee4f2f8c33706c553b1ff5dc4a1dbee1bbf6926909dfb032ad813863ed2c773e0625cd

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dxh7hykm.Admin\extensions\[email protected]\chrome\content\fix4.js

    Filesize

    20B

    MD5

    4b95306cdc01a9023a3ca1e8c7fcdd61

    SHA1

    f518c9d20ec181229d35089f685a9588a5b19e7d

    SHA256

    be576aea3b146bfc77237c2cd65911e05b987c0fc74c588b9ab07ba19ad1067d

    SHA512

    4733f3eb0f7002b49b6d448ed5f22ed6c13234df46d81014a7ffd008dc77c51e86cc49d7c49c63d7941a0f54cea8693244af0f339d0a5a864ef5a9e8bf47fca8

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dxh7hykm.Admin\extensions\[email protected]\chrome\content\fix5.js

    Filesize

    20B

    MD5

    010d54d2fc0c7c7ae39324a6217030f2

    SHA1

    3d73cbe8cce886b2075b5cea17d136b344814992

    SHA256

    032f8af38f623f697712273292edb5268a0fa9eebd49f997450f97472794a751

    SHA512

    ae41156a78a60c472c27ebe5f45458836db8cf7850714f0ecf89414e12b21f0ec320ddc7d5a27db2aec5a6946dd7f436ff82f3d301998f8ae35eb8f979c6d59d

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dxh7hykm.Admin\extensions\[email protected]\chrome\content\icon.png

    Filesize

    3KB

    MD5

    34d97d8507b37d0fd790c0489f102a6b

    SHA1

    89b5eba2d945d5b1bae4aa0464ca225ffad04ebf

    SHA256

    ac3717b581dd69d07a31c34fcdfbc600685ada80340ec6de2781ca30d5a869aa

    SHA512

    edfd5ec831b4aa5c379ea9e6fa6c058a04787c8d1ebc90aed1a86c7c9de23fd955baedd1929b1cde202ef4159afb9750d826668b92bcd9be166bae59b79cf3bc

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dxh7hykm.Admin\extensions\[email protected]\chrome\content\jquery4toolbar.js

    Filesize

    92KB

    MD5

    432e6ce300e0604b682c612aa0de1c82

    SHA1

    c559ab91e420bdca977c4c4c3f7f5e8564a78fb2

    SHA256

    6dc68cfa752a170706a347a81ccb8fd5fadf8ff5837823eb9fd5486a6882e65a

    SHA512

    9a463a5a884c562cfea0afc2f9a22eca258f06c6a8ea79cf4e9612079906c5c44edd50b490c067d1f8456cb1a596636a28ac51e66a10a479302bad752c3b8dc2

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dxh7hykm.Admin\extensions\[email protected]\chrome\content\jquery4toolbar.js_126

    Filesize

    16KB

    MD5

    e5ed6fe48ddc15b239e5e84634a81fb7

    SHA1

    ed5586cb0fdf772b957b67a15cb6deb282c12b10

    SHA256

    9fc127cbf94e191d192ede3fb9071f1ecaaea7e91cd67bbd9e317286e04156a2

    SHA512

    b9cb7da39157c574ddff42ecb15b19f5280923cf0404de670c7472064ef01c87a85928605eb00c35e08b7d42ed940f0f087ff37dbe973a94bdf80747bd1a608c

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dxh7hykm.Admin\extensions\[email protected]\chrome\content\lock.js

    Filesize

    27B

    MD5

    02469e8f69f26729bf7373aaf83e7687

    SHA1

    cee5b53a1b7f93986b9d336ea43e640da532eba6

    SHA256

    86b85ba075a4af0c0ba4496484f0dd335e4abcb6782495dd0fb936bcf26b5c4f

    SHA512

    45b75dd965ac95768aaed7bf7ac6e5317bd5ebbfdfde4920930e8258529b25979c0f335f335053538ad0d3940203694f8cde2dc71b57e0ad60adad65f5d763ec

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dxh7hykm.Admin\extensions\[email protected]\chrome\content\style.xul

    Filesize

    812B

    MD5

    668dec8a49b6dc8575acc0e34ecd4284

    SHA1

    9fa09a256602a30dec25e2bb83e5ab8a1ec0bafe

    SHA256

    022636895ac1faa46a586e7e03e1c9d74b1ee78d48d622f95938800a02b71965

    SHA512

    94217e798b4258960949265d3ec7f4ba4dc4fb3c6a00fbe952975ba408bcd248e1b7e85f517ed67cee5d3d56cd110c2005d875f6b910e2e4f69bd58706a227ed

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dxh7hykm.Admin\extensions\[email protected]\chrome\content\witapi.js

    Filesize

    37KB

    MD5

    c48275070dec1182b66f0932024c41d1

    SHA1

    3093164946b041dc4b13d1e251113da232e8bdeb

    SHA256

    577d9b9f3a4ee376f6863194ed322d5cfe3ab0afcb8a2b45520f0bc32e4c97e1

    SHA512

    f25688e437f0c23f3ac0a0e452613a23a1663813e6700740ca5049d6fb36adc26f66187b903f46aaa8ff455969d46f3026c4d126fb7adeddcf0f113c7dd7e5ab

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dxh7hykm.Admin\extensions\[email protected]\chrome\content\witmain.js

    Filesize

    949B

    MD5

    290d4e5edfc05a9c619776b927eb1550

    SHA1

    83b2901baa226905eab2f5270f79cc2b4abc285e

    SHA256

    c55490b5a4a6d386fee087275d7b3515c61ac8fa63aa2a654fb1a4424f373c27

    SHA512

    ab90caf6c4e46c690eeef44c07dc3dbf92b40d9f311acba129cf7ed6f8ed9e3473537fcbdb9da851eb889c1adac101f003631ae25c2341aae571edb83ea40e61

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dxh7hykm.Admin\extensions\[email protected]\chrome\content\wittoolbar.js

    Filesize

    2KB

    MD5

    cda5b2727e277b095e1c802930ab9a78

    SHA1

    16898837afad35f9ea3cdb203b3881a1f1cc14b0

    SHA256

    1f4f851573263382105e35dc1c32014357ea8a5d48a2d3f97e568393ac17307f

    SHA512

    353175636f3ae56ae97f0587c4f8b819e2ae290594982bbd2a514fe7f702570b506b9d774a7627de57f9c480f80d54a4c48f845330a7a1008fb03edb55f1bf3b

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dxh7hykm.Admin\extensions\[email protected]\chrome\content\witutils.js

    Filesize

    23KB

    MD5

    e98815b4088c11d052fce961ea863308

    SHA1

    0aa226ffcbc73b435f0bf19a4f658a111f572e3d

    SHA256

    aa7546f7a02f77a48f737644272ae18d1ec4e7fc51756d406af88e530cb8b489

    SHA512

    ee86a07cda4fc7cca9947dacadbf3d5d8eb63b7f0529c20d506bb75bd99de60c2dd7b354149d8ad2ba70f40fa133aa79fc619a410786d51f45f14a7a65a1d6c9

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dxh7hykm.Admin\extensions\[email protected]\components\handleProtocol.js

    Filesize

    20KB

    MD5

    1f3402859b63193c40a54f466a8f7a46

    SHA1

    e4060e5def7dfe2c31123098f7e9f552a71ac993

    SHA256

    07afcbcddb1b2ee757d4e4d5367bf8f50bf7cbb0b815a83513d4a3bf1bbc2679

    SHA512

    cf3edf88d4d48905a1ba393452503142ec3e7031cd7d0645cba79a667d3642496e487d2e9d04fbec16dfd91e1fa35ca343754053a53185fe44820150e8e5eedd

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\extensions\[email protected]\chrome\content\jquery4toolbar.js_126

    Filesize

    167KB

    MD5

    224c257265b43f4b4e5ebe21e7575dbe

    SHA1

    4a7990cfea863655aca06e4c7ee708a0641d4e35

    SHA256

    a63ca336dd561218555d730194dae3b778212d41bc3c164232f5cf627702f90a

    SHA512

    9559e1c7db6402b2803d953ddadf49195785a642cd9849d8caf3333ee829d6a9e3ee3037234b83a8a2d4fd35eaec346bf313f22874a33d6bf5690fe1ec52cdec

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\extensions\[email protected]\install.rdf

    Filesize

    737B

    MD5

    6bcfd61c0d36e87fc9adeeba4ce9138a

    SHA1

    7a4206246fa9373802c2c139447d1748ebd433e2

    SHA256

    3f005ae8abf159343a48aca821087f34a0c52897c3d2371904bc73668b1aa7e7

    SHA512

    7e01737e70e8f2d80d040e000b0345379251ff3d0b08b965c3eb79addad38fc20231ef62ed01c29b0befd2f5e185fc184d8a8207730f81aee8b84a57ab9f4e95

  • C:\Windows\Tasks\youtubegizm Chrome Watcher.job

    Filesize

    1KB

    MD5

    c47b9411dc3a13a27ebd33b1e2107f64

    SHA1

    ae36cca5d28f9d4473651098693363d5dcabf611

    SHA256

    e8317455f4e959f20c2058e23b0b6d8cb9590f31cb3d702e13d0449fd5c43fd0

    SHA512

    f65b5283f421f69f83622b40f6e928fc14e13c0d09aee5f19bf19101fc57635879901be5677c2a407d47f8796d6db5470b13847cdf8b5a504df73ab84e41eeac

  • C:\Windows\Tasks\youtubegizm FireFox Watcher.job

    Filesize

    962B

    MD5

    550753b1e2d0c82f8f000fe096a9c51f

    SHA1

    772e757411a545d59e1e4fa4993d8745241e4715

    SHA256

    d9e684b5c20fc219b723288a5d7dcd228e0c687744ca2f3f1c56174f7f508f4e

    SHA512

    2ffc6f3ea647aab19eaf95f3c8c22aeb3ae80bbd446c0b6e6e5eb0ac102b530e97013d507af9bc12707cc1ca942adf899f94e5d1aa1c55cfa69f9df140ca33c9

  • C:\Windows\Tasks\youtubegizm FireFox Watcher.job

    Filesize

    1KB

    MD5

    7f5f994cc62ca46ad9cebd03e12cd209

    SHA1

    568a9ea795aa4c103bc9658743170297ce85aa47

    SHA256

    5e2160936c50ebd696583f57ebc02f6dd81429a33efee2ffa8ca1b3097083c6e

    SHA512

    626a1ba2adc5634d846c5cb3662beb1eebc1437dc4012328cdbfdd7ea1c4915a81a6b8b9cf6e6a8baa19b55d77c7627ca7db22311dc77af98b5a95985e4dadfb

  • C:\Windows\Tasks\youtubegizm Stats Report.job

    Filesize

    1KB

    MD5

    d613fffdc88a6cb93e26beea8df35a93

    SHA1

    3da88d0d35cea20f5f238af630d70dc57371dfdc

    SHA256

    21e2e6dd4a5a5ef57e28562aa43677df0cbcfae985152cd20cda0c4c6117157c

    SHA512

    e2ad531e914e6dd2f95d712c3fe1725985f7711aa3b30e274e9c9f8620e96c51d8c491d63649de309b220515fcee779899ed04e522cc26f8837c66886bb7754c

  • memory/840-83-0x00000000024A0000-0x00000000024A1000-memory.dmp

    Filesize

    4KB

  • memory/2680-0-0x0000000002520000-0x0000000002521000-memory.dmp

    Filesize

    4KB

  • memory/3940-67-0x0000000002410000-0x0000000002433000-memory.dmp

    Filesize

    140KB
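
The Downloads section gives a hash for every file the sample wrote, and the file names are distinctive: the Task Scheduler 1.0 job files under C:\Windows\Tasks carry the regAppName from the command line, and the same binaries land under C:\ProgramData\youtubegizm and C:\Program Files (x86)\youtubegizm. The block below is an added example, not the sandbox's tooling: it sweeps a directory tree, hashes each regular file once, and reports a hit either on a SHA-256 copied from the section above or on one of the report's file-name patterns (the name list is this example's own choice; it exists because a recompiled variant keeps its file names while every hash changes). The test writes a constructed file to a temporary directory rather than using the real sample.

```python
"""Hash- and name-based sweep for the dropped files listed above (added example).

SHA-256 values are copied from the Downloads section; the name patterns are this
example's own selection. The scanner is not part of the sandbox or the sample.
"""
import fnmatch
import hashlib
import os

# SHA-256 -> file name, from the Downloads section.
REPORT_SHA256 = {
    "20f035d90ef228b5a6a998cec13d7bddf00ef20c60a58167fe4230297cc25b54": "tytghn.exe",
    "2c068552115abb5bd8ebee6ae6f9f9c4e876b06bc0f10307a33996eaa2e48cbb": "dgrn.exe",
    "50c36830ca56b2a9ccbecd650767af742bd1a2fc4cc18ac9cd2d18d8da8259c1": "jsloader.dll",
    "2373e11595d02e279ed64925233f802e03f8e68f3d85649e360b0db17e1e191e": "tdataprotocol.dll",
    "a85bfacf0d2c2d5a6a4b62720a69e1e8fe0347653cf914fe82bb9c74d73bd3b1": "toolbar.dll",
    "601e473f4f509ebb12b3b0a47f979819ddc64cd5aa768abacdf6e67a6cb3eeb7": "updatebhoWin32.dll",
    "3e1c383d3fc1c4cab1995ee035b0f49236641a9d7cc391e563e88b5cd39f585f": "df-ch.crx",
    "5fbdfd771cac9fe30121cb694f8dd98d9eb22f2923a9b91fd8fe69d89bf19b3b": "df-le.xpi",
}

# File names from the report; these survive a rebuild that changes every hash.
REPORT_NAME_PATTERNS = [
    "youtubegizm*.job", "tytghn.exe", "dgrn.exe", "updatebhoWin32.dll",
    "tdataprotocol.dll", "jsloader.dll", "df-ch.crx", "df-le.xpi",
]


def hash_file(path, chunk=1 << 20):
    """Return (md5, sha1, sha256) hex digests, reading the file once in chunks."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in (md5, sha1, sha256):
                h.update(block)
    return md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest()


def name_matches(name, patterns):
    low = name.lower()
    return any(fnmatch.fnmatch(low, p.lower()) for p in patterns)


def scan(root, sha256_iocs=REPORT_SHA256, name_patterns=REPORT_NAME_PATTERNS):
    """Walk root; return [(path, [reasons])] for files matching by name or SHA-256."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks and special files, never follow them
            reasons = []
            if name_matches(name, name_patterns):
                reasons.append("name")
            try:
                _md5, _sha1, digest = hash_file(full)
            except OSError:
                continue  # unreadable (locked or permission denied): report nothing
            if digest in sha256_iocs:
                reasons.append("sha256:" + sha256_iocs[digest])
            if reasons:
                hits.append((full, reasons))
    return hits


if __name__ == "__main__":
    import sys
    for path, why in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path, ", ".join(why))
```

Run it against C:\ProgramData, C:\Program Files (x86), C:\Windows\Tasks and each Firefox profile's extensions directory on a host suspected of carrying this installer; a "name" hit without a hash hit is exactly the case a hash-only IOC list misses.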