pandastealer | 41c90ad0616b16fc303bd6603b286ac5e0a85e4daaeecf65e40608ab2592c807

Analysis

max time kernel
143s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 21:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90c5970f56673b5d52cf32f11096c130_JaffaCakes118.exe
Size

1.2MB
MD5

90c5970f56673b5d52cf32f11096c130
SHA1

b28a516be658cfaf6846a7b2f2107c24a7583547
SHA256

41c90ad0616b16fc303bd6603b286ac5e0a85e4daaeecf65e40608ab2592c807
SHA512

e69796574fdefd075acfef86588f0964b5b0b750218d7477ce714ed5494e7e02b01b9c8cab3bfdc6521ca15a630a2831e0cdd8449112abfc5577bdf5d9c91b3d
SSDEEP

24576:xbiugqOlMjQmxYIGWLREnemIMBdxdUrs/KUTZ4stkLNcsRgluoGhNj3:xbLgmjs8LRE9VdvUrC1TZXyvXD

Score

10^/10

pandastealer adware discovery spyware stealer

Malware Config

Signatures

Panda Stealer payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000500000001957c-71.dat	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer
Pandastealer family
pandastealer

Executes dropped EXE 6 IoCs

pid	Process
1936	dgrn.exe
2740	tytghn.exe
2308	tytghn.exe
1432	tytghn.exe
2456	tytghn.exe
2104	tytghn.exe

Loads dropped DLL 13 IoCs

pid	Process
2528	90c5970f56673b5d52cf32f11096c130_JaffaCakes118.exe
1936	dgrn.exe
1936	dgrn.exe
1936	dgrn.exe
1936	dgrn.exe
1936	dgrn.exe
1936	dgrn.exe
1936	dgrn.exe
1936	dgrn.exe
1936	dgrn.exe
1936	dgrn.exe
1936	dgrn.exe
1936	dgrn.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 5 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}\ = "script helper for ie"	dgrn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}\NoExplorer = "1"	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{963B125B-8B21-49A2-A3A8-E37092276531}	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{963B125B-8B21-49A2-A3A8-E37092276531}\ = "Update Timer"	dgrn.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	tytghn.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\youtubegizm\updater.ini	dgrn.exe
File created	C:\Program Files (x86)\youtubegizm\jsloader.dll	dgrn.exe
File created	C:\Program Files (x86)\youtubegizm\toolbar.dll	dgrn.exe
File created	C:\Program Files (x86)\youtubegizm\widgetserv.exe	dgrn.exe
File created	C:\Program Files (x86)\youtubegizm\logo.ico	dgrn.exe
File created	C:\Program Files (x86)\youtubegizm\updatebhoWin32.dll	dgrn.exe
File created	C:\Program Files (x86)\youtubegizm\terms.lnk.url	dgrn.exe
File created	C:\Program Files (x86)\youtubegizm\tdataprotocol.dll	dgrn.exe
File created	C:\Program Files (x86)\youtubegizm\uninstall.exe	dgrn.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\youtubegizm FireFox Watcher.job	tytghn.exe
File opened for modification	C:\Windows\Tasks\youtubegizm FireFox Watcher.job	tytghn.exe
File created	C:\Windows\Tasks\youtubegizm Chrome Watcher.job	tytghn.exe
File opened for modification	C:\Windows\Tasks\youtubegizm Update Checker.job	tytghn.exe
File created	C:\Windows\Tasks\youtubegizm Runner.job	tytghn.exe
File opened for modification	C:\Windows\Tasks\youtubegizm Chrome Watcher.job	tytghn.exe
File created	C:\Windows\Tasks\youtubegizm Stats Report.job	tytghn.exe
File opened for modification	C:\Windows\Tasks\youtubegizm Stats Report.job	tytghn.exe
File created	C:\Windows\Tasks\youtubegizm Update Checker.job	tytghn.exe
File opened for modification	C:\Windows\Tasks\youtubegizm Runner.job	tytghn.exe
File opened for modification	C:\Windows\Tasks\youtubegizm Stats Report.job	tytghn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1960	2308	WerFault.exe	38
2096	1432	WerFault.exe	41

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tytghn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tytghn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tytghn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tytghn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	90c5970f56673b5d52cf32f11096c130_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dgrn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tytghn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral1/files/0x000b000000012029-3.dat	nsis_installer_1
behavioral1/files/0x000b000000012029-3.dat	nsis_installer_2
behavioral1/files/0x000500000001a4fe-232.dat	nsis_installer_1
behavioral1/files/0x000500000001a4fe-232.dat	nsis_installer_2

Kills process with taskkill 1 IoCs

evasion

pid	Process
3028	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	tytghn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\	tytghn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar	dgrn.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Approved Extensions	tytghn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{963B125B-8B21-49A2-A3A8-E37092276531}	tytghn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\	tytghn.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Approved Extensions	tytghn.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	tytghn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{963B125B-8B21-49A2-A3A8-E37092276531}	tytghn.exe

Modifies data under HKEY_USERS 19 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	tytghn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2021416E-D7B1-41E2-B0D3-3AC4DF5679C9}\WpadDecisionReason = "1"	tytghn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2021416E-D7B1-41E2-B0D3-3AC4DF5679C9}\5a-36-fc-6b-a4-df	tytghn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	tytghn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	tytghn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2021416E-D7B1-41E2-B0D3-3AC4DF5679C9}	tytghn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-36-fc-6b-a4-df\WpadDecisionTime = f0ce3358ef3ddb01	tytghn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	tytghn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	tytghn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-36-fc-6b-a4-df	tytghn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2021416E-D7B1-41E2-B0D3-3AC4DF5679C9}\WpadDecisionTime = f0ce3358ef3ddb01	tytghn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2021416E-D7B1-41E2-B0D3-3AC4DF5679C9}\WpadDecision = "0"	tytghn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2021416E-D7B1-41E2-B0D3-3AC4DF5679C9}\WpadNetworkName = "Network 3"	tytghn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-36-fc-6b-a4-df\WpadDecisionReason = "1"	tytghn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-36-fc-6b-a4-df\WpadDecision = "0"	tytghn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	tytghn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	tytghn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00df000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	tytghn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-36-fc-6b-a4-df\WpadDetectedUrl	tytghn.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}\ProgID	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}\InprocServer32	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{373ED12D-B306-43AC-9485-A7C5133DC34C}\ = "updatebho"	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{963B125B-8B21-49A2-A3A8-E37092276531}\TypeLib\ = "{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}"	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9F0C17EB-EF2C-4278-9136-2D547656BC03}	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\tdataprotocol.DLL	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{830B56CB-FD22-44AA-9887-7898F4F4158D}	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9F0C17EB-EF2C-4278-9136-2D547656BC03}\ProxyStubClsid32	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9F0C17EB-EF2C-4278-9136-2D547656BC03}\TypeLib\ = "{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}"	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{ED6535E7-F778-48A5-A060-549D30024511}\ = "tdataprotocol"	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}\VersionIndependentProgID\ = "tdataprotocol.CTData"	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{830B56CB-FD22-44AA-9887-7898F4F4158D}\1.0\FLAGS	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{963B125B-8B21-49A2-A3A8-E37092276531}	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}\1.0\ = "updatebho 1.0 Type Library"	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9F0C17EB-EF2C-4278-9136-2D547656BC03}\TypeLib\ = "{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}"	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}\ = "CTData Class"	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FA44816-ECC1-4582-89C8-C8B043BA7656}\1.0\FLAGS	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\prox\ = "prox: pluggable protocol"	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wit4ie.WitBHO\CLSID\ = "{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}"	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}\1.0\0\win32\ = "C:\\Program Files (x86)\\youtubegizm\\updatebhoWin32.dll"	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}\1.0\HELPDIR	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{ED6535E7-F778-48A5-A060-549D30024511}	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}\InprocServer32\ThreadingModel = "Apartment"	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\chrome	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{830B56CB-FD22-44AA-9887-7898F4F4158D}\1.0\0	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\youtubegizm"	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{848B6490-7D35-4482-8C9F-C1350C53C5A5}\TypeLib\Version = "1.0"	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\updatebho.DLL\AppID = "{373ED12D-B306-43AC-9485-A7C5133DC34C}"	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{830B56CB-FD22-44AA-9887-7898F4F4158D}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\youtubegizm"	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wit4ie.WitBHO.2\ = "ygBHO Class"	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wit4ie.WitBHO\CurVer	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}\VersionIndependentProgID\ = "wit4ie.WitBHO"	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}\InprocServer32	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{848B6490-7D35-4482-8C9F-C1350C53C5A5}\ = "IWitBHO"	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}\TypeLib	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{830B56CB-FD22-44AA-9887-7898F4F4158D}\1.0\ = "tdataprotocol 1.0 Type Library"	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{963B125B-8B21-49A2-A3A8-E37092276531}\VersionIndependentProgID	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}\1.0\0\win32	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9F0C17EB-EF2C-4278-9136-2D547656BC03}\ = "ITimerBHO"	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\base64\CLSID = "{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}"	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{830B56CB-FD22-44AA-9887-7898F4F4158D}\1.0\FLAGS\ = "0"	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{830B56CB-FD22-44AA-9887-7898F4F4158D}\1.0\0\win32\ = "C:\\Program Files (x86)\\youtubegizm\\tdataprotocol.dll"	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\wit4ie.DLL\AppID = "{20EDC024-43C5-423E-B7F5-FD93523E0D9F}"	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FA44816-ECC1-4582-89C8-C8B043BA7656}\1.0\0	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}\1.0\FLAGS\ = "0"	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wit4ie.WitBHO.2	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FA44816-ECC1-4582-89C8-C8B043BA7656}\1.0\ = "wit4ie 2.0 Type Library"	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FA44816-ECC1-4582-89C8-C8B043BA7656}\1.0\FLAGS\ = "0"	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9F0C17EB-EF2C-4278-9136-2D547656BC03}\TypeLib\Version = "1.0"	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}\ProgID\ = "tdataprotocol.CTData.1"	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\wit4ie.DLL	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FA44816-ECC1-4582-89C8-C8B043BA7656}\1.0	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\updatebho.TimerBHO.1\CLSID	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\updatebho.TimerBHO\CLSID	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{963B125B-8B21-49A2-A3A8-E37092276531}\VersionIndependentProgID\ = "updatebho.TimerBHO"	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9F0C17EB-EF2C-4278-9136-2D547656BC03}\TypeLib	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tdataprotocol.CTData.1\ = "CTData Class"	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{830B56CB-FD22-44AA-9887-7898F4F4158D}\1.0	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}\InprocServer32\ThreadingModel = "Apartment"	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\updatebho.DLL	dgrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{963B125B-8B21-49A2-A3A8-E37092276531}\InprocServer32\ThreadingModel = "Apartment"	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}	dgrn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tdataprotocol.CTData\CLSID	dgrn.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
1936	dgrn.exe
1936	dgrn.exe
1936	dgrn.exe
1936	dgrn.exe
1936	dgrn.exe
1936	dgrn.exe
1936	dgrn.exe
1936	dgrn.exe
1936	dgrn.exe
1936	dgrn.exe
1936	dgrn.exe
1936	dgrn.exe
2740	tytghn.exe
2308	tytghn.exe
2308	tytghn.exe
1432	tytghn.exe
1432	tytghn.exe
2456	tytghn.exe
2104	tytghn.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3028	taskkill.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 1936	2528	90c5970f56673b5d52cf32f11096c130_JaffaCakes118.exe	30
PID 2528 wrote to memory of 1936	2528	90c5970f56673b5d52cf32f11096c130_JaffaCakes118.exe	30
PID 2528 wrote to memory of 1936	2528	90c5970f56673b5d52cf32f11096c130_JaffaCakes118.exe	30
PID 2528 wrote to memory of 1936	2528	90c5970f56673b5d52cf32f11096c130_JaffaCakes118.exe	30
PID 1936 wrote to memory of 2740	1936	dgrn.exe	31
PID 1936 wrote to memory of 2740	1936	dgrn.exe	31
PID 1936 wrote to memory of 2740	1936	dgrn.exe	31
PID 1936 wrote to memory of 2740	1936	dgrn.exe	31
PID 2740 wrote to memory of 3028	2740	tytghn.exe	34
PID 2740 wrote to memory of 3028	2740	tytghn.exe	34
PID 2740 wrote to memory of 3028	2740	tytghn.exe	34
PID 2740 wrote to memory of 3028	2740	tytghn.exe	34
PID 2176 wrote to memory of 2308	2176	taskeng.exe	38
PID 2176 wrote to memory of 2308	2176	taskeng.exe	38
PID 2176 wrote to memory of 2308	2176	taskeng.exe	38
PID 2176 wrote to memory of 2308	2176	taskeng.exe	38
PID 2176 wrote to memory of 1432	2176	taskeng.exe	41
PID 2176 wrote to memory of 1432	2176	taskeng.exe	41
PID 2176 wrote to memory of 1432	2176	taskeng.exe	41
PID 2176 wrote to memory of 1432	2176	taskeng.exe	41
PID 2176 wrote to memory of 2456	2176	taskeng.exe	43
PID 2176 wrote to memory of 2456	2176	taskeng.exe	43
PID 2176 wrote to memory of 2456	2176	taskeng.exe	43
PID 2176 wrote to memory of 2456	2176	taskeng.exe	43
PID 2176 wrote to memory of 2104	2176	taskeng.exe	44
PID 2176 wrote to memory of 2104	2176	taskeng.exe	44
PID 2176 wrote to memory of 2104	2176	taskeng.exe	44
PID 2176 wrote to memory of 2104	2176	taskeng.exe	44

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext	tytghn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\DisableAddonLoadTimePerformanceNotifications = "1"	tytghn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext	tytghn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\DisableAddonLoadTimePerformanceNotifications = "1"	tytghn.exe

C:\Users\Admin\AppData\Local\Temp\90c5970f56673b5d52cf32f11096c130_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\90c5970f56673b5d52cf32f11096c130_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Users\Admin\AppData\Local\Temp\dgrn.exe
  "C:\Users\Admin\AppData\Local\Temp\dgrn.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\ProgramData\youtubegizm\tytghn.exe
    "C:\ProgramData\youtubegizm\tytghn.exe" /closebr=1 /InstallOn=7 /active=24 /update=24 /interval=2880 /pubId=10005 /affId=100105 /uId={E08BCF98-9852-4EBC-92E2-FDFEB03FEED1} /version=1.0.0.5 /Override=false /Firstime=1 /IEhome=0 /IEsearch=0 /FFhome=0 /FFsearch=0 /CHhome=0 /CHsearch=0 /FFaddon=1 /CHaddon=1 /AutoSP=0 /regAppName=youtubegizm /txx=1 -regAppName=youtubegizm -txx=2
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /F /IM IExplore.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3028

C:\Windows\system32\taskeng.exe
taskeng.exe {B6E3E206-1240-49A1-AF75-841A2C42DDD6} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2176
- C:\ProgramData\youtubegizm\tytghn.exe
  C:\ProgramData\youtubegizm\tytghn.exe /task=0 /closebr=1 /InstallOn=7 /active=24 /update=24 /interval=2880 /pubId=10005 /affId=100105 /uId={E08BCF98-9852-4EBC-92E2-FDFEB03FEED1} /version=1.0.0.5 /Override=false /IEhome=0 /IEsearch=0 /FFhome=0 /FFsearch=0 /CHhome=0 /CHsearch=0 /FFaddon=1 /CHaddon=1 /AutoSP=0 /regAppName=youtubegizm /txx=1 -regAppName=youtubegizm -txx=2
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - System policy modification
  PID:2308
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 356
    3⤵
    - Program crash
    PID:1960
- C:\ProgramData\youtubegizm\tytghn.exe
  C:\ProgramData\youtubegizm\tytghn.exe /task=1 /closebr=1 /InstallOn=7 /active=24 /update=24 /interval=2880 /pubId=10005 /affId=100105 /uId={E08BCF98-9852-4EBC-92E2-FDFEB03FEED1} /version=1.0.0.5 /Override=false /IEhome=0 /IEsearch=0 /FFhome=0 /FFsearch=0 /CHhome=0 /CHsearch=0 /FFaddon=1 /CHaddon=1 /AutoSP=0 /regAppName=youtubegizm /txx=1 -regAppName=youtubegizm -txx=2
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - System policy modification
  PID:1432
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 364
    3⤵
    - Program crash
    PID:2096
- C:\ProgramData\youtubegizm\tytghn.exe
  C:\ProgramData\youtubegizm\tytghn.exe /task=2 /closebr=1 /InstallOn=7 /active=24 /update=24 /interval=2880 /pubId=10005 /affId=100105 /uId={E08BCF98-9852-4EBC-92E2-FDFEB03FEED1} /version=1.0.0.5 /Override=false /IEhome=0 /IEsearch=0 /FFhome=0 /FFsearch=0 /CHhome=0 /CHsearch=0 /FFaddon=1 /CHaddon=1 /AutoSP=0 /regAppName=youtubegizm /txx=1 -regAppName=youtubegizm -txx=2
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2456
- C:\ProgramData\youtubegizm\tytghn.exe
  C:\ProgramData\youtubegizm\tytghn.exe /task=4 /closebr=1 /InstallOn=7 /active=24 /update=24 /interval=2880 /pubId=10005 /affId=100105 /uId={E08BCF98-9852-4EBC-92E2-FDFEB03FEED1} /version=1.0.0.5 /Override=false /IEhome=0 /IEsearch=0 /FFhome=0 /FFsearch=0 /CHhome=0 /CHsearch=0 /FFaddon=1 /CHaddon=1 /AutoSP=0 /regAppName=youtubegizm /txx=1 -regAppName=youtubegizm -txx=2
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\youtubegizm\uninstall.exe

Filesize
62KB

MD5
e9bfb4b02a1aaafcbf5a2ef6f91751c1

SHA1
c930d7fad8fa9e2a937d449bce5498fb303444f8

SHA256
6fd9d03718cc3dfb353e1daf2d35d4758a93fc8ef68ddbcc801f6cfdc27e1a6d

SHA512
e76d20cf5aad8f9ab05acb211212dff644f75039535fabfcf5542d76fd10f29d3508972ba20c3bb89f3f440d44c32ef485b7204b23e1faeb044ae420072048c8

Download Submit
C:\ProgramData\youtubegizm\df-ch.crx

Filesize
126KB

MD5
a1704d581f799418db15df5e91dcff59

SHA1
6dae4dfa59e235c0f071d70678b4311ebb407cc5

SHA256
3e1c383d3fc1c4cab1995ee035b0f49236641a9d7cc391e563e88b5cd39f585f

SHA512
b7cab05d8b571a3fbf57ed07ef873a81a9ebfb9b143ad7473f740bbe4e9947c341e650cf531c609a48947f6434935ae30e04c476fd6d7e9f85bb8239bf80ec86

Download Submit
C:\ProgramData\youtubegizm\df-le.xpi

Filesize
94KB

MD5
9b41c8cfd735e83a6ddde1b29be08e4e

SHA1
0db4358bba72b2c96e027f00f2368878ea9f4e35

SHA256
5fbdfd771cac9fe30121cb694f8dd98d9eb22f2923a9b91fd8fe69d89bf19b3b

SHA512
b29a204f23ffa0d7adeea5879821516b8b516d811c83fbfcc4c96d7dd1ed702f7398cf49c003331f14f4283cb5be8923d5d3b967d62c87a4bd8e2844153cf2dd

Download Submit
C:\ProgramData\youtubegizm\valuese.xml

Filesize
1KB

MD5
227bdc41ed630efdb2061daa15859b68

SHA1
bedb6860595d0ec863bff16ac71337082a58aec2

SHA256
8dfb5773f05bad3c36db328cd2a352791d92c83a94f629360f9ab6ca6c719e6c

SHA512
64c09d8d887943b8b59f2cce210a70158b0720421a10503c29e67f134bbd690ce05572980cd3f813e31801df5aeef4c5b6b9a2d2ec2efaacbbd4a0b2c1299028

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.Admin\extensions\[email protected]\chrome.manifest

Filesize
192B

MD5
71a85ce537dcec64640fb478067e24c3

SHA1
42337f22368a2cd7cfedeb929f26222f2b2b7ae3

SHA256
5010be714b986edeb59eabca51c1296dd9e67138b9d965e9859d5553670a0823

SHA512
8cd49e8d1971623dcf83cbcca200de2296d82596f6fb96840face985c24c6d0a5c67d88d9f47a1b48f66972f4907643c3d5af344f732bfda70199b746d1cac91

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.Admin\extensions\[email protected]\chrome\content\bubble.js

Filesize
1KB

MD5
e3cf4b651109156221e2072f83be5aa2

SHA1
be06675125c178e3ff2fd78cf57f3d643bec5cc4

SHA256
73cde6a7691f5155a6ea9f8076dda8d00c3c62764331be13ec3ec6053d0c9f84

SHA512
976007787974080f6b30763f61b63c6212b4ca2a234e4f6d52a529c154a8325e7619160f108641e39ae7b405cfe203a092cf4fcdb72252cfa61e8a9afaf93dce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.Admin\extensions\[email protected]\chrome\content\bubble.xul

Filesize
490B

MD5
75743b09194736b8fc79a6dd65db177d

SHA1
dbf38a26e0597697d0c6aad15e2515c398753e16

SHA256
f8ad9265fd61883ed00c3907f0f14478c8947b1ebaf1e34196efb5153cf040d6

SHA512
d151f8e97a213a59d3c41206c1aa606f179030c4ce1a24c5fb8aca17b7b783b46a9e1dc682366a3ddabe450d38b7b40cc714e23e0fced4e2a35b02ed20e1d30f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.Admin\extensions\[email protected]\chrome\content\fix2.js

Filesize
20B

MD5
b5ce3889cdd24c2b2e9d540ba1aab48d

SHA1
30d6c76f244e7617c835b3769bfb1fd125e401f1

SHA256
03e704ae5142e05e367aaf51af30485eed881d0c5c581bea3b1752095e444cd0

SHA512
f5a4fb298b53017e212eb92859eb76b138255778cb3a44822e6d5c02791b9911be68bfc1f25eb90414f8adb5160086cae0c247278b1c288d7b0e3f75f21c3023

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.Admin\extensions\[email protected]\chrome\content\fix3.js

Filesize
20B

MD5
abdc04c0bb1bac8ee8962aa5e5fba9a8

SHA1
2689078d902bfa6d65483e26d122d0a30d2a6560

SHA256
3bb6e43e497c67e79fb3ac8520fbe07d6a43c9777c57be349a54caf9888ca482

SHA512
55fc2af28251c773c0def012f739e01a505867cdffb387d522f1c2fcabee4f2f8c33706c553b1ff5dc4a1dbee1bbf6926909dfb032ad813863ed2c773e0625cd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.Admin\extensions\[email protected]\chrome\content\fix4.js

Filesize
20B

MD5
4b95306cdc01a9023a3ca1e8c7fcdd61

SHA1
f518c9d20ec181229d35089f685a9588a5b19e7d

SHA256
be576aea3b146bfc77237c2cd65911e05b987c0fc74c588b9ab07ba19ad1067d

SHA512
4733f3eb0f7002b49b6d448ed5f22ed6c13234df46d81014a7ffd008dc77c51e86cc49d7c49c63d7941a0f54cea8693244af0f339d0a5a864ef5a9e8bf47fca8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.Admin\extensions\[email protected]\chrome\content\fix5.js

Filesize
20B

MD5
010d54d2fc0c7c7ae39324a6217030f2

SHA1
3d73cbe8cce886b2075b5cea17d136b344814992

SHA256
032f8af38f623f697712273292edb5268a0fa9eebd49f997450f97472794a751

SHA512
ae41156a78a60c472c27ebe5f45458836db8cf7850714f0ecf89414e12b21f0ec320ddc7d5a27db2aec5a6946dd7f436ff82f3d301998f8ae35eb8f979c6d59d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.Admin\extensions\[email protected]\chrome\content\icon.png

Filesize
3KB

MD5
34d97d8507b37d0fd790c0489f102a6b

SHA1
89b5eba2d945d5b1bae4aa0464ca225ffad04ebf

SHA256
ac3717b581dd69d07a31c34fcdfbc600685ada80340ec6de2781ca30d5a869aa

SHA512
edfd5ec831b4aa5c379ea9e6fa6c058a04787c8d1ebc90aed1a86c7c9de23fd955baedd1929b1cde202ef4159afb9750d826668b92bcd9be166bae59b79cf3bc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.Admin\extensions\[email protected]\chrome\content\jquery4toolbar.js

Filesize
92KB

MD5
432e6ce300e0604b682c612aa0de1c82

SHA1
c559ab91e420bdca977c4c4c3f7f5e8564a78fb2

SHA256
6dc68cfa752a170706a347a81ccb8fd5fadf8ff5837823eb9fd5486a6882e65a

SHA512
9a463a5a884c562cfea0afc2f9a22eca258f06c6a8ea79cf4e9612079906c5c44edd50b490c067d1f8456cb1a596636a28ac51e66a10a479302bad752c3b8dc2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.Admin\extensions\[email protected]\chrome\content\style.xul

Filesize
812B

MD5
668dec8a49b6dc8575acc0e34ecd4284

SHA1
9fa09a256602a30dec25e2bb83e5ab8a1ec0bafe

SHA256
022636895ac1faa46a586e7e03e1c9d74b1ee78d48d622f95938800a02b71965

SHA512
94217e798b4258960949265d3ec7f4ba4dc4fb3c6a00fbe952975ba408bcd248e1b7e85f517ed67cee5d3d56cd110c2005d875f6b910e2e4f69bd58706a227ed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.Admin\extensions\[email protected]\chrome\content\witmain.js

Filesize
949B

MD5
290d4e5edfc05a9c619776b927eb1550

SHA1
83b2901baa226905eab2f5270f79cc2b4abc285e

SHA256
c55490b5a4a6d386fee087275d7b3515c61ac8fa63aa2a654fb1a4424f373c27

SHA512
ab90caf6c4e46c690eeef44c07dc3dbf92b40d9f311acba129cf7ed6f8ed9e3473537fcbdb9da851eb889c1adac101f003631ae25c2341aae571edb83ea40e61

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.Admin\extensions\[email protected]\chrome\content\wittoolbar.js

Filesize
2KB

MD5
cda5b2727e277b095e1c802930ab9a78

SHA1
16898837afad35f9ea3cdb203b3881a1f1cc14b0

SHA256
1f4f851573263382105e35dc1c32014357ea8a5d48a2d3f97e568393ac17307f

SHA512
353175636f3ae56ae97f0587c4f8b819e2ae290594982bbd2a514fe7f702570b506b9d774a7627de57f9c480f80d54a4c48f845330a7a1008fb03edb55f1bf3b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.Admin\extensions\[email protected]\install.rdf

Filesize
737B

MD5
6bcfd61c0d36e87fc9adeeba4ce9138a

SHA1
7a4206246fa9373802c2c139447d1748ebd433e2

SHA256
3f005ae8abf159343a48aca821087f34a0c52897c3d2371904bc73668b1aa7e7

SHA512
7e01737e70e8f2d80d040e000b0345379251ff3d0b08b965c3eb79addad38fc20231ef62ed01c29b0befd2f5e185fc184d8a8207730f81aee8b84a57ab9f4e95

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\extensions\[email protected]\chrome\content\jquery4toolbar.js_126

Filesize
167KB

MD5
224c257265b43f4b4e5ebe21e7575dbe

SHA1
4a7990cfea863655aca06e4c7ee708a0641d4e35

SHA256
a63ca336dd561218555d730194dae3b778212d41bc3c164232f5cf627702f90a

SHA512
9559e1c7db6402b2803d953ddadf49195785a642cd9849d8caf3333ee829d6a9e3ee3037234b83a8a2d4fd35eaec346bf313f22874a33d6bf5690fe1ec52cdec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\extensions\[email protected]\chrome\content\lock.js

Filesize
27B

MD5
02469e8f69f26729bf7373aaf83e7687

SHA1
cee5b53a1b7f93986b9d336ea43e640da532eba6

SHA256
86b85ba075a4af0c0ba4496484f0dd335e4abcb6782495dd0fb936bcf26b5c4f

SHA512
45b75dd965ac95768aaed7bf7ac6e5317bd5ebbfdfde4920930e8258529b25979c0f335f335053538ad0d3940203694f8cde2dc71b57e0ad60adad65f5d763ec

Download Submit
C:\Windows\Tasks\youtubegizm Chrome Watcher.job

Filesize
1012B

MD5
0ee7c6cabaaa3aeef5dae3b38d51b0d6

SHA1
586508cf03c53799c76469affa5455366ae5ba74

SHA256
10f1b7d3644b299cd86db5d5f61213aee80861db6ce5fe712ef021741965cd0b

SHA512
bb3b2dfee375726d1ebf492d362c41ec1c8f809f112ce49947e2d0c0fad6135b9da8f90c24c40857f5d749958b5ae619d40dab2a6acc61d2cdc623b8d73e8489

Download Submit
C:\Windows\Tasks\youtubegizm Stats Report.job

Filesize
1KB

MD5
a1b7c5b8d840272c1a91d7ff68f7a96a

SHA1
66c8c2319562a485bf0b85b3735b26a62ec605f6

SHA256
fa0742d88faae21da9a329623f2a426746e2dc0aab46888bfa0bba41526eef59

SHA512
9b5399593e9f805adae5b266bcb5b15f6cc128911cb43161c0ddda5a44f06e10918cc6f0664d2ffb587d0378bd7299e778cb797e92b456f54bf1c8d45b39e562

Download Submit
\Program Files (x86)\youtubegizm\jsloader.dll

Filesize
215KB

MD5
51d72c5c44c3cadb21128c225ba7a569

SHA1
94da06230ffbbe9f4d22e9b0422a279004a7b848

SHA256
50c36830ca56b2a9ccbecd650767af742bd1a2fc4cc18ac9cd2d18d8da8259c1

SHA512
2ec980a01e8f237bc863686bba0f35ae291b3626356905c0889086bf71c3362411984ad2af6fbba893863105852fae36be8cdd34798f46128486eedb67b9569a

Download Submit
\Program Files (x86)\youtubegizm\tdataprotocol.dll

Filesize
149KB

MD5
ffdc730ec5f8b90e4dda0c7685650c9d

SHA1
0f052108bcef14beffb6f325981b22fc40c7d047

SHA256
2373e11595d02e279ed64925233f802e03f8e68f3d85649e360b0db17e1e191e

SHA512
172914e1c1e69da1eb1844fc2a7c10de153e7ad1c97ad5bd9821ca82a0ab37838085cdc2ae9d3301a1d900662f4b9fc0c2737ff97e02566320d08630e4ac327c

Download Submit
\Program Files (x86)\youtubegizm\toolbar.dll

Filesize
119KB

MD5
a4efaf7a21baac166810f9790f0c693d

SHA1
eebca444b31d79ad37aec6076ba487942b5df0ea

SHA256
a85bfacf0d2c2d5a6a4b62720a69e1e8fe0347653cf914fe82bb9c74d73bd3b1

SHA512
32ff2899e917c9ae3e959f1183967711067e30dfd5a2f90ab0f33f524710f137561a69c7c3d265336829b1cfe401809906acbfbc7d03dbcd1046ac517b134f40

Download Submit
\Program Files (x86)\youtubegizm\updatebhoWin32.dll

Filesize
120KB

MD5
4ef3b332db3d6b45c47414e056d99ad3

SHA1
fdec55c9fc31e9e65a832407d0e843433d75bc14

SHA256
601e473f4f509ebb12b3b0a47f979819ddc64cd5aa768abacdf6e67a6cb3eeb7

SHA512
26f924340779b52683f660468974da5d42c9dc05f9d25764527ca343054bec7f42cc90e384c1316130af67399dc60bc2ca1000738a3f214a9a9aea492ddbdc4a

Download Submit
\ProgramData\youtubegizm\tytghn.exe

Filesize
619KB

MD5
611619f98af4df3bbb077f474963c9da

SHA1
522144139ef78abce5cd25f34dae82f0a369f572

SHA256
20f035d90ef228b5a6a998cec13d7bddf00ef20c60a58167fe4230297cc25b54

SHA512
05a01f68ae299e22b08c9c3979064ae54483fda7104ebb6409f8e9939f9f76fca9f40a707d52e356575d9ac2c99f4bcd092e93aaf4391d96d12f15b1d70125cc

Download Submit
\Users\Admin\AppData\Local\Temp\dgrn.exe

Filesize
1.0MB

MD5
90f0358fcd19f2b19ff62bca3f5e34e6

SHA1
91309ef459708ce170c4cf260db477c9ad46569b

SHA256
2c068552115abb5bd8ebee6ae6f9f9c4e876b06bc0f10307a33996eaa2e48cbb

SHA512
32657c7a1223d065230d91a7852b904d27d65ac5b08e6b533ea9781677ab8181971d81e817bf40adbf029fe5a9b194fda0fffb4721eaccc5bba12a9c1a718387

Download Submit
\Users\Admin\AppData\Local\Temp\nsoA7C5.tmp\KillProcDLL.dll

Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
\Users\Admin\AppData\Local\Temp\nsoA7C5.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
memory/1936-61-0x0000000002720000-0x0000000002743000-memory.dmp

Filesize
140KB

Download
memory/2528-0-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2740-77-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download