Analysis Overview
SHA256
41c90ad0616b16fc303bd6603b286ac5e0a85e4daaeecf65e40608ab2592c807
Threat Level: Known bad
The file 90c5970f56673b5d52cf32f11096c130_JaffaCakes118 was classified as Known bad. Note that the family tags (PandaStealer, Panda Stealer payload, Pandastealer family) come from signature matches whose indicator tables below are empty, while every behaviour the sandbox actually recorded is that of a browser toolbar installer: an NSIS installer drops dgrn.exe, which registers Browser Helper Object and pluggable-protocol COM classes and creates the Program Files (x86)\youtubegizm components; tytghn.exe creates *.job tasks under C:\Windows\Tasks and carries pubId/affId affiliate switches; Firefox XPI and Chrome CRX packages are written under ProgramData\youtubegizm; and Internet Explorer is force-closed with taskkill. Treat the family attribution as unconfirmed until the matching rule or the payload itself has been reviewed.
Malicious Activity Summary
PandaStealer
Panda Stealer payload
Pandastealer family
Executes dropped EXE
Checks computer location settings
Reads user/profile data of web browsers
Loads dropped DLL
Installs/modifies Browser Helper Object
Checks installed software on the system
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Program crash
Enumerates physical storage devices
NSIS installer
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Kills process with taskkill
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
System policy modification
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-23 21:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-23 21:33
Reported
2024-11-23 21:35
Platform
win7-20240903-en
Max time kernel
143s
Max time network
122s
Command Line
Signatures
Panda Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
PandaStealer
Pandastealer family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| N/A | N/A | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| N/A | N/A | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| N/A | N/A | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| N/A | N/A | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| N/A | N/A | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\90c5970f56673b5d52cf32f11096c130_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54} | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}\ = "script helper for ie" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{963B125B-8B21-49A2-A3A8-E37092276531} | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{963B125B-8B21-49A2-A3A8-E37092276531}\ = "Update Timer" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\youtubegizm\updater.ini | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| File created | C:\Program Files (x86)\youtubegizm\jsloader.dll | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| File created | C:\Program Files (x86)\youtubegizm\toolbar.dll | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| File created | C:\Program Files (x86)\youtubegizm\widgetserv.exe | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| File created | C:\Program Files (x86)\youtubegizm\logo.ico | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| File created | C:\Program Files (x86)\youtubegizm\updatebhoWin32.dll | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| File created | C:\Program Files (x86)\youtubegizm\terms.lnk.url | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| File created | C:\Program Files (x86)\youtubegizm\tdataprotocol.dll | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| File created | C:\Program Files (x86)\youtubegizm\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\youtubegizm FireFox Watcher.job | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| File opened for modification | C:\Windows\Tasks\youtubegizm FireFox Watcher.job | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| File created | C:\Windows\Tasks\youtubegizm Chrome Watcher.job | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| File opened for modification | C:\Windows\Tasks\youtubegizm Update Checker.job | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| File created | C:\Windows\Tasks\youtubegizm Runner.job | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| File opened for modification | C:\Windows\Tasks\youtubegizm Chrome Watcher.job | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| File created | C:\Windows\Tasks\youtubegizm Stats Report.job | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| File opened for modification | C:\Windows\Tasks\youtubegizm Stats Report.job | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| File created | C:\Windows\Tasks\youtubegizm Update Checker.job | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| File opened for modification | C:\Windows\Tasks\youtubegizm Runner.job | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| File opened for modification | C:\Windows\Tasks\youtubegizm Stats Report.job | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\ProgramData\youtubegizm\tytghn.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\ProgramData\youtubegizm\tytghn.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\90c5970f56673b5d52cf32f11096c130_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\ | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Approved Extensions | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{963B125B-8B21-49A2-A3A8-E37092276531} | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\ | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Approved Extensions | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{963B125B-8B21-49A2-A3A8-E37092276531} | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2021416E-D7B1-41E2-B0D3-3AC4DF5679C9}\WpadDecisionReason = "1" | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2021416E-D7B1-41E2-B0D3-3AC4DF5679C9}\5a-36-fc-6b-a4-df | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2021416E-D7B1-41E2-B0D3-3AC4DF5679C9} | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-36-fc-6b-a4-df\WpadDecisionTime = f0ce3358ef3ddb01 | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-36-fc-6b-a4-df | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2021416E-D7B1-41E2-B0D3-3AC4DF5679C9}\WpadDecisionTime = f0ce3358ef3ddb01 | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2021416E-D7B1-41E2-B0D3-3AC4DF5679C9}\WpadDecision = "0" | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2021416E-D7B1-41E2-B0D3-3AC4DF5679C9}\WpadNetworkName = "Network 3" | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-36-fc-6b-a4-df\WpadDecisionReason = "1" | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-36-fc-6b-a4-df\WpadDecision = "0" | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00df000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-36-fc-6b-a4-df\WpadDetectedUrl | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
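The DefaultConnectionSettings and SavedLegacySettings values above are WinINet's serialized per-connection proxy options. They land under HKU\.DEFAULT because the writer is running in the SYSTEM profile (the taskeng.exe entry in the process list carries S-1-5-18), and the Wpad\ keys beside them are the normal side effect of WinINet running proxy auto-detection when such a process first uses the network, not an explicit proxy hijack. The decoder below is an added example and not tooling from the report or from the sample. The blob is the first DefaultConnectionSettings value recorded above; the field layout (marker 0x46, change counter, flag bitmask, three length-prefixed ANSI strings) is the widely used reverse-engineered layout rather than an official Microsoft structure, and the hijack blob in the test is constructed for illustration.

```python
"""Decode WinINet's DefaultConnectionSettings / SavedLegacySettings blob.

Layout (reverse-engineered, not an official structure; stable since IE5):
  DWORD  0x46            structure marker
  DWORD  counter         incremented on every change
  DWORD  flags           bitmask: 1 direct, 2 manual proxy, 4 PAC script, 8 WPAD auto-detect
  DWORD len + bytes      proxy server (ANSI)
  DWORD len + bytes      proxy bypass list (ANSI)
  DWORD len + bytes      auto-config (PAC) URL (ANSI)
  trailing bytes         reserved / auto-detect state, ignored here
"""
import struct

FLAG_NAMES = {1: 'direct', 2: 'proxy', 4: 'pac-script', 8: 'wpad-autodetect'}

# First DefaultConnectionSettings value written by tytghn.exe under HKU\.DEFAULT,
# copied from the 'Modifies data under HKEY_USERS' table of this report.
SAMPLE_HEX = '4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'


def _read_lpstr(buf, off):
    """Read a DWORD length followed by that many ANSI bytes; return (str, next offset)."""
    (n,) = struct.unpack_from('<I', buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError('string length %d runs past end of blob' % n)
    return buf[off:off + n].decode('latin-1'), off + n


def decode_connection_settings(hexblob):
    """Parse the hex-encoded registry value into its fields."""
    buf = bytes.fromhex(hexblob)
    if len(buf) < 24:
        raise ValueError('blob too short for marker, counter, flags and three lengths')
    marker, counter, flags = struct.unpack_from('<III', buf, 0)
    if marker != 0x46:
        raise ValueError('unexpected marker 0x%x' % marker)
    off = 12
    proxy, off = _read_lpstr(buf, off)
    bypass, off = _read_lpstr(buf, off)
    pac_url, off = _read_lpstr(buf, off)
    return {
        'counter': counter,
        'flags': flags,
        'modes': [name for bit, name in FLAG_NAMES.items() if flags & bit],
        'proxy': proxy,
        'bypass': bypass,
        'pac_url': pac_url,
        'trailing_bytes': len(buf) - off,
    }


def encode_connection_settings(counter, flags, proxy='', bypass='', pac_url=''):
    """Inverse of the decoder: build a blob (used here to construct a test hijack value)."""
    out = struct.pack('<III', 0x46, counter, flags)
    for s in (proxy, bypass, pac_url):
        b = s.encode('latin-1')
        out += struct.pack('<I', len(b)) + b
    return out + b'\x00' * 32


def proxy_redirect_present(settings):
    """True when traffic would be steered through a proxy or PAC script.

    flags 9 (direct + auto-detect) with empty strings, as in this sample, is the
    Windows default and means no redirect was configured.
    """
    return bool(settings['flags'] & 6) or bool(settings['proxy'] or settings['pac_url'])


if __name__ == '__main__':
    s = decode_connection_settings(SAMPLE_HEX)
    print(s)
    print('proxy redirect configured:', proxy_redirect_present(s))
```

Run against the sample value this returns counter 2, flags 9 (direct plus WPAD auto-detect) and three empty strings, so the only thing the registry write proves is that the process initialised WinINet as SYSTEM; a real proxy hijack shows up as flag bit 2 or 4 together with a non-empty proxy or PAC string.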
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}\ProgID | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{373ED12D-B306-43AC-9485-A7C5133DC34C}\ = "updatebho" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{963B125B-8B21-49A2-A3A8-E37092276531}\TypeLib\ = "{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9F0C17EB-EF2C-4278-9136-2D547656BC03} | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\tdataprotocol.DLL | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{830B56CB-FD22-44AA-9887-7898F4F4158D} | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9F0C17EB-EF2C-4278-9136-2D547656BC03}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9F0C17EB-EF2C-4278-9136-2D547656BC03}\TypeLib\ = "{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{ED6535E7-F778-48A5-A060-549D30024511}\ = "tdataprotocol" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}\VersionIndependentProgID\ = "tdataprotocol.CTData" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{830B56CB-FD22-44AA-9887-7898F4F4158D}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{963B125B-8B21-49A2-A3A8-E37092276531} | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}\1.0\ = "updatebho 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9F0C17EB-EF2C-4278-9136-2D547656BC03}\TypeLib\ = "{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}\ = "CTData Class" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FA44816-ECC1-4582-89C8-C8B043BA7656}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\prox\ = "prox: pluggable protocol" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\wit4ie.WitBHO\CLSID\ = "{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}\1.0\0\win32\ = "C:\\Program Files (x86)\\youtubegizm\\updatebhoWin32.dll" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{ED6535E7-F778-48A5-A060-549D30024511} | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\chrome | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{830B56CB-FD22-44AA-9887-7898F4F4158D}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\youtubegizm" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{848B6490-7D35-4482-8C9F-C1350C53C5A5}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\updatebho.DLL\AppID = "{373ED12D-B306-43AC-9485-A7C5133DC34C}" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{830B56CB-FD22-44AA-9887-7898F4F4158D}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\youtubegizm" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\wit4ie.WitBHO.2\ = "ygBHO Class" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wit4ie.WitBHO\CurVer | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}\VersionIndependentProgID\ = "wit4ie.WitBHO" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{848B6490-7D35-4482-8C9F-C1350C53C5A5}\ = "IWitBHO" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}\TypeLib | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{830B56CB-FD22-44AA-9887-7898F4F4158D}\1.0\ = "tdataprotocol 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{963B125B-8B21-49A2-A3A8-E37092276531}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9F0C17EB-EF2C-4278-9136-2D547656BC03}\ = "ITimerBHO" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\base64\CLSID = "{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{830B56CB-FD22-44AA-9887-7898F4F4158D}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{830B56CB-FD22-44AA-9887-7898F4F4158D}\1.0\0\win32\ = "C:\\Program Files (x86)\\youtubegizm\\tdataprotocol.dll" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\wit4ie.DLL\AppID = "{20EDC024-43C5-423E-B7F5-FD93523E0D9F}" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FA44816-ECC1-4582-89C8-C8B043BA7656}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wit4ie.WitBHO.2 | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54} | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FA44816-ECC1-4582-89C8-C8B043BA7656}\1.0\ = "wit4ie 2.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FA44816-ECC1-4582-89C8-C8B043BA7656}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9F0C17EB-EF2C-4278-9136-2D547656BC03}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}\ProgID\ = "tdataprotocol.CTData.1" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\wit4ie.DLL | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FA44816-ECC1-4582-89C8-C8B043BA7656}\1.0 | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\updatebho.TimerBHO.1\CLSID | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\updatebho.TimerBHO\CLSID | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{963B125B-8B21-49A2-A3A8-E37092276531}\VersionIndependentProgID\ = "updatebho.TimerBHO" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9F0C17EB-EF2C-4278-9136-2D547656BC03}\TypeLib | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\tdataprotocol.CTData.1\ = "CTData Class" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{830B56CB-FD22-44AA-9887-7898F4F4158D}\1.0 | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\updatebho.DLL | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{963B125B-8B21-49A2-A3A8-E37092276531}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A} | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\tdataprotocol.CTData\CLSID | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
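The rows under "Installs/modifies Browser Helper Object" and "Modifies registry class" together describe how the toolbar gets its code into Internet Explorer: each CLSID listed under Explorer\Browser Helper Objects is loaded into every IE process (NoExplorer=1 only keeps it out of explorer.exe), and each PROTOCOLS\Handler\<scheme> CLSID is loaded whenever a URL with that scheme is opened. Which DLL that is has to be resolved through the CLSID's InprocServer32 default value or, where the report did not record it, through the TypeLib the CLSID points at. The script below is an added example and not tooling from the report; it rebuilds that graph from the rows as they appear in this report's table format. The rows embedded are copied from the tables above, and the output honestly reports None where the page does not record the link (the wit4ie BHO's InprocServer32 value and the tdataprotocol class's TypeLib reference are absent from the table, so those DLLs are left unresolved).

```python
"""Rebuild the COM registration graph behind the BHO and protocol-handler rows."""
import re

# Rows copied from the 'Installs/modifies Browser Helper Object' and
# 'Modifies registry class' tables of this report.
ROWS = r'''
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54} | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}\ = "script helper for ie" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{963B125B-8B21-49A2-A3A8-E37092276531} | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{963B125B-8B21-49A2-A3A8-E37092276531}\ = "Update Timer" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}\VersionIndependentProgID\ = "wit4ie.WitBHO" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{963B125B-8B21-49A2-A3A8-E37092276531}\TypeLib\ = "{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{963B125B-8B21-49A2-A3A8-E37092276531}\VersionIndependentProgID\ = "updatebho.TimerBHO" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}\1.0\0\win32\ = "C:\\Program Files (x86)\\youtubegizm\\updatebhoWin32.dll" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}\ = "CTData Class" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\base64\CLSID = "{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\prox\ = "prox: pluggable protocol" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{830B56CB-FD22-44AA-9887-7898F4F4158D}\1.0\0\win32\ = "C:\\Program Files (x86)\\youtubegizm\\tdataprotocol.dll" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
'''.strip().splitlines()

GUID = r'(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})'
BHO_RE = re.compile(r'\\Browser Helper Objects\\' + GUID + r'(?:\\(.*))?$')
CLSID_RE = re.compile(r'\\CLSID\\' + GUID + r'\\(.*)$')
TYPELIB_RE = re.compile(r'\\TypeLib\\' + GUID + r'\\[\d.]+\\0\\win32\\$')
PROTO_RE = re.compile(r'\\PROTOCOLS\\Handler\\([^\\]+)\\(CLSID)?$')


def parse_row(line):
    """Split one '| action | path = "value" | process | target |' row; value is None for key creation."""
    cells = [c.strip() for c in line.strip().strip('|').split('|')]
    path, sep, value = cells[1].partition(' = ')
    value = value.strip('"').replace('\\\\', '\\') if sep else None   # report doubles backslashes in values
    return cells[0], path, value, cells[2]


def build_graph(rows):
    """Index BHO registrations, CLSID metadata, TypeLib DLL paths and protocol handlers by GUID."""
    bhos, clsids, typelibs, protocols = {}, {}, {}, {}
    for line in rows:
        _, path, value, _ = parse_row(line)
        if (m := BHO_RE.search(path)):
            b = bhos.setdefault(m.group(1).upper(), {'name': None, 'no_explorer': False})
            sub = (m.group(2) or '').lower()
            if sub == '' and value is not None:
                b['name'] = value                      # default value = display name
            elif sub == 'noexplorer':
                b['no_explorer'] = value == '1'        # 1 = do not load into explorer.exe
        elif (m := CLSID_RE.search(path)):
            c = clsids.setdefault(m.group(1).upper(), {})
            sub = m.group(2).lower()
            if value is None:
                continue
            if sub == '':
                c['name'] = value
            elif sub == 'typelib\\':
                c['typelib'] = value.upper()
            elif sub == 'versionindependentprogid\\':
                c['progid'] = value
            elif sub == 'inprocserver32\\':
                c['dll'] = value
        elif (m := TYPELIB_RE.search(path)) and value:
            typelibs[m.group(1).upper()] = value
        elif (m := PROTO_RE.search(path)):
            p = protocols.setdefault(m.group(1), {'clsid': None, 'description': None})
            if m.group(2):
                p['clsid'] = (value or '').upper() or None
            elif value:
                p['description'] = value
    return bhos, clsids, typelibs, protocols


def resolve_dll(clsid, clsids, typelibs):
    """Prefer InprocServer32; fall back to the TypeLib's win32 path; None if the report has neither."""
    c = clsids.get(clsid, {})
    if c.get('dll'):
        return c['dll'], 'InprocServer32'
    if c.get('typelib') in typelibs:
        return typelibs[c['typelib']], 'TypeLib win32 path'
    return None, None


def loaded_into_ie(rows):
    """Per BHO and per pluggable-protocol scheme: name, ProgID and the DLL IE will load."""
    bhos, clsids, typelibs, protocols = build_graph(rows)
    report = {'bho': {}, 'protocol': {}}
    for g, b in bhos.items():
        dll, src = resolve_dll(g, clsids, typelibs)
        report['bho'][g] = dict(b, progid=clsids.get(g, {}).get('progid'), dll=dll, dll_source=src)
    for scheme, p in protocols.items():
        dll, src = resolve_dll(p['clsid'], clsids, typelibs) if p['clsid'] else (None, None)
        report['protocol'][scheme] = dict(p, class_name=clsids.get(p['clsid'], {}).get('name'), dll=dll, dll_source=src)
    return report


if __name__ == '__main__':
    for kind, entries in loaded_into_ie(ROWS).items():
        for key, info in entries.items():
            print(kind, key, info)
```

On the rows above the "Update Timer" BHO resolves to C:\Program Files (x86)\youtubegizm\updatebhoWin32.dll via its TypeLib, which is the file to pull from the sandbox and hash; the "script helper for ie" BHO (ProgID wit4ie.WitBHO, NoExplorer=1) and the base64: protocol handler (CTData Class) stay unresolved because the report never records their InprocServer32 or TypeLib values, so on a live host you would read those keys directly rather than guess the DLL name.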
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\DisableAddonLoadTimePerformanceNotifications = "1" | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\DisableAddonLoadTimePerformanceNotifications = "1" | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\90c5970f56673b5d52cf32f11096c130_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\90c5970f56673b5d52cf32f11096c130_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Local\Temp\dgrn.exe | "C:\Users\Admin\AppData\Local\Temp\dgrn.exe" |
| C:\ProgramData\youtubegizm\tytghn.exe | "C:\ProgramData\youtubegizm\tytghn.exe" /closebr=1 /InstallOn=7 /active=24 /update=24 /interval=2880 /pubId=10005 /affId=100105 /uId={E08BCF98-9852-4EBC-92E2-FDFEB03FEED1} /version=1.0.0.5 /Override=false /Firstime=1 /IEhome=0 /IEsearch=0 /FFhome=0 /FFsearch=0 /CHhome=0 /CHsearch=0 /FFaddon=1 /CHaddon=1 /AutoSP=0 /regAppName=youtubegizm /txx=1 -regAppName=youtubegizm -txx=2 |
| C:\Windows\SysWOW64\taskkill.exe | "C:\Windows\System32\taskkill.exe" /F /IM IExplore.exe |
| C:\Windows\system32\taskeng.exe | taskeng.exe {B6E3E206-1240-49A1-AF75-841A2C42DDD6} S-1-5-18:NT AUTHORITY\System:Service: |
| C:\ProgramData\youtubegizm\tytghn.exe | C:\ProgramData\youtubegizm\tytghn.exe /task=0 /closebr=1 /InstallOn=7 /active=24 /update=24 /interval=2880 /pubId=10005 /affId=100105 /uId={E08BCF98-9852-4EBC-92E2-FDFEB03FEED1} /version=1.0.0.5 /Override=false /IEhome=0 /IEsearch=0 /FFhome=0 /FFsearch=0 /CHhome=0 /CHsearch=0 /FFaddon=1 /CHaddon=1 /AutoSP=0 /regAppName=youtubegizm /txx=1 -regAppName=youtubegizm -txx=2 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 356 |
| C:\ProgramData\youtubegizm\tytghn.exe | C:\ProgramData\youtubegizm\tytghn.exe /task=1 /closebr=1 /InstallOn=7 /active=24 /update=24 /interval=2880 /pubId=10005 /affId=100105 /uId={E08BCF98-9852-4EBC-92E2-FDFEB03FEED1} /version=1.0.0.5 /Override=false /IEhome=0 /IEsearch=0 /FFhome=0 /FFsearch=0 /CHhome=0 /CHsearch=0 /FFaddon=1 /CHaddon=1 /AutoSP=0 /regAppName=youtubegizm /txx=1 -regAppName=youtubegizm -txx=2 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 364 |
| C:\ProgramData\youtubegizm\tytghn.exe | C:\ProgramData\youtubegizm\tytghn.exe /task=2 /closebr=1 /InstallOn=7 /active=24 /update=24 /interval=2880 /pubId=10005 /affId=100105 /uId={E08BCF98-9852-4EBC-92E2-FDFEB03FEED1} /version=1.0.0.5 /Override=false /IEhome=0 /IEsearch=0 /FFhome=0 /FFsearch=0 /CHhome=0 /CHsearch=0 /FFaddon=1 /CHaddon=1 /AutoSP=0 /regAppName=youtubegizm /txx=1 -regAppName=youtubegizm -txx=2 |
| C:\ProgramData\youtubegizm\tytghn.exe | C:\ProgramData\youtubegizm\tytghn.exe /task=4 /closebr=1 /InstallOn=7 /active=24 /update=24 /interval=2880 /pubId=10005 /affId=100105 /uId={E08BCF98-9852-4EBC-92E2-FDFEB03FEED1} /version=1.0.0.5 /Override=false /IEhome=0 /IEsearch=0 /FFhome=0 /FFsearch=0 /CHhome=0 /CHsearch=0 /FFaddon=1 /CHaddon=1 /AutoSP=0 /regAppName=youtubegizm /txx=1 -regAppName=youtubegizm -txx=2 |
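The tytghn.exe command lines carry the whole installer configuration in the clear: affiliate and publisher IDs (pubId, affId), a per-install GUID (uId), the component version, and a row of browser-facing toggles of which only closebr (force-close the browser), FFaddon and CHaddon (install the Firefox and Chrome add-ons) are set to 1 in this run, consistent with the df-le.xpi and df-ch.crx drops and the taskkill of IExplore.exe. The later /task=0, 1, 2 and 4 invocations appear after the taskeng.exe entry, consistent with the youtubegizm *.job tasks created earlier. The script below is an added example and not tooling from the report or from the sample; it parses these five command lines (copied from the table above) into a configuration an analyst can pivot on, and keeps the switch prefix so that a switch passed both as /name and -name with different values (here /txx=1 and -txx=2) is reported rather than silently collapsed.

```python
"""Extract the installer / affiliate configuration from tytghn.exe command lines."""
import re

# The five tytghn.exe command lines from the Processes table of this report.
CMDLINES = [
    r'"C:\ProgramData\youtubegizm\tytghn.exe" /closebr=1 /InstallOn=7 /active=24 /update=24 /interval=2880 /pubId=10005 /affId=100105 /uId={E08BCF98-9852-4EBC-92E2-FDFEB03FEED1} /version=1.0.0.5 /Override=false /Firstime=1 /IEhome=0 /IEsearch=0 /FFhome=0 /FFsearch=0 /CHhome=0 /CHsearch=0 /FFaddon=1 /CHaddon=1 /AutoSP=0 /regAppName=youtubegizm /txx=1 -regAppName=youtubegizm -txx=2',
    r'C:\ProgramData\youtubegizm\tytghn.exe /task=0 /closebr=1 /InstallOn=7 /active=24 /update=24 /interval=2880 /pubId=10005 /affId=100105 /uId={E08BCF98-9852-4EBC-92E2-FDFEB03FEED1} /version=1.0.0.5 /Override=false /IEhome=0 /IEsearch=0 /FFhome=0 /FFsearch=0 /CHhome=0 /CHsearch=0 /FFaddon=1 /CHaddon=1 /AutoSP=0 /regAppName=youtubegizm /txx=1 -regAppName=youtubegizm -txx=2',
    r'C:\ProgramData\youtubegizm\tytghn.exe /task=1 /closebr=1 /InstallOn=7 /active=24 /update=24 /interval=2880 /pubId=10005 /affId=100105 /uId={E08BCF98-9852-4EBC-92E2-FDFEB03FEED1} /version=1.0.0.5 /Override=false /IEhome=0 /IEsearch=0 /FFhome=0 /FFsearch=0 /CHhome=0 /CHsearch=0 /FFaddon=1 /CHaddon=1 /AutoSP=0 /regAppName=youtubegizm /txx=1 -regAppName=youtubegizm -txx=2',
    r'C:\ProgramData\youtubegizm\tytghn.exe /task=2 /closebr=1 /InstallOn=7 /active=24 /update=24 /interval=2880 /pubId=10005 /affId=100105 /uId={E08BCF98-9852-4EBC-92E2-FDFEB03FEED1} /version=1.0.0.5 /Override=false /IEhome=0 /IEsearch=0 /FFhome=0 /FFsearch=0 /CHhome=0 /CHsearch=0 /FFaddon=1 /CHaddon=1 /AutoSP=0 /regAppName=youtubegizm /txx=1 -regAppName=youtubegizm -txx=2',
    r'C:\ProgramData\youtubegizm\tytghn.exe /task=4 /closebr=1 /InstallOn=7 /active=24 /update=24 /interval=2880 /pubId=10005 /affId=100105 /uId={E08BCF98-9852-4EBC-92E2-FDFEB03FEED1} /version=1.0.0.5 /Override=false /IEhome=0 /IEsearch=0 /FFhome=0 /FFsearch=0 /CHhome=0 /CHsearch=0 /FFaddon=1 /CHaddon=1 /AutoSP=0 /regAppName=youtubegizm /txx=1 -regAppName=youtubegizm -txx=2',
]

TOKEN = re.compile(r'"[^"]*"|\S+')                 # whitespace-separated unless double-quoted
SWITCH = re.compile(r'^([/-])([^=\s]+)(?:=(.*))?$')  # /name=value, -name=value or bare /name

# Options that change what the user sees in the browser: homepage and search
# overrides, add-on installs, forced browser close.  Names are the sample's own.
BROWSER_TOGGLES = ('closebr', 'IEhome', 'IEsearch', 'FFhome', 'FFsearch',
                   'CHhome', 'CHsearch', 'FFaddon', 'CHaddon', 'AutoSP')


def parse_switches(cmdline):
    """Return (image path, {'/name' or '-name': value}); a bare switch maps to True."""
    tokens = TOKEN.findall(cmdline)
    image = tokens[0].strip('"')
    switches = {}
    for tok in tokens[1:]:
        m = SWITCH.match(tok)
        if m:
            prefix, name, value = m.groups()
            switches[prefix + name] = True if value is None else value
    return image, switches


def values(switches, name):
    """Every value given for `name`, whichever prefix was used (slash form first)."""
    return [switches[k] for k in ('/' + name, '-' + name) if k in switches]


def enabled_toggles(switches):
    """Browser-facing toggles that are switched on (value 1)."""
    return [t for t in BROWSER_TOGGLES if values(switches, t)[:1] == ['1']]


def campaign_ids(switches):
    """Tracking identifiers an analyst would pivot on across other samples."""
    return {k: values(switches, k)[0] for k in ('regAppName', 'pubId', 'affId', 'uId', 'version')}


def conflicting_switches(switches):
    """Names passed both as /name and -name with different values."""
    names = {k[1:] for k in switches}
    return sorted(n for n in names if len(set(values(switches, n))) > 1)


def task_runs(cmdlines):
    """The /task=N value of each invocation, None for the initial install run."""
    runs = []
    for c in cmdlines:
        _, sw = parse_switches(c)
        t = values(sw, 'task')
        runs.append(int(t[0]) if t else None)
    return runs


if __name__ == '__main__':
    image, sw = parse_switches(CMDLINES[0])
    print(image)
    print('campaign ids:', campaign_ids(sw))
    print('enabled browser toggles:', enabled_toggles(sw))
    print('conflicting switches:', conflicting_switches(sw))
    print('task re-runs:', task_runs(CMDLINES))
```

The install run is the only one carrying /Firstime=1; the re-runs differ from it only by the /task=N switch, so the job files under C:\Windows\Tasks are just re-invocations of the same binary with the same affiliate configuration, and pubId, affId and uId are the values worth searching for in other installers of this family.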
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ws.xcodelib.net | udp |
Files
memory/2528-0-0x0000000000150000-0x0000000000151000-memory.dmp
\Users\Admin\AppData\Local\Temp\dgrn.exe
| MD5 | 90f0358fcd19f2b19ff62bca3f5e34e6 |
| SHA1 | 91309ef459708ce170c4cf260db477c9ad46569b |
| SHA256 | 2c068552115abb5bd8ebee6ae6f9f9c4e876b06bc0f10307a33996eaa2e48cbb |
| SHA512 | 32657c7a1223d065230d91a7852b904d27d65ac5b08e6b533ea9781677ab8181971d81e817bf40adbf029fe5a9b194fda0fffb4721eaccc5bba12a9c1a718387 |
\Users\Admin\AppData\Local\Temp\nsoA7C5.tmp\KillProcDLL.dll
| MD5 | 83142eac84475f4ca889c73f10d9c179 |
| SHA1 | dbe43c0de8ef881466bd74861b2e5b17598b5ce8 |
| SHA256 | ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729 |
| SHA512 | 1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1 |
\Users\Admin\AppData\Local\Temp\nsoA7C5.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
memory/1936-61-0x0000000002720000-0x0000000002743000-memory.dmp
\Program Files (x86)\youtubegizm\toolbar.dll
| MD5 | a4efaf7a21baac166810f9790f0c693d |
| SHA1 | eebca444b31d79ad37aec6076ba487942b5df0ea |
| SHA256 | a85bfacf0d2c2d5a6a4b62720a69e1e8fe0347653cf914fe82bb9c74d73bd3b1 |
| SHA512 | 32ff2899e917c9ae3e959f1183967711067e30dfd5a2f90ab0f33f524710f137561a69c7c3d265336829b1cfe401809906acbfbc7d03dbcd1046ac517b134f40 |
\ProgramData\youtubegizm\tytghn.exe
| MD5 | 611619f98af4df3bbb077f474963c9da |
| SHA1 | 522144139ef78abce5cd25f34dae82f0a369f572 |
| SHA256 | 20f035d90ef228b5a6a998cec13d7bddf00ef20c60a58167fe4230297cc25b54 |
| SHA512 | 05a01f68ae299e22b08c9c3979064ae54483fda7104ebb6409f8e9939f9f76fca9f40a707d52e356575d9ac2c99f4bcd092e93aaf4391d96d12f15b1d70125cc |
C:\ProgramData\youtubegizm\valuese.xml
| MD5 | 227bdc41ed630efdb2061daa15859b68 |
| SHA1 | bedb6860595d0ec863bff16ac71337082a58aec2 |
| SHA256 | 8dfb5773f05bad3c36db328cd2a352791d92c83a94f629360f9ab6ca6c719e6c |
| SHA512 | 64c09d8d887943b8b59f2cce210a70158b0720421a10503c29e67f134bbd690ce05572980cd3f813e31801df5aeef4c5b6b9a2d2ec2efaacbbd4a0b2c1299028 |
C:\ProgramData\youtubegizm\df-ch.crx
| MD5 | a1704d581f799418db15df5e91dcff59 |
| SHA1 | 6dae4dfa59e235c0f071d70678b4311ebb407cc5 |
| SHA256 | 3e1c383d3fc1c4cab1995ee035b0f49236641a9d7cc391e563e88b5cd39f585f |
| SHA512 | b7cab05d8b571a3fbf57ed07ef873a81a9ebfb9b143ad7473f740bbe4e9947c341e650cf531c609a48947f6434935ae30e04c476fd6d7e9f85bb8239bf80ec86 |
memory/2740-77-0x0000000000450000-0x0000000000451000-memory.dmp
C:\ProgramData\youtubegizm\df-le.xpi
| MD5 | 9b41c8cfd735e83a6ddde1b29be08e4e |
| SHA1 | 0db4358bba72b2c96e027f00f2368878ea9f4e35 |
| SHA256 | 5fbdfd771cac9fe30121cb694f8dd98d9eb22f2923a9b91fd8fe69d89bf19b3b |
| SHA512 | b29a204f23ffa0d7adeea5879821516b8b516d811c83fbfcc4c96d7dd1ed702f7398cf49c003331f14f4283cb5be8923d5d3b967d62c87a4bd8e2844153cf2dd |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.Admin\extensions\[email protected]\chrome\content\icon.png
| MD5 | 34d97d8507b37d0fd790c0489f102a6b |
| SHA1 | 89b5eba2d945d5b1bae4aa0464ca225ffad04ebf |
| SHA256 | ac3717b581dd69d07a31c34fcdfbc600685ada80340ec6de2781ca30d5a869aa |
| SHA512 | edfd5ec831b4aa5c379ea9e6fa6c058a04787c8d1ebc90aed1a86c7c9de23fd955baedd1929b1cde202ef4159afb9750d826668b92bcd9be166bae59b79cf3bc |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.Admin\extensions\[email protected]\chrome\content\jquery4toolbar.js
| MD5 | 432e6ce300e0604b682c612aa0de1c82 |
| SHA1 | c559ab91e420bdca977c4c4c3f7f5e8564a78fb2 |
| SHA256 | 6dc68cfa752a170706a347a81ccb8fd5fadf8ff5837823eb9fd5486a6882e65a |
| SHA512 | 9a463a5a884c562cfea0afc2f9a22eca258f06c6a8ea79cf4e9612079906c5c44edd50b490c067d1f8456cb1a596636a28ac51e66a10a479302bad752c3b8dc2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.Admin\extensions\[email protected]\chrome\content\fix5.js
| MD5 | 010d54d2fc0c7c7ae39324a6217030f2 |
| SHA1 | 3d73cbe8cce886b2075b5cea17d136b344814992 |
| SHA256 | 032f8af38f623f697712273292edb5268a0fa9eebd49f997450f97472794a751 |
| SHA512 | ae41156a78a60c472c27ebe5f45458836db8cf7850714f0ecf89414e12b21f0ec320ddc7d5a27db2aec5a6946dd7f436ff82f3d301998f8ae35eb8f979c6d59d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.Admin\extensions\[email protected]\chrome\content\jquery4toolbar.js_126
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.Admin\extensions\[email protected]\chrome\content\bubble.xul
| MD5 | 75743b09194736b8fc79a6dd65db177d |
| SHA1 | dbf38a26e0597697d0c6aad15e2515c398753e16 |
| SHA256 | f8ad9265fd61883ed00c3907f0f14478c8947b1ebaf1e34196efb5153cf040d6 |
| SHA512 | d151f8e97a213a59d3c41206c1aa606f179030c4ce1a24c5fb8aca17b7b783b46a9e1dc682366a3ddabe450d38b7b40cc714e23e0fced4e2a35b02ed20e1d30f |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.Admin\extensions\[email protected]\chrome\content\style.xul
| MD5 | 668dec8a49b6dc8575acc0e34ecd4284 |
| SHA1 | 9fa09a256602a30dec25e2bb83e5ab8a1ec0bafe |
| SHA256 | 022636895ac1faa46a586e7e03e1c9d74b1ee78d48d622f95938800a02b71965 |
| SHA512 | 94217e798b4258960949265d3ec7f4ba4dc4fb3c6a00fbe952975ba408bcd248e1b7e85f517ed67cee5d3d56cd110c2005d875f6b910e2e4f69bd58706a227ed |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.Admin\extensions\[email protected]\chrome\content\witmain.js
| MD5 | 290d4e5edfc05a9c619776b927eb1550 |
| SHA1 | 83b2901baa226905eab2f5270f79cc2b4abc285e |
| SHA256 | c55490b5a4a6d386fee087275d7b3515c61ac8fa63aa2a654fb1a4424f373c27 |
| SHA512 | ab90caf6c4e46c690eeef44c07dc3dbf92b40d9f311acba129cf7ed6f8ed9e3473537fcbdb9da851eb889c1adac101f003631ae25c2341aae571edb83ea40e61 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.Admin\extensions\[email protected]\chrome\content\bubble.js
| MD5 | e3cf4b651109156221e2072f83be5aa2 |
| SHA1 | be06675125c178e3ff2fd78cf57f3d643bec5cc4 |
| SHA256 | 73cde6a7691f5155a6ea9f8076dda8d00c3c62764331be13ec3ec6053d0c9f84 |
| SHA512 | 976007787974080f6b30763f61b63c6212b4ca2a234e4f6d52a529c154a8325e7619160f108641e39ae7b405cfe203a092cf4fcdb72252cfa61e8a9afaf93dce |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.Admin\extensions\[email protected]\chrome\content\fix4.js
| MD5 | 4b95306cdc01a9023a3ca1e8c7fcdd61 |
| SHA1 | f518c9d20ec181229d35089f685a9588a5b19e7d |
| SHA256 | be576aea3b146bfc77237c2cd65911e05b987c0fc74c588b9ab07ba19ad1067d |
| SHA512 | 4733f3eb0f7002b49b6d448ed5f22ed6c13234df46d81014a7ffd008dc77c51e86cc49d7c49c63d7941a0f54cea8693244af0f339d0a5a864ef5a9e8bf47fca8 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.Admin\extensions\[email protected]\chrome\content\wittoolbar.js
| MD5 | cda5b2727e277b095e1c802930ab9a78 |
| SHA1 | 16898837afad35f9ea3cdb203b3881a1f1cc14b0 |
| SHA256 | 1f4f851573263382105e35dc1c32014357ea8a5d48a2d3f97e568393ac17307f |
| SHA512 | 353175636f3ae56ae97f0587c4f8b819e2ae290594982bbd2a514fe7f702570b506b9d774a7627de57f9c480f80d54a4c48f845330a7a1008fb03edb55f1bf3b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.Admin\extensions\[email protected]\chrome\content\fix3.js
| MD5 | abdc04c0bb1bac8ee8962aa5e5fba9a8 |
| SHA1 | 2689078d902bfa6d65483e26d122d0a30d2a6560 |
| SHA256 | 3bb6e43e497c67e79fb3ac8520fbe07d6a43c9777c57be349a54caf9888ca482 |
| SHA512 | 55fc2af28251c773c0def012f739e01a505867cdffb387d522f1c2fcabee4f2f8c33706c553b1ff5dc4a1dbee1bbf6926909dfb032ad813863ed2c773e0625cd |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.Admin\extensions\[email protected]\chrome\content\fix2.js
| MD5 | b5ce3889cdd24c2b2e9d540ba1aab48d |
| SHA1 | 30d6c76f244e7617c835b3769bfb1fd125e401f1 |
| SHA256 | 03e704ae5142e05e367aaf51af30485eed881d0c5c581bea3b1752095e444cd0 |
| SHA512 | f5a4fb298b53017e212eb92859eb76b138255778cb3a44822e6d5c02791b9911be68bfc1f25eb90414f8adb5160086cae0c247278b1c288d7b0e3f75f21c3023 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.Admin\extensions\[email protected]\chrome.manifest
| MD5 | 71a85ce537dcec64640fb478067e24c3 |
| SHA1 | 42337f22368a2cd7cfedeb929f26222f2b2b7ae3 |
| SHA256 | 5010be714b986edeb59eabca51c1296dd9e67138b9d965e9859d5553670a0823 |
| SHA512 | 8cd49e8d1971623dcf83cbcca200de2296d82596f6fb96840face985c24c6d0a5c67d88d9f47a1b48f66972f4907643c3d5af344f732bfda70199b746d1cac91 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.Admin\extensions\[email protected]\install.rdf
| MD5 | 6bcfd61c0d36e87fc9adeeba4ce9138a |
| SHA1 | 7a4206246fa9373802c2c139447d1748ebd433e2 |
| SHA256 | 3f005ae8abf159343a48aca821087f34a0c52897c3d2371904bc73668b1aa7e7 |
| SHA512 | 7e01737e70e8f2d80d040e000b0345379251ff3d0b08b965c3eb79addad38fc20231ef62ed01c29b0befd2f5e185fc184d8a8207730f81aee8b84a57ab9f4e95 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\extensions\[email protected]\chrome\content\jquery4toolbar.js_126
| MD5 | 224c257265b43f4b4e5ebe21e7575dbe |
| SHA1 | 4a7990cfea863655aca06e4c7ee708a0641d4e35 |
| SHA256 | a63ca336dd561218555d730194dae3b778212d41bc3c164232f5cf627702f90a |
| SHA512 | 9559e1c7db6402b2803d953ddadf49195785a642cd9849d8caf3333ee829d6a9e3ee3037234b83a8a2d4fd35eaec346bf313f22874a33d6bf5690fe1ec52cdec |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\extensions\[email protected]\chrome\content\lock.js
| MD5 | 02469e8f69f26729bf7373aaf83e7687 |
| SHA1 | cee5b53a1b7f93986b9d336ea43e640da532eba6 |
| SHA256 | 86b85ba075a4af0c0ba4496484f0dd335e4abcb6782495dd0fb936bcf26b5c4f |
| SHA512 | 45b75dd965ac95768aaed7bf7ac6e5317bd5ebbfdfde4920930e8258529b25979c0f335f335053538ad0d3940203694f8cde2dc71b57e0ad60adad65f5d763ec |
C:\Windows\Tasks\youtubegizm Chrome Watcher.job
| MD5 | 0ee7c6cabaaa3aeef5dae3b38d51b0d6 |
| SHA1 | 586508cf03c53799c76469affa5455366ae5ba74 |
| SHA256 | 10f1b7d3644b299cd86db5d5f61213aee80861db6ce5fe712ef021741965cd0b |
| SHA512 | bb3b2dfee375726d1ebf492d362c41ec1c8f809f112ce49947e2d0c0fad6135b9da8f90c24c40857f5d749958b5ae619d40dab2a6acc61d2cdc623b8d73e8489 |
\Program Files (x86)\youtubegizm\tdataprotocol.dll
| MD5 | ffdc730ec5f8b90e4dda0c7685650c9d |
| SHA1 | 0f052108bcef14beffb6f325981b22fc40c7d047 |
| SHA256 | 2373e11595d02e279ed64925233f802e03f8e68f3d85649e360b0db17e1e191e |
| SHA512 | 172914e1c1e69da1eb1844fc2a7c10de153e7ad1c97ad5bd9821ca82a0ab37838085cdc2ae9d3301a1d900662f4b9fc0c2737ff97e02566320d08630e4ac327c |
\Program Files (x86)\youtubegizm\jsloader.dll
| MD5 | 51d72c5c44c3cadb21128c225ba7a569 |
| SHA1 | 94da06230ffbbe9f4d22e9b0422a279004a7b848 |
| SHA256 | 50c36830ca56b2a9ccbecd650767af742bd1a2fc4cc18ac9cd2d18d8da8259c1 |
| SHA512 | 2ec980a01e8f237bc863686bba0f35ae291b3626356905c0889086bf71c3362411984ad2af6fbba893863105852fae36be8cdd34798f46128486eedb67b9569a |
\Program Files (x86)\youtubegizm\updatebhoWin32.dll
| MD5 | 4ef3b332db3d6b45c47414e056d99ad3 |
| SHA1 | fdec55c9fc31e9e65a832407d0e843433d75bc14 |
| SHA256 | 601e473f4f509ebb12b3b0a47f979819ddc64cd5aa768abacdf6e67a6cb3eeb7 |
| SHA512 | 26f924340779b52683f660468974da5d42c9dc05f9d25764527ca343054bec7f42cc90e384c1316130af67399dc60bc2ca1000738a3f214a9a9aea492ddbdc4a |
C:\Program Files (x86)\youtubegizm\uninstall.exe
| MD5 | e9bfb4b02a1aaafcbf5a2ef6f91751c1 |
| SHA1 | c930d7fad8fa9e2a937d449bce5498fb303444f8 |
| SHA256 | 6fd9d03718cc3dfb353e1daf2d35d4758a93fc8ef68ddbcc801f6cfdc27e1a6d |
| SHA512 | e76d20cf5aad8f9ab05acb211212dff644f75039535fabfcf5542d76fd10f29d3508972ba20c3bb89f3f440d44c32ef485b7204b23e1faeb044ae420072048c8 |
C:\Windows\Tasks\youtubegizm Stats Report.job
| MD5 | a1b7c5b8d840272c1a91d7ff68f7a96a |
| SHA1 | 66c8c2319562a485bf0b85b3735b26a62ec605f6 |
| SHA256 | fa0742d88faae21da9a329623f2a426746e2dc0aab46888bfa0bba41526eef59 |
| SHA512 | 9b5399593e9f805adae5b266bcb5b15f6cc128911cb43161c0ddda5a44f06e10918cc6f0664d2ffb587d0378bd7299e778cb797e92b456f54bf1c8d45b39e562 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-23 21:33
Reported
2024-11-23 21:35
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Panda Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
PandaStealer
Pandastealer family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\90c5970f56673b5d52cf32f11096c130_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| N/A | N/A | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| N/A | N/A | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| N/A | N/A | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| N/A | N/A | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| N/A | N/A | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54} | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}\ = "script helper for ie" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{963B125B-8B21-49A2-A3A8-E37092276531} | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{963B125B-8B21-49A2-A3A8-E37092276531}\ = "Update Timer" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\youtubegizm\terms.lnk.url | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| File created | C:\Program Files (x86)\youtubegizm\toolbar.dll | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| File created | C:\Program Files (x86)\youtubegizm\logo.ico | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| File created | C:\Program Files (x86)\youtubegizm\updatebhoWin32.dll | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| File created | C:\Program Files (x86)\youtubegizm\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| File created | C:\Program Files (x86)\youtubegizm\jsloader.dll | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| File created | C:\Program Files (x86)\youtubegizm\tdataprotocol.dll | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| File created | C:\Program Files (x86)\youtubegizm\widgetserv.exe | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| File created | C:\Program Files (x86)\youtubegizm\updater.ini | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Tasks\youtubegizm Chrome Watcher.job | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| File created | C:\Windows\Tasks\youtubegizm Stats Report.job | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| File opened for modification | C:\Windows\Tasks\youtubegizm Stats Report.job | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| File opened for modification | C:\Windows\Tasks\youtubegizm Stats Report.job | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| File created | C:\Windows\Tasks\youtubegizm Update Checker.job | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| File opened for modification | C:\Windows\Tasks\youtubegizm Update Checker.job | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| File created | C:\Windows\Tasks\youtubegizm FireFox Watcher.job | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| File opened for modification | C:\Windows\Tasks\youtubegizm FireFox Watcher.job | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| File opened for modification | C:\Windows\Tasks\youtubegizm Runner.job | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| File created | C:\Windows\Tasks\youtubegizm Chrome Watcher.job | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| File created | C:\Windows\Tasks\youtubegizm Runner.job | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\90c5970f56673b5d52cf32f11096c130_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\ | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Approved Extensions | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Approved Extensions | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{963B125B-8B21-49A2-A3A8-E37092276531} | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\ | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{963B125B-8B21-49A2-A3A8-E37092276531} | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{848B6490-7D35-4482-8C9F-C1350C53C5A5} | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{848B6490-7D35-4482-8C9F-C1350C53C5A5}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\updatebho.TimerBHO\ = "ytg timer" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\tdataprotocol.DLL\AppID = "{ED6535E7-F778-48A5-A060-549D30024511}" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FA44816-ECC1-4582-89C8-C8B043BA7656}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\updatebho.TimerBHO.1\CLSID\ = "{963B125B-8B21-49A2-A3A8-E37092276531}" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9F0C17EB-EF2C-4278-9136-2D547656BC03}\TypeLib\ = "{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{373ED12D-B306-43AC-9485-A7C5133DC34C}\ = "updatebho" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\tdataprotocol.CTData\CLSID\ = "{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}\ = "CTData Class" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}\ProgID | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}\VersionIndependentProgID\ = "tdataprotocol.CTData" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\chrome\ = "chrome: pluggable protocol" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}\TypeLib\ = "{1fa44816-ecc1-4582-89c8-c8b043ba7656}" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{ED6535E7-F778-48A5-A060-549D30024511} | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{830B56CB-FD22-44AA-9887-7898F4F4158D}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9F0C17EB-EF2C-4278-9136-2D547656BC03}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\tdataprotocol.CTData\CurVer | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}\ProgID\ = "wit4ie.WitBHO.2" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FA44816-ECC1-4582-89C8-C8B043BA7656}\1.0\ = "wit4ie 2.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{848B6490-7D35-4482-8C9F-C1350C53C5A5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\updatebho.DLL\AppID = "{373ED12D-B306-43AC-9485-A7C5133DC34C}" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}\InprocServer32\ = "C:\\Program Files (x86)\\youtubegizm\\jsloader.dll" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{848B6490-7D35-4482-8C9F-C1350C53C5A5}\ = "IWitBHO" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{848B6490-7D35-4482-8C9F-C1350C53C5A5}\TypeLib\ = "{1FA44816-ECC1-4582-89C8-C8B043BA7656}" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\updatebho.TimerBHO | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\base64 | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{830B56CB-FD22-44AA-9887-7898F4F4158D}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\youtubegizm" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}\1.0\0\win32\ = "C:\\Program Files (x86)\\youtubegizm\\updatebhoWin32.dll" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1} | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\wit4ie.DLL\AppID = "{20EDC024-43C5-423E-B7F5-FD93523E0D9F}" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FA44816-ECC1-4582-89C8-C8B043BA7656} | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\updatebho.TimerBHO\CLSID\ = "{963B125B-8B21-49A2-A3A8-E37092276531}" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}\TypeLib | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wit4ie.WitBHO\CurVer | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}\ = "ygBHO Class" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{848B6490-7D35-4482-8C9F-C1350C53C5A5}\TypeLib | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{963B125B-8B21-49A2-A3A8-E37092276531}\InprocServer32\ = "C:\\Program Files (x86)\\youtubegizm\\updatebhoWin32.dll" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9F0C17EB-EF2C-4278-9136-2D547656BC03}\TypeLib\ = "{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}\TypeLib\ = "{830B56CB-FD22-44AA-9887-7898F4F4158D}" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{848B6490-7D35-4482-8C9F-C1350C53C5A5} | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\base64\ = "base64: pluggable protocol" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{830B56CB-FD22-44AA-9887-7898F4F4158D}\1.0\ = "tdataprotocol 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{830B56CB-FD22-44AA-9887-7898F4F4158D}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ed1e27f0-1bcd-42a4-ad62-7fc21e086e54}\Programmable | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FA44816-ECC1-4582-89C8-C8B043BA7656}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\tdataprotocol.CTData\CurVer\ = "tdataprotocol.CTData.1" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wit4ie.WitBHO | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{848B6490-7D35-4482-8C9F-C1350C53C5A5}\TypeLib | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{963B125B-8B21-49A2-A3A8-E37092276531} | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{963B125B-8B21-49A2-A3A8-E37092276531}\ProgID\ = "updatebho.TimerBHO.1" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{ED6535E7-F778-48A5-A060-549D30024511}\ = "tdataprotocol" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\tdataprotocol.CTData\CLSID | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\chrome\CLSID = "{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FA44816-ECC1-4582-89C8-C8B043BA7656}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\youtubegizm" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{963B125B-8B21-49A2-A3A8-E37092276531}\TypeLib\ = "{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{955B782E-CDC8-4CEE-B6F6-AD7D541A8D8A}\1.0\ = "updatebho 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9F0C17EB-EF2C-4278-9136-2D547656BC03}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\base64\CLSID = "{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}" | C:\Users\Admin\AppData\Local\Temp\dgrn.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\DisableAddonLoadTimePerformanceNotifications = "1" | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\DisableAddonLoadTimePerformanceNotifications = "1" | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext | C:\ProgramData\youtubegizm\tytghn.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\90c5970f56673b5d52cf32f11096c130_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\90c5970f56673b5d52cf32f11096c130_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\dgrn.exe
"C:\Users\Admin\AppData\Local\Temp\dgrn.exe"
C:\ProgramData\youtubegizm\tytghn.exe
"C:\ProgramData\youtubegizm\tytghn.exe" /closebr=1 /InstallOn=7 /active=24 /update=24 /interval=2880 /pubId=10005 /affId=100105 /uId={6C9E35DE-44D5-4650-8C83-BB370D80EDE5} /version=1.0.0.5 /Override=false /Firstime=1 /IEhome=0 /IEsearch=0 /FFhome=0 /FFsearch=0 /CHhome=0 /CHsearch=0 /FFaddon=1 /CHaddon=1 /AutoSP=0 /regAppName=youtubegizm /txx=1 -regAppName=youtubegizm -txx=2
C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /F /IM IExplore.exe
C:\ProgramData\youtubegizm\tytghn.exe
C:\ProgramData\youtubegizm\tytghn.exe /task=0 /closebr=1 /InstallOn=7 /active=24 /update=24 /interval=2880 /pubId=10005 /affId=100105 /uId={6C9E35DE-44D5-4650-8C83-BB370D80EDE5} /version=1.0.0.5 /Override=false /IEhome=0 /IEsearch=0 /FFhome=0 /FFsearch=0 /CHhome=0 /CHsearch=0 /FFaddon=1 /CHaddon=1 /AutoSP=0 /regAppName=youtubegizm /txx=1 -regAppName=youtubegizm -txx=2
C:\ProgramData\youtubegizm\tytghn.exe
C:\ProgramData\youtubegizm\tytghn.exe /task=1 /closebr=1 /InstallOn=7 /active=24 /update=24 /interval=2880 /pubId=10005 /affId=100105 /uId={6C9E35DE-44D5-4650-8C83-BB370D80EDE5} /version=1.0.0.5 /Override=false /IEhome=0 /IEsearch=0 /FFhome=0 /FFsearch=0 /CHhome=0 /CHsearch=0 /FFaddon=1 /CHaddon=1 /AutoSP=0 /regAppName=youtubegizm /txx=1 -regAppName=youtubegizm -txx=2
C:\ProgramData\youtubegizm\tytghn.exe
C:\ProgramData\youtubegizm\tytghn.exe /task=2 /closebr=1 /InstallOn=7 /active=24 /update=24 /interval=2880 /pubId=10005 /affId=100105 /uId={6C9E35DE-44D5-4650-8C83-BB370D80EDE5} /version=1.0.0.5 /Override=false /IEhome=0 /IEsearch=0 /FFhome=0 /FFsearch=0 /CHhome=0 /CHsearch=0 /FFaddon=1 /CHaddon=1 /AutoSP=0 /regAppName=youtubegizm /txx=1 -regAppName=youtubegizm -txx=2
C:\ProgramData\youtubegizm\tytghn.exe
C:\ProgramData\youtubegizm\tytghn.exe /task=4 /closebr=1 /InstallOn=7 /active=24 /update=24 /interval=2880 /pubId=10005 /affId=100105 /uId={6C9E35DE-44D5-4650-8C83-BB370D80EDE5} /version=1.0.0.5 /Override=false /IEhome=0 /IEsearch=0 /FFhome=0 /FFsearch=0 /CHhome=0 /CHsearch=0 /FFaddon=1 /CHaddon=1 /AutoSP=0 /regAppName=youtubegizm /txx=1 -regAppName=youtubegizm -txx=2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ws.xcodelib.net | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ws.xcodelib.net | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
memory/736-0-0x0000000002E30000-0x0000000002E31000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dgrn.exe
| MD5 | 90f0358fcd19f2b19ff62bca3f5e34e6 |
| SHA1 | 91309ef459708ce170c4cf260db477c9ad46569b |
| SHA256 | 2c068552115abb5bd8ebee6ae6f9f9c4e876b06bc0f10307a33996eaa2e48cbb |
| SHA512 | 32657c7a1223d065230d91a7852b904d27d65ac5b08e6b533ea9781677ab8181971d81e817bf40adbf029fe5a9b194fda0fffb4721eaccc5bba12a9c1a718387 |
C:\Users\Admin\AppData\Local\Temp\nsd7418.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
C:\Users\Admin\AppData\Local\Temp\nsd7418.tmp\KillProcDLL.dll
| MD5 | 83142eac84475f4ca889c73f10d9c179 |
| SHA1 | dbe43c0de8ef881466bd74861b2e5b17598b5ce8 |
| SHA256 | ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729 |
| SHA512 | 1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1 |
C:\Program Files (x86)\youtubegizm\toolbar.dll
| MD5 | a4efaf7a21baac166810f9790f0c693d |
| SHA1 | eebca444b31d79ad37aec6076ba487942b5df0ea |
| SHA256 | a85bfacf0d2c2d5a6a4b62720a69e1e8fe0347653cf914fe82bb9c74d73bd3b1 |
| SHA512 | 32ff2899e917c9ae3e959f1183967711067e30dfd5a2f90ab0f33f524710f137561a69c7c3d265336829b1cfe401809906acbfbc7d03dbcd1046ac517b134f40 |
memory/4364-67-0x00000000023B0000-0x00000000023D3000-memory.dmp
C:\ProgramData\youtubegizm\tytghn.exe
| MD5 | 611619f98af4df3bbb077f474963c9da |
| SHA1 | 522144139ef78abce5cd25f34dae82f0a369f572 |
| SHA256 | 20f035d90ef228b5a6a998cec13d7bddf00ef20c60a58167fe4230297cc25b54 |
| SHA512 | 05a01f68ae299e22b08c9c3979064ae54483fda7104ebb6409f8e9939f9f76fca9f40a707d52e356575d9ac2c99f4bcd092e93aaf4391d96d12f15b1d70125cc |
C:\ProgramData\youtubegizm\valuese.xml
| MD5 | 227bdc41ed630efdb2061daa15859b68 |
| SHA1 | bedb6860595d0ec863bff16ac71337082a58aec2 |
| SHA256 | 8dfb5773f05bad3c36db328cd2a352791d92c83a94f629360f9ab6ca6c719e6c |
| SHA512 | 64c09d8d887943b8b59f2cce210a70158b0720421a10503c29e67f134bbd690ce05572980cd3f813e31801df5aeef4c5b6b9a2d2ec2efaacbbd4a0b2c1299028 |
C:\ProgramData\youtubegizm\df-ch.crx
| MD5 | a1704d581f799418db15df5e91dcff59 |
| SHA1 | 6dae4dfa59e235c0f071d70678b4311ebb407cc5 |
| SHA256 | 3e1c383d3fc1c4cab1995ee035b0f49236641a9d7cc391e563e88b5cd39f585f |
| SHA512 | b7cab05d8b571a3fbf57ed07ef873a81a9ebfb9b143ad7473f740bbe4e9947c341e650cf531c609a48947f6434935ae30e04c476fd6d7e9f85bb8239bf80ec86 |
memory/3652-83-0x0000000002F60000-0x0000000002F61000-memory.dmp
C:\ProgramData\youtubegizm\df-le.xpi
| MD5 | 9b41c8cfd735e83a6ddde1b29be08e4e |
| SHA1 | 0db4358bba72b2c96e027f00f2368878ea9f4e35 |
| SHA256 | 5fbdfd771cac9fe30121cb694f8dd98d9eb22f2923a9b91fd8fe69d89bf19b3b |
| SHA512 | b29a204f23ffa0d7adeea5879821516b8b516d811c83fbfcc4c96d7dd1ed702f7398cf49c003331f14f4283cb5be8923d5d3b967d62c87a4bd8e2844153cf2dd |
C:\Windows\Tasks\youtubegizm FireFox Watcher.job
| MD5 | faa8aff8b56ea022d7fef632b365fff4 |
| SHA1 | 8374adedccdae53d097a27b5d2e85cd072718a8a |
| SHA256 | 414a78eadd92bd9f563a85539d4b93eb722e1b2a0a7bef4c8f4db9bf6bb9a49d |
| SHA512 | 7c13d7beb94c3c7b526e04ffd067be057361c3f12369a9c6e06382ab17809678003fe1abb162f1ba1e2b26715e81d67ec30ec3fe92ff14d172d6e4de90b1cb3f |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5keoqj3l.Admin\extensions\[email protected]\chrome\content\icon.png
| MD5 | 34d97d8507b37d0fd790c0489f102a6b |
| SHA1 | 89b5eba2d945d5b1bae4aa0464ca225ffad04ebf |
| SHA256 | ac3717b581dd69d07a31c34fcdfbc600685ada80340ec6de2781ca30d5a869aa |
| SHA512 | edfd5ec831b4aa5c379ea9e6fa6c058a04787c8d1ebc90aed1a86c7c9de23fd955baedd1929b1cde202ef4159afb9750d826668b92bcd9be166bae59b79cf3bc |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5keoqj3l.Admin\extensions\[email protected]\chrome\content\jquery4toolbar.js
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5keoqj3l.Admin\extensions\[email protected]\chrome\content\fix5.js
| MD5 | 010d54d2fc0c7c7ae39324a6217030f2 |
| SHA1 | 3d73cbe8cce886b2075b5cea17d136b344814992 |
| SHA256 | 032f8af38f623f697712273292edb5268a0fa9eebd49f997450f97472794a751 |
| SHA512 | ae41156a78a60c472c27ebe5f45458836db8cf7850714f0ecf89414e12b21f0ec320ddc7d5a27db2aec5a6946dd7f436ff82f3d301998f8ae35eb8f979c6d59d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5keoqj3l.Admin\extensions\[email protected]\chrome\content\jquery4toolbar.js_126
| MD5 | 224c257265b43f4b4e5ebe21e7575dbe |
| SHA1 | 4a7990cfea863655aca06e4c7ee708a0641d4e35 |
| SHA256 | a63ca336dd561218555d730194dae3b778212d41bc3c164232f5cf627702f90a |
| SHA512 | 9559e1c7db6402b2803d953ddadf49195785a642cd9849d8caf3333ee829d6a9e3ee3037234b83a8a2d4fd35eaec346bf313f22874a33d6bf5690fe1ec52cdec |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5keoqj3l.Admin\extensions\[email protected]\chrome\content\witutils.js
| MD5 | e98815b4088c11d052fce961ea863308 |
| SHA1 | 0aa226ffcbc73b435f0bf19a4f658a111f572e3d |
| SHA256 | aa7546f7a02f77a48f737644272ae18d1ec4e7fc51756d406af88e530cb8b489 |
| SHA512 | ee86a07cda4fc7cca9947dacadbf3d5d8eb63b7f0529c20d506bb75bd99de60c2dd7b354149d8ad2ba70f40fa133aa79fc619a410786d51f45f14a7a65a1d6c9 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5keoqj3l.Admin\extensions\[email protected]\chrome\content\bubble.xul
| MD5 | 75743b09194736b8fc79a6dd65db177d |
| SHA1 | dbf38a26e0597697d0c6aad15e2515c398753e16 |
| SHA256 | f8ad9265fd61883ed00c3907f0f14478c8947b1ebaf1e34196efb5153cf040d6 |
| SHA512 | d151f8e97a213a59d3c41206c1aa606f179030c4ce1a24c5fb8aca17b7b783b46a9e1dc682366a3ddabe450d38b7b40cc714e23e0fced4e2a35b02ed20e1d30f |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5keoqj3l.Admin\extensions\[email protected]\chrome\content\style.xul
| MD5 | 668dec8a49b6dc8575acc0e34ecd4284 |
| SHA1 | 9fa09a256602a30dec25e2bb83e5ab8a1ec0bafe |
| SHA256 | 022636895ac1faa46a586e7e03e1c9d74b1ee78d48d622f95938800a02b71965 |
| SHA512 | 94217e798b4258960949265d3ec7f4ba4dc4fb3c6a00fbe952975ba408bcd248e1b7e85f517ed67cee5d3d56cd110c2005d875f6b910e2e4f69bd58706a227ed |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5keoqj3l.Admin\extensions\[email protected]\chrome\content\lock.js
| MD5 | 02469e8f69f26729bf7373aaf83e7687 |
| SHA1 | cee5b53a1b7f93986b9d336ea43e640da532eba6 |
| SHA256 | 86b85ba075a4af0c0ba4496484f0dd335e4abcb6782495dd0fb936bcf26b5c4f |
| SHA512 | 45b75dd965ac95768aaed7bf7ac6e5317bd5ebbfdfde4920930e8258529b25979c0f335f335053538ad0d3940203694f8cde2dc71b57e0ad60adad65f5d763ec |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5keoqj3l.Admin\extensions\[email protected]\chrome\content\witmain.js
| MD5 | 290d4e5edfc05a9c619776b927eb1550 |
| SHA1 | 83b2901baa226905eab2f5270f79cc2b4abc285e |
| SHA256 | c55490b5a4a6d386fee087275d7b3515c61ac8fa63aa2a654fb1a4424f373c27 |
| SHA512 | ab90caf6c4e46c690eeef44c07dc3dbf92b40d9f311acba129cf7ed6f8ed9e3473537fcbdb9da851eb889c1adac101f003631ae25c2341aae571edb83ea40e61 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5keoqj3l.Admin\extensions\[email protected]\chrome\content\witapi.js
| MD5 | c48275070dec1182b66f0932024c41d1 |
| SHA1 | 3093164946b041dc4b13d1e251113da232e8bdeb |
| SHA256 | 577d9b9f3a4ee376f6863194ed322d5cfe3ab0afcb8a2b45520f0bc32e4c97e1 |
| SHA512 | f25688e437f0c23f3ac0a0e452613a23a1663813e6700740ca5049d6fb36adc26f66187b903f46aaa8ff455969d46f3026c4d126fb7adeddcf0f113c7dd7e5ab |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5keoqj3l.Admin\extensions\[email protected]\chrome\content\bubble.js
| MD5 | e3cf4b651109156221e2072f83be5aa2 |
| SHA1 | be06675125c178e3ff2fd78cf57f3d643bec5cc4 |
| SHA256 | 73cde6a7691f5155a6ea9f8076dda8d00c3c62764331be13ec3ec6053d0c9f84 |
| SHA512 | 976007787974080f6b30763f61b63c6212b4ca2a234e4f6d52a529c154a8325e7619160f108641e39ae7b405cfe203a092cf4fcdb72252cfa61e8a9afaf93dce |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5keoqj3l.Admin\extensions\[email protected]\chrome\content\fix4.js
| MD5 | 4b95306cdc01a9023a3ca1e8c7fcdd61 |
| SHA1 | f518c9d20ec181229d35089f685a9588a5b19e7d |
| SHA256 | be576aea3b146bfc77237c2cd65911e05b987c0fc74c588b9ab07ba19ad1067d |
| SHA512 | 4733f3eb0f7002b49b6d448ed5f22ed6c13234df46d81014a7ffd008dc77c51e86cc49d7c49c63d7941a0f54cea8693244af0f339d0a5a864ef5a9e8bf47fca8 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5keoqj3l.Admin\extensions\[email protected]\chrome.manifest
| MD5 | 71a85ce537dcec64640fb478067e24c3 |
| SHA1 | 42337f22368a2cd7cfedeb929f26222f2b2b7ae3 |
| SHA256 | 5010be714b986edeb59eabca51c1296dd9e67138b9d965e9859d5553670a0823 |
| SHA512 | 8cd49e8d1971623dcf83cbcca200de2296d82596f6fb96840face985c24c6d0a5c67d88d9f47a1b48f66972f4907643c3d5af344f732bfda70199b746d1cac91 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5keoqj3l.Admin\extensions\[email protected]\components\handleProtocol.js
| MD5 | 1f3402859b63193c40a54f466a8f7a46 |
| SHA1 | e4060e5def7dfe2c31123098f7e9f552a71ac993 |
| SHA256 | 07afcbcddb1b2ee757d4e4d5367bf8f50bf7cbb0b815a83513d4a3bf1bbc2679 |
| SHA512 | cf3edf88d4d48905a1ba393452503142ec3e7031cd7d0645cba79a667d3642496e487d2e9d04fbec16dfd91e1fa35ca343754053a53185fe44820150e8e5eedd |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5keoqj3l.Admin\extensions\[email protected]\install.rdf
| MD5 | 6bcfd61c0d36e87fc9adeeba4ce9138a |
| SHA1 | 7a4206246fa9373802c2c139447d1748ebd433e2 |
| SHA256 | 3f005ae8abf159343a48aca821087f34a0c52897c3d2371904bc73668b1aa7e7 |
| SHA512 | 7e01737e70e8f2d80d040e000b0345379251ff3d0b08b965c3eb79addad38fc20231ef62ed01c29b0befd2f5e185fc184d8a8207730f81aee8b84a57ab9f4e95 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\[email protected]\chrome\content\jquery4toolbar.js
| MD5 | 35f9e57cbae859127da1f423565c6624 |
| SHA1 | d749e3f956fac21f75346a7f8d22c06832595a74 |
| SHA256 | 74aee757e979cac5edde3546ec2f1306c359481f176b337c470e121cf41a8666 |
| SHA512 | 9e773ae7405ca178e0db38a63aecf86904cd8c0ffd7fe9f2b8b0410345ba813ab9d352c27ac64363b70bd85de1d039db1fd22e2c595d94e1bd3bfe08eed5e95a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\[email protected]\chrome\content\jquery4toolbar.js
| MD5 | 432e6ce300e0604b682c612aa0de1c82 |
| SHA1 | c559ab91e420bdca977c4c4c3f7f5e8564a78fb2 |
| SHA256 | 6dc68cfa752a170706a347a81ccb8fd5fadf8ff5837823eb9fd5486a6882e65a |
| SHA512 | 9a463a5a884c562cfea0afc2f9a22eca258f06c6a8ea79cf4e9612079906c5c44edd50b490c067d1f8456cb1a596636a28ac51e66a10a479302bad752c3b8dc2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\[email protected]\chrome\content\wittoolbar.js
| MD5 | cda5b2727e277b095e1c802930ab9a78 |
| SHA1 | 16898837afad35f9ea3cdb203b3881a1f1cc14b0 |
| SHA256 | 1f4f851573263382105e35dc1c32014357ea8a5d48a2d3f97e568393ac17307f |
| SHA512 | 353175636f3ae56ae97f0587c4f8b819e2ae290594982bbd2a514fe7f702570b506b9d774a7627de57f9c480f80d54a4c48f845330a7a1008fb03edb55f1bf3b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\[email protected]\chrome\content\fix3.js
| MD5 | abdc04c0bb1bac8ee8962aa5e5fba9a8 |
| SHA1 | 2689078d902bfa6d65483e26d122d0a30d2a6560 |
| SHA256 | 3bb6e43e497c67e79fb3ac8520fbe07d6a43c9777c57be349a54caf9888ca482 |
| SHA512 | 55fc2af28251c773c0def012f739e01a505867cdffb387d522f1c2fcabee4f2f8c33706c553b1ff5dc4a1dbee1bbf6926909dfb032ad813863ed2c773e0625cd |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\[email protected]\chrome\content\fix2.js
| MD5 | b5ce3889cdd24c2b2e9d540ba1aab48d |
| SHA1 | 30d6c76f244e7617c835b3769bfb1fd125e401f1 |
| SHA256 | 03e704ae5142e05e367aaf51af30485eed881d0c5c581bea3b1752095e444cd0 |
| SHA512 | f5a4fb298b53017e212eb92859eb76b138255778cb3a44822e6d5c02791b9911be68bfc1f25eb90414f8adb5160086cae0c247278b1c288d7b0e3f75f21c3023 |
C:\Windows\Tasks\youtubegizm FireFox Watcher.job
| MD5 | 9a9140e0d7fc10b6cd446ecd1e12e1a4 |
| SHA1 | add08e421e2ced834bd88be2c4c6a3d67c02ff69 |
| SHA256 | 18c8bf4b9339b1fc101849b8af29bd3e480f12d875ba44a991e71249ac80782d |
| SHA512 | ae3c47e88165d57e74508c4fcdf83a6fab9f51957e50342dd65b8b49b3b9617886d70fa85ca46d8a1bbdf8410481b30995bff5199d4310d800ec534fd3a5fc56 |
C:\Windows\Tasks\youtubegizm Chrome Watcher.job
| MD5 | 7e8ae8c5b491316108282df17d83d377 |
| SHA1 | 9a7aa7a07d6789fab3469deebe124973976509b5 |
| SHA256 | d5a12314c8677c1a86f4ed9514e7419ab7c9972de9885bdaa5afc5dac4865c8d |
| SHA512 | aa5c3e3af94864b580fce46c81c24f2efcf3a502014548db9869812026bff846d239921b6727877c08b37da9d8b0e6dff6c7d87c932931f8ff361f766c33dc36 |
C:\Windows\Tasks\youtubegizm Stats Report.job
| MD5 | fcb7f560df936267af73ed8fc2a04ef3 |
| SHA1 | 511b7c4cdc6980efadcbc8ea76107726901daa54 |
| SHA256 | 1c3ba20d4e495a77009fc9eb117c8d501466a2c439acd1b2e177216c54c2a710 |
| SHA512 | fc36e069fb47bf3682af34013b1eb9fd77a4fd41c057dab41e5b2ba4213235686297cbe91fa0caa23b5943f8b2c2ae85e675e278756af6bf566ef1592fdfcb59 |
C:\Program Files (x86)\youtubegizm\tdataprotocol.dll
| MD5 | ffdc730ec5f8b90e4dda0c7685650c9d |
| SHA1 | 0f052108bcef14beffb6f325981b22fc40c7d047 |
| SHA256 | 2373e11595d02e279ed64925233f802e03f8e68f3d85649e360b0db17e1e191e |
| SHA512 | 172914e1c1e69da1eb1844fc2a7c10de153e7ad1c97ad5bd9821ca82a0ab37838085cdc2ae9d3301a1d900662f4b9fc0c2737ff97e02566320d08630e4ac327c |
C:\Program Files (x86)\youtubegizm\jsloader.dll
| MD5 | 51d72c5c44c3cadb21128c225ba7a569 |
| SHA1 | 94da06230ffbbe9f4d22e9b0422a279004a7b848 |
| SHA256 | 50c36830ca56b2a9ccbecd650767af742bd1a2fc4cc18ac9cd2d18d8da8259c1 |
| SHA512 | 2ec980a01e8f237bc863686bba0f35ae291b3626356905c0889086bf71c3362411984ad2af6fbba893863105852fae36be8cdd34798f46128486eedb67b9569a |
C:\Program Files (x86)\youtubegizm\updatebhoWin32.dll
| MD5 | 4ef3b332db3d6b45c47414e056d99ad3 |
| SHA1 | fdec55c9fc31e9e65a832407d0e843433d75bc14 |
| SHA256 | 601e473f4f509ebb12b3b0a47f979819ddc64cd5aa768abacdf6e67a6cb3eeb7 |
| SHA512 | 26f924340779b52683f660468974da5d42c9dc05f9d25764527ca343054bec7f42cc90e384c1316130af67399dc60bc2ca1000738a3f214a9a9aea492ddbdc4a |