hxxps://yemozagame[.]blogspot[.]com/2024/09/yemoza-game[.]html

Analysis

max time kernel
28s
max time network
33s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2024, 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://yemozagame.blogspot.com/2024/09/yemoza-game.html

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 5c022479d218db01	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 17 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{BDB1A647-E725-4832-A703-C1A517E411E4}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{68AC0900-890D-11EF-9361-CAF61997B0B0} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133732612000127941"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1956	chrome.exe
1956	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4752	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe

Suspicious use of FindShellTrayWindow 46 IoCs

pid	Process
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
4472	iexplore.exe
4472	iexplore.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe

Suspicious use of SetWindowsHookEx 27 IoCs

pid	Process
4752	OpenWith.exe
4752	OpenWith.exe
4752	OpenWith.exe
4752	OpenWith.exe
4752	OpenWith.exe
4752	OpenWith.exe
4752	OpenWith.exe
4752	OpenWith.exe
4752	OpenWith.exe
4752	OpenWith.exe
4752	OpenWith.exe
4752	OpenWith.exe
4752	OpenWith.exe
4752	OpenWith.exe
4752	OpenWith.exe
4752	OpenWith.exe
4752	OpenWith.exe
4752	OpenWith.exe
4752	OpenWith.exe
4752	OpenWith.exe
4752	OpenWith.exe
4752	OpenWith.exe
4752	OpenWith.exe
4472	iexplore.exe
4472	iexplore.exe
1724	IEXPLORE.EXE
1724	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 3324	1956	chrome.exe	83
PID 1956 wrote to memory of 3324	1956	chrome.exe	83
PID 1956 wrote to memory of 3988	1956	chrome.exe	84
PID 1956 wrote to memory of 3988	1956	chrome.exe	84
PID 1956 wrote to memory of 3988	1956	chrome.exe	84
PID 1956 wrote to memory of 3988	1956	chrome.exe	84
PID 1956 wrote to memory of 3988	1956	chrome.exe	84
PID 1956 wrote to memory of 3988	1956	chrome.exe	84
PID 1956 wrote to memory of 3988	1956	chrome.exe	84
PID 1956 wrote to memory of 3988	1956	chrome.exe	84
PID 1956 wrote to memory of 3988	1956	chrome.exe	84
PID 1956 wrote to memory of 3988	1956	chrome.exe	84
PID 1956 wrote to memory of 3988	1956	chrome.exe	84
PID 1956 wrote to memory of 3988	1956	chrome.exe	84
PID 1956 wrote to memory of 3988	1956	chrome.exe	84
PID 1956 wrote to memory of 3988	1956	chrome.exe	84
PID 1956 wrote to memory of 3988	1956	chrome.exe	84
PID 1956 wrote to memory of 3988	1956	chrome.exe	84
PID 1956 wrote to memory of 3988	1956	chrome.exe	84
PID 1956 wrote to memory of 3988	1956	chrome.exe	84
PID 1956 wrote to memory of 3988	1956	chrome.exe	84
PID 1956 wrote to memory of 3988	1956	chrome.exe	84
PID 1956 wrote to memory of 3988	1956	chrome.exe	84
PID 1956 wrote to memory of 3988	1956	chrome.exe	84
PID 1956 wrote to memory of 3988	1956	chrome.exe	84
PID 1956 wrote to memory of 3988	1956	chrome.exe	84
PID 1956 wrote to memory of 3988	1956	chrome.exe	84
PID 1956 wrote to memory of 3988	1956	chrome.exe	84
PID 1956 wrote to memory of 3988	1956	chrome.exe	84
PID 1956 wrote to memory of 3988	1956	chrome.exe	84
PID 1956 wrote to memory of 3988	1956	chrome.exe	84
PID 1956 wrote to memory of 3988	1956	chrome.exe	84
PID 1956 wrote to memory of 3604	1956	chrome.exe	85
PID 1956 wrote to memory of 3604	1956	chrome.exe	85
PID 1956 wrote to memory of 436	1956	chrome.exe	86
PID 1956 wrote to memory of 436	1956	chrome.exe	86
PID 1956 wrote to memory of 436	1956	chrome.exe	86
PID 1956 wrote to memory of 436	1956	chrome.exe	86
PID 1956 wrote to memory of 436	1956	chrome.exe	86
PID 1956 wrote to memory of 436	1956	chrome.exe	86
PID 1956 wrote to memory of 436	1956	chrome.exe	86
PID 1956 wrote to memory of 436	1956	chrome.exe	86
PID 1956 wrote to memory of 436	1956	chrome.exe	86
PID 1956 wrote to memory of 436	1956	chrome.exe	86
PID 1956 wrote to memory of 436	1956	chrome.exe	86
PID 1956 wrote to memory of 436	1956	chrome.exe	86
PID 1956 wrote to memory of 436	1956	chrome.exe	86
PID 1956 wrote to memory of 436	1956	chrome.exe	86
PID 1956 wrote to memory of 436	1956	chrome.exe	86
PID 1956 wrote to memory of 436	1956	chrome.exe	86
PID 1956 wrote to memory of 436	1956	chrome.exe	86
PID 1956 wrote to memory of 436	1956	chrome.exe	86
PID 1956 wrote to memory of 436	1956	chrome.exe	86
PID 1956 wrote to memory of 436	1956	chrome.exe	86
PID 1956 wrote to memory of 436	1956	chrome.exe	86
PID 1956 wrote to memory of 436	1956	chrome.exe	86
PID 1956 wrote to memory of 436	1956	chrome.exe	86
PID 1956 wrote to memory of 436	1956	chrome.exe	86
PID 1956 wrote to memory of 436	1956	chrome.exe	86
PID 1956 wrote to memory of 436	1956	chrome.exe	86
PID 1956 wrote to memory of 436	1956	chrome.exe	86
PID 1956 wrote to memory of 436	1956	chrome.exe	86
PID 1956 wrote to memory of 436	1956	chrome.exe	86
PID 1956 wrote to memory of 436	1956	chrome.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://yemozagame.blogspot.com/2024/09/yemoza-game.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa6dc1cc40,0x7ffa6dc1cc4c,0x7ffa6dc1cc58
  2⤵
  PID:3324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1876,i,16884401938119687489,12882860114948070290,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1864 /prefetch:2
  2⤵
  PID:3988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2104,i,16884401938119687489,12882860114948070290,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2176 /prefetch:3
  2⤵
  PID:3604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,16884401938119687489,12882860114948070290,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2280 /prefetch:8
  2⤵
  PID:436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,16884401938119687489,12882860114948070290,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3140 /prefetch:1
  2⤵
  PID:3196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3144,i,16884401938119687489,12882860114948070290,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:3088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4616,i,16884401938119687489,12882860114948070290,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4628 /prefetch:8
  2⤵
  PID:4524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4920,i,16884401938119687489,12882860114948070290,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4912 /prefetch:1
  2⤵
  PID:1052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4472,i,16884401938119687489,12882860114948070290,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4636 /prefetch:8
  2⤵
  PID:1400

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3460

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4752
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\YemozaV77.rar
  2⤵
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:4472
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4472 CREDAT:17410 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1724
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\YemozaV77.rar
    3⤵
    PID:3208
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4472 CREDAT:82954 /prefetch:2
    3⤵
    PID:360
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\YemozaV77 (1).rar
    3⤵
    PID:2328
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4472 CREDAT:17414 /prefetch:2
    3⤵
    PID:2556
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\YemozaV77 (1).rar
    3⤵
    PID:3420
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4472 CREDAT:82966 /prefetch:2
    3⤵
    PID:4188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
545f8550ad2f27df3068ae3a066eadf5

SHA1
d766ae99dc435429132369a2ddb9e4642929321b

SHA256
31154737d95c0f6bb888441633458dbe47e1e9ce3a932bcb9797f56c190d5c70

SHA512
a5fd5dae0f214ea95b39e58d4e9f4e5f39c030e8565fcaff2f2a3b13fafa0501f97f3ac69b7e6b7c7c064eb60bb09daac60e6829365ba67d54a77076c2ba7624

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
f005462fb602867e1a6fc50c0997709e

SHA1
9c64514631aa138463dff6570efb5f29a677697b

SHA256
8c1d5f4199cb6fecbad6f82aabdc5331d4bbd680012fb2ab44437fd69f19effc

SHA512
831452b2c48b3cef0b527e543e1dc1ce2d70ed715f5ec1fb61321bb26d6d56b410e55ba24a5165e5451aee96ef27d971b5f5e2c30abb3fe8b90af826c9bc045c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
e17c2c649c739afe35a7af455553fe31

SHA1
5c53b282a18183bd51378d4e5305acf76f02c87e

SHA256
01853c549575b1ea63c2e3ba61f2ab062c2c9f3144717709e25af2d6fd00a3e2

SHA512
d8841486aeab11b32774303c681f1ce4755f88ef7d2c424802ce54c8677a9d9553bb8a000806fbb340ae4518e57e0dd4918ae42f446876442f9d1399cbf5fcf6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
9c1078f25d257a532fd4cdabb5e0722a

SHA1
dd4bf3c77dfecc6f1839235ede20be3594e117ac

SHA256
ca9b4e2256223cf0bff1d19ebd9c9428e745ff202e09a55407a18c852054c42b

SHA512
373564fbb1c214ce035c4af629dd61257bdaee84ff40707ab50229c7248f1f0c89c28112c450ea23c5a6eca657c02cf9de3790b3b12bb96be689328c51cf50e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
40faa9ada5c93282f3c6026c7d34ec00

SHA1
4db2e029aeb76475e07de5462e1488ee942bf51d

SHA256
9bc0b80b24d2dc978e23294778ece1593d838346427a94a882e79a1e4e47d697

SHA512
3c7eb8d2dfd3e563e0e9be403f235813af1bbd7fcfcf55d88c83cfce6b4c1ec93d90be10ced44af64b1f379e85fdcbed4b3eb998d60726c89c7042eecf393823

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
55ed6d30a8b92edba54156d250e6571b

SHA1
61d7161f1c563eff6e28e1831dc6d8137933d791

SHA256
1764194c2a31e8eb7590a142af17a0e3a672bda04bd32eadf51a930693bc2b94

SHA512
86c82c05dd1e59db19d4e838ef6ee2f2aa175070f4fc622fafa8539e249039d8b995afd8fdb8d3019861ebfe487c6a8cd33ab8fc13e6badf0261a5ecfb44fb30

Download Submit