hxxps://github[.]com/compy12312314/synapse-remasterd

Analysis

max time kernel
1799s
max time network
1685s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/compy12312314/synapse-remasterd

Score

10^/10

evasion persistence ransomware trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

YellowSkull 2.0.execmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	YellowSkull 2.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 3 IoCs

Processes:

YellowSkull 2.0.exebg.exeYSkullLock.exe

pid process

1324 YellowSkull 2.0.exe
4960 bg.exe
404 YSkullLock.exe

pid	process
1324	YellowSkull 2.0.exe
4960	bg.exe
404	YSkullLock.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\YellowSkullVirus-main\YellowSkullVirus-main\YellowSkull 2.0\YellowSkull 2.0.exe	upx
behavioral1/memory/1324-328-0x0000000000400000-0x0000000000DD9000-memory.dmp	upx
behavioral1/memory/1324-373-0x0000000000400000-0x0000000000DD9000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\YellowSkull2 Special Program = "C:\\YSkullMBRSetup.exe"	reg.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\Wallpaper = "c:\\yellowskull.bmp"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4900 taskkill.exe

pid	process
4900	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133609675961485294"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 3 IoCs

Processes:

chrome.execmd.exeSearchApp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\MuiCache	SearchApp.exe

Modifies registry key 1 TTPs 7 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

3108 reg.exe
3408 reg.exe
5000 reg.exe
2744 reg.exe
2752 reg.exe
3332 reg.exe
1232 reg.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

1804 chrome.exe
1804 chrome.exe
3508 chrome.exe
3508 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

1804 chrome.exe
1804 chrome.exe

pid	process
3108	reg.exe
3408	reg.exe
5000	reg.exe
2744	reg.exe
2752	reg.exe
3332	reg.exe
1232	reg.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe

Suspicious use of FindShellTrayWindow 42 IoCs

Processes:

chrome.exe7zG.exe

pid	process
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
5000	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

YSkullLock.exe

pid process

404 YSkullLock.exe

pid	process
404	YSkullLock.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1804 wrote to memory of 1728	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 1728	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 64	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 64	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 64	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 64	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 64	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 64	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 64	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 64	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 64	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 64	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 64	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 64	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 64	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 64	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 64	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 64	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 64	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 64	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 64	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 64	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 64	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 64	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 64	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 64	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 64	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 64	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 64	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 64	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 64	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 64	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 64	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 3100	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 3100	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 3396	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 3396	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 3396	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 3396	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 3396	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 3396	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 3396	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 3396	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 3396	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 3396	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 3396	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 3396	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 3396	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 3396	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 3396	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 3396	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 3396	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 3396	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 3396	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 3396	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 3396	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 3396	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 3396	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 3396	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 3396	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 3396	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 3396	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 3396	1804	chrome.exe	chrome.exe
PID 1804 wrote to memory of 3396	1804	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/compy12312314/synapse-remasterd
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ffb343aab58,0x7ffb343aab68,0x7ffb343aab78
2⤵
PID:1728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1684 --field-trial-handle=1932,i,6471143202513487904,7334662796309868619,131072 /prefetch:2
2⤵
PID:64

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 --field-trial-handle=1932,i,6471143202513487904,7334662796309868619,131072 /prefetch:8
2⤵
PID:3100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2224 --field-trial-handle=1932,i,6471143202513487904,7334662796309868619,131072 /prefetch:8
2⤵
PID:3396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2036 --field-trial-handle=1932,i,6471143202513487904,7334662796309868619,131072 /prefetch:1
2⤵
PID:2524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3024 --field-trial-handle=1932,i,6471143202513487904,7334662796309868619,131072 /prefetch:1
2⤵
PID:5100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4344 --field-trial-handle=1932,i,6471143202513487904,7334662796309868619,131072 /prefetch:8
2⤵
PID:1424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4516 --field-trial-handle=1932,i,6471143202513487904,7334662796309868619,131072 /prefetch:8
2⤵
PID:2836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4560 --field-trial-handle=1932,i,6471143202513487904,7334662796309868619,131072 /prefetch:8
2⤵
PID:1164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=212 --field-trial-handle=1932,i,6471143202513487904,7334662796309868619,131072 /prefetch:8
2⤵
PID:1212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4560 --field-trial-handle=1932,i,6471143202513487904,7334662796309868619,131072 /prefetch:8
2⤵
PID:4856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1552 --field-trial-handle=1932,i,6471143202513487904,7334662796309868619,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3508

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2152

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4664

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\YellowSkullVirus-main\YellowSkullVirus-main\YellowSkull 2.0\" -ad -an -ai#7zMap4205:180:7zEvent30257
1⤵
- Suspicious use of FindShellTrayWindow
PID:5000

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\YellowSkullVirus-main\YellowSkullVirus-main\YellowSkull 2.0\readme.txt
1⤵
PID:1616

C:\Users\Admin\Downloads\YellowSkullVirus-main\YellowSkullVirus-main\YellowSkull 2.0\YellowSkull 2.0.exe
"C:\Users\Admin\Downloads\YellowSkullVirus-main\YellowSkullVirus-main\YellowSkull 2.0\YellowSkull 2.0.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:1324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2428.tmp\YellowSkull2.bat" "
2⤵
- Checks computer location settings
- Modifies registry class
PID:4504

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\yellowskull.bmp /f
3⤵
- Sets desktop wallpaper using registry
PID:4960

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:4884

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:1212

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:3896

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:3748

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:1004

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:4848

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:2660

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:4736

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:396

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:3924

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:3788

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:1460

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:4176

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:3284

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:5024

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:4988

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:5040

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:3156

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:2184

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:884

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:3832

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:1408

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:412

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:4292

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:3520

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:2512

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:2892

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:4888

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:2696

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:2060

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:2528

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:4856

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:4112

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:2244

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:208

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im explorer.exe
3⤵
- Kills process with taskkill
PID:4900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
3⤵
- Modifies registry key
PID:2744

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
3⤵
- Modifies registry key
PID:2752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
3⤵
- Modifies registry key
PID:3332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
3⤵
- Modifies registry key
PID:1232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
3⤵
- Modifies registry key
PID:3108

C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
3⤵
- UAC bypass
- Modifies registry key
PID:3408

C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
- UAC bypass
- Modifies registry key
PID:5000

C:\Users\Admin\AppData\Local\Temp\2428.tmp\bg.exe
bg.exe
3⤵
- Executes dropped EXE
PID:4960

C:\Users\Admin\AppData\Local\Temp\2428.tmp\YSkullLock.exe
YSkullLock.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:404

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "YellowSkull2 Special Program" /t REG_SZ /F /D "C:\YSkullMBRSetup.exe"
3⤵
- Adds Run key to start application
PID:2852

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2428.tmp\k.vbs"
3⤵
PID:2028

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x460 0x4b0
1⤵
PID:4848

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies registry class
PID:5008

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\31e24f78-d9ac-4f34-a696-8646d9393819.tmp
Filesize
98KB

MD5
a1e6665f8831d3867415e5d0f8ebbc9c

SHA1
13245bd0419ff2d0007ab6ea8b3b4402ceb03621

SHA256
e7d9dd08c6c3d557b9a94060dfc7aa51c514557102c5ced57c1baaf6b1f513d3

SHA512
a36ff2a06a5af7d00241a37bbc4d40a7dfc6b0685b80676932bbadeae59d77262355faf9dc154474732f6f153b5effdad1db9043c217273458282ab0cbab11ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
5b6ed215ef6ed26974656d3240316d80

SHA1
5606f46799a2a2cd88b575cae93b73fbf7a78825

SHA256
4c623b4ab26ca0b77d8716846fea6213deb1b110df5c91c417ad6e922b377eb2

SHA512
a2ba55531684af656c32621dc08872c99ad73c98f7d58de6894cf03c3c3ff66354ffa8c9c9b911b9e86e0c7b79559a6c806cefb351b034f96e9e45e4f2996e35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
c393f59d8d2aa4767e68677ca1f3e93d

SHA1
9c05649c240fa9958e974d89e577fbcdc7b28f17

SHA256
ba24aa866da70ee3e37e3a27f5b26f3843cf896705c2b57270724e1c9f809bf8

SHA512
5c44af24c5308c3539eeb6f78450e8b54e79a9e3a3f4b1524c24dc5e78759157937c84ac7cec2074c07401a805b58c9920415b91f44c06a6607a483249fe400e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
4ac4f4ee7bd06182a9a1eee4ece211f0

SHA1
aaa8cc830dcdba44d1bb46cecbb209ab98ae81b2

SHA256
2a5e6d1b38055d299db49fc6deeb6ef13a658bcb0487c3d174a1709a7589c1ac

SHA512
c103d6efea5cd21522899cf687e31d1319d98a095740dbcdd9cb9a261194e451d0a7cf407470d39839224af3d8378832fb4dee9991524e3dbecd85c261bd4ec4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
15415adaff9e13fa85d20e74a7c92efd

SHA1
166edf684a4cc4f479047bd080e233108eae512a

SHA256
09c219e0e0472a467792df4ecf873266ecfbb8dc9a18cde5c070e2f1de300660

SHA512
21dc73b111f414b17e9227b4fd31c79b8269cc1f59b2062346df9be75624f57e8cc0a83a5e625e192ab129c492ae5eb2092b984f0ac4b923d5cf28f24833ecae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
471b853354b2857d3b3773a66817e6cf

SHA1
88182a1abd0f9f12855857e9a33d9cd083610bc5

SHA256
9c50b6d3efd065689dc67e5e751d23949d4b8bc929f4070f1a01d1b8d6319832

SHA512
cb53f030ae9593f18835985a5e5c75b93cba68d1cd06677c87dc3add687085180a7b98be78f4fbab185de45758fcd220dbedb63763f612b876dad89e00f8bb24

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
b64eb35fce8926ed97db32cd9e6299f4

SHA1
5862e517f22746900afdc698d9f0111a1d4a5dcd

SHA256
194a51224e46c488ce95c9a54b873642bb0928abd35c2014b4c16cf43713ae09

SHA512
c5cac60ed5530788cf7ef45ad5acc34073ef217ee28532215883ec557eb8a03c2dcac2eb65c16feb5ffff104128d4e3b05878b45c844b4f356a3685b4dc94f7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
19f755fc875b8c082bbf34fcae39df94

SHA1
660d24174de9bf3f8a56959885470fcd00ee7f1d

SHA256
32a0e1bc8f0629b008b53744b20037aac1fc984598261b04c583a1ba674bbfca

SHA512
16cb0c125741978939dd7c4e35401d9db9843b07f4c0db1513bfca4f5deb5bf133073a78c0cabfe644187c7fe6f94aefbef3383aa546e4a658e3d435ada138d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
e319494ebc2c9c646dbdb6b738987aa0

SHA1
07dd987f376deaffb1a629676f1438b4678c4a29

SHA256
aff64f87ce0ccfa9eec1d9a66c5c3f4f20daa754d153eb127aef4d95195db756

SHA512
ff50d8867fd0bd016bd7fb1e2d1ade23c308d256303f1039244e5c4272f1ad2a4ff5df4c77fa42369ee847f950c378c9bcb791cd7b39487b00c7a9bdffe07912

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
eddd3a49f9941c34e6c3efeb1329ab1d

SHA1
b7f2aaa29b4a45192780802ab193d36a517bbec6

SHA256
a36a3b5c1f0af273e5ac4f28ed2292366c078dd82f25c67d16ad708a4a6e33e4

SHA512
a5d0183e9ae37b8f9ee40c5747fd65f58cc74aabe7cdbd86f27d456f5cc14efdac54b18256f90872559704916b6d122314c789b147b75db8273c1eaf45f13d70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
6924c2ca88333597f5fb726cccdd2df0

SHA1
43457dfea3a4bb3d3dfd48d251d0da77315a3c64

SHA256
1697e7a86b5bc8cbd614bcde6a42b5c97af72a7f1bcdd9c611b451fd3b8e8630

SHA512
1cb5a864f81a215e9d8c4d6b42d041f48046fc2ac2778874f290ae727a9daa9f7899c7f4bd9096b57c8d0f8b49f14c3d1678c5d0b58532e9c28cccb66cb5100e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
c66fd77e6d0d21c499e1985e354386a6

SHA1
d382f2170736a68f4c95b267db368080e68b6d73

SHA256
cdc770c5a78bb666a91a801baf1bd1d3e5f84ba804d0cd935cfbfa30cce8ba69

SHA512
ffacc10890b85e7fb958f52c26bc756a3478d3011d66bdb5d3f23c7bfcd0109c7266db18495ea9edb90d404b77cf588125f91e5cba9f119eb1badf58f78b5613

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
ba8cbc188325177ec0eeddf3dab940de

SHA1
fa6d7e65758264ff7eaa11a8d5ba2fecb993ad4b

SHA256
dabbf86fb151a23880054f48d7ddc269d1a90b68792d85a364df12a657a948c7

SHA512
1b18a0fe005e7f13b88d808b667f284f8782b822bb149ca4b76a7d147dee2ce07089c184150a07c9c35eb4466cb0a13d0ed2c55c478286a7c26804f6a4518bb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
e90b2e03ba7a80a8d050bcdfec9a20c8

SHA1
b9177cceb500fa366892a8738fd2c5c322f84f6e

SHA256
de9f7ac43776a76abf5267b8db663fbb49d95b6f188d4c249a67e51482830241

SHA512
664cd331f8492f7f5ff165c8142c5f92b4f241b04dee44b421c71bff17c2c364087133547aa2dd5769689d9ec93a81b251a7348acb50389f937aebbe7d9f11dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
129KB

MD5
60a507882e7870ba91d8a1f173cfeff0

SHA1
410704cffcaa7b64e54ba15c55a1423f705c7c5f

SHA256
b25f1b76415eafdd541235eb6ec0b17491724c0072a83e606923f424ff076a15

SHA512
1a528b4615dec8b6c47a5ec5c9b88fb4c0c6cd0bfad524c3bd0179fc0023db13bc6942dda995e3be06e8451cef3a4aad56a402ecb5b81ce09123ceee6104ff44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe586ef1.TMP
Filesize
88KB

MD5
7e03946ae9578d34d8cccbc586eb4c4b

SHA1
777ad1414a22848131b586dc9982ba0bef0348c2

SHA256
81f450729f2e1d1712a54d43233b5720c4e0aedc473032239a42117bb15aa78a

SHA512
e03fab80e3f7d3efa99b5665e2e6abf4a78233ce58a1a1596f63cb3b4e3b105789cdb61c25cff6f813785e6a5b2177beafa1b0ab2f36eddb87a76ff76f0a3628

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133609689393809591.txt
Filesize
75KB

MD5
7e7173177299fa6f69248f0d67e6e370

SHA1
a24f46d1cc8355b6fd2f45136dddb656c925ee5d

SHA256
e8ca2a8ef10de00a3843dbcb5f73e5a8c4b96b7ddfc36882297d2c92457757a5

SHA512
2d5db066ddaae038211b7368c4ca1aab455fa018ac256aee7a405975c81bf02143c75870e41b61c309aaaa065e576f77b0c772fbef01d591e5529109fca64e67

Download Submit
C:\Users\Admin\AppData\Local\Temp\2428.tmp\YSkullLock.exe
Filesize
2.9MB

MD5
2191c3a14b53531e82726b17dd331cef

SHA1
9fdcc1ef73bbd08ac8f4cb3bdaf4c4ed26a99737

SHA256
3b2abd3773e4678100f197f53a886ec833fd2e26aa9a94d780a2d22befdf7d44

SHA512
93dc75ae619bcac6566c6e773c3628c2ef1326d988e592e59a1c8f9be304014a970caf40bf255a52b26fb37ca1d2625c8bf95b5dc749f378a0450a74aa3421f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2428.tmp\YSkullMBRSetup.exe
Filesize
1.3MB

MD5
220303eb72ebde4605116640fb719b26

SHA1
2021794facb35a7a23796e74835d8cf93882ddaf

SHA256
f081c913488c3f22b62f906dac2a82a38d085ebe1d28701f0059dfdfbf1ccf42

SHA512
dc811be33365049b32c3a47de9b4f4e4f77be0a9dfd14bfcfce92a6f575cf9bbd4aa56fcc92a3d8bf7bd21354f6530f3cc50a1f185a5953861d3a73a3f1738fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\2428.tmp\YellowSkull.bmp
Filesize
2.9MB

MD5
11bcda64d254ad8dc591b41f8fceb04d

SHA1
66d9dea8a7c3d0bb6e9924a4c86f5eef98317752

SHA256
84c5dad2d4cec5b636c1fae6f1e1482ada9f62363dcf269b4a86f6070d5b50fc

SHA512
b26287ed0de799b95a4bb1f18eb92e3a24dc8250eb09c669112d4b60e7e362012c564d0959ddfe128bc00a63601d9132160cc93276cb72ebc0e0ab2fc2d837b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2428.tmp\YellowSkull2.bat
Filesize
3KB

MD5
4671d5895d88bc19645cab0fc7ca398a

SHA1
d6b1ccef99793b0dcd09156a6460027271cde082

SHA256
dd8aa9f7955674a7a1b5b222d7c1809c583c705dae8bf476cdd42efcc0afabb5

SHA512
ea21a82ccbb1647bdd45890dadb1740a8dbb7d4cd7481a252545a6db2ce7fda1ce7c808b102bbd4dbd8764a6f824d6529044002f234bb5c255504f6b85ab926b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2428.tmp\bg.exe
Filesize
102KB

MD5
12cf508e9058e3e67cf8a736557c2749

SHA1
8448240c260ccef2d23854e749387b65e4b6668e

SHA256
b3670ec42931e2dea3e03053eda32240d8b6db15bf89d0c74e23e99ecb0aaf49

SHA512
7a837b5a89f29974b1e305e2082d5f7aee46bee3cef7e8a8b47a877d5bd6280c359318d6002c2c283aed13054a8ee590778e99e423a25f84f3037b0249c6403a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2428.tmp\bg.wav
Filesize
2.6MB

MD5
832b350b50a07906c630a2b8819fd209

SHA1
362d4d61df27a40f975e26b3d8ace1e8fac10f94

SHA256
94e1cecf8ed740ea45c87927de31005c3b2f9db261aae04fe56a81e337d1e8da

SHA512
cf267295d0248029e4a92d1052df1e24c93d3be79adb1efa9723c64e9c7bb52108a3bc194e772ff0e6dcb5b2208e9d7787a81a86e74ee11892571760e40abcbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\2428.tmp\k.vbs
Filesize
140B

MD5
126595a4087b9e1b9bac69aab147c97f

SHA1
ef079808ab8f7b762c413c5fa5844f4285f2848c

SHA256
4c59cedcafe3f5a1025960b344107f7e18c98ca569d2e6c8aa3d685b20754089

SHA512
41cc1badee06c16a0c65cbf7f38a420ca3c8e0ea459afd208b9b01cbeeef6724b8f2c04ecb41bec9d045492f9be0361612204db77eae7e1aeece8fe3761a7eb4

Download Submit
C:\Users\Admin\Downloads\YellowSkullVirus-main.zip.crdownload
Filesize
11.9MB

MD5
6a57ef3c51bebf8a4ecfa427146ac6a3

SHA1
44823bfbbddef0895b9553c9738de0f9f81c1a90

SHA256
54b92b1e602895a3c7f1b892e45d5120b21264f80ceec0447910531e4b84faae

SHA512
fe333ae5025a75ae8f2828a564dff1a946f02cb8009868bd8907612293af510692a7c9ab584022d05cd9eba5a9a48ba2c95fa8d3deae755340a26369ff7efee1

Download Submit
C:\Users\Admin\Downloads\YellowSkullVirus-main\YellowSkullVirus-main\YellowSkull 2.0\YellowSkull 2.0.exe
Filesize
2.5MB

MD5
660e26001a8891e78135a09d3ec2623f

SHA1
bd95c1955be08eaecefa7b3dd1cbdac7387b6d06

SHA256
1811c7b5ddcc6637a782bf32db70b60bd0bf3ec2b3498716591f718cda25fd14

SHA512
590df723aaa52806f664adec89bf6e8e570a9c88b4858131fb59f23e31ab3302189393bceb58fe1aa71475065aefab2d093d5f8ad6296693d4124e5a10a34e92

Download Submit
C:\Users\Admin\Downloads\YellowSkullVirus-main\YellowSkullVirus-main\YellowSkull 2.0\readme.txt
Filesize
394B

MD5
a2a8f6716fe5889f704616038368de82

SHA1
62491e8b079e97a371904c803fe0f11cbb0d8c96

SHA256
3c26f7e09e30073ae5609073a7b711089f03a0731bc6616b8366496da67fdf88

SHA512
037c57940eefc2a756878b9fc81f9d90f76696d9c515ffa11e8f6d334c18481f9d64d0a3d940f5f35b4580d75e83eb7999091879ae225d08d393d1cca0e89369

Download Submit
\??\pipe\crashpad_1804_ZJORMQGYLGKSUNUR
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1324-328-0x0000000000400000-0x0000000000DD9000-memory.dmp

Filesize
9.8MB

Download
memory/1324-373-0x0000000000400000-0x0000000000DD9000-memory.dmp

Filesize
9.8MB

Download
memory/4960-393-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download