hxxps://github[.]com/TheDarkMythos/windows-malware

Resubmissions

25/03/2025, 16:06

250325-tkcb6syvbt 10

25/03/2025, 15:51

250325-tagh5sytay 8

25/03/2025, 15:46

250325-s71slsskt5 8

25/03/2025, 00:18

250325-alyf9aytby 10

Analysis

max time kernel
250s
max time network
246s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
25/03/2025, 16:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/TheDarkMythos/windows-malware

Score

10^/10

defense_evasion discovery persistence ransomware trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 2 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe

Disables Task Manager via registry modification
defense_evasion

Executes dropped EXE 2 IoCs

pid	Process
2576	bg.exe
4348	YSkullLock.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\YellowSkull2 Special Program = "C:\\YSkullMBRSetup.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
35	raw.githubusercontent.com
84	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Control Panel\Desktop\Wallpaper = "c:\\yellowskull.bmp"	reg.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4112-721-0x0000000000400000-0x0000000000DD9000-memory.dmp	upx
behavioral1/memory/4112-761-0x0000000000400000-0x0000000000DD9000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 50 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YSkullLock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YellowSkull 2.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
6032	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133873924799571401"	chrome.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\DisplayName = "Chrome Sandbox"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Moniker = "cr.sb.odm3E4D1A088C1F6D498C84F3C86DE73CE49F82A104"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Children	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings	cmd.exe

Modifies registry key 1 TTPs 7 IoCs

Modify Registry

T1112

pid	Process
124	reg.exe
1148	reg.exe
3640	reg.exe
1020	reg.exe
5648	reg.exe
2056	reg.exe
696	reg.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\YellowSkull 2.0.zip:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3260	chrome.exe
3260	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4348	YSkullLock.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3088 wrote to memory of 2556	3088	chrome.exe	81
PID 3088 wrote to memory of 2556	3088	chrome.exe	81
PID 3088 wrote to memory of 5516	3088	chrome.exe	82
PID 3088 wrote to memory of 5516	3088	chrome.exe	82
PID 3088 wrote to memory of 1240	3088	chrome.exe	83
PID 3088 wrote to memory of 1240	3088	chrome.exe	83
PID 3088 wrote to memory of 5516	3088	chrome.exe	82
PID 3088 wrote to memory of 5516	3088	chrome.exe	82
PID 3088 wrote to memory of 5516	3088	chrome.exe	82
PID 3088 wrote to memory of 5516	3088	chrome.exe	82
PID 3088 wrote to memory of 5516	3088	chrome.exe	82
PID 3088 wrote to memory of 5516	3088	chrome.exe	82
PID 3088 wrote to memory of 5516	3088	chrome.exe	82
PID 3088 wrote to memory of 5516	3088	chrome.exe	82
PID 3088 wrote to memory of 5516	3088	chrome.exe	82
PID 3088 wrote to memory of 5516	3088	chrome.exe	82
PID 3088 wrote to memory of 5516	3088	chrome.exe	82
PID 3088 wrote to memory of 5516	3088	chrome.exe	82
PID 3088 wrote to memory of 5516	3088	chrome.exe	82
PID 3088 wrote to memory of 5516	3088	chrome.exe	82
PID 3088 wrote to memory of 5516	3088	chrome.exe	82
PID 3088 wrote to memory of 5516	3088	chrome.exe	82
PID 3088 wrote to memory of 5516	3088	chrome.exe	82
PID 3088 wrote to memory of 5516	3088	chrome.exe	82
PID 3088 wrote to memory of 5516	3088	chrome.exe	82
PID 3088 wrote to memory of 5516	3088	chrome.exe	82
PID 3088 wrote to memory of 5516	3088	chrome.exe	82
PID 3088 wrote to memory of 5516	3088	chrome.exe	82
PID 3088 wrote to memory of 5516	3088	chrome.exe	82
PID 3088 wrote to memory of 5516	3088	chrome.exe	82
PID 3088 wrote to memory of 5516	3088	chrome.exe	82
PID 3088 wrote to memory of 5516	3088	chrome.exe	82
PID 3088 wrote to memory of 5516	3088	chrome.exe	82
PID 3088 wrote to memory of 5516	3088	chrome.exe	82
PID 3088 wrote to memory of 4824	3088	chrome.exe	84
PID 3088 wrote to memory of 4824	3088	chrome.exe	84
PID 3088 wrote to memory of 4824	3088	chrome.exe	84
PID 3088 wrote to memory of 4824	3088	chrome.exe	84
PID 3088 wrote to memory of 4824	3088	chrome.exe	84
PID 3088 wrote to memory of 4824	3088	chrome.exe	84
PID 3088 wrote to memory of 4824	3088	chrome.exe	84
PID 3088 wrote to memory of 4824	3088	chrome.exe	84
PID 3088 wrote to memory of 4824	3088	chrome.exe	84
PID 3088 wrote to memory of 4824	3088	chrome.exe	84
PID 3088 wrote to memory of 4824	3088	chrome.exe	84
PID 3088 wrote to memory of 4824	3088	chrome.exe	84
PID 3088 wrote to memory of 4824	3088	chrome.exe	84
PID 3088 wrote to memory of 4824	3088	chrome.exe	84
PID 3088 wrote to memory of 4824	3088	chrome.exe	84
PID 3088 wrote to memory of 4824	3088	chrome.exe	84
PID 3088 wrote to memory of 4824	3088	chrome.exe	84
PID 3088 wrote to memory of 4824	3088	chrome.exe	84
PID 3088 wrote to memory of 4824	3088	chrome.exe	84
PID 3088 wrote to memory of 4824	3088	chrome.exe	84
PID 3088 wrote to memory of 4824	3088	chrome.exe	84
PID 3088 wrote to memory of 4824	3088	chrome.exe	84
PID 3088 wrote to memory of 4824	3088	chrome.exe	84
PID 3088 wrote to memory of 4824	3088	chrome.exe	84
PID 3088 wrote to memory of 4824	3088	chrome.exe	84
PID 3088 wrote to memory of 4824	3088	chrome.exe	84
PID 3088 wrote to memory of 4824	3088	chrome.exe	84
PID 3088 wrote to memory of 4824	3088	chrome.exe	84
PID 3088 wrote to memory of 4824	3088	chrome.exe	84
PID 3088 wrote to memory of 4824	3088	chrome.exe	84

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/TheDarkMythos/windows-malware
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffac32adcf8,0x7ffac32add04,0x7ffac32add10
  2⤵
  PID:2556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1948,i,4193779772268473212,9954243558674091184,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=1944 /prefetch:2
  2⤵
  PID:5516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2096,i,4193779772268473212,9954243558674091184,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2112 /prefetch:11
  2⤵
  PID:1240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2360,i,4193779772268473212,9954243558674091184,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2544 /prefetch:13
  2⤵
  PID:4824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,4193779772268473212,9954243558674091184,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:5064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3136,i,4193779772268473212,9954243558674091184,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:1048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4216,i,4193779772268473212,9954243558674091184,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4232 /prefetch:9
  2⤵
  PID:2344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4640,i,4193779772268473212,9954243558674091184,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3132 /prefetch:1
  2⤵
  PID:5768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4848,i,4193779772268473212,9954243558674091184,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4860 /prefetch:1
  2⤵
  PID:6036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5608,i,4193779772268473212,9954243558674091184,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5632 /prefetch:14
  2⤵
  PID:4516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4500,i,4193779772268473212,9954243558674091184,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5768 /prefetch:14
  2⤵
  PID:808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4168,i,4193779772268473212,9954243558674091184,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5212 /prefetch:14
  2⤵
  PID:5824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5192,i,4193779772268473212,9954243558674091184,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4964 /prefetch:14
  2⤵
  PID:2880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5256,i,4193779772268473212,9954243558674091184,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4268 /prefetch:1
  2⤵
  PID:5300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4292,i,4193779772268473212,9954243558674091184,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4616 /prefetch:1
  2⤵
  PID:3448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3404,i,4193779772268473212,9954243558674091184,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:3536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4684,i,4193779772268473212,9954243558674091184,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5752 /prefetch:1
  2⤵
  PID:4292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=1132,i,4193779772268473212,9954243558674091184,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:6108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1076,i,4193779772268473212,9954243558674091184,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4368 /prefetch:10
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3852,i,4193779772268473212,9954243558674091184,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4248 /prefetch:14
  2⤵
  - NTFS ADS
  PID:1856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3856,i,4193779772268473212,9954243558674091184,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4544 /prefetch:14
  2⤵
  PID:2860

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1596

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2784

C:\Users\Admin\Downloads\YellowSkull 2.0\YellowSkull 2.0.exe
"C:\Users\Admin\Downloads\YellowSkull 2.0\YellowSkull 2.0.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DB43.tmp\YellowSkull2.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:5432
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\yellowskull.bmp /f
    3⤵
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    PID:5420
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3624
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1308
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2228
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2476
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5452
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5372
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2308
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5108
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2188
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3068
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5964
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2884
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1924
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4848
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5176
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3188
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2596
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4260
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5212
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:944
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:808
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2480
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1928
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:912
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1932
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4048
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5488
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1992
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5800
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6020
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3000
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5528
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4136
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3948
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:6032
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1148
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3640
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1020
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:5648
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2056
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:124
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:696
- - C:\Users\Admin\AppData\Local\Temp\DB43.tmp\bg.exe
    bg.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2576
- - C:\Users\Admin\AppData\Local\Temp\DB43.tmp\YSkullLock.exe
    YSkullLock.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4348
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "YellowSkull2 Special Program" /t REG_SZ /F /D "C:\YSkullMBRSetup.exe"
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:4060
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DB43.tmp\k.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1380

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004C8
1⤵
PID:1564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
9ae2d26dc9a5abd7e3b8b0dcff0bb113

SHA1
02960fd53bd66271f85d176c331f95c625aba447

SHA256
4118e6bd95275992c7e784ecff83575f3e0d8193c45769076b22ba55ba934513

SHA512
c74ed984495760783da52693653cb1eee5d65167b79c7a28d2b1bd4be72c644db0d4baf751855fb3cfd98c1d145e115aa3f678697fb2e27d5632c1bfd139088a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000011

Filesize
72KB

MD5
7b85ce6d64312e6f0d8f712897a45a66

SHA1
431224de66f74e70ae5b37a67260b795352861eb

SHA256
03a79fc56e2b58121ca2fe5938be882582ca7c26cc4208ebf777de6220f59fe1

SHA512
b22d7680c82a5a45d0094dc16b0983ff59c5e3e0567d2854be14cde6a56af63729a1c4e041223fe26569e92961c49a80d603136e88d60f8f7b78ca1999b4fb3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000012

Filesize
412KB

MD5
f6e5e7e1c11657c9ea680968bf271015

SHA1
73f8b5833083e36266858b2b19db0b9745f001c1

SHA256
28f37fd87721aa0e438cc53b4e9faf8390da5cc623a2d90bcd94345d18f8ce90

SHA512
b16f8f663f3571521b82a6c8ea88a3929e3f57c09c8eca180a76ca1a33606b4d12555981de737e54855606f3c4b1c244b075dd76a9a65e21409b6fd9621f5c38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
9c48e9be38bfd91375431bc9bbe4172e

SHA1
27027642983fa1cd35ade07ebee32de9b748f470

SHA256
9d7923d06c1771b037d127fbffb59eb7d682e0e82909ec5b4bd02ce8a528ce61

SHA512
a16c3c3e08ab28e59b3af5f0611ca616d12c3cf07fd24124dc7efba2809d641c661dcdd62ca3d2ef0981b8075a77c6ba0f4aec814d787761808c4ec056aa2c7d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
275b92f5b0f3a97ba348454026efc1c0

SHA1
1f896b231dfa1a95ad7172374020a82aa73f7be1

SHA256
941f5d976d9d97b6b196b2dc43437bfc09da5b6120e65b238ff8381c107d0712

SHA512
c2c6b2f8f80fccb29eb0ed4602aa5f843e995d674f3325ef98d67d53ac96d3960065a744530ada7088f3bb9b416b08b783fa678c517366be9964ac94162a3b9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
087fec86f1255b6a2cf46a120b52f28a

SHA1
be3710ae3ef7e2a998fb52b390476e1f5ceaf916

SHA256
f7bfc8370a545f1becd6a81d06b1fc42a713c76cf0e321dd920d35a4442bf4f2

SHA512
dfc899d4e457586b92f332316e6026dc0973884e814796b0843c8b3896ff86b6de59c91fb087d3d71e92a9c5713328f8210b28ae271865b901794d3fc33b1f74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
9ea3e2b59ac8311e957e4fc2cbaac606

SHA1
549c8b29e7dbee3106c156553fe44e42ad4b6d36

SHA256
d9153b3ead2e6ffd16ee72620b17bb195c44152c9052d3d17b22f0a832d09ea5

SHA512
d8b1d741770edde03cc62a6120e19eeaa299b46b4a39b02e17ca993410acada9f803ffdb91997124e223cf6b62a82f2b6eb243e337554e597e04e38d0cbb5df9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
d41251d749be9c7b777a6cc1325703c7

SHA1
5a38461448cc7fa80b709df206c0a47ee2ead0b4

SHA256
683e45d226bf8f42c336bebda44f8fc10989112e528f12b967060511308e1e4f

SHA512
83a6e006c159b663e9dab7ea4c63c02a98385a5cbde49284461625a71639fdf0e816f56fd1be448f47039a30ba2726b6915f8b531cf82d5e50f9a1d6e30c9217

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
9b462345344b8069c2ad1ea0d182eeba

SHA1
d193832351de455ba8a85eb4b5dfe3c3b3d7c6ec

SHA256
e7714d82c9cf5efe4244ff6539d5a134064c611882efdaaef776d69ab19955f5

SHA512
c94c85187bf0fcd01c0d4ff7ff96801561a844d68d5b3a4dcde0be71d917213177bc1f0eab24a038ced19352cdbb1b68b8cb734fa1c18ef1e402172839e55125

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
b2e1bc3d8c03a9d672bacd2633e8db41

SHA1
ee05cd4c5f41ac8015c483c18e70e3b5eb441874

SHA256
0863f42b5c7871875f1741b4ee4cb0619bf7d0f389665d68879b507104e4985b

SHA512
d3aa28863b008bc3a65d862210551e9e905802dfbafb3060caffb751b11e97f5fb0439eaf3b986c38cff48d2c856bc6951ccbc8a44e654c9bce3f43f00b6d87e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
26f4aecc6d253df4b4110a77a2203163

SHA1
c364014bca580454c9596279047b29b1a189564b

SHA256
7a8472d59a8de83dd249fdc44602148aa4903fe40a2d722f70e0e8d04c0a2afc

SHA512
2c94521552faf69c4cedfbc1192ec711652efcb3331605af24ded1ccc5a4df29f832b8f3f8a4637acd1ecfedba50f91a79d0d7f9e6ce6bdd79f68a98d9e3733a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
399170cecbb64e0de845ebe8feaecfa1

SHA1
f78bc94b25c873088c96348b511e0f636e0ba233

SHA256
d6eb4e03a0bc239606f6948f0826ef5486a312453541a48b8c274497ce8d1f21

SHA512
e84e66f4d71ef532868f4f95957cfb2222561f662567717d0bf5f66e483b214080748eb668db70d3fc23bc60a8979c403a0972bb7f5140a29afdca862986eee0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
1273c874bb444da544694c0b6d5dfce7

SHA1
ea6fb432cfc1f3b5481df6a83d025c2e52e24fbd

SHA256
ac452436e512740043a394efa3e40c6dbd333053ad0b2859d4ab8d491f36ffe3

SHA512
a73626d4f18ae5593e2213899ba392409943fe422010d88de9795be0d38dc02c8cecc410156b3121c16cd0fb4ac58bdc9a4bd6c1b023312f09e337d13718d0e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
30fa6ed6eb5da9ef39efb313d2318556

SHA1
f2f3e7e9d22d7853a7c475561e220d62e6e4ea25

SHA256
7c0432f6d9c985e4525b420bd68d8ca1ad24b584ef0178b50d9b4b74e47c8945

SHA512
f4b9c0d30c43d692ac8c4e97e98feb13874119d4bc844f2894e48ba929fce80e9385402af7468ca9d88c01be2b13ba189fd5149236741c8632e5ba7169d8278f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
bc0c4e172efb67a89ed49241296847f9

SHA1
851e5421fa763a8b13bfcede2f455ca96c76fea0

SHA256
e79967f2a9287c8719cc3f9b7a2066ab9a0f233b7958ad14ce47c8b8b6fce4b2

SHA512
93a6ccb244d1e3950284d07975e9bf7f7221fa0b254edf3eff828cb5455b692c6f579beb266d407081b387c52fb3b1c50362746792b5372b392f3fbf2fc3f5d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
de538330af36b8f4a2923bd95bbe4186

SHA1
401d5d82d34b990804907e3092e52e70ec7b408c

SHA256
be8f1d44b606ca1a937f36d9fabf854ebc48d420de244f254413915abebf73fa

SHA512
373e74b15db152e5d3508ece50bf8ccf880cfa1467efde30f92d88c56048b406670eca609ba42931b0efa931d3e276d988ddb61f32be5ba0a6fa7969382b7cfb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
07adc39b7d3a29e0b4c6f5bc3d1b89a3

SHA1
a10afdeef1cd3227a29a11df94da42a73c6ce7b5

SHA256
9d3d6e855a94af0ae713808fa99da0f412d07cd31c735aa503d6aec60cd34433

SHA512
7739b6b696e51d0b2b89ed4243dbd6db6282590caac7f8048ce0ea6f7349bf3a9941f015e2b385a703b31b9da355067c932121460695c8ddcf3d7b6a1efd0c35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
b94f7eb4bf4efd4e1d511c625516971f

SHA1
569ff3bb8f5088ccbd846e81197a2e5db454e260

SHA256
cef9cb29d3fbd3dd9790f89a604eba2a793c10f491be684f6fffa798280a2d84

SHA512
109b6fdb3b5b562d8f2eb00cff1688fb6f20fe9250a201572ec68777e143232f488ec9ecbd564f55b23a5609e2dd100cac710479e27832fa0c9f197108185e2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
0c5238824500e1d9863b3b3eabfd66ca

SHA1
94ce838be9c78d196437922fc373cbd257461e57

SHA256
acd2075a1a5e74a3545c6f52736a26cc020e75146ff5a1a6fb22c5316ba21605

SHA512
94793074176d21eea5f66ea0a3986870fc9c7c2491024245944e490e66e4552c83132c7628dfdba9464deeb6e317d6a14935e83b9fa88cd28a103fe029c5d4e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
a8bb56ecfe871b00ae826bbd7b4a6fd0

SHA1
6a276534042dbb3960221f93b25f02c749a66145

SHA256
2b0bfc928ea1bb191367c5d9d0ee0f850c78fbd248395df56ad9feb64ee92090

SHA512
5078e3ee603f7e08f7d3537c2cd4bc7891f3550fdb3be0498c0cbfeb6baea202b756d1b7dae2053f3fd64e05e1249ca6150fd16b6fea350a8ccdb1fe21ca5f18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
e82c88a81d9a278907c3b8384f82a574

SHA1
9938c7aa9f65867998ffdf2ff30fe5f128b914dd

SHA256
d241078300d623e2369e50b8d79db4f821a67cda7430bb5a23936edb5303ff4a

SHA512
d42d5e979c46644ee4c9c7323018be847a941fa5b5625f7e757b56cef38ce54d493dd35d854dc1bbd27ef78fc737b98681df79014a6da1c77f9d0bdc86ad2357

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57af4b.TMP

Filesize
48B

MD5
5de9d92fc3dc9d59585aff96b689f2e4

SHA1
251618f07965aa4f1fde2dfb4641cfc87ba53db4

SHA256
a22918c3004c38240cf0c20ab0e0e8e895d4e808e2a11df879dce9f4ac25842e

SHA512
50c3b4f016bd789446c94b07ba8a54f8b262cb9d67088a1b87232264b594e1ad1f001fa1c73528608d2d917465ff83c4dcee0a2b4c3cee6c134b4eaa892d6483

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
ce17a61e0b9312254f638ae0e9738f3e

SHA1
607af1b2bc48f667bd0bac6306b05f33704224c4

SHA256
0eebd03ee75e87161cea84c02fab4d1254456ab46fb13c289554077d52d646f4

SHA512
98e1a77f33df5725f6ce873cfa56b67abfdb36126716832b34e7454320f14759115f79dc8cf4402c6e8d1d791e4252fa50c8aebeeed5bef51a29246e7ea7f301

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
dee4c3513cefcb725bb82ee0241c58a6

SHA1
742d4b92713f12dc0c8f6e7fd6b74a375f0b8359

SHA256
1f73a0be7ee70de1a8f2716a6ddd9b154b5a0bff9de7f18ab1d6dec9c206cec3

SHA512
0a6ba43b4a570ea86397071356474f40a1a0428cc9c5592b16d53359e5c2046a47b9dd98e56d69b755313755efb77da76eca51a5ae1942a12dd50ad86755746f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
c2ed9a5c32f40a8300c344fc75f1fabe

SHA1
922f80f074d49c29bc2988ec3f51a752bede30b1

SHA256
00b664790458e9cff5ca2af3c2af5f8b813a7976e24f712882afb132285d25dd

SHA512
586772b53b6fc57847f9428bfba045fbce5a235e6d64bc57eb0f56622575cbe7f1e59d3774040f5c18b8dd84f91797ee6d1e5584b708f22e051f401658b27979

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
99116386b4b8ca16982d908c22e7fed3

SHA1
9b492028ca32d3ecedbab476c5f66020adbfae05

SHA256
dfaf3311eb70736be6d026218b76aa6dba2f17dd64215027678d0899a2f808c2

SHA512
7a19badac6080b35c44704970e4ee4963850fbf2f4b56c75e74260c3e062c6133f5c388f9e4139193de4429e7aa4286c5602d277c049a594ea2d8f172085fe13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
49c27e7a7bbb156393cf19197fbc3587

SHA1
a8c6e74c19b3ba94aa99b9f8b01cc4cead12b95b

SHA256
f2e8e353288db64cb12b60806dda7d94bce1227105f8f3e4cb46d4c009009a90

SHA512
b5124e7e036da83c4fd9c8e8dd741a6fcda09443e6b5a43800a2792de7e47dfca2f2eb8ad561c8bef0375578c3e3e7c1d470d7d90091ff2cd242cf0bf8250767

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB43.tmp\YSkullLock.exe

Filesize
2.9MB

MD5
2191c3a14b53531e82726b17dd331cef

SHA1
9fdcc1ef73bbd08ac8f4cb3bdaf4c4ed26a99737

SHA256
3b2abd3773e4678100f197f53a886ec833fd2e26aa9a94d780a2d22befdf7d44

SHA512
93dc75ae619bcac6566c6e773c3628c2ef1326d988e592e59a1c8f9be304014a970caf40bf255a52b26fb37ca1d2625c8bf95b5dc749f378a0450a74aa3421f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB43.tmp\YSkullMBRSetup.exe

Filesize
1.3MB

MD5
220303eb72ebde4605116640fb719b26

SHA1
2021794facb35a7a23796e74835d8cf93882ddaf

SHA256
f081c913488c3f22b62f906dac2a82a38d085ebe1d28701f0059dfdfbf1ccf42

SHA512
dc811be33365049b32c3a47de9b4f4e4f77be0a9dfd14bfcfce92a6f575cf9bbd4aa56fcc92a3d8bf7bd21354f6530f3cc50a1f185a5953861d3a73a3f1738fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB43.tmp\YellowSkull.bmp

Filesize
2.9MB

MD5
11bcda64d254ad8dc591b41f8fceb04d

SHA1
66d9dea8a7c3d0bb6e9924a4c86f5eef98317752

SHA256
84c5dad2d4cec5b636c1fae6f1e1482ada9f62363dcf269b4a86f6070d5b50fc

SHA512
b26287ed0de799b95a4bb1f18eb92e3a24dc8250eb09c669112d4b60e7e362012c564d0959ddfe128bc00a63601d9132160cc93276cb72ebc0e0ab2fc2d837b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB43.tmp\YellowSkull2.bat

Filesize
3KB

MD5
4671d5895d88bc19645cab0fc7ca398a

SHA1
d6b1ccef99793b0dcd09156a6460027271cde082

SHA256
dd8aa9f7955674a7a1b5b222d7c1809c583c705dae8bf476cdd42efcc0afabb5

SHA512
ea21a82ccbb1647bdd45890dadb1740a8dbb7d4cd7481a252545a6db2ce7fda1ce7c808b102bbd4dbd8764a6f824d6529044002f234bb5c255504f6b85ab926b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB43.tmp\bg.exe

Filesize
102KB

MD5
12cf508e9058e3e67cf8a736557c2749

SHA1
8448240c260ccef2d23854e749387b65e4b6668e

SHA256
b3670ec42931e2dea3e03053eda32240d8b6db15bf89d0c74e23e99ecb0aaf49

SHA512
7a837b5a89f29974b1e305e2082d5f7aee46bee3cef7e8a8b47a877d5bd6280c359318d6002c2c283aed13054a8ee590778e99e423a25f84f3037b0249c6403a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB43.tmp\bg.wav

Filesize
2.6MB

MD5
832b350b50a07906c630a2b8819fd209

SHA1
362d4d61df27a40f975e26b3d8ace1e8fac10f94

SHA256
94e1cecf8ed740ea45c87927de31005c3b2f9db261aae04fe56a81e337d1e8da

SHA512
cf267295d0248029e4a92d1052df1e24c93d3be79adb1efa9723c64e9c7bb52108a3bc194e772ff0e6dcb5b2208e9d7787a81a86e74ee11892571760e40abcbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB43.tmp\k.vbs

Filesize
140B

MD5
126595a4087b9e1b9bac69aab147c97f

SHA1
ef079808ab8f7b762c413c5fa5844f4285f2848c

SHA256
4c59cedcafe3f5a1025960b344107f7e18c98ca569d2e6c8aa3d685b20754089

SHA512
41cc1badee06c16a0c65cbf7f38a420ca3c8e0ea459afd208b9b01cbeeef6724b8f2c04ecb41bec9d045492f9be0361612204db77eae7e1aeece8fe3761a7eb4

Download Submit
C:\Users\Admin\Downloads\YellowSkull 2.0.zip.crdownload

Filesize
5.8MB

MD5
d700d6ccbbea18c0fe32775a65f13280

SHA1
7c159dd708efd29b1404f1b7fb8d4e3d4c0d1cfd

SHA256
0fdcd8ef8be7b2bc8b2aa44ca2dfe251e8850b0be1e0ec563bd3736d2f05a09d

SHA512
f49681c6ea7db12fef03220a8257bcab5b1fae81fdf590c08ad651057846a14017a132e042e5755651b7bff46cd42244cfac20ab4d1630b77002b4ec696f3533

Download Submit
C:\Users\Admin\Downloads\YellowSkull 2.0.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/2576-772-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4112-721-0x0000000000400000-0x0000000000DD9000-memory.dmp

Filesize
9.8MB

Download
memory/4112-761-0x0000000000400000-0x0000000000DD9000-memory.dmp

Filesize
9.8MB

Download