hxxps://github[.]com/pankoza2-pl/malwaredatabase-old

Resubmissions

25/03/2025, 17:08

250325-vnlkpay1fz 8

25/03/2025, 17:05

25/03/2025, 16:31

25/03/2025, 16:22

25/03/2025, 16:13

Analysis

max time kernel
74s
max time network
71s
platform
windows11-21h2_x64
resource
win11-20250314-en
resource tags

arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system
submitted
25/03/2025, 17:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/pankoza2-pl/malwaredatabase-old

Score

10^/10

defense_evasion discovery persistence ransomware trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 2 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Disables Task Manager via registry modification
defense_evasion

Executes dropped EXE 2 IoCs

pid	Process
2312	bg.exe
1660	YSkullLock.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\YellowSkull2 Special Program = "C:\\YSkullMBRSetup.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	raw.githubusercontent.com
24	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Control Panel\Desktop\Wallpaper = "c:\\yellowskull.bmp"	reg.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/5916-424-0x0000000000400000-0x0000000000DD9000-memory.dmp	upx
behavioral1/memory/5916-475-0x0000000000400000-0x0000000000DD9000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 50 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YellowSkull 2.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YSkullLock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
772	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133873959321187788"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings	cmd.exe

Modifies registry key 1 TTPs 7 IoCs

Modify Registry

T1112

pid	Process
3368	reg.exe
4268	reg.exe
72	reg.exe
3512	reg.exe
4624	reg.exe
2076	reg.exe
1080	reg.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\YellowSkull 2.0.zip:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1660	YSkullLock.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5808 wrote to memory of 2300	5808	chrome.exe	78
PID 5808 wrote to memory of 2300	5808	chrome.exe	78
PID 5808 wrote to memory of 4344	5808	chrome.exe	79
PID 5808 wrote to memory of 4344	5808	chrome.exe	79
PID 5808 wrote to memory of 4344	5808	chrome.exe	79
PID 5808 wrote to memory of 4344	5808	chrome.exe	79
PID 5808 wrote to memory of 4344	5808	chrome.exe	79
PID 5808 wrote to memory of 4344	5808	chrome.exe	79
PID 5808 wrote to memory of 4344	5808	chrome.exe	79
PID 5808 wrote to memory of 4344	5808	chrome.exe	79
PID 5808 wrote to memory of 4344	5808	chrome.exe	79
PID 5808 wrote to memory of 4344	5808	chrome.exe	79
PID 5808 wrote to memory of 4344	5808	chrome.exe	79
PID 5808 wrote to memory of 4344	5808	chrome.exe	79
PID 5808 wrote to memory of 4344	5808	chrome.exe	79
PID 5808 wrote to memory of 4344	5808	chrome.exe	79
PID 5808 wrote to memory of 4344	5808	chrome.exe	79
PID 5808 wrote to memory of 4344	5808	chrome.exe	79
PID 5808 wrote to memory of 4344	5808	chrome.exe	79
PID 5808 wrote to memory of 4344	5808	chrome.exe	79
PID 5808 wrote to memory of 4344	5808	chrome.exe	79
PID 5808 wrote to memory of 4344	5808	chrome.exe	79
PID 5808 wrote to memory of 4344	5808	chrome.exe	79
PID 5808 wrote to memory of 4344	5808	chrome.exe	79
PID 5808 wrote to memory of 4344	5808	chrome.exe	79
PID 5808 wrote to memory of 4344	5808	chrome.exe	79
PID 5808 wrote to memory of 4344	5808	chrome.exe	79
PID 5808 wrote to memory of 4344	5808	chrome.exe	79
PID 5808 wrote to memory of 4344	5808	chrome.exe	79
PID 5808 wrote to memory of 4344	5808	chrome.exe	79
PID 5808 wrote to memory of 4344	5808	chrome.exe	79
PID 5808 wrote to memory of 4344	5808	chrome.exe	79
PID 5808 wrote to memory of 4076	5808	chrome.exe	80
PID 5808 wrote to memory of 4076	5808	chrome.exe	80
PID 5808 wrote to memory of 5092	5808	chrome.exe	82
PID 5808 wrote to memory of 5092	5808	chrome.exe	82
PID 5808 wrote to memory of 5092	5808	chrome.exe	82
PID 5808 wrote to memory of 5092	5808	chrome.exe	82
PID 5808 wrote to memory of 5092	5808	chrome.exe	82
PID 5808 wrote to memory of 5092	5808	chrome.exe	82
PID 5808 wrote to memory of 5092	5808	chrome.exe	82
PID 5808 wrote to memory of 5092	5808	chrome.exe	82
PID 5808 wrote to memory of 5092	5808	chrome.exe	82
PID 5808 wrote to memory of 5092	5808	chrome.exe	82
PID 5808 wrote to memory of 5092	5808	chrome.exe	82
PID 5808 wrote to memory of 5092	5808	chrome.exe	82
PID 5808 wrote to memory of 5092	5808	chrome.exe	82
PID 5808 wrote to memory of 5092	5808	chrome.exe	82
PID 5808 wrote to memory of 5092	5808	chrome.exe	82
PID 5808 wrote to memory of 5092	5808	chrome.exe	82
PID 5808 wrote to memory of 5092	5808	chrome.exe	82
PID 5808 wrote to memory of 5092	5808	chrome.exe	82
PID 5808 wrote to memory of 5092	5808	chrome.exe	82
PID 5808 wrote to memory of 5092	5808	chrome.exe	82
PID 5808 wrote to memory of 5092	5808	chrome.exe	82
PID 5808 wrote to memory of 5092	5808	chrome.exe	82
PID 5808 wrote to memory of 5092	5808	chrome.exe	82
PID 5808 wrote to memory of 5092	5808	chrome.exe	82
PID 5808 wrote to memory of 5092	5808	chrome.exe	82
PID 5808 wrote to memory of 5092	5808	chrome.exe	82
PID 5808 wrote to memory of 5092	5808	chrome.exe	82
PID 5808 wrote to memory of 5092	5808	chrome.exe	82
PID 5808 wrote to memory of 5092	5808	chrome.exe	82
PID 5808 wrote to memory of 5092	5808	chrome.exe	82

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/pankoza2-pl/malwaredatabase-old
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9e9c0dcf8,0x7ff9e9c0dd04,0x7ff9e9c0dd10
  2⤵
  PID:2300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1924,i,9661349964582733602,16853175552163821382,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:4344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1436,i,9661349964582733602,16853175552163821382,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2240 /prefetch:11
  2⤵
  PID:4076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2332,i,9661349964582733602,16853175552163821382,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2348 /prefetch:13
  2⤵
  PID:5092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3036,i,9661349964582733602,16853175552163821382,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3084 /prefetch:1
  2⤵
  PID:2900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3028,i,9661349964582733602,16853175552163821382,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3056 /prefetch:1
  2⤵
  PID:4340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4132,i,9661349964582733602,16853175552163821382,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4176 /prefetch:9
  2⤵
  PID:4784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5484,i,9661349964582733602,16853175552163821382,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5492 /prefetch:14
  2⤵
  PID:5688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4784,i,9661349964582733602,16853175552163821382,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5440 /prefetch:14
  2⤵
  PID:3412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4776,i,9661349964582733602,16853175552163821382,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4696 /prefetch:14
  2⤵
  PID:3560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4620,i,9661349964582733602,16853175552163821382,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5500 /prefetch:14
  2⤵
  PID:2832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=212,i,9661349964582733602,16853175552163821382,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4628 /prefetch:14
  2⤵
  - NTFS ADS
  PID:1908

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:3160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1952

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4376

C:\Users\Admin\Downloads\YellowSkull 2.0\YellowSkull 2.0.exe
"C:\Users\Admin\Downloads\YellowSkull 2.0\YellowSkull 2.0.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:5916
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2565.tmp\YellowSkull2.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2408
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\yellowskull.bmp /f
    3⤵
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    PID:2472
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5208
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3596
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2532
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5284
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3896
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3484
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3628
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5512
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2824
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3064
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1828
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:848
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2612
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5292
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:232
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2308
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5080
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5108
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4840
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5888
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:244
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5784
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5788
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:276
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:224
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:128
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4136
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4304
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1692
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5716
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2088
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5068
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1944
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3920
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4496
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:772
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4268
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:72
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3512
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4624
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2076
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1080
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3368
- - C:\Users\Admin\AppData\Local\Temp\2565.tmp\bg.exe
    bg.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2312
- - C:\Users\Admin\AppData\Local\Temp\2565.tmp\YSkullLock.exe
    YSkullLock.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1660
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "YellowSkull2 Special Program" /t REG_SZ /F /D "C:\YSkullMBRSetup.exe"
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2864
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2565.tmp\k.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4904

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004B8 0x00000000000004C4
1⤵
PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
d012f5d766521cbc6553944df52f584a

SHA1
d1a57152bfccbe8ca97df67ef508a7e963646dba

SHA256
3a7a624bacc686987c1aa0b2c7f6c2eedd36b4818e45950cf8d74c8348b0c2ee

SHA512
4f03e04653e27c5c1429e789d7a7249ed1c79eb1ebf6f797b6c31bb98bbcb76da5e6604540d816d468487936190eff95b4e3c453facb4e04888bf54518272825

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
da13253cc8908925683c1edfcd878153

SHA1
b78c6a5884f84f134b85c0d8cc4b06564235277a

SHA256
d2844d356598f352af7d6fb2186773380a9bdce7e7f797f12ff6d0c89f4ac2a8

SHA512
f8d6f41d46618c14febb4d7ff6564ed4b810ccc05a73c34a13543b78155400784c6b33f95858b23e03c287c19ef8d031bc80b090977873b4605e56bc0c0524b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
fcf6e2df0c037aa51abf5903329c1060

SHA1
952d1982cd85048b05984f0beafae4cff7cd64ee

SHA256
27bf58a4a87c25c9edf1c8f93f8b4b9ec4056c195a7f48565de1088a6800b17c

SHA512
45b7baa910c896cb8a88c1fa0e0d2cd5f13c81b923abf0db4960cd07c11dedcb6d35c0431272a135b46b42454a2cfe1bdda689d74a7a4556b74200484365d8c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
2806a55ef5fec7f01aff27826a5a0331

SHA1
ab6f8e56718cea367a4fe120c05e3519a2f15226

SHA256
d2716c9af09b77cba1679486ff853fed94ed8392377edc0c8556eb1e6859c981

SHA512
719eef40fd8ed0cf52351457cbab51cf73b0c1a919334423e6ad889db4c569e24b0e31e5f60daedea9bf3ac9df7db75e1ffa6c67aee30288e25ec225d3d020b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
39b551d118555b08a4b5f960e1c0f9a1

SHA1
65794ec516b8d5a07f62ba9e8f6fbba72e1fcaeb

SHA256
12b9062954c9fa1d36124f00f595fd266d7f85e892c544bcc7fdda2777ec38ac

SHA512
ac0c2f9917ac435510e772cf10c4a3d84c8e7b584bb654721158bf01426f4584ccce64fba51894a51c4cd9dce68a3d5490b588b80c2d426f8455f4f16f0c6f6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
d7edd8260c0c9987f1fa3ff9e67bc2af

SHA1
31272405bb3013c947fd953947c8700b2d818ce2

SHA256
bdd237ef6632934a8a27dbafa1bb6a6802b8fe588eb26a39d6af528889f17bb4

SHA512
8d15f9ad3e6b29ecf2f61079c5f3061aad869670c5947cc43bfc9f8a3301186f4bfb476441c73ce0e73ce3e21dee3111b804df38eac674ef9a640e178798bd89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
dc83d443eb67262a1807293278356df2

SHA1
8d1b75d17ed9a0f194c1116647fc4fec7dec39df

SHA256
a6e6d92753046610ed8ee4609c90b95ebd4f4f0c8d754dc45dd631cd64dc5592

SHA512
3be7426bf425466d12584c944e2fa4c02c9580b8b1fa03992b0987dada26066d091c09b897b7f0e4719ddd644fcd4da9e165d07a0968562b8760880d784fd2e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
0c4ee74392bcb9c2651fb89da5d6ea38

SHA1
3b0c059f0763113bc1f02ff5dcbc7ab421b9bb30

SHA256
271186f51c93e49b8e397d63570f77ed64355ad873c825457f56c4be696da869

SHA512
0c69717b1882b08f112a904faf5b582497a6ba83dceeb00e15c8522c1557dc55e25ee27713984c27e49a24c9d84606c6cb4edd41168ee16587e07a3402257080

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
fab407fb598fe833be8fda63428114bb

SHA1
8f103df8b68a6933f73645626802b22e1d377f62

SHA256
af9e02ba1e1fba42a0beedb263351fffa599f42510333783f6fa00ee19d8953f

SHA512
668a6f41070675190037fc2ff66705bc08cf8047b0649ee432b6625fe4e93ea4780d1333583b51d0138058698cf326e3e7c7b8c537682100ae3f63665dfddeda

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe579c30.TMP

Filesize
48B

MD5
8a31d43445c56d63dec4bb0e240430c2

SHA1
8bc8a43b7606b340aa3939637cd7e3785c9a8612

SHA256
1597ea35311ccb8e517b408332a40e1024b6e3ef084e8664e47638f3322d6709

SHA512
6d8e6a3e54e90ef8ae05c597a0cbd191a33efdf7e9fed94b9243372250428a73f1c92ea0fb5206f1aebb60490d9ffa44a798ce258a50c70d335f638f4994f371

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
e9956afc6a11d83e873acec2801d8889

SHA1
05dcfe88628dcdab90cfaf079210e3e2deea1b4b

SHA256
4a2a068f6c0b0c81c2173b7432c25ead6f88e0e069a33b6e57ed3bdb14a64eef

SHA512
250c79346243d1d641bac900216f716d9f691746aa48870fa9d506e41b77fccfe17552da373c664740f54caa018264f2c0338ab1aa19755a36e3e92ce6579f11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
85bbb1798afad08a62e4b9248413de79

SHA1
219ec374f1cc56645ada26d649d4471db4377a04

SHA256
ad2f9ac62a94b376f467ed25b0b4ee3cf27cfb016804e51fc45c808fa0a16168

SHA512
929749ee7730562338d3944b0aea839bc6aeedc14e382f383d450b25d4d8e32e491a3a92b166f0bc5035ebccc77e8e57b76222ec8bf3f179b0def8ff34ac937c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
ffb11dc97a59bbf88ed933bd86aeaa7a

SHA1
734b17e385775f3a357abdf843016281ca449631

SHA256
c6b59c2fe54cb61e746b02b410a226c433582c7d43af4ab949ab0fef43159895

SHA512
08e7a965d352b077b28b3c3b134da4ca53e22b2dba2c0d1d88a3799cd1f348d50cbc7d4ddec2e9588b94d8c1a7119966e962ed8e07380858d08682c3fe123fef

Download Submit
C:\Users\Admin\AppData\Local\Temp\2565.tmp\YSkullLock.exe

Filesize
2.9MB

MD5
2191c3a14b53531e82726b17dd331cef

SHA1
9fdcc1ef73bbd08ac8f4cb3bdaf4c4ed26a99737

SHA256
3b2abd3773e4678100f197f53a886ec833fd2e26aa9a94d780a2d22befdf7d44

SHA512
93dc75ae619bcac6566c6e773c3628c2ef1326d988e592e59a1c8f9be304014a970caf40bf255a52b26fb37ca1d2625c8bf95b5dc749f378a0450a74aa3421f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2565.tmp\YSkullMBRSetup.exe

Filesize
1.3MB

MD5
220303eb72ebde4605116640fb719b26

SHA1
2021794facb35a7a23796e74835d8cf93882ddaf

SHA256
f081c913488c3f22b62f906dac2a82a38d085ebe1d28701f0059dfdfbf1ccf42

SHA512
dc811be33365049b32c3a47de9b4f4e4f77be0a9dfd14bfcfce92a6f575cf9bbd4aa56fcc92a3d8bf7bd21354f6530f3cc50a1f185a5953861d3a73a3f1738fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\2565.tmp\YellowSkull.bmp

Filesize
2.9MB

MD5
11bcda64d254ad8dc591b41f8fceb04d

SHA1
66d9dea8a7c3d0bb6e9924a4c86f5eef98317752

SHA256
84c5dad2d4cec5b636c1fae6f1e1482ada9f62363dcf269b4a86f6070d5b50fc

SHA512
b26287ed0de799b95a4bb1f18eb92e3a24dc8250eb09c669112d4b60e7e362012c564d0959ddfe128bc00a63601d9132160cc93276cb72ebc0e0ab2fc2d837b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2565.tmp\YellowSkull2.bat

Filesize
3KB

MD5
4671d5895d88bc19645cab0fc7ca398a

SHA1
d6b1ccef99793b0dcd09156a6460027271cde082

SHA256
dd8aa9f7955674a7a1b5b222d7c1809c583c705dae8bf476cdd42efcc0afabb5

SHA512
ea21a82ccbb1647bdd45890dadb1740a8dbb7d4cd7481a252545a6db2ce7fda1ce7c808b102bbd4dbd8764a6f824d6529044002f234bb5c255504f6b85ab926b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2565.tmp\bg.exe

Filesize
102KB

MD5
12cf508e9058e3e67cf8a736557c2749

SHA1
8448240c260ccef2d23854e749387b65e4b6668e

SHA256
b3670ec42931e2dea3e03053eda32240d8b6db15bf89d0c74e23e99ecb0aaf49

SHA512
7a837b5a89f29974b1e305e2082d5f7aee46bee3cef7e8a8b47a877d5bd6280c359318d6002c2c283aed13054a8ee590778e99e423a25f84f3037b0249c6403a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2565.tmp\bg.wav

Filesize
2.6MB

MD5
832b350b50a07906c630a2b8819fd209

SHA1
362d4d61df27a40f975e26b3d8ace1e8fac10f94

SHA256
94e1cecf8ed740ea45c87927de31005c3b2f9db261aae04fe56a81e337d1e8da

SHA512
cf267295d0248029e4a92d1052df1e24c93d3be79adb1efa9723c64e9c7bb52108a3bc194e772ff0e6dcb5b2208e9d7787a81a86e74ee11892571760e40abcbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\2565.tmp\k.vbs

Filesize
140B

MD5
126595a4087b9e1b9bac69aab147c97f

SHA1
ef079808ab8f7b762c413c5fa5844f4285f2848c

SHA256
4c59cedcafe3f5a1025960b344107f7e18c98ca569d2e6c8aa3d685b20754089

SHA512
41cc1badee06c16a0c65cbf7f38a420ca3c8e0ea459afd208b9b01cbeeef6724b8f2c04ecb41bec9d045492f9be0361612204db77eae7e1aeece8fe3761a7eb4

Download Submit
C:\Users\Admin\Downloads\YellowSkull 2.0.zip.crdownload

Filesize
5.8MB

MD5
d700d6ccbbea18c0fe32775a65f13280

SHA1
7c159dd708efd29b1404f1b7fb8d4e3d4c0d1cfd

SHA256
0fdcd8ef8be7b2bc8b2aa44ca2dfe251e8850b0be1e0ec563bd3736d2f05a09d

SHA512
f49681c6ea7db12fef03220a8257bcab5b1fae81fdf590c08ad651057846a14017a132e042e5755651b7bff46cd42244cfac20ab4d1630b77002b4ec696f3533

Download Submit
C:\Users\Admin\Downloads\YellowSkull 2.0.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/2312-495-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/5916-424-0x0000000000400000-0x0000000000DD9000-memory.dmp

Filesize
9.8MB

Download
memory/5916-475-0x0000000000400000-0x0000000000DD9000-memory.dmp

Filesize
9.8MB

Download