hxxp://Google[.]com

Resubmissions

25/03/2025, 20:32

250325-za94cawjy9 10

25/03/2025, 20:27

25/03/2025, 20:24

25/03/2025, 20:20

25/03/2025, 20:16

25/03/2025, 20:12

25/03/2025, 20:08

Analysis

max time kernel
141s
max time network
140s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
25/03/2025, 20:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://Google.com

Score

10^/10

defense_evasion discovery persistence ransomware trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 2 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Disables Task Manager via registry modification
defense_evasion

Executes dropped EXE 2 IoCs

pid	Process
4856	bg.exe
3136	YSkullLock.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\YellowSkull2 Special Program = "C:\\YSkullMBRSetup.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
56	raw.githubusercontent.com
1	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Control Panel\Desktop\Wallpaper = "c:\\yellowskull.bmp"	reg.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1956-547-0x0000000000400000-0x0000000000DD9000-memory.dmp	upx
behavioral1/memory/1956-589-0x0000000000400000-0x0000000000DD9000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 50 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YellowSkull 2.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YSkullLock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
1120	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133874079145599720"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings	cmd.exe

Modifies registry key 1 TTPs 7 IoCs

Modify Registry

T1112

pid	Process
1376	reg.exe
2672	reg.exe
4764	reg.exe
1868	reg.exe
3184	reg.exe
4256	reg.exe
416	reg.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\YellowSkull 2.0.zip:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
1660	chrome.exe
1660	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3136	YSkullLock.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 1728	2792	chrome.exe	81
PID 2792 wrote to memory of 1728	2792	chrome.exe	81
PID 2792 wrote to memory of 3440	2792	chrome.exe	82
PID 2792 wrote to memory of 3440	2792	chrome.exe	82
PID 2792 wrote to memory of 3440	2792	chrome.exe	82
PID 2792 wrote to memory of 3440	2792	chrome.exe	82
PID 2792 wrote to memory of 3440	2792	chrome.exe	82
PID 2792 wrote to memory of 3440	2792	chrome.exe	82
PID 2792 wrote to memory of 3440	2792	chrome.exe	82
PID 2792 wrote to memory of 3440	2792	chrome.exe	82
PID 2792 wrote to memory of 3440	2792	chrome.exe	82
PID 2792 wrote to memory of 3440	2792	chrome.exe	82
PID 2792 wrote to memory of 3440	2792	chrome.exe	82
PID 2792 wrote to memory of 3440	2792	chrome.exe	82
PID 2792 wrote to memory of 3440	2792	chrome.exe	82
PID 2792 wrote to memory of 3440	2792	chrome.exe	82
PID 2792 wrote to memory of 3440	2792	chrome.exe	82
PID 2792 wrote to memory of 3440	2792	chrome.exe	82
PID 2792 wrote to memory of 3440	2792	chrome.exe	82
PID 2792 wrote to memory of 3440	2792	chrome.exe	82
PID 2792 wrote to memory of 3440	2792	chrome.exe	82
PID 2792 wrote to memory of 3440	2792	chrome.exe	82
PID 2792 wrote to memory of 3440	2792	chrome.exe	82
PID 2792 wrote to memory of 3440	2792	chrome.exe	82
PID 2792 wrote to memory of 3440	2792	chrome.exe	82
PID 2792 wrote to memory of 3440	2792	chrome.exe	82
PID 2792 wrote to memory of 3440	2792	chrome.exe	82
PID 2792 wrote to memory of 3440	2792	chrome.exe	82
PID 2792 wrote to memory of 3440	2792	chrome.exe	82
PID 2792 wrote to memory of 3440	2792	chrome.exe	82
PID 2792 wrote to memory of 3440	2792	chrome.exe	82
PID 2792 wrote to memory of 3440	2792	chrome.exe	82
PID 2792 wrote to memory of 2348	2792	chrome.exe	83
PID 2792 wrote to memory of 2348	2792	chrome.exe	83
PID 2792 wrote to memory of 232	2792	chrome.exe	85
PID 2792 wrote to memory of 232	2792	chrome.exe	85
PID 2792 wrote to memory of 232	2792	chrome.exe	85
PID 2792 wrote to memory of 232	2792	chrome.exe	85
PID 2792 wrote to memory of 232	2792	chrome.exe	85
PID 2792 wrote to memory of 232	2792	chrome.exe	85
PID 2792 wrote to memory of 232	2792	chrome.exe	85
PID 2792 wrote to memory of 232	2792	chrome.exe	85
PID 2792 wrote to memory of 232	2792	chrome.exe	85
PID 2792 wrote to memory of 232	2792	chrome.exe	85
PID 2792 wrote to memory of 232	2792	chrome.exe	85
PID 2792 wrote to memory of 232	2792	chrome.exe	85
PID 2792 wrote to memory of 232	2792	chrome.exe	85
PID 2792 wrote to memory of 232	2792	chrome.exe	85
PID 2792 wrote to memory of 232	2792	chrome.exe	85
PID 2792 wrote to memory of 232	2792	chrome.exe	85
PID 2792 wrote to memory of 232	2792	chrome.exe	85
PID 2792 wrote to memory of 232	2792	chrome.exe	85
PID 2792 wrote to memory of 232	2792	chrome.exe	85
PID 2792 wrote to memory of 232	2792	chrome.exe	85
PID 2792 wrote to memory of 232	2792	chrome.exe	85
PID 2792 wrote to memory of 232	2792	chrome.exe	85
PID 2792 wrote to memory of 232	2792	chrome.exe	85
PID 2792 wrote to memory of 232	2792	chrome.exe	85
PID 2792 wrote to memory of 232	2792	chrome.exe	85
PID 2792 wrote to memory of 232	2792	chrome.exe	85
PID 2792 wrote to memory of 232	2792	chrome.exe	85
PID 2792 wrote to memory of 232	2792	chrome.exe	85
PID 2792 wrote to memory of 232	2792	chrome.exe	85
PID 2792 wrote to memory of 232	2792	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://Google.com
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffafa1fdcf8,0x7ffafa1fdd04,0x7ffafa1fdd10
  2⤵
  PID:1728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2012,i,10525821809352281643,9469824107600700495,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=1936 /prefetch:2
  2⤵
  PID:3440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2224,i,10525821809352281643,9469824107600700495,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2232 /prefetch:11
  2⤵
  PID:2348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2268,i,10525821809352281643,9469824107600700495,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2536 /prefetch:13
  2⤵
  PID:232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,10525821809352281643,9469824107600700495,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:2016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,10525821809352281643,9469824107600700495,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:1772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4208,i,10525821809352281643,9469824107600700495,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4224 /prefetch:9
  2⤵
  PID:2204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3812,i,10525821809352281643,9469824107600700495,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3796 /prefetch:1
  2⤵
  PID:5004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5148,i,10525821809352281643,9469824107600700495,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5160 /prefetch:14
  2⤵
  PID:1404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5380,i,10525821809352281643,9469824107600700495,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5352 /prefetch:14
  2⤵
  PID:4332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5396,i,10525821809352281643,9469824107600700495,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5144 /prefetch:14
  2⤵
  PID:3184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5404,i,10525821809352281643,9469824107600700495,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5340 /prefetch:14
  2⤵
  PID:2832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4244,i,10525821809352281643,9469824107600700495,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:2284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5476,i,10525821809352281643,9469824107600700495,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5464 /prefetch:14
  2⤵
  - NTFS ADS
  PID:2892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=4340,i,10525821809352281643,9469824107600700495,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2488 /prefetch:10
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1660

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:5072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4044

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4832

C:\Users\Admin\Downloads\YellowSkull 2.0\YellowSkull 2.0.exe
"C:\Users\Admin\Downloads\YellowSkull 2.0\YellowSkull 2.0.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E318.tmp\YellowSkull2.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:1976
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\yellowskull.bmp /f
    3⤵
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    PID:2676
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3712
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4060
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3472
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1616
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3584
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4544
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:236
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1304
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1908
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3824
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4404
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2368
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:228
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1964
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3036
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3268
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3588
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1704
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2352
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2620
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2584
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3592
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1480
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2316
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2380
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2364
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1512
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3300
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3884
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:568
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4036
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3732
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1440
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2012
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3716
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:1120
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1868
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4256
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3184
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:416
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1376
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4764
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2672
- - C:\Users\Admin\AppData\Local\Temp\E318.tmp\bg.exe
    bg.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4856
- - C:\Users\Admin\AppData\Local\Temp\E318.tmp\YSkullLock.exe
    YSkullLock.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3136
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "YellowSkull2 Special Program" /t REG_SZ /F /D "C:\YSkullMBRSetup.exe"
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1316
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E318.tmp\k.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4480

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C8 0x00000000000004D4
1⤵
PID:3080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
71dfdbf68488a425a00b92826a1910f7

SHA1
20452f4bc1528811e757947365aa11bdaba66c2e

SHA256
cae4cf465dde1a7888395ff0f36e2e33035fef50e4b15ebbbc943e39939efd22

SHA512
ab9db95607b2c83f6217190b6b05d33010f64297b3ab1cfb47b144076246e440a17c16876247c0bb2e3aa9eb0ca0c315bb3b2b01a9aeeff1736c08fcafc7bcba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
2KB

MD5
bfbbe9176edca16050581ebd46bd9f59

SHA1
abaa996efb0d8c174274b9ad6c07ccc304b9dba3

SHA256
05c4db3fb9f327b56d95998b807bdee1592006d4484c9c4d28efcffaacd15f44

SHA512
023be824067a56ed846398abc4b219bf4a0b4d99182433f7265490372306a6f3b3e32a40e189d3455e0484e5f6eaf4e69613c4d1f98cd822a2e529c81b2b9772

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
565a7d66969be4b9e3291df5b0b9b594

SHA1
0041e7209933d01e14492674ef3f4e726c0e2a53

SHA256
3af508b76c962c7ac2232b4aa7b2a0d2c1b937870de4214faaae566b50853e05

SHA512
b715aaaeff29c9b3a175e445a49137e557b690d821b32b9e9a9e47e2b3af5db4747a45e181d4c7bd86fb849c91035b16fbec063766a15b52feae472ad6af9ca5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
8faeb4024b7b311101c18d950fdd45a3

SHA1
a97c40794cfcaf52e484075ec19d05483be8816b

SHA256
0dc7d2f96fa602d6cb445087b02aa13a1bbc34618c15b80c41d1729c9e7836b8

SHA512
2fa6f013b599694334633c9f0d340db6018a950277b756985912e9511c1e6c015a5da2bbe8a16fdb18566cf461f626ccd2f43825aad73d4c28ba7634387640e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
c490b4570c9e5b1c96f16581612eae9d

SHA1
8fc8f3296190e593dc46557e2f00a8e868d80919

SHA256
fd732239999e67b642ed807bb2d45ec5a06206bdecd6abca0df2905e5f4b7799

SHA512
7044b8456cb050fc90f28af3af29282d0b422ba78328241d7d6d59c08eb7071cf60c5e43a6dc7012960ed5ce1449c5f23812795c189210919d9806a2e6ba9cc4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
26d48274974b370a14668d5ff3431cf3

SHA1
187972e4d239ef95fa6154b5e9560764eb4e087a

SHA256
fd2a6f17efd1e681e3c9782005ce34dd663bffeb382d42104c4d5834567439e7

SHA512
f07acaf9f5b67532ec45d54822425265a1920c8d99719ba5aa88f11a3621469b51f234edc1226ef6e940abffd49f7b98a6b83bcb1f4fd249e955caccde234893

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
7e4de8c1282a149a0105cd13970b3e71

SHA1
92c2834ffdb0fe26ada4f8e15ea7cc425b758b64

SHA256
6aac9b8d76beb6d064d29501e224f367682d3067fccc78c5e274cb84aa8e183d

SHA512
022538910fbfa8f5079bb51c3ea925444d0323f9d5c562a09754faa8c3c1a968d798049884aba99ed026385360f2c5f2c710751413a3d83e0d44ab7506c1b429

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
a08a5eda56d9a5e56cdb88a24bb54cde

SHA1
36a677790a73d9645ca42237fcd9b27af6059929

SHA256
62bf84b83bb78ffe87560d1221c057c946b3b2ed3aa23a343be9e277dfc032e7

SHA512
e2e93465a7b0afd6e84dce36704730a80047d296504f092cb401468eb47da461a7d45b6dcc3ebd9395f8a89b8c114324bc980d241b6d15803f32af04c4f657b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
640ade776398392c7118d425b7e2dd89

SHA1
0bbce15a3a4819b12b3e77d0e8da775d64665c6a

SHA256
294837a91fef89655d0490a25c87b741ee8e7ed9f1da68d91d7042904808cce5

SHA512
684b2322c586c6957b53440495536edbfb7f885fa67a739eae567f242dc806b062f53554df8b5c215933257790fde60b412ab7c2773740755142c4db4f16d5db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
e5665cc70a8d26594bef7144890165ea

SHA1
168a6ff11e598e40c9b2a4b0432e380112836691

SHA256
c879f670158dfd84b17792b4af551ff8ae567e1f1b675365e62cd38bccd00f0a

SHA512
ac7a7d3c16a69a63a40dc4de77efe35d17d4865fda1127b4c0e550f62be6498c67ccf0cd067efd2e96baa7e31aaf92d65ece6017ee49f45fbb90ded69410af6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
a8bb56ecfe871b00ae826bbd7b4a6fd0

SHA1
6a276534042dbb3960221f93b25f02c749a66145

SHA256
2b0bfc928ea1bb191367c5d9d0ee0f850c78fbd248395df56ad9feb64ee92090

SHA512
5078e3ee603f7e08f7d3537c2cd4bc7891f3550fdb3be0498c0cbfeb6baea202b756d1b7dae2053f3fd64e05e1249ca6150fd16b6fea350a8ccdb1fe21ca5f18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
ecaddc74d9fef65f3c4ff4359e12dd68

SHA1
cc602e5b1e7c12d8a5560f14593e2dfbbbc149f8

SHA256
aa929fe6f232b24a092500362c11f489ac918acca3a7ae74c4754a6086f19cc6

SHA512
9238a37f82599880de079e0ecb1e21f4c9dc769182c62fb2e0a53ced6eb6b5762b5474848d64551123f53159e7138731f54c64a307574267d1f40d247c35cc27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe579eff.TMP

Filesize
48B

MD5
0c754135f204c640a9a7b475d494f061

SHA1
47ed9beee100aece772d6197478786b9db0b35fd

SHA256
4f0a06d6aea42117b3b7e1d9bd05882e0d0fceac12ffb4cf94336682bb2b1b97

SHA512
2c3e0bcff4393ffb88d43401658cb578817074ac0481ba65088116330bacd837f84cfdbbbaef04572fbfbe913c06b7aed04a46890eac177feab4e438568759b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
63c8ac8678ac51a32a9afdeaee403447

SHA1
b93ad24ec1f7714a533ae94de6ac64650899b42a

SHA256
e8daf12715fe81035f0cde8cd803d7851f432f6a09e3a29b6acb6e5b7bf44c1f

SHA512
95bd7dc663e4f50c7ef1186ea4be002629294161fc6dd2a0dea6ed5f4456acc80e9736708992e56807996921c6e6074b6b732b0d1804ffb8c2183e8bb769ab56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
65993caa76b005fa83c1874ea24df485

SHA1
ac550cab7e83526fc73520ba3328b14c235b1740

SHA256
4898dfded0a6f6182c3ca6e14f6e0e2b3ea27529eb31919f46438fe060b5243a

SHA512
e94ba964c8376fd4f7dfb75687fac6e86eb1e4b3b51871dd3d0b7fa747b26182507439ec07cd8b0030b7dc2ad9f448f53a7d639d69437dd749743afc5f83183c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
427167f5e5d1146c082873a1c9dc99fe

SHA1
f1589aaf37de0ac832c1e6d718b0ef023cf84355

SHA256
694556c5c021676f36e8f8b863900e2f3d417ad07b653cd39ef5b830002bd4dc

SHA512
c0b1a85c7595100f219f215bf953918ca46ace2ed82cb5dd6f5498b19e046c1791366b04f086a12a5d9a851763dec3f870b535bf85b112372cf8e96feee4fa96

Download Submit
C:\Users\Admin\AppData\Local\Temp\E318.tmp\YSkullLock.exe

Filesize
2.9MB

MD5
2191c3a14b53531e82726b17dd331cef

SHA1
9fdcc1ef73bbd08ac8f4cb3bdaf4c4ed26a99737

SHA256
3b2abd3773e4678100f197f53a886ec833fd2e26aa9a94d780a2d22befdf7d44

SHA512
93dc75ae619bcac6566c6e773c3628c2ef1326d988e592e59a1c8f9be304014a970caf40bf255a52b26fb37ca1d2625c8bf95b5dc749f378a0450a74aa3421f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\E318.tmp\YSkullMBRSetup.exe

Filesize
1.3MB

MD5
220303eb72ebde4605116640fb719b26

SHA1
2021794facb35a7a23796e74835d8cf93882ddaf

SHA256
f081c913488c3f22b62f906dac2a82a38d085ebe1d28701f0059dfdfbf1ccf42

SHA512
dc811be33365049b32c3a47de9b4f4e4f77be0a9dfd14bfcfce92a6f575cf9bbd4aa56fcc92a3d8bf7bd21354f6530f3cc50a1f185a5953861d3a73a3f1738fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\E318.tmp\YellowSkull.bmp

Filesize
2.9MB

MD5
11bcda64d254ad8dc591b41f8fceb04d

SHA1
66d9dea8a7c3d0bb6e9924a4c86f5eef98317752

SHA256
84c5dad2d4cec5b636c1fae6f1e1482ada9f62363dcf269b4a86f6070d5b50fc

SHA512
b26287ed0de799b95a4bb1f18eb92e3a24dc8250eb09c669112d4b60e7e362012c564d0959ddfe128bc00a63601d9132160cc93276cb72ebc0e0ab2fc2d837b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\E318.tmp\YellowSkull2.bat

Filesize
3KB

MD5
4671d5895d88bc19645cab0fc7ca398a

SHA1
d6b1ccef99793b0dcd09156a6460027271cde082

SHA256
dd8aa9f7955674a7a1b5b222d7c1809c583c705dae8bf476cdd42efcc0afabb5

SHA512
ea21a82ccbb1647bdd45890dadb1740a8dbb7d4cd7481a252545a6db2ce7fda1ce7c808b102bbd4dbd8764a6f824d6529044002f234bb5c255504f6b85ab926b

Download Submit
C:\Users\Admin\AppData\Local\Temp\E318.tmp\bg.exe

Filesize
102KB

MD5
12cf508e9058e3e67cf8a736557c2749

SHA1
8448240c260ccef2d23854e749387b65e4b6668e

SHA256
b3670ec42931e2dea3e03053eda32240d8b6db15bf89d0c74e23e99ecb0aaf49

SHA512
7a837b5a89f29974b1e305e2082d5f7aee46bee3cef7e8a8b47a877d5bd6280c359318d6002c2c283aed13054a8ee590778e99e423a25f84f3037b0249c6403a

Download Submit
C:\Users\Admin\AppData\Local\Temp\E318.tmp\bg.wav

Filesize
2.6MB

MD5
832b350b50a07906c630a2b8819fd209

SHA1
362d4d61df27a40f975e26b3d8ace1e8fac10f94

SHA256
94e1cecf8ed740ea45c87927de31005c3b2f9db261aae04fe56a81e337d1e8da

SHA512
cf267295d0248029e4a92d1052df1e24c93d3be79adb1efa9723c64e9c7bb52108a3bc194e772ff0e6dcb5b2208e9d7787a81a86e74ee11892571760e40abcbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\E318.tmp\k.vbs

Filesize
140B

MD5
126595a4087b9e1b9bac69aab147c97f

SHA1
ef079808ab8f7b762c413c5fa5844f4285f2848c

SHA256
4c59cedcafe3f5a1025960b344107f7e18c98ca569d2e6c8aa3d685b20754089

SHA512
41cc1badee06c16a0c65cbf7f38a420ca3c8e0ea459afd208b9b01cbeeef6724b8f2c04ecb41bec9d045492f9be0361612204db77eae7e1aeece8fe3761a7eb4

Download Submit
C:\Users\Admin\Downloads\YellowSkull 2.0.zip.crdownload

Filesize
5.8MB

MD5
d700d6ccbbea18c0fe32775a65f13280

SHA1
7c159dd708efd29b1404f1b7fb8d4e3d4c0d1cfd

SHA256
0fdcd8ef8be7b2bc8b2aa44ca2dfe251e8850b0be1e0ec563bd3736d2f05a09d

SHA512
f49681c6ea7db12fef03220a8257bcab5b1fae81fdf590c08ad651057846a14017a132e042e5755651b7bff46cd42244cfac20ab4d1630b77002b4ec696f3533

Download Submit
C:\Users\Admin\Downloads\YellowSkull 2.0.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/1956-547-0x0000000000400000-0x0000000000DD9000-memory.dmp

Filesize
9.8MB

Download
memory/1956-589-0x0000000000400000-0x0000000000DD9000-memory.dmp

Filesize
9.8MB

Download
memory/4856-599-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download