hxxps://github[.]com/ytisf/theZoo

Resubmissions

07/03/2024, 12:51

240307-p3n2gabc99 8

07/03/2024, 12:49

240307-p2sy2abc82 6

07/03/2024, 12:47

240307-pz6gcabc42 6

Analysis

max time kernel
80s
max time network
165s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
07/03/2024, 12:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/ytisf/theZoo

Score

8^/10

bootkit evasion persistence

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
10	camo.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	salinewin.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings	msedge.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3984	reg.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\salinewin.exe-Malware-main.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2360	msedge.exe
2360	msedge.exe
1328	msedge.exe
1328	msedge.exe
2804	msedge.exe
2804	msedge.exe
3548	identity_helper.exe
3548	identity_helper.exe
1212	msedge.exe
1212	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2112	salinewin.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1328 wrote to memory of 4644	1328	msedge.exe	81
PID 1328 wrote to memory of 4644	1328	msedge.exe	81
PID 1328 wrote to memory of 4324	1328	msedge.exe	82
PID 1328 wrote to memory of 4324	1328	msedge.exe	82
PID 1328 wrote to memory of 4324	1328	msedge.exe	82
PID 1328 wrote to memory of 4324	1328	msedge.exe	82
PID 1328 wrote to memory of 4324	1328	msedge.exe	82
PID 1328 wrote to memory of 4324	1328	msedge.exe	82
PID 1328 wrote to memory of 4324	1328	msedge.exe	82
PID 1328 wrote to memory of 4324	1328	msedge.exe	82
PID 1328 wrote to memory of 4324	1328	msedge.exe	82
PID 1328 wrote to memory of 4324	1328	msedge.exe	82
PID 1328 wrote to memory of 4324	1328	msedge.exe	82
PID 1328 wrote to memory of 4324	1328	msedge.exe	82
PID 1328 wrote to memory of 4324	1328	msedge.exe	82
PID 1328 wrote to memory of 4324	1328	msedge.exe	82
PID 1328 wrote to memory of 4324	1328	msedge.exe	82
PID 1328 wrote to memory of 4324	1328	msedge.exe	82
PID 1328 wrote to memory of 4324	1328	msedge.exe	82
PID 1328 wrote to memory of 4324	1328	msedge.exe	82
PID 1328 wrote to memory of 4324	1328	msedge.exe	82
PID 1328 wrote to memory of 4324	1328	msedge.exe	82
PID 1328 wrote to memory of 4324	1328	msedge.exe	82
PID 1328 wrote to memory of 4324	1328	msedge.exe	82
PID 1328 wrote to memory of 4324	1328	msedge.exe	82
PID 1328 wrote to memory of 4324	1328	msedge.exe	82
PID 1328 wrote to memory of 4324	1328	msedge.exe	82
PID 1328 wrote to memory of 4324	1328	msedge.exe	82
PID 1328 wrote to memory of 4324	1328	msedge.exe	82
PID 1328 wrote to memory of 4324	1328	msedge.exe	82
PID 1328 wrote to memory of 4324	1328	msedge.exe	82
PID 1328 wrote to memory of 4324	1328	msedge.exe	82
PID 1328 wrote to memory of 4324	1328	msedge.exe	82
PID 1328 wrote to memory of 4324	1328	msedge.exe	82
PID 1328 wrote to memory of 4324	1328	msedge.exe	82
PID 1328 wrote to memory of 4324	1328	msedge.exe	82
PID 1328 wrote to memory of 4324	1328	msedge.exe	82
PID 1328 wrote to memory of 4324	1328	msedge.exe	82
PID 1328 wrote to memory of 4324	1328	msedge.exe	82
PID 1328 wrote to memory of 4324	1328	msedge.exe	82
PID 1328 wrote to memory of 4324	1328	msedge.exe	82
PID 1328 wrote to memory of 4324	1328	msedge.exe	82
PID 1328 wrote to memory of 2360	1328	msedge.exe	83
PID 1328 wrote to memory of 2360	1328	msedge.exe	83
PID 1328 wrote to memory of 3748	1328	msedge.exe	84
PID 1328 wrote to memory of 3748	1328	msedge.exe	84
PID 1328 wrote to memory of 3748	1328	msedge.exe	84
PID 1328 wrote to memory of 3748	1328	msedge.exe	84
PID 1328 wrote to memory of 3748	1328	msedge.exe	84
PID 1328 wrote to memory of 3748	1328	msedge.exe	84
PID 1328 wrote to memory of 3748	1328	msedge.exe	84
PID 1328 wrote to memory of 3748	1328	msedge.exe	84
PID 1328 wrote to memory of 3748	1328	msedge.exe	84
PID 1328 wrote to memory of 3748	1328	msedge.exe	84
PID 1328 wrote to memory of 3748	1328	msedge.exe	84
PID 1328 wrote to memory of 3748	1328	msedge.exe	84
PID 1328 wrote to memory of 3748	1328	msedge.exe	84
PID 1328 wrote to memory of 3748	1328	msedge.exe	84
PID 1328 wrote to memory of 3748	1328	msedge.exe	84
PID 1328 wrote to memory of 3748	1328	msedge.exe	84
PID 1328 wrote to memory of 3748	1328	msedge.exe	84
PID 1328 wrote to memory of 3748	1328	msedge.exe	84
PID 1328 wrote to memory of 3748	1328	msedge.exe	84
PID 1328 wrote to memory of 3748	1328	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/ytisf/theZoo
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xa8,0x10c,0x7fff15833cb8,0x7fff15833cc8,0x7fff15833cd8
  2⤵
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,12144124096841924204,17646901285616836224,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:4324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,12144124096841924204,17646901285616836224,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,12144124096841924204,17646901285616836224,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
  2⤵
  PID:3748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12144124096841924204,17646901285616836224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:2316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12144124096841924204,17646901285616836224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:2840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12144124096841924204,17646901285616836224,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
  2⤵
  PID:2156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12144124096841924204,17646901285616836224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:2168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12144124096841924204,17646901285616836224,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
  2⤵
  PID:2752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,12144124096841924204,17646901285616836224,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2804
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,12144124096841924204,17646901285616836224,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5972 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12144124096841924204,17646901285616836224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  PID:2128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12144124096841924204,17646901285616836224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
  2⤵
  PID:2228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12144124096841924204,17646901285616836224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:1232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12144124096841924204,17646901285616836224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
  2⤵
  PID:2308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12144124096841924204,17646901285616836224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12144124096841924204,17646901285616836224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
  2⤵
  PID:2128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12144124096841924204,17646901285616836224,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
  2⤵
  PID:728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12144124096841924204,17646901285616836224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
  2⤵
  PID:2168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12144124096841924204,17646901285616836224,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6276 /prefetch:1
  2⤵
  PID:2704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,12144124096841924204,17646901285616836224,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6200 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,12144124096841924204,17646901285616836224,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1300 /prefetch:2
  2⤵
  PID:2676

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4364

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:896

C:\Users\Admin\AppData\Local\Temp\Temp1_salinewin.zip\salinewin.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_salinewin.zip\salinewin.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
PID:2112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
  2⤵
  PID:4200
- - C:\Windows\SysWOW64\reg.exe
    REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
    3⤵
    - Modifies registry key
    PID:3984

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004D8
1⤵
PID:4592

C:\Users\Admin\AppData\Local\Temp\Temp1_salinewin.zip\salinewin-safety.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_salinewin.zip\salinewin-safety.exe"
1⤵
PID:3968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
12b71c4e45a845b5f29a54abb695e302

SHA1
8699ca2c717839c385f13fb26d111e57a9e61d6f

SHA256
c353020621fa6cea80eaa45215934d5f44f181ffa1a673cdb7880f20a4e898e0

SHA512
09f0d1a739102816c5a29106343d3b5bb54a31d67ddbfcfa21306b1a6d87eaa35a9a2f0358e56cc0f78be15eeb481a7cc2038ce54d552b9b791e7bee78145241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce319bd3ed3c89069337a6292042bbe0

SHA1
7e058bce90e1940293044abffe993adf67d8d888

SHA256
34070e3eea41c0e180cb5541de76cea15ef6f9e5c641e922d82a2d97bdce3aa3

SHA512
d42f7fc32a337ecd3a24bcbf6cd6155852646cae5fb499003356f713b791881fc2e46825c4ff61d09db2289f25c0992c10d6fadb560a9bea33284bd5acc449f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
156f0fc10ed0e0b3ef77153028abf0d4

SHA1
2734786081eeaff5266a244f332b39b076412535

SHA256
12d9644406821c08b3fca8a084d395b29e60f6e33c3297826ae62947f8ebab35

SHA512
4b1a49d31fe18b88cc4a728b5c6b6c37b64900fa0b2f528b15cd3a2fd09791deeccf42674fc42dd9c37ca9179ea189d56e2f8e4e775a423cddfe3a5d02c3ea65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
c6d85ca3d77e78e8e731af93dbbaabcb

SHA1
a66dc6def420bebed7cf07931bbe1ded71b5e125

SHA256
8745143604694c0436d55192284ace3604655ebdf729af7216109c0f16c727c8

SHA512
aa9480f7086d77bedcce4996c48850605dd1e6d0092c1a8ce80e92712a50ef4eb47f90bae5bbe63ff97101fcda62d2f09f13e664723a94cc21b9126a8375d74e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
780B

MD5
41590a2d811485d0728bb810c3350524

SHA1
981a5ede633dc772445ac87c4d599c59ee1e792c

SHA256
53d5a25016494bf3eae3ae21cee4e76787ee36ad14204efb2440eb8c5048c7c0

SHA512
840fbe6ef32c2672659467d0b87db9db77cdf400892fdcdcc8ce2062de70d432db0034c3f4fe4cba424da995ce60c9d026eaaeac522ef17fb6e5c64e18f73fda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e552faa949e3aa5638abbe3586166fec

SHA1
71c2b738b448e327f9ab9c0194d8f621cdd48005

SHA256
92cd3d10eb9fbe3e014edd9a83c0b7bf5e3eb7c9dd51fd4d628c8f4ef1a58962

SHA512
3d7e6a0cbc1814ef68d908855a4e917d6ad48d9836a2d9e3c10937d1ca9348e086dbaf0bdde9d779296869d1f45b24fc22869ea931ceaaa15da15b8e4a6f96ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
aa486c973f68df703064bfdcce28d910

SHA1
5bf93c577afb6d4b03d20e50e007ee7cb506bda1

SHA256
286736317de93b0c6a7b89863e454bff0f2fba03b9968a5de56e2d31c2cba008

SHA512
158ad0fca98c398aabd81be7b2b1d2657c20128027ca44bdc8836f7b2aa873396d2428f33ee28ecc1a0cb3d369101f22f41154aef772e0d1367b5303bc0355e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e17a1b016b6254b663cfb0f1d0229a4f

SHA1
e2f83cea2fd6426de6e13bb1a55ede388cb38ec8

SHA256
32321fae2fb7f9ab631bb8443503029c6059f26bcb262c290a94d5c90f522030

SHA512
27976d0f30263e276d2bb4f3eaeb0615950b1397e14a865b46852ccd66f0e167943b6307e8d0fce87e6428f4030f7be7baed73e332f0d555f5940671a7c0a7ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
76c7cb1e16c4acbf7497af3ba877414c

SHA1
c391055f47454c607e562c45982ee169f897494f

SHA256
fa46bddfddaece730f9256852081fab486d7aabc0f4db39cfdfd24a02968b32f

SHA512
70e10786437e8de0a4d43a16436aafaf14d004c1f6e8c1801a9d9a819af76aa613bc14e496d1dd8afea9dc128bc74efcc52757b5a9848553c2e88b1a03f05b63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4c8a528b216b387ac545edd6922e8754

SHA1
87630c53d6b680e26ef08b04367222dfa5dae989

SHA256
a14f427f377b9e54f07488e520f93cc06e475cfeae626e88c82b32dae13d03b6

SHA512
7f12cf2f144944f7fa616298d7e7ac429ed95133b26889b484aa6479ff5d530e59da6b5a17a98c09ea0c58af6da436615f9a01d65a49da0f28656abdc25795be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7ce984ccf410ea0e43274e222b75be77

SHA1
454bd15b77e975877283f82df224037cdf5d4946

SHA256
9752694931332c3ef81d140f85be4df7c5baff44bfbefd1622e616aaea7a84e1

SHA512
1689b6de0ccca226e6d756c07da63c1db30412109a9c30619c324e5d426619497da7bf7eb96b514380cb41a074888a3ceb113834a3de7045d62d4b1048afcd13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e67623e765ba6d9515df017d6aaa308f

SHA1
3873d9b321d014b1fe2e3a911cbbb45abca09412

SHA256
ed2f1cb4e9f8a0a31a78abd606a2a739b2fc1cb71d3f305a60299ca5d5022c61

SHA512
89d1bec55df5741747dedce8f9393f6a86571713646d95fcec0bbfc08c5db5d28baf2f23307f955e84319543237ef1cb28502061a46d351bf0e56c055e41ae98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c339b0746c063b44bdcbd32b6bcbaeec

SHA1
51cf66507af406091b7e91940b76f3410d27096e

SHA256
c50ea08a4bb7818b04881307b5bc7cabfe730d351ecd87b96384d08d6771ddb1

SHA512
f116bd501828c6b56abc1cdc2c217a7ef70b2084fed8700a36ddb25e65ddd977e1731fa6b7500fb88716bc562fb544bff9cae9cf568ea03981019d64b1bf3217

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ac898c7571d53f83e3c0fcfc13150bf1

SHA1
45487f1d2a61520ab08eb47008e5ed01cb3f28fa

SHA256
e69cb89ebb5ccc18af4371e26283b210dfc96682cf1aab18693f94b01d53467f

SHA512
c53a1782123d9dd3ad6871ef47bad2c8bf2d2ccd9a7671cfd705a8d156e805f712c657fa138ade6a3c7f082ebcdd3058afe47eae580b4eb382c039b26c1dcfd7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
51fb3712a54ee7989fa979c4fbbfccbb

SHA1
7c14a236ebfddd640ffb84b8d15d108f1a143808

SHA256
b57150d3ca3cefc8b1367dc0e638e43f44c450f771d457d5296dd590d42ed3e3

SHA512
c5799a44bd4608eff95a66d6a1bc1a178e18599b64aac8119aed131f61322a31d7b71adf442c6a6de493d989ecdbd830726fc3d948069eef3d86165ca2d11df2

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 994294.crdownload

Filesize
3.5MB

MD5
2e17a24196b3abdaa0abd2a890607775

SHA1
1a1bced6ce004e6243f052a9b1b6b75a46bd37a6

SHA256
0ee02d250709e55a8a442e40e684f2653f6ecd2623a7da872f61ee1c964568f7

SHA512
37c54bfa9d9a56207d4090e241ac8a6da1ead91d5c022732b434552ea5d2ac782ff68688a2cb6f84fd383ffb55b693085d83a2f61263b39303d97af4ce5d14a7

Download Submit
C:\Users\Admin\Downloads\salinewin.exe-Malware-main.zip

Filesize
9.0MB

MD5
2fce5c9f5fb3eb3a945de24b73f54161

SHA1
a5dad058dc4fd1963721d2ba69a2d2dd2ebca073

SHA256
c94bedb87cb76d6690c839a56acfb26f4cb9e2c1ccf5a66e200b535687ba4cbd

SHA512
2318f52818ad45df85ac8f76079ff5c5e8d3ab9380394114583173c2d0beeacaa8426cd88c77f76cd69bf9a814cbb33aae6aae944dcdf4fb8025acfff3d1686f

Download Submit
C:\Users\Admin\Downloads\salinewin.exe-Malware-main.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit