Resubmissions
- 07/03/2024, 12:51  240307-p3n2gabc99  score 8
- 07/03/2024, 12:49  240307-p2sy2abc82  score 6
- 07/03/2024, 12:47  240307-pz6gcabc42  score 6

Analysis
max time kernel: 80s
max time network: 165s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 07/03/2024, 12:51
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/ytisf/theZoo
Resource: win11-20240221-en

General
Target: https://github.com/ytisf/theZoo
Malware Config
Signatures

Disables Task Manager via registry modification

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow | ioc
  5    | raw.githubusercontent.com
  10   | camo.githubusercontent.com

Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  description                  | ioc                | Process
  File opened for modification | \??\PhysicalDrive0 | salinewin.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description       | ioc                                                                      | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer    | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName     | msedge.exe
  Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                       | msedge.exe

Modifies registry class (1 IoCs)
  description | ioc                                                                              | Process
  Key created | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings | msedge.exe

Modifies registry key (1 TTPs, 1 IoCs)
  pid  | Process
  3984 | reg.exe

NTFS ADS (1 IoCs)
  description                  | ioc                                                                   | Process
  File opened for modification | C:\Users\Admin\Downloads\salinewin.exe-Malware-main.zip:Zone.Identifier | msedge.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs; each pid is listed twice)
  pid  | Process
  2360 | msedge.exe
  1328 | msedge.exe
  2804 | msedge.exe
  3548 | identity_helper.exe
  1212 | msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (14 IoCs)
  pid  | Process
  1328 | msedge.exe (14 entries)

Suspicious use of FindShellTrayWindow (64 IoCs)
  pid  | Process
  1328 | msedge.exe (64 entries)

Suspicious use of SendNotifyMessage (12 IoCs)
  pid  | Process
  1328 | msedge.exe (12 entries)

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid  | Process
  2112 | salinewin.exe

Suspicious use of WriteProcessMemory (64 IoCs; the 64 rows collapse to four distinct parent/target pairs, each repeated)
  description                       | pid  | Process    | procid_target
  PID 1328 wrote to memory of 4644  | 1328 | msedge.exe | 81
  PID 1328 wrote to memory of 4324  | 1328 | msedge.exe | 82
  PID 1328 wrote to memory of 2360  | 1328 | msedge.exe | 83
  PID 1328 wrote to memory of 3748  | 1328 | msedge.exe | 84
Processes (child processes are indented under their parent)

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:1328
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/ytisf/theZoo
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:4644
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xa8,0x10c,0x7fff15833cb8,0x7fff15833cc8,0x7fff15833cd8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:4324
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,12144124096841924204,17646901285616836224,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:2360
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,12144124096841924204,17646901285616836224,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:3748
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,12144124096841924204,17646901285616836224,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:2316
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12144124096841924204,17646901285616836224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:2840
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12144124096841924204,17646901285616836224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:2156
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12144124096841924204,17646901285616836224,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:2168
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12144124096841924204,17646901285616836224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:2752
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12144124096841924204,17646901285616836224,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:2804
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,12144124096841924204,17646901285616836224,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe  PID:3548
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,12144124096841924204,17646901285616836224,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5972 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:2128
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12144124096841924204,17646901285616836224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:2228
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12144124096841924204,17646901285616836224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:1232
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12144124096841924204,17646901285616836224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:2308
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12144124096841924204,17646901285616836224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:4472
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12144124096841924204,17646901285616836224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:2128
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12144124096841924204,17646901285616836224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:728
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12144124096841924204,17646901285616836224,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:2168
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12144124096841924204,17646901285616836224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:2704
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12144124096841924204,17646901285616836224,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6276 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:1212
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,12144124096841924204,17646901285616836224,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6200 /prefetch:8
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:2676
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,12144124096841924204,17646901285616836224,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1300 /prefetch:2

C:\Windows\System32\CompPkgSrv.exe  PID:884
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe  PID:4364
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\rundll32.exe  PID:896
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\Temp1_salinewin.zip\salinewin.exe  PID:2112
  "C:\Users\Admin\AppData\Local\Temp\Temp1_salinewin.zip\salinewin.exe"
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\cmd.exe  PID:4200
      C:\Windows\system32\cmd.exe /c REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f

        C:\Windows\SysWOW64\reg.exe  PID:3984
          REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
          - Modifies registry key

C:\Windows\system32\AUDIODG.EXE  PID:4592
  C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004D8

C:\Users\Admin\AppData\Local\Temp\Temp1_salinewin.zip\salinewin-safety.exe  PID:3968
  "C:\Users\Admin\AppData\Local\Temp\Temp1_salinewin.zip\salinewin-safety.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 152B
MD5: 12b71c4e45a845b5f29a54abb695e302
SHA1: 8699ca2c717839c385f13fb26d111e57a9e61d6f
SHA256: c353020621fa6cea80eaa45215934d5f44f181ffa1a673cdb7880f20a4e898e0
SHA512: 09f0d1a739102816c5a29106343d3b5bb54a31d67ddbfcfa21306b1a6d87eaa35a9a2f0358e56cc0f78be15eeb481a7cc2038ce54d552b9b791e7bee78145241

Filesize: 152B
MD5: ce319bd3ed3c89069337a6292042bbe0
SHA1: 7e058bce90e1940293044abffe993adf67d8d888
SHA256: 34070e3eea41c0e180cb5541de76cea15ef6f9e5c641e922d82a2d97bdce3aa3
SHA512: d42f7fc32a337ecd3a24bcbf6cd6155852646cae5fb499003356f713b791881fc2e46825c4ff61d09db2289f25c0992c10d6fadb560a9bea33284bd5acc449f7

File: C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 2KB
MD5: 156f0fc10ed0e0b3ef77153028abf0d4
SHA1: 2734786081eeaff5266a244f332b39b076412535
SHA256: 12d9644406821c08b3fca8a084d395b29e60f6e33c3297826ae62947f8ebab35
SHA512: 4b1a49d31fe18b88cc4a728b5c6b6c37b64900fa0b2f528b15cd3a2fd09791deeccf42674fc42dd9c37ca9179ea189d56e2f8e4e775a423cddfe3a5d02c3ea65

Filesize: 1KB
MD5: c6d85ca3d77e78e8e731af93dbbaabcb
SHA1: a66dc6def420bebed7cf07931bbe1ded71b5e125
SHA256: 8745143604694c0436d55192284ace3604655ebdf729af7216109c0f16c727c8
SHA512: aa9480f7086d77bedcce4996c48850605dd1e6d0092c1a8ce80e92712a50ef4eb47f90bae5bbe63ff97101fcda62d2f09f13e664723a94cc21b9126a8375d74e

Filesize: 111B
MD5: 807419ca9a4734feaf8d8563a003b048
SHA1: a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256: aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512: f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Filesize: 780B
MD5: 41590a2d811485d0728bb810c3350524
SHA1: 981a5ede633dc772445ac87c4d599c59ee1e792c
SHA256: 53d5a25016494bf3eae3ae21cee4e76787ee36ad14204efb2440eb8c5048c7c0
SHA512: 840fbe6ef32c2672659467d0b87db9db77cdf400892fdcdcc8ce2062de70d432db0034c3f4fe4cba424da995ce60c9d026eaaeac522ef17fb6e5c64e18f73fda

Filesize: 5KB
MD5: e552faa949e3aa5638abbe3586166fec
SHA1: 71c2b738b448e327f9ab9c0194d8f621cdd48005
SHA256: 92cd3d10eb9fbe3e014edd9a83c0b7bf5e3eb7c9dd51fd4d628c8f4ef1a58962
SHA512: 3d7e6a0cbc1814ef68d908855a4e917d6ad48d9836a2d9e3c10937d1ca9348e086dbaf0bdde9d779296869d1f45b24fc22869ea931ceaaa15da15b8e4a6f96ff

Filesize: 6KB
MD5: aa486c973f68df703064bfdcce28d910
SHA1: 5bf93c577afb6d4b03d20e50e007ee7cb506bda1
SHA256: 286736317de93b0c6a7b89863e454bff0f2fba03b9968a5de56e2d31c2cba008
SHA512: 158ad0fca98c398aabd81be7b2b1d2657c20128027ca44bdc8836f7b2aa873396d2428f33ee28ecc1a0cb3d369101f22f41154aef772e0d1367b5303bc0355e5

Filesize: 6KB
MD5: e17a1b016b6254b663cfb0f1d0229a4f
SHA1: e2f83cea2fd6426de6e13bb1a55ede388cb38ec8
SHA256: 32321fae2fb7f9ab631bb8443503029c6059f26bcb262c290a94d5c90f522030
SHA512: 27976d0f30263e276d2bb4f3eaeb0615950b1397e14a865b46852ccd66f0e167943b6307e8d0fce87e6428f4030f7be7baed73e332f0d555f5940671a7c0a7ba

Filesize: 1KB
MD5: 76c7cb1e16c4acbf7497af3ba877414c
SHA1: c391055f47454c607e562c45982ee169f897494f
SHA256: fa46bddfddaece730f9256852081fab486d7aabc0f4db39cfdfd24a02968b32f
SHA512: 70e10786437e8de0a4d43a16436aafaf14d004c1f6e8c1801a9d9a819af76aa613bc14e496d1dd8afea9dc128bc74efcc52757b5a9848553c2e88b1a03f05b63

Filesize: 1KB
MD5: 4c8a528b216b387ac545edd6922e8754
SHA1: 87630c53d6b680e26ef08b04367222dfa5dae989
SHA256: a14f427f377b9e54f07488e520f93cc06e475cfeae626e88c82b32dae13d03b6
SHA512: 7f12cf2f144944f7fa616298d7e7ac429ed95133b26889b484aa6479ff5d530e59da6b5a17a98c09ea0c58af6da436615f9a01d65a49da0f28656abdc25795be

Filesize: 1KB
MD5: 7ce984ccf410ea0e43274e222b75be77
SHA1: 454bd15b77e975877283f82df224037cdf5d4946
SHA256: 9752694931332c3ef81d140f85be4df7c5baff44bfbefd1622e616aaea7a84e1
SHA512: 1689b6de0ccca226e6d756c07da63c1db30412109a9c30619c324e5d426619497da7bf7eb96b514380cb41a074888a3ceb113834a3de7045d62d4b1048afcd13

Filesize: 1KB
MD5: e67623e765ba6d9515df017d6aaa308f
SHA1: 3873d9b321d014b1fe2e3a911cbbb45abca09412
SHA256: ed2f1cb4e9f8a0a31a78abd606a2a739b2fc1cb71d3f305a60299ca5d5022c61
SHA512: 89d1bec55df5741747dedce8f9393f6a86571713646d95fcec0bbfc08c5db5d28baf2f23307f955e84319543237ef1cb28502061a46d351bf0e56c055e41ae98

Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 11KB
MD5: c339b0746c063b44bdcbd32b6bcbaeec
SHA1: 51cf66507af406091b7e91940b76f3410d27096e
SHA256: c50ea08a4bb7818b04881307b5bc7cabfe730d351ecd87b96384d08d6771ddb1
SHA512: f116bd501828c6b56abc1cdc2c217a7ef70b2084fed8700a36ddb25e65ddd977e1731fa6b7500fb88716bc562fb544bff9cae9cf568ea03981019d64b1bf3217

Filesize: 11KB
MD5: ac898c7571d53f83e3c0fcfc13150bf1
SHA1: 45487f1d2a61520ab08eb47008e5ed01cb3f28fa
SHA256: e69cb89ebb5ccc18af4371e26283b210dfc96682cf1aab18693f94b01d53467f
SHA512: c53a1782123d9dd3ad6871ef47bad2c8bf2d2ccd9a7671cfd705a8d156e805f712c657fa138ade6a3c7f082ebcdd3058afe47eae580b4eb382c039b26c1dcfd7

File: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize: 10KB
MD5: 51fb3712a54ee7989fa979c4fbbfccbb
SHA1: 7c14a236ebfddd640ffb84b8d15d108f1a143808
SHA256: b57150d3ca3cefc8b1367dc0e638e43f44c450f771d457d5296dd590d42ed3e3
SHA512: c5799a44bd4608eff95a66d6a1bc1a178e18599b64aac8119aed131f61322a31d7b71adf442c6a6de493d989ecdbd830726fc3d948069eef3d86165ca2d11df2

Filesize: 3.5MB
MD5: 2e17a24196b3abdaa0abd2a890607775
SHA1: 1a1bced6ce004e6243f052a9b1b6b75a46bd37a6
SHA256: 0ee02d250709e55a8a442e40e684f2653f6ecd2623a7da872f61ee1c964568f7
SHA512: 37c54bfa9d9a56207d4090e241ac8a6da1ead91d5c022732b434552ea5d2ac782ff68688a2cb6f84fd383ffb55b693085d83a2f61263b39303d97af4ce5d14a7

Filesize: 9.0MB
MD5: 2fce5c9f5fb3eb3a945de24b73f54161
SHA1: a5dad058dc4fd1963721d2ba69a2d2dd2ebca073
SHA256: c94bedb87cb76d6690c839a56acfb26f4cb9e2c1ccf5a66e200b535687ba4cbd
SHA512: 2318f52818ad45df85ac8f76079ff5c5e8d3ab9380394114583173c2d0beeacaa8426cd88c77f76cd69bf9a814cbb33aae6aae944dcdf4fb8025acfff3d1686f

Filesize: 26B
MD5: fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1: d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256: eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512: aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98