5834f6ae3522131494c225a93c30173430be80b5c144519b265395c54f35172b

Analysis

max time kernel
217s
max time network
271s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
11-08-2024 04:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/InstallOptions.dll
Size

14KB
MD5

0dc0cc7a6d9db685bf05a7e5f3ea4781
SHA1

5d8b6268eeec9d8d904bc9d988a4b588b392213f
SHA256

8e287326f1cdd5ef2dcd7a72537c68cbe4299ceb1f820707c5820f3aa6d8206c
SHA512

814dd17ebb434f4a3356f716c783ab7f569f9ee34ce5274fa50392526925f044798f8006198ac7afe3d1c2ca83a2ca8c472ca53fec5f12bbfbbe0707abacd6b0
SSDEEP

192:n6d+dHXLHQOPiY53uiUdigyU+WsPdc/A1A+2jPK72dwF7dBEnbok:n6UdHXcIiY535zBt2jP+BEnbo

Score

8^/10

bootkit discovery evasion persistence

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	salinewin.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
748	2464	WerFault.exe	79

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	salinewin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3761892313-3378554128-2287991803-1000\{BECB6367-9274-42C2-A6EB-10901E4EE7B8}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings	msedge.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4184	reg.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\salinewin.exe-Malware-main.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2028	msedge.exe
2028	msedge.exe
4436	msedge.exe
4436	msedge.exe
1008	identity_helper.exe
1008	identity_helper.exe
2608	msedge.exe
2608	msedge.exe
964	msedge.exe
964	msedge.exe
2064	msedge.exe
2064	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2940	salinewin.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2464	2064	rundll32.exe	79
PID 2064 wrote to memory of 2464	2064	rundll32.exe	79
PID 2064 wrote to memory of 2464	2064	rundll32.exe	79
PID 4436 wrote to memory of 3416	4436	msedge.exe	86
PID 4436 wrote to memory of 3416	4436	msedge.exe	86
PID 4436 wrote to memory of 1924	4436	msedge.exe	87
PID 4436 wrote to memory of 1924	4436	msedge.exe	87
PID 4436 wrote to memory of 1924	4436	msedge.exe	87
PID 4436 wrote to memory of 1924	4436	msedge.exe	87
PID 4436 wrote to memory of 1924	4436	msedge.exe	87
PID 4436 wrote to memory of 1924	4436	msedge.exe	87
PID 4436 wrote to memory of 1924	4436	msedge.exe	87
PID 4436 wrote to memory of 1924	4436	msedge.exe	87
PID 4436 wrote to memory of 1924	4436	msedge.exe	87
PID 4436 wrote to memory of 1924	4436	msedge.exe	87
PID 4436 wrote to memory of 1924	4436	msedge.exe	87
PID 4436 wrote to memory of 1924	4436	msedge.exe	87
PID 4436 wrote to memory of 1924	4436	msedge.exe	87
PID 4436 wrote to memory of 1924	4436	msedge.exe	87
PID 4436 wrote to memory of 1924	4436	msedge.exe	87
PID 4436 wrote to memory of 1924	4436	msedge.exe	87
PID 4436 wrote to memory of 1924	4436	msedge.exe	87
PID 4436 wrote to memory of 1924	4436	msedge.exe	87
PID 4436 wrote to memory of 1924	4436	msedge.exe	87
PID 4436 wrote to memory of 1924	4436	msedge.exe	87
PID 4436 wrote to memory of 1924	4436	msedge.exe	87
PID 4436 wrote to memory of 1924	4436	msedge.exe	87
PID 4436 wrote to memory of 1924	4436	msedge.exe	87
PID 4436 wrote to memory of 1924	4436	msedge.exe	87
PID 4436 wrote to memory of 1924	4436	msedge.exe	87
PID 4436 wrote to memory of 1924	4436	msedge.exe	87
PID 4436 wrote to memory of 1924	4436	msedge.exe	87
PID 4436 wrote to memory of 1924	4436	msedge.exe	87
PID 4436 wrote to memory of 1924	4436	msedge.exe	87
PID 4436 wrote to memory of 1924	4436	msedge.exe	87
PID 4436 wrote to memory of 1924	4436	msedge.exe	87
PID 4436 wrote to memory of 1924	4436	msedge.exe	87
PID 4436 wrote to memory of 1924	4436	msedge.exe	87
PID 4436 wrote to memory of 1924	4436	msedge.exe	87
PID 4436 wrote to memory of 1924	4436	msedge.exe	87
PID 4436 wrote to memory of 1924	4436	msedge.exe	87
PID 4436 wrote to memory of 1924	4436	msedge.exe	87
PID 4436 wrote to memory of 1924	4436	msedge.exe	87
PID 4436 wrote to memory of 1924	4436	msedge.exe	87
PID 4436 wrote to memory of 1924	4436	msedge.exe	87
PID 4436 wrote to memory of 2028	4436	msedge.exe	88
PID 4436 wrote to memory of 2028	4436	msedge.exe	88
PID 4436 wrote to memory of 792	4436	msedge.exe	89
PID 4436 wrote to memory of 792	4436	msedge.exe	89
PID 4436 wrote to memory of 792	4436	msedge.exe	89
PID 4436 wrote to memory of 792	4436	msedge.exe	89
PID 4436 wrote to memory of 792	4436	msedge.exe	89
PID 4436 wrote to memory of 792	4436	msedge.exe	89
PID 4436 wrote to memory of 792	4436	msedge.exe	89
PID 4436 wrote to memory of 792	4436	msedge.exe	89
PID 4436 wrote to memory of 792	4436	msedge.exe	89
PID 4436 wrote to memory of 792	4436	msedge.exe	89
PID 4436 wrote to memory of 792	4436	msedge.exe	89
PID 4436 wrote to memory of 792	4436	msedge.exe	89
PID 4436 wrote to memory of 792	4436	msedge.exe	89
PID 4436 wrote to memory of 792	4436	msedge.exe	89
PID 4436 wrote to memory of 792	4436	msedge.exe	89
PID 4436 wrote to memory of 792	4436	msedge.exe	89
PID 4436 wrote to memory of 792	4436	msedge.exe	89

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2464
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 544
    3⤵
    - Program crash
    PID:748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2464 -ip 2464
1⤵
PID:3220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe29713cb8,0x7ffe29713cc8,0x7ffe29713cd8
  2⤵
  PID:3416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,7871040140894907018,13319084962827375935,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:2
  2⤵
  PID:1924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,7871040140894907018,13319084962827375935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,7871040140894907018,13319084962827375935,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2512 /prefetch:8
  2⤵
  PID:792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,7871040140894907018,13319084962827375935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:2556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,7871040140894907018,13319084962827375935,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,7871040140894907018,13319084962827375935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
  2⤵
  PID:2932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,7871040140894907018,13319084962827375935,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
  2⤵
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,7871040140894907018,13319084962827375935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1884,7871040140894907018,13319084962827375935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3948 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,7871040140894907018,13319084962827375935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
  2⤵
  PID:1832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,7871040140894907018,13319084962827375935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
  2⤵
  PID:2296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1884,7871040140894907018,13319084962827375935,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5368 /prefetch:8
  2⤵
  PID:1604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1884,7871040140894907018,13319084962827375935,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5340 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,7871040140894907018,13319084962827375935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3980 /prefetch:1
  2⤵
  PID:1412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,7871040140894907018,13319084962827375935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3956 /prefetch:1
  2⤵
  PID:1896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,7871040140894907018,13319084962827375935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
  2⤵
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,7871040140894907018,13319084962827375935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
  2⤵
  PID:1152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,7871040140894907018,13319084962827375935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6488 /prefetch:1
  2⤵
  PID:1796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,7871040140894907018,13319084962827375935,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6500 /prefetch:1
  2⤵
  PID:3372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,7871040140894907018,13319084962827375935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6520 /prefetch:1
  2⤵
  PID:2040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,7871040140894907018,13319084962827375935,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6928 /prefetch:1
  2⤵
  PID:1208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,7871040140894907018,13319084962827375935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6640 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2064

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5104

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2984

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4164

C:\Users\Admin\AppData\Local\Temp\Temp1_salinewin.zip\salinewin.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_salinewin.zip\salinewin.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3480
- - C:\Windows\SysWOW64\reg.exe
    REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4184

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C0 0x00000000000004CC
1⤵
PID:1476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4c3889d3f0d2246f800c495aec7c3f7c

SHA1
dd38e6bf74617bfcf9d6cceff2f746a094114220

SHA256
0a4781bca132edf11500537cbf95ff840c2b6fd33cd94809ca9929f00044bea4

SHA512
2d6cb23e2977c0890f69751a96daeb71e0f12089625f32b34b032615435408f21047b90c19de09f83ef99957681440fdc0c985e079bb196371881b5fdca68a37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c4a10f6df4922438ca68ada540730100

SHA1
4c7bfbe3e2358a28bf5b024c4be485fa6773629e

SHA256
f286c908fea67163f02532503b5555a939f894c6f2e683d80679b7e5726a7c02

SHA512
b4d407341989e0bbbe0cdd64f7757bea17f0141a89104301dd7ffe45e7511d3ea27c53306381a29c24df68bdb9677eb8c07d4d88874d86aba41bb6f0ce7a942c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
c13fce3082fc17b36fec29b6d0fc36b9

SHA1
31bfac7d1feedb8e4a621e173fa33e09b0796e07

SHA256
fa749d92f850d258f0c373cae3f7574ee89759d30e3fd6a53396b102bcc8e45e

SHA512
b5e9360620df5c99577d50d84cae929c36047f70d11a58dbe3d334f1dc695db79ee27e46db4ef523ed8a0f7de544d9f6c21c076b88a2cb1616b7c4502782c82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
8c82e944a30fb1e0e5c931a7678f8f24

SHA1
7b6c1028e6d4b6b645d8eb93f6e7d03fbe46a5d7

SHA256
96de4486b630d4ee4998a56639327f66e149a20f589ac35d3a7e3c3b0e228bbc

SHA512
4d94db4a4df112e844e2ad46b8f451dd98c5d63e99d3bbe8b17ed0bdb6b5cebad7cef96a08ca4cdd7e730f0680458c5f8d68633ce25c7245310adb2e48775cc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
873B

MD5
f703392701b97e06a502020c637d2a55

SHA1
dfc2a0bbfe0192464b7ba9083e7cd99fbc376f7f

SHA256
0951ac53445e50babc8425c1db0a3915762154bc67cba790365605e656dbd4e1

SHA512
bf0d70d91dd7ccfdb16c3671c6af85aa82b439e8bc5cabfa341b0683b9e5de0be587f5e0a1793acb30837a709cae45a05057f1862158c2233f94da9b882d97e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f2fa8ea63ff586e819a07663cad59940

SHA1
b8976f64885bd2c32286d0cc0049bf29081bc9ad

SHA256
097eb82c2329e69bec92882ebab70ef7c65a44bb0f32a362f9d2d80e6d4f4bdd

SHA512
6b8056df64be73becd7672c613c6b8f9a694dfae1089bd69fca22d2bfbda8b123901c156b78c4870aa8fc5fdf798aa167a8811c0abc7b18e4215a8832885c5d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f4b5ea2058db148ae7b2c924b620c9d0

SHA1
61e86187cca8ee6a1b073529983d6aa291fe999c

SHA256
7f95c24ef1cd7d52e64a82b4421759d6ccfa6908f5ad048ae8693a8ef223468f

SHA512
a6e391572e349041b0ccde28a50829e0204d29944052e0953e2e56c45f37b02fac69d98cdb3825d371a661862535bf3d549d6ebac5582980ea721fae8c90b542

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e70574d4067d61e1b6e5ce8a551a9447

SHA1
70d613e2fd894f5e4cca50fcc70fe137cb5aae20

SHA256
9657ba5eeb5c37af8792bb0e2a10423135d7d961f41daf35ac299fb638434238

SHA512
144f8f6150063d6f8189af5d65b6875cdf267b68b4c13a4981516637007b2f83334a9f9c59951bfb8e8495211411837eafe786006408def49047b5d1a3b281d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cf62f9d38269e15c8edcf94179049b68

SHA1
9e3f35eec562f242f33ac0c705f543ef39e30b71

SHA256
dd9bebc393168b8b1b7f9a319d291afbb7bc65ce3f3a836834968075d5d395b4

SHA512
a9a9c2c437fd71386c2b311f5d3a0985119f8963e78d1747efd6827632246c3ad464543eff133a8d493a32217acd30214cf1c04e04897e699636fdd2efd09b16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
79ada5a2add2642008ac3eecf1101191

SHA1
ddbda901d0d088acac07787f052116b4d90dc441

SHA256
3f653e021fb60b6dd72df4b9857388ab75d9694ebe061cfc6668f26b9d4c3ec4

SHA512
879851741d922405d497044fd6b868f2a9be049fd6ff4f369cf8c7d5128a8159db0ff171d6f20df35c1d70ef0d4c6b02b519a53da1ec05f4d2a61875bedfe40e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b9edc94c1f23749bc34125a89de2f4bf

SHA1
21bc6adf77fff6d582e3b686cc5a6a9b88e17e33

SHA256
020c20ba911f5272d7a15c5ebf2c06b7a6c574d2f7d5ff7c2dc9e3608272a1bd

SHA512
7d5d0a76dde345ccdc4ee626ba1db34b1eb1f248c81dd243e065ab276a46585e650b6cbcefd877432f189b58dfada2afed7a191e832700a7b8b25aee9ed4261b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5a8f12.TMP

Filesize
1KB

MD5
ee5a7c4d695746994cef2e443f1cff81

SHA1
404a38c718320701898d1fd5d17269ce6661e129

SHA256
466532cbba48e94fc7be5f0eabf5d48026b467848a567755e8c4e2eaf3a9f587

SHA512
41c292f470b86094f4fd54aae3e03c9f20df8cf1cb21c1eb0948ba9e7b45fcb1cf5718b68049f75dbc7cd3b9c6df12b8f8373bc2a2af93b64ffc1eeebfdd880c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b4d44c3114a8fbf3dadf1c6a9b8b8b64

SHA1
3016f56539d49056e0caaf85063171e61a458cf2

SHA256
939c54adaf57b2ddf5b28f996c6ec89fb8ed641f7143322d7b73a9f55334c098

SHA512
0863adb9905b42c8ac88622401cde4c705b6f6212cd0b5733a3b88076be824e99d73ead9282450d03c4d3097e2e84b22199cf6265f18123dd09ffc7b64301909

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e4a641e9cc29de1cc32f6feec8fbce74

SHA1
63e790430e2b611c0a3660700cb907746109551f

SHA256
4752719048f8877e953e4f9263f7d071f6b649a1ce00e52cef3c319102f0eeef

SHA512
84d4cd12cfac4653e3406aa1f4009306ec8eb757bc59cb33eb32bbad403001c384a7ad41818a717635b761a4545e2fe03adce908e2e85261f18cd29b7beee3a3

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 870730.crdownload

Filesize
12.1MB

MD5
c8bf514a334eaa148cb3c6135c2fb394

SHA1
0e47a89c3729db5a6f195c6abb04e5129d788df8

SHA256
9127560918eaefe69f1959bcb7f7e13b7e3a7ac156b564922829faaec9b96f67

SHA512
9879a258f429ef492cf495dbddd4f2b9c9fbc061e325aa8ad870ed05049b7ad595b26d223d20c55fc99f403fc9b5d0235353d71bf5d9a39ee4462838feb247ff

Download Submit
C:\Users\Admin\Downloads\salinewin.exe-Malware-main.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit