hxxp://Google[.]com

max time kernel
137s
max time network
246s
platform
windows11-21h2_x64
resource
win11-20250314-en
resource tags

arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system
submitted
25/03/2025, 03:29

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://Google.com

Score

8^/10

bootkit defense_evasion discovery persistence

Malware Config

Signatures

Disables Task Manager via registry modification
defense_evasion

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
17	raw.githubusercontent.com
80	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	salinewin.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	salinewin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133873470165669022"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings	chrome.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3312	reg.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\salinewin.zip:Zone.Identifier	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2724	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3108	chrome.exe
3108	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe
Token: SeShutdownPrivilege	3404	chrome.exe
Token: SeCreatePagefilePrivilege	3404	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe

Suspicious use of SendNotifyMessage 14 IoCs

pid	Process
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe
3404	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4260	salinewin.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3404 wrote to memory of 4020	3404	chrome.exe	78
PID 3404 wrote to memory of 4020	3404	chrome.exe	78
PID 3404 wrote to memory of 3308	3404	chrome.exe	79
PID 3404 wrote to memory of 3308	3404	chrome.exe	79
PID 3404 wrote to memory of 3308	3404	chrome.exe	79
PID 3404 wrote to memory of 3308	3404	chrome.exe	79
PID 3404 wrote to memory of 3308	3404	chrome.exe	79
PID 3404 wrote to memory of 3308	3404	chrome.exe	79
PID 3404 wrote to memory of 3308	3404	chrome.exe	79
PID 3404 wrote to memory of 3308	3404	chrome.exe	79
PID 3404 wrote to memory of 3308	3404	chrome.exe	79
PID 3404 wrote to memory of 3308	3404	chrome.exe	79
PID 3404 wrote to memory of 3308	3404	chrome.exe	79
PID 3404 wrote to memory of 3308	3404	chrome.exe	79
PID 3404 wrote to memory of 3308	3404	chrome.exe	79
PID 3404 wrote to memory of 3308	3404	chrome.exe	79
PID 3404 wrote to memory of 3308	3404	chrome.exe	79
PID 3404 wrote to memory of 3308	3404	chrome.exe	79
PID 3404 wrote to memory of 3308	3404	chrome.exe	79
PID 3404 wrote to memory of 3308	3404	chrome.exe	79
PID 3404 wrote to memory of 3308	3404	chrome.exe	79
PID 3404 wrote to memory of 3308	3404	chrome.exe	79
PID 3404 wrote to memory of 3308	3404	chrome.exe	79
PID 3404 wrote to memory of 3308	3404	chrome.exe	79
PID 3404 wrote to memory of 3308	3404	chrome.exe	79
PID 3404 wrote to memory of 3308	3404	chrome.exe	79
PID 3404 wrote to memory of 3308	3404	chrome.exe	79
PID 3404 wrote to memory of 3308	3404	chrome.exe	79
PID 3404 wrote to memory of 3308	3404	chrome.exe	79
PID 3404 wrote to memory of 3308	3404	chrome.exe	79
PID 3404 wrote to memory of 3308	3404	chrome.exe	79
PID 3404 wrote to memory of 3308	3404	chrome.exe	79
PID 3404 wrote to memory of 5224	3404	chrome.exe	80
PID 3404 wrote to memory of 5224	3404	chrome.exe	80
PID 3404 wrote to memory of 5900	3404	chrome.exe	81
PID 3404 wrote to memory of 5900	3404	chrome.exe	81
PID 3404 wrote to memory of 5900	3404	chrome.exe	81
PID 3404 wrote to memory of 5900	3404	chrome.exe	81
PID 3404 wrote to memory of 5900	3404	chrome.exe	81
PID 3404 wrote to memory of 5900	3404	chrome.exe	81
PID 3404 wrote to memory of 5900	3404	chrome.exe	81
PID 3404 wrote to memory of 5900	3404	chrome.exe	81
PID 3404 wrote to memory of 5900	3404	chrome.exe	81
PID 3404 wrote to memory of 5900	3404	chrome.exe	81
PID 3404 wrote to memory of 5900	3404	chrome.exe	81
PID 3404 wrote to memory of 5900	3404	chrome.exe	81
PID 3404 wrote to memory of 5900	3404	chrome.exe	81
PID 3404 wrote to memory of 5900	3404	chrome.exe	81
PID 3404 wrote to memory of 5900	3404	chrome.exe	81
PID 3404 wrote to memory of 5900	3404	chrome.exe	81
PID 3404 wrote to memory of 5900	3404	chrome.exe	81
PID 3404 wrote to memory of 5900	3404	chrome.exe	81
PID 3404 wrote to memory of 5900	3404	chrome.exe	81
PID 3404 wrote to memory of 5900	3404	chrome.exe	81
PID 3404 wrote to memory of 5900	3404	chrome.exe	81
PID 3404 wrote to memory of 5900	3404	chrome.exe	81
PID 3404 wrote to memory of 5900	3404	chrome.exe	81
PID 3404 wrote to memory of 5900	3404	chrome.exe	81
PID 3404 wrote to memory of 5900	3404	chrome.exe	81
PID 3404 wrote to memory of 5900	3404	chrome.exe	81
PID 3404 wrote to memory of 5900	3404	chrome.exe	81
PID 3404 wrote to memory of 5900	3404	chrome.exe	81
PID 3404 wrote to memory of 5900	3404	chrome.exe	81
PID 3404 wrote to memory of 5900	3404	chrome.exe	81

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://Google.com
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc076cdcf8,0x7ffc076cdd04,0x7ffc076cdd10
  2⤵
  PID:4020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1940,i,7051422625557257,7033176698409380520,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:3308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1428,i,7051422625557257,7033176698409380520,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2212 /prefetch:11
  2⤵
  PID:5224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2336,i,7051422625557257,7033176698409380520,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2260 /prefetch:13
  2⤵
  PID:5900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3104,i,7051422625557257,7033176698409380520,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:2452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3100,i,7051422625557257,7033176698409380520,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3132 /prefetch:1
  2⤵
  PID:4812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3944,i,7051422625557257,7033176698409380520,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3976 /prefetch:9
  2⤵
  PID:5052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3936,i,7051422625557257,7033176698409380520,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4644 /prefetch:1
  2⤵
  PID:5108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5136,i,7051422625557257,7033176698409380520,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5148 /prefetch:14
  2⤵
  PID:2980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5156,i,7051422625557257,7033176698409380520,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:5288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5484,i,7051422625557257,7033176698409380520,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5592 /prefetch:14
  2⤵
  PID:5012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5536,i,7051422625557257,7033176698409380520,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5540 /prefetch:14
  2⤵
  PID:4504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5172,i,7051422625557257,7033176698409380520,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5640 /prefetch:14
  2⤵
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5572,i,7051422625557257,7033176698409380520,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5612 /prefetch:1
  2⤵
  PID:3204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5784,i,7051422625557257,7033176698409380520,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5732 /prefetch:1
  2⤵
  PID:1068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5228,i,7051422625557257,7033176698409380520,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6048 /prefetch:1
  2⤵
  PID:3864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4020,i,7051422625557257,7033176698409380520,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4076 /prefetch:1
  2⤵
  PID:3392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5560,i,7051422625557257,7033176698409380520,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5392 /prefetch:14
  2⤵
  - NTFS ADS
  PID:4436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1004,i,7051422625557257,7033176698409380520,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6208 /prefetch:10
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=1480,i,7051422625557257,7033176698409380520,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6052 /prefetch:14
  2⤵
  PID:2732

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1036

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5776

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_salinewin.zip\readme.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2724

C:\Users\Admin\Downloads\salinewin\salinewin.exe
"C:\Users\Admin\Downloads\salinewin\salinewin.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2964
- - C:\Windows\SysWOW64\reg.exe
    REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3312

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004E4
1⤵
PID:1672

C:\Users\Admin\Downloads\salinewin\salinewin-safety.exe
"C:\Users\Admin\Downloads\salinewin\salinewin-safety.exe"
1⤵
PID:4456

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
PID:1916

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39cd055 /state1:0x41c64e6d
1⤵
PID:3356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
5d85057ecd31e2ccae32816e3944b36c

SHA1
62f6e8eb58186b84374ec3a2d689b059f6e8967e

SHA256
6037eec1555aae4be8198427a80bd4bd1e007354143532424d0cfe2c9b3b7872

SHA512
961ef3b776087475431fecd15d3912fd90a3f66349262cc22c8c6a1576ab676ed179a78f6e96283f3d56250e9f47144c9d559560d5bba1a619550e99f54ba039

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
3655b5134bdfe4f4ffd55c15a58c2db7

SHA1
5810c0601071684a2fd0b574d5376b6bd6134894

SHA256
2066cfa1c5aacfca4f65049966e48a2b1988b2716259488f1127620f5b7b212d

SHA512
a55e01cbb220c64ee40f7d971c7af109193dfeb638161abc7467345fd3f6140d33d48760ae88756a3ff35238ba0c69d8d3b1397f5e08a7e9f6e2cd33b6f6f37b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
4fee61e9be3189cc43a1bd338e69c539

SHA1
c7ac3cda908a5e0ea20a668b1794a4df758aac72

SHA256
4d9e1600f3884a6224ab62b40d50999ab984d1933c16dccdd8654e693ff7b45e

SHA512
7b413d5f201b5074fe9ac0752c073fd99b57577850ce86496f6d9a7d6f2418e6782b50b3071e44b7ab7426ad74271fccc8e9a8ae957d7bfcf5766bfcbb846987

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
d15d59726f5e19588788f2b996ce32fa

SHA1
73773c0a68b9aeca1eb9a15732222d7f59e49e63

SHA256
1b5b47f9444ed51bab5ad6ca24809220958140eb62135b77a73aba2479b4e690

SHA512
164a2dbc7a2a5f4c00508bda5f40ef2b0f371304e8d7e72ac672c212bb7e48846b610756f59b23d644f291c576a313c100a8ec93987fffac00c9c2282f7ba478

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
195883664a025aa092330ee359568954

SHA1
2b168140e0b0eb5727463402432272d486fe536c

SHA256
de48bf35f38890670cf9ca082eac8abca84f89f6f901956bb04935e74cd42be1

SHA512
04cabca5e67768842041cd3580c3d7e78853e0da86131566e864d981d0a75a306de310fbdbe87525472bf8b31ffed4078fb01ec55d355a83b45bf16b96ef0ea3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
856cd1a08e114c56809170f3e9f6f64a

SHA1
2bcca78c9f86a86c5d5146a1826e8128c9512d6c

SHA256
df218c7b0d9f7d30c8d4509d45bfc55938d6ec0d3e29d4d32341305982e42f06

SHA512
969057bcbd656e1cf5ef1713931e74dddf1d3f8e9f0be066de1540e5f01e7b976692fcb5912add31f02569153bba535a92ae2e11d2345239b3c6a8ebde780368

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
87e4a4cafb39e45d4b220d59c3119485

SHA1
396a94cdbd3a862f926cdd8fd53c024c52ee26e9

SHA256
71a11a22d030675f4a6700158678d8f57bc0d88194da4882058d6f3cc3c93240

SHA512
16d227fa3dc07134020dffd068466ddd13108fab9a976ccc76e54294d6d2d4048788052753aa5fac7d22e24cf191a7b686e4b4441f7d3d9b1479cc9cae9b6785

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
32bb7f526501ec443d3303a9d7e2eefa

SHA1
de00c389729945c23670da463ead046f13428815

SHA256
0545a1d09e3ef4b1d6c514f20f1051643e4137ffdf50b63a96323911ee0a8f00

SHA512
184141a7baa44ee85814e1f678685ad1b98df9cad7a8b39bde79a3a1d243f411562e3eab41d21ec051e2f149f0b88322107615322a05ba8e12caf5487c2fac96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
6546a1b5e583c8c12cf262609ae3e6ae

SHA1
6880792de9031405b359bee9024bc0bb7f48ed95

SHA256
6ea3d85c21653a9638e0a26da71619c692950914c0b3ca659d6d9e1a1cc4797b

SHA512
963684f3b1142b15da5ade3167c9541e85865597fd6461445c2ae5cec79b3a5c295a2c6d4692b606cd1b9f696a529ae962a2c2e316f56d45a1ace335785eecdf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
ad32b31fcc90887fc3a0b05bf68199dc

SHA1
6e1881c482c17a114d76eb64aba4f040b992b25d

SHA256
6a8ad512612cac4f72fd1aba480784ab82bad9a68c2910684b6610807431458b

SHA512
24c705f539844829b0cbfd644c724b777c76f4771aad2d8c5396bc4df883012696ff1b348e314b1264ffc9f6d4090154cc716b5948b24af70510ad583da51917

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
f2ed98027852a1bb2c2046dac230cf70

SHA1
9458d822863cea22c1ea72aa1271b0c5cf334150

SHA256
650d871dcbaed66c2159f772355857b01f319044ca4dc2e3e463c20fda2ea3f4

SHA512
308fac6026cdb7f7cce55e465f6ffc0ad0f0749d2c13081cceb159b1128fd9db9c1d62a3f94d49ecd940c9a7518e5995a8674a137e53655a3854313bd2e327b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a5e4c71fb17e6643c54187ccd7d57b99

SHA1
429bbe090f4fdc1318e6cb47c96c216df2baa908

SHA256
7ba9cfdf39094daecd83015d2f2f3293fda8ed27d5f541007524f40881f050f6

SHA512
02683165d176736286477803b37bf49dd71cf7f377acb48f66f93408f147262523ca11e86d4314b14031711d7b5d3a19553fa339fe2f9d5dda00180aa2bb5c80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
049123b782022622224f318056842354

SHA1
a412982afd05cb84eab8db678cfdafe912d6099b

SHA256
6983dd15e495c101dc6b77019a96ea40d9f47a24d606de2d893f9708c41202ef

SHA512
2c45eac0e382ef0a6fdfd423e6efb67400ec945fcd8a8d3c972bde8100bfccfd3fe594f69ba49ae1d84ee97a1fc29bad21bd52088bfef418551485d1548fca6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
f2e28844afb50f4be1a17dacd8da16a1

SHA1
9f9a2b78dc63224d318aa8200aad748e655fb6f7

SHA256
40e28209edc2f88996be46285f6ae6637b5b3ae9f1946011dca4136f49ed9d70

SHA512
9d5eb24c9b183d2efa5afa6b6b524c2f775093f6ef1b7387035bda653467ea032086d8d9760ab9a21efcf84b6502ef42dbdfc47da73e036c27a370fffbe0bf60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57e9a4.TMP

Filesize
48B

MD5
34ffb8b42ab215648e22de05d418f6a3

SHA1
ece074d2e9b4a259ec59f9d2d347d4f3a02d1547

SHA256
d1434531db356956229406b1bb04920040ff57d9b051687f6d7ff1f09940cab0

SHA512
087124966a0d1361f72a4923644b96eb20617893acf6156e07de7a8a5eac02f487443f32a90dda67f2a39b5934780a11fbde310fe703028958ffed24eaaf3aa1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
0e8d955fc31962c2a7d407daa8335591

SHA1
dfca9efd14adc079af0ead36b0e25a1089a1c978

SHA256
6dbaff2fb3b763c6d202c1b92ee1e78fde938d1981082eedd611d329dfef1ef8

SHA512
0e3712ab8bbebbeda04c4f444a2452d30c826691cdf1e28b95ee7a711ea9ccf0f57b25a84afd9fe53065873273398c35752138794ceb48a6350246e583d17804

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
9ed3fda1929e46f48ee85ddb8225334b

SHA1
05138abfc338efa95b7acb6c2fa66ed20e5ca7e4

SHA256
c34d16307fa2c9cc3607682bc7ad047c84bfedc1f61d5c9cf3124f72dd026cef

SHA512
186101f18851c1fbf8480cd54591904f4f77fd366ad5ba7d824496e8f610ee47e62934af473dabf3092ee253df6fc0b37c391547c821b1dec62ff13740e75599

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
984db935c353a453eb3b0b864a560a51

SHA1
4d18f6badb5eac57f86188024068e04a7bcbccd7

SHA256
1d84f5d45c6865ec09eddf1d9bd9ada4fa72bd0f383989352d2f2df165de4aff

SHA512
8b46688a04f703284c41c13f969abbc5e4f1524d8a3c742483045ebafdd8bc2e1dc954b0adb5879b1c7cf93ae3b71a0a6bfba1229bc2f9c0d87ee99b55c8b4a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
00af488f052b22e338cf520c89cfe5ad

SHA1
e494036f3655ff7a22e0f0dc46887ca1a2208f13

SHA256
22d98b2aed32e393362487e99fa3e3c2c7bf5300790f16a8a51ce546d4b7851e

SHA512
3f1ff11609eab4ecb672bf6486e661bc30084fc5a0f79502758b87c563efa0280ee01fc1afbf86cdadf38bf308633a2bca0ac73b3315f66ecbceadee758a6e43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
8b148f2e65f32a705365134db0c49dba

SHA1
d384aad63304d268a8ae3cde7cf00d4af0aceb62

SHA256
17037b1c68e12def3cc74f4326874b1c72e2f9a5571d918d71f30088e010dbc9

SHA512
5612c91863454c3c484cd158fc1e92558b39ae0436320fd94a63125ac8d4f6b0e3b5805278b04647adb644e537fdce47ee3508a796582c7b68136b4511009450

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\a0d58b7d-cd19-489e-b5c7-05a8ace7fb6b.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\Downloads\salinewin.zip

Filesize
203KB

MD5
19a966f0b86c67659b15364e89f3748b

SHA1
94075399f5f8c6f73258024bf442c0bf8600d52b

SHA256
b3020dd6c9ffceaba72c465c8d596cf04e2d7388b4fd58f10d78be6b91a7e99d

SHA512
60a926114d21e43c867187c6890dd1b4809c855a8011fcc921e6c20b6d1fb274c2e417747f1eef0d64919bc4f3a9b6a7725c87240c20b70e87a5ff6eba563427

Download Submit
C:\Users\Admin\Downloads\salinewin.zip:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads