hxxp://Google[.]com

max time kernel
69s
max time network
139s
platform
windows11-21h2_x64
resource
win11-20250314-en
resource tags

arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system
submitted
25/03/2025, 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://Google.com

Score

8^/10

bootkit defense_evasion discovery persistence

Malware Config

Signatures

Disables Task Manager via registry modification
defense_evasion

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	raw.githubusercontent.com
72	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	salinewin.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	salinewin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133873480223188104"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings	chrome.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1072	reg.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\salinewin.zip:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1468	salinewin.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 5024	1808	chrome.exe	78
PID 1808 wrote to memory of 5024	1808	chrome.exe	78
PID 1808 wrote to memory of 1512	1808	chrome.exe	79
PID 1808 wrote to memory of 1512	1808	chrome.exe	79
PID 1808 wrote to memory of 3948	1808	chrome.exe	80
PID 1808 wrote to memory of 3948	1808	chrome.exe	80
PID 1808 wrote to memory of 3948	1808	chrome.exe	80
PID 1808 wrote to memory of 3948	1808	chrome.exe	80
PID 1808 wrote to memory of 3948	1808	chrome.exe	80
PID 1808 wrote to memory of 3948	1808	chrome.exe	80
PID 1808 wrote to memory of 3948	1808	chrome.exe	80
PID 1808 wrote to memory of 3948	1808	chrome.exe	80
PID 1808 wrote to memory of 3948	1808	chrome.exe	80
PID 1808 wrote to memory of 3948	1808	chrome.exe	80
PID 1808 wrote to memory of 3948	1808	chrome.exe	80
PID 1808 wrote to memory of 3948	1808	chrome.exe	80
PID 1808 wrote to memory of 3948	1808	chrome.exe	80
PID 1808 wrote to memory of 3948	1808	chrome.exe	80
PID 1808 wrote to memory of 3948	1808	chrome.exe	80
PID 1808 wrote to memory of 3948	1808	chrome.exe	80
PID 1808 wrote to memory of 3948	1808	chrome.exe	80
PID 1808 wrote to memory of 3948	1808	chrome.exe	80
PID 1808 wrote to memory of 3948	1808	chrome.exe	80
PID 1808 wrote to memory of 3948	1808	chrome.exe	80
PID 1808 wrote to memory of 3948	1808	chrome.exe	80
PID 1808 wrote to memory of 3948	1808	chrome.exe	80
PID 1808 wrote to memory of 3948	1808	chrome.exe	80
PID 1808 wrote to memory of 3948	1808	chrome.exe	80
PID 1808 wrote to memory of 3948	1808	chrome.exe	80
PID 1808 wrote to memory of 3948	1808	chrome.exe	80
PID 1808 wrote to memory of 3948	1808	chrome.exe	80
PID 1808 wrote to memory of 3948	1808	chrome.exe	80
PID 1808 wrote to memory of 3948	1808	chrome.exe	80
PID 1808 wrote to memory of 3948	1808	chrome.exe	80
PID 1808 wrote to memory of 4136	1808	chrome.exe	81
PID 1808 wrote to memory of 4136	1808	chrome.exe	81
PID 1808 wrote to memory of 4136	1808	chrome.exe	81
PID 1808 wrote to memory of 4136	1808	chrome.exe	81
PID 1808 wrote to memory of 4136	1808	chrome.exe	81
PID 1808 wrote to memory of 4136	1808	chrome.exe	81
PID 1808 wrote to memory of 4136	1808	chrome.exe	81
PID 1808 wrote to memory of 4136	1808	chrome.exe	81
PID 1808 wrote to memory of 4136	1808	chrome.exe	81
PID 1808 wrote to memory of 4136	1808	chrome.exe	81
PID 1808 wrote to memory of 4136	1808	chrome.exe	81
PID 1808 wrote to memory of 4136	1808	chrome.exe	81
PID 1808 wrote to memory of 4136	1808	chrome.exe	81
PID 1808 wrote to memory of 4136	1808	chrome.exe	81
PID 1808 wrote to memory of 4136	1808	chrome.exe	81
PID 1808 wrote to memory of 4136	1808	chrome.exe	81
PID 1808 wrote to memory of 4136	1808	chrome.exe	81
PID 1808 wrote to memory of 4136	1808	chrome.exe	81
PID 1808 wrote to memory of 4136	1808	chrome.exe	81
PID 1808 wrote to memory of 4136	1808	chrome.exe	81
PID 1808 wrote to memory of 4136	1808	chrome.exe	81
PID 1808 wrote to memory of 4136	1808	chrome.exe	81
PID 1808 wrote to memory of 4136	1808	chrome.exe	81
PID 1808 wrote to memory of 4136	1808	chrome.exe	81
PID 1808 wrote to memory of 4136	1808	chrome.exe	81
PID 1808 wrote to memory of 4136	1808	chrome.exe	81
PID 1808 wrote to memory of 4136	1808	chrome.exe	81
PID 1808 wrote to memory of 4136	1808	chrome.exe	81
PID 1808 wrote to memory of 4136	1808	chrome.exe	81
PID 1808 wrote to memory of 4136	1808	chrome.exe	81

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://Google.com
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa1893dcf8,0x7ffa1893dd04,0x7ffa1893dd10
  2⤵
  PID:5024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1428,i,14653802569459090453,490702170212322518,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2128 /prefetch:11
  2⤵
  PID:1512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2076,i,14653802569459090453,490702170212322518,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2072 /prefetch:2
  2⤵
  PID:3948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2260,i,14653802569459090453,490702170212322518,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2332 /prefetch:13
  2⤵
  PID:4136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,14653802569459090453,490702170212322518,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:2184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3144,i,14653802569459090453,490702170212322518,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4160,i,14653802569459090453,490702170212322518,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4172 /prefetch:9
  2⤵
  PID:3332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4568,i,14653802569459090453,490702170212322518,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4600 /prefetch:1
  2⤵
  PID:5012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5096,i,14653802569459090453,490702170212322518,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5112 /prefetch:14
  2⤵
  PID:2764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5204,i,14653802569459090453,490702170212322518,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5420 /prefetch:14
  2⤵
  PID:1208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5388,i,14653802569459090453,490702170212322518,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5404 /prefetch:14
  2⤵
  PID:5000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5384,i,14653802569459090453,490702170212322518,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5480 /prefetch:14
  2⤵
  PID:4044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5528,i,14653802569459090453,490702170212322518,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4192 /prefetch:1
  2⤵
  PID:5520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5708,i,14653802569459090453,490702170212322518,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5524 /prefetch:1
  2⤵
  PID:1828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5712,i,14653802569459090453,490702170212322518,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4300 /prefetch:14
  2⤵
  - NTFS ADS
  PID:2848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=4128,i,14653802569459090453,490702170212322518,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6076 /prefetch:10
  2⤵
  PID:4576

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:860

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5176

C:\Users\Admin\Downloads\salinewin\salinewin.exe
"C:\Users\Admin\Downloads\salinewin\salinewin.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2036
- - C:\Windows\SysWOW64\reg.exe
    REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1072

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004E8
1⤵
PID:5052

C:\Users\Admin\Downloads\salinewin\salinewin-safety.exe
"C:\Users\Admin\Downloads\salinewin\salinewin-safety.exe"
1⤵
PID:1420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
564dc42028215bc88ea531f2fb67bbdb

SHA1
9cb2d24ac80f26c693935f6ff8fd751888dccbe4

SHA256
4b416858eb1445e4cdb12481442afb31b9fc86a8a3ca55df46d8d516339ce1f0

SHA512
a3c61891be47088397b3a6aae5effe5dd1ee77b566517b4b094920bd31bc6da6e9703a6303d00cc61057f86dcdc1b9eec624bfb7fde00eccdf1add4c5710789a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
c8995791bb9d6b9b4f3e7db423315e7b

SHA1
de18421ba2c0dde74451fb38224745cff199e082

SHA256
22c5758c8f70f1a4204925b973f35dbd9433bb99461d3148208d984047675ad7

SHA512
ca5ea8af67dacc2a6722e6765bbd10b45f29a0d88f254f2a4cafa32bc112a071c81f3dd7520eaabbf6fa260bbf7cbd8fda1b4652198a23ae4e6fe04412570bcd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
098d29e2f03169a3e6cfa335f75dc813

SHA1
45a984258ded63185cfc61738cc13513963e0f03

SHA256
805d8a2a955a107d0cfc832aeb34d83047cf5dfc7db4341d00472f54e8020b70

SHA512
768cf383df72caead73841a8e3eca868a90870ad0eb8c5d9a9facafb2f60c912512e15e1ab3343c3baf9a2844b71624ce59e0a5456cc6a7424022292984003fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\601cf7e4-44d4-45ec-a82d-a7ffd2df616c.tmp

Filesize
8KB

MD5
50719ee44af32a92fa5ec8b5b6537b5b

SHA1
99aa32e963e89fe1a1d873b86bf3a19e6ae45f79

SHA256
06a6151cc59da74d1811d9623d090119b7b7079cc051f13a5ae286978b8d3e2e

SHA512
78cc960d3c9a7bda83442824ced789338db2511a7dad86081fabf3730fed7bc091e8f46c0cb5e2cca8dff73c209ea16ff85e8207305ab0d301e683e8e66a7ecb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
9KB

MD5
c4b85e03d7cd4b903495c2071c6188f3

SHA1
8ad5597525232321bfb19b72e7714ee8fed568fb

SHA256
f3cd4178d5e905eff40cdad9c006cef1ec54b3d05e145b4093e769663393caa5

SHA512
a08e90447d9669957f06828edcff802eaa05204f645e43a65a39ae8277fe57c59e11c062d2edc3ef6b1c131714c323301691c0277b7319f8171d69ef09cfb98f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
2b5849aaada652ed6d5eb25d192fba58

SHA1
bdc61200c80275e00821508a0aab0264b55ced4b

SHA256
9c49a4d561061c74969ebfd4f5180881fe55cc733cbb780ad51e85f837c9f13d

SHA512
fc04a0b15890d90add17cd0f664c61b5499aefeda4ae7d4634b5af9181f4784382c513baa8d7b9d0384a07dae47aede109e3231904e5fcb396c9aa36f7444ec0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
705a9b12a584f2108a36c21d922b8a29

SHA1
802c213cc2605968f2cf89aebe262373316a19e5

SHA256
50e82f0fda659b1ce2f1d8b61f28746732b359034fa38e857a466308a9b90008

SHA512
d8f29e9a628747d10a069e4788f6a63ae31111d90b9bd6f2926e26042351f3da4d40444f01b789ba20696f0fefeb4fdcf00d134283acbdcd8d7023cdfbcf26fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
00968025adae27927d80563ff2de300e

SHA1
224b6872a142e318179180901b01c858f2e2fb85

SHA256
b78a67c5e346f074057ec67c05dc62809d51a1555f6aff0006bbfd33f356dbff

SHA512
7c9567bbb55baa4e2bbc43f5357f5016842a49ed25c10c7b7e9dde93a59a232d375405c75d5c71f00f37ce1504f75181a9edd442c44f33a7d25685bda953c59f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
fb8d6a767d7b27e2fa62d89c64d991a5

SHA1
3e79bc606bab947361b9079e5af1f2327cdd7050

SHA256
3d5196ecd880c957a1975c5abba262b9f96f181503fda75554ab9f45efe6980c

SHA512
a820b7d1c2b537d0036325c0c39ea2d1eadd490e541d2142be5349b1ead386ef16476abaeb453c406aafe10f17f6f25d9b6e509c3fc3012e0464ca705826c925

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
0c4ee74392bcb9c2651fb89da5d6ea38

SHA1
3b0c059f0763113bc1f02ff5dcbc7ab421b9bb30

SHA256
271186f51c93e49b8e397d63570f77ed64355ad873c825457f56c4be696da869

SHA512
0c69717b1882b08f112a904faf5b582497a6ba83dceeb00e15c8522c1557dc55e25ee27713984c27e49a24c9d84606c6cb4edd41168ee16587e07a3402257080

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
011906d730efba0f66adb267841068d7

SHA1
deb7fb7e790a9317d9eacf368ff34e891477e552

SHA256
82b3ed838e867e5b1e22250b147597c9aea29c11601269a9f6344f1520f1256f

SHA512
b5c0b254757249548ba70196ef92631e11efd11a509e883c7b35facb4c5a418b16deb7bdef8ccb1fbc06e6505f2498d6b93a0b1ba95c3923d8d1a5bd8cd018ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57c870.TMP

Filesize
48B

MD5
37da25b1370a193de637f5d4f13fd4a2

SHA1
73225582e9ee054b125d80dbfe407fbb8cba1883

SHA256
4a43da79056cc9ba2031f777a5a1f8b77eca837f6f35865565ea4f2fcc901bd7

SHA512
5a1ca297b389256babda69463bd9be3031af83c4ce430fc4ea2e45e2a1b8ba835bedf1aa950d491ce4a09d00dbd56a826d6b9208410b090bd8fec1fa4fedcaea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt

Filesize
76B

MD5
a7a2f6dbe4e14a9267f786d0d5e06097

SHA1
5513aebb0bda58551acacbfc338d903316851a7b

SHA256
dd9045ea2f3beaf0282320db70fdf395854071bf212ad747e8765837ec390cbc

SHA512
aa5d81e7ee3a646afec55aee5435dc84fe06d84d3e7e1c45c934f258292c0c4dc2f2853a13d2f2b37a98fe2f1dcc7639eacf51b09e7dcccb2e29c2cbd3ba1835

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt~RFe57f32a.TMP

Filesize
140B

MD5
34f06e7dde35b4bb0e4a10e5be731d65

SHA1
9e78bf97c887234b2f9a75e1a1644b6055c3bdd7

SHA256
f6e8164d78127da7d6109c66d7dd97f2879ccdceb6824db492e29d34ad4e0d6e

SHA512
5ca84d93988b818a7f30be52a7571b3d802dad773799be461728d075c9a35e6803c106ae43501afa2f0fee8d358c9e83ee3f6cbe5a9e757423c798bb47e2ccb1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
f83ce83794c95ddeecbc1f471fa96953

SHA1
3097e68fce5bbed563671f2b69bd74411a66d6c8

SHA256
11f40e0142dee7ceab03f2da83e75edc82d5991a69546e6bc3896c9cac3c5c8c

SHA512
5135e5d7e44fdd46666fc6a9b317bbb29f41c7cde50cba16d410e6d948216156a5337b070dd7de5d4f060316f7e29e62ac9e396431050e13dedcaf8e8fca1aec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
a2b1e762c4d63e8683715b09ff30ed2f

SHA1
b714c7b14fa988760b50879cd7d5d4108e5b3aa7

SHA256
b5227640ce80f5b9e31fae226b00ddc6d46631f56fbe3a310196c454ab556816

SHA512
ab39ed214c5ff82a4822b502d0937e80354d820613e308418e7c5305b9faf4324115d17eb07a728560c10e55803ec14661377f28fa53e9225dbeb39d74cae287

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
0410e4bfd882e993728f91c5692318f7

SHA1
ef029a1b60071aef14f6283f8ceefd15c77a7c41

SHA256
639301681e19e970bdc0474591d94b5eeadbf82e8900169ed9605a0e5c2916ab

SHA512
d868710e59385fcc069fb8d186d3216622d3d8e0d0d50ba1d1721a878d81072af2ade82c605778f714d3609aa3d45b143a81716dfab60219bc67e97686b7cc28

Download Submit
C:\Users\Admin\Downloads\salinewin.zip

Filesize
203KB

MD5
19a966f0b86c67659b15364e89f3748b

SHA1
94075399f5f8c6f73258024bf442c0bf8600d52b

SHA256
b3020dd6c9ffceaba72c465c8d596cf04e2d7388b4fd58f10d78be6b91a7e99d

SHA512
60a926114d21e43c867187c6890dd1b4809c855a8011fcc921e6c20b6d1fb274c2e417747f1eef0d64919bc4f3a9b6a7725c87240c20b70e87a5ff6eba563427

Download Submit