hxxp://Google[.]com

Resubmissions

25/03/2025, 20:32

250325-za94cawjy9 10

25/03/2025, 20:27

25/03/2025, 20:24

25/03/2025, 20:20

25/03/2025, 20:16

25/03/2025, 20:12

25/03/2025, 20:08

Analysis

max time kernel
96s
max time network
185s
platform
windows11-21h2_x64
resource
win11-20250314-en
resource tags

arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system
submitted
25/03/2025, 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://Google.com

Score

8^/10

bootkit defense_evasion discovery persistence

Malware Config

Signatures

Disables Task Manager via registry modification
defense_evasion

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
55	raw.githubusercontent.com
80	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	salinewin.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	salinewin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133874069323440904"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings	chrome.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2024	reg.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\salinewin.zip:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5364	chrome.exe
5364	chrome.exe
5364	chrome.exe
5364	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
5364	chrome.exe
5364	chrome.exe
5364	chrome.exe
5364	chrome.exe
5364	chrome.exe
5364	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5364	chrome.exe
Token: SeCreatePagefilePrivilege	5364	chrome.exe
Token: SeShutdownPrivilege	5364	chrome.exe
Token: SeCreatePagefilePrivilege	5364	chrome.exe
Token: SeShutdownPrivilege	5364	chrome.exe
Token: SeCreatePagefilePrivilege	5364	chrome.exe
Token: SeShutdownPrivilege	5364	chrome.exe
Token: SeCreatePagefilePrivilege	5364	chrome.exe
Token: SeShutdownPrivilege	5364	chrome.exe
Token: SeCreatePagefilePrivilege	5364	chrome.exe
Token: SeShutdownPrivilege	5364	chrome.exe
Token: SeCreatePagefilePrivilege	5364	chrome.exe
Token: SeShutdownPrivilege	5364	chrome.exe
Token: SeCreatePagefilePrivilege	5364	chrome.exe
Token: SeShutdownPrivilege	5364	chrome.exe
Token: SeCreatePagefilePrivilege	5364	chrome.exe
Token: SeShutdownPrivilege	5364	chrome.exe
Token: SeCreatePagefilePrivilege	5364	chrome.exe
Token: SeShutdownPrivilege	5364	chrome.exe
Token: SeCreatePagefilePrivilege	5364	chrome.exe
Token: SeShutdownPrivilege	5364	chrome.exe
Token: SeCreatePagefilePrivilege	5364	chrome.exe
Token: SeShutdownPrivilege	5364	chrome.exe
Token: SeCreatePagefilePrivilege	5364	chrome.exe
Token: SeShutdownPrivilege	5364	chrome.exe
Token: SeCreatePagefilePrivilege	5364	chrome.exe
Token: SeShutdownPrivilege	5364	chrome.exe
Token: SeCreatePagefilePrivilege	5364	chrome.exe
Token: SeShutdownPrivilege	5364	chrome.exe
Token: SeCreatePagefilePrivilege	5364	chrome.exe
Token: SeShutdownPrivilege	5364	chrome.exe
Token: SeCreatePagefilePrivilege	5364	chrome.exe
Token: SeShutdownPrivilege	5364	chrome.exe
Token: SeCreatePagefilePrivilege	5364	chrome.exe
Token: SeShutdownPrivilege	5364	chrome.exe
Token: SeCreatePagefilePrivilege	5364	chrome.exe
Token: SeShutdownPrivilege	5364	chrome.exe
Token: SeCreatePagefilePrivilege	5364	chrome.exe
Token: SeShutdownPrivilege	5364	chrome.exe
Token: SeCreatePagefilePrivilege	5364	chrome.exe
Token: SeShutdownPrivilege	5364	chrome.exe
Token: SeCreatePagefilePrivilege	5364	chrome.exe
Token: SeShutdownPrivilege	5364	chrome.exe
Token: SeCreatePagefilePrivilege	5364	chrome.exe
Token: SeShutdownPrivilege	5364	chrome.exe
Token: SeCreatePagefilePrivilege	5364	chrome.exe
Token: SeShutdownPrivilege	5364	chrome.exe
Token: SeCreatePagefilePrivilege	5364	chrome.exe
Token: SeShutdownPrivilege	5364	chrome.exe
Token: SeCreatePagefilePrivilege	5364	chrome.exe
Token: SeShutdownPrivilege	5364	chrome.exe
Token: SeCreatePagefilePrivilege	5364	chrome.exe
Token: SeShutdownPrivilege	5364	chrome.exe
Token: SeCreatePagefilePrivilege	5364	chrome.exe
Token: SeShutdownPrivilege	5364	chrome.exe
Token: SeCreatePagefilePrivilege	5364	chrome.exe
Token: SeShutdownPrivilege	5364	chrome.exe
Token: SeCreatePagefilePrivilege	5364	chrome.exe
Token: SeShutdownPrivilege	5364	chrome.exe
Token: SeCreatePagefilePrivilege	5364	chrome.exe
Token: SeShutdownPrivilege	5364	chrome.exe
Token: SeCreatePagefilePrivilege	5364	chrome.exe
Token: SeShutdownPrivilege	5364	chrome.exe
Token: SeCreatePagefilePrivilege	5364	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
5364	chrome.exe
5364	chrome.exe
5364	chrome.exe
5364	chrome.exe
5364	chrome.exe
5364	chrome.exe
5364	chrome.exe
5364	chrome.exe
5364	chrome.exe
5364	chrome.exe
5364	chrome.exe
5364	chrome.exe
5364	chrome.exe
5364	chrome.exe
5364	chrome.exe
5364	chrome.exe
5364	chrome.exe
5364	chrome.exe
5364	chrome.exe
5364	chrome.exe
5364	chrome.exe
5364	chrome.exe
5364	chrome.exe
5364	chrome.exe
5364	chrome.exe
5364	chrome.exe
5364	chrome.exe
5364	chrome.exe
5364	chrome.exe
5364	chrome.exe
5364	chrome.exe
5364	chrome.exe
5364	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
5364	chrome.exe
5364	chrome.exe
5364	chrome.exe
5364	chrome.exe
5364	chrome.exe
5364	chrome.exe
5364	chrome.exe
5364	chrome.exe
5364	chrome.exe
5364	chrome.exe
5364	chrome.exe
5364	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1152	salinewin.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5364 wrote to memory of 5520	5364	chrome.exe	78
PID 5364 wrote to memory of 5520	5364	chrome.exe	78
PID 5364 wrote to memory of 3076	5364	chrome.exe	79
PID 5364 wrote to memory of 3076	5364	chrome.exe	79
PID 5364 wrote to memory of 3076	5364	chrome.exe	79
PID 5364 wrote to memory of 3076	5364	chrome.exe	79
PID 5364 wrote to memory of 3076	5364	chrome.exe	79
PID 5364 wrote to memory of 3076	5364	chrome.exe	79
PID 5364 wrote to memory of 3076	5364	chrome.exe	79
PID 5364 wrote to memory of 3076	5364	chrome.exe	79
PID 5364 wrote to memory of 3076	5364	chrome.exe	79
PID 5364 wrote to memory of 3076	5364	chrome.exe	79
PID 5364 wrote to memory of 3076	5364	chrome.exe	79
PID 5364 wrote to memory of 3076	5364	chrome.exe	79
PID 5364 wrote to memory of 3076	5364	chrome.exe	79
PID 5364 wrote to memory of 3076	5364	chrome.exe	79
PID 5364 wrote to memory of 3076	5364	chrome.exe	79
PID 5364 wrote to memory of 3076	5364	chrome.exe	79
PID 5364 wrote to memory of 3076	5364	chrome.exe	79
PID 5364 wrote to memory of 3076	5364	chrome.exe	79
PID 5364 wrote to memory of 3076	5364	chrome.exe	79
PID 5364 wrote to memory of 3076	5364	chrome.exe	79
PID 5364 wrote to memory of 3076	5364	chrome.exe	79
PID 5364 wrote to memory of 3076	5364	chrome.exe	79
PID 5364 wrote to memory of 3076	5364	chrome.exe	79
PID 5364 wrote to memory of 3076	5364	chrome.exe	79
PID 5364 wrote to memory of 3076	5364	chrome.exe	79
PID 5364 wrote to memory of 3076	5364	chrome.exe	79
PID 5364 wrote to memory of 3076	5364	chrome.exe	79
PID 5364 wrote to memory of 3076	5364	chrome.exe	79
PID 5364 wrote to memory of 3076	5364	chrome.exe	79
PID 5364 wrote to memory of 3076	5364	chrome.exe	79
PID 5364 wrote to memory of 1820	5364	chrome.exe	80
PID 5364 wrote to memory of 1820	5364	chrome.exe	80
PID 5364 wrote to memory of 6088	5364	chrome.exe	81
PID 5364 wrote to memory of 6088	5364	chrome.exe	81
PID 5364 wrote to memory of 6088	5364	chrome.exe	81
PID 5364 wrote to memory of 6088	5364	chrome.exe	81
PID 5364 wrote to memory of 6088	5364	chrome.exe	81
PID 5364 wrote to memory of 6088	5364	chrome.exe	81
PID 5364 wrote to memory of 6088	5364	chrome.exe	81
PID 5364 wrote to memory of 6088	5364	chrome.exe	81
PID 5364 wrote to memory of 6088	5364	chrome.exe	81
PID 5364 wrote to memory of 6088	5364	chrome.exe	81
PID 5364 wrote to memory of 6088	5364	chrome.exe	81
PID 5364 wrote to memory of 6088	5364	chrome.exe	81
PID 5364 wrote to memory of 6088	5364	chrome.exe	81
PID 5364 wrote to memory of 6088	5364	chrome.exe	81
PID 5364 wrote to memory of 6088	5364	chrome.exe	81
PID 5364 wrote to memory of 6088	5364	chrome.exe	81
PID 5364 wrote to memory of 6088	5364	chrome.exe	81
PID 5364 wrote to memory of 6088	5364	chrome.exe	81
PID 5364 wrote to memory of 6088	5364	chrome.exe	81
PID 5364 wrote to memory of 6088	5364	chrome.exe	81
PID 5364 wrote to memory of 6088	5364	chrome.exe	81
PID 5364 wrote to memory of 6088	5364	chrome.exe	81
PID 5364 wrote to memory of 6088	5364	chrome.exe	81
PID 5364 wrote to memory of 6088	5364	chrome.exe	81
PID 5364 wrote to memory of 6088	5364	chrome.exe	81
PID 5364 wrote to memory of 6088	5364	chrome.exe	81
PID 5364 wrote to memory of 6088	5364	chrome.exe	81
PID 5364 wrote to memory of 6088	5364	chrome.exe	81
PID 5364 wrote to memory of 6088	5364	chrome.exe	81
PID 5364 wrote to memory of 6088	5364	chrome.exe	81

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://Google.com
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdb15adcf8,0x7ffdb15add04,0x7ffdb15add10
  2⤵
  PID:5520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1872,i,3327175283319942308,14935363395862300593,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=1884 /prefetch:2
  2⤵
  PID:3076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1428,i,3327175283319942308,14935363395862300593,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2212 /prefetch:11
  2⤵
  PID:1820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2336,i,3327175283319942308,14935363395862300593,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2480 /prefetch:13
  2⤵
  PID:6088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3104,i,3327175283319942308,14935363395862300593,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:1552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3108,i,3327175283319942308,14935363395862300593,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:2724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4204,i,3327175283319942308,14935363395862300593,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4216 /prefetch:9
  2⤵
  PID:976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4208,i,3327175283319942308,14935363395862300593,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4652 /prefetch:1
  2⤵
  PID:2544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5140,i,3327175283319942308,14935363395862300593,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5152 /prefetch:14
  2⤵
  PID:2764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5460,i,3327175283319942308,14935363395862300593,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5424 /prefetch:14
  2⤵
  PID:5900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5444,i,3327175283319942308,14935363395862300593,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5364 /prefetch:14
  2⤵
  PID:3296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5468,i,3327175283319942308,14935363395862300593,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5464 /prefetch:14
  2⤵
  PID:2936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4324,i,3327175283319942308,14935363395862300593,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4300 /prefetch:1
  2⤵
  PID:1104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4232,i,3327175283319942308,14935363395862300593,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5804,i,3327175283319942308,14935363395862300593,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5812 /prefetch:14
  2⤵
  - NTFS ADS
  PID:1240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=4612,i,3327175283319942308,14935363395862300593,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5308 /prefetch:10
  2⤵
  PID:2032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5844,i,3327175283319942308,14935363395862300593,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6164 /prefetch:14
  2⤵
  PID:5068

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:2032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2892

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4560

C:\Users\Admin\Downloads\salinewin\salinewin.exe
"C:\Users\Admin\Downloads\salinewin\salinewin.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1152
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3688
- - C:\Windows\SysWOW64\reg.exe
    REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2024

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004C8
1⤵
PID:1792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
45b8481362e2e4c5f53706b36a62e75a

SHA1
bee980842cad4753a6bf4b2d57855c38d81b0388

SHA256
10213e4a7b87ed39c96af0fe9a028f0ff72e0fb8126cfff220f7a263f81b3d75

SHA512
371b0633b18632ac187344fd72744b5e158d0b74aa3608cb813d684d8fa0b42ba7a4c6d6dec2073e8fdfdb60a0794000e5d8e5c2f4d7f95f59501e8c1f9bc136

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
cdef228a508b370b3d4927e39396b02d

SHA1
bffbc50d14ba502fd83c44c551dc6cd98419457f

SHA256
dc5236b3b76ff94516ba30388984edc84dfda17b776533415a86f84a1caae9c0

SHA512
9922d730c3a7b05e8cc80473fcf953c8047c7e721fcb4b1827fcc0deba72475eab8c464ef4a77b77b70441010fc3c0855da2a8ad8b00ce5f1487cf1367c3fe16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
1191447507f593e7c4f795cc060b3d1f

SHA1
0888bfb5e7919adc21188be1845c30a7a78df8de

SHA256
89106226c61783a89c132f9a5c2101dd20a20d67075f935adf44247742b34c6d

SHA512
fbd4a9645dafcf8f3a2b27d8ced8bbd5da10ef2a55b8f743b529bf44c322e8a70ca2ef3540b87a9d96204fa3c422547f8db88125f816ea9418fac54ab46bce31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
9KB

MD5
4b7a4e80152a6f34aeee241237a19635

SHA1
2ba9e07e00af611adc5aaa135b92d127864bb700

SHA256
a18857a92a7579133e027c80018ef94aaa25592639a631ca3450e7adf5ade90e

SHA512
5cca93decfc4a06e0a0e2657ca271310121d34cb757187d7171061654813550eecdbff0fb3b515e7f43546a828a7d989f45bdc503e982968b53d4207bdb6ce7e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
8KB

MD5
48a327feeb70f955c1a7f69f6a1f406a

SHA1
e8c5020908e84e986898b76bf800d44f95568a82

SHA256
69effec0da2586cda97b8ccc9afceb2d86559035ebab9bd7dcbc900d40d6b757

SHA512
43717282467cdf460e4ea3063d8d925f89afdc7fe53a46efc7ca79e1b09dabc681ab79242bf5876aaa787d9ba2501ca8158582b47c71df3a7daa65b33fdbda6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
a916785c417bdf60b7ecfd15c01e4d5e

SHA1
de2ed4da218f7a76496c81eb63de8fa6e646557c

SHA256
bc4709847cc017b408ad3ab2c299fb81415c4b998884e3fce91bdf2654505dad

SHA512
0aa90eda0c96459a83ef837078ea7c5c00d09838da4b64615fd239594f28d6b8f109acc33e11c1e5c35e616036c3314b27e4c871d0e2eba5199474252a419283

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
3a61f81d1ecb9386cdd03feecc758abf

SHA1
30cfd38a81b5767ef8285be3eea36feac361954d

SHA256
769475c85898995f39293d0bf185864c209ffccfe49e4a7e2a6193cd9d61e4c6

SHA512
c0729b7caf559127f0e8d4ae789c40caef5aa992aab72cd64f970fba19995acf61722ccc4bc6ab9ae056e000d1c4ad3304a64aa7c36922c2f21a9abc960e53df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
199ab4dd30ea65cda5c93108bf3da349

SHA1
974cb475a0e850c8c8e1b16a64554965367e3202

SHA256
5a5cf3c573489ff299b7bf1e381e8555e73807e82633aeeaf0ef9c2bbcff9b08

SHA512
903c1d566101f8e67fe4d0af7bfb32dba0bc9dcc150b44ceaf74436ca7bd79f1680b5757bf178079d5fa808a5500e4017a0ebe985d6378a0c7a32fe4ebe6fa14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
cf293ba5cab04e28615bc8193430f5d3

SHA1
39410b3bfd1969ec1baef510036ac7390b5817ab

SHA256
3b42797a00eb91d0e0670d9c42512f9495c1c355588c92675ee493735fb6cf47

SHA512
6d2517a61e6e87ea4409f7b19875fb29583d90cdcd07ba395b8bbdc075aa4dc32d33130dc5d426e8075ebc233a0ca83b799eba5457ac5866ca4f9b90282b631c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
0c4ee74392bcb9c2651fb89da5d6ea38

SHA1
3b0c059f0763113bc1f02ff5dcbc7ab421b9bb30

SHA256
271186f51c93e49b8e397d63570f77ed64355ad873c825457f56c4be696da869

SHA512
0c69717b1882b08f112a904faf5b582497a6ba83dceeb00e15c8522c1557dc55e25ee27713984c27e49a24c9d84606c6cb4edd41168ee16587e07a3402257080

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
ad19b4300e4c7e0bcca59b1402437429

SHA1
736fb944da5084ba1cdd7178feb75b5380e3906c

SHA256
6e6d03875847ae2ac8cc7f5b63a3024f4a0e2c7a66ca5a34cc474c3cbc5eab81

SHA512
f5aae540d66599a8f0ca10a3be2f31ed7be91d1a3512312cea61879aa85ef02d060bca02b572edd1128f209ed29be920cbbc821438c5a8aedd3b9e4409e19910

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57c1d9.TMP

Filesize
48B

MD5
eb5515dcb9d8d4ebe097f23f2732462f

SHA1
d99264a1e96721ef8ec2d71c06d75b57488fd82e

SHA256
ed3e646a57c18a9765e1b150732cc22ecec33aebebca0bcbbefbf2b8064e334a

SHA512
ebec898971d2d4c23c205da522aed587552dcc32c6662c808bdad38f4a0eef7c9e83d2ac2d45f7faa4bdb842e5533569547e80dedbb32c8a54c80865a4b62c59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt

Filesize
76B

MD5
a7a2f6dbe4e14a9267f786d0d5e06097

SHA1
5513aebb0bda58551acacbfc338d903316851a7b

SHA256
dd9045ea2f3beaf0282320db70fdf395854071bf212ad747e8765837ec390cbc

SHA512
aa5d81e7ee3a646afec55aee5435dc84fe06d84d3e7e1c45c934f258292c0c4dc2f2853a13d2f2b37a98fe2f1dcc7639eacf51b09e7dcccb2e29c2cbd3ba1835

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt~RFe58172d.TMP

Filesize
140B

MD5
ff5fc932ae38b10aa2f814d032607c93

SHA1
ef80d71cbe3be9caa5b0e588697cf25186592340

SHA256
306fc571f04f6a8c9495c3cb869656c5bda51aff78c27abd09edb9c26dd47e29

SHA512
22b2f3c3e30e279a88d8dd068fbea1bb9d39f6b4dec09732792c5f3551b674da937cb523edc77235a3b1f35d9711a9b10af322c19c3d0531f7b1dc9dfabd730f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
1badbbbd9e6c77ddac904cfb35a356ce

SHA1
d657c3354e3efdc2926f5bb11d0f97572ce9b946

SHA256
826ccf8b01c5f3d0680611949a8680fdd528d87823d3e88de17ee89203012a2d

SHA512
bfb698641d4682085c6ed9abefb8ee8d27713ae173adbb49e5d869d3487b84a20ad5b9248d9a13dc4023ee43d6310ab6cdf03d6b0dc29319ed8fe5f370e6effc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
98df83e82649a1cbaf40fdd3b4ddf4bf

SHA1
e9789716aabbb555e31717a2c31d8501eb16f159

SHA256
d86b18d2a8f18dfe897837da6e575a82b8b6e12fffabd93dd51582bdae61e030

SHA512
8629418961ec602caf6b9f3090e3bcb11df91c53a02670539400dc02ec345eeb0558a9c50815beb58ea7071c5c3e75068083bd123ca4bd18a0bc13a41e33e757

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
4e37a52d336224410c5b3f4436bf4500

SHA1
baf7fea28cb33ee9356066608af748690daed61b

SHA256
d071085bcd86d1487e43b81027d515b26e79d50d322f1b9b8acbd74431e98404

SHA512
684241ff971dad917f9609daacb1f8ac43e47c3177e688a79dd961fbe00a0e5c998290d9c1219e2e5bfb2aa5e0c70cc8f56faaecb1b80927e20fbbe00b4a0937

Download Submit
C:\Users\Admin\Downloads\salinewin.zip

Filesize
203KB

MD5
19a966f0b86c67659b15364e89f3748b

SHA1
94075399f5f8c6f73258024bf442c0bf8600d52b

SHA256
b3020dd6c9ffceaba72c465c8d596cf04e2d7388b4fd58f10d78be6b91a7e99d

SHA512
60a926114d21e43c867187c6890dd1b4809c855a8011fcc921e6c20b6d1fb274c2e417747f1eef0d64919bc4f3a9b6a7725c87240c20b70e87a5ff6eba563427

Download Submit
C:\Users\Admin\Downloads\salinewin.zip:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit