413a460fae724b972ab9c52aeab029552245555c7df5b79eb2a6529e1dd7a090

Analysis

max time kernel
71s
max time network
142s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12/01/2023, 12:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Salwyrr Launcher Installer.exe
Size

46KB
MD5

38633bfef3c1fe505a39a688b5c31828
SHA1

4e053e5ca9e8bfcf372b4331b18c36d637332bbc
SHA256

413a460fae724b972ab9c52aeab029552245555c7df5b79eb2a6529e1dd7a090
SHA512

812ebfa26ff63ade8ab4851230fe47c0ffb797b5a8c48d6ab7ad3293a4995c088bedb8ca7ad6c48a63b3c7f60cdf5b2b318b39dc232ef2096721aba7734ea8f7
SSDEEP

768:PE55gC6d1VepljbMBMxECL67qtjMGF9TtgmAtugTtyKr:svh6dTepljLEf44u4mMuAyKr

Score

8^/10

evasion

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
932	javaw.exe
1212	Process not Found

Modifies Windows Firewall 1 TTPs 12 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1648	netsh.exe
1092	netsh.exe
1708	netsh.exe
1232	netsh.exe
1736	netsh.exe
1488	netsh.exe
1312	netsh.exe
1664	netsh.exe
1744	netsh.exe
1284	netsh.exe
2028	netsh.exe
1656	netsh.exe

Loads dropped DLL 15 IoCs

pid	Process
2016	Salwyrr Launcher Installer.exe
2016	Salwyrr Launcher Installer.exe
2016	Salwyrr Launcher Installer.exe
2016	Salwyrr Launcher Installer.exe
2016	Salwyrr Launcher Installer.exe
932	javaw.exe
932	javaw.exe
1212	Process not Found
1212	Process not Found
868	Process not Found
868	Process not Found
932	javaw.exe
932	javaw.exe
932	javaw.exe
932	javaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Salwyrr Launcher Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Salwyrr Launcher Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Salwyrr Launcher Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Salwyrr Launcher Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Salwyrr Launcher Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Salwyrr Launcher Installer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2016	Salwyrr Launcher Installer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 1648	2016	Salwyrr Launcher Installer.exe	27
PID 2016 wrote to memory of 1648	2016	Salwyrr Launcher Installer.exe	27
PID 2016 wrote to memory of 1648	2016	Salwyrr Launcher Installer.exe	27
PID 2016 wrote to memory of 1648	2016	Salwyrr Launcher Installer.exe	27
PID 2016 wrote to memory of 1648	2016	Salwyrr Launcher Installer.exe	27
PID 2016 wrote to memory of 1648	2016	Salwyrr Launcher Installer.exe	27
PID 2016 wrote to memory of 1648	2016	Salwyrr Launcher Installer.exe	27
PID 2016 wrote to memory of 1092	2016	Salwyrr Launcher Installer.exe	29
PID 2016 wrote to memory of 1092	2016	Salwyrr Launcher Installer.exe	29
PID 2016 wrote to memory of 1092	2016	Salwyrr Launcher Installer.exe	29
PID 2016 wrote to memory of 1092	2016	Salwyrr Launcher Installer.exe	29
PID 2016 wrote to memory of 1092	2016	Salwyrr Launcher Installer.exe	29
PID 2016 wrote to memory of 1092	2016	Salwyrr Launcher Installer.exe	29
PID 2016 wrote to memory of 1092	2016	Salwyrr Launcher Installer.exe	29
PID 2016 wrote to memory of 1708	2016	Salwyrr Launcher Installer.exe	31
PID 2016 wrote to memory of 1708	2016	Salwyrr Launcher Installer.exe	31
PID 2016 wrote to memory of 1708	2016	Salwyrr Launcher Installer.exe	31
PID 2016 wrote to memory of 1708	2016	Salwyrr Launcher Installer.exe	31
PID 2016 wrote to memory of 1708	2016	Salwyrr Launcher Installer.exe	31
PID 2016 wrote to memory of 1708	2016	Salwyrr Launcher Installer.exe	31
PID 2016 wrote to memory of 1708	2016	Salwyrr Launcher Installer.exe	31
PID 2016 wrote to memory of 1312	2016	Salwyrr Launcher Installer.exe	33
PID 2016 wrote to memory of 1312	2016	Salwyrr Launcher Installer.exe	33
PID 2016 wrote to memory of 1312	2016	Salwyrr Launcher Installer.exe	33
PID 2016 wrote to memory of 1312	2016	Salwyrr Launcher Installer.exe	33
PID 2016 wrote to memory of 1312	2016	Salwyrr Launcher Installer.exe	33
PID 2016 wrote to memory of 1312	2016	Salwyrr Launcher Installer.exe	33
PID 2016 wrote to memory of 1312	2016	Salwyrr Launcher Installer.exe	33
PID 2016 wrote to memory of 1664	2016	Salwyrr Launcher Installer.exe	35
PID 2016 wrote to memory of 1664	2016	Salwyrr Launcher Installer.exe	35
PID 2016 wrote to memory of 1664	2016	Salwyrr Launcher Installer.exe	35
PID 2016 wrote to memory of 1664	2016	Salwyrr Launcher Installer.exe	35
PID 2016 wrote to memory of 1664	2016	Salwyrr Launcher Installer.exe	35
PID 2016 wrote to memory of 1664	2016	Salwyrr Launcher Installer.exe	35
PID 2016 wrote to memory of 1664	2016	Salwyrr Launcher Installer.exe	35
PID 2016 wrote to memory of 1744	2016	Salwyrr Launcher Installer.exe	37
PID 2016 wrote to memory of 1744	2016	Salwyrr Launcher Installer.exe	37
PID 2016 wrote to memory of 1744	2016	Salwyrr Launcher Installer.exe	37
PID 2016 wrote to memory of 1744	2016	Salwyrr Launcher Installer.exe	37
PID 2016 wrote to memory of 1744	2016	Salwyrr Launcher Installer.exe	37
PID 2016 wrote to memory of 1744	2016	Salwyrr Launcher Installer.exe	37
PID 2016 wrote to memory of 1744	2016	Salwyrr Launcher Installer.exe	37
PID 2016 wrote to memory of 1232	2016	Salwyrr Launcher Installer.exe	39
PID 2016 wrote to memory of 1232	2016	Salwyrr Launcher Installer.exe	39
PID 2016 wrote to memory of 1232	2016	Salwyrr Launcher Installer.exe	39
PID 2016 wrote to memory of 1232	2016	Salwyrr Launcher Installer.exe	39
PID 2016 wrote to memory of 1232	2016	Salwyrr Launcher Installer.exe	39
PID 2016 wrote to memory of 1232	2016	Salwyrr Launcher Installer.exe	39
PID 2016 wrote to memory of 1232	2016	Salwyrr Launcher Installer.exe	39
PID 2016 wrote to memory of 1284	2016	Salwyrr Launcher Installer.exe	41
PID 2016 wrote to memory of 1284	2016	Salwyrr Launcher Installer.exe	41
PID 2016 wrote to memory of 1284	2016	Salwyrr Launcher Installer.exe	41
PID 2016 wrote to memory of 1284	2016	Salwyrr Launcher Installer.exe	41
PID 2016 wrote to memory of 1284	2016	Salwyrr Launcher Installer.exe	41
PID 2016 wrote to memory of 1284	2016	Salwyrr Launcher Installer.exe	41
PID 2016 wrote to memory of 1284	2016	Salwyrr Launcher Installer.exe	41
PID 2016 wrote to memory of 2028	2016	Salwyrr Launcher Installer.exe	43
PID 2016 wrote to memory of 2028	2016	Salwyrr Launcher Installer.exe	43
PID 2016 wrote to memory of 2028	2016	Salwyrr Launcher Installer.exe	43
PID 2016 wrote to memory of 2028	2016	Salwyrr Launcher Installer.exe	43
PID 2016 wrote to memory of 2028	2016	Salwyrr Launcher Installer.exe	43
PID 2016 wrote to memory of 2028	2016	Salwyrr Launcher Installer.exe	43
PID 2016 wrote to memory of 2028	2016	Salwyrr Launcher Installer.exe	43
PID 2016 wrote to memory of 1656	2016	Salwyrr Launcher Installer.exe	45

C:\Users\Admin\AppData\Local\Temp\Salwyrr Launcher Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Salwyrr Launcher Installer.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall show rule name="Salwyrr Client Java 1a"
  2⤵
  - Modifies Windows Firewall
  PID:1648
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="Salwyrr Client Java 1a" dir=in action=allow protocol=any localip=any remoteip=any program="C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\javaw.exe"
  2⤵
  - Modifies Windows Firewall
  PID:1092
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall show rule name="Salwyrr Client Java 2a"
  2⤵
  - Modifies Windows Firewall
  PID:1708
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="Salwyrr Client Java 2a" dir=in action=allow protocol=any localip=any remoteip=any program="C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\jre\bin\javaw.exe"
  2⤵
  - Modifies Windows Firewall
  PID:1312
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall show rule name="Salwyrr Client Java 3a"
  2⤵
  - Modifies Windows Firewall
  PID:1664
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="Salwyrr Client Java 3a" dir=in action=allow protocol=any localip=any remoteip=any program="C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\java-runtime-alpha\bin\javaw.exe"
  2⤵
  - Modifies Windows Firewall
  PID:1744
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall show rule name="Salwyrr Client Java 1b"
  2⤵
  - Modifies Windows Firewall
  PID:1232
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="Salwyrr Client Java 1b" dir=in action=allow protocol=any localip=any remoteip=any program="C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\java.exe"
  2⤵
  - Modifies Windows Firewall
  PID:1284
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall show rule name="Salwyrr Client Java 2b"
  2⤵
  - Modifies Windows Firewall
  PID:2028
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="Salwyrr Client Java 2b" dir=in action=allow protocol=any localip=any remoteip=any program="C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\jre\bin\java.exe"
  2⤵
  - Modifies Windows Firewall
  PID:1656
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall show rule name="Salwyrr Client Java 3b"
  2⤵
  - Modifies Windows Firewall
  PID:1488
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="Salwyrr Client Java 3b" dir=in action=allow protocol=any localip=any remoteip=any program="C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\java-runtime-alpha\bin\java.exe"
  2⤵
  - Modifies Windows Firewall
  PID:1736
- C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\javaw.exe
  "C:\Users\Admin\AppData\Roaming\.Salwyrr/launcher/bootstrap/jre/bin/javaw.exe" -Xmx1G -jar "launcher/bootstrap/updater.jar"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\java.dll

Filesize
160KB

MD5
0c4673c6d3fbb7b62b9d83b41893ee23

SHA1
516a489686d0fab9f3223414969b347df79b3b64

SHA256
8163acdbca856f15f8cb3d532cf79d906d94b4d58250911b0600fbed8b17fefa

SHA512
0278fe0487a04d12f2c3745305506812e4d8e28c3a2d90f060e417a43129437a28809a081e371978a01499cd932497ef7e1f0c6c9675acb541ea2c5225fe32ba

Download Submit
C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\javaw.exe

Filesize
223KB

MD5
68f55ca782ebe9bb2f932e3a3d6ffd8a

SHA1
0f13e8e11ce24123bacf23a8b116bc777a0ac072

SHA256
6e6517ee65b753af161608be59bafc72ba3f670e4c48a8eb7e30170b0f0ef80b

SHA512
f6cc93e8b6f9f9ca72c870f2a1711c41bcba8d7ec7cd5d1003fb96e77f7700b1627738ed83493b863424edaba6e3821818b7977252edad3481bb4404c184c76d

Download Submit
C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\msvcp120.dll

Filesize
645KB

MD5
4e38c42ff10a1689cf277eadc895d374

SHA1
6e4934c413ff2943ab535c2f7590fda1f4ecf1c2

SHA256
bdd61f3ec686965716c4c6048aa4ef46088739c63d6f314f37f691ef13fd22c3

SHA512
b7e309e3c69a678793465af1c3041bd66adb88cc8c03362bf4b3941881d9f19905ede7fbb8e2fbc2ce0c05495aeef9af99ae17364f37661d0c635310c1b805bb

Download Submit
C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\msvcr120.dll

Filesize
944KB

MD5
e9c471b35f7cb4eeccfd7bea873262ac

SHA1
5cd7885b5e81ac9d2fed4015b1080799ead0d384

SHA256
69968e25a8f5554e7b09423a6da659ad6175a2c62725b0ae42a70c99f424cc69

SHA512
1a7351cf3f205f804eb796b57cbcce49b4bcd8c0edc9c62af130df0d3f8b61d56663b51bf1caccce8ea1862dcc1b61d85dda36ab9fd2b6eb42d7d4d550eca2ca

Download Submit
C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\server\jvm.dll

Filesize
8.4MB

MD5
62fffae8a5d1fc7cf105ae5cf0073ca5

SHA1
bf4fcddf4551a36a211670581897beeeda898f9b

SHA256
1689d8a76fd30487f63a1227a2a47d4f017a8eca0045eb4b04d06a876155e4bf

SHA512
737324142c2c0d53bd7ac4f09552241c770f58051189397b59996688a2751396209df9d8c5f442a60858728b7e31a5885c011d74733f86301b3f52573bec0d86

Download Submit
C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\verify.dll

Filesize
54KB

MD5
e550fce5ee668230ae0b71bf702fde82

SHA1
8efbe790a626d70ec59f28ba907eabd9f13e7932

SHA256
96cbf775c060744cf158d811b0f45c4abfa9a89d7ff9920ab1bbe05c283e8224

SHA512
7a5a1270391a096a81c868e8c1cd9fe2cbb0dfea53c388c636c7e5c4012b13ebc7eee1b54b563b6def263874784b57c5b131757b393a1e5831958e3f18313106

Download Submit
C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\zip.dll

Filesize
84KB

MD5
14eab665f7878d3de543e381cd6b1c59

SHA1
b8495257225ca855a38edb88111b6a5a6c457e03

SHA256
1ede94dd6c5521fbd22796ce171164c2712604eacaca0179112f5f0b93959c20

SHA512
9058133e890678246bf9249dbfdf7020e3ba069e4c4e0b368e4e2fd06606ce975e6011d3370a95b7ec3527885b53d37fc87b405e7714a77352ea32e6f7a91a2f

Download Submit
C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\lib\amd64\jvm.cfg

Filesize
1KB

MD5
c60e77ff5f3887c743971e73e6f0e0b1

SHA1
9b0cfd38ec5b7bd5bd1c364dee2e1b452a063c02

SHA256
23f728cc2bf14e62d454190ea0139f159031b5bd9c3f141ca9237c4c5c96ec1d

SHA512
07aca3de1a03a3b64b691fd41e35e6596760baf24c4f24e86fca87d2acf3a4814b17cd9751adc2dcd0689848f3d582fb3ee01d413e3a61d1d98397d72fe545e9

Download Submit
C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\lib\ext\meta-index

Filesize
729B

MD5
c13d39595f3ab17500d6963b323558a5

SHA1
65e8806bdc09e1433e0c9c4ccbce759a3db0df98

SHA256
f3c5b6ec18f23aabcb3c33ae6972c5f65fc3220196e4a3081e25341ce530cf64

SHA512
9e5821660a85337ad94a7d8dd488ca400e58046af7ab0785080b257c35d22462304b59d157579c3d79315a9d51bad3970988a8e45f34d8d741265f6e3ff202d1

Download Submit
C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\lib\jfr.jar

Filesize
868KB

MD5
a5baca209f6b3e144e44029aee4ab71b

SHA1
419586d970faed52472dae63065c3d7ccc4d27c0

SHA256
58b290db3417a178c4e1d33bbfdd05f89981e328e70a83d98cc1fc91f8e7d911

SHA512
c855fdd1a1836913a07c9d1353a62d00d6e5d88f4701fdf303877a7faa59074c525e8da59a9af0072455657069bda9e51f452d6b56c34faec1c22a35aabffa5a

Download Submit
C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\lib\meta-index

Filesize
1KB

MD5
83964354d8e8e69dfc1001f01682bd70

SHA1
1f2012a464683ccc1c284d51b20778811641b2ee

SHA256
dff270e76bd7d851cbcf79702aebd71122c3a9e93836ae4e9f650234a754b5c3

SHA512
4be6e0c8ed2bd2f59286bbfa5041676f352e32731e070d7c26511e1e570bd8d6940ff2cc59b0e1656c9c8b3f86186a34709dbf19c303d80840307dacc39d9956

Download Submit
C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\lib\rt.jar

Filesize
60.2MB

MD5
0070af149ddf6e36268ae49ccbbb9a65

SHA1
64dd548ece5f88717b96a2bdc63d1d40cf6192ce

SHA256
5233b5c2ab1da4cba5bf180b38bfc07f086fd0228621e71f73d6e0b5fa8db85e

SHA512
1c2918114d9ae3c5ce3117168c16c85b2a877f7bf5cf734806246c254dae21f00cdf179181c7290b79be71113d5415d2b37d39ff0db195e951d3282c34e68134

Download Submit
C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\updater.jar

Filesize
807KB

MD5
a616e898ea735980492f41da00f88f39

SHA1
6de46eb8ddc768bb6652d45fe59904371e153c5d

SHA256
f018c09f5f093f5aa02fe54efb36d2c79382da298bdd16731f22a51ad69bf240

SHA512
130337c5738e9cee84dff629c5d4a34f9b2bbf587e7b0eaa518075a76a8086854e7604c9ae23455eca239fbbf36c3c1472b477d306a347a1dba9b1c63c61ee3d

Download Submit
\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\java.dll

Filesize
160KB

MD5
0c4673c6d3fbb7b62b9d83b41893ee23

SHA1
516a489686d0fab9f3223414969b347df79b3b64

SHA256
8163acdbca856f15f8cb3d532cf79d906d94b4d58250911b0600fbed8b17fefa

SHA512
0278fe0487a04d12f2c3745305506812e4d8e28c3a2d90f060e417a43129437a28809a081e371978a01499cd932497ef7e1f0c6c9675acb541ea2c5225fe32ba

Download Submit
\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\java.dll

Filesize
160KB

MD5
0c4673c6d3fbb7b62b9d83b41893ee23

SHA1
516a489686d0fab9f3223414969b347df79b3b64

SHA256
8163acdbca856f15f8cb3d532cf79d906d94b4d58250911b0600fbed8b17fefa

SHA512
0278fe0487a04d12f2c3745305506812e4d8e28c3a2d90f060e417a43129437a28809a081e371978a01499cd932497ef7e1f0c6c9675acb541ea2c5225fe32ba

Download Submit
\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\java.dll

Filesize
160KB

MD5
0c4673c6d3fbb7b62b9d83b41893ee23

SHA1
516a489686d0fab9f3223414969b347df79b3b64

SHA256
8163acdbca856f15f8cb3d532cf79d906d94b4d58250911b0600fbed8b17fefa

SHA512
0278fe0487a04d12f2c3745305506812e4d8e28c3a2d90f060e417a43129437a28809a081e371978a01499cd932497ef7e1f0c6c9675acb541ea2c5225fe32ba

Download Submit
\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\java.dll

Filesize
160KB

MD5
0c4673c6d3fbb7b62b9d83b41893ee23

SHA1
516a489686d0fab9f3223414969b347df79b3b64

SHA256
8163acdbca856f15f8cb3d532cf79d906d94b4d58250911b0600fbed8b17fefa

SHA512
0278fe0487a04d12f2c3745305506812e4d8e28c3a2d90f060e417a43129437a28809a081e371978a01499cd932497ef7e1f0c6c9675acb541ea2c5225fe32ba

Download Submit
\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\java.dll

Filesize
160KB

MD5
0c4673c6d3fbb7b62b9d83b41893ee23

SHA1
516a489686d0fab9f3223414969b347df79b3b64

SHA256
8163acdbca856f15f8cb3d532cf79d906d94b4d58250911b0600fbed8b17fefa

SHA512
0278fe0487a04d12f2c3745305506812e4d8e28c3a2d90f060e417a43129437a28809a081e371978a01499cd932497ef7e1f0c6c9675acb541ea2c5225fe32ba

Download Submit
\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\java.dll

Filesize
160KB

MD5
0c4673c6d3fbb7b62b9d83b41893ee23

SHA1
516a489686d0fab9f3223414969b347df79b3b64

SHA256
8163acdbca856f15f8cb3d532cf79d906d94b4d58250911b0600fbed8b17fefa

SHA512
0278fe0487a04d12f2c3745305506812e4d8e28c3a2d90f060e417a43129437a28809a081e371978a01499cd932497ef7e1f0c6c9675acb541ea2c5225fe32ba

Download Submit
\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\java.dll

Filesize
160KB

MD5
0c4673c6d3fbb7b62b9d83b41893ee23

SHA1
516a489686d0fab9f3223414969b347df79b3b64

SHA256
8163acdbca856f15f8cb3d532cf79d906d94b4d58250911b0600fbed8b17fefa

SHA512
0278fe0487a04d12f2c3745305506812e4d8e28c3a2d90f060e417a43129437a28809a081e371978a01499cd932497ef7e1f0c6c9675acb541ea2c5225fe32ba

Download Submit
\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\javaw.exe

Filesize
223KB

MD5
68f55ca782ebe9bb2f932e3a3d6ffd8a

SHA1
0f13e8e11ce24123bacf23a8b116bc777a0ac072

SHA256
6e6517ee65b753af161608be59bafc72ba3f670e4c48a8eb7e30170b0f0ef80b

SHA512
f6cc93e8b6f9f9ca72c870f2a1711c41bcba8d7ec7cd5d1003fb96e77f7700b1627738ed83493b863424edaba6e3821818b7977252edad3481bb4404c184c76d

Download Submit
\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\javaw.exe

Filesize
223KB

MD5
68f55ca782ebe9bb2f932e3a3d6ffd8a

SHA1
0f13e8e11ce24123bacf23a8b116bc777a0ac072

SHA256
6e6517ee65b753af161608be59bafc72ba3f670e4c48a8eb7e30170b0f0ef80b

SHA512
f6cc93e8b6f9f9ca72c870f2a1711c41bcba8d7ec7cd5d1003fb96e77f7700b1627738ed83493b863424edaba6e3821818b7977252edad3481bb4404c184c76d

Download Submit
\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\javaw.exe

Filesize
223KB

MD5
68f55ca782ebe9bb2f932e3a3d6ffd8a

SHA1
0f13e8e11ce24123bacf23a8b116bc777a0ac072

SHA256
6e6517ee65b753af161608be59bafc72ba3f670e4c48a8eb7e30170b0f0ef80b

SHA512
f6cc93e8b6f9f9ca72c870f2a1711c41bcba8d7ec7cd5d1003fb96e77f7700b1627738ed83493b863424edaba6e3821818b7977252edad3481bb4404c184c76d

Download Submit
\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\javaw.exe

Filesize
223KB

MD5
68f55ca782ebe9bb2f932e3a3d6ffd8a

SHA1
0f13e8e11ce24123bacf23a8b116bc777a0ac072

SHA256
6e6517ee65b753af161608be59bafc72ba3f670e4c48a8eb7e30170b0f0ef80b

SHA512
f6cc93e8b6f9f9ca72c870f2a1711c41bcba8d7ec7cd5d1003fb96e77f7700b1627738ed83493b863424edaba6e3821818b7977252edad3481bb4404c184c76d

Download Submit
\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\msvcp120.dll

Filesize
645KB

MD5
4e38c42ff10a1689cf277eadc895d374

SHA1
6e4934c413ff2943ab535c2f7590fda1f4ecf1c2

SHA256
bdd61f3ec686965716c4c6048aa4ef46088739c63d6f314f37f691ef13fd22c3

SHA512
b7e309e3c69a678793465af1c3041bd66adb88cc8c03362bf4b3941881d9f19905ede7fbb8e2fbc2ce0c05495aeef9af99ae17364f37661d0c635310c1b805bb

Download Submit
\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\msvcr120.dll

Filesize
944KB

MD5
e9c471b35f7cb4eeccfd7bea873262ac

SHA1
5cd7885b5e81ac9d2fed4015b1080799ead0d384

SHA256
69968e25a8f5554e7b09423a6da659ad6175a2c62725b0ae42a70c99f424cc69

SHA512
1a7351cf3f205f804eb796b57cbcce49b4bcd8c0edc9c62af130df0d3f8b61d56663b51bf1caccce8ea1862dcc1b61d85dda36ab9fd2b6eb42d7d4d550eca2ca

Download Submit
\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\server\jvm.dll

Filesize
8.4MB

MD5
62fffae8a5d1fc7cf105ae5cf0073ca5

SHA1
bf4fcddf4551a36a211670581897beeeda898f9b

SHA256
1689d8a76fd30487f63a1227a2a47d4f017a8eca0045eb4b04d06a876155e4bf

SHA512
737324142c2c0d53bd7ac4f09552241c770f58051189397b59996688a2751396209df9d8c5f442a60858728b7e31a5885c011d74733f86301b3f52573bec0d86

Download Submit
\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\verify.dll

Filesize
54KB

MD5
e550fce5ee668230ae0b71bf702fde82

SHA1
8efbe790a626d70ec59f28ba907eabd9f13e7932

SHA256
96cbf775c060744cf158d811b0f45c4abfa9a89d7ff9920ab1bbe05c283e8224

SHA512
7a5a1270391a096a81c868e8c1cd9fe2cbb0dfea53c388c636c7e5c4012b13ebc7eee1b54b563b6def263874784b57c5b131757b393a1e5831958e3f18313106

Download Submit
\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\zip.dll

Filesize
84KB

MD5
14eab665f7878d3de543e381cd6b1c59

SHA1
b8495257225ca855a38edb88111b6a5a6c457e03

SHA256
1ede94dd6c5521fbd22796ce171164c2712604eacaca0179112f5f0b93959c20

SHA512
9058133e890678246bf9249dbfdf7020e3ba069e4c4e0b368e4e2fd06606ce975e6011d3370a95b7ec3527885b53d37fc87b405e7714a77352ea32e6f7a91a2f

Download Submit
memory/932-125-0x00000000022A0000-0x00000000032A0000-memory.dmp

Filesize
16.0MB

Download
memory/932-116-0x00000000022A0000-0x00000000032A0000-memory.dmp

Filesize
16.0MB

Download
memory/932-91-0x000007FEFB8D1000-0x000007FEFB8D3000-memory.dmp

Filesize
8KB

Download
memory/2016-82-0x00000000005A0000-0x00000000005AA000-memory.dmp

Filesize
40KB

Download
memory/2016-57-0x0000000004D45000-0x0000000004D56000-memory.dmp

Filesize
68KB

Download
memory/2016-56-0x00000000005A0000-0x00000000005AA000-memory.dmp

Filesize
40KB

Download
memory/2016-55-0x00000000003D0000-0x00000000003DE000-memory.dmp

Filesize
56KB

Download
memory/2016-83-0x0000000004D45000-0x0000000004D56000-memory.dmp

Filesize
68KB

Download
memory/2016-54-0x0000000075561000-0x0000000075563000-memory.dmp

Filesize
8KB

Download