413a460fae724b972ab9c52aeab029552245555c7df5b79eb2a6529e1dd7a090

Analysis

max time kernel
43s
max time network
132s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
31-01-2023 01:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Salwyrr Launcher Installer.exe
Size

46KB
MD5

38633bfef3c1fe505a39a688b5c31828
SHA1

4e053e5ca9e8bfcf372b4331b18c36d637332bbc
SHA256

413a460fae724b972ab9c52aeab029552245555c7df5b79eb2a6529e1dd7a090
SHA512

812ebfa26ff63ade8ab4851230fe47c0ffb797b5a8c48d6ab7ad3293a4995c088bedb8ca7ad6c48a63b3c7f60cdf5b2b318b39dc232ef2096721aba7734ea8f7
SSDEEP

768:PE55gC6d1VepljbMBMxECL67qtjMGF9TtgmAtugTtyKr:svh6dTepljLEf44u4mMuAyKr

Score

8^/10

evasion

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1588	javaw.exe
1432	Process not Found

Modifies Windows Firewall 1 TTPs 12 IoCs

evasion

Modify Existing Service

T1031

pid	Process
692	netsh.exe
2044	netsh.exe
1052	netsh.exe
1260	netsh.exe
1388	netsh.exe
1780	netsh.exe
760	netsh.exe
1700	netsh.exe
1976	netsh.exe
772	netsh.exe
576	netsh.exe
1560	netsh.exe

Loads dropped DLL 14 IoCs

pid	Process
1728	Salwyrr Launcher Installer.exe
1728	Salwyrr Launcher Installer.exe
1728	Salwyrr Launcher Installer.exe
1728	Salwyrr Launcher Installer.exe
1728	Salwyrr Launcher Installer.exe
1588	javaw.exe
1588	javaw.exe
1588	javaw.exe
1588	javaw.exe
1588	javaw.exe
1432	Process not Found
1432	Process not Found
884	Process not Found
884	Process not Found

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Salwyrr Launcher Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Salwyrr Launcher Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Salwyrr Launcher Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Salwyrr Launcher Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Salwyrr Launcher Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Salwyrr Launcher Installer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1728	Salwyrr Launcher Installer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 1260	1728	Salwyrr Launcher Installer.exe	28
PID 1728 wrote to memory of 1260	1728	Salwyrr Launcher Installer.exe	28
PID 1728 wrote to memory of 1260	1728	Salwyrr Launcher Installer.exe	28
PID 1728 wrote to memory of 1260	1728	Salwyrr Launcher Installer.exe	28
PID 1728 wrote to memory of 1260	1728	Salwyrr Launcher Installer.exe	28
PID 1728 wrote to memory of 1260	1728	Salwyrr Launcher Installer.exe	28
PID 1728 wrote to memory of 1260	1728	Salwyrr Launcher Installer.exe	28
PID 1728 wrote to memory of 1560	1728	Salwyrr Launcher Installer.exe	30
PID 1728 wrote to memory of 1560	1728	Salwyrr Launcher Installer.exe	30
PID 1728 wrote to memory of 1560	1728	Salwyrr Launcher Installer.exe	30
PID 1728 wrote to memory of 1560	1728	Salwyrr Launcher Installer.exe	30
PID 1728 wrote to memory of 1560	1728	Salwyrr Launcher Installer.exe	30
PID 1728 wrote to memory of 1560	1728	Salwyrr Launcher Installer.exe	30
PID 1728 wrote to memory of 1560	1728	Salwyrr Launcher Installer.exe	30
PID 1728 wrote to memory of 692	1728	Salwyrr Launcher Installer.exe	32
PID 1728 wrote to memory of 692	1728	Salwyrr Launcher Installer.exe	32
PID 1728 wrote to memory of 692	1728	Salwyrr Launcher Installer.exe	32
PID 1728 wrote to memory of 692	1728	Salwyrr Launcher Installer.exe	32
PID 1728 wrote to memory of 692	1728	Salwyrr Launcher Installer.exe	32
PID 1728 wrote to memory of 692	1728	Salwyrr Launcher Installer.exe	32
PID 1728 wrote to memory of 692	1728	Salwyrr Launcher Installer.exe	32
PID 1728 wrote to memory of 1388	1728	Salwyrr Launcher Installer.exe	34
PID 1728 wrote to memory of 1388	1728	Salwyrr Launcher Installer.exe	34
PID 1728 wrote to memory of 1388	1728	Salwyrr Launcher Installer.exe	34
PID 1728 wrote to memory of 1388	1728	Salwyrr Launcher Installer.exe	34
PID 1728 wrote to memory of 1388	1728	Salwyrr Launcher Installer.exe	34
PID 1728 wrote to memory of 1388	1728	Salwyrr Launcher Installer.exe	34
PID 1728 wrote to memory of 1388	1728	Salwyrr Launcher Installer.exe	34
PID 1728 wrote to memory of 1780	1728	Salwyrr Launcher Installer.exe	36
PID 1728 wrote to memory of 1780	1728	Salwyrr Launcher Installer.exe	36
PID 1728 wrote to memory of 1780	1728	Salwyrr Launcher Installer.exe	36
PID 1728 wrote to memory of 1780	1728	Salwyrr Launcher Installer.exe	36
PID 1728 wrote to memory of 1780	1728	Salwyrr Launcher Installer.exe	36
PID 1728 wrote to memory of 1780	1728	Salwyrr Launcher Installer.exe	36
PID 1728 wrote to memory of 1780	1728	Salwyrr Launcher Installer.exe	36
PID 1728 wrote to memory of 760	1728	Salwyrr Launcher Installer.exe	38
PID 1728 wrote to memory of 760	1728	Salwyrr Launcher Installer.exe	38
PID 1728 wrote to memory of 760	1728	Salwyrr Launcher Installer.exe	38
PID 1728 wrote to memory of 760	1728	Salwyrr Launcher Installer.exe	38
PID 1728 wrote to memory of 760	1728	Salwyrr Launcher Installer.exe	38
PID 1728 wrote to memory of 760	1728	Salwyrr Launcher Installer.exe	38
PID 1728 wrote to memory of 760	1728	Salwyrr Launcher Installer.exe	38
PID 1728 wrote to memory of 2044	1728	Salwyrr Launcher Installer.exe	40
PID 1728 wrote to memory of 2044	1728	Salwyrr Launcher Installer.exe	40
PID 1728 wrote to memory of 2044	1728	Salwyrr Launcher Installer.exe	40
PID 1728 wrote to memory of 2044	1728	Salwyrr Launcher Installer.exe	40
PID 1728 wrote to memory of 2044	1728	Salwyrr Launcher Installer.exe	40
PID 1728 wrote to memory of 2044	1728	Salwyrr Launcher Installer.exe	40
PID 1728 wrote to memory of 2044	1728	Salwyrr Launcher Installer.exe	40
PID 1728 wrote to memory of 1700	1728	Salwyrr Launcher Installer.exe	42
PID 1728 wrote to memory of 1700	1728	Salwyrr Launcher Installer.exe	42
PID 1728 wrote to memory of 1700	1728	Salwyrr Launcher Installer.exe	42
PID 1728 wrote to memory of 1700	1728	Salwyrr Launcher Installer.exe	42
PID 1728 wrote to memory of 1700	1728	Salwyrr Launcher Installer.exe	42
PID 1728 wrote to memory of 1700	1728	Salwyrr Launcher Installer.exe	42
PID 1728 wrote to memory of 1700	1728	Salwyrr Launcher Installer.exe	42
PID 1728 wrote to memory of 1976	1728	Salwyrr Launcher Installer.exe	44
PID 1728 wrote to memory of 1976	1728	Salwyrr Launcher Installer.exe	44
PID 1728 wrote to memory of 1976	1728	Salwyrr Launcher Installer.exe	44
PID 1728 wrote to memory of 1976	1728	Salwyrr Launcher Installer.exe	44
PID 1728 wrote to memory of 1976	1728	Salwyrr Launcher Installer.exe	44
PID 1728 wrote to memory of 1976	1728	Salwyrr Launcher Installer.exe	44
PID 1728 wrote to memory of 1976	1728	Salwyrr Launcher Installer.exe	44
PID 1728 wrote to memory of 772	1728	Salwyrr Launcher Installer.exe	46

C:\Users\Admin\AppData\Local\Temp\Salwyrr Launcher Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Salwyrr Launcher Installer.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall show rule name="Salwyrr Client Java 1a"
  2⤵
  - Modifies Windows Firewall
  PID:1260
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="Salwyrr Client Java 1a" dir=in action=allow protocol=any localip=any remoteip=any program="C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\javaw.exe"
  2⤵
  - Modifies Windows Firewall
  PID:1560
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall show rule name="Salwyrr Client Java 2a"
  2⤵
  - Modifies Windows Firewall
  PID:692
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="Salwyrr Client Java 2a" dir=in action=allow protocol=any localip=any remoteip=any program="C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\jre\bin\javaw.exe"
  2⤵
  - Modifies Windows Firewall
  PID:1388
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall show rule name="Salwyrr Client Java 3a"
  2⤵
  - Modifies Windows Firewall
  PID:1780
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="Salwyrr Client Java 3a" dir=in action=allow protocol=any localip=any remoteip=any program="C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\java-runtime-alpha\bin\javaw.exe"
  2⤵
  - Modifies Windows Firewall
  PID:760
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall show rule name="Salwyrr Client Java 1b"
  2⤵
  - Modifies Windows Firewall
  PID:2044
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="Salwyrr Client Java 1b" dir=in action=allow protocol=any localip=any remoteip=any program="C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\java.exe"
  2⤵
  - Modifies Windows Firewall
  PID:1700
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall show rule name="Salwyrr Client Java 2b"
  2⤵
  - Modifies Windows Firewall
  PID:1976
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="Salwyrr Client Java 2b" dir=in action=allow protocol=any localip=any remoteip=any program="C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\jre\bin\java.exe"
  2⤵
  - Modifies Windows Firewall
  PID:772
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall show rule name="Salwyrr Client Java 3b"
  2⤵
  - Modifies Windows Firewall
  PID:1052
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="Salwyrr Client Java 3b" dir=in action=allow protocol=any localip=any remoteip=any program="C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\java-runtime-alpha\bin\java.exe"
  2⤵
  - Modifies Windows Firewall
  PID:576
- C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\javaw.exe
  "C:\Users\Admin\AppData\Roaming\.Salwyrr/launcher/bootstrap/jre/bin/javaw.exe" -Xmx1G -jar "launcher/bootstrap/updater.jar"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\java.dll

Filesize
160KB

MD5
0c4673c6d3fbb7b62b9d83b41893ee23

SHA1
516a489686d0fab9f3223414969b347df79b3b64

SHA256
8163acdbca856f15f8cb3d532cf79d906d94b4d58250911b0600fbed8b17fefa

SHA512
0278fe0487a04d12f2c3745305506812e4d8e28c3a2d90f060e417a43129437a28809a081e371978a01499cd932497ef7e1f0c6c9675acb541ea2c5225fe32ba

Download Submit
C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\javaw.exe

Filesize
223KB

MD5
68f55ca782ebe9bb2f932e3a3d6ffd8a

SHA1
0f13e8e11ce24123bacf23a8b116bc777a0ac072

SHA256
6e6517ee65b753af161608be59bafc72ba3f670e4c48a8eb7e30170b0f0ef80b

SHA512
f6cc93e8b6f9f9ca72c870f2a1711c41bcba8d7ec7cd5d1003fb96e77f7700b1627738ed83493b863424edaba6e3821818b7977252edad3481bb4404c184c76d

Download Submit
C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\msvcp120.dll

Filesize
645KB

MD5
4e38c42ff10a1689cf277eadc895d374

SHA1
6e4934c413ff2943ab535c2f7590fda1f4ecf1c2

SHA256
bdd61f3ec686965716c4c6048aa4ef46088739c63d6f314f37f691ef13fd22c3

SHA512
b7e309e3c69a678793465af1c3041bd66adb88cc8c03362bf4b3941881d9f19905ede7fbb8e2fbc2ce0c05495aeef9af99ae17364f37661d0c635310c1b805bb

Download Submit
C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\msvcr120.dll

Filesize
944KB

MD5
e9c471b35f7cb4eeccfd7bea873262ac

SHA1
5cd7885b5e81ac9d2fed4015b1080799ead0d384

SHA256
69968e25a8f5554e7b09423a6da659ad6175a2c62725b0ae42a70c99f424cc69

SHA512
1a7351cf3f205f804eb796b57cbcce49b4bcd8c0edc9c62af130df0d3f8b61d56663b51bf1caccce8ea1862dcc1b61d85dda36ab9fd2b6eb42d7d4d550eca2ca

Download Submit
C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\server\jvm.dll

Filesize
8.4MB

MD5
62fffae8a5d1fc7cf105ae5cf0073ca5

SHA1
bf4fcddf4551a36a211670581897beeeda898f9b

SHA256
1689d8a76fd30487f63a1227a2a47d4f017a8eca0045eb4b04d06a876155e4bf

SHA512
737324142c2c0d53bd7ac4f09552241c770f58051189397b59996688a2751396209df9d8c5f442a60858728b7e31a5885c011d74733f86301b3f52573bec0d86

Download Submit
C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\verify.dll

Filesize
54KB

MD5
e550fce5ee668230ae0b71bf702fde82

SHA1
8efbe790a626d70ec59f28ba907eabd9f13e7932

SHA256
96cbf775c060744cf158d811b0f45c4abfa9a89d7ff9920ab1bbe05c283e8224

SHA512
7a5a1270391a096a81c868e8c1cd9fe2cbb0dfea53c388c636c7e5c4012b13ebc7eee1b54b563b6def263874784b57c5b131757b393a1e5831958e3f18313106

Download Submit
C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\lib\amd64\jvm.cfg

Filesize
1KB

MD5
c60e77ff5f3887c743971e73e6f0e0b1

SHA1
9b0cfd38ec5b7bd5bd1c364dee2e1b452a063c02

SHA256
23f728cc2bf14e62d454190ea0139f159031b5bd9c3f141ca9237c4c5c96ec1d

SHA512
07aca3de1a03a3b64b691fd41e35e6596760baf24c4f24e86fca87d2acf3a4814b17cd9751adc2dcd0689848f3d582fb3ee01d413e3a61d1d98397d72fe545e9

Download Submit
C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\updater.jar

Filesize
807KB

MD5
a616e898ea735980492f41da00f88f39

SHA1
6de46eb8ddc768bb6652d45fe59904371e153c5d

SHA256
f018c09f5f093f5aa02fe54efb36d2c79382da298bdd16731f22a51ad69bf240

SHA512
130337c5738e9cee84dff629c5d4a34f9b2bbf587e7b0eaa518075a76a8086854e7604c9ae23455eca239fbbf36c3c1472b477d306a347a1dba9b1c63c61ee3d

Download Submit
\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\java.dll

Filesize
160KB

MD5
0c4673c6d3fbb7b62b9d83b41893ee23

SHA1
516a489686d0fab9f3223414969b347df79b3b64

SHA256
8163acdbca856f15f8cb3d532cf79d906d94b4d58250911b0600fbed8b17fefa

SHA512
0278fe0487a04d12f2c3745305506812e4d8e28c3a2d90f060e417a43129437a28809a081e371978a01499cd932497ef7e1f0c6c9675acb541ea2c5225fe32ba

Download Submit
\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\java.dll

Filesize
160KB

MD5
0c4673c6d3fbb7b62b9d83b41893ee23

SHA1
516a489686d0fab9f3223414969b347df79b3b64

SHA256
8163acdbca856f15f8cb3d532cf79d906d94b4d58250911b0600fbed8b17fefa

SHA512
0278fe0487a04d12f2c3745305506812e4d8e28c3a2d90f060e417a43129437a28809a081e371978a01499cd932497ef7e1f0c6c9675acb541ea2c5225fe32ba

Download Submit
\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\java.dll

Filesize
160KB

MD5
0c4673c6d3fbb7b62b9d83b41893ee23

SHA1
516a489686d0fab9f3223414969b347df79b3b64

SHA256
8163acdbca856f15f8cb3d532cf79d906d94b4d58250911b0600fbed8b17fefa

SHA512
0278fe0487a04d12f2c3745305506812e4d8e28c3a2d90f060e417a43129437a28809a081e371978a01499cd932497ef7e1f0c6c9675acb541ea2c5225fe32ba

Download Submit
\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\java.dll

Filesize
160KB

MD5
0c4673c6d3fbb7b62b9d83b41893ee23

SHA1
516a489686d0fab9f3223414969b347df79b3b64

SHA256
8163acdbca856f15f8cb3d532cf79d906d94b4d58250911b0600fbed8b17fefa

SHA512
0278fe0487a04d12f2c3745305506812e4d8e28c3a2d90f060e417a43129437a28809a081e371978a01499cd932497ef7e1f0c6c9675acb541ea2c5225fe32ba

Download Submit
\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\java.dll

Filesize
160KB

MD5
0c4673c6d3fbb7b62b9d83b41893ee23

SHA1
516a489686d0fab9f3223414969b347df79b3b64

SHA256
8163acdbca856f15f8cb3d532cf79d906d94b4d58250911b0600fbed8b17fefa

SHA512
0278fe0487a04d12f2c3745305506812e4d8e28c3a2d90f060e417a43129437a28809a081e371978a01499cd932497ef7e1f0c6c9675acb541ea2c5225fe32ba

Download Submit
\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\java.dll

Filesize
160KB

MD5
0c4673c6d3fbb7b62b9d83b41893ee23

SHA1
516a489686d0fab9f3223414969b347df79b3b64

SHA256
8163acdbca856f15f8cb3d532cf79d906d94b4d58250911b0600fbed8b17fefa

SHA512
0278fe0487a04d12f2c3745305506812e4d8e28c3a2d90f060e417a43129437a28809a081e371978a01499cd932497ef7e1f0c6c9675acb541ea2c5225fe32ba

Download Submit
\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\java.dll

Filesize
160KB

MD5
0c4673c6d3fbb7b62b9d83b41893ee23

SHA1
516a489686d0fab9f3223414969b347df79b3b64

SHA256
8163acdbca856f15f8cb3d532cf79d906d94b4d58250911b0600fbed8b17fefa

SHA512
0278fe0487a04d12f2c3745305506812e4d8e28c3a2d90f060e417a43129437a28809a081e371978a01499cd932497ef7e1f0c6c9675acb541ea2c5225fe32ba

Download Submit
\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\javaw.exe

Filesize
223KB

MD5
68f55ca782ebe9bb2f932e3a3d6ffd8a

SHA1
0f13e8e11ce24123bacf23a8b116bc777a0ac072

SHA256
6e6517ee65b753af161608be59bafc72ba3f670e4c48a8eb7e30170b0f0ef80b

SHA512
f6cc93e8b6f9f9ca72c870f2a1711c41bcba8d7ec7cd5d1003fb96e77f7700b1627738ed83493b863424edaba6e3821818b7977252edad3481bb4404c184c76d

Download Submit
\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\javaw.exe

Filesize
223KB

MD5
68f55ca782ebe9bb2f932e3a3d6ffd8a

SHA1
0f13e8e11ce24123bacf23a8b116bc777a0ac072

SHA256
6e6517ee65b753af161608be59bafc72ba3f670e4c48a8eb7e30170b0f0ef80b

SHA512
f6cc93e8b6f9f9ca72c870f2a1711c41bcba8d7ec7cd5d1003fb96e77f7700b1627738ed83493b863424edaba6e3821818b7977252edad3481bb4404c184c76d

Download Submit
\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\javaw.exe

Filesize
223KB

MD5
68f55ca782ebe9bb2f932e3a3d6ffd8a

SHA1
0f13e8e11ce24123bacf23a8b116bc777a0ac072

SHA256
6e6517ee65b753af161608be59bafc72ba3f670e4c48a8eb7e30170b0f0ef80b

SHA512
f6cc93e8b6f9f9ca72c870f2a1711c41bcba8d7ec7cd5d1003fb96e77f7700b1627738ed83493b863424edaba6e3821818b7977252edad3481bb4404c184c76d

Download Submit
\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\javaw.exe

Filesize
223KB

MD5
68f55ca782ebe9bb2f932e3a3d6ffd8a

SHA1
0f13e8e11ce24123bacf23a8b116bc777a0ac072

SHA256
6e6517ee65b753af161608be59bafc72ba3f670e4c48a8eb7e30170b0f0ef80b

SHA512
f6cc93e8b6f9f9ca72c870f2a1711c41bcba8d7ec7cd5d1003fb96e77f7700b1627738ed83493b863424edaba6e3821818b7977252edad3481bb4404c184c76d

Download Submit
\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\msvcp120.dll

Filesize
645KB

MD5
4e38c42ff10a1689cf277eadc895d374

SHA1
6e4934c413ff2943ab535c2f7590fda1f4ecf1c2

SHA256
bdd61f3ec686965716c4c6048aa4ef46088739c63d6f314f37f691ef13fd22c3

SHA512
b7e309e3c69a678793465af1c3041bd66adb88cc8c03362bf4b3941881d9f19905ede7fbb8e2fbc2ce0c05495aeef9af99ae17364f37661d0c635310c1b805bb

Download Submit
\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\msvcr120.dll

Filesize
944KB

MD5
e9c471b35f7cb4eeccfd7bea873262ac

SHA1
5cd7885b5e81ac9d2fed4015b1080799ead0d384

SHA256
69968e25a8f5554e7b09423a6da659ad6175a2c62725b0ae42a70c99f424cc69

SHA512
1a7351cf3f205f804eb796b57cbcce49b4bcd8c0edc9c62af130df0d3f8b61d56663b51bf1caccce8ea1862dcc1b61d85dda36ab9fd2b6eb42d7d4d550eca2ca

Download Submit
\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\server\jvm.dll

Filesize
8.4MB

MD5
62fffae8a5d1fc7cf105ae5cf0073ca5

SHA1
bf4fcddf4551a36a211670581897beeeda898f9b

SHA256
1689d8a76fd30487f63a1227a2a47d4f017a8eca0045eb4b04d06a876155e4bf

SHA512
737324142c2c0d53bd7ac4f09552241c770f58051189397b59996688a2751396209df9d8c5f442a60858728b7e31a5885c011d74733f86301b3f52573bec0d86

Download Submit
\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\verify.dll

Filesize
54KB

MD5
e550fce5ee668230ae0b71bf702fde82

SHA1
8efbe790a626d70ec59f28ba907eabd9f13e7932

SHA256
96cbf775c060744cf158d811b0f45c4abfa9a89d7ff9920ab1bbe05c283e8224

SHA512
7a5a1270391a096a81c868e8c1cd9fe2cbb0dfea53c388c636c7e5c4012b13ebc7eee1b54b563b6def263874784b57c5b131757b393a1e5831958e3f18313106

Download Submit
memory/1588-93-0x000007FEFB741000-0x000007FEFB743000-memory.dmp

Filesize
8KB

Download
memory/1728-85-0x0000000005135000-0x0000000005146000-memory.dmp

Filesize
68KB

Download
memory/1728-54-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download
memory/1728-83-0x00000000003D0000-0x00000000003DA000-memory.dmp

Filesize
40KB

Download
memory/1728-84-0x00000000003D0000-0x00000000003DA000-memory.dmp

Filesize
40KB

Download
memory/1728-58-0x0000000005135000-0x0000000005146000-memory.dmp

Filesize
68KB

Download
memory/1728-57-0x00000000003D0000-0x00000000003DA000-memory.dmp

Filesize
40KB

Download
memory/1728-56-0x00000000003D0000-0x00000000003DA000-memory.dmp

Filesize
40KB

Download
memory/1728-55-0x00000000013E0000-0x00000000013EE000-memory.dmp

Filesize
56KB

Download