b1865a08154364f00bc4350a99012043bfca5b14734fb8ab505ade40dd6a0cc2

Analysis

max time kernel
30s
max time network
172s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/03/2024, 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Salwyrr Launcher.exe
Size

150.5MB
MD5

358fcbfda7fdc5e8966be81cd82e3fc9
SHA1

1ca3c9cd0e791c82f139c543449630653447c33a
SHA256

bcc98408be7d77e03ca6fd8f1e7e01d30f3b55e3bb236735d514037f6b2da53f
SHA512

bc26f6e9395386791a7438e2e2f25644029584e6c318775b20cf8f13d268397b6a0e2f6ad8b2ccf726dc8a1102c6b08cef9a00fbd83855b65b0626deba009956
SSDEEP

1572864:ZGdFYlhnXsryUGmVlsdBbd51I8udcDs/VgC5daNcBgBTIWfbgrLvNc3xhRsOmpe:nlhnXr7er5c+rp

Score

7^/10

spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\Geo\Nation	Salwyrr Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\Geo\Nation	Salwyrr Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\Geo\Nation	Salwyrr Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\Geo\Nation	Salwyrr Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\Geo\Nation	Salwyrr Launcher.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Salwyrr Launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Salwyrr Launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Salwyrr Launcher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	Salwyrr Launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Salwyrr Launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Salwyrr Launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Salwyrr Launcher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	Salwyrr Launcher.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1752	Salwyrr Launcher.exe
Token: SeShutdownPrivilege	1752	Salwyrr Launcher.exe
Token: SeShutdownPrivilege	1752	Salwyrr Launcher.exe
Token: SeShutdownPrivilege	1752	Salwyrr Launcher.exe
Token: SeShutdownPrivilege	1752	Salwyrr Launcher.exe
Token: SeShutdownPrivilege	1752	Salwyrr Launcher.exe
Token: SeShutdownPrivilege	1752	Salwyrr Launcher.exe
Token: SeShutdownPrivilege	1752	Salwyrr Launcher.exe
Token: SeShutdownPrivilege	1752	Salwyrr Launcher.exe
Token: SeShutdownPrivilege	1752	Salwyrr Launcher.exe
Token: SeShutdownPrivilege	1752	Salwyrr Launcher.exe
Token: SeShutdownPrivilege	1752	Salwyrr Launcher.exe
Token: SeShutdownPrivilege	1752	Salwyrr Launcher.exe
Token: SeShutdownPrivilege	1752	Salwyrr Launcher.exe
Token: SeShutdownPrivilege	1752	Salwyrr Launcher.exe
Token: SeShutdownPrivilege	1752	Salwyrr Launcher.exe
Token: SeShutdownPrivilege	1752	Salwyrr Launcher.exe
Token: SeShutdownPrivilege	1752	Salwyrr Launcher.exe
Token: SeShutdownPrivilege	1752	Salwyrr Launcher.exe
Token: SeShutdownPrivilege	1752	Salwyrr Launcher.exe
Token: SeShutdownPrivilege	1752	Salwyrr Launcher.exe
Token: SeShutdownPrivilege	1752	Salwyrr Launcher.exe
Token: SeShutdownPrivilege	1752	Salwyrr Launcher.exe
Token: SeShutdownPrivilege	1752	Salwyrr Launcher.exe
Token: SeShutdownPrivilege	1752	Salwyrr Launcher.exe
Token: SeShutdownPrivilege	1752	Salwyrr Launcher.exe
Token: SeShutdownPrivilege	1752	Salwyrr Launcher.exe
Token: SeShutdownPrivilege	1752	Salwyrr Launcher.exe
Token: SeShutdownPrivilege	1752	Salwyrr Launcher.exe
Token: SeShutdownPrivilege	1752	Salwyrr Launcher.exe
Token: SeShutdownPrivilege	1752	Salwyrr Launcher.exe
Token: SeShutdownPrivilege	1752	Salwyrr Launcher.exe
Token: SeShutdownPrivilege	1752	Salwyrr Launcher.exe
Token: SeShutdownPrivilege	1752	Salwyrr Launcher.exe
Token: SeShutdownPrivilege	1752	Salwyrr Launcher.exe
Token: SeShutdownPrivilege	1752	Salwyrr Launcher.exe
Token: SeShutdownPrivilege	1752	Salwyrr Launcher.exe
Token: SeShutdownPrivilege	1752	Salwyrr Launcher.exe
Token: SeShutdownPrivilege	1752	Salwyrr Launcher.exe
Token: SeShutdownPrivilege	1752	Salwyrr Launcher.exe
Token: SeShutdownPrivilege	1752	Salwyrr Launcher.exe
Token: SeShutdownPrivilege	1752	Salwyrr Launcher.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 2628	1752	Salwyrr Launcher.exe	27
PID 1752 wrote to memory of 2628	1752	Salwyrr Launcher.exe	27
PID 1752 wrote to memory of 2628	1752	Salwyrr Launcher.exe	27
PID 2628 wrote to memory of 2864	2628	cmd.exe	29
PID 2628 wrote to memory of 2864	2628	cmd.exe	29
PID 2628 wrote to memory of 2864	2628	cmd.exe	29
PID 1752 wrote to memory of 2604	1752	Salwyrr Launcher.exe	30
PID 1752 wrote to memory of 2604	1752	Salwyrr Launcher.exe	30
PID 1752 wrote to memory of 2604	1752	Salwyrr Launcher.exe	30
PID 1752 wrote to memory of 2604	1752	Salwyrr Launcher.exe	30
PID 1752 wrote to memory of 2496	1752	Salwyrr Launcher.exe	31
PID 1752 wrote to memory of 2496	1752	Salwyrr Launcher.exe	31
PID 1752 wrote to memory of 2496	1752	Salwyrr Launcher.exe	31
PID 1752 wrote to memory of 2604	1752	Salwyrr Launcher.exe	30
PID 1752 wrote to memory of 2604	1752	Salwyrr Launcher.exe	30
PID 1752 wrote to memory of 2604	1752	Salwyrr Launcher.exe	30
PID 1752 wrote to memory of 2604	1752	Salwyrr Launcher.exe	30
PID 1752 wrote to memory of 2604	1752	Salwyrr Launcher.exe	30
PID 1752 wrote to memory of 2604	1752	Salwyrr Launcher.exe	30
PID 1752 wrote to memory of 2604	1752	Salwyrr Launcher.exe	30
PID 1752 wrote to memory of 2604	1752	Salwyrr Launcher.exe	30
PID 1752 wrote to memory of 2604	1752	Salwyrr Launcher.exe	30
PID 1752 wrote to memory of 2604	1752	Salwyrr Launcher.exe	30
PID 1752 wrote to memory of 2604	1752	Salwyrr Launcher.exe	30
PID 1752 wrote to memory of 2604	1752	Salwyrr Launcher.exe	30
PID 1752 wrote to memory of 2604	1752	Salwyrr Launcher.exe	30
PID 1752 wrote to memory of 2604	1752	Salwyrr Launcher.exe	30
PID 1752 wrote to memory of 2604	1752	Salwyrr Launcher.exe	30
PID 1752 wrote to memory of 2604	1752	Salwyrr Launcher.exe	30
PID 1752 wrote to memory of 2604	1752	Salwyrr Launcher.exe	30
PID 1752 wrote to memory of 2604	1752	Salwyrr Launcher.exe	30
PID 1752 wrote to memory of 2604	1752	Salwyrr Launcher.exe	30
PID 1752 wrote to memory of 2604	1752	Salwyrr Launcher.exe	30
PID 1752 wrote to memory of 2604	1752	Salwyrr Launcher.exe	30
PID 1752 wrote to memory of 2604	1752	Salwyrr Launcher.exe	30
PID 1752 wrote to memory of 2604	1752	Salwyrr Launcher.exe	30
PID 1752 wrote to memory of 2604	1752	Salwyrr Launcher.exe	30
PID 1752 wrote to memory of 2604	1752	Salwyrr Launcher.exe	30
PID 1752 wrote to memory of 2604	1752	Salwyrr Launcher.exe	30
PID 1752 wrote to memory of 2604	1752	Salwyrr Launcher.exe	30
PID 1752 wrote to memory of 2604	1752	Salwyrr Launcher.exe	30
PID 1752 wrote to memory of 2604	1752	Salwyrr Launcher.exe	30
PID 1752 wrote to memory of 2604	1752	Salwyrr Launcher.exe	30
PID 1752 wrote to memory of 2604	1752	Salwyrr Launcher.exe	30
PID 1752 wrote to memory of 2604	1752	Salwyrr Launcher.exe	30
PID 1752 wrote to memory of 2604	1752	Salwyrr Launcher.exe	30
PID 1752 wrote to memory of 2604	1752	Salwyrr Launcher.exe	30
PID 1752 wrote to memory of 2604	1752	Salwyrr Launcher.exe	30
PID 1752 wrote to memory of 2604	1752	Salwyrr Launcher.exe	30
PID 1752 wrote to memory of 2768	1752	Salwyrr Launcher.exe	32
PID 1752 wrote to memory of 2768	1752	Salwyrr Launcher.exe	32
PID 1752 wrote to memory of 2768	1752	Salwyrr Launcher.exe	32
PID 1752 wrote to memory of 2808	1752	Salwyrr Launcher.exe	33
PID 1752 wrote to memory of 2808	1752	Salwyrr Launcher.exe	33
PID 1752 wrote to memory of 2808	1752	Salwyrr Launcher.exe	33
PID 1752 wrote to memory of 1040	1752	Salwyrr Launcher.exe	34
PID 1752 wrote to memory of 1040	1752	Salwyrr Launcher.exe	34
PID 1752 wrote to memory of 1040	1752	Salwyrr Launcher.exe	34
PID 1752 wrote to memory of 1040	1752	Salwyrr Launcher.exe	34
PID 1752 wrote to memory of 1040	1752	Salwyrr Launcher.exe	34
PID 1752 wrote to memory of 1040	1752	Salwyrr Launcher.exe	34
PID 1752 wrote to memory of 1040	1752	Salwyrr Launcher.exe	34
PID 1752 wrote to memory of 1040	1752	Salwyrr Launcher.exe	34
PID 1752 wrote to memory of 1040	1752	Salwyrr Launcher.exe	34

C:\Users\Admin\AppData\Local\Temp\Salwyrr Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Salwyrr Launcher.exe"
1⤵
- Checks computer location settings
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
    3⤵
    PID:2864
- C:\Users\Admin\AppData\Local\Temp\Salwyrr Launcher.exe
  "C:\Users\Admin\AppData\Local\Temp\Salwyrr Launcher.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Salwyrr Launcher" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1072 --field-trial-handle=1156,i,9583130686926966844,16931897545146677184,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:2604
- C:\Users\Admin\AppData\Local\Temp\Salwyrr Launcher.exe
  "C:\Users\Admin\AppData\Local\Temp\Salwyrr Launcher.exe" --type=cs "--cs-app=Salwyrr Launcher"
  2⤵
  PID:2496
- C:\Users\Admin\AppData\Local\Temp\Salwyrr Launcher.exe
  "C:\Users\Admin\AppData\Local\Temp\Salwyrr Launcher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Salwyrr Launcher" --mojo-platform-channel-handle=1240 --field-trial-handle=1156,i,9583130686926966844,16931897545146677184,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  PID:2768
- C:\Users\Admin\AppData\Local\Temp\Salwyrr Launcher.exe
  "C:\Users\Admin\AppData\Local\Temp\Salwyrr Launcher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Salwyrr Launcher" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1432 --field-trial-handle=1156,i,9583130686926966844,16931897545146677184,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Checks computer location settings
  PID:2808
- C:\Users\Admin\AppData\Local\Temp\Salwyrr Launcher.exe
  "C:\Users\Admin\AppData\Local\Temp\Salwyrr Launcher.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Salwyrr Launcher" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1720 --field-trial-handle=1156,i,9583130686926966844,16931897545146677184,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:1040
- C:\Users\Admin\AppData\Local\Temp\Salwyrr Launcher.exe
  "C:\Users\Admin\AppData\Local\Temp\Salwyrr Launcher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Salwyrr Launcher" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --enable-blink-features --disable-blink-features --js-flags=--expose_gc --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1540 --field-trial-handle=1156,i,9583130686926966844,16931897545146677184,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Checks computer location settings
  PID:1812
- C:\Users\Admin\AppData\Local\Temp\Salwyrr Launcher.exe
  "C:\Users\Admin\AppData\Local\Temp\Salwyrr Launcher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Salwyrr Launcher" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --enable-blink-features --disable-blink-features --js-flags=--expose_gc --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2576 --field-trial-handle=1156,i,9583130686926966844,16931897545146677184,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Checks computer location settings
  PID:588
- C:\Users\Admin\AppData\Local\Temp\Salwyrr Launcher.exe
  "C:\Users\Admin\AppData\Local\Temp\Salwyrr Launcher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Salwyrr Launcher" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1132 --field-trial-handle=1156,i,9583130686926966844,16931897545146677184,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Checks computer location settings
  PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

Filesize
893B

MD5
d4ae187b4574036c2d76b6df8a8c1a30

SHA1
b06f409fa14bab33cbaf4a37811b8740b624d9e5

SHA256
a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7

SHA512
1f44a360e8bb8ada22bc5bfe001f1babb4e72005a46bc2a94c33c4bd149ff256cce6f35d65ca4f7fc2a5b9e15494155449830d2809c8cf218d0b9196ec646b0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F59A01A8B782D93EA6991BC172CEFFB1

Filesize
867B

MD5
c5dfb849ca051355ee2dba1ac33eb028

SHA1
d69b561148f01c77c54578c10926df5b856976ad

SHA256
cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b

SHA512
88289cdd2c2dd1f5f4c13ab2cf9bc601fc634b5945309bedf9fc5b96bf21697b4cd6da2f383497825e02272816befbac4f44955282ffbbd4dd0ddc52281082da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

Filesize
230B

MD5
911c105f58bedc2b18f29b72dd155f87

SHA1
a3439e21ae89e68eab23ee144c02be15a41952fd

SHA256
a200ecf73b1ab9e9087318f4b6ab0e334695a0f5ff809f98e7fa9dc29db0574c

SHA512
1f59c0330ff516199ae4f2ff7e221ea8179f2bde55bda12962838c8f38052ef33ef71c2ddfdd60fc28696d32798334f9cba73c5924bda441cc4b52c7ed800fe0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9d08e094e59e76827551cb4c86a4bc6c

SHA1
d567e93c02ce525be83f9f6eac3a94b0f6b9f6d2

SHA256
4b322d187329e44dd66642666064aee6c702b37e22094836516349f79cdacf73

SHA512
f92cfbc449836f74b364de734fc398c0f49d8446ec096e624fc97e0b8098e4f93e5c84d39b7d74f154dd963d0131853ada694ff194c8607a5d13b3e6c29c6e0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
61ea25861db7965c74c8f597fafc3a03

SHA1
4e40defea7bac154ddfd24bb187ee6aba7143502

SHA256
3abaf51d8a627fec89148921f5001c5f5b2acf2236a5e2c159578b845532f3dd

SHA512
b1944b6ed40228986cf52d98ffc778a43a780c129726361a62f866cb34a1aa1250e94f1841b61a589f18f909e16480fe82add82e739a0e93916c24eb40395bae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2dec61c67b63f8e5820c946a1abbe82b

SHA1
774ac20dc63630558ab81f3f1d6ba2a52257c02c

SHA256
5d42fe8f58ee79af1a74a333616ffafa102ff0bd37f844f2ab960b034792f972

SHA512
681770640bdf8230848edbc973bc5511e0846dd413da75a4f0b1aa8ff23f732318b0646ee1c30ce33c38e0983bb5588c25a04b0de8829ec07c416e595d001d80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
08ec39fab9c6d3672e9e8ee6b9cfc1ee

SHA1
13154bef920b803728e06d7a691e31b75432a02c

SHA256
edf7b24b092d615012ed783633d684dc8364c45be0116ef112adf17375b1c9c8

SHA512
6d1f330668ff0bdf6bef62568d1be7108a4c0508b5e20dc84a562a5770aa781af91f89287677bf00b98943350499acc711bceb1673f5edaa012124ecc488922d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d78ec31683f0803a6894d0f9fe359458

SHA1
314765e1ad8f3a7d2f14afbe64dd396441704df0

SHA256
cfad891068e7a49591406434639d69501281669a0fe15f34fbccdedf5f64a701

SHA512
477e3b5eb32a9299b72bffab8d98021bfd2898c0a2940f3eb9f397b33c319b5c79565d8db49ea89249190c2b91c87c67fae9afe42d1e46f1744420df7e584591

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7899a9f775e22101d7e196e20175213e

SHA1
29d6060ad7e707a3e047d7d53d5e64d357d883ba

SHA256
288513fa239c50f29f42d52d2c2dbba718d3ca6b2a9aec93175c3390720e4e7b

SHA512
a57aa41fcc4e403205ad66f1be522202be42bf07118636a6f291b004429bdd3a957d02c774814777a982a66374357c4204d18e44c34ceaedec9cc2103537d414

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5db087d5383e90d6911593ba4407194c

SHA1
7f0d5d73bad2ae0ba5371a7b86fec0b393e7c5af

SHA256
9aeddc125f7fa01ab1ee48e0a869ad9938127b18f0b632daa3cf6013adabb026

SHA512
58bd745012e02f329f86719d997204755a4c6925aec8e65d41f2848efbd3688ad4c357b9ac6f7c7c2225cdfd59daade4070240e8747bcf75001c69cc657d37fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f77abd9d688251cd6c97b71d24a2e20f

SHA1
5dd3269797e06278684701138c1207bf4b7aab56

SHA256
3cd6b944c92f892dd55ea3f98081a4eff57248966565b251752f18273f33d142

SHA512
c8a1a1c47189957c147a0814730d180a5cc271d67f6b949a2cb50dff80d631f18d58dbd8d6bca4c9203ecac9e4838c0e0a489a20c9a3ed79fc6376f4949bcb7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
85410574c7e54221ddc39af258f19d8b

SHA1
714a493cc7108d94969744df8cfbdc6ab289f572

SHA256
22ae470ceeddaff188aca8009e9829396c1f43fed6744c6963ff8ed97fda626c

SHA512
c6f61afef8b8f3a2683df4ae0fe86e8e6703482383ba4a71822c0e0226e01fca8377faea5eab37b01abb198c6b8cdab907eeced1391e31bfdd8932987bbb2f62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b1920b2e1f7fee07733e09334200b087

SHA1
b7a8da1f4bb6c11a8ff42ff589ac35683f2ba091

SHA256
b4fbeb4ee8ef4262966fdd92bebd1465b4bb99eb0999d25663bf819b7f6a1363

SHA512
7435010b529af1e4bd178eb6deaa1fef5597599dfdb9a2ffd1ba53f73c9b8e31b612ac967bf471643788efeb4c32da3b4f6430a9d7fb65aa23816a2bb82eb805

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
45b11976c364a3eb39d18f6fe22377c4

SHA1
a75c033441e10500d5da37bfffcbcc1d36e0d8e6

SHA256
672179ac80d88b89c5bf0fdcae61a2e8c799455a743e7a1a4172210dc18e28c5

SHA512
77a4a13807693a9ce01b941947e804ce5c109a710120bbdeca0d0be080bf631dc59d86364cd3d0ce084a3b5e3d2ba062e23d3068698e61ff2e0a0427cd2fc8ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f1b021a980acb553cd8d399335d5557d

SHA1
b2f2fc3db1e2a13bb547e4fd83810c915972c837

SHA256
5b2ed735e65a46e08fe3a9232a32ada4b832fa98c204b310e0372dbefe686a02

SHA512
709730f6ff2521a178c1366a13165aa9516dc30eae2b9a70291aea318231c07fa1b3ca928bc258b4ac7285dcae73d9fd8952ab757892a8451acfb145b17bbf8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
61ff10e78ce3dab6d2b6ac40f644dca9

SHA1
4d9573922b833ee2f2f62dba0e67366a1a1dd3bc

SHA256
39d30e43efc7282e0dce6acc807dc4ebb287a29d69202de187fec360657aba1c

SHA512
74ab52ff91de15c74ea1b2b2734935feace8ec6ec3915d51ccfd812048c8dc76b8454bb920961dfdf61fa8974a92cb3055347ff6cf074ffd3c4b5fd8b3f49e5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3ba0eb64d72826ab42583ac83f71f651

SHA1
89f2f50e2747c6013686cc69e0619ec8f8e62001

SHA256
f5f1d1b6573c17bcd1a3b9eb3f69aa20f1f285180e00d9584838f10cd1bb80fc

SHA512
fa463b34f45056bea7fc37a6ed371638e312496144c31aeafe592184fb0ab108c91b69ccca30088a24996a1a41ff2402583f08a62b9d4e89f8274b6e39f14a21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5a7a3cc66424ac514b85fbe1e46718b9

SHA1
9c08c750d0a789c8064120e3ae1bd180dacc37ed

SHA256
1b7f1cc2238b07fd9e19581b54f04e3815919d581a289fde1828405dd85cba5d

SHA512
db42876bf41cdfcfb82be9ad04c3e6565b927f10a11e0a75a8da431577528fabbe0d8108cf6b607e634f63cfa50fc8d642b67b59883ec5c9baa2e7bbcb857ed4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
60b043a8774dc52f3f1395023c1c0251

SHA1
514b93a0e05f0422fd8821ded028734a33be97ea

SHA256
fef754ae1bd99bd8491901257cb7b2a48fcbe42869370763223b3baa2a1587a0

SHA512
c728fe5819d7d4e46d0d6897b84eac8b3bffca9027270db89be1b05449d9d1b5d762af8b5b6b7febccb121a343bb418e5e6143f94a3ac5649dbf9768278d1ab8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
48480612b0691e10d119f275ff3b0331

SHA1
f9c6c9442ff0ee0a33fbda2bea93a4c4d3ac5465

SHA256
be08ddb4d82a103dbd297dfdadc019248575ea7b731ab307f897d3a83b7f466c

SHA512
7a50e6c8a5c72c298bed4b10f04392430c94d385ad65b1044d843856380b4a5aa51529acdc93ac04652af554ce1130b2b106cb83273619ff8b9d57f800c5c58e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
37f5e25046875f2d47f66fc9f75e7b73

SHA1
0f837f51733851fe2624ebd09abb84bc066de342

SHA256
d80799334724fd825a24bf36146579bb2af42bc717a1ff492ca483d17b7eec54

SHA512
24b37fdc5e5adccaa86df0a9bdc7e3d2c12032b5531e2a140cdec1214b9a08f7a0510b0e736e0ff4a402b060897f5b2b8e3a1a06823f27018e68305527ceb53e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
85132b0086d371741a60af9c2dcff2eb

SHA1
78244af5905b95b60c4887595491eab141889857

SHA256
da84894a16cbd71401f0ca8d42883debcd624d3f8cf1915d7fefbb6af3660db3

SHA512
357cfe263bd93b2976df215ce450b349e915c945b23494a487cc58448d43a5c0b442f8e553cc4856666bed695ef3487a1f769770ea8d41c03b53d8a8182ec625

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c42c75e323cddfbebbdbf17d7702528a

SHA1
5235c641a6328db84e49e5325c636ca22d9e95d8

SHA256
293116f11aebcab16d8a4bece9d9a597cba150d697250c7612079bc4711a0608

SHA512
ff6c49729a0d4c45aacd6d895bfd4e19710b2fb65fae790fca53d737d10dfc65989dfa28fd14bec03d95d14f061a1b05d495fbc162d1e54f459c4699b3a59b7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f83962155de9888adf6fbda25bc5c935

SHA1
529d1fe7815134a903d37aff2ab49b8818676015

SHA256
0f8366ec3d24a4c30658ad722abd94a9af1a0c59b6bd2eee3f03888e5c9c5cd4

SHA512
771c1d0283b8cdd169177a5992ffc6bb1a0cbef793343004bca8a64712d148093c2282991b4e005e90b2369c579c4f756e44102bed44dd32e2070d1a8606d36d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
58d16eb6934cca2ee766af245b78f67e

SHA1
c96c52aa8203acc9df175d4b433babe9d3ec6fc1

SHA256
6924e0233145120603c78c64d540ad4cffbd139495eda75e16591adadd7e6463

SHA512
3982c2fd983a2c6e46369315c99f1b2e13654280994f3c94f365b499ccd72f7438d531bf9fac852ef86407889b7e81210f811190d85aefbc6f6d7642d1518246

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a6e19c65a0471e68e4e594a9545c218d

SHA1
58bc5ebdac456b04bb4f71d634acd66f6f5b5aa7

SHA256
46aa707e53a809968eb1a9bdb0cf1326b96234f07296b43005826ad88c2a9710

SHA512
2afdf4229a25f3e02b7b762cc44561b2b58c00119109fe4a90108acdaa227dd5801dc89db3fcdb7d5458d468a411a2cbdf99ce4363e8d62b5788fdee50620369

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
918399d5410142857e6bbb8af17c3e28

SHA1
2adc1468afccaca2d3929bd780fb2072049e17ef

SHA256
5a0a7807a432a604c3e27ecc1e8f4d74e15e071f6208843616411b95f87f0115

SHA512
a9310c0a43df33d2586e2928ef9e677f6db8bed65e763b7acc2c3102aab1ed5fd8f6c76fa5e8006f04d27be85de65a3f0c8c0f124357c9f49e8608b0d9a44720

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b8811560997bddb4eac19513aa5f719f

SHA1
c7c6fd2a94e0bb6961b82584e06ded9db8b1a95a

SHA256
94eb5b75656cfa3311b564f6d8086ff535ed3787a317bb693bb8715a407d2bc4

SHA512
c82ae27eb0c015d121bf64e59346f2081d8d6bfebacfc75019713e6da11e1dd749c2b642438023ee593e41d4cfd1d157a4365ef591994ebcddd29934da171a71

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5b51dbf96f941987cedfda49097ffc0b

SHA1
90396909c4fda625c032808616dc156ec732309a

SHA256
bdbe22c44dea9c0e7b5b853125654f5806f918480f21e27f5e235b8d2bef2f12

SHA512
5b10805c6482a4b083417a3d6766319a21a7b1cd5c21aaed4d9f0981d65bba38c1eb7627dd3b8f03d5dfa733b7fd0da001b8b7a0fabc224c1194a1caf3e1940b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3e460ed31abcda33ea466a26cd703ed0

SHA1
efb66c04b40e8ed10a4e3de3beb9b46b9d23ced5

SHA256
70c2f9bd973859e9e238b3991f6d8a6e5f646a96cf824710dcf5c4099382e61c

SHA512
bb820a814b76b7e8b2f98deb8577a33c85b6a5e87efcf89410a4164ddff83eb2063c379368930de1f44e073ee8e1bf478ceddf1c3efe8f0c297751dc02ce470e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ecaab3e1158d5b3d2278bc3e07551ef4

SHA1
ee425937f3707233d1a7ff8efd5be697210713c8

SHA256
7da2781794671b509492c19d402f2480284938951f0fa3139eec9eda04c335c5

SHA512
bb0b88faac704985661d25c5a5caac21e373d431781e72f53894d365d3a2acd2a45fb456f018a33ab78251a95732ee66c6d47cfc83ad4e0e7eefae6334e506d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
372aa583098c2cad27b067292eb56c6e

SHA1
d616c873cf0ba007c836f827ceaaaf8b6e21ceb8

SHA256
87d0ea1903a159ed33b78232703dfa69b08ed376162c97fecf4d50cb96b7c9a5

SHA512
ee6944c61d7517c64f177ce8788eb03d64b87765d8f881bf9edc2c4065c1548212b26ad45616b66b1008a68b4203009f28320ed85a6289cb58b192aa020f9fc1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7346a1dac9ccd950ecbef3d8d63cb4c9

SHA1
b0c0888da0c608548218d299f0dd23cb16e21d2a

SHA256
34e84dace007fa8d47e1d4d4e29d8e762c4bc610446360f6103c8153678f5bb3

SHA512
a82319151332da737114f7747bc1074918eed66de6f4ef000a2726a63f4e7a1269afb0ec7ff56bc2aeebbabb91cb0ddd7b9b68acc8101269e142eee99dc109d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A

Filesize
252B

MD5
96689a10e59042e25ee884eb22210b75

SHA1
eeb2b99fb73acb9e6fd192448f0f54fb7cca2ed9

SHA256
5e6aeca2b47eb82cbfe4b04d7ca45255f3a3ec0ccf22c2cee42698f2c8d6fc87

SHA512
b75cd48d8dd9e4ce8e345fc9e769169ac8661534496537193a916fda50f723ce8294bb86d66e7c45a5f3bcdd542cc10611fb6420fed3fcd9bd71bc3803466a4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F59A01A8B782D93EA6991BC172CEFFB1

Filesize
242B

MD5
11a8f74de93f7fc635ddc196837e31bc

SHA1
10510c352618c7b7746b67b5f4611f42dda2a396

SHA256
c68949af3f488b98f843a59e5eaff0ecc33c3bcb6d414da8d3e48a5e999ddbda

SHA512
9e81a340dbf2821dbc49c8e647209b4f9aa6d4f330dc893180197d3891cddcf540206a7da1ac5712c4e6790e5c728f342adc001da548d65827389f818810e221

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEAFD.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF240.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFA90.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Roaming\Salwyrr Launcher\Dictionaries\en-US-10-1.bdic

Filesize
441KB

MD5
4604e676a0a7d18770853919e24ec465

SHA1
415ef3b2ca0851e00ebaf0d6c9f6213c561ac98f

SHA256
a075b01d9b015c616511a9e87da77da3d9881621db32f584e4606ddabf1c1100

SHA512
3d89c21f20772a8bebdb70b29c42fca2f6bffcda49dff9d5644f3f3910b7c710a5c20154a7af5134c9c7a8624a1251b5e56ced9351d87463f31bed8188eb0774

Download Submit
C:\Users\Admin\AppData\Roaming\Salwyrr Launcher\Local Storage\leveldb\CURRENT~RFf76d5e5.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\Salwyrr Launcher\Network\Cookies

Filesize
28KB

MD5
ccf182eba517015b532f6f9a17958a0b

SHA1
95b431a3b0831c063651726fa3e11dc94c5e81a9

SHA256
50689921dec5daa501017f897a08d1b39a9ca2a95cb8ef53b60fd1ee0bbbb9ed

SHA512
581f833282544f223374e7e3929ff9aa301329e9fa4318c627f474d6efa7adbc699c3de5f28b4e7f69a8cf40eb535e310178dab36937fb0e0dcb1ddeb414f9c8

Download Submit
C:\Users\Admin\AppData\Roaming\Salwyrr Launcher\Network\TransportSecurity

Filesize
362B

MD5
9e38bd465858b6b162bebd1769e720b6

SHA1
c7464ccfec9a64ef714dcabba34af55989d04c58

SHA256
7b24319e8426f17eceb16ca90eaaaab68c5b46faafbcf681e268dd14ee57e995

SHA512
3e73ab477f4d287c6934d9e24ee835123b26ca563a2d28ef122983477dc487e309048aac55f7576f1a79e5b9de4187f44137a57858bac480dacdea3ec6ac77bc

Download Submit
C:\Users\Admin\AppData\Roaming\Salwyrr Launcher\Network\TransportSecurity

Filesize
1KB

MD5
d3e47d2bd06a7126fd1ddc247db94e7b

SHA1
a7d9e69a2c9591b89f280e420375e842d987fb3a

SHA256
d7d75a2186e7665f2a77d34a939e251cc732acac7b95fc6536acde9078205b41

SHA512
4b679fe2a4749a326b25713d23ccef4882ed607a21e4779da6616e303af8be0275059c23fc43888f773734f001be3a88ba3a499c8e195fb23ef856e4af1802cf

Download Submit
C:\Users\Admin\AppData\Roaming\Salwyrr Launcher\Network\TransportSecurity

Filesize
1KB

MD5
0042cf5a6b71f72a0724f4cfe18cc34c

SHA1
9fcd95dba58c69f54e4b903a1769f91d229de6ee

SHA256
3a3c094365699dcac77c7cb44194634298bd80a57a82e9fab7ba69cc1eaae154

SHA512
9554722e75b58e7fa1d5992b1f585625de37a208e19d14d4958afc897176981f0bb661090f6d680a6e4f002009493175f3f0e62ff10383049d8187abbdad3bc9

Download Submit
C:\Users\Admin\AppData\Roaming\Salwyrr Launcher\Network\TransportSecurity

Filesize
1KB

MD5
7dc92dad4c0f10806940d5350c29fa0b

SHA1
43533b4c15daef80cd07689f76abf8c23ab16f06

SHA256
b758e4905536525b5668cdba45d02ed17cec030faa9c143bbb1082bf72785673

SHA512
dac855961282bdce4342986f159a2c8f85b6dc019afccab371e06eb32fb8713d8867ef1ea3ab4e319b5a14aa3c1a3b8297d242b9de444ea6dca04fe09c668df9

Download Submit
C:\Users\Admin\AppData\Roaming\Salwyrr Launcher\Session Storage\000002.dbtmp

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Roaming\Salwyrr Launcher\config.json

Filesize
140B

MD5
2dee85ac19aebaa50662a4ba424441af

SHA1
d0b03e28e9a14d48a1a9b206e92dc1bf1266328e

SHA256
dc4d87159e452383f6e39c1b7dd2830c69457a547565c43cfd9e9b86f336f336

SHA512
651d95e57716081376c14c26852e01997c77597da0e0350620ad4cadbf14f0a02956d7b3e8cbdf52a777b64f7ef7db63066791e24074d5e5b57a38af2b7c6a6e

Download Submit
C:\Users\Admin\AppData\Roaming\Salwyrr Launcher\f98c7aa8-6b88-4daf-8f72-0a156bcc8bb4.tmp

Filesize
57B

MD5
58127c59cb9e1da127904c341d15372b

SHA1
62445484661d8036ce9788baeaba31d204e9a5fc

SHA256
be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

SHA512
8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

Download Submit
memory/1752-2286-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/1752-9-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/2604-2-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2604-80-0x0000000077590000-0x0000000077591000-memory.dmp

Filesize
4KB

Download