meduza | hxxps://github[.]com/irantom66bombawot/solara-roblox/releases/download/Update!/solare[.]zip

Analysis

max time kernel
92s
max time network
96s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
06-01-2025 14:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/irantom66bombawot/solara-roblox/releases/download/Update!/solare.zip

Score

10^/10

meduza discovery execution persistence stealer

Malware Config

Extracted

Family

meduza

45.130.145.152

Attributes

anti_dbg
true
anti_vm
true
build_name
Work
extensions
.txt;.doc;.docx;.pdf;.xls;.xlsx;.log;.db;.sqlite
grabber_max_size
4.194304e+06
port
15666
self_destruct
false

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 3 IoCs

resource	yara_rule
behavioral1/memory/2832-129-0x0000000140000000-0x000000014013E000-memory.dmp	family_meduza
behavioral1/memory/2832-133-0x0000000140000000-0x000000014013E000-memory.dmp	family_meduza
behavioral1/memory/2832-132-0x0000000140000000-0x000000014013E000-memory.dmp	family_meduza

Meduza family
meduza

Executes dropped EXE 6 IoCs

pid	Process
5992	relax.exe
2832	relax.exe
3372	butty.exe
3092	butty.exe
5184	butty.exe
4092	butty.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinDiesel = "C:\\Users\\Admin\\AppData\\Local\\Temp\\copied_self.exe"	butty.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinDiesel = "C:\\Users\\Admin\\AppData\\Local\\Temp\\copied_self.exe"	butty.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5912	powershell.exe
5132	powershell.exe
4492	powershell.exe
4696	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 5992 set thread context of 2832	5992	relax.exe	103
PID 3372 set thread context of 3092	3372	butty.exe	105
PID 5184 set thread context of 4092	5184	butty.exe	115

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\solare.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2536	msedge.exe
2536	msedge.exe
5420	msedge.exe
5420	msedge.exe
2184	msedge.exe
2184	msedge.exe
2512	identity_helper.exe
2512	identity_helper.exe
3460	msedge.exe
3460	msedge.exe
5912	powershell.exe
5912	powershell.exe
5912	powershell.exe
5132	powershell.exe
5132	powershell.exe
5132	powershell.exe
4492	powershell.exe
4492	powershell.exe
4492	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	5912	powershell.exe
Token: SeDebugPrivilege	5132	powershell.exe
Token: SeDebugPrivilege	4460	solare.exe
Token: SeDebugPrivilege	2832	relax.exe
Token: SeImpersonatePrivilege	2832	relax.exe
Token: SeDebugPrivilege	4492	powershell.exe
Token: SeDebugPrivilege	4696	powershell.exe
Token: SeDebugPrivilege	5000	solare.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe
5420	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2832	relax.exe
3092	butty.exe
4092	butty.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5420 wrote to memory of 2740	5420	msedge.exe	77
PID 5420 wrote to memory of 2740	5420	msedge.exe	77
PID 5420 wrote to memory of 5228	5420	msedge.exe	78
PID 5420 wrote to memory of 5228	5420	msedge.exe	78
PID 5420 wrote to memory of 5228	5420	msedge.exe	78
PID 5420 wrote to memory of 5228	5420	msedge.exe	78
PID 5420 wrote to memory of 5228	5420	msedge.exe	78
PID 5420 wrote to memory of 5228	5420	msedge.exe	78
PID 5420 wrote to memory of 5228	5420	msedge.exe	78
PID 5420 wrote to memory of 5228	5420	msedge.exe	78
PID 5420 wrote to memory of 5228	5420	msedge.exe	78
PID 5420 wrote to memory of 5228	5420	msedge.exe	78
PID 5420 wrote to memory of 5228	5420	msedge.exe	78
PID 5420 wrote to memory of 5228	5420	msedge.exe	78
PID 5420 wrote to memory of 5228	5420	msedge.exe	78
PID 5420 wrote to memory of 5228	5420	msedge.exe	78
PID 5420 wrote to memory of 5228	5420	msedge.exe	78
PID 5420 wrote to memory of 5228	5420	msedge.exe	78
PID 5420 wrote to memory of 5228	5420	msedge.exe	78
PID 5420 wrote to memory of 5228	5420	msedge.exe	78
PID 5420 wrote to memory of 5228	5420	msedge.exe	78
PID 5420 wrote to memory of 5228	5420	msedge.exe	78
PID 5420 wrote to memory of 5228	5420	msedge.exe	78
PID 5420 wrote to memory of 5228	5420	msedge.exe	78
PID 5420 wrote to memory of 5228	5420	msedge.exe	78
PID 5420 wrote to memory of 5228	5420	msedge.exe	78
PID 5420 wrote to memory of 5228	5420	msedge.exe	78
PID 5420 wrote to memory of 5228	5420	msedge.exe	78
PID 5420 wrote to memory of 5228	5420	msedge.exe	78
PID 5420 wrote to memory of 5228	5420	msedge.exe	78
PID 5420 wrote to memory of 5228	5420	msedge.exe	78
PID 5420 wrote to memory of 5228	5420	msedge.exe	78
PID 5420 wrote to memory of 5228	5420	msedge.exe	78
PID 5420 wrote to memory of 5228	5420	msedge.exe	78
PID 5420 wrote to memory of 5228	5420	msedge.exe	78
PID 5420 wrote to memory of 5228	5420	msedge.exe	78
PID 5420 wrote to memory of 5228	5420	msedge.exe	78
PID 5420 wrote to memory of 5228	5420	msedge.exe	78
PID 5420 wrote to memory of 5228	5420	msedge.exe	78
PID 5420 wrote to memory of 5228	5420	msedge.exe	78
PID 5420 wrote to memory of 5228	5420	msedge.exe	78
PID 5420 wrote to memory of 5228	5420	msedge.exe	78
PID 5420 wrote to memory of 2536	5420	msedge.exe	79
PID 5420 wrote to memory of 2536	5420	msedge.exe	79
PID 5420 wrote to memory of 1136	5420	msedge.exe	80
PID 5420 wrote to memory of 1136	5420	msedge.exe	80
PID 5420 wrote to memory of 1136	5420	msedge.exe	80
PID 5420 wrote to memory of 1136	5420	msedge.exe	80
PID 5420 wrote to memory of 1136	5420	msedge.exe	80
PID 5420 wrote to memory of 1136	5420	msedge.exe	80
PID 5420 wrote to memory of 1136	5420	msedge.exe	80
PID 5420 wrote to memory of 1136	5420	msedge.exe	80
PID 5420 wrote to memory of 1136	5420	msedge.exe	80
PID 5420 wrote to memory of 1136	5420	msedge.exe	80
PID 5420 wrote to memory of 1136	5420	msedge.exe	80
PID 5420 wrote to memory of 1136	5420	msedge.exe	80
PID 5420 wrote to memory of 1136	5420	msedge.exe	80
PID 5420 wrote to memory of 1136	5420	msedge.exe	80
PID 5420 wrote to memory of 1136	5420	msedge.exe	80
PID 5420 wrote to memory of 1136	5420	msedge.exe	80
PID 5420 wrote to memory of 1136	5420	msedge.exe	80
PID 5420 wrote to memory of 1136	5420	msedge.exe	80
PID 5420 wrote to memory of 1136	5420	msedge.exe	80
PID 5420 wrote to memory of 1136	5420	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/irantom66bombawot/solara-roblox/releases/download/Update!/solare.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff994db3cb8,0x7ff994db3cc8,0x7ff994db3cd8
  2⤵
  PID:2740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,310227623607833688,2810798860160438734,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1884 /prefetch:2
  2⤵
  PID:5228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1872,310227623607833688,2810798860160438734,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1872,310227623607833688,2810798860160438734,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:8
  2⤵
  PID:1136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,310227623607833688,2810798860160438734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:6064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,310227623607833688,2810798860160438734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:6084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1872,310227623607833688,2810798860160438734,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4668 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,310227623607833688,2810798860160438734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1
  2⤵
  PID:3164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,310227623607833688,2810798860160438734,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
  2⤵
  PID:5248
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1872,310227623607833688,2810798860160438734,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5596 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,310227623607833688,2810798860160438734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
  2⤵
  PID:4128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,310227623607833688,2810798860160438734,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
  2⤵
  PID:3696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,310227623607833688,2810798860160438734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:1336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,310227623607833688,2810798860160438734,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5844 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3460

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3312

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:128

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4212

C:\Users\Admin\Downloads\solare\solare.exe
"C:\Users\Admin\Downloads\solare\solare.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ExecutionPolicy Bypass -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ExecutionPolicy Bypass -Command "Set-MpPreference -UILockdown $true"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5132
- C:\Users\Admin\AppData\Local\Temp\relax.exe
  "C:\Users\Admin\AppData\Local\Temp\relax.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5992
- - C:\Users\Admin\AppData\Local\Temp\relax.exe
    "C:\Users\Admin\AppData\Local\Temp\relax.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2832
- C:\Users\Admin\AppData\Local\Temp\butty.exe
  "C:\Users\Admin\AppData\Local\Temp\butty.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3372
- - C:\Users\Admin\AppData\Local\Temp\butty.exe
    "C:\Users\Admin\AppData\Local\Temp\butty.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx
    PID:3092

C:\Users\Admin\Downloads\solare\solare.exe
"C:\Users\Admin\Downloads\solare\solare.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ExecutionPolicy Bypass -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ExecutionPolicy Bypass -Command "Set-MpPreference -UILockdown $true"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4696
- C:\Users\Admin\AppData\Local\Temp\butty.exe
  "C:\Users\Admin\AppData\Local\Temp\butty.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5184
- - C:\Users\Admin\AppData\Local\Temp\butty.exe
    "C:\Users\Admin\AppData\Local\Temp\butty.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx
    PID:4092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\solare.exe.log

Filesize
1KB

MD5
b8418ed2a59189acecef48efbc2eba7d

SHA1
14f53c898215122eb28ab41c94697e63a63ff925

SHA256
e17b3fd5b8c8ac454e8fa71e04fd011f27bfab2de07e0319be1d32e916f37a84

SHA512
1ffcaa0e0e5507fdbdb06eb08be210aa3482e587f76be82f2d35ba43a218e3b8c8e8c2aa37ab9d211ebdc7be7896cc53f6064b0694500cb235ef6a720ed9d25d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
003b92b33b2eb97e6c1a0929121829b8

SHA1
6f18e96c7a2e07fb5a80acb3c9916748fd48827a

SHA256
8001f251d5932a62bfe17b0ba3686ce255ecf9adb95a06ecb954faa096be3e54

SHA512
18005c6c07475e6dd1ec310fe511353381cf0f15d086cf20dc6ed8825c872944185c767f80306e56fec9380804933aa37a8f12c720398b4b3b42cb216b41cf77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
051a939f60dced99602add88b5b71f58

SHA1
a71acd61be911ff6ff7e5a9e5965597c8c7c0765

SHA256
2cff121889a0a77f49cdc4564bdd1320cf588c9dcd36012dbc3669cf73015d10

SHA512
a9c72ed43b895089a9e036aba6da96213fedd2f05f0a69ae8d1fa07851ac8263e58af86c7103ce4b4f9cfe92f9c9d0a46085c066a54ce825ef53505fdb988d1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
265B

MD5
f5cd008cf465804d0e6f39a8d81f9a2d

SHA1
6b2907356472ed4a719e5675cc08969f30adc855

SHA256
fcea95cc39dc6c2a925f5aed739dbedaa405ee4ce127f535fcf1c751b2b8fb5d

SHA512
dc97034546a4c94bdaa6f644b5cfd1e477209de9a03a5b02a360c254a406c1d647d6f90860f385e27387b35631c41f0886cb543ede9116436941b9af6cd3285d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fe71472d21b242c3ecd3a7ef8627069d

SHA1
84ee2e22c76ef3d15d2930d861e85dbc78162e1f

SHA256
8032745bb2f1554a8ffd69db35825c3806746342b4f8cae53ad48a8a4f7a23fc

SHA512
85b2351bc2e052e5e7c99f60c8c893280db58a86e75b52875f5c8c5c17874194e8cd858a3b02bad5280ea38cfb9d49d2ef64804e1e1efd153dfea5b885db77d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e5c2b479cd2b5d195aaa0dd9dd9c9386

SHA1
deadd6036078226001490d62d3b54c37e27687f3

SHA256
c99c4feca0817df119521f815e335fb697ccbb3ef3a7d918ccfa15c256dbd6fa

SHA512
446238c7b848fee2cc57e7731dbca081857079da9fdd4372b0face07844ba469e70c4454be5d451a5fec169082a05fd3f35351169e4ef3a393357dba12d381fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
11cad04d2f5bf19acbfc3db5ff3f3351

SHA1
8e61289aeb825a32cfe851f966f16a58dc5f0ff7

SHA256
c1d55fb0b6b646d9d44b30d30a22ca2364d4e5a8d0781e4a63ad315e7f03cc1d

SHA512
738f8cad67c0ea923a81f46fa6575aada6228d6612978fa0435e60dee653dff72295a4ad8bbf3c127d3a77a3018e5963f5b1007740724dc02ead921a4e0c2d2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4914eb0b2ff51bfa48484b5cc8454218

SHA1
6a7c3e36ce53b42497884d4c4a3bda438dd4374b

SHA256
7e510fc9344ef239ab1ab650dc95bb25fd44e2efba8b8246a3ac17880ee8b69e

SHA512
83ab35f622f4a5040ca5cb615a30f83bb0741449225f1fd1815b6923e225c28241d0c02d34f83f743349a5e57f84ca1c6f44016797a93d5985be41d11be79500

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e07eea85a8893f23fb814cf4b3ed974c

SHA1
8a8125b2890bbddbfc3531d0ee4393dbbf5936fe

SHA256
83387ce468d717a7b4ba238af2273da873b731a13cc35604f775a31fa0ac70ea

SHA512
9d4808d8a261005391388b85da79e4c5396bdded6e7e5ce3a3a23e7359d1aa1fb983b4324f97e0afec6e8ed9d898322ca258dd7cda654456dd7e84c9cbd509df

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_flt340mu.uzv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\butty.exe

Filesize
3.1MB

MD5
3c3a898442526b47ad166a3774263e3e

SHA1
3e468fdc7ca16461f934559391d70b7296693d97

SHA256
5be48844ce2ddefeac5d05580d420cb64990e82e89504b930cfb30962a5ce441

SHA512
22ccaed307c4a2ab16ab3eb1dc00deff233f3d734730193d65c2a52bb208da8ab68c98e4605b3846c28fcc6b0106e5e2e31c52161d073e6eae75cd955beb89fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\relax.exe

Filesize
3.1MB

MD5
bec59ef4a85d4996622a0cad150f752c

SHA1
4414781aed2bad425cad3d36e3748f3e3d211747

SHA256
60e66e1f5f94ae12b02e0198be4b70ec2b2abaa0e98df8d74f9583c8764fdca9

SHA512
9bc032eef38daf863cb3425aeb2901d80c8cca269f3b47c2466338568e6ed22764b8230d391921c9de6df9dcd33fd35b87201fd73f35e200c70cfcec9a67d643

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 152674.crdownload

Filesize
837KB

MD5
d1afe06b680300ee6d7391acd7821934

SHA1
c80ba87c7bc836eba8964a6a33581116ede22fd8

SHA256
30423de0f514b2796ccfe1863e5a0d88e9648c13967aad4b01e07b4db54b734b

SHA512
bba8a9a613a0760ef81aae6f2919961acba92d5dce0efebe549ea7cb19742a4dd99ddd64ddd9dac5fb71669c93d3c7c12de656e941f85d5cd1574cba251b1204

Download Submit
C:\Users\Admin\Downloads\solare.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/2832-129-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/2832-132-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/2832-133-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3092-142-0x0000000140000000-0x0000000140080000-memory.dmp

Filesize
512KB

Download
memory/3092-144-0x0000000140000000-0x0000000140080000-memory.dmp

Filesize
512KB

Download
memory/3092-146-0x0000000140000000-0x0000000140080000-memory.dmp

Filesize
512KB

Download
memory/3092-147-0x0000000140000000-0x0000000140080000-memory.dmp

Filesize
512KB

Download
memory/4092-204-0x0000000140000000-0x0000000140080000-memory.dmp

Filesize
512KB

Download
memory/4092-207-0x0000000140000000-0x0000000140080000-memory.dmp

Filesize
512KB

Download
memory/4092-213-0x0000000140000000-0x0000000140080000-memory.dmp

Filesize
512KB

Download
memory/4460-98-0x00000208316B0000-0x00000208326B0000-memory.dmp

Filesize
16.0MB

Download
memory/5912-104-0x000001E52E710000-0x000001E52E732000-memory.dmp

Filesize
136KB

Download