Malware Analysis Report

2024-11-13 13:46

Sample ID 240717-ng89va1fqd
Target Riga Client.exe
SHA256 4963827ab4881382f900255fa034f5c5f369cdc11d30863c69a04ed7f6abca5e
Tags rat dcrat infostealer persistence
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

4963827ab4881382f900255fa034f5c5f369cdc11d30863c69a04ed7f6abca5e

Threat Level: Known bad

The file Riga Client.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer persistence

Process spawned unexpected child process

DcRat

DCRat payload

Dcrat family

Modifies WinLogon for persistence

DCRat payload

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-17 11:23

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-17 11:23

Reported

2024-07-17 11:25

Platform

win7-20240705-en

Max time kernel

61s

Max time network

58s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Riga Client.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\componentCommon\\conhost.exe\", \"C:\\Users\\All Users\\Documents\\dwm.exe\", \"C:\\Windows\\Fonts\\dwm.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\lsass.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\componentCommon\\explorer.exe\", \"C:\\Windows\\AppPatch\\AppPatch64\\dllhost.exe\", \"C:\\Users\\Default User\\spoolsv.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\componentCommon\\conhost.exe\", \"C:\\Users\\All Users\\Documents\\dwm.exe\", \"C:\\Windows\\Fonts\\dwm.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\lsass.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\componentCommon\\explorer.exe\", \"C:\\Windows\\AppPatch\\AppPatch64\\dllhost.exe\", \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\componentCommon\\smss.exe\", \"C:\\Program Files\\Uninstall Information\\lsm.exe\", \"C:\\Users\\Default\\Links\\csrss.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\lsm.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\componentCommon\\explorer.exe\", \"C:\\Windows\\AppPatch\\AppPatch64\\dllhost.exe\", \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\componentCommon\\smss.exe\", \"C:\\Program Files\\Uninstall Information\\lsm.exe\", \"C:\\Users\\Default\\Links\\csrss.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\lsm.exe\"" C:\Users\Default User\spoolsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Uninstall Information\\lsm.exe\", \"C:\\Users\\Default\\Links\\csrss.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\lsm.exe\"" C:\Users\Default User\spoolsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\lsm.exe\"" C:\Users\Default User\spoolsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\componentCommon\\conhost.exe\", \"C:\\Users\\All Users\\Documents\\dwm.exe\", \"C:\\Windows\\Fonts\\dwm.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\lsass.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\componentCommon\\explorer.exe\", \"C:\\Windows\\AppPatch\\AppPatch64\\dllhost.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Fonts\\dwm.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\lsass.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\componentCommon\\explorer.exe\", \"C:\\Windows\\AppPatch\\AppPatch64\\dllhost.exe\", \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\componentCommon\\smss.exe\", \"C:\\Program Files\\Uninstall Information\\lsm.exe\", \"C:\\Users\\Default\\Links\\csrss.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\lsm.exe\"" C:\Users\Default User\spoolsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\AppPatch\\AppPatch64\\dllhost.exe\", \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\componentCommon\\smss.exe\", \"C:\\Program Files\\Uninstall Information\\lsm.exe\", \"C:\\Users\\Default\\Links\\csrss.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\lsm.exe\"" C:\Users\Default User\spoolsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\componentCommon\\conhost.exe\", \"C:\\Users\\All Users\\Documents\\dwm.exe\", \"C:\\Windows\\Fonts\\dwm.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\lsass.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\componentCommon\\explorer.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Documents\\dwm.exe\", \"C:\\Windows\\Fonts\\dwm.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\lsass.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\componentCommon\\explorer.exe\", \"C:\\Windows\\AppPatch\\AppPatch64\\dllhost.exe\", \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\componentCommon\\smss.exe\", \"C:\\Program Files\\Uninstall Information\\lsm.exe\", \"C:\\Users\\Default\\Links\\csrss.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\lsm.exe\"" C:\Users\Default User\spoolsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\componentCommon\\explorer.exe\", \"C:\\Windows\\AppPatch\\AppPatch64\\dllhost.exe\", \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\componentCommon\\smss.exe\", \"C:\\Program Files\\Uninstall Information\\lsm.exe\", \"C:\\Users\\Default\\Links\\csrss.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\lsm.exe\"" C:\Users\Default User\spoolsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\componentCommon\\conhost.exe\", \"C:\\Users\\All Users\\Documents\\dwm.exe\", \"C:\\Windows\\Fonts\\dwm.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\lsass.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\componentCommon\\conhost.exe\", \"C:\\Users\\All Users\\Documents\\dwm.exe\", \"C:\\Windows\\Fonts\\dwm.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\lsass.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\explorer.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\componentCommon\\conhost.exe\", \"C:\\Users\\All Users\\Documents\\dwm.exe\", \"C:\\Windows\\Fonts\\dwm.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\lsass.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\services.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\componentCommon\\conhost.exe\", \"C:\\Users\\All Users\\Documents\\dwm.exe\", \"C:\\Windows\\Fonts\\dwm.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\lsass.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\componentCommon\\explorer.exe\", \"C:\\Windows\\AppPatch\\AppPatch64\\dllhost.exe\", \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\componentCommon\\smss.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\componentCommon\\conhost.exe\", \"C:\\Users\\All Users\\Documents\\dwm.exe\", \"C:\\Windows\\Fonts\\dwm.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\lsass.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\componentCommon\\explorer.exe\", \"C:\\Windows\\AppPatch\\AppPatch64\\dllhost.exe\", \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\componentCommon\\smss.exe\", \"C:\\Program Files\\Uninstall Information\\lsm.exe\", \"C:\\Users\\Default\\Links\\csrss.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\lsm.exe\"" C:\Users\Default User\spoolsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\componentCommon\\smss.exe\", \"C:\\Program Files\\Uninstall Information\\lsm.exe\", \"C:\\Users\\Default\\Links\\csrss.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\lsm.exe\"" C:\Users\Default User\spoolsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Links\\csrss.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\lsm.exe\"" C:\Users\Default User\spoolsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\componentCommon\\conhost.exe\", \"C:\\Users\\All Users\\Documents\\dwm.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\componentCommon\\conhost.exe\", \"C:\\Users\\All Users\\Documents\\dwm.exe\", \"C:\\Windows\\Fonts\\dwm.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\componentCommon\\conhost.exe\", \"C:\\Users\\All Users\\Documents\\dwm.exe\", \"C:\\Windows\\Fonts\\dwm.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\lsass.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\componentCommon\\explorer.exe\", \"C:\\Windows\\AppPatch\\AppPatch64\\dllhost.exe\", \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\componentCommon\\smss.exe\", \"C:\\Program Files\\Uninstall Information\\lsm.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\componentCommon\\explorer.exe\", \"C:\\Windows\\AppPatch\\AppPatch64\\dllhost.exe\", \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\componentCommon\\smss.exe\", \"C:\\Program Files\\Uninstall Information\\lsm.exe\", \"C:\\Users\\Default\\Links\\csrss.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\lsm.exe\"" C:\Users\Default User\spoolsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\componentCommon\\smss.exe\", \"C:\\Program Files\\Uninstall Information\\lsm.exe\", \"C:\\Users\\Default\\Links\\csrss.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\lsm.exe\"" C:\Users\Default User\spoolsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\lsass.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\componentCommon\\explorer.exe\", \"C:\\Windows\\AppPatch\\AppPatch64\\dllhost.exe\", \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\componentCommon\\smss.exe\", \"C:\\Program Files\\Uninstall Information\\lsm.exe\", \"C:\\Users\\Default\\Links\\csrss.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\lsm.exe\"" C:\Users\Default User\spoolsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\componentCommon\\conhost.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\componentCommon\\conhost.exe\", \"C:\\Users\\All Users\\Documents\\dwm.exe\", \"C:\\Windows\\Fonts\\dwm.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\lsass.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\componentCommon\\explorer.exe\", \"C:\\Windows\\AppPatch\\AppPatch64\\dllhost.exe\", \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\componentCommon\\smss.exe\", \"C:\\Program Files\\Uninstall Information\\lsm.exe\", \"C:\\Users\\Default\\Links\\csrss.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe" C:\Users\Default User\spoolsv.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\componentCommon\ComInto.exe N/A
N/A N/A C:\Users\Default User\spoolsv.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\lsass.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\explorer.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\services.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\lsm.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\explorer.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\componentCommon\\explorer.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\AppPatch\\AppPatch64\\dllhost.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Default User\\spoolsv.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\lsass.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\componentCommon\\smss.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default\\Links\\csrss.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\componentCommon\\conhost.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\componentCommon\\conhost.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\All Users\\Documents\\dwm.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\componentCommon\\explorer.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\AppPatch\\AppPatch64\\dllhost.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Default User\\spoolsv.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files\\Uninstall Information\\lsm.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\Fonts\\dwm.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\componentCommon\\smss.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files\\Uninstall Information\\lsm.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\services.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default\\Links\\csrss.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\lsm.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\All Users\\Documents\\dwm.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\Fonts\\dwm.exe\"" C:\componentCommon\ComInto.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Uninstall Information\lsm.exe C:\componentCommon\ComInto.exe N/A
File created C:\Program Files\Uninstall Information\101b941d020240 C:\componentCommon\ComInto.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\explorer.exe C:\componentCommon\ComInto.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\7a0fd90576e088 C:\componentCommon\ComInto.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Fonts\dwm.exe C:\componentCommon\ComInto.exe N/A
File created C:\Windows\Fonts\6cb0b6c459d5d3 C:\componentCommon\ComInto.exe N/A
File created C:\Windows\AppPatch\AppPatch64\dllhost.exe C:\componentCommon\ComInto.exe N/A
File created C:\Windows\AppPatch\AppPatch64\5940a34987c991 C:\componentCommon\ComInto.exe N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\componentCommon\ComInto.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\spoolsv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1896 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\Riga Client.exe C:\Windows\SysWOW64\WScript.exe
PID 1896 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\Riga Client.exe C:\Windows\SysWOW64\WScript.exe
PID 1896 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\Riga Client.exe C:\Windows\SysWOW64\WScript.exe
PID 1896 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\Riga Client.exe C:\Windows\SysWOW64\WScript.exe
PID 3060 wrote to memory of 1980 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3060 wrote to memory of 1980 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3060 wrote to memory of 1980 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3060 wrote to memory of 1980 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1980 wrote to memory of 2804 N/A C:\Windows\SysWOW64\cmd.exe C:\componentCommon\ComInto.exe
PID 1980 wrote to memory of 2804 N/A C:\Windows\SysWOW64\cmd.exe C:\componentCommon\ComInto.exe
PID 1980 wrote to memory of 2804 N/A C:\Windows\SysWOW64\cmd.exe C:\componentCommon\ComInto.exe
PID 1980 wrote to memory of 2804 N/A C:\Windows\SysWOW64\cmd.exe C:\componentCommon\ComInto.exe
PID 2804 wrote to memory of 320 N/A C:\componentCommon\ComInto.exe C:\Users\Default User\spoolsv.exe
PID 2804 wrote to memory of 320 N/A C:\componentCommon\ComInto.exe C:\Users\Default User\spoolsv.exe
PID 2804 wrote to memory of 320 N/A C:\componentCommon\ComInto.exe C:\Users\Default User\spoolsv.exe
PID 320 wrote to memory of 1572 N/A C:\Users\Default User\spoolsv.exe C:\Windows\System32\WScript.exe
PID 320 wrote to memory of 1572 N/A C:\Users\Default User\spoolsv.exe C:\Windows\System32\WScript.exe
PID 320 wrote to memory of 1572 N/A C:\Users\Default User\spoolsv.exe C:\Windows\System32\WScript.exe
PID 320 wrote to memory of 3048 N/A C:\Users\Default User\spoolsv.exe C:\Windows\System32\WScript.exe
PID 320 wrote to memory of 3048 N/A C:\Users\Default User\spoolsv.exe C:\Windows\System32\WScript.exe
PID 320 wrote to memory of 3048 N/A C:\Users\Default User\spoolsv.exe C:\Windows\System32\WScript.exe
PID 320 wrote to memory of 1644 N/A C:\Users\Default User\spoolsv.exe C:\Windows\system32\cmd.exe
PID 320 wrote to memory of 1644 N/A C:\Users\Default User\spoolsv.exe C:\Windows\system32\cmd.exe
PID 320 wrote to memory of 1644 N/A C:\Users\Default User\spoolsv.exe C:\Windows\system32\cmd.exe
PID 1644 wrote to memory of 2904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1644 wrote to memory of 2904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1644 wrote to memory of 2904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\w32tm.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Riga Client.exe

"C:\Users\Admin\AppData\Local\Temp\Riga Client.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\componentCommon\TsZJDcKjHujznUYiyXhQefVwV2.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\componentCommon\j1nvYpGjbyEFrc.bat" "

C:\componentCommon\ComInto.exe

"C:\componentCommon\ComInto.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\componentCommon\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\componentCommon\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\componentCommon\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Documents\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Documents\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Documents\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\Fonts\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Fonts\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\Fonts\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\componentCommon\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\componentCommon\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\componentCommon\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\AppPatch\AppPatch64\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\AppPatch\AppPatch64\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\AppPatch\AppPatch64\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\componentCommon\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\componentCommon\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\componentCommon\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Links\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Links\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Links\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\lsm.exe'" /rl HIGHEST /f

C:\Users\Default User\spoolsv.exe

"C:\Users\Default User\spoolsv.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8eeba68d-8cbf-45ae-8309-1c19845f098d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\440f4fe4-9dcd-433f-a114-d591f0d5e174.vbs"

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "ComInto" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "ComIntoC" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "conhost" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "conhostc" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "dwm" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "dwmd" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "dwm" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "dwmd" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "lsass" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "lsassl" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "explorer" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "explorere" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "services" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "servicess" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "explorer" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "explorere" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "dllhost" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "dllhostd" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "spoolsv" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "spoolsvs" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "smss" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "smsss" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "lsm" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "lsml" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "csrss" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "csrssc" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "lsm" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "lsml" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "spoolsv" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "spoolsvs" /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\6M87tNVNy8.bat" "

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 ct54429.tw1.ru udp
RU 185.114.247.170:80 ct54429.tw1.ru tcp
RU 185.114.247.170:80 ct54429.tw1.ru tcp
RU 185.114.247.170:80 ct54429.tw1.ru tcp
RU 185.114.247.170:80 ct54429.tw1.ru tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-07-17 11:23

Reported

2024-07-17 11:25

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Riga Client.exe"

Signatures

DcRat

rat infostealer dcrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\RuntimeBroker.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\smss.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\smss.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\smss.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\smss.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\appcompat\\Programs\\sysmon.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\smss.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\appcompat\\Programs\\sysmon.exe\", \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\upfc.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Portable Devices\\smss.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Windows\\appcompat\\Programs\\sysmon.exe\", \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\upfc.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\"" C:\componentCommon\ComInto.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Riga Client.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\componentCommon\ComInto.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\winlogon.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\componentCommon\ComInto.exe N/A
N/A N/A C:\Recovery\WindowsRE\winlogon.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Recovery\\WindowsRE\\TextInputHost.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\appcompat\\Programs\\sysmon.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\WindowsRE\\wininit.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Windows Mail\\RuntimeBroker.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Windows Mail\\RuntimeBroker.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\WindowsRE\\winlogon.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Recovery\\WindowsRE\\TextInputHost.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Windows Portable Devices\\smss.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\WindowsRE\\winlogon.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\upfc.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Windows Portable Devices\\smss.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\appcompat\\Programs\\sysmon.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\upfc.exe\"" C:\componentCommon\ComInto.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\WindowsRE\\wininit.exe\"" C:\componentCommon\ComInto.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Portable Devices\69ddcba757bf72 C:\componentCommon\ComInto.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\upfc.exe C:\componentCommon\ComInto.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\ea1d8f6d871115 C:\componentCommon\ComInto.exe N/A
File created C:\Program Files\Windows Mail\RuntimeBroker.exe C:\componentCommon\ComInto.exe N/A
File opened for modification C:\Program Files\Windows Mail\RuntimeBroker.exe C:\componentCommon\ComInto.exe N/A
File created C:\Program Files\Windows Mail\9e8d7a4ca61bd9 C:\componentCommon\ComInto.exe N/A
File created C:\Program Files\Windows Portable Devices\smss.exe C:\componentCommon\ComInto.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\appcompat\Programs\sysmon.exe C:\componentCommon\ComInto.exe N/A
File created C:\Windows\appcompat\Programs\121e5b5079f7c0 C:\componentCommon\ComInto.exe N/A
File created C:\Windows\System\Speech\cmd.exe C:\componentCommon\ComInto.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Riga Client.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings C:\Recovery\WindowsRE\winlogon.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Recovery\WindowsRE\winlogon.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\componentCommon\ComInto.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\winlogon.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 740 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\Riga Client.exe C:\Windows\SysWOW64\WScript.exe
PID 740 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\Riga Client.exe C:\Windows\SysWOW64\WScript.exe
PID 740 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\Riga Client.exe C:\Windows\SysWOW64\WScript.exe
PID 3824 wrote to memory of 4252 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3824 wrote to memory of 4252 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3824 wrote to memory of 4252 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4252 wrote to memory of 3216 N/A C:\Windows\SysWOW64\cmd.exe C:\componentCommon\ComInto.exe
PID 4252 wrote to memory of 3216 N/A C:\Windows\SysWOW64\cmd.exe C:\componentCommon\ComInto.exe
PID 3216 wrote to memory of 4944 N/A C:\componentCommon\ComInto.exe C:\Recovery\WindowsRE\winlogon.exe
PID 3216 wrote to memory of 4944 N/A C:\componentCommon\ComInto.exe C:\Recovery\WindowsRE\winlogon.exe
PID 4944 wrote to memory of 628 N/A C:\Recovery\WindowsRE\winlogon.exe C:\Windows\System32\WScript.exe
PID 4944 wrote to memory of 628 N/A C:\Recovery\WindowsRE\winlogon.exe C:\Windows\System32\WScript.exe
PID 4944 wrote to memory of 2584 N/A C:\Recovery\WindowsRE\winlogon.exe C:\Windows\System32\WScript.exe
PID 4944 wrote to memory of 2584 N/A C:\Recovery\WindowsRE\winlogon.exe C:\Windows\System32\WScript.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Riga Client.exe

"C:\Users\Admin\AppData\Local\Temp\Riga Client.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\componentCommon\TsZJDcKjHujznUYiyXhQefVwV2.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\componentCommon\j1nvYpGjbyEFrc.bat" "

C:\componentCommon\ComInto.exe

"C:\componentCommon\ComInto.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Windows\appcompat\Programs\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\appcompat\Programs\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Windows\appcompat\Programs\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f

C:\Recovery\WindowsRE\winlogon.exe

"C:\Recovery\WindowsRE\winlogon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46d9d007-0d58-490a-8708-01b0c73edafe.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5bfc0842-4a16-4437-b38c-75357d354c6d.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 ct54429.tw1.ru udp
RU 185.114.247.170:80 ct54429.tw1.ru tcp
RU 185.114.247.170:80 ct54429.tw1.ru tcp
US 8.8.8.8:53 170.247.114.185.in-addr.arpa udp
RU 185.114.247.170:80 ct54429.tw1.ru tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
RU 185.114.247.170:80 ct54429.tw1.ru tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
RU 185.114.247.170:80 ct54429.tw1.ru tcp
US 8.8.8.8:53 28.73.42.20.in-addr.arpa udp

Files

C:\componentCommon\TsZJDcKjHujznUYiyXhQefVwV2.vbe

MD5 e986ea5d4cac976a6de65d3f1ef8b332
SHA1 6465da0abcfac05b8ed1f32b9cca57e2e2f54aea
SHA256 3ad8783bacfea22158df341d1bbedf8f6f0dcc4d9504555b36a756d2fcd83831
SHA512 896934c1a2941a8edfd38b03a858fc589cfb6622ae75019a542638be0c9c4e436aacd0916196dd71442d1a90404afa29d2864c92401222ff5ec2a712d873fa11

C:\componentCommon\j1nvYpGjbyEFrc.bat

MD5 a0b9b0891c2cae67cd1beae705d09d4f
SHA1 997953188d6226de19faa0ab4e8fdbddf1fb5617
SHA256 13593fab7a2113730fdbe4cbf436dde9a26116cda0bd4a33dff27d5678e9f9fc
SHA512 bdcd0c6a765c3927180706f7b30f2ea0f7cab6f27e512433839ebe3f6cb148923a6733ae954c24fa6eedeca97b8dc01cae945eea07e1121ff74885a69b34f2bb

C:\componentCommon\ComInto.exe

MD5 9a0cee5a5ce317b7a70f88bb6aaa49e1
SHA1 95a779063656075a8ddc2f2164393fa59e3c93d9
SHA256 701924dd5d93b99a1e90fcd92f399c4453455e78375125f7a06aca20b84956bc
SHA512 d9c6240b6809c3decbdf4d97aca246f308670097b704b47449c53d8dc121f391d3ec6596f7947c36a01a388eeefe6f9ac9785698cf743f8a89c7cbf7b9da41a4

memory/3216-12-0x00007FF953743000-0x00007FF953745000-memory.dmp

memory/3216-13-0x0000000000A00000-0x0000000000BAC000-memory.dmp

memory/3216-14-0x0000000002C20000-0x0000000002C2E000-memory.dmp

memory/3216-15-0x000000001B6B0000-0x000000001B6CC000-memory.dmp

memory/3216-17-0x000000001B6D0000-0x000000001B6D8000-memory.dmp

memory/3216-16-0x000000001B720000-0x000000001B770000-memory.dmp

memory/3216-19-0x000000001B700000-0x000000001B708000-memory.dmp

memory/3216-18-0x000000001B6E0000-0x000000001B6F6000-memory.dmp

memory/3216-20-0x000000001B710000-0x000000001B720000-memory.dmp

memory/3216-21-0x000000001B770000-0x000000001B778000-memory.dmp

memory/3216-22-0x000000001B780000-0x000000001B792000-memory.dmp

memory/3216-23-0x000000001C490000-0x000000001C9B8000-memory.dmp

memory/3216-24-0x000000001B7C0000-0x000000001B7CC000-memory.dmp

memory/3216-27-0x000000001B7F0000-0x000000001B7FE000-memory.dmp

memory/3216-28-0x000000001B800000-0x000000001B80C000-memory.dmp

memory/3216-26-0x000000001B7E0000-0x000000001B7EA000-memory.dmp

memory/3216-25-0x000000001B7D0000-0x000000001B7D8000-memory.dmp

memory/3216-29-0x000000001B810000-0x000000001B81C000-memory.dmp

memory/4944-57-0x000000001BD70000-0x000000001BD82000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5bfc0842-4a16-4437-b38c-75357d354c6d.vbs

MD5 7e7cf160c65c8fe5c58ba0750fe14dde
SHA1 36d1a519bfada22cd1480d2bbc095b72c2730b91
SHA256 91ea1c344d2d32c37596fe29c14ebf6dc80c975942a3666376f4fa29ea6d1bcc
SHA512 68c0ba824e53ef879d1f95159130188ff1262fff12682c9d64ff9651334de12ab7beb1c73fa662e6eae604460fde6f93c48c7389727ce9f48f20a74db1253646

C:\Users\Admin\AppData\Local\Temp\46d9d007-0d58-490a-8708-01b0c73edafe.vbs

MD5 bdbe869b12f8789377eb3cd4ca0a246a
SHA1 26fccb025912c7a9f62ad4bf0b7f2eb43aacd4fd
SHA256 8a340b77105395593fa51ae5e7d9439cc916919159aed9c0b9a2c2c626e3e8c5
SHA512 baac5832f0400bc019de3d2b66f6ff18674e7755550d187aaef464c0b6700fb50a1166e791b97b543f67fce75e77fafcf370b51b849f95bd3f0eeb89cc90d3d7