hxxps://github[.]com/xistly/Riviera

Analysis

max time kernel
300s
max time network
303s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
28/07/2024, 01:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/xistly/Riviera

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
3	raw.githubusercontent.com
46	raw.githubusercontent.com
51	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RivieraExecutor.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Riviera (1).zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 865703.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Riviera.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3888	msedge.exe
3888	msedge.exe
3152	msedge.exe
3152	msedge.exe
3628	identity_helper.exe
3628	identity_helper.exe
676	msedge.exe
676	msedge.exe
3024	msedge.exe
3024	msedge.exe
3948	msedge.exe
3948	msedge.exe
760	msedge.exe
760	msedge.exe
760	msedge.exe
760	msedge.exe
5020	RivieraExecutor.exe
5020	RivieraExecutor.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5020	RivieraExecutor.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1608	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3152 wrote to memory of 2396	3152	msedge.exe	81
PID 3152 wrote to memory of 2396	3152	msedge.exe	81
PID 3152 wrote to memory of 1628	3152	msedge.exe	83
PID 3152 wrote to memory of 1628	3152	msedge.exe	83
PID 3152 wrote to memory of 1628	3152	msedge.exe	83
PID 3152 wrote to memory of 1628	3152	msedge.exe	83
PID 3152 wrote to memory of 1628	3152	msedge.exe	83
PID 3152 wrote to memory of 1628	3152	msedge.exe	83
PID 3152 wrote to memory of 1628	3152	msedge.exe	83
PID 3152 wrote to memory of 1628	3152	msedge.exe	83
PID 3152 wrote to memory of 1628	3152	msedge.exe	83
PID 3152 wrote to memory of 1628	3152	msedge.exe	83
PID 3152 wrote to memory of 1628	3152	msedge.exe	83
PID 3152 wrote to memory of 1628	3152	msedge.exe	83
PID 3152 wrote to memory of 1628	3152	msedge.exe	83
PID 3152 wrote to memory of 1628	3152	msedge.exe	83
PID 3152 wrote to memory of 1628	3152	msedge.exe	83
PID 3152 wrote to memory of 1628	3152	msedge.exe	83
PID 3152 wrote to memory of 1628	3152	msedge.exe	83
PID 3152 wrote to memory of 1628	3152	msedge.exe	83
PID 3152 wrote to memory of 1628	3152	msedge.exe	83
PID 3152 wrote to memory of 1628	3152	msedge.exe	83
PID 3152 wrote to memory of 1628	3152	msedge.exe	83
PID 3152 wrote to memory of 1628	3152	msedge.exe	83
PID 3152 wrote to memory of 1628	3152	msedge.exe	83
PID 3152 wrote to memory of 1628	3152	msedge.exe	83
PID 3152 wrote to memory of 1628	3152	msedge.exe	83
PID 3152 wrote to memory of 1628	3152	msedge.exe	83
PID 3152 wrote to memory of 1628	3152	msedge.exe	83
PID 3152 wrote to memory of 1628	3152	msedge.exe	83
PID 3152 wrote to memory of 1628	3152	msedge.exe	83
PID 3152 wrote to memory of 1628	3152	msedge.exe	83
PID 3152 wrote to memory of 1628	3152	msedge.exe	83
PID 3152 wrote to memory of 1628	3152	msedge.exe	83
PID 3152 wrote to memory of 1628	3152	msedge.exe	83
PID 3152 wrote to memory of 1628	3152	msedge.exe	83
PID 3152 wrote to memory of 1628	3152	msedge.exe	83
PID 3152 wrote to memory of 1628	3152	msedge.exe	83
PID 3152 wrote to memory of 1628	3152	msedge.exe	83
PID 3152 wrote to memory of 1628	3152	msedge.exe	83
PID 3152 wrote to memory of 1628	3152	msedge.exe	83
PID 3152 wrote to memory of 1628	3152	msedge.exe	83
PID 3152 wrote to memory of 3888	3152	msedge.exe	84
PID 3152 wrote to memory of 3888	3152	msedge.exe	84
PID 3152 wrote to memory of 1816	3152	msedge.exe	85
PID 3152 wrote to memory of 1816	3152	msedge.exe	85
PID 3152 wrote to memory of 1816	3152	msedge.exe	85
PID 3152 wrote to memory of 1816	3152	msedge.exe	85
PID 3152 wrote to memory of 1816	3152	msedge.exe	85
PID 3152 wrote to memory of 1816	3152	msedge.exe	85
PID 3152 wrote to memory of 1816	3152	msedge.exe	85
PID 3152 wrote to memory of 1816	3152	msedge.exe	85
PID 3152 wrote to memory of 1816	3152	msedge.exe	85
PID 3152 wrote to memory of 1816	3152	msedge.exe	85
PID 3152 wrote to memory of 1816	3152	msedge.exe	85
PID 3152 wrote to memory of 1816	3152	msedge.exe	85
PID 3152 wrote to memory of 1816	3152	msedge.exe	85
PID 3152 wrote to memory of 1816	3152	msedge.exe	85
PID 3152 wrote to memory of 1816	3152	msedge.exe	85
PID 3152 wrote to memory of 1816	3152	msedge.exe	85
PID 3152 wrote to memory of 1816	3152	msedge.exe	85
PID 3152 wrote to memory of 1816	3152	msedge.exe	85
PID 3152 wrote to memory of 1816	3152	msedge.exe	85
PID 3152 wrote to memory of 1816	3152	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/xistly/Riviera
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaf1103cb8,0x7ffaf1103cc8,0x7ffaf1103cd8
  2⤵
  PID:2396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,8413093745161321339,12027191871819890137,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
  2⤵
  PID:1628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,8413093745161321339,12027191871819890137,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,8413093745161321339,12027191871819890137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:8
  2⤵
  PID:1816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,8413093745161321339,12027191871819890137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:3980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,8413093745161321339,12027191871819890137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,8413093745161321339,12027191871819890137,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5624 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,8413093745161321339,12027191871819890137,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5660 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,8413093745161321339,12027191871819890137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
  2⤵
  PID:4060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,8413093745161321339,12027191871819890137,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,8413093745161321339,12027191871819890137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
  2⤵
  PID:2092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,8413093745161321339,12027191871819890137,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1
  2⤵
  PID:2536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,8413093745161321339,12027191871819890137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:2792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,8413093745161321339,12027191871819890137,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
  2⤵
  PID:3936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,8413093745161321339,12027191871819890137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2948 /prefetch:1
  2⤵
  PID:544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,8413093745161321339,12027191871819890137,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6308 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,8413093745161321339,12027191871819890137,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6180 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,8413093745161321339,12027191871819890137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4532 /prefetch:1
  2⤵
  PID:1596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,8413093745161321339,12027191871819890137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1708 /prefetch:1
  2⤵
  PID:3020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,8413093745161321339,12027191871819890137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6428 /prefetch:1
  2⤵
  PID:2104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,8413093745161321339,12027191871819890137,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6452 /prefetch:8
  2⤵
  PID:4784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,8413093745161321339,12027191871819890137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6780 /prefetch:1
  2⤵
  PID:4420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,8413093745161321339,12027191871819890137,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:1
  2⤵
  PID:4320

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4968

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1052

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3752

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1608

C:\Users\Admin\Downloads\rat\Riviera\RivieraExecutor.exe
"C:\Users\Admin\Downloads\rat\Riviera\RivieraExecutor.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b0499f1feacbab5a863b23b1440161a5

SHA1
37a982ece8255b9e0baadb9c596112395caf9c12

SHA256
41799b5bbdb95da6a57ae553b90de65b80264ca65406f11eea46bcb87a5882a7

SHA512
4cf9a8547a1527b1df13905c2a206a6e24e706e0bc174550caeefabfc8c1c8a40030e8958680cd7d34e815873a7a173abe40c03780b1c4c2564382f1ceed9260

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f53eb880cad5acef8c91684b1a94eed6

SHA1
afab2b1015fecbc986c1f4a8a6d27adff6f6fde9

SHA256
5cb8554e763313f3d46766ab868f9d481e3644bfc037f7b8fe43d75d87405a27

SHA512
d53f3965428f73c0dfed1d941a9ff06eb70b254732410b815bc759b8c7904e11292ad7e9624c12cccaed6763e7bea68208bc0b67fc70b7616d25bda143833794

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
23KB

MD5
1fb9778c1b6c11a8657b1f790c417fe1

SHA1
69ddd32e23141f0d80a36036dde5e51ae6bae844

SHA256
7ad7003248a2baf7d9a5ebd25e79ec8a00bb13e6fb7f072d0f49d8a0c7d8f36d

SHA512
c429eead446f80f76693195a49d62f0d0831cc837bab4dffa40d77397d1968b9c1a01f2f1c20573bc2f89d0cd814b35812b1870c70226e226f7663a50ba716e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
4fb85e55d8286c1240913dd1ee6dcf1b

SHA1
98ef9cdce891f410b9c37c0caff4bfa9dbc711a5

SHA256
cddc209722c13df6cab0be73af9b52f9b96aba5bc594bd537a48842cec67ce15

SHA512
3ab0f11a97432d2db7036180b7327a50c9fe0d8a63a8b82265ee2c35a63e87b8a7c2be447929e68a5f06a323874504c582b2f6543cc4af8b565c62be1c63be28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
36449faf3119c81d1bc334f1383bbe22

SHA1
4cd4a54cf72ea32857e979f3c327e958a9d53511

SHA256
b89755d373b636e157aee2a1c3e4eecabea6b519efeb06f3fc8aae8245c06927

SHA512
7e74de71e043ec31c1c71bf1d12ce982cef0fdc01d62551572c79307998e1d4d2a34b8327195312923a3266ce8fffb4b847dad0209f65bfb5754e3d7af8b6d3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
6bcd8beaf3e3d9bcee17f33de0609dd5

SHA1
d98fde0082c0acbc24710ec80d38739a490a57bb

SHA256
19ddcdb36f729e228734a20e672144fb1bec14935c9627912b944b43e7bb8244

SHA512
c8624d4b84bf80b182abceb8f27f78a54a994788adb25fc5c3c782a19c357c20e54c224b69b4fdced447df541665fa0ab51a07b01e243b7ffff08aa8209b0681

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
496B

MD5
aadae93b8d636d034aee972c3635d7b5

SHA1
d8c1119ed585b5403056f37515b98d32d3275ab9

SHA256
baf498aa585a836559bfdfeba511aa8392d8fac7d57e594062dbad9bbd5c8327

SHA512
0a27888dc32f54cf0f1dff75e1f38813c60a0e0d04c16eb2f0a6bd898455f31f0008aa550b1e36f342527d777e71d9ef3e7e88788366f6b64cfdf8ece6e7bd81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
46fa4f5f7344089589d117bd7599b3a9

SHA1
b6cc1fe19e527d4a372c97e4d195ed94eee40030

SHA256
223280d95a13f1af6af06459bbf230874500c212a2e16f63914eff3f22e8b57a

SHA512
6b680aedde7e806802652aab9ab31cb21438bc8756b063955e6f03bbbdf1273f7d47c40ec1a19fe27537afeb8d6cc219a246d31f7c6822b481649fe296e2a45c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
8567e1f2692c0b6b22ff80d629299c19

SHA1
58cddc76e9ff5e87f484897575c3a00f748d903e

SHA256
401da02959aad39d1b085fb55389b5f8ca4ee9724f7ced382eda6517490bcfaf

SHA512
4c94507f7f61227a4f10c6380e132df75d8698fb737b635e78c1c2a280b3313f61069eab4117641ae862b228e791e207960ea267fbf201618f6c2a7671a505e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
28d6009d0f60b8f33c80506f13bc4e9a

SHA1
395ff49c4781383df704a83af588c1cfc3bb824c

SHA256
aa7c497c831424f703824c64f03986b9512f85fc5d62347e426d4a831d4e7a93

SHA512
798290054ebca1a4bf62f170b42d1ae954a4156c8f1bbb2fdf967fe82d041b2f8dcf21e5ff6820bb1931b83a98278f745af964bab460bb9bf165d010558f57b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bf4db6092e03bd7f96ef3cd33c23ba22

SHA1
9bb74ff02b93b4433abc115d7649b0a7ddf8bcea

SHA256
85f4735516dddafc577b7b2e66117e2f5e0b3787bbe9f5529071c67757ea72bf

SHA512
3b2c654a7d5eecaf03422635945f238ab5c2717af0ba884099c21a20263741be8be4c93576fff46c318facbf6b93bf6a24290416471c6390a2a9e66ba59a2c87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b042d9751b5912a5599df69b083c1a1f

SHA1
44672a7d997338229874c92e28647a3feeae3fab

SHA256
73ee51db9c487ecfda671fd0a90877ed00e7be25b888c5a7a2be13e84e89dc95

SHA512
26ea6664bfcb1922a3db8782625c26cdf403f1d55f4e570b28ccf68b1804e59c5acc14a0776e4ec255791bb28845dba76571dcd95f19f3dce9557ba4a985d861

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d45f5c4b78d4199d2f23f1c8e42a4b8b

SHA1
87e36385503eb26eb8e9053ed6607b728f7fcd49

SHA256
79c766f78ab21671f728f819709411e671b3ce93b91d4a245d7c910ff269a59f

SHA512
8c2ce73794c80f3d55fcfdb9670518352c3f4866360cb2af15f0e1c5d5e4483a92d0a15614a1fbc23eddd2c15131864157a3f3eeb907cf1aa8efedeeb0456e29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
25ace80b4e134460703a61bb2e1d6358

SHA1
e09866e01ef9b3d544c158228682d95a54720706

SHA256
36d9d36aa1a30b4cf863e3f45169e7fe1c03f851b6d0c6ddb53f5dc736db2d57

SHA512
0431df47cb01c804d705a1499dae618734d370fca08ea45aaf7dec7a86857e30b16a8418bb9c7473c2c645e46b2a5a4df800af013f2ec345c63930037a086c01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
9fa8d7c78c3b7b2de7ce43225f86e5db

SHA1
517e32a0b2b22530e40e25e8a7f6f50895ebc623

SHA256
b6ffb0c0a87c10439e93fe1490c45a8b8c61ce81ca2bb9adc4e7bccd1908f889

SHA512
02c2ecc4d74bd436f81782cd6d23da020bfc028ed54dc53df64cd9a734a6652c51f273b80ab3e42014a24b4d669c93327d9e63f26ef9c11e40f655b6226fa11b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
39b6133e1aacfbf30d0f0990009ecc27

SHA1
c112b8015c226949b35e34d0d02b4aa332bca3f4

SHA256
a919bcf7d7dd1b57bbed46c08881bb889e84a6ef54efa1a84e8ba2b1f3a4646b

SHA512
9946cb90ff9a0d2c95fb86c44c8b31ace284550e2a9b5a39cb17d3b8ff634fc19f8ca0a5d76e7153406e90d18487d2193ff61f9709a1e2e1b15e01d6cd6a8d32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
c5c91545880c85c2a3c46fd2167893f1

SHA1
8980ea9c494dff8e05cd2942c0b4b6aacf04a77b

SHA256
82f6f9fe3867e2d2cdf55e76f834ed3112b674ac888629c8ba59c8f5bfd0efe5

SHA512
f53d4a079968731d08952517b3ffd35ee347ed2d2364d299681aca73c502470251de2595c267b5232c52357562114d2791f7a4276eed4ec93720e121642f5bac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f096b3f030f7cb80967960ee923cd43b

SHA1
1fe88a1ee7daa9241e9845a7941830971b512dc3

SHA256
c1d3836283caf3d61e6fae2a9b9b0ed041dfb1fb3ec1e5a49cdbe464012fbfd8

SHA512
05433db3c38bc71d65fa7f026a75d67491e1625c3ba15edbe874439e46456ef167be2d01695614b1c286592d1cc49a051a86d32b2e4839318ca2d70448ff6bdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
fdaea3a3d544985adf909f99dcf9bce4

SHA1
f551b674cf16b715dfc7126e8f406bc48d4d8b8e

SHA256
1921be11afb55be51e808ae22684ba3fd19a1dbfa83b4bbc42e51f3dcfddfc45

SHA512
eefdb828c65f7f68f6a99bfc38132f8d9f8138a5bd9455b09cb07b9825e834f64017b1202ac17f389b4e4b8bdd7b2adc0c9bfd3d9ef6e773658c5f3891890f7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
ef1602a143823abc80ae3045df31ceb8

SHA1
dfd5e2f6d0d4b35c79cde1108a575cf10627de1a

SHA256
45de4b4c4d1ab18d86608adeec8015144e8f90af4bd8c383ade5a2a0690dec9c

SHA512
d021b9ed52f4b647cc6f8ce905d62f02a7a2925bceb969e2ea806afe0deb0f9b4ddf4faa6d09be05c555e00a5146124f51ab8f0abb7bb7dcaf84763f147e9771

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5b29b2f7b4c9b13b0b2f524d8d55afef

SHA1
0053eb42a0f7d98b59bba40b3f7e41f6be5b0c2c

SHA256
c99ad4d881ee42b87a0a6e2b11d85fe6cc357939c28054fb300aadf828ccab6a

SHA512
43a48f83e35675b781666f06cef4d60c6a5662219657ec2791b36a8f9159abfb18882376426b3c6064e1e273637469b85820bb859b32c061893adf5957775f7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c62bb32f56be1dba0aabfa3352659557

SHA1
77abf6fcf40aaa1bddb8661d920d81cf77d28e01

SHA256
28e3c94731709a7465ec92db226bcb2ba7965f235eedee4a150605a656d149a2

SHA512
21a35883f0984f30601366ae987cd96c8e71f2fb6198cbc02b9863e3de880d6568d2dbfdf601c16850dd4e01f940dd48fd85b0accca4e2c482cd77491aee65b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe586e17.TMP

Filesize
371B

MD5
3b9820fc0dee99e8e8a97f137e75700b

SHA1
2d8a5b6d8c0b3210b85ab0ebd6be1c1d94f77fb6

SHA256
e912d68c4966a504cd099047e0f329017b35ec00bff67b06009bf96209830f69

SHA512
108313cf8ab2b72e29032d39c40fb75bd0c2a99c6c843a7ce98bb4809191cb7fe30475789398b1b270cf35e064eb35f2f0403faf8da88c88e235336d6345ab13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f1e46210ce15ee83f77a84f96f33d053

SHA1
8a8dd23a01b069dfeb94d6d159afac7048bb21bf

SHA256
c3fa5ba5484471d619b3d739fefc2c2891f9fd1182604807040aacffb8897517

SHA512
1addd7a992fe2e5ab351c568664083414533a2c175a3eac4203e491fc0227fc5f8d1b2be269efc87cb855bceeec1ab2e9c39fa57265e82d10c30867bb56d8654

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
76b9f23c5e0381262c2938840e01195b

SHA1
933e5b62eb870bfd2044a5b5a8c5dabe291d7ac9

SHA256
6ae113329ef1a31e3e6e4005035d07647306f4dd6234b7855fa8b4a6455abc10

SHA512
3568fb86e14c9bf23b53e9b1a481833aa51e19ad3eee0b60f0a46351caabb8c008bda149c4095fa70c951daaaebfdee5d1bef87740dac7f0b41f5239c49e3c59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
92002b1036b2c2c4822053d020f8a5f9

SHA1
6e60a5c51b56b4f50250bde4b0b345ad8ac0fffd

SHA256
64d79e71de3651f33bd6b69f9f563d1ba965790b1ddad78ca081dea83d62de77

SHA512
902c099f8c50cd02e65ff7eed6ee021342c8c3e91215fc4924f445a4c9b9eee6ff2bdda15c282f04a2215ec4c693cfdc1134aea7de356c5736f83bf9c7b45831

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
73dfb3ea9b9576366621d26eb74c1a58

SHA1
e4341d52ebaf501ca2d202c03fe37b3c33b010a5

SHA256
b46f12b76508a9a1cd3eac27c52097dccee741c7274e1d1ed510eaedb4414a95

SHA512
93a19078d6c89d4f8a00298dff0c67bbd75e772dc8d21bb9cd1157627d185dd22f4c5fc18b0b778abf3ce4bb0fdedfa4fb75fbe7ea0e77fbb4446f4a48e33b03

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
c7e6c4fe75def133faaad5143dd9866b

SHA1
16c306f0f07a1eb20a184a055e7d00dae5c1be2e

SHA256
93a3517d19755945a0e9a7f896bb4df74f0872ab515779b5919f8a06eb5732ed

SHA512
3f32f7d849fd6d5e064a4f67733f1d8cba9ede77e515e175283682055a4e2f9bce65dd5ef82239266c1dc58aa708905f677fa557f3261d20c5de55b64a9182e9

Download Submit
C:\Users\Admin\Downloads\Riviera (1).zip

Filesize
1.6MB

MD5
ccd64e333745864a1cd8e8943824c006

SHA1
3fb256d3a9fd1817730817148112947e5736674b

SHA256
ff409b96e6591fd73307d2b5dc153f6e60fbf05b21c18566b08e0fd90c38c76d

SHA512
089ed318413580fdc55f1c2845661a5a4addf62ba297c327b523d3a7a70a3671cf7fd3d70e4eb103b013547977e73bc90c98111c0066196ea1223d2583d58eb3

Download Submit
C:\Users\Admin\Downloads\Riviera (1).zip:Zone.Identifier

Filesize
170B

MD5
04e06f8a496c368e595891148d5038c3

SHA1
c6320e8afb1252441a215001e27427b44fd4f1cf

SHA256
23950bcfca322e0cd871dee5bda10c2c6e70a7b617a37118d87a041e6ea8aff8

SHA512
0bde0b165c7b41f63d8ae68ded2482cadd2ca534a6016352c8b0e8b50c978094607d9ab2732cf25fdd1da0b3d934d5c1f75d241ab6ca54789a5b353c511d7631

Download Submit
C:\Users\Admin\Downloads\Riviera.zip

Filesize
161KB

MD5
cb6f2b4aef9d3384f7a3470c5f6b0d0f

SHA1
a814de79a49e6794239111d89f24adadf3787177

SHA256
08cc0155d6027ede8fa31b5f37fa666a07b7f15989b1c9c2152bac44ee35d85a

SHA512
ead8f382d50a8cf5f4503eb4f3d2b8742c6c8a872f67cfaa923a8e6e60a651a7c8ee74c450a0a7f417b49f36a9734ceb4fdd0910d4d568359689e0e25cf5eb84

Download Submit
C:\Users\Admin\Downloads\Riviera.zip:Zone.Identifier

Filesize
138B

MD5
e3ef3ca50698f2e0b17d6df5db034dc0

SHA1
ad01d5f6c184a4b43d76a2bdb3935d999b5138d7

SHA256
a8732763adaa6b7b08329a809601867745e3f850009f9079e81219119a342098

SHA512
37bdd7cfa50644108534beb722095130a96469ad556c61fefdbdca3ee667cf97fedf1243bedcc5bc2def82e539b866bbe9f6d0e7b02dc9bf1eca0c7ec2fad1cc

Download Submit
memory/5020-526-0x0000000004AC0000-0x0000000004ACA000-memory.dmp

Filesize
40KB

Download
memory/5020-544-0x0000000007D60000-0x0000000007DDC000-memory.dmp

Filesize
496KB

Download
memory/5020-527-0x0000000004C90000-0x0000000004CDE000-memory.dmp

Filesize
312KB

Download
memory/5020-525-0x0000000004A20000-0x0000000004AB2000-memory.dmp

Filesize
584KB

Download
memory/5020-524-0x00000000050B0000-0x0000000005656000-memory.dmp

Filesize
5.6MB

Download
memory/5020-523-0x0000000000070000-0x00000000000BC000-memory.dmp

Filesize
304KB

Download