cba0955688200831df25ea28cfdc52e9bab94c92ab68cf0dfc75960be0941c36

Analysis

max time kernel
160s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 11:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cba0955688200831df25ea28cfdc52e9bab94c92ab68cf0dfc75960be0941c36.exe
Size

85KB
MD5

9bafd1b173c1d29541eb48f9c3f8bf6f
SHA1

0c50f69d93e00cc69df7d516a19d82640f3a19ba
SHA256

cba0955688200831df25ea28cfdc52e9bab94c92ab68cf0dfc75960be0941c36
SHA512

8504cef26463a13ce6bc113f398a3cbc5a296f62babf010be3055ac195c129fae599a425b3f64668872906ddff14b546a85a475b256ec1b0bc4582376a453fc0
SSDEEP

1536:B1/cgaS5boqudHwcQZJpWGIgSVKDA9FHpqnXs57Iah+eGtebiMU:B17aLqVrFWlri2pN5UagtRMU

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 5 IoCs

Processes:

urdvxc.exeurdvxc.exeurdvxc.exeurdvxc.exeurdvxc.exe

pid process

4356 urdvxc.exe
4864 urdvxc.exe
4588 urdvxc.exe
4944 urdvxc.exe
2400 urdvxc.exe

pid	process
4356	urdvxc.exe
4864	urdvxc.exe
4588	urdvxc.exe
4944	urdvxc.exe
2400	urdvxc.exe

Drops file in System32 directory 4 IoCs

Processes:

cba0955688200831df25ea28cfdc52e9bab94c92ab68cf0dfc75960be0941c36.exeurdvxc.exeurdvxc.exe

description	ioc	process
File created	C:\Windows\SysWOW64\urdvxc.exe	cba0955688200831df25ea28cfdc52e9bab94c92ab68cf0dfc75960be0941c36.exe
File opened for modification	C:\Windows\SysWOW64\urdvxc.exe	cba0955688200831df25ea28cfdc52e9bab94c92ab68cf0dfc75960be0941c36.exe
File created	C:\Windows\SysWOW64\urdvxc.exe	urdvxc.exe
File created	C:\Windows\SysWOW64\urdvxc.exe	urdvxc.exe

Drops file in Program Files directory 64 IoCs

Processes:

urdvxc.exeurdvxc.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\nsstljje.exe	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\about.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\qrhljwvn.exe	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\about.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\about.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bklnbknw.exe	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\about.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\Welcome.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\RELEASE-NOTES.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh.htm	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\Welcome.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\sekbhrbe.exe	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\about.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\cpyr.htm	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\README-JDK.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\jtlnctqk.exe	urdvxc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\tsbknceh.exe	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\README.HTM	urdvxc.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\Welcome.html	urdvxc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\rvhrjtnt.exe	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\about.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\MCABOUT.HTM	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\about.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\license.html	urdvxc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\batch_window.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\epl-v10.html	urdvxc.exe

Modifies registry class 58 IoCs

Processes:

urdvxc.execba0955688200831df25ea28cfdc52e9bab94c92ab68cf0dfc75960be0941c36.exeurdvxc.exeurdvxc.exeurdvxc.exeurdvxc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "lxnnvereswrskhbe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9E5B2A0-6DA4-8211-3F09-7196AABBE564}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB4470BE-3A35-A218-C7F6-4398C8694892}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C803653-A26A-88C7-574B-3B28BF06C94C}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B4DEAB09-73B2-B7AB-83C2-E6C7EDE7DAC3}\ = "bxjsnkztblbtcqkt"	cba0955688200831df25ea28cfdc52e9bab94c92ab68cf0dfc75960be0941c36.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58F22A6B-E9C1-CE13-9AB2-6E6A8B42D5FD}\ = "llsjhtxxsjbtxcjt"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "wcbbhscnltheberb"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58F22A6B-E9C1-CE13-9AB2-6E6A8B42D5FD}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB4470BE-3A35-A218-C7F6-4398C8694892}\ = "ztlewbvetwlvsjek"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB4470BE-3A35-A218-C7F6-4398C8694892}\LocalServer32\ = "C:\\Program Files\\Microsoft Office\\root\\vfs\\ProgramFilesCommonX64\\Microsoft Shared\\Smart Tag\\1033\\rvhrjtnt.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7774BDCB-BC2A-526E-C798-34FA771E21D1}\LocalServer32\ = "C:\\Program Files\\Java\\jdk1.8.0_66\\db\\qrhljwvn.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E88A8DA-6487-F103-FFE5-C2B0648486DC}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C803653-A26A-88C7-574B-3B28BF06C94C}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7774BDCB-BC2A-526E-C798-34FA771E21D1}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E88A8DA-6487-F103-FFE5-C2B0648486DC}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58F22A6B-E9C1-CE13-9AB2-6E6A8B42D5FD}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C803653-A26A-88C7-574B-3B28BF06C94C}\LocalServer32\ = "C:\\Program Files\\Java\\jdk1.8.0_66\\bklnbknw.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7774BDCB-BC2A-526E-C798-34FA771E21D1}\ = "lbblewlkhqkhrres"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7774BDCB-BC2A-526E-C798-34FA771E21D1}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5CA91ECD-564C-3E29-5336-C066EB2FABF6}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9E5B2A0-6DA4-8211-3F09-7196AABBE564}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B4DEAB09-73B2-B7AB-83C2-E6C7EDE7DAC3}\LocalServer32	cba0955688200831df25ea28cfdc52e9bab94c92ab68cf0dfc75960be0941c36.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B4DEAB09-73B2-B7AB-83C2-E6C7EDE7DAC3}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cba0955688200831df25ea28cfdc52e9bab94c92ab68cf0dfc75960be0941c36.exe"	cba0955688200831df25ea28cfdc52e9bab94c92ab68cf0dfc75960be0941c36.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E88A8DA-6487-F103-FFE5-C2B0648486DC}\ = "nrtwjjtlxhetlkjh"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{17B30228-FEAE-52CE-E831-3379C40FDBE8}\ = "bewsjqbzreecwzsr"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "ztwweebxkqjbetjr"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E88A8DA-6487-F103-FFE5-C2B0648486DC}\LocalServer32\ = "C:\\Program Files\\Java\\jdk1.8.0_66\\jre\\sekbhrbe.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58F22A6B-E9C1-CE13-9AB2-6E6A8B42D5FD}\ = "nklrbqjhscbkqrzs"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C803653-A26A-88C7-574B-3B28BF06C94C}\ = "zntlrnlsnqrnehxn"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B4DEAB09-73B2-B7AB-83C2-E6C7EDE7DAC3}	cba0955688200831df25ea28cfdc52e9bab94c92ab68cf0dfc75960be0941c36.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58F22A6B-E9C1-CE13-9AB2-6E6A8B42D5FD}\LocalServer32\ = "C:\\Program Files\\Java\\jdk1.8.0_66\\lib\\missioncontrol\\features\\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\\njqrsbcq.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9E5B2A0-6DA4-8211-3F09-7196AABBE564}\ = "hxhjbqbsxntesrbk"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB4470BE-3A35-A218-C7F6-4398C8694892}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{17B30228-FEAE-52CE-E831-3379C40FDBE8}\LocalServer32\ = "C:\\Program Files\\Java\\jdk1.8.0_66\\lib\\missioncontrol\\features\\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\\nsstljje.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9E5B2A0-6DA4-8211-3F09-7196AABBE564}\LocalServer32\ = "C:\\Program Files\\Microsoft Office\\root\\Office16\\PersonaSpy\\tsbknceh.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "bhkkrjtkkblsshvb"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5CA91ECD-564C-3E29-5336-C066EB2FABF6}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{17B30228-FEAE-52CE-E831-3379C40FDBE8}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{17B30228-FEAE-52CE-E831-3379C40FDBE8}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{17B30228-FEAE-52CE-E831-3379C40FDBE8}\ = "wbehsrswnkzwhvne"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5CA91ECD-564C-3E29-5336-C066EB2FABF6}\LocalServer32\ = "C:\\Program Files\\Java\\jre1.8.0_66\\jtlnctqk.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5CA91ECD-564C-3E29-5336-C066EB2FABF6}\ = "shnhjxczjbtheknn"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "hhxltkxsqvzwnntz"	urdvxc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

urdvxc.exe

description pid process

Token: SeDebugPrivilege 4356 urdvxc.exe

description	pid	process
Token: SeDebugPrivilege	4356	urdvxc.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

cba0955688200831df25ea28cfdc52e9bab94c92ab68cf0dfc75960be0941c36.exe

description	pid	process	target process
PID 2604 wrote to memory of 4356	2604	cba0955688200831df25ea28cfdc52e9bab94c92ab68cf0dfc75960be0941c36.exe	urdvxc.exe
PID 2604 wrote to memory of 4356	2604	cba0955688200831df25ea28cfdc52e9bab94c92ab68cf0dfc75960be0941c36.exe	urdvxc.exe
PID 2604 wrote to memory of 4356	2604	cba0955688200831df25ea28cfdc52e9bab94c92ab68cf0dfc75960be0941c36.exe	urdvxc.exe
PID 2604 wrote to memory of 4864	2604	cba0955688200831df25ea28cfdc52e9bab94c92ab68cf0dfc75960be0941c36.exe	urdvxc.exe
PID 2604 wrote to memory of 4864	2604	cba0955688200831df25ea28cfdc52e9bab94c92ab68cf0dfc75960be0941c36.exe	urdvxc.exe
PID 2604 wrote to memory of 4864	2604	cba0955688200831df25ea28cfdc52e9bab94c92ab68cf0dfc75960be0941c36.exe	urdvxc.exe
PID 2604 wrote to memory of 4944	2604	cba0955688200831df25ea28cfdc52e9bab94c92ab68cf0dfc75960be0941c36.exe	urdvxc.exe
PID 2604 wrote to memory of 4944	2604	cba0955688200831df25ea28cfdc52e9bab94c92ab68cf0dfc75960be0941c36.exe	urdvxc.exe
PID 2604 wrote to memory of 4944	2604	cba0955688200831df25ea28cfdc52e9bab94c92ab68cf0dfc75960be0941c36.exe	urdvxc.exe

C:\Users\Admin\AppData\Local\Temp\cba0955688200831df25ea28cfdc52e9bab94c92ab68cf0dfc75960be0941c36.exe
"C:\Users\Admin\AppData\Local\Temp\cba0955688200831df25ea28cfdc52e9bab94c92ab68cf0dfc75960be0941c36.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\SysWOW64\urdvxc.exe
C:\Windows\system32\urdvxc.exe /installservice
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4356

C:\Windows\SysWOW64\urdvxc.exe
C:\Windows\system32\urdvxc.exe /start
2⤵
- Executes dropped EXE
- Modifies registry class
PID:4864

C:\Windows\SysWOW64\urdvxc.exe
C:\Windows\system32\urdvxc.exe /uninstallservice patch:C:\Users\Admin\AppData\Local\Temp\cba0955688200831df25ea28cfdc52e9bab94c92ab68cf0dfc75960be0941c36.exe
2⤵
- Executes dropped EXE
- Modifies registry class
PID:4944

C:\Windows\SysWOW64\urdvxc.exe
"C:\Windows\SysWOW64\urdvxc.exe" /service
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
PID:4588

C:\Windows\SysWOW64\urdvxc.exe
"C:\Windows\SysWOW64\urdvxc.exe" /service
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
PID:2400

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.8.0_66\db\README-JDK.html

Filesize
1013B

MD5
e5dd4037f36e6516a8834396c7059a3c

SHA1
09718ef8bae0d6ca87517df56c808bd46db77194

SHA256
d27c3b9fdc71a044696de1a59917b261bbc879bbd2efe1cc4ae883e7420ca5d6

SHA512
2804253551dbd1a3fb48e4a1d7028735f0ff7516be3ecaf250aa4ee00de93448208b9aec49c771705fd2bc355dbfc10a83ce6e623e4fd638fbd98a2a7777088b

Download Submit
C:\Program Files\Java\jdk1.8.0_66\jre\Welcome.html

Filesize
1KB

MD5
4d020be7148f16ebf63e8959951fd72f

SHA1
fd57f6ae237ede0a4167bcbf405ac1309a78f98d

SHA256
3d86caa8ef08abb2639983341660b2d359f88eff74da15bc5c93a591b98584f8

SHA512
455a5cfbd9221d8d39c45b7488a1b8f96458a6730feb23f363a8a32c6e4e6698db98d1ded4a38b8018ab3b3057d0a1a14d8f5a2e1fed90a61d9f1505332f1c42

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\about.html

Filesize
1KB

MD5
be5ae053c2e7447b4aa28a4eedd2596f

SHA1
f3ec765d9a5cfef8126c3c0cca17f83bc3f30083

SHA256
7b81f3095140ad8ff3083edd17f58f358464a6de33fe8b7d7059bf83b17621c3

SHA512
8d77e56cc34fc9bbe5e1d2b0007b76a4899e522aa1be7473d2277547898ab122490d5c3a81415f20bf4efbee36560dd643f04d6f4639c309a3a50cac124d9d27

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\license.html

Filesize
6KB

MD5
9d8c3b7a6e148fcb80dc96f1dcd9be49

SHA1
e62d23ff3452c7359b5a8e3a7d9974235924ddb7

SHA256
cb5fafd5b45e6f803be7f8e523e9753cb3718d6cceee9a0057b048d9be86b997

SHA512
c64a906bc6046de5fc12a248993d88bb3342dd6cb7893dea47468e627e893e3fee0364ca41a7f14a3ae4bac1c77110d460edb204e665bae9c6382fc9c617f035

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\about.html

Filesize
1KB

MD5
17fb1125d8d7b6ed5f7fa28d774b076a

SHA1
ebb3482859f785645178ee324257fb4df4bff1a1

SHA256
500ca07ef68cc817d8352d142944089fdc1391e78bea103ae9a87c7e4aa12317

SHA512
5016b950aad0006f62f443d1ef75baa88b44a810bd270b9c3140f417edc2372e18b2464f73c9b0f06b73f1208f6a9fad3b85fee9b6d8a785b788d34a6b1197c6

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html

Filesize
6KB

MD5
8c7ddb650ddac7086bb27f15926be42d

SHA1
0f63c9a19b5280943a84ec736c367c7ffbb1ab72

SHA256
0012323d78643fe60101fe8b670d714dbb402f8f42fe839fec0ecc07900ef928

SHA512
fbd03c73f8f7662165fff345b7d960e7d3e12f3ae3046e7d3df3d219338ba1cabe932d66ab48a64374fc2ae74968ec30700683dc6810325bf4e6721116df64c6

Download Submit
C:\Windows\SysWOW64\urdvxc.exe

Filesize
85KB

MD5
9bafd1b173c1d29541eb48f9c3f8bf6f

SHA1
0c50f69d93e00cc69df7d516a19d82640f3a19ba

SHA256
cba0955688200831df25ea28cfdc52e9bab94c92ab68cf0dfc75960be0941c36

SHA512
8504cef26463a13ce6bc113f398a3cbc5a296f62babf010be3055ac195c129fae599a425b3f64668872906ddff14b546a85a475b256ec1b0bc4582376a453fc0

Download Submit
C:\Windows\SysWOW64\urdvxc.exe

Filesize
85KB

MD5
9bafd1b173c1d29541eb48f9c3f8bf6f

SHA1
0c50f69d93e00cc69df7d516a19d82640f3a19ba

SHA256
cba0955688200831df25ea28cfdc52e9bab94c92ab68cf0dfc75960be0941c36

SHA512
8504cef26463a13ce6bc113f398a3cbc5a296f62babf010be3055ac195c129fae599a425b3f64668872906ddff14b546a85a475b256ec1b0bc4582376a453fc0

Download Submit
C:\Windows\SysWOW64\urdvxc.exe

Filesize
85KB

MD5
9bafd1b173c1d29541eb48f9c3f8bf6f

SHA1
0c50f69d93e00cc69df7d516a19d82640f3a19ba

SHA256
cba0955688200831df25ea28cfdc52e9bab94c92ab68cf0dfc75960be0941c36

SHA512
8504cef26463a13ce6bc113f398a3cbc5a296f62babf010be3055ac195c129fae599a425b3f64668872906ddff14b546a85a475b256ec1b0bc4582376a453fc0

Download Submit
C:\Windows\SysWOW64\urdvxc.exe

Filesize
85KB

MD5
9bafd1b173c1d29541eb48f9c3f8bf6f

SHA1
0c50f69d93e00cc69df7d516a19d82640f3a19ba

SHA256
cba0955688200831df25ea28cfdc52e9bab94c92ab68cf0dfc75960be0941c36

SHA512
8504cef26463a13ce6bc113f398a3cbc5a296f62babf010be3055ac195c129fae599a425b3f64668872906ddff14b546a85a475b256ec1b0bc4582376a453fc0

Download Submit
C:\Windows\SysWOW64\urdvxc.exe

Filesize
85KB

MD5
9bafd1b173c1d29541eb48f9c3f8bf6f

SHA1
0c50f69d93e00cc69df7d516a19d82640f3a19ba

SHA256
cba0955688200831df25ea28cfdc52e9bab94c92ab68cf0dfc75960be0941c36

SHA512
8504cef26463a13ce6bc113f398a3cbc5a296f62babf010be3055ac195c129fae599a425b3f64668872906ddff14b546a85a475b256ec1b0bc4582376a453fc0

Download Submit
C:\Windows\SysWOW64\urdvxc.exe

Filesize
85KB

MD5
9bafd1b173c1d29541eb48f9c3f8bf6f

SHA1
0c50f69d93e00cc69df7d516a19d82640f3a19ba

SHA256
cba0955688200831df25ea28cfdc52e9bab94c92ab68cf0dfc75960be0941c36

SHA512
8504cef26463a13ce6bc113f398a3cbc5a296f62babf010be3055ac195c129fae599a425b3f64668872906ddff14b546a85a475b256ec1b0bc4582376a453fc0

Download Submit
memory/2400-150-0x00000000001C0000-0x00000000001DF000-memory.dmp

Filesize
124KB

Download
memory/2400-151-0x00000000001C0000-0x00000000001DF000-memory.dmp

Filesize
124KB

Download
memory/2604-133-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2604-145-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2604-132-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4356-134-0x0000000000000000-mapping.dmp

Download
memory/4356-137-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4588-148-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4588-142-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4588-147-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4864-141-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4864-138-0x0000000000000000-mapping.dmp

Download
memory/4944-143-0x0000000000000000-mapping.dmp

Download
memory/4944-146-0x00000000001C0000-0x00000000001DF000-memory.dmp

Filesize
124KB

Download