0b60e8315ae0e3a4073dd8aded9829900baed8aee716ad8024246265d83e0a47

Analysis

max time kernel
161s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b60e8315ae0e3a4073dd8aded9829900baed8aee716ad8024246265d83e0a47.exe
Size

65KB
MD5

8d4fb7c8d0d9c5f1e18642616f4bcb89
SHA1

a8ab417106c39cef33d7f9d792aca148c1469e5b
SHA256

0b60e8315ae0e3a4073dd8aded9829900baed8aee716ad8024246265d83e0a47
SHA512

4d06bc372dc5cd2cbdfbc5599903401dcb96fed03ace82ee944e95823b3461b92348063d725aa83c34771696bc4d70b5a7840dbb08df14d8c7ea0b8071140f90
SSDEEP

1536:NwblRhvwzxvzdd0S7AxZPfNaqtAwcduFaMql8hUl:WbpUzdR2ABZ8s

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2984	urdvxc.exe
3416	urdvxc.exe
2708	urdvxc.exe
5024	urdvxc.exe
4068	urdvxc.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\urdvxc.exe	urdvxc.exe
File created	C:\Windows\SysWOW64\urdvxc.exe	urdvxc.exe
File created	C:\Windows\SysWOW64\urdvxc.exe	0b60e8315ae0e3a4073dd8aded9829900baed8aee716ad8024246265d83e0a47.exe
File opened for modification	C:\Windows\SysWOW64\urdvxc.exe	0b60e8315ae0e3a4073dd8aded9829900baed8aee716ad8024246265d83e0a47.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\about.html	urdvxc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\batch_window.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\title.htm	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\cpyr.htm	urdvxc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\MCABOUT.HTM	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh001.htm	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\README-JDK.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\about.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh001.htm	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\about.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\qrhljwvn.exe	urdvxc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\rvhrjtnt.exe	urdvxc.exe
File opened for modification	C:\Program Files\CompressWrite.shtml	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\jtlnctqk.exe	urdvxc.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\OSPP.HTM	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\preface.htm	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\njqrsbcq.exe	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\about.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\PersonaSpy.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\about.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\Welcome.html	urdvxc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\tsbknceh.exe	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\RELEASE-NOTES.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh.htm	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bklnbknw.exe	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\about.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\about.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\preface.htm	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\README.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\nsstljje.exe	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\license.html	urdvxc.exe

Modifies registry class 58 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{17B30228-FEAE-52CE-E831-3379C40FDBE8}\ = "bkztssnjjwjtzzkz"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C803653-A26A-88C7-574B-3B28BF06C94C}\LocalServer32\ = "C:\\Program Files\\Java\\jdk1.8.0_66\\bklnbknw.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB4470BE-3A35-A218-C7F6-4398C8694892}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5CA91ECD-564C-3E29-5336-C066EB2FABF6}\ = "enjvlszjltbcrwsh"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9E5B2A0-6DA4-8211-3F09-7196AABBE564}\LocalServer32\ = "C:\\Program Files\\Microsoft Office\\root\\Office16\\PersonaSpy\\tsbknceh.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{44E2A663-DF28-306D-FBEC-8D01F1996CDC}	0b60e8315ae0e3a4073dd8aded9829900baed8aee716ad8024246265d83e0a47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{44E2A663-DF28-306D-FBEC-8D01F1996CDC}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0b60e8315ae0e3a4073dd8aded9829900baed8aee716ad8024246265d83e0a47.exe"	0b60e8315ae0e3a4073dd8aded9829900baed8aee716ad8024246265d83e0a47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "jrsrkttwtnebbbkh"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7774BDCB-BC2A-526E-C798-34FA771E21D1}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58F22A6B-E9C1-CE13-9AB2-6E6A8B42D5FD}\ = "kebjlbshelvqvlkj"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9E5B2A0-6DA4-8211-3F09-7196AABBE564}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C803653-A26A-88C7-574B-3B28BF06C94C}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C803653-A26A-88C7-574B-3B28BF06C94C}\ = "ztrenlshhjtlkzhh"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5CA91ECD-564C-3E29-5336-C066EB2FABF6}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E88A8DA-6487-F103-FFE5-C2B0648486DC}\ = "qhcnksntxrcbskzq"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E88A8DA-6487-F103-FFE5-C2B0648486DC}\LocalServer32\ = "C:\\Program Files\\Java\\jdk1.8.0_66\\jre\\sekbhrbe.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{17B30228-FEAE-52CE-E831-3379C40FDBE8}\ = "lhljhnxxejkhwlkh"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58F22A6B-E9C1-CE13-9AB2-6E6A8B42D5FD}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB4470BE-3A35-A218-C7F6-4398C8694892}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7774BDCB-BC2A-526E-C798-34FA771E21D1}\LocalServer32\ = "C:\\Program Files\\Java\\jdk1.8.0_66\\db\\qrhljwvn.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{17B30228-FEAE-52CE-E831-3379C40FDBE8}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5CA91ECD-564C-3E29-5336-C066EB2FABF6}\LocalServer32\ = "C:\\Program Files\\Java\\jre1.8.0_66\\jtlnctqk.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9E5B2A0-6DA4-8211-3F09-7196AABBE564}\ = "krlknleehsrrhrjn"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "tqqrheljtnttbswh"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E88A8DA-6487-F103-FFE5-C2B0648486DC}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C803653-A26A-88C7-574B-3B28BF06C94C}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{44E2A663-DF28-306D-FBEC-8D01F1996CDC}\LocalServer32	0b60e8315ae0e3a4073dd8aded9829900baed8aee716ad8024246265d83e0a47.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58F22A6B-E9C1-CE13-9AB2-6E6A8B42D5FD}\ = "whkkkhlblkhbrxbs"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7774BDCB-BC2A-526E-C798-34FA771E21D1}\ = "tlvrnrbrvhqhtxbs"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58F22A6B-E9C1-CE13-9AB2-6E6A8B42D5FD}\LocalServer32\ = "C:\\Program Files\\Java\\jdk1.8.0_66\\lib\\missioncontrol\\features\\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\\njqrsbcq.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "nbbsehtekbzbjhse"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{44E2A663-DF28-306D-FBEC-8D01F1996CDC}\ = "tttjhkhsrjbclssk"	0b60e8315ae0e3a4073dd8aded9829900baed8aee716ad8024246265d83e0a47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{17B30228-FEAE-52CE-E831-3379C40FDBE8}\LocalServer32\ = "C:\\Program Files\\Java\\jdk1.8.0_66\\lib\\missioncontrol\\features\\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\\nsstljje.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5CA91ECD-564C-3E29-5336-C066EB2FABF6}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9E5B2A0-6DA4-8211-3F09-7196AABBE564}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{17B30228-FEAE-52CE-E831-3379C40FDBE8}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E88A8DA-6487-F103-FFE5-C2B0648486DC}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB4470BE-3A35-A218-C7F6-4398C8694892}\ = "kcsttblbzxsjtkqj"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "ejktqwbsvsbnzekj"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "zzwlsqjqzetznqxe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7774BDCB-BC2A-526E-C798-34FA771E21D1}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB4470BE-3A35-A218-C7F6-4398C8694892}\LocalServer32\ = "C:\\Program Files\\Microsoft Office\\root\\vfs\\ProgramFilesCommonX64\\Microsoft Shared\\Smart Tag\\1033\\rvhrjtnt.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58F22A6B-E9C1-CE13-9AB2-6E6A8B42D5FD}	urdvxc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2984	urdvxc.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2984	2548	0b60e8315ae0e3a4073dd8aded9829900baed8aee716ad8024246265d83e0a47.exe	79
PID 2548 wrote to memory of 2984	2548	0b60e8315ae0e3a4073dd8aded9829900baed8aee716ad8024246265d83e0a47.exe	79
PID 2548 wrote to memory of 2984	2548	0b60e8315ae0e3a4073dd8aded9829900baed8aee716ad8024246265d83e0a47.exe	79
PID 2548 wrote to memory of 3416	2548	0b60e8315ae0e3a4073dd8aded9829900baed8aee716ad8024246265d83e0a47.exe	80
PID 2548 wrote to memory of 3416	2548	0b60e8315ae0e3a4073dd8aded9829900baed8aee716ad8024246265d83e0a47.exe	80
PID 2548 wrote to memory of 3416	2548	0b60e8315ae0e3a4073dd8aded9829900baed8aee716ad8024246265d83e0a47.exe	80
PID 2548 wrote to memory of 5024	2548	0b60e8315ae0e3a4073dd8aded9829900baed8aee716ad8024246265d83e0a47.exe	82
PID 2548 wrote to memory of 5024	2548	0b60e8315ae0e3a4073dd8aded9829900baed8aee716ad8024246265d83e0a47.exe	82
PID 2548 wrote to memory of 5024	2548	0b60e8315ae0e3a4073dd8aded9829900baed8aee716ad8024246265d83e0a47.exe	82

C:\Users\Admin\AppData\Local\Temp\0b60e8315ae0e3a4073dd8aded9829900baed8aee716ad8024246265d83e0a47.exe
"C:\Users\Admin\AppData\Local\Temp\0b60e8315ae0e3a4073dd8aded9829900baed8aee716ad8024246265d83e0a47.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\SysWOW64\urdvxc.exe
  C:\Windows\system32\urdvxc.exe /installservice
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:2984
- C:\Windows\SysWOW64\urdvxc.exe
  C:\Windows\system32\urdvxc.exe /start
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:3416
- C:\Windows\SysWOW64\urdvxc.exe
  C:\Windows\system32\urdvxc.exe /uninstallservice patch:C:\Users\Admin\AppData\Local\Temp\0b60e8315ae0e3a4073dd8aded9829900baed8aee716ad8024246265d83e0a47.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:5024

C:\Windows\SysWOW64\urdvxc.exe
"C:\Windows\SysWOW64\urdvxc.exe" /service
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
PID:2708

C:\Windows\SysWOW64\urdvxc.exe
"C:\Windows\SysWOW64\urdvxc.exe" /service
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
PID:4068

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.8.0_66\db\README-JDK.html

Filesize
1012B

MD5
661986eb37cc9cfc2f17614e81d71a6d

SHA1
6f5a8828691bfabda2656ba5435c39db61933cba

SHA256
5edb9dd67373164b6d5297e4fad9846c712451a74f8a8a965c39c61c19646a03

SHA512
11da83092eebe57cc2493d37f480bf706880883a1c4c7af910fe1e2d1fa3c923b7f6cca99d8bfc61255879ef146af94b0925cc07ca53c431b4ef1f24d36e970e

Download Submit
C:\Program Files\Java\jdk1.8.0_66\jre\Welcome.html

Filesize
1KB

MD5
126dc28a60fa70ca98434f1b6196855b

SHA1
eaeb0f2ae09670985868a7410b08df899486339a

SHA256
3475436612f6a0ef77fc91331d008090bfd53c7cc8535225762ab43234c730c7

SHA512
7d07229039cbb7eb39d5cdf3846fb41f4f2f5a829cf7c0d5c778bf50c7eaa17ab7dd4c7fe483c38d3ebb72669d117a6db122ee58f63d712f795c38ad680ae52a

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\about.html

Filesize
1KB

MD5
7915168e1915f03c8db93427bb9362af

SHA1
9cca121c448a9a38f815653014da4bd9f323596c

SHA256
b9b7298e796bee7942b808d120c1da2f40508b719d0f57c792f6898963036ae7

SHA512
fbae43dc5b5c1ececfcde9a92abe7caf8848b8a3d2d3a2663490bec65afbfcd0ecd2e6059e34fdc3af07c206deb45c9b3e4b85776e87ff7e19d96ee756fe843a

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\license.html

Filesize
6KB

MD5
f3364d26b97d6152263d8e01bb2d960d

SHA1
4d6e673fea2c60e340286892ba1db0d69a402187

SHA256
903c359ee42e9b25bb03af3e1ece37a60b5835804244a71ffbd60417cb1aad2f

SHA512
ca092b742badeaf366a5a3b417eadc4bde3ad2ec2c913abf1e018172d1cc5f21b42379ba047919255b78a53d65cc94987963a04416ae6e8e79f496e2124b85a8

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\about.html

Filesize
1KB

MD5
00d6bf61fdfbf3498a4b8996717797a0

SHA1
3b5855989750646b9de9d4d9c2d107121b2bacb4

SHA256
74c990493dff56a22d26eb021df6887e1d15f75f916e39440c0efb7f0a3d4250

SHA512
c3fedcbf2bb480528b03305002d2999eaf2f4057e82a95718156ecc81f0ead4ad7e92612307d19ebd5ed9a128e2cb8bf257937a12ab20c071bd8dea6835012c6

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html

Filesize
6KB

MD5
c291301c8e09edb31d01605abe7ba7e7

SHA1
6d56946f95035e6aa779292dc5e067384a337553

SHA256
044f0d9b2aa4780fd2eb7d6f0553fcaf76c7e4eccff0b2d2d90750d52cc7fe1b

SHA512
0583e6bd105066bc95865fb0d82324e503b14b3d5229efa1ccdde70c196f1b5f4becf9f4806e72f00bf90194345224b292e23b196bfd0d4c5b87d92e358910ee

Download Submit
C:\Windows\SysWOW64\urdvxc.exe

Filesize
65KB

MD5
8d4fb7c8d0d9c5f1e18642616f4bcb89

SHA1
a8ab417106c39cef33d7f9d792aca148c1469e5b

SHA256
0b60e8315ae0e3a4073dd8aded9829900baed8aee716ad8024246265d83e0a47

SHA512
4d06bc372dc5cd2cbdfbc5599903401dcb96fed03ace82ee944e95823b3461b92348063d725aa83c34771696bc4d70b5a7840dbb08df14d8c7ea0b8071140f90

Download Submit
C:\Windows\SysWOW64\urdvxc.exe

Filesize
65KB

MD5
8d4fb7c8d0d9c5f1e18642616f4bcb89

SHA1
a8ab417106c39cef33d7f9d792aca148c1469e5b

SHA256
0b60e8315ae0e3a4073dd8aded9829900baed8aee716ad8024246265d83e0a47

SHA512
4d06bc372dc5cd2cbdfbc5599903401dcb96fed03ace82ee944e95823b3461b92348063d725aa83c34771696bc4d70b5a7840dbb08df14d8c7ea0b8071140f90

Download Submit
C:\Windows\SysWOW64\urdvxc.exe

Filesize
65KB

MD5
8d4fb7c8d0d9c5f1e18642616f4bcb89

SHA1
a8ab417106c39cef33d7f9d792aca148c1469e5b

SHA256
0b60e8315ae0e3a4073dd8aded9829900baed8aee716ad8024246265d83e0a47

SHA512
4d06bc372dc5cd2cbdfbc5599903401dcb96fed03ace82ee944e95823b3461b92348063d725aa83c34771696bc4d70b5a7840dbb08df14d8c7ea0b8071140f90

Download Submit
C:\Windows\SysWOW64\urdvxc.exe

Filesize
65KB

MD5
8d4fb7c8d0d9c5f1e18642616f4bcb89

SHA1
a8ab417106c39cef33d7f9d792aca148c1469e5b

SHA256
0b60e8315ae0e3a4073dd8aded9829900baed8aee716ad8024246265d83e0a47

SHA512
4d06bc372dc5cd2cbdfbc5599903401dcb96fed03ace82ee944e95823b3461b92348063d725aa83c34771696bc4d70b5a7840dbb08df14d8c7ea0b8071140f90

Download Submit
C:\Windows\SysWOW64\urdvxc.exe

Filesize
65KB

MD5
8d4fb7c8d0d9c5f1e18642616f4bcb89

SHA1
a8ab417106c39cef33d7f9d792aca148c1469e5b

SHA256
0b60e8315ae0e3a4073dd8aded9829900baed8aee716ad8024246265d83e0a47

SHA512
4d06bc372dc5cd2cbdfbc5599903401dcb96fed03ace82ee944e95823b3461b92348063d725aa83c34771696bc4d70b5a7840dbb08df14d8c7ea0b8071140f90

Download Submit
C:\Windows\SysWOW64\urdvxc.exe

Filesize
65KB

MD5
8d4fb7c8d0d9c5f1e18642616f4bcb89

SHA1
a8ab417106c39cef33d7f9d792aca148c1469e5b

SHA256
0b60e8315ae0e3a4073dd8aded9829900baed8aee716ad8024246265d83e0a47

SHA512
4d06bc372dc5cd2cbdfbc5599903401dcb96fed03ace82ee944e95823b3461b92348063d725aa83c34771696bc4d70b5a7840dbb08df14d8c7ea0b8071140f90

Download Submit
memory/2548-132-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2548-134-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2548-133-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2708-147-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2708-148-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2708-143-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2984-138-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3416-142-0x00000000001C0000-0x00000000001DF000-memory.dmp

Filesize
124KB

Download
memory/4068-150-0x00000000001C0000-0x00000000001DF000-memory.dmp

Filesize
124KB

Download
memory/4068-151-0x00000000001C0000-0x00000000001DF000-memory.dmp

Filesize
124KB

Download
memory/5024-146-0x00000000001C0000-0x00000000001DF000-memory.dmp

Filesize
124KB

Download