4549973a16a5abc61be21508a283f5d11eed0d68f855a3c7154cfde1993a26f5

Analysis

max time kernel
151s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
06/10/2023, 15:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.587c77cfce5163e1c00da769f4578900_JC.exe
Size

59KB
MD5

587c77cfce5163e1c00da769f4578900
SHA1

7aca81479914d7e70d12aeaec2fc4777764df616
SHA256

4549973a16a5abc61be21508a283f5d11eed0d68f855a3c7154cfde1993a26f5
SHA512

fcf996d340d55ec21f4be23c2c00326ade0e884d4efae3e05ebdad7685c8f17baff2638074f25559e6698f7d9d952dc5b488c38822c82263ae79f9d790082273
SSDEEP

768:Ol2qbhmBvdoBCnS5e5GPU1CK3fJjg/UvZzddqoj+YzZ43VgQ3nb+txkiYkxYPhji:Ol2ijQCQBrR1j+YzqhSfk5kIFZ83h

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4388	urdvxc.exe
3292	urdvxc.exe
1764	urdvxc.exe
4980	urdvxc.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\urdvxc.exe	NEAS.587c77cfce5163e1c00da769f4578900_JC.exe
File opened for modification	C:\Windows\SysWOW64\urdvxc.exe	NEAS.587c77cfce5163e1c00da769f4578900_JC.exe
File created	C:\Windows\SysWOW64\urdvxc.exe	urdvxc.exe

Drops file in Program Files directory 63 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\README-JDK.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\about.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\tsbknceh.exe	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\Welcome.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\about.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\about.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\sekbhrbe.exe	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\about.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\Welcome.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\nsstljje.exe	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\about.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\MCABOUT.HTM	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\RELEASE-NOTES.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\about.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\cpyr.htm	urdvxc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\rvhrjtnt.exe	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\njqrsbcq.exe	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\about.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\preface.htm	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\README.html	urdvxc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\README.HTM	urdvxc.exe
File opened for modification	C:\Program Files\UnlockFormat.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\qrhljwvn.exe	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\PersonaSpy.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh.htm	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\title.htm	urdvxc.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\jtlnctqk.exe	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh001.htm	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\about.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bklnbknw.exe	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\about.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\OSPP.HTM	urdvxc.exe

Modifies registry class 54 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7774BDCB-BC2A-526E-C798-34FA771E21D1}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "jkrwtjwnsswqtvhq"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9E5B2A0-6DA4-8211-3F09-7196AABBE564}\ = "wjklnhtbsvnrnlkn"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C803653-A26A-88C7-574B-3B28BF06C94C}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E88A8DA-6487-F103-FFE5-C2B0648486DC}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58F22A6B-E9C1-CE13-9AB2-6E6A8B42D5FD}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5CA91ECD-564C-3E29-5336-C066EB2FABF6}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA786BA8-8408-A4C4-E62F-E8969CD0195A}	NEAS.587c77cfce5163e1c00da769f4578900_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C803653-A26A-88C7-574B-3B28BF06C94C}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5CA91ECD-564C-3E29-5336-C066EB2FABF6}\LocalServer32\ = "C:\\Program Files\\Java\\jre1.8.0_66\\jtlnctqk.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA786BA8-8408-A4C4-E62F-E8969CD0195A}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.587c77cfce5163e1c00da769f4578900_JC.exe"	NEAS.587c77cfce5163e1c00da769f4578900_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5CA91ECD-564C-3E29-5336-C066EB2FABF6}\ = "hjeljjwvtbxjlbvt"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9E5B2A0-6DA4-8211-3F09-7196AABBE564}\LocalServer32\ = "C:\\Program Files\\Microsoft Office\\root\\Office16\\PersonaSpy\\tsbknceh.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{17B30228-FEAE-52CE-E831-3379C40FDBE8}\LocalServer32\ = "C:\\Program Files\\Java\\jdk1.8.0_66\\lib\\missioncontrol\\features\\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\\nsstljje.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C803653-A26A-88C7-574B-3B28BF06C94C}\ = "sezjhssxswbzjebq"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C803653-A26A-88C7-574B-3B28BF06C94C}\LocalServer32\ = "C:\\Program Files\\Java\\jdk1.8.0_66\\bklnbknw.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "tsqvclhcthnvjlej"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7774BDCB-BC2A-526E-C798-34FA771E21D1}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7774BDCB-BC2A-526E-C798-34FA771E21D1}\ = "vcsrthrblckbvtjj"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58F22A6B-E9C1-CE13-9AB2-6E6A8B42D5FD}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "jtxecznrxtsecnns"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7774BDCB-BC2A-526E-C798-34FA771E21D1}\LocalServer32\ = "C:\\Program Files\\Java\\jdk1.8.0_66\\db\\qrhljwvn.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E88A8DA-6487-F103-FFE5-C2B0648486DC}\LocalServer32\ = "C:\\Program Files\\Java\\jdk1.8.0_66\\jre\\sekbhrbe.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5CA91ECD-564C-3E29-5336-C066EB2FABF6}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA786BA8-8408-A4C4-E62F-E8969CD0195A}\ = "kkkjezxqjknsjwtj"	NEAS.587c77cfce5163e1c00da769f4578900_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{17B30228-FEAE-52CE-E831-3379C40FDBE8}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{17B30228-FEAE-52CE-E831-3379C40FDBE8}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA786BA8-8408-A4C4-E62F-E8969CD0195A}\LocalServer32	NEAS.587c77cfce5163e1c00da769f4578900_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58F22A6B-E9C1-CE13-9AB2-6E6A8B42D5FD}\ = "qjekvrjvjkcvnjbc"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB4470BE-3A35-A218-C7F6-4398C8694892}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB4470BE-3A35-A218-C7F6-4398C8694892}\LocalServer32\ = "C:\\Program Files\\Microsoft Office\\root\\vfs\\ProgramFilesCommonX64\\Microsoft Shared\\Smart Tag\\1033\\rvhrjtnt.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "xrjbrlnxkclqkrsh"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E88A8DA-6487-F103-FFE5-C2B0648486DC}\ = "jbexntsjkkcrcwbw"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9E5B2A0-6DA4-8211-3F09-7196AABBE564}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9E5B2A0-6DA4-8211-3F09-7196AABBE564}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{17B30228-FEAE-52CE-E831-3379C40FDBE8}\ = "nsbxwntxzvljbzkc"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58F22A6B-E9C1-CE13-9AB2-6E6A8B42D5FD}\ = "eketjezlbrcsewvn"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB4470BE-3A35-A218-C7F6-4398C8694892}\ = "wtknjvxeettreten"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58F22A6B-E9C1-CE13-9AB2-6E6A8B42D5FD}\LocalServer32\ = "C:\\Program Files\\Java\\jdk1.8.0_66\\lib\\missioncontrol\\features\\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\\njqrsbcq.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB4470BE-3A35-A218-C7F6-4398C8694892}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{17B30228-FEAE-52CE-E831-3379C40FDBE8}\ = "stctevjbwsrllnhr"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E88A8DA-6487-F103-FFE5-C2B0648486DC}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4388	urdvxc.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3356 wrote to memory of 4388	3356	NEAS.587c77cfce5163e1c00da769f4578900_JC.exe	86
PID 3356 wrote to memory of 4388	3356	NEAS.587c77cfce5163e1c00da769f4578900_JC.exe	86
PID 3356 wrote to memory of 4388	3356	NEAS.587c77cfce5163e1c00da769f4578900_JC.exe	86
PID 3356 wrote to memory of 3292	3356	NEAS.587c77cfce5163e1c00da769f4578900_JC.exe	88
PID 3356 wrote to memory of 3292	3356	NEAS.587c77cfce5163e1c00da769f4578900_JC.exe	88
PID 3356 wrote to memory of 3292	3356	NEAS.587c77cfce5163e1c00da769f4578900_JC.exe	88
PID 3356 wrote to memory of 4980	3356	NEAS.587c77cfce5163e1c00da769f4578900_JC.exe	90
PID 3356 wrote to memory of 4980	3356	NEAS.587c77cfce5163e1c00da769f4578900_JC.exe	90
PID 3356 wrote to memory of 4980	3356	NEAS.587c77cfce5163e1c00da769f4578900_JC.exe	90

C:\Users\Admin\AppData\Local\Temp\NEAS.587c77cfce5163e1c00da769f4578900_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.587c77cfce5163e1c00da769f4578900_JC.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3356
- C:\Windows\SysWOW64\urdvxc.exe
  C:\Windows\system32\urdvxc.exe /installservice
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:4388
- C:\Windows\SysWOW64\urdvxc.exe
  C:\Windows\system32\urdvxc.exe /start
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:3292
- C:\Windows\SysWOW64\urdvxc.exe
  C:\Windows\system32\urdvxc.exe /uninstallservice patch:C:\Users\Admin\AppData\Local\Temp\NEAS.587c77cfce5163e1c00da769f4578900_JC.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:4980

C:\Windows\SysWOW64\urdvxc.exe
"C:\Windows\SysWOW64\urdvxc.exe" /service
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
PID:1764

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\urdvxc.exe

Filesize
59KB

MD5
587c77cfce5163e1c00da769f4578900

SHA1
7aca81479914d7e70d12aeaec2fc4777764df616

SHA256
4549973a16a5abc61be21508a283f5d11eed0d68f855a3c7154cfde1993a26f5

SHA512
fcf996d340d55ec21f4be23c2c00326ade0e884d4efae3e05ebdad7685c8f17baff2638074f25559e6698f7d9d952dc5b488c38822c82263ae79f9d790082273

Download Submit
C:\Windows\SysWOW64\urdvxc.exe

Filesize
59KB

MD5
587c77cfce5163e1c00da769f4578900

SHA1
7aca81479914d7e70d12aeaec2fc4777764df616

SHA256
4549973a16a5abc61be21508a283f5d11eed0d68f855a3c7154cfde1993a26f5

SHA512
fcf996d340d55ec21f4be23c2c00326ade0e884d4efae3e05ebdad7685c8f17baff2638074f25559e6698f7d9d952dc5b488c38822c82263ae79f9d790082273

Download Submit
C:\Windows\SysWOW64\urdvxc.exe

Filesize
59KB

MD5
587c77cfce5163e1c00da769f4578900

SHA1
7aca81479914d7e70d12aeaec2fc4777764df616

SHA256
4549973a16a5abc61be21508a283f5d11eed0d68f855a3c7154cfde1993a26f5

SHA512
fcf996d340d55ec21f4be23c2c00326ade0e884d4efae3e05ebdad7685c8f17baff2638074f25559e6698f7d9d952dc5b488c38822c82263ae79f9d790082273

Download Submit
C:\Windows\SysWOW64\urdvxc.exe

Filesize
59KB

MD5
587c77cfce5163e1c00da769f4578900

SHA1
7aca81479914d7e70d12aeaec2fc4777764df616

SHA256
4549973a16a5abc61be21508a283f5d11eed0d68f855a3c7154cfde1993a26f5

SHA512
fcf996d340d55ec21f4be23c2c00326ade0e884d4efae3e05ebdad7685c8f17baff2638074f25559e6698f7d9d952dc5b488c38822c82263ae79f9d790082273

Download Submit
C:\Windows\SysWOW64\urdvxc.exe

Filesize
59KB

MD5
587c77cfce5163e1c00da769f4578900

SHA1
7aca81479914d7e70d12aeaec2fc4777764df616

SHA256
4549973a16a5abc61be21508a283f5d11eed0d68f855a3c7154cfde1993a26f5

SHA512
fcf996d340d55ec21f4be23c2c00326ade0e884d4efae3e05ebdad7685c8f17baff2638074f25559e6698f7d9d952dc5b488c38822c82263ae79f9d790082273

Download Submit
memory/1764-43-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-62-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-12-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-353-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-14-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-15-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-16-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-20-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-44-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-22-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-23-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-24-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-25-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-80-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-79-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-28-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-78-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-77-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-76-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-75-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-30-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-31-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-32-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-33-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-34-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-46-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-36-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-37-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-38-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-39-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-40-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-41-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-42-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-74-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-21-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-47-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-35-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-45-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-48-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-49-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-50-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-51-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-52-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-53-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-54-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-55-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-56-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-57-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-58-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-59-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-60-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-61-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-73-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-63-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-64-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-65-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-66-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-67-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-68-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-69-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-70-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-71-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1764-72-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3292-10-0x00000000001C0000-0x00000000001DF000-memory.dmp

Filesize
124KB

Download
memory/3292-13-0x00000000001C0000-0x00000000001DF000-memory.dmp

Filesize
124KB

Download
memory/3356-1-0x0000000000440000-0x000000000045F000-memory.dmp

Filesize
124KB

Download
memory/3356-27-0x0000000000440000-0x000000000045F000-memory.dmp

Filesize
124KB

Download
memory/3356-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4388-8-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4388-7-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4388-6-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4980-29-0x00000000001C0000-0x00000000001DF000-memory.dmp

Filesize
124KB

Download