a1465a6c79d927b7c539f74712589dbbf17cf6cc49663918a4f20d6c506e9dcd

Analysis

max time kernel
195s
max time network
204s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2023, 20:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.4a6c8db57361c9ad2b091bc8befc6ad0.exe
Size

66KB
MD5

4a6c8db57361c9ad2b091bc8befc6ad0
SHA1

fac346321199e5931c3c0e695490751a8132cfe4
SHA256

a1465a6c79d927b7c539f74712589dbbf17cf6cc49663918a4f20d6c506e9dcd
SHA512

265d6fb3b2fd391ed76af62dfdbea0032886924ae28c38210ec9a8686104305318c978383a0b55aa59bb4b018c8b7978e90b887333caba996161ead58990909e
SSDEEP

768:SrmZsZxwmP1ap8FZjM39zN2MQuqWl9Tg8IRix8CBcwdLBtaQsnuIxbkgsr2e+YQ/:/szXm67WjIcHcYNsF+gT0QvwXwsA4Q

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1464	urdvxc.exe
3120	urdvxc.exe
3132	urdvxc.exe
5088	urdvxc.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\urdvxc.exe	NEAS.4a6c8db57361c9ad2b091bc8befc6ad0.exe
File created	C:\Windows\SysWOW64\urdvxc.exe	urdvxc.exe
File created	C:\Windows\SysWOW64\urdvxc.exe	NEAS.4a6c8db57361c9ad2b091bc8befc6ad0.exe

Drops file in Program Files directory 62 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\about.html	urdvxc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\PersonaSpy.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\about.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\about.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\about.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\about.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\preface.htm	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\README.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\cpyr.htm	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh001.htm	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bklnbknw.exe	urdvxc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\rvhrjtnt.exe	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\title.htm	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\about.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\about.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\tsbknceh.exe	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\jtlnctqk.exe	urdvxc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\README.HTM	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\README-JDK.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\OSPP.HTM	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\nsstljje.exe	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\MCABOUT.HTM	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\Welcome.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\qrhljwvn.exe	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh.htm	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\about.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\about.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\Welcome.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\RELEASE-NOTES.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\sekbhrbe.exe	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\njqrsbcq.exe	urdvxc.exe

Modifies registry class 54 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB4470BE-3A35-A218-C7F6-4398C8694892}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C803653-A26A-88C7-574B-3B28BF06C94C}\ = "btvlwhzbejrtlwln"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB4470BE-3A35-A218-C7F6-4398C8694892}\LocalServer32\ = "C:\\Program Files\\Microsoft Office\\root\\vfs\\ProgramFilesCommonX64\\Microsoft Shared\\Smart Tag\\1033\\rvhrjtnt.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7774BDCB-BC2A-526E-C798-34FA771E21D1}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7774BDCB-BC2A-526E-C798-34FA771E21D1}\LocalServer32\ = "C:\\Program Files\\Java\\jdk1.8.0_66\\db\\qrhljwvn.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E88A8DA-6487-F103-FFE5-C2B0648486DC}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{17B30228-FEAE-52CE-E831-3379C40FDBE8}\ = "veejscnsjthbjhrk"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58F22A6B-E9C1-CE13-9AB2-6E6A8B42D5FD}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9E5B2A0-6DA4-8211-3F09-7196AABBE564}\LocalServer32\ = "C:\\Program Files\\Microsoft Office\\root\\Office16\\PersonaSpy\\tsbknceh.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "rqjlhelrncrskhkl"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7774BDCB-BC2A-526E-C798-34FA771E21D1}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{07185A04-82F9-14AB-51B6-AD83A271DEB3}\ = "xkcjtbwlhklrrnkr"	NEAS.4a6c8db57361c9ad2b091bc8befc6ad0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58F22A6B-E9C1-CE13-9AB2-6E6A8B42D5FD}\ = "hbqjrklchjzbtcnt"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C803653-A26A-88C7-574B-3B28BF06C94C}\LocalServer32\ = "C:\\Program Files\\Java\\jdk1.8.0_66\\bklnbknw.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9E5B2A0-6DA4-8211-3F09-7196AABBE564}\ = "cwnrvlhckxzqknlj"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB4470BE-3A35-A218-C7F6-4398C8694892}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7774BDCB-BC2A-526E-C798-34FA771E21D1}\ = "hkqlkstlrvbkzjzc"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E88A8DA-6487-F103-FFE5-C2B0648486DC}\LocalServer32\ = "C:\\Program Files\\Java\\jdk1.8.0_66\\jre\\sekbhrbe.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9E5B2A0-6DA4-8211-3F09-7196AABBE564}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9E5B2A0-6DA4-8211-3F09-7196AABBE564}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58F22A6B-E9C1-CE13-9AB2-6E6A8B42D5FD}\ = "knnlknbttrhkhkcv"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB4470BE-3A35-A218-C7F6-4398C8694892}\ = "kjnstknlxwrsqkew"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "jhhsschckwnskvnt"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58F22A6B-E9C1-CE13-9AB2-6E6A8B42D5FD}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{07185A04-82F9-14AB-51B6-AD83A271DEB3}	NEAS.4a6c8db57361c9ad2b091bc8befc6ad0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C803653-A26A-88C7-574B-3B28BF06C94C}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "ebexseqtnreknbxb"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E88A8DA-6487-F103-FFE5-C2B0648486DC}\ = "xclrkletblhbcbks"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{17B30228-FEAE-52CE-E831-3379C40FDBE8}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{17B30228-FEAE-52CE-E831-3379C40FDBE8}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{17B30228-FEAE-52CE-E831-3379C40FDBE8}\ = "vhswnnbzbssnsrxj"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "ktlsteebnntjrclt"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58F22A6B-E9C1-CE13-9AB2-6E6A8B42D5FD}\LocalServer32\ = "C:\\Program Files\\Java\\jdk1.8.0_66\\lib\\missioncontrol\\features\\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\\njqrsbcq.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C803653-A26A-88C7-574B-3B28BF06C94C}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5CA91ECD-564C-3E29-5336-C066EB2FABF6}\ = "jexjeltbxvjhlrbh"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{07185A04-82F9-14AB-51B6-AD83A271DEB3}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.4a6c8db57361c9ad2b091bc8befc6ad0.exe"	NEAS.4a6c8db57361c9ad2b091bc8befc6ad0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{17B30228-FEAE-52CE-E831-3379C40FDBE8}\LocalServer32\ = "C:\\Program Files\\Java\\jdk1.8.0_66\\lib\\missioncontrol\\features\\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\\nsstljje.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5CA91ECD-564C-3E29-5336-C066EB2FABF6}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5CA91ECD-564C-3E29-5336-C066EB2FABF6}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5CA91ECD-564C-3E29-5336-C066EB2FABF6}\LocalServer32\ = "C:\\Program Files\\Java\\jre1.8.0_66\\jtlnctqk.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{07185A04-82F9-14AB-51B6-AD83A271DEB3}\LocalServer32	NEAS.4a6c8db57361c9ad2b091bc8befc6ad0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E88A8DA-6487-F103-FFE5-C2B0648486DC}	urdvxc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1464	urdvxc.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 1464	1940	NEAS.4a6c8db57361c9ad2b091bc8befc6ad0.exe	87
PID 1940 wrote to memory of 1464	1940	NEAS.4a6c8db57361c9ad2b091bc8befc6ad0.exe	87
PID 1940 wrote to memory of 1464	1940	NEAS.4a6c8db57361c9ad2b091bc8befc6ad0.exe	87
PID 1940 wrote to memory of 3120	1940	NEAS.4a6c8db57361c9ad2b091bc8befc6ad0.exe	88
PID 1940 wrote to memory of 3120	1940	NEAS.4a6c8db57361c9ad2b091bc8befc6ad0.exe	88
PID 1940 wrote to memory of 3120	1940	NEAS.4a6c8db57361c9ad2b091bc8befc6ad0.exe	88
PID 1940 wrote to memory of 5088	1940	NEAS.4a6c8db57361c9ad2b091bc8befc6ad0.exe	90
PID 1940 wrote to memory of 5088	1940	NEAS.4a6c8db57361c9ad2b091bc8befc6ad0.exe	90
PID 1940 wrote to memory of 5088	1940	NEAS.4a6c8db57361c9ad2b091bc8befc6ad0.exe	90

C:\Users\Admin\AppData\Local\Temp\NEAS.4a6c8db57361c9ad2b091bc8befc6ad0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.4a6c8db57361c9ad2b091bc8befc6ad0.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\SysWOW64\urdvxc.exe
  C:\Windows\system32\urdvxc.exe /installservice
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:1464
- C:\Windows\SysWOW64\urdvxc.exe
  C:\Windows\system32\urdvxc.exe /start
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:3120
- C:\Windows\SysWOW64\urdvxc.exe
  C:\Windows\system32\urdvxc.exe /uninstallservice patch:C:\Users\Admin\AppData\Local\Temp\NEAS.4a6c8db57361c9ad2b091bc8befc6ad0.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:5088

C:\Windows\SysWOW64\urdvxc.exe
"C:\Windows\SysWOW64\urdvxc.exe" /service
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
PID:3132

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\urdvxc.exe

Filesize
66KB

MD5
4a6c8db57361c9ad2b091bc8befc6ad0

SHA1
fac346321199e5931c3c0e695490751a8132cfe4

SHA256
a1465a6c79d927b7c539f74712589dbbf17cf6cc49663918a4f20d6c506e9dcd

SHA512
265d6fb3b2fd391ed76af62dfdbea0032886924ae28c38210ec9a8686104305318c978383a0b55aa59bb4b018c8b7978e90b887333caba996161ead58990909e

Download Submit
C:\Windows\SysWOW64\urdvxc.exe

Filesize
66KB

MD5
4a6c8db57361c9ad2b091bc8befc6ad0

SHA1
fac346321199e5931c3c0e695490751a8132cfe4

SHA256
a1465a6c79d927b7c539f74712589dbbf17cf6cc49663918a4f20d6c506e9dcd

SHA512
265d6fb3b2fd391ed76af62dfdbea0032886924ae28c38210ec9a8686104305318c978383a0b55aa59bb4b018c8b7978e90b887333caba996161ead58990909e

Download Submit
C:\Windows\SysWOW64\urdvxc.exe

Filesize
66KB

MD5
4a6c8db57361c9ad2b091bc8befc6ad0

SHA1
fac346321199e5931c3c0e695490751a8132cfe4

SHA256
a1465a6c79d927b7c539f74712589dbbf17cf6cc49663918a4f20d6c506e9dcd

SHA512
265d6fb3b2fd391ed76af62dfdbea0032886924ae28c38210ec9a8686104305318c978383a0b55aa59bb4b018c8b7978e90b887333caba996161ead58990909e

Download Submit
C:\Windows\SysWOW64\urdvxc.exe

Filesize
66KB

MD5
4a6c8db57361c9ad2b091bc8befc6ad0

SHA1
fac346321199e5931c3c0e695490751a8132cfe4

SHA256
a1465a6c79d927b7c539f74712589dbbf17cf6cc49663918a4f20d6c506e9dcd

SHA512
265d6fb3b2fd391ed76af62dfdbea0032886924ae28c38210ec9a8686104305318c978383a0b55aa59bb4b018c8b7978e90b887333caba996161ead58990909e

Download Submit
C:\Windows\SysWOW64\urdvxc.exe

Filesize
66KB

MD5
4a6c8db57361c9ad2b091bc8befc6ad0

SHA1
fac346321199e5931c3c0e695490751a8132cfe4

SHA256
a1465a6c79d927b7c539f74712589dbbf17cf6cc49663918a4f20d6c506e9dcd

SHA512
265d6fb3b2fd391ed76af62dfdbea0032886924ae28c38210ec9a8686104305318c978383a0b55aa59bb4b018c8b7978e90b887333caba996161ead58990909e

Download Submit
memory/1464-6-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1464-7-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1464-8-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1940-29-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1940-0-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1940-1-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3120-10-0x00000000001C0000-0x00000000001DF000-memory.dmp

Filesize
124KB

Download
memory/3132-43-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-48-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-15-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-19-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-20-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-21-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-22-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-23-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-24-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-25-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-297-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-14-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-27-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-30-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-31-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-32-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-33-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-34-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-35-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-36-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-37-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-38-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-39-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-40-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-41-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-42-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-12-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-44-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-45-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-46-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-47-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-13-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-49-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-50-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-51-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-52-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-53-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-54-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-55-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-56-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-57-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-58-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-59-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-60-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-61-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-62-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-63-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-64-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-65-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-66-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-67-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-68-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-69-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-70-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-71-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-72-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-73-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-74-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-75-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-76-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-77-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-78-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/3132-79-0x0000000000500000-0x000000000051F000-memory.dmp

Filesize
124KB

Download
memory/5088-28-0x00000000001C0000-0x00000000001DF000-memory.dmp

Filesize
124KB

Download