1145c3a90277da43c50de7574eeef316a9396d52f1b63a9bfdfe260ebf13fa33

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2024, 19:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1145c3a90277da43c50de7574eeef316a9396d52f1b63a9bfdfe260ebf13fa33.exe
Size

56KB
MD5

8eec86f8d9617c8e997e720eeb905cad
SHA1

ff88eaa041ebf126ac34d4d0d1e2d7219cc92454
SHA256

1145c3a90277da43c50de7574eeef316a9396d52f1b63a9bfdfe260ebf13fa33
SHA512

d989ae1b067d6fcad74c7e28bb5348c5c01600440fd61f37f9fddaf26ee14f74b429764749a6b41667c32aff57413e832690a44689cd369315e2c034c6a6cbff
SSDEEP

1536:yPgZ0yZv9Zo7tSZSGfjMCsoup1sm8iiaqBa3wNI:y4Z0+ZpPjWounsmUst

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1704	urdvxc.exe

Executes dropped EXE 4 IoCs

pid	Process
2492	urdvxc.exe
4084	urdvxc.exe
4360	urdvxc.exe
1704	urdvxc.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\urdvxc.exe	1145c3a90277da43c50de7574eeef316a9396d52f1b63a9bfdfe260ebf13fa33.exe
File opened for modification	C:\Windows\SysWOW64\urdvxc.exe	1145c3a90277da43c50de7574eeef316a9396d52f1b63a9bfdfe260ebf13fa33.exe
File created	C:\Windows\SysWOW64\urdvxc.exe	urdvxc.exe

Drops file in Program Files directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\Welcome.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\chllsvtv.exe	urdvxc.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\OSPP.HTM	urdvxc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile.html	urdvxc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\kznjrtew.exe	urdvxc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\hrbhlxhb.exe	urdvxc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\vlm_export.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\README.html	urdvxc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\browse_window.html	urdvxc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\create_stream.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jre-1.8\hcjzqenb.exe	urdvxc.exe
File opened for modification	C:\Program Files\JoinApprove.html	urdvxc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\rvhrjtnt.exe	urdvxc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile_equalizer.html	urdvxc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\view.html	urdvxc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\vlm.html	urdvxc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\tsbknceh.exe	urdvxc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\mosaic_window.html	urdvxc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\offset_window.html	urdvxc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_window.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jre-1.8\Welcome.html	urdvxc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\equalizer_window.html	urdvxc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_config_window.html	urdvxc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\index.html	urdvxc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\nxqsxhql.exe	urdvxc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\README.HTM	urdvxc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile_browse.html	urdvxc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\bootstrap.html	urdvxc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\vpaid.html	urdvxc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\PersonaSpy.html	urdvxc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\MCABOUT.HTM	urdvxc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\bkbbtzlb.exe	urdvxc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\vlbvwvhv.exe	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\revhnlhn.exe	urdvxc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\batch_window.html	urdvxc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\error_window.html	urdvxc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile_view.html	urdvxc.exe

Modifies registry class 60 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB4470BE-3A35-A218-C7F6-4398C8694892}\LocalServer32\ = "C:\\Program Files\\Microsoft Office\\root\\vfs\\ProgramFilesCommonX64\\Microsoft Shared\\Smart Tag\\1033\\rvhrjtnt.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7A1F8B4D-AC79-4B22-67EA-E30560A5BF1C}\LocalServer32\ = "C:\\Program Files\\VideoLAN\\VLC\\lua\\http\\bkbbtzlb.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC84F518-2B78-BCFB-E876-EDAE640549C3}\LocalServer32\ = "C:\\Program Files\\Java\\jre-1.8\\hcjzqenb.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5BFAF607-9DDA-565E-A528-64082B45FA4C}\LocalServer32\ = "C:\\Program Files\\VideoLAN\\VLC\\lua\\http\\kznjrtew.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D72C442F-6EA9-BFAF-2703-0F262F8765FD}\ = "ltshescnjlsnnkkl"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8308FF82-554C-D53A-FE36-8DDED83673EF}\LocalServer32\ = "C:\\Program Files\\VideoLAN\\VLC\\lua\\http\\hrbhlxhb.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5DA7E191-3518-8C5E-DAD0-E316016B7509}\ = "hvxvknhjnbkxlvtb"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4DA7BCA8-2512-8FCE-67B5-F36442F4E210}\LocalServer32\ = "C:\\Program Files\\VideoLAN\\VLC\\lua\\http\\vlbvwvhv.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62B77361-C052-178D-5313-7AF2D2475E12}\LocalServer32\ = "C:\\Program Files\\VideoLAN\\VLC\\lua\\http\\nxqsxhql.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9E5B2A0-6DA4-8211-3F09-7196AABBE564}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7A1F8B4D-AC79-4B22-67EA-E30560A5BF1C}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC84F518-2B78-BCFB-E876-EDAE640549C3}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62B77361-C052-178D-5313-7AF2D2475E12}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8308FF82-554C-D53A-FE36-8DDED83673EF}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D72C442F-6EA9-BFAF-2703-0F262F8765FD}\LocalServer32\ = "C:\\Program Files\\Java\\jdk-1.8\\chllsvtv.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC84F518-2B78-BCFB-E876-EDAE640549C3}\ = "nkkszsellhwtkhrn"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5BFAF607-9DDA-565E-A528-64082B45FA4C}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4DA7BCA8-2512-8FCE-67B5-F36442F4E210}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62B77361-C052-178D-5313-7AF2D2475E12}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "cnwhwjrjttzekvjs"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7A1F8B4D-AC79-4B22-67EA-E30560A5BF1C}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7A1F8B4D-AC79-4B22-67EA-E30560A5BF1C}\ = "nllstkkklbqttlxb"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4DA7BCA8-2512-8FCE-67B5-F36442F4E210}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D72C442F-6EA9-BFAF-2703-0F262F8765FD}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9E5B2A0-6DA4-8211-3F09-7196AABBE564}\ = "jltssexlrnekhhxr"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5BFAF607-9DDA-565E-A528-64082B45FA4C}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D72C442F-6EA9-BFAF-2703-0F262F8765FD}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC84F518-2B78-BCFB-E876-EDAE640549C3}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5DA7E191-3518-8C5E-DAD0-E316016B7509}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5BFAF607-9DDA-565E-A528-64082B45FA4C}\ = "rjletleebhvxvtte"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "nkbjkhzltsqbxqzz"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8308FF82-554C-D53A-FE36-8DDED83673EF}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2321BCA6-5C1B-F12F-2C91-1C708479498D}	1145c3a90277da43c50de7574eeef316a9396d52f1b63a9bfdfe260ebf13fa33.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "lnjxezcwxlltslle"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5DA7E191-3518-8C5E-DAD0-E316016B7509}\LocalServer32\ = "C:\\Program Files\\Java\\jdk-1.8\\jre\\revhnlhn.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9E5B2A0-6DA4-8211-3F09-7196AABBE564}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9E5B2A0-6DA4-8211-3F09-7196AABBE564}\LocalServer32\ = "C:\\Program Files\\Microsoft Office\\root\\Office16\\PersonaSpy\\tsbknceh.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2321BCA6-5C1B-F12F-2C91-1C708479498D}\LocalServer32	1145c3a90277da43c50de7574eeef316a9396d52f1b63a9bfdfe260ebf13fa33.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5DA7E191-3518-8C5E-DAD0-E316016B7509}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB4470BE-3A35-A218-C7F6-4398C8694892}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62B77361-C052-178D-5313-7AF2D2475E12}\ = "vtwxrecssebhkbzh"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8308FF82-554C-D53A-FE36-8DDED83673EF}\ = "wxxlkscnbjerxlzk"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "trzvsxkxwhekrsce"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB4470BE-3A35-A218-C7F6-4398C8694892}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4DA7BCA8-2512-8FCE-67B5-F36442F4E210}\ = "srqcsclxwqbelken"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2321BCA6-5C1B-F12F-2C91-1C708479498D}\ = "sesbjhecrhhhbbhn"	1145c3a90277da43c50de7574eeef316a9396d52f1b63a9bfdfe260ebf13fa33.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2321BCA6-5C1B-F12F-2C91-1C708479498D}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1145c3a90277da43c50de7574eeef316a9396d52f1b63a9bfdfe260ebf13fa33.exe"	1145c3a90277da43c50de7574eeef316a9396d52f1b63a9bfdfe260ebf13fa33.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB4470BE-3A35-A218-C7F6-4398C8694892}\ = "qntwhenlswcsbhrk"	urdvxc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2492	urdvxc.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 2492	2596	1145c3a90277da43c50de7574eeef316a9396d52f1b63a9bfdfe260ebf13fa33.exe	85
PID 2596 wrote to memory of 2492	2596	1145c3a90277da43c50de7574eeef316a9396d52f1b63a9bfdfe260ebf13fa33.exe	85
PID 2596 wrote to memory of 2492	2596	1145c3a90277da43c50de7574eeef316a9396d52f1b63a9bfdfe260ebf13fa33.exe	85
PID 2596 wrote to memory of 4084	2596	1145c3a90277da43c50de7574eeef316a9396d52f1b63a9bfdfe260ebf13fa33.exe	87
PID 2596 wrote to memory of 4084	2596	1145c3a90277da43c50de7574eeef316a9396d52f1b63a9bfdfe260ebf13fa33.exe	87
PID 2596 wrote to memory of 4084	2596	1145c3a90277da43c50de7574eeef316a9396d52f1b63a9bfdfe260ebf13fa33.exe	87
PID 2596 wrote to memory of 1704	2596	1145c3a90277da43c50de7574eeef316a9396d52f1b63a9bfdfe260ebf13fa33.exe	89
PID 2596 wrote to memory of 1704	2596	1145c3a90277da43c50de7574eeef316a9396d52f1b63a9bfdfe260ebf13fa33.exe	89
PID 2596 wrote to memory of 1704	2596	1145c3a90277da43c50de7574eeef316a9396d52f1b63a9bfdfe260ebf13fa33.exe	89

C:\Users\Admin\AppData\Local\Temp\1145c3a90277da43c50de7574eeef316a9396d52f1b63a9bfdfe260ebf13fa33.exe
"C:\Users\Admin\AppData\Local\Temp\1145c3a90277da43c50de7574eeef316a9396d52f1b63a9bfdfe260ebf13fa33.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Windows\SysWOW64\urdvxc.exe
  C:\Windows\system32\urdvxc.exe /installservice
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:2492
- C:\Windows\SysWOW64\urdvxc.exe
  C:\Windows\system32\urdvxc.exe /start
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:4084
- C:\Windows\SysWOW64\urdvxc.exe
  C:\Windows\system32\urdvxc.exe /uninstallservice patch:C:\Users\Admin\AppData\Local\Temp\1145c3a90277da43c50de7574eeef316a9396d52f1b63a9bfdfe260ebf13fa33.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies registry class
  PID:1704

C:\Windows\SysWOW64\urdvxc.exe
"C:\Windows\SysWOW64\urdvxc.exe" /service
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
PID:4360

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\urdvxc.exe

Filesize
56KB

MD5
8eec86f8d9617c8e997e720eeb905cad

SHA1
ff88eaa041ebf126ac34d4d0d1e2d7219cc92454

SHA256
1145c3a90277da43c50de7574eeef316a9396d52f1b63a9bfdfe260ebf13fa33

SHA512
d989ae1b067d6fcad74c7e28bb5348c5c01600440fd61f37f9fddaf26ee14f74b429764749a6b41667c32aff57413e832690a44689cd369315e2c034c6a6cbff

Download Submit
memory/1704-46-0x00000000001C0000-0x00000000001DF000-memory.dmp

Filesize
124KB

Download
memory/2492-5-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2492-6-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2596-0-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2596-43-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4084-8-0x00000000001C0000-0x00000000001DF000-memory.dmp

Filesize
124KB

Download
memory/4360-41-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-50-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-16-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-18-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-19-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-20-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-21-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-22-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-23-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-24-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-25-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-26-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-27-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-28-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-29-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-48-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-31-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-32-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-33-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-34-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-35-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-36-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-37-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-38-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-39-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-40-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-15-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-11-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-44-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-45-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-17-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-10-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-30-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-49-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-47-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-51-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-52-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-53-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-54-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-55-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-56-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-57-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-58-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-59-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-60-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-61-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-62-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-63-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-64-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-65-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-66-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-67-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-68-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-69-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-70-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-71-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-72-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-73-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-74-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-75-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-76-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-77-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4360-1302-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download