Files
File Path | Type | Category | Malicious
---|---|---|---
JtBBqKs53G.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_JtBBqKs53G.exe_43d6ce5f53bd281f18a59363e8da9060d2ba981_31749536_158baf81-6414-4184-a1ea-1e0ccdfb985b\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_JtBBqKs53G.exe_43d6ce5f53bd281f18a59363e8da9060d2ba981_31749536_337f4289-2901-4a0a-8114-1c832252c4ac\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_JtBBqKs53G.exe_43d6ce5f53bd281f18a59363e8da9060d2ba981_31749536_96b2b60c-1c54-4bc6-a7a2-06bc0ed65fbd\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_JtBBqKs53G.exe_43d6ce5f53bd281f18a59363e8da9060d2ba981_31749536_b6345be3-c38a-45fe-a2e1-34d493e51155\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_JtBBqKs53G.exe_43d6ce5f53bd281f18a59363e8da9060d2ba981_31749536_c4668a89-5dfa-4b2e-8346-60fb2b69516b\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_JtBBqKs53G.exe_43d6ce5f53bd281f18a59363e8da9060d2ba981_31749536_e2ec837c-8e96-458a-987c-dc06c15e4699\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_JtBBqKs53G.exe_43d6ce5f53bd281f18a59363e8da9060d2ba981_31749536_f988a173-b8e9-414b-9cb5-1c4fef1cb4f4\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_JtBBqKs53G.exe_bf7c8ad7f1083a49e48c6263938b6f798e05de0_31749536_e45e9632-8dec-46bd-b4a8-a4b543e6c8cb\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC371.tmp.dmp | Mini DuMP crash report, 14 streams, Thu Mar 28 08:11:00 2024, 0x1205a4 type | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC45C.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC48C.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC6EB.tmp.dmp | Mini DuMP crash report, 14 streams, Thu Mar 28 08:11:01 2024, 0x1205a4 type | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC7B7.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC7D8.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC98B.tmp.dmp | Mini DuMP crash report, 14 streams, Thu Mar 28 08:11:02 2024, 0x1205a4 type | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC9FA.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERCA1A.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERCC0C.tmp.dmp | Mini DuMP crash report, 14 streams, Thu Mar 28 08:11:02 2024, 0x1205a4 type | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERCC8A.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERCCBA.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD090.tmp.dmp | Mini DuMP crash report, 14 streams, Thu Mar 28 08:11:03 2024, 0x1205a4 type | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD12D.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD16D.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD301.tmp.dmp | Mini DuMP crash report, 14 streams, Thu Mar 28 08:11:04 2024, 0x1205a4 type | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD43B.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD45B.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDA93.tmp.dmp | Mini DuMP crash report, 14 streams, Thu Mar 28 08:11:06 2024, 0x1205a4 type | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDB3F.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDB6F.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDD81.tmp.dmp | Mini DuMP crash report, 14 streams, Thu Mar 28 08:11:07 2024, 0x1205a4 type | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDE2D.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDE4E.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\ping[1].htm | very short file (no magic) | dropped |
C:\Windows\appcompat\Programs\Amcache.hve | MS Windows registry file, NT/2000 or above | dropped |

25 further files are not shown in this view.
Processes
Path | Cmdline | Malicious
---|---|---
C:\Users\user\Desktop\JtBBqKs53G.exe | "C:\Users\user\Desktop\JtBBqKs53G.exe" |
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6960 -ip 6960 |
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6960 -s 732 |
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6960 -s 720 |
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6960 -s 792 |
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6960 -s 732 |
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6960 -s 980 |
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6960 -s 1020 |
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6960 -s 1344 |
C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c taskkill /im "JtBBqKs53G.exe" /f & erase "C:\Users\user\Desktop\JtBBqKs53G.exe" & exit |
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6960 -s 1464 |
C:\Windows\SysWOW64\taskkill.exe | taskkill /im "JtBBqKs53G.exe" /f |

3 further processes are not shown in this view.
URLs
Name | IP | Malicious
---|---|---
http://185.172.128.90/cpa/ping.php?substr=one&s=two | 185.172.128.90 |
http://upx.sf.net | unknown |
http://185.172.128.90/cpa/ping.php?substr=one&s=twoV | unknown |
IPs
IP | Domain | Country | Malicious
---|---|---|---
185.172.128.90 | unknown | Russian Federation |
Registry
Path | Value | Malicious
---|---|---
\REGISTRY\A\{a5d6b1e4-84b8-7172-6785-b3b9be5b1ae3}\Root\InventoryApplicationFile\jtbbqks53g.exe\|ca960b32d6a0c481 | ProgramId |
\REGISTRY\A\{a5d6b1e4-84b8-7172-6785-b3b9be5b1ae3}\Root\InventoryApplicationFile\jtbbqks53g.exe\|ca960b32d6a0c481 | FileId |
\REGISTRY\A\{a5d6b1e4-84b8-7172-6785-b3b9be5b1ae3}\Root\InventoryApplicationFile\jtbbqks53g.exe\|ca960b32d6a0c481 | LowerCaseLongPath |
\REGISTRY\A\{a5d6b1e4-84b8-7172-6785-b3b9be5b1ae3}\Root\InventoryApplicationFile\jtbbqks53g.exe\|ca960b32d6a0c481 | LongPathHash |
\REGISTRY\A\{a5d6b1e4-84b8-7172-6785-b3b9be5b1ae3}\Root\InventoryApplicationFile\jtbbqks53g.exe\|ca960b32d6a0c481 | Name |
\REGISTRY\A\{a5d6b1e4-84b8-7172-6785-b3b9be5b1ae3}\Root\InventoryApplicationFile\jtbbqks53g.exe\|ca960b32d6a0c481 | OriginalFileName |
\REGISTRY\A\{a5d6b1e4-84b8-7172-6785-b3b9be5b1ae3}\Root\InventoryApplicationFile\jtbbqks53g.exe\|ca960b32d6a0c481 | Publisher |
\REGISTRY\A\{a5d6b1e4-84b8-7172-6785-b3b9be5b1ae3}\Root\InventoryApplicationFile\jtbbqks53g.exe\|ca960b32d6a0c481 | Version |
\REGISTRY\A\{a5d6b1e4-84b8-7172-6785-b3b9be5b1ae3}\Root\InventoryApplicationFile\jtbbqks53g.exe\|ca960b32d6a0c481 | BinFileVersion |
\REGISTRY\A\{a5d6b1e4-84b8-7172-6785-b3b9be5b1ae3}\Root\InventoryApplicationFile\jtbbqks53g.exe\|ca960b32d6a0c481 | BinaryType |
\REGISTRY\A\{a5d6b1e4-84b8-7172-6785-b3b9be5b1ae3}\Root\InventoryApplicationFile\jtbbqks53g.exe\|ca960b32d6a0c481 | ProductName |
\REGISTRY\A\{a5d6b1e4-84b8-7172-6785-b3b9be5b1ae3}\Root\InventoryApplicationFile\jtbbqks53g.exe\|ca960b32d6a0c481 | ProductVersion |
\REGISTRY\A\{a5d6b1e4-84b8-7172-6785-b3b9be5b1ae3}\Root\InventoryApplicationFile\jtbbqks53g.exe\|ca960b32d6a0c481 | LinkDate |
\REGISTRY\A\{a5d6b1e4-84b8-7172-6785-b3b9be5b1ae3}\Root\InventoryApplicationFile\jtbbqks53g.exe\|ca960b32d6a0c481 | BinProductVersion |
\REGISTRY\A\{a5d6b1e4-84b8-7172-6785-b3b9be5b1ae3}\Root\InventoryApplicationFile\jtbbqks53g.exe\|ca960b32d6a0c481 | AppxPackageFullName |
\REGISTRY\A\{a5d6b1e4-84b8-7172-6785-b3b9be5b1ae3}\Root\InventoryApplicationFile\jtbbqks53g.exe\|ca960b32d6a0c481 | AppxPackageRelativeId |
\REGISTRY\A\{a5d6b1e4-84b8-7172-6785-b3b9be5b1ae3}\Root\InventoryApplicationFile\jtbbqks53g.exe\|ca960b32d6a0c481 | Size |
\REGISTRY\A\{a5d6b1e4-84b8-7172-6785-b3b9be5b1ae3}\Root\InventoryApplicationFile\jtbbqks53g.exe\|ca960b32d6a0c481 | Language |
\REGISTRY\A\{a5d6b1e4-84b8-7172-6785-b3b9be5b1ae3}\Root\InventoryApplicationFile\jtbbqks53g.exe\|ca960b32d6a0c481 | Usn |
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} | DeviceTicket |
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} | DeviceId |
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} | ApplicationFlags |
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property | 0018000DDABBE6B3 |

13 further registry entries are not shown in this view.
Memdumps
Base Address | Region type | Protect | Malicious
---|---|---|---
2750000 | direct allocation | page execute and read and write |
400000 | unknown | page execute and read and write |
2780000 | direct allocation | page read and write |
28FE000 | stack | page read and write |
2F5D000 | stack | page read and write |
410000 | unknown | page readonly |
3308000 | heap | page read and write |
32F3000 | heap | page read and write |
D5F000 | stack | page read and write |
D70000 | heap | page read and write |
AE6000 | unknown | page read and write |
32DE000 | stack | page read and write |
27E0000 | heap | page read and write |
42F000 | unknown | page write copy |
29A2000 | heap | page read and write |
295E000 | stack | page read and write |
3590000 | heap | page read and write |
2A24000 | heap | page read and write |
2780000 | heap | page read and write |
319B000 | stack | page read and write |
2A0C000 | heap | page read and write |
FAF000 | stack | page read and write |
2BFF000 | unknown | page read and write |
36BC000 | stack | page read and write |
31DD000 | stack | page read and write |
2EEE000 | stack | page read and write |
27B0000 | heap | page read and write |
B85000 | heap | page read and write |
B4E000 | stack | page read and write |
32F0000 | heap | page read and write |
2A00000 | heap | page read and write |
27FD000 | stack | page read and write |
2DED000 | stack | page read and write |
1F0000 | heap | page read and write |
DA9000 | heap | page read and write |
2CAD000 | stack | page read and write |
2CFF000 | stack | page read and write |
2DAE000 | stack | page read and write |
305E000 | stack | page read and write |
441000 | unknown | page read and write |
267D000 | stack | page read and write |
282E000 | unknown | page read and write |
29A0000 | heap | page read and write |
400000 | unknown | page readonly |
2830000 | heap | page read and write |
3580000 | heap | page read and write |
E57000 | heap | page read and write |
277D000 | stack | page read and write |
401000 | unknown | page execute read |
AE8000 | unknown | page readonly |
D8D000 | heap | page execute and read and write |
41C000 | unknown | page write copy |
417000 | unknown | page write copy |
2A23000 | heap | page read and write |
E43000 | heap | page read and write |
309D000 | stack | page read and write |
198000 | stack | page read and write |
D7E000 | heap | page read and write |
3304000 | heap | page read and write |
D7A000 | heap | page read and write |
37BD000 | stack | page read and write |
AE8000 | unknown | page readonly |
B80000 | heap | page read and write |
9B000 | stack | page read and write |
2920000 | heap | page read and write |
2D00000 | heap | page read and write |
EAE000 | stack | page read and write |
34C0000 | heap | page read and write |
E2D000 | heap | page read and write |
B00000 | heap | page read and write |
2A24000 | heap | page read and write |
2840000 | heap | page read and write |

62 further memory dumps are not shown in this view.