Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| a5P4EuInKl.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample | |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_a5P4EuInKl.exe_2c98cfc7b53623ac16532537e2ef180e1bb9ad4_43e5b40d_0c984f7a-1fa6-4dbd-b946-45de863db889\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_a5P4EuInKl.exe_2c98cfc7b53623ac16532537e2ef180e1bb9ad4_43e5b40d_0fb89c56-9514-4a76-9e83-a65f807a4e68\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_a5P4EuInKl.exe_2c98cfc7b53623ac16532537e2ef180e1bb9ad4_43e5b40d_1d796dc6-e4ae-4373-9950-3fee1c8f1a1e\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_a5P4EuInKl.exe_2c98cfc7b53623ac16532537e2ef180e1bb9ad4_43e5b40d_8782a52a-82c8-49d5-96a9-93f9154339fc\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_a5P4EuInKl.exe_2c98cfc7b53623ac16532537e2ef180e1bb9ad4_43e5b40d_8adec5e3-83c2-423d-853f-db2317e01bed\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_a5P4EuInKl.exe_2c98cfc7b53623ac16532537e2ef180e1bb9ad4_43e5b40d_b27ead56-5379-47ba-9fbc-a669adbd1682\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_a5P4EuInKl.exe_2c98cfc7b53623ac16532537e2ef180e1bb9ad4_43e5b40d_e6af1e1a-dd49-4941-91a3-ebd3517cf353\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_a5P4EuInKl.exe_2c98cfc7b53623ac16532537e2ef180e1bb9ad4_43e5b40d_f54f7f6d-a32a-4c96-bc80-e5fc60527cca\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_a5P4EuInKl.exe_917010ab52d923570c5e7376c9870ad2db4ce_43e5b40d_7df8a1b3-85a0-47a4-8c17-deaae878e4ac\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB76.tmp.dmp | Mini DuMP crash report, 14 streams, Thu Mar 28 14:28:52 2024, 0x1205a4 type | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERAC52.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERAC82.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERAF4F.tmp.dmp | Mini DuMP crash report, 14 streams, Thu Mar 28 14:28:53 2024, 0x1205a4 type | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERB03A.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERB05A.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERB20E.tmp.dmp | Mini DuMP crash report, 14 streams, Thu Mar 28 14:28:54 2024, 0x1205a4 type | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERB2BB.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERB2DB.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERB450.tmp.dmp | Mini DuMP crash report, 14 streams, Thu Mar 28 14:28:54 2024, 0x1205a4 type | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERB4BE.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERB4DE.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERB6C1.tmp.dmp | Mini DuMP crash report, 14 streams, Thu Mar 28 14:28:55 2024, 0x1205a4 type | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERB72F.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERB74F.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERB990.tmp.dmp | Mini DuMP crash report, 14 streams, Thu Mar 28 14:28:56 2024, 0x1205a4 type | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERBA3C.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERBA5D.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERBC10.tmp.dmp | Mini DuMP crash report, 14 streams, Thu Mar 28 14:28:56 2024, 0x1205a4 type | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERBC8E.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERBCAE.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERC325.tmp.dmp | Mini DuMP crash report, 14 streams, Thu Mar 28 14:28:58 2024, 0x1205a4 type | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERC3C2.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERC411.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERC661.tmp.dmp | Mini DuMP crash report, 14 streams, Thu Mar 28 14:28:59 2024, 0x1205a4 type | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERC70E.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERC73E.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\ping[1].htm | very short file (no magic) | dropped | |
| C:\Windows\appcompat\Programs\Amcache.hve | MS Windows registry file, NT/2000 or above | dropped | |

29 further files are hidden in the original report.
Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Users\user\Desktop\a5P4EuInKl.exe | "C:\Users\user\Desktop\a5P4EuInKl.exe" | |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6400 -s 728 | |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6400 -s 728 | |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6400 -s 756 | |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6400 -s 768 | |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6400 -s 980 | |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6400 -s 984 | |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6400 -s 1080 | |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6400 -s 1328 | |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c taskkill /im "a5P4EuInKl.exe" /f & erase "C:\Users\user\Desktop\a5P4EuInKl.exe" & exit | |
| C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /im "a5P4EuInKl.exe" /f | |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6400 -s 1260 | |

3 further processes are hidden in the original report.
URLs

| Name | IP | Malicious |
|---|---|---|
| http://185.172.128.90/cpa/ping.php?substr=one&s=two | 185.172.128.90 | |
| http://upx.sf.net | unknown | |
IPs

| IP | Domain | Country | Malicious |
|---|---|---|---|
| 185.172.128.90 | unknown | Russian Federation | |
Registry

| Path | Value | Malicious |
|---|---|---|
| \REGISTRY\A\{fdc27c7a-eab9-cd0b-a389-1c6ae8e9556b}\Root\InventoryApplicationFile\a5p4euinkl.exe\|de07b55a7acf814c | ProgramId | |
| \REGISTRY\A\{fdc27c7a-eab9-cd0b-a389-1c6ae8e9556b}\Root\InventoryApplicationFile\a5p4euinkl.exe\|de07b55a7acf814c | FileId | |
| \REGISTRY\A\{fdc27c7a-eab9-cd0b-a389-1c6ae8e9556b}\Root\InventoryApplicationFile\a5p4euinkl.exe\|de07b55a7acf814c | LowerCaseLongPath | |
| \REGISTRY\A\{fdc27c7a-eab9-cd0b-a389-1c6ae8e9556b}\Root\InventoryApplicationFile\a5p4euinkl.exe\|de07b55a7acf814c | LongPathHash | |
| \REGISTRY\A\{fdc27c7a-eab9-cd0b-a389-1c6ae8e9556b}\Root\InventoryApplicationFile\a5p4euinkl.exe\|de07b55a7acf814c | Name | |
| \REGISTRY\A\{fdc27c7a-eab9-cd0b-a389-1c6ae8e9556b}\Root\InventoryApplicationFile\a5p4euinkl.exe\|de07b55a7acf814c | OriginalFileName | |
| \REGISTRY\A\{fdc27c7a-eab9-cd0b-a389-1c6ae8e9556b}\Root\InventoryApplicationFile\a5p4euinkl.exe\|de07b55a7acf814c | Publisher | |
| \REGISTRY\A\{fdc27c7a-eab9-cd0b-a389-1c6ae8e9556b}\Root\InventoryApplicationFile\a5p4euinkl.exe\|de07b55a7acf814c | Version | |
| \REGISTRY\A\{fdc27c7a-eab9-cd0b-a389-1c6ae8e9556b}\Root\InventoryApplicationFile\a5p4euinkl.exe\|de07b55a7acf814c | BinFileVersion | |
| \REGISTRY\A\{fdc27c7a-eab9-cd0b-a389-1c6ae8e9556b}\Root\InventoryApplicationFile\a5p4euinkl.exe\|de07b55a7acf814c | BinaryType | |
| \REGISTRY\A\{fdc27c7a-eab9-cd0b-a389-1c6ae8e9556b}\Root\InventoryApplicationFile\a5p4euinkl.exe\|de07b55a7acf814c | ProductName | |
| \REGISTRY\A\{fdc27c7a-eab9-cd0b-a389-1c6ae8e9556b}\Root\InventoryApplicationFile\a5p4euinkl.exe\|de07b55a7acf814c | ProductVersion | |
| \REGISTRY\A\{fdc27c7a-eab9-cd0b-a389-1c6ae8e9556b}\Root\InventoryApplicationFile\a5p4euinkl.exe\|de07b55a7acf814c | LinkDate | |
| \REGISTRY\A\{fdc27c7a-eab9-cd0b-a389-1c6ae8e9556b}\Root\InventoryApplicationFile\a5p4euinkl.exe\|de07b55a7acf814c | BinProductVersion | |
| \REGISTRY\A\{fdc27c7a-eab9-cd0b-a389-1c6ae8e9556b}\Root\InventoryApplicationFile\a5p4euinkl.exe\|de07b55a7acf814c | AppxPackageFullName | |
| \REGISTRY\A\{fdc27c7a-eab9-cd0b-a389-1c6ae8e9556b}\Root\InventoryApplicationFile\a5p4euinkl.exe\|de07b55a7acf814c | AppxPackageRelativeId | |
| \REGISTRY\A\{fdc27c7a-eab9-cd0b-a389-1c6ae8e9556b}\Root\InventoryApplicationFile\a5p4euinkl.exe\|de07b55a7acf814c | Size | |
| \REGISTRY\A\{fdc27c7a-eab9-cd0b-a389-1c6ae8e9556b}\Root\InventoryApplicationFile\a5p4euinkl.exe\|de07b55a7acf814c | Language | |
| \REGISTRY\A\{fdc27c7a-eab9-cd0b-a389-1c6ae8e9556b}\Root\InventoryApplicationFile\a5p4euinkl.exe\|de07b55a7acf814c | Usn | |

9 further registry entries are hidden in the original report.
Memdumps

| Base Address | Region type | Protect | Malicious |
|---|---|---|---|
| 400000 | unknown | page execute and read and write | |
| 2650000 | direct allocation | page execute and read and write | |
| 2680000 | direct allocation | page read and write | |
| CCB000 | heap | page read and write | |
| 26E0000 | heap | page read and write | |
| 32D0000 | heap | page read and write | |
| 306D000 | stack | page read and write | |
| 37EC000 | stack | page read and write | |
| B8E000 | stack | page read and write | |
| 1F0000 | heap | page read and write | |
| BB0000 | heap | page read and write | |
| 2DEE000 | unknown | page read and write | |
| 302E000 | stack | page read and write | |
| 2DAE000 | stack | page read and write | |
| 3400000 | heap | page read and write | |
| EAF000 | stack | page read and write | |
| 3650000 | heap | page read and write | |
| 2FF2000 | heap | page read and write | |
| 2F4E000 | stack | page read and write | |
| 41C000 | unknown | page write copy | |
| 2680000 | heap | page read and write | |
| 32FD000 | stack | page read and write | |
| 441000 | unknown | page read and write | |
| 316E000 | stack | page read and write | |
| 2DF0000 | heap | page read and write | |
| AE6000 | unknown | page read and write | |
| 2FF5000 | heap | page read and write | |
| 198000 | stack | page read and write | |
| 32AB000 | stack | page read and write | |
| CB9000 | heap | page read and write | |
| 2FF3000 | heap | page read and write | |
| 2FD0000 | heap | page read and write | |
| 2860000 | heap | page read and write | |
| 36EC000 | stack | page read and write | |
| BFE000 | heap | page execute and read and write | |
| 2FDB000 | heap | page read and write | |
| AF0000 | heap | page read and write | |
| 9B000 | stack | page read and write | |
| C1A000 | heap | page read and write | |
| 31AD000 | stack | page read and write | |
| 42F000 | unknown | page write copy | |
| 282D000 | stack | page read and write | |
| 401000 | unknown | page execute read | |
| 417000 | unknown | page write copy | |
| 2D3D000 | stack | page read and write | |
| 2E00000 | heap | page read and write | |
| BEE000 | heap | page read and write | |
| 2DA0000 | heap | page read and write | |
| 410000 | unknown | page readonly | |
| 3419000 | heap | page read and write | |
| 33FE000 | stack | page read and write | |
| 2DED000 | stack | page read and write | |
| 32CF000 | stack | page read and write | |
| 26DD000 | stack | page read and write | |
| 2C3D000 | stack | page read and write | |
| CBB000 | heap | page read and write | |
| C9D000 | heap | page read and write | |
| 27EF000 | stack | page read and write | |
| BB5000 | heap | page read and write | |
| 2E02000 | heap | page read and write | |
| B3E000 | stack | page read and write | |
| BEA000 | heap | page read and write | |
| 2CAE000 | stack | page read and write | |
| 2F2D000 | stack | page read and write | |
| BE0000 | heap | page read and write | |
| AE8000 | unknown | page readonly | |
| 31CF000 | unknown | page read and write | |
| 2E30000 | heap | page read and write | |
| 3415000 | heap | page read and write | |
| AE8000 | unknown | page readonly | |
| 400000 | unknown | page readonly | |
| 2EEE000 | stack | page read and write | |
| 3404000 | heap | page read and write | |

63 further memdumps are hidden in the original report.