Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
a5P4EuInKl.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
initial sample
|
 |
|
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_a5P4EuInKl.exe_2c98cfc7b53623ac16532537e2ef180e1bb9ad4_43e5b40d_0c984f7a-1fa6-4dbd-b946-45de863db889\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_a5P4EuInKl.exe_2c98cfc7b53623ac16532537e2ef180e1bb9ad4_43e5b40d_0fb89c56-9514-4a76-9e83-a65f807a4e68\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_a5P4EuInKl.exe_2c98cfc7b53623ac16532537e2ef180e1bb9ad4_43e5b40d_1d796dc6-e4ae-4373-9950-3fee1c8f1a1e\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_a5P4EuInKl.exe_2c98cfc7b53623ac16532537e2ef180e1bb9ad4_43e5b40d_8782a52a-82c8-49d5-96a9-93f9154339fc\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_a5P4EuInKl.exe_2c98cfc7b53623ac16532537e2ef180e1bb9ad4_43e5b40d_8adec5e3-83c2-423d-853f-db2317e01bed\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_a5P4EuInKl.exe_2c98cfc7b53623ac16532537e2ef180e1bb9ad4_43e5b40d_b27ead56-5379-47ba-9fbc-a669adbd1682\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_a5P4EuInKl.exe_2c98cfc7b53623ac16532537e2ef180e1bb9ad4_43e5b40d_e6af1e1a-dd49-4941-91a3-ebd3517cf353\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_a5P4EuInKl.exe_2c98cfc7b53623ac16532537e2ef180e1bb9ad4_43e5b40d_f54f7f6d-a32a-4c96-bc80-e5fc60527cca\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_a5P4EuInKl.exe_917010ab52d923570c5e7376c9870ad2db4ce_43e5b40d_7df8a1b3-85a0-47a4-8c17-deaae878e4ac\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB76.tmp.dmp
|
Mini DuMP crash report, 14 streams, Thu Mar 28 14:28:52 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERAC52.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERAC82.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERAF4F.tmp.dmp
|
Mini DuMP crash report, 14 streams, Thu Mar 28 14:28:53 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB03A.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB05A.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB20E.tmp.dmp
|
Mini DuMP crash report, 14 streams, Thu Mar 28 14:28:54 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB2BB.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB2DB.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB450.tmp.dmp
|
Mini DuMP crash report, 14 streams, Thu Mar 28 14:28:54 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB4BE.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB4DE.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB6C1.tmp.dmp
|
Mini DuMP crash report, 14 streams, Thu Mar 28 14:28:55 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB72F.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB74F.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB990.tmp.dmp
|
Mini DuMP crash report, 14 streams, Thu Mar 28 14:28:56 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERBA3C.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERBA5D.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERBC10.tmp.dmp
|
Mini DuMP crash report, 14 streams, Thu Mar 28 14:28:56 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERBC8E.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERBCAE.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC325.tmp.dmp
|
Mini DuMP crash report, 14 streams, Thu Mar 28 14:28:58 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC3C2.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC411.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC661.tmp.dmp
|
Mini DuMP crash report, 14 streams, Thu Mar 28 14:28:59 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC70E.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC73E.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\ping[1].htm
|
very short file (no magic)
|
dropped
|
||
|
C:\Windows\appcompat\Programs\Amcache.hve
|
MS Windows registry file, NT/2000 or above
|
dropped
|
There are 29 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Users\user\Desktop\a5P4EuInKl.exe
|
"C:\Users\user\Desktop\a5P4EuInKl.exe"
|
|
|
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 6400 -s 728
|
||
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 6400 -s 728
|
||
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 6400 -s 756
|
||
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 6400 -s 768
|
||
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 6400 -s 980
|
||
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 6400 -s 984
|
||
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 6400 -s 1080
|
||
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 6400 -s 1328
|
||
|
C:\Windows\SysWOW64\cmd.exe
|
"C:\Windows\System32\cmd.exe" /c taskkill /im "a5P4EuInKl.exe" /f & erase "C:\Users\user\Desktop\a5P4EuInKl.exe" & exit
|
||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\SysWOW64\taskkill.exe
|
taskkill /im "a5P4EuInKl.exe" /f
|
||
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 6400 -s 1260
|
There are 3 hidden processes, click here to show them.
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://185.172.128.90/cpa/ping.php?substr=one&s=two
|
185.172.128.90
|
|
|
|
http://upx.sf.net
|
unknown
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
185.172.128.90
|
unknown
|
Russian Federation
|
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
\REGISTRY\A\{fdc27c7a-eab9-cd0b-a389-1c6ae8e9556b}\Root\InventoryApplicationFile\a5p4euinkl.exe|de07b55a7acf814c
|
ProgramId
|
||
|
\REGISTRY\A\{fdc27c7a-eab9-cd0b-a389-1c6ae8e9556b}\Root\InventoryApplicationFile\a5p4euinkl.exe|de07b55a7acf814c
|
FileId
|
||
|
\REGISTRY\A\{fdc27c7a-eab9-cd0b-a389-1c6ae8e9556b}\Root\InventoryApplicationFile\a5p4euinkl.exe|de07b55a7acf814c
|
LowerCaseLongPath
|
||
|
\REGISTRY\A\{fdc27c7a-eab9-cd0b-a389-1c6ae8e9556b}\Root\InventoryApplicationFile\a5p4euinkl.exe|de07b55a7acf814c
|
LongPathHash
|
||
|
\REGISTRY\A\{fdc27c7a-eab9-cd0b-a389-1c6ae8e9556b}\Root\InventoryApplicationFile\a5p4euinkl.exe|de07b55a7acf814c
|
Name
|
||
|
\REGISTRY\A\{fdc27c7a-eab9-cd0b-a389-1c6ae8e9556b}\Root\InventoryApplicationFile\a5p4euinkl.exe|de07b55a7acf814c
|
OriginalFileName
|
||
|
\REGISTRY\A\{fdc27c7a-eab9-cd0b-a389-1c6ae8e9556b}\Root\InventoryApplicationFile\a5p4euinkl.exe|de07b55a7acf814c
|
Publisher
|
||
|
\REGISTRY\A\{fdc27c7a-eab9-cd0b-a389-1c6ae8e9556b}\Root\InventoryApplicationFile\a5p4euinkl.exe|de07b55a7acf814c
|
Version
|
||
|
\REGISTRY\A\{fdc27c7a-eab9-cd0b-a389-1c6ae8e9556b}\Root\InventoryApplicationFile\a5p4euinkl.exe|de07b55a7acf814c
|
BinFileVersion
|
||
|
\REGISTRY\A\{fdc27c7a-eab9-cd0b-a389-1c6ae8e9556b}\Root\InventoryApplicationFile\a5p4euinkl.exe|de07b55a7acf814c
|
BinaryType
|
||
|
\REGISTRY\A\{fdc27c7a-eab9-cd0b-a389-1c6ae8e9556b}\Root\InventoryApplicationFile\a5p4euinkl.exe|de07b55a7acf814c
|
ProductName
|
||
|
\REGISTRY\A\{fdc27c7a-eab9-cd0b-a389-1c6ae8e9556b}\Root\InventoryApplicationFile\a5p4euinkl.exe|de07b55a7acf814c
|
ProductVersion
|
||
|
\REGISTRY\A\{fdc27c7a-eab9-cd0b-a389-1c6ae8e9556b}\Root\InventoryApplicationFile\a5p4euinkl.exe|de07b55a7acf814c
|
LinkDate
|
||
|
\REGISTRY\A\{fdc27c7a-eab9-cd0b-a389-1c6ae8e9556b}\Root\InventoryApplicationFile\a5p4euinkl.exe|de07b55a7acf814c
|
BinProductVersion
|
||
|
\REGISTRY\A\{fdc27c7a-eab9-cd0b-a389-1c6ae8e9556b}\Root\InventoryApplicationFile\a5p4euinkl.exe|de07b55a7acf814c
|
AppxPackageFullName
|
||
|
\REGISTRY\A\{fdc27c7a-eab9-cd0b-a389-1c6ae8e9556b}\Root\InventoryApplicationFile\a5p4euinkl.exe|de07b55a7acf814c
|
AppxPackageRelativeId
|
||
|
\REGISTRY\A\{fdc27c7a-eab9-cd0b-a389-1c6ae8e9556b}\Root\InventoryApplicationFile\a5p4euinkl.exe|de07b55a7acf814c
|
Size
|
||
|
\REGISTRY\A\{fdc27c7a-eab9-cd0b-a389-1c6ae8e9556b}\Root\InventoryApplicationFile\a5p4euinkl.exe|de07b55a7acf814c
|
Language
|
||
|
\REGISTRY\A\{fdc27c7a-eab9-cd0b-a389-1c6ae8e9556b}\Root\InventoryApplicationFile\a5p4euinkl.exe|de07b55a7acf814c
|
Usn
|
There are 9 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
400000
|
unkown
|
page execute and read and write
|
|
|
|
2650000
|
direct allocation
|
page execute and read and write
|
|
|
|
2680000
|
direct allocation
|
page read and write
|
|
|
|
CCB000
|
heap
|
page read and write
|
||
|
26E0000
|
heap
|
page read and write
|
||
|
32D0000
|
heap
|
page read and write
|
||
|
306D000
|
stack
|
page read and write
|
||
|
37EC000
|
stack
|
page read and write
|
||
|
B8E000
|
stack
|
page read and write
|
||
|
1F0000
|
heap
|
page read and write
|
||
|
BB0000
|
heap
|
page read and write
|
||
|
2DEE000
|
unkown
|
page read and write
|
||
|
302E000
|
stack
|
page read and write
|
||
|
2DAE000
|
stack
|
page read and write
|
||
|
3400000
|
heap
|
page read and write
|
||
|
EAF000
|
stack
|
page read and write
|
||
|
3650000
|
heap
|
page read and write
|
||
|
2FF2000
|
heap
|
page read and write
|
||
|
2F4E000
|
stack
|
page read and write
|
||
|
41C000
|
unkown
|
page write copy
|
||
|
2680000
|
heap
|
page read and write
|
||
|
32FD000
|
stack
|
page read and write
|
||
|
441000
|
unkown
|
page read and write
|
||
|
316E000
|
stack
|
page read and write
|
||
|
2DF0000
|
heap
|
page read and write
|
||
|
AE6000
|
unkown
|
page read and write
|
||
|
2FF5000
|
heap
|
page read and write
|
||
|
198000
|
stack
|
page read and write
|
||
|
32AB000
|
stack
|
page read and write
|
||
|
CB9000
|
heap
|
page read and write
|
||
|
2FF3000
|
heap
|
page read and write
|
||
|
2FD0000
|
heap
|
page read and write
|
||
|
2860000
|
heap
|
page read and write
|
||
|
36EC000
|
stack
|
page read and write
|
||
|
BFE000
|
heap
|
page execute and read and write
|
||
|
2FDB000
|
heap
|
page read and write
|
||
|
AF0000
|
heap
|
page read and write
|
||
|
9B000
|
stack
|
page read and write
|
||
|
C1A000
|
heap
|
page read and write
|
||
|
31AD000
|
stack
|
page read and write
|
||
|
42F000
|
unkown
|
page write copy
|
||
|
282D000
|
stack
|
page read and write
|
||
|
401000
|
unkown
|
page execute read
|
||
|
417000
|
unkown
|
page write copy
|
||
|
2D3D000
|
stack
|
page read and write
|
||
|
2E00000
|
heap
|
page read and write
|
||
|
BEE000
|
heap
|
page read and write
|
||
|
2DA0000
|
heap
|
page read and write
|
||
|
410000
|
unkown
|
page readonly
|
||
|
3419000
|
heap
|
page read and write
|
||
|
33FE000
|
stack
|
page read and write
|
||
|
2DED000
|
stack
|
page read and write
|
||
|
32CF000
|
stack
|
page read and write
|
||
|
26DD000
|
stack
|
page read and write
|
||
|
2C3D000
|
stack
|
page read and write
|
||
|
CBB000
|
heap
|
page read and write
|
||
|
C9D000
|
heap
|
page read and write
|
||
|
27EF000
|
stack
|
page read and write
|
||
|
BB5000
|
heap
|
page read and write
|
||
|
2E02000
|
heap
|
page read and write
|
||
|
B3E000
|
stack
|
page read and write
|
||
|
BEA000
|
heap
|
page read and write
|
||
|
2CAE000
|
stack
|
page read and write
|
||
|
2F2D000
|
stack
|
page read and write
|
||
|
BE0000
|
heap
|
page read and write
|
||
|
AE8000
|
unkown
|
page readonly
|
||
|
31CF000
|
unkown
|
page read and write
|
||
|
2E30000
|
heap
|
page read and write
|
||
|
3415000
|
heap
|
page read and write
|
||
|
AE8000
|
unkown
|
page readonly
|
||
|
400000
|
unkown
|
page readonly
|
||
|
2EEE000
|
stack
|
page read and write
|
||
|
3404000
|
heap
|
page read and write
|
There are 63 hidden memdumps, click here to show them.