IOC Report
P0A2249.exe

Files

File Path | Type | Category | Malicious
P0A2249.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | initial sample | malicious
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\P0A2249.exe.log | ASCII text, with CRLF line terminators | dropped | malicious

Processes

Path | Cmdline | Malicious
C:\Users\user\Desktop\P0A2249.exe | "C:\Users\user\Desktop\P0A2249.exe" | malicious
C:\Users\user\Desktop\P0A2249.exe | C:\Users\user\Desktop\P0A2249.exe | malicious

URLs

Name | IP | Malicious
http://checkip.dyndns.org/ | 193.122.130.0 | malicious

Domains

Name | IP | Malicious
checkip.dyndns.com | 193.122.130.0 | malicious
checkip.dyndns.org | unknown | malicious

IPs

IP | Domain | Country | Malicious
193.122.130.0 | checkip.dyndns.com | United States | malicious

Registry

Path | Value | Malicious
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing | EnableConsoleTracing |
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\P0A2249_RASAPI32 | EnableFileTracing |
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\P0A2249_RASAPI32 | EnableAutoFileTracing |
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\P0A2249_RASAPI32 | EnableConsoleTracing |
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\P0A2249_RASAPI32 | FileTracingMask |
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\P0A2249_RASAPI32 | ConsoleTracingMask |
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\P0A2249_RASAPI32 | MaxFileSize |
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\P0A2249_RASAPI32 | FileDirectory |
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\P0A2249_RASMANCS | EnableFileTracing |
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\P0A2249_RASMANCS | EnableAutoFileTracing |
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\P0A2249_RASMANCS | EnableConsoleTracing |
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\P0A2249_RASMANCS | FileTracingMask |
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\P0A2249_RASMANCS | ConsoleTracingMask |
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\P0A2249_RASMANCS | MaxFileSize |
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\P0A2249_RASMANCS | FileDirectory |

Memdumps

Base Address | Region type | Protect | Malicious
384B000 | trusted library allocation | page read and write | malicious
34B5000 | trusted library allocation | page read and write | malicious
402000 | remote allocation | page execute and read and write | malicious
24C8000 | trusted library allocation | page read and write | malicious
58FC000 | trusted library allocation | page read and write |
5925000 | trusted library allocation | page read and write |
3445FF9000 | stack | page read and write |
592C000 | trusted library allocation | page read and write |
5928000 | trusted library allocation | page read and write |
4B70000 | trusted library allocation | page read and write |
5911000 | trusted library allocation | page read and write |
B70000 | heap | page read and write |
54D0000 | trusted library allocation | page read and write |
54F0000 | trusted library allocation | page read and write |
590F000 | trusted library allocation | page read and write |
5914000 | trusted library allocation | page read and write |