flash

POinv00393.exe

Status: finished
Submission Time: 01.02.2021 13:28:14
Malicious
Trojan
Adware
Spyware
Evader
HawkEye MailPassView

Comments

Tags

  • exe
  • HawkEye

Details

  • Analysis ID:
    346695
  • API (Web) ID:
    595317
  • Analysis Started:
    01.02.2021 13:28:16
  • Analysis Finished:
    01.02.2021 13:46:08
  • MD5:
    e0db9d12220a5099bd1ebfefc0ccdcfe
  • SHA1:
    b0af96f187273082687f2c58faca71b837876429
  • SHA256:
    09969e8d7af6e0c3ef34c344fe378dd23b6f93abcda793c052e36d1777c35ce7
  • Technologies:
Full Report Management Report IOC Report Engine Info Verdict Score Reports

malicious

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211

malicious
100/100

malicious
24/70

malicious
8/45

IPs

IP Country Detection
104.23.99.190
United States
104.23.98.190
United States
198.54.122.60
United States

Domains

Name IP Detection
84.102.13.0.in-addr.arpa
0.0.0.0
mail.privateemail.com
198.54.122.60
pastebin.com
104.23.98.190

URLs

Name Detection
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
http://www.fontbureau.comI.TTF
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Click to see the 80 hidden entries
http://www.fontbureau.comgritaU
http://www.tiro.com
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
http://www.fontbureau.com/designers
http://www.fontbureau.comessed
http://www.goodfont.co.kr
http://www.carterandcone.com
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
http://www.monotype.X
http://www.fontbureau.comednxn
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
http://www.founder.com.cn/cnOx
http://www.sandoll.co.krW
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
http://www.fontbureau.com(
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
http://whatismyipaddress.com/-
http://www.fontbureau.com/
http://www.sandoll.co.kr
http://www.nirsoft.net/
http://www.urwpp.de
http://www.zhongyicts.com.cn
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
http://www.sakkal.com
http://www.fontbureau.com.TTF
http://www.fontbureau.comueed
http://www.fontbureau.com/designerss
http://www.fontbureau.com/designersr
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
http://www.fontbureau.com
http://www.galapagosdesign.com/
http://www.fontbureau.comF
http://www.jiyu-kobo.co.jp/U
http://pesterbdd.com/images/Pester.png
http://schemas.xmlsoap.org/soap/encoding/
http://www.apache.org/licenses/LICENSE-2.0.html
http://www.founder.com.c
http://www.jiyu-kobo.co.jp/sl-s
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
http://www.goodfont.co.krF4
http://www.goodfont.co.krK
http://www.fontbureau.comion
http://en.wikipedia
http://schemas.micr
http://www.jiyu-kobo.co.jp/jp/
http://www.fontbureau.coma
http://www.sandoll.cQ
http://en.wikip
http://www.fontbureau.comd
https://github.com/Pester/Pester
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
http://www.founder.com.cn/cnl-nO
http://www.carterandcone.coml
http://www.founder.com.cn/cn/
http://www.jiyu-kobo.co.jp/y
http://www.founder.com.cn/cn
http://www.fontbureau.com/designers/frere-jones.html
http://www.galapagosdesign.com/2
http://www.fontbureau.com/designers/cabarga.html
http://www.monotype.
http://www.fontbureau.comoitu:
http://schemas.xmlsoap.org/wsdl/
http://www.jiyu-kobo.co.jp/
http://www.fontbureau.com.TTF:
http://www.galapagosdesign.com/:
http://www.sandoll.co.krim
http://www.fontbureau.com/designers8
http://www.fontbureau.comy
http://www.jiyu-kobo.co.jp/h
http://www.fontbureau.com/designers=
http://www.urwpp.del
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
http://www.fontbureau.com/designers/o
http://www.fontbureau.com/designers0
http://www.fontbureau.com/designers/
http://www.carterandcone.comnxa
http://www.fontbureau.comitud
http://www.galapagosdesign.com/staff/dennis.htmWQ

Dropped files

Name File Type Hashes Detection
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\POinv00393.exe.log
ASCII text, with CRLF line terminators
#
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
#
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe:Zone.Identifier
ASCII text, with CRLF line terminators
#
Click to see the 19 hidden entries
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4AF9.tmp.dmp
Mini DuMP crash report, 14 streams, Mon Feb 1 21:30:59 2021, 0x1205a4 type
#
C:\ProgramData\Microsoft\Windows\WER\Temp\WERBC13.tmp.WERInternalMetadata.xml
XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
#
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDC7D.tmp.xml
XML 1.0 document, ASCII text, with CRLF line terminators
#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
data
#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
data
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1jbb1rur.kxs.ps1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3gd4shtk.lf5.ps1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ap14tuqv.fkf.ps1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_btp5zmxs.mrt.psm1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_igqs5mg1.0fv.psm1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ita4axrx.vfc.ps1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q0eyjx0q.um5.psm1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rrwl3rrp.fl5.psm1
very short file (no magic)
#
C:\Users\user\AppData\Roaming\pid.txt
ASCII text, with no line terminators
#
C:\Users\user\AppData\Roaming\pidloc.txt
ASCII text, with no line terminators
#
C:\Users\user\Documents\20210201\PowerShell_transcript.878164.GqBDotby.20210201132918.txt
UTF-8 Unicode (with BOM) text, with CRLF line terminators
#
C:\Users\user\Documents\20210201\PowerShell_transcript.878164.RDa_5qiQ.20210201132920.txt
UTF-8 Unicode (with BOM) text, with CRLF line terminators
#
C:\Users\user\Documents\20210201\PowerShell_transcript.878164.RU3nUHy1.20210201132916.txt
UTF-8 Unicode (with BOM) text, with CRLF line terminators
#
C:\Users\user\Documents\20210201\PowerShell_transcript.878164.c22VO1SZ.20210201132917.txt
UTF-8 Unicode (with BOM) text, with CRLF line terminators
#