RIP_YOUR_PC_LOL.exe

Status: finished
Submission Time: 2022-03-08 17:54:15 +01:00
Verdict: Malicious
Classification: Trojan, Adware, Spyware, Evader
Detected families: HawkEye, Nanocore, njRat, AsyncRAT, Azorult

Tags

  • exe

Details

  • Analysis ID:
    585264
  • API (Web) ID:
    952781
  • Analysis Started:
    2022-03-08 17:59:22 +01:00
  • Analysis Finished:
    2022-03-08 18:16:43 +01:00
  • MD5:
    52867174362410d63215d78e708103ea
  • SHA1:
    7ae4e1048e4463a4201bdeaf224c5b6face681bf
  • SHA256:
    37d8e1ce3b6e6488942717aa78cb54785edc985143bcc8d9ba9f42d73a3dbd7a

Verdict

  • Verdict: malicious
  • Score: 100/100
  • Other scores listed (each rated malicious): 43/68, 29/34, 28/28
  • Analysis system: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211

IPs

IP              Country
179.13.1.253    Colombia
172.98.92.42    United States
41.249.51.34    Morocco
52.20.78.240    United States
80.87.192.115   Russian Federation

Domains

Name                                      IP
kazya1.hopto.org                          41.249.51.34
yabynennet.xyz                            45.129.99.212
api.ipify.org.herokudns.com               52.20.78.240
whatismyipaddress.com                     104.16.154.36
pool.usa-138.com                          220.86.85.75
hackerinvasion.f3322.net                  127.0.0.1
us-east-1.route-1000.000webhost.awex.io   145.14.144.149
gfhhjgh.duckdns.org                       179.13.1.253
files.000webhost.com                      0.0.0.0
22ssh.com                                 0.0.0.0
123.105.12.0.in-addr.arpa                 0.0.0.0
store-images.s-microsoft.com              0.0.0.0
pretorian.ac.ug                           0.0.0.0
api.ip.sb                                 0.0.0.0
api.ipify.org                             0.0.0.0
prepepe.ac.ug                             0.0.0.0

An IP of 0.0.0.0 means the name was seen but no resolution was observed during the run; hackerinvasion.f3322.net answering 127.0.0.1 means that name pointed at no live host at the time of analysis. hopto.org, duckdns.org and f3322.net are dynamic-DNS providers, so alert on the names rather than on the addresses, which rotate. api.ipify.org, whatismyipaddress.com and api.ip.sb are public IP-lookup services: the sample uses them to learn its external address, but they are also used by legitimate software and are weak signal on their own.

URLs

The report lists 100 URL strings found in memory or on disk. Most are font-vendor URLs (fontbureau.com, jiyu-kobo.co.jp, founder.com.cn, urwpp.de, carterandcone.com, zhongyicts.com.cn and similar) carried in embedded font metadata, frequently with trailing junk bytes from string extraction; they are not network indicators and should not be blocked. The entries worth triaging are the Dropbox download of Pass.exe, http://www.site.com/logs.php, the IP-lookup services (api.ipify.org, whatismyipaddress.com), the NirSoft reference and the login URLs for Yahoo and Google, which fit the credential-stealing families tagged above. The crl.thawte.com, ocsp.thawte.com and symauth.com entries are certificate-validation URLs from a signed component.

http://www.jiyu-kobo.co.jp/ls
http://www.fontbureau.comFX
http://www.fontbureau.com/designersG
http://www.urwpp.deMTq
http://www.fontbureau.com/designers/?
http://www.jiyu-kobo.co.jp/jp/C
http://www.founder.com.cn/cn/bThe
http://www.fontbureau.com/designers?
http://www.jiyu-kobo.co.jp/jp/J
http://www.founder.com.cn/cnT
http://www.zhongyicts.com.cnts
http://www.tiro.com
http://www.goodfont.co.kr
http://www.carterandcone.com
http://www.fontbureau.comoX
http://www.carterandcone.com.
http://www.typography.netD
http://www.fontbureau.com/designersh
http://www.galapagosdesign.com/staff/dennis.htm
http://fontfabrik.com
http://crl.thawte.com/ThawteTimestampingCA.crl0
http://www.founder.com.cn/cnv
https://login.yahoo.com/config/login
http://www.fontbureau.comrsiv
http://www.fonts.com
http://www.sandoll.co.kr
http://www.urwpp.de
http://www.sakkal.com
http://www.carterandcone.como.W
http://www.jiyu-kobo.co.jp/jp/X
http://www.fontbureau.comonyn
https://whatismyipaddress.com/
http://www.apache.org/licenses/LICENSE-2.0
http://www.fontbureau.com
http://www.fontbureau.comF
http://www.fontbureau.comsiv/C
http://www.carterandcone.comTC
http://ocsp.thawte.com0
http://www.founder.com.cp
http://www.urwpp.deR
http://www.fontbureau.comtu
https://whatismyipaddress.comx&
http://whatismyipaddress.com
http://www.jiyu-kobo.co.jp/jp/
http://www.fontbureau.com/designers/cabarga.htmlf
http://www.fontbureau.coma
http://www.fontbureau.comd
http://www.fontbureau.com/designers/cabarga.htmlN
http://www.tiro.com=
http://www.urwpp.derasg
http://www.fontbureau.comd&
http://www.fontbureau.com/designers
http://www.sajatypeworks.com
http://www.founder.com.cn/cn/cThe
http://www.sakkal.comm
https://dl.dropbox.com/s/p84aaz28t0hepul/Pass.exe?dl=0
http://www.fontbureau.comlicd
http://whatismyipaddress.com/-
http://www.galapagosdesign.com/DPlease
http://www.jiyu-kobo.co.jp/)
http://www.ascendercorp.com/typedesigners.html
http://www.site.com/logs.php
http://www.tiro.com&
http://www.urwpp.deDPlease
http://whatismyipaddress.com/
http://www.nirsoft.net/
http://www.zhongyicts.com.cn
http://schemas.microsof
http://www.i.
http://www.jiyu-kobo.co.jp/X
http://www.jiyu-kobo.co.jp/Q
http://www.carterandcone.comY
http://www.zhongyicts.com.cno.W
http://www.jiyu-kobo.co.jp/J
http://www.zhongyicts.com.cnm
http://www.carterandcone.comt
http://www.founder.com.cn/cncz
http://www.symauth.com/cps0(
http://www.carterandcone.coml
https://www.cloudflare.com/5xx-error-landing
http://www.founder.com.cn/cn/
http://www.zhongyicts.co
http://www.fontbureau.com/designers/frere-jones.html
http://www.fonts.comC
http://www.symauth.com/rpa00
http://www.jiyu-kobo.co.jp/jp/)
http://www.jiyu-kobo.co.jp/eu-e
http://www.jiyu-kobo.co.jp/n
http://www.zhongyicts.com.cnY
http://www.fontbureau.com/C
http://www.jiyu-kobo.co.jp/i
http://www.fontbureau.comitu
http://www.jiyu-kobo.co.jp/g
https://www.google.com/accounts/servicelogin
http://www.freeeim.com/D
http://www.tiro.comic
http://www.founder.com.cn/cncz$
http://api.ipify.org/?format=xml
http://www.founder.com.cn/cn$
http://www.carterandcone.comkC

Dropped files

Path, followed by file type. (Per-file hashes sit behind a link on the original page and are not reproduced here.)

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RIP_YOUR_PC_LOL.exe.log
    ASCII text, with CRLF line terminators
C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\healastounding.exe.log
    ASCII text, with CRLF line terminators
C:\Users\user\AppData\Local\Temp\Dcvxaamev.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\Local\Temp\FFDvbcrdfqs.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\Local\Temp\tmp4896.tmp
    XML 1.0 document, ASCII text, with CRLF line terminators
C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\Roaming\22.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\Roaming\3.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\AppData\Roaming\4.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
    data
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\AppData\Roaming\Opus.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\AppData\Roaming\Pluto Panel.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\AppData\Roaming\___11.19.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\Roaming\a.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\Roaming\aaa.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\AppData\Roaming\gay.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\AppData\Roaming\healastounding.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\AppData\Roaming\mediaget.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\AppData\Roaming\test.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Windows\Cursors\WUDFhosts.exe
    PE32+ executable (console) x86-64, for MS Windows
C:\Windows\Help\Winlogon.exe
    PE32 executable (GUI) Intel 80386, for MS Windows
C:\Windows\Help\active_desktop_render.dll
    PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
C:\ProgramData\kaosdma.txt
    ASCII text, with no line terminators
C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\aaa.exe.log
    ASCII text, with CRLF line terminators
C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\gay.exe.log
    ASCII text, with CRLF line terminators
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\5JOCE52U.txt
    ASCII text, with no line terminators
C:\Users\user\AppData\Local\Temp\tmp5D87.tmp
    XML 1.0 document, ASCII text, with CRLF line terminators
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
    ASCII text, with no line terminators
C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\21c8026919fd094ab07ec3c180a9f210_d06ed635-68f6-4e9a-955c-4899f5f57b9a
    data

Several of these are persistence or masquerading artifacts worth checking for on a suspect host: the 32-hex-character executable in the user's Startup folder, the DHCP Monitor directory under Program Files (x86) with its GUID-named run.dat/task.dat companion under Roaming, and the executables planted under C:\Windows\Help and C:\Windows\Cursors with system-sounding names (Winlogon.exe, WUDFhosts.exe, active_desktop_render.dll). The CLR_v2.0_32 usage logs record which of the .NET payloads actually executed under the .NET 2.0 runtime: RIP_YOUR_PC_LOL.exe, healastounding.exe, aaa.exe and gay.exe. The two tmp*.tmp XML files under Temp are the usual shape of a scheduled-task definition written before registration, which is worth confirming against the task scheduler on an affected machine.
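As an added example that is not part of the sandbox report, the Python script below turns the indicators above into a triage check over constructed endpoint events in a simplified Sysmon-like shape (event id 1 = process create, 3 = network connect, 11 = file create, 22 = DNS query). The field names, the severity rules and the sample events are this example's own assumptions; the domains, addresses, hashes and drop paths are copied from the report. It deliberately ignores the font-vendor URL strings, treats the IP-lookup services as weak signal that is only raised when the querying process runs out of Roaming or Temp, and matches drop paths with the user name and GUID generalised.

```python
import re

# Indicators copied from the report above. Font-vendor URL strings are
# left out (they come from embedded font metadata). Domains that showed
# 0.0.0.0 are kept: an unresolved DDNS name is still a good DNS indicator.
C2_DOMAINS = {
    "kazya1.hopto.org", "gfhhjgh.duckdns.org", "hackerinvasion.f3322.net",
    "yabynennet.xyz", "pool.usa-138.com", "22ssh.com",
    "pretorian.ac.ug", "prepepe.ac.ug",
}
# Public services the sample used; on their own they are weak signal.
LOW_SIGNAL_DOMAINS = {"api.ipify.org", "whatismyipaddress.com", "api.ip.sb",
                      "files.000webhost.com"}
# Addresses behind dynamic-DNS names rotate, so match on the name first.
# The IP-lookup and web-hosting addresses are excluded (false positives).
C2_IPS = {"179.13.1.253", "172.98.92.42", "41.249.51.34",
          "80.87.192.115", "45.129.99.212", "220.86.85.75"}
SAMPLE_HASHES = {
    "md5": "52867174362410d63215d78e708103ea",
    "sha1": "7ae4e1048e4463a4201bdeaf224c5b6face681bf",
    "sha256": "37d8e1ce3b6e6488942717aa78cb54785edc985143bcc8d9ba9f42d73a3dbd7a",
}
# Drop locations from the report, with the user name and GUID generalised.
DROPPED_PATH_PATTERNS = [re.compile(p, re.I) for p in (
    r"^C:\\Program Files \(x86\)\\DHCP Monitor\\dhcpmon\.exe$",
    r"^C:\\Users\\[^\\]+\\AppData\\Roaming\\[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\\(run|task)\.dat$",
    r"^C:\\Users\\[^\\]+\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[0-9a-f]{32}\.exe$",
    r"^C:\\Windows\\Cursors\\WUDFhosts\.exe$",
    r"^C:\\Windows\\Help\\(Winlogon\.exe|active_desktop_render\.dll)$",
    r"^C:\\ProgramData\\kaosdma\.txt$",
)]
# A process running out of Roaming or Temp raises a weak DNS hit to medium.
SUSPICIOUS_IMAGE_DIR = re.compile(r"\\AppData\\(Roaming|Local\\Temp)\\", re.I)


def _rules(ev):
    """Yield (severity, reason) for one simplified Sysmon-style event (assumed shape)."""
    eid, image = ev.get("id"), ev.get("image", "")
    if eid == 22:                                   # DNS query
        q = ev.get("query", "").lower().rstrip(".")
        if q in C2_DOMAINS:
            yield "high", f"dns query for reported C2/DDNS domain {q}"
        elif q in LOW_SIGNAL_DOMAINS:
            sev = "medium" if SUSPICIOUS_IMAGE_DIR.search(image) else "low"
            yield sev, f"dns query for IP-lookup/hosting service {q}"
    elif eid == 11:                                 # file create
        target = ev.get("target", "")
        if any(p.match(target) for p in DROPPED_PATH_PATTERNS):
            yield "high", f"file written to reported drop location {target}"
    elif eid == 3:                                  # network connect
        ip = ev.get("dst_ip", "")
        if ip in C2_IPS:
            yield "high", f"connection to reported C2 address {ip}"
    elif eid == 1:                                  # process create
        for alg, known in SAMPLE_HASHES.items():
            if ev.get(alg, "").lower() == known:
                yield "high", f"process image matches sample {alg}"
                break


def triage(events):
    """Return one hit dict per matching rule, in event order."""
    return [{"severity": sev, "reason": reason, "image": ev.get("image", "")}
            for ev in events for sev, reason in _rules(ev)]


def summarize(hits):
    """Count hits by severity, e.g. {'high': 5, 'medium': 1}."""
    counts = {}
    for h in hits:
        counts[h["severity"]] = counts.get(h["severity"], 0) + 1
    return counts


# Constructed telemetry for the demo (not from the report): a mix of
# true positives, benign browser traffic and a font-vendor lookup.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Users\alice\Downloads\RIP_YOUR_PC_LOL.exe",
     "sha256": "37d8e1ce3b6e6488942717aa78cb54785edc985143bcc8d9ba9f42d73a3dbd7a"},
    {"id": 22, "image": r"C:\Users\alice\Downloads\RIP_YOUR_PC_LOL.exe", "query": "kazya1.hopto.org"},
    {"id": 22, "image": r"C:\Users\alice\AppData\Roaming\healastounding.exe", "query": "api.ipify.org"},
    {"id": 22, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "query": "www.fontbureau.com"},
    {"id": 11, "image": r"C:\Users\alice\Downloads\RIP_YOUR_PC_LOL.exe",
     "target": r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"},
    {"id": 11, "image": r"C:\Users\alice\AppData\Roaming\3.exe",
     "target": r"C:\Users\alice\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat"},
    {"id": 11, "image": r"C:\Windows\explorer.exe", "target": r"C:\Users\alice\Documents\notes.txt"},
    {"id": 3, "image": r"C:\Windows\Cursors\WUDFhosts.exe", "dst_ip": "80.87.192.115", "dst_port": 443},
    {"id": 3, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dst_ip": "104.16.154.36", "dst_port": 443},
]

if __name__ == "__main__":
    for h in triage(SAMPLE_EVENTS):
        print(f"[{h['severity']:6}] {h['image']}: {h['reason']}")
    print(summarize(triage(SAMPLE_EVENTS)))
```

Run against the constructed events it reports five high-severity hits (the sample hash, the hopto.org query, the two drop-path writes and the connection to 80.87.192.115) and one medium hit for the ipify lookup from a Roaming executable, while the fontbureau.com query, the Cloudflare-hosted connection from the browser and the benign file write produce nothing. To use it on real data, map your EDR or Sysmon export onto the four event shapes and keep the IP set short-lived: the dynamic-DNS names are the durable part of this indicator set.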