
Windows Analysis Report kHCaZ06n23

Overview

General Information

Sample Name: kHCaZ06n23 (renamed file extension from none to exe)
Analysis ID: 494353
MD5: 2607d8cf98f5e467376e0f8669d70544
SHA1: 8e20937d3b8aafe4f48ac66264e02487e9b86e9f
SHA256: b943704744a23c06174a36aa0e24ecc7ac67aad9edc9c4bd46dd1f007514796d
Tags: exe, RevengeRAT
Most interesting Screenshot:

Detection

RevengeRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Yara detected RevengeRAT
Sigma detected: Visual Basic Command Line Compiler Usage
Writes to foreign memory regions
Creates files in the recycle bin to hide itself
.NET source code references suspicious native API functions
Machine Learning detection for sample
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Creates files inside the system directory
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Enables debug privileges
PE file does not import any functions
PE file contains strange resources
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Sigma detected: Conhost Parent Process Executions
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • kHCaZ06n23.exe (PID: 6480 cmdline: 'C:\Users\user\Desktop\kHCaZ06n23.exe' MD5: 2607D8CF98F5E467376E0F8669D70544)
    • aspnet_compiler.exe (PID: 6504 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)
      • aspnet_compiler.exe (PID: 6564 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)
        • conhost.exe (PID: 6584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • conhost.exe (PID: 6304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • vbc.exe (PID: 6848 cmdline: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe' /noconfig @'C:\Users\user\AppData\Local\Temp\ftffrmrs\ftffrmrs.cmdline' MD5: B3A917344F5610BEEC562556F11300FA)
        • conhost.exe (PID: 6856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • cvtres.exe (PID: 6916 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RESD3BA.tmp' 'C:\Users\user~1\AppData\Local\Temp\vbc6CC564E8AA1E43828C3D8B1FF2C4435.TMP' MD5: C09985AE74F0882F208D75DE27770DFA)
      • SecurityHealthService.exe (PID: 6868 cmdline: 'C:\Users\user\AppData\Roaming\SecurityHealthService.exe' MD5: 2607D8CF98F5E467376E0F8669D70544)
        • aspnet_compiler.exe (PID: 6972 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)
          • WerFault.exe (PID: 7052 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6972 -s 188 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: RevengeRAT

{"Key": "Revenge-RAT", "Host": ["127.0.0.1:1488", "zalupa1488.ddns.net:1488"], "ID": "SecondVek", "Mutex": "RV_MUTEX"}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
kHCaZ06n23.exe | RevengeRAT_Sep17 | Detects RevengeRAT malware | Florian Roth
  • 0x1a87b:$x1: Nuclear Explosion.g.resources
  • 0x18081:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41
  • 0x15c5d:$x7: Nuclear Explosion.exe
  • 0x1ab1d:$s1: {11111-22222-20001-00001}

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\SecurityHealthService.exe | RevengeRAT_Sep17 | Detects RevengeRAT malware | Florian Roth
  • 0x1a87b:$x1: Nuclear Explosion.g.resources
  • 0x18081:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41
  • 0x15c5d:$x7: Nuclear Explosion.exe
  • 0x1ab1d:$s1: {11111-22222-20001-00001}

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.264317494.0000000000402000.00000040.00000001.sdmp | RevengeRAT_Sep17 | Detects RevengeRAT malware | Florian Roth
  • 0x1a47b:$x1: Nuclear Explosion.g.resources
  • 0x17c81:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41
  • 0x1585d:$x7: Nuclear Explosion.exe
  • 0x1a71d:$s1: {11111-22222-20001-00001}
00000008.00000002.268580247.0000000002701000.00000004.00000001.sdmp | JoeSecurity_RevengeRAT | Yara detected RevengeRAT | Joe Security
0000000A.00000002.294042938.0000000000632000.00000020.00000001.sdmp | RevengeRAT_Sep17 | Detects RevengeRAT malware | Florian Roth
  • 0x1a47b:$x1: Nuclear Explosion.g.resources
  • 0x17c81:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41
  • 0x1585d:$x7: Nuclear Explosion.exe
  • 0x1a71d:$s1: {11111-22222-20001-00001}
00000008.00000002.268787538.0000000003707000.00000004.00000001.sdmp | RevengeRAT_Sep17 | Detects RevengeRAT malware | Florian Roth
  • 0x1b67b:$x1: Nuclear Explosion.g.resources
  • 0x4009b:$x1: Nuclear Explosion.g.resources
  • 0x18e81:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41
  • 0x3d8a1:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41
  • 0x16a5d:$x7: Nuclear Explosion.exe
  • 0x3b47d:$x7: Nuclear Explosion.exe
  • 0x1b91d:$s1: {11111-22222-20001-00001}
  • 0x4033d:$s1: {11111-22222-20001-00001}
00000000.00000000.251968084.0000000000402000.00000020.00020000.sdmp | RevengeRAT_Sep17 | Detects RevengeRAT malware | Florian Roth
  • 0x1a47b:$x1: Nuclear Explosion.g.resources
  • 0x17c81:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41
  • 0x1585d:$x7: Nuclear Explosion.exe
  • 0x1a71d:$s1: {11111-22222-20001-00001}

Unpacked PEs

Source | Rule | Description | Author | Strings
0.0.kHCaZ06n23.exe.400000.0.unpack | RevengeRAT_Sep17 | Detects RevengeRAT malware | Florian Roth
  • 0x1a87b:$x1: Nuclear Explosion.g.resources
  • 0x18081:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41
  • 0x15c5d:$x7: Nuclear Explosion.exe
  • 0x1ab1d:$s1: {11111-22222-20001-00001}
1.2.aspnet_compiler.exe.400000.0.unpack | RevengeRAT_Sep17 | Detects RevengeRAT malware | Florian Roth
  • 0x1a87b:$x1: Nuclear Explosion.g.resources
  • 0x18081:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41
  • 0x15c5d:$x7: Nuclear Explosion.exe
  • 0x1ab1d:$s1: {11111-22222-20001-00001}
8.2.SecurityHealthService.exe.400000.0.unpack | RevengeRAT_Sep17 | Detects RevengeRAT malware | Florian Roth
  • 0x1a87b:$x1: Nuclear Explosion.g.resources
  • 0x18081:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41
  • 0x15c5d:$x7: Nuclear Explosion.exe
  • 0x1ab1d:$s1: {11111-22222-20001-00001}
0.2.kHCaZ06n23.exe.400000.0.unpack | RevengeRAT_Sep17 | Detects RevengeRAT malware | Florian Roth
  • 0x1a87b:$x1: Nuclear Explosion.g.resources
  • 0x18081:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41
  • 0x15c5d:$x7: Nuclear Explosion.exe
  • 0x1ab1d:$s1: {11111-22222-20001-00001}
0.2.kHCaZ06n23.exe.3667e00.1.unpack | RevengeRAT_Sep17 | Detects RevengeRAT malware | Florian Roth
  • 0x18c7b:$x1: Nuclear Explosion.g.resources
  • 0x16481:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41
  • 0x1405d:$x7: Nuclear Explosion.exe
  • 0x18f1d:$s1: {11111-22222-20001-00001}

Sigma Overview

System Summary:

Sigma detected: Visual Basic Command Line Compiler Usage
Source: Process started; Author: Ensar Şamil, @sblmsrsn, @oscd_initiative; Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RESD3BA.tmp' 'C:\Users\user~1\AppData\Local\Temp\vbc6CC564E8AA1E43828C3D8B1FF2C4435.TMP', CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RESD3BA.tmp' 'C:\Users\user~1\AppData\Local\Temp\vbc6CC564E8AA1E43828C3D8B1FF2C4435.TMP', CommandLine|base64offset|contains: 8c, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe, ParentCommandLine: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe' /noconfig @'C:\Users\user\AppData\Local\Temp\ftffrmrs\ftffrmrs.cmdline', ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, ParentProcessId: 6848, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RESD3BA.tmp' 'C:\Users\user~1\AppData\Local\Temp\vbc6CC564E8AA1E43828C3D8B1FF2C4435.TMP', ProcessId: 6916
Sigma detected: Conhost Parent Process Executions
Source: Process started; Author: omkar72; Data: Command: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine|base64offset|contains: }}, Image: C:\Windows\System32\conhost.exe, NewProcessName: C:\Windows\System32\conhost.exe, OriginalFileName: C:\Windows\System32\conhost.exe, ParentCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ParentImage: C:\Windows\System32\conhost.exe, ParentProcessId: 6584, ProcessCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ProcessId: 6304

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000008.00000002.268580247.0000000002701000.00000004.00000001.sdmp, Malware Configuration Extractor: RevengeRAT {"Key": "Revenge-RAT", "Host": ["127.0.0.1:1488", "zalupa1488.ddns.net:1488"], "ID": "SecondVek", "Mutex": "RV_MUTEX"}
Multi AV Scanner detection for submitted file
Source: kHCaZ06n23.exe, Virustotal: Detection: 70%
Source: kHCaZ06n23.exe, ReversingLabs: Detection: 77%
Antivirus / Scanner detection for submitted sample
Source: kHCaZ06n23.exe, Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe, Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\$Recycle.Bin.exe, Avira: detection malicious, Label: HEUR/AGEN.1142426
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe, Virustotal: Detection: 70%
Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe, ReversingLabs: Detection: 77%
Source: C:\Windows\SecurityHealthService.exe, Virustotal: Detection: 70%
Source: C:\Windows\SecurityHealthService.exe, ReversingLabs: Detection: 77%
Yara detected RevengeRAT
Source: Yara match, File source: 00000008.00000002.268580247.0000000002701000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.265590594.0000000002EA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.255097174.0000000002682000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.255051562.0000000002661000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.268694272.0000000002722000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: kHCaZ06n23.exe PID: 6480, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: aspnet_compiler.exe PID: 6504, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: SecurityHealthService.exe PID: 6868, type: MEMORYSTR
Machine Learning detection for sample
Source: kHCaZ06n23.exe, Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe, Joe Sandbox ML: detected
Source: C:\$Recycle.Bin.exe, Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.kHCaZ06n23.exe.400000.0.unpack, Avira: Label: TR/Dropper.Gen
Source: 1.2.aspnet_compiler.exe.400000.0.unpack, Avira: Label: TR/Dropper.Gen
Source: 10.2.aspnet_compiler.exe.630000.0.unpack, Avira: Label: TR/Dropper.Gen
Source: 0.0.kHCaZ06n23.exe.400000.0.unpack, Avira: Label: TR/Dropper.Gen
Source: 8.0.SecurityHealthService.exe.400000.0.unpack, Avira: Label: TR/Dropper.Gen
Source: 10.0.aspnet_compiler.exe.630000.1.unpack, Avira: Label: TR/Dropper.Gen
Source: 8.2.SecurityHealthService.exe.400000.0.unpack, Avira: Label: TR/Dropper.Gen
Source: 10.0.aspnet_compiler.exe.630000.0.unpack, Avira: Label: TR/Dropper.Gen
Source: kHCaZ06n23.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: C:\Users\user\Desktop\kHCaZ06n23.exe, File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Binary string: wkernel32.pdb, source: WerFault.exe, 0000000D.00000003.276264242.0000000005121000.00000004.00000001.sdmp
Source: Binary string: XAMLHostHwndvolumelabelmasteredudfhelpJOLIETUDFData\Program Files\$Windows.~BT\Windows\ProgramData\Program Files (x86)\Program Files\Data\Windows\Data\ProgramData\Data\Program Files (x86)\.cer.cdxml.cat.automaticdestinations-ms.appxpackage.appxbundle.appxWindows.old\.fon.etl.efi.dsft.dmp.customdestinations-ms.cookie.msm.msip.mpb.mp.p12.p10.otf.ost.olb.ocx.nst.mui.pdb.partial.p7x.p7s.p7r.p7m.p7c.p7b.psf.psd1.pfx.pfm.pem.ttc.sys.sst.spkg.spc.sft.rll.winmd.wim.wfs.vsix.vsi.vmrs.vmcxWININET.xap%s (%d).%s\shellIfExecBrowserFlagsft%06dNeverShowExtAlwaysShowExtTopicL, source: aspnet_compiler.exe, 00000001.00000002.266004844.00000000063D1000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb, source: WerFault.exe, 0000000D.00000003.276264242.0000000005121000.00000004.00000001.sdmp
Source: Binary string: m;C:\Users\user\AppData\Local\Temp\ftffrmrs\ftffrmrs.pdb, source: aspnet_compiler.exe, 00000001.00000002.265619464.0000000002EC2000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb, source: WerFault.exe, 0000000D.00000003.276264242.0000000005121000.00000004.00000001.sdmp
Source: Binary string: aspnet_compiler.pdb, source: aspnet_compiler.exe, 00000001.00000002.265619464.0000000002EC2000.00000004.00000001.sdmp, aspnet_compiler.exe, 00000002.00000002.258440439.0000000000402000.00000040.00000001.sdmp
Source: Binary string: shell32.pdbUGP, source: aspnet_compiler.exe, 00000001.00000002.266004844.00000000063D1000.00000004.00000001.sdmp
Source: Binary string: mscoree.pdb, source: WerFault.exe, 0000000D.00000003.276264242.0000000005121000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\ftffrmrs\ftffrmrs.pdbJ, source: aspnet_compiler.exe, 00000001.00000002.265032045.000000000115B000.00000004.00000020.sdmp
Source: Binary string: shell32.pdb, source: aspnet_compiler.exe, 00000001.00000002.266004844.00000000063D1000.00000004.00000001.sdmp
Source: aspnet_compiler.exe, 00000001.00000002.265619464.0000000002EC2000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

E-Banking Fraud:

Yara detected RevengeRAT
Source: Yara match, File source: 00000008.00000002.268580247.0000000002701000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.265590594.0000000002EA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.255097174.0000000002682000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.255051562.0000000002661000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.268694272.0000000002722000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: kHCaZ06n23.exe PID: 6480, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: aspnet_compiler.exe PID: 6504, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: SecurityHealthService.exe PID: 6868, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)
Source: kHCaZ06n23.exe, type: SAMPLE; Matched rule: Detects RevengeRAT malware, Author: Florian Roth
Source: 0.0.kHCaZ06n23.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects RevengeRAT malware, Author: Florian Roth
Source: 1.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects RevengeRAT malware, Author: Florian Roth
Source: 8.2.SecurityHealthService.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects RevengeRAT malware, Author: Florian Roth
Source: 0.2.kHCaZ06n23.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects RevengeRAT malware, Author: Florian Roth
Source: 0.2.kHCaZ06n23.exe.3667e00.1.unpack, type: UNPACKEDPE; Matched rule: Detects RevengeRAT malware, Author: Florian Roth
Source: 10.0.aspnet_compiler.exe.630000.1.unpack, type: UNPACKEDPE; Matched rule: Detects RevengeRAT malware, Author: Florian Roth
Source: 0.2.kHCaZ06n23.exe.3667e00.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects RevengeRAT malware, Author: Florian Roth
Source: 10.2.aspnet_compiler.exe.630000.0.unpack, type: UNPACKEDPE; Matched rule: Detects RevengeRAT malware, Author: Florian Roth
Source: 10.0.aspnet_compiler.exe.630000.0.unpack, type: UNPACKEDPE; Matched rule: Detects RevengeRAT malware, Author: Florian Roth
Source: 8.0.SecurityHealthService.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects RevengeRAT malware, Author: Florian Roth
Source: 8.2.SecurityHealthService.exe.3707e00.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects RevengeRAT malware, Author: Florian Roth
Source: 8.2.SecurityHealthService.exe.3707e00.1.unpack, type: UNPACKEDPE; Matched rule: Detects RevengeRAT malware, Author: Florian Roth
Source: 00000001.00000002.264317494.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects RevengeRAT malware, Author: Florian Roth
Source: 0000000A.00000002.294042938.0000000000632000.00000020.00000001.sdmp, type: MEMORY; Matched rule: Detects RevengeRAT malware, Author: Florian Roth
Source: 00000008.00000002.268787538.0000000003707000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects RevengeRAT malware, Author: Florian Roth
Source: 00000000.00000000.251968084.0000000000402000.00000020.00020000.sdmp, type: MEMORY; Matched rule: Detects RevengeRAT malware, Author: Florian Roth
Source: 00000008.00000000.263805408.0000000000402000.00000020.00020000.sdmp, type: MEMORY; Matched rule: Detects RevengeRAT malware, Author: Florian Roth
Source: 0000000A.00000000.269181851.0000000000632000.00000020.00000001.sdmp, type: MEMORY; Matched rule: Detects RevengeRAT malware, Author: Florian Roth
Source: 0000000A.00000000.269763706.0000000000632000.00000020.00000001.sdmp, type: MEMORY; Matched rule: Detects RevengeRAT malware, Author: Florian Roth
Source: 00000008.00000002.267001553.0000000000402000.00000020.00020000.sdmp, type: MEMORY; Matched rule: Detects RevengeRAT malware, Author: Florian Roth
Source: 00000001.00000003.259287377.000000000113F000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects RevengeRAT malware, Author: Florian Roth
Source: 00000000.00000002.254412755.0000000000402000.00000020.00020000.sdmp, type: MEMORY; Matched rule: Detects RevengeRAT malware, Author: Florian Roth
Source: 00000000.00000002.255142100.0000000003667000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects RevengeRAT malware, Author: Florian Roth
Source: Process Memory Space: aspnet_compiler.exe PID: 6504, type: MEMORYSTR; Matched rule: Detects RevengeRAT malware, Author: Florian Roth
Source: Process Memory Space: SecurityHealthService.exe PID: 6868, type: MEMORYSTR; Matched rule: Detects RevengeRAT malware, Author: Florian Roth
Source: Process Memory Space: aspnet_compiler.exe PID: 6972, type: MEMORYSTR; Matched rule: Detects RevengeRAT malware, Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe, type: DROPPED; Matched rule: Detects RevengeRAT malware, Author: Florian Roth
Uses 32bit PE files
Source: kHCaZ06n23.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Yara signature match
Source: kHCaZ06n23.exe, type: SAMPLE; Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
Source: 0.0.kHCaZ06n23.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
Source: 1.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
Source: 8.2.SecurityHealthService.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
Source: 0.2.kHCaZ06n23.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
Source: 0.2.kHCaZ06n23.exe.3667e00.1.unpack, type: UNPACKEDPE; Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
Source: 10.0.aspnet_compiler.exe.630000.1.unpack, type: UNPACKEDPE; Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
Source: 0.2.kHCaZ06n23.exe.3667e00.1.raw.unpack, type: UNPACKEDPE; Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
Source: 10.2.aspnet_compiler.exe.630000.0.unpack, type: UNPACKEDPE; Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
Source: 10.0.aspnet_compiler.exe.630000.0.unpack, type: UNPACKEDPE; Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
Source: 8.0.SecurityHealthService.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
Source: 8.2.SecurityHealthService.exe.3707e00.1.raw.unpack, type: UNPACKEDPE; Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
Source: 8.2.SecurityHealthService.exe.3707e00.1.unpack, type: UNPACKEDPE; Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
Source: 00000001.00000002.264317494.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
Source: 0000000A.00000002.294042938.0000000000632000.00000020.00000001.sdmp, type: MEMORY; Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
Source: 00000008.00000002.268787538.0000000003707000.00000004.00000001.sdmp, type: MEMORY; Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
Source: 00000000.00000000.251968084.0000000000402000.00000020.00020000.sdmp, type: MEMORY; Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
Source: 00000008.00000000.263805408.0000000000402000.00000020.00020000.sdmp, type: MEMORY; Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
Source: 0000000A.00000000.269181851.0000000000632000.00000020.00000001.sdmp, type: MEMORY; Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
Source: 0000000A.00000000.269763706.0000000000632000.00000020.00000001.sdmp, type: MEMORY; Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
Source: 00000008.00000002.267001553.0000000000402000.00000020.00020000.sdmp, type: MEMORY; Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
Source: 00000001.00000003.259287377.000000000113F000.00000004.00000001.sdmp, type: MEMORY; Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
Source: 00000000.00000002.254412755.0000000000402000.00000020.00020000.sdmp, type: MEMORY; Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
    Source: 00000000.00000002.255142100.0000000003667000.00000004.00000001.sdmp, type: MEMORYMatched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
    Source: Process Memory Space: aspnet_compiler.exe PID: 6504, type: MEMORYSTRMatched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
    Source: Process Memory Space: SecurityHealthService.exe PID: 6868, type: MEMORYSTRMatched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
    Source: Process Memory Space: aspnet_compiler.exe PID: 6972, type: MEMORYSTRMatched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
    Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe, type: DROPPEDMatched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2020-07-27
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6972 -s 188
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe File created: C:\Windows\SecurityHealthService.exe
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 1_2_02CC96D8
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 1_2_02CCA428
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 1_2_02CCBF60
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 1_2_02CC0BF8
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 1_2_02CCCEC8
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 1_2_02CCBFCB
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 1_2_02CCBFE6
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 1_2_02CCBF50
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 1_2_02CC0C08
    Source: $Recycle.Bin.exe.6.dr Static PE information: No import functions for PE file found
    Source: $Recycle.Bin.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: kHCaZ06n23.exe Virustotal: Detection: 70%
    Source: kHCaZ06n23.exe ReversingLabs: Detection: 77%
    Source: C:\Users\user\Desktop\kHCaZ06n23.exe File read: C:\Users\user\Desktop\kHCaZ06n23.exe
    Source: kHCaZ06n23.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\kHCaZ06n23.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: unknown Process created: C:\Users\user\Desktop\kHCaZ06n23.exe 'C:\Users\user\Desktop\kHCaZ06n23.exe'
    Source: C:\Users\user\Desktop\kHCaZ06n23.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe' /noconfig @'C:\Users\user\AppData\Local\Temp\ftffrmrs\ftffrmrs.cmdline'
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process created: C:\Users\user\AppData\Roaming\SecurityHealthService.exe 'C:\Users\user\AppData\Roaming\SecurityHealthService.exe'
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RESD3BA.tmp' 'C:\Users\user~1\AppData\Local\Temp\vbc6CC564E8AA1E43828C3D8B1FF2C4435.TMP'
    Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
    Source: C:\Users\user\Desktop\kHCaZ06n23.exe Code function: 0_2_008FA7DA AdjustTokenPrivileges
    Source: C:\Users\user\Desktop\kHCaZ06n23.exe Code function: 0_2_008FA7A3 AdjustTokenPrivileges
    Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe Code function: 8_2_008FA7DA AdjustTokenPrivileges
    Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe Code function: 8_2_008FA7A3 AdjustTokenPrivileges
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe File created: C:\Users\user\AppData\Roaming\SecurityHealthService.exe
    Source: C:\Users\user\Desktop\kHCaZ06n23.exe File created: C:\Users\user\AppData\Local\Temp\paRClgZbl.txt
    Source: classification engine Classification label: mal100.troj.evad.winEXE@17/21@0/1
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe File read: C:\Users\user\Desktop\desktop.ini
    Source: C:\Users\user\Desktop\kHCaZ06n23.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
    Source: C:\Users\user\Desktop\kHCaZ06n23.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
    Source: C:\Users\user\Desktop\kHCaZ06n23.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
    Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
    Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
    Source: C:\Users\user\AppData\Roaming\SecurityHealthService.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
    Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6304:120:WilError_01
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Mutant created: \Sessions\1\BaseNamedObjects\RV_MUTEX
    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6856:120:WilError_01
    Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6972
    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6584:120:WilError_01
    Source: kHCaZ06n23.exe, OvSZYRHr9q9CI8lcbbw/OPEdO0HVV1wKWEJQBCa.cs Cryptographic APIs: 'CreateDecryptor'
    Source: 0.2.kHCaZ06n23.exe.400000.0.unpack, OvSZYRHr9q9CI8lcbbw/OPEdO0HVV1wKWEJQBCa.cs Cryptographic APIs: 'CreateDecryptor'
    Source: 0.0.kHCaZ06n23.exe.400000.0.unpack, OvSZYRHr9q9CI8lcbbw/OPEdO0HVV1wKWEJQBCa.cs Cryptographic APIs: 'CreateDecryptor'
    Source: SecurityHealthService.exe.1.dr, OvSZYRHr9q9CI8lcbbw/OPEdO0HVV1wKWEJQBCa.cs Cryptographic APIs: 'CreateDecryptor'
    Source: SecurityHealthService.exe0.1.dr, OvSZYRHr9q9CI8lcbbw/OPEdO0HVV1wKWEJQBCa.cs Cryptographic APIs: 'CreateDecryptor'
    Source: 1.2.aspnet_compiler.exe.400000.0.unpack, OvSZYRHr9q9CI8lcbbw/OPEdO0HVV1wKWEJQBCa.cs Cryptographic APIs: 'CreateDecryptor'
    Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
    Source: C:\Users\user\Desktop\kHCaZ06n23.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
    Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000D.00000003.276264242.0000000005121000.00000004.00000001.sdmp
    Source: Binary string: XAMLHostHwndvolumelabelmasteredudfhelpJOLIETUDFData\Program Files\$Windows.~BT\Windows\ProgramData\Program Files (x86)\Program Files\Data\Windows\Data\ProgramData\Data\Program Files (x86)\.cer.cdxml.cat.automaticdestinations-ms.appxpackage.appxbundle.appxWindows.old\.fon.etl.efi.dsft.dmp.customdestinations-ms.cookie.msm.msip.mpb.mp.p12.p10.otf.ost.olb.ocx.nst.mui.pdb.partial.p7x.p7s.p7r.p7m.p7c.p7b.psf.psd1.pfx.pfm.pem.ttc.sys.sst.spkg.spc.sft.rll.winmd.wim.wfs.vsix.vsi.vmrs.vmcxWININET.xap%s (%d).%s\shellIfExecBrowserFlagsft%06dNeverShowExtAlwaysShowExtTopicL source: aspnet_compiler.exe, 00000001.00000002.266004844.00000000063D1000.00000004.00000001.sdmp
    Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000D.00000003.276264242.0000000005121000.00000004.00000001.sdmp
    Source: Binary string: m;C:\Users\user\AppData\Local\Temp\ftffrmrs\ftffrmrs.pdb source: aspnet_compiler.exe, 00000001.00000002.265619464.0000000002EC2000.00000004.00000001.sdmp
    Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000D.00000003.276264242.0000000005121000.00000004.00000001.sdmp
    Source: Binary string: aspnet_compiler.pdb source: aspnet_compiler.exe, 00000001.00000002.265619464.0000000002EC2000.00000004.00000001.sdmp, aspnet_compiler.exe, 00000002.00000002.258440439.0000000000402000.00000040.00000001.sdmp
    Source: Binary string: shell32.pdbUGP source: aspnet_compiler.exe, 00000001.00000002.266004844.00000000063D1000.00000004.00000001.sdmp
    Source: Binary string: mscoree.pdb source: WerFault.exe, 0000000D.00000003.276264242.0000000005121000.00000004.00000001.sdmp
    Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\ftffrmrs\ftffrmrs.pdbJ, source: aspnet_compiler.exe, 00000001.00000002.265032045.000000000115B000.00000004.00000020.sdmp
    Source: Binary string: shell32.pdb source: aspnet_compiler.exe, 00000001.00000002.266004844.00000000063D1000.00000004.00000001.sdmp

    Data Obfuscation:

    .NET source code contains potential unpacker
    Source: kHCaZ06n23.exe, Nuclear_Explosion/Atomic.cs .Net Code: data System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: kHCaZ06n23.exe, Nuclear_Explosion/Atomic.cs .Net Code: INV System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 0.2.kHCaZ06n23.exe.400000.0.unpack, Nuclear_Explosion/Atomic.cs .Net Code: data System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 0.2.kHCaZ06n23.exe.400000.0.unpack, Nuclear_Explosion/Atomic.cs .Net Code: INV System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 0.0.kHCaZ06n23.exe.400000.0.unpack, Nuclear_Explosion/Atomic.cs .Net Code: data System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 0.0.kHCaZ06n23.exe.400000.0.unpack, Nuclear_Explosion/Atomic.cs .Net Code: INV System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: SecurityHealthService.exe.1.dr, Nuclear_Explosion/Atomic.cs .Net Code: data System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: SecurityHealthService.exe.1.dr, Nuclear_Explosion/Atomic.cs .Net Code: INV System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: SecurityHealthService.exe0.1.dr, Nuclear_Explosion/Atomic.cs .Net Code: data System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: SecurityHealthService.exe0.1.dr, Nuclear_Explosion/Atomic.cs .Net Code: INV System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 1.2.aspnet_compiler.exe.400000.0.unpack, Nuclear_Explosion/Atomic.cs .Net Code: data System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 1.2.aspnet_compiler.exe.400000.0.unpack, Nuclear_Explosion/Atomic.cs .Net Code: INV System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 8.0.SecurityHealthService.exe.400000.0.unpack, Nuclear_Explosion/Atomic.cs .Net Code: data System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 8.0.SecurityHealthService.exe.400000.0.unpack, Nuclear_Explosion/Atomic.cs .Net Code: INV System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 8.2.SecurityHealthService.exe.400000.0.unpack, Nuclear_Explosion/Atomic.cs .Net Code: data System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 8.2.SecurityHealthService.exe.400000.0.unpack, Nuclear_Explosion/Atomic.cs .Net Code: INV System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 10.2.aspnet_compiler.exe.630000.0.unpack, Nuclear_Explosion/Atomic.cs .Net Code: data System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 10.2.aspnet_compiler.exe.630000.0.unpack, Nuclear_Explosion/Atomic.cs .Net Code: INV System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 10.0.aspnet_compiler.exe.630000.1.unpack, Nuclear_Explosion/Atomic.cs .Net Code: data System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 10.0.aspnet_compiler.exe.630000.1.unpack, Nuclear_Explosion/Atomic.cs .Net Code: INV System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: kHCaZ06n23.exe, OvSZYRHr9q9CI8lcbbw/OPEdO0HVV1wKWEJQBCa.cs High entropy of concatenated method names: '.cctor', 'K7LGSRsyDPao0', 'TGLlvp4Ef3', 'f2GldOBlt4', 'WHplT3iWf2', 'HU4ljNnyRT', 'PMYlmvHqMs', 'MYvlR3UGmA', 'p2nlqLKvnh', 'uyllIRAgIK'
    Source: kHCaZ06n23.exe, zrZ2QDEpmGAR7hZjpL/xsAaI472chGbQLrQYH.cs High entropy of concatenated method names: '.ctor', 'uDNqo1KM0B', 'DuPqSjdvIb', 'zEaqiZifpv', 'DHmqK8iEmn', 'o6jqa2ynIb', 'hFiqNMh7W8', 'aYWqWYkJTV', 'ut3qtYwJ8g', 'khkqC1xHA3'
    Source: kHCaZ06n23.exe, DB73XQrm8ak0wAvOaR/WJb2dlVjmO5LF4WEcY.cs High entropy of concatenated method names: 'maYHmUdj7P', 'rUvHRkkoDB', 'AtFHqUm5Cf', 'GD0HIpphGw', 'JuVHPuoWoJ', 'qmxHMDPyH1', 'PKVHhDLN2y', 'Qw7HGwHuRy', 'PYGHt9uDnp', 'yQGH0FLhUw'
    Source: 0.2.kHCaZ06n23.exe.400000.0.unpack, OvSZYRHr9q9CI8lcbbw/OPEdO0HVV1wKWEJQBCa.cs High entropy of concatenated method names: '.cctor', 'K7LGSRsyDPao0', 'TGLlvp4Ef3', 'f2GldOBlt4', 'WHplT3iWf2', 'HU4ljNnyRT', 'PMYlmvHqMs', 'MYvlR3UGmA', 'p2nlqLKvnh', 'uyllIRAgIK'
    Source: 0.2.kHCaZ06n23.exe.400000.0.unpack, zrZ2QDEpmGAR7hZjpL/xsAaI472chGbQLrQYH.cs High entropy of concatenated method names: '.ctor', 'uDNqo1KM0B', 'DuPqSjdvIb', 'zEaqiZifpv', 'DHmqK8iEmn', 'o6jqa2ynIb', 'hFiqNMh7W8', 'aYWqWYkJTV', 'ut3qtYwJ8g', 'khkqC1xHA3'
    Source: 0.2.kHCaZ06n23.exe.400000.0.unpack, DB73XQrm8ak0wAvOaR/WJb2dlVjmO5LF4WEcY.cs High entropy of concatenated method names: 'maYHmUdj7P', 'rUvHRkkoDB', 'AtFHqUm5Cf', 'GD0HIpphGw', 'JuVHPuoWoJ', 'qmxHMDPyH1', 'PKVHhDLN2y', 'Qw7HGwHuRy', 'PYGHt9uDnp', 'yQGH0FLhUw'
    Source: 0.0.kHCaZ06n23.exe.400000.0.unpack, zrZ2QDEpmGAR7hZjpL/xsAaI472chGbQLrQYH.cs High entropy of concatenated method names: '.ctor', 'uDNqo1KM0B', 'DuPqSjdvIb', 'zEaqiZifpv', 'DHmqK8iEmn', 'o6jqa2ynIb', 'hFiqNMh7W8', 'aYWqWYkJTV', 'ut3qtYwJ8g', 'khkqC1xHA3'
    Source: 0.0.kHCaZ06n23.exe.400000.0.unpack, OvSZYRHr9q9CI8lcbbw/OPEdO0HVV1wKWEJQBCa.cs High entropy of concatenated method names: '.cctor', 'K7LGSRsyDPao0', 'TGLlvp4Ef3', 'f2GldOBlt4', 'WHplT3iWf2', 'HU4ljNnyRT', 'PMYlmvHqMs', 'MYvlR3UGmA', 'p2nlqLKvnh', 'uyllIRAgIK'
    Source: 0.0.kHCaZ06n23.exe.400000.0.unpack, DB73XQrm8ak0wAvOaR/WJb2dlVjmO5LF4WEcY.cs High entropy of concatenated method names: 'maYHmUdj7P', 'rUvHRkkoDB', 'AtFHqUm5Cf', 'GD0HIpphGw', 'JuVHPuoWoJ', 'qmxHMDPyH1', 'PKVHhDLN2y', 'Qw7HGwHuRy', 'PYGHt9uDnp', 'yQGH0FLhUw'
    Source: SecurityHealthService.exe.1.dr, zrZ2QDEpmGAR7hZjpL/xsAaI472chGbQLrQYH.cs High entropy of concatenated method names: '.ctor', 'uDNqo1KM0B', 'DuPqSjdvIb', 'zEaqiZifpv', 'DHmqK8iEmn', 'o6jqa2ynIb', 'hFiqNMh7W8', 'aYWqWYkJTV', 'ut3qtYwJ8g', 'khkqC1xHA3'
    Source: SecurityHealthService.exe.1.dr, DB73XQrm8ak0wAvOaR/WJb2dlVjmO5LF4WEcY.cs High entropy of concatenated method names: 'maYHmUdj7P', 'rUvHRkkoDB', 'AtFHqUm5Cf', 'GD0HIpphGw', 'JuVHPuoWoJ', 'qmxHMDPyH1', 'PKVHhDLN2y', 'Qw7HGwHuRy', 'PYGHt9uDnp', 'yQGH0FLhUw'
    Source: SecurityHealthService.exe.1.dr, OvSZYRHr9q9CI8lcbbw/OPEdO0HVV1wKWEJQBCa.cs High entropy of concatenated method names: '.cctor', 'K7LGSRsyDPao0', 'TGLlvp4Ef3', 'f2GldOBlt4', 'WHplT3iWf2', 'HU4ljNnyRT', 'PMYlmvHqMs', 'MYvlR3UGmA', 'p2nlqLKvnh', 'uyllIRAgIK'
    Source: SecurityHealthService.exe0.1.dr, OvSZYRHr9q9CI8lcbbw/OPEdO0HVV1wKWEJQBCa.cs High entropy of concatenated method names: '.cctor', 'K7LGSRsyDPao0', 'TGLlvp4Ef3', 'f2GldOBlt4', 'WHplT3iWf2', 'HU4ljNnyRT', 'PMYlmvHqMs', 'MYvlR3UGmA', 'p2nlqLKvnh', 'uyllIRAgIK'
    Source: SecurityHealthService.exe0.1.dr, zrZ2QDEpmGAR7hZjpL/xsAaI472chGbQLrQYH.cs High entropy of concatenated method names: '.ctor', 'uDNqo1KM0B', 'DuPqSjdvIb', 'zEaqiZifpv', 'DHmqK8iEmn', 'o6jqa2ynIb', 'hFiqNMh7W8', 'aYWqWYkJTV', 'ut3qtYwJ8g', 'khkqC1xHA3'
    Source: SecurityHealthService.exe0.1.dr, DB73XQrm8ak0wAvOaR/WJb2dlVjmO5LF4WEcY.cs High entropy of concatenated method names: 'maYHmUdj7P', 'rUvHRkkoDB', 'AtFHqUm5Cf', 'GD0HIpphGw', 'JuVHPuoWoJ', 'qmxHMDPyH1', 'PKVHhDLN2y', 'Qw7HGwHuRy', 'PYGHt9uDnp', 'yQGH0FLhUw'
    Source: 1.2.aspnet_compiler.exe.400000.0.unpack, OvSZYRHr9q9CI8lcbbw/OPEdO0HVV1wKWEJQBCa.cs High entropy of concatenated method names: '.cctor', 'K7LGSRsyDPao0', 'TGLlvp4Ef3', 'f2GldOBlt4', 'WHplT3iWf2', 'HU4ljNnyRT', 'PMYlmvHqMs', 'MYvlR3UGmA', 'p2nlqLKvnh', 'uyllIRAgIK'
    Source: 1.2.aspnet_compiler.exe.400000.0.unpack, DB73XQrm8ak0wAvOaR/WJb2dlVjmO5LF4WEcY.cs High entropy of concatenated method names: 'maYHmUdj7P', 'rUvHRkkoDB', 'AtFHqUm5Cf', 'GD0HIpphGw', 'JuVHPuoWoJ', 'qmxHMDPyH1', 'PKVHhDLN2y', 'Qw7HGwHuRy', 'PYGHt9uDnp', 'yQGH0FLhUw'
    Source: 1.2.aspnet_compiler.exe.400000.0.unpack, zrZ2QDEpmGAR7hZjpL/xsAaI472chGbQLrQYH.cs High entropy of concatenated method names: '.ctor', 'uDNqo1KM0B', 'DuPqSjdvIb', 'zEaqiZifpv', 'DHmqK8iEmn', 'o6jqa2ynIb', 'hFiqNMh7W8', 'aYWqWYkJTV', 'ut3qtYwJ8g', 'khkqC1xHA3'
    Source: 8.0.SecurityHealthService.exe.400000.0.unpack, OvSZYRHr9q9CI8lcbbw/OPEdO0HVV1wKWEJQBCa.cs High entropy of concatenated method names: '.cctor', 'K7LGSRsyDPao0', 'TGLlvp4Ef3', 'f2GldOBlt4', 'WHplT3iWf2', 'HU4ljNnyRT', 'PMYlmvHqMs', 'MYvlR3UGmA', 'p2nlqLKvnh', 'uyllIRAgIK'
    Source: 8.0.SecurityHealthService.exe.400000.0.unpack, zrZ2QDEpmGAR7hZjpL/xsAaI472chGbQLrQYH.cs High entropy of concatenated method names: '.ctor', 'uDNqo1KM0B', 'DuPqSjdvIb', 'zEaqiZifpv', 'DHmqK8iEmn', 'o6jqa2ynIb', 'hFiqNMh7W8', 'aYWqWYkJTV', 'ut3qtYwJ8g', 'khkqC1xHA3'
    Source: 8.0.SecurityHealthService.exe.400000.0.unpack, DB73XQrm8ak0wAvOaR/WJb2dlVjmO5LF4WEcY.cs High entropy of concatenated method names: 'maYHmUdj7P', 'rUvHRkkoDB', 'AtFHqUm5Cf', 'GD0HIpphGw', 'JuVHPuoWoJ', 'qmxHMDPyH1', 'PKVHhDLN2y', 'Qw7HGwHuRy', 'PYGHt9uDnp', 'yQGH0FLhUw'
    Source: 8.2.SecurityHealthService.exe.400000.0.unpack, zrZ2QDEpmGAR7hZjpL/xsAaI472chGbQLrQYH.cs High entropy of concatenated method names: '.ctor', 'uDNqo1KM0B', 'DuPqSjdvIb', 'zEaqiZifpv', 'DHmqK8iEmn', 'o6jqa2ynIb', 'hFiqNMh7W8', 'aYWqWYkJTV', 'ut3qtYwJ8g', 'khkqC1xHA3'
    Source: 8.2.SecurityHealthService.exe.400000.0.unpack, DB73XQrm8ak0wAvOaR/WJb2dlVjmO5LF4WEcY.cs High entropy of concatenated method names: 'maYHmUdj7P', 'rUvHRkkoDB', 'AtFHqUm5Cf', 'GD0HIpphGw', 'JuVHPuoWoJ', 'qmxHMDPyH1', 'PKVHhDLN2y', 'Qw7HGwHuRy', 'PYGHt9uDnp', 'yQGH0FLhUw'
    Source: 8.2.SecurityHealthService.exe.400000.0.unpack, OvSZYRHr9q9CI8lcbbw/OPEdO0HVV1wKWEJQBCa.cs High entropy of concatenated method names: '.cctor', 'K7LGSRsyDPao0', 'TGLlvp4Ef3', 'f2GldOBlt4', 'WHplT3iWf2', 'HU4ljNnyRT', 'PMYlmvHqMs', 'MYvlR3UGmA', 'p2nlqLKvnh', 'uyllIRAgIK'
    Source: 10.2.aspnet_compiler.exe.630000.0.unpack, zrZ2QDEpmGAR7hZjpL/xsAaI472chGbQLrQYH.cs High entropy of concatenated method names: '.ctor', 'uDNqo1KM0B', 'DuPqSjdvIb', 'zEaqiZifpv', 'DHmqK8iEmn', 'o6jqa2ynIb', 'hFiqNMh7W8', 'aYWqWYkJTV', 'ut3qtYwJ8g', 'khkqC1xHA3'
    Source: 10.2.aspnet_compiler.exe.630000.0.unpack, DB73XQrm8ak0wAvOaR/WJb2dlVjmO5LF4WEcY.cs High entropy of concatenated method names: 'maYHmUdj7P', 'rUvHRkkoDB', 'AtFHqUm5Cf', 'GD0HIpphGw', 'JuVHPuoWoJ', 'qmxHMDPyH1', 'PKVHhDLN2y', 'Qw7HGwHuRy', 'PYGHt9uDnp', 'yQGH0FLhUw'
    Source: 10.2.aspnet_compiler.exe.630000.0.unpack, OvSZYRHr9q9CI8lcbbw/OPEdO0HVV1wKWEJQBCa.cs High entropy of concatenated method names: '.cctor', 'K7LGSRsyDPao0', 'TGLlvp4Ef3', 'f2GldOBlt4', 'WHplT3iWf2', 'HU4ljNnyRT', 'PMYlmvHqMs', 'MYvlR3UGmA', 'p2nlqLKvnh', 'uyllIRAgIK'
    Source: 10.0.aspnet_compiler.exe.630000.1.unpack, DB73XQrm8ak0wAvOaR/WJb2dlVjmO5LF4WEcY.cs High entropy of concatenated method names: 'maYHmUdj7P', 'rUvHRkkoDB', 'AtFHqUm5Cf', 'GD0HIpphGw', 'JuVHPuoWoJ', 'qmxHMDPyH1', 'PKVHhDLN2y', 'Qw7HGwHuRy', 'PYGHt9uDnp', 'yQGH0FLhUw'
    Source: 10.0.aspnet_compiler.exe.630000.1.unpack, zrZ2QDEpmGAR7hZjpL/xsAaI472chGbQLrQYH.cs High entropy of concatenated method names: '.ctor', 'uDNqo1KM0B', 'DuPqSjdvIb', 'zEaqiZifpv', 'DHmqK8iEmn', 'o6jqa2ynIb', 'hFiqNMh7W8', 'aYWqWYkJTV', 'ut3qtYwJ8g', 'khkqC1xHA3'
    Source: 10.0.aspnet_compiler.exe.630000.1.unpack, OvSZYRHr9q9CI8lcbbw/OPEdO0HVV1wKWEJQBCa.cs High entropy of concatenated method names: '.cctor', 'K7LGSRsyDPao0', 'TGLlvp4Ef3', 'f2GldOBlt4', 'WHplT3iWf2', 'HU4ljNnyRT', 'PMYlmvHqMs', 'MYvlR3UGmA', 'p2nlqLKvnh', 'uyllIRAgIK'
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe File created: C:\Windows\SecurityHealthService.exe
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe File created: C:\Users\user\AppData\Roaming\SecurityHealthService.exe
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe File created: C:\$Recycle.Bin.exe
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe File created: C:\Windows\SecurityHealthService.exe

    Hooking and other Techniques for Hiding and Protection:
