Windows Analysis Report
VoRTaSs6hl

Overview

General Information

Sample Name: VoRTaSs6hl (renamed file extension from none to exe)
Analysis ID: 679178
MD5: 6e2d9824eeebad8b1507fa4238892439
SHA1: 03a6497741b9697f9234f85644cd35aa5bf0e42e
SHA256: f10c2bbc2319e72bc4dee452a2de176573d88eafecc30e97748b5dd087f4ea1f
Tags: exe

Detection

DBatLoader, Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Remcos RAT
Yara detected DBatLoader
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Yara detected UAC Bypass using ComputerDefaults
Injects a PE file into a foreign process
C2 URLs / IPs found in malware configuration
Uses dynamic DNS services
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
JA3 SSL client fingerprint seen in connection with other malware
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Sample file name differs from the original file name in the version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Detected TCP or UDP traffic on non-standard ports
Yara detected Keylogger Generic
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: VoRTaSs6hl.exe Virustotal: Detection: 57%
Source: VoRTaSs6hl.exe Metadefender: Detection: 40%
Source: VoRTaSs6hl.exe ReversingLabs: Detection: 80%
Source: Yara match File source: 8.0.VoRTaSs6hl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.VoRTaSs6hl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000000.458115313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.467804722.000000007F850000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.458708043.000000007F7D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: VoRTaSs6hl.exe PID: 5260, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: VoRTaSs6hl.exe PID: 2308, type: MEMORYSTR
Source: bestsuccess.ddns.net Avira URL Cloud: Label: malware
Source: C:\Users\Public\Libraries\Accyaz.exe Metadefender: Detection: 40%
Source: C:\Users\Public\Libraries\Accyaz.exe ReversingLabs: Detection: 80%
Source: 0.2.VoRTaSs6hl.exe.5190000.3.unpack Avira: Label: TR/Hijacker.Gen
Source: 8.0.VoRTaSs6hl.exe.400000.0.unpack Avira: Label: BDS/Backdoor.Gen
Source: 8.0.VoRTaSs6hl.exe.400000.0.unpack Malware Configuration Extractor: Remcos {"Version": null, "Host:Port:Password": "bestsuccess.ddns.net:2442:0", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Remcos-HPUD4T", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: VoRTaSs6hl.exe, 00000000.00000002.467804722.000000007F850000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ebbd08.358.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ebb5d4.345.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4eb61ec.278.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ed8534.253.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.Accyaz.exe.4eba33c.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4eec268.410.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4edfae4.300.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ee75a8.356.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ee4698.334.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ee29d8.319.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ebb5f0.349.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4eb7cac.299.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.Accyaz.exe.4eb42b4.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ebbfd4.379.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4efdd28.264.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ee7b70.367.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ee4698.334.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ebf4ac.414.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ebbd08.358.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4eb9e0c.326.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ee7da8.374.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ebd264.393.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4eba33c.328.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ee79e8.359.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4eef0d8.420.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4eb42a4.254.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4eb6208.282.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ee4680.330.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ebfa70.421.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ebbd68.366.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4eb9e18.327.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ebd294.385.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4eea618.394.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4eb8008.288.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ee7ae0.364.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4edd3b0.292.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4eec268.409.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ee5c98.339.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4eb94e8.317.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4eb82d0.307.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4eb7fac.303.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ebf4ac.413.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ee75a8.356.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ee54d0.313.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4eeffec.403.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ee7f80.380.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4edfae4.300.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4eb801c.305.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ee9514.387.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4eb8e34.312.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4eba33c.329.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ee7c50.371.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ee4680.331.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4eba358.332.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4eb4d44.272.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ee7f88.382.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ed8534.255.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ebbad0.355.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ee5c98.339.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4eb69e4.291.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ee7590.352.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ee7ae0.365.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ee7f68.378.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ee7c50.371.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ed8540.259.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ebae4c.341.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ef0008.415.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ec003c.425.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ee7ae0.364.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ebbd68.366.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ee29d8.319.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ebbad0.354.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4eb9674.325.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4eb8584.311.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4f1a130.405.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4eec01c.404.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4eba358.333.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4eeffec.403.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ebd3e8.397.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4edff30.304.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ebbac4.350.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4eb6208.283.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4f1a39c.411.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.Accyaz.exe.4eb456c.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ee6ba0.346.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4eec268.409.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ebd3e8.395.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ebd264.391.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ebb5f0.348.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ef0008.416.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4eb9674.324.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ee54d0.313.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ebd4e0.401.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4eb61ec.279.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ebd4e0.402.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.Accyaz.exe.4eba33c.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ee0840.309.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4eb9e0c.326.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4ebd294.385.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VoRTaSs6hl.exe.4edfae4.302.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000003.582204025.0000000004EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.421448081.0000000004EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.423565768.0000000004EB9000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.425205260.0000000004EBA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.446082664.0000000004EC6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.422842752.0000000004EB9000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.420930342.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.580602042.0000000004EDE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.426416005.0000000004EE6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.538052308.0000000004EDE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.421611443.0000000004EB7000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.429302112.0000000004EBB000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.441630278.0000000004EE7000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.424088325.0000000004EB9000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.424263669.0000000004EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.428670042.0000000004EE7000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.423831641.0000000004EB9000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.440372282.0000000004EE7000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.447220742.0000000004EBE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.466541505.00000000051B7000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.420521359.0000000004EB7000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.421139675.0000000004EDF000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.440055510.0000000004EE7000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.421380367.0000000004ED1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.444028422.0000000004EE9000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.447988992.0000000004EBF000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.580685332.0000000004F06000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.443079525.0000000004EE2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.441900734.0000000004EBB000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.425513640.0000000004EBA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.423304480.0000000004EB9000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.425654430.0000000004EF9000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.465887474.0000000005072000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.425343370.0000000004EE5000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.420336696.0000000004EEF000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.422375227.0000000004ECF000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.420130969.0000000004F03000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.595767562.00000000051B7000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.420178229.0000000004EB6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.445382300.0000000004ECA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.438540568.0000000004EBB000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.445825106.0000000004EED000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.423974434.0000000004EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.421833599.0000000004EC1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.433295092.0000000004EC5000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.424380214.0000000004EB9000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.419687348.0000000004F06000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.420822848.0000000004EC4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.432381321.0000000004EEF000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.427566345.0000000004EBB000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.428247847.0000000004EBB000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.419836780.0000000004EB6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.431995499.0000000004EBB000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.420097163.0000000004F03000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.420051029.0000000004EDC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.443553181.0000000004F1D000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.446313946.0000000004F1A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.425857531.0000000004EBA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.444837358.0000000004EBD000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.424704122.0000000004EBA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.447710826.0000000004EEE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.423014738.0000000004EE2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.538087740.0000000004F06000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.424846610.0000000004EE4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.444560120.0000000004EF1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.446991014.0000000004F1A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.421710790.0000000004EF9000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.419670146.0000000004EDE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.580570716.0000000004EDE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.435578658.0000000004EE7000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.444372383.0000000004EBC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.419745952.0000000004F06000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.440268577.0000000004EBB000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.421045537.0000000004EB7000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.439097674.0000000004EE7000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.447510992.0000000004EBF000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.443833987.0000000004EBB000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.538014940.0000000004EDE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.442822205.0000000004EE7000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.422051220.0000000004EB8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.419778188.0000000004F06000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.540280031.0000000004EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.446843436.0000000004EEC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.446601078.0000000004EBD000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.580625740.0000000004F06000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.420630780.0000000004EDF000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.439882924.0000000004EBB000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.422476902.0000000004EE5000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.441452071.0000000004EBB000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.420031016.0000000004EB6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.419921422.0000000004EDD000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.574705629.00000000051B7000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.442490830.0000000004EE7000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.443347589.0000000004ECB000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.540137538.0000000004EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.538131765.0000000004F06000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.440663754.0000000004EC3000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.424983781.0000000004F0E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.442278261.0000000004EBB000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.448431482.0000000004EBF000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.429850363.0000000004EE7000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.424498285.0000000004EE4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.440791192.0000000004EE7000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.422596998.0000000004F1E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.582328830.0000000004EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.442020432.0000000004EE7000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.419722916.0000000004EDE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.445012228.0000000004EF1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: VoRTaSs6hl.exe PID: 5260, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Accyaz.exe PID: 4684, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Accyaz.exe PID: 3300, type: MEMORYSTR
Source: VoRTaSs6hl.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown HTTPS traffic detected: 13.107.43.12:443 -> 192.168.2.6:49808 version: TLS 1.2

Networking

Source: Malware configuration extractor URLs: bestsuccess.ddns.net
Source: unknown DNS query: name: bestsuccess.ddns.net
Source: Joe Sandbox View ASN Name: RISS-ASRU RISS-ASRU
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Joe Sandbox View IP Address: 13.107.43.12 13.107.43.12
Source: Joe Sandbox View IP Address: 87.251.79.109 87.251.79.109
Source: global traffic TCP traffic: 192.168.2.6:49784 -> 87.251.79.109:2442
Source: unknown Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49811
Source: VoRTaSs6hl.exe, 00000000.00000003.359930943.00000000008A8000.00000004.00000020.00020000.00000000.sdmp, VoRTaSs6hl.exe, 00000000.00000003.394838399.00000000008BC000.00000004.00000020.00020000.00000000.sdmp, Accyaz.exe, 0000000A.00000002.551089962.00000000008ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: VoRTaSs6hl.exe, 00000000.00000002.460797006.00000000008E1000.00000004.00000020.00020000.00000000.sdmp, VoRTaSs6hl.exe, 00000000.00000002.460195306.0000000000843000.00000004.00000020.00020000.00000000.sdmp, Accyaz.exe, 0000000A.00000002.558218436.0000000000980000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
Source: Accyaz.exe, 0000000A.00000002.558218436.0000000000980000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702s.DLLo
Source: VoRTaSs6hl.exe, 00000000.00000002.460370541.000000000087B000.00000004.00000020.00020000.00000000.sdmp, Accyaz.exe, 0000000A.00000002.551089962.00000000008ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
Source: VoRTaSs6hl.exe, 00000000.00000002.460195306.0000000000843000.00000004.00000020.00020000.00000000.sdmp, Accyaz.exe, 0000000A.00000002.558218436.0000000000980000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: Accyaz.exe, 0000000A.00000002.558218436.0000000000980000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdL
Source: Accyaz.exe, 0000000A.00000002.558218436.0000000000980000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdU
Source: VoRTaSs6hl.exe, 00000000.00000002.467804722.000000007F850000.00000004.00001000.00020000.00000000.sdmp, VoRTaSs6hl.exe, 00000000.00000003.458708043.000000007F7D0000.00000004.00001000.00020000.00000000.sdmp, VoRTaSs6hl.exe, 00000008.00000000.458115313.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C
Source: VoRTaSs6hl.exe, 00000000.00000002.460733365.00000000008D0000.00000004.00000020.00020000.00000000.sdmp, Accyaz.exe, 0000000A.00000002.551089962.00000000008ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: VoRTaSs6hl.exe, 00000000.00000002.460733365.00000000008D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy6
Source: VoRTaSs6hl.exe, 00000000.00000002.460733365.00000000008D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policyZ
Source: Accyaz.exe, 0000000A.00000002.551089962.00000000008ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policyv8
Source: VoRTaSs6hl.exe, 00000000.00000002.460733365.00000000008D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: Accyaz.exe, 0000000A.00000002.551089962.00000000008ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trustNcv8F
Source: VoRTaSs6hl.exe, 00000000.00000002.460370541.000000000087B000.00000004.00000020.00020000.00000000.sdmp, Accyaz.exe, 0000000A.00000002.551089962.00000000008ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
Source: VoRTaSs6hl.exe, 00000000.00000002.460370541.000000000087B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicyd
Source: VoRTaSs6hl.exe, 00000000.00000002.460700771.00000000008C1000.00000004.00000020.00020000.00000000.sdmp, Accyaz.exe, 0000000A.00000002.556942864.0000000000960000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Accyaz.exe, 0000000A.00000002.556942864.0000000000960000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/.muiwo
Source: Accyaz.exe, 0000000A.00000002.556942864.0000000000960000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/H
Source: VoRTaSs6hl.exe, 00000000.00000002.460700771.00000000008C1000.00000004.00000020.00020000.00000000.sdmp, Accyaz.exe, 0000000A.00000002.556942864.0000000000960000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
Source: VoRTaSs6hl.exe, 00000000.00000002.460700771.00000000008C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/P
Source: Accyaz.exe, 0000000A.00000002.556942864.0000000000960000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/x_1
Source: VoRTaSs6hl.exe, Accyaz.exe String found in binary or memory: http://www.emerge.de
Source: Accyaz.exe, 0000000A.00000003.482343233.0000000002A77000.00000004.00001000.00020000.00000000.sdmp, Accyaz.exe, 0000000A.00000002.567944613.0000000002A1F000.00000004.00001000.00020000.00000000.sdmp, Accyaz.exe, 0000000A.00000002.568520309.0000000002A90000.00000004.00001000.00020000.00000000.sdmp, Accyaz.exe, 0000000A.00000002.568363012.0000000002A77000.00000004.00001000.00020000.00000000.sdmp, Accyaz.exe, 0000000C.00000002.594867926.0000000002B47000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.emerge.deDVarFileInfo$
Source: VoRTaSs6hl.exe, VoRTaSs6hl.exe, 00000000.00000003.354434187.0000000003BD8000.00000004.00001000.00020000.00000000.sdmp, VoRTaSs6hl.exe, 00000000.00000003.353954590.0000000003C18000.00000004.00001000.00020000.00000000.sdmp, VoRTaSs6hl.exe, 00000000.00000002.464462396.0000000004960000.00000004.00001000.00020000.00000000.sdmp, VoRTaSs6hl.exe, 00000000.00000003.356308137.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, VoRTaSs6hl.exe, 00000000.00000002.463020055.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp, VoRTaSs6hl.exe, 00000000.00000000.352653118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Accyaz.exe, Accyaz.exe, 0000000A.00000003.481556918.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Accyaz.exe, 0000000A.00000003.482284576.00000000029C8000.00000004.00001000.00020000.00000000.sdmp, Accyaz.exe, 0000000A.00000002.569127640.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.pregrad.net
Source: VoRTaSs6hl.exe, 00000000.00000003.354434187.0000000003BD8000.00000004.00001000.00020000.00000000.sdmp, VoRTaSs6hl.exe, 00000000.00000003.353954590.0000000003C18000.00000004.00001000.00020000.00000000.sdmp, VoRTaSs6hl.exe, 00000000.00000002.464462396.0000000004960000.00000004.00001000.00020000.00000000.sdmp, VoRTaSs6hl.exe, 00000000.00000003.356308137.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, VoRTaSs6hl.exe, 00000000.00000002.463020055.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp, VoRTaSs6hl.exe, 00000000.00000000.352653118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Accyaz.exe, 0000000A.00000003.481556918.00000000029D0000.00000004.00001000.00020000.00000000.sdmp, Accyaz.exe, 0000000A.00000003.482284576.00000000029C8000.00000004.00001000.00020000.00000000.sdmp, Accyaz.exe, 0000000A.00000002.569127640.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.pregrad.netopenU
Source: VoRTaSs6hl.exe, 00000000.00000002.460195306.0000000000843000.00000004.00000020.00020000.00000000.sdmp, Accyaz.exe, 0000000A.00000002.551089962.00000000008ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://onedrive.live.com/
Source: Accyaz.exe, 0000000A.00000002.551089962.00000000008ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://onedrive.live.com/F&resid=26943FEBC022618F%21144&authkey=AJQN0QmJX8uNcv8
Source: Accyaz.exe, 0000000A.00000002.551089962.00000000008ED000.00000004.00000020.00020000.00000000.sdmp, Accyaz.exe, 0000000A.00000002.556942864.0000000000960000.00000004.00000020.00020000.00000000.sdmp, Accyaz.exe, 0000000A.00000003.510739598.0000000000982000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://onedrive.live.com/download?cid=26943FEBC022618F&resid=26943FEBC022618F%21144&authkey=AJQN0Qm
Source: Accyaz.exe, 0000000A.00000002.551089962.00000000008ED000.00000004.00000020.00020000.00000000.sdmp, Accyaz.exe, 0000000A.00000003.510739598.0000000000982000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://qkvera.am.files.1drv.com/
Source: Accyaz.exe, 0000000A.00000003.510739598.0000000000982000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://qkvera.am.files.1drv.com/-
Source: VoRTaSs6hl.exe, 00000000.00000002.460700771.00000000008C1000.00000004.00000020.00020000.00000000.sdmp, VoRTaSs6hl.exe, 00000000.00000003.360774189.00000000008C2000.00000004.00000020.00020000.00000000.sdmp, VoRTaSs6hl.exe, 00000000.00000003.394865190.00000000008C2000.00000004.00000020.00020000.00000000.sdmp, Accyaz.exe, 0000000A.00000003.487521560.0000000000980000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://qkvera.am.files.1drv.com/o
Source: Accyaz.exe, 0000000A.00000002.551089962.00000000008ED000.00000004.00000020.00020000.00000000.sdmp, Accyaz.exe, 0000000A.00000003.490601183.0000000000993000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://qkvera.am.files.1drv.com/y4m6X9azireYGB5vWYP6H3S1U6wAPPTYdikVkLzvd_47vS0TaVf0JUb83MeKqofbXTM
Source: Accyaz.exe, 0000000A.00000003.487521560.0000000000980000.00000004.00000020.00020000.00000000.sdmp, Accyaz.exe, 0000000A.00000002.551089962.00000000008ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://qkvera.am.files.1drv.com/y4mEqsfDyLbLg_BIMCl3qtV1BiAL20N5mndyfdPbct9frsx0nho4awxehBKjGtDKXaa
Source: VoRTaSs6hl.exe, 00000000.00000002.460832671.00000000008E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://qkvera.am.files.1drv.com/y4mLYGL4YEm4ocBoTqKRIz5az3J9i9gOhnCysY8sBkYur2wf2ks5JFqfc2xANHxQguz
Source: VoRTaSs6hl.exe, 00000000.00000003.394988245.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, VoRTaSs6hl.exe, 00000000.00000002.460832671.00000000008E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://qkvera.am.files.1drv.com/y4mSvt4YTOQG3cAs7BCLAepDOee_scueByoo4ayz6ZeuIsZXBxphT6Goo2E7CuQUMVl
Source: VoRTaSs6hl.exe, 00000000.00000002.460407228.0000000000884000.00000004.00000020.00020000.00000000.sdmp, VoRTaSs6hl.exe, 00000000.00000003.360748552.00000000008A3000.00000004.00000020.00020000.00000000.sdmp, VoRTaSs6hl.exe, 00000000.00000003.360793891.00000000008E1000.00000004.00000020.00020000.00000000.sdmp, Accyaz.exe, 0000000A.00000003.488651644.000000000098E000.00000004.00000020.00020000.00000000.sdmp, Accyaz.exe, 0000000A.00000003.510806395.0000000000994000.00000004.00000020.00020000.00000000.sdmp, Accyaz.exe, 0000000A.00000003.510756515.0000000000986000.00000004.00000020.00020000.00000000.sdmp, Accyaz.exe, 0000000A.00000002.551089962.00000000008ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://qkvera.am.files.1drv.com/y4mp0J_hrjkY_ULP4q8yEN2WL9vZeBGm_IqLzlvV6rg6waLdlAGdzG0h00ZcMNpTPla
Source: unknown DNS traffic detected: queries for: onedrive.live.com
Source: global traffic HTTP traffic detected: GET /y4mA6YBAUOEcMgSRDQJ56K_UvKohvu8k_Y2-nVr27j9tNTSGtPV-P8bARuBZbALFxy7bbi34O90p78phUVUfHBWUah4IdDg38Lz87qrTVSfsdA61Bp2Yts3yrbJkuzUjF_S62vrADg1nIYrGUxMRnchNSwk7AjKhCGN_HMuiZy0rs3wzZsoNJPho0Kq-8TWHtDPMqjLBPW6zko3UHaL4HOXLw/Accyazbvbxqszzrfjnimerlsovywpte?download&psid=1 HTTP/1.1 User-Agent: lVali Host: qkvera.am.files.1drv.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /y4mcHjzZh6rwB7Ooj5k0et5AstN3nUJ__HvCrv1rh4l_DklMsBKRgBfJGblrKjPVJzKrXPiNdsjv--QNvwGIq0QVsgnQt4qRLAds0A5tb7o07ZkiBrOwdOeTXxcQs_8lJjPBJjhnHrOqCN-E5MlEWW8yXkE_Q7MTOD6HGoupzFeR9l2pazkmsTcKxZ3S0vQJCHXsOr9-7ud8pyeca6LHk4GmA/Accyazbvbxqszzrfjnimerlsovywpte?download&psid=1 HTTP/1.1 User-Agent: 67 Cache-Control: no-cache Host: qkvera.am.files.1drv.com Connection: Keep-Alive
Source: unknown HTTPS traffic detected: 13.107.43.12:443 -> 192.168.2.6:49808 version: TLS 1.2
Source: Accyaz.exe, 0000000A.00000002.550500312.00000000008BA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: Yara match File source: Process Memory Space: VoRTaSs6hl.exe PID: 5260, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Accyaz.exe PID: 4684, type: MEMORYSTR

E-Banking Fraud

Source: Yara match File source: 8.0.VoRTaSs6hl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.VoRTaSs6hl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000000.458115313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.467804722.000000007F850000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.458708043.000000007F7D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: VoRTaSs6hl.exe PID: 5260, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: VoRTaSs6hl.exe PID: 2308, type: MEMORYSTR

System Summary

Source: 8.0.VoRTaSs6hl.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 8.0.VoRTaSs6hl.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.0.VoRTaSs6hl.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.0.VoRTaSs6hl.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 8.0.VoRTaSs6hl.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.0.VoRTaSs6hl.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000008.00000000.458115313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 00000008.00000000.458115313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000008.00000000.458115313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000000.00000002.467804722.000000007F850000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000003.458708043.000000007F7D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: VoRTaSs6hl.exe PID: 5260, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: VoRTaSs6hl.exe PID: 2308, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: VoRTaSs6hl.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: 8.0.VoRTaSs6hl.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 8.0.VoRTaSs6hl.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.0.VoRTaSs6hl.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.0.VoRTaSs6hl.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 8.0.VoRTaSs6hl.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.0.VoRTaSs6hl.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000000.00000003.419705312.0000000004EDC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: 0000000C.00000003.580999865.0000000004F04000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: 00000008.00000000.458115313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 00000008.00000000.458115313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000008.00000000.458115313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000C.00000003.581199488.0000000004F04000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: 0000000C.00000003.580263947.0000000004F24000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: 00000000.00000003.419762416.0000000004F04000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: 0000000A.00000003.538665622.0000000004EDC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: 0000000C.00000003.580963468.0000000004EDC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: 00000000.00000003.421265288.0000000004EB4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: 0000000A.00000003.538496796.0000000004EB4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: 0000000C.00000003.580859204.0000000004F04000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: 0000000A.00000003.537712061.0000000004F24000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: 0000000C.00000003.580417015.0000000004EB4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: 00000000.00000003.418607850.0000000004EFF000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: 00000000.00000003.420017830.0000000004EB4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: 00000000.00000003.420887133.0000000004EB4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: 0000000C.00000003.580316852.0000000004EB4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: 00000000.00000003.419639825.0000000004EB4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: 00000000.00000003.420471494.0000000004F04000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: 00000000.00000003.421419481.0000000004F04000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: 00000000.00000003.418872999.0000000004EB4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: 0000000C.00000003.581044865.0000000004EB4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: 0000000C.00000003.581079211.0000000004EDC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: 0000000A.00000003.538459007.0000000004F04000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: 0000000A.00000003.538422764.0000000004EDC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: 00000000.00000003.421009905.0000000004F04000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: 0000000C.00000003.580653277.0000000004F04000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: 0000000A.00000003.537748466.0000000004EB4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: 00000000.00000003.420404834.0000000004EDC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: 0000000A.00000003.538397344.0000000004EB4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: 0000000A.00000003.538739349.0000000004F04000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: 00000000.00000003.420750862.0000000004EDC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: 00000000.00000003.418684559.0000000004EFF000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: 0000000A.00000003.537845109.0000000004EB4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: 0000000A.00000003.538621513.0000000004F04000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: 00000000.00000003.418652293.0000000004ED8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: 00000000.00000003.421291230.0000000004EDC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: 0000000C.00000003.581161132.0000000004EDC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: 00000000.00000003.420692670.0000000004EB4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: 0000000C.00000003.580162776.0000000004ED9000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: 0000000C.00000003.581124040.0000000004F04000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: 0000000C.00000003.580197984.0000000004ED8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: 00000000.00000002.467804722.000000007F850000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000A.00000003.537639611.0000000004ED8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: 00000000.00000003.418713419.0000000004F24000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: 00000000.00000003.420971778.0000000004EDC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: 00000000.00000003.420775485.0000000004F04000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: 00000000.00000003.458708043.000000007F7D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000A.00000003.538105093.0000000004F04000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: 0000000A.00000003.538570037.0000000004EDC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: 0000000A.00000003.538327621.0000000004F04000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: 00000000.00000003.420274641.0000000004EB4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: 0000000A.00000003.537551715.0000000004ED9000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: 00000000.00000003.419212427.0000000004EB4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: 0000000C.00000003.580934873.0000000004EB4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: Process Memory Space: VoRTaSs6hl.exe PID: 5260, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: VoRTaSs6hl.exe PID: 2308, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\Public\Libraries\zayccA.url, type: DROPPED Matched rule: Methodology_Shortcut_HotKey author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: C:\Users\Public\Libraries\zayccA.url, type: DROPPED Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: C:\Users\user\Desktop\VoRTaSs6hl.exe Code function: 0_3_03C3088D
Source: C:\Users\user\Desktop\VoRTaSs6hl.exe Code function: 0_3_03BDFB5C
Source: C:\Users\user\Desktop\VoRTaSs6hl.exe Code function: 0_3_03BD88E3
Source: C:\Users\user\Desktop\VoRTaSs6hl.exe Code function: 0_3_03BDFAE2
Source: C:\Users\user\Desktop\VoRTaSs6hl.exe Code function: 0_3_03BD8214
Source: C:\Users\Public\Libraries\Accyaz.exe Code function: 10_3_029D1B8F
Source: C:\Users\Public\Libraries\Accyaz.exe Code function: 10_3_02A208C1
Source: C:\Users\Public\Libraries\Accyaz.exe Code function: 10_3_029CFB90
Source: C:\Users\Public\Libraries\Accyaz.exe Code function: 10_3_029CFB16
Source: C:\Users\Public\Libraries\Accyaz.exe Code function: 10_3_029C8917
Source: C:\Users\Public\Libraries\Accyaz.exe Code function: 10_3_029C8248
Source: VoRTaSs6hl.exe Static PE information: Resource name: RT_STRING type: COM executable for DOS
Source: Accyaz.exe.0.dr Static PE information: Resource name: RT_STRING type: COM executable for DOS
Source: VoRTaSs6hl.exe Binary or memory string: OriginalFilename vs VoRTaSs6hl.exe
Source: VoRTaSs6hl.exe, 00000000.00000003.353954590.0000000003C18000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePaintDotNet.exe4 vs VoRTaSs6hl.exe
Source: VoRTaSs6hl.exe, 00000000.00000003.353954590.0000000003C18000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename`@ vs VoRTaSs6hl.exe
Source: VoRTaSs6hl.exe, 00000000.00000002.462906317.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePaintDotNet.exe4 vs VoRTaSs6hl.exe
Source: VoRTaSs6hl.exe, 00000000.00000002.462906317.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename`@ vs VoRTaSs6hl.exe
Source: VoRTaSs6hl.exe, 00000000.00000003.450427149.00000000054B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePaintDotNet.exe4 vs VoRTaSs6hl.exe
Source: VoRTaSs6hl.exe, 00000000.00000003.450427149.00000000054B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename`@ vs VoRTaSs6hl.exe
Source: VoRTaSs6hl.exe, 00000000.00000003.356308137.0000000004A60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePaintDotNet.exe4 vs VoRTaSs6hl.exe
Source: VoRTaSs6hl.exe, 00000000.00000003.356308137.0000000004A60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename`@ vs VoRTaSs6hl.exe
Source: VoRTaSs6hl.exe, 00000000.00000003.353448049.0000000002374000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCOMCTL32.DLL.MUIj% vs VoRTaSs6hl.exe
Source: VoRTaSs6hl.exe, 00000000.00000002.465214747.0000000004A40000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePaintDotNet.exe4 vs VoRTaSs6hl.exe
Source: VoRTaSs6hl.exe, 00000000.00000002.465214747.0000000004A40000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename`@ vs VoRTaSs6hl.exe
Source: VoRTaSs6hl.exe, 00000000.00000002.463020055.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePaintDotNet.exe4 vs VoRTaSs6hl.exe
Source: VoRTaSs6hl.exe, 00000000.00000002.463020055.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename`@ vs VoRTaSs6hl.exe
Source: VoRTaSs6hl.exe, 00000000.00000003.354456277.0000000003C87000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePaintDotNet.exe4 vs VoRTaSs6hl.exe
Source: VoRTaSs6hl.exe, 00000000.00000003.354456277.0000000003C87000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename`@ vs VoRTaSs6hl.exe
Source: VoRTaSs6hl.exe, 00000000.00000000.352894484.00000000004AC000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamePaintDotNet.exe4 vs VoRTaSs6hl.exe
Source: VoRTaSs6hl.exe, 00000000.00000000.352894484.00000000004AC000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename`@ vs VoRTaSs6hl.exe
Source: VoRTaSs6hl.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: VoRTaSs6hl.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Accyaz.exe.0.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Accyaz.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\VoRTaSs6hl.exe Section loaded: system.dll
Source: C:\Users\user\Desktop\VoRTaSs6hl.exe Section loaded: ahadmin.dll
Source: C:\Users\user\Desktop\VoRTaSs6hl.exe Section loaded: racertmgr.dll
Source: C:\Users\Public\Libraries\Accyaz.exe Section loaded: system.dll
Source: C:\Users\Public\Libraries\Accyaz.exe Section loaded: ahadmin.dll
Source: C:\Users\Public\Libraries\Accyaz.exe Section loaded: racertmgr.dll
Source: VoRTaSs6hl.exe Virustotal: Detection: 57%
Source: VoRTaSs6hl.exe Metadefender: Detection: 40%
Source: VoRTaSs6hl.exe ReversingLabs: Detection: 80%
Source: C:\Users\user\Desktop\VoRTaSs6hl.exe File read: C:\Users\user\Desktop\VoRTaSs6hl.exe
Source: C:\Users\user\Desktop\VoRTaSs6hl.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\VoRTaSs6hl.exe "C:\Users\user\Desktop\VoRTaSs6hl.exe"
Source: C:\Users\user\Desktop\VoRTaSs6hl.exe Process created: C:\Users\user\Desktop\VoRTaSs6hl.exe C:\Users\user\Desktop\VoRTaSs6hl.exe
Source: unknown Process created: C:\Users\Public\Libraries\Accyaz.exe "C:\Users\Public\Libraries\Accyaz.exe"
Source: C:\Users\Public\Libraries\Accyaz.exe Process created: C:\Users\Public\Libraries\Accyaz.exe C:\Users\Public\Libraries\Accyaz.exe
Source: C:\Users\user\Desktop\VoRTaSs6hl.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B091E540-83E3-11CF-A713-0020AFD79762}\InProcServer32
Source: C:\Users\user\Desktop\VoRTaSs6hl.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\Accyazbvbxqszzrfjnimerlsovywpte[1]
Source: classification engine Classification label: mal100.troj.expl.evad.winEXE@9/6@39/3
Source: C:\Users\user\Desktop\VoRTaSs6hl.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Accyaz.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\VoRTaSs6hl.exe Mutant created: \Sessions\1\BaseNamedObjects\Remcos-HPUD4T
Source: C:\Users\user\Desktop\VoRTaSs6hl.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\Public\Libraries\Accyaz.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected

Data Obfuscation

barindex
Source: Yara match File source: VoRTaSs6hl.exe, type: SAMPLE
Source: Yara match File source: 0.0.VoRTaSs6hl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.461214489.0000000002370000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.563398012.0000000002350000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.569127640.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.352653118.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.463020055.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\Public\Libraries\Accyaz.exe, type: DROPPED
Source: C:\Users\user\Desktop\VoRTaSs6hl.exe Code function: 0_3_03C2FE71 push 004A0C11h; ret 0_3_03C30122
Source: C:\Users\user\Desktop\VoRTaSs6hl.exe Code function: 0_3_03C32DC5 push 004A38D2h; ret 0_3_03C32DE3
Source: C:\Users\user\Desktop\VoRTaSs6hl.exe Code function: 0_3_03C32D81 push 004A38A0h; ret 0_3_03C32DB1
Source: C:\Users\user\Desktop\VoRTaSs6hl.exe Code function: 0_3_03C309A1 push 004A14B3h; ret 0_3_03C309C4
Source: C:\Users\user\Desktop\VoRTaSs6hl.exe Code function: 0_3_03C32D09 push 004A3816h; ret 0_3_03C32D27
Source: C:\Users\user\Desktop\VoRTaSs6hl.exe Code function: 0_3_03C32D35 push 004A385Eh; ret 0_3_03C32D6F
Source: C:\Users\user\Desktop\VoRTaSs6hl.exe Code function: 0_3_03BDAD8B push 004A385Eh; ret 0_3_03BDADC5
Source: C:\Users\user\Desktop\VoRTaSs6hl.exe Code function: 0_3_03BD89F7 push 004A14B3h; ret 0_3_03BD8A1A
Source: C:\Users\user\Desktop\VoRTaSs6hl.exe Code function: 0_3_03BDADD7 push 004A38A0h; ret 0_3_03BDAE07
Source: C:\Users\user\Desktop\VoRTaSs6hl.exe Code function: 0_3_03BDAD5F push 004A3816h; ret 0_3_03BDAD7D
Source: C:\Users\user\Desktop\VoRTaSs6hl.exe Code function: 0_3_03BDAF43 push 380043CAh; retf 0043h 0_3_03BDAF48
Source: C:\Users\user\Desktop\VoRTaSs6hl.exe Code function: 0_3_03BDAE1B push 004A38D2h; ret 0_3_03BDAE39
Source: C:\Users\user\Desktop\VoRTaSs6hl.exe Code function: 0_3_03BD8000 push 004A0C11h; ret 0_3_03BD8178
Source: C:\Users\user\Desktop\VoRTaSs6hl.exe Code function: 0_3_04A5CC6C push edi; ret 0_3_04A5CC6E
Source: C:\Users\Public\Libraries\Accyaz.exe Code function: 10_3_02A1FEA5 push 004A0C11h; ret 10_3_02A20156
Source: C:\Users\Public\Libraries\Accyaz.exe Code function: 10_3_02A22DB5 push 004A38A0h; ret 10_3_02A22DE5
Source: C:\Users\Public\Libraries\Accyaz.exe Code function: 10_3_02A22D3D push 004A3816h; ret 10_3_02A22D5B
Source: C:\Users\Public\Libraries\Accyaz.exe Code function: 10_3_02A22D69 push 004A385Eh; ret 10_3_02A22DA3
Source: C:\Users\Public\Libraries\Accyaz.exe Code function: 10_3_02A22DF9 push 004A38D2h; ret 10_3_02A22E17
Source: C:\Users\Public\Libraries\Accyaz.exe Code function: 10_3_02A209D5 push 004A14B3h; ret 10_3_02A209F8
Source: C:\Users\Public\Libraries\Accyaz.exe Code function: 10_3_029CAD93 push 004A3816h; ret 10_3_029CADB1
Source: C:\Users\Public\Libraries\Accyaz.exe Code function: 10_3_029CADBF push 004A385Eh; ret 10_3_029CADF9
Source: C:\Users\Public\Libraries\Accyaz.exe Code function: 10_3_029CAE0B push 004A38A0h; ret 10_3_029CAE3B
Source: C:\Users\Public\Libraries\Accyaz.exe Code function: 10_3_029C8000 push 004A0C11h; ret 10_3_029C81AC
Source: C:\Users\Public\Libraries\Accyaz.exe Code function: 10_3_029C8A2B push 004A14B3h; ret 10_3_029C8A4E
Source: C:\Users\user\Desktop\VoRTaSs6hl.exe File created: C:\Users\Public\Libraries\Accyaz.exe
Source: C:\Users\user\Desktop\VoRTaSs6hl.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Accyaz
Source: C:\Users\user\Desktop\VoRTaSs6hl.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VoRTaSs6hl.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Accyaz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: VoRTaSs6hl.exe, 00000000.00000002.460448607.0000000000888000.00000004.00000020.00020000.00000000.sdmp, VoRTaSs6hl.exe, 00000000.00000002.460195306.0000000000843000.00000004.00000020.00020000.00000000.sdmp, Accyaz.exe, 0000000A.00000002.557399261.000000000096E000.00000004.00000020.00020000.00000000.sdmp, Accyaz.exe, 0000000A.00000002.551089962.00000000008ED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\VoRTaSs6hl.exe Memory written: C:\Users\user\Desktop\VoRTaSs6hl.exe base: 400000 value starts with: 4D5A
Source: C:\Users\Public\Libraries\Accyaz.exe Memory written: C:\Users\Public\Libraries\Accyaz.exe base: 400000 value starts with: 4D5A
Source: C:\Users\Public\Libraries\Accyaz.exe Memory written: C:\Users\Public\Libraries\Accyaz.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\VoRTaSs6hl.exe Process created: C:\Users\user\Desktop\VoRTaSs6hl.exe C:\Users\user\Desktop\VoRTaSs6hl.exe
Source: C:\Users\Public\Libraries\Accyaz.exe Process created: C:\Users\Public\Libraries\Accyaz.exe C:\Users\Public\Libraries\Accyaz.exe
Source: C:\Users\Public\Libraries\Accyaz.exe Process created: C:\Users\Public\Libraries\Accyaz.exe C:\Users\Public\Libraries\Accyaz.exe
Source: C:\Users\Public\Libraries\Accyaz.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 8.0.VoRTaSs6hl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.VoRTaSs6hl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000000.458115313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.467804722.000000007F850000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.458708043.000000007F7D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: VoRTaSs6hl.exe PID: 5260, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: VoRTaSs6hl.exe PID: 2308, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 8.0.VoRTaSs6hl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.VoRTaSs6hl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000000.458115313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.467804722.000000007F850000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.458708043.000000007F7D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: VoRTaSs6hl.exe PID: 5260, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: VoRTaSs6hl.exe PID: 2308, type: MEMORYSTR