Windows Analysis Report
7056ZCiFdE.exe

Overview

General Information

Sample name:	7056ZCiFdE.exe renamed because original name is a hash value
Original sample name:	6f0604f8a16b94b61d714dfec11d0358.exe
Analysis ID:	1570884
MD5:	6f0604f8a16b94b61d714dfec11d0358
SHA1:	558828c2ead68ea5883655299a3f0bfad1981ae5
SHA256:	28331e2705bf58bd76a9f8ba0f0a431b762eaf6e4284dbf12f1453dd3fecf281
Tags:	exeuser-abuse_ch
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)

Detected Remcos RAT

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Sigma detected: Remcos

Suricata IDS alerts for network traffic

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Delayed program exit found

Drops VBS files to the startup folder

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: WScript or CScript Dropper

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to execute programs as a different user

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Signatures

AV Detection

Found malware configuration

Source: 00000004.00000002.1920045593.0000000001948000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": ["192.210.150.26:8787:0"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-R1T905", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": ""}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Virustotal: Detection: 66%			Perma Link

Multi AV Scanner detection for submitted file

Source: 7056ZCiFdE.exe	ReversingLabs: Detection: 55%
Source: 7056ZCiFdE.exe	Virustotal: Detection: 66%			Perma Link

Yara detected Remcos RAT

Source: Yara match	File source: 4.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Allene.exe.3920000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Allene.exe.3920000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Allene.exe.18b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Allene.exe.18b0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.4155512160.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1920045593.0000000001948000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4156569703.00000000012B3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1919987718.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1919363155.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4156176304.0000000001058000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4157121061.0000000003DDE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4157009146.0000000003920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4156339648.00000000010FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Allene.exe PID: 7132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Allene.exe PID: 2872, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.5% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 7056ZCiFdE.exe

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe

Code function: 1_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

1_2_0043293A

Source: Allene.exe

Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 4.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Allene.exe.3920000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Allene.exe.3920000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Allene.exe.18b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Allene.exe.18b0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.4155512160.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1919987718.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1919363155.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4157009146.0000000003920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Allene.exe PID: 7132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Allene.exe PID: 2872, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe

Code function: 1_2_00406764 _wcslen,CoGetObject,

1_2_00406764

Uses 32bit PE files

Source: 7056ZCiFdE.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008E445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_008E445A
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008EC6D1 FindFirstFileW,FindClose,	0_2_008EC6D1
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008EC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_008EC75C
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008EEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_008EEF95
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008EF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_008EF0F2
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008EF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_008EF3F3
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008E37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_008E37EF
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008E3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_008E3B12
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008EBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_008EBCBC
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	1_2_0040B335
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	1_2_0041B42F
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	1_2_0040B53A
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	1_2_004089A9
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00406AC2 FindFirstFileW,FindNextFileW,	1_2_00406AC2
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	1_2_00407A8C
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,	1_2_00418C69
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	1_2_00408DA7
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0063445A GetFileAttributesW,FindFirstFileW,FindClose,	1_2_0063445A
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0063C6D1 FindFirstFileW,FindClose,	1_2_0063C6D1
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0063C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	1_2_0063C75C
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0063EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0063EF95
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0063F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0063F0F2
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0063F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_0063F3F3
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_006337EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_006337EF
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00633B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_00633B12
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0063BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_0063BCBC

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe

Code function: 1_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

1_2_00406F06

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49730 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49736 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49746 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49747 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49733 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49750 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49744 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49745 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49743 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49731 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49742 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49766 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49749 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49772 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49789 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49752 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49748 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49823 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49760 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49800 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49806 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49829 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49839 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49862 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49751 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49732 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49740 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49869 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49879 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49885 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49783 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49845 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49813 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49895 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49902 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49909 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49925 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49947 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49931 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49918 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49953 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49940 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49973 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49991 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49997 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49986 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49968 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49855 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50019 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50025 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49961 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49978 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50045 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50032 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50067 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50052 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50065 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50064 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50077 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50063 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50078 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50072 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50003 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50061 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50084 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50083 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50070 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50075 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50060 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50038 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50086 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50071 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50087 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50088 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50089 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50062 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50079 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50068 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50073 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50080 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50012 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50082 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50081 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50066 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50069 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50074 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50076 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50085 -> 192.210.150.26:8787

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

IPs: 192.210.150.26

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 192.210.150.26 192.210.150.26

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Code function: 0_2_008F22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_008F22EE

Source: Allene.exe	String found in binary or memory: http://geoplugin.net/json.gp
Source: Allene.exe, 00000001.00000002.4155512160.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Allene.exe, 00000001.00000002.4157009146.0000000003920000.00000004.00001000.00020000.00000000.sdmp, Allene.exe, 00000004.00000002.1919987718.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, Allene.exe, 00000004.00000002.1919363155.0000000000400000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe

Code function: 1_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000

1_2_004099E4

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Code function: 0_2_008F4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_008F4164

Contains functionality to modify clipboard data

Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008F4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	0_2_008F4164
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	1_2_004159C6
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00644164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	1_2_00644164

Contains functionality to read the clipboard data

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Code function: 0_2_008F3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_008F3F66

Contains functionality to retrieve information about pressed keystrokes

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Code function: 0_2_008E001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_008E001C

Potential key logger detected (key state polling based)

Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_0090CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		0_2_0090CABC
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0065CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		1_2_0065CABC

Yara detected Keylogger Generic

Source: Yara match	File source: 4.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Allene.exe.3920000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Allene.exe.3920000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Allene.exe.18b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Allene.exe.18b0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.4155512160.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1919987718.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1919363155.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4157009146.0000000003920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Allene.exe PID: 7132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Allene.exe PID: 2872, type: MEMORYSTR

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 4.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Allene.exe.3920000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Allene.exe.3920000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Allene.exe.18b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Allene.exe.18b0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.4155512160.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1920045593.0000000001948000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4156569703.00000000012B3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1919987718.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1919363155.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4156176304.0000000001058000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4157121061.0000000003DDE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4157009146.0000000003920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4156339648.00000000010FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Allene.exe PID: 7132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Allene.exe PID: 2872, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0041BB71 SystemParametersInfoW,		1_2_0041BB71
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0041BB77 SystemParametersInfoW,		1_2_0041BB77

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 4.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 4.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 4.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 4.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 4.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1.2.Allene.exe.3920000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 1.2.Allene.exe.3920000.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 1.2.Allene.exe.3920000.2.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1.2.Allene.exe.3920000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 1.2.Allene.exe.3920000.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 1.2.Allene.exe.3920000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 4.2.Allene.exe.18b0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 4.2.Allene.exe.18b0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 4.2.Allene.exe.18b0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 1.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 1.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 4.2.Allene.exe.18b0000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 4.2.Allene.exe.18b0000.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 4.2.Allene.exe.18b0000.2.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 1.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 1.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000001.00000002.4155512160.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000001.00000002.4155512160.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000001.00000002.4155512160.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000004.00000002.1919987718.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000004.00000002.1919987718.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000004.00000002.1919987718.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000004.00000002.1919363155.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000004.00000002.1919363155.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000004.00000002.1919363155.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000001.00000002.4157009146.0000000003920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000001.00000002.4157009146.0000000003920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000001.00000002.4157009146.0000000003920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: Allene.exe PID: 7132, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: Allene.exe PID: 2872, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00883B3A
Source: 7056ZCiFdE.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 7056ZCiFdE.exe, 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_5802f912-5
Source: 7056ZCiFdE.exe, 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_e5fa5dba-5
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: This is a third-party compiled AutoIt script.	1_2_005D3B3A
Source: Allene.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Allene.exe, 00000001.00000002.4155616853.0000000000684000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_3654c9d2-4
Source: Allene.exe, 00000001.00000002.4155616853.0000000000684000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_6f9caac4-8
Source: Allene.exe, 00000004.00000002.1919469392.0000000000684000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_64b6de13-5
Source: Allene.exe, 00000004.00000002.1919469392.0000000000684000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_880d2325-c

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Abnormal high CPU Usage

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe

Process Stats: CPU usage > 49%

Contains functionality to call native functions

Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_00883633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,	0_2_00883633
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_0090C1AC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,	0_2_0090C1AC
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_0090C498 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,	0_2_0090C498
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_0090C5FE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	0_2_0090C5FE
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_0090C57D SendMessageW,NtdllDialogWndProc_W,	0_2_0090C57D
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_0090C88F NtdllDialogWndProc_W,	0_2_0090C88F
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_0090C8BE NtdllDialogWndProc_W,	0_2_0090C8BE
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_0090C860 NtdllDialogWndProc_W,	0_2_0090C860
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_0090C909 NtdllDialogWndProc_W,	0_2_0090C909
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_0090C93E ClientToScreen,NtdllDialogWndProc_W,	0_2_0090C93E
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_0090CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	0_2_0090CABC
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_0090CA7C GetWindowLongW,NtdllDialogWndProc_W,	0_2_0090CA7C
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_00881287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,745EC8D0,NtdllDialogWndProc_W,	0_2_00881287
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_00881290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,	0_2_00881290
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_0090D3B8 NtdllDialogWndProc_W,	0_2_0090D3B8
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_0090D43E GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,	0_2_0090D43E
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008816B5 NtdllDialogWndProc_W,	0_2_008816B5
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008816DE GetParent,NtdllDialogWndProc_W,	0_2_008816DE
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_0088167D NtdllDialogWndProc_W,	0_2_0088167D
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_0090D78C NtdllDialogWndProc_W,	0_2_0090D78C
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_0088189B NtdllDialogWndProc_W,	0_2_0088189B
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_0090BC5D NtdllDialogWndProc_W,CallWindowProcW,	0_2_0090BC5D
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_0090BF8C ReleaseCapture,ChrCmpIA,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,	0_2_0090BF8C
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_0090BF30 NtdllDialogWndProc_W,	0_2_0090BF30
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0041CA9E NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA,	1_2_0041CA9E
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0041ACC1 OpenProcess,NtSuspendProcess,CloseHandle,	1_2_0041ACC1
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0041ACED OpenProcess,NtResumeProcess,CloseHandle,	1_2_0041ACED
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005D3633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,	1_2_005D3633
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0065C1AC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,	1_2_0065C1AC
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0065C498 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,	1_2_0065C498
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0065C57D SendMessageW,NtdllDialogWndProc_W,	1_2_0065C57D
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0065C5FE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	1_2_0065C5FE
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0065C860 NtdllDialogWndProc_W,	1_2_0065C860
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0065C8BE NtdllDialogWndProc_W,	1_2_0065C8BE
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0065C88F NtdllDialogWndProc_W,	1_2_0065C88F
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0065C93E ClientToScreen,NtdllDialogWndProc_W,	1_2_0065C93E
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0065C909 NtdllDialogWndProc_W,	1_2_0065C909
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0065CA7C GetWindowLongW,NtdllDialogWndProc_W,	1_2_0065CA7C
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0065CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	1_2_0065CABC
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005D1290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,	1_2_005D1290
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005D1287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,745EC8D0,NtdllDialogWndProc_W,	1_2_005D1287
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0065D3B8 NtdllDialogWndProc_W,	1_2_0065D3B8
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0065D43E GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,	1_2_0065D43E
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005D167D NtdllDialogWndProc_W,	1_2_005D167D
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005D16DE GetParent,NtdllDialogWndProc_W,	1_2_005D16DE
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005D16B5 NtdllDialogWndProc_W,	1_2_005D16B5
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0065D78C NtdllDialogWndProc_W,	1_2_0065D78C
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005D189B NtdllDialogWndProc_W,	1_2_005D189B
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0065BC5D NtdllDialogWndProc_W,CallWindowProcW,	1_2_0065BC5D
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0065BF30 NtdllDialogWndProc_W,	1_2_0065BF30
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0065BF8C ReleaseCapture,ChrCmpIA,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,	1_2_0065BF8C

Contains functionality to communicate with device drivers

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Code function: 0_2_008EA1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_008EA1EF

Contains functionality to launch a process as a different user

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Code function: 0_2_008D8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,74AF5590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,

0_2_008D8310

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008E51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	0_2_008E51BD
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress,	1_2_004158B9
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_006351BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	1_2_006351BD

Detected potential crypto function

Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_0088E6A0	0_2_0088E6A0
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008AD975	0_2_008AD975
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_0088FCE0	0_2_0088FCE0
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008A21C5	0_2_008A21C5
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008B62D2	0_2_008B62D2
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_009003DA	0_2_009003DA
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008B242E	0_2_008B242E
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008A25FA	0_2_008A25FA
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008966E1	0_2_008966E1
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008DE616	0_2_008DE616
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008B878F	0_2_008B878F
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008E8889	0_2_008E8889
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_00898808	0_2_00898808
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_00900857	0_2_00900857
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008B6844	0_2_008B6844
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008ACB21	0_2_008ACB21
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008B6DB6	0_2_008B6DB6
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_00896F9E	0_2_00896F9E
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_00893030	0_2_00893030
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008A3187	0_2_008A3187
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008AF1D9	0_2_008AF1D9
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_00881287	0_2_00881287
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008A1484	0_2_008A1484
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_00895520	0_2_00895520
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008A7696	0_2_008A7696
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_00895760	0_2_00895760
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008A1978	0_2_008A1978
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008B9AB5	0_2_008B9AB5
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008A1D90	0_2_008A1D90
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008ABDA6	0_2_008ABDA6
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_00907DDB	0_2_00907DDB
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_00893FE0	0_2_00893FE0
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_0088DF00	0_2_0088DF00
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_015FBF30	0_2_015FBF30
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0041D071	1_2_0041D071
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_004520D2	1_2_004520D2
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0043D098	1_2_0043D098
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00437150	1_2_00437150
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_004361AA	1_2_004361AA
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00426254	1_2_00426254
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0043651C	1_2_0043651C
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0044C739	1_2_0044C739
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_004367C6	1_2_004367C6
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_004267CB	1_2_004267CB
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0043C9DD	1_2_0043C9DD
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00432A49	1_2_00432A49
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00436A8D	1_2_00436A8D
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0043CC0C	1_2_0043CC0C
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00436D48	1_2_00436D48
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00434D22	1_2_00434D22
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00426E73	1_2_00426E73
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00440E20	1_2_00440E20
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0043CE3B	1_2_0043CE3B
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00412F45	1_2_00412F45
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00452F00	1_2_00452F00
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00426FAD	1_2_00426FAD
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005DE6A0	1_2_005DE6A0
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005FD975	1_2_005FD975
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005DFCE0	1_2_005DFCE0
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005F21C5	1_2_005F21C5
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_006062D2	1_2_006062D2
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_006503DA	1_2_006503DA
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0060242E	1_2_0060242E
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005F25FA	1_2_005F25FA
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0062E616	1_2_0062E616
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005E66E1	1_2_005E66E1
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0060878F	1_2_0060878F
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00606844	1_2_00606844
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00650857	1_2_00650857
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005E8808	1_2_005E8808
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00638889	1_2_00638889
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005FCB21	1_2_005FCB21
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00606DB6	1_2_00606DB6
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005E6F9E	1_2_005E6F9E
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005E3030	1_2_005E3030
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005FF1D9	1_2_005FF1D9
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005F3187	1_2_005F3187
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005D1287	1_2_005D1287
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005F1484	1_2_005F1484
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005E5520	1_2_005E5520
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005F7696	1_2_005F7696
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005E5760	1_2_005E5760
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005F1978	1_2_005F1978
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00609AB5	1_2_00609AB5
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00657DDB	1_2_00657DDB
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005F1D90	1_2_005F1D90
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005FBDA6	1_2_005FBDA6
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005DDF00	1_2_005DDF00
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005E3FE0	1_2_005E3FE0
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_010FBE90	1_2_010FBE90

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: String function: 00887DE1 appears 35 times
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: String function: 008A0AE3 appears 70 times
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: String function: 008A8900 appears 42 times
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: String function: 004020E7 appears 40 times
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: String function: 005F0AE3 appears 70 times
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: String function: 005D7DE1 appears 36 times
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: String function: 00401F66 appears 50 times
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: String function: 005F8900 appears 42 times
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: String function: 004338A5 appears 41 times
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: String function: 00433FB0 appears 55 times

Uses 32bit PE files

Source: 7056ZCiFdE.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Yara signature match

Source: 4.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 4.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 4.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.2.Allene.exe.3920000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 1.2.Allene.exe.3920000.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.2.Allene.exe.3920000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.2.Allene.exe.3920000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 1.2.Allene.exe.3920000.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.2.Allene.exe.3920000.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.2.Allene.exe.18b0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 4.2.Allene.exe.18b0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.2.Allene.exe.18b0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 1.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.2.Allene.exe.18b0000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 4.2.Allene.exe.18b0000.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.2.Allene.exe.18b0000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 1.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000001.00000002.4155512160.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000001.00000002.4155512160.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000001.00000002.4155512160.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000004.00000002.1919987718.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000004.00000002.1919987718.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000004.00000002.1919987718.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000004.00000002.1919363155.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000004.00000002.1919363155.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000004.00000002.1919363155.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000001.00000002.4157009146.0000000003920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000001.00000002.4157009146.0000000003920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000001.00000002.4157009146.0000000003920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: Allene.exe PID: 7132, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: Allene.exe PID: 2872, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@6/7@0/1

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Code function: 0_2_008EA06A GetLastError,FormatMessageW,

0_2_008EA06A

Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008D81CB AdjustTokenPrivileges,CloseHandle,	0_2_008D81CB
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008D87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_008D87E1
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	1_2_00416AB7
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_006281CB AdjustTokenPrivileges,CloseHandle,	1_2_006281CB
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_006287E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	1_2_006287E1

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Code function: 0_2_008EB3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_008EB3FB

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Code function: 0_2_008FEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_008FEE0D

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Code function: 0_2_008EC397 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_008EC397

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Code function: 0_2_00884E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00884E89

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe

Code function: 1_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

1_2_00419BC4

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

File created: C:\Users\user\AppData\Local\Milburr

Jump to behavior

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe

Mutant created: \Sessions\1\BaseNamedObjects\Rmc-R1T905

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

File created: C:\Users\user\AppData\Local\Temp\autE914.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Allene.vbs"

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 7056ZCiFdE.exe	ReversingLabs: Detection: 55%
Source: 7056ZCiFdE.exe	Virustotal: Detection: 66%

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

File read: C:\Users\user\Desktop\7056ZCiFdE.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\7056ZCiFdE.exe "C:\Users\user\Desktop\7056ZCiFdE.exe"
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Process created: C:\Users\user\AppData\Local\Milburr\Allene.exe "C:\Users\user\Desktop\7056ZCiFdE.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Allene.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Milburr\Allene.exe "C:\Users\user\AppData\Local\Milburr\Allene.exe"
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Process created: C:\Users\user\AppData\Local\Milburr\Allene.exe "C:\Users\user\Desktop\7056ZCiFdE.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Milburr\Allene.exe "C:\Users\user\AppData\Local\Milburr\Allene.exe"	Jump to behavior

Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Code function: 0_2_009D9A50 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

0_2_009D9A50

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008E848F push FFFFFF8Bh; iretd	0_2_008E8491
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008AE70F push edi; ret	0_2_008AE711
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008AE828 push esi; ret	0_2_008AE82A
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008A8945 push ecx; ret	0_2_008A8958
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008AEAEC push edi; ret	0_2_008AEAEE
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008AEA03 push esi; ret	0_2_008AEA05
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_004567E0 push eax; ret	1_2_004567FE
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00455EAF push ecx; ret	1_2_00455EC2
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00433FF6 push ecx; ret	1_2_00434009
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005DC4C6 push A3005DBAh; retn 005Dh	1_2_005DC50D
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0063848F push FFFFFF8Bh; iretd	1_2_00638491
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005FE70F push edi; ret	1_2_005FE711
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005FE828 push esi; ret	1_2_005FE82A
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005F8945 push ecx; ret	1_2_005F8958
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005FEA03 push esi; ret	1_2_005FEA05
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005FEAEC push edi; ret	1_2_005FEAEE
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005D2F12 push es; retf	1_2_005D2F13

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Contains functionality to download and launch executables

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe

Code function: 1_2_00406128 ShellExecuteW,URLDownloadToFileW,

1_2_00406128

Drops PE files

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

File created: C:\Users\user\AppData\Local\Milburr\Allene.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Allene.vbs

Jump to dropped file

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Allene.vbs

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Allene.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe

Code function: 1_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

1_2_00419BC4

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008848D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_008848D7
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_00905376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_00905376
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005D48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	1_2_005D48D7
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00655376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	1_2_00655376

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Code function: 0_2_008A3187 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_008A3187

Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Delayed program exit found

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe

Code function: 1_2_0040E54F Sleep,ExitProcess,

1_2_0040E54F

Contains functionality to enumerate running services

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

1_2_004198C2

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Window / User API: threadDelayed 9431			Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Window / User API: foregroundWindowGot 1745			Jump to behavior

Found evasive API chain (date check)

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\7056ZCiFdE.exe	API coverage: 4.8 %
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	API coverage: 6.3 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe TID: 6180	Thread sleep count: 189 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe TID: 6180	Thread sleep time: -94500s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe TID: 6324	Thread sleep count: 73 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe TID: 6324	Thread sleep time: -219000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe TID: 6324	Thread sleep count: 9431 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe TID: 6324	Thread sleep time: -28293000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008E445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_008E445A
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008EC6D1 FindFirstFileW,FindClose,	0_2_008EC6D1
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008EC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_008EC75C
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008EEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_008EEF95
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008EF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_008EF0F2
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008EF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_008EF3F3
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008E37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_008E37EF
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008E3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_008E3B12
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008EBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_008EBCBC
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	1_2_0040B335
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	1_2_0041B42F
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	1_2_0040B53A
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	1_2_004089A9
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00406AC2 FindFirstFileW,FindNextFileW,	1_2_00406AC2
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	1_2_00407A8C
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,	1_2_00418C69
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	1_2_00408DA7
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0063445A GetFileAttributesW,FindFirstFileW,FindClose,	1_2_0063445A
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0063C6D1 FindFirstFileW,FindClose,	1_2_0063C6D1
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0063C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	1_2_0063C75C
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0063EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0063EF95
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0063F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0063F0F2
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0063F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_0063F3F3
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_006337EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_006337EF
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00633B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_00633B12
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0063BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_0063BCBC

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe

Code function: 1_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

1_2_00406F06

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Code function: 0_2_008849A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008849A0

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior

Source: wscript.exe, 00000003.00000002.1879008239.000002A92EFA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000003.00000002.1879008239.000002A92EFA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}%
Source: wscript.exe, 00000003.00000002.1879008239.000002A92EFA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Allene.exe, 00000001.00000002.4156569703.00000000012B3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\7056ZCiFdE.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	API call chain: ExitProcess graph end node

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Code function: 0_2_008F3F09 BlockInput,

0_2_008F3F09

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Code function: 0_2_00883B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00883B3A

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Code function: 0_2_008B5A7C RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,

0_2_008B5A7C

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Code function: 0_2_009D9A50 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

0_2_009D9A50

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_015FA75E mov eax, dword ptr fs:[00000030h]	0_2_015FA75E
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_015FA770 mov eax, dword ptr fs:[00000030h]	0_2_015FA770
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_015FBDC0 mov eax, dword ptr fs:[00000030h]	0_2_015FBDC0
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_015FBE20 mov eax, dword ptr fs:[00000030h]	0_2_015FBE20
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00442554 mov eax, dword ptr fs:[00000030h]	1_2_00442554
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_010FA6BE mov eax, dword ptr fs:[00000030h]	1_2_010FA6BE
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_010FA6D0 mov eax, dword ptr fs:[00000030h]	1_2_010FA6D0
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_010FBD20 mov eax, dword ptr fs:[00000030h]	1_2_010FBD20
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_010FBD80 mov eax, dword ptr fs:[00000030h]	1_2_010FBD80

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Code function: 0_2_008D80A9 GetTokenInformation,GetLastError,GetProcessHeap,RtlAllocateHeap,GetTokenInformation,

0_2_008D80A9

Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008AA124 SetUnhandledExceptionFilter,	0_2_008AA124
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008AA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_008AA155
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00434168
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_0043A65D
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00433B44
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00433CD7 SetUnhandledExceptionFilter,	1_2_00433CD7
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005FA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_005FA155
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005FA124 SetUnhandledExceptionFilter,	1_2_005FA124

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe

Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe

1_2_00410F36

Contains functionality to execute programs as a different user

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Code function: 0_2_008D87B1 LogonUserW,

0_2_008D87B1

Contains functionality to launch a program with higher privileges

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Code function: 0_2_00883B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00883B3A

Contains functionality to simulate keystroke presses

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Code function: 0_2_008848D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_008848D7

Contains functionality to simulate mouse events

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Code function: 0_2_008E4C27 mouse_event,

0_2_008E4C27

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\wscript.exe

Process created: C:\Users\user\AppData\Local\Milburr\Allene.exe "C:\Users\user\AppData\Local\Milburr\Allene.exe"

Jump to behavior

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Code function: 0_2_008D7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_008D7CAF

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Code function: 0_2_008D874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_008D874B

Source: 7056ZCiFdE.exe, 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp, Allene.exe, 00000001.00000002.4155616853.0000000000684000.00000040.00000001.01000000.00000004.sdmp, Allene.exe, 00000004.00000002.1919469392.0000000000684000.00000040.00000001.01000000.00000004.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Allene.exe, 00000001.00000002.4156339648.00000000010FD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager0.26:8787
Source: Allene.exe, 00000001.00000002.4156569703.000000000121A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: 7056ZCiFdE.exe, Allene.exe	Binary or memory string: Shell_TrayWnd
Source: Allene.exe, 00000001.00000002.4156339648.00000000010FD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager05\
Source: Allene.exe, 00000001.00000002.4156339648.00000000010FD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager0.26
Source: Allene.exe, 00000001.00000002.4156339648.00000000010FD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manageres\|
Source: Allene.exe, 00000001.00000002.4156569703.00000000012B3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager0006689P
Source: Allene.exe, 00000001.00000002.4156569703.000000000121A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerv
Source: Allene.exe, 00000001.00000002.4156339648.00000000010FD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager05\7GB
Source: Allene.exe, 00000001.00000002.4156569703.00000000012B3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|
Source: Allene.exe, 00000001.00000002.4156176304.0000000001058000.00000004.00000020.00020000.00000000.sdmp, logs.dat.1.dr	Binary or memory string: [Program Manager]

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Code function: 0_2_008A862B cpuid

0_2_008A862B

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: EnumSystemLocalesW,	1_2_004470AE
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: GetLocaleInfoW,	1_2_004510BA
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	1_2_004511E3
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: GetLocaleInfoW,	1_2_004512EA
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	1_2_004513B7
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: GetLocaleInfoW,	1_2_00447597
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: GetLocaleInfoA,	1_2_0040E679
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	1_2_00450A7F
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: EnumSystemLocalesW,	1_2_00450CF7
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: EnumSystemLocalesW,	1_2_00450D42
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: EnumSystemLocalesW,	1_2_00450DDD
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	1_2_00450E6A

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Code function: 0_2_008B4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_008B4E87

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Code function: 0_2_008C1E06 GetUserNameW,

0_2_008C1E06

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Code function: 0_2_008B3F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_008B3F3A

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Code function: 0_2_008849A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008849A0

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 4.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Allene.exe.3920000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Allene.exe.3920000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Allene.exe.18b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Allene.exe.18b0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.4155512160.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1920045593.0000000001948000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4156569703.00000000012B3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1919987718.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1919363155.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4156176304.0000000001058000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4157121061.0000000003DDE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4157009146.0000000003920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4156339648.00000000010FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Allene.exe PID: 7132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Allene.exe PID: 2872, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Contains functionality to steal Chrome passwords or cookies

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

1_2_0040B21B

Contains functionality to steal Firefox passwords or cookies

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		1_2_0040B335
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: \key3.db		1_2_0040B335

OS version to string mapping found (often used in BOTs)

Source: Allene.exe	Binary or memory string: WIN_81
Source: Allene.exe	Binary or memory string: WIN_XP
Source: Allene.exe	Binary or memory string: WIN_XPe
Source: Allene.exe	Binary or memory string: WIN_VISTA
Source: Allene.exe	Binary or memory string: WIN_7
Source: Allene.exe	Binary or memory string: WIN_8
Source: Allene.exe, 00000004.00000002.1919469392.0000000000684000.00000040.00000001.01000000.00000004.sdmp	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Detected Remcos RAT

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-R1T905			Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-R1T905			Jump to behavior

Yara detected Remcos RAT

Source: Yara match	File source: 4.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Allene.exe.3920000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Allene.exe.3920000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Allene.exe.18b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Allene.exe.18b0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.4155512160.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1920045593.0000000001948000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4156569703.00000000012B3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1919987718.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1919363155.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4156176304.0000000001058000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4157121061.0000000003DDE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4157009146.0000000003920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4156339648.00000000010FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Allene.exe PID: 7132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Allene.exe PID: 2872, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Contains functionality to launch a control a shell (cmd.exe)

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe

Code function: cmd.exe

1_2_00405042

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008F6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	0_2_008F6283
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008F6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_008F6747
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00646283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	1_2_00646283
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00646747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	1_2_00646747

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
192.210.150.26	unknown	United States		36352	AS-COLOCROSSINGUS	true

AV Detection

Found malware configuration

Source: 00000004.00000002.1920045593.0000000001948000.00000004.00000020.00020000.00000000.sdmp

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Virustotal: Detection: 66%			Perma Link

Multi AV Scanner detection for submitted file

Source: 7056ZCiFdE.exe	ReversingLabs: Detection: 55%
Source: 7056ZCiFdE.exe	Virustotal: Detection: 66%			Perma Link

Yara detected Remcos RAT

Source: Yara match	File source: 4.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Allene.exe.3920000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Allene.exe.3920000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Allene.exe.18b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Allene.exe.18b0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.4155512160.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1920045593.0000000001948000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4156569703.00000000012B3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1919987718.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1919363155.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4156176304.0000000001058000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4157121061.0000000003DDE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4157009146.0000000003920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4156339648.00000000010FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Allene.exe PID: 7132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Allene.exe PID: 2872, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.5% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 7056ZCiFdE.exe

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe

Code function: 1_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

1_2_0043293A

Source: Allene.exe

Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 4.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Allene.exe.3920000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Allene.exe.3920000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Allene.exe.18b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Allene.exe.18b0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.4155512160.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1919987718.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1919363155.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4157009146.0000000003920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Allene.exe PID: 7132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Allene.exe PID: 2872, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe

Code function: 1_2_00406764 _wcslen,CoGetObject,

1_2_00406764

Uses 32bit PE files

Source: 7056ZCiFdE.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008E445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_008E445A
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008EC6D1 FindFirstFileW,FindClose,	0_2_008EC6D1
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008EC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_008EC75C
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008EEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_008EEF95
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008EF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_008EF0F2
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008EF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_008EF3F3
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008E37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_008E37EF
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008E3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_008E3B12
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008EBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_008EBCBC
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	1_2_0040B335
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	1_2_0041B42F
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	1_2_0040B53A
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	1_2_004089A9
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00406AC2 FindFirstFileW,FindNextFileW,	1_2_00406AC2
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	1_2_00407A8C
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,	1_2_00418C69
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	1_2_00408DA7
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0063445A GetFileAttributesW,FindFirstFileW,FindClose,	1_2_0063445A
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0063C6D1 FindFirstFileW,FindClose,	1_2_0063C6D1
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0063C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	1_2_0063C75C
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0063EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0063EF95
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0063F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0063F0F2
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0063F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_0063F3F3
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_006337EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_006337EF
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00633B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_00633B12
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0063BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_0063BCBC

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe

Code function: 1_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

1_2_00406F06

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49730 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49736 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49746 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49747 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49733 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49750 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49744 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49745 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49743 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49731 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49742 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49766 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49749 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49772 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49789 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49752 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49748 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49823 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49760 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49800 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49806 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49829 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49839 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49862 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49751 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49732 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49740 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49869 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49879 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49885 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49783 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49845 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49813 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49895 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49902 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49909 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49925 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49947 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49931 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49918 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49953 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49940 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49973 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49991 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49997 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49986 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49968 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49855 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50019 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50025 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49961 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49978 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50045 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50032 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50067 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50052 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50065 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50064 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50077 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50063 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50078 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50072 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50003 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50061 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50084 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50083 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50070 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50075 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50060 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50038 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50086 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50071 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50087 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50088 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50089 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50062 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50079 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50068 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50073 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50080 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50012 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50082 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50081 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50066 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50069 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50074 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50076 -> 192.210.150.26:8787
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50085 -> 192.210.150.26:8787

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

IPs: 192.210.150.26

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 192.210.150.26 192.210.150.26

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Code function: 0_2_008F22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_008F22EE

Source: Allene.exe	String found in binary or memory: http://geoplugin.net/json.gp
Source: Allene.exe, 00000001.00000002.4155512160.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Allene.exe, 00000001.00000002.4157009146.0000000003920000.00000004.00001000.00020000.00000000.sdmp, Allene.exe, 00000004.00000002.1919987718.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, Allene.exe, 00000004.00000002.1919363155.0000000000400000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe

Code function: 1_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000

1_2_004099E4

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Code function: 0_2_008F4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_008F4164

Contains functionality to modify clipboard data

Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008F4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	0_2_008F4164
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	1_2_004159C6
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00644164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	1_2_00644164

Contains functionality to read the clipboard data

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

0_2_008F3F66

Contains functionality to retrieve information about pressed keystrokes

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

0_2_008E001C

Potential key logger detected (key state polling based)

Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_0090CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		0_2_0090CABC
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0065CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		1_2_0065CABC

Yara detected Keylogger Generic

Source: Yara match	File source: 4.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Allene.exe.3920000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Allene.exe.3920000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Allene.exe.18b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Allene.exe.18b0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.4155512160.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1919987718.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1919363155.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4157009146.0000000003920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Allene.exe PID: 7132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Allene.exe PID: 2872, type: MEMORYSTR

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 4.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Allene.exe.3920000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Allene.exe.3920000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Allene.exe.18b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Allene.exe.18b0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.4155512160.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1920045593.0000000001948000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4156569703.00000000012B3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1919987718.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1919363155.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4156176304.0000000001058000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4157121061.0000000003DDE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4157009146.0000000003920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4156339648.00000000010FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Allene.exe PID: 7132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Allene.exe PID: 2872, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0041BB71 SystemParametersInfoW,		1_2_0041BB71
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0041BB77 SystemParametersInfoW,		1_2_0041BB77

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 4.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 4.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 4.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 4.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 4.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1.2.Allene.exe.3920000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 1.2.Allene.exe.3920000.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 1.2.Allene.exe.3920000.2.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1.2.Allene.exe.3920000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 1.2.Allene.exe.3920000.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 1.2.Allene.exe.3920000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 4.2.Allene.exe.18b0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 4.2.Allene.exe.18b0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 4.2.Allene.exe.18b0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 1.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 1.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 4.2.Allene.exe.18b0000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 4.2.Allene.exe.18b0000.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 4.2.Allene.exe.18b0000.2.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 1.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 1.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000001.00000002.4155512160.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000001.00000002.4155512160.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000001.00000002.4155512160.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000004.00000002.1919987718.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000004.00000002.1919987718.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000004.00000002.1919987718.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000004.00000002.1919363155.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000004.00000002.1919363155.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000004.00000002.1919363155.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000001.00000002.4157009146.0000000003920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000001.00000002.4157009146.0000000003920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000001.00000002.4157009146.0000000003920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: Allene.exe PID: 7132, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: Allene.exe PID: 2872, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00883B3A
Source: 7056ZCiFdE.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 7056ZCiFdE.exe, 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_5802f912-5
Source: 7056ZCiFdE.exe, 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_e5fa5dba-5
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: This is a third-party compiled AutoIt script.	1_2_005D3B3A
Source: Allene.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Allene.exe, 00000001.00000002.4155616853.0000000000684000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_3654c9d2-4
Source: Allene.exe, 00000001.00000002.4155616853.0000000000684000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_6f9caac4-8
Source: Allene.exe, 00000004.00000002.1919469392.0000000000684000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_64b6de13-5
Source: Allene.exe, 00000004.00000002.1919469392.0000000000684000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_880d2325-c

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Abnormal high CPU Usage

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe

Process Stats: CPU usage > 49%

Contains functionality to call native functions

Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_00883633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,	0_2_00883633
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_0090C1AC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,	0_2_0090C1AC
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_0090C498 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,	0_2_0090C498
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_0090C5FE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	0_2_0090C5FE
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_0090C57D SendMessageW,NtdllDialogWndProc_W,	0_2_0090C57D
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_0090C88F NtdllDialogWndProc_W,	0_2_0090C88F
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_0090C8BE NtdllDialogWndProc_W,	0_2_0090C8BE
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_0090C860 NtdllDialogWndProc_W,	0_2_0090C860
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_0090C909 NtdllDialogWndProc_W,	0_2_0090C909
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_0090C93E ClientToScreen,NtdllDialogWndProc_W,	0_2_0090C93E
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_0090CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	0_2_0090CABC
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_0090CA7C GetWindowLongW,NtdllDialogWndProc_W,	0_2_0090CA7C
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_00881287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,745EC8D0,NtdllDialogWndProc_W,	0_2_00881287
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_00881290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,	0_2_00881290
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_0090D3B8 NtdllDialogWndProc_W,	0_2_0090D3B8
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_0090D43E GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,	0_2_0090D43E
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008816B5 NtdllDialogWndProc_W,	0_2_008816B5
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008816DE GetParent,NtdllDialogWndProc_W,	0_2_008816DE
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_0088167D NtdllDialogWndProc_W,	0_2_0088167D
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_0090D78C NtdllDialogWndProc_W,	0_2_0090D78C
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_0088189B NtdllDialogWndProc_W,	0_2_0088189B
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_0090BC5D NtdllDialogWndProc_W,CallWindowProcW,	0_2_0090BC5D
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_0090BF8C ReleaseCapture,ChrCmpIA,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,	0_2_0090BF8C
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_0090BF30 NtdllDialogWndProc_W,	0_2_0090BF30
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0041CA9E NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA,	1_2_0041CA9E
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0041ACC1 OpenProcess,NtSuspendProcess,CloseHandle,	1_2_0041ACC1
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0041ACED OpenProcess,NtResumeProcess,CloseHandle,	1_2_0041ACED
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005D3633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,	1_2_005D3633
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0065C1AC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,	1_2_0065C1AC
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0065C498 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,	1_2_0065C498
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0065C57D SendMessageW,NtdllDialogWndProc_W,	1_2_0065C57D
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0065C5FE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	1_2_0065C5FE
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0065C860 NtdllDialogWndProc_W,	1_2_0065C860
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0065C8BE NtdllDialogWndProc_W,	1_2_0065C8BE
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0065C88F NtdllDialogWndProc_W,	1_2_0065C88F
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0065C93E ClientToScreen,NtdllDialogWndProc_W,	1_2_0065C93E
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0065C909 NtdllDialogWndProc_W,	1_2_0065C909
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0065CA7C GetWindowLongW,NtdllDialogWndProc_W,	1_2_0065CA7C
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0065CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	1_2_0065CABC
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005D1290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,	1_2_005D1290
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005D1287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,745EC8D0,NtdllDialogWndProc_W,	1_2_005D1287
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0065D3B8 NtdllDialogWndProc_W,	1_2_0065D3B8
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0065D43E GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,	1_2_0065D43E
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005D167D NtdllDialogWndProc_W,	1_2_005D167D
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005D16DE GetParent,NtdllDialogWndProc_W,	1_2_005D16DE
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005D16B5 NtdllDialogWndProc_W,	1_2_005D16B5
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0065D78C NtdllDialogWndProc_W,	1_2_0065D78C
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005D189B NtdllDialogWndProc_W,	1_2_005D189B
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0065BC5D NtdllDialogWndProc_W,CallWindowProcW,	1_2_0065BC5D
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0065BF30 NtdllDialogWndProc_W,	1_2_0065BF30
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0065BF8C ReleaseCapture,ChrCmpIA,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,	1_2_0065BF8C

Contains functionality to communicate with device drivers

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Code function: 0_2_008EA1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_008EA1EF

Contains functionality to launch a process as a different user

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

0_2_008D8310

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008E51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	0_2_008E51BD
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress,	1_2_004158B9
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_006351BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	1_2_006351BD

Detected potential crypto function

Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_0088E6A0	0_2_0088E6A0
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008AD975	0_2_008AD975
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_0088FCE0	0_2_0088FCE0
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008A21C5	0_2_008A21C5
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008B62D2	0_2_008B62D2
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_009003DA	0_2_009003DA
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008B242E	0_2_008B242E
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008A25FA	0_2_008A25FA
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008966E1	0_2_008966E1
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008DE616	0_2_008DE616
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008B878F	0_2_008B878F
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008E8889	0_2_008E8889
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_00898808	0_2_00898808
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_00900857	0_2_00900857
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008B6844	0_2_008B6844
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008ACB21	0_2_008ACB21
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008B6DB6	0_2_008B6DB6
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_00896F9E	0_2_00896F9E
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_00893030	0_2_00893030
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008A3187	0_2_008A3187
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008AF1D9	0_2_008AF1D9
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_00881287	0_2_00881287
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008A1484	0_2_008A1484
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_00895520	0_2_00895520
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008A7696	0_2_008A7696
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_00895760	0_2_00895760
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008A1978	0_2_008A1978
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008B9AB5	0_2_008B9AB5
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008A1D90	0_2_008A1D90
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008ABDA6	0_2_008ABDA6
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_00907DDB	0_2_00907DDB
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_00893FE0	0_2_00893FE0
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_0088DF00	0_2_0088DF00
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_015FBF30	0_2_015FBF30
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0041D071	1_2_0041D071
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_004520D2	1_2_004520D2
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0043D098	1_2_0043D098
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00437150	1_2_00437150
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_004361AA	1_2_004361AA
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00426254	1_2_00426254
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0043651C	1_2_0043651C
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0044C739	1_2_0044C739
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_004367C6	1_2_004367C6
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_004267CB	1_2_004267CB
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0043C9DD	1_2_0043C9DD
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00432A49	1_2_00432A49
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00436A8D	1_2_00436A8D
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0043CC0C	1_2_0043CC0C
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00436D48	1_2_00436D48
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00434D22	1_2_00434D22
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00426E73	1_2_00426E73
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00440E20	1_2_00440E20
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0043CE3B	1_2_0043CE3B
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00412F45	1_2_00412F45
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00452F00	1_2_00452F00
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00426FAD	1_2_00426FAD
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005DE6A0	1_2_005DE6A0
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005FD975	1_2_005FD975
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005DFCE0	1_2_005DFCE0
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005F21C5	1_2_005F21C5
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_006062D2	1_2_006062D2
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_006503DA	1_2_006503DA
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0060242E	1_2_0060242E
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005F25FA	1_2_005F25FA
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0062E616	1_2_0062E616
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005E66E1	1_2_005E66E1
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0060878F	1_2_0060878F
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00606844	1_2_00606844
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00650857	1_2_00650857
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005E8808	1_2_005E8808
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00638889	1_2_00638889
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005FCB21	1_2_005FCB21
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00606DB6	1_2_00606DB6
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005E6F9E	1_2_005E6F9E
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005E3030	1_2_005E3030
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005FF1D9	1_2_005FF1D9
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005F3187	1_2_005F3187
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005D1287	1_2_005D1287
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005F1484	1_2_005F1484
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005E5520	1_2_005E5520
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005F7696	1_2_005F7696
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005E5760	1_2_005E5760
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005F1978	1_2_005F1978
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00609AB5	1_2_00609AB5
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00657DDB	1_2_00657DDB
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005F1D90	1_2_005F1D90
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005FBDA6	1_2_005FBDA6
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005DDF00	1_2_005DDF00
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005E3FE0	1_2_005E3FE0
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_010FBE90	1_2_010FBE90

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: String function: 00887DE1 appears 35 times
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: String function: 008A0AE3 appears 70 times
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: String function: 008A8900 appears 42 times
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: String function: 004020E7 appears 40 times
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: String function: 005F0AE3 appears 70 times
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: String function: 005D7DE1 appears 36 times
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: String function: 00401F66 appears 50 times
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: String function: 005F8900 appears 42 times
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: String function: 004338A5 appears 41 times
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: String function: 00433FB0 appears 55 times

Uses 32bit PE files

Source: 7056ZCiFdE.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Yara signature match

Source: 4.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 4.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 4.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.2.Allene.exe.3920000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 1.2.Allene.exe.3920000.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.2.Allene.exe.3920000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.2.Allene.exe.3920000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 1.2.Allene.exe.3920000.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.2.Allene.exe.3920000.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.2.Allene.exe.18b0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 4.2.Allene.exe.18b0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.2.Allene.exe.18b0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 1.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.2.Allene.exe.18b0000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 4.2.Allene.exe.18b0000.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.2.Allene.exe.18b0000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 1.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000001.00000002.4155512160.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000001.00000002.4155512160.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000001.00000002.4155512160.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000004.00000002.1919987718.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000004.00000002.1919987718.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000004.00000002.1919987718.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000004.00000002.1919363155.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000004.00000002.1919363155.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000004.00000002.1919363155.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000001.00000002.4157009146.0000000003920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000001.00000002.4157009146.0000000003920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000001.00000002.4157009146.0000000003920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: Allene.exe PID: 7132, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: Allene.exe PID: 2872, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@6/7@0/1

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Code function: 0_2_008EA06A GetLastError,FormatMessageW,

0_2_008EA06A

Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008D81CB AdjustTokenPrivileges,CloseHandle,	0_2_008D81CB
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008D87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_008D87E1
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	1_2_00416AB7
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_006281CB AdjustTokenPrivileges,CloseHandle,	1_2_006281CB
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_006287E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	1_2_006287E1

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Code function: 0_2_008EB3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_008EB3FB

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Code function: 0_2_008FEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_008FEE0D

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Code function: 0_2_008EC397 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_008EC397

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Code function: 0_2_00884E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00884E89

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe

Code function: 1_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

1_2_00419BC4

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

File created: C:\Users\user\AppData\Local\Milburr

Jump to behavior

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe

Mutant created: \Sessions\1\BaseNamedObjects\Rmc-R1T905

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

File created: C:\Users\user\AppData\Local\Temp\autE914.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Allene.vbs"

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 7056ZCiFdE.exe	ReversingLabs: Detection: 55%
Source: 7056ZCiFdE.exe	Virustotal: Detection: 66%

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

File read: C:\Users\user\Desktop\7056ZCiFdE.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\7056ZCiFdE.exe "C:\Users\user\Desktop\7056ZCiFdE.exe"
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Process created: C:\Users\user\AppData\Local\Milburr\Allene.exe "C:\Users\user\Desktop\7056ZCiFdE.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Allene.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Milburr\Allene.exe "C:\Users\user\AppData\Local\Milburr\Allene.exe"
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Process created: C:\Users\user\AppData\Local\Milburr\Allene.exe "C:\Users\user\Desktop\7056ZCiFdE.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Milburr\Allene.exe "C:\Users\user\AppData\Local\Milburr\Allene.exe"	Jump to behavior

Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Code function: 0_2_009D9A50 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

0_2_009D9A50

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008E848F push FFFFFF8Bh; iretd	0_2_008E8491
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008AE70F push edi; ret	0_2_008AE711
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008AE828 push esi; ret	0_2_008AE82A
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008A8945 push ecx; ret	0_2_008A8958
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008AEAEC push edi; ret	0_2_008AEAEE
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008AEA03 push esi; ret	0_2_008AEA05
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_004567E0 push eax; ret	1_2_004567FE
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00455EAF push ecx; ret	1_2_00455EC2
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00433FF6 push ecx; ret	1_2_00434009
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005DC4C6 push A3005DBAh; retn 005Dh	1_2_005DC50D
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0063848F push FFFFFF8Bh; iretd	1_2_00638491
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005FE70F push edi; ret	1_2_005FE711
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005FE828 push esi; ret	1_2_005FE82A
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005F8945 push ecx; ret	1_2_005F8958
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005FEA03 push esi; ret	1_2_005FEA05
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005FEAEC push edi; ret	1_2_005FEAEE
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005D2F12 push es; retf	1_2_005D2F13

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Contains functionality to download and launch executables

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe

Code function: 1_2_00406128 ShellExecuteW,URLDownloadToFileW,

1_2_00406128

Drops PE files

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

File created: C:\Users\user\AppData\Local\Milburr\Allene.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Allene.vbs

Jump to dropped file

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Allene.vbs

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Allene.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe

Code function: 1_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

1_2_00419BC4

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008848D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_008848D7
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_00905376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_00905376
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005D48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	1_2_005D48D7
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00655376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	1_2_00655376

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

0_2_008A3187

Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Delayed program exit found

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe

Code function: 1_2_0040E54F Sleep,ExitProcess,

1_2_0040E54F

Contains functionality to enumerate running services

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

1_2_004198C2

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Window / User API: threadDelayed 9431			Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Window / User API: foregroundWindowGot 1745			Jump to behavior

Found evasive API chain (date check)

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\7056ZCiFdE.exe	API coverage: 4.8 %
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	API coverage: 6.3 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe TID: 6180	Thread sleep count: 189 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe TID: 6180	Thread sleep time: -94500s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe TID: 6324	Thread sleep count: 73 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe TID: 6324	Thread sleep time: -219000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe TID: 6324	Thread sleep count: 9431 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe TID: 6324	Thread sleep time: -28293000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008E445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_008E445A
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008EC6D1 FindFirstFileW,FindClose,	0_2_008EC6D1
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008EC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_008EC75C
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008EEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_008EEF95
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008EF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_008EF0F2
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008EF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_008EF3F3
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008E37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_008E37EF
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008E3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_008E3B12
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008EBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_008EBCBC
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	1_2_0040B335
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	1_2_0041B42F
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	1_2_0040B53A
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	1_2_004089A9
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00406AC2 FindFirstFileW,FindNextFileW,	1_2_00406AC2
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	1_2_00407A8C
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,	1_2_00418C69
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	1_2_00408DA7
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0063445A GetFileAttributesW,FindFirstFileW,FindClose,	1_2_0063445A
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0063C6D1 FindFirstFileW,FindClose,	1_2_0063C6D1
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0063C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	1_2_0063C75C
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0063EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0063EF95
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0063F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0063F0F2
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0063F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_0063F3F3
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_006337EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_006337EF
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00633B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_00633B12
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0063BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_0063BCBC

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe

Code function: 1_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

1_2_00406F06

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Code function: 0_2_008849A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008849A0

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior

Source: wscript.exe, 00000003.00000002.1879008239.000002A92EFA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000003.00000002.1879008239.000002A92EFA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}%
Source: wscript.exe, 00000003.00000002.1879008239.000002A92EFA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Allene.exe, 00000001.00000002.4156569703.00000000012B3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\7056ZCiFdE.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	API call chain: ExitProcess graph end node

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Code function: 0_2_008F3F09 BlockInput,

0_2_008F3F09

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Code function: 0_2_00883B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00883B3A

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

0_2_008B5A7C

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Code function: 0_2_009D9A50 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

0_2_009D9A50

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_015FA75E mov eax, dword ptr fs:[00000030h]	0_2_015FA75E
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_015FA770 mov eax, dword ptr fs:[00000030h]	0_2_015FA770
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_015FBDC0 mov eax, dword ptr fs:[00000030h]	0_2_015FBDC0
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_015FBE20 mov eax, dword ptr fs:[00000030h]	0_2_015FBE20
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00442554 mov eax, dword ptr fs:[00000030h]	1_2_00442554
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_010FA6BE mov eax, dword ptr fs:[00000030h]	1_2_010FA6BE
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_010FA6D0 mov eax, dword ptr fs:[00000030h]	1_2_010FA6D0
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_010FBD20 mov eax, dword ptr fs:[00000030h]	1_2_010FBD20
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_010FBD80 mov eax, dword ptr fs:[00000030h]	1_2_010FBD80

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Code function: 0_2_008D80A9 GetTokenInformation,GetLastError,GetProcessHeap,RtlAllocateHeap,GetTokenInformation,

0_2_008D80A9

Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008AA124 SetUnhandledExceptionFilter,	0_2_008AA124
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008AA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_008AA155
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00434168
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_0043A65D
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00433B44
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00433CD7 SetUnhandledExceptionFilter,	1_2_00433CD7
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005FA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_005FA155
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_005FA124 SetUnhandledExceptionFilter,	1_2_005FA124

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe

Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe

1_2_00410F36

Contains functionality to execute programs as a different user

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Code function: 0_2_008D87B1 LogonUserW,

0_2_008D87B1

Contains functionality to launch a program with higher privileges

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Code function: 0_2_00883B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00883B3A

Contains functionality to simulate keystroke presses

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

0_2_008848D7

Contains functionality to simulate mouse events

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Code function: 0_2_008E4C27 mouse_event,

0_2_008E4C27

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\wscript.exe

Process created: C:\Users\user\AppData\Local\Milburr\Allene.exe "C:\Users\user\AppData\Local\Milburr\Allene.exe"

Jump to behavior

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

0_2_008D7CAF

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Code function: 0_2_008D874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_008D874B

Source: 7056ZCiFdE.exe, 00000000.00000002.1732158041.0000000000934000.00000040.00000001.01000000.00000003.sdmp, Allene.exe, 00000001.00000002.4155616853.0000000000684000.00000040.00000001.01000000.00000004.sdmp, Allene.exe, 00000004.00000002.1919469392.0000000000684000.00000040.00000001.01000000.00000004.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Allene.exe, 00000001.00000002.4156339648.00000000010FD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager0.26:8787
Source: Allene.exe, 00000001.00000002.4156569703.000000000121A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: 7056ZCiFdE.exe, Allene.exe	Binary or memory string: Shell_TrayWnd
Source: Allene.exe, 00000001.00000002.4156339648.00000000010FD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager05\
Source: Allene.exe, 00000001.00000002.4156339648.00000000010FD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager0.26
Source: Allene.exe, 00000001.00000002.4156339648.00000000010FD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manageres\|
Source: Allene.exe, 00000001.00000002.4156569703.00000000012B3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager0006689P
Source: Allene.exe, 00000001.00000002.4156569703.000000000121A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerv
Source: Allene.exe, 00000001.00000002.4156339648.00000000010FD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager05\7GB
Source: Allene.exe, 00000001.00000002.4156569703.00000000012B3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|
Source: Allene.exe, 00000001.00000002.4156176304.0000000001058000.00000004.00000020.00020000.00000000.sdmp, logs.dat.1.dr	Binary or memory string: [Program Manager]

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Code function: 0_2_008A862B cpuid

0_2_008A862B

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: EnumSystemLocalesW,	1_2_004470AE
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: GetLocaleInfoW,	1_2_004510BA
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	1_2_004511E3
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: GetLocaleInfoW,	1_2_004512EA
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	1_2_004513B7
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: GetLocaleInfoW,	1_2_00447597
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: GetLocaleInfoA,	1_2_0040E679
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	1_2_00450A7F
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: EnumSystemLocalesW,	1_2_00450CF7
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: EnumSystemLocalesW,	1_2_00450D42
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: EnumSystemLocalesW,	1_2_00450DDD
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	1_2_00450E6A

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Code function: 0_2_008B4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_008B4E87

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Code function: 0_2_008C1E06 GetUserNameW,

0_2_008C1E06

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Code function: 0_2_008B3F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_008B3F3A

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Code function: 0_2_008849A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008849A0

Source: C:\Users\user\Desktop\7056ZCiFdE.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 4.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Allene.exe.3920000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Allene.exe.3920000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Allene.exe.18b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Allene.exe.18b0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.4155512160.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1920045593.0000000001948000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4156569703.00000000012B3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1919987718.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1919363155.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4156176304.0000000001058000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4157121061.0000000003DDE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4157009146.0000000003920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4156339648.00000000010FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Allene.exe PID: 7132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Allene.exe PID: 2872, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Contains functionality to steal Chrome passwords or cookies

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

1_2_0040B21B

Contains functionality to steal Firefox passwords or cookies

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		1_2_0040B335
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: \key3.db		1_2_0040B335

OS version to string mapping found (often used in BOTs)

Source: Allene.exe	Binary or memory string: WIN_81
Source: Allene.exe	Binary or memory string: WIN_XP
Source: Allene.exe	Binary or memory string: WIN_XPe
Source: Allene.exe	Binary or memory string: WIN_VISTA
Source: Allene.exe	Binary or memory string: WIN_7
Source: Allene.exe	Binary or memory string: WIN_8
Source: Allene.exe, 00000004.00000002.1919469392.0000000000684000.00000040.00000001.01000000.00000004.sdmp	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Detected Remcos RAT

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-R1T905			Jump to behavior
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-R1T905			Jump to behavior

Yara detected Remcos RAT

Source: Yara match	File source: 4.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Allene.exe.3920000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Allene.exe.3920000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Allene.exe.18b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Allene.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Allene.exe.18b0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Allene.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.4155512160.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1920045593.0000000001948000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4156569703.00000000012B3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1919987718.00000000018B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1919363155.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4156176304.0000000001058000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4157121061.0000000003DDE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4157009146.0000000003920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4156339648.00000000010FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Allene.exe PID: 7132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Allene.exe PID: 2872, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Contains functionality to launch a control a shell (cmd.exe)

Source: C:\Users\user\AppData\Local\Milburr\Allene.exe

Code function: cmd.exe

1_2_00405042

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008F6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	0_2_008F6283
Source: C:\Users\user\Desktop\7056ZCiFdE.exe	Code function: 0_2_008F6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_008F6747
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00646283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	1_2_00646283
Source: C:\Users\user\AppData\Local\Milburr\Allene.exe	Code function: 1_2_00646747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	1_2_00646747

ID:	1570884
Product:	CloudBasic
Start time:	09:30:25
Start date:	08.12.2024
Sample:	7056ZCiFdE.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	6f0604f8a16b94b61d714dfec11d0358
SHA1:	558828c2ead68ea5883655299a3f0bfad1981ae5
SHA256:	28331e2705bf58bd76a9f8ba0f0a431b762eaf6e4284dbf12f1453dd3fecf281
Filetype:	Win32 Executable (generic) a (10002005/4) 99.39%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\remcos\logs.dat	data	CB176B70DAA2CC265D36380D483E945F	CDA860866DC427EF3FD6BF09234812931D8470AD	309E1CA9340FF21BF92AB0216B9C6E45B4F61A43CA5A4EF636A508CE56D423D4
C:\Users\user\AppData\Local\Milburr\Allene.exe	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed	6F0604F8A16B94B61D714DFEC11D0358	558828C2EAD68EA5883655299A3F0BFAD1981AE5	28331E2705BF58BD76A9F8BA0F0A431B762EAF6E4284DBF12F1453DD3FECF281
C:\Users\user\AppData\Local\Temp\Anglophile	data	3CB6ABD40FBA1EDDD8A7DDA9994BA7F7	2C563FAD704A5E5407F38AFF2E47C72138944106	4B2E35D8CD82164975B338E118EBFBD621D1AFB5E768A12936F7F9D0B6C1B9E0
C:\Users\user\AppData\Local\Temp\aut30FA.tmp	data	CBDEE7E56FE6E632838A31ADF1435807	9AC24BD12E4369785742E075F81B9B6A50EBABBD	DC44AEE08535CFCA123FE35EC2EE62E4D0457A82A370F709E6BDC95B9F26F11C
C:\Users\user\AppData\Local\Temp\autE914.tmp	data	CBDEE7E56FE6E632838A31ADF1435807	9AC24BD12E4369785742E075F81B9B6A50EBABBD	DC44AEE08535CFCA123FE35EC2EE62E4D0457A82A370F709E6BDC95B9F26F11C
C:\Users\user\AppData\Local\Temp\autF7AA.tmp	data	CBDEE7E56FE6E632838A31ADF1435807	9AC24BD12E4369785742E075F81B9B6A50EBABBD	DC44AEE08535CFCA123FE35EC2EE62E4D0457A82A370F709E6BDC95B9F26F11C
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Allene.vbs	data	9ADBEDC65F332D0F3CB23DF19C449A76	C8BCEB35573CAB38C15BCF700483AD757ACB35CD	CF46956B53F2A99BB538A9E6F04B3086ECDDE52A903B9ED61C9FDCF96E8E45C0

Windows Analysis Report
7056ZCiFdE.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Windows Analysis Report 7056ZCiFdE.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Windows Analysis Report
7056ZCiFdE.exe

Malware Threat Intel
Provided by