File allah.bin

Size 536.3KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 ebc163114e0001cc43f4a1dc6f6c41d5
SHA1 bfb2832a6af776f1da23aaf3d9c6c8e5dc15e39f
SHA256 7f17ac8d337faa56f205ceb2038ab1c07e5c521f4c34fbfeed35ecb58979bf49
SHA512
946316a37049f69bd3eb15295e872b8e632aee805a5b9794eed1b11684d8893f3a265732ed64c47c2c78af2d5f8ceefff68578b1cf2cca1f121583e51cb8e745
CRC32 DB1DDB79
ssdeep 12288:ly6PVQDg69p3F37hGjU7xNQwdtxEboDDvdD:chp3F34U3Qwdtuofx
Yara
  • IsPE32 -
  • IsWindowsGUI -
  • IsPacked - Entropy Check
  • HasOverlay - Overlay Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01007_MASM_TASM___sig4__h__ - [MASM/TASM - sig4 (h)]
  • PEiD_01050_Microsoft_Visual_Basic_5_0_ - [Microsoft Visual Basic 5.0]
  • PEiD_01051_Microsoft_Visual_Basic_v5_0___v6_0_ - [Microsoft Visual Basic v5.0 - v6.0]
  • PEiD_01053_Microsoft_Visual_Basic_v5_0_v6_0_ - [Microsoft Visual Basic v5.0/v6.0]
  • PEiD_01054_Microsoft_Visual_Basic_v5_0_ - [Microsoft Visual Basic v5.0]
  • PEiD_01056_Microsoft_Visual_Basic_v6_0_ - [Microsoft Visual Basic v6.0]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • SEH__vba -
  • contentis_base64 - This rule finds for base64 strings
  • Microsoft_Visual_Basic_v50v60 -
  • Microsoft_Visual_Basic_v50 -
  • Microsoft_Visual_Basic_v50_v60 -
  • Microsoft_Visual_Basic_v50_additional -
  • Microsoft_Visual_Basic_v50v60_additional -
  • maldoc_structured_exception_handling -
  • maldoc_find_kernel32_base_method_1 -

Score

This file shows numerous signs of malicious behavior.

The score of this file is 2.4 out of 10.

Please note: the scoring system is still in development and should be considered an alpha feature.

Information on Execution

Category Started Completed Duration Logs
FILE Oct. 10, 2018, 5:14 a.m. Oct. 10, 2018, 5:16 a.m. 129 seconds

Machine

Name Label Started On Shutdown On
win7x64 win7x64 2018-10-10 05:14:17 2018-10-10 05:16:27

Analyzer Log

2018-10-09 22:14:15,046 [analyzer] DEBUG: Starting analyzer from: C:\slvuwqqkh
2018-10-09 22:14:15,078 [analyzer] DEBUG: Pipe server name: \\.\PIPE\YQziMkPkZOKlkKphlAybTiv
2018-10-09 22:14:15,078 [analyzer] DEBUG: Log pipe server name: \\.\PIPE\yvWgmrymdqgOVhHlQRrDeNCeFGWxysT
2018-10-09 22:14:15,092 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.
2018-10-09 22:14:15,108 [analyzer] INFO: Automatically selected analysis package "exe"
2018-10-09 22:14:17,385 [analyzer] DEBUG: Started auxiliary module Disguise
2018-10-09 22:14:17,822 [analyzer] DEBUG: Loaded monitor into process with pid 508
2018-10-09 22:14:17,822 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2018-10-09 22:14:17,822 [analyzer] DEBUG: Started auxiliary module Human
2018-10-09 22:14:17,822 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2018-10-09 22:14:17,838 [analyzer] DEBUG: Started auxiliary module Reboot
2018-10-09 22:14:18,056 [analyzer] DEBUG: Started auxiliary module RecentFiles
2018-10-09 22:14:18,056 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2018-10-09 22:14:18,056 [analyzer] DEBUG: Started auxiliary module Screenshots
2018-10-09 22:14:18,384 [lib.api.process] INFO: Successfully executed process from path u'C:\\Users\\zamen\\AppData\\Local\\Temp\\allah.bin' with arguments '' and pid 2288
2018-10-09 22:14:19,430 [analyzer] DEBUG: Loaded monitor into process with pid 2288
2018-10-09 22:14:20,772 [analyzer] DEBUG: Received request to inject pid=2288, but we are already injected there.
2018-10-09 22:15:23,624 [analyzer] INFO: Injected into process with pid 2596 and name u'allah.bin'
2018-10-09 22:15:23,796 [analyzer] DEBUG: Loaded monitor into process with pid 2596
2018-10-09 22:15:24,342 [analyzer] INFO: Process with pid 2288 has terminated
2018-10-09 22:15:58,818 [analyzer] INFO: Process with pid 2596 has terminated
2018-10-09 22:15:58,818 [analyzer] INFO: Process list is empty, terminating analysis.
2018-10-09 22:15:59,832 [analyzer] INFO: Terminating remaining processes before shutdown.
2018-10-09 22:15:59,832 [analyzer] INFO: Analysis completed.

Cuckoo Log

2018-10-10 05:14:17,716 [lib.cuckoo.core.scheduler] INFO: File already exists at "/opt/cuckoo/storage/binaries/7f17ac8d337faa56f205ceb2038ab1c07e5c521f4c34fbfeed35ecb58979bf49"
2018-10-10 05:14:17,730 [lib.cuckoo.core.scheduler] INFO: Task #11: acquired machine win7x64 (label=win7x64)
2018-10-10 05:14:17,739 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 3600 (interface=eth2, host=192.168.128.109, pcap=/opt/cuckoo/storage/analyses/11/dump.pcap)
2018-10-10 05:14:35,689 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=win7x64, ip=192.168.128.109)
2018-10-10 05:16:26,837 [lib.cuckoo.core.guest] INFO: win7x64: analysis completed successfully
2018-10-10 05:16:27,839 [lib.cuckoo.core.plugins] WARNING: The processing module "Suricata" returned the following error: Unable to locate Suricata binary
2018-10-10 05:16:53,453 [modules.processing.virustotal] WARNING: Error fetching results from VirusTotal for "7f17ac8d337faa56f205ceb2038ab1c07e5c521f4c34fbfeed35ecb58979bf49": Unable to fetch VirusTotal results: MaxRetryError("HTTPSConnectionPool(host='www.virustotal.com', port=443): Max retries exceeded with url: /vtapi/v2/file/report (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f3f98df7fd0>: Failed to establish a new connection: [Errno -2] Name or service not known',))",)
2018-10-10 05:16:53,881 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f3f98595490>: Failed to establish a new connection: [Errno 111] Connection refused
2018-10-10 05:16:53,882 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f3f985957d0>: Failed to establish a new connection: [Errno 111] Connection refused
2018-10-10 05:16:53,882 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f3f98595110>: Failed to establish a new connection: [Errno 111] Connection refused
2018-10-10 05:16:53,883 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f3f98595b50>: Failed to establish a new connection: [Errno 111] Connection refused
2018-10-10 05:16:53,884 [lib.cuckoo.core.plugins] ERROR: Failed to run the reporting module "ElasticSearch":
Traceback (most recent call last):
  File "/opt/cuckoo/lib/cuckoo/core/plugins.py", line 533, in process
    current.run(self.results)
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 196, in run
    self.connect()
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 79, in connect
    if not self.es.indices.exists_template("cuckoo_template"):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/utils.py", line 69, in _wrapped
    return func(*args, params=params, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/indices.py", line 491, in exists_template
    name), params=params)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/transport.py", line 327, in perform_request
    status, headers, data = connection.perform_request(method, url, params, body, ignore=ignore, timeout=timeout)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 105, in perform_request
    raise ConnectionError('N/A', str(e), e)
ConnectionError: ConnectionError(<urllib3.connection.HTTPConnection object at 0x7f3f98595b50>: Failed to establish a new connection: [Errno 111] Connection refused) caused by: NewConnectionError(<urllib3.connection.HTTPConnection object at 0x7f3f98595b50>: Failed to establish a new connection: [Errno 111] Connection refused)

Signatures

Queries for the computername (2 events)
Time & API Arguments Status Return Repeated
Oct. 10, 2018, 1:15 a.m.
GetComputerNameW
computer_name: ZAMEN-PC
success 1 0
Oct. 10, 2018, 1:15 a.m.
GetComputerNameW
computer_name: ZAMEN-PC
success 1 0
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
This executable is signed
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
Oct. 10, 2018, 1:15 a.m.
GlobalMemoryStatusEx
success 1 0
Allocates read-write-execute memory (usually to unpack itself) (6 events)
Time & API Arguments Status Return Repeated
Oct. 10, 2018, 1:15 a.m.
NtAllocateVirtualMemory
process_identifier: 2288
region_size: 24576
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03720000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
success 0 0
Oct. 10, 2018, 1:15 a.m.
NtAllocateVirtualMemory
process_identifier: 2288
region_size: 67108864
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03730000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
success 0 0
Oct. 10, 2018, 1:15 a.m.
NtProtectVirtualMemory
base_address: 0x77cb0000
length: 876544
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 2288
process_handle: 0xffffffff
success 0 0
Oct. 10, 2018, 1:15 a.m.
NtAllocateVirtualMemory
process_identifier: 2596
region_size: 24576
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003f0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
success 0 0
Oct. 10, 2018, 1:15 a.m.
NtAllocateVirtualMemory
process_identifier: 2596
region_size: 67108864
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026d0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
success 0 0
Oct. 10, 2018, 1:15 a.m.
NtProtectVirtualMemory
base_address: 0x77cb0000
length: 876544
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 2596
process_handle: 0xffffffff
success 0 0
The binary likely contains encrypted or compressed data. (2 events)
section .text (virtual_address 0x00001000, virtual_size 0x0007e7f0, size_of_data 0x0007f000, entropy 7.83364511968) description A section with a high entropy has been found
entropy 0.962121212121 description Overall entropy of this PE file is high
Generates some ICMP traffic

Screenshots

No screenshots available.

Network

DNS

Name Response Post-Analysis Lookup
eprco.ir

Hosts

No hosts contacted.

Summary

Process allah.bin (2288)

  • Registry keys opened

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT\UserEra
  • Registry keys read

    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\932
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\949
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\950
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\936

Process allah.bin (2596)

  • Registry keys opened

    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DnsCache\Parameters
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DnsClient
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DNSClient
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\allah_RASMANCS
  • Registry keys written

    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\allah_RASMANCS\MaxFileSize
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\allah_RASMANCS\EnableConsoleTracing
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\allah_RASMANCS\ConsoleTracingMask
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\allah_RASMANCS\EnableFileTracing
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\allah_RASMANCS\FileTracingMask
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\allah_RASMANCS\FileDirectory
  • Registry keys read

    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\ProductName
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\allah_RASMANCS\MaxFileSize
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\allah_RASAPI32\ConsoleTracingMask
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\MaxRpcSize
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\allah_RASMANCS\EnableConsoleTracing
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\allah_RASAPI32\MaxFileSize
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\allah_RASMANCS\ConsoleTracingMask
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\allah_RASAPI32\FileTracingMask
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\DisableImprovedZoneCheck
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\allah_RASAPI32\EnableConsoleTracing
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\allah_RASAPI32\FileDirectory
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\allah_RASMANCS\FileDirectory
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\allah_RASMANCS\EnableFileTracing
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\allah_RASMANCS\FileTracingMask
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\allah_RASAPI32\EnableFileTracing
    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only

Process allah.bin (2288)

  • Directories enumerated

    • C:\Users\zamen\AppData\Local\Temp\Irritants3

Process allah.bin (2288)

  • Processes created

    • C:\Users\zamen\AppData\Local\Temp\allah.bin"
  • DLLs Loaded

    • shell32
    • kernel32
    • SXS.DLL
    • ntdll
    • KERNEL32.DLL
    • user32
    • OLEAUT32.DLL
    • C:\Windows\system32\kernel32.dll
    • dwmapi.dll

Process allah.bin (2596)

  • DLLs Loaded

    • C:\Windows\system32\pnrpnsp.dll
    • kernel32
    • API-MS-Win-Security-LSALookup-L1-1-0.dll
    • ntdll
    • C:\Windows\System32\mswsock.dll
    • gdi32.dll
    • DNSAPI.dll
    • kernel32.dll
    • API-MS-Win-Security-SDDL-L1-1-0.dll
    • oleaut32.dll
    • ntdll.dll
    • C:\Windows\system32\napinsp.dll
    • API-MS-WIN-Service-Management-L1-1-0.dll
    • crypt32.dll
    • user32
    • RASMAN.DLL
    • advapi32.dll
    • ole32.dll
    • crtdll.dll
    • API-MS-WIN-Service-winsvc-L1-1-0.dll
    • rtutils.dll
    • wininet.dll
    • C:\Windows\system32\crtdll.dll
    • RASAPI32.dll
    • wsock32.dll
    • shell32
    • C:\Windows\System32\winrnr.dll
    • Gdiplus.dll
    • shell32.dll
    • rpcrt4.dll
    • WS2_32.dll
    • user32.dll

PE Compile Time

2005-02-22 05:16:00

Signing Certificate

MD5 f0e280e44f443f50e915cb8700ff3a63
SHA1 38a3bb5736318890fd929c8800e4ac940b8773ee
Serial Number 00000000000000000000000000000001
Common Name Copyright © 2018 Tech Movement Inc
Country ES
Locality None

Version Infos

InternalName Lardaceous
FileVersion 3.09
CompanyName THE pidGIN DEVELOPEr COMMUNITy
LegalTrademarks blUESTACk sySTEMS YNC.
Comments stELLAR ATD
ProductName Asus
ProductVersion 3.09
OriginalFilename Lardaceous.exe

Sections

Name Virtual Address Virtual Size Size of Raw Data Entropy
.text 0x00001000 0x0007e7f0 0x0007f000 7.83364511968
.data 0x00080000 0x0000150c 0x00001000 0.0
.rsrc 0x00082000 0x00003104 0x00004000 4.87396275049

Imports

Library MSVBVM60.DLL:
0x401000 _CIcos
0x401004 _adj_fptan
0x401008 __vbaVarMove
0x40100c __vbaFreeVar
0x401010 __vbaCyMul
0x401014 __vbaStrVarMove
0x401018 __vbaLenBstr
0x40101c __vbaFreeVarList
0x401020 _adj_fdiv_m64
0x401024 None
0x401028 None
0x40102c __vbaR8Sgn
0x401030 _adj_fprem1
0x401034 __vbaStrCat
0x401038 None
0x40103c __vbaSetSystemError
0x401040 __vbaRecDestruct
0x401048 _adj_fdiv_m32
0x40104c __vbaAryDestruct
0x401050 __vbaOnError
0x401054 _adj_fdiv_m16i
0x401058 __vbaObjSetAddref
0x40105c _adj_fdivr_m16i
0x401060 __vbaFPFix
0x401064 _CIsin
0x401068 __vbaChkstk
0x40106c None
0x401070 EVENT_SINK_AddRef
0x401074 __vbaAryConstruct2
0x401078 __vbaVarTstEq
0x40107c DllFunctionCall
0x401080 _adj_fpatan
0x401084 None
0x401088 EVENT_SINK_Release
0x40108c __vbaUI1I2
0x401090 _CIsqrt
0x401098 __vbaVarMul
0x40109c __vbaExceptHandler
0x4010a0 __vbaStrToUnicode
0x4010a4 None
0x4010a8 _adj_fprem
0x4010ac _adj_fdivr_m64
0x4010b0 __vbaFPException
0x4010b4 __vbaUbound
0x4010b8 __vbaVarCat
0x4010bc __vbaDateVar
0x4010c0 None
0x4010c4 _CIlog
0x4010c8 __vbaErrorOverflow
0x4010cc None
0x4010d0 __vbaInStr
0x4010d4 __vbaNew2
0x4010d8 _adj_fdiv_m32i
0x4010dc _adj_fdivr_m32i
0x4010e0 __vbaStrCopy
0x4010e4 __vbaFreeStrList
0x4010e8 _adj_fdivr_m32
0x4010ec _adj_fdiv_r
0x4010f0 None
0x4010f4 __vbaVarTstNe
0x4010f8 __vbaI4Var
0x4010fc __vbaStrComp
0x401100 __vbaStrToAnsi
0x401104 None
0x401108 _CIatan
0x40110c __vbaStrMove
0x401110 None
0x401114 __vbaR8IntI4
0x401118 _allmul
0x40111c _CItan
0x401120 None
0x401124 _CIexp
0x401128 __vbaFreeStr
0x40112c __vbaFreeObj

Strings

!This program cannot be run in DOS mode.
`.data
MSVBVM60.DLL
Ramanujan
VB5!6&*
Lardaceous
Echinologist2
Ramanujan
Enforcement
Collimator3
Twinky7
Wignall
Ineffectibly1
Muyere5
Chylifaction6
Ornamented1
Ramanujan
C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
Pottle4
Dauntless
Epedaphic
Jebusitic2
Groleau
Rltab2
Obsignatory
Al$Substanially
Poplarbluff6
Mesogloeal3
Cynocephalus1
Partakes
Extrabuccal
Boother7
Milliarium
Winrich
Problemize5
Hovers
Serizeille
Strapped
Microscopics2
Infighter7
Ungloriously8
Polana8
Natheaux
Bacchantic3
Ozonoscope
Suspiration
Watulai1
Echinodermal
Miserliness
Lathered6
Magnifice
Sherbacha5
Namakere5
Drachmal
Chubbiness
Resizes1
Nemea7
Curiboca
Exhibitorial6
Nightwalker
Cressey
Deduae2
Microelement
Tankstoppers
Borderings
Korovin
Unstammering7
Subdivided1
Seekers
Pittsburgh5
Screenman
Detrusor3
Dermopteran1
Tipman5
Acceptably8
Biliotti
Hundredth1
Menominee0
Ligator7
Ganton
Precludable0
Untumultuous
Plowers3
Bannut6
Neighborly
Nonstaple7
Umbrine
Ostracods
Theologue
Doomage
Lentucky6
Misconstrued4
Cursoris8
KERNEL32.DLL
CreateTimerQueueTimer
kernel32
Jensen6
VerLanguageNameW
VBA6.DLL
__vbaVarMul
__vbaVarTstNe
__vbaR8Sgn
__vbaStrCopy
__vbaVarCat
__vbaErrorOverflow
__vbaAryDestruct
__vbaRecDestruct
__vbaFreeStrList
__vbaStrToUnicode
__vbaStrToAnsi
__vbaSetSystemError
__vbaI4Var
__vbaHresultCheckObj
__vbaStrComp
__vbaDateVar
__vbaCyMul
__vbaFreeVarList
__vbaR8IntI4
__vbaUI1I2
__vbaFPFix
__vbaLenBstr
__vbaOnError
__vbaFreeObj
__vbaNew2
__vbaObjSetAddref
__vbaUbound
__vbaVarMove
__vbaVarTstEq
__vbaFreeStr
__vbaStrCat
__vbaInStr
__vbaFreeVar
__vbaStrVarMove
__vbaStrMove
__vbaAryConstruct2
Collimator3
Cytosporina
Cytosporina
Umbrine
Lorenzenite
Cressey
Sitena6
Mesogloeal3
Chronicling
Lentucky6
Tactlessly
Unstammering7
Sprogoe
Problemize5
Execute
Menominee0
Untumultuous
Thesmophoric2
Strapped
Courtbaron
Ungloriously8
Pittsburgh5
Abednego
Doomage
Suspiration
Amidopyrine7
Biliotti
Roussas
Microelement
Dispatchful0
Seekers
Semblative4
Curiboca
Outstripping
Bacchantic3
Boother7
Neighborly
Telferage
Winrich
Watulai1
Plowers3
Pottle4
Resizes1
Conicity
Tipman5
Anima1
Dermopteran1
Nemea7
Woodmen6
Echinodermal
Meetly2
Cursoris8
Malcham
Subdivided1
Milliarium
Marlins1
Chubbiness
Borderings
Screenman
Puschkinow
Namakere5
Ganton
Grainland
Hovers
Exhibitorial6
Pentadecyl
Precludable0
Ornithoptera0
Miserliness
Newspeople6
Lathered6
Drachmal
Hundredth1
Theologue
Unintroitive
Ozonoscope
Ducksoup
Extrabuccal
Deduae2
Substanially
Mahasi0
Detrusor3
Imbibe2
Partakes
Coldly7
Acceptably8
Embarkment5
Natheaux
Vaalite
Poplarbluff6
Nightwalker
Phaeodarian5
Misconstrued4
Scramble
Mocovi
Magnifice
Sherbacha5
Lienfuhuang
Throbs
Walds2
Tankstoppers
Subchela
Tompion3
Quoteworthy8
Infighter7
Tetanine
Greenflies
Unaccoutered0
Agape8
Mannered
Polana8
Rende3
Ostracods
Serizeille
Buses1
Rohnertpark
Bannut6
Shades7
Ligator7
Cynocephalus1
Spiculated1
Microscopics2
Nonstaple7
Korovin
Enforcement
Scalenus6
Scalenus6
Dauntless
Dimensioned
Obsignatory
Tragulus
Epedaphic
Chaurasia
Groleau
Chiasm3
Jebusitic2
Rltab2
Aspermatic2
Disentrammel0
MSVBVM60.DLL
_CIcos
_adj_fptan
__vbaVarMove
__vbaFreeVar
__vbaCyMul
__vbaStrVarMove
__vbaLenBstr
__vbaFreeVarList
_adj_fdiv_m64
__vbaR8Sgn
_adj_fprem1
__vbaStrCat
__vbaSetSystemError
__vbaRecDestruct
__vbaHresultCheckObj
_adj_fdiv_m32
__vbaAryDestruct
__vbaOnError
_adj_fdiv_m16i
__vbaObjSetAddref
_adj_fdivr_m16i
__vbaFPFix
_CIsin
__vbaChkstk
EVENT_SINK_AddRef
__vbaAryConstruct2
__vbaVarTstEq
DllFunctionCall
_adj_fpatan
EVENT_SINK_Release
__vbaUI1I2
_CIsqrt
EVENT_SINK_QueryInterface
__vbaVarMul
__vbaExceptHandler
__vbaStrToUnicode
_adj_fprem
_adj_fdivr_m64
__vbaFPException
__vbaUbound
__vbaVarCat
__vbaDateVar
_CIlog
__vbaErrorOverflow
__vbaInStr
__vbaNew2
_adj_fdiv_m32i
_adj_fdivr_m32i
__vbaStrCopy
__vbaFreeStrList
_adj_fdivr_m32
_adj_fdiv_r
__vbaVarTstNe
__vbaI4Var
__vbaStrComp
__vbaStrToAnsi
_CIatan
__vbaStrMove
__vbaR8IntI4
_allmul
_CItan
_CIexp
__vbaFreeStr
__vbaFreeObj
!Secure, manage, and trade assets.1,0*
#Copyright
2018 Tech Movement Inc0
180910121040Z
200909121040Z0g1
20180911094520Z
Greater Manchester1
Salford1
COMODO CA Limited1,0*
#COMODO SHA-256 Time Stamping Signer
Salt Lake City1
The USERTRUST Network1!0
http://www.usertrust.com1
UTN-USERFirst-Object0
151231000000Z
190709184036Z0
Greater Manchester1
Salford1
COMODO CA Limited1,0*
#COMODO SHA-256 Time Stamping Signer0
1http://crl.usertrust.com/UTN-USERFirst-Object.crl05
http://ocsp.usertrust.com0
Salt Lake City1
The USERTRUST Network1!0
http://www.usertrust.com1
UTN-USERFirst-Object
180911094520Z0+
Knittel
Coatimundi0
Commencing
Furnbacher
Pleurotomoid
Brassware
Leaven
Verifying
Handcraft
Atura7
Tabourin8
Outrant
Overplain
Sandboy7
Recompetitor
Lionakis
Argons6
Carpetweb7
Appropriate
Parvanimity5
Hosston3
Fruggan4
Unrazored
Insets3
Wwwwww
Pessimizing
Nablus
Bathmic
Paintedpost6
Nonukan
No Version Info available!
Irritants3
Amidopyrine7
Roussas
Ducksoup
Vaalite
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
040904B0
Comments
stELLAR ATD
CompanyName
THE pidGIN DEVELOPEr COMMUNITy
LegalTrademarks
blUESTACk sySTEMS YNC.
ProductName
FileVersion
ProductVersion
InternalName
Lardaceous
OriginalFilename
Lardaceous.exe
No antivirus signatures available.

Process Tree


allah.bin, PID: 2288, Parent PID: 2264
    allah.bin, PID: 2596, Parent PID: 2288

Deprecation note: While processing this analysis you did not have the httpreplay Python library installed. Installing this library (i.e., pip install httpreplay) will allow Cuckoo to do more proper PCAP analysis including but not limited to showing full HTTP and HTTPS (!) requests and responses. It is recommended that you install this library and possibly reprocess any interesting analysis tasks.

Hosts

No hosts contacted.

DNS

Name Response Post-Analysis Lookup
eprco.ir

TCP

Source           Source Port  Destination      Destination Port
192.168.128.109  49162        192.168.128.112  139
192.168.128.109  49163        192.168.128.112  139

UDP

Source           Source Port  Destination      Destination Port
192.168.128.109  60112        192.168.128.111  53
192.168.128.109  64209        192.168.128.111  53
192.168.128.109  137          192.168.128.255  137
192.168.128.109  138          192.168.128.255  138
192.168.128.109  50839        224.0.0.252      5355
192.168.128.109  60037        224.0.0.252      5355
192.168.128.112  137          192.168.128.109  137
192.168.128.112  5355         192.168.128.109  50839
192.168.128.112  5355         192.168.128.109  60037

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

Source           Destination      ICMP Type  Data
192.168.128.109  192.168.128.112  3

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.
Task ID 11
Mongo ID 5bbdc38611d3080d7740fc01
Cuckoo release 2.0-dev