sodinokibi | faef0354ee5f7c458afa16423e9ab04d[.]bin

Sharing

Copy URL

Twitter E-mail

General

Target

faef0354ee5f7c458afa16423e9ab04d.bin
Size

41.4MB
MD5

faef0354ee5f7c458afa16423e9ab04d
SHA1

a30b5673664f797cb40cd287260136e145071b85
SHA256

2eaccf2ffad0c83282b940b5ed1e65f38acacc9e002b48e3bf4f852e1097232a
SHA512

e8f9958c346936da0b1e5a92cc8cf08fbf750029eda3ea341c0ce7e27e452b7ec937a1deb4a147e6694fbcdc60dc2280d30ca709a2d950ed6732482c2337628a
SSDEEP

786432:Ox4aSbJJZiGQkTVugwej6bryq3sdGn/lCKVEKAhiDB9+DZwX1TpIb86PRzOISnxB:OyDCkTb+XpcdMnEAHWZATpIbBPRzOZxB

Score

10^/10

upx $2a$10$hipnytfl4yad01j./dips.tdwq.qurm2fbum4pqfinkq45tak6xw6 5891 sodinokibi

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$hIPnYTfL4yAd01j./DIPs.Tdwq.QURm2fbUM4pQFInKQ45tak6xW6

Campaign

5891

Decoy

notmissingout.com

employeesurveys.com

delchacay.com.ar

sw1m.ru

sofavietxinh.com

samnewbyjax.com

pawsuppetlovers.com

panelsandwichmadrid.es

frontierweldingllc.com

antenanavi.com

nokesvilledentistry.com

partnertaxi.sk

tomaso.gr

levihotelspa.fi

myhealth.net.au

midmohandyman.com

kirkepartner.dk

zewatchers.com

lapmangfpt.info.vn

purposeadvisorsolutions.com

Attributes

net
false
pid
$2a$10$hIPnYTfL4yAd01j./DIPs.Tdwq.QURm2fbUM4pQFInKQ45tak6xW6
prc
firefox
oracle
visio
xfssvccon
steam
winword
mspub
isqlplussvc
ocssd
ocautoupds
mydesktopqos
outlook
dbeng50
sql
agntsvc
tbirdconfig
encsvc
thebat
synctime
onenote
mydesktopservice
thunderbird
excel
powerpnt
dbsnmp
sqbcoreservice
ocomm
infopath
wordpad
msaccess
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
sub
5891
svc
veeam
vss
backup
sophos
svc$
mepocs
memtas
sql

Signatures

Sodinokibi family
sodinokibi

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
static1/unpack001/ransomwares/Birele/Birele.exe	upx
static1/unpack001/ransomwares/JanusPetya/JanusPetya.exe	upx
static1/unpack001/ransomwares/RedBoot/RedBoot.exe	upx
static1/unpack001/ransomwares/Rokku/Rokku.exe	upx
static1/unpack001/ransomwares/Xyeta/Xyeta.exe	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
static1/unpack001/ransomwares/Windows10Update/Windows10Update.exe	autoit_exe

Unsigned PE 40 IoCs

Checks for missing Authenticode signature.

Processes:

resource
unpack001/ransomwares/7ev3n/7ev3n.exe
unpack001/ransomwares/Annabelle/Annabelle.exe
unpack001/ransomwares/Birele/Birele.exe
unpack005/out.upx
unpack001/ransomwares/Darkside/Darkside.exe
unpack001/ransomwares/DeriaLock/DeriaLock.exe
unpack001/ransomwares/Fake GoldenEye/FakeGoldenEye.exe
unpack001/ransomwares/Fake PetrWrap/FakePetrWrap.exe
unpack001/ransomwares/FakePetya/FakePetya.exe
unpack001/ransomwares/Fantom/Fantom.exe
unpack001/ransomwares/GandCrab/GandCrab.exe
unpack001/ransomwares/GoldenEye/GoldenEye.exe
unpack001/ransomwares/Huzuni/Huzuni.exe
unpack001/ransomwares/InfinityCrypt/InfinityCrypt.exe
unpack001/ransomwares/JanusPetya/JanusPetya.exe
unpack001/ransomwares/Krotten/Krotten.exe
unpack001/ransomwares/Locky/Locky.exe
unpack001/ransomwares/Mischa/Mischa.exe
unpack001/ransomwares/MischaV2/MischaV2.exe
unpack001/ransomwares/NoMoreRansom/NoMoreRansom.exe
unpack001/ransomwares/PetrWrap/PetrWrap(Patched).exe
unpack001/ransomwares/PetrWrap/PetrWrap.exe
unpack001/ransomwares/Petya.A/Petya.A.exe
unpack001/ransomwares/PetyaMFTDestroyer/PetyaMFTDestroyer.exe
unpack001/ransomwares/PolyRansom/PolyRansom.exe
unpack001/ransomwares/PowerPoint/PowerPoint.exe
unpack001/ransomwares/RansomBlox/RansomBlox.exe
unpack001/ransomwares/RedBoot/RedBoot.exe
unpack001/ransomwares/RedEye/RedEye.exe
unpack001/ransomwares/Rensenware/Rensenware.exe
unpack001/ransomwares/Rokku/Rokku.exe
unpack001/ransomwares/Seftad/Seftad.exe
unpack001/ransomwares/Sodinokibi/Sodinokibi.exe
unpack001/ransomwares/ViraLock/ViraLock.exe
unpack001/ransomwares/WannaCry 1.0/WannaCry 1.0.exe
unpack001/ransomwares/WannaCrypt0r/WannaCrypt0r.exe
unpack001/ransomwares/Wannacry (Plus)/Wannacry (Plus).exe
unpack001/ransomwares/Windows10Update/Windows10Update.exe
unpack001/ransomwares/Winlocker.VB6.Blacksod/Winlocker.VB6.Blacksod/WinlockerVB6Blacksod.exe
unpack001/ransomwares/Xyeta/Xyeta.exe

Files

faef0354ee5f7c458afa16423e9ab04d.bin
.zip

Password: infected
ransomwares/7ev3n/7ev3n.exe
.exe windows:6 windows x86 arch:x86

Password: infected

008aca28b7c001acc5e0ab32fabaad84

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

J:\Win32Project9\Release\Win32Project9.pdb

Imports

kernel32

GetCurrentProcess
ExitThread
SetEndOfFile
CreateFileW
HeapSize
WriteConsoleW
ReadConsoleW
SetStdHandle
FindFirstFileExW
FindClose
GetProcAddress
GetCommandLineW
GetCommandLineA
GetProcessHeap
SetEnvironmentVariableW
SetEnvironmentVariableA
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetOEMCP
IsValidCodePage
SetFilePointerEx
ReadFile
GetConsoleMode
GetConsoleCP
FlushFileBuffers
WinExec
CreateProcessA
GetStartupInfoA
GetModuleFileNameW
CopyFileA
GetFileAttributesA
GetModuleFileNameA
FindNextFileW
GetLocalTime
FindFirstFileW
CreateThread
GetModuleHandleW
Sleep
GetLogicalDrives
VerifyVersionInfoW
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetFileAttributesExW
GetExitCodeProcess
WaitForSingleObject
GetFileType
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
CloseHandle
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
SetEvent
ResetEvent
WaitForSingleObjectEx
CreateEventW
IsDebuggerPresent
GetStartupInfoW
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
WideCharToMultiByte
MultiByteToWideChar
GetStringTypeW
EncodePointer
DecodePointer
SetLastError
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
CompareStringW
LCMapStringW
GetLocaleInfoW
GetCPInfo
GetLastError
FreeLibrary
LoadLibraryExW
RaiseException
RtlUnwind
MoveFileExW
ExitProcess
GetModuleHandleExW
GetStdHandle
WriteFile
GetACP
HeapAlloc
HeapReAlloc
HeapFree
VerSetConditionMask

user32

ShowWindow
SendMessageW
FindWindowW
DrawTextA
CallNextHookEx
GetAsyncKeyState
DefWindowProcW
PostQuitMessage
DestroyWindow
KillTimer
InvalidateRect
SetTimer
EndPaint
SetWindowsHookExW
DrawTextW
BeginPaint
GetSystemMetrics
ShowCursor
DispatchMessageW
TranslateMessage
GetMessageW
SetForegroundWindow
SetWindowLongW
SetWindowPos
CreateWindowExW
RegisterClassExW
LoadCursorW

gdi32

MoveToEx
CreatePen
DeleteObject
SetTextColor
SetBkMode
SelectObject
CreateFontIndirectW
CreateSolidBrush
LineTo

advapi32

SystemFunction036
GetUserNameA
RegCloseKey
RegQueryValueExW
RegOpenKeyExW
GetUserNameW

shell32

ord680

wininet

InternetOpenW
InternetOpenUrlW
InternetReadFile
InternetCloseHandle

netapi32

NetUserGetInfo

Sections

.text
Size: 174KB - Virtual size: 174KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 122KB - Virtual size: 121KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 9B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 840B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 11KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
ransomwares/Annabelle/Annabelle.exe
.exe windows:4 windows x64 arch:x64

Password: infected

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

.text
Size: 15.7MB - Virtual size: 15.7MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 268KB - Virtual size: 267KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
ransomwares/BadRabbit/BadRabbit.exe
.exe windows:5 windows x86 arch:x86

Password: infected

e3bda9df66f1f9b2b9b7b068518f2af1

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21-12-2012 00:00

Not After

30-12-2020 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18-10-2012 00:00

Not After

29-12-2020 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

0e:bf:ea:68:d6:77:b3:e2:6c:ab:41:c3:3f:3e:69:de
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

16-12-2016 00:00

Not After

17-12-2017 23:59

Subject

CN=Symantec Corporation,OU=STAR Security Engines,O=Symantec Corporation,L=Mountain View,ST=California,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08-02-2010 00:00

Not After

07-02-2020 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2e:6b:e6:bd:11:a8:67:6e:6c:57:90:9e:9b:0d:5f:57
Certificate

Issuer

CN=Symantec Class 3 SHA256 Code Signing CA - G2,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Not Before

15-03-2017 00:00

Not After

13-04-2018 23:59

Subject

CN=Symantec Corporation,OU=STAR Security Engines,O=Symantec Corporation,L=Mountain View,ST=California,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

7c:1b:35:35:4a:e7:db:74:e7:41:5f:11:69:ca:6b:a8
Certificate

Issuer

CN=VeriSign Universal Root Certification Authority,OU=VeriSign Trust Network+OU=(c) 2008 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

22-07-2014 00:00

Not After

21-07-2024 23:59

Subject

CN=Symantec Class 3 SHA256 Code Signing CA - G2,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

7b:05:b1:d4:49:68:51:44:f7:c9:89:d2:9c:19:9d:12
Certificate

Issuer

CN=VeriSign Universal Root Certification Authority,OU=VeriSign Trust Network+OU=(c) 2008 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

12-01-2016 00:00

Not After

11-01-2031 23:59

Subject

CN=Symantec SHA256 TimeStamping CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

54:58:f2:aa:d7:41:d6:44:bc:84:a9:7b:a0:96:52:e6
Certificate

Issuer

CN=Symantec SHA256 TimeStamping CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Not Before

02-01-2017 00:00

Not After

01-04-2028 23:59

Subject

CN=Symantec SHA256 TimeStamping Signer - G2,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

c9:13:30:16:a3:e5:cf:bf:b1:aa:8b:50:d1:16:0f:a5:35:73:41:3d:4f:81:f8:71:05:4e:c7:39:6d:5a:8b:17
Signer

Actual PE Digest

c9:13:30:16:a3:e5:cf:bf:b1:aa:8b:50:d1:16:0f:a5:35:73:41:3d:4f:81:f8:71:05:4e:c7:39:6d:5a:8b:17

Digest Algorithm

sha256

PE Digest Matches

false

bd:ae:90:d3:3b:42:bf:69:31:7c:f4:d9:c1:9d:fd:c2:69:86:ca:f0
Signer

Actual PE Digest

bd:ae:90:d3:3b:42:bf:69:31:7c:f4:d9:c1:9d:fd:c2:69:86:ca:f0

Digest Algorithm

sha1

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

ExitProcess
GetCommandLineW
GetFileSize
CreateProcessW
HeapAlloc
HeapFree
GetModuleHandleW
GetProcessHeap
WriteFile
GetSystemDirectoryW
ReadFile
GetModuleFileNameW
CreateFileW
lstrcatW
CloseHandle
UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
SetUnhandledExceptionFilter

user32

wsprintfW

shell32

CommandLineToArgvW

msvcrt

wcsstr
memcpy
free
malloc

Sections

.text
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 828B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 28KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 590B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
ransomwares/Birele/Birele.exe
.exe windows:10 windows x86 arch:x86

Password: infected

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

UPX0
Size: - Virtual size: 100KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 114KB - Virtual size: 116KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
out.upx
.exe windows:10 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Sections

.unp_1
Size: - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.text
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 17KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rdata
Size: 1024B - Virtual size: 788B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

BSS
Size: - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 124KB - Virtual size: 131KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

BSS
Size: - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

BSS
Size: - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

BSS
Size: - Virtual size: 1.3MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
ransomwares/Cerber 5/Cerber 5.exe
.exe windows:5 windows x86 arch:x86

Password: infected

604de9c4534997ea4f32f86753fab871

Code Sign

16:88:f0:39:25:5e:63:8e:69:14:39:07:e6:33:0b
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

31-12-2015 00:00

Not After

09-07-2019 18:40

Subject

CN=COMODO SHA-1 Time Stamping Signer,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

90:21:24:73:c7:06:f5:23:fe:84:bd:b9:a7:8a:01:f4
Certificate

Issuer

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

17-07-2017 00:00

Not After

17-07-2018 23:59

Subject

CN=DEMUS\, OOO,OU=IT,O=DEMUS\, OOO,POSTALCODE=410010,STREET=d. 84 of. 2\, ul.Tankistov,L=Saratov,ST=RU,C=RU,2.5.4.18=#1306343130303130

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:af
Certificate

Issuer

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

09-05-2013 00:00

Not After

08-05-2028 23:59

Subject

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

fb:f7:43:25:3a:5f:2f:99:ab:87:3e:d6:da:c8:11:b0:70:ec:8e:54
Signer

Actual PE Digest

fb:f7:43:25:3a:5f:2f:99:ab:87:3e:d6:da:c8:11:b0:70:ec:8e:54

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

CreateFileW
LoadLibraryA
lstrlenA
lstrcpyA
lstrcmpW
WriteFile
WriteConsoleInputW
WideCharToMultiByte
WaitForSingleObject
WaitForMultipleObjects
UnhandledExceptionFilter
TerminateProcess
TerminateJobObject
Sleep
SetUnhandledExceptionFilter
SetThreadPriority
SetThreadLocale
SetThreadExecutionState
SetPriorityClass
SetLastError
SetFilePointer
SetFileAttributesA
SetEvent
SetErrorMode
SetConsoleCtrlHandler
ReleaseMutex
ReadConsoleOutputCharacterA
RaiseException
QueryPerformanceCounter
OutputDebugStringW
OutputDebugStringA
OpenEventW
MultiByteToWideChar
MoveFileExW
LocalFree
LocalAlloc
LoadLibraryW
LeaveCriticalSection
IsDebuggerPresent
InterlockedIncrement
InterlockedCompareExchange
InitializeCriticalSection
HeapReAlloc
HeapFree
HeapAlloc
GetWindowsDirectoryW
GetWindowsDirectoryA
GetVersionExW
GetVersionExA
GetTickCount
GetThreadLocale
GetSystemTimeAsFileTime
GetSystemTime
GetStartupInfoA
GetProcessPriorityBoost
GetProcessHeap
GetProcAddress
GetModuleHandleW
GetModuleHandleA
GetModuleFileNameW
GetLastError
GetCurrentThreadId
GetCurrentThread
GetCurrentProcessId
GetCurrentProcess
GetConsoleAliasExesLengthA
GetComputerNameW
FreeLibrary
FormatMessageW
FormatMessageA
ExitProcess
EnterCriticalSection
DeleteFileA
DeleteCriticalSection
CreateProcessW
CreateMutexA
CreateJobObjectA
CreateFileA
CloseHandle
CreateEventW
CreateEventA
InterlockedExchange

user32

SetKeyboardState
SetForegroundWindow
SetFocus
SetCursor
SendMessageW
SendIMEMessageExW
RegisterDeviceNotificationW
RegisterClassW
PostMessageW
PeekMessageW
OpenWindowStationW
MessageBoxW
MessageBoxA
MessageBeep
MapDialogRect
LoadMenuA
LoadCursorW
KillTimer
IMPGetIMEW
GetWindowTextW
GetWindowRect
SetTimer
GetMenuItemID
GetKeyboardLayout
GetForegroundWindow
GetDlgItemTextW
GetDlgItem
GetDesktopWindow
EnumDesktopWindows
EndDialog
EnableMenuItem
DrawStateA
DispatchMessageW
DispatchMessageA
DialogBoxParamW
DestroyWindow
DestroyAcceleratorTable
DefWindowProcW
DdeQueryStringW
DdeGetLastError
CreateWindowExW
CreateDialogIndirectParamA
CreateAcceleratorTableW
SetWindowLongW
SetWindowTextW
ShowWindowAsync
TranslateMessage
UnregisterClassW
UnregisterDeviceNotification
wvsprintfW
IsWindowEnabled
LoadIconA
GetClipboardData
GetDlgCtrlID
GetOpenClipboardWindow
IsMenu
CreatePopupMenu
GetMenuItemCount
GetKBCodePage
GetMenuContextHelpId
GetFocus
GetInputState
GetShellWindow
GetAsyncKeyState
GetCapture
GetClipboardSequenceNumber
OemKeyScan
GetActiveWindow
CharUpperA
GetWindowDC
IsWindowUnicode
GetKeyboardType
EnumClipboardFormats
CopyIcon
GetMenuCheckMarkDimensions
EndMenu
GetListBoxInfo
ReleaseCapture
GetMessageExtraInfo
GetWindowLongW
CharToOemW
CharLowerW
BroadcastSystemMessageA
GetWindowContextHelpId

gdi32

SelectObject
SetBrushOrgEx
SetDCBrushColor
SetICMMode
SetPixelV
CancelDC
PathToRegion
CloseFigure
GetBkColor
AbortDoc
FlattenPath
GetObjectType
PlayMetaFileRecord
RealizePalette
WidenPath
SaveDC
BeginPath
SetMetaRgn
UnrealizeObject
AbortPath
EndPage
CreateMetaFileA
AddFontResourceA
SwapBuffers
OffsetWindowOrgEx
GetTextMetricsW
GetTextExtentPointW
GetTextCharset
GetMetaRgn
GetKerningPairsW
GetCurrentObject
GetCharWidth32A
GdiSwapBuffers
GdiStartPageEMF
GdiQueryTable
GdiGradientFill
GdiComment
GdiCleanCacheDC
FixBrushOrgEx
EngGradientFill
EngDeletePath
DescribePixelFormat
DeleteObject
DeleteDC
CreatePolygonRgn
CreateICA
CreateHatchBrush
CreateEllipticRgn
CreateDIBSection
CreateDCW
ChoosePixelFormat
AngleArc
BRUSHOBJ_pvAllocRbrush
GetTextColor

advapi32

RegEnumValueW
RegOpenKeyW
StartServiceCtrlDispatcherW
SetServiceStatus
SetSecurityDescriptorOwner
SetSecurityDescriptorDacl
SetEntriesInAclW
ReportEventW
RegisterServiceCtrlHandlerExW
RegisterEventSourceW
RegSetValueExW
RegQueryValueExW
RegOpenKeyExW
AllocateAndInitializeSid
RegDeleteValueW
RegDeleteKeyW
RegCreateKeyW
RegCloseKey
OpenServiceW
OpenSCManagerW
InitializeSecurityDescriptor
GetUserNameW
FreeSid
DeregisterEventSource
DeleteService
CreateServiceW
CloseServiceHandle

shell32

Shell_NotifyIconW
ShellExecuteExA
SHPathPrepareForWriteW
SHLoadNonloadedIconOverlayIdentifiers
SHInvokePrinterCommandW
SHGetSpecialFolderPathA
SHGetSpecialFolderLocation
SHGetSettings
SHGetPathFromIDListW
SHGetMalloc
CommandLineToArgvW
DoEnvironmentSubstA
DoEnvironmentSubstW
DragQueryFileA
DragQueryFileAorW
DragQueryFileW
ExtractAssociatedIconW
ExtractIconA
ExtractIconEx
SHAddToRecentDocs
SHBindToParent
SHBrowseForFolderW
SHCreateProcessAsUserW
SHEmptyRecycleBinW
SHGetFolderPathA
SHGetFolderPathW
ShellExecuteExW

shlwapi

StrChrW
StrCmpNIA
StrCmpNIW
StrCmpNW
StrRChrA
StrRChrIA
StrRStrIW
StrStrIA
StrChrA

comctl32

InitCommonControlsEx

msvcrt

__p__commode
__p__fmode
__set_app_type
__setusermatherr
_abnormal_termination
_acmdln
_adjust_fdiv
_c_exit
_cexit
_controlfp
_except_handler3
_exit
_initterm
_iob
_mbscmp
_mbscpy
_mbsicmp
_mbsinc
_mbslwr
_mbsnbcmp
_mbsnbicmp
_snwprintf
_vsnwprintf
_wcsicmp
_wcsnicmp
exit
fwprintf
iswctype
memmove
setlocale
wcschr
wcscmp
wcscpy
wcslen
wcsncmp
wcsrchr
_XcptFilter
__getmainargs

imm32

ImmDisableIME

Sections

.text
Size: 293KB - Virtual size: 292KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 424B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
ransomwares/Darkside/Darkside.exe
.exe windows:5 windows x86 arch:x86

Password: infected

17a4bd9c95f2898add97f309fc6f9bcd

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetProcAddress
LoadLibraryA
ExitProcess

Sections

.text
Size: 28KB - Virtual size: 28KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 512B - Virtual size: 374B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 26KB - Virtual size: 33KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
ransomwares/DeriaLock/DeriaLock.exe
.exe windows:4 windows x86 arch:x86

Password: infected

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

C:\Windows.old\Users\ArizonaCode\Documents\Visual Studio 2013\Projects\LOGON\LOGON\obj\Debug\LOGON.pdb

Imports

mscoree

_CorExeMain

Sections

.text
Size: 313KB - Virtual size: 313KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.sdata
Size: 512B - Virtual size: 312B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 168KB - Virtual size: 168KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
ransomwares/Fake GoldenEye/FakeGoldenEye.exe
.exe windows:5 windows x86 arch:x86

Password: infected

aa59bb138ba9dcdca5ef5c1e473df22c

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetNativeSystemInfo
FreeLibrary
HeapAlloc
HeapFree
GetModuleHandleW
VirtualFree
GetProcessHeap
IsBadReadPtr
SetLastError
GetProcAddress
VirtualAlloc
LoadLibraryA
VirtualProtect
GetLastError
EnterCriticalSection
LeaveCriticalSection
HeapReAlloc
GetCommandLineA
HeapSetInformation
GetStartupInfoW
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetCPInfo
InterlockedIncrement
InterlockedDecrement
GetACP
GetOEMCP
IsValidCodePage
EncodePointer
TlsAlloc
TlsGetValue
TlsSetValue
DecodePointer
TlsFree
GetCurrentThreadId
SetHandleCount
GetStdHandle
InitializeCriticalSectionAndSpinCount
GetFileType
DeleteCriticalSection
IsProcessorFeaturePresent
HeapCreate
Sleep
ExitProcess
WriteFile
GetModuleFileNameW
SetFilePointer
WideCharToMultiByte
GetConsoleCP
GetConsoleMode
FlushFileBuffers
CloseHandle
RaiseException
GetModuleFileNameA
FreeEnvironmentStringsW
GetEnvironmentStringsW
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
LCMapStringW
MultiByteToWideChar
GetStringTypeW
RtlUnwind
LoadLibraryW
SetStdHandle
WriteConsoleW
HeapSize
CreateFileW
InitializeCriticalSection

Sections

.text
Size: 35KB - Virtual size: 34KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 19KB - Virtual size: 27KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 448B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
ransomwares/Fake GoldenEye/Key.txt
ransomwares/Fake PetrWrap/FakePetrWrap.exe
.exe windows:5 windows x86 arch:x86

94f5979c154e333230727201857ca2b3

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetNativeSystemInfo
FreeLibrary
HeapAlloc
HeapFree
GetModuleHandleW
VirtualFree
GetProcessHeap
IsBadReadPtr
SetLastError
GetProcAddress
VirtualAlloc
LoadLibraryA
VirtualProtect
InterlockedIncrement
InterlockedDecrement
EncodePointer
DecodePointer
Sleep
InitializeCriticalSection
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
GetLastError
HeapReAlloc
GetCommandLineA
HeapSetInformation
GetStartupInfoW
RaiseException
RtlUnwind
WideCharToMultiByte
LCMapStringW
MultiByteToWideChar
GetCPInfo
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetACP
GetOEMCP
IsValidCodePage
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetCurrentThreadId
SetHandleCount
GetStdHandle
InitializeCriticalSectionAndSpinCount
GetFileType
IsProcessorFeaturePresent
HeapCreate
ExitProcess
WriteFile
GetModuleFileNameW
SetFilePointer
GetConsoleCP
GetConsoleMode
FlushFileBuffers
CloseHandle
GetModuleFileNameA
FreeEnvironmentStringsW
GetEnvironmentStringsW
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
HeapSize
GetStringTypeW
LoadLibraryW
SetStdHandle
WriteConsoleW
CreateFileW

Sections

.text
Size: 35KB - Virtual size: 34KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 21KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 448B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
ransomwares/Fake PetrWrap/Key.txt
ransomwares/FakePetya/FakePetya.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Sections

CODE
Size: 30KB - Virtual size: 29KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

DATA
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

BSS
Size: - Virtual size: 10KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: - Virtual size: 8B

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 512B - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
ransomwares/Fantom/Fantom.exe
.exe windows:5 windows x86 arch:x86

bf5a4aa99e5b160f8521cadd6bfe73b8

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

Imports

kernel32

RaiseException
GetLastError
MultiByteToWideChar
lstrlenA
InterlockedDecrement
GetProcAddress
LoadLibraryA
FreeResource
SizeofResource
LockResource
LoadResource
FindResourceA
GetModuleHandleA
Module32Next
CloseHandle
Module32First
CreateToolhelp32Snapshot
GetCurrentProcessId
SetEndOfFile
GetStringTypeW
GetStringTypeA
LCMapStringW
LCMapStringA
GetLocaleInfoA
HeapFree
GetProcessHeap
HeapAlloc
GetCommandLineA
HeapCreate
VirtualFree
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
VirtualAlloc
HeapReAlloc
HeapSize
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetModuleHandleW
Sleep
ExitProcess
WriteFile
GetStdHandle
GetModuleFileNameA
WideCharToMultiByte
GetConsoleCP
GetConsoleMode
ReadFile
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId
FlushFileBuffers
SetFilePointer
SetHandleCount
GetFileType
GetStartupInfoA
RtlUnwind
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
QueryPerformanceCounter
GetTickCount
GetSystemTimeAsFileTime
InitializeCriticalSectionAndSpinCount
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
CompareStringA
CompareStringW
SetEnvironmentVariableA
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
SetStdHandle
CreateFileA

ole32

OleInitialize

oleaut32

SafeArrayCreate
SafeArrayAccessData
SafeArrayUnaccessData
SafeArrayDestroy
SafeArrayCreateVector
VariantClear
VariantInit
SysFreeString
SysAllocString

Sections

.text
Size: 102KB - Virtual size: 101KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 27KB - Virtual size: 27KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 125KB - Virtual size: 125KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
ransomwares/GandCrab/GandCrab.exe
.exe windows:4 windows x86 arch:x86

754f05425de4ad06169098be9bbe56cb

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

mfc42

ord1727
ord5261
ord2446
ord2124
ord5277
ord2982
ord3147
ord3259
ord4465
ord3136
ord3262
ord2985
ord3081
ord2976
ord3830
ord3831
ord3825
ord3079
ord4080
ord4627
ord4425
ord3597
ord641
ord324
ord825
ord2302
ord1768
ord537
ord4710
ord800
ord535
ord860
ord540
ord4275
ord5290
ord3402
ord3619
ord6055
ord1776
ord4424
ord3721
ord809
ord795
ord2614
ord556
ord567
ord3626
ord3663
ord2414
ord5875
ord1088
ord2122
ord1641
ord2860
ord6199
ord3874
ord3797
ord6358
ord858
ord6197
ord2859
ord6880
ord2864
ord941
ord5572
ord2915
ord5065
ord1771
ord6366
ord2413
ord4401
ord3639
ord692
ord823
ord3803
ord4277
ord939
ord940
ord5856
ord2784
ord4160
ord2379
ord4220
ord2584
ord3654
ord2438
ord6270
ord2863
ord1644
ord1146
ord6877
ord2763
ord6930
ord6928
ord5861
ord6883
ord6283
ord6282
ord4673
ord4274
ord6375
ord4486
ord2554
ord2512
ord5731
ord3922
ord1089
ord5199
ord2396
ord3346
ord5300
ord5302
ord2725
ord4079
ord4698
ord5307
ord5289
ord5714
ord4622
ord3738
ord561
ord815
ord2621
ord1168
ord2358
ord2301
ord2370
ord755
ord470
ord6334
ord801
ord541
ord3092
ord3749
ord6376
ord2055
ord2648
ord4441
ord4837
ord3798
ord5280
ord4353
ord6374
ord5163
ord2385
ord5241
ord4407
ord1775
ord4078
ord6052
ord2514
ord4998
ord4853
ord4376
ord5265
ord6453
ord4234
ord1576

msvcrt

_controlfp
_except_handler3
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_initterm
__getmainargs
_acmdln
exit
_XcptFilter
_exit
_onexit
_setmbcp
__CxxFrameHandler
_mbsstr
_mbsspn
free
_mbstok
_strdup
__dllonexit

kernel32

GetModuleHandleA
LoadLibraryA
VirtualProtect
lstrcatA
lstrcpyA
GetWindowsDirectoryA
FreeLibrary
GetStartupInfoA
GlobalAlloc
GlobalUnlock
GlobalLock

user32

InflateRect
ReleaseDC
GetDC
GetParent
GetWindowRect
IsWindow
LoadCursorA
RedrawWindow
PtInRect
GetCursorPos
KillTimer
GetSystemMetrics
DrawFocusRect
GetSubMenu
LoadMenuA
EnumWindows
LoadIconA
GetSysColor
GetSystemMenu
LoadAcceleratorsA
DrawIcon
IsIconic
UpdateWindow
TranslateAcceleratorA
SetWindowLongA
GetClientRect
SetTimer
SetCursor
SendMessageA
DestroyCursor
EmptyClipboard
SetClipboardData
OpenClipboard
CloseClipboard
AppendMenuA
InvalidateRect
EnableWindow
CopyIcon

gdi32

CreateFontIndirectA
GetTextMetricsA
GetCharWidthA
GetTextExtentPoint32A
GetObjectA
GetStockObject

advapi32

RegQueryValueA
RegCloseKey
RegOpenKeyExA

shell32

ShellExecuteA

Sections

.text
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 84KB - Virtual size: 81KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 200KB - Virtual size: 199KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.xml
Size: 116KB - Virtual size: 115KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
ransomwares/GoldenEye/GoldenEye.exe
.exe windows:5 windows x86 arch:x86

eadbe699c9f56194b9bbdf2dd7631233

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

C:\src\ZoomIt\Release\ZoomIt.pdb

Imports

comctl32

ord17

winmm

PlaySoundA

gdiplus

GdipGetImageEncoders
GdipGetImageEncodersSize
GdipDrawImageRectRect
GdipSetInterpolationMode
GdipSetPixelOffsetMode
GdipDeleteGraphics
GdipCreateFromHDC
GdipCreateHBITMAPFromBitmap
GdipCreateBitmapFromFileICM
GdipCreateBitmapFromFile
GdipSaveImageToFile
GdipDisposeImage
GdipCloneImage
GdiplusShutdown
GdiplusStartup
GdipFree
GdipAlloc
GdipCreateBitmapFromHBITMAP

msimg32

AlphaBlend

kernel32

GetTickCount
FormatMessageA
lstrcpynA
CreateEventA
GetModuleFileNameA
CreateProcessA
GetCommandLineA
ExpandEnvironmentStringsA
FindResourceA
GetFileAttributesA
DeleteFileA
MultiByteToWideChar
GetStringTypeW
FatalAppExitA
CreateSemaphoreW
GetModuleHandleW
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
TerminateProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetSystemTimeAsFileTime
GetCurrentProcessId
QueryPerformanceCounter
GetStartupInfoW
MulDiv
GetFileType
GetConsoleMode
GetConsoleCP
WideCharToMultiByte
RtlUnwind
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
EnterCriticalSection
HeapSize
GetModuleFileNameW
WriteFile
GetStdHandle
AreFileApisANSI
GetModuleHandleExW
ExitProcess
GetProcessHeap
GetCurrentThreadId
SetLastError
GetCPInfo
GetOEMCP
GetACP
IsValidCodePage
InterlockedDecrement
InterlockedIncrement
IsProcessorFeaturePresent
IsDebuggerPresent
DecodePointer
EncodePointer
HeapAlloc
HeapFree
Beep
CloseHandle
SizeofResource
LoadResource
Sleep
WaitForSingleObject
GetLastError
SetThreadPriority
GetCurrentThread
GetExitCodeProcess
GetCurrentProcess
GetVersion
LockResource
GetCommandLineW
GetModuleHandleA
LoadLibraryA
LocalFree
LocalAlloc
GetProcAddress
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
RaiseException
GetDateFormatW
GetTimeFormatW
CompareStringW
LCMapStringW
InterlockedExchange
FreeLibrary
LoadLibraryExW
SetConsoleCtrlHandler
OutputDebugStringW
LoadLibraryW
SetFilePointerEx
HeapReAlloc
SetStdHandle
FlushFileBuffers
WriteConsoleW
CreateFileW
ReadFile
ReadConsoleW
SetEndOfFile
DeleteCriticalSection

user32

FindWindowW
FindWindowA
GetParent
GetDesktopWindow
GetWindowLongA
SetRect
FillRect
GetSysColor
ChildWindowFromPoint
MapWindowPoints
GetClipCursor
ClipCursor
GetCursorPos
LoadIconA
MessageBoxA
GetWindowRect
GetClientRect
RedrawWindow
InvalidateRect
EndPaint
BeginPaint
ReleaseDC
GetDC
SetForegroundWindow
GetForegroundWindow
SetActiveWindow
UpdateWindow
ChangeDisplaySettingsExA
SystemParametersInfoA
EnumDisplaySettingsA
SetCursorPos
DrawTextA
TrackPopupMenu
InsertMenuA
DestroyMenu
CreatePopupMenu
TranslateAcceleratorA
LoadAcceleratorsA
EnableWindow
KillTimer
SetTimer
GetAsyncKeyState
GetKeyState
SetFocus
EmptyClipboard
SetClipboardData
CloseClipboard
OpenClipboard
IsDlgButtonChecked
CheckDlgButton
GetDlgItemTextA
SetDlgItemTextA
DialogBoxParamA
CreateDialogParamA
BringWindowToTop
IsWindowVisible
SetWindowPos
ShowWindow
DestroyWindow
CreateWindowExA
RegisterClassA
PostQuitMessage
DefWindowProcA
PostMessageA
GetMessageExtraInfo
UnregisterHotKey
RegisterHotKey
DispatchMessageA
TranslateMessage
GetMessageA
LoadCursorA
InflateRect
GetSysColorBrush
SetCursor
SetWindowTextA
GetDlgItem
EndDialog
DialogBoxIndirectParamA
SendMessageA
SetWindowLongA

gdi32

DeleteDC
DeleteObject
Ellipse
GetStockObject
LineTo
Rectangle
SelectObject
CreateSolidBrush
StretchBlt
SetROP2
SetStretchBltMode
SetTextColor
GetObjectA
MoveToEx
Polygon
CreatePen
CreateFontIndirectA
GetDeviceCaps
StartDocA
SetMapMode
EndDoc
StartPage
EndPage
BitBlt
CreateBitmap
CreateCompatibleBitmap
CreateCompatibleDC
SetBkMode
CreateDCA

comdlg32

GetSaveFileNameA
GetOpenFileNameA
PrintDlgA
ChooseFontA

advapi32

RegCreateKeyA
RegOpenKeyExA
RegDeleteValueA
RegCreateKeyExA
RegSetValueExA
RegQueryValueExA
RegCloseKey

shell32

ShellExecuteA
Shell_NotifyIconA

ole32

CoInitialize

Sections

.text
Size: 190KB - Virtual size: 189KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 43KB - Virtual size: 43KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 6KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 434B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 13KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
ransomwares/Huzuni/Huzuni.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\xxx\source\repos\Huzuni\Huzuni\obj\Debug\Huzuni.pdb

Imports

mscoree

_CorExeMain

Sections

.text
Size: 59KB - Virtual size: 59KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
ransomwares/InfinityCrypt/InfinityCrypt.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

F:\DESKTOP!\ChkDsk\ChkDsk\obj\Debug\PremiereCrack.pdb

Imports

mscoree

_CorExeMain

Sections

.text
Size: 185KB - Virtual size: 184KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.sdata
Size: 512B - Virtual size: 312B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 24KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
ransomwares/JanusPetya/Decryption key.txt
ransomwares/JanusPetya/JanusPetya.exe
.exe windows:5 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

UPX0
Size: - Virtual size: 64KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 20KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
ransomwares/Krotten/Krotten.exe
.exe windows:4 windows x86 arch:x86

79fd079e9d3e0619831be2cf92afa94a

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

user32

TranslateMessage
ShowWindow
SetWindowTextA
SetWindowPos
SetTimer
SetForegroundWindow
SetCursorPos
SetClipboardData
SendNotifyMessageA
SendMessageTimeoutA
SendMessageA
RegisterWindowMessageA
RegisterClassExA
PostQuitMessage
OpenClipboard
MoveWindow
ModifyMenuA
MessageBoxA
MapWindowPoints
LoadIconA
LoadCursorA
LoadBitmapA
UpdateWindow
IsZoomed
IsWindowVisible
IsWindowEnabled
IsWindow
IsIconic
InsertMenuItemA
GetWindowThreadProcessId
GetWindowTextLengthA
GetWindowTextA
GetWindowRect
GetWindow
GetSystemMenu
GetSubMenu
GetParent
GetMessageA
GetMenuStringA
GetMenuItemID
GetMenuItemCount
GetMenu
GetForegroundWindow
GetDesktopWindow
GetCursorPos
keybd_event
mouse_event
KillTimer
GetClipboardData
GetClientRect
GetClassNameA
GetAsyncKeyState
EnumWindows
EnumChildWindows
EnableWindow
EnableMenuItem
EmptyClipboard
DrawMenuBar
DispatchMessageA
DefWindowProcA
CreateWindowExA
CloseClipboard
wsprintfA

kernel32

lstrlenA
lstrcpynA
lstrcpyA
lstrcmpA
lstrcatA
WriteProcessMemory
WriteFile
WaitForSingleObject
VirtualProtectEx
VirtualFree
VirtualAlloc
TerminateThread
TerminateProcess
SystemTimeToFileTime
Sleep
SetPriorityClass
SetLocalTime
SetFileTime
SetFilePointer
SetFileAttributesA
SetEndOfFile
SetCurrentDirectoryA
RtlMoveMemory
ResumeThread
RemoveDirectoryA
ReadProcessMemory
ReadFile
OpenProcess
MoveFileA
LocalFileTimeToFileTime
LoadLibraryA
InterlockedIncrement
GlobalUnlock
GlobalLock
GlobalAlloc
GetWindowsDirectoryA
GetVersionExA
GetSystemDirectoryA
GetProcAddress
GetModuleHandleA
GetModuleFileNameA
GetLocalTime
GetLastError
GetFileTime
GetFileSize
GetFileAttributesA
GetExitCodeProcess
GetCurrentProcess
CloseHandle
CopyFileA
CreateDirectoryA
CreateFileA
CreateMutexA
CreateProcessA
CreateThread
DeleteFileA
ExitProcess
ExitThread
ExpandEnvironmentStringsA
FileTimeToLocalFileTime
GetCurrentDirectoryA
FindClose
FindFirstFileA
FindNextFileA
GetCommandLineA
FileTimeToSystemTime

shell32

ShellExecuteExA
DragQueryFileA
DragFinish

gdi32

DeleteObject

advapi32

RegSetValueExA
RegQueryValueExA
RegQueryInfoKeyA
RegOpenKeyExA
RegOpenKeyA
RegDeleteValueA
RegDeleteKeyA
RegCreateKeyExA
RegCloseKey
OpenProcessToken
LookupPrivilegeValueA
AdjustTokenPrivileges

winmm

timeSetEvent
timeKillEvent

Sections

.text
Size: 19KB - Virtual size: 18KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 76KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 18KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
ransomwares/Locky/Locky.exe
.exe windows:5 windows x86 arch:x86

7ff21f6c00d977be0f3e10fe2269c48f

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

advapi32

RegSaveKeyW
RegRestoreKeyW
RegEnumKeyA
RegCreateKeyExA
RegReplaceKeyA
ReadEventLogA
RegUnLoadKeyW
IsTextUnicode
CryptSignHashA
ClearEventLogW
OpenEventLogW
RegOpenKeyW
RegDeleteValueA

shell32

SHGetFileInfoA
DragFinish
SHGetMalloc
ExtractIconA
ShellMessageBoxA
FindExecutableA
SHGetDesktopFolder
SHChangeNotify
DragQueryFileA
ShellAboutA
DragQueryPoint

shlwapi

UrlIsA
UrlCompareW
PathIsURLW
PathCommonPrefixA
UrlIsOpaqueA
UrlHashW
UrlIsNoHistoryW
PathCompactPathA
UrlGetPartW
PathCombineA
UrlGetLocationW
UrlEscapeW
UrlUnescapeW
PathStripPathW

modemui

InvokeControlPanel
drvSetDefaultCommConfigA

untfs

Recover
Chkdsk
Format

kernel32

DeleteFileW
LoadLibraryA
GetProcAddress
GetProcessId
GetTickCount
WaitForSingleObject
CreateWaitableTimerA
OpenSemaphoreW
WaitNamedPipeW
InterlockedIncrement
GetProcessHeap
OpenMutexW
FindNextFileW
MoveFileExA
LoadLibraryExW

Sections

.text
Size: 49KB - Virtual size: 49KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_READ

.data
Size: 34KB - Virtual size: 34KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 566KB - Virtual size: 565KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
ransomwares/Mischa/Mischa.exe
.exe windows:5 windows x86 arch:x86

b69d08e7a9e8d45257d48420e3bd8e18

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

wsock32

recv
socket
getservbyname
WSASetLastError
closesocket
gethostbyaddr
gethostbyname
send
WSAAsyncSelect
WSACleanup
gethostname
inet_ntoa
connect
inet_addr
WSAStartup
ioctlsocket
htonl
WSAGetLastError
htons
ntohs
shutdown
getservbyport

winmm

mixerClose
mixerGetLineControlsW
mixerGetLineInfoW
mixerSetControlDetails
waveOutGetVolume
waveOutSetVolume
mixerGetDevCapsW
mixerOpen
mixerGetControlDetailsW
mciSendStringW
joyGetDevCapsW
joyGetPosEx

version

GetFileVersionInfoSizeW
VerQueryValueW
GetFileVersionInfoW

comctl32

ImageList_GetIconSize
ImageList_Create
ImageList_Destroy
ImageList_AddMasked
ImageList_ReplaceIcon
CreateStatusWindowW
InitCommonControlsEx

psapi

GetModuleBaseNameW
GetModuleFileNameExW

kernel32

OutputDebugStringW
WideCharToMultiByte
GetSystemDirectoryA
GetProcAddress
LoadLibraryA
GetCurrentThreadId
lstrcmpiW
CreateThread
SetThreadPriority
GetExitCodeThread
CloseHandle
CreateMutexW
GetLastError
GetModuleHandleW
GetVersionExW
DeleteCriticalSection
GetModuleFileNameW
GetFileAttributesW
GetFullPathNameW
GetSystemTimeAsFileTime
FindFirstFileW
FindNextFileW
FindClose
FileTimeToLocalFileTime
SetEnvironmentVariableW
Beep
MoveFileW
CreateProcessW
MultiByteToWideChar
GetExitCodeProcess
WriteProcessMemory
ReadProcessMemory
GetCurrentProcessId
OpenProcess
TerminateProcess
SetPriorityClass
SetLastError
GetLocalTime
GetDateFormatW
GetTimeFormatW
GetDiskFreeSpaceW
SetVolumeLabelW
CreateFileW
DeviceIoControl
GetDriveTypeW
FreeLibrary
CreateDirectoryW
ReadFile
WriteFile
DeleteFileW
CopyFileW
SetFileAttributesW
LocalFileTimeToFileTime
SetFileTime
GetFileSizeEx
GetSystemTime
GetSystemDefaultUILanguage
GetComputerNameW
GetWindowsDirectoryW
GetTempPathW
GetShortPathNameW
LoadLibraryW
EnterCriticalSection
LeaveCriticalSection
VirtualProtect
QueryDosDeviceW
CompareStringW
RemoveDirectoryW
GetCurrentProcess
FormatMessageW
GetPrivateProfileStringW
GetPrivateProfileSectionW
GetPrivateProfileSectionNamesW
WritePrivateProfileStringW
WritePrivateProfileSectionW
SetEndOfFile
GetACP
GetFileType
GetStdHandle
SetFilePointerEx
SystemTimeToFileTime
FileTimeToSystemTime
GetFileSize
VirtualAllocEx
VirtualFreeEx
EnumResourceNamesW
LoadLibraryExW
FindResourceW
LoadResource
LockResource
SizeofResource
GlobalSize
GetEnvironmentVariableW
GlobalUnlock
GlobalFree
GlobalAlloc
GlobalLock
GetCurrentDirectoryW
SetErrorMode
InitializeCriticalSection
GetCPInfo
SetCurrentDirectoryW
Sleep
GetTickCount
MulDiv
InterlockedIncrement
InterlockedDecrement
GetOEMCP
IsValidCodePage
HeapAlloc
HeapFree
HeapReAlloc
ExitProcess
HeapSize
HeapQueryInformation
GetCommandLineW
HeapSetInformation
GetStartupInfoW
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetStringTypeW
HeapCreate
InitializeCriticalSectionAndSpinCount
RaiseException
SetHandleCount
IsProcessorFeaturePresent
RtlUnwind
SetFilePointer
LCMapStringW
GetConsoleCP
GetConsoleMode
FreeEnvironmentStringsW
GetEnvironmentStringsW
QueryPerformanceCounter
FlushFileBuffers
SetStdHandle
WriteConsoleW
GetProcessHeap
GetVolumeInformationW
VirtualQuery

user32

IsIconic
RegisterWindowMessageW
GetSysColor
GetSysColorBrush
DrawIconEx
FillRect
DefWindowProcW
SetForegroundWindow
DialogBoxParamW
SendDlgItemMessageW
GetDlgItem
SetDlgItemTextW
IsWindowEnabled
MessageBeep
ClientToScreen
GetCursor
GetLastInputInfo
GetMenuItemCount
GetMenuItemID
GetSubMenu
GetMenuStringW
ExitWindowsEx
SetMenu
FlashWindow
MapWindowPoints
RedrawWindow
SetParent
GetClassInfoExW
GetAncestor
UpdateWindow
GetMessagePos
GetClassLongW
DefDlgProcW
CallWindowProcW
CheckRadioButton
IntersectRect
PtInRect
CreateAcceleratorTableW
DestroyAcceleratorTable
InsertMenuItemW
SetMenuDefaultItem
RemoveMenu
SetMenuItemInfoW
IsMenu
GetMenuItemInfoW
CreateMenu
CreatePopupMenu
SetMenuInfo
AppendMenuW
DestroyMenu
TrackPopupMenuEx
CreateIconIndirect
GetDesktopWindow
CopyImage
CreateIconFromResourceEx
EnumClipboardFormats
GetWindow
BringWindowToTop
IsZoomed
SystemParametersInfoW
AdjustWindowRectEx
DrawTextW
SetRect
GetIconInfo
SetWindowTextW
IsWindowVisible
GetMenu
CheckMenuItem
LoadImageW
GetQueueStatus
SetClipboardViewer
LoadAcceleratorsW
CreateWindowExW
RegisterClassExW
LoadCursorW
DestroyIcon
DestroyWindow
IsCharAlphaW
MapVirtualKeyW
MapVirtualKeyExW
VkKeyScanExW
GetWindowTextW
mouse_event
WindowFromPoint
GetSystemMetrics
keybd_event
SetKeyboardState
GetKeyboardState
GetCursorPos
GetAsyncKeyState
SendInput
UnregisterHotKey
RegisterHotKey
PostQuitMessage
SendMessageTimeoutW
UnhookWindowsHookEx
SetWindowsHookExW
PostThreadMessageW
IsCharUpperW
IsCharLowerW
IsCharAlphaNumericW
ToUnicodeEx
GetKeyboardLayout
CallNextHookEx
CharLowerW
ReleaseDC
GetDC
MessageBoxW
OpenClipboard
GetClipboardData
GetClipboardFormatNameW
CloseClipboard
SetClipboardData
EmptyClipboard
PostMessageW
EnumWindows
GetWindowTextLengthW
EnableWindow
InvalidateRect
SetLayeredWindowAttributes
SetWindowPos
SetWindowRgn
SetFocus
GetGUIThreadInfo
SetActiveWindow
EnumChildWindows
GetTopWindow
MoveWindow
FindWindowW
EndDialog
IsWindow
DispatchMessageW
TranslateMessage
ShowWindow
CountClipboardFormats
SetWindowLongW
ScreenToClient
IsDialogMessageW
SendMessageW
GetWindowLongW
GetKeyState
TranslateAcceleratorW
KillTimer
PeekMessageW
GetFocus
GetClassNameW
GetWindowThreadProcessId
GetForegroundWindow
GetMessageW
SetTimer
GetParent
GetDlgCtrlID
CharUpperW
IsClipboardFormatAvailable
GetWindowRect
ChangeClipboardChain
GetClientRect
AttachThreadInput

gdi32

SetBkColor
GdiFlush
CreateDIBSection
GetPixel
BitBlt
CreateCompatibleBitmap
GetSystemPaletteEntries
EnumFontFamiliesExW
SetBkMode
GetCharABCWidthsW
GetClipBox
FillRgn
GetClipRgn
ExcludeClipRect
GetDeviceCaps
DeleteObject
CreateFontW
CreateSolidBrush
GetDIBits
CreateCompatibleDC
CreatePolygonRgn
CreateRectRgn
CreateRoundRectRgn
CreateEllipticRgn
DeleteDC
GetObjectW
GetTextMetricsW
GetTextFaceW
SelectObject
GetStockObject
CreateDCW
SetTextColor

comdlg32

CommDlgExtendedError
GetOpenFileNameW
GetSaveFileNameW

advapi32

LockServiceDatabase
CloseServiceHandle
UnlockServiceDatabase
OpenSCManagerW
GetUserNameW
RegEnumKeyExW
RegEnumValueW
RegQueryInfoKeyW
RegDeleteValueW
RegDeleteKeyW
RegSetValueExW
RegCreateKeyExW
RegQueryValueExW
AdjustTokenPrivileges
LookupPrivilegeValueW
RegConnectRegistryW
RegCloseKey
RegOpenKeyExW
OpenProcessToken

shell32

DragQueryPoint
SHFileOperationW
SHGetPathFromIDListW
SHBrowseForFolderW
SHGetDesktopFolder
SHGetMalloc
SHGetFolderPathW
ShellExecuteExW
Shell_NotifyIconW
DragFinish
DragQueryFileW
ExtractIconW

ole32

OleInitialize
OleUninitialize
CoCreateInstance
CoInitialize
CoUninitialize
CLSIDFromString
CoGetObject
StringFromGUID2
CreateStreamOnHGlobal

oleaut32

SafeArrayDestroy
GetActiveObject
SysStringLen
SysFreeString
SafeArrayCreate
VariantClear
VariantChangeType
SysAllocString
SafeArrayCopy
VariantCopyInd
SafeArrayGetUBound
SafeArrayGetLBound
SafeArrayGetDim
SafeArrayLock
SafeArrayPtrOfIndex
SafeArrayUnlock
SafeArrayAccessData
SafeArrayGetElemsize
SafeArrayUnaccessData
OleLoadPicture

Sections

.text
Size: 690KB - Virtual size: 690KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 150KB - Virtual size: 149KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 13KB - Virtual size: 40KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 24KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
ransomwares/MischaV2/MischaV2.exe
.exe windows:6 windows x86 arch:x86

f49f0205185750caf2c9a1ab85519307

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

ScriptedSandbox32.pdb

Imports

advapi32

RegOpenKeyExW
RegQueryValueExW
RegCloseKey

kernel32

GlobalUnlock
GlobalLock
GlobalAlloc
MulDiv
lstrcmpW
HeapDestroy
HeapSize
HeapReAlloc
HeapFree
HeapAlloc
GetProcessHeap
LoadLibraryExW
GetProcAddress
SizeofResource
LockResource
LoadResource
FindResourceW
FlushInstructionCache
CompareStringOrdinal
RaiseFailFastException
CloseHandle
ReadFile
WriteFile
CreatePipe
CreateThread
OpenProcess
GetModuleHandleW
DecodePointer
SetEvent
GetTempPathW
GetTempFileNameW
ReadProcessMemory
CreateEventW
WaitForSingleObject
WaitForMultipleObjects
ExitProcess
GetCurrentProcessId
GetVersion
GetCurrentProcess
SetLastError
GetCurrentThreadId
GetModuleFileNameW
LeaveCriticalSection
EnterCriticalSection
RaiseException
DeleteCriticalSection
InitializeCriticalSectionEx
GetLastError
FindResourceExW
FindAtomW
AddAtomW
LoadLibraryW
GetFileAttributesW
VirtualFree
VirtualAlloc
InterlockedPushEntrySList
InterlockedPopEntrySList
InitializeSListHead
ReadConsoleW
SetEndOfFile
WriteConsoleW
FlushFileBuffers
SetStdHandle
CreateFileW
GetStringTypeW
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetLocaleInfoW
LCMapStringW
SetFilePointerEx
GetConsoleMode
GetConsoleCP
OutputDebugStringW
GetCPInfo
GetOEMCP
GetACP
IsValidCodePage
RtlUnwind
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
TerminateProcess
Sleep
InitializeCriticalSectionAndSpinCount
SetUnhandledExceptionFilter
UnhandledExceptionFilter
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetSystemTimeAsFileTime
QueryPerformanceCounter
GetStartupInfoW
GetFileType
GetStdHandle
WideCharToMultiByte
MultiByteToWideChar
GetModuleHandleExW
IsProcessorFeaturePresent
IsDebuggerPresent
EncodePointer
GetCommandLineW

gdi32

CreateSolidBrush
CreateCompatibleDC
CreateCompatibleBitmap
SelectObject
DeleteObject
BitBlt
DeleteDC
GetStockObject
GetObjectW
GetDeviceCaps

user32

CallWindowProcW
InvalidateRect
GetDC
ReleaseDC
GetDesktopWindow
DestroyAcceleratorTable
GetWindowLongW
SetWindowLongW
DefWindowProcW
LoadCursorW
RegisterClassExW
UnregisterClassW
IsWindow
IsChild
GetFocus
SetFocus
GetWindow
PostMessageW
AttachThreadInput
InvalidateRgn
GetClientRect
FillRect
ReleaseCapture
SetCapture
MoveWindow
ScreenToClient
GetParent
ClientToScreen
CreateAcceleratorTableW
DestroyWindow
CreateWindowExW
GetClassInfoExW
SetTimer
KillTimer
CallNextHookEx
UnhookWindowsHookEx
SetWindowsHookExW
SetParent
GetAsyncKeyState
GetGUIThreadInfo
GetWindowThreadProcessId
SetProcessDPIAware
PostThreadMessageW
DispatchMessageW
TranslateMessage
PostQuitMessage
GetMessageW
GetDoubleClickTime
AllowSetForegroundWindow
GetMonitorInfoW
MonitorFromPoint
RegisterWindowMessageW
GetWindowTextLengthW
GetWindowTextW
SetWindowTextW
BeginPaint
EndPaint
GetDlgItem
SendMessageW
GetClassNameW
GetSysColor
CharNextW
SetWindowPos
RedrawWindow

ole32

OleLockRunning
CoTaskMemFree
CoCreateInstance
CoGetClassObject
OleUninitialize
OleInitialize
CreateStreamOnHGlobal
StringFromGUID2
CoTaskMemAlloc
CoInitializeEx
CoReleaseServerProcess
CoAddRefServerProcess
CoUninitialize
CoInitialize
IIDFromString
CreateBindCtx
CLSIDFromString
CLSIDFromProgID
CoGetMalloc

oleaut32

SysStringLen
SysFreeString
SysAllocString
OleCreateFontIndirect
SysStringByteLen
SysAllocStringByteLen
DispCallFunc
VariantChangeType
VarBstrCat
SysAllocStringLen
VariantInit
LoadTypeLi
LoadRegTypeLi
VariantClear

shlwapi

PathFindFileNameW
StrStrW
ord12

version

GetFileVersionInfoSizeW
VerQueryValueW
GetFileVersionInfoW

wer

WerReportAddFile
WerReportCloseHandle
WerReportSubmit
WerReportSetParameter
WerReportCreate

urlmon

CreateUri

Sections

.text
Size: 249KB - Virtual size: 249KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 7KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 9B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 829B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 14KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.xxxx
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
ransomwares/NoMoreRansom/NoMoreRansom.exe
.exe windows:5 windows x86 arch:x86

f4aae2cc8a2971ab9714645e85b7edb6

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

InitializeSListHead
InterlockedCompareExchange
InterlockedDecrement
InterlockedExchange
InterlockedIncrement
IsBadHugeReadPtr
IsDebuggerPresent
IsProcessorFeaturePresent
LCMapStringA
LeaveCriticalSection
LoadLibraryA
LoadLibraryExA
LoadResource
LocalAlloc
LocalFileTimeToFileTime
LocalFree
LocalReAlloc
LockResource
MoveFileExA
MulDiv
MultiByteToWideChar
OpenFileMappingW
OutputDebugStringA
OutputDebugStringW
QueryDosDeviceW
QueryPerformanceCounter
RaiseException
ReadConsoleInputW
ReadConsoleW
ReadFile
InitializeCriticalSectionAndSpinCount
RtlMoveMemory
RtlUnwind
SetCalendarInfoA
SetComputerNameA
SetEvent
SetHandleCount
SetLastError
SetThreadExecutionState
SetUnhandledExceptionFilter
SizeofResource
Sleep
TerminateProcess
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
UnhandledExceptionFilter
VirtualFree
VirtualProtect
VirtualQuery
WaitForSingleObject
WaitForSingleObjectEx
WideCharToMultiByte
WriteFile
WritePrivateProfileStringA
lstrcmpA
lstrcmpW
lstrcmpiW
lstrlenA
InitializeCriticalSection
HeapReAlloc
HeapFree
HeapDestroy
HeapCreate
HeapAlloc
GlobalUnlock
GlobalReAlloc
GlobalMemoryStatusEx
GlobalLock
GlobalHandle
GlobalGetAtomNameA
GlobalFree
GlobalFlags
GlobalFix
GlobalFindAtomA
GlobalDeleteAtom
GlobalAlloc
GlobalAddAtomA
GetWindowsDirectoryW
GetVolumePathNamesForVolumeNameW
GetVersionExA
GetVersion
GetTimeZoneInformation
GetTickCount
GetTempFileNameA
GetTapePosition
GetSystemTimes
GetSystemTimeAsFileTime
GetSystemInfo
GetStdHandle
GetStartupInfoW
GetStartupInfoA
GetProcessHeap
GetProcAddress
GetPrivateProfileStringA
GetPrivateProfileIntW
GetPrivateProfileIntA
GetModuleHandleW
GetModuleFileNameW
GetModuleFileNameA
GetLongPathNameW
GetLocaleInfoA
GetLastError
GetFullPathNameW
GetFileType
GetFileSizeEx
GetFileSize
GetFileAttributesExW
GetEnvironmentStringsW
GetEnvironmentStrings
GetDiskFreeSpaceExW
GetCurrentThreadId
GetCurrentThread
GetCurrentProcessId
GetCurrentProcess
GetConsoleAliasExesLengthA
GetCommandLineW
GetCommandLineA
GetBinaryTypeA
FreeResource
FreeLibrary
FreeEnvironmentStringsW
FreeEnvironmentStringsA
FormatMessageA
FlushFileBuffers
FindVolumeClose
FindResourceA
FindNextVolumeW
FindFirstVolumeW
FindFirstVolumeMountPointW
FindFirstFileA
FindClose
FileTimeToSystemTime
FileTimeToLocalFileTime
ExpandEnvironmentStringsW
ExitProcess
EnumResourceLanguagesA
EnumDateFormatsW
EnterCriticalSection
DosDateTimeToFileTime
DeleteFileW
DeleteFileA
DeleteCriticalSection
DeleteAtom
CreateThread
CreateFileW
CreateFileA
CreateEventW
CreateEventA
CopyFileA
ConvertDefaultLocale
CompareStringW
CompareStringA
CommConfigDialogW
CloseHandle
Beep
GetModuleHandleA
RtlFillMemory
VirtualAlloc

user32

MessageBoxW
ModifyMenuA
OpenClipboard
PeekMessageA
PostMessageA
PostMessageW
PostQuitMessage
PostThreadMessageA
PostThreadMessageW
PtInRect
RedrawWindow
RegisterClassA
RegisterClassExW
RegisterClipboardFormatA
RegisterClipboardFormatW
RegisterWindowMessageA
RegisterWindowMessageW
ReleaseDC
RemovePropA
RemovePropW
SendDlgItemMessageA
SendMessageA
SendMessageCallbackA
SendMessageTimeoutW
SendMessageW
SetActiveWindow
SetCursor
SetFocus
SetForegroundWindow
SetMenuInfo
SetMenuItemBitmaps
SetPropA
SetPropW
SetRect
SetScrollInfo
SetTimer
SetWindowLongA
SetWindowLongW
SetWindowPos
SetWindowRgn
SetWindowTextA
SetWindowsHookExA
ShowWindow
SystemParametersInfoA
SystemParametersInfoW
TabbedTextOutA
TranslateMessage
UnhookWindowsHookEx
UnionRect
UnregisterClassA
UnregisterDeviceNotification
UpdateLayeredWindow
UpdateWindow
ValidateRect
WINNLSGetEnableStatus
WaitMessage
WinHelpA
keybd_event
MessageBoxA
MapWindowPoints
MapVirtualKeyW
LoadCursorW
LoadCursorA
LoadBitmapA
KillTimer
IsWindowEnabled
IsWindow
IsDialogMessageA
IsCharAlphaNumericW
InvalidateRect
InflateRect
GrayStringA
GetWindowThreadProcessId
GetWindowTextA
GetWindowRect
GetWindowPlacement
GetWindowModuleFileNameW
GetWindowModuleFileName
GetWindowLongW
GetWindowLongA
GetWindowDC
GetWindow
GetUserObjectSecurity
GetSystemMetrics
GetSystemMenu
GetSysColorBrush
GetSubMenu
GetScrollRange
GetScrollPos
GetScrollInfo
GetScrollBarInfo
GetPropA
GetParent
GetNextDlgTabItem
GetMonitorInfoA
GetMessageW
GetMessageTime
GetMessagePos
GetMessageA
GetMenuState
GetMenuItemID
GetMenu
GetLastActivePopup
GetKeyState
GetInputState
GetIconInfo
GetFocus
GetDlgItemTextW
GetDlgItemInt
GetDlgItem
GetCursorPos
GetComboBoxInfo
GetClientRect
GetClassNameW
GetClassNameA
GetClassLongA
GetClassInfoExW
GetClassInfoExA
GetClassInfoA
GetCapture
FrameRect
FindWindowW
FillRect
EnumWindows
EnumDesktopWindows
EndPaint
EndDialog
EnableWindow
EnableMenuItem
EmptyClipboard
DrawTextW
DrawTextExA
DrawTextA
DrawMenuBar
DrawFrameControl
DlgDirListComboBoxA
DispatchMessageW
DispatchMessageA
DestroyWindow
DestroyMenu
DeregisterShellHookWindow
DefWindowProcA
DdeCmpStringHandles
CreateWindowExA
CreateDialogIndirectParamA
CopyRect
CopyImage
CloseClipboard
ClientToScreen
CheckMenuItem
CharNextA
ChangeMenuA
CallWindowProcW
CallWindowProcA
CallNextHookEx
BeginPaint
AppendMenuW
AllowSetForegroundWindow
AdjustWindowRectEx
CloseDesktop
GetCursor
GetWindowTextLengthW
PaintDesktop
GetDesktopWindow
CreatePopupMenu
GetKeyboardType
DestroyCursor
EndMenu
AnyPopup
OemKeyScan
GetTopWindow
IsCharUpperA
GetKBCodePage
GetSysColor
GetOpenClipboardWindow
GetForegroundWindow
GetDoubleClickTime
GetActiveWindow
CreateMenu
LoadIconA
IsWindowVisible
CopyIcon
GetDC
CharLowerW
IsCharLowerA
ShowCaret
IsIconic
GetMenuCheckMarkDimensions
OpenIcon
GetKeyboardLayout
GetWindowTextLengthA
ReleaseCapture
GetDlgCtrlID
CharNextW
GetDialogBaseUnits
CharUpperW
CharUpperA
LoadCursorFromFileA
GetAsyncKeyState
GetMenuItemCount

gdi32

PolyTextOutA
PtVisible
RectVisible
RemoveFontResourceExA
RestoreDC
STROBJ_bEnum
SaveDC
ScaleViewportExtEx
ScaleWindowExtEx
SelectObject
SetBkColor
PlayMetaFile
SetEnhMetaFileBits
SetICMMode
SetMapMode
SetPaletteEntries
SetRectRgn
SetTextColor
SetViewportExtEx
SetViewportOrgEx
SetWindowExtEx
TextOutA
XLATEOBJ_piVector
OffsetViewportOrgEx
GetTextFaceA
GetOutlineTextMetricsA
GetObjectA
GetGraphicsMode
GetGlyphOutlineWow
GetFontData
GetEnhMetaFilePaletteEntries
GetDeviceCaps
GetClipBox
GdiValidateHandle
GdiResetDCEMF
GdiProcessSetup
GdiInitializeLanguagePack
GdiGetLocalDC
SetDIBits
EndDoc
GdiEntry10
FrameRgn
ExtTextOutA
Escape
EqualRgn
EngStretchBltROP
EngCreateClip
EngCreateBitmap
DeleteObject
DeleteDC
CreatePalette
CreateICA
CreateFontIndirectA
CreateDIBSection
CreateBitmap
CopyMetaFileA
CLIPOBJ_ppoGetPath
AddFontMemResourceEx
RealizePalette
StrokePath
DeleteMetaFile
GetLayout
GetStretchBltMode
GetPixelFormat
AddFontResourceW
GetFontLanguageInfo
GetStockObject
UnrealizeObject
CloseEnhMetaFile
GetMapMode
AbortPath
SwapBuffers
GetEnhMetaFileW
DeleteColorSpace
SetMetaRgn
DeleteEnhMetaFile
GetSystemPaletteUse
GetTextAlign
CreateMetaFileA
AbortDoc
CancelDC
GdiFlush

advapi32

RegQueryValueExA
RegQueryValueA
RegOpenKeyExW
RegOpenKeyExA
RegOpenKeyA
RegEnumKeyA
RegDeleteValueA
RegDeleteKeyA
RegCreateKeyExA
RegCloseKey
CryptReleaseContext
CryptGenRandom
CryptAcquireContextW
RegOpenKeyW
RegQueryValueExW
RegSetValueExA

shell32

ShellExecuteW
ShellExecuteEx
ShellAboutW
SHQueryRecycleBinW
SHPathPrepareForWriteA
SHGetSpecialFolderLocation
SHGetPathFromIDListW
SHGetPathFromIDListA
SHGetPathFromIDList
SHGetFolderPathW
SHGetFolderPathA
SHGetFolderLocation
SHGetFileInfoW
SHGetFileInfo
SHGetDiskFreeSpaceExW
SHGetDiskFreeSpaceA
SHGetDesktopFolder
SHGetDataFromIDListA
SHFileOperationW
SHFileOperationA
SHEmptyRecycleBinA
SHCreateDirectoryExA
ExtractIconExW
ExtractIconA
DuplicateIcon
DragQueryFileW
DragQueryFile
DragFinish
DragAcceptFiles
DoEnvironmentSubstW
CommandLineToArgvW

ole32

OleFlushClipboard
OleInitialize
OleIsCurrentClipboard
OleUninitialize
CoSuspendClassObjects
CoRevokeClassObject
CoResumeClassObjects
CoRegisterMessageFilter
CoInitializeSecurity
CoInitializeEx
CoInitialize
CoFreeUnusedLibraries
CoCreateInstance
CoUninitialize

shlwapi

PathFindExtensionA
PathFindFileNameA
PathFindFileNameW
PathIsUNCA
PathStripToRootA
StrChrW
StrCmpNA
StrCmpNIA
StrCmpNIW

Sections

.text
Size: 980KB - Virtual size: 979KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 248KB - Virtual size: 248KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 163KB - Virtual size: 671KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
ransomwares/NotPetya/NotPetya.exe
.exe windows:5 windows x86 arch:x86

adc91e78c31ad4f7f2dc94e73db3a3f2

Code Sign

2e:ab:11:dc:50:ff:5c:9d:cb:c0
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

22-08-2007 22:31

Not After

25-08-2012 07:00

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:01:cf:3e:00:00:00:00:00:0f
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

07-12-2009 22:40

Not After

07-03-2011 22:40

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

6a:0b:99:4f:c0:00:25:ab:11:db:45:1f:58:7a:67:a2
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

16-09-2006 01:04

Not After

15-09-2019 07:00

Subject

CN=Microsoft Timestamping PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:05:a2:30:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Timestamping PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

25-07-2008 19:01

Not After

25-07-2013 19:11

Subject

CN=Microsoft Time-Stamp Service,OU=MOPR+OU=nCipher DSE ESN:85D3-305C-5BCF,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

4a:63:4e:91:74:a3:d3:73:ad:dd:d1:e4:4b:3f:4b:b2:f7:58:e5:09
Signer

Actual PE Digest

4a:63:4e:91:74:a3:d3:73:ad:dd:d1:e4:4b:3f:4b:b2:f7:58:e5:09

Digest Algorithm

sha1

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

ExitProcess
CreateProcessW
WriteFile
GetSystemDirectoryW
CreateFileW
CloseHandle
GetWindowsDirectoryW

user32

wsprintfW

Sections

.text
Size: 512B - Virtual size: 426B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 512B - Virtual size: 380B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 812B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

[0]
Size: 354KB - Virtual size: 353KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 840B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
ransomwares/PetrWrap/PetrWrap(Patched).exe
.exe windows:5 windows x86 arch:x86

90cfb770dd8b0646a46fc541c93185a2

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetCurrentProcessId
GetTickCount
GetVersionExA
FreeLibrary
GetProcAddress
GlobalMemoryStatus
LoadLibraryA
HeapAlloc
HeapFree
GetCommandLineA
HeapReAlloc
IsProcessorFeaturePresent
EnterCriticalSection
LeaveCriticalSection
GetSystemTimeAsFileTime
IsDebuggerPresent
GetModuleFileNameW
GetModuleHandleExW
WriteConsoleW
ReadFile
EncodePointer
DecodePointer
InterlockedDecrement
ExitProcess
AreFileApisANSI
MultiByteToWideChar
GetProcessHeap
SetLastError
InterlockedIncrement
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
GetStartupInfoW
GetModuleFileNameA
GetEnvironmentStringsW
QueryPerformanceCounter
WideCharToMultiByte
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetModuleHandleW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
OutputDebugStringW
LoadLibraryExW
LoadLibraryW
FlushFileBuffers
GetConsoleCP
GetConsoleMode
RtlUnwind
ReadConsoleW
SetFilePointer
SetFilePointerEx
SetStdHandle
GetStringTypeW
LCMapStringW
HeapSize
CreateFileW
SetEndOfFile
GetVersion
GetCurrentThreadId
GetLastError
GetFileType
GetStdHandle
Sleep
VirtualAlloc
CreateFileA
CloseHandle
FreeEnvironmentStringsW
WriteFile

user32

GetUserObjectInformationW
GetProcessWindowStation
wsprintfA
MessageBoxA
GetDesktopWindow

advapi32

ReportEventA
DeregisterEventSource
RegisterEventSourceA

Sections

.text
Size: 205KB - Virtual size: 205KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 82KB - Virtual size: 82KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 139KB - Virtual size: 148KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 45KB - Virtual size: 44KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
ransomwares/PetrWrap/PetrWrap.exe
.exe windows:5 windows x86 arch:x86

90cfb770dd8b0646a46fc541c93185a2

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetCurrentProcessId
GetTickCount
GetVersionExA
FreeLibrary
GetProcAddress
GlobalMemoryStatus
LoadLibraryA
HeapAlloc
HeapFree
GetCommandLineA
HeapReAlloc
IsProcessorFeaturePresent
EnterCriticalSection
LeaveCriticalSection
GetSystemTimeAsFileTime
IsDebuggerPresent
GetModuleFileNameW
GetModuleHandleExW
WriteConsoleW
ReadFile
EncodePointer
DecodePointer
InterlockedDecrement
ExitProcess
AreFileApisANSI
MultiByteToWideChar
GetProcessHeap
SetLastError
InterlockedIncrement
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
GetStartupInfoW
GetModuleFileNameA
GetEnvironmentStringsW
QueryPerformanceCounter
WideCharToMultiByte
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetModuleHandleW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
OutputDebugStringW
LoadLibraryExW
LoadLibraryW
FlushFileBuffers
GetConsoleCP
GetConsoleMode
RtlUnwind
ReadConsoleW
SetFilePointer
SetFilePointerEx
SetStdHandle
GetStringTypeW
LCMapStringW
HeapSize
CreateFileW
SetEndOfFile
GetVersion
GetCurrentThreadId
GetLastError
GetFileType
GetStdHandle
Sleep
VirtualAlloc
CreateFileA
CloseHandle
FreeEnvironmentStringsW
WriteFile

user32

GetUserObjectInformationW
GetProcessWindowStation
wsprintfA
MessageBoxA
GetDesktopWindow

advapi32

ReportEventA
DeregisterEventSource
RegisterEventSourceA

Sections

.text
Size: 205KB - Virtual size: 205KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 82KB - Virtual size: 82KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 139KB - Virtual size: 148KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 45KB - Virtual size: 44KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
ransomwares/Petya.A/Petya.A.exe
.exe windows:5 windows x86 arch:x86

1a63922d5931d1bb8ca5188313f78eaa

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

GoogleCrashHandler_unsigned.pdb

Imports

kernel32

GetCurrentThreadId
GetStdHandle
GetFileType
GetStartupInfoW
GetModuleFileNameW
WriteFile
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
GetEnvironmentStringsW
FreeEnvironmentStringsW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
CreateEventW
Sleep
GetCurrentProcess
TerminateProcess
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetTickCount
CreateSemaphoreW
FreeLibrary
LoadLibraryExW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
RtlUnwind
LCMapStringW
GetStringTypeW
FlushFileBuffers
GetConsoleCP
GetConsoleMode
SetStdHandle
SetFilePointerEx
WriteConsoleW
CloseHandle
CreateFileW
SizeofResource
LockResource
LoadResource
FindResourceW
FindResourceExW
LocalFree
CreateDirectoryW
DeleteFileW
GetCurrentThread
WaitForMultipleObjects
LoadLibraryW
WaitForSingleObject
GetExitCodeProcess
DuplicateHandle
ReleaseMutex
GetEnvironmentVariableW
lstrcmpiW
VirtualQuery
GetTempPathW
GetLocalTime
OutputDebugStringA
GetPrivateProfileIntW
GetPrivateProfileStringW
lstrcmpW
lstrlenW
SetFilePointer
CreateMutexW
InitializeCriticalSection
TryEnterCriticalSection
SetEvent
ResetEvent
GetFileAttributesExW
SetLastError
VerifyVersionInfoW
VerSetConditionMask
MoveFileExW
GetFileTime
ReadFile
DeviceIoControl
SetProcessWorkingSetSize
OpenProcess
CreateProcessW
ReadProcessMemory
lstrcpynW
GlobalAlloc
GlobalLock
GlobalUnlock
GlobalFree
CreateThread
DebugActiveProcess
GetThreadContext
DebugActiveProcessStop
VirtualQueryEx
GetProcessId
GetSystemInfo
ContinueDebugEvent
WaitForDebugEvent
WideCharToMultiByte
MultiByteToWideChar
GetModuleHandleExW
ExitProcess
IsProcessorFeaturePresent
GetCommandLineW
EncodePointer
LeaveCriticalSection
WaitNamedPipeW
TransactNamedPipe
SetNamedPipeHandleState
RtlCaptureContext
ReleaseSemaphore
EnterCriticalSection
OutputDebugStringW
DeleteCriticalSection
DecodePointer
HeapSize
GetProcAddress
GetLastError
RaiseException
HeapDestroy
InitializeCriticalSectionAndSpinCount
GetProcessHeap
GetModuleHandleW
HeapFree
IsDebuggerPresent
GetUserDefaultLangID
GetSystemDefaultLangID
GetComputerNameExW
GetOverlappedResult
ConnectNamedPipe
CreateNamedPipeW
DisconnectNamedPipe
UnregisterWait
GetProcessTimes
UnregisterWaitEx
RegisterWaitForSingleObject
VirtualProtect
VirtualAlloc
HeapAlloc
RemoveDirectoryW
HeapReAlloc

user32

SetClipboardData
EmptyClipboard
OpenClipboard
GetProcessWindowStation
CloseDesktop
CloseClipboard
CharUpperW
CharLowerW
PostThreadMessageW
DispatchMessageW
GetMessageW
PeekMessageW
EnumWindows
IsWindowVisible
GetWindowThreadProcessId
SetThreadDesktop
CreateWindowStationW
CloseWindowStation
GetThreadDesktop
SetProcessWindowStation
CreateDesktopW
wvsprintfW
wsprintfW
MessageBoxW

advapi32

GetSecurityDescriptorSacl
GetSecurityDescriptorDacl
GetSecurityDescriptorGroup
GetSecurityDescriptorOwner
GetSecurityDescriptorControl
GetLengthSid
CopySid
IsValidSid
GetSidSubAuthority
InitializeSid
GetSidLengthRequired
SetSecurityDescriptorDacl
AddAce
InitializeAcl
GetAclInformation
InitializeSecurityDescriptor
MakeAbsoluteSD
OpenProcessToken
GetTokenInformation
SetSecurityDescriptorOwner
SetSecurityDescriptorGroup
GetAce
MakeSelfRelativeSD
GetSecurityDescriptorLength
EqualSid
SetNamedSecurityInfoW
ConvertStringSidToSidW
OpenThreadToken
RegQueryValueExW
RegOpenKeyExW
RegDeleteKeyW
RegDeleteValueW
RegCloseKey
RegCreateKeyExW
RegSetValueExW
RegEnumKeyExW
RegQueryInfoKeyW
ConvertSidToStringSidW
AllocateAndInitializeSid
CheckTokenMembership
FreeSid
SetSecurityDescriptorSacl
GetTraceLoggerHandle
GetTraceEnableFlags
GetTraceEnableLevel
RegisterTraceGuidsW
UnregisterTraceGuids
TraceEvent
SetTokenInformation

ole32

CoCreateGuid
StringFromGUID2

shell32

SHGetFolderPathW

netapi32

NetApiBufferFree
NetWkstaGetInfo

rpcrt4

UuidCreate

shlwapi

PathRemoveExtensionW
PathRemoveFileSpecW
PathStripPathW
PathCanonicalizeW
PathIsRelativeW
SHQueryValueExW
PathAppendW

userenv

UnloadUserProfile

version

GetFileVersionInfoW
VerQueryValueW
GetFileVersionInfoSizeW

Sections

.text
Size: 156KB - Virtual size: 155KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 48KB - Virtual size: 48KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 6KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
ransomwares/PetyaMFTDestroyer/Key.txt
ransomwares/PetyaMFTDestroyer/PetyaMFTDestroyer.exe
.exe windows:5 windows x86 arch:x86

21e4a55f42c2dcfd0d47cf2cda2692aa

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

CreateFileA
SetFilePointer
SetFilePointerEx
WriteFile
ReadFile
DeviceIoControl
CloseHandle
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent

Sections

.text
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 512B - Virtual size: 412B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 448B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 184B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
ransomwares/PolyRansom/PolyRansom.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 215KB - Virtual size: 214KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
ransomwares/PowerPoint/PowerPoint.exe
.exe windows:4 windows x86 arch:x86

91b2790c505bbe69e215e722d884b1b4

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

advapi32

AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken

crtdll

sprintf

kernel32

CreateProcessA
GlobalAddAtomA
GlobalFindAtomA
GetVersion
GetTempPathA
GetTickCount
ExitProcess
GetModuleFileNameA
CopyFileA
Sleep
CloseHandle
GetModuleHandleA
GetCurrentProcess
CreateFileA
ReadFile
SetFilePointer
WriteFile
GetFileSize
GlobalAlloc
DeleteFileA

user32

ExitWindowsEx

shell32

ShellExecuteA

Sections

.text
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 127KB - Virtual size: 126KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
ransomwares/RansomBlox/RansomBlox.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

aJcA+
Size: 55KB - Virtual size: 54KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.text
Size: 47KB - Virtual size: 47KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 109KB - Virtual size: 109KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
ransomwares/RedBoot/RedBoot.exe
.exe windows:5 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Sections

UPX0
Size: - Virtual size: 1.4MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 343KB - Virtual size: 344KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 873KB - Virtual size: 876KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
ransomwares/RedEye/RedEye.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 10.5MB - Virtual size: 10.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 106KB - Virtual size: 106KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
ransomwares/Rensenware/Rensenware.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\mkang\Documents\Visual Studio 2017\Projects\renseiWare\rensenWare\obj\Release\rensenWare.pdb

Imports

mscoree

_CorExeMain

Sections

.text
Size: 94KB - Virtual size: 93KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
ransomwares/Rokku/Rokku.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Sections

UPX0
Size: - Virtual size: 912KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 665KB - Virtual size: 668KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX2
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
ransomwares/Seftad/Seftad.exe
.exe windows:5 windows x86 arch:x86

45f43067991f331f7e6d9d92f382f3ef

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

CreateFileA
FindResourceA
SetFilePointer
LoadResource
WriteFile
SizeofResource
ReadFile
LockResource
CloseHandle
FlushFileBuffers
CreateFileW
IsProcessorFeaturePresent
HeapReAlloc
GetStringTypeW
GetLastError
HeapFree
HeapAlloc
GetProcAddress
GetModuleHandleW
ExitProcess
DecodePointer
GetCommandLineA
HeapSetInformation
GetStartupInfoW
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
EncodePointer
HeapCreate
GetStdHandle
GetModuleFileNameW
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
LoadLibraryW
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId
InterlockedDecrement
GetModuleFileNameA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStringsW
SetHandleCount
GetFileType
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
GetConsoleCP
GetConsoleMode
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
Sleep
HeapSize
RtlUnwind
SetStdHandle
WriteConsoleW
MultiByteToWideChar
LCMapStringW

ole32

CoUninitialize
CoSetProxyBlanket
CoCreateInstance
CoInitializeSecurity
CoInitializeEx

oleaut32

VariantClear

Sections

.text
Size: 28KB - Virtual size: 27KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
ransomwares/Sodinokibi/Sodinokibi.exe
.exe windows:5 windows x86 arch:x86

3eff7b78fa879bdd7bc10b8b899e0ab3

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

lstrlenW
SetErrorMode
VerSetConditionMask
CloseHandle
GetExitCodeProcess
VerifyVersionInfoW
lstrcmpA

oleaut32

VariantClear
VariantInit

Sections

.text
Size: 46KB - Virtual size: 45KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 7KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.axh
Size: 50KB - Virtual size: 50KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
ransomwares/ViraLock/ViraLock.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 190KB - Virtual size: 190KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
ransomwares/WannaCry 1.0/WannaCry 1.0.exe
.exe windows:4 windows x86 arch:x86

e858a14f217810d78466806d95d7fceb

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetFileSizeEx
CreateFileA
InitializeCriticalSection
DeleteCriticalSection
GetFileSize
LeaveCriticalSection
EnterCriticalSection
SizeofResource
LockResource
LoadResource
FindResourceA
SetErrorMode
VirtualAlloc
VirtualFree
FreeLibrary
HeapAlloc
GetProcessHeap
GetModuleHandleA
SetLastError
VirtualProtect
IsBadReadPtr
HeapFree
SystemTimeToFileTime
LocalFileTimeToFileTime
CreateDirectoryA
GetStartupInfoA
ReadFile
SetFilePointer
WriteFile
SetFileTime
GetFileAttributesA
GetCurrentDirectoryA
SetCurrentDirectoryA
GlobalAlloc
LoadLibraryA
GetProcAddress
GlobalFree
GetModuleFileNameA
CloseHandle

user32

wsprintfA

advapi32

CryptDecrypt
CryptDestroyKey
CryptReleaseContext
CryptImportKey
CryptAcquireContextA

ws2_32

WSAStartup
inet_addr
WSACleanup

msvcrt

_controlfp
__set_app_type
__p__fmode
_adjust_fdiv
__setusermatherr
_initterm
__getmainargs
_acmdln
exit
_XcptFilter
_exit
??1type_info@@UAE@XZ
__p__commode
strcpy
memset
strlen
memcpy
__CxxFrameHandler
??3@YAXPAX@Z
memcmp
_except_handler3
_local_unwind2
??2@YAPAXI@Z
sscanf
strcmp
__p___argv
__p___argc
strrchr
realloc
_stricmp
free
malloc
??0exception@@QAE@ABV0@@Z
??1exception@@UAE@XZ
??0exception@@QAE@ABQBD@Z
_CxxThrowException
calloc
strcat
_mbsstr

Sections

.text
Size: 28KB - Virtual size: 24KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 24KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 160KB - Virtual size: 158KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
ransomwares/WannaCrypt0r/WannaCrypt0r.exe
.exe windows:4 windows x86 arch:x86

68f013d7437aa653a8a98a05807afeb1

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetFileAttributesW
GetFileSizeEx
CreateFileA
InitializeCriticalSection
DeleteCriticalSection
ReadFile
GetFileSize
WriteFile
LeaveCriticalSection
EnterCriticalSection
SetFileAttributesW
SetCurrentDirectoryW
CreateDirectoryW
GetTempPathW
GetWindowsDirectoryW
GetFileAttributesA
SizeofResource
LockResource
LoadResource
MultiByteToWideChar
Sleep
OpenMutexA
GetFullPathNameA
CopyFileA
GetModuleFileNameA
VirtualAlloc
VirtualFree
FreeLibrary
HeapAlloc
GetProcessHeap
GetModuleHandleA
SetLastError
VirtualProtect
IsBadReadPtr
HeapFree
SystemTimeToFileTime
LocalFileTimeToFileTime
CreateDirectoryA
GetStartupInfoA
SetFilePointer
SetFileTime
GetComputerNameW
GetCurrentDirectoryA
SetCurrentDirectoryA
GlobalAlloc
LoadLibraryA
GetProcAddress
GlobalFree
CreateProcessA
CloseHandle
WaitForSingleObject
TerminateProcess
GetExitCodeProcess
FindResourceA

user32

wsprintfA

advapi32

CreateServiceA
OpenServiceA
StartServiceA
CloseServiceHandle
CryptReleaseContext
RegCreateKeyW
RegSetValueExA
RegQueryValueExA
RegCloseKey
OpenSCManagerA

msvcrt

realloc
fclose
fwrite
fread
fopen
sprintf
rand
srand
strcpy
memset
strlen
wcscat
wcslen
__CxxFrameHandler
??3@YAXPAX@Z
memcmp
_except_handler3
_local_unwind2
wcsrchr
swprintf
??2@YAPAXI@Z
memcpy
strcmp
strrchr
__p___argv
__p___argc
_stricmp
free
malloc
??0exception@@QAE@ABV0@@Z
??1exception@@UAE@XZ
??0exception@@QAE@ABQBD@Z
_CxxThrowException
calloc
strcat
_mbsstr
??1type_info@@UAE@XZ
_exit
_XcptFilter
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_controlfp

Sections

.text
Size: 28KB - Virtual size: 26KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 24KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 3.3MB - Virtual size: 3.3MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
ransomwares/Wannacry (Plus)/Wannacry (Plus).exe
.dll windows:4 windows x86 arch:x86

2e5708ae5fed0403e8117c645fb23e5b

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

CloseHandle
WriteFile
CreateFileA
SizeofResource
LockResource
LoadResource
FindResourceA
CreateProcessA

msvcrt

free
_initterm
malloc
_adjust_fdiv
sprintf

Exports

Exports

PlayGame

Sections

.text
Size: 4KB - Virtual size: 652B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 472B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 340B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 5.0MB - Virtual size: 5.0MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 684B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
ransomwares/Windows10Update/Windows10Update.exe
.exe windows:5 windows x86 arch:x86

eb97e4fc5518ac300a92a11673825e0b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

wsock32

WSACleanup
socket
inet_ntoa
setsockopt
ntohs
recvfrom
ioctlsocket
htons
WSAStartup
__WSAFDIsSet
select
accept
listen
bind
closesocket
WSAGetLastError
recv
sendto
send
inet_addr
gethostbyname
gethostname
connect

version

GetFileVersionInfoW
GetFileVersionInfoSizeW
VerQueryValueW

winmm

timeGetTime
waveOutSetVolume
mciSendStringW

comctl32

ImageList_ReplaceIcon
ImageList_Destroy
ImageList_Remove
ImageList_SetDragCursorImage
ImageList_BeginDrag
ImageList_DragEnter
ImageList_DragLeave
ImageList_EndDrag
ImageList_DragMove
InitCommonControlsEx
ImageList_Create

mpr

WNetUseConnectionW
WNetCancelConnection2W
WNetGetConnectionW
WNetAddConnection2W

wininet

InternetQueryDataAvailable
InternetCloseHandle
InternetOpenW
InternetSetOptionW
InternetCrackUrlW
HttpQueryInfoW
InternetQueryOptionW
HttpOpenRequestW
HttpSendRequestW
FtpOpenFileW
FtpGetFileSize
InternetOpenUrlW
InternetReadFile
InternetConnectW

psapi

GetProcessMemoryInfo

iphlpapi

IcmpCreateFile
IcmpCloseHandle
IcmpSendEcho

userenv

DestroyEnvironmentBlock
UnloadUserProfile
CreateEnvironmentBlock
LoadUserProfileW

uxtheme

IsThemeActive

kernel32

DuplicateHandle
CreateThread
WaitForSingleObject
HeapAlloc
GetProcessHeap
HeapFree
Sleep
GetCurrentThreadId
MultiByteToWideChar
MulDiv
GetVersionExW
IsWow64Process
GetSystemInfo
FreeLibrary
LoadLibraryA
GetProcAddress
SetErrorMode
GetModuleFileNameW
WideCharToMultiByte
lstrcpyW
lstrlenW
GetModuleHandleW
QueryPerformanceCounter
VirtualFreeEx
OpenProcess
VirtualAllocEx
WriteProcessMemory
ReadProcessMemory
CreateFileW
SetFilePointerEx
SetEndOfFile
ReadFile
WriteFile
FlushFileBuffers
TerminateProcess
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
SetFileTime
GetFileAttributesW
FindFirstFileW
SetCurrentDirectoryW
GetLongPathNameW
GetShortPathNameW
DeleteFileW
FindNextFileW
CopyFileExW
MoveFileW
CreateDirectoryW
RemoveDirectoryW
SetSystemPowerState
QueryPerformanceFrequency
FindResourceW
LoadResource
LockResource
SizeofResource
EnumResourceNamesW
OutputDebugStringW
GetTempPathW
GetTempFileNameW
DeviceIoControl
GetLocalTime
CompareStringW
GetCurrentProcess
EnterCriticalSection
LeaveCriticalSection
GetStdHandle
CreatePipe
InterlockedExchange
TerminateThread
LoadLibraryExW
FindResourceExW
CopyFileW
VirtualFree
FormatMessageW
GetExitCodeProcess
GetPrivateProfileStringW
WritePrivateProfileStringW
GetPrivateProfileSectionW
WritePrivateProfileSectionW
GetPrivateProfileSectionNamesW
FileTimeToLocalFileTime
FileTimeToSystemTime
SystemTimeToFileTime
LocalFileTimeToFileTime
GetDriveTypeW
GetDiskFreeSpaceExW
GetDiskFreeSpaceW
GetVolumeInformationW
SetVolumeLabelW
CreateHardLinkW
SetFileAttributesW
CreateEventW
SetEvent
GetEnvironmentVariableW
SetEnvironmentVariableW
GlobalLock
GlobalUnlock
GlobalAlloc
GetFileSize
GlobalFree
GlobalMemoryStatusEx
Beep
GetSystemDirectoryW
HeapReAlloc
HeapSize
GetComputerNameW
GetWindowsDirectoryW
GetCurrentProcessId
GetProcessIoCounters
CreateProcessW
GetProcessId
SetPriorityClass
LoadLibraryW
VirtualAlloc
IsDebuggerPresent
GetCurrentDirectoryW
lstrcmpiW
DecodePointer
GetLastError
RaiseException
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
InterlockedDecrement
InterlockedIncrement
GetCurrentThread
CloseHandle
GetFullPathNameW
EncodePointer
ExitProcess
GetModuleHandleExW
ExitThread
GetSystemTimeAsFileTime
ResumeThread
GetCommandLineW
IsProcessorFeaturePresent
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
SetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetStartupInfoW
GetStringTypeW
SetStdHandle
GetFileType
GetConsoleCP
GetConsoleMode
RtlUnwind
ReadConsoleW
GetTimeZoneInformation
GetDateFormatW
GetTimeFormatW
LCMapStringW
GetEnvironmentStringsW
FreeEnvironmentStringsW
WriteConsoleW
FindClose
SetEnvironmentVariableA

user32

AdjustWindowRectEx
CopyImage
SetWindowPos
GetCursorInfo
RegisterHotKey
ClientToScreen
GetKeyboardLayoutNameW
IsCharAlphaW
IsCharAlphaNumericW
IsCharLowerW
IsCharUpperW
GetMenuStringW
GetSubMenu
GetCaretPos
IsZoomed
MonitorFromPoint
GetMonitorInfoW
SetWindowLongW
SetLayeredWindowAttributes
FlashWindow
GetClassLongW
TranslateAcceleratorW
IsDialogMessageW
GetSysColor
InflateRect
DrawFocusRect
DrawTextW
FrameRect
DrawFrameControl
FillRect
PtInRect
DestroyAcceleratorTable
CreateAcceleratorTableW
SetCursor
GetWindowDC
GetSystemMetrics
GetActiveWindow
CharNextW
wsprintfW
RedrawWindow
DrawMenuBar
DestroyMenu
SetMenu
GetWindowTextLengthW
CreateMenu
IsDlgButtonChecked
DefDlgProcW
CallWindowProcW
ReleaseCapture
SetCapture
CreateIconFromResourceEx
mouse_event
ExitWindowsEx
SetActiveWindow
FindWindowExW
EnumThreadWindows
SetMenuDefaultItem
InsertMenuItemW
IsMenu
TrackPopupMenuEx
GetCursorPos
DeleteMenu
SetRect
GetMenuItemID
GetMenuItemCount
SetMenuItemInfoW
GetMenuItemInfoW
SetForegroundWindow
IsIconic
FindWindowW
MonitorFromRect
keybd_event
SendInput
GetAsyncKeyState
SetKeyboardState
GetKeyboardState
GetKeyState
VkKeyScanW
LoadStringW
DialogBoxParamW
MessageBeep
EndDialog
SendDlgItemMessageW
GetDlgItem
SetWindowTextW
CopyRect
ReleaseDC
GetDC
EndPaint
BeginPaint
GetClientRect
GetMenu
DestroyWindow
EnumWindows
GetDesktopWindow
IsWindow
IsWindowEnabled
IsWindowVisible
EnableWindow
InvalidateRect
GetWindowLongW
GetWindowThreadProcessId
AttachThreadInput
GetFocus
GetWindowTextW
ScreenToClient
SendMessageTimeoutW
EnumChildWindows
CharUpperBuffW
GetParent
GetDlgCtrlID
SendMessageW
MapVirtualKeyW
PostMessageW
GetWindowRect
SetUserObjectSecurity
CloseDesktop
CloseWindowStation
OpenDesktopW
SetProcessWindowStation
GetProcessWindowStation
OpenWindowStationW
GetUserObjectSecurity
MessageBoxW
DefWindowProcW
SetClipboardData
EmptyClipboard
CountClipboardFormats
CloseClipboard
GetClipboardData
IsClipboardFormatAvailable
OpenClipboard
BlockInput
GetMessageW
LockWindowUpdate
DispatchMessageW
TranslateMessage
PeekMessageW
UnregisterHotKey
CheckMenuRadioItem
CharLowerBuffW
MoveWindow
SetFocus
PostQuitMessage
KillTimer
CreatePopupMenu
RegisterWindowMessageW
SetTimer
ShowWindow
CreateWindowExW
RegisterClassExW
LoadIconW
LoadCursorW
GetSysColorBrush
GetForegroundWindow
MessageBoxA
DestroyIcon
SystemParametersInfoW
LoadImageW
GetClassNameW

gdi32

StrokePath
DeleteObject
GetTextExtentPoint32W
ExtCreatePen
GetDeviceCaps
EndPath
SetPixel
CloseFigure
CreateCompatibleBitmap
CreateCompatibleDC
SelectObject
StretchBlt
GetDIBits
LineTo
AngleArc
MoveToEx
Ellipse
DeleteDC
GetPixel
CreateDCW
GetStockObject
GetTextFaceW
CreateFontW
SetTextColor
PolyDraw
BeginPath
Rectangle
SetViewportOrgEx
GetObjectW
SetBkMode
RoundRect
SetBkColor
CreatePen
CreateSolidBrush
StrokeAndFillPath

comdlg32

GetOpenFileNameW
GetSaveFileNameW

advapi32

GetAce
RegEnumValueW
RegDeleteValueW
RegDeleteKeyW
RegEnumKeyExW
RegSetValueExW
RegOpenKeyExW
RegCloseKey
RegQueryValueExW
RegConnectRegistryW
InitializeSecurityDescriptor
InitializeAcl
AdjustTokenPrivileges
OpenThreadToken
OpenProcessToken
LookupPrivilegeValueW
DuplicateTokenEx
CreateProcessAsUserW
CreateProcessWithLogonW
GetLengthSid
CopySid
LogonUserW
AllocateAndInitializeSid
CheckTokenMembership
RegCreateKeyExW
FreeSid
GetTokenInformation
GetSecurityDescriptorDacl
GetAclInformation
AddAce
SetSecurityDescriptorDacl
GetUserNameW
InitiateSystemShutdownExW

shell32

DragQueryPoint
ShellExecuteExW
DragQueryFileW
SHEmptyRecycleBinW
SHGetPathFromIDListW
SHBrowseForFolderW
SHCreateShellItem
SHGetDesktopFolder
SHGetSpecialFolderLocation
SHGetFolderPathW
SHFileOperationW
ExtractIconExW
Shell_NotifyIconW
ShellExecuteW
DragFinish

ole32

CoTaskMemAlloc
CoTaskMemFree
CLSIDFromString
ProgIDFromCLSID
CLSIDFromProgID
OleSetMenuDescriptor
MkParseDisplayName
OleSetContainedObject
CoCreateInstance
IIDFromString
StringFromGUID2
CreateStreamOnHGlobal
OleInitialize
OleUninitialize
CoInitialize
CoUninitialize
GetRunningObjectTable
CoGetInstanceFromFile
CoGetObject
CoSetProxyBlanket
CoCreateInstanceEx
CoInitializeSecurity

oleaut32

LoadTypeLibEx
VariantCopyInd
SysReAllocString
SysFreeString
SafeArrayDestroyDescriptor
SafeArrayDestroyData
SafeArrayUnaccessData
SafeArrayAccessData
SafeArrayAllocData
SafeArrayAllocDescriptorEx
SafeArrayCreateVector
RegisterTypeLi
CreateStdDispatch
DispCallFunc
VariantChangeType
SysStringLen
VariantTimeToSystemTime
VarR8FromDec
SafeArrayGetVartype
VariantCopy
VariantClear
OleLoadPicture
QueryPathOfRegTypeLi
RegisterTypeLibForUser
UnRegisterTypeLibForUser
UnRegisterTypeLi
CreateDispTypeInfo
SysAllocString
VariantInit

Sections

.text
Size: 568KB - Virtual size: 567KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 191KB - Virtual size: 191KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 20KB - Virtual size: 35KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 230KB - Virtual size: 229KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 28KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
ransomwares/Winlocker.VB6.Blacksod/Winlocker.VB6.Blacksod/WinlockerVB6Blacksod.exe
.exe windows:5 windows x86 arch:x86

fdc840a7a99c43c34a60188ec8cc1596

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

C:\Users\victor\Desktop\BRANCH\win\Release\stubs\x86\ExternalUi.pdb

Imports

kernel32

CreateDirectoryW
GetCurrentProcessId
GetExitCodeThread
SetEvent
CreateEventW
SetLastError
LoadLibraryW
FreeLibrary
lstrlenW
GetVersionExW
CreateFileA
SetStdHandle
WriteConsoleW
WriteConsoleA
GetModuleHandleA
InitializeCriticalSectionAndSpinCount
GetStringTypeA
IsValidLocale
EnumSystemLocalesA
GetUserDefaultLCID
GetConsoleMode
GetConsoleCP
GetTickCount
QueryPerformanceCounter
GetStartupInfoA
GetFileType
SetHandleCount
GetEnvironmentStringsW
GetDiskFreeSpaceExW
IsValidCodePage
GetOEMCP
GetACP
HeapCreate
LCMapStringW
LCMapStringA
GetCPInfo
RtlUnwind
ExitProcess
lstrcmpiW
TlsSetValue
TlsAlloc
TlsGetValue
GetStartupInfoW
GetSystemTimeAsFileTime
IsDebuggerPresent
UnhandledExceptionFilter
TerminateProcess
HeapSize
HeapReAlloc
HeapDestroy
VirtualAlloc
VirtualFree
IsProcessorFeaturePresent
HeapAlloc
GetProcessHeap
HeapFree
InterlockedCompareExchange
PeekNamedPipe
OpenEventW
CopyFileExW
CompareFileTime
GetVersion
ResetEvent
MoveFileW
GetLocaleInfoA
GetStringTypeW
ConnectNamedPipe
CreateNamedPipeW
TerminateThread
GetSystemDirectoryW
GetLocalTime
OutputDebugStringW
Process32NextW
Process32FirstW
CreateToolhelp32Snapshot
GetWindowsDirectoryW
FileTimeToSystemTime
GetUserDefaultLangID
GetSystemDefaultLangID
GetDriveTypeW
CompareStringW
InterlockedDecrement
InterlockedIncrement
GetModuleFileNameW
GlobalUnlock
GlobalLock
GlobalAlloc
lstrcmpW
GetFileSize
ReadFile
GlobalFree
GetTempPathW
GetSystemTime
SystemTimeToFileTime
GetTempFileNameW
DeleteFileW
FindFirstFileW
RemoveDirectoryW
FindNextFileW
GetLogicalDriveStringsW
GetFileAttributesW
SetFileAttributesW
GetFileTime
CopyFileW
FindClose
MultiByteToWideChar
LoadLibraryExW
WideCharToMultiByte
InterlockedExchange
GetSystemInfo
TlsFree
WaitForMultipleObjects
Sleep
GetLastError
GetCurrentThreadId
WaitForSingleObject
MulDiv
lstrcpynW
FindResourceExW
FindResourceW
LoadResource
LockResource
SizeofResource
GetLocaleInfoW
EnumResourceLanguagesW
SetEndOfFile
SetCurrentDirectoryW
GetCommandLineW
GetExitCodeProcess
CreateProcessW
GetModuleFileNameA
FlushFileBuffers
LeaveCriticalSection
SetFilePointer
GetConsoleOutputCP
GetConsoleScreenBufferInfo
GetStdHandle
SetConsoleTextAttribute
GetFullPathNameW
GetCurrentThread
InitializeCriticalSection
EnterCriticalSection
DeleteCriticalSection
GetModuleHandleW
GetProcAddress
RaiseException
FlushInstructionCache
GetCurrentProcess
CloseHandle
WriteFile
CreateFileW
FreeEnvironmentStringsW
LocalAlloc
LocalFree
LoadLibraryA
GetShortPathNameW
GetEnvironmentVariableW
FormatMessageW
CreateThread
SetUnhandledExceptionFilter

user32

MapWindowPoints
GetParent
GetWindow
GetClientRect
GetWindowTextW
GetWindowTextLengthW
FillRect
IsWindow
ShowWindow
GetWindowRect
UnionRect
IsWindowVisible
BeginPaint
EndPaint
ScreenToClient
SetWindowPos
GetWindowDC
LookupIconIdFromDirectoryEx
CallWindowProcW
DefWindowProcW
GetWindowLongW
SetWindowLongW
SendMessageW
DrawFrameControl
RegisterWindowMessageW
InvalidateRgn
GetDesktopWindow
GetKeyState
DrawStateW
DrawTextExW
DrawFocusRect
ValidateRect
DestroyMenu
AppendMenuW
CreatePopupMenu
TrackPopupMenu
InflateRect
LoadBitmapW
MessageBeep
LoadImageW
CharNextW
GetClassNameW
ReleaseCapture
SetCapture
UpdateWindow
DestroyIcon
GetDlgCtrlID
GetCapture
SetScrollInfo
GetScrollPos
GetClassInfoExW
RegisterClassExW
DrawEdge
SetScrollPos
SetRect
MoveWindow
GetScrollInfo
GetMessagePos
SystemParametersInfoW
GetActiveWindow
TrackMouseEvent
GetAsyncKeyState
DestroyCursor
GetWindowRgn
IsZoomed
SetWindowRgn
GetComboBoxInfo
DestroyAcceleratorTable
CreateAcceleratorTableW
TranslateAcceleratorW
CreateDialogParamW
EndDialog
DialogBoxParamW
InvalidateRect
GetNextDlgTabItem
SetCursor
MonitorFromWindow
GetMonitorInfoW
IsDialogMessageW
IsChild
PostQuitMessage
PostMessageW
SetForegroundWindow
SetCursorPos
GetCursorPos
PeekMessageW
GetMessageW
TranslateMessage
DispatchMessageW
LoadCursorW
LoadStringW
MessageBoxW
GetFocus
EnableWindow
DestroyWindow
GetForegroundWindow
EnumWindows
GetWindowThreadProcessId
DialogBoxIndirectParamW
MsgWaitForMultipleObjects
GetPropW
GetSystemMenu
EnableMenuItem
ModifyMenuW
ExitWindowsEx
GetScrollRange
SetPropW
RemovePropW
LoadMenuW
GetSubMenu
OpenClipboard
CloseClipboard
EmptyClipboard
SetClipboardData
GetIconInfo
SendMessageTimeoutW
UnregisterClassA
DrawTextW
DrawIconEx
GetSystemMetrics
ClientToScreen
OffsetRect
SetRectEmpty
PtInRect
GetSysColorBrush
IntersectRect
IsRectEmpty
SendMessageA
IsWindowEnabled
CopyRect
RedrawWindow
SetFocus
GetSysColor
CreateWindowExW
GetDlgItem
SetWindowTextW
EqualRect
SetTimer
KillTimer
GetDC
ReleaseDC
CreateIconFromResourceEx

gdi32

GetLayout
GetBrushOrgEx
CreateFontIndirectW
CreateSolidBrush
GetRgnBox
EqualRgn
CreatePolygonRgn
CreateRectRgnIndirect
GetStockObject
CreateFontW
SetBkMode
SetTextColor
SetBrushOrgEx
CreatePatternBrush
FillRgn
SelectClipRgn
GetBitmapBits
CreateRectRgn
GetObjectW
GetDeviceCaps
Rectangle
ExcludeClipRect
CreatePen
ExtTextOutW
SetBkColor
BitBlt
SetViewportOrgEx
CreateCompatibleBitmap
CreateCompatibleDC
DeleteObject
SelectObject
DeleteDC
CreateDIBSection
CreateBitmapIndirect
CombineRgn

advapi32

RegOpenKeyW
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
SetEntriesInAclW
GetSecurityDescriptorDacl
AdjustTokenPrivileges
LookupPrivilegeValueW
StartServiceW
QueryServiceStatus
OpenServiceW
RegDeleteValueA
RegQueryValueExA
RegOpenKeyA
RegDeleteValueW
RegCreateKeyExW
RegSetValueExW
RegEnumKeyExW
RegQueryInfoKeyW
RegDeleteKeyW
RegQueryValueExW
RegOpenKeyExW
RegCloseKey
RegSetValueExA
OpenSCManagerW
LockServiceDatabase
UnlockServiceDatabase
CloseServiceHandle
RegOpenKeyExA
RegEnumValueA
LookupAccountSidW
RegCreateKeyW
OpenProcessToken
GetTokenInformation
AllocateAndInitializeSid
EqualSid
FreeSid
GetUserNameW
RegDeleteKeyA
RegCreateKeyA

shell32

ShellExecuteW
ShellExecuteExW
SHGetFolderPathW
SHBrowseForFolderW
SHGetPathFromIDListW
SHGetMalloc
SHGetFileInfoW
SHGetSpecialFolderLocation

ole32

CoTaskMemRealloc
CoTaskMemFree
CoInitialize
OleInitialize
CLSIDFromString
CLSIDFromProgID
CoGetClassObject
CreateStreamOnHGlobal
OleLockRunning
StringFromGUID2
CoTaskMemAlloc
OleUninitialize
CoUninitialize
CoCreateGuid
CreateILockBytesOnHGlobal
StgCreateDocfileOnILockBytes
CoInitializeEx
CoCreateInstance

oleaut32

VarDateFromStr
VarUI4FromStr
OleLoadPicture
SysStringByteLen
SysAllocStringByteLen
SysAllocStringLen
LoadTypeLi
LoadRegTypeLi
SysStringLen
OleCreateFontIndirect
VariantCopy
VariantInit
VariantClear
SysAllocString
SysFreeString

dbghelp

SymGetLineFromAddr
SymSetSearchPath
SymCleanup
SymInitialize
SymSetOptions
SymFunctionTableAccess
StackWalk
SymGetModuleBase

shlwapi

PathIsDirectoryW
PathAddBackslashW
PathIsUNCW
PathFileExistsW

comctl32

ImageList_Destroy
DestroyPropertySheetPage
InitCommonControlsEx
ImageList_LoadImageW
ImageList_GetIcon
ImageList_AddMasked
ImageList_SetBkColor
_TrackMouseEvent
ImageList_Add
ImageList_ReplaceIcon
ImageList_Create
CreatePropertySheetPageW
PropertySheetW

msimg32

AlphaBlend
TransparentBlt

version

GetFileVersionInfoW
VerQueryValueW
GetFileVersionInfoSizeW

mpr

WNetAddConnection2W

comdlg32

GetOpenFileNameW
GetSaveFileNameW

Sections

.text
Size: 1010KB - Virtual size: 1009KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 239KB - Virtual size: 238KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 39KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 71KB - Virtual size: 70KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 96KB - Virtual size: 96KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
ransomwares/Xyeta/Xyeta.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

UPX0
Size: - Virtual size: 228KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 67KB - Virtual size: 68KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 16KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Extracted

Signatures

Files

Password: infected

Password: infected

008aca28b7c001acc5e0ab32fabaad84

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

gdi32

advapi32

shell32

wininet

netapi32

Sections

.text Size: 174KB - Virtual size: 174KB

.rdata Size: 122KB - Virtual size: 121KB

.data Size: 5KB - Virtual size: 9KB

.tls Size: 512B - Virtual size: 9B

.rsrc Size: 1024B - Virtual size: 840B

.reloc Size: 11KB - Virtual size: 10KB

Password: infected

Headers

DLL Characteristics

File Characteristics

Sections

.text Size: 15.7MB - Virtual size: 15.7MB

.rsrc Size: 268KB - Virtual size: 267KB

Password: infected

e3bda9df66f1f9b2b9b7b068518f2af1

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

0e:bf:ea:68:d6:77:b3:e2:6c:ab:41:c3:3f:3e:69:deCertificate

Extended Key Usages

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

2e:6b:e6:bd:11:a8:67:6e:6c:57:90:9e:9b:0d:5f:57Certificate

Extended Key Usages

Key Usages

7c:1b:35:35:4a:e7:db:74:e7:41:5f:11:69:ca:6b:a8Certificate

Extended Key Usages

Key Usages

7b:05:b1:d4:49:68:51:44:f7:c9:89:d2:9c:19:9d:12Certificate

Extended Key Usages

Key Usages

54:58:f2:aa:d7:41:d6:44:bc:84:a9:7b:a0:96:52:e6Certificate

Extended Key Usages

Key Usages

c9:13:30:16:a3:e5:cf:bf:b1:aa:8b:50:d1:16:0f:a5:35:73:41:3d:4f:81:f8:71:05:4e:c7:39:6d:5a:8b:17Signer

bd:ae:90:d3:3b:42:bf:69:31:7c:f4:d9:c1:9d:fd:c2:69:86:ca:f0Signer

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

shell32

msvcrt

Sections

.text Size: 12KB - Virtual size: 11KB

.rdata Size: 12KB - Virtual size: 12KB

.data Size: 512B - Virtual size: 828B

.rsrc Size: 28KB - Virtual size: 28KB

.reloc Size: 1024B - Virtual size: 590B

Password: infected

Headers

.text
Size: 174KB - Virtual size: 174KB

.rdata
Size: 122KB - Virtual size: 121KB

.data
Size: 5KB - Virtual size: 9KB

.tls
Size: 512B - Virtual size: 9B

.rsrc
Size: 1024B - Virtual size: 840B

.reloc
Size: 11KB - Virtual size: 10KB

.text
Size: 15.7MB - Virtual size: 15.7MB

.rsrc
Size: 268KB - Virtual size: 267KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

0e:bf:ea:68:d6:77:b3:e2:6c:ab:41:c3:3f:3e:69:de
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

2e:6b:e6:bd:11:a8:67:6e:6c:57:90:9e:9b:0d:5f:57
Certificate

7c:1b:35:35:4a:e7:db:74:e7:41:5f:11:69:ca:6b:a8
Certificate

7b:05:b1:d4:49:68:51:44:f7:c9:89:d2:9c:19:9d:12
Certificate

54:58:f2:aa:d7:41:d6:44:bc:84:a9:7b:a0:96:52:e6
Certificate

c9:13:30:16:a3:e5:cf:bf:b1:aa:8b:50:d1:16:0f:a5:35:73:41:3d:4f:81:f8:71:05:4e:c7:39:6d:5a:8b:17
Signer

bd:ae:90:d3:3b:42:bf:69:31:7c:f4:d9:c1:9d:fd:c2:69:86:ca:f0
Signer

.text
Size: 12KB - Virtual size: 11KB

.rdata
Size: 12KB - Virtual size: 12KB

.data
Size: 512B - Virtual size: 828B

.rsrc
Size: 28KB - Virtual size: 28KB

.reloc
Size: 1024B - Virtual size: 590B

UPX0
Size: - Virtual size: 100KB

UPX1
Size: 114KB - Virtual size: 116KB

.rsrc
Size: 1KB - Virtual size: 4KB

.unp_1
Size: - Virtual size: 7KB

.text
Size: 9KB - Virtual size: 8KB

.rsrc
Size: 17KB - Virtual size: 16KB

.tls
Size: 512B - Virtual size: 4KB

.rdata
Size: 512B - Virtual size: 4KB

.rdata
Size: 1024B - Virtual size: 788B

BSS
Size: - Virtual size: 7KB

.data
Size: 124KB - Virtual size: 131KB

BSS
Size: - Virtual size: 5KB

BSS
Size: - Virtual size: 3KB

BSS
Size: - Virtual size: 1.3MB

16:88:f0:39:25:5e:63:8e:69:14:39:07:e6:33:0b
Certificate

90:21:24:73:c7:06:f5:23:fe:84:bd:b9:a7:8a:01:f4
Certificate

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:af
Certificate

fb:f7:43:25:3a:5f:2f:99:ab:87:3e:d6:da:c8:11:b0:70:ec:8e:54
Signer

.text
Size: 293KB - Virtual size: 292KB

.rdata
Size: 10KB - Virtual size: 10KB

.data
Size: 512B - Virtual size: 424B

.rsrc
Size: 3KB - Virtual size: 2KB

.text
Size: 28KB - Virtual size: 28KB

.rdata
Size: 512B - Virtual size: 374B

.data
Size: 26KB - Virtual size: 33KB

.reloc
Size: 3KB - Virtual size: 2KB