bc41543926dda3762ae39e35aba7a813_JaffaCakes118

Target

bc41543926dda3762ae39e35aba7a813_JaffaCakes118
Size

13.8MB
MD5

bc41543926dda3762ae39e35aba7a813
SHA1

81bf36d2c8c97901eb88133566838eba26d74138
SHA256

f255227fd45316c4681085f39e6da2f509af851f8cc2d2a84ea99c06b935ffe6
SHA512

29404267b0a85340a4b9e821aca8a37ee716532adb9626acc39941148c2e91f67022125a4db3d65468b6b564134bf9fa496252bd4d2aacda0be0fd54684c0291
SSDEEP

393216:LDZBIw5QnNtQs9HQYsiZfmu/GyBSye+tfLXSDOaC0zjLCrj:vlQnNSA1skfmkzdtfOi0jLA

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
static1/unpack001/Documents/Ransomware.Radamant/Ransomware.Radamant/DUMP_00A10000-00A1D000.exe.ViR	upx

Unsigned PE 22 IoCs

Checks for missing Authenticode signature.

resource
unpack001/Documents/Ransomware.Cerber/cerber.exe
unpack001/Documents/Ransomware.Cryptowall/cryptowall.exe
unpack001/Documents/Ransomware.Jigsaw/jigsaw
unpack001/Documents/Ransomware.Locky/Locky
unpack001/Documents/Ransomware.Mamba/131.exe
unpack001/Documents/Ransomware.Matsnu/Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .com_
unpack001/Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/svchost.exe
unpack001/Documents/Ransomware.Petya/Ransomware.Petya/26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739.exe
unpack001/Documents/Ransomware.Petya/Ransomware.Petya/4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c.bin
unpack001/Documents/Ransomware.Radamant/Ransomware.Radamant/DUMP_00A10000-00A1D000.exe.ViR
unpack005/out.upx
unpack006/Supplementary Agreement 26_01_2016.scr
unpack001/Documents/Ransomware.Satana/Ransomware.Satana/683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.bin
unpack001/Documents/Ransomware.Satana/Ransomware.Satana/unpacked.mem
unpack001/Documents/Ransomware.TeslaCrypt/Ransomware.TeslaCrypt/3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370
unpack001/Documents/Ransomware.TeslaCrypt/Ransomware.TeslaCrypt/51B4EF5DC9D26B7A26E214CEE90598631E2EAA67
unpack001/Documents/Ransomware.TeslaCrypt/Ransomware.TeslaCrypt/E906FA3D51E86A61741B3499145A114E9BFB7C56
unpack001/Documents/Ransomware.Vipasana/Ransomware.Vipasana/0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab
unpack001/Documents/Ransomware.Vipasana/Ransomware.Vipasana/c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a
unpack001/Documents/Ransomware.Vipasana/Ransomware.Vipasana/e49778d20a2f9b1f8b00ddd24b6bcee81af381ed02cfe0a3c9ab3111cda5f573
unpack007/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
unpack001/Documents/Ransomware.WannaCry/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Files

bc41543926dda3762ae39e35aba7a813_JaffaCakes118
.zip
Documents/Ransomware.Cerber/cerber.exe
.exe windows:5 windows x86 arch:x86

9d6ed8d049bc10bc45b1995cb6f7f4b6

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetExitCodeProcess
GetFileAttributesExW
GetFileAttributesW
GetFileSize
GetFileType
GetFullPathNameW
GetLastError
GetLocalTime
GetLocaleInfoW
GetModuleFileNameA
GetModuleFileNameW
GetModuleHandleA
GetModuleHandleW
GetPrivateProfileStringW
GetProcAddress
GetProcessHeap
GetStartupInfoA
GetStdHandle
GetSystemTime
GetSystemTimeAsFileTime
GetTempFileNameW
GetTempPathW
GetThreadLocale
GetTickCount
GetTimeFormatW
GetUserDefaultLCID
GetVersion
GetVersionExA
GetVolumeInformationW
GetWindowsDirectoryW
Heap32ListFirst
HeapAlloc
HeapFree
HeapReAlloc
HeapSize
InitializeCriticalSection
InterlockedDecrement
InterlockedIncrement
IsSystemResumeAutomatic
LeaveCriticalSection
LoadLibraryA
LoadLibraryW
LocalFree
MoveFileExA
MoveFileExW
MoveFileW
MultiByteToWideChar
GetEnvironmentVariableW
QueryPerformanceCounter
QueueUserAPC
RaiseException
ReadConsoleW
ReadFile
ReadProcessMemory
RemoveDirectoryW
ScrollConsoleScreenBufferW
SearchPathW
SetConsoleCtrlHandler
SetConsoleCursorPosition
SetConsoleMode
SetConsoleTextAttribute
SetConsoleTitleW
SetCurrentDirectoryW
SetEnvironmentVariableW
SetErrorMode
SetFileAttributesW
SetFilePointer
SetFileTime
SetLastError
SetLocalTime
SetSystemTime
SetThreadLocale
SetUnhandledExceptionFilter
SetVolumeLabelA
SleepEx
SwitchToThread
SystemTimeToFileTime
TerminateProcess
TransmitCommChar
UnhandledExceptionFilter
VirtualAlloc
VirtualFree
VirtualFreeEx
VirtualQuery
WaitForSingleObject
WideCharToMultiByte
WriteConsoleW
WriteFile
WritePrivateProfileSectionA
_hwrite
lstrcmpW
lstrcmpiW
lstrcpyW
lstrlenW
GetEnvironmentStringsW
GetDriveTypeW
GetDiskFreeSpaceExW
GetDateFormatW
GetCurrentThreadId
GetCurrentThread
GetCurrentProcessId
GetCurrentProcess
GetCurrentDirectoryW
GetConsoleTitleW
GetConsoleScreenBufferInfo
GetConsoleOutputCP
GetConsoleMode
GetCompressedFileSizeW
GetCommandLineW
GetCPInfo
GetBinaryTypeW
GetBinaryType
FreeLibrary
FormatMessageW
FlushFileBuffers
FlushConsoleInputBuffer
FindNextFileW
FindNextFileA
FindFirstFileW
FindFirstFileA
FindClose
FillConsoleOutputCharacterW
FillConsoleOutputAttribute
FileTimeToSystemTime
FileTimeToLocalFileTime
ExpandEnvironmentStringsW
EraseTape
EnterCriticalSection
DuplicateHandle
DeleteFileW
DeleteFileA
CreateThread
CreateProcessW
CreateFileW
CreateFileA
CreateDirectoryW
CopyFileW
CopyFileA
ConvertDefaultLocale
CompareFileTime
CloseHandle
OpenProcess
AddAtomW

user32

DefWindowProcW
DrawFocusRect
CreateWindowStationA
CreateMenu
FillRect
FindWindowW
GetMenuCheckMarkDimensions
GetProcessWindowStation
GetSysColorBrush
GetThreadDesktop
GetUpdateRgn
GetUserObjectInformationW
InflateRect
InsertMenuItemW
IsIconic
LockWindowUpdate
MessageBeep
MessageBoxW
MonitorFromWindow
OffsetRect
PostMessageW
RealGetWindowClass
SendMessageW
SetUserObjectInformationW
ShowWindow
ToUnicode
WinHelpA
LoadCursorW
GetKBCodePage
DefMDIChildProcW
CloseWindowStation

gdi32

StartPage
SetMiterLimit
SetMapperFlags
SetBitmapBits
PtVisible
OffsetClipRgn
GetViewportOrgEx
GetTextFaceW
AddFontMemResourceEx
AnimatePalette
Arc
BRUSHOBJ_pvAllocRbrush
ColorMatchToTarget
CopyEnhMetaFileA
CreatePatternBrush
DescribePixelFormat
EngFreeModule
EngTextOut
EnumFontsW
FillRgn
GdiGetPageCount
GetGlyphOutlineW
GetMiterLimit
GetOutlineTextMetricsA

advapi32

RegOpenKeyW
SaferRecordEventLogEntry
SaferIdentifyLevel
SaferComputeTokenFromLevel
SaferCloseLevel
RevertToSelf
RegSetValueW
RegSetValueExW
RegQueryValueW
RegQueryValueExW
CreateProcessAsUserW
RegOpenKeyExW
RegEnumKeyW
RegDeleteKeyW
RegCreateKeyExW
RegCloseKey
LookupAccountSidW
ImpersonateLoggedOnUser
GetSecurityDescriptorOwner
GetFileSecurityW
FreeSid

shell32

ShellExecuteExW
ShellExecuteA
ShellAboutA
SHIsFileAvailableOffline
SHGetSettings
CheckEscapesW
DragQueryFile
DragQueryFileAorW
ExtractIconExW
SHAppBarMessage
SHBrowseForFolderA
SHChangeNotify
SHCreateProcessAsUserW
SHEmptyRecycleBinA
SHFileOperationA
SHGetDataFromIDListA
SHGetDiskFreeSpaceA
SHGetMalloc
WOWShellExecute

shlwapi

StrCmpNW
StrStrIA
StrStrIW
StrCmpNA
StrChrIA

comctl32

ImageList_Create

msvcrt

_XcptFilter
__getmainargs
__initenv
__p__commode
__p__fmode
__set_app_type
__setusermatherr
_adjust_fdiv
_c_exit
_cexit
_close
_controlfp
_dup
_dup2
_errno
_except_handler3
_exit
_get_osfhandle
_getch
_initterm
_iob
_open_osfhandle
_pclose
_pipe
_seh_longjmp_unwind
_setjmp3
_setmode
_snwprintf
_tell
_ultoa
_vsnwprintf
_wcsicmp
_wcslwr
_wcsnicmp
_wcsupr
_wpopen
_wtol
calloc
exit
fflush
fgets
fprintf
free
iswalpha
iswdigit
iswspace
iswxdigit
longjmp
malloc
memmove
printf
qsort
rand
realloc
setlocale
srand
swprintf
swscanf
time
towlower
towupper
wcscat
wcschr
wcscmp
wcscpy
wcslen
wcsncmp
wcsncpy
wcsrchr
wcsspn
wcsstr
wcstol
wcstoul

Sections

.text
Size: 315KB - Virtual size: 315KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 234KB - Virtual size: 234KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 49KB - Virtual size: 48KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Documents/Ransomware.Cryptowall/cryptowall.exe
.exe windows:5 windows x86 arch:x86

edbc0337cc897a187d263d79c09c15c7

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

user32

EnableMenuItem
GetDlgItem
SendDlgItemMessageA
AppendMenuA
GetWindowLongA
wvsprintfA
SetWindowPos
FindWindowA
RedrawWindow
GetWindowTextA
EnableWindow
GetSystemMetrics
IsWindow
CheckRadioButton
UnregisterClassA
SetCursor
GetSysColorBrush
DialogBoxParamA
DestroyAcceleratorTable
DispatchMessageA
TranslateMessage
LoadIconA
EmptyClipboard
SetClipboardData
SetFocus
CharUpperA
OpenClipboard
IsDialogMessageA
TranslateAcceleratorA
GetMessageA
LoadAcceleratorsA
RemoveMenu
InvalidateRect
ChildWindowFromPoint
PostMessageA
DestroyCursor
CreateDialogParamA
GetWindowRect
IsMenu
GetSubMenu
SetDlgItemInt
GetWindowPlacement
CharLowerBuffA
LoadCursorA
CheckMenuRadioItem
GetSysColor
KillTimer
DestroyIcon
DestroyWindow
PostQuitMessage
GetClientRect
MoveWindow
GetSystemMenu
SetTimer
SetWindowPlacement
InsertMenuItemA
GetMenu
CheckMenuItem
SetMenuItemInfoA
SetActiveWindow
DefDlgProcA
RegisterClassA
EndDialog
SetDlgItemTextA
EnumClipboardFormats
GetClipboardData
CloseClipboard
GetClassInfoA
CallWindowProcA
SetWindowLongA
IsDlgButtonChecked
SetWindowTextA
CheckDlgButton
GetActiveWindow
MessageBoxA
wsprintfA
GetDlgItemTextA
SendMessageA
GetCursorPos
TrackPopupMenu
ClientToScreen
DestroyMenu
CreatePopupMenu

comdlg32

GetSaveFileNameA
GetOpenFileNameA

advapi32

RegSetValueA
RegQueryValueExA
OpenProcessToken
LookupPrivilegeValueA
AdjustTokenPrivileges
RegOpenKeyExA
RegCloseKey
RegCreateKeyA
RegDeleteKeyA
GetUserNameA

dbghelp

ImageNtHeader
ImageRvaToSection
ImageRvaToVa

comctl32

ImageList_Destroy
InitCommonControlsEx
ImageList_ReplaceIcon
ImageList_Remove
CreateToolbarEx
ImageList_SetBkColor
ImageList_Create

kernel32

IsValidCodePage
GetOEMCP
GetACP
GetCPInfo
GetSystemTimeAsFileTime
GetCurrentProcessId
GetTickCount
QueryPerformanceCounter
HeapFree
VirtualFree
HeapCreate
GetFileType
SetHandleCount
GetEnvironmentStringsW
WideCharToMultiByte
FreeEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsA
InitializeCriticalSectionAndSpinCount
LoadLibraryA
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
EnterCriticalSection
HeapSize
LeaveCriticalSection
DeleteCriticalSection
GetLocaleInfoA
WriteFile
InterlockedDecrement
GetLastError
GetCurrentThreadId
SetLastError
InterlockedIncrement
TlsFree
TlsSetValue
TlsAlloc
TlsGetValue
GetStartupInfoA
ExitProcess
GetProcAddress
Sleep
GetModuleHandleW
GlobalCompact
SetProcessWorkingSetSize
EncodePointer
OpenProcess
GlobalUnWire
GetStdHandle
IsWow64Process
GetProcessHandleCount
GetProcessHeap
FlushFileBuffers
PulseEvent
GetVersion
RtlUnwind
HeapAlloc
VirtualAlloc
HeapReAlloc
GetStringTypeA
MultiByteToWideChar
GetStringTypeW
GetCommandLineA
GetProcessId
LockResource
GlobalDeleteAtom
LCMapStringA
LCMapStringW
GetModuleFileNameA
SetProcessPriorityBoost
GlobalUnfix
RequestWakeupLatency
IsProcessInJob
GetThreadTimes
GetProcessTimes
PeekNamedPipe

Sections

.text
Size: 34KB - Virtual size: 33KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 104KB - Virtual size: 51.8MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 90KB - Virtual size: 90KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Documents/Ransomware.Jigsaw/jigsaw
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

!mmUPp
Size: 209KB - Virtual size: 208KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.text
Size: 70KB - Virtual size: 70KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Documents/Ransomware.Locky/Locky
.exe windows:4 windows x86 arch:x86

0fcea3af550ad0a893e93808dccf17f4

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

advapi32

GetSecurityDescriptorDacl
RegisterEventSourceA
RegQueryInfoKeyA
GetSidSubAuthorityCount
RegSetValueExA
RegDeleteKeyA
GetKernelObjectSecurity
RegCloseKey
RegQueryValueA
RegLoadKeyA
GetSidSubAuthority
RegConnectRegistryA
LookupPrivilegeValueA
InitiateSystemShutdownA
CreateProcessAsUserA
GetSidIdentifierAuthority
OpenThreadToken
LsaQueryInformationPolicy
RegQueryValueW
EncryptFileW
RegSetValueW
MakeAbsoluteSD
RegOpenKeyExA
RegCreateKeyExW
AddAce
SetNamedSecurityInfoW
OpenEventLogW
GetUserNameW
SetSecurityDescriptorSacl
MakeSelfRelativeSD
RegFlushKey
InitializeSecurityDescriptor
InitializeAcl
SetEntriesInAclA
GetSidLengthRequired
RegSetValueA
SetEntriesInAclW
GetAclInformation

user32

DrawIconEx
IsDialogMessageA
OffsetRect
PostThreadMessageW
DialogBoxParamA
GetLastActivePopup
GetGUIThreadInfo
DrawStateA
IsWindow
OpenClipboard
InSendMessage
FindWindowW
IsMenu
EnumDisplaySettingsA
DrawAnimatedRects
FrameRect
SetMenuDefaultItem
GrayStringW
CreateDialogIndirectParamW
ClientToScreen
GetParent
TranslateMDISysAccel
CreateDesktopW
ShowCaret
GetProcessWindowStation
TrackPopupMenu
IntersectRect
DialogBoxIndirectParamA
DefWindowProcA
ReuseDDElParam
NotifyWinEvent
SetClipboardData
CloseClipboard
DdeDisconnect
GetClassNameA
GetCaretPos
CharLowerW
GetWindowModuleFileNameA
IsWindowVisible
wvsprintfA
ModifyMenuA
SendDlgItemMessageW
SetCaretBlinkTime
LoadMenuW
GetMenuState
DrawTextExA
ChangeDisplaySettingsW
CreateWindowExW
GetCapture
CreatePopupMenu
SetMenu
CharUpperBuffW
DrawStateW
LoadImageA
GetScrollPos
GetDlgItem
GetClipboardFormatNameW
ValidateRgn
GetWindowThreadProcessId
GetClassInfoExW
DdeAccessData
ShowWindow
GetKeyboardLayout
GetClassInfoW
SetCaretPos
LoadCursorA
FillRect
LoadMenuA
mouse_event
ModifyMenuW
InvalidateRgn
GetMenuItemID
IsIconic
OemToCharA
LoadCursorFromFileW
RegisterWindowMessageA
DispatchMessageW
GetCursorPos
CharPrevA
GetWindowWord

imm32

ImmGetProperty
ImmGetCandidateListCountA
ImmGetCompositionStringA
ImmSetConversionStatus
ImmSetOpenStatus
ImmCreateContext
ImmGetOpenStatus
ImmNotifyIME
ImmInstallIMEA
ImmGetContext
ImmDestroyContext
ImmSimulateHotKey
ImmConfigureIMEA
ImmAssociateContext

rasapi32

RasDialA
RasGetProjectionInfoA

kernel32

WriteFileGather
PulseEvent
GetLongPathNameA

Sections

.text
Size: 48KB - Virtual size: 44KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 16KB - Virtual size: 3.7MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 104KB - Virtual size: 100KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Documents/Ransomware.Mamba/131.exe
.exe windows:5 windows x86 arch:x86

dd8fd079a980cb9227eb869f7da9b258

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

Imports

shlwapi

PathFileExistsW
PathFileExistsA

kernel32

Sleep
SizeofResource
GetConsoleWindow
GetVersionExW
GetModuleFileNameW
CreateFileW
MultiByteToWideChar
GetLastError
GetProcAddress
GetSystemDirectoryW
CreateEventW
GetModuleFileNameA
GetModuleHandleA
CloseHandle
CreateThread
CreateProcessA
GetExitCodeProcess
WriteConsoleW
WriteFile
GetModuleHandleW
SetEvent
WaitForSingleObject
CreateDirectoryW
GetCurrentProcess
LoadResource
FindResourceW
GetNativeSystemInfo
GetCommandLineW
GetFileAttributesExW
SetEnvironmentVariableA
LockResource
GetModuleHandleExW
SetStdHandle
ReadConsoleW
LoadLibraryW
InterlockedIncrement
InterlockedDecrement
EncodePointer
DecodePointer
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
WideCharToMultiByte
GetStringTypeW
HeapFree
HeapAlloc
ExitProcess
SetEndOfFile
AreFileApisANSI
GetCommandLineA
RaiseException
RtlUnwind
InitializeCriticalSectionAndSpinCount
GetCPInfo
IsProcessorFeaturePresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
SetLastError
TerminateProcess
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetStartupInfoW
CompareStringW
LCMapStringW
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
IsDebuggerPresent
GetStdHandle
GetFileType
GetProcessHeap
ReadFile
SetFilePointerEx
FlushFileBuffers
GetConsoleCP
GetConsoleMode
HeapSize
LoadLibraryExW
IsValidCodePage
GetACP
GetOEMCP
GetCurrentThreadId
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetFilePointer
HeapReAlloc
OutputDebugStringW

user32

ExitWindowsEx
ShowWindow

advapi32

RegisterServiceCtrlHandlerW
RevertToSelf
SetServiceStatus
ImpersonateLoggedOnUser
ChangeServiceConfig2W
LookupPrivilegeValueW
CreateProcessAsUserW
LogonUserW
StartServiceCtrlDispatcherW
OpenSCManagerW
OpenProcessToken
CreateServiceW
AdjustTokenPrivileges

shell32

ShellExecuteW
ShellExecuteA

Sections

.text
Size: 120KB - Virtual size: 119KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 38KB - Virtual size: 37KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 7KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2.1MB - Virtual size: 2.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 39KB - Virtual size: 39KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Documents/Ransomware.Matsnu/Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .com_
.exe windows:5 windows x86 arch:x86

bd52eaa585e8f1c2fba85e8df7a2e191

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

advapi32

LookupPrivilegeDisplayNameW

gdi32

AbortPath
AbortDoc

dbghelp

SymLoadModule64
FindFileInSearchPath
SymGetLineFromAddr64
SymGetSymFromAddr64

clusapi

FailClusterResource
GetClusterFromNetwork
ClusterRegEnumKey
ClusterGroupGetEnumCount
RestoreClusterDatabase
GetClusterNodeId
ClusterRegDeleteValue
CloseClusterResource
ClusterOpenEnum

kernel32

HeapSize
GetLastError
MoveFileA
GetCommandLineA
HeapSetInformation
GetStartupInfoW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
EncodePointer
DecodePointer
TerminateProcess
GetCurrentProcess
HeapFree
GetFileAttributesA
EnterCriticalSection
LeaveCriticalSection
SetStdHandle
InitializeCriticalSectionAndSpinCount
GetFileType
WriteFile
WideCharToMultiByte
GetConsoleCP
GetConsoleMode
SetHandleCount
GetStdHandle
DeleteCriticalSection
GetProcAddress
GetModuleHandleW
ExitProcess
GetModuleFileNameW
GetModuleFileNameA
FreeEnvironmentStringsW
GetEnvironmentStringsW
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId
InterlockedDecrement
HeapCreate
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
Sleep
GetExitCodeProcess
WaitForSingleObject
CloseHandle
CreateProcessA
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
RtlUnwind
WriteConsoleW
MultiByteToWideChar
SetFilePointer
LoadLibraryW
IsProcessorFeaturePresent
HeapAlloc
HeapReAlloc
CompareStringW
SetEnvironmentVariableA
FlushFileBuffers
LCMapStringW
GetStringTypeW
CreateFileW

Sections

.text
Size: 37KB - Virtual size: 36KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 11KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 6KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 44KB - Virtual size: 43KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/027cc450ef5f8c5f653329641ec1fed9.exe
.dll windows:5 windows x86 arch:x86

52dd60b5f3c9e2f17c2e303e8c8d4eab

Code Sign

2e:ab:11:dc:50:ff:5c:9d:cb:c0
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

22/08/2007, 22:31 UTC

Not After

25/08/2012, 07:00 UTC

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:01:cf:3e:00:00:00:00:00:0f
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

07/12/2009, 22:40 UTC

Not After

07/03/2011, 22:40 UTC

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

6a:0b:99:4f:c0:00:25:ab:11:db:45:1f:58:7a:67:a2
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

16/09/2006, 01:04 UTC

Not After

15/09/2019, 07:00 UTC

Subject

CN=Microsoft Timestamping PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:05:a2:30:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Timestamping PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

25/07/2008, 19:01 UTC

Not After

25/07/2013, 19:11 UTC

Subject

CN=Microsoft Time-Stamp Service,OU=MOPR+OU=nCipher DSE ESN:85D3-305C-5BCF,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

3b:65:0e:49:c6:e9:34:29:f5:80:58:4e:cc:af:af:dd:dd:e9:ce:e5
Signer

Actual PE Digest

3b:65:0e:49:c6:e9:34:29:f5:80:58:4e:cc:af:af:dd:dd:e9:ce:e5

Digest Algorithm

sha1

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

ConnectNamedPipe
GetModuleHandleW
CreateNamedPipeW
TerminateThread
DisconnectNamedPipe
FlushFileBuffers
GetTempPathW
GetProcAddress
DeleteFileW
FreeLibrary
GlobalAlloc
LoadLibraryW
GetComputerNameExW
GlobalFree
ExitProcess
GetVersionExW
GetModuleFileNameW
DisableThreadLibraryCalls
ResumeThread
GetEnvironmentVariableW
GetFileSize
SetFilePointer
SetLastError
LoadResource
GetCurrentThread
OpenProcess
GetSystemDirectoryW
SizeofResource
GetLocalTime
Process32FirstW
LockResource
Process32NextW
GetModuleHandleA
lstrcatW
CreateToolhelp32Snapshot
GetCurrentProcess
VirtualFree
VirtualAlloc
LoadLibraryA
VirtualProtect
WideCharToMultiByte
GetExitCodeProcess
WaitForMultipleObjects
CreateProcessW
PeekNamedPipe
GetTempFileNameW
InterlockedExchange
LeaveCriticalSection
MultiByteToWideChar
CreateFileA
GetTickCount
CreateThread
LocalFree
FindNextFileW
CreateFileMappingW
LocalAlloc
FindClose
GetFileSizeEx
CreateFileW
Sleep
FlushViewOfFile
GetLogicalDrives
WaitForSingleObject
GetDriveTypeW
UnmapViewOfFile
MapViewOfFile
FindFirstFileW
CloseHandle
DeviceIoControl
GetLastError
GetSystemDirectoryA
ReadFile
WriteFile
GetProcessHeap
InitializeCriticalSection
HeapReAlloc
GetWindowsDirectoryW
EnterCriticalSection
HeapFree
SetFilePointerEx
HeapAlloc
FindResourceW

user32

ExitWindowsEx
wsprintfA
wsprintfW

advapi32

CryptGenRandom
CryptAcquireContextA
CryptExportKey
CryptAcquireContextW
CreateProcessAsUserW
InitiateSystemShutdownExW
DuplicateTokenEx
SetTokenInformation
GetTokenInformation
GetSidSubAuthorityCount
OpenThreadToken
GetSidSubAuthority
AdjustTokenPrivileges
LookupPrivilegeValueW
OpenProcessToken
SetThreadToken
CredEnumerateW
CredFree
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
CryptDestroyKey
CryptGenKey
CryptEncrypt
CryptImportKey
CryptSetKeyParam
CryptReleaseContext

shell32

CommandLineToArgvW
SHGetFolderPathW

ole32

CoCreateGuid
CoTaskMemFree
StringFromCLSID

crypt32

CryptStringToBinaryW
CryptBinaryToStringW
CryptDecodeObjectEx

shlwapi

PathAppendW
StrToIntW
PathFindFileNameW
PathFileExistsW
StrCmpW
StrCmpIW
StrChrW
StrCatW
StrStrW
PathFindExtensionW
PathCombineW
StrStrIW

iphlpapi

GetIpNetTable
GetAdaptersInfo

ws2_32

inet_ntoa
gethostbyname
__WSAFDIsSet
ntohl
ioctlsocket
connect
inet_addr
select
recv
send
htons
closesocket
socket
WSAStartup

mpr

WNetOpenEnumW
WNetEnumResourceW
WNetCancelConnection2W
WNetAddConnection2W
WNetCloseEnum

netapi32

NetServerEnum
NetApiBufferFree
NetServerGetInfo

dhcpsapi

DhcpEnumSubnetClients
DhcpRpcFreeMemory
DhcpGetSubnetInfo
DhcpEnumSubnets

msvcrt

malloc
_itoa
free
memset
rand
memcpy

Sections

.text
Size: 47KB - Virtual size: 47KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 33KB - Virtual size: 33KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 20KB - Virtual size: 38KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 242KB - Virtual size: 241KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.bin.gz
.gz
027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.bin
.dll windows:5 windows x86 arch:x86

52dd60b5f3c9e2f17c2e303e8c8d4eab

Code Sign

2e:ab:11:dc:50:ff:5c:9d:cb:c0
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

22/08/2007, 22:31 UTC

Not After

25/08/2012, 07:00 UTC

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:01:cf:3e:00:00:00:00:00:0f
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

07/12/2009, 22:40 UTC

Not After

07/03/2011, 22:40 UTC

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

6a:0b:99:4f:c0:00:25:ab:11:db:45:1f:58:7a:67:a2
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

16/09/2006, 01:04 UTC

Not After

15/09/2019, 07:00 UTC

Subject

CN=Microsoft Timestamping PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:05:a2:30:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Timestamping PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

25/07/2008, 19:01 UTC

Not After

25/07/2013, 19:11 UTC

Subject

CN=Microsoft Time-Stamp Service,OU=MOPR+OU=nCipher DSE ESN:85D3-305C-5BCF,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

3b:65:0e:49:c6:e9:34:29:f5:80:58:4e:cc:af:af:dd:dd:e9:ce:e5
Signer

Actual PE Digest

3b:65:0e:49:c6:e9:34:29:f5:80:58:4e:cc:af:af:dd:dd:e9:ce:e5

Digest Algorithm

sha1

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

ConnectNamedPipe
GetModuleHandleW
CreateNamedPipeW
TerminateThread
DisconnectNamedPipe
FlushFileBuffers
GetTempPathW
GetProcAddress
DeleteFileW
FreeLibrary
GlobalAlloc
LoadLibraryW
GetComputerNameExW
GlobalFree
ExitProcess
GetVersionExW
GetModuleFileNameW
DisableThreadLibraryCalls
ResumeThread
GetEnvironmentVariableW
GetFileSize
SetFilePointer
SetLastError
LoadResource
GetCurrentThread
OpenProcess
GetSystemDirectoryW
SizeofResource
GetLocalTime
Process32FirstW
LockResource
Process32NextW
GetModuleHandleA
lstrcatW
CreateToolhelp32Snapshot
GetCurrentProcess
VirtualFree
VirtualAlloc
LoadLibraryA
VirtualProtect
WideCharToMultiByte
GetExitCodeProcess
WaitForMultipleObjects
CreateProcessW
PeekNamedPipe
GetTempFileNameW
InterlockedExchange
LeaveCriticalSection
MultiByteToWideChar
CreateFileA
GetTickCount
CreateThread
LocalFree
FindNextFileW
CreateFileMappingW
LocalAlloc
FindClose
GetFileSizeEx
CreateFileW
Sleep
FlushViewOfFile
GetLogicalDrives
WaitForSingleObject
GetDriveTypeW
UnmapViewOfFile
MapViewOfFile
FindFirstFileW
CloseHandle
DeviceIoControl
GetLastError
GetSystemDirectoryA
ReadFile
WriteFile
GetProcessHeap
InitializeCriticalSection
HeapReAlloc
GetWindowsDirectoryW
EnterCriticalSection
HeapFree
SetFilePointerEx
HeapAlloc
FindResourceW

user32

ExitWindowsEx
wsprintfA
wsprintfW

advapi32

CryptGenRandom
CryptAcquireContextA
CryptExportKey
CryptAcquireContextW
CreateProcessAsUserW
InitiateSystemShutdownExW
DuplicateTokenEx
SetTokenInformation
GetTokenInformation
GetSidSubAuthorityCount
OpenThreadToken
GetSidSubAuthority
AdjustTokenPrivileges
LookupPrivilegeValueW
OpenProcessToken
SetThreadToken
CredEnumerateW
CredFree
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
CryptDestroyKey
CryptGenKey
CryptEncrypt
CryptImportKey
CryptSetKeyParam
CryptReleaseContext

shell32

CommandLineToArgvW
SHGetFolderPathW

ole32

CoCreateGuid
CoTaskMemFree
StringFromCLSID

crypt32

CryptStringToBinaryW
CryptBinaryToStringW
CryptDecodeObjectEx

shlwapi

PathAppendW
StrToIntW
PathFindFileNameW
PathFileExistsW
StrCmpW
StrCmpIW
StrChrW
StrCatW
StrStrW
PathFindExtensionW
PathCombineW
StrStrIW

iphlpapi

GetIpNetTable
GetAdaptersInfo

ws2_32

inet_ntoa
gethostbyname
__WSAFDIsSet
ntohl
ioctlsocket
connect
inet_addr
select
recv
send
htons
closesocket
socket
WSAStartup

mpr

WNetOpenEnumW
WNetEnumResourceW
WNetCancelConnection2W
WNetAddConnection2W
WNetCloseEnum

netapi32

NetServerEnum
NetApiBufferFree
NetServerGetInfo

dhcpsapi

DhcpEnumSubnetClients
DhcpRpcFreeMemory
DhcpGetSubnetInfo
DhcpEnumSubnets

msvcrt

malloc
_itoa
free
memset
rand
memcpy

Sections

.text
Size: 47KB - Virtual size: 47KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 33KB - Virtual size: 33KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 20KB - Virtual size: 38KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 242KB - Virtual size: 241KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6.bin.gz
.gz
ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6.bin
.js
Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206_OFkNP1kKL9.bin.gz
.gz
fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206_OFkNP1kKL9.bin
.rtf
Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/myguy.hta
.js
Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/svchost.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 587KB - Virtual size: 587KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 115KB - Virtual size: 115KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Documents/Ransomware.Petya/Ransomware.Petya/26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739.exe
.exe windows:5 windows x86 arch:x86

1a63922d5931d1bb8ca5188313f78eaa

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

GoogleCrashHandler_unsigned.pdb

Imports

kernel32

GetCurrentThreadId
GetStdHandle
GetFileType
GetStartupInfoW
GetModuleFileNameW
WriteFile
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
GetEnvironmentStringsW
FreeEnvironmentStringsW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
CreateEventW
Sleep
GetCurrentProcess
TerminateProcess
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetTickCount
CreateSemaphoreW
FreeLibrary
LoadLibraryExW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
RtlUnwind
LCMapStringW
GetStringTypeW
FlushFileBuffers
GetConsoleCP
GetConsoleMode
SetStdHandle
SetFilePointerEx
WriteConsoleW
CloseHandle
CreateFileW
SizeofResource
LockResource
LoadResource
FindResourceW
FindResourceExW
LocalFree
CreateDirectoryW
DeleteFileW
GetCurrentThread
WaitForMultipleObjects
LoadLibraryW
WaitForSingleObject
GetExitCodeProcess
DuplicateHandle
ReleaseMutex
GetEnvironmentVariableW
lstrcmpiW
VirtualQuery
GetTempPathW
GetLocalTime
OutputDebugStringA
GetPrivateProfileIntW
GetPrivateProfileStringW
lstrcmpW
lstrlenW
SetFilePointer
CreateMutexW
InitializeCriticalSection
TryEnterCriticalSection
SetEvent
ResetEvent
GetFileAttributesExW
SetLastError
VerifyVersionInfoW
VerSetConditionMask
MoveFileExW
GetFileTime
ReadFile
DeviceIoControl
SetProcessWorkingSetSize
OpenProcess
CreateProcessW
ReadProcessMemory
lstrcpynW
GlobalAlloc
GlobalLock
GlobalUnlock
GlobalFree
CreateThread
DebugActiveProcess
GetThreadContext
DebugActiveProcessStop
VirtualQueryEx
GetProcessId
GetSystemInfo
ContinueDebugEvent
WaitForDebugEvent
WideCharToMultiByte
MultiByteToWideChar
GetModuleHandleExW
ExitProcess
IsProcessorFeaturePresent
GetCommandLineW
EncodePointer
LeaveCriticalSection
WaitNamedPipeW
TransactNamedPipe
SetNamedPipeHandleState
RtlCaptureContext
ReleaseSemaphore
EnterCriticalSection
OutputDebugStringW
DeleteCriticalSection
DecodePointer
HeapSize
GetProcAddress
GetLastError
RaiseException
HeapDestroy
InitializeCriticalSectionAndSpinCount
GetProcessHeap
GetModuleHandleW
HeapFree
IsDebuggerPresent
GetUserDefaultLangID
GetSystemDefaultLangID
GetComputerNameExW
GetOverlappedResult
ConnectNamedPipe
CreateNamedPipeW
DisconnectNamedPipe
UnregisterWait
GetProcessTimes
UnregisterWaitEx
RegisterWaitForSingleObject
VirtualProtect
VirtualAlloc
HeapAlloc
RemoveDirectoryW
HeapReAlloc

user32

SetClipboardData
EmptyClipboard
OpenClipboard
GetProcessWindowStation
CloseDesktop
CloseClipboard
CharUpperW
CharLowerW
PostThreadMessageW
DispatchMessageW
GetMessageW
PeekMessageW
EnumWindows
IsWindowVisible
GetWindowThreadProcessId
SetThreadDesktop
CreateWindowStationW
CloseWindowStation
GetThreadDesktop
SetProcessWindowStation
CreateDesktopW
wvsprintfW
wsprintfW
MessageBoxW

advapi32

GetSecurityDescriptorSacl
GetSecurityDescriptorDacl
GetSecurityDescriptorGroup
GetSecurityDescriptorOwner
GetSecurityDescriptorControl
GetLengthSid
CopySid
IsValidSid
GetSidSubAuthority
InitializeSid
GetSidLengthRequired
SetSecurityDescriptorDacl
AddAce
InitializeAcl
GetAclInformation
InitializeSecurityDescriptor
MakeAbsoluteSD
OpenProcessToken
GetTokenInformation
SetSecurityDescriptorOwner
SetSecurityDescriptorGroup
GetAce
MakeSelfRelativeSD
GetSecurityDescriptorLength
EqualSid
SetNamedSecurityInfoW
ConvertStringSidToSidW
OpenThreadToken
RegQueryValueExW
RegOpenKeyExW
RegDeleteKeyW
RegDeleteValueW
RegCloseKey
RegCreateKeyExW
RegSetValueExW
RegEnumKeyExW
RegQueryInfoKeyW
ConvertSidToStringSidW
AllocateAndInitializeSid
CheckTokenMembership
FreeSid
SetSecurityDescriptorSacl
GetTraceLoggerHandle
GetTraceEnableFlags
GetTraceEnableLevel
RegisterTraceGuidsW
UnregisterTraceGuids
TraceEvent
SetTokenInformation

ole32

CoCreateGuid
StringFromGUID2

shell32

SHGetFolderPathW

netapi32

NetApiBufferFree
NetWkstaGetInfo

rpcrt4

UuidCreate

shlwapi

PathRemoveExtensionW
PathRemoveFileSpecW
PathStripPathW
PathCanonicalizeW
PathIsRelativeW
SHQueryValueExW
PathAppendW

userenv

UnloadUserProfile

version

GetFileVersionInfoW
VerQueryValueW
GetFileVersionInfoSizeW

Sections

.text
Size: 156KB - Virtual size: 155KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 48KB - Virtual size: 48KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 6KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Documents/Ransomware.Petya/Ransomware.Petya/4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c.bin
.exe windows:5 windows x86 arch:x86

bf084102e13441ce39f8d51d9bf55857

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ole32

IIDFromString
StringFromGUID2
OleUninitialize
OleInitialize
OleRun
OleSetContainedObject
CoInitializeEx
CoTaskMemAlloc
CoTaskMemFree
CoInitialize
CoTaskMemRealloc
CoUninitialize
CoCreateInstance

shell32

SHGetFolderPathW
FindExecutableA
Shell_NotifyIconA
SHGetFolderPathA
ShellExecuteExA

wininet

InternetTimeFromSystemTime
InternetTimeToSystemTime
InternetCrackUrlA
HttpQueryInfoA
InternetConnectA
InternetReadFile
HttpOpenRequestA
InternetGetConnectedState
InternetErrorDlg
HttpSendRequestA
InternetOpenA
InternetCloseHandle

user32

IsChild
SetFocus
SetRect
GetWindowThreadProcessId
RegisterClassExA
GetFocus
GetAncestor
GetSystemMenu
GetWindowRect
GetParent
GetClientRect
SendMessageA
GetClassInfoExW
GetDC
TranslateMessage
RegisterClassExW
GetWindowLongW
ReleaseDC
EnableMenuItem
SetWindowLongW
GetDesktopWindow
SetWindowPos
CreateWindowExW
AdjustWindowRectEx
LoadCursorA
SetWindowLongA
GetWindowLongA
CreateWindowExA
MessageBoxA
CharNextA
DispatchMessageW
RegisterClassA
LoadImageA
GetSystemMetrics
DispatchMessageA
PostMessageA
AppendMenuA
CreatePopupMenu
ShowWindow
MsgWaitForMultipleObjectsEx
GetCursorPos
DefWindowProcA
IsWindowUnicode
SetWindowTextW
DefWindowProcW
wsprintfA
LoadStringA
DestroyWindow
GetMessageA
GetMessageW
PostQuitMessage
TrackPopupMenu
SetForegroundWindow
PeekMessageA

comctl32

InitCommonControlsEx

version

GetFileVersionInfoA
GetFileVersionInfoSizeA
VerQueryValueW
VerQueryValueA

kernel32

GetStdHandle
WriteConsoleW
GetConsoleMode
GetConsoleCP
GetFileType
GetStartupInfoW
HeapSetInformation
GetSystemTimeAsFileTime
VirtualQuery
GetSystemInfo
GetModuleHandleW
VirtualAlloc
GetModuleFileNameW
HeapAlloc
HeapFree
FileTimeToLocalFileTime
GetDriveTypeW
FindFirstFileExW
SetStdHandle
HeapReAlloc
GetCPInfo
RtlUnwind
LCMapStringW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
ExitThread
CreateDirectoryW
VirtualProtect
GetFullPathNameW
HeapCreate
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
SetLastError
HeapSize
GetLocaleInfoW
SetHandleCount
GetTimeZoneInformation
SetFilePointer
FlushFileBuffers
IsDebuggerPresent
IsProcessorFeaturePresent
GetACP
GetOEMCP
IsValidCodePage
FreeEnvironmentStringsW
GetEnvironmentStringsW
lstrcmpA
GetModuleHandleA
FindResourceA
lstrlenA
GetModuleHandleExA
FreeLibrary
LoadResource
SetEndOfFile
InterlockedDecrement
GetCommandLineA
WideCharToMultiByte
InitializeCriticalSectionAndSpinCount
SizeofResource
SetDllDirectoryA
IsDBCSLeadByte
MultiByteToWideChar
lstrlenW
RaiseException
GetLastError
lstrcmpiA
GetProcAddress
GetModuleFileNameA
LoadLibraryExA
CreateMutexA
DeleteCriticalSection
CloseHandle
WaitForSingleObject
FormatMessageA
GetExitCodeProcess
LocalFree
DeleteFileA
SetEvent
CreateEventA
lstrcatA
ResetEvent
WaitForMultipleObjects
CreateThread
lstrcpyA
lstrcpynA
CreateFileA
WriteFile
Sleep
ReadFile
OpenEventA
GetSystemTime
GetCurrentProcess
GetTickCount
GetCurrentProcessId
GetTempPathA
SystemTimeToFileTime
FileTimeToSystemTime
MulDiv
InterlockedExchange
InterlockedExchangeAdd
LocalAlloc
GetCurrentThreadId
FormatMessageW
GetLocalTime
ExitProcess
GetLocaleInfoA
GetWindowsDirectoryA
OpenProcess
TerminateProcess
GetSystemDirectoryA
FindFirstFileA
FindClose
LoadLibraryA
LockResource
GetNativeSystemInfo
PeekNamedPipe
SetHandleInformation
CreateProcessA
CreateDirectoryA
GetProcessHeap
CreatePipe
GetSystemDefaultUILanguage
GetThreadLocale
GetUserDefaultUILanguage
MoveFileExA
GetFileAttributesA
FindNextFileA
OpenThread
GetExitCodeThread
GetModuleHandleExW
LoadLibraryW
LoadLibraryExW
ReleaseMutex
QueryPerformanceCounter
QueryPerformanceFrequency
CreateFileW
SetFilePointerEx
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection
InterlockedCompareExchange
GetStringTypeW
EncodePointer
DecodePointer
GetCurrentDirectoryW
GetFileInformationByHandle
GetUserDefaultLCID
EnumSystemLocalesA
IsValidLocale
CompareStringW
SetEnvironmentVariableA
InterlockedIncrement
RemoveDirectoryA

advapi32

SetSecurityDescriptorDacl
InitializeSecurityDescriptor
RegCloseKey
RegDeleteValueA
RegOpenKeyExA
RegCreateKeyExA
RegEnumKeyExA
RegDeleteKeyA
RegQueryInfoKeyW
RegSetValueExA
CryptGetHashParam
RegQueryInfoKeyA
GetTokenInformation
CopySid
GetWindowsAccountDomainSid
CreateWellKnownSid
ConvertStringSecurityDescriptorToSecurityDescriptorW
ConvertSidToStringSidW
RegQueryValueExA
CryptReleaseContext
CryptAcquireContextA
CryptCreateHash
CryptDestroyHash
CryptHashData
RegEnumKeyA
OpenProcessToken

oleaut32

SysFreeString
VarUI4FromStr
VariantClear
SysAllocString
VariantCopy
VariantInit
VariantChangeType
GetErrorInfo
SysStringByteLen

shlwapi

ord12

gdi32

GetStockObject
GetDeviceCaps

wintrust

WinVerifyTrust

crypt32

CryptMsgClose
CryptQueryObject
CertGetNameStringW
CertFindCertificateInStore
CertCloseStore
CryptMsgGetParam
CryptStringToBinaryA
CryptBinaryToStringA
CryptProtectData
CryptUnprotectData

msi

ord141
ord168
ord160
ord158
ord115
ord159
ord117
ord8
ord44
ord204
ord189
ord67
ord31
ord137
ord91

Sections

.text
Size: 447KB - Virtual size: 446KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 138KB - Virtual size: 137KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 15KB - Virtual size: 26KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 146KB - Virtual size: 145KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 40KB - Virtual size: 40KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Documents/Ransomware.Radamant/Ransomware.Radamant/DUMP_00A10000-00A1D000.exe.ViR
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Sections

UPX0
Size: - Virtual size: 76KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 14KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
out.upx
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Sections

.text
Size: 42KB - Virtual size: 42KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 736B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 23KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 860B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Documents/Ransomware.Radamant/Ransomware.Radamant/Supplementary Agreement 26_01_2016.zip.ViR
.zip
Supplementary Agreement 26_01_2016.scr
.exe windows:5 windows x86 arch:x86

67ef42078ff0fa6e633d4e8d0e87faba

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NO_ISOLATION

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

J:\Krypton_15.0_SR\Bin\StubNew.pdb

Imports

kernel32

GetProcAddress
LoadLibraryA
LocalAlloc
GetExitCodeThread
LocalFree
RtlZeroMemory
CreateThread
lstrcpyA
SwitchToThread
WaitForSingleObject
OutputDebugStringW
ExitProcess
LoadLibraryW

user32

OpenClipboard
GetActiveWindow
MessageBoxA

advapi32

RegCreateKeyExA
SetEntriesInAclA
RegCloseKey
FreeSid
AllocateAndInitializeSid
AbortSystemShutdownA
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
RegDeleteKeyA

winmm

mciSendStringA
mciGetErrorStringA

userenv

GetDefaultUserProfileDirectoryW

winspool.drv

ClosePrinter
OpenPrinterA
EndDocPrinter
ord201
StartDocPrinterA
EndPagePrinter
WritePrinter
StartPagePrinter

Sections

.text
Size: 44KB - Virtual size: 43KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 14KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Documents/Ransomware.Rex/WTEpZSFwgb
.elf linux x86
Documents/Ransomware.Satana/Ransomware.Satana/683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.bin
.exe windows:5 windows x86 arch:x86

a3bc0305643e7601d6deca72652f4ab5

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NO_ISOLATION
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

ntdll

vsprintf
memmove
NtYieldExecution
strchr
strncpy
_stricmp
memset

kernel32

GetLocalTime
OutputDebugStringA

user32

MessageBoxA

opengl32

glEnd
glEnable
glLineWidth
glPolygonMode
glColor3d
glBegin
glDisable
glClear
glPointSize
glLineStipple
glVertex3d

Sections

.text
Size: 8KB - Virtual size: 12KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 38KB - Virtual size: 40KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 930B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Documents/Ransomware.Satana/Ransomware.Satana/unpacked.mem
.exe windows:5 windows x86 arch:x86

d99e35e9d4559cb6df0e1eb507b928cc

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

ntdll

RtlGetNtVersionNumbers
strrchr
wcsncmp
wcstombs
_vsnwprintf
wcsstr
wcsrchr
NtQueryInformationProcess
RtlGetCurrentPeb
NtYieldExecution
vsprintf
mbstowcs
sprintf
_stricmp
_chkstk
memset
memcpy
_allrem
RtlUnwind

msvcrt

??3@YAXPAX@Z
free
??2@YAPAXI@Z
malloc

kernel32

GetTempPathW
SwitchToThread
ExpandEnvironmentStringsW
CreateThread
DeleteFileA
SetFileAttributesW
ResumeThread
WriteProcessMemory
LocalFree
DeleteFileW
GetWindowsDirectoryW
CloseHandle
GetFullPathNameW
ExitProcess
GetCommandLineW
GetComputerNameA
CreateFileA
GetFileSize
SetPriorityClass
FindFirstFileW
SetFilePointer
GetLocaleInfoA
MapViewOfFile
UnmapViewOfFile
GetDriveTypeW
FreeLibrary
HeapAlloc
SetUnhandledExceptionFilter
InterlockedIncrement
MoveFileExW
InterlockedDecrement
GetCurrentProcess
GetLogicalDriveStringsW
HeapFree
WaitForSingleObject
GetSystemDefaultLCID
OutputDebugStringW
GetTickCount
GetProcessHeap
FormatMessageA
WriteFile
InitializeCriticalSection
GetSystemDirectoryW
Sleep
CopyFileW
LeaveCriticalSection
HeapCreate
CreateProcessA
ReadFile
CreateFileW
SetThreadPriority
FlushFileBuffers
OutputDebugStringA
GetFileSizeEx
GetLastError
GetProcAddress
QueueUserAPC
MoveFileW
EnterCriticalSection
VirtualAllocEx
FindClose
GetLocalTime
LoadLibraryA
CreateFileMappingA
LocalAlloc
DeviceIoControl
WaitForMultipleObjects
GetModuleFileNameA
GetModuleHandleA
FindNextFileW
GetShortPathNameW

mpr

WNetOpenEnumW
WNetEnumResourceW
WNetCloseEnum

ws2_32

WSAStartup
connect
send
gethostbyname
closesocket
socket
htons

user32

MessageBoxA
wsprintfW

advapi32

GetUserNameA
RegSetValueExW
RegCloseKey
GetCurrentHwProfileW
RegSetValueExA
RegOpenKeyExA
RegCreateKeyExA
RegQueryValueExA

shell32

CommandLineToArgvW

Sections

.text
Size: 22KB - Virtual size: 21KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 70KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Documents/Ransomware.TeslaCrypt/Ransomware.TeslaCrypt/3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370
.exe windows:4 windows x86 arch:x86

41bde7e296ed20c37e477bd256a1b6dc

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

shlwapi

PathFindFileNameW

psapi

EnumProcesses
GetProcessImageFileNameW

msimg32

GradientFill

kernel32

GetLogicalDriveStringsW
CreateProcessA
CreateThread
GetLastError
GlobalUnlock
GlobalLock
GlobalAlloc
LocalFree
LocalAlloc
GetCurrentProcess
SetLastError
GetEnvironmentVariableW
lstrcatW
lstrcpyW
GetShortPathNameW
GetModuleFileNameW
lstrlenW
Sleep
TerminateProcess
OpenProcess
GetCurrentProcessId
GetModuleHandleW
CreateProcessW
CopyFileW
GetFullPathNameW
LoadLibraryW
AllocConsole
GetVersionExW
CreateMutexW
GetSystemInfo
GetTickCount
QueryPerformanceCounter
GlobalMemoryStatus
FreeLibrary
GetProcAddress
GetDriveTypeW
GetStringTypeW
GetStringTypeA
HeapSize
WriteConsoleW
GetConsoleOutputCP
WriteConsoleA
SetStdHandle
LoadLibraryA
InitializeCriticalSection
GetCommandLineW
GetCommandLineA
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsA
LCMapStringW
LCMapStringA
GetOEMCP
GetACP
GetCPInfo
GetStartupInfoA
GetFileType
SetHandleCount
FlushFileBuffers
MultiByteToWideChar
InterlockedDecrement
GetCurrentThreadId
InterlockedIncrement
TlsFree
TlsSetValue
ExitThread
FindFirstFileW
FindNextFileW
FindClose
DeleteFileW
CreateFileW
GetFileSize
CloseHandle
ReadFile
SetFilePointer
WriteFile
MoveFileW
GetSystemTimeAsFileTime
GetLocalTime
CreateFileA
SetEndOfFile
GetLocaleInfoA
TlsAlloc
TlsGetValue
GetConsoleMode
GetConsoleCP
WideCharToMultiByte
GetModuleFileNameA
GetStdHandle
ExitProcess
GetModuleHandleA
VirtualAlloc
DeleteCriticalSection
VirtualFree
HeapCreate
HeapDestroy
GetStartupInfoW
HeapFree
HeapAlloc
HeapReAlloc
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
RaiseException
RtlUnwind
EnterCriticalSection
LeaveCriticalSection
GetVersionExA
GetProcessHeap

user32

CloseClipboard
PostMessageW
SetClipboardData
EmptyClipboard
LoadCursorW
GetMessageW
TranslateMessage
DispatchMessageW
RegisterClassExW
ShowWindow
PostQuitMessage
EnableWindow
DefWindowProcW
UpdateWindow
SendMessageW
PtInRect
SetCursor
DrawIconEx
OpenClipboard
EnableMenuItem
LookupIconIdFromDirectoryEx
CreateIconFromResourceEx
DialogBoxIndirectParamW
BeginPaint
EndPaint
DestroyWindow
EndDialog
GetWindowTextA
MessageBoxW
CreateWindowExW
GetDC
ReleaseDC
SystemParametersInfoW
GetClientRect
DrawTextW
GetSystemMenu

gdi32

RoundRect
GetDIBits
CreateCompatibleDC
SetBkMode
SetTextColor
DeleteDC
CreateFontW
SelectObject
GetStockObject
DeleteObject
CreateCompatibleBitmap

advapi32

RegOpenKeyExW
RegCreateKeyExW
RegSetValueExW
RegCloseKey
OpenProcessToken
GetTokenInformation
GetSidSubAuthority

shell32

SHGetFolderPathW
ShellExecuteW
ShellExecuteA
ShellExecuteExW

ole32

CoInitializeEx
CoCreateInstance

wininet

InternetCloseHandle
InternetReadFile
HttpSendRequestA
HttpOpenRequestA
InternetConnectA
InternetSetCookieW
InternetOpenA

Sections

.text
Size: 216KB - Virtual size: 214KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 32KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 28KB - Virtual size: 108KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 852B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Documents/Ransomware.TeslaCrypt/Ransomware.TeslaCrypt/51B4EF5DC9D26B7A26E214CEE90598631E2EAA67
.exe windows:4 windows x86 arch:x86

5656329acd9893a7babdc7ca571a6139

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Imports

kernel32

CreateProcessW
DeleteCriticalSection
EnterCriticalSection
ExitProcess
FindClose
FindFirstFileA
FindNextFileA
FindResourceW
GetCommandLineA
GetCommandLineW
GetLastError
GetModuleHandleA
GetProcAddress
GetStartupInfoA
GetThreadContext
InitializeCriticalSection
InterlockedExchange
IsDBCSLeadByteEx
LeaveCriticalSection
LoadLibraryA
LoadLibraryW
LoadResource
LockResource
MultiByteToWideChar
SetUnhandledExceptionFilter
SizeofResource
Sleep
TlsGetValue
VirtualProtect
VirtualQuery
WideCharToMultiByte

msvcrt

_strdup
_stricoll
__getmainargs
__mb_cur_max
__p__environ
__p__fmode
__set_app_type
_cexit
_errno
_fullpath
_iob
_onexit
_setmode
abort
atexit
atoi
calloc
exit
fputc
free
fwrite
getenv
isspace
localeconv
malloc
mbstowcs
memcpy
realloc
setlocale
signal
sprintf
strchr
strcoll
strlen
tolower
vfprintf
wcslen
wcstombs

shell32

CommandLineToArgvW

Sections

.text
Size: 38KB - Virtual size: 38KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 48B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 17KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.eh_fram
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 2KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 32B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 190KB - Virtual size: 189KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Documents/Ransomware.TeslaCrypt/Ransomware.TeslaCrypt/E906FA3D51E86A61741B3499145A114E9BFB7C56
.exe windows:4 windows x86 arch:x86

99bff35f43bcff8998b2001d6df68577

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Imports

gdi32

DeleteObject
GetStockObject

kernel32

CreateProcessW
DeleteCriticalSection
EnterCriticalSection
ExitProcess
FindClose
FindFirstFileA
FindNextFileA
FindResourceW
GetCommandLineA
GetLastError
GetModuleFileNameW
GetModuleHandleA
GetProcAddress
GetStartupInfoA
InitializeCriticalSection
InterlockedExchange
IsDBCSLeadByteEx
LeaveCriticalSection
LoadLibraryA
LoadResource
MultiByteToWideChar
SetUnhandledExceptionFilter
Sleep
TlsGetValue
VirtualProtect
VirtualQuery
WideCharToMultiByte

msvcrt

_strdup
_stricoll
__getmainargs
__mb_cur_max
__p__environ
__p__fmode
__set_app_type
_cexit
_errno
_fullpath
_iob
_onexit
_setmode
abort
atexit
atoi
calloc
exit
fputc
free
fwrite
getenv
isspace
localeconv
malloc
mbstowcs
memcpy
realloc
setlocale
signal
sprintf
strchr
strcoll
strlen
tolower
vfprintf
wcslen
wcstombs

ole32

CoInitializeEx

shell32

SHGetFolderPathA

user32

DispatchMessageA
GetMessageA
ShowWindow
TranslateMessage
UpdateWindow

Sections

.text
Size: 42KB - Virtual size: 41KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 48B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 17KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

/4
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 2KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 32B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 189KB - Virtual size: 189KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Documents/Ransomware.Vipasana/Ransomware.Vipasana/0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Sections

CODE
Size: 245KB - Virtual size: 245KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

DATA
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

BSS
Size: - Virtual size: 4KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: - Virtual size: 12B

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 512B - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 97KB - Virtual size: 100KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Documents/Ransomware.Vipasana/Ransomware.Vipasana/c0cf40b8830d666a24bdd4febdc162e95aa30ed968fa3675e26ad97b2e88e03a
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Sections

CODE
Size: 245KB - Virtual size: 245KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

DATA
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

BSS
Size: - Virtual size: 4KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: - Virtual size: 12B

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 512B - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 97KB - Virtual size: 100KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Documents/Ransomware.Vipasana/Ransomware.Vipasana/e49778d20a2f9b1f8b00ddd24b6bcee81af381ed02cfe0a3c9ab3111cda5f573
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Sections

CODE
Size: 245KB - Virtual size: 245KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

DATA
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

BSS
Size: - Virtual size: 4KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: - Virtual size: 12B

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 512B - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 56KB - Virtual size: 56KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Documents/Ransomware.WannaCry/Ransomware.WannaCry.zip
.zip

Password: infected
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
.exe windows:4 windows x86 arch:x86

68f013d7437aa653a8a98a05807afeb1

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetFileAttributesW
GetFileSizeEx
CreateFileA
InitializeCriticalSection
DeleteCriticalSection
ReadFile
GetFileSize
WriteFile
LeaveCriticalSection
EnterCriticalSection
SetFileAttributesW
SetCurrentDirectoryW
CreateDirectoryW
GetTempPathW
GetWindowsDirectoryW
GetFileAttributesA
SizeofResource
LockResource
LoadResource
MultiByteToWideChar
Sleep
OpenMutexA
GetFullPathNameA
CopyFileA
GetModuleFileNameA
VirtualAlloc
VirtualFree
FreeLibrary
HeapAlloc
GetProcessHeap
GetModuleHandleA
SetLastError
VirtualProtect
IsBadReadPtr
HeapFree
SystemTimeToFileTime
LocalFileTimeToFileTime
CreateDirectoryA
GetStartupInfoA
SetFilePointer
SetFileTime
GetComputerNameW
GetCurrentDirectoryA
SetCurrentDirectoryA
GlobalAlloc
LoadLibraryA
GetProcAddress
GlobalFree
CreateProcessA
CloseHandle
WaitForSingleObject
TerminateProcess
GetExitCodeProcess
FindResourceA

user32

wsprintfA

advapi32

CreateServiceA
OpenServiceA
StartServiceA
CloseServiceHandle
CryptReleaseContext
RegCreateKeyW
RegSetValueExA
RegQueryValueExA
RegCloseKey
OpenSCManagerA

msvcrt

realloc
fclose
fwrite
fread
fopen
sprintf
rand
srand
strcpy
memset
strlen
wcscat
wcslen
__CxxFrameHandler
??3@YAXPAX@Z
memcmp
_except_handler3
_local_unwind2
wcsrchr
swprintf
??2@YAPAXI@Z
memcpy
strcmp
strrchr
__p___argv
__p___argc
_stricmp
free
malloc
??0exception@@QAE@ABV0@@Z
??1exception@@UAE@XZ
??0exception@@QAE@ABQBD@Z
_CxxThrowException
calloc
strcat
_mbsstr
??1type_info@@UAE@XZ
_exit
_XcptFilter
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_controlfp

Sections

.text
Size: 28KB - Virtual size: 26KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 24KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 3.3MB - Virtual size: 3.3MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Documents/Ransomware.WannaCry/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
.exe windows:4 windows x86 arch:x86

68f013d7437aa653a8a98a05807afeb1

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetFileAttributesW
GetFileSizeEx
CreateFileA
InitializeCriticalSection
DeleteCriticalSection
ReadFile
GetFileSize
WriteFile
LeaveCriticalSection
EnterCriticalSection
SetFileAttributesW
SetCurrentDirectoryW
CreateDirectoryW
GetTempPathW
GetWindowsDirectoryW
GetFileAttributesA
SizeofResource
LockResource
LoadResource
MultiByteToWideChar
Sleep
OpenMutexA
GetFullPathNameA
CopyFileA
GetModuleFileNameA
VirtualAlloc
VirtualFree
FreeLibrary
HeapAlloc
GetProcessHeap
GetModuleHandleA
SetLastError
VirtualProtect
IsBadReadPtr
HeapFree
SystemTimeToFileTime
LocalFileTimeToFileTime
CreateDirectoryA
GetStartupInfoA
SetFilePointer
SetFileTime
GetComputerNameW
GetCurrentDirectoryA
SetCurrentDirectoryA
GlobalAlloc
LoadLibraryA
GetProcAddress
GlobalFree
CreateProcessA
CloseHandle
WaitForSingleObject
TerminateProcess
GetExitCodeProcess
FindResourceA

user32

wsprintfA

advapi32

CreateServiceA
OpenServiceA
StartServiceA
CloseServiceHandle
CryptReleaseContext
RegCreateKeyW
RegSetValueExA
RegQueryValueExA
RegCloseKey
OpenSCManagerA

msvcrt

realloc
fclose
fwrite
fread
fopen
sprintf
rand
srand
strcpy
memset
strlen
wcscat
wcslen
__CxxFrameHandler
??3@YAXPAX@Z
memcmp
_except_handler3
_local_unwind2
wcsrchr
swprintf
??2@YAPAXI@Z
memcpy
strcmp
strrchr
__p___argv
__p___argc
_stricmp
free
malloc
??0exception@@QAE@ABV0@@Z
??1exception@@UAE@XZ
??0exception@@QAE@ABQBD@Z
_CxxThrowException
calloc
strcat
_mbsstr
??1type_info@@UAE@XZ
_exit
_XcptFilter
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_controlfp

Sections

.text
Size: 28KB - Virtual size: 26KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 24KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 3.3MB - Virtual size: 3.3MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Resubmissions

Sharing

General

Malware Config

Signatures

Files

9d6ed8d049bc10bc45b1995cb6f7f4b6

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

shell32

shlwapi

comctl32

msvcrt

Sections

.text Size: 315KB - Virtual size: 315KB

.rdata Size: 234KB - Virtual size: 234KB

.data Size: 4KB - Virtual size: 4KB

.rsrc Size: 49KB - Virtual size: 48KB

edbc0337cc897a187d263d79c09c15c7

Headers

DLL Characteristics

File Characteristics

Imports

user32

comdlg32

advapi32

dbghelp

comctl32

kernel32

Sections

.text Size: 34KB - Virtual size: 33KB

.rdata Size: 10KB - Virtual size: 10KB

.data Size: 104KB - Virtual size: 51.8MB

.rsrc Size: 90KB - Virtual size: 90KB

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

File Characteristics

Imports

mscoree

Sections

!mmUPp Size: 209KB - Virtual size: 208KB

.text Size: 70KB - Virtual size: 70KB

.rsrc Size: 2KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 12B

Size: 512B - Virtual size: 16B

0fcea3af550ad0a893e93808dccf17f4

Headers

File Characteristics

Imports

advapi32

user32

imm32

rasapi32

kernel32

Sections

.text Size: 48KB - Virtual size: 44KB

.rdata Size: 8KB - Virtual size: 4KB

.data Size: 16KB - Virtual size: 3.7MB

.rsrc Size: 104KB - Virtual size: 100KB

dd8fd079a980cb9227eb869f7da9b258

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

shlwapi

kernel32

user32

advapi32

shell32

Sections

.text Size: 120KB - Virtual size: 119KB

.rdata Size: 38KB - Virtual size: 37KB

.text
Size: 315KB - Virtual size: 315KB

.rdata
Size: 234KB - Virtual size: 234KB

.data
Size: 4KB - Virtual size: 4KB

.rsrc
Size: 49KB - Virtual size: 48KB

.text
Size: 34KB - Virtual size: 33KB

.rdata
Size: 10KB - Virtual size: 10KB

.data
Size: 104KB - Virtual size: 51.8MB

.rsrc
Size: 90KB - Virtual size: 90KB

!mmUPp
Size: 209KB - Virtual size: 208KB

.text
Size: 70KB - Virtual size: 70KB

.rsrc
Size: 2KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 12B

.text
Size: 48KB - Virtual size: 44KB

.rdata
Size: 8KB - Virtual size: 4KB

.data
Size: 16KB - Virtual size: 3.7MB

.rsrc
Size: 104KB - Virtual size: 100KB

.text
Size: 120KB - Virtual size: 119KB

.rdata
Size: 38KB - Virtual size: 37KB

.data
Size: 7KB - Virtual size: 15KB

.rsrc
Size: 2.1MB - Virtual size: 2.1MB

.reloc
Size: 39KB - Virtual size: 39KB

.text
Size: 37KB - Virtual size: 36KB

.rdata
Size: 11KB - Virtual size: 10KB

.data
Size: 6KB - Virtual size: 13KB

.rsrc
Size: 44KB - Virtual size: 43KB

.reloc
Size: 3KB - Virtual size: 3KB

2e:ab:11:dc:50:ff:5c:9d:cb:c0
Certificate

61:01:cf:3e:00:00:00:00:00:0f
Certificate

6a:0b:99:4f:c0:00:25:ab:11:db:45:1f:58:7a:67:a2
Certificate

61:05:a2:30:00:00:00:00:00:08
Certificate

3b:65:0e:49:c6:e9:34:29:f5:80:58:4e:cc:af:af:dd:dd:e9:ce:e5
Signer

.text
Size: 47KB - Virtual size: 47KB

.rdata
Size: 33KB - Virtual size: 33KB

.data
Size: 20KB - Virtual size: 38KB

.rsrc
Size: 242KB - Virtual size: 241KB

.reloc
Size: 3KB - Virtual size: 3KB

2e:ab:11:dc:50:ff:5c:9d:cb:c0
Certificate

61:01:cf:3e:00:00:00:00:00:0f
Certificate

6a:0b:99:4f:c0:00:25:ab:11:db:45:1f:58:7a:67:a2
Certificate

61:05:a2:30:00:00:00:00:00:08
Certificate