ransomware_deployed[.]zip

Sharing

Copy URL Twitter E-mail

General

Target

ransomware_deployed.zip
Size

7.2MB
MD5

2d591ffbfc76aa9f04cfc449e84969de
SHA1

38d18e23ebbdb9208851512b1ef39320e775ec28
SHA256

4cf5c6f9ceef1b514a047e10e17723d840f26ebd81be44f7e24b71b2cc755c8f
SHA512

a100a9237a75fc0907b88b61e5d4b6cdf16a586607f78e20dad22d541babc2a83098d550f31b195cc6f2527a2fb743c674a9697fb9cc251831266781276eed05
SSDEEP

196608:4KAZ+94tTA4qhyGITrTLJmjApKBTVMZnXho:4U4tTAdmTLASKBTVMZXho

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/ransomware_deployed/xlstat4.dll

Files

ransomware_deployed.zip
.zip
__MACOSX/._ransomware_deployed
__MACOSX/ransomware_deployed/._NH.TXT
__MACOSX/ransomware_deployed/._Txzmk.exe
__MACOSX/ransomware_deployed/._XLLiveUpdateAgent.dll
__MACOSX/ransomware_deployed/._libcurl.dll
__MACOSX/ransomware_deployed/._libeay32.dll
__MACOSX/ransomware_deployed/._libexpat.dll
__MACOSX/ransomware_deployed/._ssleay32.dll
__MACOSX/ransomware_deployed/._xlstat4.dll
__MACOSX/ransomware_deployed/._zlib1.dll
ransomware_deployed/NH.TXT
ransomware_deployed/Txzmk.exe
.exe windows:6 windows x86 arch:x86

f776b0e992655d8e07b0f86cab404ffa

Code Sign

04:00:00:00:00:01:2f:4e:e1:52:d7
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

13/04/2011, 10:00

Not After

28/01/2028, 12:00

Subject

CN=GlobalSign Timestamping CA - G2,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

11:21:d6:99:a7:64:97:3e:f1:f8:42:7e:e9:19:cc:53:41:14
Certificate

Issuer

CN=GlobalSign Timestamping CA - G2,O=GlobalSign nv-sa,C=BE

Not Before

24/05/2016, 00:00

Not After

24/06/2027, 00:00

Subject

CN=GlobalSign TSA for MS Authenticode - G2,O=GMO GlobalSign Pte Ltd,C=SG

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

19:1a:32:cb:75:9c:97:b8:cf:ac:11:8d:d5:12:7f:49
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

04/03/2014, 00:00

Not After

03/03/2024, 23:59

Subject

CN=Symantec Class 3 Extended Validation Code Signing CA - G2,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

48:71:dd:fd:2e:98:d4:c3:c9:fd:c2:c8:b4:52:c6:fc
Certificate

Issuer

CN=Symantec Class 3 Extended Validation Code Signing CA - G2,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Not Before

29/03/2018, 00:00

Not After

28/03/2020, 23:59

Subject

SERIALNUMBER=91440300746612636Q,CN=ShenZhen Thunder Networking Technologies Ltd.,OU=IT,O=ShenZhen Thunder Networking Technologies Ltd.,L=Shenzhen,ST=Guangdong,C=CN,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.1=#13085368656e5a68656e,1.3.6.1.4.1.311.60.2.1.2=#13084775616e446f6e67,1.3.6.1.4.1.311.60.2.1.3=#1302434e

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

19:1a:32:cb:75:9c:97:b8:cf:ac:11:8d:d5:12:7f:49
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

04/03/2014, 00:00

Not After

03/03/2024, 23:59

Subject

CN=Symantec Class 3 Extended Validation Code Signing CA - G2,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

61:19:93:e4:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22/02/2011, 19:25

Not After

22/02/2021, 19:35

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

48:71:dd:fd:2e:98:d4:c3:c9:fd:c2:c8:b4:52:c6:fc
Certificate

Issuer

CN=Symantec Class 3 Extended Validation Code Signing CA - G2,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Not Before

29/03/2018, 00:00

Not After

28/03/2020, 23:59

Subject

SERIALNUMBER=91440300746612636Q,CN=ShenZhen Thunder Networking Technologies Ltd.,OU=IT,O=ShenZhen Thunder Networking Technologies Ltd.,L=Shenzhen,ST=Guangdong,C=CN,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.1=#13085368656e5a68656e,1.3.6.1.4.1.311.60.2.1.2=#13084775616e446f6e67,1.3.6.1.4.1.311.60.2.1.3=#1302434e

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

0c:a7:cf:5d:07:07:24:ac:89:e7:9a:3a
Certificate

Issuer

CN=GlobalSign Timestamping CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE

Not Before

19/02/2018, 00:00

Not After

18/03/2029, 10:00

Subject

CN=GlobalSign TSA for Advanced - G2

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

04:00:00:00:00:01:31:89:c6:50:04
Certificate

Issuer

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Not Before

02/08/2011, 10:00

Not After

29/03/2029, 10:00

Subject

CN=GlobalSign Timestamping CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

00:ae:d8:30:b8:4c:b5:19:20:57:b2:42:a7:8e:92:41:f5:5b:c9:d3:bd:e2:1f:69:56:8f:6d:0f:59:23:49:6b
Signer

Actual PE Digest

00:ae:d8:30:b8:4c:b5:19:20:57:b2:42:a7:8e:92:41:f5:5b:c9:d3:bd:e2:1f:69:56:8f:6d:0f:59:23:49:6b

Digest Algorithm

sha256

PE Digest Matches

true

d7:25:e0:38:89:7d:cd:74:13:f8:d7:27:a4:a5:c5:67:19:05:c3:3c
Signer

Actual PE Digest

d7:25:e0:38:89:7d:cd:74:13:f8:d7:27:a4:a5:c5:67:19:05:c3:3c

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

F:\Xmp_Xdas\xmp_xdas\setup\XmpLiveUD\ProductRelease\XmpLiveUD.pdb

Imports

xlliveupdateagent

??4TbcString@@QAEAAV0@PB_W@Z
??0TbcString@@QAE@PB_W@Z
??YTbcString@@QAEAAV0@PB_W@Z
?c_str@TbcString@@QBEPB_WXZ
??0TbcString@@QAE@ABV0@@Z
??4TbcString@@QAEAAV0@ABV0@@Z
??1TbcString@@QAE@XZ
??YTbcString@@QAEAAV0@ABV0@@Z
?GetInstance@XLLiveUpdateAgent@XLLiveUpdate@@SAPAV12@XZ
??0TbcString@@QAE@XZ

version

GetFileVersionInfoSizeW
GetFileVersionInfoW
VerQueryValueW

ws2_32

gethostname
WSAStartup
gethostbyname

iphlpapi

GetAdaptersInfo

kernel32

RemoveDirectoryW
SetFileAttributesW
FormatMessageW
lstrcatA
GetFileAttributesA
lstrcpyA
WritePrivateProfileStringA
CreateDirectoryA
GetPrivateProfileStringA
SetPriorityClass
DeviceIoControl
GetVolumeInformationA
CreateFileA
GetVersionExA
UnmapViewOfFile
CreateFileMappingW
VerifyVersionInfoW
VerSetConditionMask
FindClose
CreateDirectoryW
GetPrivateProfileStringW
SetDllDirectoryW
WriteFile
SetFilePointer
CreateMutexW
Sleep
Process32NextW
Process32FirstW
CreateToolhelp32Snapshot
ReadProcessMemory
OpenProcess
GetCurrentThread
GetProcessHeap
GetFileAttributesW
HeapReAlloc
HeapFree
HeapDestroy
WaitForSingleObject
SetEvent
CreateFileW
LoadLibraryW
LoadLibraryExW
DecodePointer
GetProcAddress
GetModuleHandleW
FindResourceW
SizeofResource
LockResource
LoadResource
InitializeCriticalSectionEx
RaiseException
WideCharToMultiByte
MultiByteToWideChar
LocalFree
GetCommandLineW
CopyFileW
GetCurrentProcess
TerminateProcess
DeleteFileW
FindNextFileW
FindFirstFileW
CloseHandle
GetTempPathW
GetModuleFileNameW
GetCurrentThreadId
GetSystemTime
SystemTimeToTzSpecificLocalTime
DeleteCriticalSection
InitializeCriticalSection
EnterCriticalSection
SetLastError
GetLastError
LeaveCriticalSection
HeapSize
GetCurrentDirectoryW
WriteConsoleW
SetFilePointerEx
GetUserDefaultLCID
GetConsoleCP
CreateEventW
WritePrivateProfileStringW
HeapAlloc
MapViewOfFile
FlushFileBuffers
EncodePointer
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetSystemTimeAsFileTime
GetTickCount
LCMapStringW
GetLocaleInfoW
GetStringTypeW
GetCPInfo
GlobalLock
GlobalUnlock
MulDiv
lstrlenW
GetACP
ExitProcess
GetCurrentProcessId
GetFileType
ReadFile
SetFileTime
DuplicateHandle
DosDateTimeToFileTime
SystemTimeToFileTime
GetFileSize
FreeResource
GlobalAlloc
GetLocalTime
lstrcpyW
MoveFileExW
ResetEvent
WaitForSingleObjectEx
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
IsDebuggerPresent
GetStartupInfoW
QueryPerformanceCounter
InitializeSListHead
OutputDebugStringW
RtlUnwind
FreeLibrary
CreateThread
ExitThread
FreeLibraryAndExitThread
GetModuleHandleExW
GetStdHandle
IsValidLocale
SetStdHandle
EnumSystemLocalesW
GetConsoleMode
FindFirstFileExW
IsValidCodePage
GetOEMCP
GetCommandLineA
GetEnvironmentStringsW
FreeEnvironmentStringsW

user32

CreateCaret
GetCaretBlinkTime
SetCaretPos
ScreenToClient
MapWindowPoints
GetSysColor
IntersectRect
UnionRect
IsRectEmpty
PtInRect
GetWindowLongW
SetWindowLongW
GetParent
GetWindow
LoadImageW
SetCursor
InflateRect
OffsetRect
LoadCursorW
SetWindowRgn
MonitorFromWindow
GetMonitorInfoW
DefWindowProcW
CallWindowProcW
RegisterClassW
RegisterClassExW
GetClassInfoExW
EnableWindow
SetPropW
GetPropW
MonitorFromPoint
GetCursorPos
ReleaseCapture
GetWindowRgn
LoadIconW
CharPrevW
DrawTextW
FillRect
SetRect
CreatePopupMenu
DestroyMenu
AppendMenuW
TrackPopupMenu
HideCaret
ShowCaret
GetCaretPos
ClientToScreen
SystemParametersInfoW
SetWindowTextW
GetWindowTextW
GetWindowTextLengthW
IsWindowEnabled
CreateAcceleratorTableW
InvalidateRgn
GetGUIThreadInfo
SetForegroundWindow
GetKeyboardLayout
GetKeyNameTextW
MapVirtualKeyExW
IsIconic
DestroyWindow
CreateWindowExW
SetCapture
GetKeyState
BringWindowToTop
KillTimer
GetWindowRect
GetClientRect
InvalidateRect
GetUpdateRect
EndPaint
BeginPaint
ReleaseDC
UpdateLayeredWindow
GetDC
EnableMenuItem
GetSystemMenu
IsWindow
GetFocus
GetActiveWindow
SetFocus
CharNextW
IsZoomed
MoveWindow
GetDesktopWindow
FindWindowExW
PostThreadMessageW
PostMessageW
SendMessageW
GetWindowThreadProcessId
FindWindowW
TranslateMessage
PeekMessageW
DispatchMessageW
GetMessageW
PostQuitMessage
ShowWindow
SetWindowPos
IsWindowVisible
SetTimer

advapi32

RegisterTraceGuidsW
GetTraceLoggerHandle
UnregisterTraceGuids
TraceEvent
GetSidLengthRequired
InitializeSid
GetSidSubAuthority
CopySid
GetLengthSid
IsValidSid
EqualSid
InitializeAcl
AddAce
GetAclInformation
GetAce
GetTokenInformation
CheckTokenMembership
DuplicateToken
OpenProcessToken
OpenThreadToken
GetNamedSecurityInfoW
SetNamedSecurityInfoW
AllocateAndInitializeSid
FreeSid
GetTraceEnableLevel

shell32

ShellExecuteExW
SHCreateDirectoryExW
SHGetSpecialFolderPathA
DragQueryFileW
Shell_NotifyIconW
CommandLineToArgvW

ole32

OleLockRunning
CLSIDFromProgID
CLSIDFromString
CoCreateInstance
CreateStreamOnHGlobal
ReleaseStgMedium
OleDuplicateData
DoDragDrop
RegisterDragDrop
CoUninitialize
CoInitialize

shlwapi

PathAppendW
PathFileExistsW
PathCombineW
PathRemoveBackslashW
PathIsDirectoryW
StrCmpW
StrCmpIW
PathAddBackslashW

userenv

UnloadUserProfile

gdi32

SetWindowOrgEx
GetObjectW
GetTextMetricsW
PlayEnhMetaFile
GetEnhMetaFileHeader
CreateEnhMetaFileW
CloseEnhMetaFile
CreateRoundRectRgn
SaveDC
RestoreDC
GetStockObject
GetDeviceCaps
DeleteObject
DeleteDC
CreatePen
CreateFontIndirectW
CombineRgn
CreateRectRgn
SelectObject
PtInRegion
CreateDIBitmap
CreateCompatibleDC
BitBlt
CreateCompatibleBitmap
CreateDIBSection
CreatePenIndirect
CreateRectRgnIndirect
CreateSolidBrush
GetCharABCWidthsW
GetClipBox
GetTextExtentPoint32W
LineTo
RoundRect
SelectClipRgn
ExtSelectClipRgn
SetBkColor
SetBkMode
StretchBlt
SetTextColor
GetObjectA
MoveToEx
TextOutW
GdiFlush
EnumFontFamiliesExW
GetBitmapBits
SetBitmapBits
SetStretchBltMode

oleaut32

VariantInit
SysFreeString
SysAllocString
VariantClear

imm32

ImmReleaseContext
ImmGetContext
ImmSetCompositionWindow

comctl32

_TrackMouseEvent
ord17
InitCommonControlsEx

gdiplus

GdipImageGetFrameCount
GdipImageSelectActiveFrame
GdipGetPropertyItemSize
GdipGetPropertyItem
GdipDrawImageRectI
GdipImageGetFrameDimensionsList
GdipImageGetFrameDimensionsCount
GdiplusStartup
GdiplusShutdown
GdipAlloc
GdipFree
GdipCloneBrush
GdipDeleteBrush
GdipCreateSolidFill
GdipCreatePen1
GdipDeletePen
GdipSetPenMode
GdipLoadImageFromFile
GdipLoadImageFromFileICM
GdipCloneImage
GdipDisposeImage
GdipGetImageWidth
GdipGetImageHeight
GdipCreateImageAttributes
GdipDisposeImageAttributes
GdipSetImageAttributesColorMatrix
GdipSetImageAttributesColorKeys
GdipSetImageAttributesWrapMode
GdipCreateFromHDC
GdipDeleteGraphics
GdipSetSmoothingMode
GdipSetPixelOffsetMode
GdipSetTextRenderingHint
GdipSetInterpolationMode
GdipDrawRectangleI
GdipFillRectangleI
GdipDrawImageRectRect
GdipCreateFontFromDC
GdipCreateFontFromLogfontA
GdipDeleteFont
GdipDrawString
GdipMeasureString
GdipStringFormatGetGenericTypographic
GdipDeleteStringFormat
GdipCloneStringFormat
GdipSetStringFormatFlags
GdipSetStringFormatAlign
GdipSetStringFormatLineAlign
GdipSetStringFormatTrimming
GdipLoadImageFromStream
GdipLoadImageFromStreamICM

Exports

Exports

??0UpdateInfo@XLLiveUpdate@@QAE@$$QAU01@@Z
??0UpdateInfo@XLLiveUpdate@@QAE@ABU01@@Z
??0UpdateInfo@XLLiveUpdate@@QAE@XZ
??0XLLiveUpdateAgent@XLLiveUpdate@@QAE@$$QAV01@@Z
??0XLLiveUpdateAgent@XLLiveUpdate@@QAE@ABV01@@Z
??0XLLiveUpdateAgent@XLLiveUpdate@@QAE@XZ
??1UpdateInfo@XLLiveUpdate@@QAE@XZ
??4UpdateInfo@XLLiveUpdate@@QAEAAU01@$$QAU01@@Z
??4UpdateInfo@XLLiveUpdate@@QAEAAU01@ABU01@@Z
??4XLLiveUpdateAgent@XLLiveUpdate@@QAEAAV01@$$QAV01@@Z
??4XLLiveUpdateAgent@XLLiveUpdate@@QAEAAV01@ABV01@@Z
??_7XLLiveUpdateAgent@XLLiveUpdate@@6B@
?__autoclassinit2@TbcString@@QAEXI@Z

Sections

.text
Size: 827KB - Virtual size: 827KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 166KB - Virtual size: 165KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 9KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.gfids
Size: 1024B - Virtual size: 652B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 9B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 3.8MB - Virtual size: 3.8MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 42KB - Virtual size: 41KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
ransomware_deployed/XLLiveUpdateAgent.dll
.dll windows:6 windows x86 arch:x86

b3a54058d7d1d9961836432102b991bb

Code Sign

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

Issuer

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/01/2021, 00:00

Not After

06/01/2031, 00:00

Subject

CN=DigiCert Timestamp 2021,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

07/01/2016, 12:00

Not After

07/01/2031, 12:00

Subject

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0d:ee:cc:f7:3f:05:11:35:54:88:70:d3:38:6e:4a:9c
Certificate

Issuer

CN=DigiCert Assured ID Code Signing CA-1,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

24/12/2019, 00:00

Not After

04/01/2023, 12:00

Subject

CN=SHENZHEN THUNDER NETWORKING TECHNOLOGIES LTD.,O=SHENZHEN THUNDER NETWORKING TECHNOLOGIES LTD.,L=Shenzhen,ST=Guangdong,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

0f:a8:49:06:15:d7:00:a0:be:21:76:fd:c5:ec:6d:bd
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

11/02/2011, 12:00

Not After

10/02/2026, 12:00

Subject

CN=DigiCert Assured ID Code Signing CA-1,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

07:8b:b5:c7:e9:a7:cb:34:5e:78:d0:20:04:20:24:00
Certificate

Issuer

CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

25/12/2019, 00:00

Not After

04/01/2023, 12:00

Subject

SERIALNUMBER=91440300746612636Q,CN=SHENZHEN THUNDER NETWORKING TECHNOLOGIES LTD.,O=SHENZHEN THUNDER NETWORKING TECHNOLOGIES LTD.,L=Shenzhen,ST=Guangdong,C=CN,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.3=#1302434e

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5c
Certificate

Issuer

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

18/04/2012, 12:00

Not After

18/04/2027, 12:00

Subject

CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

Issuer

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/01/2021, 00:00

Not After

06/01/2031, 00:00

Subject

CN=DigiCert Timestamp 2021,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

07/01/2016, 12:00

Not After

07/01/2031, 12:00

Subject

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

43:bb:ab:1e:a5:62:d1:77:09:32:9e:26:73:dd:ab:25:bc:9f:66:ac:a7:0c:d8:02:06:61:92:c8:a8:90:13:17
Signer

Actual PE Digest

43:bb:ab:1e:a5:62:d1:77:09:32:9e:26:73:dd:ab:25:bc:9f:66:ac:a7:0c:d8:02:06:61:92:c8:a8:90:13:17

Digest Algorithm

sha256

PE Digest Matches

true

11:8e:c2:d6:ed:ad:07:8d:4d:e2:9c:23:85:a3:12:af:58:21:b7:b7
Signer

Actual PE Digest

11:8e:c2:d6:ed:ad:07:8d:4d:e2:9c:23:85:a3:12:af:58:21:b7:b7

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

D:\work\XLLiveUD_2015\bin_ProductRelease\XLLiveUpdateAgent.pdb

Imports

psapi

GetProcessImageFileNameW

imm32

ImmDisableIME

ws2_32

WSAAsyncGetHostByName
recv
send
socket
WSAGetLastError
WSACancelAsyncRequest
WSAAsyncSelect
inet_addr
htons
WSAStartup
WSACleanup
closesocket
connect
getpeername
getsockname
ntohs

version

VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW

xlstat4

XLSTAT4_InitParam
XLSTAT4_PrepareParam
XLSTAT4_SyncSendAllStat
XLSTAT4_Uninit

libeay32

ord1804
ord197
ord464
ord196

libcurl

curl_easy_setopt
curl_easy_perform
curl_easy_getinfo
curl_easy_cleanup
curl_global_init
curl_global_cleanup
curl_easy_init
curl_slist_append

libexpat

ord50
ord25
ord48
ord16
ord20
ord52
ord21
ord35

kernel32

GetCommandLineA
GetModuleHandleExW
FreeLibraryAndExitThread
ExitThread
InterlockedFlushSList
LoadLibraryExW
FreeLibrary
RtlUnwind
QueryPerformanceCounter
GetStartupInfoW
SetUnhandledExceptionFilter
UnhandledExceptionFilter
WaitForSingleObjectEx
GetCommandLineW
GetFileType
HeapFree
SetLastError
GetTempPathW
InitializeCriticalSectionEx
WaitForSingleObject
HeapSize
GetLastError
HeapReAlloc
CloseHandle
RaiseException
HeapAlloc
DecodePointer
HeapDestroy
LocalFree
DeleteCriticalSection
VerSetConditionMask
GetProcessHeap
VerifyVersionInfoW
GetExitCodeProcess
MoveFileA
EnterCriticalSection
LeaveCriticalSection
CreateEventW
Sleep
SetEvent
DeleteFileW
LoadLibraryW
GetCurrentDirectoryW
SetCurrentDirectoryW
GetProcAddress
CopyFileW
SystemTimeToTzSpecificLocalTime
GetSystemTime
TerminateProcess
CreateMutexW
GetCurrentThreadId
OpenProcess
MoveFileExW
InitializeCriticalSection
TerminateThread
CreateThread
GetModuleFileNameA
GetPrivateProfileIntW
GetModuleFileNameW
LocalAlloc
ExitProcess
OpenEventW
OpenFileMappingW
ResetEvent
CreateFileMappingW
GetTickCount
WaitForMultipleObjects
ResumeThread
GetCurrentProcessId
MapViewOfFile
GetCurrentProcess
GetCurrentThread
GetVersionExW
ReadFile
FindFirstVolumeW
QueryDosDeviceW
GetVolumePathNamesForVolumeNameW
FindNextVolumeW
FindVolumeClose
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
GetVersion
CreateDirectoryW
FindClose
FindFirstFileW
FindNextFileW
GetFileAttributesW
RemoveDirectoryW
SetFileAttributesW
MultiByteToWideChar
WideCharToMultiByte
SetFileTime
WriteFile
MoveFileW
SystemTimeToFileTime
GetFileAttributesExW
GetFileSizeEx
VirtualQuery
lstrcatW
IsBadCodePtr
FormatMessageW
EncodePointer
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetSystemTimeAsFileTime
GetModuleHandleW
CompareStringW
LCMapStringW
GetLocaleInfoW
OutputDebugStringA
GetCPInfo
IsDebuggerPresent
OutputDebugStringW
InitializeSListHead
InterlockedPopEntrySList
InterlockedPushEntrySList
FlushInstructionCache
IsProcessorFeaturePresent
VirtualAlloc
VirtualFree
LoadLibraryExA
GetConsoleMode
ReadConsoleW
SetFilePointerEx
GetDriveTypeW
PeekNamedPipe
GetACP
GetStdHandle
GetDateFormatW
GetTimeFormatW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
GetConsoleCP
SetConsoleCtrlHandler
FlushFileBuffers
SetStdHandle
SetEndOfFile
GetFullPathNameW
GetFullPathNameA
GetTimeZoneInformation
FindFirstFileExA
FindFirstFileExW
FindNextFileA
IsValidCodePage
GetOEMCP
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableA
SetEnvironmentVariableW
GetLocalTime
FileTimeToSystemTime
WriteConsoleW
CreateFileW
GetStringTypeW

user32

LoadCursorW
SetWindowLongW
GetDesktopWindow
WindowFromPoint
RegisterClassExW
GetMessageW
DispatchMessageW
GetSystemMetrics
SendMessageW
CreateWindowExW
CallWindowProcW
DefWindowProcW
GetWindowLongW
GetAncestor
GetWindowThreadProcessId
DestroyWindow
GetForegroundWindow
GetWindowTextW
PostThreadMessageW
GetParent
PostMessageW
IsWindow
SetTimer
KillTimer
GetClassInfoExW
wsprintfW
UnregisterClassW
PostQuitMessage
TranslateMessage
PeekMessageW

advapi32

AddAce
GetLengthSid
IsValidSid
InitializeSid
GetNamedSecurityInfoW
CopySid
SetNamedSecurityInfoW
GetSidLengthRequired
GetSidSubAuthority
EqualSid
GetAce
GetAclInformation
TraceEvent
UnregisterTraceGuids
RegisterTraceGuidsW
GetTraceEnableLevel
GetTraceLoggerHandle
RegOpenKeyExW
RegCloseKey
RegQueryValueExW
GetTokenInformation
CheckTokenMembership
DuplicateToken
OpenProcessToken
OpenThreadToken
AllocateAndInitializeSid
FreeSid
InitializeAcl

shell32

SHGetFolderPathW
ShellExecuteW
SHGetSpecialFolderPathW
SHCreateDirectoryExW
ShellExecuteExW

oleaut32

SysFreeString

shlwapi

PathFileExistsW
PathCombineW
PathCombineA

userenv

UnloadUserProfile

wintrust

CryptCATAdminCalcHashFromFileHandle
WinVerifyTrust
CryptCATAdminEnumCatalogFromHash
CryptCATAdminReleaseCatalogContext
CryptCATAdminReleaseContext
CryptCATCatalogInfoFromContext
CryptCATAdminAcquireContext

crypt32

CryptMsgGetParam
CryptMsgClose
CryptQueryObject
CertCloseStore
CertFindCertificateInStore
CertGetNameStringW

Exports

Exports

??0TbcString@@QAE@ABV0@@Z
??0TbcString@@QAE@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z
??0TbcString@@QAE@PB_W@Z
??0TbcString@@QAE@XZ
??0UpdateInfo@XLLiveUpdate@@QAE@$$QAU01@@Z
??0UpdateInfo@XLLiveUpdate@@QAE@ABU01@@Z
??0UpdateInfo@XLLiveUpdate@@QAE@XZ
??0XLLiveUpdateAgent@XLLiveUpdate@@QAE@$$QAV01@@Z
??0XLLiveUpdateAgent@XLLiveUpdate@@QAE@ABV01@@Z
??0XLLiveUpdateAgent@XLLiveUpdate@@QAE@XZ
??1TbcString@@QAE@XZ
??1UpdateInfo@XLLiveUpdate@@QAE@XZ
??4TbcString@@QAEAAV0@ABV0@@Z
??4TbcString@@QAEAAV0@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z
??4TbcString@@QAEAAV0@PB_W@Z
??4UpdateInfo@XLLiveUpdate@@QAEAAU01@$$QAU01@@Z
??4UpdateInfo@XLLiveUpdate@@QAEAAU01@ABU01@@Z
??4XLLiveUpdateAgent@XLLiveUpdate@@QAEAAV01@$$QAV01@@Z
??4XLLiveUpdateAgent@XLLiveUpdate@@QAEAAV01@ABV01@@Z
??8TbcString@@QBE_NABV0@@Z
??8TbcString@@QBE_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z
??8TbcString@@QBE_NPB_W@Z
??9TbcString@@QBE_NABV0@@Z
??9TbcString@@QBE_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z
??9TbcString@@QBE_NPB_W@Z
??YTbcString@@QAEAAV0@ABV0@@Z
??YTbcString@@QAEAAV0@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z
??YTbcString@@QAEAAV0@PB_W@Z
??_7XLLiveUpdateAgent@XLLiveUpdate@@6B@
?Empty@TbcString@@QBE_NXZ
?GetInstance@XLLiveUpdateAgent@XLLiveUpdate@@SAPAV12@XZ
?Length@TbcString@@QBEHXZ
?ToString@TbcString@@QBE?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@XZ
?c_str@TbcString@@QBEPB_WXZ

Sections

.text
Size: 723KB - Virtual size: 722KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 150KB - Virtual size: 150KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 10KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.gfids
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 9B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 32KB - Virtual size: 31KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
ransomware_deployed/libcurl.dll
.dll windows:6 windows x86 arch:x86

44485b3862b33de61e5a93a67ede4a86

Code Sign

04:00:00:00:00:01:2f:4e:e1:52:d7
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

13/04/2011, 10:00

Not After

28/01/2028, 12:00

Subject

CN=GlobalSign Timestamping CA - G2,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

11:21:d6:99:a7:64:97:3e:f1:f8:42:7e:e9:19:cc:53:41:14
Certificate

Issuer

CN=GlobalSign Timestamping CA - G2,O=GlobalSign nv-sa,C=BE

Not Before

24/05/2016, 00:00

Not After

24/06/2027, 00:00

Subject

CN=GlobalSign TSA for MS Authenticode - G2,O=GMO GlobalSign Pte Ltd,C=SG

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

19:1a:32:cb:75:9c:97:b8:cf:ac:11:8d:d5:12:7f:49
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

04/03/2014, 00:00

Not After

03/03/2024, 23:59

Subject

CN=Symantec Class 3 Extended Validation Code Signing CA - G2,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

48:71:dd:fd:2e:98:d4:c3:c9:fd:c2:c8:b4:52:c6:fc
Certificate

Issuer

CN=Symantec Class 3 Extended Validation Code Signing CA - G2,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Not Before

29/03/2018, 00:00

Not After

28/03/2020, 23:59

Subject

SERIALNUMBER=91440300746612636Q,CN=ShenZhen Thunder Networking Technologies Ltd.,OU=IT,O=ShenZhen Thunder Networking Technologies Ltd.,L=Shenzhen,ST=Guangdong,C=CN,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.1=#13085368656e5a68656e,1.3.6.1.4.1.311.60.2.1.2=#13084775616e446f6e67,1.3.6.1.4.1.311.60.2.1.3=#1302434e

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

19:1a:32:cb:75:9c:97:b8:cf:ac:11:8d:d5:12:7f:49
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

04/03/2014, 00:00

Not After

03/03/2024, 23:59

Subject

CN=Symantec Class 3 Extended Validation Code Signing CA - G2,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

61:19:93:e4:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22/02/2011, 19:25

Not After

22/02/2021, 19:35

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

48:71:dd:fd:2e:98:d4:c3:c9:fd:c2:c8:b4:52:c6:fc
Certificate

Issuer

CN=Symantec Class 3 Extended Validation Code Signing CA - G2,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Not Before

29/03/2018, 00:00

Not After

28/03/2020, 23:59

Subject

SERIALNUMBER=91440300746612636Q,CN=ShenZhen Thunder Networking Technologies Ltd.,OU=IT,O=ShenZhen Thunder Networking Technologies Ltd.,L=Shenzhen,ST=Guangdong,C=CN,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.1=#13085368656e5a68656e,1.3.6.1.4.1.311.60.2.1.2=#13084775616e446f6e67,1.3.6.1.4.1.311.60.2.1.3=#1302434e

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

0c:a7:cf:5d:07:07:24:ac:89:e7:9a:3a
Certificate

Issuer

CN=GlobalSign Timestamping CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE

Not Before

19/02/2018, 00:00

Not After

18/03/2029, 10:00

Subject

CN=GlobalSign TSA for Advanced - G2

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

04:00:00:00:00:01:31:89:c6:50:04
Certificate

Issuer

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Not Before

02/08/2011, 10:00

Not After

29/03/2029, 10:00

Subject

CN=GlobalSign Timestamping CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

39:f6:d4:b3:d8:07:93:5b:02:bb:98:bc:48:a9:c7:ab:74:14:c5:4a:c7:76:80:d4:85:81:dc:3f:79:71:e9:ff
Signer

Actual PE Digest

39:f6:d4:b3:d8:07:93:5b:02:bb:98:bc:48:a9:c7:ab:74:14:c5:4a:c7:76:80:d4:85:81:dc:3f:79:71:e9:ff

Digest Algorithm

sha256

PE Digest Matches

true

f6:02:34:0e:e0:3e:98:e8:11:c9:d5:61:d3:c5:d7:5d:f2:8e:d2:2f
Signer

Actual PE Digest

f6:02:34:0e:e0:3e:98:e8:11:c9:d5:61:d3:c5:d7:5d:f2:8e:d2:2f

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

D:\Work\curl\curl-7.61.0\build\Win32\VC14\DLL Release - DLL OpenSSL\libcurl.pdb

Imports

ws2_32

sendto
recvfrom
send
select
__WSAFDIsSet
ioctlsocket
listen
accept
WSACleanup
WSAStartup
gethostname
freeaddrinfo
getaddrinfo
WSAIoctl
WSASetLastError
socket
setsockopt
recv
ntohs
htons
getsockopt
getsockname
getpeername
connect
closesocket
bind
WSAGetLastError

wldap32

ord301
ord200
ord30
ord79
ord35
ord33
ord32
ord27
ord26
ord22
ord41
ord50
ord60
ord211
ord46
ord143

libeay32

ord543
ord401
ord421
ord464
ord2201
ord467
ord466
ord2254
ord3182
ord544
ord3214
ord1216
ord1180
ord2454
ord227
ord248
ord222
ord2291
ord224
ord4445
ord1291
ord1301
ord1304
ord1308
ord2561
ord3164
ord3025
ord2593
ord2989
ord2971
ord2838
ord3173
ord3020
ord2598
ord2647
ord2844
ord3048
ord2783
ord2947
ord3144
ord2857
ord3140
ord3102
ord3174
ord2558
ord2979
ord2946
ord3013
ord3045
ord2916
ord2723
ord3016
ord2492
ord2504
ord2493
ord2481
ord2900
ord2502
ord2516
ord2475
ord2478
ord2498
ord2490
ord1958
ord566
ord578
ord579
ord2431
ord654
ord657
ord653
ord656
ord641
ord869
ord680
ord958
ord556
ord625
ord2596
ord956
ord484
ord280
ord281
ord2034
ord298
ord3212
ord3315
ord323
ord2936
ord269
ord3109
ord2925
ord2712
ord18
ord1161
ord2442
ord7
ord979
ord816
ord2075
ord1951
ord2023
ord154
ord151
ord86
ord95
ord52
ord88
ord66
ord78
ord93
ord181
ord188
ord1
ord908
ord909
ord1653
ord1654
ord3712
ord3765
ord3479
ord341
ord340
ord342
ord2435
ord2436
ord2437
ord808
ord809
ord784
ord3226

ssleay32

ord407
ord157
ord242
ord154
ord141
ord164
ord126
ord49
ord183
ord86
ord3
ord96
ord110
ord116
ord58
ord6
ord45
ord108
ord78
ord43
ord48
ord75
ord5
ord235
ord17
ord28
ord22
ord21
ord60
ord61
ord90
ord31
ord74
ord222
ord30
ord24
ord83
ord87
ord77
ord130
ord127
ord180
ord8
ord12
ord15
ord121
ord385
ord387
ord361
ord266

kernel32

DecodePointer
EncodePointer
OutputDebugStringW
OutputDebugStringA
HeapSize
GetTimeZoneInformation
WriteConsoleW
GetFileAttributesExW
SetEndOfFile
SetConsoleCtrlHandler
GetProcessHeap
SetEnvironmentVariableW
SetEnvironmentVariableA
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetCommandLineA
GetCPInfo
GetOEMCP
IsValidCodePage
FindNextFileW
FindNextFileA
FindFirstFileExW
FindFirstFileExA
FindClose
FlushFileBuffers
GetFullPathNameA
GetFullPathNameW
GetCurrentDirectoryW
SetCurrentDirectoryW
SetStdHandle
HeapReAlloc
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetLocaleInfoW
LCMapStringW
CompareStringW
GetTimeFormatW
GetDateFormatW
GetACP
GetStringTypeW
GetCurrentThread
HeapAlloc
HeapFree
GetProcAddress
GetModuleHandleA
GetSystemDirectoryA
VerSetConditionMask
FormatMessageA
SetLastError
GetLastError
Sleep
ExpandEnvironmentStringsA
WaitForSingleObjectEx
CloseHandle
SleepEx
DeleteCriticalSection
InitializeCriticalSectionEx
LeaveCriticalSection
EnterCriticalSection
VerifyVersionInfoA
GetStdHandle
GetFileType
ReadFile
PeekNamedPipe
FreeLibrary
WaitForMultipleObjects
GetTickCount64
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetStartupInfoW
GetModuleHandleW
InterlockedPushEntrySList
InterlockedFlushSList
RtlUnwind
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
LoadLibraryExW
CreateThread
ExitThread
ResumeThread
FreeLibraryAndExitThread
GetModuleHandleExW
SetFilePointerEx
CreateFileW
GetDriveTypeW
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
RaiseException
ExitProcess
GetModuleFileNameA
GetModuleFileNameW
MultiByteToWideChar
WideCharToMultiByte
GetConsoleMode
ReadConsoleW
WriteFile
GetConsoleCP
LoadLibraryA

Exports

Exports

curl_easy_cleanup
curl_easy_duphandle
curl_easy_escape
curl_easy_getinfo
curl_easy_init
curl_easy_pause
curl_easy_perform
curl_easy_recv
curl_easy_reset
curl_easy_send
curl_easy_setopt
curl_easy_strerror
curl_easy_unescape
curl_escape
curl_formadd
curl_formfree
curl_formget
curl_free
curl_getdate
curl_getenv
curl_global_cleanup
curl_global_init
curl_global_init_mem
curl_global_sslset
curl_maprintf
curl_mfprintf
curl_mime_addpart
curl_mime_data
curl_mime_data_cb
curl_mime_encoder
curl_mime_filedata
curl_mime_filename
curl_mime_free
curl_mime_headers
curl_mime_init
curl_mime_name
curl_mime_subparts
curl_mime_type
curl_mprintf
curl_msnprintf
curl_msprintf
curl_multi_add_handle
curl_multi_assign
curl_multi_cleanup
curl_multi_fdset
curl_multi_info_read
curl_multi_init
curl_multi_perform
curl_multi_remove_handle
curl_multi_setopt
curl_multi_socket
curl_multi_socket_action
curl_multi_socket_all
curl_multi_strerror
curl_multi_timeout
curl_multi_wait
curl_mvaprintf
curl_mvfprintf
curl_mvprintf
curl_mvsnprintf
curl_mvsprintf
curl_pushheader_byname
curl_pushheader_bynum
curl_share_cleanup
curl_share_init
curl_share_setopt
curl_share_strerror
curl_slist_append
curl_slist_free_all
curl_strequal
curl_strnequal
curl_unescape
curl_version
curl_version_info

Sections

.text
Size: 584KB - Virtual size: 583KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 82KB - Virtual size: 81KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.gfids
Size: 512B - Virtual size: 368B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 20KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
ransomware_deployed/libeay32.dll
.dll windows:6 windows x86 arch:x86

60e0144ff8593a3526a36f1acdb165ed

Code Sign

04:00:00:00:00:01:2f:4e:e1:52:d7
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

13/04/2011, 10:00

Not After

28/01/2028, 12:00

Subject

CN=GlobalSign Timestamping CA - G2,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

11:21:d6:99:a7:64:97:3e:f1:f8:42:7e:e9:19:cc:53:41:14
Certificate

Issuer

CN=GlobalSign Timestamping CA - G2,O=GlobalSign nv-sa,C=BE

Not Before

24/05/2016, 00:00

Not After

24/06/2027, 00:00

Subject

CN=GlobalSign TSA for MS Authenticode - G2,O=GMO GlobalSign Pte Ltd,C=SG

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

19:1a:32:cb:75:9c:97:b8:cf:ac:11:8d:d5:12:7f:49
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

04/03/2014, 00:00

Not After

03/03/2024, 23:59

Subject

CN=Symantec Class 3 Extended Validation Code Signing CA - G2,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

48:71:dd:fd:2e:98:d4:c3:c9:fd:c2:c8:b4:52:c6:fc
Certificate

Issuer

CN=Symantec Class 3 Extended Validation Code Signing CA - G2,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Not Before

29/03/2018, 00:00

Not After

28/03/2020, 23:59

Subject

SERIALNUMBER=91440300746612636Q,CN=ShenZhen Thunder Networking Technologies Ltd.,OU=IT,O=ShenZhen Thunder Networking Technologies Ltd.,L=Shenzhen,ST=Guangdong,C=CN,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.1=#13085368656e5a68656e,1.3.6.1.4.1.311.60.2.1.2=#13084775616e446f6e67,1.3.6.1.4.1.311.60.2.1.3=#1302434e

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

19:1a:32:cb:75:9c:97:b8:cf:ac:11:8d:d5:12:7f:49
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

04/03/2014, 00:00

Not After

03/03/2024, 23:59

Subject

CN=Symantec Class 3 Extended Validation Code Signing CA - G2,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

61:19:93:e4:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22/02/2011, 19:25

Not After

22/02/2021, 19:35

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

48:71:dd:fd:2e:98:d4:c3:c9:fd:c2:c8:b4:52:c6:fc
Certificate

Issuer

CN=Symantec Class 3 Extended Validation Code Signing CA - G2,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Not Before

29/03/2018, 00:00

Not After

28/03/2020, 23:59

Subject

SERIALNUMBER=91440300746612636Q,CN=ShenZhen Thunder Networking Technologies Ltd.,OU=IT,O=ShenZhen Thunder Networking Technologies Ltd.,L=Shenzhen,ST=Guangdong,C=CN,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.1=#13085368656e5a68656e,1.3.6.1.4.1.311.60.2.1.2=#13084775616e446f6e67,1.3.6.1.4.1.311.60.2.1.3=#1302434e

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

0c:a7:cf:5d:07:07:24:ac:89:e7:9a:3a
Certificate

Issuer

CN=GlobalSign Timestamping CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE

Not Before

19/02/2018, 00:00

Not After

18/03/2029, 10:00

Subject

CN=GlobalSign TSA for Advanced - G2

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

04:00:00:00:00:01:31:89:c6:50:04
Certificate

Issuer

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Not Before

02/08/2011, 10:00

Not After

29/03/2029, 10:00

Subject

CN=GlobalSign Timestamping CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2f:bd:8a:49:41:7e:80:b4:9e:1d:9e:13:af:e9:f8:0d:e9:09:69:78:05:72:ae:9b:0d:de:c6:94:6c:b2:5d:d3
Signer

Actual PE Digest

2f:bd:8a:49:41:7e:80:b4:9e:1d:9e:13:af:e9:f8:0d:e9:09:69:78:05:72:ae:9b:0d:de:c6:94:6c:b2:5d:d3

Digest Algorithm

sha256

PE Digest Matches

true

6d:c6:9a:48:a4:27:32:7c:7f:5b:e5:a6:52:6f:ce:db:92:46:4f:58
Signer

Actual PE Digest

6d:c6:9a:48:a4:27:32:7c:7f:5b:e5:a6:52:6f:ce:db:92:46:4f:58

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

D:\Work\openssl-1.0.2o\out32dll\libeay32.pdb

Imports

ws2_32

sendto
recvfrom
WSACleanup
WSAStartup
getservbyname
gethostbyname
ntohs
ntohl
listen
getsockopt
ioctlsocket
bind
accept
socket
setsockopt
htons
htonl
connect
WSAGetLastError
WSASetLastError
shutdown
send
recv
closesocket

gdi32

GetDIBits
GetDeviceCaps
DeleteObject
CreateCompatibleBitmap
GetObjectA

advapi32

RegisterEventSourceA
DeregisterEventSource
ReportEventA

user32

ReleaseDC
GetDC
MessageBoxA
GetUserObjectInformationW
GetProcessWindowStation

kernel32

GetEnvironmentStringsW
GetCommandLineW
GetCommandLineA
GetCPInfo
GetOEMCP
IsValidCodePage
FreeEnvironmentStringsW
FindFirstFileExA
GetFullPathNameW
GetCurrentDirectoryW
SetEndOfFile
SetFileAttributesW
SetEnvironmentVariableA
GetProcessHeap
HeapSize
DecodePointer
GetFileAttributesExW
FlushFileBuffers
WriteConsoleW
SetFilePointerEx
SetStdHandle
GetTimeZoneInformation
ExitProcess
GetModuleHandleA
GetProcAddress
GetStdHandle
GetFileType
WriteFile
GetLastError
GetCurrentThreadId
FindClose
FindFirstFileA
FindNextFileA
CloseHandle
FreeLibrary
LoadLibraryA
SetLastError
MultiByteToWideChar
GetSystemTime
SystemTimeToFileTime
QueryPerformanceCounter
GetCurrentProcessId
GetTickCount
GlobalMemoryStatus
FlushConsoleInputBuffer
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetStartupInfoW
GetModuleHandleW
RaiseException
InterlockedFlushSList
RtlUnwind
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
LoadLibraryExW
GetModuleHandleExW
SetConsoleCtrlHandler
ReadFile
GetConsoleMode
ReadConsoleW
WideCharToMultiByte
GetConsoleCP
CreateFileW
GetDriveTypeW
GetFileInformationByHandle
PeekNamedPipe
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
ReadConsoleInputA
SetConsoleMode
GetModuleFileNameA
HeapFree
HeapAlloc
GetACP
GetStringTypeW
CompareStringW
LCMapStringW
HeapReAlloc

Exports

Exports

ACCESS_DESCRIPTION_free
ACCESS_DESCRIPTION_it
ACCESS_DESCRIPTION_new
AES_bi_ige_encrypt
AES_cbc_encrypt
AES_cfb128_encrypt
AES_cfb1_encrypt
AES_cfb8_encrypt
AES_ctr128_encrypt
AES_decrypt
AES_ecb_encrypt
AES_encrypt
AES_ige_encrypt
AES_ofb128_encrypt
AES_options
AES_set_decrypt_key
AES_set_encrypt_key
AES_unwrap_key
AES_wrap_key
ASN1_ANY_it
ASN1_BIT_STRING_check
ASN1_BIT_STRING_free
ASN1_BIT_STRING_get_bit
ASN1_BIT_STRING_it
ASN1_BIT_STRING_name_print
ASN1_BIT_STRING_new
ASN1_BIT_STRING_num_asc
ASN1_BIT_STRING_set
ASN1_BIT_STRING_set_asc
ASN1_BIT_STRING_set_bit
ASN1_BMPSTRING_free
ASN1_BMPSTRING_it
ASN1_BMPSTRING_new
ASN1_BOOLEAN_it
ASN1_ENUMERATED_free
ASN1_ENUMERATED_get
ASN1_ENUMERATED_it
ASN1_ENUMERATED_new
ASN1_ENUMERATED_set
ASN1_ENUMERATED_to_BN
ASN1_FBOOLEAN_it
ASN1_GENERALIZEDTIME_adj
ASN1_GENERALIZEDTIME_check
ASN1_GENERALIZEDTIME_free
ASN1_GENERALIZEDTIME_it
ASN1_GENERALIZEDTIME_new
ASN1_GENERALIZEDTIME_print
ASN1_GENERALIZEDTIME_set
ASN1_GENERALIZEDTIME_set_string
ASN1_GENERALSTRING_free
ASN1_GENERALSTRING_it
ASN1_GENERALSTRING_new
ASN1_IA5STRING_free
ASN1_IA5STRING_it
ASN1_IA5STRING_new
ASN1_INTEGER_cmp
ASN1_INTEGER_dup
ASN1_INTEGER_free
ASN1_INTEGER_get
ASN1_INTEGER_it
ASN1_INTEGER_new
ASN1_INTEGER_set
ASN1_INTEGER_to_BN
ASN1_NULL_free
ASN1_NULL_it
ASN1_NULL_new
ASN1_OBJECT_create
ASN1_OBJECT_free
ASN1_OBJECT_it
ASN1_OBJECT_new
ASN1_OCTET_STRING_NDEF_it
ASN1_OCTET_STRING_cmp
ASN1_OCTET_STRING_dup
ASN1_OCTET_STRING_free
ASN1_OCTET_STRING_it
ASN1_OCTET_STRING_new
ASN1_OCTET_STRING_set
ASN1_PCTX_free
ASN1_PCTX_get_cert_flags
ASN1_PCTX_get_flags
ASN1_PCTX_get_nm_flags
ASN1_PCTX_get_oid_flags
ASN1_PCTX_get_str_flags
ASN1_PCTX_new
ASN1_PCTX_set_cert_flags
ASN1_PCTX_set_flags
ASN1_PCTX_set_nm_flags
ASN1_PCTX_set_oid_flags
ASN1_PCTX_set_str_flags
ASN1_PRINTABLESTRING_free
ASN1_PRINTABLESTRING_it
ASN1_PRINTABLESTRING_new
ASN1_PRINTABLE_free
ASN1_PRINTABLE_it
ASN1_PRINTABLE_new
ASN1_PRINTABLE_type
ASN1_SEQUENCE_ANY_it
ASN1_SEQUENCE_it
ASN1_SET_ANY_it
ASN1_STRING_TABLE_add
ASN1_STRING_TABLE_cleanup
ASN1_STRING_TABLE_get
ASN1_STRING_clear_free
ASN1_STRING_cmp
ASN1_STRING_copy
ASN1_STRING_data
ASN1_STRING_dup
ASN1_STRING_free
ASN1_STRING_get_default_mask
ASN1_STRING_length
ASN1_STRING_length_set
ASN1_STRING_new
ASN1_STRING_print
ASN1_STRING_print_ex
ASN1_STRING_print_ex_fp
ASN1_STRING_set
ASN1_STRING_set0
ASN1_STRING_set_by_NID
ASN1_STRING_set_default_mask
ASN1_STRING_set_default_mask_asc
ASN1_STRING_to_UTF8
ASN1_STRING_type
ASN1_STRING_type_new
ASN1_T61STRING_free
ASN1_T61STRING_it
ASN1_T61STRING_new
ASN1_TBOOLEAN_it
ASN1_TIME_adj
ASN1_TIME_check
ASN1_TIME_diff
ASN1_TIME_free
ASN1_TIME_it
ASN1_TIME_new
ASN1_TIME_print
ASN1_TIME_set
ASN1_TIME_set_string
ASN1_TIME_to_generalizedtime
ASN1_TYPE_cmp
ASN1_TYPE_free
ASN1_TYPE_get
ASN1_TYPE_get_int_octetstring
ASN1_TYPE_get_octetstring
ASN1_TYPE_new
ASN1_TYPE_set
ASN1_TYPE_set1
ASN1_TYPE_set_int_octetstring
ASN1_TYPE_set_octetstring
ASN1_UNIVERSALSTRING_free
ASN1_UNIVERSALSTRING_it
ASN1_UNIVERSALSTRING_new
ASN1_UNIVERSALSTRING_to_string
ASN1_UTCTIME_adj
ASN1_UTCTIME_check
ASN1_UTCTIME_cmp_time_t
ASN1_UTCTIME_free
ASN1_UTCTIME_it
ASN1_UTCTIME_new
ASN1_UTCTIME_print
ASN1_UTCTIME_set
ASN1_UTCTIME_set_string
ASN1_UTF8STRING_free
ASN1_UTF8STRING_it
ASN1_UTF8STRING_new
ASN1_VISIBLESTRING_free
ASN1_VISIBLESTRING_it
ASN1_VISIBLESTRING_new
ASN1_add_oid_module
ASN1_bn_print
ASN1_check_infinite_end
ASN1_const_check_infinite_end
ASN1_d2i_bio
ASN1_d2i_fp
ASN1_digest
ASN1_dup
ASN1_generate_nconf
ASN1_generate_v3
ASN1_get_object
ASN1_i2d_bio
ASN1_i2d_fp
ASN1_item_d2i
ASN1_item_d2i_bio
ASN1_item_d2i_fp
ASN1_item_digest
ASN1_item_dup
ASN1_item_ex_d2i
ASN1_item_ex_free
ASN1_item_ex_i2d
ASN1_item_ex_new
ASN1_item_free
ASN1_item_i2d
ASN1_item_i2d_bio
ASN1_item_i2d_fp
ASN1_item_ndef_i2d
ASN1_item_new
ASN1_item_pack
ASN1_item_print
ASN1_item_sign
ASN1_item_sign_ctx
ASN1_item_unpack
ASN1_item_verify
ASN1_mbstring_copy
ASN1_mbstring_ncopy
ASN1_object_size
ASN1_pack_string
ASN1_parse
ASN1_parse_dump
ASN1_primitive_free
ASN1_primitive_new
ASN1_put_eoc
ASN1_put_object
ASN1_seq_pack
ASN1_seq_unpack
ASN1_sign
ASN1_tag2bit
ASN1_tag2str
ASN1_template_d2i
ASN1_template_free
ASN1_template_i2d
ASN1_template_new
ASN1_unpack_string
ASN1_verify
AUTHORITY_INFO_ACCESS_free
AUTHORITY_INFO_ACCESS_it
AUTHORITY_INFO_ACCESS_new
AUTHORITY_KEYID_free
AUTHORITY_KEYID_it
AUTHORITY_KEYID_new
BASIC_CONSTRAINTS_free
BASIC_CONSTRAINTS_it
BASIC_CONSTRAINTS_new
BF_cbc_encrypt
BF_cfb64_encrypt
BF_decrypt
BF_ecb_encrypt
BF_encrypt
BF_ofb64_encrypt
BF_options
BF_set_key
BIGNUM_it
BIO_accept
BIO_asn1_get_prefix
BIO_asn1_get_suffix
BIO_asn1_set_prefix
BIO_asn1_set_suffix
BIO_callback_ctrl
BIO_clear_flags
BIO_copy_next_retry
BIO_ctrl
BIO_ctrl_get_read_request
BIO_ctrl_get_write_guarantee
BIO_ctrl_pending
BIO_ctrl_reset_read_request
BIO_ctrl_wpending
BIO_debug_callback
BIO_dgram_non_fatal_error
BIO_dump
BIO_dump_cb
BIO_dump_fp
BIO_dump_indent
BIO_dump_indent_cb
BIO_dump_indent_fp
BIO_dup_chain
BIO_f_asn1
BIO_f_base64
BIO_f_buffer
BIO_f_cipher
BIO_f_md
BIO_f_nbio_test
BIO_f_null
BIO_f_reliable
BIO_fd_non_fatal_error
BIO_fd_should_retry
BIO_find_type
BIO_free
BIO_free_all
BIO_get_accept_socket
BIO_get_callback
BIO_get_callback_arg
BIO_get_ex_data
BIO_get_ex_new_index
BIO_get_host_ip
BIO_get_port
BIO_get_retry_BIO
BIO_get_retry_reason
BIO_gethostbyname
BIO_gets
BIO_hex_string
BIO_indent
BIO_int_ctrl
BIO_method_name
BIO_method_type
BIO_new
BIO_new_CMS
BIO_new_NDEF
BIO_new_PKCS7
BIO_new_accept
BIO_new_bio_pair
BIO_new_connect
BIO_new_dgram
BIO_new_fd
BIO_new_file
BIO_new_fp
BIO_new_mem_buf
BIO_new_socket
BIO_next
BIO_nread
BIO_nread0
BIO_number_read
BIO_number_written
BIO_nwrite
BIO_nwrite0
BIO_pop
BIO_printf
BIO_ptr_ctrl
BIO_push
BIO_puts
BIO_read
BIO_s_accept
BIO_s_bio
BIO_s_connect
BIO_s_datagram
BIO_s_fd
BIO_s_file
BIO_s_mem
BIO_s_null
BIO_s_socket
BIO_set
BIO_set_callback
BIO_set_callback_arg
BIO_set_cipher
BIO_set_ex_data
BIO_set_flags
BIO_set_tcp_ndelay
BIO_snprintf
BIO_sock_cleanup
BIO_sock_error
BIO_sock_init
BIO_sock_non_fatal_error
BIO_sock_should_retry
BIO_socket_ioctl
BIO_socket_nbio
BIO_test_flags
BIO_vfree
BIO_vprintf
BIO_vsnprintf
BIO_write
BN_BLINDING_convert
BN_BLINDING_convert_ex
BN_BLINDING_create_param
BN_BLINDING_free
BN_BLINDING_get_flags
BN_BLINDING_get_thread_id
BN_BLINDING_invert
BN_BLINDING_invert_ex
BN_BLINDING_new
BN_BLINDING_set_flags
BN_BLINDING_set_thread_id
BN_BLINDING_thread_id
BN_BLINDING_update
BN_CTX_end
BN_CTX_free
BN_CTX_get
BN_CTX_init
BN_CTX_new
BN_CTX_start
BN_GENCB_call
BN_GF2m_add
BN_GF2m_arr2poly
BN_GF2m_mod
BN_GF2m_mod_arr
BN_GF2m_mod_div
BN_GF2m_mod_div_arr
BN_GF2m_mod_exp
BN_GF2m_mod_exp_arr
BN_GF2m_mod_inv
BN_GF2m_mod_inv_arr
BN_GF2m_mod_mul
BN_GF2m_mod_mul_arr
BN_GF2m_mod_solve_quad
BN_GF2m_mod_solve_quad_arr
BN_GF2m_mod_sqr
BN_GF2m_mod_sqr_arr
BN_GF2m_mod_sqrt
BN_GF2m_mod_sqrt_arr
BN_GF2m_poly2arr
BN_MONT_CTX_copy
BN_MONT_CTX_free
BN_MONT_CTX_init
BN_MONT_CTX_new
BN_MONT_CTX_set
BN_MONT_CTX_set_locked
BN_RECP_CTX_free
BN_RECP_CTX_init
BN_RECP_CTX_new
BN_RECP_CTX_set
BN_X931_derive_prime_ex
BN_X931_generate_Xpq
BN_X931_generate_prime_ex
BN_add
BN_add_word
BN_asc2bn
BN_bin2bn
BN_bn2bin
BN_bn2dec
BN_bn2hex
BN_bn2mpi
BN_bntest_rand
BN_clear
BN_clear_bit
BN_clear_free
BN_cmp
BN_consttime_swap
BN_copy
BN_dec2bn
BN_div
BN_div_recp
BN_div_word
BN_dup
BN_exp
BN_free
BN_from_montgomery
BN_gcd
BN_generate_prime
BN_generate_prime_ex
BN_get0_nist_prime_192
BN_get0_nist_prime_224
BN_get0_nist_prime_256
BN_get0_nist_prime_384
BN_get0_nist_prime_521
BN_get_params
BN_get_word
BN_hex2bn
BN_init
BN_is_bit_set
BN_is_prime
BN_is_prime_ex
BN_is_prime_fasttest
BN_is_prime_fasttest_ex
BN_kronecker
BN_lshift
BN_lshift1
BN_mask_bits
BN_mod_add
BN_mod_add_quick
BN_mod_exp
BN_mod_exp2_mont
BN_mod_exp_mont
BN_mod_exp_mont_consttime
BN_mod_exp_mont_word
BN_mod_exp_recp
BN_mod_exp_simple
BN_mod_inverse
BN_mod_lshift
BN_mod_lshift1
BN_mod_lshift1_quick
BN_mod_lshift_quick
BN_mod_mul
BN_mod_mul_montgomery
BN_mod_mul_reciprocal
BN_mod_sqr
BN_mod_sqrt
BN_mod_sub
BN_mod_sub_quick
BN_mod_word
BN_mpi2bn
BN_mul
BN_mul_word
BN_new
BN_nist_mod_192
BN_nist_mod_224
BN_nist_mod_256
BN_nist_mod_384
BN_nist_mod_521
BN_nnmod
BN_num_bits
BN_num_bits_word
BN_options
BN_print
BN_print_fp
BN_pseudo_rand
BN_pseudo_rand_range
BN_rand
BN_rand_range
BN_reciprocal
BN_rshift
BN_rshift1
BN_set_bit
BN_set_negative
BN_set_params
BN_set_word
BN_sqr
BN_sub
BN_sub_word
BN_swap
BN_to_ASN1_ENUMERATED
BN_to_ASN1_INTEGER
BN_uadd
BN_ucmp
BN_usub
BN_value_one

Sections

.text
Size: 949KB - Virtual size: 949KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 360KB - Virtual size: 360KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 26KB - Virtual size: 37KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.gfids
Size: 512B - Virtual size: 172B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 43KB - Virtual size: 42KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
ransomware_deployed/libexpat.dll
.dll windows:6 windows x86 arch:x86

b8a82892ba244ad91efe22d229623ec3

Code Sign

04:00:00:00:00:01:2f:4e:e1:52:d7
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

13/04/2011, 10:00

Not After

28/01/2028, 12:00

Subject

CN=GlobalSign Timestamping CA - G2,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

11:21:d6:99:a7:64:97:3e:f1:f8:42:7e:e9:19:cc:53:41:14
Certificate

Issuer

CN=GlobalSign Timestamping CA - G2,O=GlobalSign nv-sa,C=BE

Not Before

24/05/2016, 00:00

Not After

24/06/2027, 00:00

Subject

CN=GlobalSign TSA for MS Authenticode - G2,O=GMO GlobalSign Pte Ltd,C=SG

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

19:1a:32:cb:75:9c:97:b8:cf:ac:11:8d:d5:12:7f:49
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

04/03/2014, 00:00

Not After

03/03/2024, 23:59

Subject

CN=Symantec Class 3 Extended Validation Code Signing CA - G2,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

48:71:dd:fd:2e:98:d4:c3:c9:fd:c2:c8:b4:52:c6:fc
Certificate

Issuer

CN=Symantec Class 3 Extended Validation Code Signing CA - G2,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Not Before

29/03/2018, 00:00

Not After

28/03/2020, 23:59

Subject

SERIALNUMBER=91440300746612636Q,CN=ShenZhen Thunder Networking Technologies Ltd.,OU=IT,O=ShenZhen Thunder Networking Technologies Ltd.,L=Shenzhen,ST=Guangdong,C=CN,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.1=#13085368656e5a68656e,1.3.6.1.4.1.311.60.2.1.2=#13084775616e446f6e67,1.3.6.1.4.1.311.60.2.1.3=#1302434e

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

26:75:54:07:3f:c5:03:a4:14:1f:2e:e9:cc:f4:ea:33:c7:d9:10:e2
Signer

Actual PE Digest

26:75:54:07:3f:c5:03:a4:14:1f:2e:e9:cc:f4:ea:33:c7:d9:10:e2

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

D:\work\xlca_3rd\libexpat_15\bin\vc9\Release\expat.pdb

Imports

kernel32

UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetStartupInfoW
GetModuleHandleW
InterlockedPushEntrySList
InterlockedFlushSList
RtlUnwind
GetLastError
SetLastError
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
GetProcAddress
LoadLibraryExW
ExitProcess
GetModuleHandleExW
GetModuleFileNameA
GetModuleFileNameW
MultiByteToWideChar
WideCharToMultiByte
HeapFree
HeapAlloc
GetDateFormatW
GetTimeFormatW
CompareStringW
LCMapStringW
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
HeapReAlloc
GetCurrentThread
FindClose
FindFirstFileExA
FindFirstFileExW
FindNextFileA
FindNextFileW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetCommandLineA
GetCommandLineW
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableA
SetEnvironmentVariableW
GetProcessHeap
GetStdHandle
GetFileType
SetConsoleCtrlHandler
GetStringTypeW
HeapSize
SetStdHandle
WriteFile
FlushFileBuffers
GetConsoleCP
GetConsoleMode
SetFilePointerEx
OutputDebugStringA
OutputDebugStringW
CloseHandle
WaitForSingleObjectEx
CreateThread
WriteConsoleW
EncodePointer
DecodePointer
CreateFileW
RaiseException

Exports

Exports

XML_DefaultCurrent
XML_ErrorString
XML_ExpatVersion
XML_ExpatVersionInfo
XML_ExternalEntityParserCreate
XML_FreeContentModel
XML_GetBase
XML_GetBuffer
XML_GetCurrentByteCount
XML_GetCurrentByteIndex
XML_GetCurrentColumnNumber
XML_GetCurrentLineNumber
XML_GetErrorCode
XML_GetFeatureList
XML_GetIdAttributeIndex
XML_GetInputContext
XML_GetParsingStatus
XML_GetSpecifiedAttributeCount
XML_MemFree
XML_MemMalloc
XML_MemRealloc
XML_Parse
XML_ParseBuffer
XML_ParserCreate
XML_ParserCreateNS
XML_ParserCreate_MM
XML_ParserFree
XML_ParserReset
XML_ResumeParser
XML_SetAttlistDeclHandler
XML_SetBase
XML_SetCdataSectionHandler
XML_SetCharacterDataHandler
XML_SetCommentHandler
XML_SetDefaultHandler
XML_SetDefaultHandlerExpand
XML_SetDoctypeDeclHandler
XML_SetElementDeclHandler
XML_SetElementHandler
XML_SetEncoding
XML_SetEndCdataSectionHandler
XML_SetEndDoctypeDeclHandler
XML_SetEndElementHandler
XML_SetEndNamespaceDeclHandler
XML_SetEntityDeclHandler
XML_SetExternalEntityRefHandler
XML_SetExternalEntityRefHandlerArg
XML_SetNamespaceDeclHandler
XML_SetNotStandaloneHandler
XML_SetNotationDeclHandler
XML_SetParamEntityParsing
XML_SetProcessingInstructionHandler
XML_SetReturnNSTriplet
XML_SetSkippedEntityHandler
XML_SetStartCdataSectionHandler
XML_SetStartDoctypeDeclHandler
XML_SetStartElementHandler
XML_SetStartNamespaceDeclHandler
XML_SetUnknownEncodingHandler
XML_SetUnparsedEntityDeclHandler
XML_SetUserData
XML_SetXmlDeclHandler
XML_StopParser
XML_UseForeignDTD
XML_UseParserAsHandlerArg

Sections

.text
Size: 312KB - Virtual size: 311KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 44KB - Virtual size: 44KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.gfids
Size: 512B - Virtual size: 356B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
ransomware_deployed/ssleay32.dll
.dll windows:6 windows x86 arch:x86

777db3773e23ffb83edd2e998f829ba5

Code Sign

04:00:00:00:00:01:2f:4e:e1:52:d7
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

13/04/2011, 10:00

Not After

28/01/2028, 12:00

Subject

CN=GlobalSign Timestamping CA - G2,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

11:21:d6:99:a7:64:97:3e:f1:f8:42:7e:e9:19:cc:53:41:14
Certificate

Issuer

CN=GlobalSign Timestamping CA - G2,O=GlobalSign nv-sa,C=BE

Not Before

24/05/2016, 00:00

Not After

24/06/2027, 00:00

Subject

CN=GlobalSign TSA for MS Authenticode - G2,O=GMO GlobalSign Pte Ltd,C=SG

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

19:1a:32:cb:75:9c:97:b8:cf:ac:11:8d:d5:12:7f:49
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

04/03/2014, 00:00

Not After

03/03/2024, 23:59

Subject

CN=Symantec Class 3 Extended Validation Code Signing CA - G2,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

48:71:dd:fd:2e:98:d4:c3:c9:fd:c2:c8:b4:52:c6:fc
Certificate

Issuer

CN=Symantec Class 3 Extended Validation Code Signing CA - G2,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Not Before

29/03/2018, 00:00

Not After

28/03/2020, 23:59

Subject

SERIALNUMBER=91440300746612636Q,CN=ShenZhen Thunder Networking Technologies Ltd.,OU=IT,O=ShenZhen Thunder Networking Technologies Ltd.,L=Shenzhen,ST=Guangdong,C=CN,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.1=#13085368656e5a68656e,1.3.6.1.4.1.311.60.2.1.2=#13084775616e446f6e67,1.3.6.1.4.1.311.60.2.1.3=#1302434e

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

19:1a:32:cb:75:9c:97:b8:cf:ac:11:8d:d5:12:7f:49
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

04/03/2014, 00:00

Not After

03/03/2024, 23:59

Subject

CN=Symantec Class 3 Extended Validation Code Signing CA - G2,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

61:19:93:e4:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22/02/2011, 19:25

Not After

22/02/2021, 19:35

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

48:71:dd:fd:2e:98:d4:c3:c9:fd:c2:c8:b4:52:c6:fc
Certificate

Issuer

CN=Symantec Class 3 Extended Validation Code Signing CA - G2,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Not Before

29/03/2018, 00:00

Not After

28/03/2020, 23:59

Subject

SERIALNUMBER=91440300746612636Q,CN=ShenZhen Thunder Networking Technologies Ltd.,OU=IT,O=ShenZhen Thunder Networking Technologies Ltd.,L=Shenzhen,ST=Guangdong,C=CN,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.1=#13085368656e5a68656e,1.3.6.1.4.1.311.60.2.1.2=#13084775616e446f6e67,1.3.6.1.4.1.311.60.2.1.3=#1302434e

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

0c:a7:cf:5d:07:07:24:ac:89:e7:9a:3a
Certificate

Issuer

CN=GlobalSign Timestamping CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE

Not Before

19/02/2018, 00:00

Not After

18/03/2029, 10:00

Subject

CN=GlobalSign TSA for Advanced - G2

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

04:00:00:00:00:01:31:89:c6:50:04
Certificate

Issuer

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Not Before

02/08/2011, 10:00

Not After

29/03/2029, 10:00

Subject

CN=GlobalSign Timestamping CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

a7:49:35:3e:32:cf:95:1c:cf:5d:44:c4:81:9f:f5:c4:ef:8c:07:77:f6:67:96:f9:3e:ca:cd:28:05:72:34:e5
Signer

Actual PE Digest

a7:49:35:3e:32:cf:95:1c:cf:5d:44:c4:81:9f:f5:c4:ef:8c:07:77:f6:67:96:f9:3e:ca:cd:28:05:72:34:e5

Digest Algorithm

sha256

PE Digest Matches

true

0f:fe:ef:ce:27:5b:83:04:9d:0e:07:2e:48:87:a3:4f:3d:73:e9:ab
Signer

Actual PE Digest

0f:fe:ef:ce:27:5b:83:04:9d:0e:07:2e:48:87:a3:4f:3d:73:e9:ab

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

D:\Work\openssl-1.0.2o\out32dll\ssleay32.pdb

Imports

libeay32

ord3550
ord3666
ord3644
ord866
ord641
ord754
ord654
ord635
ord2747
ord2784
ord2572
ord964
ord965
ord464
ord2201
ord3489
ord907
ord904
ord176
ord87
ord150
ord125
ord1000
ord124
ord129
ord486
ord493
ord484
ord205
ord216
ord363
ord2712
ord2925
ord3165
ord268
ord333
ord316
ord4470
ord1010
ord282
ord4125
ord4262
ord4164
ord1071
ord2877
ord3711
ord3682
ord3719
ord577
ord763
ord572
ord4046
ord481
ord2063
ord2107
ord3450
ord283
ord3418
ord3244
ord1096
ord1097
ord78
ord109
ord95
ord3816
ord3873
ord3836
ord3888
ord3891
ord3874
ord2589
ord2915
ord323
ord3906
ord1144
ord1145
ord3823
ord3846
ord89
ord2292
ord1081
ord187
ord3857
ord267
ord503
ord1012
ord3631
ord3479
ord3664
ord3737
ord3633
ord3675
ord341
ord1011
ord359
ord365
ord4210
ord3067
ord266
ord264
ord3314
ord3312
ord3313
ord2568
ord3528
ord4684
ord3388
ord541
ord3925
ord3922
ord4701
ord653
ord4692
ord3192
ord3124
ord2702
ord2898
ord1202
ord4144
ord4372
ord3782
ord2400
ord4174
ord193
ord3866
ord3767
ord3758
ord3704
ord3647
ord3365
ord3766
ord3460
ord4114
ord3783
ord3454
ord3394
ord3754
ord1655
ord914
ord1041
ord1027
ord1025
ord1004
ord3480
ord1005
ord3826
ord53
ord85
ord67
ord65
ord74
ord98
ord58
ord497
ord206
ord892
ord890
ord897
ord2257
ord248
ord364
ord4331
ord4513
ord629
ord626
ord628
ord630
ord3437
ord3527
ord3378
ord3610
ord3414
ord3495
ord3399
ord3559
ord575
ord636
ord2051
ord2478
ord246
ord3657
ord3396
ord908
ord911
ord93
ord128
ord623
ord622
ord624
ord1100
ord1023
ord1016
ord2204
ord2451
ord2524
ord3505
ord3595
ord680
ord857
ord657
ord4693
ord2135
ord679
ord401
ord3205
ord891
ord887
ord889
ord4045
ord2475
ord368
ord370
ord367
ord369
ord1671
ord189
ord1147
ord314
ord315
ord4383
ord4320
ord956
ord750
ord279
ord748
ord280
ord774
ord751
ord2181
ord394
ord1959
ord400
ord399
ord716
ord822
ord718
ord824
ord8
ord7
ord3700
ord3623
ord37
ord35
ord703
ord1091
ord88
ord2426
ord86
ord1101
ord313
ord3724
ord299
ord304
ord329
ord318
ord325
ord959
ord4601
ord3155
ord2996
ord4615
ord4637
ord4656
ord4731
ord4740
ord3795
ord3807
ord3914
ord292
ord293
ord395
ord2252
ord91
ord955
ord225
ord247
ord4572
ord4580
ord4576
ord4570
ord4578
ord4582
ord4573
ord4577
ord4581
ord4575
ord4584
ord3459
ord3608
ord3512
ord3575
ord3729
ord3422
ord3353
ord3663
ord2578
ord3178
ord3010
ord2929
ord2924
ord3570
ord3695
ord4488
ord1070
ord4245
ord4369
ord4474
ord4233
ord4430
ord4119
ord967
ord281
ord2128
ord285
ord2927
ord3315
ord256
ord961
ord290
ord289
ord274
ord276
ord2894
ord2936
ord269
ord3109
ord3883
ord2821
ord2630
ord3899
ord3896
ord3844
ord3837
ord222
ord252
ord219
ord201
ord203
ord202
ord4540
ord498
ord495
ord2760
ord490
ord32
ord165
ord120
ord118
ord123
ord151
ord110
ord111
ord52
ord66
ord3245
ord181
ord188
ord903
ord912
ord910
ord909
ord905
ord2411
ord1653
ord1654
ord3513
ord170
ord3239
ord168
ord167
ord1007
ord169

kernel32

RaiseException
CreateFileW
WriteConsoleW
SetFilePointerEx
CloseHandle
HeapReAlloc
HeapSize
SetStdHandle
GetConsoleMode
GetConsoleCP
WriteFile
FlushFileBuffers
GetStringTypeW
GetProcessHeap
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetCommandLineA
GetCPInfo
GetOEMCP
IsValidCodePage
FindNextFileA
FindFirstFileExA
FindClose
GetACP
GetFileType
GetStdHandle
LCMapStringW
HeapAlloc
HeapFree
WideCharToMultiByte
MultiByteToWideChar
GetModuleFileNameA
GetModuleHandleExW
ExitProcess
LoadLibraryExW
GetProcAddress
FreeLibrary
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
RtlUnwind
InterlockedFlushSList
GetModuleHandleW
GetStartupInfoW
IsDebuggerPresent
InitializeSListHead
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
IsProcessorFeaturePresent
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetLastError
SystemTimeToFileTime
GetSystemTime
SetLastError
DecodePointer

Exports

Exports

BIO_f_ssl
BIO_new_buffer_ssl_connect
BIO_new_ssl
BIO_new_ssl_connect
BIO_ssl_copy_session_id
BIO_ssl_shutdown
DTLS_client_method
DTLS_method
DTLS_server_method
DTLSv1_2_client_method
DTLSv1_2_method
DTLSv1_2_server_method
DTLSv1_client_method
DTLSv1_method
DTLSv1_server_method
ERR_load_SSL_strings
PEM_read_SSL_SESSION
PEM_read_bio_SSL_SESSION
PEM_write_SSL_SESSION
PEM_write_bio_SSL_SESSION
SRP_Calc_A_param
SRP_generate_client_master_secret
SRP_generate_server_master_secret
SSL_CIPHER_description
SSL_CIPHER_find
SSL_CIPHER_get_bits
SSL_CIPHER_get_id
SSL_CIPHER_get_name
SSL_CIPHER_get_version
SSL_COMP_add_compression_method
SSL_COMP_free_compression_methods
SSL_COMP_get_compression_methods
SSL_COMP_get_name
SSL_COMP_set0_compression_methods
SSL_CONF_CTX_clear_flags
SSL_CONF_CTX_finish
SSL_CONF_CTX_free
SSL_CONF_CTX_new
SSL_CONF_CTX_set1_prefix
SSL_CONF_CTX_set_flags
SSL_CONF_CTX_set_ssl
SSL_CONF_CTX_set_ssl_ctx
SSL_CONF_cmd
SSL_CONF_cmd_argv
SSL_CONF_cmd_value_type
SSL_CTX_SRP_CTX_free
SSL_CTX_SRP_CTX_init
SSL_CTX_add_client_CA
SSL_CTX_add_client_custom_ext
SSL_CTX_add_server_custom_ext
SSL_CTX_add_session
SSL_CTX_callback_ctrl
SSL_CTX_check_private_key
SSL_CTX_ctrl
SSL_CTX_flush_sessions
SSL_CTX_free
SSL_CTX_get0_certificate
SSL_CTX_get0_param
SSL_CTX_get0_privatekey
SSL_CTX_get_cert_store
SSL_CTX_get_client_CA_list
SSL_CTX_get_client_cert_cb
SSL_CTX_get_ex_data
SSL_CTX_get_ex_new_index
SSL_CTX_get_info_callback
SSL_CTX_get_quiet_shutdown
SSL_CTX_get_ssl_method
SSL_CTX_get_timeout
SSL_CTX_get_verify_callback
SSL_CTX_get_verify_depth
SSL_CTX_get_verify_mode
SSL_CTX_load_verify_locations
SSL_CTX_new
SSL_CTX_remove_session
SSL_CTX_sess_get_get_cb
SSL_CTX_sess_get_new_cb
SSL_CTX_sess_get_remove_cb
SSL_CTX_sess_set_get_cb
SSL_CTX_sess_set_new_cb
SSL_CTX_sess_set_remove_cb
SSL_CTX_sessions
SSL_CTX_set1_param
SSL_CTX_set_alpn_protos
SSL_CTX_set_alpn_select_cb
SSL_CTX_set_cert_cb
SSL_CTX_set_cert_store
SSL_CTX_set_cert_verify_callback
SSL_CTX_set_cipher_list
SSL_CTX_set_client_CA_list
SSL_CTX_set_client_cert_cb
SSL_CTX_set_client_cert_engine
SSL_CTX_set_cookie_generate_cb
SSL_CTX_set_cookie_verify_cb
SSL_CTX_set_default_passwd_cb
SSL_CTX_set_default_passwd_cb_userdata
SSL_CTX_set_default_verify_paths
SSL_CTX_set_ex_data
SSL_CTX_set_generate_session_id
SSL_CTX_set_info_callback
SSL_CTX_set_msg_callback
SSL_CTX_set_next_proto_select_cb
SSL_CTX_set_next_protos_advertised_cb
SSL_CTX_set_psk_client_callback
SSL_CTX_set_psk_server_callback
SSL_CTX_set_purpose
SSL_CTX_set_quiet_shutdown
SSL_CTX_set_session_id_context
SSL_CTX_set_srp_cb_arg
SSL_CTX_set_srp_client_pwd_callback
SSL_CTX_set_srp_password
SSL_CTX_set_srp_strength
SSL_CTX_set_srp_username
SSL_CTX_set_srp_username_callback
SSL_CTX_set_srp_verify_param_callback
SSL_CTX_set_ssl_version
SSL_CTX_set_timeout
SSL_CTX_set_tlsext_use_srtp
SSL_CTX_set_tmp_dh_callback
SSL_CTX_set_tmp_ecdh_callback
SSL_CTX_set_tmp_rsa_callback
SSL_CTX_set_trust
SSL_CTX_set_verify
SSL_CTX_set_verify_depth
SSL_CTX_use_PrivateKey
SSL_CTX_use_PrivateKey_ASN1
SSL_CTX_use_PrivateKey_file
SSL_CTX_use_RSAPrivateKey
SSL_CTX_use_RSAPrivateKey_ASN1
SSL_CTX_use_RSAPrivateKey_file
SSL_CTX_use_certificate
SSL_CTX_use_certificate_ASN1
SSL_CTX_use_certificate_chain_file
SSL_CTX_use_certificate_file
SSL_CTX_use_psk_identity_hint
SSL_CTX_use_serverinfo
SSL_CTX_use_serverinfo_file
SSL_SESSION_free
SSL_SESSION_get0_peer
SSL_SESSION_get_compress_id
SSL_SESSION_get_ex_data
SSL_SESSION_get_ex_new_index
SSL_SESSION_get_id
SSL_SESSION_get_time
SSL_SESSION_get_timeout
SSL_SESSION_new
SSL_SESSION_print
SSL_SESSION_print_fp
SSL_SESSION_set1_id_context
SSL_SESSION_set_ex_data
SSL_SESSION_set_time
SSL_SESSION_set_timeout
SSL_SRP_CTX_free
SSL_SRP_CTX_init
SSL_accept
SSL_add_client_CA
SSL_add_dir_cert_subjects_to_stack
SSL_add_file_cert_subjects_to_stack
SSL_alert_desc_string
SSL_alert_desc_string_long
SSL_alert_type_string
SSL_alert_type_string_long
SSL_cache_hit
SSL_callback_ctrl
SSL_certs_clear
SSL_check_chain
SSL_check_private_key
SSL_clear
SSL_connect
SSL_copy_session_id
SSL_ctrl
SSL_do_handshake
SSL_dup
SSL_dup_CA_list
SSL_export_keying_material
SSL_extension_supported
SSL_free
SSL_get0_alpn_selected
SSL_get0_next_proto_negotiated
SSL_get0_param
SSL_get1_session
SSL_get_SSL_CTX
SSL_get_certificate
SSL_get_cipher_list
SSL_get_ciphers
SSL_get_client_CA_list
SSL_get_current_cipher
SSL_get_current_compression
SSL_get_current_expansion
SSL_get_default_timeout
SSL_get_error
SSL_get_ex_data
SSL_get_ex_data_X509_STORE_CTX_idx
SSL_get_ex_new_index
SSL_get_fd
SSL_get_finished
SSL_get_info_callback
SSL_get_peer_cert_chain
SSL_get_peer_certificate
SSL_get_peer_finished
SSL_get_privatekey
SSL_get_psk_identity
SSL_get_psk_identity_hint
SSL_get_quiet_shutdown
SSL_get_rbio
SSL_get_read_ahead
SSL_get_rfd
SSL_get_selected_srtp_profile
SSL_get_servername
SSL_get_servername_type
SSL_get_session
SSL_get_shared_ciphers
SSL_get_shared_sigalgs
SSL_get_shutdown
SSL_get_sigalgs
SSL_get_srp_N
SSL_get_srp_g
SSL_get_srp_userinfo
SSL_get_srp_username
SSL_get_srtp_profiles
SSL_get_ssl_method
SSL_get_verify_callback
SSL_get_verify_depth
SSL_get_verify_mode
SSL_get_verify_result
SSL_get_version
SSL_get_wbio
SSL_get_wfd
SSL_has_matching_session_id
SSL_is_server
SSL_library_init
SSL_load_client_CA_file
SSL_load_error_strings
SSL_new
SSL_peek
SSL_pending
SSL_read
SSL_renegotiate
SSL_renegotiate_abbreviated
SSL_renegotiate_pending
SSL_rstate_string
SSL_rstate_string_long
SSL_select_next_proto
SSL_set1_param
SSL_set_SSL_CTX
SSL_set_accept_state
SSL_set_alpn_protos
SSL_set_bio
SSL_set_cert_cb
SSL_set_cipher_list
SSL_set_client_CA_list
SSL_set_connect_state
SSL_set_debug
SSL_set_ex_data
SSL_set_fd
SSL_set_generate_session_id
SSL_set_info_callback
SSL_set_msg_callback
SSL_set_psk_client_callback
SSL_set_psk_server_callback
SSL_set_purpose
SSL_set_quiet_shutdown
SSL_set_read_ahead
SSL_set_rfd
SSL_set_session
SSL_set_session_id_context
SSL_set_session_secret_cb
SSL_set_session_ticket_ext
SSL_set_session_ticket_ext_cb
SSL_set_shutdown
SSL_set_srp_server_param
SSL_set_srp_server_param_pw
SSL_set_ssl_method
SSL_set_state
SSL_set_tlsext_use_srtp
SSL_set_tmp_dh_callback
SSL_set_tmp_ecdh_callback
SSL_set_tmp_rsa_callback
SSL_set_trust
SSL_set_verify
SSL_set_verify_depth
SSL_set_verify_result
SSL_set_wfd
SSL_shutdown
SSL_srp_server_param_with_username
SSL_state
SSL_state_string
SSL_state_string_long
SSL_use_PrivateKey
SSL_use_PrivateKey_ASN1
SSL_use_PrivateKey_file
SSL_use_RSAPrivateKey
SSL_use_RSAPrivateKey_ASN1
SSL_use_RSAPrivateKey_file
SSL_use_certificate
SSL_use_certificate_ASN1
SSL_use_certificate_file
SSL_use_psk_identity_hint
SSL_version
SSL_want
SSL_write
SSLv23_client_method
SSLv23_method
SSLv23_server_method
SSLv2_client_method
SSLv2_method
SSLv2_server_method
SSLv3_client_method
SSLv3_method
SSLv3_server_method
TLSv1_1_client_method
TLSv1_1_method
TLSv1_1_server_method
TLSv1_2_client_method
TLSv1_2_method
TLSv1_2_server_method
TLSv1_client_method
TLSv1_method
TLSv1_server_method
d2i_SSL_SESSION
i2d_SSL_SESSION
ssl3_ciphers

Sections

.text
Size: 257KB - Virtual size: 257KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 70KB - Virtual size: 70KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 13KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.gfids
Size: 512B - Virtual size: 160B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 13KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
ransomware_deployed/xlstat4.dll
.dll windows:5 windows x86 arch:x86

3f65caed8a5b132078fc8f559730f620

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

LCMapStringW
GetStdHandle
GetACP
ExitProcess
GetFileType
SetStdHandle
QueryPerformanceFrequency
VirtualQuery
GetStringTypeW
GetSystemInfo
HeapQueryInformation
GetModuleHandleExW
FreeLibraryAndExitThread
ExitThread
CreateThread
GetCommandLineW
GetCommandLineA
InterlockedFlushSList
RtlUnwind
OutputDebugStringW
GetTimeZoneInformation
GetConsoleCP
GetConsoleMode
SetFilePointerEx
FindFirstFileExA
FindNextFileA
IsValidCodePage
GetOEMCP
GetCPInfo
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableA
InitializeSListHead
GetSystemTimeAsFileTime
QueryPerformanceCounter
GetStartupInfoW
IsDebuggerPresent
IsProcessorFeaturePresent
TerminateProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
WaitForSingleObjectEx
ResetEvent
Sleep
SearchPathW
GetProfileIntW
GetTickCount
GetTempPathW
GetTempFileNameW
VerifyVersionInfoW
VerSetConditionMask
GetWindowsDirectoryW
FindResourceExW
lstrcpyW
VirtualProtect
SystemTimeToTzSpecificLocalTime
GetFileTime
GetFileSizeEx
GetFileAttributesExW
GetFileAttributesW
FileTimeToLocalFileTime
FileTimeToSystemTime
GlobalGetAtomNameW
lstrcmpiW
GetCurrentProcess
DuplicateHandle
WriteFile
UnlockFile
SetFilePointer
SetEndOfFile
LockFile
GetVolumeInformationW
GetFullPathNameW
FlushFileBuffers
FindFirstFileW
FindClose
CreateFileW
GlobalFindAtomW
LoadLibraryA
FreeResource
DeleteFileW
GlobalFlags
GetUserDefaultUILanguage
GetSystemDefaultUILanguage
GetLocaleInfoW
CompareStringW
GetCurrentDirectoryW
GetSystemDirectoryW
EncodePointer
CopyFileW
FormatMessageW
MulDiv
GlobalSize
SetErrorMode
LocalFree
LocalReAlloc
LocalAlloc
GlobalFree
GlobalUnlock
GlobalHandle
GlobalReAlloc
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
LoadLibraryW
SetLastError
OutputDebugStringA
GetCurrentProcessId
GlobalAddAtomW
WritePrivateProfileStringW
GetPrivateProfileStringW
GetPrivateProfileIntW
GetModuleHandleW
ResumeThread
SetThreadPriority
CreateEventW
WaitForSingleObject
SetEvent
CloseHandle
WideCharToMultiByte
MultiByteToWideChar
FindResourceW
lstrcmpW
lstrcmpA
GlobalDeleteAtom
GlobalLock
GlobalAlloc
SizeofResource
LockResource
LoadResource
LoadLibraryExW
GetModuleFileNameW
FreeLibrary
GetVersionExW
GetCurrentThreadId
GetCurrentThread
ReadFile
GetFileSize
CreateFileA
GetModuleFileNameA
GetModuleHandleA
GetProcAddress
GetProcessHeap
HeapFree
DeleteCriticalSection
DecodePointer
HeapAlloc
RaiseException
HeapReAlloc
GetLastError
HeapSize
InitializeCriticalSectionAndSpinCount
VirtualAlloc
WriteConsoleW

user32

MessageBeep
GetIconInfo
DrawIconEx
IsRectEmpty
DrawFocusRect
WindowFromPoint
ReleaseCapture
SetCapture
GetNextDlgGroupItem
LoadImageW
TrackMouseEvent
MapDialogRect
GetAsyncKeyState
GetNextDlgTabItem
EndDialog
CreateDialogIndirectParamW
OffsetRect
SetRectEmpty
SendDlgItemMessageA
IntersectRect
InflateRect
GetMenuItemInfoW
DestroyMenu
CharUpperW
DestroyIcon
LoadCursorW
GetSysColorBrush
GetSystemMetrics
IsDialogMessageW
CheckDlgButton
MoveWindow
ShowWindow
GetMonitorInfoW
MonitorFromWindow
WinHelpW
GetScrollInfo
SetScrollInfo
LoadIconW
GetTopWindow
GetClassLongW
SetWindowLongW
EqualRect
CopyRect
MapWindowPoints
AdjustWindowRectEx
GetWindowTextLengthW
RemovePropW
GetPropW
SetPropW
ShowScrollBar
GetScrollRange
SetScrollRange
GetScrollPos
SetScrollPos
ScrollWindow
RedrawWindow
SetForegroundWindow
GetForegroundWindow
SetActiveWindow
TrackPopupMenu
SetMenu
GetMenu
GetCapture
SetFocus
GetDlgItem
IsIconic
EndDeferWindowPos
DeferWindowPos
BeginDeferWindowPos
SetWindowPlacement
GetWindowPlacement
SetWindowPos
DestroyWindow
IsChild
IsMenu
IsWindow
CreateWindowExW
GetClassInfoExW
GetClassInfoW
RegisterClassW
CallWindowProcW
DefWindowProcW
GetMessageTime
GetMessagePos
RegisterWindowMessageW
FillRect
GetSysColor
ScreenToClient
EndPaint
BeginPaint
ReleaseDC
GetWindowDC
GetDC
TabbedTextOutW
GrayStringW
EnableScrollBar
HideCaret
InvertRect
UnregisterClassW
FindWindowW
MessageBoxA
PostMessageW
PostQuitMessage
DrawTextExW
DrawTextW
InvalidateRect
UpdateWindow
KillTimer
SetTimer
RealChildWindowFromPoint
GetWindow
GetClassNameW
GetDesktopWindow
PtInRect
ClientToScreen
GetWindowRect
GetWindowTextW
SetWindowTextW
NotifyWinEvent
CreatePopupMenu
GetMenuDefaultItem
MapVirtualKeyW
GetKeyNameTextW
LoadMenuW
SetLayeredWindowAttributes
EnumDisplayMonitors
SetClassLongW
SetWindowRgn
SetParent
OpenClipboard
CloseClipboard
SetClipboardData
EmptyClipboard
DrawStateW
DrawEdge
DrawFrameControl
IsZoomed
GetSystemMenu
BringWindowToTop
SetCursorPos
CopyIcon
SendMessageW
GetFocus
CheckMenuItem
EnableMenuItem
SetMenuItemBitmaps
GetMenuCheckMarkDimensions
SetMenuItemInfoW
GetParent
LoadBitmapW
GetMessageW
TranslateMessage
DispatchMessageW
PeekMessageW
IsWindowVisible
GetActiveWindow
GetKeyState
ValidateRect
GetCursorPos
SetWindowsHookExW
CallNextHookEx
ShowOwnedPopups
SetCursor
EnableWindow
IsWindowEnabled
MessageBoxW
GetWindowLongW
GetWindowThreadProcessId
GetLastActivePopup
UnhookWindowsHookEx
GetMenuStringW
GetMenuState
GetSubMenu
ReuseDDElParam
GetMenuItemID
GetMenuItemCount
InsertMenuW
AppendMenuW
RemoveMenu
GetClientRect
CopyImage
SystemParametersInfoW
DeleteMenu
GetDlgCtrlID
GetComboBoxInfo
PostThreadMessageW
WaitMessage
GetKeyboardLayout
IsCharLowerW
MapVirtualKeyExW
ToUnicodeEx
GetKeyboardState
CreateAcceleratorTableW
DestroyAcceleratorTable
CopyAcceleratorTableW
SetRect
LockWindowUpdate
SetMenuDefaultItem
GetDoubleClickTime
ModifyMenuW
RegisterClipboardFormatW
CharUpperBuffW
IsClipboardFormatAvailable
GetUpdateRect
DrawMenuBar
DefFrameProcW
DefMDIChildProcW
TranslateMDISysAccel
SubtractRect
CreateMenu
GetWindowRgn
DestroyCursor
UnpackDDElParam
InsertMenuItemW
TranslateAcceleratorW
LoadAcceleratorsW
MonitorFromPoint
UpdateLayeredWindow
UnionRect
DrawIcon
FrameRect

gdi32

GetClipBox
GetObjectType
GetPixel
GetStockObject
GetViewportExtEx
GetWindowExtEx
IntersectClipRect
LineTo
PtVisible
RectVisible
RestoreDC
SaveDC
SelectClipRgn
ExtSelectClipRgn
SelectObject
SelectPalette
SetBkColor
SetBkMode
SetMapMode
SetLayout
GetLayout
SetPolyFillMode
SetROP2
SetTextColor
SetTextAlign
GetObjectW
MoveToEx
TextOutW
ExtTextOutW
SetViewportExtEx
SetViewportOrgEx
SetWindowExtEx
SetWindowOrgEx
OffsetViewportOrgEx
OffsetWindowOrgEx
ScaleViewportExtEx
ScaleWindowExtEx
CreateFontIndirectW
GetTextExtentPoint32W
CombineRgn
ExcludeClipRect
PatBlt
SetRectRgn
DPtoLP
GetTextMetricsW
EnumFontFamiliesExW
CreatePalette
GetNearestPaletteIndex
GetPaletteEntries
GetSystemPaletteEntries
RealizePalette
GetBkColor
CreateCompatibleBitmap
CreateDIBitmap
EnumFontFamiliesW
GetTextCharsetInfo
SetPixel
StretchBlt
CreateDIBSection
SetDIBColorTable
CreateEllipticRgn
Ellipse
GetTextColor
CreatePolygonRgn
Polygon
Polyline
CreateRoundRectRgn
LPtoDP
Rectangle
GetRgnBox
OffsetRgn
RoundRect
FillRgn
FrameRgn
GetBoundsRect
PtInRegion
ExtFloodFill
SetPaletteEntries
SetPixelV
GetWindowOrgEx
GetViewportOrgEx
GetTextFaceW
Escape
DeleteDC
CreateSolidBrush
CreateRectRgn
CreatePen
CreateHatchBrush
CreateCompatibleDC
BitBlt
DeleteObject
GetDeviceCaps
CreateDCW
CopyMetaFileW
CreateRectRgnIndirect
CreatePatternBrush
CreateBitmap

msimg32

TransparentBlt
AlphaBlend

winspool.drv

ClosePrinter
DocumentPropertiesW
OpenPrinterW

advapi32

RegEnumKeyExW
RegEnumValueW
RegQueryValueW
RegEnumKeyW
RegSetValueExW
RegDeleteValueW
RegDeleteKeyW
RegCreateKeyExW
RegQueryValueExW
RegOpenKeyExW
RegCloseKey

shell32

SHGetFileInfoW
ShellExecuteW
SHGetPathFromIDListW
SHGetSpecialFolderLocation
SHAppBarMessage
SHBrowseForFolderW
DragFinish
DragQueryFileW
SHGetDesktopFolder

shlwapi

PathRemoveFileSpecA
PathFindExtensionW
PathFindFileNameW
PathIsUNCW
PathStripToRootW
StrFormatKBSizeW
PathRemoveFileSpecW

uxtheme

GetCurrentThemeName
GetThemeSysColor
DrawThemeText
DrawThemeParentBackground
OpenThemeData
CloseThemeData
DrawThemeBackground
GetThemeColor
IsThemeBackgroundPartiallyTransparent
GetWindowTheme
IsAppThemed
GetThemePartSize

ole32

OleLockRunning
OleCreateMenuDescriptor
OleDestroyMenuDescriptor
OleTranslateAccelerator
IsAccelerator
RevokeDragDrop
RegisterDragDrop
CoLockObjectExternal
OleGetClipboard
DoDragDrop
CreateStreamOnHGlobal
CoInitializeEx
CoDisconnectObject
ReleaseStgMedium
OleDuplicateData
CoTaskMemFree
CoTaskMemAlloc
CoInitialize
CoCreateInstance
CoCreateGuid
CoUninitialize

oleaut32

VarBstrFromDate
VariantCopy
VariantTimeToSystemTime
SystemTimeToVariantTime
SysStringLen
LoadTypeLi
VariantChangeType
VariantClear
VariantInit
SysAllocStringLen
SysFreeString
SysAllocString

oleacc

LresultFromObject
AccessibleObjectFromWindow
CreateStdAccessibleObject

gdiplus

GdipSetInterpolationMode
GdipCreateFromHDC
GdipDrawImageRectI
GdipDrawImageI
GdipDeleteGraphics
GdipBitmapUnlockBits
GdipBitmapLockBits
GdipCreateBitmapFromScan0
GdipCreateBitmapFromStream
GdipGetImagePaletteSize
GdipGetImagePalette
GdipGetImagePixelFormat
GdipGetImageHeight
GdipGetImageWidth
GdipGetImageGraphicsContext
GdipDisposeImage
GdipCloneImage
GdiplusStartup
GdipFree
GdipAlloc
GdiplusShutdown
GdipCreateBitmapFromHBITMAP

imm32

ImmGetContext
ImmGetOpenStatus
ImmReleaseContext

winmm

PlaySoundW

Exports

Exports

XLSTAT4_InitParam
XLSTAT4_InitParamRemote
XLSTAT4_PrepareParam
XLSTAT4_StartOnlineStat
XLSTAT4_SyncSendAllStat
XLSTAT4_TrackClick
XLSTAT4_TrackEvent
XLSTAT4_TrackShow
XLSTAT4_Uninit
XLSTAT4_UninitAll
_XLSTAT4_SetUserID@8
_XLSTAT4_SetWorkMode@4
_XLSTAT4_UninitRemote@12

Sections

.text
Size: 1.4MB - Virtual size: 1.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 312KB - Virtual size: 312KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 21KB - Virtual size: 45KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.gfids
Size: 104KB - Virtual size: 104KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.giats
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 9B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 117KB - Virtual size: 116KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
ransomware_deployed/zlib1.dll
.dll windows:6 windows x86 arch:x86

4c12e7abbcf21eeec1fccd83c010ab05

Code Sign

04:00:00:00:00:01:2f:4e:e1:52:d7
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

13/04/2011, 10:00

Not After

28/01/2028, 12:00

Subject

CN=GlobalSign Timestamping CA - G2,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

11:21:d6:99:a7:64:97:3e:f1:f8:42:7e:e9:19:cc:53:41:14
Certificate

Issuer

CN=GlobalSign Timestamping CA - G2,O=GlobalSign nv-sa,C=BE

Not Before

24/05/2016, 00:00

Not After

24/06/2027, 00:00

Subject

CN=GlobalSign TSA for MS Authenticode - G2,O=GMO GlobalSign Pte Ltd,C=SG

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

19:1a:32:cb:75:9c:97:b8:cf:ac:11:8d:d5:12:7f:49
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

04/03/2014, 00:00

Not After

03/03/2024, 23:59

Subject

CN=Symantec Class 3 Extended Validation Code Signing CA - G2,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

48:71:dd:fd:2e:98:d4:c3:c9:fd:c2:c8:b4:52:c6:fc
Certificate

Issuer

CN=Symantec Class 3 Extended Validation Code Signing CA - G2,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Not Before

29/03/2018, 00:00

Not After

28/03/2020, 23:59

Subject

SERIALNUMBER=91440300746612636Q,CN=ShenZhen Thunder Networking Technologies Ltd.,OU=IT,O=ShenZhen Thunder Networking Technologies Ltd.,L=Shenzhen,ST=Guangdong,C=CN,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.1=#13085368656e5a68656e,1.3.6.1.4.1.311.60.2.1.2=#13084775616e446f6e67,1.3.6.1.4.1.311.60.2.1.3=#1302434e

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

c0:ac:a7:5f:32:dc:63:96:51:69:f0:29:b0:35:33:71:0b:b8:69:df
Signer

Actual PE Digest

c0:ac:a7:5f:32:dc:63:96:51:69:f0:29:b0:35:33:71:0b:b8:69:df

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

D:\work\xlca_3rd\zlib_15\Win32\Release\zlib.pdb

Imports

kernel32

ReadFile
WriteFile
CreateFileW
GetLastError
CreateFileA
CloseHandle
SetFilePointerEx
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetStartupInfoW
GetModuleHandleW
InterlockedPushEntrySList
InterlockedFlushSList
RtlUnwind
SetLastError
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
GetProcAddress
LoadLibraryExW
GetFileType
WideCharToMultiByte
ExitProcess
GetModuleHandleExW
GetModuleFileNameA
GetModuleFileNameW
MultiByteToWideChar
GetConsoleMode
ReadConsoleW
GetConsoleCP
HeapFree
HeapAlloc
SetStdHandle
GetStdHandle
SetEndOfFile
GetCurrentThread
GetACP
GetDateFormatW
GetTimeFormatW
CompareStringW
LCMapStringW
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
FindClose
FindFirstFileExA
FindFirstFileExW
FindNextFileA
FindNextFileW
IsValidCodePage
GetOEMCP
GetCPInfo
GetCommandLineA
GetCommandLineW
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableA
SetEnvironmentVariableW
GetProcessHeap
SetConsoleCtrlHandler
WriteConsoleW
GetStringTypeW
FlushFileBuffers
HeapSize
HeapReAlloc
OutputDebugStringA
OutputDebugStringW
WaitForSingleObjectEx
CreateThread
EncodePointer
DecodePointer
RaiseException

Exports

Exports

adler32
adler32_combine
compress
compress2
compressBound
crc32
crc32_combine
deflate
deflateBound
deflateCopy
deflateEnd
deflateInit2_
deflateInit_
deflateParams
deflatePending
deflatePrime
deflateReset
deflateResetKeep
deflateSetDictionary
deflateSetHeader
deflateTune
fill_win32_filefunc
fill_win32_filefunc64
fill_win32_filefunc64A
fill_win32_filefunc64W
get_crc_table
gzbuffer
gzclearerr
gzclose
gzclose_r
gzclose_w
gzdirect
gzdopen
gzeof
gzerror
gzflush
gzgetc
gzgetc_
gzgets
gzoffset
gzopen
gzopen_w
gzprintf
gzputc
gzputs
gzread
gzrewind
gzseek
gzsetparams
gztell
gzungetc
gzvprintf
gzwrite
inflate
inflateBack
inflateBackEnd
inflateBackInit_
inflateCopy
inflateEnd
inflateGetDictionary
inflateGetHeader
inflateInit2_
inflateInit_
inflateMark
inflatePrime
inflateReset
inflateReset2
inflateResetKeep
inflateSetDictionary
inflateSync
inflateSyncPoint
inflateUndermine
uncompress
unzClose
unzCloseCurrentFile
unzGetCurrentFileInfo
unzGetCurrentFileInfo64
unzGetCurrentFileZStreamPos64
unzGetFilePos
unzGetFilePos64
unzGetGlobalComment
unzGetGlobalInfo
unzGetGlobalInfo64
unzGetLocalExtrafield
unzGoToFilePos
unzGoToFilePos64
unzGoToFirstFile
unzGoToNextFile
unzLocateFile
unzOpen
unzOpen2
unzOpen2_64
unzOpen64
unzOpenCurrentFile
unzOpenCurrentFile2
unzOpenCurrentFile3
unzOpenCurrentFilePassword
unzReadCurrentFile
unzStringFileNameCompare
unzeof
unztell
unztell64
zError
zipClose
zipCloseFileInZip
zipCloseFileInZipRaw
zipCloseFileInZipRaw64
zipOpen
zipOpen2
zipOpen2_64
zipOpen64
zipOpenNewFileInZip
zipOpenNewFileInZip2
zipOpenNewFileInZip2_64
zipOpenNewFileInZip3
zipOpenNewFileInZip3_64
zipOpenNewFileInZip4_64
zipOpenNewFileInZip64
zipWriteInFileInZip
zlibCompileFlags
zlibVersion

Sections

.text
Size: 321KB - Virtual size: 321KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 54KB - Virtual size: 54KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.gfids
Size: 512B - Virtual size: 356B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

f776b0e992655d8e07b0f86cab404ffa

Code Sign

04:00:00:00:00:01:2f:4e:e1:52:d7Certificate

Key Usages

11:21:d6:99:a7:64:97:3e:f1:f8:42:7e:e9:19:cc:53:41:14Certificate

Extended Key Usages

Key Usages

19:1a:32:cb:75:9c:97:b8:cf:ac:11:8d:d5:12:7f:49Certificate

Extended Key Usages

Key Usages

48:71:dd:fd:2e:98:d4:c3:c9:fd:c2:c8:b4:52:c6:fcCertificate

Extended Key Usages

Key Usages

19:1a:32:cb:75:9c:97:b8:cf:ac:11:8d:d5:12:7f:49Certificate

Extended Key Usages

Key Usages

61:19:93:e4:00:00:00:00:00:1cCertificate

Key Usages

48:71:dd:fd:2e:98:d4:c3:c9:fd:c2:c8:b4:52:c6:fcCertificate

Extended Key Usages

Key Usages

0c:a7:cf:5d:07:07:24:ac:89:e7:9a:3aCertificate

Extended Key Usages

Key Usages

04:00:00:00:00:01:31:89:c6:50:04Certificate

Key Usages

00:ae:d8:30:b8:4c:b5:19:20:57:b2:42:a7:8e:92:41:f5:5b:c9:d3:bd:e2:1f:69:56:8f:6d:0f:59:23:49:6bSigner

d7:25:e0:38:89:7d:cd:74:13:f8:d7:27:a4:a5:c5:67:19:05:c3:3cSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

xlliveupdateagent

version

ws2_32

iphlpapi

kernel32

user32

advapi32

shell32

ole32

shlwapi

userenv

gdi32

oleaut32

imm32

comctl32

gdiplus

Exports

Exports

Sections

.text Size: 827KB - Virtual size: 827KB

.rdata Size: 166KB - Virtual size: 165KB

.data Size: 9KB - Virtual size: 23KB

.gfids Size: 1024B - Virtual size: 652B

.tls Size: 512B - Virtual size: 9B

.rsrc Size: 3.8MB - Virtual size: 3.8MB

.reloc Size: 42KB - Virtual size: 41KB

b3a54058d7d1d9961836432102b991bb

Code Sign

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:ddCertificate

Extended Key Usages

Key Usages

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15Certificate

Extended Key Usages

Key Usages

0d:ee:cc:f7:3f:05:11:35:54:88:70:d3:38:6e:4a:9cCertificate

Extended Key Usages

Key Usages

0f:a8:49:06:15:d7:00:a0:be:21:76:fd:c5:ec:6d:bdCertificate

Extended Key Usages

Key Usages

07:8b:b5:c7:e9:a7:cb:34:5e:78:d0:20:04:20:24:00Certificate

Extended Key Usages

04:00:00:00:00:01:2f:4e:e1:52:d7
Certificate

11:21:d6:99:a7:64:97:3e:f1:f8:42:7e:e9:19:cc:53:41:14
Certificate

19:1a:32:cb:75:9c:97:b8:cf:ac:11:8d:d5:12:7f:49
Certificate

48:71:dd:fd:2e:98:d4:c3:c9:fd:c2:c8:b4:52:c6:fc
Certificate

19:1a:32:cb:75:9c:97:b8:cf:ac:11:8d:d5:12:7f:49
Certificate

61:19:93:e4:00:00:00:00:00:1c
Certificate

48:71:dd:fd:2e:98:d4:c3:c9:fd:c2:c8:b4:52:c6:fc
Certificate

0c:a7:cf:5d:07:07:24:ac:89:e7:9a:3a
Certificate

04:00:00:00:00:01:31:89:c6:50:04
Certificate

00:ae:d8:30:b8:4c:b5:19:20:57:b2:42:a7:8e:92:41:f5:5b:c9:d3:bd:e2:1f:69:56:8f:6d:0f:59:23:49:6b
Signer

d7:25:e0:38:89:7d:cd:74:13:f8:d7:27:a4:a5:c5:67:19:05:c3:3c
Signer

.text
Size: 827KB - Virtual size: 827KB

.rdata
Size: 166KB - Virtual size: 165KB

.data
Size: 9KB - Virtual size: 23KB

.gfids
Size: 1024B - Virtual size: 652B

.tls
Size: 512B - Virtual size: 9B

.rsrc
Size: 3.8MB - Virtual size: 3.8MB

.reloc
Size: 42KB - Virtual size: 41KB

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

0d:ee:cc:f7:3f:05:11:35:54:88:70:d3:38:6e:4a:9c
Certificate

0f:a8:49:06:15:d7:00:a0:be:21:76:fd:c5:ec:6d:bd
Certificate

07:8b:b5:c7:e9:a7:cb:34:5e:78:d0:20:04:20:24:00
Certificate

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5c
Certificate

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

43:bb:ab:1e:a5:62:d1:77:09:32:9e:26:73:dd:ab:25:bc:9f:66:ac:a7:0c:d8:02:06:61:92:c8:a8:90:13:17
Signer

11:8e:c2:d6:ed:ad:07:8d:4d:e2:9c:23:85:a3:12:af:58:21:b7:b7
Signer

.text
Size: 723KB - Virtual size: 722KB

.rdata
Size: 150KB - Virtual size: 150KB

.data
Size: 10KB - Virtual size: 16KB

.gfids
Size: 2KB - Virtual size: 2KB

.tls
Size: 512B - Virtual size: 9B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 32KB - Virtual size: 31KB

04:00:00:00:00:01:2f:4e:e1:52:d7
Certificate

11:21:d6:99:a7:64:97:3e:f1:f8:42:7e:e9:19:cc:53:41:14
Certificate

19:1a:32:cb:75:9c:97:b8:cf:ac:11:8d:d5:12:7f:49
Certificate

48:71:dd:fd:2e:98:d4:c3:c9:fd:c2:c8:b4:52:c6:fc
Certificate

19:1a:32:cb:75:9c:97:b8:cf:ac:11:8d:d5:12:7f:49
Certificate

61:19:93:e4:00:00:00:00:00:1c
Certificate

48:71:dd:fd:2e:98:d4:c3:c9:fd:c2:c8:b4:52:c6:fc
Certificate

0c:a7:cf:5d:07:07:24:ac:89:e7:9a:3a
Certificate

04:00:00:00:00:01:31:89:c6:50:04
Certificate