NickEh30's Fortnite Funtime[.]rar

Sharing

Copy URL

Twitter E-mail

General

Target

NickEh30's Fortnite Funtime.rar
Size

1.4MB
MD5

db564c51c0b63d871eea03fe77f4897f
SHA1

aa8c8a531a587428f24c638558a6e1b459e4ed7d
SHA256

cb93ef8affa8e13b671190d1f8790aa08e0686097493d958e900659db2736841
SHA512

6d2d617262b77d909e223dbac9608d850b83938e4428fc23a2ebe80a0e9172bd5b559ed896ab8ec85ec5eb92d5b868b3c98f84f29da27aebe3421c4e41c88f40
SSDEEP

24576:3JFMFF7+sRS0KvIvdblDjs5aWm1NKPffhHz93DgTb9n1uKY9MMEk3mILmlMg:5FMDCsRS0KAvd5eRxfdVM9U9xX7Dg

Score

3^/10

Malware Config

Signatures

Unsigned PE 30 IoCs

Checks for missing Authenticode signature.

Processes:

resource
unpack001/2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe
unpack001/2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe
unpack001/2016-09-14-EITest-Rig-EK-payload-Bart-ransomware.exe
unpack001/2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe
unpack001/2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe
unpack001/2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe
unpack001/2016-09-27-Afraidgate-Rig-EK-payload-Locky-downloader.exe
unpack001/2016-09-28-EITest-Rig-EK-payload-CryptFile2-after-beyondrpoxy.com.exe
unpack001/2016-09-28-EITest-Rig-EK-payload-CryptFile2-after-orfab.com.exe
unpack001/2016-09-29-EITest-Rig-EK-payload-1st-run-CryptFile2.exe
unpack001/2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe
unpack001/2016-10-04-Afraidgate-Rig-EK-payload-Locky-downloader.exe
unpack001/2016-10-05-EITest-Rig-EK-payload-CryptFile2.exe
unpack001/2016-10-06-EITest-Rig-EK-payload-second-run-CryptFile2.exe
unpack001/2016-10-12-Afraidgate-Rig-EK-payload-locky-downloader.exe
unpack001/2016-10-14-Afraidgate-Rig-EK-payload-Locky-downloader.exe
unpack001/2016-10-18-EITest-Rig-EK-payload-CryptFile2.exe
unpack001/2016-10-23-Afraidgate-Rig-EK-payload-Locky-downloader.exe
unpack001/2016-10-28-EITest-Rig-EK-payload-first-run-CryptFile2.exe
unpack001/2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe
unpack001/2016-11-08-3rd-run-EITest-Rig-EK-payload-CryptFile2.exe
unpack001/2016-11-09-1st-run-EITest-Rig-EK-payload-CryptFile2.exe
unpack001/2016-11-15-2nd-run-Rig-standard-payload-CryptFile2.exe
unpack001/2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe
unpack001/2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe
unpack001/2017-03-15-EITest-Rig-EK-payload-Revenge-ransomware-5uhcwesi.exe
unpack001/2017-04-07-1st-run-EITest-HoeflerText-payload-Spora-ransomware.exe
unpack001/2017-04-07-2nd-run-EITest-HoeflerText-payload-Spora-ransomware.exe
unpack001/2017-04-07-3rd-run-EITest-HoeflerText-payload-Spora-ransomware.exe
unpack001/2018-01-28-Seamless-campaign-Rig-EK-payload-GandCrab-ransomware.exe

Files

NickEh30's Fortnite Funtime.rar
.rar
2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe
.exe windows:5 windows x86 arch:x86

914fcd6a41751e733bd47b99e22b1a84

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

CreateFileMappingA
SystemTimeToFileTime
WriteConsoleA
QueueUserAPC
GlobalAlloc
LockResource
GetConsoleMode
VirtualFree
GetLocalTime
CreateFileA
DosDateTimeToFileTime
SetEvent
LocalAlloc
lstrcmpiW
CompareStringA
EnumSystemLocalesA
OpenMutexA
WaitForSingleObject
GlobalMemoryStatus
Sleep
FatalAppExitA
SetLastError
GetFullPathNameA
UnhandledExceptionFilter
FoldStringW
WaitForMultipleObjects
GetVersion
TerminateThread
HeapCreate
IsDebuggerPresent
GetOverlappedResult
WriteProfileStringW
GetOEMCP
LocalReAlloc
LoadLibraryW
GetStringTypeA
LCMapStringW
MultiByteToWideChar
LCMapStringA
GetLocaleInfoA
HeapSize
RtlUnwind
HeapReAlloc
HeapAlloc
IsValidCodePage
GetACP
GetCPInfo
InitializeCriticalSectionAndSpinCount
EnterCriticalSection
LeaveCriticalSection
GetSystemTimeAsFileTime
GetTickCount
HeapFree
InterlockedDecrement
GetCurrentThreadId
InterlockedIncrement
TlsFree
TlsSetValue
TlsAlloc
TlsGetValue
DeleteCriticalSection
SetHandleCount
GetEnvironmentStringsW
WideCharToMultiByte
FreeEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsA
GetFileType
GetConsoleOutputCP
GetCommandLineW
QueryPerformanceCounter
GetCurrentProcessId
GlobalCompact
GetDateFormatW
GetModuleHandleW
FindResourceA
LoadLibraryA
SizeofResource
VirtualAlloc
RtlMoveMemory
GetModuleFileNameA
GetStdHandle
GetProcAddress
GetStringTypeW
GetLastError
WriteFile
ExitProcess
SetUnhandledExceptionFilter
GetCommandLineA
GetStartupInfoA
TerminateProcess
GetCurrentProcess

user32

GetClipboardData
SetCapture
SetDlgItemTextA
EnableMenuItem
SetTimer
LoadCursorW
LoadStringW
ReleaseDC
LoadIconA
PeekMessageA
LoadAcceleratorsA
TranslateAcceleratorA
DispatchMessageA
OffsetRect
IsWindow
MapWindowPoints
SendDlgItemMessageA
DefWindowProcW
SetMenuItemBitmaps
ShowWindow
SetDlgItemInt
GetDC
GetMessageA
GetProcessDefaultLayout
ScreenToClient
CharNextW
SetDlgItemTextW
IsIconic
GetWindowPlacement
PeekMessageW
GetDlgCtrlID
ReleaseCapture
SetWindowTextA
SetCursor
HideCaret
DrawTextExW
CharLowerW
GetMenuCheckMarkDimensions
DispatchMessageW
InvalidateRgn
IsDialogMessageA
IsDlgButtonChecked
GetForegroundWindow
DestroyMenu
AppendMenuA

gdi32

DeleteObject
GetTextMetricsA
GetObjectA
GetDeviceCaps
LPtoDP
ExtTextOutA
GetTextExtentPoint32W
SetWindowExtEx
StartDocA
GetTextExtentPoint32A
StartDocW
EnumFontsW
TextOutW

winspool.drv

OpenPrinterW

advapi32

RegOpenKeyExA
RegOpenKeyA

shell32

DragAcceptFiles
ShellAboutW

Sections

.text
Size: 25KB - Virtual size: 24KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 77KB - Virtual size: 76KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe
.exe windows:5 windows x86 arch:x86

0729733a67a4566b5a394839879cfee4

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

LCMapStringA
GetTimeZoneInformation
HeapFree
EnumSystemLocalesA
SetHandleCount
CreateFileMappingW
GetLocalTime
WriteProfileStringW
GetStringTypeW
CreateEventA
GetCurrentDirectoryA
ResetEvent
FormatMessageW
WaitForMultipleObjects
QueueUserAPC
GetCurrentThreadId
LocalFree
WriteFile
GlobalUnlock
SearchPathA
LocalLock
GetConsoleOutputCP
GetModuleHandleW
GetStringTypeA
MultiByteToWideChar
GetLocaleInfoA
HeapSize
RtlUnwind
HeapReAlloc
HeapAlloc
IsValidCodePage
GetOEMCP
GetCPInfo
InitializeCriticalSectionAndSpinCount
LocalUnlock
LockResource
LCMapStringW
GetACP
CloseHandle
GetCommandLineW
SetEndOfFile
UnmapViewOfFile
EnterCriticalSection
FindResourceA
SizeofResource
VirtualAlloc
RtlMoveMemory
LoadLibraryA
GetProcAddress
GetLastError
GetCommandLineA
GetStartupInfoA
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
Sleep
ExitProcess
GetStdHandle
GetModuleFileNameA
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStringsW
GetFileType
DeleteCriticalSection
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
InterlockedDecrement
HeapCreate
VirtualFree
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
LeaveCriticalSection

user32

FindWindowA
InflateRect
PostMessageW
IsZoomed
LoadBitmapA
IsWindow
IsIconic
SendMessageA
CheckDlgButton
CheckRadioButton
ShowWindow
PostQuitMessage
MessageBeep
GetDlgCtrlID
ScreenToClient
LoadAcceleratorsW
SendDlgItemMessageA
SetCursor
OffsetRect
UpdateWindow

gdi32

EndPage
StartPage
SetViewportExtEx
GetDeviceCaps
StartDocW
GetTextExtentPointA
TextOutW

winspool.drv

OpenPrinterW

advapi32

DeleteService
RegOpenKeyExA
RegQueryValueExA
OpenSCManagerA
AdjustTokenPrivileges
InitializeSecurityDescriptor
OpenProcessToken

Sections

.text
Size: 25KB - Virtual size: 24KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 78KB - Virtual size: 78KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
2016-09-14-EITest-Rig-EK-payload-Bart-ransomware.exe
.exe windows:4 windows x86 arch:x86

da7212e11f7a8d7ab5284841cd598d8e

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

crtdll

memset

kernel32

GetModuleHandleA
HeapCreate
VirtualProtect
HeapDestroy
ExitProcess
lstrlenA
GetProcAddress
HeapFree
HeapAlloc
QueryPerformanceFrequency
LoadLibraryA
FreeLibrary
GetCurrentThreadId
GetCurrentProcessId
FindClose
FindFirstFileA
GetLastError
FindNextFileA
HeapReAlloc
GetLogicalDriveStringsA

msvcrt

pow
fopen
malloc
free
fclose
exit
_iob
fprintf
sprintf
fwrite
fflush
ferror
memcpy
getenv
sscanf
strlen
strcpy
strncpy
strcat

user32

MessageBoxA
ShowCursor
InvalidateRect
ShowWindow
FillRect
BeginPaint
EndPaint
DefWindowProcA
LoadIconA
RegisterClassExA
CreateWindowExA
GetWindowThreadProcessId
IsWindowVisible
IsWindowEnabled
GetForegroundWindow
EnableWindow
EnumWindows

gdi32

GetStockObject
CreateSolidBrush
CreatePen
DeleteObject

comctl32

InitCommonControls

winmm

timeEndPeriod
mciSendCommandA

ole32

CoInitialize

Sections

.code
Size: 1024B - Virtual size: 1023B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.text
Size: 33KB - Virtual size: 32KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 86KB - Virtual size: 344KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe
.exe windows:5 windows x86 arch:x86

9cce92740c373d5298e74a9a61e76e52

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetLastError
GetProcAddress
LoadLibraryA
VirtualAlloc
LoadLibraryW
OpenJobObjectW
DefineDosDeviceW
GlobalAddAtomW
MoveFileExA
FindResourceA
QueryDosDeviceW
GetModuleHandleA
lstrcmpiW
GetACP
DebugSetProcessKillOnExit
GetHandleInformation
GetCommandLineA
GetStartupInfoA
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetModuleHandleW
Sleep
ExitProcess
WriteFile
GetStdHandle
GetModuleFileNameA
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStringsW
SetHandleCount
GetFileType
DeleteCriticalSection
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId
InterlockedDecrement
HeapCreate
VirtualFree
HeapFree
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSectionAndSpinCount
GetCPInfo
GetOEMCP
IsValidCodePage
HeapAlloc
HeapReAlloc
RtlUnwind
HeapSize
GetLocaleInfoA
LCMapStringA
MultiByteToWideChar
LCMapStringW
GetStringTypeA
GetStringTypeW

Sections

.text
Size: 25KB - Virtual size: 25KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 35KB - Virtual size: 35KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe
.exe windows:5 windows x86 arch:x86

7638178220a198ac0c8dde08f7814d51

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

lstrlenW
GetFileType
GetComputerNameA
GetConsoleOutputCP
GetEnvironmentVariableA
GetCommandLineA
HeapReAlloc
GetModuleFileNameA
lstrcpyA
CompareStringW
GetVersion
CreateEventA
HeapAlloc
FileTimeToSystemTime
GetProfileStringW
GlobalCompact
VirtualFree
CreateMutexA
CompareStringA
lstrcpyW
FoldStringW
LockResource
QueueUserAPC
GlobalSize
InitializeCriticalSection
CreateThread
LCMapStringA
DeleteFileA
GetEnvironmentStringsW
GetConsoleMode
SystemTimeToFileTime
SleepEx
ExitProcess
HeapDestroy
CreateFileMappingW
DosDateTimeToFileTime
LoadResource
GetLocaleInfoW
GlobalFree
WaitForMultipleObjects
GetStringTypeW
MoveFileExA
GetStringTypeA
LCMapStringW
MultiByteToWideChar
GetLocaleInfoA
HeapSize
RtlUnwind
IsValidCodePage
GetOEMCP
GetCPInfo
InitializeCriticalSectionAndSpinCount
EnterCriticalSection
LeaveCriticalSection
GetSystemTimeAsFileTime
GetCurrentProcessId
GetTickCount
QueryPerformanceCounter
HeapFree
HeapCreate
InterlockedDecrement
GetCurrentThreadId
SetLastError
InterlockedIncrement
TlsFree
TlsSetValue
TlsAlloc
TlsGetValue
DeleteCriticalSection
SearchPathA
ReadFile
GetModuleHandleW
GetHandleInformation
DebugSetProcessKillOnExit
GetACP
lstrcmpiW
GetModuleHandleA
QueryDosDeviceW
GetSystemTime
FindResourceA
SetHandleCount
WideCharToMultiByte
FreeEnvironmentStringsW
LoadLibraryA
GlobalAddAtomW
OpenJobObjectW
DefineDosDeviceW
LoadLibraryW
VirtualAlloc
LoadLibraryExA
GetProcAddress
GetLastError
GetEnvironmentStrings
FreeEnvironmentStringsA
GetStdHandle
WriteFile
GetStartupInfoA
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
Sleep

user32

CallWindowProcA
EndDialog
ReleaseDC
GetDlgItemTextW
GetWindowTextW
LoadCursorW
SetCapture
HideCaret
RegisterWindowMessageW
CharNextW
CheckMenuItem
ChildWindowFromPoint
FindWindowA
DeleteMenu
GetClientRect
TranslateAcceleratorA
EnableWindow
TrackPopupMenuEx
GetDesktopWindow
DefWindowProcA
GetDlgItem
CallWindowProcW
GetSubMenu
EndPaint
GetMenuItemCount
IsChild
SetMenu
GetDialogBaseUnits
KillTimer
OpenClipboard
IsIconic
GetProcessDefaultLayout
TranslateAcceleratorW
CloseClipboard
RegisterClassExW
SetWindowLongA
MsgWaitForMultipleObjects
InflateRect

gdi32

ExtTextOutA
StartDocA
AbortDoc
EndPage
GetTextExtentPoint32A
GetTextMetricsA
CreateCompatibleBitmap
CreateFontIndirectA
SetBkMode
GetObjectW

winspool.drv

GetPrinterDriverW
ClosePrinter

comdlg32

GetSaveFileNameA
ReplaceTextW
ChooseFontW

advapi32

RegCloseKey
OpenSCManagerA
AdjustTokenPrivileges
RegCreateKeyA
RegQueryValueExA

shell32

ShellExecuteExA
ShellAboutW
DragFinish

Sections

.text
Size: 25KB - Virtual size: 25KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 15KB - Virtual size: 15KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 35KB - Virtual size: 35KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe
.exe windows:5 windows x86 arch:x86

9ca09390d9611475fd91baf2b8fe01e4

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

SetHandleCount
IsValidLocale
MulDiv
TerminateThread
FormatMessageA
GetProcAddress
FreeLibrary
SetLastError
GetModuleHandleW
GetDateFormatW
GetTimeZoneInformation
VirtualFree
TlsGetValue
SetEnvironmentVariableA
TerminateProcess
DeleteCriticalSection
GetOEMCP
GetCurrentThreadId
SetUnhandledExceptionFilter
OpenMutexA
HeapDestroy
TlsAlloc
WriteFile
GetLastError
GetModuleHandleA
VirtualAlloc
LoadLibraryW
LoadLibraryA
FindResourceA
DebugSetProcessKillOnExit
GetACP
GetHandleInformation
QueryPerformanceCounter
HeapFree
GetStringTypeW
GetStringTypeA
LCMapStringW
MultiByteToWideChar
LCMapStringA
HeapSize
RtlUnwind
HeapReAlloc
HeapAlloc
IsValidCodePage
GetCPInfo
InitializeCriticalSectionAndSpinCount
EnterCriticalSection
LeaveCriticalSection
GetCurrentProcessId
GetTickCount
HeapCreate
InterlockedDecrement
InterlockedIncrement
TlsFree
TlsSetValue
GetFileType
GetEnvironmentStringsW
WideCharToMultiByte
FreeEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsA
GetModuleFileNameA
GetStdHandle
WaitForMultipleObjects
GetProfileStringW
GetLocaleInfoA
ResumeThread
ExitProcess
Sleep
IsDebuggerPresent
LocalSize
CompareStringW
FatalAppExitA
GetLocaleInfoW
QueryPerformanceFrequency
GetVersion
GetSystemTimeAsFileTime
GetUserDefaultUILanguage
DosDateTimeToFileTime
UnhandledExceptionFilter
GetCurrentProcess
GetCommandLineA
GetStartupInfoA

user32

GetDialogBaseUnits
SetActiveWindow
DefWindowProcA
GetDlgItem
LoadMenuW
CheckDlgButton
OpenClipboard
GetSysColorBrush
ScreenToClient
MsgWaitForMultipleObjects
LoadAcceleratorsA
TranslateMessage
PostQuitMessage
ReleaseCapture
BeginPaint
LoadIconA
CharNextA
LoadBitmapA
PostMessageA
SetWindowTextW
SetWindowTextA
TranslateAcceleratorA
DeleteMenu
UnhookWinEvent
SetDlgItemInt
DestroyMenu
IsDialogMessageW
IsDialogMessageA
DrawTextW
PostMessageW
LoadImageW
SetForegroundWindow
GetWindowThreadProcessId
InsertMenuItemA
GetSysColor
IsClipboardFormatAvailable

gdi32

CreateCompatibleDC
ExtTextOutA
AbortDoc
GetTextMetricsA

winspool.drv

OpenPrinterW
ClosePrinter

comdlg32

FindTextA

advapi32

RegOpenKeyA
InitializeSecurityDescriptor
OpenSCManagerA
DeleteService
RegDeleteKeyA
StartServiceA
CreateServiceA

shell32

DragFinish

Sections

.text
Size: 25KB - Virtual size: 25KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 34KB - Virtual size: 34KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
2016-09-27-Afraidgate-Rig-EK-payload-Locky-downloader.exe
.exe windows:4 windows x86 arch:x86

549976dd4ec7f4eda0e096db6476ab4f

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

msvcrt

memset
strncpy
strlen
strcpy
strcat
memcpy

kernel32

GetModuleHandleA
HeapCreate
VirtualProtect
VirtualUnlock
HeapDestroy
ExitProcess
FreeEnvironmentStringsA
SetUnhandledExceptionFilter
SetProcessWorkingSetSize
HeapLock
LoadLibraryA
GetProcAddress
FreeLibrary
HeapFree
HeapAlloc
CloseHandle
CreateFileA
SetFilePointer
SetEndOfFile
WriteFile
GlobalLock
GlobalUnlock
HeapReAlloc
GetLogicalDriveStringsA

user32

GetSysColor
SystemParametersInfoA
LoadMenuA
WindowFromDC
DdeImpersonateClient
GetMenuItemCount
DdeDisconnectList
UnhookWindowsHookEx
ClipCursor
GetKBCodePage
RemoveMenu
SetWindowTextA
MsgWaitForMultipleObjects
CheckMenuItem
OpenClipboard
GetClipboardData
CloseClipboard

comdlg32

PrintDlgA

advapi32

SetThreadToken

comctl32

InitCommonControlsEx

ole32

CoInitialize

winmm

waveOutMessage
DefDriverProc
midiDisconnect
waveInGetErrorTextA
mciSendCommandA

shell32

DragQueryFileA

version

VerInstallFileA

Sections

.code
Size: 21KB - Virtual size: 20KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.text
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 512B - Virtual size: 48B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 16KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
2016-09-28-EITest-Rig-EK-payload-CryptFile2-after-beyondrpoxy.com.exe
.exe windows:5 windows x86 arch:x86

60f7e3b8fbd271a6135f8fa5ad26e33b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

WaitForSingleObject
DosDateTimeToFileTime
GetSystemTime
GetVersion
FlushFileBuffers
GetACP
GetStdHandle
lstrlenW
CreateFileMappingA
UnhandledExceptionFilter
GetConsoleCP
QueryPerformanceCounter
lstrcmpiW
TlsGetValue
SleepEx
GetLastError
GetModuleHandleW
GetProcAddress
VirtualAlloc
LoadLibraryExW
LoadLibraryA
GetDateFormatA
CreateThread
GetStringTypeW
GetStringTypeA
LCMapStringW
MultiByteToWideChar
LCMapStringA
GetLocaleInfoA
HeapSize
RtlUnwind
HeapReAlloc
HeapAlloc
IsValidCodePage
GetOEMCP
GetModuleHandleA
TlsSetValue
GetDateFormatW
lstrcatA
GetEnvironmentStringsW
DeleteFileW
LoadLibraryW
GetCurrentProcess
GetCPInfo
GetModuleFileNameA
ExpandEnvironmentStringsA
GlobalSize
DeviceIoControl
LockResource
lstrcpynA
ExitProcess
FindResourceA
SystemTimeToFileTime
InitializeCriticalSectionAndSpinCount
GetCommandLineA
GetStartupInfoA
TerminateProcess
SetUnhandledExceptionFilter
IsDebuggerPresent
Sleep
WriteFile
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
WideCharToMultiByte
SetHandleCount
GetFileType
DeleteCriticalSection
TlsAlloc
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId
InterlockedDecrement
HeapCreate
VirtualFree
HeapFree
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
LeaveCriticalSection
EnterCriticalSection

user32

DispatchMessageA
FindWindowA
EndDialog
GetMessageA
GetDC
GetWindowRect
IsZoomed
SetWindowLongW
CharLowerW
TranslateMessage
ReleaseDC
GetSystemMenu
GetDlgCtrlID
CheckMenuRadioItem
IsDialogMessageW
SendMessageA
GetMenuState
DefWindowProcW
InvalidateRgn

gdi32

DeleteObject
CreateDCW
CreateCompatibleDC
GetTextMetricsW
SetBkMode
EndDoc
GetTextExtentPoint32W

winspool.drv

GetPrinterDriverW

comdlg32

ReplaceTextW

advapi32

DeleteService
LookupPrivilegeValueA
RegCloseKey
OpenSCManagerA
RegQueryValueExA
AdjustTokenPrivileges

shell32

ShellExecuteExA

Sections

.text
Size: 31KB - Virtual size: 30KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 41KB - Virtual size: 40KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
2016-09-28-EITest-Rig-EK-payload-CryptFile2-after-orfab.com.exe
.exe windows:5 windows x86 arch:x86

60f7e3b8fbd271a6135f8fa5ad26e33b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

WaitForSingleObject
DosDateTimeToFileTime
GetSystemTime
GetVersion
FlushFileBuffers
GetACP
GetStdHandle
lstrlenW
CreateFileMappingA
UnhandledExceptionFilter
GetConsoleCP
QueryPerformanceCounter
lstrcmpiW
TlsGetValue
SleepEx
GetLastError
GetModuleHandleW
GetProcAddress
VirtualAlloc
LoadLibraryExW
LoadLibraryA
GetDateFormatA
CreateThread
GetStringTypeW
GetStringTypeA
LCMapStringW
MultiByteToWideChar
LCMapStringA
GetLocaleInfoA
HeapSize
RtlUnwind
HeapReAlloc
HeapAlloc
IsValidCodePage
GetOEMCP
GetModuleHandleA
TlsSetValue
GetDateFormatW
lstrcatA
GetEnvironmentStringsW
DeleteFileW
LoadLibraryW
GetCurrentProcess
GetCPInfo
GetModuleFileNameA
ExpandEnvironmentStringsA
GlobalSize
DeviceIoControl
LockResource
lstrcpynA
ExitProcess
FindResourceA
SystemTimeToFileTime
InitializeCriticalSectionAndSpinCount
GetCommandLineA
GetStartupInfoA
TerminateProcess
SetUnhandledExceptionFilter
IsDebuggerPresent
Sleep
WriteFile
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
WideCharToMultiByte
SetHandleCount
GetFileType
DeleteCriticalSection
TlsAlloc
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId
InterlockedDecrement
HeapCreate
VirtualFree
HeapFree
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
LeaveCriticalSection
EnterCriticalSection

user32

DispatchMessageA
FindWindowA
EndDialog
GetMessageA
GetDC
GetWindowRect
IsZoomed
SetWindowLongW
CharLowerW
TranslateMessage
ReleaseDC
GetSystemMenu
GetDlgCtrlID
CheckMenuRadioItem
IsDialogMessageW
SendMessageA
GetMenuState
DefWindowProcW
InvalidateRgn

gdi32

DeleteObject
CreateDCW
CreateCompatibleDC
GetTextMetricsW
SetBkMode
EndDoc
GetTextExtentPoint32W

winspool.drv

GetPrinterDriverW

comdlg32

ReplaceTextW

advapi32

DeleteService
LookupPrivilegeValueA
RegCloseKey
OpenSCManagerA
RegQueryValueExA
AdjustTokenPrivileges

shell32

ShellExecuteExA

Sections

.text
Size: 31KB - Virtual size: 30KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 41KB - Virtual size: 40KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
2016-09-29-EITest-Rig-EK-payload-1st-run-CryptFile2.exe
.exe windows:5 windows x86 arch:x86

446929f4f2ccd8fd9d7d8422b1aefa3f

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetACP
GetStdHandle
GetConsoleCP
TlsGetValue
SleepEx
GetLastError
GetModuleHandleW
GetProcAddress
GetModuleHandleA
VirtualAlloc
LoadLibraryExW
LoadLibraryA
LoadLibraryW
FlushFileBuffers
DeviceIoControl
GetStringTypeW
GetStringTypeA
LCMapStringW
MultiByteToWideChar
LCMapStringA
GetVersion
GetSystemTime
DosDateTimeToFileTime
lstrcatA
GetEnvironmentStringsW
FindResourceA
DeleteFileW
GetLocaleInfoA
lstrcpynA
LockResource
ExitProcess
SystemTimeToFileTime
GetCommandLineA
GetStartupInfoA
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
Sleep
WriteFile
GetModuleFileNameA
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
WideCharToMultiByte
SetHandleCount
GetFileType
DeleteCriticalSection
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId
InterlockedDecrement
HeapCreate
VirtualFree
HeapFree
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSectionAndSpinCount
GetCPInfo
GetOEMCP
IsValidCodePage
HeapAlloc
HeapReAlloc
RtlUnwind
HeapSize

user32

DispatchMessageA
FindWindowA
EndDialog
GetMessageA
GetDC
GetWindowRect
CharLowerW
ReleaseDC
GetSystemMenu
GetDlgCtrlID
SendMessageA
GetMenuState

gdi32

DeleteObject
CreateDCW
GetTextMetricsW
SetBkMode
EndDoc
GetTextExtentPoint32W

winspool.drv

GetPrinterDriverW

comdlg32

ReplaceTextW

advapi32

RegQueryValueExA
OpenSCManagerA

Sections

.text
Size: 31KB - Virtual size: 30KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 40KB - Virtual size: 39KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe
.exe windows:5 windows x86 arch:x86

73d7769f1db7d0b7ac12fc2c1de86c5d

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

MapViewOfFile
InitializeCriticalSection
GetSystemTimeAsFileTime
LocalSize
IsValidLocale
lstrcpynA
GetProfileStringW
GetDateFormatA
GetConsoleMode
FreeEnvironmentStringsW
CreateFileMappingA
QueueUserAPC
GetProfileIntW
GetModuleFileNameA
GetCurrentThreadId
WaitForSingleObject
GlobalCompact
DeviceIoControl
GlobalLock
LoadResource
UnhandledExceptionFilter
FindFirstFileW
GetModuleHandleW
CreateEventW
TerminateProcess
IsValidCodePage
FreeLibrary
SearchPathA
GetLastError
GetProcAddress
GetModuleHandleA
LoadLibraryExW
LoadLibraryA
LoadLibraryW
FindResourceA
GetStringTypeA
HeapSize
MultiByteToWideChar
LCMapStringA
GetLocaleInfoA
CreateFileW
RtlUnwind
HeapReAlloc
HeapAlloc
GetACP
GetCPInfo
InitializeCriticalSectionAndSpinCount
EnterCriticalSection
LeaveCriticalSection
GetCurrentProcessId
QueryPerformanceCounter
HeapFree
VirtualFree
HeapCreate
InterlockedDecrement
SetLastError
InterlockedIncrement
TlsFree
TlsSetValue
TlsGetValue
DeleteCriticalSection
GetFileType
SetHandleCount
GetEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStrings
FreeEnvironmentStringsA
WriteFile
ExitProcess
Sleep
SetUnhandledExceptionFilter
GetCurrentProcess
GetStartupInfoA
GetCommandLineA
DeleteFileW
VirtualAlloc
GetConsoleOutputCP
WriteConsoleA
GetOEMCP
SetStdHandle
SetEvent
GetFullPathNameA
TlsAlloc
OpenMutexA
CreateFileA
GetFileAttributesW
WriteConsoleW
DeleteFileA
GetLocalTime
GetVersion
GlobalSize
GetTickCount
GetEnvironmentVariableA
GetStdHandle
IsDebuggerPresent
UnmapViewOfFile
GetStringTypeW
LCMapStringW
lstrcmpiW

user32

SetWindowTextW
SetCursor
DeleteMenu
InvalidateRect
IsWindow
GetClientRect
InvalidateRgn
RegisterClassA
PostMessageA
GetWindowPlacement
SetWindowLongA
SetMenuItemBitmaps
TrackPopupMenuEx
WinHelpW
SetScrollPos
CheckDlgButton
GetDC
IsChild
EnableMenuItem
MessageBeep
GetDialogBaseUnits
DefWindowProcA
GetWindowRect
MessageBoxA
SetCapture
MoveWindow
RegisterWindowMessageW
DefWindowProcW
SetClipboardData
GetCursorPos
KillTimer
IsDialogMessageA
PeekMessageW
BeginPaint
LoadCursorA
GetSysColor
GetDlgItemTextA
TranslateMessage
SetDlgItemInt
SendDlgItemMessageA
LoadAcceleratorsW
DispatchMessageA
EndDialog
AppendMenuA
PostQuitMessage
LoadMenuW
GetDlgItemTextW
LoadStringW
IsDlgButtonChecked
DrawTextExW
MessageBoxW
OffsetRect
GetSysColorBrush
CreateDialogParamA
InflateRect
IsIconic
IsClipboardFormatAvailable
SetWindowTextA

gdi32

EndDoc
CreateFontIndirectW
DeleteObject
EnumFontsW
GetTextMetricsA
SetBkColor
ExtTextOutA
SetBkMode
GetTextFaceW
GetObjectW
CreateFontIndirectA
GetDeviceCaps
CreateCompatibleDC
SetMapMode

winspool.drv

OpenPrinterW
GetPrinterDriverW

advapi32

RegDeleteKeyA
RegOpenKeyExA
StartServiceA
RegQueryValueExA
RegCreateKeyA
DeleteService
ControlService
CloseServiceHandle
RegSetValueExA
QueryServiceStatus

shell32

Shell_NotifyIconA
DragFinish

Sections

.text
Size: 31KB - Virtual size: 31KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 49KB - Virtual size: 48KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
2016-10-04-Afraidgate-Rig-EK-payload-Locky-downloader.exe
.exe windows:4 windows x86 arch:x86

eadb99527332f2bc7e9fd730aad84b65

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

msvcrt

memset
strcmp
memmove
strlen
strncpy
malloc
free

kernel32

GetModuleHandleA
HeapCreate
VirtualProtectEx
LocalUnlock
VirtualUnlock
HeapDestroy
ExitProcess
LocalCompact
CloseHandle
InitializeCriticalSection
GetModuleFileNameA
FreeLibrary
HeapFree
WriteFile
HeapReAlloc
HeapAlloc
GetLogicalDriveStringsA

winspool.drv

PrinterProperties

user32

MessageBeep
SendMessageA
MessageBoxA
IsWindowEnabled
GetClassWord

winmm

PlaySoundA
mciSendCommandA

Sections

.code
Size: 40KB - Virtual size: 39KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.text
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 512B - Virtual size: 6B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 15KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 504B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
2016-10-05-EITest-Rig-EK-payload-CryptFile2.exe
.exe windows:5 windows x86 arch:x86

d19768864018637b12bfc8bdc8bd773f

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

DebugSetProcessKillOnExit
GetACP
GetHandleInformation
GetModuleHandleW
GetCurrentThread
HeapAlloc
lstrcmpW
FindResourceW
CompareStringW
GlobalUnlock
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetCurrentProcess
IsDebuggerPresent
TerminateProcess
LoadLibraryW
LoadLibraryA
LoadLibraryExW
VirtualAlloc
GetModuleHandleA
GetProcAddress
ResumeThread
GetLastError

user32

MoveWindow
SetClipboardData
TrackPopupMenu
LoadIconW
GetMessageA
GetCursorPos
ScreenToClient

gdi32

TextOutW
LPtoDP
SetMapMode
AbortDoc

winspool.drv

OpenPrinterA

advapi32

DeleteService
CreateServiceA

shell32

ShellAboutW
DragFinish

Sections

.text
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 936B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 77KB - Virtual size: 76KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 936B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
2016-10-06-EITest-Rig-EK-payload-second-run-CryptFile2.exe
.exe windows:5 windows x86 arch:x86

e93eee8addb97e3f69b41761789e04d7

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

SetLastError
Sleep
HeapCreate
IsBadStringPtrA
GetLastError
GetModuleHandleA
VirtualAlloc
LoadLibraryExW
EraseTape
GlobalAlloc
SizeofResource
LoadLibraryA
LoadLibraryW
lstrcmpiW
GetACP
GetHandleInformation
GetModuleHandleW
GetStringTypeW
FindFirstFileA
GetProcAddress
ResumeThread
GetProcessHeap
FindResourceW
WaitForSingleObject
GetStringTypeA
LCMapStringW
MultiByteToWideChar
GetCommandLineA
GetStartupInfoA
SetUnhandledExceptionFilter
ExitProcess
WriteFile
GetStdHandle
GetModuleFileNameA
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStringsW
SetHandleCount
GetFileType
DeleteCriticalSection
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
GetCurrentThreadId
InterlockedDecrement
VirtualFree
HeapFree
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
LeaveCriticalSection
EnterCriticalSection
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
IsDebuggerPresent
InitializeCriticalSectionAndSpinCount
GetCPInfo
GetOEMCP
IsValidCodePage
HeapAlloc
HeapReAlloc
RtlUnwind
HeapSize
GetLocaleInfoA
LCMapStringA

user32

LoadAcceleratorsA
CallWindowProcA
GetCursorPos
RegisterWindowMessageA
DialogBoxParamW
DrawTextA

winspool.drv

ClosePrinter

comdlg32

GetSaveFileNameA

advapi32

IsTextUnicode
RegDeleteValueA
RegQueryValueExA

shell32

DragFinish
CommandLineToArgvW

Sections

.text
Size: 28KB - Virtual size: 27KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 32KB - Virtual size: 31KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
2016-10-12-Afraidgate-Rig-EK-payload-locky-downloader.exe
.exe windows:4 windows x86 arch:x86

bee835775cc753b61820d3958e3df32f

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

msvcrt

memset
strcmp
memmove
strlen
strncpy

kernel32

GetModuleHandleA
HeapCreate
VirtualProtectEx
VirtualProtect
LocalUnlock
HeapDestroy
ExitProcess
CloseHandle
InitializeCriticalSection
GetModuleFileNameA
HeapReAlloc
HeapAlloc
HeapFree

winspool.drv

PrinterProperties

user32

MessageBeep
SendMessageA
GetClassLongA
DdeKeepStringHandle
KillTimer

shell32

ExtractAssociatedIconA
ShellAboutA

Sections

.code
Size: 38KB - Virtual size: 37KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.text
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 512B - Virtual size: 5B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 15KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 508B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
2016-10-14-Afraidgate-Rig-EK-payload-Locky-downloader.exe
.exe windows:4 windows x86 arch:x86

212d88e869f6be02ade64ac20a861935

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

msvcrt

memset
memcpy
strncpy
strcmp
memmove
strlen

kernel32

GetModuleHandleA
HeapCreate
VirtualProtectEx
VirtualProtect
LocalUnlock
HeapDestroy
ExitProcess
GlobalAlloc
OpenProcess
CloseHandle
GlobalFree
FreeLibrary
HeapFree
LoadLibraryA
GetProcAddress
HeapAlloc
EnterCriticalSection
WaitForSingleObject
LeaveCriticalSection
InitializeCriticalSection
GetModuleFileNameA
HeapReAlloc

winspool.drv

PrinterProperties

user32

MessageBeep
SendMessageA
MessageBoxA
DeleteMenu
ArrangeIconicWindows
DdeAccessData
ShowCaret
GetClassWord

comctl32

InitCommonControlsEx

ole32

CoInitialize

Sections

.code
Size: 35KB - Virtual size: 34KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.text
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 512B - Virtual size: 9B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 16KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
2016-10-18-EITest-Rig-EK-payload-CryptFile2.exe
.exe windows:5 windows x86 arch:x86

9cd4b99dd305d0d92c3014d32b56d022

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

UnhandledExceptionFilter
Sleep
HeapCreate
FileTimeToSystemTime
lstrcmpiW
FindFirstFileA
lstrcpynW
IsValidLocale
GlobalMemoryStatus
GetStdHandle
OutputDebugStringA
DeviceIoControl
GetProcAddress
VirtualAlloc
GetACP
LoadLibraryExW
DecodePointer
EraseTape
HeapDestroy
VirtualLock
GetModuleHandleA
LocalReAlloc
WriteConsoleA
GetStringTypeA
DeleteAtom
LoadLibraryA
LoadResource
OpenEventA
lstrcpyA
FindResourceA
GetModuleHandleW
GetStringTypeW
LCMapStringW
MultiByteToWideChar
LCMapStringA
GetLocaleInfoA
lstrcatW
lstrcpyW
FreeResource
GetProfileIntW
SetHandleCount
SetLastError
TlsGetValue
IsBadStringPtrW
DeleteFileA
GlobalAlloc
HeapSize
GetCommandLineA
GetStartupInfoA
SetUnhandledExceptionFilter
ExitProcess
WriteFile
GetModuleFileNameA
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
WideCharToMultiByte
GetLastError
GetEnvironmentStringsW
GetFileType
DeleteCriticalSection
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
GetCurrentThreadId
InterlockedDecrement
VirtualFree
HeapFree
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
LeaveCriticalSection
EnterCriticalSection
TerminateProcess
GetCurrentProcess
IsDebuggerPresent
InitializeCriticalSectionAndSpinCount
GetCPInfo
GetOEMCP
IsValidCodePage
HeapAlloc
HeapReAlloc
RtlUnwind

user32

RegisterWindowMessageW
CreateDialogParamW
wsprintfW
DialogBoxParamW
GetSubMenu
GetWindowThreadProcessId
TrackPopupMenu
SetWindowPos
LoadImageW
RegisterClassA
SetScrollPos

gdi32

SetBkMode

comdlg32

GetSaveFileNameA

advapi32

CreateServiceA
CloseServiceHandle
ControlService
OpenSCManagerA
RegDeleteValueW

shell32

DragFinish

Sections

.text
Size: 26KB - Virtual size: 25KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 32KB - Virtual size: 31KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
2016-10-23-Afraidgate-Rig-EK-payload-Locky-downloader.exe
.exe windows:4 windows x86 arch:x86

a069e61b0b3dd32f55813a4e7ef13ece

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

msvcrt

memset
memcpy
strstr
strlen
strcpy
strcat
strncpy

kernel32

GetModuleHandleA
HeapCreate
VirtualProtectEx
VirtualProtect
LocalReAlloc
VirtualLock
GlobalLock
HeapDestroy
ExitProcess
LoadLibraryA
LocalCompact
GetProcessHeaps
GlobalCompact
EnumResourceTypesA
GlobalAlloc
GlobalFree
GlobalUnlock
FreeLibrary
HeapFree
GetProcAddress
HeapAlloc
GetCurrentThreadId
GetCurrentProcessId
CloseHandle
InitializeCriticalSection
GetEnvironmentVariableA
SetEnvironmentVariableA
GetCurrentProcess
DuplicateHandle
CreatePipe
GetStdHandle
CreateProcessA
WaitForSingleObject
EnterCriticalSection
LeaveCriticalSection
GetDriveTypeA
FindFirstFileA
FindClose
GetFileAttributesA
WriteFile
CreateFileA
SetFilePointer
HeapReAlloc
DeleteCriticalSection
Sleep

user32

SendMessageA
MessageBoxA
EnumWindows
GetWindowTextA
DdeFreeDataHandle
MapWindowPoints
CharLowerA
GetWindowThreadProcessId
IsWindowVisible
GetWindowLongA
GetForegroundWindow
IsWindowEnabled
EnableWindow
SetWindowPos

comdlg32

PrintDlgA

comctl32

InitCommonControlsEx

ole32

CoInitialize

shell32

ShellExecuteExA

Sections

.code
Size: 44KB - Virtual size: 43KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.text
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 512B - Virtual size: 65B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 34KB - Virtual size: 34KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
2016-10-28-EITest-Rig-EK-payload-first-run-CryptFile2.exe
.exe windows:5 windows x86 arch:x86

58f903234a4a141f90c3139fba6f2055

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

FileTimeToSystemTime
GetSystemDirectoryA
LCMapStringA
FlushFileBuffers
WriteFile
GetUserDefaultUILanguage
GetCPInfo
LCMapStringW
GetCurrentProcess
lstrcmpW
GlobalReAlloc
GetFileAttributesW
GetConsoleOutputCP
lstrcpynW
VirtualAlloc
GetLocaleInfoA
SearchPathA
IsDebuggerPresent
LocalSize
HeapSize
CompareStringW
SetUnhandledExceptionFilter
GetCommandLineW
GetEnvironmentStrings
FreeEnvironmentStringsA
HeapDestroy
CreateFileMappingA
SetEnvironmentVariableA
TlsFree
FindFirstFileW
WriteConsoleA
GetStartupInfoA
RaiseException
IsValidCodePage
WaitForMultipleObjects
InitializeCriticalSection
GetTimeZoneInformation
LocalUnlock
GetModuleHandleA
TlsAlloc
GetFileInformationByHandle
FreeEnvironmentStringsW
GetModuleFileNameA
CreateEventW
GlobalLock
Sleep
GlobalAlloc
LoadLibraryW
GetHandleInformation
SetEvent
GetStringTypeW
GetStringTypeA
MultiByteToWideChar
RtlUnwind
HeapReAlloc
HeapAlloc
GetOEMCP
InitializeCriticalSectionAndSpinCount
LoadLibraryA
UnhandledExceptionFilter
TerminateProcess
EnterCriticalSection
LeaveCriticalSection
GetSystemTimeAsFileTime
GetTickCount
QueryPerformanceCounter
HeapFree
VirtualFree
HeapCreate
InterlockedDecrement
GetCurrentThreadId
SetLastError
InterlockedIncrement
TlsSetValue
TlsGetValue
DeleteCriticalSection
GetFileType
SetHandleCount
GetEnvironmentStringsW
WideCharToMultiByte
GetStdHandle
ExitProcess
GetModuleHandleW
GetCommandLineA
GetCurrentActCtx
DebugSetProcessKillOnExit
GlobalUnlock
OpenMutexA
DeleteFileW
CreateFileA
GetCommConfig
DisableThreadLibraryCalls
GetLastError
GlobalDeleteAtom
FindAtomA
DefineDosDeviceW
LoadLibraryExA
DeviceIoControl
EraseTape
CreateMutexA
GetCurrentProcessId
GetProcAddress
DecodePointer
FindResourceW
GetACP

user32

LoadIconW
GetMenuState
SetFocus
BeginPaint
GetWindowRect
GetSubMenu
GetDlgCtrlID
SetWindowPos
ScreenToClient
InsertMenuItemA
MsgWaitForMultipleObjects
CheckMenuItem
TranslateMessage
LoadStringW
UpdateWindow
DrawTextA
DispatchMessageA
CheckDlgButton
TranslateAcceleratorA
DestroyMenu
GetMessageA
RegisterWindowMessageA
IsZoomed
GetDlgItemTextA
TrackPopupMenu
SetMenu
SetWinEventHook
SendMessageA
CheckMenuRadioItem
OpenClipboard
SetWindowPlacement
InflateRect
SetActiveWindow
GetDlgItemTextW
WinHelpW
LoadStringA
CharNextW
ChildWindowFromPoint
DrawFocusRect
MessageBoxA
SendMessageW
GetWindowThreadProcessId
InvalidateRgn
GetCursorPos
SetCursorPos
FindWindowA
GetSystemMenu

gdi32

ExtTextOutA
SetViewportExtEx
CreateFontIndirectA
SelectObject
AbortDoc
LPtoDP
GetTextExtentPointA
StartDocA
CreateSolidBrush

comdlg32

GetFileTitleW

advapi32

InitializeSecurityDescriptor
IsTextUnicode
RegDeleteValueA
DeleteService
RegQueryValueExW
OpenProcessToken
RegCreateKeyW
RegOpenKeyA

shell32

ShellAboutW
Shell_NotifyIconA
DragFinish

Sections

.text
Size: 26KB - Virtual size: 26KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 42KB - Virtual size: 41KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe
.exe windows:5 windows x86 arch:x86

db703adfb7cc4e49c32b83276e4f8f98

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

SetEvent
FindFirstFileW
IsDebuggerPresent
Sleep
QueryPerformanceCounter
FreeEnvironmentStringsA
lstrcpyA
SetStdHandle
GetProcessHeap
MulDiv
SetConsoleCtrlHandler
InitializeCriticalSectionAndSpinCount
SetEndOfFile
GetVersion
LocalUnlock
GetSystemDirectoryA
ExitThread
GetDateFormatW
DeleteCriticalSection
GetTimeZoneInformation
ReadFile
GetFileAttributesW
LocalReAlloc
VirtualFree
WriteProfileStringW
SetHandleCount
LocalFree
GlobalAlloc
WaitForMultipleObjects
DeleteFileA
LoadLibraryA
GetFileSize
EnumSystemLocalesA
CreateFileA
SetEnvironmentVariableA
HeapReAlloc
LocalLock
HeapDestroy
GetModuleFileNameA
LocalAlloc
FileTimeToSystemTime
GetCommandLineA
HeapFree
WideCharToMultiByte
GetLocaleInfoW
LCMapStringW
FreeLibrary
GetModuleHandleA
SizeofResource
GetFileType
SetUnhandledExceptionFilter
GetDateFormatA
ResetEvent
GetEnvironmentStrings
FatalAppExitA
QueryPerformanceFrequency
GetStartupInfoA
TlsFree
GetConsoleCP
GetCurrentThread
IsValidLocale
GetConsoleMode
LeaveCriticalSection
GetUserDefaultLCID
FindFirstFileA
GetOverlappedResult
GetSystemTimeAsFileTime
HeapSize
CreateEventA
UnhandledExceptionFilter
CreateFileW
FlushFileBuffers
SleepEx
LoadResource
GetCurrentProcessId
SetLastError
CreateFileMappingW
GetConsoleOutputCP
FindResourceA
LoadLibraryExW
LoadLibraryExA
GetStringTypeW
GetStringTypeA
GetLocaleInfoA
RtlUnwind
VirtualAlloc
HeapAlloc
IsValidCodePage
GetCurrentProcess
EnterCriticalSection
GetTickCount
HeapCreate
InterlockedDecrement
GetCurrentThreadId
InterlockedIncrement
TlsSetValue
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetStdHandle
ExitProcess
TlsGetValue
GetCPInfo
TerminateProcess
GlobalMemoryStatus
GetOEMCP
lstrcpynA
WriteConsoleA
QueueUserAPC
GetProfileStringW
lstrcatW
CreateEventW
GetModuleHandleW
GetCommandLineW
SetFilePointer
lstrcmpW
GetProfileIntW
MultiByteToWideChar
lstrcmpiW
ExpandEnvironmentStringsA
LCMapStringA
WriteFile
LocalSize
GetSystemTime
SystemTimeToFileTime
WaitForSingleObject
TlsAlloc
DeleteFileW
GetCommConfig
DisableThreadLibraryCalls
GetLastError
GlobalDeleteAtom
DefineDosDeviceA
FindAtomA
DeviceIoControl
GetHandleInformation
GetCurrentActCtx
DebugSetProcessKillOnExit
EraseTape
CreateMutexA
GetProcAddress
DecodePointer
GlobalFree
GetACP

user32

SetTimer
LoadIconA
CheckMenuRadioItem
GetWindowTextW
FindWindowA
InvalidateRect
RegisterWindowMessageW
SetDlgItemInt
EnableWindow
LoadBitmapA
RegisterClassExA
SetCapture
TrackPopupMenu
IsClipboardFormatAvailable
MessageBeep
SendMessageW
GetDialogBaseUnits
DrawTextA
UnhookWinEvent
GetFocus
FindWindowW
GetForegroundWindow
PostQuitMessage
RegisterWindowMessageA
CharLowerW
SetWindowLongA
SetFocus
DialogBoxIndirectParamA
KillTimer
CharNextW
SetScrollPos
GetMenuCheckMarkDimensions
GetKeyboardLayout
CharNextA
GetMessageA
ReleaseDC
PostMessageA
SetForegroundWindow
GetSubMenu
ChildWindowFromPoint
GetSystemMetrics
IsDialogMessageW
LoadIconW
DrawTextW
InvalidateRgn
PeekMessageW
SetWindowTextA
LoadStringW
SetCursorPos
SendDlgItemMessageW
GetWindowRect
SetDlgItemTextW
GetSysColor
ReleaseCapture
HideCaret
SetMenu
GetWindowPlacement
DialogBoxParamA
DeleteMenu
SetClipboardData
LoadCursorA
IsChild
RegisterClassExW
LoadAcceleratorsW
InsertMenuItemA
DispatchMessageW
SetWindowPlacement
UpdateWindow
wsprintfW
GetCursorPos
TranslateAcceleratorW

gdi32

ExtTextOutA
CreateCompatibleBitmap
EndPage
SetMapMode
DeleteObject
GetDeviceCaps
LPtoDP
GetTextExtentPoint32W
GetTextFaceW
CreateSolidBrush
GetTextExtentPointA
GetObjectA
SetWindowExtEx
EnumFontsW
CreateDCW
AbortDoc
SetBkMode
GetTextExtentPoint32A
SetBkColor

winspool.drv

OpenPrinterW

comdlg32

GetOpenFileNameW
FindTextW
CommDlgExtendedError
PageSetupDlgW
ChooseColorA
GetSaveFileNameW
PrintDlgExW

advapi32

CreateServiceA
RegOpenKeyA
RegDeleteValueA
AdjustTokenPrivileges
RegQueryValueExA
QueryServiceStatus
LookupPrivilegeValueA
OpenProcessToken
RegOpenKeyExA
RegQueryValueExW
InitializeSecurityDescriptor
OpenSCManagerA
RegCreateKeyA
RegCloseKey

shell32

DragAcceptFiles
ShellAboutW
DragFinish
Shell_NotifyIconA

Sections

.text
Size: 29KB - Virtual size: 28KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 40KB - Virtual size: 39KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
2016-11-08-3rd-run-EITest-Rig-EK-payload-CryptFile2.exe
.exe windows:5 windows x86 arch:x86

766de6bcdb6aa8af20f85493447ff268

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

lstrcmpiW
WriteProfileStringW
DeleteCriticalSection
UnhandledExceptionFilter
GetFileSize
InitializeCriticalSection
WriteFileEx
HeapReAlloc
GetStringTypeW
GlobalLock
DeleteFileA
GetFileInformationByHandle
LockResource
SearchPathA
SleepEx
GetStdHandle
GetStartupInfoA
SizeofResource
EnumSystemLocalesA
GetACP
GetDriveTypeA
GetFileAttributesW
LoadLibraryExW
lstrcatW
VirtualAlloc
MoveFileW
LoadResource
GetCurrentThread
FindResourceA
OpenJobObjectW
LoadLibraryExA
CreateFileMappingA
GetStringTypeA
LCMapStringW
MultiByteToWideChar
LCMapStringA
HeapSize
RtlUnwind
HeapAlloc
IsValidCodePage
GetOEMCP
LoadLibraryA
IsDebuggerPresent
GetCurrentProcess
TerminateProcess
EnterCriticalSection
LeaveCriticalSection
GetSystemTimeAsFileTime
GetTickCount
QueryPerformanceCounter
HeapFree
VirtualFree
GetEnvironmentStrings
GetLocaleInfoA
InitializeCriticalSectionAndSpinCount
LocalReAlloc
GetCPInfo
TlsSetValue
DeleteFileW
CreateFileA
RaiseException
GetCommConfig
DisableThreadLibraryCalls
GlobalDeleteAtom
DefineDosDeviceA
FindAtomW
DeviceIoControl
GetModuleHandleA
GetHandleInformation
GetCurrentActCtx
DebugSetProcessKillOnExit
EraseTape
CreateMutexA
GetCurrentProcessId
GetProcAddress
lstrcpynA
lstrlenA
HeapCreate
InterlockedDecrement
GetCommandLineA
SetUnhandledExceptionFilter
GetModuleHandleW
Sleep
ExitProcess
WriteFile
GetModuleFileNameA
FreeEnvironmentStringsA
FreeEnvironmentStringsW
WideCharToMultiByte
GetLastError
GetEnvironmentStringsW
SetHandleCount
GetFileType
TlsGetValue
TlsAlloc
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId

user32

PostMessageW
KillTimer
SendDlgItemMessageA
GetMenu
UnhookWinEvent
CheckRadioButton
ReleaseDC
TranslateAcceleratorA
DispatchMessageA
wsprintfW
EnableWindow
GetMenuItemCount
CloseClipboard
GetWindowRect
SendMessageA
LoadStringW
DeleteMenu
LoadIconA
CallWindowProcA
GetDlgItemTextW
DrawTextA
GetDlgItem
TranslateMessage
GetSysColor
IsChild
GetWindowLongW
GetWindowTextA
GetKeyboardLayout
OpenClipboard
GetCursorPos
SetCursorPos
ChildWindowFromPoint

gdi32

EnumFontsW
ExtTextOutA
GetObjectA
SetBkMode
SelectObject
CreateSolidBrush
TextOutA
LPtoDP

comdlg32

GetFileTitleW
ChooseColorA
ChooseFontA
GetSaveFileNameA
PrintDlgA
ReplaceTextW
PrintDlgExW

advapi32

QueryServiceStatus
RegOpenKeyExA
OpenSCManagerA
RegQueryValueExW
RegDeleteValueA
CreateServiceA
RegDeleteKeyA
RegOpenKeyA

shell32

Shell_NotifyIconA
DragFinish

Sections

.text
Size: 28KB - Virtual size: 27KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 41KB - Virtual size: 40KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
2016-11-09-1st-run-EITest-Rig-EK-payload-CryptFile2.exe
.exe windows:5 windows x86 arch:x86

3e0b9fcd97dc999c59d9c8d3becc8472

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetModuleHandleA
GetHandleInformation
DeviceIoControl
FindAtomW
DefineDosDeviceA
GlobalDeleteAtom
DisableThreadLibraryCalls
GetCommConfig
CreateFileW
DeleteCriticalSection
GetModuleHandleW
QueueUserAPC
GetVersion
IsDebuggerPresent
DeleteFileW
GetCurrentThread
FileTimeToSystemTime
GetCurrentActCtx
MultiByteToWideChar
lstrlenW
VirtualAlloc
LockResource
LoadResource
FindResourceA
OpenJobObjectW
LoadLibraryExA
GetStringTypeW
DebugSetProcessKillOnExit
EraseTape
CreateMutexW
GetCurrentProcessId
lstrcpynA
GetProcAddress
lstrcmpW
lstrlenA
GetStringTypeA
LCMapStringW
GetCommandLineA
GetStartupInfoA
SetUnhandledExceptionFilter
Sleep
ExitProcess
WriteFile
GetStdHandle
GetModuleFileNameA
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
WideCharToMultiByte
GetLastError
GetEnvironmentStringsW
SetHandleCount
GetFileType
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId
InterlockedDecrement
HeapCreate
VirtualFree
HeapFree
QueryPerformanceCounter
GetTickCount
GetSystemTimeAsFileTime
LeaveCriticalSection
EnterCriticalSection
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
LoadLibraryA
InitializeCriticalSectionAndSpinCount
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
HeapAlloc
HeapReAlloc
RtlUnwind
HeapSize
GetLocaleInfoA
LCMapStringA

user32

GetFocus
GetWindowPlacement
GetMenuCheckMarkDimensions
GetDlgItem
CharNextA
GetCursorPos
SetCursorPos
SendMessageW

gdi32

EndPage
StartDocA
GetTextMetricsA
CreateCompatibleBitmap
EndDoc

advapi32

OpenServiceA

shell32

ShellExecuteA

Sections

.text
Size: 27KB - Virtual size: 27KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 41KB - Virtual size: 41KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
2016-11-15-2nd-run-Rig-standard-payload-CryptFile2.exe
.exe windows:5 windows x86 arch:x86

4553fdb5d0242cc3a93297d59e505be6

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetACP
WriteConsoleW
SleepEx
GetLocalTime
GetTickCount
lstrlenW
FormatMessageW
RtlMoveMemory
VirtualAlloc
GetCurrentProcessId
GetCurrentActCtx
GetHandleInformation
GetCommConfig
DefineDosDeviceW
GetCurrentProcess
CreateFileW
GlobalAlloc
LoadLibraryExW
LoadResource
GetProcessHeap
GetModuleHandleW
LoadLibraryA
GetStringTypeW
GetStringTypeA
LCMapStringW
MultiByteToWideChar
LCMapStringA
GetLocaleInfoA
HeapSize
RtlUnwind
GetProcAddress
ResumeThread
LocalAlloc
CreateEventW
OpenMutexA
FindResourceW
FindClose
HeapReAlloc
HeapAlloc
GetCommandLineA
GetStartupInfoA
SetUnhandledExceptionFilter
Sleep
ExitProcess
WriteFile
GetStdHandle
GetModuleFileNameA
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
WideCharToMultiByte
GetLastError
GetEnvironmentStringsW
SetHandleCount
GetFileType
DeleteCriticalSection
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId
InterlockedDecrement
HeapCreate
VirtualFree
HeapFree
QueryPerformanceCounter
GetSystemTimeAsFileTime
LeaveCriticalSection
EnterCriticalSection
TerminateProcess
UnhandledExceptionFilter
IsDebuggerPresent
InitializeCriticalSectionAndSpinCount
GetCPInfo
GetOEMCP
IsValidCodePage

user32

GetCursorPos
DefWindowProcW
GetParent
CheckRadioButton
LoadCursorW
CloseClipboard
DispatchMessageA
PostQuitMessage
GetDlgCtrlID
SetCursor
SetWindowLongA
PostMessageW
GetMenuCheckMarkDimensions
GetDlgItemTextA
GetMenuItemCount
CallWindowProcA

gdi32

CreateFontA
GetObjectA

advapi32

IsTextUnicode
RegQueryValueExW
OpenProcessToken

shell32

DragQueryFileW

Sections

.text
Size: 27KB - Virtual size: 26KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 33KB - Virtual size: 33KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe
.exe windows:5 windows x86 arch:x86

04d0a2f8dc30a43ffd4ea055e7bbf2ec

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

RtlMoveMemory
VirtualAlloc
GetCurrentProcessId
DecodeSystemPointer
GetCurrentActCtx
DebugSetProcessKillOnExit
DefineDosDeviceW
GlobalDeleteAtom
DisableThreadLibraryCalls
CreateFileW
LocalAlloc
LockResource
GetACP
LoadResource
FindResourceW
GetModuleHandleW
LoadLibraryA
OpenMutexA
CreateEventW
ResumeThread
GetCurrentProcess
WriteConsoleW
GetCommandLineA
GetStartupInfoA
SetUnhandledExceptionFilter
Sleep
GetProcAddress
ExitProcess
WriteFile
GetStdHandle
GetModuleFileNameA
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
WideCharToMultiByte
GetLastError
GetEnvironmentStringsW
SetHandleCount
GetFileType
DeleteCriticalSection
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId
InterlockedDecrement
HeapCreate
VirtualFree
HeapFree
QueryPerformanceCounter
GetTickCount
GetSystemTimeAsFileTime
LeaveCriticalSection
EnterCriticalSection
TerminateProcess
UnhandledExceptionFilter
IsDebuggerPresent
InitializeCriticalSectionAndSpinCount
GetCPInfo
GetOEMCP
IsValidCodePage
HeapAlloc
HeapReAlloc
RtlUnwind
HeapSize
GetLocaleInfoA
LCMapStringA
MultiByteToWideChar
LCMapStringW
GetStringTypeA
GetStringTypeW

user32

GetCursorPos
GetMenuCheckMarkDimensions
PostQuitMessage
LoadCursorW
CloseClipboard
DefWindowProcW

gdi32

GetObjectW

advapi32

RegQueryValueExW
OpenProcessToken

Sections

.text
Size: 27KB - Virtual size: 26KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 36KB - Virtual size: 36KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe
.exe windows:5 windows x86 arch:x86

6e4610f91fe72e342925be31ea0e87c3

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetUserDefaultLCID
GetCommandLineA
WideCharToMultiByte
lstrcpynW
RtlMoveMemory
VirtualAlloc
GetCurrentProcessId
GetHandleInformation
DecodeSystemPointer
GetCommConfig
DefineDosDeviceA
DisableThreadLibraryCalls
LoadLibraryA
LocalAlloc
GetThreadLocale
LockResource
GetProcAddress
FindResourceA
GetCurrentThread
CreateFileA
GetModuleHandleW
VirtualFree
GetStringTypeW
LCMapStringW
MultiByteToWideChar
LCMapStringA
GetLocaleInfoA
HeapSize
RtlUnwind
HeapReAlloc
HeapAlloc
IsValidCodePage
GetOEMCP
GetACP
GetCPInfo
InitializeCriticalSectionAndSpinCount
GetSystemTime
lstrcatW
SetEndOfFile
GlobalAlloc
FormatMessageA
FreeEnvironmentStringsA
CompareStringA
GetFullPathNameA
GetEnvironmentVariableA
HeapDestroy
GetStringTypeA
SetStdHandle
FatalAppExitA
RaiseException
WriteFileEx
GetVersion
IsDebuggerPresent
UnhandledExceptionFilter
GetStartupInfoA
SetUnhandledExceptionFilter
Sleep
ExitProcess
WriteFile
GetStdHandle
GetModuleFileNameA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetLastError
GetEnvironmentStringsW
SetHandleCount
GetFileType
DeleteCriticalSection
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId
InterlockedDecrement
HeapCreate
HeapFree
QueryPerformanceCounter
GetTickCount
GetSystemTimeAsFileTime
LeaveCriticalSection
EnterCriticalSection
TerminateProcess
GetCurrentProcess

user32

DefWindowProcA
GetCursorPos
GetKeyboardLayout
SetWindowPos
CheckRadioButton
GetSysColor
AttachThreadInput
LoadImageW
CheckMenuRadioItem
SetTimer
DialogBoxParamW
SendMessageA
SetClipboardData
SetDlgItemTextA
GetDlgItemTextA
DestroyMenu
GetDesktopWindow
GetDlgItemTextW
SendMessageW
TranslateAcceleratorW
GetMenuItemCount
TrackPopupMenu
CreateDialogParamA

gdi32

SelectObject
DeleteObject
SetDIBits
CreateCompatibleDC
GetObjectW
EndPage
SetWindowExtEx
SetBkColor
StartDocA
DeleteDC

advapi32

RegQueryValueExW
RegOpenKeyA
RegCreateKeyA
QueryServiceStatus
LookupPrivilegeValueA

shell32

Shell_NotifyIconA

Sections

.text
Size: 26KB - Virtual size: 26KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 38KB - Virtual size: 37KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
2017-03-15-EITest-Rig-EK-payload-Revenge-ransomware-5uhcwesi.exe
.exe windows:5 windows x86 arch:x86

e2fd2a95dfdf88cb95cece4ae812c4cb

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_ISOLATION
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

HeapCreate
GetTimeFormatW
MulDiv
WriteConsoleW
FileTimeToSystemTime
GetSystemDirectoryA
GetEnvironmentVariableA
CompareStringW
ExitThread
MultiByteToWideChar
GlobalUnlock
FlushFileBuffers
LCMapStringA
EnumSystemLocalesA
RtlMoveMemory
GetStartupInfoA
GetHandleInformation
GetLastError
SetLastError
GetProcAddress
VirtualAlloc
QueueUserAPC
LocalLock
IsValidCodePage
SetStdHandle
SearchPathA
VirtualAllocEx
FindClose
LoadLibraryA
GetProcessId
CreateFileMappingA
CreateFileMappingW
GetOEMCP
GetModuleHandleA
CreateMutexA
FreeEnvironmentStringsW
WriteProfileStringW
GetCurrentDirectoryA
CompareStringA
QueryPerformanceFrequency
FatalAppExitA
TlsAlloc
CloseHandle
WriteFileEx
GetVersion
DeleteFileW
LeaveCriticalSection
LocalFree
GetSystemTime
TlsFree
ResumeThread
LCMapStringW
DeleteFileA
CreateThread
SetFilePointerEx
GetConsoleMode
GetConsoleCP
HeapSize
GetStringTypeW
HeapAlloc
RtlUnwind
LoadLibraryW
OutputDebugStringW
LoadLibraryExW
GetCPInfo
GetACP
EnterCriticalSection
TerminateProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
WideCharToMultiByte
GetEnvironmentStringsW
QueryPerformanceCounter
GetModuleFileNameA
GetStartupInfoW
DeleteCriticalSection
GetFileType
GetProcessHeap
GetModuleFileNameW
GetStdHandle
GetModuleHandleExW
DecodePointer
EncodePointer
GetCurrentThreadId
InterlockedDecrement
InterlockedIncrement
IsProcessorFeaturePresent
IsDebuggerPresent
CreateEventA
SizeofResource
Sleep
InitializeCriticalSectionAndSpinCount
CreateFileW
GetLocaleInfoW
IsValidLocale
GetVolumeInformationA
GlobalAlloc
GetEnvironmentStrings
TlsSetValue
GetCommandLineA
WriteFile
FormatMessageA
GetSystemTimeAsFileTime
VirtualFree
GetCurrentThread
GetModuleHandleW
SleepEx
GetUserDefaultLCID
GetProfileStringW
HeapFree
GlobalSize
GetCurrentProcess
LoadResource
FreeLibrary
FindResourceW
SetEndOfFile
lstrcpynA
UnmapViewOfFile
MapViewOfFile
GetStringTypeA
GetLocaleInfoA
TlsGetValue
FindFirstFileW
GlobalMemoryStatus
GetFileSize
CreateFileA
DosDateTimeToFileTime
HeapReAlloc
GetDateFormatW
LocalUnlock
GetComputerNameA
GetCurrentProcessId
ExitProcess

user32

PostQuitMessage
SendDlgItemMessageA
TrackPopupMenu
RegisterWindowMessageW
IsIconic
IsChild
SetCapture
KillTimer
GetFocus
LoadBitmapA
IsClipboardFormatAvailable
MessageBeep
FindWindowExA
FindWindowW
UnhookWinEvent
DrawTextExW
SetFocus
MoveWindow
GetWindow
DefWindowProcW
GetDialogBaseUnits
GetMenuCheckMarkDimensions
OpenDesktopA
GetDC
DrawFocusRect
IsDialogMessageA
TranslateMessage
InflateRect
ChildWindowFromPoint
SetDlgItemInt
RegisterClassExW
LoadIconW
GetWindowPlacement
OffsetRect
GetWindowTextA
SetWinEventHook
SetWindowLongA
LoadMenuW
GetWindowLongW
GetWindowTextW
SystemParametersInfoW
SetScrollPos
ReleaseDC
CreateDialogParamA
SetActiveWindow
EndPaint
SetWindowPlacement
CloseClipboard
SetCursor
CharLowerW
GetWindowRect
EnableMenuItem
EmptyClipboard
TranslateAcceleratorA
GetDlgItem
EndDialog
GetSysColor
LoadStringW
CheckDlgButton
LoadAcceleratorsA
ShowWindow
SetMenu
GetSysColorBrush
IsDlgButtonChecked
CreateDialogParamW
AppendMenuA
GetMenuItemCount
IsWindow
PostMessageA
CreateWindowExW
DispatchMessageA
OpenClipboard
SetProcessDefaultLayout
ReleaseCapture
GetDlgItemTextW
SetDlgItemTextW
SendMessageW
EnableWindow
DestroyMenu
LoadCursorA
GetDlgCtrlID
GetDlgItemTextA
DialogBoxParamA
SetDlgItemTextA
GetProcessDefaultLayout
GetClipboardData

gdi32

EndPage
LPtoDP
SetTextColor
DeleteDC
CreateFontIndirectW
CreateFontA
GetDeviceCaps
StretchBlt
CreateFontIndirectA
CreateDCW
DeleteObject
CreateCompatibleDC
CreateCompatibleBitmap
GetObjectW
StartDocW
GetTextFaceW
TextOutW
CreateSolidBrush
ExtTextOutA

winspool.drv

ClosePrinter
GetPrinterDriverW
OpenPrinterW

comdlg32

GetOpenFileNameA
FindTextW
PrintDlgExW
PageSetupDlgW
FindTextA
GetOpenFileNameW
PrintDlgA
ReplaceTextW

advapi32

RegSetValueExW
RegOpenKeyA
ControlService
QueryServiceStatus
RegCreateKeyA
RegDeleteKeyA
RegQueryValueExW
CreateServiceA
RegQueryValueExA
RegSetValueExA
RegCreateKeyW
DeleteService
OpenProcessToken
OpenServiceA

shell32

CommandLineToArgvW
DragQueryFileW
DragAcceptFiles
ShellExecuteExA
ShellExecuteA
Shell_NotifyIconA

Sections

.text
Size: 27KB - Virtual size: 27KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 23KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 58KB - Virtual size: 57KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
2017-04-07-1st-run-EITest-HoeflerText-payload-Spora-ransomware.exe
.exe windows:5 windows x86 arch:x86

b726e88a976872f70521f0f7fd804877

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

clusapi

ClusterEnum
CloseCluster
CloseClusterNode
CloseClusterGroup

crypt32

CertOpenSystemStoreA
CryptHashMessage
CryptDecodeMessage
CryptFindOIDInfo
CryptDecryptMessage
CryptEnumOIDInfo
CryptMemRealloc
CertDeleteCTLFromStore
CryptUnprotectData
CryptProtectData

advapi32

OpenEventLogW
CryptSignHashA
RegCreateKeyExA
ClearEventLogW
RegLoadKeyW
RegRestoreKeyA
ReadEventLogA
RegUnLoadKeyA
RegOpenKeyW
RegReplaceKeyW
RegEnumKeyA
RegSaveKeyA
RegDeleteValueA
IsTextUnicode

modemui

CountryRunOnce
drvGetDefaultCommConfigA

kernel32

RemoveDirectoryA
AddAtomW
GetProcAddress
LoadLibraryExA
OpenMutexA
FindFirstFileA
CreateMutexA
GetBinaryTypeW
GetVersionExW
GetCurrentDirectoryA
GetTempFileNameA
FindClose
FormatMessageW
lstrcatW
CreateSemaphoreA
IsBadReadPtr
LoadLibraryA
ResetEvent
HeapReAlloc
GetConsoleAliasW
WaitForSingleObjectEx

Sections

.text
Size: 65KB - Virtual size: 65KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data1
Size: - Virtual size: 256B

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
2017-04-07-2nd-run-EITest-HoeflerText-payload-Spora-ransomware.exe
.exe windows:4 windows x86 arch:x86

f7967747dba9ace411edf0c8a2401731

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

shell32

SHFileOperationW
StrChrW
SHUpdateImageA
DragAcceptFiles
ExtractIconW
DragFinish
StrStrW
DragQueryFileA
ShellAboutA
SHGetFolderPathA
FindExecutableA
SHSetFolderPathA
SHGetFileInfoW
SHDefExtractIconA
SHBrowseForFolderA
DllCanUnloadNow

shlwapi

UrlUnescapeA
UrlCanonicalizeA
UrlIsA
UrlCreateFromPathW
UrlCompareA
PathCompactPathA
PathIsRootW
PathCommonPrefixA
PathCombineA
UrlIsNoHistoryA
UrlGetPartW

kernel32

WaitForSingleObjectEx
SetLocalTime
LoadLibraryA
SetPriorityClass
FormatMessageA
CreateMutexA
GetConsoleTitleW
WriteConsoleA
CreateNamedPipeA
CreateFileMappingA
FindClose
InterlockedIncrement
ResetEvent
GlobalAddAtomA
GetConsoleAliasW
InterlockedDecrement
IsBadStringPtrA
DeleteFileA
FindNextFileA
SetLastError
GetProcessHeap
GetProcAddress
GetModuleHandleA
CreateFileW
FindResourceExW
GetCurrentDirectoryA
OpenMutexW
SearchPathA
GetProfileStringW
OpenSemaphoreA
CreateDirectoryW

untfs

FormatEx
Extend
Recover
Chkdsk

dsprop

ErrMsg
CrackName
ErrMsgParam

Sections

.text
Size: 30KB - Virtual size: 30KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 30KB - Virtual size: 30KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.edata
Size: - Virtual size: 512B

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
2017-04-07-3rd-run-EITest-HoeflerText-payload-Spora-ransomware.exe
.exe windows:5 windows x86 arch:x86

199b7e92fdebd65631f97f47bf8f9af3

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

clusapi

ClusterEnum
CloseCluster
CloseClusterNode
CloseClusterGroup

crypt32

CertOpenSystemStoreA
CryptHashMessage
CryptDecodeMessage
CryptFindOIDInfo
CryptDecryptMessage
CryptEnumOIDInfo
CryptMemRealloc
CertDeleteCTLFromStore
CryptUnprotectData
CryptProtectData

advapi32

OpenEventLogW
CryptSignHashA
RegCreateKeyExA
ClearEventLogW
RegLoadKeyW
RegRestoreKeyA
ReadEventLogA
RegUnLoadKeyA
RegOpenKeyW
RegReplaceKeyW
RegEnumKeyA
RegSaveKeyA
RegDeleteValueA
IsTextUnicode

modemui

CountryRunOnce
drvGetDefaultCommConfigA

kernel32

RemoveDirectoryA
AddAtomW
GetProcAddress
LoadLibraryExA
OpenMutexA
FindFirstFileA
CreateMutexA
GetBinaryTypeW
GetVersionExA
GetCurrentDirectoryA
GetTempFileNameA
FindClose
FormatMessageW
lstrcatW
CreateSemaphoreA
IsBadReadPtr
LoadLibraryA
ResetEvent
HeapReAlloc
GetConsoleAliasW
WaitForSingleObjectEx

Sections

.text
Size: 65KB - Virtual size: 65KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data1
Size: - Virtual size: 256B

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
2018-01-28-Seamless-campaign-Rig-EK-payload-GandCrab-ransomware.exe
.exe windows:5 windows x86 arch:x86

1a2e8e69e12b5914ef5ee6e727129c12

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetMailslotInfo
GetLongPathNameW
GetLongPathNameA
LoadLibraryA
GetProcessId
GetFileType
SetProcessWorkingSetSize
TerminateProcess
SetProcessShutdownParameters
CloseHandle
GetFileInformationByHandle
GetThreadTimes
GetProcessHandleCount
TerminateThread
GetProcessTimes
GlobalAlloc
GetModuleHandleW
VirtualProtect
lstrlenA
CreateFileW
FlushFileBuffers
GetCommandLineA
HeapSetInformation
GetStartupInfoW
RaiseException
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
DecodePointer
EncodePointer
HeapAlloc
GetLastError
HeapFree
IsProcessorFeaturePresent
EnterCriticalSection
LeaveCriticalSection
GetProcAddress
ExitProcess
WriteFile
GetStdHandle
GetModuleFileNameW
GetModuleFileNameA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStringsW
SetHandleCount
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId
InterlockedDecrement
HeapCreate
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
SetFilePointer
GetConsoleCP
GetConsoleMode
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
Sleep
RtlUnwind
HeapSize
LoadLibraryW
SetStdHandle
WriteConsoleW
MultiByteToWideChar
LCMapStringW
GetStringTypeW
HeapReAlloc

user32

PostMessageA

gdi32

SetRectRgn
FillPath
StretchBlt

advapi32

InitiateSystemShutdownA
OpenEventLogA

msimg32

GradientFill
TransparentBlt

Sections

.text
Size: 53KB - Virtual size: 53KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 14KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 65KB - Virtual size: 65KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

914fcd6a41751e733bd47b99e22b1a84

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

gdi32

winspool.drv

advapi32

shell32

Sections

.text Size: 25KB - Virtual size: 24KB

.data Size: 6KB - Virtual size: 6KB

.rdata Size: 9KB - Virtual size: 9KB

.data Size: 3KB - Virtual size: 6KB

.rsrc Size: 77KB - Virtual size: 76KB

.reloc Size: 4KB - Virtual size: 4KB

0729733a67a4566b5a394839879cfee4

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

gdi32

winspool.drv

advapi32

Sections

.text Size: 25KB - Virtual size: 24KB

.data Size: 10KB - Virtual size: 10KB

.rdata Size: 8KB - Virtual size: 8KB

.data Size: 3KB - Virtual size: 6KB

.rsrc Size: 78KB - Virtual size: 78KB

.reloc Size: 5KB - Virtual size: 4KB

da7212e11f7a8d7ab5284841cd598d8e

Headers

File Characteristics

Imports

crtdll

kernel32

msvcrt

user32

gdi32

comctl32

winmm

ole32

Sections

.code Size: 1024B - Virtual size: 1023B

.text Size: 33KB - Virtual size: 32KB

.data Size: 86KB - Virtual size: 344KB

9cce92740c373d5298e74a9a61e76e52

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

Sections

.text Size: 25KB - Virtual size: 25KB

.data Size: 1KB - Virtual size: 1KB

.rdata Size: 7KB - Virtual size: 7KB

.data Size: 3KB - Virtual size: 6KB

.rsrc Size: 35KB - Virtual size: 35KB

.reloc Size: 3KB - Virtual size: 3KB

7638178220a198ac0c8dde08f7814d51

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

gdi32

winspool.drv

comdlg32

advapi32

.text
Size: 25KB - Virtual size: 24KB

.data
Size: 6KB - Virtual size: 6KB

.rdata
Size: 9KB - Virtual size: 9KB

.data
Size: 3KB - Virtual size: 6KB

.rsrc
Size: 77KB - Virtual size: 76KB

.reloc
Size: 4KB - Virtual size: 4KB

.text
Size: 25KB - Virtual size: 24KB

.data
Size: 10KB - Virtual size: 10KB

.rdata
Size: 8KB - Virtual size: 8KB

.data
Size: 3KB - Virtual size: 6KB

.rsrc
Size: 78KB - Virtual size: 78KB

.reloc
Size: 5KB - Virtual size: 4KB

.code
Size: 1024B - Virtual size: 1023B

.text
Size: 33KB - Virtual size: 32KB

.data
Size: 86KB - Virtual size: 344KB

.text
Size: 25KB - Virtual size: 25KB

.data
Size: 1KB - Virtual size: 1KB

.rdata
Size: 7KB - Virtual size: 7KB

.data
Size: 3KB - Virtual size: 6KB

.rsrc
Size: 35KB - Virtual size: 35KB

.reloc
Size: 3KB - Virtual size: 3KB

.text
Size: 25KB - Virtual size: 25KB

.data
Size: 15KB - Virtual size: 15KB

.rdata
Size: 10KB - Virtual size: 9KB

.data
Size: 3KB - Virtual size: 6KB

.rsrc
Size: 35KB - Virtual size: 35KB

.reloc
Size: 5KB - Virtual size: 4KB

.text
Size: 25KB - Virtual size: 25KB

.data
Size: 6KB - Virtual size: 5KB

.rdata
Size: 9KB - Virtual size: 9KB

.data
Size: 3KB - Virtual size: 6KB

.rsrc
Size: 34KB - Virtual size: 34KB

.reloc
Size: 4KB - Virtual size: 3KB

.code
Size: 21KB - Virtual size: 20KB

.text
Size: 7KB - Virtual size: 6KB

.rdata
Size: 512B - Virtual size: 48B

.data
Size: 16KB - Virtual size: 16KB

.rsrc
Size: 512B - Virtual size: 480B

.text
Size: 31KB - Virtual size: 30KB

.rdata
Size: 9KB - Virtual size: 8KB

.data
Size: 3KB - Virtual size: 6KB

.rsrc
Size: 41KB - Virtual size: 40KB

.reloc
Size: 4KB - Virtual size: 3KB