96b01bbab000c95f7833fb7696834d9b

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2017-May-23 09:54:55
Detected languages English - United States
Comments This installation was built with Inno Setup.
CompanyName X-NET
FileDescription Restorator 2007 Setup
FileVersion
LegalCopyright
ProductName Restorator 2007
ProductVersion 3.70.1747

Plugin Output

Suspicious Unusual section name found: C\x04\x12"\x1ah\x02\x13
Section C\x04\x12"\x1ah\x02\x13 is both writable and executable.
Unusual section name found:
Info The PE is digitally signed. Signer: AgileBits Inc.
Issuer: COMODO RSA Code Signing CA
Malicious VirusTotal score: 45/67 (Scanned on 2018-03-29 02:03:07) MicroWorld-eScan: Trojan.GenericKD.30373811
CAT-QuickHeal: Trojan.Multi
ALYac: Trojan.Ransom.Crysis
VIPRE: Trojan.Win32.Generic!BT
K7AntiVirus: Trojan ( 005250141 )
K7GW: Trojan ( 005250141 )
Baidu: Win32.Trojan.WisdomEyes.16070401.9500.9927
Cyren: W32/Trojan.VJRA-5714
Symantec: Trojan.Gen.2
TrendMicro-HouseCall: Ransom_GENASOM.THBAFJ
Paloalto: generic.ml
Kaspersky: Trojan-Ransom.Win32.Crusis.cbp
BitDefender: Trojan.GenericKD.30373811
NANO-Antivirus: Trojan.Win32.Crusis.eyoyzx
AegisLab: Uds.Dangerousobject.Multi!c
Tencent: Win32.Trojan.Crusis.Huyy
Ad-Aware: Trojan.GenericKD.30373811
Sophos: Mal/Generic-S
Comodo: .UnclassifiedMalware
DrWeb: Trojan.Encoder.3953
TrendMicro: Ransom_GENASOM.THBAFJ
McAfee-GW-Edition: Generic.dbq
Emsisoft: Trojan.GenericKD.30373811 (B)
SentinelOne: static engine - malicious
Avira: TR/Dropper.MSIL.ezxxr
Fortinet: MSIL/Kryptik.MNQ!tr
Antiy-AVL: Trojan[Ransom]/Win32.AGeneric
Endgame: malicious (high confidence)
ZoneAlarm: Trojan-Ransom.Win32.Crusis.cbp
Microsoft: Ransom:Win32/Genasom
AhnLab-V3: Trojan/Win32.Kryptik.C2444184
McAfee: Generic.dbq
AVware: Trojan.Win32.Generic!BT
VBA32: TrojanRansom.Genasom
Cylance: Unsafe
Panda: Trj/GdSda.A
ESET-NOD32: a variant of MSIL/Kryptik.MNQ
Ikarus: Trojan.Inject
eGambit: PE.Heur.InvalidSig
GData: Trojan.GenericKD.30373811
AVG: Win32:Ransom-AZY [Trj]
Cybereason: malicious.ed4375
Avast: Win32:Ransom-AZY [Trj]
CrowdStrike: malicious_confidence_100% (W)
Qihoo-360: Win32/Trojan.Ransom.067

Hashes

MD5 96b01bbab000c95f7833fb7696834d9b
SHA1 1f6434fed4375258d8fc69ac6a480df79f08a712
SHA256 4d11ba0ab98bf4e61aba4524fa8afec3e87739d954b8a9b351998282706bbc3b
SHA3 1ffacdea6cf45d610212dd8c9d8ae3d839f03ecca8eb7d024cbae6efb99c25d8
SSDeep 6144:rrKQoPWRNYvG8yE2fkXPifGYY/uAGiOcXXATi8S:FpRNmyE2SPifGLr/8S
Imports Hash f34d5f2d4577ed6d9ceec516c1f5a744

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x80

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 5
TimeDateStamp 2017-May-23 09:54:55
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 8.0
SizeOfCode 0x6800
SizeOfInitializedData 0x4d400
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0005A00A (Section: )
BaseOfCode 0x2e000
BaseOfData 0x2000
ImageBase 0x400000
SectionAlignment 0x2000
FileAlignment 0x200
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x5c000
SizeOfHeaders 0x400
Checksum 0x61736
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

C\x04\x12"\x1ah\x02\x13

MD5 e045a23056b1aadb81bccd9141882248
SHA1 447938501e1831ab852669deddc83a6c6adc3318
SHA256 77455be78d5c9439da68ee8035f437048f5bf074ca50c1bcf94e065d286c4a8a
SHA3 d1f6603fc546ba5c7d757bf5d3e99c2c71f87f340b3aae5fdb05f860e73698b4
VirtualSize 0x2be84
VirtualAddress 0x2000
SizeOfRawData 0x2c000
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 7.99913

.text

MD5 f0c649ce0377a84c96d43b5578868d48
SHA1 9c40dbc78c8e17ca5b74b87f7cc0ce050de7252a
SHA256 13d98471f613ea70837c5fd930bbf928c3caa51ad150881941403eaa6cfc9dab
SHA3 3707d9c06a50f5f5bc54f808d3edb67bd280ea79798b79ddf3c103381ab1c257
VirtualSize 0x6568
VirtualAddress 0x2e000
SizeOfRawData 0x6600
PointerToRawData 0x2c400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.61058

.rsrc

MD5 bdd6c5e72f1db5a38ea4e9d9b7ee5cc8
SHA1 488c6eeb0e271b5aef8be48da7fa1dfe0f4a4220
SHA256 1d8f9eca3a4d7284faef3b578890a4a045d8b14db859cfde4f15c84209b18bfb
SHA3 dad54e90d68842df750f661bc652cd73a5ca1df50f7da182252a0d63cd284b18
VirtualSize 0x21010
VirtualAddress 0x36000
SizeOfRawData 0x21200
PointerToRawData 0x32a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 6.698

.reloc

MD5 8613449404b2003dc92e4f27b03796c7
SHA1 ecf9438fc47987f7ad4f6853bab44b4d23c6b5ab
SHA256 703661d5bc0e085c5fe44fc92962bfbee2063e9702890d9f21995b11d1400660
SHA3 80b278f6cd57a54ed8e48a1b70a85521a7f770ee8e5574770f0d0a23d315993c
VirtualSize 0xc
VirtualAddress 0x58000
SizeOfRawData 0x200
PointerToRawData 0x53c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 0.0980042

MD5 968c61bc86e5c145ad4f748d11b383a1
SHA1 6aecec5a996d588f8284e866f24e9a652bff8fd8
SHA256 7d77f18dc1f9a5b787aa1c201d743c4fa45560ccd821b22693af6c919954616c
SHA3 095a63017cad4835c7482f6b89a4fa51940d9ecebf30851db269469c3036a007
VirtualSize 0x10
VirtualAddress 0x5a000
SizeOfRawData 0x200
PointerToRawData 0x53e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 0.142636

Imports

mscoree.dll _CorExeMain

Delayed Imports

1

Type RT_ICON
Language UNKNOWN
Codepage UNKNOWN
Size 0x6bc1
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 7.96873
Detected Filetype PNG graphic file
MD5 7b5a189f7f3db9d8523dcb5a2a147392
SHA1 13968886fdc7e9b61dfb57d61b5433a5ea9f4dab
SHA256 66897970afc60b5663885610fdb4f5f2c0547004c211afdf6daee3170b9425f4
SHA3 555d74a8eb6cc2d96187086c49675b39e328264e843b2547a79bd43ca6e38fc4

2

Type RT_ICON
Language UNKNOWN
Codepage UNKNOWN
Size 0x10828
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 6.05097
MD5 19c84068abac225171f2c46c3b23609f
SHA1 546cd7b4ba10c15a3bccd7a044f88652b9bf15bb
SHA256 a55976b64696da5808e0375c8b81e5889d3e29d729a3ea31c5a20313a7415531
SHA3 0b50f29b472f1670dc1328c0f04d473a2e8fea47c5f46b27c0ae44d404df4787

3

Type RT_ICON
Language UNKNOWN
Codepage UNKNOWN
Size 0x4228
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 6.00936
MD5 1e0ad5949ab361779ebe06fd5c63704c
SHA1 0a365c152446aafc3457de3f2c3974a84428de20
SHA256 704fc3d25d38f62f4ca7a8525b5854d6dfdf6a27b04cfd565f116c8c039efa85
SHA3 d8bb9a3d46da17287d0230a77a458aba1791e8a2929c29207fdea5fadc4d1730

4

Type RT_ICON
Language UNKNOWN
Codepage UNKNOWN
Size 0x25a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 6.00712
MD5 f8994ac746181275e88b149c5ab4e5c8
SHA1 1437dba6822c9b2c41cdbaa78567595a2b420a99
SHA256 8ff71d0852b760e3831489967d45178c15cb96c2f14b42a3587a95db679a2041
SHA3 5c0a73f056bb5b3cb1305174f45965839b34550f0c1912b773a83c488429d8a0

5

Type RT_ICON
Language UNKNOWN
Codepage UNKNOWN
Size 0x10a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.85799
MD5 3986bca4476f3da182e87e2e4fa7f912
SHA1 41476ac870ed9ac38785c7f63e067f340341fb1a
SHA256 16a6f0310f9a2a83364bae90d99b4cd85796012ac4eb03997baaaca8970dfa25
SHA3 d5ee6e43bfda1b0fe3ac4ab9520dc0f4c5647439711bb14d9f22a531df6085a5

6

Type RT_ICON
Language UNKNOWN
Codepage UNKNOWN
Size 0x988
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.98056
MD5 21e8eb110bbecad7f90f66f092a0ffd9
SHA1 b2b3be3030a5b065687a020f1d4c4a96d5c91ab3
SHA256 f86036cf8c308af36aa604662c583e79de2d12ac554ac8202b89be3b90d60038
SHA3 6f999ae45379ecc17ec2a857ef490a50d55256b4c897d2d6787a855cd27ce3d1

7

Type RT_ICON
Language UNKNOWN
Codepage UNKNOWN
Size 0x468
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.69376
MD5 ccd52f4566ca229486431a87b123ab0b
SHA1 d3e5286f32b0b1f3c71162885a12e557b30c6ee9
SHA256 2a017c609e34ea94a7bfe155de30892dfcf5de69c646e84088a25f637c523030
SHA3 bc3cf8ac7cf00ef4488942339cbdabe277f0518816c4940f5aebfdc3d024c7e8

4089

Type RT_STRING
Language UNKNOWN
Codepage UNKNOWN
Size 0x2f2
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.21823
MD5 bbf4b644f9dd284b35eb31573d0df2f7
SHA1 4f9885ae629e83464e313af5254ef86f01accd0b
SHA256 2c0d32398e3c95657a577c044cc32fe24fa058d0c32e13099b26fd678de8354f
SHA3 ebed2e4a929600c1460761d462143feb092840986b31c9748d3aeb8174d4205e

4090

Type RT_STRING
Language UNKNOWN
Codepage UNKNOWN
Size 0x30c
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.31515
MD5 ac2a0551cb90f91d779ee8622682dfb1
SHA1 ff0db7d2f48d85ceb3539b21ebe9d0ca3443f1da
SHA256 840989e0a92f2746ae60b8e3efc1a39bcca17e82df3634c1643d76141fc75bb3
SHA3 58a85f5c53df73aa79e5f5a36aa151ca0d9da4d450ebc2975a3ee827b46342a5

4091

Type RT_STRING
Language UNKNOWN
Codepage UNKNOWN
Size 0x2ce
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.25024
MD5 c99b474c52df3049dfb38b5308f2827d
SHA1 7375e693629ce6bbd1a0419621d094bcd2c67bb7
SHA256 26bda4da3649a575157a6466468a0a86944756643855954120fd715f3c9c7f78
SHA3 c6013febd14dd876e3b81111ec17dd2724dbf4147b0ad7be9d03259bcb59fef3

4093

Type RT_STRING
Language UNKNOWN
Codepage UNKNOWN
Size 0x68
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.86149
MD5 aec4e28ea9db1361160cde225d158108
SHA1 249013a10cde021c713ba2dc8912f9e05be35735
SHA256 d786490af7fe66042fb4a7d52023f5a1442f9b5e65d067b9093d1a128a6af34c
SHA3 a067c4d88d719ed8d568951acb776bd798b691a8b153f8d94ba0574ede1fbf4c

4094

Type RT_STRING
Language UNKNOWN
Codepage UNKNOWN
Size 0xb4
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.20731
MD5 c76a8843204c0572bca24ada35abe8c7
SHA1 066052030d0a32310da8cb5a51d0590960a65f32
SHA256 00a0794f0a493c167f64ed8b119d49bdc59f76bb35e5c295dc047095958ee2fd
SHA3 07523cf88b3803ea41acfeb3c9c0c4b5b4b9fb6f9a3232802491d8de1b6c9166

4095

Type RT_STRING
Language UNKNOWN
Codepage UNKNOWN
Size 0xae
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.04592
MD5 4bd4f3f6d918ba49d8800ad83d277a86
SHA1 1f5e4c73965fea1d1f729efbe7568dcd081a2168
SHA256 34973a8a33b90ec734bd328198311f579666d5aeb04c94f469ebb822689de3c3
SHA3 2d01c56a5bf0b390addf4fb5b6ae02f9a64bd03ffd300d3763615bbb8ec911fe

11111

Type RT_RCDATA
Language UNKNOWN
Codepage UNKNOWN
Size 0x2c
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.61354
MD5 fd189235fa73905d958d206eef3141f1
SHA1 e6de6ed76c2324f54732bd335724ab603f9fa8a4
SHA256 bf6c25215ad9ff64c6456bf0e66939b7ba11ee88327f9be2466bb065e2f05e8a
SHA3 a81fbea7965962d38ddd1e5398ad94603960d16323b0ee15d42e73fe96b8de9d

MAINICON

Type RT_GROUP_ICON
Language UNKNOWN
Codepage UNKNOWN
Size 0x68
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.45566
Detected Filetype Icon file
MD5 76e36f85d629fcf171a7a322c8e63889
SHA1 a818b3a0f9468bf1fbad14d3e17ceb5acdcd8ac3
SHA256 d8186fafdd760f0724ab13f27bd39befaafac0abce107d6f0b556933984a83ec
SHA3 e30242aea19ce0e9b24b727bacd598e1d546a44819f875faece6e286e51699b5

1 (#2)

Type RT_VERSION
Language English - United States
Codepage UNKNOWN
Size 0x4b8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.64726
MD5 19c3a33271abcb62c8d4868fa0a12d52
SHA1 e113bde0812acdb458fdeb91a658c6cdfcb49deb
SHA256 47de9cacbe9c785075ca7244cb70b2f58eb28e5d7957625f5f8881a1130cf19f
SHA3 f88c87d75a1eb337257ac34ad1bbb7ac5e9b2d22c86d3997f87f2a0473dc4b45

1 (#3)

Type RT_MANIFEST
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x1ea
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.00112
MD5 b7db84991f23a680df8e95af8946f9c9
SHA1 cac699787884fb993ced8d7dc47b7c522c7bc734
SHA256 539dc26a14b6277e87348594ab7d6e932d16aabb18612d77f29fe421a9f1d46a
SHA3 4f72877413d13a67b52b292a8524e2c43a15253c26aaf6b5d0166a65bc615cff

String Table contents

'%s' is not a valid integer value
'%s' is not a valid floating point value
'%s' is not a valid date
'%s' is not a valid time
'%s' is not a valid date and time
Invalid argument to time encode
Invalid argument to date encode
Out of memory
I/O error %d
File not found
Invalid filename
Too many open files
File access denied
Read beyond end of file
Disk full
Invalid numeric input
Division by zero
Range check error
Integer overflow
Invalid floating point operation
Floating point division by zero
Floating point overflow
Floating point underflow
Invalid pointer operation
Invalid class typecast
Access violation at address %p. %s of address %p
Stack overflow
Control-C hit
Privileged instruction
Operation aborted
Exception %s in module %s at %p.
%s%s
Application Error
Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant type conversion
Invalid variant operation
Variant method calls not supported
Read
Write
Format result longer than 4096 characters
Format string too long
Error creating variant array
Variant is not an array
Variant array index out of bounds
External exception %x
Jan
Feb
Mar
Apr
May
Jun
Jul
Aug
Sep
Oct
Nov
Dec
January
February
March
April
May
June
July
August
September
October
November
December
Sun
Mon
Tue
Wed
Thu
Fri
Sat
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 0.0.0.0
ProductVersion 0.0.0.0
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT_WINDOWS32
VOS__WINDOWS32
FileType VFT_APP
Language UNKNOWN
Comments This installation was built with Inno Setup.
CompanyName X-NET
FileDescription Restorator 2007 Setup
FileVersion (#2)
LegalCopyright
ProductName Restorator 2007
ProductVersion (#2) 3.70.1747
Resource LangID English - United States

TLS Callbacks

Load Configuration

RICH Header

Errors

[*] Warning: [plugin_authenticode] Hashing algorithm 1.2.840.1015.13.2.5 is not supported.