96b01bbab000c95f7833fb7696834d9b

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2017-May-23 09:54:55
Detected languages English - United States
Comments This installation was built with Inno Setup.
CompanyName X-NET
FileDescription Restorator 2007 Setup
FileVersion
LegalCopyright
ProductName Restorator 2007
ProductVersion 3.70.1747

Plugin Output

Suspicious This PE is packed with RPCrypt (packer signature match).
Suspicious Unusual section name found: C\x04\x12"\x1ah\x02\x13
Suspicious Section C\x04\x12"\x1ah\x02\x13 is both writable and executable (RWX, entropy 7.999; see the section table below).
Suspicious Unusual section name found: (empty name; the fifth section, which holds the entry point)
Info The PE is digitally signed. Signer: AgileBits Inc.
Issuer: COMODO RSA Code Signing CA.
Caveat: the signer name is read from the embedded certificate; nothing in this report states that the signature actually verifies for this file (eGambit's verdict below is PE.Heur.InvalidSig), and the signer does not match the CompanyName (X-NET) in the version resource.
Info The only import is mscoree.dll _CorExeMain, so the file is loaded by the .NET runtime (MSIL), which agrees with the MSIL/Kryptik labels from ESET-NOD32 and Fortinet. The "built with Inno Setup" comment and the Delphi runtime error messages in the RT_STRING resources (see String Table contents) describe a native Delphi installer, not a .NET assembly, so the version resource and string table should not be taken as evidence of what the binary is.
Malicious VirusTotal score: 45/67 (Scanned on 2018-03-29 02:03:07)
MicroWorld-eScan: Trojan.GenericKD.30373811
CAT-QuickHeal: Trojan.Multi
ALYac: Trojan.Ransom.Crysis
VIPRE: Trojan.Win32.Generic!BT
K7AntiVirus: Trojan ( 005250141 )
K7GW: Trojan ( 005250141 )
Baidu: Win32.Trojan.WisdomEyes.16070401.9500.9927
Cyren: W32/Trojan.VJRA-5714
Symantec: Trojan.Gen.2
TrendMicro-HouseCall: Ransom_GENASOM.THBAFJ
Paloalto: generic.ml
Kaspersky: Trojan-Ransom.Win32.Crusis.cbp
BitDefender: Trojan.GenericKD.30373811
NANO-Antivirus: Trojan.Win32.Crusis.eyoyzx
AegisLab: Uds.Dangerousobject.Multi!c
Tencent: Win32.Trojan.Crusis.Huyy
Ad-Aware: Trojan.GenericKD.30373811
Sophos: Mal/Generic-S
Comodo: .UnclassifiedMalware
DrWeb: Trojan.Encoder.3953
TrendMicro: Ransom_GENASOM.THBAFJ
McAfee-GW-Edition: Generic.dbq
Emsisoft: Trojan.GenericKD.30373811 (B)
SentinelOne: static engine - malicious
Avira: TR/Dropper.MSIL.ezxxr
Fortinet: MSIL/Kryptik.MNQ!tr
Antiy-AVL: Trojan[Ransom]/Win32.AGeneric
Endgame: malicious (high confidence)
ZoneAlarm: Trojan-Ransom.Win32.Crusis.cbp
Microsoft: Ransom:Win32/Genasom
AhnLab-V3: Trojan/Win32.Kryptik.C2444184
McAfee: Generic.dbq
AVware: Trojan.Win32.Generic!BT
VBA32: TrojanRansom.Genasom
Cylance: Unsafe
Panda: Trj/GdSda.A
ESET-NOD32: a variant of MSIL/Kryptik.MNQ
Ikarus: Trojan.Inject
eGambit: PE.Heur.InvalidSig
GData: Trojan.GenericKD.30373811
AVG: Win32:Ransom-AZY [Trj]
Cybereason: malicious.ed4375
Avast: Win32:Ransom-AZY [Trj]
CrowdStrike: malicious_confidence_100% (W)
Qihoo-360: Win32/Trojan.Ransom.067

Hashes

MD5 96b01bbab000c95f7833fb7696834d9b
SHA1 1f6434fed4375258d8fc69ac6a480df79f08a712
SHA256 4d11ba0ab98bf4e61aba4524fa8afec3e87739d954b8a9b351998282706bbc3b
SHA3 1c0c643a6064ad7d8c0bcba27e37d63206354a3a073f27c45f0b27374362da15
SSDeep 6144:rrKQoPWRNYvG8yE2fkXPifGYY/uAGiOcXXATi8S:FpRNmyE2SPifGLr/8S
Imports Hash f34d5f2d4577ed6d9ceec516c1f5a744

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x80

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 5
TimeDateStamp 2017-May-23 09:54:55
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 8.0
SizeOfCode 0x6800
SizeOfInitializedData 0x4d400
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0005A00A (Section: unnamed fifth section at VirtualAddress 0x5a000)
BaseOfCode 0x2e000
BaseOfData 0x2000
ImageBase 0x400000
SectionAlignment 0x2000
FileAlignment 0x200
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x5c000
SizeOfHeaders 0x400
Checksum 0x61736
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

C\x04\x12"\x1ah\x02\x13

MD5 e045a23056b1aadb81bccd9141882248
SHA1 447938501e1831ab852669deddc83a6c6adc3318
SHA256 77455be78d5c9439da68ee8035f437048f5bf074ca50c1bcf94e065d286c4a8a
SHA3 0c387c58d5333c3d823bd8305321ba6d98e9a2651b668503d8e0e88d7f9bfcf3
VirtualSize 0x2be84
VirtualAddress 0x2000
SizeOfRawData 0x2c000
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 7.99913

.text

MD5 f0c649ce0377a84c96d43b5578868d48
SHA1 9c40dbc78c8e17ca5b74b87f7cc0ce050de7252a
SHA256 13d98471f613ea70837c5fd930bbf928c3caa51ad150881941403eaa6cfc9dab
SHA3 e05925975566138d0a082cbafa0f543e28bfbb07ea114d1433dfd5086b78f075
VirtualSize 0x6568
VirtualAddress 0x2e000
SizeOfRawData 0x6600
PointerToRawData 0x2c400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.61058

.rsrc

MD5 bdd6c5e72f1db5a38ea4e9d9b7ee5cc8
SHA1 488c6eeb0e271b5aef8be48da7fa1dfe0f4a4220
SHA256 1d8f9eca3a4d7284faef3b578890a4a045d8b14db859cfde4f15c84209b18bfb
SHA3 0edb03f4c81557ab8034170cfe73f07ae1cc68f791dcf6e67ec0e1fb629beaf5
VirtualSize 0x21010
VirtualAddress 0x36000
SizeOfRawData 0x21200
PointerToRawData 0x32a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 6.698

.reloc

MD5 8613449404b2003dc92e4f27b03796c7
SHA1 ecf9438fc47987f7ad4f6853bab44b4d23c6b5ab
SHA256 703661d5bc0e085c5fe44fc92962bfbee2063e9702890d9f21995b11d1400660
SHA3 a9dff7ada488446b17fb07cd3b739874a2a491a5991c71203fd01b8a6f6da9ff
VirtualSize 0xc
VirtualAddress 0x58000
SizeOfRawData 0x200
PointerToRawData 0x53c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 0.0980042

(unnamed section)

MD5 968c61bc86e5c145ad4f748d11b383a1
SHA1 6aecec5a996d588f8284e866f24e9a652bff8fd8
SHA256 7d77f18dc1f9a5b787aa1c201d743c4fa45560ccd821b22693af6c919954616c
SHA3 09843054cfc65b73fd6dfadff299a4661ab52b44031deabf6817c38075442ed0
VirtualSize 0x10
VirtualAddress 0x5a000
SizeOfRawData 0x200
PointerToRawData 0x53e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 0.142636
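
The section-level findings in Plugin Output (unusual section names, the RWX section, where the entry point lands) follow directly from the IMAGE_SECTION_HEADER records listed above. The script below is an added example, not part of the original report or of any analysis tool: it packs the five section headers from the values printed in this report (constructed test data, since the sample itself is not available offline), parses them back generically, and re-derives those checks plus the byte-entropy measure the report uses. ENTRY_POINT_RVA and SECTION_ALIGNMENT are copied from the optional header above; the function names are this example's own.

```python
"""
Added example (not part of the original report): parse IMAGE_SECTION_HEADER
records and re-derive the section-level findings from the Plugin Output
(non-printable or empty section name, writable+executable section, entry
point location) and compute Shannon entropy as the report does.

The section table below is CONSTRUCTED from the values printed in the report;
the file's bytes are not available here, so section contents are not hashed.
"""
import math
import struct
from collections import Counter

# IMAGE_SECTION_HEADER is 40 bytes: 8-byte name, six DWORDs, two WORDs, one DWORD
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")
SECTION_HEADER_SIZE = SECTION_HEADER.size  # 40

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def build_section_header(name, vsize, va, rawsize, rawptr, chars):
    """Pack one IMAGE_SECTION_HEADER (only used to construct the sample table)."""
    return SECTION_HEADER.pack(name.ljust(8, b"\0")[:8], vsize, va, rawsize, rawptr,
                               0, 0, 0, 0, chars)


# Constructed from the report's section table (names, sizes, RVAs, flags).
SAMPLE_TABLE = b"".join([
    build_section_header(b'C\x04\x12"\x1ah\x02\x13', 0x2be84, 0x2000, 0x2c000, 0x400,
                         IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE
                         | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    build_section_header(b".text", 0x6568, 0x2e000, 0x6600, 0x2c400,
                         IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    build_section_header(b".rsrc", 0x21010, 0x36000, 0x21200, 0x32a00,
                         IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    build_section_header(b".reloc", 0xc, 0x58000, 0x200, 0x53c00,
                         IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE
                         | IMAGE_SCN_MEM_READ),
    build_section_header(b"", 0x10, 0x5a000, 0x200, 0x53e00,
                         IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
])
ENTRY_POINT_RVA = 0x5A00A    # AddressOfEntryPoint from the optional header
SECTION_ALIGNMENT = 0x2000   # SectionAlignment from the optional header


def parse_section_table(blob, count):
    """Unpack `count` section headers from `blob`; the name is kept as raw bytes."""
    sections = []
    for i in range(count):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = \
            SECTION_HEADER.unpack_from(blob, i * SECTION_HEADER_SIZE)
        sections.append({"name": name.rstrip(b"\0"), "virtual_size": vsize,
                         "virtual_address": va, "raw_size": rawsize,
                         "raw_pointer": rawptr, "characteristics": chars})
    return sections


def section_for_rva(sections, rva, alignment):
    """Return the section whose aligned in-memory range contains `rva`, or None."""
    for s in sections:
        span = max(s["virtual_size"], s["raw_size"])
        end = s["virtual_address"] + ((span + alignment - 1) // alignment) * alignment
        if s["virtual_address"] <= rva < end:
            return s
    return None


def section_findings(sections, entry_rva, alignment):
    """Re-derive the section-level heuristics as a list of (label, message)."""
    findings = []
    for s in sections:
        name = s["name"]
        printable = name.isascii() and all(32 < b < 127 for b in name)
        if not name or not printable:
            findings.append(("Suspicious", "Unusual section name found: %r" % name))
        c = s["characteristics"]
        if c & IMAGE_SCN_MEM_WRITE and c & IMAGE_SCN_MEM_EXECUTE:
            findings.append(("Suspicious", "Section %r is both writable and executable." % name))
    ep = section_for_rva(sections, entry_rva, alignment)
    if ep is None:
        findings.append(("Suspicious", "Entry point 0x%x lies outside every section." % entry_rva))
    elif not ep["characteristics"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append(("Suspicious", "Entry point 0x%x is in non-executable section %r."
                         % (entry_rva, ep["name"])))
    return findings


def shannon_entropy(data):
    """Bits per byte in 0.0..8.0; the report's RWX section scores 7.999 on this scale."""
    if not data:
        return 0.0
    counts, n = Counter(data), len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


if __name__ == "__main__":
    secs = parse_section_table(SAMPLE_TABLE, 5)
    for label, msg in section_findings(secs, ENTRY_POINT_RVA, SECTION_ALIGNMENT):
        print(label, msg)
    ep = section_for_rva(secs, ENTRY_POINT_RVA, SECTION_ALIGNMENT)
    print("entry point 0x%x is in section %r at RVA 0x%x"
          % (ENTRY_POINT_RVA, ep["name"], ep["virtual_address"]))
```

Run against the constructed table it reports the two unusual names (the non-printable first name and the empty fifth name), the RWX first section, and places the entry point 0x5a00a in the unnamed fifth section. To apply it to a real file, read NumberOfSections and SizeOfOptionalHeader from the PE header at e_lfanew and unpack the table from the bytes that follow the optional header; the in-memory range check uses SectionAlignment rather than raw sizes because that is how the loader maps sections.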

Imports

mscoree.dll _CorExeMain

Delayed Imports

Resources

1

Type RT_ICON
Language UNKNOWN
Codepage UNKNOWN
Size 0x6bc1
Entropy 7.96873
Detected Filetype PNG graphic file
MD5 7b5a189f7f3db9d8523dcb5a2a147392
SHA1 13968886fdc7e9b61dfb57d61b5433a5ea9f4dab
SHA256 66897970afc60b5663885610fdb4f5f2c0547004c211afdf6daee3170b9425f4
SHA3 d153980d8a6b47f4cc847d6841d455f9334ce9f583725d31446dc42dc00c9b93

2

Type RT_ICON
Language UNKNOWN
Codepage UNKNOWN
Size 0x10828
Entropy 6.05097
MD5 19c84068abac225171f2c46c3b23609f
SHA1 546cd7b4ba10c15a3bccd7a044f88652b9bf15bb
SHA256 a55976b64696da5808e0375c8b81e5889d3e29d729a3ea31c5a20313a7415531
SHA3 a0d35064504dcae64171a99d4e20930413b9457af225acf531c5c0f58dfba8d1

3

Type RT_ICON
Language UNKNOWN
Codepage UNKNOWN
Size 0x4228
Entropy 6.00936
MD5 1e0ad5949ab361779ebe06fd5c63704c
SHA1 0a365c152446aafc3457de3f2c3974a84428de20
SHA256 704fc3d25d38f62f4ca7a8525b5854d6dfdf6a27b04cfd565f116c8c039efa85
SHA3 1a938e68066f5d84f6b1b72cf30d3e3ca0c677571cfd62bdc5364065307fc051

4

Type RT_ICON
Language UNKNOWN
Codepage UNKNOWN
Size 0x25a8
Entropy 6.00712
MD5 f8994ac746181275e88b149c5ab4e5c8
SHA1 1437dba6822c9b2c41cdbaa78567595a2b420a99
SHA256 8ff71d0852b760e3831489967d45178c15cb96c2f14b42a3587a95db679a2041
SHA3 fe503c807df10eab5fb3136fd219ca260bc88e24fed12773ff6c77baf57589b4

5

Type RT_ICON
Language UNKNOWN
Codepage UNKNOWN
Size 0x10a8
Entropy 5.85799
MD5 3986bca4476f3da182e87e2e4fa7f912
SHA1 41476ac870ed9ac38785c7f63e067f340341fb1a
SHA256 16a6f0310f9a2a83364bae90d99b4cd85796012ac4eb03997baaaca8970dfa25
SHA3 9f3b3ccfb2db9980e20b7a9c00571d455257a0771d7a0f5f332e79329902be3a

6

Type RT_ICON
Language UNKNOWN
Codepage UNKNOWN
Size 0x988
Entropy 5.98056
MD5 21e8eb110bbecad7f90f66f092a0ffd9
SHA1 b2b3be3030a5b065687a020f1d4c4a96d5c91ab3
SHA256 f86036cf8c308af36aa604662c583e79de2d12ac554ac8202b89be3b90d60038
SHA3 c2905c209ddf3ebe08eb84e0e4302ef766c5f6db073814922af3c06d75b52f74

7

Type RT_ICON
Language UNKNOWN
Codepage UNKNOWN
Size 0x468
Entropy 5.69376
MD5 ccd52f4566ca229486431a87b123ab0b
SHA1 d3e5286f32b0b1f3c71162885a12e557b30c6ee9
SHA256 2a017c609e34ea94a7bfe155de30892dfcf5de69c646e84088a25f637c523030
SHA3 036fec5d43abb5e049fa6acdadc1f532480c55e1ae7a93420f43dc7e18e0d553

4089

Type RT_STRING
Language UNKNOWN
Codepage UNKNOWN
Size 0x2f2
Entropy 3.21823
MD5 bbf4b644f9dd284b35eb31573d0df2f7
SHA1 4f9885ae629e83464e313af5254ef86f01accd0b
SHA256 2c0d32398e3c95657a577c044cc32fe24fa058d0c32e13099b26fd678de8354f
SHA3 ead4031fb130118ab0e727e2230d1c3780aeba20e35072f3fe64446811d20f60

4090

Type RT_STRING
Language UNKNOWN
Codepage UNKNOWN
Size 0x30c
Entropy 3.31515
MD5 ac2a0551cb90f91d779ee8622682dfb1
SHA1 ff0db7d2f48d85ceb3539b21ebe9d0ca3443f1da
SHA256 840989e0a92f2746ae60b8e3efc1a39bcca17e82df3634c1643d76141fc75bb3
SHA3 1d2f00e1c5d3ebcd7b2c79e7579d0b8dffa74413acfbdeaf17531d445b87ac7d

4091

Type RT_STRING
Language UNKNOWN
Codepage UNKNOWN
Size 0x2ce
Entropy 3.25024
MD5 c99b474c52df3049dfb38b5308f2827d
SHA1 7375e693629ce6bbd1a0419621d094bcd2c67bb7
SHA256 26bda4da3649a575157a6466468a0a86944756643855954120fd715f3c9c7f78
SHA3 9eb2c054959ab75a61fce2afbf3d33dbf10de07d0f67b1658a23f590872580e0

4093

Type RT_STRING
Language UNKNOWN
Codepage UNKNOWN
Size 0x68
Entropy 2.86149
MD5 aec4e28ea9db1361160cde225d158108
SHA1 249013a10cde021c713ba2dc8912f9e05be35735
SHA256 d786490af7fe66042fb4a7d52023f5a1442f9b5e65d067b9093d1a128a6af34c
SHA3 d9be38e75af58c5b4d702602a48c7bce0f7d0a46995727278fecaf7f19498e85

4094

Type RT_STRING
Language UNKNOWN
Codepage UNKNOWN
Size 0xb4
Entropy 3.20731
MD5 c76a8843204c0572bca24ada35abe8c7
SHA1 066052030d0a32310da8cb5a51d0590960a65f32
SHA256 00a0794f0a493c167f64ed8b119d49bdc59f76bb35e5c295dc047095958ee2fd
SHA3 da42d88f88ece9fa99fa07624acf50e652a16febee3069bd23f9b59d36401ed0

4095

Type RT_STRING
Language UNKNOWN
Codepage UNKNOWN
Size 0xae
Entropy 3.04592
MD5 4bd4f3f6d918ba49d8800ad83d277a86
SHA1 1f5e4c73965fea1d1f729efbe7568dcd081a2168
SHA256 34973a8a33b90ec734bd328198311f579666d5aeb04c94f469ebb822689de3c3
SHA3 cb9838217cf331f3a623ca3678d202510824d401515dae111c7c25e758a15df8

11111

Type RT_RCDATA
Language UNKNOWN
Codepage UNKNOWN
Size 0x2c
Entropy 4.61354
MD5 fd189235fa73905d958d206eef3141f1
SHA1 e6de6ed76c2324f54732bd335724ab603f9fa8a4
SHA256 bf6c25215ad9ff64c6456bf0e66939b7ba11ee88327f9be2466bb065e2f05e8a
SHA3 61d4528113f668f0ae90ecd63559a87e32a86b4a6748b639a655ffef05a1a81a

MAINICON

Type RT_GROUP_ICON
Language UNKNOWN
Codepage UNKNOWN
Size 0x68
Entropy 2.45566
Detected Filetype Icon file
MD5 76e36f85d629fcf171a7a322c8e63889
SHA1 a818b3a0f9468bf1fbad14d3e17ceb5acdcd8ac3
SHA256 d8186fafdd760f0724ab13f27bd39befaafac0abce107d6f0b556933984a83ec
SHA3 80091385946ef1af52be9ad31b407566471a172caa9b0a2c9a8fc7b20b7d589e

1 (#2)

Type RT_VERSION
Language English - United States
Codepage UNKNOWN
Size 0x4b8
Entropy 2.64726
MD5 19c3a33271abcb62c8d4868fa0a12d52
SHA1 e113bde0812acdb458fdeb91a658c6cdfcb49deb
SHA256 47de9cacbe9c785075ca7244cb70b2f58eb28e5d7957625f5f8881a1130cf19f
SHA3 8474b32282835e1eec6577da787fcfa2c0fb7d4e9d77897e1189288f107e1523

1 (#3)

Type RT_MANIFEST
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x1ea
Entropy 5.00112
MD5 b7db84991f23a680df8e95af8946f9c9
SHA1 cac699787884fb993ced8d7dc47b7c522c7bc734
SHA256 539dc26a14b6277e87348594ab7d6e932d16aabb18612d77f29fe421a9f1d46a
SHA3 4f064a06b5bd7ab6005fc494d9f0fc8061d891da40dd0c3387a654047c6ff6ee

String Table contents

'%s' is not a valid integer value
'%s' is not a valid floating point value
'%s' is not a valid date
'%s' is not a valid time
'%s' is not a valid date and time
Invalid argument to time encode
Invalid argument to date encode
Out of memory
I/O error %d
File not found
Invalid filename
Too many open files
File access denied
Read beyond end of file
Disk full
Invalid numeric input
Division by zero
Range check error
Integer overflow
Invalid floating point operation
Floating point division by zero
Floating point overflow
Floating point underflow
Invalid pointer operation
Invalid class typecast
Access violation at address %p. %s of address %p
Stack overflow
Control-C hit
Privileged instruction
Operation aborted
Exception %s in module %s at %p.
%s%s
Application Error
Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant type conversion
Invalid variant operation
Variant method calls not supported
Read
Write
Format result longer than 4096 characters
Format string too long
Error creating variant array
Variant is not an array
Variant array index out of bounds
External exception %x
Jan
Feb
Mar
Apr
May
Jun
Jul
Aug
Sep
Oct
Nov
Dec
January
February
March
April
May
June
July
August
September
October
November
December
Sun
Mon
Tue
Wed
Thu
Fri
Sat
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 0.0.0.0
ProductVersion 0.0.0.0
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT_WINDOWS32
VOS__WINDOWS32
FileType VFT_APP
Language UNKNOWN
Comments This installation was built with Inno Setup.
CompanyName X-NET
FileDescription Restorator 2007 Setup
FileVersion (#2)
LegalCopyright
ProductName Restorator 2007
ProductVersion (#2) 3.70.1747
Resource LangID English - United States

TLS Callbacks

Load Configuration

RICH Header

Errors