Hello, I'm a novice reverse engineer and I am struggling with my first malware problem. I'm trying to find out the effects of the ransomware, but no matter what I try, I cannot force the malware to execute on a VM (I tried XP and Windows 7 32-bit). Basically, what I've found out is that the outside layer is UPX and that it is unpacked easily. The problem comes with the inner protection layer. The program uses VirtualAlloc calls to allocate buffers in which it unloads the contents of the actual malware's executable. The first several buffers are used to unload the unpacking code as well as the compressed/hidden buffer contents of the original executable. The call that should decompress this buffer is RtlDecompressBuffer, which gets called with the appropriate parameters and returns STATUS_BAD_COMPRESSION_BUFFER (0xC0000242). According to MSDN, it is returned if the output buffer is too small. Well, I've manually changed the values of VirtualAlloc and RtlDecompressBuffer to force a larger buffer, and it still returned the same value. The buffer is freed (VirtualFree) soon after the decompressing is done.
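
An offline check for a buffer dumped just before the RtlDecompressBuffer call, added here as an example and not part of the original post: a minimal LZNT1 decompressor that raises on structurally invalid input, so the dumped bytes can be tested independently of any output-buffer size. It assumes the sample passes COMPRESSION_FORMAT_LZNT1 (the post does not state the format); `lznt1_decompress`, `BadCompressionBuffer` and `SAMPLE` are names chosen for this example.

```python
# Added example; assumes COMPRESSION_FORMAT_LZNT1, which the post does not state.
import struct

class BadCompressionBuffer(ValueError):
    """Raised when the input is not structurally valid LZNT1."""

def lznt1_decompress(src: bytes) -> bytes:
    out, pos = bytearray(), 0
    while pos + 2 <= len(src):
        (header,) = struct.unpack_from("<H", src, pos)
        if header == 0:                          # zero header ends the stream
            break
        if (header >> 12) & 7 != 3:              # bits 12-14 must be 0b011
            raise BadCompressionBuffer(f"bad chunk signature at {pos:#x}")
        end = pos + 2 + (header & 0x0FFF) + 1    # low 12 bits = data length - 1
        if end > len(src):
            raise BadCompressionBuffer(f"chunk at {pos:#x} overruns the input")
        pos += 2
        if not header & 0x8000:                  # bit 15 clear: stored chunk
            out += src[pos:end]
            pos = end
            continue
        chunk_start = len(out)                   # back-references stay in-chunk
        while pos < end:
            flags = src[pos]
            pos += 1
            for bit in range(8):                 # LSB first: 0 literal, 1 tuple
                if pos >= end:
                    break
                if not (flags >> bit) & 1:
                    out.append(src[pos])
                    pos += 1
                    continue
                if pos + 2 > end:
                    raise BadCompressionBuffer(f"truncated tuple at {pos:#x}")
                (token,) = struct.unpack_from("<H", src, pos)
                pos += 2
                written = len(out) - chunk_start
                # The offset/length bit split shifts as the chunk output grows.
                shift = 12 - max(0, (written - 1).bit_length() - 4)
                offset = (token >> shift) + 1
                length = (token & ((1 << shift) - 1)) + 3
                if offset > written:
                    raise BadCompressionBuffer(f"tuple at {pos - 2:#x} precedes chunk")
                for _ in range(length):          # byte-wise: overlap is legal
                    out.append(out[-offset])
    return bytes(out)

SAMPLE = bytes.fromhex("05b0084142430620")      # constructed: one compressed chunk
assert lznt1_decompress(SAMPLE) == b"ABCABCABCABC"
```

If a dumped buffer raises here at offset 0, the bytes handed to the decompressor are probably not yet in their final form (for example, still encoded by an earlier stage), which is worth ruling out before resizing buffers.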