{
    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa": {
        "Summary": {
            "Architecture": "IMAGE_FILE_MACHINE_I386",
            "Subsystem": "IMAGE_SUBSYSTEM_WINDOWS_GUI",
            "Compilation Date": "2010-Nov-20 09:05:05",
            "Detected languages": [
                "English - United States"
            ],
            "CompanyName": "Microsoft Corporation",
            "FileDescription": "DiskPart",
            "FileVersion": "6.1.7601.17514 (win7sp1_rtm.101119-1850)",
            "InternalName": "diskpart.exe",
            "LegalCopyright": "\u00a9 Microsoft Corporation. All rights reserved.",
            "OriginalFilename": "diskpart.exe",
            "ProductName": "Microsoft\u00ae Windows\u00ae Operating System",
            "ProductVersion": "6.1.7601.17514"
        },
        "DOS Header": {
            "e_magic": "MZ",
            "e_cblp": 144,
            "e_cp": 3,
            "e_crlc": 0,
            "e_cparhdr": 4,
            "e_minalloc": 0,
            "e_maxalloc": 65535,
            "e_ss": 0,
            "e_sp": 184,
            "e_csum": 0,
            "e_ip": 0,
            "e_cs": 0,
            "e_ovno": 0,
            "e_oemid": 0,
            "e_oeminfo": 0,
            "e_lfanew": 248
        },
        "PE Header": {
            "Signature": "PE",
            "Machine": "IMAGE_FILE_MACHINE_I386",
            "NumberofSections": 4,
            "TimeDateStamp": "2010-Nov-20 09:05:05",
            "PointerToSymbolTable": 0,
            "NumberOfSymbols": 0,
            "SizeOfOptionalHeader": 224,
            "Characteristics": [
                "IMAGE_FILE_32BIT_MACHINE",
                "IMAGE_FILE_EXECUTABLE_IMAGE",
                "IMAGE_FILE_LINE_NUMS_STRIPPED",
                "IMAGE_FILE_LOCAL_SYMS_STRIPPED",
                "IMAGE_FILE_RELOCS_STRIPPED"
            ]
        },
        "Image Optional Header": {
            "Magic": "PE32",
            "LinkerVersion": "6.0",
            "SizeOfCode": 28672,
            "SizeOfInitializedData": 3481600,
            "SizeOfUninitializedData": 0,
            "AddressOfEntryPoint": "0x000077BA (Section: .text)",
            "BaseOfCode": 4096,
            "BaseOfData": 32768,
            "ImageBase": 4194304,
            "SectionAlignment": 4096,
            "FileAlignment": 4096,
            "OperatingSystemVersion": "4.0",
            "ImageVersion": "0.0",
            "SubsystemVersion": "4.0",
            "Win32VersionValue": 0,
            "SizeOfImage": 3514368,
            "SizeOfHeaders": 4096,
            "Checksum": 0,
            "Subsystem": "IMAGE_SUBSYSTEM_WINDOWS_GUI",
            "SizeofStackReserve": 1048576,
            "SizeofStackCommit": 4096,
            "SizeofHeapReserve": 1048576,
            "SizeofHeapCommit": 4096,
            "LoaderFlags": 0,
            "NumberOfRvaAndSizes": 16
        },
        "Sections": {
            ".text": {
                "MD5": "920e964050a1a5dd60dd00083fd541a2",
                "SHA1": "2eb82dfb19006b8970dcc5d72b2cf3fa1479538b",
                "SHA256": "55cda830ff2543783350fb781ed2bf77e72aa123134d2513acfb944487773054",
                "SHA3": "a294e1ddbf3569c07492fe333b75c73cc03c30219af55adf0b9cddcb00a33c4a",
                "VirtualSize": 27056,
                "VirtualAddress": 4096,
                "SizeOfRawData": 28672,
                "PointerToRawData": 4096,
                "PointerToRelocations": 0,
                "PointerToLineNumbers": 0,
                "NumberOfLineNumbers": 0,
                "NumberOfRelocations": 0,
                "Characteristics": [
                    "IMAGE_SCN_CNT_CODE",
                    "IMAGE_SCN_MEM_EXECUTE",
                    "IMAGE_SCN_MEM_READ"
                ],
                "Entropy": 6.40424
            },
            ".rdata": {
                "MD5": "2c42611802d585e6eed68595876d1a15",
                "SHA1": "18a834d08f616a6175c6e2281597d760c77c3d81",
                "SHA256": "a2acc94d242d28b6dd0a0859ec59ecc7f6b98d4ea09346b819d486b8827d2d79",
                "SHA3": "1d9c922261f7a5f4dc2a63f47b46e2e22d5c4bf3abffad17b8a1596c4bcadd01",
                "VirtualSize": 24432,
                "VirtualAddress": 32768,
                "SizeOfRawData": 24576,
                "PointerToRawData": 32768,
                "PointerToRelocations": 0,
                "PointerToLineNumbers": 0,
                "NumberOfLineNumbers": 0,
                "NumberOfRelocations": 0,
                "Characteristics": [
                    "IMAGE_SCN_CNT_INITIALIZED_DATA",
                    "IMAGE_SCN_MEM_READ"
                ],
                "Entropy": 6.66357
            },
            ".data": {
                "MD5": "83506e37bd8b50cacabd480f8eb3849b",
                "SHA1": "7bd2238995e2286a24e92667f161a3c14506d4e1",
                "SHA256": "110357de37bd422f6c68b66035e4652b99767819353f4c398953249a930fa823",
                "SHA3": "bea827e605da35d81e7fcf0b14dd94e3a8b65f1da641d4c60a4501d88ed3b243",
                "VirtualSize": 6488,
                "VirtualAddress": 57344,
                "SizeOfRawData": 8192,
                "PointerToRawData": 57344,
                "PointerToRelocations": 0,
                "PointerToLineNumbers": 0,
                "NumberOfLineNumbers": 0,
                "NumberOfRelocations": 0,
                "Characteristics": [
                    "IMAGE_SCN_CNT_INITIALIZED_DATA",
                    "IMAGE_SCN_MEM_READ",
                    "IMAGE_SCN_MEM_WRITE"
                ],
                "Entropy": 4.45575
            },
            ".rsrc": {
                "MD5": "f99ce7dc94308f0a149a19e022e4c316",
                "SHA1": "9782e77f3f117b9c50867e778a9e940cbc6cf080",
                "SHA256": "418c45aa8ad5b74ea7a820a4cf19b2fbc688502752d600a7800d3cbe1d058e44",
                "SHA3": "59f65388ffe5231f04c0e3e3c3053d952ea052f4eb722b788e628bd22347539d",
                "VirtualSize": 3448736,
                "VirtualAddress": 65536,
                "SizeOfRawData": 3448832,
                "PointerToRawData": 65536,
                "PointerToRelocations": 0,
                "PointerToLineNumbers": 0,
                "NumberOfLineNumbers": 0,
                "NumberOfRelocations": 0,
                "Characteristics": [
                    "IMAGE_SCN_CNT_INITIALIZED_DATA",
                    "IMAGE_SCN_MEM_READ"
                ],
                "Entropy": 7.99987
            }
        },
        "Imports": {
            "KERNEL32.dll": [
                "GetFileAttributesW",
                "GetFileSizeEx",
                "CreateFileA",
                "InitializeCriticalSection",
                "DeleteCriticalSection",
                "ReadFile",
                "GetFileSize",
                "WriteFile",
                "LeaveCriticalSection",
                "EnterCriticalSection",
                "SetFileAttributesW",
                "SetCurrentDirectoryW",
                "CreateDirectoryW",
                "GetTempPathW",
                "GetWindowsDirectoryW",
                "GetFileAttributesA",
                "SizeofResource",
                "LockResource",
                "LoadResource",
                "MultiByteToWideChar",
                "Sleep",
                "OpenMutexA",
                "GetFullPathNameA",
                "CopyFileA",
                "GetModuleFileNameA",
                "VirtualAlloc",
                "VirtualFree",
                "FreeLibrary",
                "HeapAlloc",
                "GetProcessHeap",
                "GetModuleHandleA",
                "SetLastError",
                "VirtualProtect",
                "IsBadReadPtr",
                "HeapFree",
                "SystemTimeToFileTime",
                "LocalFileTimeToFileTime",
                "CreateDirectoryA",
                "GetStartupInfoA",
                "SetFilePointer",
                "SetFileTime",
                "GetComputerNameW",
                "GetCurrentDirectoryA",
                "SetCurrentDirectoryA",
                "GlobalAlloc",
                "LoadLibraryA",
                "GetProcAddress",
                "GlobalFree",
                "CreateProcessA",
                "CloseHandle",
                "WaitForSingleObject",
                "TerminateProcess",
                "GetExitCodeProcess",
                "FindResourceA"
            ],
            "USER32.dll": [
                "wsprintfA"
            ],
            "ADVAPI32.dll": [
                "CreateServiceA",
                "OpenServiceA",
                "StartServiceA",
                "CloseServiceHandle",
                "CryptReleaseContext",
                "RegCreateKeyW",
                "RegSetValueExA",
                "RegQueryValueExA",
                "RegCloseKey",
                "OpenSCManagerA"
            ],
            "MSVCRT.dll": [
                "realloc",
                "fclose",
                "fwrite",
                "fread",
                "fopen",
                "sprintf",
                "rand",
                "srand",
                "strcpy",
                "memset",
                "strlen",
                "wcscat",
                "wcslen",
                "__CxxFrameHandler",
                "??3@YAXPAX@Z",
                "memcmp",
                "_except_handler3",
                "_local_unwind2",
                "wcsrchr",
                "swprintf",
                "??2@YAPAXI@Z",
                "memcpy",
                "strcmp",
                "strrchr",
                "__p___argv",
                "__p___argc",
                "_stricmp",
                "free",
                "malloc",
                "??0exception@@QAE@ABV0@@Z",
                "??1exception@@UAE@XZ",
                "??0exception@@QAE@ABQBD@Z",
                "_CxxThrowException",
                "calloc",
                "strcat",
                "_mbsstr",
                "??1type_info@@UAE@XZ",
                "_exit",
                "_XcptFilter",
                "exit",
                "_acmdln",
                "__getmainargs",
                "_initterm",
                "__setusermatherr",
                "_adjust_fdiv",
                "__p__commode",
                "__p__fmode",
                "__set_app_type",
                "_controlfp"
            ]
        },
        "Resources": {
            "2058": {
                "Type": "XIA",
                "Language": "English - United States",
                "Codepage": "Latin 1 / Western European",
                "Size": 3446325,
                "TimeDateStamp": "1980-Jan-01 00:00:00",
                "Entropy": 7.99991,
                "Detected Filetype": "Zip Compressed Archive",
                "MD5": "b576ada3366908875e5ce4cb3da6153a",
                "SHA1": "30f8820cf93a627c66195f0d77d6a409024c6e52",
                "SHA256": "5873c1b5b246c80ab88172d3294140a83d711cd64520a0c7dd7837f028146b80",
                "SHA3": "5f53b458ac8c5913f05bbb355b081e249293d4c61fe05c434b85c42381d54587"
            },
            "1": {
                "Type": "RT_VERSION",
                "Language": "English - United States",
                "Codepage": "Latin 1 / Western European",
                "Size": 904,
                "TimeDateStamp": "1980-Jan-01 00:00:00",
                "Entropy": 3.52974,
                "MD5": "0e14014289c29078069237196bd3ea72",
                "SHA1": "466a736f7f6987b34cd7a130e26a8af13d3cf76c",
                "SHA256": "f8cbc0ddb17a85f2ba099416961efef915f8eba926681df7cd2c1fa69f3c2b6a",
                "SHA3": "0f32d24563bec84c879a217df97c162c36ccfc4f0905018de48fc22c5a7b39c4"
            },
            "1 (#2)": {
                "Type": "RT_MANIFEST",
                "Language": "English - United States",
                "Codepage": "Latin 1 / Western European",
                "Size": 1263,
                "TimeDateStamp": "1980-Jan-01 00:00:00",
                "Entropy": 5.03919,
                "MD5": "a31cf56465371581763e9f0a86d41987",
                "SHA1": "4a6cdd3cb3dab86effefdf7e4b29538c45f77440",
                "SHA256": "590b5bae6a9c329da6d5b836e3ec9baeb9607b8ea88e7015a01e021fc416707f",
                "SHA3": "57e03e5f85a9c20ef2e09b404a322f0c81f20df1c6c57ca65793fc9646bc2445"
            }
        },
        "Version Info": {
            "Resource LangID": "English - United States",
            "VS_VERSION_INFO": {
                "Signature": 4277077181,
                "StructVersion": 65536,
                "FileVersion": "6.1.7601.17514",
                "ProductVersion": "6.1.7601.17514",
                "FileFlags": [],
                "FileOs": [
                    "VOS_DOS_WINDOWS32",
                    "VOS_NT",
                    "VOS_NT_WINDOWS32",
                    "VOS_WINCE",
                    "VOS__WINDOWS32"
                ],
                "FileType": "VFT_DLL",
                "Language": "English - United States",
                "CompanyName": "Microsoft Corporation",
                "FileDescription": "DiskPart",
                "FileVersion (#2)": "6.1.7601.17514 (win7sp1_rtm.101119-1850)",
                "InternalName": "diskpart.exe",
                "LegalCopyright": "\u00a9 Microsoft Corporation. All rights reserved.",
                "OriginalFilename": "diskpart.exe",
                "ProductName": "Microsoft\u00ae Windows\u00ae Operating System",
                "ProductVersion (#2)": "6.1.7601.17514"
            }
        },
        "RICH Header": {
            "XOR Key": 2186585252,
            "Unmarked objects": 0,
            "12 (7291)": 2,
            "C++ objects (8047)": 1,
            "14 (7299)": 4,
            "C objects (8047)": 11,
            "Linker (8047)": 4,
            "Imports (VS2003 (.NET) build 4035)": 13,
            "Total imports": 163,
            "C++ objects (VS98 SP6 build 8804)": 7,
            "Resource objects (VS98 SP6 cvtres build 1736)": 1
        },
        "Hashes": {
            "MD5": "84c82835a5d21bbcf75a61706d8ab549",
            "SHA1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467",
            "SHA256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
            "SHA3": "b0e240ef9f18786c588c4cffa777e35b1741189d543cf2220f25291bab2d2214",
            "SSDeep": "98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPe1Cxcxk3ZAEUadzR8yc4gB",
            "Imports Hash": "68f013d7437aa653a8a98a05807afeb1"
        },
        "Plugins": {
            "compilers": {
                "level": 1,
                "plugin_output": {
                    "info_0": "Microsoft Visual C++ 6.0 - 8.0",
                    "info_1": "Microsoft Visual C++",
                    "info_2": "Microsoft Visual C++ v6.0",
                    "info_3": "Microsoft Visual C++ v5.0/v6.0 (MFC)"
                },
                "summary": "Matching compiler(s):"
            },
            "strings": {
                "level": 2,
                "plugin_output": {
                    "Miscellaneous malware strings": [
                        "cmd.exe"
                    ]
                },
                "summary": "Strings found in the binary may indicate undesirable behavior:"
            },
            "findcrypt": {
                "level": 1,
                "plugin_output": {
                    "info_0": "Uses constants related to CRC32",
                    "info_1": "Uses constants related to AES",
                    "info_2": "Microsoft's Cryptography API"
                },
                "summary": "Cryptographic algorithms detected in the binary:"
            },
            "cryptoaddress": {
                "level": 3,
                "plugin_output": {
                    "Contains a valid Bitcoin address": [
                        "115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn",
                        "12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw",
                        "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94"
                    ]
                },
                "summary": "This program may be a ransomware."
            },
            "imports": {
                "level": 2,
                "plugin_output": {
                    "[!] The program may be hiding some of its imports": [
                        "LoadLibraryA",
                        "GetProcAddress"
                    ],
                    "Can access the registry": [
                        "RegCreateKeyW",
                        "RegSetValueExA",
                        "RegQueryValueExA",
                        "RegCloseKey"
                    ],
                    "Possibly launches other programs": [
                        "CreateProcessA"
                    ],
                    "Uses Microsoft's cryptographic API": [
                        "CryptReleaseContext"
                    ],
                    "Can create temporary files": [
                        "CreateFileA",
                        "GetTempPathW"
                    ],
                    "Memory manipulation functions often used by packers": [
                        "VirtualAlloc",
                        "VirtualProtect"
                    ],
                    "Interacts with services": [
                        "CreateServiceA",
                        "OpenServiceA",
                        "OpenSCManagerA"
                    ]
                },
                "summary": "The PE contains functions most legitimate programs don't use."
            },
            "resources": {
                "level": 2,
                "plugin_output": {
                    "info_0": "Resources account for 98.1255% of the executable."
                },
                "summary": "The PE is possibly a dropper."
            },
            "virustotal": {
                "level": 3,
                "plugin_output": {
                    "ALYac": "Trojan.Ransom.WannaCryptor",
                    "APEX": "Malicious",
                    "AVG": "Win32:WanaCry-A [Trj]",
                    "AhnLab-V3": "Trojan/Win32.WannaCryptor.R200571",
                    "Alibaba": "Ransom:Win32/WannaCry.ali1020010",
                    "Antiy-AVL": "Trojan[Ransom]/Win32.Wanna",
                    "Arcabit": "Trojan.Ransomware.Y",
                    "Avast": "Win32:WanaCry-A [Trj]",
                    "Avira": "TR/Ransom.JB",
                    "BitDefender": "Trojan.Ransomware.Y",
                    "Bkav": "W32.WanaCryptBTTc.Worm",
                    "CAT-QuickHeal": "Ransom.WannaCrypt.A4",
                    "CTX": "exe.ransomware.wannacry",
                    "ClamAV": "Win.Ransomware.Wannacryptor-9940180-0",
                    "CrowdStrike": "win/malicious_confidence_100% (W)",
                    "Cylance": "Unsafe",
                    "Cynet": "Malicious (score: 100)",
                    "DeepInstinct": "MALICIOUS",
                    "DrWeb": "Trojan.Encoder.11432",
                    "ESET-NOD32": "Win32/Filecoder.WannaCryptor.D trojan",
                    "Elastic": "malicious (high confidence)",
                    "Emsisoft": "Trojan.Ransomware.Y (B)",
                    "F-Secure": "Trojan.TR/Ransom.JB",
                    "Fortinet": "W32/WannaCryptor.6F87!tr.ransom",
                    "GData": "Win32.Trojan-Ransom.WannaCry.A",
                    "Gridinsoft": "Malware.Win32.Gen.bot!se54409",
                    "Ikarus": "Trojan-Ransom.WannaCry",
                    "Jiangmin": "Trojan.Wanna.eo",
                    "K7AntiVirus": "Trojan ( 0050d7171 )",
                    "K7GW": "Trojan ( 0050d7171 )",
                    "Kaspersky": "Trojan-Ransom.Win32.Wanna.zbu",
                    "Kingsoft": "Win32.Troj.Undef.a",
                    "Lionic": "Trojan.Win32.Wanna.toNn",
                    "Malwarebytes": "Generic.Ransom.FileCryptor.DDS",
                    "MaxSecure": "Trojan.Ransom.Wanna.d",
                    "McAfeeD": "Trojan:Win/WannaCry.AA",
                    "MicroWorld-eScan": "Trojan.Ransomware.Y",
                    "Microsoft": "Ransom:Win32/WannaCrypt!pz",
                    "NANO-Antivirus": "Trojan.Win32.Ransom.eoptnj",
                    "Paloalto": "generic.ml",
                    "Panda": "Trj/RansomCrypt.K",
                    "Rising": "Ransom.WanaCrypt!1.AAD9 (CLASSIC)",
                    "Sangfor": "Ransom.Win32.Save.WannaCry",
                    "SentinelOne": "Static AI - Suspicious PE",
                    "Skyhigh": "BehavesLike.Win32.Rootkit.wc",
                    "Sophos": "Troj/Ransom-EMG",
                    "Symantec": "Ransom.Wannacry",
                    "TACHYON": "Ransom/W32.WannaCry.Zen",
                    "Trapmine": "malicious.high.ml.score",
                    "TrellixENS": "Ransom-O.g",
                    "TrendMicro": "Ransom_WANA.A",
                    "TrendMicro-HouseCall": "Ransom_WANA.A",
                    "VBA32": "TrojanRansom.WannaCrypt",
                    "VIPRE": "Trojan.Ransomware.Y",
                    "Varist": "W32/Trojan.ZTSA-8671",
                    "ViRobot": "Trojan.Win32.S.WannaCry.3514368.N",
                    "VirIT": "Trojan.Win32.WannaCry.B",
                    "Xcitium": "Malware@#4gwtqo9z2tkf",
                    "Yandex": "Trojan.Igent.bUj9pX.12",
                    "Zillya": "Trojan.WannaCry.Win32.2",
                    "ZoneAlarm": "Troj/Ransom-EMG",
                    "Zoner": "Trojan.Win32.55605",
                    "alibabacloud": "RansomWare",
                    "huorong": "Ransom/Wannacry.j",
                    "tehtris": "Generic.Malware"
                },
                "summary": "VirusTotal score: 65/70 (Scanned on 2026-05-04 07:10:45)"
            }
        }
    }
}