| Architecture | IMAGE_FILE_MACHINE_I386 |
|---|---|
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| Compilation Date | 2010-Nov-20 09:03:08 |
| Detected languages | English - United States |
| CompanyName | Microsoft Corporation |
| FileDescription | Microsoft® Disk Defragmenter |
| FileVersion | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| InternalName | lhdfrgui.exe |
| LegalCopyright | © Microsoft Corporation. All rights reserved. |
| OriginalFilename | lhdfrgui.exe |
| ProductName | Microsoft® Windows® Operating System |
| ProductVersion | 6.1.7601.17514 |
| Info | Matching compiler(s): Microsoft Visual C++ 6.0 DLL (Debug); Microsoft Visual C++ 6.0 - 8.0; Microsoft Visual C++ 6.0 DLL; Microsoft Visual C++; Microsoft Visual C++ v6.0; Microsoft Visual C++ v5.0/v6.0 (MFC) |
| Suspicious | Strings found in the binary may indicate undesirable behavior: Contains another PE executable: |
| Info | Cryptographic algorithms detected in the binary: Uses constants related to CRC32; Uses constants related to AES; Microsoft's Cryptography API |
| Malicious | This program may be a ransomware. Contains a valid Bitcoin address: |
| Suspicious | The PE contains functions most legitimate programs don't use. Uses Microsoft's cryptographic API: |
| Malicious | The PE is possibly a dropper. Resource 1831 detected as a PE Executable. Resources amount for 94.4148% of the executable. |
| Malicious | VirusTotal score: 70/72 (Scanned on 2023-10-26 01:10:02); per-engine results in the table below |

| Engine | Result |
|---|---|
| Bkav | W32.RunteMopeaV.Trojan |
| Lionic | Trojan.Win32.Wanna.toNz |
| Elastic | malicious (high confidence) |
| MicroWorld-eScan | Trojan.Ransom.WannaCryptor.H |
| CAT-QuickHeal | Ransomware.WannaCry.IRG1 |
| Skyhigh | BehavesLike.Win32.RansomWannaCry.wc |
| ALYac | Trojan.Ransom.WannaCryptor |
| Cylance | unsafe |
| Zillya | Trojan.WannaCryptGen.Win32.2 |
| Sangfor | Ransom.Win32.Save.WannaCry |
| K7AntiVirus | Exploit ( 0050d7a31 ) |
| BitDefender | Trojan.Ransom.WannaCryptor.H |
| K7GW | Exploit ( 0050d7a31 ) |
| Cybereason | malicious.aff85f |
| Baidu | Win32.Worm.Rbot.a |
| VirIT | Trojan.Win32.WannaCry.B |
| Symantec | Ransom.Wannacry |
| tehtris | Generic.Malware |
| ESET-NOD32 | Win32/Exploit.CVE-2017-0147.A |
| APEX | Malicious |
| ClamAV | Win.Ransomware.Wanna-9769986-0 |
| Kaspersky | Trojan-Ransom.Win32.Wanna.m |
| Alibaba | Ransom:Win32/WannaCry.398 |
| NANO-Antivirus | Trojan.Win32.Wanna.eoqegc |
| ViRobot | Trojan.Win32.S.WannaCry.3723264.S |
| Avast | Sf:WNCryLdr-A [Trj] |
| Rising | Exploit.EternalBlue!1.AAED (CLASSIC) |
| TACHYON | Ransom/W32.WannaCry.Zen |
| Emsisoft | Trojan-Ransom.WanaCrypt0r (A) |
| F-Secure | Trojan:W32/WannaCry.D |
| DrWeb | Trojan.Encoder.11432 |
| VIPRE | Trojan.Ransom.WannaCryptor.H |
| TrendMicro | WORM_WCRY.A |
| Trapmine | malicious.high.ml.score |
| FireEye | Generic.mg.db349b97c37d22f5 |
| Sophos | Mal/Wanna-A |
| Ikarus | Trojan-Ransom.WannaCry |
| GData | Win32.Trojan-Ransom.WannaCry.D |
| Jiangmin | Trojan.WanaCry.i |
| Webroot | W32.Ransom.Wannacry |
| Google | Detected |
| Avira | TR/Ransom.IZ |
| Varist | W32/Trojan.ZTSA-8671 |
| Antiy-AVL | Trojan[Ransom]/Win32.Wanna |
| Kingsoft | Win32.Troj.Undef.a |
| Gridinsoft | Malware.Win32.Gen.bot!se30058 |
| Xcitium | TrojWare.Win32.WannaCry.jet@714um4 |
| Arcabit | Trojan.Ransom.WannaCryptor.H |
| SUPERAntiSpyware | Ransom.WannaCrypt/Variant |
| ZoneAlarm | Trojan-Ransom.Win32.Wanna.m |
| Microsoft | Ransom:Win32/WannaCrypt |
| Cynet | Malicious (score: 100) |
| AhnLab-V3 | Trojan/Win32.WannaCryptor.R200572 |
| Acronis | suspicious |
| McAfee | Ransom-O.g |
| MAX | malware (ai score=100) |
| VBA32 | TrojanRansom.Wanna |
| Malwarebytes | CVE20170147.Trojan.Exploit.DDS |
| Panda | Trj/RansomCrypt.K |
| Zoner | Trojan.Win32.59562 |
| TrendMicro-HouseCall | WORM_WCRY.A |
| Tencent | Trojan-Ransom.Win32.WannaCry.b |
| Yandex | Trojan.GenAsa!VW7HnU9046M |
| SentinelOne | Static AI - Malicious PE |
| MaxSecure | Trojan-Ransom.Win32.Wanna.m |
| Fortinet | W32/RANSOM.A!tr |
| BitDefenderTheta | Gen:NN.ZexaF.36792.Jt0@aePsbmpi |
| AVG | Sf:WNCryLdr-A [Trj] |
| DeepInstinct | MALICIOUS |
| CrowdStrike | win/malicious_confidence_100% (W) |
| e_magic | MZ |
|---|---|
| e_cblp | 0x90 |
| e_cp | 0x3 |
| e_crlc | 0 |
| e_cparhdr | 0x4 |
| e_minalloc | 0 |
| e_maxalloc | 0xffff |
| e_ss | 0 |
| e_sp | 0xb8 |
| e_csum | 0 |
| e_ip | 0 |
| e_cs | 0 |
| e_ovno | 0 |
| e_oemid | 0 |
| e_oeminfo | 0 |
| e_lfanew | 0xf8 |
| Signature | PE |
|---|---|
| Machine | IMAGE_FILE_MACHINE_I386 |
| NumberofSections | 4 |
| TimeDateStamp | 2010-Nov-20 09:03:08 |
| PointerToSymbolTable | 0 |
| NumberOfSymbols | 0 |
| SizeOfOptionalHeader | 0xe0 |
| Characteristics | IMAGE_FILE_32BIT_MACHINE; IMAGE_FILE_EXECUTABLE_IMAGE; IMAGE_FILE_LINE_NUMS_STRIPPED; IMAGE_FILE_LOCAL_SYMS_STRIPPED; IMAGE_FILE_RELOCS_STRIPPED |
| Magic | PE32 |
|---|---|
| LinkerVersion | 6.0 |
| SizeOfCode | 0x9000 |
| SizeOfInitializedData | 0x383000 |
| SizeOfUninitializedData | 0 |
| AddressOfEntryPoint | 0x00009A16 (Section: .text) |
| BaseOfCode | 0x1000 |
| BaseOfData | 0xa000 |
| ImageBase | 0x400000 |
| SectionAlignment | 0x1000 |
| FileAlignment | 0x1000 |
| OperatingSystemVersion | 4.0 |
| ImageVersion | 0.0 |
| SubsystemVersion | 4.0 |
| Win32VersionValue | 0 |
| SizeOfImage | 0x66b000 |
| SizeOfHeaders | 0x1000 |
| Checksum | 0 |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| SizeofStackReserve | 0x100000 |
| SizeofStackCommit | 0x1000 |
| SizeofHeapReserve | 0x100000 |
| SizeofHeapCommit | 0x1000 |
| LoaderFlags | 0 |
| NumberOfRvaAndSizes | 16 |
| KERNEL32.dll | WaitForSingleObject, InterlockedIncrement, GetCurrentThreadId, GetCurrentThread, ReadFile, GetFileSize, CreateFileA, MoveFileExA, SizeofResource, TerminateThread, LoadResource, FindResourceA, GetProcAddress, GetModuleHandleW, ExitProcess, GetModuleFileNameA, LocalFree, LocalAlloc, CloseHandle, InterlockedDecrement, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, GlobalAlloc, GlobalFree, QueryPerformanceFrequency, QueryPerformanceCounter, GetTickCount, LockResource, Sleep, GetStartupInfoA, GetModuleHandleA |
|---|---|
| ADVAPI32.dll | StartServiceCtrlDispatcherA, RegisterServiceCtrlHandlerA, ChangeServiceConfig2A, SetServiceStatus, OpenSCManagerA, CreateServiceA, CloseServiceHandle, StartServiceA, CryptGenRandom, CryptAcquireContextA, OpenServiceA |
| WS2_32.dll | closesocket, recv, send, htonl, ntohl, WSAStartup, inet_ntoa, ioctlsocket, select, htons, socket, connect, inet_addr |
| MSVCP60.dll | ??1_Lockit@std@@QAE@XZ, ??0_Lockit@std@@QAE@XZ |
| iphlpapi.dll | GetAdaptersInfo, GetPerAdapterInfo |
| WININET.dll | InternetOpenA, InternetOpenUrlA, InternetCloseHandle |
| MSVCRT.dll | __set_app_type, _stricmp, __p__fmode, __p__commode, _except_handler3, __setusermatherr, _initterm, __getmainargs, _acmdln, _adjust_fdiv, _controlfp, exit, _XcptFilter, _exit, _onexit, __dllonexit, free, ??2@YAPAXI@Z, _ftol, sprintf, _endthreadex, strncpy, rand, _beginthreadex, __CxxFrameHandler, srand, time, __p___argc |
| Signature | 0xfeef04bd |
|---|---|
| StructVersion | 0x10000 |
| FileVersion | 6.1.7601.17514 |
| ProductVersion | 6.1.7601.17514 |
| FileFlags | (EMPTY) |
| FileOs | VOS_DOS_WINDOWS32; VOS_NT; VOS_NT_WINDOWS32; VOS_WINCE; VOS__WINDOWS32 |
| FileType | VFT_APP |
| Language | English - United States |
| CompanyName | Microsoft Corporation |
| FileDescription | Microsoft® Disk Defragmenter |
| FileVersion (#2) | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| InternalName | lhdfrgui.exe |
| LegalCopyright | © Microsoft Corporation. All rights reserved. |
| OriginalFilename | lhdfrgui.exe |
| ProductName | Microsoft® Windows® Operating System |
| ProductVersion (#2) | 6.1.7601.17514 |
| Resource LangID | English - United States |
|---|---|
| XOR Key | 0xc33d5d11 |
|---|---|
| Unmarked objects | 0 |
| 12 (7291) | 1 |
| 14 (7299) | 4 |
| C objects (8047) | 11 |
| C++ objects (8047) | 1 |
| Linker (8047) | 4 |
| Imports (VS2003 (.NET) build 4035) | 11 |
| Total imports | 91 |
| C++ objects (VS98 SP6 build 8804) | 1 |
| Resource objects (VS98 SP6 cvtres build 1736) | 1 |