Architecture |
IMAGE_FILE_MACHINE_I386
|
---|---|
Subsystem |
IMAGE_SUBSYSTEM_WINDOWS_GUI
|
Compilation Date | 2010-Nov-20 09:03:08 |
Detected languages |
English - United States
|
CompanyName | Microsoft Corporation |
FileDescription | Microsoft® Disk Defragmenter |
FileVersion | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
InternalName | lhdfrgui.exe |
LegalCopyright | © Microsoft Corporation. All rights reserved. |
OriginalFilename | lhdfrgui.exe |
ProductName | Microsoft® Windows® Operating System |
ProductVersion | 6.1.7601.17514 |
Info | Matching compiler(s): |
Microsoft Visual C++ 6.0 DLL (Debug)
Microsoft Visual C++ 6.0 - 8.0 Microsoft Visual C++ 6.0 DLL Microsoft Visual C++ Microsoft Visual C++ v6.0 Microsoft Visual C++ v5.0/v6.0 (MFC) |
Suspicious | Strings found in the binary may indicate undesirable behavior: |
Miscellaneous malware strings:
|
Info | Cryptographic algorithms detected in the binary: |
Uses constants related to CRC32
Uses constants related to AES Microsoft's Cryptography API |
Malicious | This program contains valid cryptocurrency addresses. |
Contains a valid Bitcoin address:
|
Suspicious | The PE contains functions most legitimate programs don't use. |
Uses Microsoft's cryptographic API:
|
Malicious | The PE is possibly a dropper. |
Resource 1831 detected as a PE Executable.
Resources amount for 94.4148% of the executable. |
Malicious | VirusTotal score: 62/67 (Scanned on 2018-06-19 15:01:47) |
Bkav:
W32.WannaCrypLTE.Trojan
MicroWorld-eScan: Trojan.Ransom.WannaCryptor.H CAT-QuickHeal: Ransom.WannaCrypt.A4 McAfee: Ransom-WannaCry!D5DCD28612F4 Cylance: Unsafe VIPRE: Trojan.Win32.Generic!BT TheHacker: Trojan/Exploit.CVE-2017-0147.a BitDefender: Trojan.Ransom.WannaCryptor.H K7GW: Exploit ( 0050d7a31 ) K7AntiVirus: Exploit ( 0050d7a31 ) Arcabit: Trojan.Ransom.WannaCryptor.H TrendMicro: Ransom_WCRY.SM2 Baidu: Win32.Worm.Rbot.a F-Prot: W32/WannaCrypt.D Symantec: Ransom.Wannacry ESET-NOD32: Win32/Exploit.CVE-2017-0147.A TrendMicro-HouseCall: Ransom_WCRY.SM2 Paloalto: generic.ml ClamAV: Win.Malware.Agent-6395172-0 Kaspersky: Trojan-Ransom.Win32.Wanna.m Cybereason: malicious.612f4d NANO-Antivirus: Trojan.Win32.Wanna.eovgam ViRobot: Trojan.Win32.S.WannaCry.3723264.BA SUPERAntiSpyware: Ransom.WannaCrypt/Variant Avast: Win32:WanaCry-A [Trj] Rising: Ransom.WanaCrypt!1.AAED (KTSE) Ad-Aware: Trojan.Ransom.WannaCryptor.H Emsisoft: Trojan-Ransom.WanaCrypt0r (A) Comodo: TrojWare.Win32.Ransom.WannaCryptor.B F-Secure: Trojan.Ransom.WannaCryptor.H DrWeb: Trojan.Encoder.11432 Zillya: Trojan.WannaCryptGen.Win32.2 Invincea: heuristic McAfee-GW-Edition: BehavesLike.Win32.RansomWannaCry.wc Sophos: Troj/Ransom-EMG SentinelOne: static engine - malicious Cyren: W32/Trojan.ZTSA-8671 Jiangmin: Trojan.WanaCry.i Webroot: W32.Ransom.Wannacry Avira: TR/Ransom.IZ Antiy-AVL: Trojan[Ransom]/Win32.Scatter Endgame: malicious (high confidence) Microsoft: Ransom:Win32/WannaCrypt.A!rsm AegisLab: Troj.Ransom.W32!c ZoneAlarm: Trojan-Ransom.Win32.Wanna.m GData: Win32.Trojan-Ransom.WannaCry.D TACHYON: Ransom/W32.WannaCry.Zen AhnLab-V3: Trojan/Win32.WannaCryptor.R200572 ALYac: Trojan.Ransom.WannaCryptor AVware: Trojan.Win32.Generic!BT MAX: malware (ai score=100) VBA32: TrojanRansom.Wanna Malwarebytes: Ransom.WannaCrypt Zoner: Trojan.Wannacry Tencent: Trojan-Ransom.Win32.Wcry.a Yandex: Exploit.CVE-2017-0147! Ikarus: Trojan-Ransom.WannaCry Fortinet: W32/WannaCryptor.H!tr.ransom AVG: Win32:WanaCry-A [Trj] Panda: Trj/RansomCrypt.I CrowdStrike: malicious_confidence_100% (W) Qihoo-360: Win32/Backdoor.80f |
e_magic | MZ |
---|---|
e_cblp | 0x90 |
e_cp | 0x3 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0 |
e_maxalloc | 0xffff |
e_ss | 0 |
e_sp | 0xb8 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0 |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0xf8 |
Signature | PE |
---|---|
Machine |
IMAGE_FILE_MACHINE_I386
|
NumberofSections | 4 |
TimeDateStamp | 2010-Nov-20 09:03:08 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xe0 |
Characteristics |
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED
|
Magic | PE32 |
---|---|
LinkerVersion | 6.0 |
SizeOfCode | 0x9000 |
SizeOfInitializedData | 0x383000 |
SizeOfUninitializedData | 0 |
AddressOfEntryPoint | 0x00009A16 (Section: .text) |
BaseOfCode | 0x1000 |
BaseOfData | 0xa000 |
ImageBase | 0x400000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x1000 |
OperatingSystemVersion | 4.0 |
ImageVersion | 0.0 |
SubsystemVersion | 4.0 |
Win32VersionValue | 0 |
SizeOfImage | 0x66b000 |
SizeOfHeaders | 0x1000 |
Checksum | 0 |
Subsystem |
IMAGE_SUBSYSTEM_WINDOWS_GUI
|
SizeofStackReserve | 0x100000 |
SizeofStackCommit | 0x1000 |
SizeofHeapReserve | 0x100000 |
SizeofHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |
KERNEL32.dll |
WaitForSingleObject
InterlockedIncrement GetCurrentThreadId GetCurrentThread ReadFile GetFileSize CreateFileA MoveFileExA SizeofResource TerminateThread LoadResource FindResourceA GetProcAddress GetModuleHandleW ExitProcess GetModuleFileNameA LocalFree LocalAlloc CloseHandle InterlockedDecrement EnterCriticalSection LeaveCriticalSection InitializeCriticalSection GlobalAlloc GlobalFree QueryPerformanceFrequency QueryPerformanceCounter GetTickCount LockResource Sleep GetStartupInfoA GetModuleHandleA |
---|---|
ADVAPI32.dll |
StartServiceCtrlDispatcherA
RegisterServiceCtrlHandlerA ChangeServiceConfig2A SetServiceStatus OpenSCManagerA CreateServiceA CloseServiceHandle StartServiceA CryptGenRandom CryptAcquireContextA OpenServiceA |
WS2_32.dll |
#3
#16 #19 #8 #14 #115 #12 #10 #18 #9 #23 #4 #11 |
MSVCP60.dll |
??1_Lockit@std@@QAE@XZ
??0_Lockit@std@@QAE@XZ |
iphlpapi.dll |
GetAdaptersInfo
GetPerAdapterInfo |
WININET.dll |
InternetOpenA
InternetOpenUrlA InternetCloseHandle |
MSVCRT.dll |
__set_app_type
_stricmp __p__fmode __p__commode _except_handler3 __setusermatherr _initterm __getmainargs _acmdln _adjust_fdiv _controlfp exit _XcptFilter _exit _onexit __dllonexit free ??2@YAPAXI@Z _ftol sprintf _endthreadex strncpy rand _beginthreadex __CxxFrameHandler srand time __p___argc |
Signature | 0xfeef04bd |
---|---|
StructVersion | 0x10000 |
FileVersion | 6.1.7601.17514 |
ProductVersion | 6.1.7601.17514 |
FileFlags | (EMPTY) |
FileOs |
VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
|
FileType |
VFT_APP
|
Language | English - United States |
CompanyName | Microsoft Corporation |
FileDescription | Microsoft® Disk Defragmenter |
FileVersion (#2) | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
InternalName | lhdfrgui.exe |
LegalCopyright | © Microsoft Corporation. All rights reserved. |
OriginalFilename | lhdfrgui.exe |
ProductName | Microsoft® Windows® Operating System |
ProductVersion (#2) | 6.1.7601.17514 |
Resource LangID | English - United States |
---|
XOR Key | 0xc33d5d11 |
---|---|
Unmarked objects | 0 |
12 (7291) | 1 |
14 (7299) | 4 |
C objects (8047) | 11 |
C++ objects (8047) | 1 |
Linker (8047) | 4 |
Imports (VS2003 (.NET) build 4035) | 11 |
Total imports | 91 |
C++ objects (VS98 SP6 build 8804) | 1 |
Resource objects (VS98 SP6 cvtres build 1736) | 1 |