SHA256: c365ddaa345cfcaff3d629505572a484cff5221933d68e4a52130b8bb7badaf9
File name: diskpart.exe
Detection ratio: 61 / 66
Analysis date: 2018-02-14 15:28:22 UTC ( 2 months ago )
Antivirus Result Update
Ad-Aware Trojan.Ransom.WannaCryptor.A 20180214
AegisLab Dropped.Generic.Ransom.Hydracrypt!c 20180214
AhnLab-V3 Trojan/Win32.WannaCryptor.R200571 20180214
ALYac Trojan.Ransom.WannaCryptor 20180213
Antiy-AVL Trojan[Ransom]/Win32.Scatter 20180214
Arcabit Trojan.Ransom.WannaCryptor.A 20180214
Avast Win32:WanaCry-A [Trj] 20180214
AVG Win32:WanaCry-A [Trj] 20180214
Avira (no cloud) TR/Ransom.JB 20180214
AVware Trojan.Win32.Generic!BT 20180214
Baidu Win32.Trojan.WannaCry.c 20180208
BitDefender Trojan.Ransom.WannaCryptor.A 20180214
CAT-QuickHeal Ransom.WannaCrypt.A4 20180214
ClamAV Win.Ransomware.WannaCry-6313787-0 20180214
Comodo TrojWare.Win32.Ransom.WannaCryptor.a 20180214
CrowdStrike Falcon (ML) malicious_confidence_100% (W) 20170201
Cylance Unsafe 20180214
Cyren W32/Trojan.ZTSA-8671 20180214
DrWeb Trojan.Encoder.11432 20180214
eGambit Trojan.Generic 20180214
Emsisoft Trojan.Ransom.WannaCryptor.A (B) 20180214
Endgame malicious (high confidence) 20171130
ESET-NOD32 Win32/Filecoder.WannaCryptor.D 20180214
F-Prot W32/WannaCrypt.D 20180214
F-Secure Trojan.Ransom.WannaCryptor.A 20180214
Fortinet W32/WannaCryptor.D!tr.ransom 20180214
GData Win32.Trojan-Ransom.WannaCry.A 20180214
Ikarus Trojan-Ransom.WannaCry 20180214
Sophos ML heuristic 20180121
Jiangmin Trojan.WanaCry.b 20180214
K7AntiVirus Trojan ( 0050d7171 ) 20180214
K7GW Trojan ( 0050d7171 ) 20180214
Kaspersky Trojan-Ransom.Win32.Wanna.zbu 20180214
Malwarebytes Ransom.WannaCrypt 20180214
MAX malware (ai score=100) 20180214
McAfee Ransom-WannaCry!86721E64FFBD 20180214
McAfee-GW-Edition BehavesLike.Win32.RansomWannaCry.wc 20180214
Microsoft Ransom:Win32/WannaCrypt 20180214
eScan Trojan.Ransom.WannaCryptor.A 20180214
NANO-Antivirus Trojan.Win32.Wanna.eorfmq 20180214
nProtect Ransom/W32.WannaCry.Zen 20180214
Palo Alto Networks (Known Signatures) generic.ml 20180214
Panda Trj/RansomCrypt.F 20180214
Qihoo-360 Win32/Trojan.Ransom.50f 20180214
Rising Ransom.WanaCrypt!1.AAEF (CLASSIC) 20180214
SentinelOne (Static ML) static engine - malicious 20180115
Sophos AV Troj/Ransom-EMG 20180214
Symantec Ransom.Wannacry 20180214
Tencent Trojan-Ransom.Win32.Wcry.a 20180214
TheHacker Trojan/Filecoder.WannaCryptor.d 20180213
TrendMicro Ransom_WCRY.J 20180214
TrendMicro-HouseCall Ransom_WCRY.J 20180214
VBA32 Trojan-Ransom.Wanna 20180214
VIPRE Trojan.Win32.Generic!BT 20180214
ViRobot Trojan.Win32.S.WannaCry.3514368.O 20180214
Webroot W32.Ransomware.Wcry 20180214
WhiteArmor Malware.HighConfidence 20180205
Yandex Trojan.Filecoder!LcLqI1eM+lA 20180214
Zillya Trojan.WannaCry.Win32.2 20180213
ZoneAlarm by Check Point Trojan-Ransom.Win32.Wanna.zbu 20180214
Zoner Trojan.Wanna 20180214
Alibaba 20180209
Avast-Mobile 20180214
Bkav 20180212
CMC 20180214
Cybereason None
Kingsoft 20180214
SUPERAntiSpyware 20180214
Symantec Mobile Insight 20180214
Trustlook 20180214
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
Copyright © Microsoft Corporation. All rights reserved.
Product Microsoft® Windows® Operating System
Original name diskpart.exe
Internal name diskpart.exe
File version 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Description DiskPart
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2010-11-20 09:05:05
Entry Point 0x000077BA
Number of sections 4
PE sections
PE imports
CloseServiceHandle
CryptReleaseContext
RegCloseKey
OpenServiceA
CreateServiceA
RegQueryValueExA
RegCreateKeyW
RegSetValueExA
StartServiceA
OpenSCManagerA
InitializeCriticalSection
HeapFree
EnterCriticalSection
LoadLibraryA
GetFileAttributesA
GlobalFree
WaitForSingleObject
FreeLibrary
CopyFileA
HeapAlloc
SetFileTime
VirtualProtect
GetFileAttributesW
GetModuleFileNameA
DeleteCriticalSection
GetStartupInfoA
SystemTimeToFileTime
SizeofResource
GetWindowsDirectoryW
GetFileSize
LockResource
CreateDirectoryA
GetCurrentDirectoryA
MultiByteToWideChar
CreateDirectoryW
GetProcAddress
GetProcessHeap
OpenMutexA
GetComputerNameW
SetFilePointer
GetFileSizeEx
GetModuleHandleA
ReadFile
GetTempPathW
CloseHandle
GetFullPathNameA
GetExitCodeProcess
TerminateProcess
CreateProcessA
SetCurrentDirectoryW
LoadResource
WriteFile
GlobalAlloc
VirtualFree
LocalFileTimeToFileTime
Sleep
IsBadReadPtr
SetFileAttributesW
CreateFileA
FindResourceA
VirtualAlloc
SetCurrentDirectoryA
SetLastError
LeaveCriticalSection
rand
malloc
??0exception@@QAE@ABV0@@Z
_acmdln
realloc
srand
fclose
strcat
_stricmp
_controlfp
swprintf
memset
fopen
strlen
_except_handler3
??2@YAPAXI@Z
fwrite
??0exception@@QAE@ABQBD@Z
__p__commode
wcslen
exit
sprintf
memcmp
strrchr
__setusermatherr
_local_unwind2
wcsrchr
_XcptFilter
__CxxFrameHandler
fread
??1exception@@UAE@XZ
_adjust_fdiv
??3@YAXPAX@Z
__p___argc
wcscat
_CxxThrowException
free
__getmainargs
calloc
__p___argv
memcpy
strcpy
__p__fmode
??1type_info@@UAE@XZ
_initterm
_exit
__set_app_type
strcmp
_mbsstr
wsprintfA
Number of PE resources by type
XIA 1
RT_VERSION 1
RT_MANIFEST 1
Number of PE resources by language
ENGLISH US 3
PE resources
ExifTool file metadata
SubsystemVersion 4.0
LinkerVersion 6.0
ImageVersion 0.0
FileSubtype 0
FileVersionNumber 6.1.7601.17514
UninitializedDataSize 0
LanguageCode English (U.S.)
FileFlagsMask 0x003f
CharacterSet Unicode
InitializedDataSize 3481600
EntryPoint 0x77ba
OriginalFileName diskpart.exe
MIMEType application/octet-stream
LegalCopyright Microsoft Corporation. All rights reserved.
FileVersion 6.1.7601.17514 (win7sp1_rtm.101119-1850)
TimeStamp 2010:11:20 10:05:05+01:00
FileType Win32 EXE
PEType PE32
InternalName diskpart.exe
ProductVersion 6.1.7601.17514
FileDescription DiskPart
OSVersion 4.0
FileOS Windows NT 32-bit
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CompanyName Microsoft Corporation
CodeSize 28672
ProductName Microsoft Windows Operating System
ProductVersionNumber 6.1.7601.17514
FileTypeExtension exe
ObjectFileType Dynamic link library
PE resource-wise parents
File identification
MD5 86721e64ffbd69aa6944b9672bcabb6d
SHA1 8897c658c0373be54eeac23bbd4264687a141ae1
SHA256 c365ddaa345cfcaff3d629505572a484cff5221933d68e4a52130b8bb7badaf9
ssdeep 98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPu1Cxcxk3ZAEUadzR8yc4gB
authentihash 719fd0d9719eb0b0b57034cfd4b95f3ab4a79fa3cccc5a29ab0cd96fddf136c6
imphash 68f013d7437aa653a8a98a05807afeb1
File size 3.4 MB ( 3514368 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable MS Visual C++ (generic) (42.2%)
Win64 Executable (generic) (37.3%)
Win32 Dynamic Link Library (generic) (8.8%)
Win32 Executable (generic) (6.0%)
Generic Win/DOS Executable (2.7%)
Tags peexe
VirusTotal metadata
First submission 2017-05-12 12:05:08 UTC ( 11 months, 1 week ago )
Last submission 2018-02-14 15:28:22 UTC ( 2 months ago )
File names tasksche.exe.3144.dr
tasksche.exe
diskpart.exe
264977.exe
c365ddaa345cfcaff3d629505572a484cff5221933d68e4a52130b8bb7badaf9.bin
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Copied files
Moved files
Deleted files
Created processes
Code injections in the following processes
Terminated processes
Created mutexes
Opened mutexes
Searched windows
Opened service managers
Opened services
Hooking activity
Runtime DLLs
Additional details
The file installs an application-defined hook procedure into a hook chain. A hook procedure is installed to monitor the system for certain types of events; these events are associated either with a specific thread or with all threads in the same desktop as the calling thread. This is done by calling the SetWindowsHook Windows API function.
DNS requests
TCP connections
UDP communications