SHA256: 32ee791aa61bfe60a28a788663e15376da83d7b20e133f6f96f77c54f262fcc1
File name: 32ee791aa61bfe60_xcopy.exe
Detection ratio: 0 / 66
Analysis date: 2018-02-06 20:57:09 UTC ( 2 weeks, 2 days ago )
Trusted source! This file belongs to the Microsoft Corporation software catalogue.
Antivirus Result Update
ALYac 20180206
AVG 20180206
AVware 20180206
Ad-Aware 20180206
AegisLab 20180206
AhnLab-V3 20180206
Antiy-AVL 20180206
Arcabit 20180206
Avast 20180206
Avast-Mobile 20180206
Avira (no cloud) 20180206
Baidu 20180206
BitDefender 20180206
Bkav 20180206
CAT-QuickHeal 20180206
CMC 20180206
ClamAV 20180206
Comodo 20180206
CrowdStrike Falcon (ML) 20170201
Cybereason 20180205
Cylance 20180206
Cyren 20180206
DrWeb 20180206
ESET-NOD32 20180206
Emsisoft 20180206
Endgame 20171130
F-Prot 20180206
Fortinet 20180206
GData 20180206
Ikarus 20180206
Sophos ML 20180121
Jiangmin 20180206
K7AntiVirus 20180206
K7GW 20180206
Kaspersky 20180206
Kingsoft 20180206
MAX 20180206
Malwarebytes 20180206
McAfee 20180206
McAfee-GW-Edition 20180206
eScan 20180206
Microsoft 20180206
NANO-Antivirus 20180206
Palo Alto Networks (Known Signatures) 20180206
Panda 20180206
Qihoo-360 20180206
Rising 20180206
SUPERAntiSpyware 20180206
SentinelOne (Static ML) 20180115
Sophos AV 20180206
Symantec 20180206
Tencent 20180206
TheHacker 20180206
TotalDefense 20180206
TrendMicro 20180206
TrendMicro-HouseCall 20180206
VBA32 20180206
VIPRE 20180206
ViRobot 20180206
Webroot 20180206
Yandex 20180206
Zillya 20180206
ZoneAlarm by Check Point 20180206
Zoner 20180206
eGambit 20180206
nProtect 20180206
Alibaba 20180206
Symantec Mobile Insight 20180202
Trustlook 20180206
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows command line subsystem that targets 64-bit architectures.
Authenticode signature block and FileVersionInfo properties
Copyright
© Microsoft Corporation. All rights reserved.

Product Microsoft® Windows® Operating System
Original name XCOPY.EXE
Internal name xcopy
File version 6.1.7600.16385 (win7_rtm.090713-1255)
Description Extended Copy Utility
Signature verification Signed file, verified signature
Signing date 4:17 AM 7/14/2009
Signers
[+] Microsoft Windows
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Microsoft Windows Verification PCA
Valid from 9:39 PM 10/22/2008
Valid to 9:49 PM 1/22/2010
Valid usage Code Signing, NT5 Crypto
Algorithm sha1RSA
Thumbprint 018B222E21FBB2952304D04D1D87F736ED46DEA4
Serial number 61 01 C6 C1 00 00 00 00 00 07
[+] Microsoft Windows Verification PCA
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Microsoft Root Certificate Authority
Valid from 10:55 PM 9/15/2005
Valid to 11:05 PM 3/15/2016
Valid usage Code Signing, NT5 Crypto
Algorithm sha1RSA
Thumbprint 5DF0D7571B0780783960C68B78571FFD7EDAF021
Serial number 61 07 02 DC 00 00 00 00 00 0B
[+] Microsoft Root Certificate Authority
Status Valid
Issuer Microsoft Root Certificate Authority
Valid from 12:19 AM 5/10/2001
Valid to 12:28 AM 5/10/2021
Valid usage All
Algorithm sha1RSA
Thumbprint CDD4EEAE6000AC7F40C3802C171E30148030C072
Serial number 79 AD 16 A1 4A A0 A5 AD 4C 73 58 F4 07 13 2E 65
Counter signers
[+] Microsoft Time-Stamp Service
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Microsoft Time-Stamp PCA
Valid from 11:03 PM 6/5/2007
Valid to 11:13 PM 6/5/2012
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 80B9915817340CEE66D71EC27DA5F96EBF8D94D8
Serial number 61 04 CA 69 00 00 00 00 00 08
[+] Microsoft Time-Stamp PCA
Status Valid
Issuer Microsoft Root Certificate Authority
Valid from 1:53 PM 4/3/2007
Valid to 2:03 PM 4/3/2021
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 375FCB825C3DC3752A02E34EB70993B4997191EF
Serial number 61 16 68 34 00 00 00 00 00 1C
[+] Microsoft Root Certificate Authority
Status Valid
Issuer Microsoft Root Certificate Authority
Valid from 12:19 AM 5/10/2001
Valid to 12:28 AM 5/10/2021
Valid usage All
Algorithm sha1RSA
Thumbprint CDD4EEAE6000AC7F40C3802C171E30148030C072
Serial number 79 AD 16 A1 4A A0 A5 AD 4C 73 58 F4 07 13 2E 65
PE header basic information
Target machine x64
Compilation timestamp 2009-07-13 23:25:32
Entry Point 0x00007CA0
Number of sections 5
PE sections
PE imports
AdjustTokenPrivileges
LookupPrivilegeValueW
OpenProcessToken
GetLastError
GetCurrentProcess
TerminateProcess
CreateDirectoryExW
GetFileTime
GetCurrentProcessId
UnhandledExceptionFilter
OpenProcess
HeapSetInformation
SetFileTime
GetCommandLineW
QueryPerformanceCounter
FindClose
SetUnhandledExceptionFilter
Sleep
CloseHandle
GetSystemTimeAsFileTime
GetTickCount
GetCurrentThreadId
GetModuleHandleW
?QueryFreeDiskSpace@IFS_SYSTEM@@SAEPEBVWSTRING@@PEAVBIG_INT@@@Z
_amsg_exit
?terminate@@YAXXZ
__C_specific_handler
_wgetenv
_exit
__getmainargs
_wcsnicmp
_cexit
exit
_XcptFilter
_commode
_initterm
__setusermatherr
_fmode
towupper
__set_app_type
RtlAllocateHeap
NtSetInformationProcess
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
RtlFreeHeap
?EnableLineMode@KEYBOARD@@QEAAEXZ
??1TIMEINFO_ARGUMENT@@UEAA@XZ
?GetNext@FSN_DIRECTORY@@QEAAPEAVFSNODE@@PEAPEAXPEAK@Z
??1PATH@@UEAA@XZ
?ValidateVersion@PROGRAM@@UEBAXKK@Z
??1DSTRING@@UEAA@XZ
?Copy@FSN_FILE@@QEBAEPEAVPATH@@PEAW4_COPY_ERROR@@KP6AKT_LARGE_INTEGER@@222KKPEAX33@Z3PEAH@Z
?SPrintf@DSTRING@@UEAAEPEBGZZ
?GetLexemeAt@ARGUMENT_LEXEMIZER@@QEAAPEAVWSTRING@@K@Z
?QueryWindowsErrorMessage@SYSTEM@@SAEKPEAVWSTRING@@@Z
?QueryDriveType@SYSTEM@@SA?AW4DRIVE_TYPE@@PEBVWSTRING@@@Z
?TruncateBase@PATH@@QEAAEXZ
??1STRING_ARGUMENT@@UEAA@XZ
?Initialize@STRING_ARRAY@@QEAAEKKK@Z
?NewBuf@DSTRING@@UEAAEK@Z
?Strstr@WSTRING@@QEBAKPEBV1@@Z
?DeleteDirectory@FSN_DIRECTORY@@QEAAEXZ
??0PATH_ARGUMENT@@QEAA@XZ
?QueryDirectory@SYSTEM@@SAPEAVFSN_DIRECTORY@@PEBVPATH@@E@Z
?QueryFile@SYSTEM@@SAPEAVFSN_FILE@@PEBVPATH@@EPEAE@Z
?Strcat@WSTRING@@QEAAEPEBV1@@Z
?RemoveNode@SYSTEM@@SAEPEAPEAVFSNODE@@E@Z
?DisableLineMode@KEYBOARD@@QEAAEXZ
?GetStandardError@PROGRAM@@UEAAPEAVSTREAM@@XZ
??0FSTRING@@QEAA@XZ
?IsEmpty@FSN_DIRECTORY@@QEBAEXZ
??9WSTRING@@QEBAEAEBV0@@Z
??0STRING_ARGUMENT@@QEAA@XZ
?SetAttributes@FSN_FILTER@@QEAAEKKK@Z
?FindFirstFileW@@YAPEAXPEBVPATH@@PEAU_WIN32_FIND_DATAW@@@Z
?DeleteAllMembers@ARRAY@@UEAAEXZ
?QueryFullPathString@PATH@@QEBAPEAVWSTRING@@XZ
?Usage@PROGRAM@@UEBAXXZ
?ExitProgram@PROGRAM@@SAXK@Z
?Initialize@PROGRAM@@QEAAEKKK@Z
?IsValueSet@ARGUMENT@@QEAAEXZ
?SetTimeInfo@FSN_FILTER@@QEAAEPEBVTIMEINFO@@W4FSN_TIME@@G@Z
?PutMultipleSwitch@ARGUMENT_LEXEMIZER@@QEAAXPEBD@Z
?SetFileName@FSN_FILTER@@QEAAEPEBVWSTRING@@@Z
?ReadLine@STREAM@@QEAAEPEAVWSTRING@@E@Z
?QueryStream@FSN_FILE@@QEAAPEAVFILE_STREAM@@W4STREAMACCESS@@K@Z
?DisplayMessage@PROGRAM@@UEBAEKW4MESSAGE_TYPE@@PEADZZ
??8WSTRING@@QEBAEAEBV0@@Z
?EndsWithDelimiter@PATH@@QEBAEXZ
?ModifyName@PATH@@QEAAEPEBVWSTRING@@@Z
?PutSeparators@ARGUMENT_LEXEMIZER@@QEAAXPEBD@Z
??OTIMEINFO@@QEBAEV0@@Z
??0ARGUMENT_LEXEMIZER@@QEAA@XZ
?Fatal@PROGRAM@@UEBAXXZ
?Strchr@WSTRING@@QEBAKGK@Z
?DoesNodeMatch@FSN_FILTER@@QEAAEPEAVFSNODE@@@Z
?DoParsing@ARGUMENT_LEXEMIZER@@QEAAEPEAVARRAY@@@Z
??1FSTRING@@UEAA@XZ
?SPrintfAppend@DSTRING@@UEAAEPEBGZZ
?Initialize@PATH@@QEAAEPEBVWSTRING@@E@Z
?GotABreak@KEYBOARD@@SAEXZ
?Compare@OBJECT@@UEBAJPEBV1@@Z
?MakeDirectory@SYSTEM@@SAPEAVFSN_DIRECTORY@@PEBVPATH@@0PEAW4_COPY_ERROR@@P6AKT_LARGE_INTEGER@@222KKPEAX33@Z3PEAHK@Z
??1PROGRAM@@UEAA@XZ
?AppendBase@PATH@@QEAAEPEBVWSTRING@@E@Z
?GetPFlagBreak@KEYBOARD@@QEBAQEAHXZ
?Initialize@CLASS_DESCRIPTOR@@QEAAEXZ
?Initialize@PATH_ARGUMENT@@QEAAEPEADE@Z
?Resize@DSTRING@@UEAAEK@Z
?GetStandardOutput@PROGRAM@@UEAAPEAVSTREAM@@XZ
??0FSN_FILTER@@QEAA@XZ
??0FLAG_ARGUMENT@@QEAA@XZ
?Fatal@PROGRAM@@UEBAXKKPEADZZ
?DisplayMessage@PROGRAM@@UEBAEKW4MESSAGE_TYPE@@@Z
?DisableBreakHandling@KEYBOARD@@SAEXZ
?Truncate@WSTRING@@QEAAKK@Z
?Strupr@WSTRING@@QEAAPEAV1@XZ
??0KEYBOARD@@QEAA@XZ
?Initialize@PATH@@QEAAEPEBV1@E@Z
?Initialize@ARGUMENT_LEXEMIZER@@QEAAEPEAVARRAY@@@Z
?Initialize@TIMEINFO@@QEAAXPEBV1@@Z
?QueryComponentArray@PATH@@QEBAPEAVARRAY@@PEAV2@@Z
?Put@ARRAY@@UEAAEPEAVOBJECT@@@Z
?Initialize@WSTRING@@QEAAEPEBV1@KK@Z
?SetFileName@FSN_FILTER@@QEAAEPEBD@Z
?Initialize@ARRAY@@QEAAEKK@Z
??1ARRAY@@UEAA@XZ
?SetNoSpcBetweenDstAndSwitch@ARGUMENT_LEXEMIZER@@QEAAXE@Z
?GetPattern@ARGUMENT@@QEAAPEAVWSTRING@@XZ
?Initialize@WSTRING@@QEAAEPEBGK@Z
?PutSwitches@ARGUMENT_LEXEMIZER@@QEAAXPEBD@Z
?QueryResourceString@BASE_SYSTEM@@SAEPEAVWSTRING@@KPEBDZZ
?PrepareToParse@ARGUMENT_LEXEMIZER@@QEAAEPEAVWSTRING@@@Z
?Initialize@TIMEINFO_ARGUMENT@@QEAAEPEAD@Z
?SetCaseSensitive@ARGUMENT_LEXEMIZER@@QEAAXE@Z
??1OBJECT@@UEAA@XZ
?Initialize@STRING_ARGUMENT@@QEAAEPEAD@Z
?Initialize@FLAG_ARGUMENT@@QEAAEPEAD@Z
?ConvertToUTC@TIMEINFO@@QEAAEXZ
?Initialize@FSN_FILTER@@QEAAEXZ
??0ARRAY@@QEAA@XZ
??0CLASS_DESCRIPTOR@@QEAA@XZ
?Cast@KEYBOARD@@SAPEAV1@PEBVOBJECT@@@Z
?UseAlternateName@FSNODE@@QEAAEXZ
?QueryString@WSTRING@@QEBAPEAV1@KK@Z
?GetLexeme@ARGUMENT@@QEAAPEAVWSTRING@@XZ
??0PATH@@QEAA@XZ
?EnableBreakHandling@KEYBOARD@@SAEXZ
?SetAttributes@FSNODE@@QEAAEKPEAK@Z
??0TIMEINFO@@QEAA@XZ
??1PATH_ARGUMENT@@UEAA@XZ
??0STRING_ARRAY@@QEAA@XZ
?SetAllowSwitchGlomming@ARGUMENT_LEXEMIZER@@QEAAXE@Z
?Display@MESSAGE@@QEAAEPEBDZZ
?Stricmp@WSTRING@@QEBAJPEBV1@@Z
?Resize@FSTRING@@UEAAEK@Z
??0TIMEINFO_ARGUMENT@@QEAA@XZ
??0PROGRAM@@IEAA@XZ
?DisplaySystemError@SYSTEM@@SAXKH@Z
?Initialize@WSTRING@@QEAAEPEBDK@Z
?GetStandardInput@PROGRAM@@UEAAPEAVSTREAM@@XZ
?CreateDirectoryPath@FSN_DIRECTORY@@QEBAPEAV1@PEBVPATH@@@Z
?HasWildCard@PATH@@QEBAEXZ
?Initialize@KEYBOARD@@QEAAEEE@Z
?Initialize@PATH@@QEAAEPEBGE@Z
??0DSTRING@@QEAA@XZ
?TruncateNameAtColon@PATH@@QEAAXXZ
?Initialize@FSTRING@@QEAAPEAVWSTRING@@PEAGK@Z
Number of PE resources by type
RT_MANIFEST 1
RT_VERSION 1
Number of PE resources by language
ENGLISH US 2
PE resources
Debug information
ExifTool file metadata
SubsystemVersion
6.1

InitializedDataSize
6144

ImageVersion
6.1

ProductName
Microsoft Windows Operating System

FileVersionNumber
6.1.7600.16385

UninitializedDataSize
0

LanguageCode
English (U.S.)

FileFlagsMask
0x003f

CharacterSet
Unicode

LinkerVersion
9.0

FileTypeExtension
exe

OriginalFileName
XCOPY.EXE

MIMEType
application/octet-stream

Subsystem
Windows command line

FileVersion
6.1.7600.16385 (win7_rtm.090713-1255)

TimeStamp
2009:07:14 00:25:32+01:00

FileType
Win64 EXE

PEType
PE32+

InternalName
xcopy

ProductVersion
6.1.7600.16385

FileDescription
Extended Copy Utility

OSVersion
6.1

FileOS
Windows NT 32-bit

LegalCopyright
Microsoft Corporation. All rights reserved.

MachineType
AMD AMD64

CompanyName
Microsoft Corporation

CodeSize
37888

FileSubtype
0

ProductVersionNumber
6.1.7600.16385

EntryPoint
0x7ca0

ObjectFileType
Executable application

CarbonBlack acts as a surveillance camera for computers
While monitoring an end-user machine in-the-wild, CarbonBlack noticed the following files in execution wrote this sample to disk.
While monitoring an end-user machine in-the-wild, CarbonBlack noticed this sample wrote the following files to disk.
Execution parents
Compressed bundles
File identification
MD5 20cf8728c55a8743aac86fb8d30ea898
SHA1 0a49ca5b46210824ac22d0b8dc43ef5e7b6d2989
SHA256 32ee791aa61bfe60a28a788663e15376da83d7b20e133f6f96f77c54f262fcc1
ssdeep
768:KCXBBxMTgggUo56uVs5sgZ5OTOc1mbJRzU4820:bBByJKYsc8Oc1m3B0

authentihash 0b67fd02515753d2c78e4f4ce418b9c32d3fa98e7f68f9ddd7e1f9f8a54e2543
imphash 46a0ea2a9f4c86bd33243a6b3c8ed68f
File size 42.0 KB ( 43008 bytes )
File type Win32 EXE
Magic literal
PE32+ executable for MS Windows (console) Mono/.Net assembly

TrID Win64 Executable (generic) (87.3%)
Generic Win/DOS Executable (6.3%)
DOS Executable Generic (6.3%)
Tags
64bits peexe assembly signed trusted

Trusted verdicts
This file belongs to the Microsoft Corporation software catalogue. The file is often found with xcopy.exe as its name.
VirusTotal metadata
First submission 2010-02-13 10:58:59 UTC ( 8 years ago )
Last submission 2018-02-06 20:57:09 UTC ( 2 weeks, 2 days ago )
File names
[74]xcopy.exe
[54]xcopy.exe
[62]xcopy.exe
xcopy.exe.old
56fe9d77-4650-4f06-7739-70741d6ef1ca_1d1c51d0a3e0a56
ba561a08-67ed-5256-2185-52e6151f7e82_1d1c42217e93af0
4a0933.tmpscan
[66]xcopy.exe
[33]xcopy.exe
[46]xcopy.exe
5a770f96-5d2d-ac4e-ce00-9befeca18b94
xcopy.exe
[44]xcopy.exe
xcopy(739).exe
[28]xcopy.exe
xcopy.exe
a4dc3fe8dc3fb400.281474976765701.1
[14]xcopy.exe
_media_prost_IR-DAT-1__S-LPT2_Windows_System32_xcopy.exe____-0.winpe
xcopy (3).exe
[59]xcopy.exe
[79]xcopy.exe
[19]xcopy.exe
[27]xcopy.exe
[26]xcopy.exe
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight