SHA256: b804244fb7db8101d493f23648466a5999c149219c0e87c2e1448712f4c83328
File name: dfsrs.exe
Detection ratio: 0 / 68
Analysis date: 2017-11-17 13:30:39 UTC ( 5 days, 15 hours ago )
Trusted source! This file belongs to the Microsoft Corporation software catalogue.
Antivirus Result Update
ALYac 20171117
AVG 20171117
AVware 20171117
Ad-Aware 20171117
AegisLab 20171117
AhnLab-V3 20171117
Antiy-AVL 20171117
Arcabit 20171117
Avast 20171117
Avast-Mobile 20171117
Avira (no cloud) 20171117
Baidu 20171117
BitDefender 20171117
Bkav 20171117
CAT-QuickHeal 20171117
CMC 20171117
ClamAV 20171117
Comodo 20171117
CrowdStrike Falcon (ML) 20171016
Cybereason 20171103
Cylance 20171117
Cyren 20171117
DrWeb 20171117
ESET-NOD32 20171117
Emsisoft 20171117
Endgame 20171024
F-Prot 20171117
F-Secure 20171117
Fortinet 20171117
GData 20171117
Ikarus 20171117
Sophos ML 20170914
Jiangmin 20171117
K7AntiVirus 20171117
K7GW 20171117
Kaspersky 20171117
Kingsoft 20171117
MAX 20171117
Malwarebytes 20171117
McAfee 20171117
McAfee-GW-Edition 20171117
eScan 20171117
Microsoft 20171117
NANO-Antivirus 20171117
Palo Alto Networks (Known Signatures) 20171117
Panda 20171117
Qihoo-360 20171117
Rising 20171117
SUPERAntiSpyware 20171117
SentinelOne (Static ML) 20171113
Sophos AV 20171117
Symantec 20171117
Tencent 20171117
TheHacker 20171112
TotalDefense 20171117
TrendMicro 20171117
TrendMicro-HouseCall 20171117
VBA32 20171117
VIPRE 20171117
ViRobot 20171117
Webroot 20171117
WhiteArmor 20171104
Yandex 20171116
Zillya 20171116
ZoneAlarm by Check Point 20171117
Zoner 20171117
eGambit 20171117
nProtect 20171117
Alibaba 20170911
Symantec Mobile Insight 20171117
Trustlook 20171117
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows command line subsystem that targets 64bit architectures.
FileVersionInfo properties
Copyright © Microsoft Corporation. All rights reserved.
Product Microsoft® Windows® Operating System
Original name dfsr.exe
Internal name dfsr.exe
File version 6.2.9200.16384 (win8_rtm.120725-1247)
Description Distributed File System Replication
PE header basic information
Target machine x64
Compilation timestamp 2012-07-26 00:28:25
Entry Point 0x003E2880
Number of sections 6
PE sections
PE imports
ClusterOpenEnum
AddClusterResourceDependency
ClusterResourceOpenEnum
DeleteClusterResource
FailClusterResource
ClusterCloseEnum
CloseClusterResource
ClusterResourceTypeEnum
ClusterResourceTypeCloseEnum
OpenCluster
OpenClusterGroup
RemoveClusterResourceDependency
ClusterResourceControl
OpenClusterResource
GetClusterResourceState
OnlineClusterResource
ClusterResourceTypeOpenEnum
ClusterEnum
ClusterResourceCloseEnum
OfflineClusterResource
ClusterGroupControl
CloseCluster
CloseClusterGroup
ClusterResourceTypeControl
CreateClusterResource
ClusterResourceEnum
DsUnquoteRdnValueW
FilterDetach
FilterConnectCommunicationPort
FilterSendMessage
FilterAttach
GetVolumePathNameW
GetStdHandle
GetDriveTypeW
CancelIoEx
FileTimeToSystemTime
GetOverlappedResult
WaitForSingleObject
CreateJobObjectW
CreateTimerQueue
GetFileAttributesW
SetInformationJobObject
GetLocalTime
GetVolumePathNamesForVolumeNameW
DeleteCriticalSection
GetCurrentProcess
LocalAlloc
UnhandledExceptionFilter
ExitProcess
GetFileInformationByHandle
WideCharToMultiByte
WriteFile
GetTimeZoneInformation
GetSystemTimeAsFileTime
SetEvent
LocalFree
FormatMessageW
InitializeCriticalSection
FindClose
TlsGetValue
MoveFileW
SetFileAttributesW
QueueUserWorkItem
OutputDebugStringA
SetLastError
GetSystemTime
DeviceIoControl
TryEnterCriticalSection
DeleteTimerQueueEx
FlushViewOfFile
FindNextVolumeW
QueryPerformanceFrequency
HeapSetInformation
LoadLibraryExA
GetVolumeInformationW
LoadLibraryExW
MultiByteToWideChar
SetFilePointerEx
DeleteTimerQueueTimer
GetFullPathNameW
CreateThread
MoveFileExW
GetSystemDirectoryW
GetExitCodeThread
CreateSemaphoreW
GetVolumeNameForVolumeMountPointW
TerminateProcess
SetUnhandledExceptionFilter
LocalFileTimeToFileTime
GetDiskFreeSpaceExW
SetEndOfFile
BackupSeek
GetCurrentThreadId
InitializeCriticalSectionAndSpinCount
HeapFree
EnterCriticalSection
LoadLibraryW
FindVolumeClose
FreeLibrary
QueryPerformanceCounter
GetTickCount
TlsAlloc
FlushFileBuffers
GetWindowsDirectoryW
ChangeTimerQueueTimer
BackupWrite
DeleteFileW
WaitForMultipleObjects
GetProcessHeap
GetComputerNameW
AssignProcessToJobObject
GetFileSizeEx
ExpandEnvironmentStringsW
FindNextFileW
CreateDirectoryW
ResetEvent
CreateTimerQueueTimer
FindFirstFileW
GetProcAddress
CreateEventW
CreateFileW
TlsSetValue
HeapAlloc
FindFirstVolumeW
LeaveCriticalSection
GetLastError
SystemTimeToFileTime
CreateFileMappingW
GetSystemInfo
WaitForSingleObjectEx
VirtualFree
GetQueuedCompletionStatus
FileTimeToLocalFileTime
GetCurrentDirectoryW
GetCurrentProcessId
CreateIoCompletionPort
BackupRead
Sleep
CancelIo
GetCurrentThread
RaiseException
ReleaseSemaphore
MapViewOfFile
SetFilePointer
ReadFile
CloseHandle
GetModuleHandleW
UnmapViewOfFile
PostQueuedCompletionStatus
CreateProcessW
GetComputerNameExW
VirtualAlloc
DsGetDomainControllerInfoW
DsBindW
DsFreeNameResultW
DsUnBindW
DsFreeDomainControllerInfoW
DsWriteAccountSpnW
DsCrackNamesW
?GetDMTF@WBEMTime@@QEBAPEAGH@Z
?SetDMTF@WBEMTime@@QEAAHQEAG@Z
??4WBEMTime@@QEAAAEBV0@QEAG@Z
??4WBEMTime@@QEAAAEBV0@AEBU_SYSTEMTIME@@@Z
?GetFILETIME@WBEMTime@@QEBAHPEAU_FILETIME@@@Z
?GetSYSTEMTIME@WBEMTime@@QEBAHPEAU_SYSTEMTIME@@@Z
??4WBEMTime@@QEAAAEBV0@AEBU_FILETIME@@@Z
___lc_codepage_func
fclose
_wcsupr
fflush
_fmode
_ui64tow
fputc
fseek
fwrite
??1type_info@@UEAA@XZ
??0exception@@QEAA@AEBQEBD@Z
_XcptFilter
_CxxThrowException
memmove_s
memcpy_s
wcsncmp
_callnewh
memcpy
?set_terminate@@YAP6AXXZP6AXXZ@Z
memmove
iswspace
_purecall
mbtowc
fgetc
memset
_wcsnicmp
___lc_handle_func
_wcslwr
__RTDynamicCast
_wcsicmp
fgetpos
fsetpos
ftell
exit
??0bad_cast@@QEAA@PEBD@Z
strrchr
strcpy_s
??0exception@@QEAA@AEBQEBDH@Z
ferror
free
__CxxFrameHandler3
__getmainargs
__crtLCMapStringA
wcsspn
??1exception@@UEAA@XZ
iswdigit
??1bad_cast@@UEAA@XZ
__mb_cur_max
islower
_exit
isupper
_ultow_s
rand
??0exception@@QEAA@XZ
setlocale
__dllonexit
wcstok
wcscpy_s
fopen
_vsnwprintf
_cexit
__C_specific_handler
_onexit
_commode
__setusermatherr
_wtoi64
??0bad_cast@@QEAA@AEBV0@@Z
memcmp
wcschr
_itow
?_set_new_handler@@YAP6AH_K@ZP6AH0@Z@Z
wcscspn
_vsnprintf
swscanf
??0exception@@QEAA@AEBV0@@Z
ungetc
malloc
fread
abort
fprintf
towupper
_amsg_exit
?terminate@@YAXXZ
_errno
_lock
?_set_new_mode@@YAHH@Z
towlower
iswalpha
wcsrchr
__pctype_func
?what@exception@@UEBAPEBDXZ
_unlock
_initterm
__iob_func
wcsstr
__set_app_type
setvbuf
_wtoi
RtlInitUnicodeString
NtSetInformationFile
NtOpenThreadToken
NtClose
NtFsControlFile
NtSetSecurityObject
RtlUpcaseUnicodeChar
RtlCreateSystemVolumeInformationFolder
RtlVirtualUnwind
RtlDosPathNameToNtPathName_U_WithStatus
RtlInitUnicodeStringEx
RtlAllocateHeap
RtlStringFromGUID
NtOpenFile
NtQueryVolumeInformationFile
NtQueryDirectoryFile
RtlNtStatusToDosError
RtlLookupFunctionEntry
RtlCaptureContext
RtlFreeHeap
NtWaitForSingleObject
RtlFreeUnicodeString
RtlDosPathNameToNtPathName_U
RtlGUIDFromString
NtOpenProcessToken
NtQuerySecurityObject
RtlGetFullPathName_U
RtlAdjustPrivilege
RtlDoesFileExists_U
NtCreateFile
NtQueryInformationFile
NtAdjustPrivilegesToken
Number of PE resources by type
RT_MANIFEST 1
MUI 1
RT_VERSION 1
Number of PE resources by language
ENGLISH US 3
PE resources
Debug information
ExifTool file metadata
SubsystemVersion 6.2
InitializedDataSize 187904
ImageVersion 6.2
ProductName Microsoft Windows Operating System
FileVersionNumber 6.2.9200.16384
UninitializedDataSize 0
LanguageCode English (U.S.)
FileFlagsMask 0x003f
CharacterSet Unicode
LinkerVersion 10.1
FileTypeExtension exe
OriginalFileName dfsr.exe
MIMEType application/octet-stream
Subsystem Windows command line
FileVersion 6.2.9200.16384 (win8_rtm.120725-1247)
TimeStamp 2012:07:26 01:28:25+01:00
FileType Win64 EXE
PEType PE32+
InternalName dfsr.exe
ProductVersion 6.2.9200.16384
FileDescription Distributed File System Replication
OSVersion 6.2
FileOS Windows NT 32-bit
LegalCopyright Microsoft Corporation. All rights reserved.
MachineType AMD AMD64
CompanyName Microsoft Corporation
CodeSize 4550656
FileSubtype 0
ProductVersionNumber 6.2.9200.16384
EntryPoint 0x3e2880
ObjectFileType Executable application

CarbonBlack CarbonBlack acts as a surveillance camera for computers
While monitoring an end-user machine in-the-wild, CarbonBlack noticed the following files in execution wrote this sample to disk.
While monitoring an end-user machine in-the-wild, CarbonBlack noticed this sample wrote the following files to disk.
Compressed bundles
File identification
MD5 dd9caa30809b15a7ceb5475eeb25a19e
SHA1 fb2d4e27570e4531abf4e88bb1b4cf3287101087
SHA256 b804244fb7db8101d493f23648466a5999c149219c0e87c2e1448712f4c83328
ssdeep 49152:jWR5DVG/sufdXGO148bsDaCFmSSMw9CglQ4xyY4/jErZevxqxpnzKWOalJ+FPm8l:MusoxJ+FWMYY6kVVt
authentihash 763a24f3f9a5195e3173119a9abe7acee4854a235204591feb1a7a3becb5c79e
imphash f5c2b9b92a08023d58212c5b4e6b9d5c
File size 4.5 MB ( 4724736 bytes )
File type Win32 EXE
Magic literal PE32+ executable for MS Windows (console) Mono/.Net assembly
TrID Win64 Executable (generic) (87.3%)
Generic Win/DOS Executable (6.3%)
DOS Executable Generic (6.3%)
Tags 64bits peexe assembly trusted
Trusted verdicts
This file belongs to the Microsoft Corporation software catalogue. The file is often found with dfsrs.exe as its name.
VirusTotal metadata
First submission 2012-11-21 21:51:19 UTC ( 5 years ago )
Last submission 2017-10-08 03:12:17 UTC ( 1 month, 2 weeks ago )
File names 1ee81057_1108_crypt_io_copy.tmp
vt-upload-J_6DKL
dfsr.exe
5343c92d_58c_crypt_io_copy.tmp
0001c58f_914_crypt_io_copy.tmp
074d9d8c_f4c_crypt_io_copy.tmp
DFSRS.EXE
dfsrs.exe
dfsrs.exe
dfsrs.exe
dfsrs.exe
dfsrs.exe
dfsrs.exe
DFSRs.exe
b3c62f2b_b00_crypt_io_copy.tmp
dfsrs.exe
dfsrs.exe
dfsrs.exe
DFSRs.exe