efsdump.exe

  • File Path: C:\SysinternalsSuite\efsdump.exe

Hashes

  • MD5: 4CEF8412C762F4840349E5622A05A307
  • SHA1: 10442809395BE423008A29B60DA8F2E3DDA1B297
  • SHA256: EFC0894BC8ECDF7709B35E20436A8D2EA0A046FDCEC0F0C4385A03BD05833897
  • SHA384: F276C54DACA1D188B9596EED4D9F869A2E091CBAF3111B1AEB6253868A824D83C75F667E1D27740B6895CD088D949884
  • SHA512: FC0ABC9F0A4260A0425ADBD848D3A9C7749A155D2C87CEA204AB5224649E50EBB65669A5748F48489D75B0525E30C1D72A48AFADA780F9F4B50256195312463E
  • SSDEEP: 1536:qXsK+Es0mn0RKDL7tTcB5dkmVnTA6uvfHaeZ:q0ECnPDL7tT4/e
  • IMP: 94C991FC087E6D6976569EF8614BCE42
  • PESHA1: CC612F9B93B13DEA4E4B634B281578B0254060BA
  • PE256: BE0232ABC5A5D206BCEB185F98747971B1F9956B0BA9F31676105D048D4534E3

Runtime Data

Usage (stdout):

EFS Information Dumper v1.02
Copyright (C) 1999 Mark Russinovich
Systems Internals - http://www.sysinternals.com

Error querying C:\temp\strontic-xcyclopedia\notepad.exe: The specified file is not encrypted.

Loaded Modules:

  • C:\SysinternalsSuite\efsdump.exe
  • C:\Windows\SYSTEM32\ntdll.dll
  • C:\Windows\System32\wow64.dll
  • C:\Windows\System32\wow64cpu.dll
  • C:\Windows\System32\wow64win.dll

Signature

  • Status: Signature verified.
  • Serial: 61469ECB000400000065
  • Thumbprint: 564E01066387F26C912010D06BD78D3CF1E845AB
  • Issuer: CN=Microsoft Code Signing PCA, OU=Copyright (c) 2000 Microsoft Corp., O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename:
  • Product Name:
  • Company Name:
  • File Version:
  • Product Version:
  • Language:
  • Legal Copyright:
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/69
  • VirusTotal Link: https://www.virustotal.com/gui/file/efc0894bc8ecdf7709b35e20436a8d2ea0a046fdcec0f0c4385a03bd05833897/detection/

File Similarity (ssdeep match)

  • C:\SysinternalsSuite\AccessEnum.exe (score: 44)
  • C:\SysinternalsSuite\adrestore.exe (score: 46)
  • C:\SysinternalsSuite\Cacheset.exe (score: 50)
  • C:\SysinternalsSuite\ctrl2cap.exe (score: 43)
  • C:\SysinternalsSuite\Diskmon.exe (score: 27)
  • C:\SysinternalsSuite\ldmdump.exe (score: 49)
  • C:\SysinternalsSuite\pagedfrg.exe (score: 38)

Possible Misuse

The following table contains possible examples of efsdump.exe being misused. While efsdump.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

  • Source: sigma
  • Source File: proc_creation_win_false_sysinternalsuite.yml
  • Example: - '\efsdump.exe'
  • License: DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.