sysprep.exe
- File Path:
C:\Windows\system32\Sysprep\sysprep.exe - Description: System Preparation Tool
Screenshot
Hashes
| Type | Hash |
|---|---|
| MD5 | C22F1DE66E08A5B405C8F0615A4D262F |
| SHA1 | 5D2A254E3945BE583E819D65A8D6D5F46D2ACC5F |
| SHA256 | F5CFD1631D2DFE7C2E4BAC631374CC793179C1D3757801B4BCA9C77E9A3FCFBB |
| SHA384 | 1A7941B86ECD5590DFE3371B774FB9CECC442933874BE11473D2CCE25793BD2DC0198D193655FC0921B700D85876401E |
| SHA512 | 429810D619EB261AF41965F70BFEDAE5F6929AC46E5D46B99A1C25803718AF252A48D0562B7C9075CEB3F605B90FF1DA285091E0074BAEF6B6CD5640BC5861FE |
| SSDEEP | 12288:9F3KCOg79hKXPRKuabsG7o++Q6DLg2APKiCtxbyvfnxlmfcSEOe1yvU:9B/OgxhgPRKxbNjYpzbyvfnxlMrEOeV |
| IMP | 1CA114DF64828C5F35E8777BF42AC360 |
| PESHA1 | 8352E0D7492E281BB6401571A94D90547A981AE3 |
| PE256 | A45794B6BB7BA7F023C4293D447EEBADC0CE14992C9CB5E31F22A20823BA8556 |
Runtime Data
Window Title:
System Preparation Tool 3.14
Open Handles:
| Path | Type |
|---|---|
| (R-D) C:\Windows\Fonts\StaticCache.dat | File |
| (R-D) C:\Windows\System32\en-US\imageres.dll.mui | File |
| (R-D) C:\Windows\System32\Sysprep\en-US\sysprep.exe.mui | File |
| (RW-) C:\Users\user | File |
| (RW-) C:\Windows\System32\Sysprep\Panther\diagerr.xml | File |
| (RW-) C:\Windows\System32\Sysprep\Panther\diagwrn.xml | File |
| (RW-) C:\Windows\System32\Sysprep\Panther\setupact.log | File |
| (RW-) C:\Windows\System32\Sysprep\Panther\setuperr.log | File |
| (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.1518_none_de6e2bd0534e2567 | File |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000004.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000004.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro | Section |
| \BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 | Section |
| \BaseNamedObjects\NLS_CodePage_437_3_2_0_0 | Section |
| \BaseNamedObjects\SetupLogSection | Section |
| \Sessions\2\Windows\Theme2131664586 | Section |
| \Windows\Theme966197582 | Section |
Loaded Modules:
| Path |
|---|
| C:\Windows\system32\actionqueue.dll |
| C:\Windows\System32\ADVAPI32.dll |
| C:\Windows\System32\bcrypt.dll |
| C:\Windows\System32\bcryptprimitives.dll |
| C:\Windows\System32\cfgmgr32.dll |
| C:\Windows\System32\combase.dll |
| C:\Windows\System32\GDI32.dll |
| C:\Windows\System32\gdi32full.dll |
| C:\Windows\System32\KERNEL32.DLL |
| C:\Windows\System32\KERNELBASE.dll |
| C:\Windows\System32\msvcp_win.dll |
| C:\Windows\System32\msvcrt.dll |
| C:\Windows\SYSTEM32\ntdll.dll |
| C:\Windows\System32\ole32.dll |
| C:\Windows\System32\OLEAUT32.dll |
| C:\Windows\System32\RPCRT4.dll |
| C:\Windows\System32\sechost.dll |
| C:\Windows\System32\SETUPAPI.dll |
| C:\Windows\System32\SHLWAPI.dll |
| C:\Windows\system32\Sysprep\sysprep.exe |
| C:\Windows\System32\ucrtbase.dll |
| C:\Windows\system32\unattend.dll |
| C:\Windows\System32\USER32.dll |
| C:\Windows\system32\wdscore.dll |
| C:\Windows\System32\win32u.dll |
| C:\Windows\SYSTEM32\XmlLite.dll |
| C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.1518_none_de6e2bd0534e2567\COMCTL32.dll |
Signature
- Status: Signature verified.
- Serial:
3300000266BD1580EFA75CD6D3000000000266 - Thumbprint:
A4341B9FD50FB9964283220A36A1EF6F6FAA7840 - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: sysprep.EXE.MUI
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.17763.1 (WinBuild.160101.0800)
- Product Version: 10.0.17763.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: Unknown
Possible Misuse
The following table contains possible examples of sysprep.exe being misused. While sysprep.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | proc_creation_win_susp_sysprep_appdata.yml | title: Sysprep on AppData Folder |
DRL 1.0 |
| sigma | proc_creation_win_susp_sysprep_appdata.yml | description: Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec) |
DRL 1.0 |
| sigma | proc_creation_win_susp_sysprep_appdata.yml | - '\sysprep.exe' |
DRL 1.0 |
| malware-ioc | 2021_T2 | Sysprep |
© ESET 2014-2018 |
| signature-base | apt_codoso.yar | $c3 = “\sysprep\sysprep.exe” fullword wide | CC BY-NC 4.0 |
| signature-base | apt_codoso.yar | $c4 = “\sysprep\CRYPTBASE.dll” fullword wide | CC BY-NC 4.0 |
| signature-base | apt_codoso.yar | $c7 = “\sysprep” fullword wide | CC BY-NC 4.0 |
| signature-base | apt_hellsing_kaspersky.yar | $a9 = “C:\Windows\System32\sysprep\sysprep.exe” wide | CC BY-NC 4.0 |
| signature-base | apt_thrip.yar | $s1 = “C:\WINDOWS\system32\sysprep\cryptbase.dll” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_thrip.yar | $s2 = “C:\Windows\SysNative\sysprep\cryptbase.dll” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_thrip.yar | $s2 = “C:\Windows\system32\sysprep\cryptbase.dll” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_win_plugx.yar | $s3 = “l%s\sysprep\CRYPTBASE.DLL” fullword wide | CC BY-NC 4.0 |
| signature-base | apt_win_plugx.yar | $s7 = “%s\sysprep\sysprep.exe” fullword wide | CC BY-NC 4.0 |
| signature-base | exploit_uac_elevators.yar | $s3 = “%systemroot%\system32\sysprep\sysprep.exe” fullword wide | CC BY-NC 4.0 |
| signature-base | exploit_uac_elevators.yar | $s4 = “/c wusa %ws /extract:%%windir%%\system32\sysprep” fullword wide | CC BY-NC 4.0 |
| signature-base | exploit_uac_elevators.yar | $s6 = “loadFrom="%systemroot%\system32\sysprep\cryptbase.DLL"” fullword ascii | CC BY-NC 4.0 |
MIT License. Copyright (c) 2020-2021 Strontic.