Edit tour

Windows Analysis Report
myRdpService.exe

Overview

General Information

Sample name:	myRdpService.exe
Analysis ID:	1658892
MD5:	1e7bcf5b72ffeca190832d8305cf3310
SHA1:	2de1c18a5ae51ef91e850a83d43c7e7ae7b3ecb3
SHA256:	4814aec636aecbf7f0049b1cd64d89782bb292e4cf8c658ba9595709231f4258
Infos:

Detection

Score:	48
Range:	0 - 100
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Enables debug privileges

One or more processes crash

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Yara signature match

Classification

Process Tree

System is w10x64

myRdpService.exe (PID: 7116 cmdline: "C:\Users\user\Desktop\myRdpService.exe" MD5: 1E7BCF5B72FFECA190832D8305CF3310)

conhost.exe (PID: 7096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WerFault.exe (PID: 7288 cmdline: C:\Windows\system32\WerFault.exe -u -p 7116 -s 576 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1319577130.00007FF707EB7000.00000004.00000001.01000000.00000003.sdmp	hacktool_windows_moyix_creddump	creddump is a python tool to extract credentials and secrets from Windows registry hives.	@mimeframe	0xdab4:$a1: !@#$%^&()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(@&% 0x11f84:$a2: 0123456789012345678901234567890123456789 0x32914:$a3: NTPASSWORD 0x2f7ac:$a4: LMPASSWORD 0x5ccfc:$a5: aad3b435b51404eeaad3b435b51404ee 0x14f44:$a6: 31d6cfe0d16ae931b73c59d7e0c089c0
Process Memory Space: myRdpService.exe PID: 7116	hacktool_windows_moyix_creddump	creddump is a python tool to extract credentials and secrets from Windows registry hives.	@mimeframe	0x7cee3:$a1: !@#$%^&()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(@&% 0x13db4d:$a1: !@#$%^&()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(@&% 0x7e63f:$a2: 0123456789012345678901234567890123456789 0x13f2a6:$a2: 0123456789012345678901234567890123456789 0x8b003:$a3: NTPASSWORD 0x14bc38:$a3: NTPASSWORD 0x89d3a:$a4: LMPASSWORD 0x14a970:$a4: LMPASSWORD 0x9c82e:$a5: aad3b435b51404eeaad3b435b51404ee 0x15d37e:$a5: aad3b435b51404eeaad3b435b51404ee 0x7f537:$a6: 31d6cfe0d16ae931b73c59d7e0c089c0 0x1401ba:$a6: 31d6cfe0d16ae931b73c59d7e0c089c0

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• Compliance
• Networking
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• Lowering of HIPS / PFW / Operating System Security Settings

Click to jump to signature section

Show All Signature Results

Source: myRdpService.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: myRdpService.exe	String found in binary or memory: http://.css
Source: myRdpService.exe	String found in binary or memory: http://.jpg
Source: myRdpService.exe	String found in binary or memory: http://html4/loose.dtd
Source: myRdpService.exe	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysidY
Source: myRdpService.exe, 00000000.00000002.1319577130.00007FF707EB7000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysidp
Source: myRdpService.exe	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: myRdpService.exe, 00000000.00000002.1319577130.00007FF707EB7000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namep
Source: Amcache.hve.11.dr	String found in binary or memory: http://upx.sf.net
Source: myRdpService.exe, 00000000.00000002.1319577130.00007FF707EB7000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.gstatic.com/generate_204p
Source: myRdpService.exe	String found in binary or memory: http://www.gstatic.com/generate_204y
Source: myRdpService.exe	String found in binary or memory: https://aka.ms/GlobalizationInvariantMode
Source: myRdpService.exe	String found in binary or memory: https://aka.ms/dotnet-warnings/
Source: myRdpService.exe	String found in binary or memory: https://aka.ms/nativeaot-compatibility
Source: myRdpService.exe	String found in binary or memory: https://aka.ms/nativeaot-compatibilityY
Source: myRdpService.exe, 00000000.00000002.1319577130.00007FF707EB7000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.ms/nativeaot-compatibilityp
Source: myRdpService.exe	String found in binary or memory: https://aka.ms/nativeaot-compatibilityy
Source: myRdpService.exe	String found in binary or memory: https://github.com/MartinKuschnik/WmiLight
Source: myRdpService.exe	String found in binary or memory: https://github.com/dotnet/runtimeS

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.1319577130.00007FF707EB7000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: creddump is a python tool to extract credentials and secrets from Windows registry hives. Author: @mimeframe
Source: Process Memory Space: myRdpService.exe PID: 7116, type: MEMORYSTR	Matched rule: creddump is a python tool to extract credentials and secrets from Windows registry hives. Author: @mimeframe

Source: C:\Users\user\Desktop\myRdpService.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7116 -s 576

Source: myRdpService.exe, 00000000.00000000.1233235107.00007FF70843C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameRdpService.dll6 vs myRdpService.exe
Source: myRdpService.exe, 00000000.00000002.1319708496.00007FF7081BF000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename: vs myRdpService.exe
Source: myRdpService.exe, 00000000.00000002.1319708496.00007FF7081BF000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: \\OriginalFilename vs myRdpService.exe
Source: myRdpService.exe, 00000000.00000002.1319577130.00007FF707EB7000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename: p vs myRdpService.exe
Source: myRdpService.exe, 00000000.00000002.1319577130.00007FF707EB7000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: \\OriginalFilenamep vs myRdpService.exe
Source: myRdpService.exe	Binary or memory string: OriginalFilename: vs myRdpService.exe
Source: myRdpService.exe	Binary or memory string: \\OriginalFilename vs myRdpService.exe
Source: myRdpService.exe	Binary or memory string: OriginalFilenameRdpService.dll6 vs myRdpService.exe

Source: 00000000.00000002.1319577130.00007FF707EB7000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: hacktool_windows_moyix_creddump author = @mimeframe, description = creddump is a python tool to extract credentials and secrets from Windows registry hives., reference = https://github.com/moyix/creddump
Source: Process Memory Space: myRdpService.exe PID: 7116, type: MEMORYSTR	Matched rule: hacktool_windows_moyix_creddump author = @mimeframe, description = creddump is a python tool to extract credentials and secrets from Windows registry hives., reference = https://github.com/moyix/creddump

Source: classification engine

Classification label: mal48.winEXE@3/6@0/0

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7096:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7116

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\95c1d092-69c9-4a38-a647-de9ed2c2140b

Jump to behavior

Source: myRdpService.exe

Static file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%

Source: C:\Users\user\Desktop\myRdpService.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: myRdpService.exe

String found in binary or memory: overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script>

Source: unknown	Process created: C:\Users\user\Desktop\myRdpService.exe "C:\Users\user\Desktop\myRdpService.exe"
Source: C:\Users\user\Desktop\myRdpService.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\myRdpService.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7116 -s 576

Source: C:\Users\user\Desktop\myRdpService.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\myRdpService.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\myRdpService.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\myRdpService.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\myRdpService.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\myRdpService.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: myRdpService.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: myRdpService.exe

Static file information: File size 9440768 > 1048576

Source: myRdpService.exe	Static PE information: Raw size of .managed is bigger than: 0x100000 < 0x440800
Source: myRdpService.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x398e00

Source: myRdpService.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: myRdpService.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: myRdpService.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: myRdpService.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: myRdpService.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: myRdpService.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: myRdpService.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: myRdpService.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: myRdpService.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: myRdpService.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: myRdpService.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: myRdpService.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: myRdpService.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: myRdpService.exe	Static PE information: section name: .managed
Source: myRdpService.exe	Static PE information: section name: hydrated

Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\myRdpService.exe

Memory allocated: 27952C20000 memory reserve | memory write watch

Jump to behavior

Source: Amcache.hve.11.dr	Binary or memory string: VMware
Source: Amcache.hve.11.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.11.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.11.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.11.dr	Binary or memory string: VMware20,1hbin@
Source: myRdpService.exe	Binary or memory string: qEMutating a value collection derived from a dictionary is not allowed.Y
Source: Amcache.hve.11.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.11.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.11.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.11.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.11.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.11.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.11.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.11.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.11.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.11.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.11.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.11.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.11.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.11.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.11.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.11.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.11.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.11.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.11.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.11.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.11.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.11.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.11.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.11.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\myRdpService.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\myRdpService.exe

Process token adjusted: Debug

Jump to behavior

Source: Amcache.hve.11.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.11.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.11.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.11.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.11.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	1 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
myRdpService.exe	4%	Virustotal		Browse
myRdpService.exe	5%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://html4/loose.dtd	myRdpService.exe	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysidY	myRdpService.exe	false	high
https://aka.ms/dotnet-warnings/	myRdpService.exe	false	high
https://aka.ms/nativeaot-compatibilityp	myRdpService.exe, 00000000.00000002.1319577130.00007FF707EB7000.00000004.00000001.01000000.00000003.sdmp	false	high
https://github.com/MartinKuschnik/WmiLight	myRdpService.exe	false	high
https://aka.ms/nativeaot-compatibility	myRdpService.exe	false	high
https://aka.ms/nativeaot-compatibilityY	myRdpService.exe	false	high
https://aka.ms/nativeaot-compatibilityy	myRdpService.exe	false	high
http://upx.sf.net	Amcache.hve.11.dr	false	high
https://aka.ms/GlobalizationInvariantMode	myRdpService.exe	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namep	myRdpService.exe, 00000000.00000002.1319577130.00007FF707EB7000.00000004.00000001.01000000.00000003.sdmp	false	high
http://.css	myRdpService.exe	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysidp	myRdpService.exe, 00000000.00000002.1319577130.00007FF707EB7000.00000004.00000001.01000000.00000003.sdmp	false	high
https://github.com/dotnet/runtimeS	myRdpService.exe	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	myRdpService.exe	false	high
http://.jpg	myRdpService.exe	false	high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1658892
Start date and time:	2025-04-08 07:42:19 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	myRdpService.exe
Detection:	MAL
Classification:	mal48.winEXE@3/6@0/0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.20, 184.31.69.3, 40.126.24.81, 52.149.20.212
Excluded domains from analysis (whitelisted): fs.microsoft.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
01:43:23	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_myRdpService.exe_2769d248aec10a5736d764775c3c9a7ebe42_52516480_4993dbb6-d058-4336-b7b9-79901f3df09b\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8124127516192081
Encrypted:	false
SSDEEP:	96:JvndFL+bsigu4CjISpQXIDcQgc6Y3cE0cw3Fkoi+HbHg/opAnQVHMvLVxEXCvJrN:Jlp+by0+c3uRkoLjzAzuiFbZ24lO8WS
MD5:	CC75C044A9E967BF2B2B5043632735C4
SHA1:	1810A54378FBB32E97132C10B1DD539DF963676D
SHA-256:	82B834B93C194963C8E488874E769E871AA617FC88385345D63A60C957C854E6
SHA-512:	9F98E54967B715BB4BAF41CA972C5B29A295D16C00FF7F8C9B119AB9F75DCE1244EAE024DBC371B0FDFBE4A935926BEA0370B01379034F9F69E7B9024AA12ABF
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.8.5.6.4.6.0.0.2.1.2.9.3.2.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.8.5.6.4.6.0.0.5.8.7.9.2.6.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.9.9.3.d.b.b.6.-.d.0.5.8.-.4.3.3.6.-.b.7.b.9.-.7.9.9.0.1.f.3.d.f.0.9.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.4.9.5.1.0.9.7.-.5.c.1.3.-.4.9.7.8.-.a.4.b.8.-.5.6.5.c.a.9.6.4.c.e.2.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.m.y.R.d.p.S.e.r.v.i.c.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.d.p.S.e.r.v.i.c.e...d.l.l.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.c.c.-.0.0.0.1.-.0.0.1.9.-.e.2.1.8.-.2.1.1.f.4.9.a.8.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.3.1.e.7.f.4.9.1.3.0.8.6.b.8.7.a.b.d.8.5.f.3.c.6.a.2.a.1.1.c.2.6.0.0.0.0.0.0.0.0.!.0.0.0.0.2.d.e.1.c.1.8.a.5.a.e.5.1.e.f.9.1.e.8.5.0.a.8.3.d.4.3.c.7.e.7.a.e.7.b.3.e.c.b.3.!.m.y.R.d.p.S.e.r.v.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9345.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Apr 8 05:43:20 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	77634
Entropy (8bit):	1.3823895642882558
Encrypted:	false
SSDEEP:	192:699tZxQOQHq3GwvnOzceSBwwYuunC7uMZaKlHOL:Kt3QHqxUcxuCScaKlHOL
MD5:	2A60F7FC27F5CB9D009ADAA8D1798C94
SHA1:	1E744FA7A971045F95FA8202FF8C24A23400EBA5
SHA-256:	78ED38227208FFFB05B89245F859A46D8EB5E17350F0EFCA2AD66CB2E0A79949
SHA-512:	2B03E35C5409D57B7872FC54A545F14BC9D3890D291F212E8020E279388AFEA1119B0CEF9271F7D7E3717B8020C8002CF03380258F00B5A712C648FE8FE3892E
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......x..g........................................l6..........T.......8...........T.......................................................................................................................eJ......T.......Lw......................T...........r..g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER93C3.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8632
Entropy (8bit):	3.696369096140058
Encrypted:	false
SSDEEP:	192:R6l7wVeJH/v16YZp8gmfapRkodpDw89bT4BfJxm:R6lXJfd6Yn8gmfapNVT2fO
MD5:	8B5DCBFC68BE6B275C8B550C9A1B7AA0
SHA1:	0B5DE5A63691775BF8E777A5E84001CD71F33821
SHA-256:	90A92ECCE52F1D9765D4C2DF3A85883892B4D89DA241E448F296D51FE791AE7C
SHA-512:	43D42C596202CB90088D403A254ADC2798E11775F280A8822F514A133F060B2CCA051FC2C2F7E811E0D3A04C5A76FD2D8C2355DBAECAF55335798C5AB50EF3B4
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.1.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9403.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4835
Entropy (8bit):	4.446100910034981
Encrypted:	false
SSDEEP:	48:cvIwWl8zsrJg771I9atWpW8VYAlYm8M4JUaTFZubyq8vaa8FJu+8syprdd:uIjfFI71c7VqJLnubWl8FIRs+pd
MD5:	E9984A555D8270CB89AE44AFB1CC5AC1
SHA1:	3857FDF62DF247315C158669BEE12E74C498189C
SHA-256:	5B7CDCD3EACCB28762A5C6E9D1D998C03605BE28BC395537375AA6E0D084FF99
SHA-512:	65C5528219EC5AC3469BF904FAE0DAF6DB62164A116231FD7A0FAFE9AE832EF0B62C138801B14E6CEEE0FE4BD8BD4030FF80767EDA8248E659BA9791810D7334
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="796126" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.472202707087583
Encrypted:	false
SSDEEP:	6144:JzZfpi6ceLPx9skLmb0fVZWSP3aJG8nAgeiJRMMhA2zX4WABlFuN2jDH5SS:BZHtVZWOKnMM6bFksj4S
MD5:	BADD782BA8253E52A915EBA2913532CE
SHA1:	5B1206DE72D1D428732150DA103A5E6B53167E17
SHA-256:	81CF35F1CD43945AAD8F595A4C27640C72E05231CD8A9AD43C75234E7CBAAA20
SHA-512:	1BC567BC6403DE5CE4F32660A84C18E6BEE87497DBE7BF8A9712A3B250D204B9BD2238F1FE45AD4A11E6BBEA1A575DEC0E36A6F2E3A10217126574FCE2DD5691
Malicious:	false
Reputation:	low
Preview:	regfL...L....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmv.j"I.................................................................................................................................................................................................................................................................................................................................................\|.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\myRdpService.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1697
Entropy (8bit):	5.091071705728139
Encrypted:	false
SSDEEP:	24:DvGPIKHqjhkvI/H7E/muGMk0H7E/muGSkvIrNPkvIrF15Gz:DvGBKjqvI/bs6x0bs6TvIrKvIrF1Qz
MD5:	541DB5B57D8EDF393270004C94899B00
SHA1:	00B08C4862CD48CD353BD5B9E4B29EFB04FB4B33
SHA-256:	2BA089CCC0CF2B909235F2E94EF636343DB3617C8DA551A09D4E4630B7CB100B
SHA-512:	E225ECD95A0C80FF747D3980EA81B86EDDF4EA2798D9AD0C5D3482506EEC82DE73531F58AC09A360CF82607E6A334E0EAD41363A633A751C3F69C37D8F3FB1A4
Malicious:	false
Reputation:	low
Preview:	Unhandled Exception: System.NullReferenceException: Object reference not set to an instance of an object... at Microsoft.Extensions.Hosting.Internal.Host.<StartAsync>d__12.MoveNext() + 0x242..--- End of stack trace from previous location ---.. at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() + 0x20.. at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task) + 0xb2.. at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task, ConfigureAwaitOptions) + 0x4b.. at Microsoft.Extensions.Hosting.HostingAbstractionsHostExtensions.<RunAsync>d__4.MoveNext() + 0xee..--- End of stack trace from previous location ---.. at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() + 0x20.. at Microsoft.Extensions.Hosting.HostingAbstractionsHostExtensions.<RunAsync>d__4.MoveNext() + 0x2ca..--- End of stack trace from previous location ---.. at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() + 0x20.. at

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.891178514562279
TrID:	Win64 Executable Console Net Framework (206006/5) 48.58% Win64 Executable Console (202006/5) 47.64% Win64 Executable (generic) (12005/4) 2.83% Generic Win/DOS Executable (2004/3) 0.47% DOS Executable Generic (2002/1) 0.47%
File name:	myRdpService.exe
File size:	9'440'768 bytes
MD5:	1e7bcf5b72ffeca190832d8305cf3310
SHA1:	2de1c18a5ae51ef91e850a83d43c7e7ae7b3ecb3
SHA256:	4814aec636aecbf7f0049b1cd64d89782bb292e4cf8c658ba9595709231f4258
SHA512:	4adad604747b2c76753f404ec042980d9fba89320dbfa9948b538e7e41a2e7243726feba5122d53c6605bb9ec5bf77d42f207250823a6b2c03b342519cac7d5d
SSDEEP:	98304:feWwHzQy5ZamI4yZsgUCy4JCj5GnSPFnm:2WgzQJ4ymNC9JCFGS
TLSH:	F1969D15A3E501A1D46BD734CA66C733DAB8BCA25635C10F194CE2C52F73E628B6F326
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.............l...l...l...o...l...h...l...i...l.......l...m...l...m.#.l...o...l...h...l...i...l...h...l...l...l...i...l.!.l...l.!.n...l

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x1400bd350
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x67BF52C3 [Wed Feb 26 17:43:31 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	249ca84a8e0082443a21c77714ff1b90

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FF758DDD4ACh
dec eax
add esp, 28h
jmp 00007FF758DDC9C7h
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
jmp 00007FF758DDCB61h
dec eax
mov ecx, ebx
call 00007FF758DE0D21h
test eax, eax
je 00007FF758DDCB65h
dec eax
mov ecx, ebx
call 00007FF758DDC841h
dec eax
test eax, eax
je 00007FF758DDCB39h
dec eax
add esp, 20h
pop ebx
ret
dec eax
cmp ebx, FFFFFFFFh
je 00007FF758DDCB58h
call 00007FF758DDD93Ch
int3
call 00007FF758DDD956h
int3
dec eax
sub esp, 28h
dec ebp
mov eax, dword ptr [ecx+38h]
dec eax
mov ecx, edx
dec ecx
mov edx, ecx
call 00007FF758DDCB62h
mov eax, 00000001h
dec eax
add esp, 28h
ret
int3
int3
int3
inc eax
push ebx
inc ebp
mov ebx, dword ptr [eax]
dec eax
mov ebx, edx
inc ecx
and ebx, FFFFFFF8h
dec esp
mov ecx, ecx
inc ecx
test byte ptr [eax], 00000004h
dec esp
mov edx, ecx
je 00007FF758DDCB65h
inc ecx
mov eax, dword ptr [eax+08h]
dec ebp
arpl word ptr [eax+04h], dx
neg eax
dec esp
add edx, ecx
dec eax
arpl ax, cx
dec esp
and edx, ecx
dec ecx
arpl bx, ax
dec edx
mov edx, dword ptr [eax+edx]
dec eax
mov eax, dword ptr [ebx+10h]
mov ecx, dword ptr [eax+08h]
dec eax
mov eax, dword ptr [ebx+08h]
test byte ptr [ecx+eax+03h], 0000000Fh
je 00007FF758DDCB5Dh
movzx eax, byte ptr [ecx+eax+03h]
and eax, FFFFFFF0h
dec esp
add ecx, eax
dec esp
xor ecx, edx
dec ecx
mov ecx, ecx
pop ebx
jmp 00007FF758DDCB6Ah

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xa611d0	0x208	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa613d8	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xae5000	0x5b2	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xa8c000	0x587f4	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xae6000	0x1470	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x99f220	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x99f400	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x99f0e0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x6cb000	0xbc0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xc48d8	0xc4a00	33cee36efd7743a963620a75bd9f9480	False	0.42793428162746344	data	6.637262539191601	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.managed	0xc6000	0x4406f8	0x440800	b066f7542a62377c447dfeda0f2b18bc	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
hydrated	0x507000	0x1c39b8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x6cb000	0x398d40	0x398e00	e1a4db0675200bdd77e3167b194ef31d	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa64000	0x27b58	0x8600	c63a6f7908ce8a3b79f39d38317e4f42	False	0.28244519589552236	data	4.899286767227065	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0xa8c000	0x587f4	0x58800	afa82321c25afcd18d4b42d854fd3a38	False	0.4923061219985876	data	6.4627199295807385	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xae5000	0x5b2	0x600	df8936858df0ba53dab05f76f4c84369	False	0.427734375	data	4.1855188873867775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xae6000	0x1470	0x1600	f95b6377709a5fe82cf1c00c852dccc6	False	0.3151633522727273	data	5.333005681631803	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xae50a0	0x328	data			0.4306930693069307
RT_MANIFEST	0xae53c8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExW, RegEnumKeyExW, RegEnumValueW, RegOpenKeyExW, RegQueryInfoKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, LookupPrivilegeValueW, OpenProcessToken, AdjustTokenPrivileges, CreateProcessAsUserA, DuplicateTokenEx, RevertToSelf, OpenThreadToken, SetThreadToken, GetSecurityDescriptorLength, GetTokenInformation, CreateWellKnownSid, GetWindowsAccountDomainSid, ImpersonateLoggedOnUser, SetServiceStatus, RegisterServiceCtrlHandlerExW, StartServiceCtrlDispatcherW
bcrypt.dll	BCryptGenRandom, BCryptEncrypt, BCryptExportKey, BCryptFinishHash, BCryptGetProperty, BCryptHashData, BCryptImportKey, BCryptImportKeyPair, BCryptOpenAlgorithmProvider, BCryptSetProperty, BCryptCloseAlgorithmProvider, BCryptDestroyHash, BCryptCreateHash, BCryptDestroyKey, BCryptDecrypt
CRYPT32.dll	CertVerifyTimeValidity, CertSetCertificateContextProperty, CertSerializeCertificateStoreElement, CertSaveStore, CertOpenStore, CertFreeCertificateChainEngine, CertCloseStore, PFXImportCertStore, PFXExportCertStore, CryptFindOIDInfo, CryptQueryObject, CryptMsgGetParam, CryptMsgClose, CertNameToStrW, CryptImportPublicKeyInfoEx2, CryptFormatObject, CertVerifyCertificateChainPolicy, CertFreeCertificateContext, CertEnumCertificatesInStore, CertDuplicateCertificateContext, CertGetCertificateContextProperty, CertAddCertificateContextToStore, CertAddCertificateLinkToStore, CertControlStore, CertCreateCertificateChainEngine, CertFindCertificateInStore, CertFindExtension, CertFreeCertificateChain, CertGetCertificateChain, CertGetIntendedKeyUsage, CertGetNameStringW, CertGetValidUsages, CryptDecodeObject
IPHLPAPI.DLL	GetAdaptersAddresses, GetNetworkParams, if_nametoindex, GetPerAdapterInfo
KERNEL32.dll	UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeSListHead, IsDebuggerPresent, RtlUnwindEx, RtlPcToFileHeader, RaiseException, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, IsProcessorFeaturePresent, SetLastError, GetLastError, CloseHandle, FormatMessageW, GetCurrentProcess, GetCPInfoExW, GetConsoleMode, GetFileType, ReadFile, ReadConsoleW, WriteFile, WriteConsoleW, GetConsoleOutputCP, GetStdHandle, MultiByteToWideChar, WideCharToMultiByte, WaitForSingleObject, K32EnumProcessModulesEx, IsWow64Process, GetExitCodeProcess, CreateProcessW, TerminateProcess, OpenProcess, K32EnumProcesses, K32GetModuleInformation, K32GetModuleBaseNameW, K32GetModuleFileNameExW, GetProcessId, DuplicateHandle, QueryFullProcessImageNameW, CreatePipe, GetConsoleCP, ReadDirectoryChangesW, CreateFileW, QueryPerformanceCounter, GetTickCount64, LoadLibraryExW, CancelIoEx, CloseThreadpoolIo, GetCurrentProcessId, RaiseFailFastException, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToSystemTime, GetSystemTime, GetCalendarInfoEx, CompareStringOrdinal, CompareStringEx, FindNLSStringEx, GetLocaleInfoEx, ResolveLocaleName, GetUserPreferredUILanguages, FindStringOrdinal, GetCurrentThread, Sleep, DeleteCriticalSection, LocalFree, EnterCriticalSection, SleepConditionVariableCS, LeaveCriticalSection, WakeConditionVariable, InitializeCriticalSection, InitializeConditionVariable, CreateThreadpoolTimer, SetThreadpoolTimer, WaitForMultipleObjectsEx, GetCurrentThreadId, CreateThreadpoolWait, SetThreadpoolWait, WaitForThreadpoolWaitCallbacks, CloseThreadpoolWait, CreateThreadpoolWork, CloseThreadpoolWork, SubmitThreadpoolWork, QueryPerformanceFrequency, GetFullPathNameW, GetLongPathNameW, GetCPInfo, LocalAlloc, GetProcAddress, LocaleNameToLCID, LCMapStringEx, EnumTimeFormatsEx, EnumCalendarInfoExEx, CancelSynchronousIo, CreateIoCompletionPort, CreateThreadpoolIo, StartThreadpoolIo, CancelThreadpoolIo, DeleteFileW, DeviceIoControl, ExpandEnvironmentStringsW, FindClose, FindFirstFileExW, FlushFileBuffers, FreeLibrary, GetCurrentDirectoryW, GetFileAttributesExW, GetFileInformationByHandleEx, GetModuleFileNameW, GetOverlappedResult, GetSystemDirectoryW, OpenThread, QueryUnbiasedInterruptTime, SetConsoleCtrlHandler, SetFileInformationByHandle, SetFilePointerEx, SetThreadErrorMode, CreateThread, ResumeThread, GetThreadPriority, SetThreadPriority, GetDynamicTimeZoneInformation, GetTimeZoneInformation, GetCurrentProcessorNumberEx, SetEvent, ResetEvent, CreateEventExW, GetEnvironmentVariableW, CreateMutexExW, ReleaseMutex, FlushProcessWriteBuffers, WaitForSingleObjectEx, RtlVirtualUnwind, RtlCaptureContext, RtlRestoreContext, AddVectoredExceptionHandler, FlsAlloc, FlsGetValue, FlsSetValue, CreateEventW, SwitchToThread, SuspendThread, GetThreadContext, SetThreadContext, FlushInstructionCache, VirtualAlloc, VirtualProtect, VirtualFree, QueryInformationJobObject, GetModuleHandleW, GetModuleHandleExW, GetProcessAffinityMask, InitializeContext, GetEnabledXStateFeatures, SetXStateFeaturesMask, InitializeCriticalSectionEx, VirtualQuery, GetSystemTimeAsFileTime, DebugBreak, SleepEx, GlobalMemoryStatusEx, GetSystemInfo, GetLogicalProcessorInformation, GetLogicalProcessorInformationEx, GetLargePageMinimum, VirtualUnlock, VirtualAllocExNuma, IsProcessInJob, GetNumaHighestNodeNumber, GetProcessGroupAffinity, K32GetProcessMemoryInfo, EncodePointer, DecodePointer, HeapCreate, HeapDestroy, HeapAlloc, HeapFree, GetProcessHeap, RtlLookupFunctionEntry
ncrypt.dll	NCryptOpenKey, NCryptDeleteKey, NCryptOpenStorageProvider, NCryptGetProperty, NCryptFreeObject, NCryptImportKey, NCryptSetProperty
ole32.dll	CoInitializeEx, CoUninitialize, CoTaskMemFree, CoTaskMemAlloc, CoGetApartmentType, CoCreateGuid, CoSetProxyBlanket, CoCreateInstance, CoWaitForMultipleHandles
OLEAUT32.dll	SafeArrayGetLBound, SafeArrayGetUBound, SafeArrayGetElement, SafeArrayGetDim, VariantInit, VariantClear
USER32.dll	LoadStringW
VERSION.dll	VerQueryValueW, GetFileVersionInfoSizeExW, GetFileVersionInfoExW
WS2_32.dll	WSAConnect, WSAGetOverlappedResult, setsockopt, send, WSARecv, WSAIoctl, accept, WSASend, bind, getpeername, getsockname, closesocket, getsockopt, ioctlsocket, listen, recv, shutdown, WSAEventSelect, GetNameInfoW, GetAddrInfoW, FreeAddrInfoW, WSASocketW, GetAddrInfoExW, WSAStartup, WSACleanup, FreeAddrInfoExW, select
api-ms-win-crt-heap-l1-1-0.dll	_set_new_mode, _callnewh, malloc, calloc, free
api-ms-win-crt-math-l1-1-0.dll	log2, __setusermatherr, ceil, cos, floor, pow, sin, tan, modf
api-ms-win-crt-string-l1-1-0.dll	strcpy_s, strcmp, _stricmp, strncpy_s, wcsncmp
api-ms-win-crt-convert-l1-1-0.dll	strtoull
api-ms-win-crt-runtime-l1-1-0.dll	_cexit, __p___wargv, __p___argc, _exit, _initterm_e, terminate, _initterm, abort, _get_initial_wide_environment, _initialize_wide_environment, _configure_wide_argv, _register_thread_local_exe_atexit_callback, _set_app_type, _crt_atexit, exit, _initialize_onexit_table, _seh_filter_exe, _register_onexit_function, _c_exit
api-ms-win-crt-stdio-l1-1-0.dll	__stdio_common_vsscanf, __p__commode, _set_fmode, __stdio_common_vsprintf_s, __stdio_common_vfprintf, __acrt_iob_func
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale

Exports

Name	Ordinal	Address
CancelAsyncCall	1	0x1400093f0
ConnectServer	2	0x140009410
CreateEventSinkStub	3	0x140009430
CreateWbemLocator	4	0x140009530
CreateWbemUnsecuredApartment	5	0x140009560
DeleteInstance	6	0x140009590
DotNetRuntimeDebugHeader	7	0x140a6b338
ExecMethod	8	0x1400095c0
ExecNotificationQueryAsync	9	0x140009610
ExecQuery	10	0x140009650
Get	11	0x140009670
GetClass	12	0x1400096f0
GetMethod	13	0x140009730
GetNames	14	0x140009760
GetType	15	0x140009790
Next	16	0x1400097d0
Put	17	0x140009830
Reset	18	0x140009860
SetProxy	19	0x140009880
SpawnInstance	20	0x1400099b0

Version Infos

Description	Data
Translation	0x0000 0x04b0
CompanyName	RdpService
FileDescription	RdpService
FileVersion	1.0.0.0
InternalName	RdpService.dll
LegalCopyright
OriginalFilename	RdpService.dll
ProductName	RdpService
ProductVersion	1.0.0+7d98461023e29efbb97d9d072c8bff2bf7232dbe
Assembly Version	1.0.0.0

Network Behavior

⊘No network behavior found

Statistics

Click to jump to process

Memory Usage

• myRdpService.exe
• conhost.exe
• WerFault.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Behavior

• myRdpService.exe
• conhost.exe
• WerFault.exe

Click to jump to process

System Behavior

Analysis Process: myRdpService.exePID: 7116, Parent PID: 496

Function Logs

General

Target ID:	0
Start time:	01:43:14
Start date:	08/04/2025
Path:	C:\Users\user\Desktop\myRdpService.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\myRdpService.exe"
Imagebase:	0x7ff7079b0000
File size:	9'440'768 bytes
MD5 hash:	1E7BCF5B72FFECA190832D8305CF3310
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: hacktool_windows_moyix_creddump, Description: creddump is a python tool to extract credentials and secrets from Windows registry hives., Source: 00000000.00000002.1319577130.00007FF707EB7000.00000004.00000001.01000000.00000003.sdmp, Author: @mimeframe
Reputation:	low
Has exited:	true

Show Windows behavior

File Activities

File Written

Show Windows behavior

Section Activities

Sections loaded by Windows

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

Process Queried

Thread Activities

Thread Created

Thread Execution Resumed

Thread Delayed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Allocated

Memory Usage Statistics

Show Windows behavior

System Activities

System Information Queried

Process Token Activities

Token Adjusted

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7096, Parent PID: 7116

Function Logs

General

Target ID:	1
Start time:	01:43:14
Start date:	08/04/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68dae0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

File Activities

Volume Information Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Thread Activities

Thread Created

Thread Delayed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

Window Created

Window UI Enumerated

Message Posted to Windows UI

Window UIs Event Hook Set

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 7288, Parent PID: 7116

Function Logs

General

Target ID:	11
Start time:	01:43:20
Start date:	08/04/2025
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7116 -s 576
Imagebase:	0x7ff757830000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

File Activities

File Opened

File Created

File Written

File Attributes Queried

Other File Operations

Volume Information Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

Key Created

Key Deleted

Key Value Created

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Process Queried

Process Information Set

Process Suspended

Show Windows behavior

Thread Activities

Thread Created

Thread Execution Resumed

Thread Execution Suspended

Thread Terminated

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

System Information Set

Language or Locale ID Queried

System Information Queried

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

Window UI Enumerated

Show Windows behavior

Object Security Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report myRdpService.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_myRdpService.exe_2769d248aec10a5736d764775c3c9a7ebe42_52516480_4993dbb6-d058-4336-b7b9-79901f3df09b\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9345.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER93C3.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9403.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Windows Analysis Report
myRdpService.exe