Analysis
| Category | Package | Started | Completed | Duration | Options | Log(s) |
|---|---|---|---|---|---|---|
| FILE | exe | 2025-06-13 23:11:47 | 2025-06-13 23:43:15 | 1888 seconds | Show Options | Show Analysis Log |
procmemdump=1
import_reconstruction=1
unpacker=2
norefer=1
no-iat=1
2024-11-25 13:37:14,975 [root] INFO: Date set to: 20250613T10:48:40, timeout set to: 1800 2025-06-13 11:48:40,025 [root] DEBUG: Starting analyzer from: C:\tmpjeo7jmad 2025-06-13 11:48:40,025 [root] DEBUG: Storing results at: C:\fjXeEoN 2025-06-13 11:48:40,025 [root] DEBUG: Pipe server name: \\.\PIPE\OOOCeV 2025-06-13 11:48:40,025 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32 2025-06-13 11:48:40,025 [root] INFO: analysis running as an admin 2025-06-13 11:48:40,025 [root] INFO: analysis package specified: "exe" 2025-06-13 11:48:40,025 [root] DEBUG: importing analysis package module: "modules.packages.exe"... 2025-06-13 11:48:41,228 [root] DEBUG: imported analysis package "exe" 2025-06-13 11:48:41,228 [root] DEBUG: initializing analysis package "exe"... 2025-06-13 11:48:41,228 [lib.common.common] INFO: wrapping 2025-06-13 11:48:41,228 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation 2025-06-13 11:48:41,228 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\rdpinit.exe 2025-06-13 11:48:41,228 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option 2025-06-13 11:48:41,228 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option 2025-06-13 11:48:41,228 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option 2025-06-13 11:48:41,228 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option 2025-06-13 11:48:41,604 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser" 2025-06-13 11:48:41,634 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig" 2025-06-13 11:48:41,666 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise" 2025-06-13 11:48:41,666 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human" 2025-06-13 11:48:41,681 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops' 2025-06-13 11:48:41,681 [lib.api.screenshot] ERROR: No module named 'PIL' 2025-06-13 11:48:41,681 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots" 2025-06-13 11:48:41,697 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump" 2025-06-13 11:48:41,697 [root] DEBUG: Initialized auxiliary module "Browser" 2025-06-13 11:48:41,697 [root] DEBUG: attempting to configure 'Browser' from data 2025-06-13 11:48:41,697 [root] DEBUG: module Browser does not support data configuration, ignoring 2025-06-13 11:48:41,697 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"... 2025-06-13 11:48:41,697 [root] DEBUG: Started auxiliary module modules.auxiliary.browser 2025-06-13 11:48:41,697 [root] DEBUG: Initialized auxiliary module "DigiSig" 2025-06-13 11:48:41,697 [root] DEBUG: attempting to configure 'DigiSig' from data 2025-06-13 11:48:41,697 [root] DEBUG: module DigiSig does not support data configuration, ignoring 2025-06-13 11:48:41,697 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"... 2025-06-13 11:48:41,697 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature 2025-06-13 11:48:41,838 [modules.auxiliary.digisig] DEBUG: File is not signed 2025-06-13 11:48:41,838 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json 2025-06-13 11:48:41,838 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig 2025-06-13 11:48:41,838 [root] DEBUG: Initialized auxiliary module "Disguise" 2025-06-13 11:48:41,838 [root] DEBUG: attempting to configure 'Disguise' from data 2025-06-13 11:48:41,838 [root] DEBUG: module Disguise does not support data configuration, ignoring 2025-06-13 11:48:41,838 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"... 2025-06-13 11:48:41,853 [modules.auxiliary.disguise] INFO: Disguising GUID to cc17bb19-36d5-4bb7-8ca8-ceb2ec530a08 2025-06-13 11:48:41,853 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise 2025-06-13 11:48:41,853 [root] DEBUG: Initialized auxiliary module "Human" 2025-06-13 11:48:41,853 [root] DEBUG: attempting to configure 'Human' from data 2025-06-13 11:48:41,853 [root] DEBUG: module Human does not support data configuration, ignoring 2025-06-13 11:48:41,853 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"... 2025-06-13 11:48:41,853 [root] DEBUG: Started auxiliary module modules.auxiliary.human 2025-06-13 11:48:41,853 [root] DEBUG: Initialized auxiliary module "Screenshots" 2025-06-13 11:48:41,853 [root] DEBUG: attempting to configure 'Screenshots' from data 2025-06-13 11:48:41,853 [root] DEBUG: module Screenshots does not support data configuration, ignoring 2025-06-13 11:48:41,853 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"... 2025-06-13 11:48:41,853 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled 2025-06-13 11:48:41,853 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots 2025-06-13 11:48:41,853 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets" 2025-06-13 11:48:41,853 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data 2025-06-13 11:48:41,853 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring 2025-06-13 11:48:41,853 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"... 2025-06-13 11:48:41,869 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696 2025-06-13 11:48:41,900 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmpjeo7jmad\dll\696.ini 2025-06-13 11:48:41,900 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor 2025-06-13 11:48:41,900 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor 2025-06-13 11:48:41,900 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor 2025-06-13 11:48:41,900 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor 2025-06-13 11:48:41,900 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor 2025-06-13 11:48:41,900 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor 2025-06-13 11:48:41,900 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpjeo7jmad\dll\asYlzPM.dll, loader C:\tmpjeo7jmad\bin\UYYnOhpx.exe 2025-06-13 11:48:41,978 [root] DEBUG: Loader: IAT patching disabled. 2025-06-13 11:48:41,978 [root] DEBUG: Loader: Injecting process 696 with C:\tmpjeo7jmad\dll\asYlzPM.dll. 2025-06-13 11:48:42,010 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'. 2025-06-13 11:48:42,010 [root] INFO: Disabling sleep skipping. 2025-06-13 11:48:42,025 [root] DEBUG: 696: Full process memory dumps enabled. 2025-06-13 11:48:42,025 [root] DEBUG: 696: Import reconstruction of process dumps enabled. 2025-06-13 11:48:42,025 [root] DEBUG: 696: Active unpacking of payloads enabled 2025-06-13 11:48:42,025 [root] DEBUG: 696: CAPE debug - unrecognised key norefer. 2025-06-13 11:48:42,025 [root] DEBUG: 696: TLS secret dump mode enabled. 2025-06-13 11:48:42,025 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542 2025-06-13 11:48:42,041 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable 2025-06-13 11:48:42,041 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0 2025-06-13 11:48:42,041 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF824820000, thread 6892, image base 0x00007FF60D500000, stack from 0x0000008EFAA74000-0x0000008EFAA80000 2025-06-13 11:48:42,041 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe 2025-06-13 11:48:42,056 [root] DEBUG: 696: Hooked 5 out of 5 functions 2025-06-13 11:48:42,056 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread. 2025-06-13 11:48:42,056 [root] DEBUG: Successfully injected DLL C:\tmpjeo7jmad\dll\asYlzPM.dll. 2025-06-13 11:48:42,056 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe> 2025-06-13 11:48:42,056 [root] DEB <truncated>
Machine
| Name | Label | Manager | Started On | Shutdown On | Route |
|---|---|---|---|---|---|
| win10-2 | win10-2 | KVM | 2025-06-13 23:11:47 | 2025-06-13 23:42:57 | none |
File Details
| File Name |
rdpinit.exe
|
|---|---|
| File Type | PE32+ executable (GUI) x86-64, for MS Windows |
| File Size | 363520 bytes |
| MD5 | 5724cc21c37cdb95519402b93ba74024 |
| SHA1 | b58d368dd72b8b01adf9861f90f81eb49d999a4d |
| SHA256 | 28841ff3ed4eac80df25970c163a652d58517d8fe971383ef50073cc8b2aefc3 [VT] [MWDB] [Bazaar] |
| SHA3-384 | a2d83be0c5727598ff55b280f779a1c077d68f17123faff22f23f06ddd20b60fdbe41545431556cd0d9b11d9c7090be4 |
| CRC32 | 8ECF805B |
| TLSH | T147747D29E7BC14F4D577D13C8A934B09F6B2780C0BA29ACB12B4821A1F3B9D16D3DB55 |
| Ssdeep | 6144:gtbds62yySUXVz7wbOh/UL8jdgaU+H8Xj9RNCF7Rtv0Pm6gDdJCoT6:AbwnFz7wbo/U/T7NZPMDi |
| PE | File Strings BinGraph Vba2Graph |
Full Results
| Engine | Result | Engine | Result | Engine | Result |
|---|
Failed to terminate timer list lock
Windows.UI.Xaml.Hosting.XamlRuntime
%s:%lu;%s:%s;%s:%s;%s:%lu
@.data
SelectObject
WindowsCreateStringReference
CSingleExeInstance.Initialize failed
RemoteAppTrayEventSessionLogoff
Initialize failed
GetStartupInfoW
ReleaseMutex
mscoree.dll
Z0E8U
fD9<Ou
Saturday
UnionRect
CreateSemaphoreExW
Sunday
CTSEventFilterAllowAllEvents
86uGf
u*9Q<|%
CRemoteAppImmersiveHost::Initialize failed
termsrv\rdpplatform\common\rdplibs\cloaksync\windowstatechecker.cpp
@SVWAVH
DestroyPrivateObjectSecurity
DoFirstShellInitializationInternal failed
L$xE3
CreateWindowExW
Fail to add thread to thread descriptor
t0D8`
SetCursor
AppReadinessTaskStart failed
epA_A^]
R6024
eTHxV
</security>
RemoteAppInitEventInitializedSuccess
CheckForRailSession failed
Malgun Gothic
9s0vHH
ConnectionCheckpoint
H!\$ E3
CAppBarManager
RemoteApp Logon Application
VWAVH
@A_A^A]H
Failed to retrieve the activity ID. Event logging will not be per-session
L$xH3
Microsoft Corporation
LCMapStringW
L9}0u8
e+000
LoadLibraryExW
D!t$$H
CPrivilegedPresentationOperations
OutputDebugStringA
RemoteAppTrayEventNoVisibleWindow
CPrivilegedPresentationOperations instance not available (may not be supported)
X\?E/5
D$pH;
USVWATAUAVAWH
L9sHs@
@SUVWAVH
- unexpected multithread lock error
SetStdHandle
d$`E3
Failed TSCreateLpcServer
StringCchPrintfW (WinStations szRegistryKey) failed
.idata$5
inbox
;D$XuTH
_BaseClass::Initialize failed
K32GetModuleFileNameExW
l$PE3
RpcBindingFree
CRemoteAppImmersiveHost::Start failed
|$pE3
S~=5p
RemoteAppTrayEventOnDisconnectedFailed
.pdata
NtQuerySystemInformation
PlaceCallback failed
Microsoft
RemoteAppInitEventConnected
Failed to create thread signal
CRdpShellHelper.Initialize failed
Microsoft JhengHei UI
_BaseClass::Terminate failed
plWindowID
CreateServerCloakSyncComponent failed
.data$r$brc
RdpRailDiagnosticsLogging_Register failed
DwmpGetColorizationParameters failed
t2D8`
9iDtgI
GetMessageW
GetModuleHandleExA
pszListenerName
operation
700PP
ew0hp
SetEvent
t$ WATAVH
L$XE3
WindowCloakingTrackerWindowCloakStateChanged failed
RpcServerInqBindingHandle
Unable to get a TSMsg from pool!
ReportRailShellExec: Couldn't obtain Pid
m]#0D
OnWindowCloakedRemotely failed
R6033
0A^_^
fRunAppReadiness
CTSEventFilterAllowSpecifiedEvents
t>D8h
E9~pt
%hs!%p:
IImmersiveShellController::Stop failed
8L$8t
f4Og|
JanFebMarAprMayJunJulAugSepOctNovDec
0A_A^A\_^
CTSPlatform
Failed to copy application start param
CoCreateFreeThreadedMarshaler
R6027
shell32.dll
Proxy Desktop
p WAVAWH
Ok:@+
ResyncWindow failed
UIA_WindowVisibilityOverridden
Microsoft Visual C++ Runtime Library
RoGetAgileReference
CoCreateInstance
t$ UWAUH
L$<9K
GetStringTypeW
R6009
BitmapInfoFromHbitmap (mask) failed
Yu Gothic UI Semibold
TSCreateTaskbarTrayFn failed
g_RailOrderEncoder.EncodeRailOrder TS_SHELL_NOTIFY_ESCCODE failed
CoInitializeEx failed
SwitchToThread
prcSnapArrangement
.CRT$XIA
NotificationSettings::SetGlobalSetting (NOC_GLOBAL_SETTING_NOTIFICATIONS_ENABLED) failed
L$@;|
|$(E3
DispatchMessageW
{HH9?tW3
ffffff
CreateInstance failed for CTSBufferResult!
fA9,Au
OpenEventW
Microsoft JhengHei UI Bold
H!_8H!_@H!_H
t9D8h
DestroyIcon
ResetEvent
x UAVAWH
GetSidSubAuthority
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
@A__]
XA_A^A]A\_^][
FileDescription
SetRemoteCloakSyncManager failed
m_spApplicationActivationManager
StateTransitionSuccess
\$ UVWH
directory
SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\
rdpIcon.FillEscape failed
ul%G1
RdpInitVersion
\$ VWAVH
UWATAVAWH
?3u f
Advapi32.dll
bgOne
Failed to unregister the thread window class
ntdll.dll
InitializeCriticalSection
PathCchRemoveFileSpec
A_A^A\_^
SetWindowLongPtrW
DestroyThread failed
- unable to open console device
R6018
m_remoteCloakManager already set
CoWaitForMultipleHandles
runtime error
CopyImage
FALSE
A9p t
D$(E3
fD9<Hu
?:NULL
RefreshCache failed
RtlPublishWnfStateData
message
0A_A^_^]
%s:%lu
D$pL9?t
L$(E3
Failed to grab timer list lock
.rdata$zETW9
RpcServerInqCallAttributesW
UVWAVAWH
L$0E3
OnWindowCloakedLocally failed
L$8H3
DoFirstShellInitialization failed
GetActivationFactory (Windows.UI.Xaml.Hosting.XamlRuntime) failed
A_A^A\_]
StringCchCopy failed
10.0.17763.168
TerminateProcess
\$ UVWAVAW
Failed in StringCchCopy
RemoteAppInitStateStarted
SetPropW
1#IND
source
CompareStringW
A_A^A]
UrlIsW
fD9*r!
api-ms-win-core-biplmapi-l1-1-4.dll
E0HcH
@A_A^A]A\_^[
.CRT$XPZ
0A^A\_
Failed in GetCurrentExePathName
RpcStringBindingComposeW
ShellInitProgram
H!_xH
NdrServerCall2
.text$x
CreateMutexW
T$ E3
m_localCloakManager already set
KillTimer
.xdata$x
L$HH3
A^_^
9t$Pt/H
GetModuleHandleW
Segoe UI
RpcServerListen
96u?A
@t8D8i
L$ E3
t:HcT$@L
ART:UserLogon
GetRandomNumber failed
.giats
kernelbase.dll
GetConsoleCP
StringCchPrintf for endpoint name failed
('8PW
0A_A^_
OriginalFilename
.CRT$XPX
DL$`H
name="Microsoft.Windows.TerminalServices.RDPInit"
An application has made an attempt to load the C runtime library incorrectly.
@8l$Ht
usD95
Thread initialization failed
fD94Au
Terminate failed
RemoteAppInitEventDisconnected
\$8E3
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
RemoteAppInitEventInitializedFailure
TSCreatePlatform failed
9D$<u[E
GetFileType
L$&8\$&t,8Y
WTSQuerySessionInformationW
PostShellHookMessage failed
UVWATAUAVAWH
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
GetOEMCP
CloseHandle
L$8E3
@.reloc
t-D8h
sessionId
HA_A^A]A\_^[]
VirtualProtect
D9K(t
GetSystemTimeAsFileTime
A^_]
SetWaitableTimer
~8D9~8uUH
dwmapi.dll
}8E9}8uUH
Wednesday
RemoteAppInitEventStarted
@8=5|
February
xv#?H
04557228-209a-46b4-aaa4-4eb4c84db7a2
RemoteAppInitEventAppExecuted
RegisterWindowMessageW
|$PD9|$XtPD
H!_@!_H!_pH
Leelawadee UI Bold
L9}0uM
SetUnhandledExceptionFilter
;D$@u
IRemoteAppPrivilegedOperationBroker::SetWindowCloaked failed
MessageBoxA
SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\
bad exception
- floating point support not loaded
D$ E3
.text
H!|$ A
NdrClientCall3
November
@UATAUAVAWH
FlsGetValue
SetWindowCloaked failed
TaskbarCreated
t4D8h
.rdata$brc
SetWindowPos
GetEnvironmentStringsW
Created Block All Filter failed
;D$Xu
D8t$Ht
CTsWindow
D:(A;;GA;;;WD)
RemoteAppLogoffTimeLimit
LocalAlloc
.idata$4
O0HcQ
z?aUY
Failed to get timer HWND
GetACP
abcdefghijklmnopqrstuvwxyz
GetTokenInformation
Microsoft YaHei UI Bold
L$xH;E
CreateWaitableTimerExW
WTSDisconnectSession
VerSetConditionMask
TSPlatformStaticInit failed
NtCreateWnfStateName (SendCloak) failed
CAppBarManager.Initialize failed
fD91t
Failed to get module specific class name
D$09D$4tEH
HcD$ H
t$0fA
t$8;;
@USVWAVAWH
TraceMessage
Failed to initialize timer list lock
0A_A^A]A\_^]
( 8PX
RpcBindingToStringBindingW
%s:%lu;%s:%lu
|$@E3
fD90t
oLW\f
ThreadMsgLoop failed
CRemoteAppImmersiveHost
H!\$@H
CreateEventW
H!|$H3
|$ AVH
DeleteObject
.text$mn$00
t$ WH
/AlternateShellStartup
SetLastError
fA9,Su
.rsrc$01
Microsoft JhengHei UI Light
L$8D;GD
CallContext:[%hs]
DebugBreak
FillIconEscHelper failed
SendAppBarState failed for ABM_REMOVE
IImmersiveShellController::Start failed
RemoteAppInitEventShellStartedFailure
R6008
9s0vQH
CoTaskMemRealloc
StartLogShellNotificationCreationTimerThread failed
VirtualAlloc
Fail to run queue events
R6002
AppExecute
t+D8h
Re-Start RdpShell failed
GetTraceEnableLevel
R6030
CoCreateInstance (CLSID_ApplicationActivationManager) failed
CTSBufferResult
IsWindow
$(SQO
- not enough space for _onexit/atexit table
LeaveCriticalSection
;\$ |
IRemoteAppPrivilegedOperationBroker::SetWindowSnapArrangement failed
!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
L$ SVWH
GetTraceLoggerHandle
newState
Microsoft Corporation. All rights reserved.
D$PHcH
.?AVexception@@
L$PH3
.CRT$XPXA
CTSThread
.text$yd
CoAllowSetForegroundWindow failed
ITSPlatform::CreateThread failed
GetWindowLongPtrW
CopyIcon
D9t$L
%s:%lu;%s:%s;%s:%s;%s:%s;%s:%d;%s:%lu
H!L$ E3
D$xH;
-64OS
PA_A^_^]
LcA<E3
TaskbandHWND
CRailTaskbar.Initialize failed
CoCreateInstance (CLSID_AppReadinessService) failed
api-ms-win-core-winrt-l1-1-0.dll
H WATAUAVAWH
October
@.rsrc
SHGetKnownFolderIDList failed
CoCreateInstance (CLSID_NotificationController) failed
f;D$@u6
LcMpE
.imrsiv
byjA`
`A_A^A]A\_^]
l$ E3
GetThreadId
CTSThreadInternal
LegalCopyright
DwmpSetColorizationParameters
CryptGenRandom
D95%t
SetWindowSnapArrangement failed
Malgun Gothic Semilight
VirtualQuery
,B>DY
DispatchAsyncCall OnDisconnected failed
zuWL9
R6019
TSCreateRdpShellHelper failed
Ly^X`
- Attempt to use MSIL code from this assembly during native code initialization
@A_A^A]A\_^]
Program:
EtwEventActivityIdControl
L$0H3
SendWndObjSetup failed
RemoteAppInitStateDisconnected
isSxS
.rdata$zzzdbg
api-ms-win-core-path-l1-1-0.dll
T$49S
Unable to push new event filter
L$@H!|$@
WAxK0i
WAVAWH
.rdata
H!_0H!_8!_@!_DH!_HH
y$L9=Q
SetThreadStackGuarantee
QueryFullProcessImageNameW
Da6N^
D9l$huBH
%UM;%
\$pH;
9\$ ~EL
L$ WH
DwmSetWindowAttribute
H9upt
<assemblyIdentity
Runtime Error!
x AWH
- not enough space for thread data
wt)fA
CoGetApartmentType
g_RailOrderEncoder.EncodeRailOrder re-try failed for TS_WINDOW_APPBAR_INFO_ESCCODE
WaitForSingleObject
t$pE3
L$ UVWATAUAVAWH
OpenProcessToken
GetClassInfoExW
CRdpShellHelper
GetModuleFileNameA
RemoteAppInitEventUnknownFailure
shellNotificationOwnerHandle
H!|$(H!|$0H
SystemParametersInfoW
t1D8`
RemoteApp Marker Window
InitializeForReuse failed!
LO@D9GDD
SVWATAUAVAWH
CTSBufferResult::CreateInstance failed!
0A_A^A\
k`z2if
Failed to add timer to timer list
RegisterShellHookWindow
SHGetKnownFolderPath
PAL_SYS_WIN32_TIMER_WNDCLASS
.idata$3
IImmersiveShellBuilder::CreateImmersiveShellController failed
D9l$huAL
?ffffff
t$ UH
RemoteAppEmptySessionDisconnectTimeoutBeforeFirstAppLaunch
H!\$ H
OnUpdateAppBarRemotingSupport failed
RemoteAppInitStateConnected
RtlDllShutdownInProgress
It*fA
d$DE3
ew|>&=4_
thread descriptor creation failed in bind path
ResetBitmapInfo failed
WdPrefix
GetTokenIntegrityLevel for caller failed
CreateInstance failed for CTSMsg!
t6fD9[
ITSThread::BindThread failed
(_^][
uJH;i
UATAUAVAWH
trayEvent
HeapFree
Malgun Gothic Bold
RemoteAppTrayEventStopFailed
GetTickCount
Microsoft YaHei UI Light
T$PE3
+D$hD3
WTSFreeMemory
fTabbedAppsSupported
g_RailOrderEncoder.EncodeRailOrder TS_WINDOW_ICON_ESCCODE failed
.CRT$XIY
Friday
L$@H3
PostMessageW
TaskbarButtonCreated
IsValidCodePage
/>
GetRdpShellName failed
CoCreateInstance (CLSID_StartMenuCacheAndAppResolver) failed
D9t$h
SUVWATAUAWH
ITSPlatform.Initialize failed
UWAVH
\$0H;
MultiByteToWideChar
CRailOrderEncoderHelper::EncodeRailOrder failed due to NULL RPC binding
A_A^A\
EventSetInformation
CTSMsg::CreateInstancePool failed!
AppExecutionFailure
spThreadDescriptor init failed
rdpinit.exe
UWAUAVAWH
OutputDebugStringW
UnregisterTraceGuids
IsRailAllowed failed
ri9O vdH
ReturnHr
SHELL32.dll
gu"E3
(unknown)
L!|$HL!
L$HH!|$ E
DispatchAsyncCall OnNotifyLogoffParameterChange failed
gfffA
A^A\]
.CRT$XTA
RpcBindingSetAuthInfoExW
Local\RdpInitSxSMutex
RailOrderEncoderRPC#%d#%s
A^_^[
RemoteAppInit
Failed to initialize buffer result!
t.D8a
CreateProcessW
Failed to init in thread context
@SUVWATAVAWH
WATAUAVAWH
UnregisterForNotifications failed
!\$0H
RunQueueEvent failed
D9=pC
A_A^A]A\_
|$ E3
\$ UH
ADVAPI32.dll
.CRT$XTZ
R6032
CreateThread
L9{0t#H
.00cfg
RemoteAppInitEventShellStartedSuccess
FreeLibrary
CryptAcquireContextW
!|$(H!|$ E
FailFast
1#INF
'R{=f
T$0E3
SendAppBarEdge failed
T$dE3
OpenThreadToken
ATAVAWH
CompanyName
hgtlCm
GetCurrentThreadId
L$pI;
Failed to SendOverlayDescription
CoCreateInstance (CLSID_ImmersiveShell) failed
!4, !
u HcA<H
@SVWATAUAVAWH
O0LcQ
((((( H
devplatMain.Initialize failed
GetProcessHeap
Sleep
ProcessIdToSessionId
SetLocalCloakManager failed
@A_A^A]A\_
z?801i:It6
FreeLibraryAndExitThread
t$ UWATAVAWH
D$x8L$Xt
D9t$d
dddd, MMMM dd, yyyy
newStateId
ShellExecuteExW
ConnectionFailure
ABCDEFGHIJKLMNOPQRSTUVWXYZ
|$ H;
RegOpenKeyExW
ReleaseSemaphore
0A_A^A]
l$@E3
CreateThread failed
WindowCloakingTrackerAddWindow failed
GetSidLengthRequired
initEventId
RemoteAppTrayEventUnknownFailure
|$LD9d$L
GetObjectW
<program name unknown>
l$ VWAVH
RdpInitTelemetryTraceLogging_Register failed
ITSThread::DestroyThread failed
A^_^][
ReleaseGlobalCacheObject failed
L$ SUVWH
StateTransitionFailure
t*@8x
Default
r=D8v
Failed StringCchPrintf
RegisterClassExW
!|$@H
R6028
crdpshell.exe
IuifA
OnWindowUncloakedRemotely failed
CRemoteAppShellWindow
RpcImpersonateClient
WaitForMultipleObjects
AssocQueryKeyW
UATAVH
D$PE3
SetTaskmanWindow
t.@8x
D$`Hc
fD92t
Failed to create thread signal event
Failed to run thread events
(caller: %p)
uiAccess="false"
CTSSyncWaitResult::CreateInstancePool failed!
internal
RPCRT4.dll
OpenProcess
(null)
g_spTray
t(D8`
RemoteAppInitStateShellDestroyed
040904B0
Failed to QI
Please contact the application's support team for more information.
.CRT$XIC
.rdata$zETW2
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
params
- not enough space for lowio initialization
StartThread failed
`A_A]A\_^][
PA_A^A\_^][
L$XHc
BiNotifyNewSessionComplete
HcA<H
VerifyVersionInfoW
D95Zv
A_A^A]A\_^]
isDocument
RpcStringBindingParseW
PeekMessageW
A_A^]
l$HE3
JHcH<
RemoteAppSkipFirstShellInit
SHLWAPI.dll
TranslateMessage
fE94Gu
D8T$Ht
RpcStringFreeW
;D$0u
September
fA9,Ju
{ ATAVAWH
RunAppReadinessTask failed
|$@-L
GetCurrentExePathName
CRemoteAppImmersiveHost::Stop failed
D$XL9~Xt!
WideCharToMultiByte
RegQueryValueExW
Failed Bind to RailOrderEncoder RPC endpoint
@SVWH
VarFileInfo
VWAUAVAWH
GetLastActivePopup
CoSetProxyBlanket failed
1#QNAN
connectionStage
HcC H
t6D8`
m_spAppBarTrayFn
CreateFileW
CreateInstance (IRemoteAppPrivilegedOperationBroker) failed
Local\SM0:%d:%d:%hs
RegGetValueW
wszApplicationStartParam
L$PE3
HH:mm:ss
RemoteAppInitStateInitialized
HcK H
api-ms-win-core-winrt-string-l1-1-0.dll
FormatMessageW
SendAppBarState failed for ABM_NEW
version="5.1.0.0"
H9q0t
t/D8p
InitializeCriticalSectionAndSpinCount
<security>
PathUnquoteSpacesW
H9~Ht
CoUninitialize
<!-- Copyright (c) Microsoft Corporation -->
<requestedExecutionLevel
Failed to copy overlay string into escData
A_A^A]A\_
L$8A;
CShellNotifyManager
Failed to create default buffer result buffer!
sQPI[5T
DeleteCriticalSection
- unexpected heap error
RaiseException
Failed to terminate timer globals
RtlCaptureContext
+t$LD
`.imrsiv
CoCreateInstance (CLSID_ImmersiveShellBuilder) failed
x ATAVAWH
{HH9?t`3
gfffffffH
IAppReadinessService::EnterLogonPhase failed
d|BNeU
WindowCloakingTrackerRemoveWindow failed
RpcRevertToSelf
GetWindowThreadProcessId
HeapReAlloc
GetStdHandle
AddCallback failed
Reset failed
RailShowLocationNotifyIcon
RemoteAppInitStateError
PathFindExtensionW
GetIconInfo
UnregisterClassW
WriteFile
Unable to create allow all filter
CLrpcServer
%p-%s
WindowCloakingTrackerReset failed
RpcEncodeRailOrder failed
1#SNAN
A_A^A\
This indicates a bug in your application.
DestroyWindow
d$PH;
D$0H;
SHELLHOOK
t6D8i
AgileGitPtr.Initialize (IRemoteAppPrivilegedOperationBroker) failed
x AUAVAWH
E0Lcx
processName
RpcServerUseProtseqEpW
GetBuffer failed
L9K@t
xwpwpp
March
t8HcL$HH
- unable to initialize heap
^BNQ,^
CPrivilegedPresentationOperations::Stop failed
DeleteDC
SHGetKnownFolderIDList
CorExitProcess
Tuesday
WTSLogoffSession
m_spCloakSyncComponent
RailShowAllNotifyIcons
H
t$HA+
A^A]_^]
- not enough space for locale information
Reset is only designed to be called by the server
LoadCursorW
t^@8=_|
NdrServerCallAll
Thursday
RtlLookupFunctionEntry
MsgWaitForMultipleObjectsEx
internal\sdk\inc\wil\resource.h
GetTraceEnableFlags
L$xH;
[%hs(%hs)]
yncalrpc
QueryPerformanceCounter
December
t$0E3
GetCommandLineA
;L$`s
VY$[X
\$ UVWATAUAVAWH
StringFileInfo
Unable to create allowed event list filter
pdwProcessId
t$ WAVAWH
0A_A^A]A\_
Microsoft YaHei UI
ole32.dll
CPrivilegedPresentationOperations::Start failed
gxI3!'
Local\AppReadinessCompletionEvent
GetCPInfo
First-run thread message loop failed
GetTokenIntegrityLevel for self failed
Vving1
Updating max icon size for the tray icon failed.
GetWindowThreadProcessId failed
$>b~t
7T})gW
.text$mn
StringCchPrintfW (Wds szRegistryKey) failed
D$XE3
D9l$hu&D9
szAppUserModelId
CoCreateInstance (NotificationSettings) failed
HcD$HH;
xpxxxx
SUVWATAUAVAWH
/fD9{
%s%s%s
t5D8h
DecodePointer
EventWriteTransfer
T$8H!t$8H
` AUAVAWH
hwp1p0
`h````
OpenThread
,X< w
T$@E3
L$`H3
D+%\J
D$@E3
TsWindow_GeneralWindowClass
|$@L9|$Xt
CONOUT$
CTS_TLS_ThreadDescriptor
GetUserObjectInformationA
OHcP<
L$ SWH
- not enough space for environment
!_@H!_8!_XH!_PH!_`3
d$`H;
t6D8h
CTimedCallback::CreateInstance failed
Failed StartServer
GetItem failed
D9l$hu&D9}
TLOSS error
IsDebuggerPresent
EventActivityIdControl
.rdata$zETW1
d$DD+
USER32.DLL
@A_A^A\
RtlVirtualUnwind
RpcServerRegisterIfEx
D$PfD
H9y8t
t:D8a
April
GetModuleFileNameW
NtCreateWnfStateName
RaiseFailFastException
+dBVY
A_A^A]_^
SHCreateAssociationRegistration
D9|$l
SetTimer
D9y8u
?6uIf
Monday
RemoteAppEmptySessionDisconnectTimeout
TSCreateRailIcon failed
L!|$hH
.CRT$XCA
CryptReleaseContext
w9X!P/
lstrcmpW
DOMAIN error
RoGetActivationFactory
NtQueryInformationProcess
KERNEL32.dll
WINSTA.dll
L9}0u
m_spPlatform
0A_A^A]_]
t$8H+
RemoteAppInitEventShellDestroyed
T$8H!\$8
UnhandledExceptionFilter
R6016
FWph?r
9D$Ptf
WTSGetActiveConsoleSessionId
t3D8i
Shell_TrayWnd
HeapCreate
>(uBI
QueryService (SID_ImmersiveShellHookService) failed
DefWindowProcW
EventUnregister
t$ AVH
taD9
GetVersionExW
Failed to Signal Event Queue
Rdptray
GetProcessWindowStation
fBlockToastNotifications
SLGetWindowsInformationDWORD failed!
VS_VERSION_INFO
H!|$ E3
T$@fH
x UATAUAVAWH
A_A^_^]
.CRT$XCZ
initEvent
Unable to create blocking filter
PostQuitMessage
D9l$huhD
ltAfA
StringCchPrintf for random number failed
ActivateApplication failed
Given NULL tray window
Exception
L$pH;E
TraceLoggingRegister Failed
Unable to add the current thread to the descriptor
R6034
.CRT$XPA
WaitForMultipleObjectsEx
.data
L$pH;
RtlUnwindEx
Microsoft.Windows.RemoteDesktop.RAIL.RdpInit
T$$D!t$ H
Segoe UI SemiBold
kRich
InitializeSid
[%hs]
GetActiveWindow
OnWindowUncloakedLocally failed
L$xI;
CRdpTray
R6017
80tWD
\$ UVWAVAWH
GetProcAddress
phContext
l6s+o
</trustInfo>
ProductName
CRemoteAppShellWindow::Initialize failed
<5}5I;
TlsGetValue
CreateCompatibleDC
Failed to create ITSThreadInternal
codeSymbolic
htvfA
CTSEventFilterBlockAllEvents
.idata$6
D$`E3
ExitProcess
L$lE3
twIcF
fE9,pu
fD9d$b
Invalid parameter passed to C runtime function.
CRailTaskbar
8#4u4u
AddWindow failed
ShellNotificationLaunchedInfo
D$HE3
D9ipt
R6025
H!|$ H
type="win32"
E0D8uAH
- pure virtual function call
WinStationGetConnectionProperty
t$ UWAVH
FileVersion
HeapSize
WTSAPI32.dll
|$hA;
ePA_A^A]A\_^]
p AWH
TlsAlloc
CRailNotifyExec
rY&'K
GetConsoleMode
RtlPcToFileHeader
t$ E3
SendNotifyMessageW
xA^_^[
Rail_TabWnd
CancelCallback failed
result
@W=7A=
GetProcessMitigationPolicy
A_A^_
A_A^A\_]
CTSMsg
Segoe UI Light
SetFilePointer
<requestedPrivileges>
^CRailIcon
%SystemRoot%\System32\runonce.exe
AppReadinessTimeout
T$hE;
```hhh
@Qm6t
Unknown exception
SyncAppBars failed
gNT AUTHORITY\SYSTEM
RemoteAppInitEventFinished
AddCallback for OnLogoffTriggerCheck failed
rdpinit.pdb
CoTaskMemAlloc
CreateMutexExW
L$XL+
EventRegister
d$`I;
TrayEvent
ReportRailShellExec: Invalid Process Handle
D82u&H
D9G`ukH
CoInitializeEx
GDI32.dll
RpcMgmtWaitServerListen
~PD9~P
GetProcessId
pStateName
HeapAlloc
A_A^A\_^
d$`A;
L9|$@t
FlsFree
|$ UATAVH
HcM H
Microsoft.Windows.RemoteDesktop.RAIL.Server.Diagnostics
t2D8h
CLrpcServer Initialize failed
tkD8`
L$pH3
.data$brc
FreeEnvironmentStringsW
H3E H3E
InternalName
QueryService (SID_RemoteAppBrokerFactory) failed
D$09h
<description>RemoteApp Logon Application</description>
lpvoid
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
August
t!9\$8u
\$`E3
MM/dd/yy
.rsrc$02
NotifyNewSession failed
L9<1tIH
trayEventId
en-US
RegisterForNotifications failed
TlsSetValue
ART:UserFirstLogon
CoSetProxyBlanket
.text$di
FlsAlloc
CTSObjectPool
TSCreateShellNotifyTrayFN failed
PAL_SYS_WIN32_THREAD_WNDCLASS
VWATAVAWH
</requestedPrivileges>
IJnwzF
Unable to get a SyncWaitResult from pool!
|$ D!
This application has requested the Runtime to terminate it in an unusual way.
GetCurrentProcessId
t5HcP
I_RpcExceptionFilter
termsrv\rdpplatform\common\rdplibs\cloaksync\cloaksynccomponent.cpp
R6026
.rdata$zETW0
RSDS2
BiNotifyNewSessionComplete failed
D$0D9p
H!|$PA
10.0.17763.168 (WinBuild.160101.0800)
RegFlushKey
D$`L9o
oldStateId
executableName
IXamlRuntimeStatics::put_EnableWebView failed
tpfD9[
CTSBufferResult::CreateInstancePool failed!
;khw0D
WaitForSingleObjectEx
D9l$hu#D9}
Local\RdpInitMutex
StartRdpShell failed
ttD8h
RpcBindingFromStringBindingW
WriteConsoleW
SetShellWindow
GetSystemMetrics
D$ %A
!4( !
GetPooledObject(CTSBufferResult) failed
D$0%3
Invalid m_role %d
R6031
Failed g_RailOrderEncoder.Start
- not enough space for arguments
H9]xt
@USVWH
CoTaskMemFree
PostThreadMessageW
f;D$@u
processorArchitecture="amd64"
RemoteAppInitStateFinished
tRLcY
.CRT$XIZ
PathCchAppend
E@D8mQH
StartNotificationController failed
EncodePointer
.text$mn$21
!This program cannot be run in DOS mode.
Msg:[%ws]
@A^_^
Failed to add callback to thread!
DwmGetWindowAttribute
Lct$$H
SING error
A_A^A]A\_^[
!|$LI
.?AVbad_exception@std@@
D+%,P
USER32.dll
ptbfA
January
Failed in PathCchRemoveFilespec
GetCurrentThread
SetProcessShutdownParameters
t"D8=
Initialize failed
|$`H;
Yu Gothic UI Light
tDE3
D$ fD
appUserModelId
- Attempt to initialize the CRT more than once.
L9{@u
OpenSemaphoreW
l$HtD
Unable to QI for IID_ITSQueuedCallback
HeapSetInformation
f9H\u
EnterCriticalSection
.CRT$XCU
zc%C1
\$ E3
StartRdpShellHelper failed
ConvertStringSecurityDescriptorToSecurityDescriptorW
GetItem failed!
g_RailOrderEncoder.EncodeRailOrder TS_WINDOW_CHANGE_ESCCODE failed
@t1D8p
E9~Pt
ppPrivilegedPresentationOperations
%hs(%d) tid(%x) %08X %ws
- not enough space for stdio initialization
RemoteAppInitStateShellRunning
700WP
GetCurrentProcess
Failed in PathCchAppend
8A_A^_^[]
oldState
Leelawadee UI Semilight
DispatchAsyncCall OnShellNotifyEvent failed
RemoteAppInitStateNotStarted
d$ E3
uOD9G
LocalFree
Failed g_RailOrderEncoder.Initialize
`A^_]
ePD9vP
</assembly>
Translation
D$`D3
BitmapInfoFromHbitmap (color) failed
t.D8i
!|$DH
A_A^A]A\_^]
l$HA+
H;H(u
FlsSetValue
D9kpt
FindWindowW
TlsFree
!T$(H!T$
CTSEventFilterAllowSyncEventsOnly
RdpshellHelper#%d#%s
WilError_02
RegisterTraceGuidsW
CShellNotifyManager.Initialize failed
SYSTEM\CurrentControlSet\Control\Terminal Server
fD9<Gu
Failed to initialize timer globals
L$0H;
ProductVersion
FlushFileBuffers
WinSta0
RemoveWindow failed
t5D8i
|$4E3
t:D8`
Failed to remove timer to timer list
L9}0u^
.CRT$XIAA
fD9<Au
+Eo9]
h(((( H
1o?-XfF
` AVH
Windows
TrayErrorEvent
tGL9A
activityId
Rdptraytaskband
D$0E3
level="asInvoker"
AgileGitPtr.CopyLocal (IRemoteAppPrivilegedOperationBroker) failed
TerminalServices-RemoteApplications-ClientSku-RAILAllowed
.idata$2
x AVH
t.D8h
Yu Gothic UI
filename
CTimedCallback
CreateSemaphoreW
L$dE3
GetDIBits
H!T$0
@UAVAWH
+D$h3
.xdata
.gfids
Bind failed
Segoe Pseudo
CoAllowSetForegroundWindow
p<r5;s
%hs(%d)\%hs!%p:
Operating System
- CRT not initialized
fEnableUwpApps
GetModuleHandleExW
t0D8p
<=t1L
VG2/iI
L9|$Ht
bCTSSyncWaitResult
UVWAUAVH
9D$@t
H#L$8H
t$ WATAUAVAWH
TSCreateAppbarTrayFN failed
fD9.I
GetLastError
UWAWH
tZD8y
LogHr
fffffff
GetSendCloakWnfStateName failed
WinStationFreePropertyValue
p WATAUAVAWH
AUAVAWH
spRailIcon->FillEscape failed
Failed StartShellHelperRpcServer
fD94Hu
AppActivationFailure
Failed to unregister the timer window class
pA_A^A]A\_^]
Failed to signal event queue
fD9)u
Leelawadee UI
FxE9~pt
A_A^A]A\]
A_A^A]_]
Getting thread id failed
GetSystemInfo
bWti^
RegCloseKey
Failed to copy overlaydescription
0A_A^A\_]
RailShellTabWnd
|$ UATAUAVAWH
diagnosticCode
Software\Policies\Microsoft\Windows NT\Terminal Services\
DwmSetWindowAttribute (DWMWA_CLOAK) failed
PE Information
| Image Base | Entry Point | Reported Checksum | Actual Checksum | Minimum OS Version | PDB Path | Compile Time | Import Hash |
|---|---|---|---|---|---|---|---|
| 0x140000000 | 0x000344a0 | 0x00065f19 | 0x00065f19 | 10.0 | rdpinit.pdb | 2067-08-23 06:02:49 | 03c2c81acc74797856f58d21b0731bb8 |
Version Infos
| CompanyName | Microsoft Corporation |
|---|---|
| FileDescription | RemoteApp Logon Application |
| FileVersion | 10.0.17763.168 (WinBuild.160101.0800) |
| InternalName | rdpinit.exe |
| LegalCopyright | รยฉ Microsoft Corporation. All rights reserved. |
| OriginalFilename | rdpinit.exe |
| ProductName | Microsoftรยฎ Windowsรยฎ Operating System |
| ProductVersion | 10.0.17763.168 |
| Translation | 0x0409 0x04b0 |
Sections
| Name | RAW Address | Virtual Address | Virtual Size | Size of Raw Data | Characteristics | Entropy |
|---|---|---|---|---|---|---|
| .text | 0x00000400 | 0x00001000 | 0x00043c0e | 0x00043e00 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 6.42 |
| .imrsiv | 0x00000000 | 0x00045000 | 0x00000004 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 0.00 |
| .rdata | 0x00044200 | 0x00046000 | 0x0000f6ba | 0x0000f800 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 5.72 |
| .data | 0x00053a00 | 0x00056000 | 0x00003c90 | 0x00001800 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 3.11 |
| .pdata | 0x00055200 | 0x0005a000 | 0x0000252c | 0x00002600 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 5.58 |
| .rsrc | 0x00057800 | 0x0005d000 | 0x00000818 | 0x00000a00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 3.77 |
| .reloc | 0x00058200 | 0x0005e000 | 0x00000824 | 0x00000a00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 5.00 |
| Name | Offset | Size | Language | Sub-language | Entropy | File type |
|---|---|---|---|---|---|---|
| MUI | 0x0005d750 | 0x000000c8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.67 | None |
| RT_VERSION | 0x0005d3a8 | 0x000003a4 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.48 | None |
| RT_MANIFEST | 0x0005d0f0 | 0x000002b4 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 4.92 | None |
Imports
| Name | Address |
|---|---|
| TraceMessage | 0x140048108 |
| GetTraceLoggerHandle | 0x140048110 |
| GetTraceEnableLevel | 0x140048118 |
| GetTraceEnableFlags | 0x140048120 |
| RegisterTraceGuidsW | 0x140048128 |
| UnregisterTraceGuids | 0x140048130 |
| CryptAcquireContextW | 0x140048138 |
| CryptGenRandom | 0x140048140 |
| CryptReleaseContext | 0x140048148 |
| EventUnregister | 0x140048150 |
| EventRegister | 0x140048158 |
| EventSetInformation | 0x140048160 |
| EventWriteTransfer | 0x140048168 |
| RegQueryValueExW | 0x140048170 |
| RegCloseKey | 0x140048178 |
| RegOpenKeyExW | 0x140048180 |
| RegFlushKey | 0x140048188 |
| EventActivityIdControl | 0x140048190 |
| OpenProcessToken | 0x140048198 |
| OpenThreadToken | 0x1400481a0 |
| GetTokenInformation | 0x1400481a8 |
| GetSidSubAuthority | 0x1400481b0 |
| GetSidLengthRequired | 0x1400481b8 |
| InitializeSid | 0x1400481c0 |
| DestroyPrivateObjectSecurity | 0x1400481c8 |
| ConvertStringSecurityDescriptorToSecurityDescriptorW | 0x1400481d0 |
| RegGetValueW | 0x1400481d8 |
| Name | Address |
|---|---|
| NtCreateWnfStateName | 0x1400488c0 |
| EtwEventActivityIdControl | 0x1400488c8 |
| RtlPublishWnfStateData | 0x1400488d0 |
| RtlCaptureContext | 0x1400488d8 |
| RtlLookupFunctionEntry | 0x1400488e0 |
| RtlVirtualUnwind | 0x1400488e8 |
| RtlUnwindEx | 0x1400488f0 |
| RtlPcToFileHeader | 0x1400488f8 |
| NtQueryInformationProcess | 0x140048900 |
| Name | Address |
|---|---|
| CoCreateInstance | 0x140048910 |
| CoUninitialize | 0x140048918 |
| CoTaskMemFree | 0x140048920 |
| CoCreateFreeThreadedMarshaler | 0x140048928 |
| CoGetApartmentType | 0x140048930 |
| CoWaitForMultipleHandles | 0x140048938 |
| CoSetProxyBlanket | 0x140048940 |
| CoAllowSetForegroundWindow | 0x140048948 |
| CoTaskMemRealloc | 0x140048950 |
| CoTaskMemAlloc | 0x140048958 |
| CoInitializeEx | 0x140048960 |
| RoGetAgileReference | 0x140048968 |
| Name | Address |
|---|---|
| RoGetActivationFactory | 0x140048878 |
| Name | Address |
|---|---|
| WindowsCreateStringReference | 0x140048888 |
| Name | Address |
|---|---|
| SHGetKnownFolderIDList | 0x140048680 |
| ShellExecuteExW | 0x140048688 |
| SHCreateAssociationRegistration | 0x140048690 |
| SHGetKnownFolderPath | 0x140048698 |
| Name | Address |
|---|---|
| WTSLogoffSession | 0x140048838 |
| WTSFreeMemory | 0x140048840 |
| WTSDisconnectSession | 0x140048848 |
| WTSQuerySessionInformationW | 0x140048850 |
| Name | Address |
|---|---|
| WinStationFreePropertyValue | 0x140048820 |
| WinStationGetConnectionProperty | 0x140048828 |
| Name | Address |
|---|---|
| DwmGetWindowAttribute | 0x140048898 |
| DwmSetWindowAttribute | 0x1400488a0 |
| Name | Address |
|---|---|
| AssocQueryKeyW | 0x1400486a8 |
| PathFindExtensionW | 0x1400486b0 |
| PathUnquoteSpacesW | 0x1400486b8 |
| UrlIsW | 0x1400486c0 |
| Name | Address |
|---|---|
| PathCchAppend | 0x140048860 |
| PathCchRemoveFileSpec | 0x140048868 |
| Name | Address |
|---|---|
| NdrClientCall3 | 0x1400485c8 |
| RpcMgmtWaitServerListen | 0x1400485d0 |
| RpcStringBindingComposeW | 0x1400485d8 |
| I_RpcExceptionFilter | 0x1400485e0 |
| RpcBindingFromStringBindingW | 0x1400485e8 |
| RpcBindingSetAuthInfoExW | 0x1400485f0 |
| RpcBindingFree | 0x1400485f8 |
| RpcServerUseProtseqEpW | 0x140048600 |
| RpcServerRegisterIfEx | 0x140048608 |
| NdrServerCall2 | 0x140048610 |
| NdrServerCallAll | 0x140048618 |
| RpcStringFreeW | 0x140048620 |
| RpcRevertToSelf | 0x140048628 |
| RpcImpersonateClient | 0x140048630 |
| RpcServerInqCallAttributesW | 0x140048638 |
| RpcServerInqBindingHandle | 0x140048640 |
| RpcStringBindingParseW | 0x140048648 |
| RpcServerListen | 0x140048650 |
| RpcBindingToStringBindingW | 0x140048658 |
| Name | Address |
|---|---|
| GetObjectW | 0x1400481e8 |
| DeleteDC | 0x1400481f0 |
| GetDIBits | 0x1400481f8 |
| SelectObject | 0x140048200 |
| CreateCompatibleDC | 0x140048208 |
| DeleteObject | 0x140048210 |
Usage
Processing ( 0.70 seconds )
- 0.695 CAPE
- 0.007 AnalysisInfo
- 0.001 Debug
Signatures ( 0.06 seconds )
- 0.01 antianalysis_detectfile
- 0.008 ransomware_files
- 0.005 antiav_detectreg
- 0.005 ransomware_extensions
- 0.003 ursnif_behavior
- 0.002 antianalysis_detectreg
- 0.002 antiav_detectfile
- 0.002 infostealer_ftp
- 0.002 poullight_files
- 0.002 territorial_disputes_sigs
- 0.001 banker_zeus_p2p
- 0.001 bot_drive
- 0.001 bot_drive2
- 0.001 antivm_vbox_files
- 0.001 antivm_vbox_keys
- 0.001 geodo_banking_trojan
- 0.001 browser_security
- 0.001 disables_backups
- 0.001 disables_browser_warn
- 0.001 disables_power_options
- 0.001 azorult_mutexes
- 0.001 infostealer_bitcoin
- 0.001 cryptbot_files
- 0.001 echelon_files
- 0.001 infostealer_im
- 0.001 infostealer_mail
- 0.001 masquerade_process_name
- 0.001 revil_mutexes
- 0.001 modirat_behavior
Reporting ( 0.00 seconds )
- 0.001 CAPASummary
Signatures
The PE file contains a PDB path
pdbpath: rdpinit.pdb
The binary contains an unknown PE section name indicative of packing
unknown section: {'name': '.imrsiv', 'raw_address': '0x00000000', 'virtual_address': '0x00045000', 'virtual_size': '0x00000004', 'size_of_data': '0x00000000', 'characteristics': 'IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xc0000080', 'entropy': '0.00'}
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections
Binary compilation timestomping detected
anomaly: Compilation timestamp is in the future
Screenshots
No screenshots available.Hosts
No hosts contacted.
DNS
No domains contacted.
Summary
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.
No hosts contacted.
No TCP connections recorded.
No UDP connections recorded.
No domains contacted.
HTTP Requests
No HTTP(s) requests performed.
SMTP traffic
No SMTP traffic performed.
IRC traffic
No IRC requests performed.
No ICMP traffic performed.
CIF Results
No CIF Results
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Suricata HTTP
No Suricata HTTP
Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.