SHA256: 6bb6e1cda25b1a8c95d44f580dd3478fe954413b39c405a79fe8da017c0c1dbf
File name: mstsc.exe
Detection ratio: 45 / 65
Analysis date: 2018-04-05 14:11:11 UTC
Antivirus Result Update
Ad-Aware Trojan.GenericKD.6367406 20180405
AegisLab Troj.W32.Miner!c 20180405
AhnLab-V3 Trojan/Win32.Miner.C2348390 20180405
ALYac Trojan.GenericKD.6367406 20180405
Arcabit Trojan.Generic.D6128AE 20180405
Avast Win32:Malware-gen 20180405
AVG Win32:Malware-gen 20180405
Avira (no cloud) TR/Malex.csjup 20180405
AVware Trojan.Win32.Generic!BT 20180405
Baidu Win32.Trojan.WisdomEyes.16070401.9500.9952 20180404
BitDefender Trojan.GenericKD.6367406 20180405
CAT-QuickHeal Trojan.Miner 20180405
Comodo UnclassifiedMalware 20180405
CrowdStrike Falcon (ML) malicious_confidence_100% (D) 20170201
Cybereason malicious.b4b932 20180225
Cylance Unsafe 20180405
Cyren W32/Trojan.KBKO-8653 20180405
Emsisoft Trojan.GenericKD.6367406 (B) 20180405
Endgame malicious (high confidence) 20180403
ESET-NOD32 a variant of Generik.BBYODMO 20180405
F-Secure Trojan.GenericKD.6367406 20180405
Fortinet W32/Miner!tr 20180405
GData Trojan.GenericKD.6367406 20180405
Ikarus Trojan.SuspectCRC 20180405
Sophos ML heuristic 20180121
K7AntiVirus Riskware ( 0040eff71 ) 20180404
K7GW Riskware ( 0040eff71 ) 20180405
Kaspersky HEUR:Trojan.Win32.Generic 20180405
MAX malware (ai score=94) 20180405
McAfee PUP-XEB-MT 20180405
McAfee-GW-Edition BehavesLike.Win32.RansomWannaCry.vm 20180405
Microsoft Trojan:Win32/Malex.gen!J 20180405
eScan Trojan.GenericKD.6367406 20180405
NANO-Antivirus Trojan.Win32.Miner.ewwjmx 20180405
Panda Trj/CI.A 20180405
Qihoo-360 Win32/Trojan.f11 20180405
SentinelOne (Static ML) static engine - malicious 20180225
Sophos AV Mal/Generic-S 20180405
Symantec Trojan.Gen 20180405
Tencent Win32.Trojan.Miner.Hvte 20180405
TrendMicro TROJ_GEN.R039C0DAC18 20180405
TrendMicro-HouseCall TROJ_GEN.R039C0DAC18 20180405
VBA32 Trojan.Tiggre 20180405
VIPRE Trojan.Win32.Generic!BT 20180405
ZoneAlarm by Check Point HEUR:Trojan.Win32.Miner.gen 20180405
Antivirus (no detection, result column empty) Update
Alibaba 20180404
Antiy-AVL 20180405
Avast-Mobile 20180405
Bkav 20180405
ClamAV 20180405
CMC 20180405
DrWeb 20180405
eGambit 20180405
F-Prot 20180405
Jiangmin 20180405
Kingsoft 20180405
Malwarebytes 20180405
nProtect 20180405
Palo Alto Networks (Known Signatures) 20180405
Rising 20180405
SUPERAntiSpyware 20180405
Symantec Mobile Insight 20180401
TheHacker 20180404
Trustlook 20180405
ViRobot 20180405
WhiteArmor 20180405
Yandex 20180405
Zoner 20180405
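The 45 labels above mix real family names with generic verdicts ("Trojan.GenericKD", "Malware-gen", "malicious (high confidence)") and vendor-specific variant IDs, so the consensus family is not obvious at a glance. The Python below is an added example, not part of the VirusTotal report: it applies a simple AVClass-style normalization to the table, stripping generic verdict words and variant identifiers from every label and counting how many vendors vote for each remaining token. The (vendor, label) list is transcribed from the table; the stop-word list is the example's own assumption.

```python
import re
from collections import Counter

# (vendor, label) pairs transcribed from the detection table above; the 20
# vendors that returned no result are left out.
DETECTIONS = [
    ("Ad-Aware", "Trojan.GenericKD.6367406"),
    ("AegisLab", "Troj.W32.Miner!c"),
    ("AhnLab-V3", "Trojan/Win32.Miner.C2348390"),
    ("ALYac", "Trojan.GenericKD.6367406"),
    ("Arcabit", "Trojan.Generic.D6128AE"),
    ("Avast", "Win32:Malware-gen"),
    ("AVG", "Win32:Malware-gen"),
    ("Avira (no cloud)", "TR/Malex.csjup"),
    ("AVware", "Trojan.Win32.Generic!BT"),
    ("Baidu", "Win32.Trojan.WisdomEyes.16070401.9500.9952"),
    ("BitDefender", "Trojan.GenericKD.6367406"),
    ("CAT-QuickHeal", "Trojan.Miner"),
    ("Comodo", "UnclassifiedMalware"),
    ("CrowdStrike Falcon (ML)", "malicious_confidence_100% (D)"),
    ("Cybereason", "malicious.b4b932"),
    ("Cylance", "Unsafe"),
    ("Cyren", "W32/Trojan.KBKO-8653"),
    ("Emsisoft", "Trojan.GenericKD.6367406 (B)"),
    ("Endgame", "malicious (high confidence)"),
    ("ESET-NOD32", "a variant of Generik.BBYODMO"),
    ("F-Secure", "Trojan.GenericKD.6367406"),
    ("Fortinet", "W32/Miner!tr"),
    ("GData", "Trojan.GenericKD.6367406"),
    ("Ikarus", "Trojan.SuspectCRC"),
    ("Sophos ML", "heuristic"),
    ("K7AntiVirus", "Riskware ( 0040eff71 )"),
    ("K7GW", "Riskware ( 0040eff71 )"),
    ("Kaspersky", "HEUR:Trojan.Win32.Generic"),
    ("MAX", "malware (ai score=94)"),
    ("McAfee", "PUP-XEB-MT"),
    ("McAfee-GW-Edition", "BehavesLike.Win32.RansomWannaCry.vm"),
    ("Microsoft", "Trojan:Win32/Malex.gen!J"),
    ("eScan", "Trojan.GenericKD.6367406"),
    ("NANO-Antivirus", "Trojan.Win32.Miner.ewwjmx"),
    ("Panda", "Trj/CI.A"),
    ("Qihoo-360", "Win32/Trojan.f11"),
    ("SentinelOne (Static ML)", "static engine - malicious"),
    ("Sophos AV", "Mal/Generic-S"),
    ("Symantec", "Trojan.Gen"),
    ("Tencent", "Win32.Trojan.Miner.Hvte"),
    ("TrendMicro", "TROJ_GEN.R039C0DAC18"),
    ("TrendMicro-HouseCall", "TROJ_GEN.R039C0DAC18"),
    ("VBA32", "Trojan.Tiggre"),
    ("VIPRE", "Trojan.Win32.Generic!BT"),
    ("ZoneAlarm by Check Point", "HEUR:Trojan.Win32.Miner.gen"),
]

# Words that name a class of verdict rather than a family (assumed stop list).
# Matched as substrings so that "generickd", "generik", "unclassifiedmalware",
# "heuristic" and "behaveslike" all fall away too.
GENERIC_STEMS = ("generi", "malware", "malicious", "troj", "heur", "riskware",
                 "unsafe", "behaveslike", "variant", "confidence", "static",
                 "engine", "score", "high")


def family_tokens(label):
    """Candidate family names in one vendor label.

    Splits on punctuation, lower-cases, then drops variant IDs (anything with
    a digit, which also removes "win32"/"w32"), short suffixes such as "gen",
    "bt" or "tr", and the generic verdict words above."""
    tokens = set()
    for tok in re.findall(r"[a-z0-9]+", label.lower()):
        if len(tok) < 4 or any(ch.isdigit() for ch in tok):
            continue
        if any(stem in tok for stem in GENERIC_STEMS):
            continue
        tokens.add(tok)
    return tokens


def rank_families(detections):
    """One vote per vendor per surviving token; (token, votes), most-voted first."""
    votes = Counter()
    for _vendor, label in detections:
        votes.update(family_tokens(label))
    return votes.most_common()


if __name__ == "__main__":
    for family, n in rank_families(DETECTIONS):
        print("%-16s %d" % (family, n))
```

Run against the table, "miner" collects seven vendor votes (AegisLab, AhnLab, CAT-QuickHeal, Fortinet, NANO, Tencent, ZoneAlarm) and "malex" two (Avira, Microsoft); everything else is a single vendor's variant suffix. The seven "GenericKD.6367406" entries all come from the same BitDefender engine and would otherwise dominate the count, which is why generic tokens must be removed before voting.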
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
Copyright © Microsoft Corporation. All rights reserved.
Product Microsoft® Windows® Operating System
Original name mstsc.exe
Internal name mstsc.exe
File version 10.0.16299.15 (WinBuild.160101.0800)
Description Remote Desktop Connection
Packers identified
F-PROT embedded
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2017-10-26 16:15:21
Entry Point 0x00013A5C
Number of sections 7
PE sections
PE imports
SHGetFolderPathW
SHGetFolderPathA
RegOpenKeyExA
RegQueryValueExA
RegCloseKey
RegOpenKeyA
GetStdHandle
FileTimeToDosDateTime
GetFileAttributesA
WaitForSingleObject
FindFirstFileW
GetFileAttributesW
GetLocalTime
DeleteCriticalSection
GetCurrentProcess
GetLocaleInfoA
LocalAlloc
GetThreadContext
GetLocaleInfoW
GetFullPathNameA
GetTempPathA
WideCharToMultiByte
WriteFile
GetDiskFreeSpaceA
SetFileAttributesA
SetEvent
LocalFree
InitializeCriticalSection
LoadResource
GetStringTypeExW
GetLogicalDriveStringsW
FindClose
TlsGetValue
QueryDosDeviceW
FormatMessageA
SetFileAttributesW
GetStringTypeExA
SetLastError
WriteProcessMemory
RemoveDirectoryW
ExitProcess
GetModuleFileNameA
EnumCalendarInfoA
LoadLibraryExA
UnhandledExceptionFilter
InterlockedDecrement
MultiByteToWideChar
FlushInstructionCache
GetModuleHandleA
GetFullPathNameW
GetSystemDirectoryW
GetSystemDirectoryA
SetThreadContext
SetCurrentDirectoryW
VirtualQuery
SetEndOfFile
GetCurrentThreadId
InterlockedIncrement
SetCurrentDirectoryA
CloseHandle
EnterCriticalSection
LoadLibraryW
FreeLibrary
QueryPerformanceCounter
GetTickCount
IsBadWritePtr
TlsAlloc
VirtualProtect
GetVersionExA
LoadLibraryA
RtlUnwind
ExitThread
GetStartupInfoA
GetDateFormatA
GetWindowsDirectoryW
GetFileSize
CreateDirectoryA
DeleteFileA
GetWindowsDirectoryA
ReadProcessMemory
GetCPInfo
DeleteFileW
GetProcAddress
VirtualProtectEx
GetTempFileNameW
CompareStringW
GetModuleFileNameW
FindFirstFileA
CreateDirectoryW
ResetEvent
GetTempFileNameA
FindNextFileA
CreateFileW
CreateEventA
TlsSetValue
CreateFileA
LeaveCriticalSection
GetLastError
SystemTimeToFileTime
VirtualAllocEx
lstrlenA
FindResourceW
GetThreadLocale
RemoveDirectoryA
FileTimeToLocalFileTime
SizeofResource
GetCurrentDirectoryW
GetCurrentProcessId
LockResource
SetFileTime
GetCurrentDirectoryA
GetCommandLineA
RaiseException
TlsFree
SetFilePointer
ReadFile
FindNextFileW
lstrcpynA
GetACP
GetVersion
FreeResource
IsBadStringPtrW
GetTempPathW
PostQueuedCompletionStatus
VirtualFree
Sleep
IsBadReadPtr
VirtualAlloc
CompareStringA
ZwProtectVirtualMemory
RtlInitUnicodeString
RtlAnsiStringToUnicodeString
RtlFormatCurrentUserKeyPath
RtlInitAnsiString
LdrGetProcedureAddress
LdrLoadDll
RtlFreeUnicodeString
RtlDosPathNameToNtPathName_U
CreateStreamOnHGlobal
CoUninitialize
CoInitialize
VariantChangeType
SafeArrayGetLBound
SafeArrayPtrOfIndex
SysAllocStringLen
VariantClear
SafeArrayCreate
SysReAllocStringLen
SafeArrayGetUBound
VariantCopy
GetErrorInfo
SysFreeString
VariantInit
PathMatchSpecW
CharLowerBuffW
GetSystemMetrics
LoadStringA
CharLowerA
CharNextA
CharUpperW
MessageBoxA
CharLowerW
CharUpperBuffW
CharUpperA
GetKeyboardType
CharToOemA
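The import list above is the static evidence an analyst has before the sample is ever run. The Python below is an added example, not VirusTotal output: it checks the 166 imported names against a few API groups and reports how much of each group the import table covers. The groups and their names are the example's own assumptions (a hand-written, much reduced version of what rule-based tools such as capa do). Two results deserve attention in a file that presents itself as Remote Desktop Connection: the remote-process-write and thread-context groups are fully present, while IsDebuggerPresent, which the sandbox section later on this page reports being called, is not in the import table at all.

```python
# The 166 function names from the "PE imports" list above (VirusTotal's per-DLL
# grouping did not survive extraction, so only the names are used).
IMPORTS = set("""
SHGetFolderPathW SHGetFolderPathA RegOpenKeyExA RegQueryValueExA RegCloseKey
RegOpenKeyA GetStdHandle FileTimeToDosDateTime GetFileAttributesA WaitForSingleObject
FindFirstFileW GetFileAttributesW GetLocalTime DeleteCriticalSection GetCurrentProcess
GetLocaleInfoA LocalAlloc GetThreadContext GetLocaleInfoW GetFullPathNameA GetTempPathA
WideCharToMultiByte WriteFile GetDiskFreeSpaceA SetFileAttributesA SetEvent LocalFree
InitializeCriticalSection LoadResource GetStringTypeExW GetLogicalDriveStringsW FindClose
TlsGetValue QueryDosDeviceW FormatMessageA SetFileAttributesW GetStringTypeExA SetLastError
WriteProcessMemory RemoveDirectoryW ExitProcess GetModuleFileNameA EnumCalendarInfoA
LoadLibraryExA UnhandledExceptionFilter InterlockedDecrement MultiByteToWideChar
FlushInstructionCache GetModuleHandleA GetFullPathNameW GetSystemDirectoryW
GetSystemDirectoryA SetThreadContext SetCurrentDirectoryW VirtualQuery SetEndOfFile
GetCurrentThreadId InterlockedIncrement SetCurrentDirectoryA CloseHandle EnterCriticalSection
LoadLibraryW FreeLibrary QueryPerformanceCounter GetTickCount IsBadWritePtr TlsAlloc
VirtualProtect GetVersionExA LoadLibraryA RtlUnwind ExitThread GetStartupInfoA GetDateFormatA
GetWindowsDirectoryW GetFileSize CreateDirectoryA DeleteFileA GetWindowsDirectoryA
ReadProcessMemory GetCPInfo DeleteFileW GetProcAddress VirtualProtectEx GetTempFileNameW
CompareStringW GetModuleFileNameW FindFirstFileA CreateDirectoryW ResetEvent GetTempFileNameA
FindNextFileA CreateFileW CreateEventA TlsSetValue CreateFileA LeaveCriticalSection
GetLastError SystemTimeToFileTime VirtualAllocEx lstrlenA FindResourceW GetThreadLocale
RemoveDirectoryA FileTimeToLocalFileTime SizeofResource GetCurrentDirectoryW
GetCurrentProcessId LockResource SetFileTime GetCurrentDirectoryA GetCommandLineA
RaiseException TlsFree SetFilePointer ReadFile FindNextFileW lstrcpynA GetACP GetVersion
FreeResource IsBadStringPtrW GetTempPathW PostQueuedCompletionStatus VirtualFree Sleep
IsBadReadPtr VirtualAlloc CompareStringA ZwProtectVirtualMemory RtlInitUnicodeString
RtlAnsiStringToUnicodeString RtlFormatCurrentUserKeyPath RtlInitAnsiString
LdrGetProcedureAddress LdrLoadDll RtlFreeUnicodeString RtlDosPathNameToNtPathName_U
CreateStreamOnHGlobal CoUninitialize CoInitialize VariantChangeType SafeArrayGetLBound
SafeArrayPtrOfIndex SysAllocStringLen VariantClear SafeArrayCreate SysReAllocStringLen
SafeArrayGetUBound VariantCopy GetErrorInfo SysFreeString VariantInit PathMatchSpecW
CharLowerBuffW GetSystemMetrics LoadStringA CharLowerA CharNextA CharUpperW MessageBoxA
CharLowerW CharUpperBuffW CharUpperA GetKeyboardType CharToOemA
""".split())

# Assumed API groups. Each lists the calls a technique needs; coverage below 1.0
# means the chain is not fully visible in the static imports, i.e. it is either
# not used or the missing calls are resolved at run time.
CAPABILITIES = {
    "dynamic API resolution": {"GetProcAddress", "LoadLibraryA", "LoadLibraryW",
                               "LoadLibraryExA", "LdrLoadDll", "LdrGetProcedureAddress"},
    "remote process memory write": {"VirtualAllocEx", "WriteProcessMemory", "VirtualProtectEx"},
    "thread context hijack": {"GetThreadContext", "SetThreadContext"},
    "process hollowing (full chain)": {"CreateProcessA", "CreateProcessW", "VirtualAllocEx",
                                       "WriteProcessMemory", "SetThreadContext", "ResumeThread"},
    "in-process unpacking / self-modifying code": {"VirtualAlloc", "VirtualProtect",
                                                   "ZwProtectVirtualMemory", "FlushInstructionCache"},
    "drop files under %TEMP%": {"GetTempPathA", "GetTempPathW", "GetTempFileNameA",
                                "GetTempFileNameW", "CreateFileA", "CreateFileW", "WriteFile"},
    "timestomping": {"SetFileTime"},
    "anti-debugging (static imports)": {"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
                                        "NtQueryInformationProcess"},
    "network (static imports)": {"InternetOpenA", "InternetOpenW", "WSAStartup", "connect",
                                 "URLDownloadToFileA", "HttpOpenRequestA"},
}


def assess(imports, capabilities=CAPABILITIES):
    """Map each capability to (present, missing, coverage) for an import set."""
    result = {}
    for name, needed in capabilities.items():
        present = frozenset(needed & imports)
        result[name] = (present, frozenset(needed - imports), len(present) / len(needed))
    return result


def summarize(imports, capabilities=CAPABILITIES):
    """(capability, coverage) pairs, best covered first, ties alphabetical."""
    scored = assess(imports, capabilities)
    return sorted(((n, c) for n, (_p, _m, c) in scored.items()), key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    for name, (present, missing, cov) in assess(IMPORTS).items():
        print("%-45s %.2f  missing: %s" % (name, cov, ", ".join(sorted(missing)) or "-"))
```

Read the result as evidence, not a verdict: the full process-hollowing chain scores only 0.5 because CreateProcess and ResumeThread are not imported, yet every dynamic-resolution primitive (GetProcAddress, LoadLibrary*, LdrLoadDll, LdrGetProcedureAddress) is, so the missing calls can be looked up at run time. The same applies to the empty anti-debugging and network groups: a zero here rules nothing out, which is why the sandbox section of the report still matters.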
Number of PE resources by type
RT_BITMAP 76
RT_ICON 75
RT_GROUP_ICON 20
REGISTRY 3
EDPPERMISSIVEAPPINFOID 1
TYPELIB 1
EDPENLIGHTENEDAPPINFOID 1
RT_VERSION 1
RT_MANIFEST 1
MUI 1
UIFILE 1
Number of PE resources by language
ENGLISH US 178
NEUTRAL 3
PE resources
ExifTool file metadata
SubsystemVersion: 5.1
InitializedDataSize: 2236416
ImageVersion: 0.0
ProductName: Microsoft Windows Operating System
FileVersionNumber: 10.0.16299.15
UninitializedDataSize: 0
LanguageCode: English (U.S.)
FileFlagsMask: 0x003f
CharacterSet: Unicode
LinkerVersion: 10.0
FileTypeExtension: exe
OriginalFileName: mstsc.exe
MIMEType: application/octet-stream
Subsystem: Windows GUI
FileVersion: 10.0.16299.15 (WinBuild.160101.0800)
TimeStamp: 2017:10:26 17:15:21+01:00
FileType: Win32 EXE
PEType: PE32
InternalName: mstsc.exe
ProductVersion: 10.0.16299.15
FileDescription: Remote Desktop Connection
OSVersion: 5.1
FileOS: Windows NT 32-bit
LegalCopyright: © Microsoft Corporation. All rights reserved.
MachineType: Intel 386 or later, and compatibles
CompanyName: Microsoft Corporation
CodeSize: 163328
FileSubtype: 0
ProductVersionNumber: 10.0.16299.15
Warning: Possibly corrupt Version resource
EntryPoint: 0x13a5c
ObjectFileType: Executable application

File identification
MD5 98bedefb4b932a0f878da2e07e171149
SHA1 78278cc5a172e5069cfdb219c7b1be006f19e1c7
SHA256 6bb6e1cda25b1a8c95d44f580dd3478fe954413b39c405a79fe8da017c0c1dbf
ssdeep 24576:+4jfm+U/5UsxQA17XdKUqgrC3WmAdZZjwF:ZTm+uQA17XdKb+4F
authentihash c7d24157fc97cce3f7f51d154533adb220a0bbcc31c2274afff041fc11a0b130
imphash 25c0914e1e7dc7c3bb957d88e787a155
File size 2.7 MB ( 2781696 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable MS Visual C++ (generic) (41.0%)
Win64 Executable (generic) (36.3%)
Win32 Dynamic Link Library (generic) (8.6%)
Win32 Executable (generic) (5.9%)
OS/2 Executable (generic) (2.6%)
Tags
peexe
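The hashes in this section are the indicators a responder would match a suspect mstsc.exe against. The Python below is an added example, not part of the report: it computes MD5, SHA-1 and SHA-256 in a single pass, compares them with the values listed above, and implements imphash as Mandiant defined it (the MD5 of the lower-cased, comma-joined "dll.function" import list in import-table order, which is what pefile computes). The report's own imphash cannot be reproduced here because the per-DLL grouping of the import table is not on this page, so the imphash check runs on a constructed import list; ssdeep and authentihash need extra libraries and are left out.

```python
import hashlib
import io

# Indicators transcribed from the "File identification" section above.
REPORT = {
    "md5": "98bedefb4b932a0f878da2e07e171149",
    "sha1": "78278cc5a172e5069cfdb219c7b1be006f19e1c7",
    "sha256": "6bb6e1cda25b1a8c95d44f580dd3478fe954413b39c405a79fe8da017c0c1dbf",
    "imphash": "25c0914e1e7dc7c3bb957d88e787a155",
}


def hash_stream(stream, chunk=1 << 20):
    """MD5, SHA-1 and SHA-256 of a binary stream, read once in 1 MiB chunks."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    while True:
        block = stream.read(chunk)
        if not block:
            break
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digests_of_bytes(data):
    """Same digests for an in-memory buffer (used by the self-test below)."""
    return hash_stream(io.BytesIO(data))


def file_digests(path):
    with open(path, "rb") as f:
        return hash_stream(f)


def imphash(imports):
    """imphash of an import list given as [(dll, function_name_or_ordinal)].

    Per the Mandiant definition implemented in pefile: DLL name lower-cased
    with a .dll/.ocx/.sys extension removed, function lower-cased (ordinals
    become "ordN"), joined as "dll.func", comma-separated, then MD5."""
    parts = []
    for dll, func in imports:
        dll = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if dll.endswith(ext):
                dll = dll[:-len(ext)]
                break
        func = func.lower() if isinstance(func, str) else "ord%d" % func
        parts.append("%s.%s" % (dll, func))
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


def match_report(observed, report=REPORT):
    """Names of every digest in `observed` equal to the report's value for it."""
    return sorted(k for k, v in observed.items()
                  if report.get(k, "").lower() == v.lower())


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        hits = match_report(file_digests(path))
        print("%s: %s" % (path, "MATCH on " + ", ".join(hits) if hits else "no match"))
```

On a live host, take the same digests from %SystemRoot%\System32\mstsc.exe as well: that copy is signed by Microsoft, and a file elsewhere on disk that carries this version string but a different SHA-256 and no valid signature is the masquerade this report describes. The imphash is the more durable of the four indicators, since it survives the recompilation and resource edits that change the content hashes but rarely the import table.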

VirusTotal metadata
First submission 2018-01-11 16:35:30 UTC
Last submission 2018-04-05 14:11:11 UTC
File names mstsc.exe
78278cc5a172e5069cfdb219c7b1be006f19e1c7
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Copied files
Created processes
Opened mutexes
Runtime DLLs
Additional details
The file uses the IsDebuggerPresent Windows API function in order to see whether it is being debugged. Note that IsDebuggerPresent does not appear in the static import list above: if the file itself makes the call, it resolves the function at run time (GetProcAddress and LdrGetProcedureAddress are both imported), unless the call originates in a child or injected process that this condensed report also covers. Either way, a static import scan alone would not surface this check.
HTTP requests
DNS requests
TCP connections