Source: RcvMst.exe |
Virustotal: Detection: 14% |
Source: RcvMst.exe |
Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI |
Source: RcvMst.exe |
String found in binary or memory: http://www.indyproject.org/ |
Source: RcvMst.exe, 00000000.00000003.1677314919.00000000089F2000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.sandoll.co.kr |
Source: RcvMst.exe |
Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79 |
Source: RcvMst.exe |
Static PE information: Number of sections : 11 > 10 |
Source: RcvMst.exe, 00000000.00000003.1675874771.0000000000D59000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameD3D10War vs RcvMst.exe |
Source: RcvMst.exe, 00000000.00000003.1675874771.0000000000D50000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameD3D10Warp.dllj% vs RcvMst.exe |
Source: RcvMst.exe, 00000000.00000003.1670904466.0000000000D52000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameD3D10Warp.dllj% vs RcvMst.exe |
Source: RcvMst.exe, 00000000.00000003.1676332459.0000000000D54000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameD3D10Warp.dllj% vs RcvMst.exe |
Source: RcvMst.exe, 00000000.00000003.1671310554.0000000000D53000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameD3D10Warp.dllj% vs RcvMst.exe |
Source: RcvMst.exe, 00000000.00000003.1676738087.0000000000D53000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameD3D10Warp.dllj% vs RcvMst.exe |
Source: RcvMst.exe, 00000000.00000003.1676569336.0000000000D54000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameD3D10Warp.dllj% vs RcvMst.exe |
Source: RcvMst.exe, 00000000.00000003.1676738087.0000000000D59000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameD3D10War vs RcvMst.exe |
Source: classification engine |
Classification label: mal52.evad.winEXE@1/0@0/0 |
Source: C:\Users\user\Desktop\RcvMst.exe |
File created: C:\Users\user\Desktop\RcvMst.exe.close.stop |
Source: C:\Users\user\Desktop\RcvMst.exe |
Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: C:\Users\user\Desktop\RcvMst.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: RcvMst.exe |
String found in binary or memory: NATS-SEFI-ADD |
Source: RcvMst.exe |
String found in binary or memory: NATS-DANO-ADD |
Source: RcvMst.exe |
String found in binary or memory: JIS_C6229-1984-b-add |
Source: RcvMst.exe |
String found in binary or memory: jp-ocr-b-add |
Source: RcvMst.exe |
String found in binary or memory: JIS_C6229-1984-hand-add |
Source: RcvMst.exe |
String found in binary or memory: jp-ocr-hand-add |
Source: RcvMst.exe |
String found in binary or memory: ISO_6937-2-add |
Source: C:\Users\user\Desktop\RcvMst.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\RcvMst.exe |
Section loaded: version.dll |
Source: C:\Users\user\Desktop\RcvMst.exe |
Section loaded: shfolder.dll |
Source: C:\Users\user\Desktop\RcvMst.exe |
Section loaded: netapi32.dll |
Source: C:\Users\user\Desktop\RcvMst.exe |
Section loaded: winmm.dll |
Source: C:\Users\user\Desktop\RcvMst.exe |
Section loaded: d3d9.dll |
Source: C:\Users\user\Desktop\RcvMst.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\RcvMst.exe |
Section loaded: dwmapi.dll |
Source: C:\Users\user\Desktop\RcvMst.exe |
Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\RcvMst.exe |
Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\RcvMst.exe |
Section loaded: wkscli.dll |
Source: C:\Users\user\Desktop\RcvMst.exe |
Section loaded: cscapi.dll |
Source: C:\Users\user\Desktop\RcvMst.exe |
Section loaded: uxtheme.dll |
Source: C:\Users\user\Desktop\RcvMst.exe |
Section loaded: security.dll |
Source: C:\Users\user\Desktop\RcvMst.exe |
Section loaded: secur32.dll |
Source: C:\Users\user\Desktop\RcvMst.exe |
Section loaded: sspicli.dll |
Source: C:\Users\user\Desktop\RcvMst.exe |
Section loaded: textinputframework.dll |
Source: C:\Users\user\Desktop\RcvMst.exe |
Section loaded: coreuicomponents.dll |
Source: C:\Users\user\Desktop\RcvMst.exe |
Section loaded: coremessaging.dll |
Source: C:\Users\user\Desktop\RcvMst.exe |
Section loaded: ntmarta.dll |
Source: C:\Users\user\Desktop\RcvMst.exe |
Section loaded: wintypes.dll |
Source: C:\Users\user\Desktop\RcvMst.exe |
Section loaded: dataexchange.dll |
Source: C:\Users\user\Desktop\RcvMst.exe |
Section loaded: d3d11.dll |
Source: C:\Users\user\Desktop\RcvMst.exe |
Section loaded: dcomp.dll |
Source: C:\Users\user\Desktop\RcvMst.exe |
Section loaded: dxgi.dll |
Source: C:\Users\user\Desktop\RcvMst.exe |
Section loaded: twinapi.appcore.dll |
Source: C:\Users\user\Desktop\RcvMst.exe |
Section loaded: d3d10_1.dll |
Source: C:\Users\user\Desktop\RcvMst.exe |
Section loaded: d3d10_1core.dll |
Source: C:\Users\user\Desktop\RcvMst.exe |
Section loaded: resourcepolicyclient.dll |
Source: C:\Users\user\Desktop\RcvMst.exe |
Section loaded: d3d10warp.dll |
Source: C:\Users\user\Desktop\RcvMst.exe |
Section loaded: dxcore.dll |
Source: C:\Users\user\Desktop\RcvMst.exe |
Section loaded: d2d1.dll |
Source: C:\Users\user\Desktop\RcvMst.exe |
Section loaded: dwrite.dll |
Source: C:\Users\user\Desktop\RcvMst.exe |
Section loaded: textshaping.dll |
Source: C:\Users\user\Desktop\RcvMst.exe |
Section loaded: msdart.dll |
Source: C:\Users\user\Desktop\RcvMst.exe |
Section loaded: fwpuclnt.dll |
Source: C:\Users\user\Desktop\RcvMst.exe |
Section loaded: idndl.dll |
Source: C:\Users\user\Desktop\RcvMst.exe |
Section loaded: iphlpapi.dll |
Source: C:\Users\user\Desktop\RcvMst.exe |
Section loaded: windowscodecs.dll |
Source: C:\Users\user\Desktop\RcvMst.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32 |
Source: RcvMst.exe |
Static PE information: Virtual size of .text is bigger than: 0x100000 |
Source: RcvMst.exe |
Static file information: File size 8620032 > 1048576 |
Source: RcvMst.exe |
Static PE information: Raw size of .text is bigger than: 0x100000 < 0x64c400 |
Source: RcvMst.exe |
Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x125600 |
Source: RcvMst.exe |
Static PE information: section name: .didata |
Source: C:\Users\user\Desktop\RcvMst.exe |
Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\RcvMst.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\RcvMst.exe |
User Timer Set: Timeout: 250ms |
Source: C:\Users\user\Desktop\RcvMst.exe |
User Timer Set: Timeout: 10ms |
Source: C:\Users\user\Desktop\RcvMst.exe |
System information queried: CurrentTimeZoneInformation |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: RcvMst.exe, 00000000.00000003.1675874771.0000000000D64000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8 |
Source: C:\Users\user\Desktop\RcvMst.exe |
Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation |
Source: C:\Users\user\Desktop\RcvMst.exe |
Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation |