Windows
Analysis Report
RcvMst.exe
Overview
General Information
Detection
Score: | 52 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
RcvMst.exe (PID: 6612 cmdline: "C:\Users\user\Desktop\RcvMst.exe" MD5: 6866479D039860A7F28EB5F11768E2E0)
- cleanup
AV Detection |
---|
Source: | Virustotal: | Perma Link |
Source: | Static PE information: |
Source: | String found in binary or memory: |
Source: | Static PE information: |
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | File created: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | Virustotal: |
Source: | String found in binary or memory: |
Source: | Section loaded: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | Static PE information: |
Source: | Static file information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Process information set: | Jump to behavior |
Malware Analysis System Evasion |
---|
Source: | User Timer Set: | Jump to behavior |
Source: | System information queried: | Jump to behavior |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Binary or memory string: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Queries volume information: | Jump to behavior |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Virtualization/Sandbox Evasion | LSASS Memory | 1 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Binary Padding | NTDS | 11 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 15% | Virustotal | | Browse |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | unknown |
| | false | | unknown |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1447778 |
Start date and time: | 2024-05-27 02:33:42 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 5m 2s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 6 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | RcvMst.exe |
Detection: | MAL |
Classification: | mal52.evad.winEXE@1/0@0/0 |
EGA Information: | Failed |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
- Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed; report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
File type: | |
Entropy (8bit): | 6.666838353480752 |
TrID: | |
File name: | RcvMst.exe |
File size: | 8'620'032 bytes |
MD5: | 6866479d039860a7f28eb5f11768e2e0 |
SHA1: | 58f70fd73d8582a11db032322aac6081850359ac |
SHA256: | 9ff834bf3231a1e257b6d19770bcd670b8ff00227334f7f967cba9fd5a5a6a85 |
SHA512: | 230546308f0fd7b6f31d9bfe0f696d6c06c8619a2a7a1989f4d5d1d90a78fb5134cdb5388c4665477b2359f9f62437749f3c30a1f82682ae6e189331b7932504 |
SSDEEP: | 98304:uYiJ1MVTPBlcZvtBumKt62YfpG2XROyQlA3aLk2w+7+rO7j3+myvAUNA6dw3:ukxJiY02YBGEOzlOrO7jO6 |
TLSH: | 59967C27AA465539C47B093B5837B714AC3F76B43956EC1BABF80C4C4E719806A3A70F |
File Content Preview: | MZP.....................@...............................................!..L.!..This program must be run under Win32..$7....................................................................................................................................... |
Icon Hash: | 2b4d968a88f93b17 |
Entrypoint: | 0xa51520 |
Entrypoint Section: | .itext |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI |
DLL Characteristics: | |
Time Stamp: | 0x5BE0E20D [Tue Nov 6 00:36:29 2018 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 0 |
File Version Major: | 5 |
File Version Minor: | 0 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 0 |
Import Hash: | fc37d1dd2185e1224c6d6badcfe3a402 |
Instruction |
---|
push ebp |
mov ebp, esp |
add esp, FFFFFFF0h |
mov eax, 00A3FC58h |
call 00007F86D4E835C9h |
mov eax, dword ptr [00A6E1B0h] |
mov eax, dword ptr [eax] |
call 00007F86D53347C5h |
mov ecx, dword ptr [00A6E5D0h] |
mov eax, dword ptr [00A6E1B0h] |
mov eax, dword ptr [eax] |
mov edx, dword ptr [00A37D14h] |
call 00007F86D533159Dh |
mov eax, dword ptr [00A6E1B0h] |
mov eax, dword ptr [eax] |
call 00007F86D5334605h |
call 00007F86D4E7D86Ch |
lea eax, dword ptr [eax+00h] |
add byte ptr [eax], al |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x693000 | 0x98 | .edata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x689000 | 0x2dc8 | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x734000 | 0x125600 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x696000 | 0x9d59c | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x695000 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x6898fc | 0x71c | .idata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x68c000 | 0x636a | .didata |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x64c370 | 0x64c400 | 4841ac4cefc34b09d2909fbe1f0873c4 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.itext | 0x64e000 | 0x3568 | 0x3600 | db7879e1463384e791db1fb2119c19b6 | False | 0.5489728009259259 | data | 6.391915620686699 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.data | 0x652000 | 0x1c7e8 | 0x1c800 | df314b762de4b3b48a69f35b15a84b3f | False | 0.23532586348684212 | data | 5.328806783949352 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.bss | 0x66f000 | 0x19f48 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.idata | 0x689000 | 0x2dc8 | 0x2e00 | fa03e3dde763c8577b656159789b96bf | False | 0.33126698369565216 | data | 5.153963991622925 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.didata | 0x68c000 | 0x636a | 0x6400 | d571e8121cfb1b34b89674a1eac3a5e1 | False | 0.2267578125 | data | 5.032166947505453 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.edata | 0x693000 | 0x98 | 0x200 | 88479539dd60a20990109ed500413047 | False | 0.25390625 | data | 1.8839782081778167 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.tls | 0x694000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rdata | 0x695000 | 0x5d | 0x200 | ba9292a4332c64f6c93eb5fe1a97ae4b | False | 0.1875 | data | 1.382174483578759 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x696000 | 0x9d59c | 0x9d600 | 1a5a0d0108e0a980080cdcfb9018a22a | False | 0.5074867206115965 | data | 6.672371684082929 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
.rsrc | 0x734000 | 0x125600 | 0x125600 | 1fdc582e927f6dbcc55f24f38753b984 | False | 0.2952713903387303 | data | 6.286082043906723 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_CURSOR | 0x734ea4 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635 |
RT_CURSOR | 0x734fd8 | 0x134 | data | English | United States | 0.4642857142857143 |
RT_CURSOR | 0x73510c | 0x134 | data | English | United States | 0.4805194805194805 |
RT_CURSOR | 0x735240 | 0x134 | data | English | United States | 0.4090909090909091 |
RT_CURSOR | 0x735374 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4967532467532468 |
RT_ICON | 0x7354a8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2834 x 2834 px/m | English | United States | 0.3930557198627706 |
RT_ICON | 0x745cd0 | 0xaf42 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 1.0003789060758703 |
RT_STRING | 0x750c14 | 0xd4 | data | | | 0.5660377358490566 |
RT_STRING | 0x750ce8 | 0x898 | data | | | 0.3109090909090909 |
RT_STRING | 0x751580 | 0x106c | data | | | 0.21741198858230257 |
RT_STRING | 0x7525ec | 0x9f8 | data | | | 0.32053291536050155 |
RT_STRING | 0x752fe4 | 0x894 | data | | | 0.3087431693989071 |
RT_STRING | 0x753878 | 0x87c | data | | | 0.27532228360957645 |
RT_STRING | 0x7540f4 | 0x400 | data | | | 0.392578125 |
RT_STRING | 0x7544f4 | 0x2a8 | data | | | 0.43676470588235294 |
RT_STRING | 0x75479c | 0x60c | data | | | 0.3578811369509044 |
RT_STRING | 0x754da8 | 0x3fc | data | | | 0.41274509803921566 |
RT_STRING | 0x7551a4 | 0x454 | data | | | 0.38267148014440433 |
RT_STRING | 0x7555f8 | 0x430 | data | | | 0.4123134328358209 |
RT_STRING | 0x755a28 | 0x34c | data | | | 0.4253554502369668 |
RT_STRING | 0x755d74 | 0x4a0 | data | | | 0.3876689189189189 |
RT_STRING | 0x756214 | 0x370 | data | | | 0.42159090909090907 |
RT_STRING | 0x756584 | 0x390 | data | | | 0.3607456140350877 |
RT_STRING | 0x756914 | 0x27c | data | | | 0.4591194968553459 |
RT_STRING | 0x756b90 | 0x388 | data | | | 0.41150442477876104 |
RT_STRING | 0x756f18 | 0x580 | data | | | 0.41051136363636365 |
RT_STRING | 0x757498 | 0x41c | data | | | 0.35551330798479086 |
RT_STRING | 0x7578b4 | 0x4c8 | data | | | 0.2965686274509804 |
RT_STRING | 0x757d7c | 0x4fc | data | | | 0.3377742946708464 |
RT_STRING | 0x758278 | 0x680 | data | | | 0.34915865384615385 |
RT_STRING | 0x7588f8 | 0x448 | data | | | 0.38321167883211676 |
RT_STRING | 0x758d40 | 0x52c | data | | | 0.28700906344410876 |
RT_STRING | 0x75926c | 0x350 | data | | | 0.41391509433962265 |
RT_STRING | 0x7595bc | 0x268 | data | | | 0.4448051948051948 |
RT_STRING | 0x759824 | 0x114 | data | | | 0.6086956521739131 |
RT_STRING | 0x759938 | 0x440 | data | | | 0.39981617647058826 |
RT_STRING | 0x759d78 | 0x510 | data | | | 0.3472222222222222 |
RT_STRING | 0x75a288 | 0x598 | data | | | 0.36941340782122906 |
RT_STRING | 0x75a820 | 0x420 | data | | | 0.3693181818181818 |
RT_STRING | 0x75ac40 | 0x3b8 | data | | | 0.28361344537815125 |
RT_STRING | 0x75aff8 | 0x3f4 | data | | | 0.424901185770751 |
RT_STRING | 0x75b3ec | 0x6b4 | data | | | 0.31934731934731936 |
RT_STRING | 0x75baa0 | 0x4dc | data | | | 0.3392282958199357 |
RT_STRING | 0x75bf7c | 0x330 | data | | | 0.3909313725490196 |
RT_STRING | 0x75c2ac | 0x35c | data | | | 0.3755813953488372 |
RT_STRING | 0x75c608 | 0x3c4 | data | | | 0.36721991701244816 |
RT_STRING | 0x75c9cc | 0x3fc | data | | | 0.3764705882352941 |
RT_STRING | 0x75cdc8 | 0xf4 | data | | | 0.5491803278688525 |
RT_STRING | 0x75cebc | 0xc4 | data | | | 0.6275510204081632 |
RT_STRING | 0x75cf80 | 0x268 | data | | | 0.48863636363636365 |
RT_STRING | 0x75d1e8 | 0x434 | data | | | 0.3308550185873606 |
RT_STRING | 0x75d61c | 0x360 | data | | | 0.38425925925925924 |
RT_STRING | 0x75d97c | 0x2ec | data | | | 0.37566844919786097 |
RT_STRING | 0x75dc68 | 0x31c | data | | | 0.34296482412060303 |
RT_RCDATA | 0x75df84 | 0x627e | JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=6, datetime=2010:05:11 20:59:59], baseline, precision 8, 256x256, components 3 | English | United States | 0.9922265408106608 |
RT_RCDATA | 0x764204 | 0x10 | data | | | 1.5 |
RT_RCDATA | 0x764214 | 0x1690 | data | | | 0.45896814404432135 |
RT_RCDATA | 0x7658a4 | 0x2 | data | English | United States | 5.0 |
RT_RCDATA | 0x7658a8 | 0x1407 | Delphi compiled form 'TForm1' | | | 0.33664911254144725 |
RT_RCDATA | 0x766cb0 | 0x53fc6 | data | English | United States | 0.26979180595687285 |
RT_RCDATA | 0x7bac78 | 0x4a976 | data | English | United States | 0.1747249006631187 |
RT_RCDATA | 0x8055f0 | 0x538f4 | data | English | United States | 0.2701192076199381 |
RT_GROUP_CURSOR | 0x858ee4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25 |
RT_GROUP_CURSOR | 0x858ef8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25 |
RT_GROUP_CURSOR | 0x858f0c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
RT_GROUP_CURSOR | 0x858f20 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
RT_GROUP_CURSOR | 0x858f34 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
RT_GROUP_ICON | 0x858f48 | 0x22 | data | English | United States | 0.9705882352941176 |
RT_VERSION | 0x858f6c | 0x140 | MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79 | English | United States | 0.55 |
RT_MANIFEST | 0x8590ac | 0x3af | XML 1.0 document, ASCII text, with CRLF, LF line terminators | English | United States | 0.47613997879109227 |
DLL | Import |
---|---|
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen |
advapi32.dll | RegQueryValueExW, RegOpenKeyExW, RegCloseKey |
user32.dll | CharNextW, LoadStringW |
kernel32.dll | Sleep, VirtualFree, VirtualAlloc, lstrlenW, VirtualQuery, QueryPerformanceCounter, GetTickCount, GetSystemInfo, GetVersion, CompareStringW, IsDBCSLeadByteEx, IsValidLocale, SetThreadLocale, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, GetLocaleInfoW, WideCharToMultiByte, MultiByteToWideChar, GetConsoleOutputCP, GetConsoleCP, GetACP, LoadLibraryExW, GetStartupInfoW, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetCommandLineW, FindResourceW, FreeLibrary, GetLastError, UnhandledExceptionFilter, RtlUnwind, RaiseException, ExitProcess, ExitThread, SwitchToThread, GetCurrentThreadId, CreateThread, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, FindFirstFileW, FindClose, WriteFile, SetFilePointer, SetEndOfFile, ReadFile, GetFileType, GetFileSize, CreateFileW, GetStdHandle, CloseHandle |
kernel32.dll | GetProcAddress, RaiseException, LoadLibraryA, GetLastError, TlsSetValue, TlsGetValue, LocalFree, LocalAlloc, GetModuleHandleW, FreeLibrary |
user32.dll | WINNLSEnableIME, SetWindowLongW, GetWindowLongW, CreateWindowExW, WaitMessage, UpdateLayeredWindow, UpdateWindow, UnregisterClassW, UnhookWindowsHookEx, TranslateMessage, TrackMouseEvent, SystemParametersInfoW, ShowWindow, ShowScrollBar, SetWindowRgn, SetWindowsHookExW, SetWindowTextW, SetWindowPos, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropW, SetParent, SetMenuItemInfoW, SetMenu, SetFocus, SetCursor, SetClipboardData, SetCapture, SetActiveWindow, SendMessageTimeoutW, SendMessageW, ScreenToClient, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterClassW, RedrawWindow, PostQuitMessage, PostMessageW, PeekMessageW, OpenClipboard, MsgWaitForMultipleObjects, MessageBoxIndirectW, MessageBoxW, MapVirtualKeyW, LoadStringW, LoadIconW, LoadCursorW, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsMenu, IsIconic, IsClipboardFormatAvailable, InvalidateRect, GetWindowTextLengthW, GetWindowTextW, GetWindowRect, GetWindowPlacement, GetWindowDC, GetUpdateRgn, GetUpdateRect, GetSystemMetrics, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollInfo, GetPropW, GetParent, GetMenuItemInfoW, GetMenuItemCount, GetMenu, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextW, GetFocus, GetDesktopWindow, GetDC, GetCursorPos, GetClipboardData, GetClientRect, GetClassNameW, GetClassInfoW, GetCapture, GetAsyncKeyState, GetActiveWindow, FindWindowW, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EmptyClipboard, DrawTextW, DrawIconEx, DispatchMessageW, DestroyWindow, DestroyMenu, DefWindowProcW, CreateMenu, CloseClipboard, ClientToScreen, CharUpperBuffW, CharUpperW, CharNextW, CharLowerBuffW, CharLowerW, CallWindowProcW, CallNextHookEx, BeginPaint, AppendMenuW, ActivateKeyboardLayout |
gdi32.dll | TextOutW, StartPage, StartDocW, SetWindowOrgEx, SetTextColor, SetTextAlign, SetMapMode, SetBkColor, SetAbortProc, SelectObject, GetWindowOrgEx, GetTextMetricsW, GetTextExtentPoint32W, GetStockObject, GetRegionData, GetPath, GetObjectA, GetDeviceCaps, GetCharABCWidthsFloatW, ExtCreateRegion, EnumFontsW, EndPath, EndPage, EndDoc, DeleteObject, DeleteDC, CreateRectRgn, CreateICW, CreateFontIndirectW, CreateFontW, CreateDIBSection, CreateDCW, CreateCompatibleDC, CombineRgn, BitBlt, BeginPath, AbortDoc |
version.dll | VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW |
kernel32.dll | lstrlenW, WritePrivateProfileStringW, WriteFile, WideCharToMultiByte, WaitForSingleObject, VirtualQueryEx, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, VerSetConditionMask, VerifyVersionInfoW, TryEnterCriticalSection, SwitchToThread, SuspendThread, Sleep, SizeofResource, SetThreadPriority, SetLastError, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ResetEvent, RemoveDirectoryW, ReadFile, RaiseException, QueryPerformanceFrequency, QueryPerformanceCounter, IsDebuggerPresent, OutputDebugStringW, MulDiv, LockResource, LocalFree, LoadResource, LoadLibraryW, LeaveCriticalSection, LCMapStringW, IsValidLocale, InitializeCriticalSection, HeapSize, HeapFree, HeapDestroy, HeapCreate, HeapAlloc, GlobalUnlock, GlobalSize, GlobalLock, GlobalFree, GlobalFindAtomW, GlobalAlloc, GlobalAddAtomW, GetVersionExW, GetUserDefaultLCID, GetTimeZoneInformation, GetTickCount, GetThreadPriority, GetThreadLocale, GetTempPathW, GetSystemDirectoryW, GetStdHandle, GetLongPathNameW, GetProcAddress, GetPrivateProfileStringW, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesW, GetExitCodeThread, GetEnvironmentVariableW, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetComputerNameW, GetCPInfoExW, GetCPInfo, GetACP, FreeResource, InterlockedCompareExchange, FreeLibrary, FormatMessageW, FindResourceW, FindNextFileW, FindFirstFileW, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, ExpandEnvironmentStringsW, EnumSystemLocalesW, EnumCalendarInfoW, EnterCriticalSection, DeleteFileW, DeleteCriticalSection, CreateProcessW, CreateFileW, CreateEventW, CreateDirectoryW, CopyFileW, CompareStringW, CloseHandle |
advapi32.dll | RegUnLoadKeyW, RegSetValueExW, RegSaveKeyW, RegRestoreKeyW, RegReplaceKeyW, RegQueryValueExW, RegQueryInfoKeyW, RegOpenKeyExW, RegLoadKeyW, RegFlushKey, RegEnumValueW, RegEnumKeyW, RegEnumKeyExW, RegDeleteValueW, RegDeleteKeyW, RegCreateKeyExW, RegConnectRegistryW, RegCloseKey |
SHFolder.dll | SHGetFolderPathW |
kernel32.dll | Sleep |
netapi32.dll | NetWkstaGetInfo |
oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayRedim, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit |
oleaut32.dll | GetErrorInfo, SysStringLen, SysFreeString |
ole32.dll | CreateStreamOnHGlobal, OleRegEnumFormatEtc, ReleaseStgMedium, OleDraw, DoDragDrop, RevokeDragDrop, RegisterDragDrop, OleInitialize, CoTaskMemFree, CoTaskMemAlloc, StringFromCLSID, CoCreateInstance, CoGetClassObject, CoGetMalloc, CoUninitialize, CoInitialize, IsEqualGUID |
msvcrt.dll | isxdigit, isupper, isspace, ispunct, isprint, islower, isgraph, isdigit, iscntrl, isalpha, isalnum, toupper, tolower, strchr, strlen, strncmp, memset, memcpy, memcmp |
shell32.dll | ShellExecuteW, DragQueryFileW |
comdlg32.dll | PageSetupDlgW, PrintDlgW, GetSaveFileNameW, GetOpenFileNameW |
winmm.dll | timeGetTime |
user32.dll | EnumDisplayMonitors, GetMonitorInfoW, MonitorFromPoint, MonitorFromWindow |
winspool.drv | SetPrinterW, OpenPrinterW, GetPrinterW, GetDefaultPrinterW, EnumPrintersW, DocumentPropertiesW, DeviceCapabilitiesW, ClosePrinter |
d3d9.dll | Direct3DCreate9 |
Name | Ordinal | Address |
---|---|---|
TMethodImplementationIntercept | 3 | 0x46bb7c |
__dbk_fcall_wrapper | 2 | 0x4105c8 |
dbkFCallWrapperAddr | 1 | 0xa71c5c |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Target ID: | 0 |
Start time: | 20:34:33 |
Start date: | 26/05/2024 |
Path: | C:\Users\user\Desktop\RcvMst.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 8'620'032 bytes |
MD5 hash: | 6866479D039860A7F28EB5F11768E2E0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | Borland Delphi |
Reputation: | low |
Has exited: | true |