Edit tour

Windows Analysis Report
RcvMst.exe

Overview

General Information

Sample name:	RcvMst.exe
Analysis ID:	1447778
MD5:	6866479d039860a7f28eb5f11768e2e0
SHA1:	58f70fd73d8582a11db032322aac6081850359ac
SHA256:	9ff834bf3231a1e257b6d19770bcd670b8ff00227334f7f967cba9fd5a5a6a85

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Uses Windows timers to delay execution

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Potential time zone aware malware

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Classification

Process Tree

System is w10x64

RcvMst.exe (PID: 6612 cmdline: "C:\Users\user\Desktop\RcvMst.exe" MD5: 6866479D039860A7F28EB5F11768E2E0)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: RcvMst.exe

Virustotal: Detection: 14%

Perma Link

Source: RcvMst.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: RcvMst.exe	String found in binary or memory: http://www.indyproject.org/
Source: RcvMst.exe, 00000000.00000003.1677314919.00000000089F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr

Source: RcvMst.exe

Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79

Source: RcvMst.exe

Static PE information: Number of sections : 11 > 10

Source: RcvMst.exe, 00000000.00000003.1675874771.0000000000D59000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameD3D10War vs RcvMst.exe
Source: RcvMst.exe, 00000000.00000003.1675874771.0000000000D50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameD3D10Warp.dllj% vs RcvMst.exe
Source: RcvMst.exe, 00000000.00000003.1670904466.0000000000D52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameD3D10Warp.dllj% vs RcvMst.exe
Source: RcvMst.exe, 00000000.00000003.1676332459.0000000000D54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameD3D10Warp.dllj% vs RcvMst.exe
Source: RcvMst.exe, 00000000.00000003.1671310554.0000000000D53000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameD3D10Warp.dllj% vs RcvMst.exe
Source: RcvMst.exe, 00000000.00000003.1676738087.0000000000D53000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameD3D10Warp.dllj% vs RcvMst.exe
Source: RcvMst.exe, 00000000.00000003.1676569336.0000000000D54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameD3D10Warp.dllj% vs RcvMst.exe
Source: RcvMst.exe, 00000000.00000003.1676738087.0000000000D59000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameD3D10War vs RcvMst.exe

Source: RcvMst.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: classification engine

Classification label: mal52.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\RcvMst.exe

File created: C:\Users\user\Desktop\RcvMst.exe.close.stop

Jump to behavior

Source: C:\Users\user\Desktop\RcvMst.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Users\user\Desktop\RcvMst.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RcvMst.exe

Virustotal: Detection: 14%

Source: RcvMst.exe	String found in binary or memory: NATS-SEFI-ADD
Source: RcvMst.exe	String found in binary or memory: NATS-DANO-ADD
Source: RcvMst.exe	String found in binary or memory: JIS_C6229-1984-b-add
Source: RcvMst.exe	String found in binary or memory: jp-ocr-b-add
Source: RcvMst.exe	String found in binary or memory: JIS_C6229-1984-hand-add
Source: RcvMst.exe	String found in binary or memory: jp-ocr-hand-add
Source: RcvMst.exe	String found in binary or memory: ISO_6937-2-add

Source: C:\Users\user\Desktop\RcvMst.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Section loaded: d3d10_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Section loaded: d3d10_1core.dll	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Section loaded: d3d10_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Section loaded: d3d10_1core.dll	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Section loaded: msdart.dll	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Section loaded: idndl.dll	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: C:\Users\user\Desktop\RcvMst.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32

Jump to behavior

Source: RcvMst.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: RcvMst.exe

Static file information: File size 8620032 > 1048576

Source: RcvMst.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x64c400
Source: RcvMst.exe	Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x125600

Source: RcvMst.exe

Static PE information: section name: .didata

Source: C:\Users\user\Desktop\RcvMst.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Uses Windows timers to delay execution

Source: C:\Users\user\Desktop\RcvMst.exe	User Timer Set: Timeout: 250ms	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	User Timer Set: Timeout: 10ms	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	User Timer Set: Timeout: 10ms	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	User Timer Set: Timeout: 10ms	Jump to behavior

Source: C:\Users\user\Desktop\RcvMst.exe

System information queried: CurrentTimeZoneInformation

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: RcvMst.exe, 00000000.00000003.1675874771.0000000000D64000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\RcvMst.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RcvMst.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	11 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
RcvMst.exe	15%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.indyproject.org/	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.sandoll.co.kr	RcvMst.exe, 00000000.00000003.1677314919.00000000089F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.indyproject.org/	RcvMst.exe	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1447778
Start date and time:	2024-05-27 02:33:42 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	RcvMst.exe
Detection:	MAL
Classification:	mal52.evad.winEXE@1/0@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.666838353480752
TrID:	Win32 Executable (generic) a (10002005/4) 99.53% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	RcvMst.exe
File size:	8'620'032 bytes
MD5:	6866479d039860a7f28eb5f11768e2e0
SHA1:	58f70fd73d8582a11db032322aac6081850359ac
SHA256:	9ff834bf3231a1e257b6d19770bcd670b8ff00227334f7f967cba9fd5a5a6a85
SHA512:	230546308f0fd7b6f31d9bfe0f696d6c06c8619a2a7a1989f4d5d1d90a78fb5134cdb5388c4665477b2359f9f62437749f3c30a1f82682ae6e189331b7932504
SSDEEP:	98304:uYiJ1MVTPBlcZvtBumKt62YfpG2XROyQlA3aLk2w+7+rO7j3+myvAUNA6dw3:ukxJiY02YBGEOzlOrO7jO6
TLSH:	59967C27AA465539C47B093B5837B714AC3F76B43956EC1BABF80C4C4E719806A3A70F
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	2b4d968a88f93b17

Static PE Info

General

Entrypoint:	0xa51520
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x5BE0E20D [Tue Nov 6 00:36:29 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	fc37d1dd2185e1224c6d6badcfe3a402

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 00A3FC58h
call 00007F86D4E835C9h
mov eax, dword ptr [00A6E1B0h]
mov eax, dword ptr [eax]
call 00007F86D53347C5h
mov ecx, dword ptr [00A6E5D0h]
mov eax, dword ptr [00A6E1B0h]
mov eax, dword ptr [eax]
mov edx, dword ptr [00A37D14h]
call 00007F86D533159Dh
mov eax, dword ptr [00A6E1B0h]
mov eax, dword ptr [eax]
call 00007F86D5334605h
call 00007F86D4E7D86Ch
lea eax, dword ptr [eax+00h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x693000	0x98	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x689000	0x2dc8	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x734000	0x125600	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x696000	0x9d59c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x695000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x6898fc	0x71c	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x68c000	0x636a	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x64c370	0x64c400	4841ac4cefc34b09d2909fbe1f0873c4	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x64e000	0x3568	0x3600	db7879e1463384e791db1fb2119c19b6	False	0.5489728009259259	data	6.391915620686699	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x652000	0x1c7e8	0x1c800	df314b762de4b3b48a69f35b15a84b3f	False	0.23532586348684212	data	5.328806783949352	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x66f000	0x19f48	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x689000	0x2dc8	0x2e00	fa03e3dde763c8577b656159789b96bf	False	0.33126698369565216	data	5.153963991622925	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0x68c000	0x636a	0x6400	d571e8121cfb1b34b89674a1eac3a5e1	False	0.2267578125	data	5.032166947505453	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x693000	0x98	0x200	88479539dd60a20990109ed500413047	False	0.25390625	data	1.8839782081778167	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x694000	0x18	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x695000	0x5d	0x200	ba9292a4332c64f6c93eb5fe1a97ae4b	False	0.1875	data	1.382174483578759	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x696000	0x9d59c	0x9d600	1a5a0d0108e0a980080cdcfb9018a22a	False	0.5074867206115965	data	6.672371684082929	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x734000	0x125600	0x125600	1fdc582e927f6dbcc55f24f38753b984	False	0.2952713903387303	data	6.286082043906723	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x734ea4	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_CURSOR	0x734fd8	0x134	data	English	United States	0.4642857142857143
RT_CURSOR	0x73510c	0x134	data	English	United States	0.4805194805194805
RT_CURSOR	0x735240	0x134	data	English	United States	0.4090909090909091
RT_CURSOR	0x735374	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4967532467532468
RT_ICON	0x7354a8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2834 x 2834 px/m	English	United States	0.3930557198627706
RT_ICON	0x745cd0	0xaf42	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	1.0003789060758703
RT_STRING	0x750c14	0xd4	data			0.5660377358490566
RT_STRING	0x750ce8	0x898	data			0.3109090909090909
RT_STRING	0x751580	0x106c	data			0.21741198858230257
RT_STRING	0x7525ec	0x9f8	data			0.32053291536050155
RT_STRING	0x752fe4	0x894	data			0.3087431693989071
RT_STRING	0x753878	0x87c	data			0.27532228360957645
RT_STRING	0x7540f4	0x400	data			0.392578125
RT_STRING	0x7544f4	0x2a8	data			0.43676470588235294
RT_STRING	0x75479c	0x60c	data			0.3578811369509044
RT_STRING	0x754da8	0x3fc	data			0.41274509803921566
RT_STRING	0x7551a4	0x454	data			0.38267148014440433
RT_STRING	0x7555f8	0x430	data			0.4123134328358209
RT_STRING	0x755a28	0x34c	data			0.4253554502369668
RT_STRING	0x755d74	0x4a0	data			0.3876689189189189
RT_STRING	0x756214	0x370	data			0.42159090909090907
RT_STRING	0x756584	0x390	data			0.3607456140350877
RT_STRING	0x756914	0x27c	data			0.4591194968553459
RT_STRING	0x756b90	0x388	data			0.41150442477876104
RT_STRING	0x756f18	0x580	data			0.41051136363636365
RT_STRING	0x757498	0x41c	data			0.35551330798479086
RT_STRING	0x7578b4	0x4c8	data			0.2965686274509804
RT_STRING	0x757d7c	0x4fc	data			0.3377742946708464
RT_STRING	0x758278	0x680	data			0.34915865384615385
RT_STRING	0x7588f8	0x448	data			0.38321167883211676
RT_STRING	0x758d40	0x52c	data			0.28700906344410876
RT_STRING	0x75926c	0x350	data			0.41391509433962265
RT_STRING	0x7595bc	0x268	data			0.4448051948051948
RT_STRING	0x759824	0x114	data			0.6086956521739131
RT_STRING	0x759938	0x440	data			0.39981617647058826
RT_STRING	0x759d78	0x510	data			0.3472222222222222
RT_STRING	0x75a288	0x598	data			0.36941340782122906
RT_STRING	0x75a820	0x420	data			0.3693181818181818
RT_STRING	0x75ac40	0x3b8	data			0.28361344537815125
RT_STRING	0x75aff8	0x3f4	data			0.424901185770751
RT_STRING	0x75b3ec	0x6b4	data			0.31934731934731936
RT_STRING	0x75baa0	0x4dc	data			0.3392282958199357
RT_STRING	0x75bf7c	0x330	data			0.3909313725490196
RT_STRING	0x75c2ac	0x35c	data			0.3755813953488372
RT_STRING	0x75c608	0x3c4	data			0.36721991701244816
RT_STRING	0x75c9cc	0x3fc	data			0.3764705882352941
RT_STRING	0x75cdc8	0xf4	data			0.5491803278688525
RT_STRING	0x75cebc	0xc4	data			0.6275510204081632
RT_STRING	0x75cf80	0x268	data			0.48863636363636365
RT_STRING	0x75d1e8	0x434	data			0.3308550185873606
RT_STRING	0x75d61c	0x360	data			0.38425925925925924
RT_STRING	0x75d97c	0x2ec	data			0.37566844919786097
RT_STRING	0x75dc68	0x31c	data			0.34296482412060303
RT_RCDATA	0x75df84	0x627e	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=6, datetime=2010:05:11 20:59:59], baseline, precision 8, 256x256, components 3	English	United States	0.9922265408106608
RT_RCDATA	0x764204	0x10	data			1.5
RT_RCDATA	0x764214	0x1690	data			0.45896814404432135
RT_RCDATA	0x7658a4	0x2	data	English	United States	5.0
RT_RCDATA	0x7658a8	0x1407	Delphi compiled form 'TForm1'			0.33664911254144725
RT_RCDATA	0x766cb0	0x53fc6	data	English	United States	0.26979180595687285
RT_RCDATA	0x7bac78	0x4a976	data	English	United States	0.1747249006631187
RT_RCDATA	0x8055f0	0x538f4	data	English	United States	0.2701192076199381
RT_GROUP_CURSOR	0x858ee4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x858ef8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x858f0c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x858f20	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x858f34	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0x858f48	0x22	data	English	United States	0.9705882352941176
RT_VERSION	0x858f6c	0x140	MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79	English	United States	0.55
RT_MANIFEST	0x8590ac	0x3af	XML 1.0 document, ASCII text, with CRLF, LF line terminators	English	United States	0.47613997879109227

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll	CharNextW, LoadStringW
kernel32.dll	Sleep, VirtualFree, VirtualAlloc, lstrlenW, VirtualQuery, QueryPerformanceCounter, GetTickCount, GetSystemInfo, GetVersion, CompareStringW, IsDBCSLeadByteEx, IsValidLocale, SetThreadLocale, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, GetLocaleInfoW, WideCharToMultiByte, MultiByteToWideChar, GetConsoleOutputCP, GetConsoleCP, GetACP, LoadLibraryExW, GetStartupInfoW, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetCommandLineW, FindResourceW, FreeLibrary, GetLastError, UnhandledExceptionFilter, RtlUnwind, RaiseException, ExitProcess, ExitThread, SwitchToThread, GetCurrentThreadId, CreateThread, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, FindFirstFileW, FindClose, WriteFile, SetFilePointer, SetEndOfFile, ReadFile, GetFileType, GetFileSize, CreateFileW, GetStdHandle, CloseHandle
kernel32.dll	GetProcAddress, RaiseException, LoadLibraryA, GetLastError, TlsSetValue, TlsGetValue, LocalFree, LocalAlloc, GetModuleHandleW, FreeLibrary
user32.dll	WINNLSEnableIME, SetWindowLongW, GetWindowLongW, CreateWindowExW, WaitMessage, UpdateLayeredWindow, UpdateWindow, UnregisterClassW, UnhookWindowsHookEx, TranslateMessage, TrackMouseEvent, SystemParametersInfoW, ShowWindow, ShowScrollBar, SetWindowRgn, SetWindowsHookExW, SetWindowTextW, SetWindowPos, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropW, SetParent, SetMenuItemInfoW, SetMenu, SetFocus, SetCursor, SetClipboardData, SetCapture, SetActiveWindow, SendMessageTimeoutW, SendMessageW, ScreenToClient, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterClassW, RedrawWindow, PostQuitMessage, PostMessageW, PeekMessageW, OpenClipboard, MsgWaitForMultipleObjects, MessageBoxIndirectW, MessageBoxW, MapVirtualKeyW, LoadStringW, LoadIconW, LoadCursorW, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsMenu, IsIconic, IsClipboardFormatAvailable, InvalidateRect, GetWindowTextLengthW, GetWindowTextW, GetWindowRect, GetWindowPlacement, GetWindowDC, GetUpdateRgn, GetUpdateRect, GetSystemMetrics, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollInfo, GetPropW, GetParent, GetMenuItemInfoW, GetMenuItemCount, GetMenu, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextW, GetFocus, GetDesktopWindow, GetDC, GetCursorPos, GetClipboardData, GetClientRect, GetClassNameW, GetClassInfoW, GetCapture, GetAsyncKeyState, GetActiveWindow, FindWindowW, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EmptyClipboard, DrawTextW, DrawIconEx, DispatchMessageW, DestroyWindow, DestroyMenu, DefWindowProcW, CreateMenu, CloseClipboard, ClientToScreen, CharUpperBuffW, CharUpperW, CharNextW, CharLowerBuffW, CharLowerW, CallWindowProcW, CallNextHookEx, BeginPaint, AppendMenuW, ActivateKeyboardLayout
gdi32.dll	TextOutW, StartPage, StartDocW, SetWindowOrgEx, SetTextColor, SetTextAlign, SetMapMode, SetBkColor, SetAbortProc, SelectObject, GetWindowOrgEx, GetTextMetricsW, GetTextExtentPoint32W, GetStockObject, GetRegionData, GetPath, GetObjectA, GetDeviceCaps, GetCharABCWidthsFloatW, ExtCreateRegion, EnumFontsW, EndPath, EndPage, EndDoc, DeleteObject, DeleteDC, CreateRectRgn, CreateICW, CreateFontIndirectW, CreateFontW, CreateDIBSection, CreateDCW, CreateCompatibleDC, CombineRgn, BitBlt, BeginPath, AbortDoc
version.dll	VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
kernel32.dll	lstrlenW, WritePrivateProfileStringW, WriteFile, WideCharToMultiByte, WaitForSingleObject, VirtualQueryEx, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, VerSetConditionMask, VerifyVersionInfoW, TryEnterCriticalSection, SwitchToThread, SuspendThread, Sleep, SizeofResource, SetThreadPriority, SetLastError, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ResetEvent, RemoveDirectoryW, ReadFile, RaiseException, QueryPerformanceFrequency, QueryPerformanceCounter, IsDebuggerPresent, OutputDebugStringW, MulDiv, LockResource, LocalFree, LoadResource, LoadLibraryW, LeaveCriticalSection, LCMapStringW, IsValidLocale, InitializeCriticalSection, HeapSize, HeapFree, HeapDestroy, HeapCreate, HeapAlloc, GlobalUnlock, GlobalSize, GlobalLock, GlobalFree, GlobalFindAtomW, GlobalAlloc, GlobalAddAtomW, GetVersionExW, GetUserDefaultLCID, GetTimeZoneInformation, GetTickCount, GetThreadPriority, GetThreadLocale, GetTempPathW, GetSystemDirectoryW, GetStdHandle, GetLongPathNameW, GetProcAddress, GetPrivateProfileStringW, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesW, GetExitCodeThread, GetEnvironmentVariableW, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetComputerNameW, GetCPInfoExW, GetCPInfo, GetACP, FreeResource, InterlockedCompareExchange, FreeLibrary, FormatMessageW, FindResourceW, FindNextFileW, FindFirstFileW, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, ExpandEnvironmentStringsW, EnumSystemLocalesW, EnumCalendarInfoW, EnterCriticalSection, DeleteFileW, DeleteCriticalSection, CreateProcessW, CreateFileW, CreateEventW, CreateDirectoryW, CopyFileW, CompareStringW, CloseHandle
advapi32.dll	RegUnLoadKeyW, RegSetValueExW, RegSaveKeyW, RegRestoreKeyW, RegReplaceKeyW, RegQueryValueExW, RegQueryInfoKeyW, RegOpenKeyExW, RegLoadKeyW, RegFlushKey, RegEnumValueW, RegEnumKeyW, RegEnumKeyExW, RegDeleteValueW, RegDeleteKeyW, RegCreateKeyExW, RegConnectRegistryW, RegCloseKey
SHFolder.dll	SHGetFolderPathW
kernel32.dll	Sleep
netapi32.dll	NetWkstaGetInfo
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayRedim, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
oleaut32.dll	GetErrorInfo, SysStringLen, SysFreeString
ole32.dll	CreateStreamOnHGlobal, OleRegEnumFormatEtc, ReleaseStgMedium, OleDraw, DoDragDrop, RevokeDragDrop, RegisterDragDrop, OleInitialize, CoTaskMemFree, CoTaskMemAlloc, StringFromCLSID, CoCreateInstance, CoGetClassObject, CoGetMalloc, CoUninitialize, CoInitialize, IsEqualGUID
msvcrt.dll	isxdigit, isupper, isspace, ispunct, isprint, islower, isgraph, isdigit, iscntrl, isalpha, isalnum, toupper, tolower, strchr, strlen, strncmp, memset, memcpy, memcmp
shell32.dll	ShellExecuteW, DragQueryFileW
comdlg32.dll	PageSetupDlgW, PrintDlgW, GetSaveFileNameW, GetOpenFileNameW
winmm.dll	timeGetTime
user32.dll	EnumDisplayMonitors, GetMonitorInfoW, MonitorFromPoint, MonitorFromWindow
winspool.drv	SetPrinterW, OpenPrinterW, GetPrinterW, GetDefaultPrinterW, EnumPrintersW, DocumentPropertiesW, DeviceCapabilitiesW, ClosePrinter
d3d9.dll	Direct3DCreate9

Exports

Name	Ordinal	Address
TMethodImplementationIntercept	3	0x46bb7c
__dbk_fcall_wrapper	2	0x4105c8
dbkFCallWrapperAddr	1	0xa71c5c

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	20:34:33
Start date:	26/05/2024
Path:	C:\Users\user\Desktop\RcvMst.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\RcvMst.exe"
Imagebase:	0x400000
File size:	8'620'032 bytes
MD5 hash:	6866479D039860A7F28EB5F11768E2E0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report RcvMst.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: RcvMst.exePID: 6612, Parent PID: 2580

General

Chronological Activities

Disassembly

Windows Analysis Report
RcvMst.exe