PREMIUM PESCAN.IO - Analysis Report

File Structure
[PE layout chart not reproduced in this text copy]
PE chart colour code:
Executable header (light blue)
Executable sections (pink)
Non-executable sections (black)
External injected code (red)
File structure drawn in red = malformed or corrupted header
Chart colour code for non-PE files:
Printable characters (blue)
Non-printable characters (black)
Information
Size: 222,50 KB (227840 bytes)
SHA-256 Hash: 1A7459F21FFAFDAD32A74C37BAB2C625A1751AD3AADCCFC147006177D044F986
SHA-1 Hash: 660107D7D6A29D80D06C330C7A2F56FEA90FDBF5
MD5 Hash: 059E25A8D69AED66BF13E46B9CA7E286
Imphash: 0E61D8A37C610264108DC54FDAFE6B69
MajorOSVersion: 5
MinorOSVersion: 1
CheckSum: 0003DB1E
EntryPoint (RVA): 117C2 (in .text; file offset 10BC2)
SizeOfHeaders: 400
SizeOfImage: 3F000
ImageBase: 400000
Architecture: x86
ImportTable: 2CCF8
IAT: 26000
Characteristics: 102 (IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE)
TimeDateStamp: 693BC42D
Date: 12/12/2025 7:28:45 (UTC, decoded from TimeDateStamp)
File Type: EXE
Number Of Sections: 5
ASLR: Enabled
Section Names: .text, .rdata, .data, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker

Sections Info
Section  Flags     Decoded                                    ROffset  RSize  VOffset  VSize  Entropy    Chi2
.text    60000020  Code, Executable, Readable                 400      24A00  1000     2496C  6,6703790  674,21
.rdata   40000040  Initialized Data, Readable                 24E00    8400   26000    831A   4,9232143  8378,33
.data    C0000040  Initialized Data, Readable, Writeable      2D200    7200   2F000    AF88   2,0723473  3374,65
.rsrc    40000040  Initialized Data, Readable                 34400    200    3A000    1B4    5,1126515  2,00
.reloc   42000040  Initialized Data, Discardable, Readable    34600    3400   3B000    3238   5,2613432  841,62
Notes: the .reloc flags 42000040 decode to CNT_INITIALIZED_DATA | MEM_DISCARDABLE | MEM_READ; the original report labelled the 02000000 bit "GP-Relative", which is wrong (IMAGE_SCN_GPREL is 00008000 and is not set). VSize exceeding RSize on .data means its last 3D88 bytes are zero-filled at load rather than stored in the file. The Entropy and Chi2 columns were printed run together in the original; they are split here on the assumption of seven decimal places of entropy, the only fixed precision that fits all five rows.
Entry Point
Section 1 (.text) contains the entry point.
Information -> EntryPoint file offset (calculated): 10BC2 (= RVA 117C2 - .text VOffset 1000 + .text ROffset 400)
Code -> E806820000E995FEFFFF8BFF558BEC83EC208B450856576A0859BE846642008D7DE0F3A58945F88B450C5F8945FC5E85C074
Disassembly (linear sweep of the bytes above). The tool printed branch targets as if the code sat at RVA 1000, so CALL 0X920B and JMP 0XE9F correspond to RVAs 199CD and 11661 once rebased to the real entry RVA 117C2. The call-then-jmp pair is the standard MSVC CRT entry stub (security-cookie initialisation followed by a jump into the CRT startup); the instructions after the JMP are the start of the next function and are not reached from the entry point.
CALL 0X920B (rebased: 199CD)
JMP 0XE9F (rebased: 11661)
MOV EDI, EDI
PUSH EBP
MOV EBP, ESP
SUB ESP, 0X20
MOV EAX, DWORD PTR [EBP + 8]
PUSH ESI
PUSH EDI
PUSH 8
POP ECX
MOV ESI, 0X426684
LEA EDI, [EBP - 0X20]
REP MOVSD DWORD PTR ES:[EDI], DWORD PTR [ESI]
MOV DWORD PTR [EBP - 8], EAX
MOV EAX, DWORD PTR [EBP + 0XC]
POP EDI
MOV DWORD PTR [EBP - 4], EAX
POP ESI
TEST EAX, EAX
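As an added worked example for this report (not PESCAN.IO code, and it does not read the sample file), the script below re-derives the entry-point and section figures from the numbers the report prints: it maps RVAs to file offsets through the section table, decodes section characteristic bits, and rebases the two rel32 branches at the entry point from the tool's assumed base of 1000 to the real entry RVA. Every constant is copied from the Information, Sections Info and Entry Point sections above; the only assumption is that the mapped span of a section is the larger of VirtualSize and SizeOfRawData, which is how the loader treats it.

```python
"""Re-derive the report's entry-point and section figures from the values it prints.

Added worked example; not PESCAN.IO code and it never opens the sample.
All constants are copied from the report's Information / Sections Info /
Entry Point sections.
"""
import struct

IMAGE_BASE = 0x400000
ENTRY_RVA = 0x117C2

# (name, characteristics, PointerToRawData, SizeOfRawData, VirtualAddress, VirtualSize)
SECTIONS = [
    (".text",  0x60000020, 0x00400, 0x24A00, 0x01000, 0x2496C),
    (".rdata", 0x40000040, 0x24E00, 0x08400, 0x26000, 0x0831A),
    (".data",  0xC0000040, 0x2D200, 0x07200, 0x2F000, 0x0AF88),
    (".rsrc",  0x40000040, 0x34400, 0x00200, 0x3A000, 0x001B4),
    (".reloc", 0x42000040, 0x34600, 0x03400, 0x3B000, 0x03238),
]

# IMAGE_SCN_* bits from the PE/COFF specification (the subset that matters here).
SCN_FLAGS = {
    0x00000020: "CODE",
    0x00000040: "INITIALIZED_DATA",
    0x00000080: "UNINITIALIZED_DATA",
    0x00008000: "GPREL",
    0x02000000: "DISCARDABLE",
    0x20000000: "EXECUTE",
    0x40000000: "READ",
    0x80000000: "WRITE",
}


def decode_flags(characteristics):
    """Names of the set IMAGE_SCN_* bits, lowest bit first."""
    return [name for bit, name in sorted(SCN_FLAGS.items()) if characteristics & bit]


def executable_sections():
    return [s[0] for s in SECTIONS if s[1] & 0x20000000]


def section_for_rva(rva):
    """Section whose mapped span (max of VirtualSize, SizeOfRawData) covers rva."""
    for name, _flags, _roff, rsize, va, vsize in SECTIONS:
        if va <= rva < va + max(vsize, rsize):
            return name
    return None


def rva_to_offset(rva):
    """File offset backing an RVA, or None when the RVA is unmapped or falls in a
    section's zero-filled tail (VirtualSize > SizeOfRawData, as for .data here)."""
    for _name, _flags, roff, rsize, va, vsize in SECTIONS:
        if va <= rva < va + max(vsize, rsize):
            delta = rva - va
            return roff + delta if delta < rsize else None
    return None


def rebase_branches(code, base_rva):
    """Decode the leading run of E8 (call rel32) / E9 (jmp rel32) instructions in
    `code` as if it were mapped at base_rva; returns (mnemonic, target_rva) pairs.
    The report's listing used base 0x1000; the real entry is ENTRY_RVA."""
    out, pos = [], 0
    while pos + 5 <= len(code) and code[pos] in (0xE8, 0xE9):
        rel32 = struct.unpack_from("<i", code, pos + 1)[0]
        mnemonic = "call" if code[pos] == 0xE8 else "jmp"
        out.append((mnemonic, base_rva + pos + 5 + rel32))
        pos += 5
    return out


ENTRY_BYTES = bytes.fromhex("E806820000E995FEFFFF8BFF558BEC")  # first 15 bytes of the Code line
ESI_OPERAND = 0x426684  # immediate from "MOV ESI, 0X426684" in the listing


if __name__ == "__main__":
    print("entry RVA %05X -> section %s, file offset %05X"
          % (ENTRY_RVA, section_for_rva(ENTRY_RVA), rva_to_offset(ENTRY_RVA)))
    print("executable sections:", executable_sections())
    for name, flags, *_ in SECTIONS:
        print("%-7s %08X %s" % (name, flags, ", ".join(decode_flags(flags))))
    print("manifest RVA 3A058 -> file offset %05X" % rva_to_offset(0x3A058))
    print("as listed (base 1000):", [(m, "%X" % t) for m, t in rebase_branches(ENTRY_BYTES, 0x1000)])
    print("rebased to entry     :", [(m, "%X" % t) for m, t in rebase_branches(ENTRY_BYTES, ENTRY_RVA)])
    print("MOV ESI source lives in", section_for_rva(ESI_OPERAND - IMAGE_BASE))
```

Running it reproduces the report's 10BC2 entry offset and the 34458 manifest offset, decodes .reloc as INITIALIZED_DATA, DISCARDABLE, READ, and shows that the 32 bytes copied by REP MOVSD come from .rdata. An RVA inside the zero-filled tail of .data maps to None, which is the case a naive "RVA minus VOffset plus ROffset" conversion gets wrong.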

Signatures
Rich Signature Analyzer:
Code -> 871EBC05C37FD256C37FD256C37FD256AC094C56D97FD256AC097856577FD256AC097956FC7FD256CA075156C77FD256CA074156D87FD256C37FD356C07ED256AC097D56D17FD256AC094F56C27FD25652696368C37FD256
Footprint md5 Hash -> CA30D9CE88E0AAF5B52829E80114DD87
• The Rich header appears not to have been modified
Certificate - Digital Signature Not Found:
• The file is not signed
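The Rich header dump above can be decoded by hand. As an added worked example (not PESCAN.IO code; the hex string is copied verbatim from the Code line under Rich Signature Analyzer), the script recovers the XOR key from the dword after the clear-text "Rich" marker, checks that the first dword decodes to "DanS", and unpacks each (product id, build number, object count) entry. The key doubles as the checksum over the DOS stub, which cannot be verified from this dump alone. Build-number labels are public toolset versions; product-id names other than Import0 are deliberately left unmapped rather than guessed.

```python
"""Decode the Rich header hex dump printed under Signatures.

Added worked example; not PESCAN.IO code. RICH_HEX is copied from the report.
Layout: "DanS" ^ key, three key-valued pads, (prodid<<16 | build, count) pairs
each XORed with the key, then the clear "Rich" marker followed by the key.
"""
import struct

RICH_HEX = (
    "871EBC05C37FD256C37FD256C37FD256AC094C56D97FD256AC097856577FD256"
    "AC097956FC7FD256CA075156C77FD256CA074156D87FD256C37FD356C07ED256"
    "AC097D56D17FD256AC094F56C27FD25652696368C37FD256"
)

DANS = 0x536E6144  # b"DanS" read as a little-endian dword
RICH = 0x68636952  # b"Rich"

# Public toolset build numbers; anything else is reported as "unknown".
KNOWN_BUILDS = {
    30729: "VS2008 SP1 (9.00.30729)",
    30319: "VS2010 (10.00.30319)",
}
KNOWN_PRODIDS = {1: "Import0"}  # import-library thunk objects


def decode_rich(hexdump):
    raw = bytes.fromhex(hexdump)
    if len(raw) % 4:
        raise ValueError("Rich header dump is not dword-aligned")
    dwords = list(struct.unpack("<%dI" % (len(raw) // 4), raw))
    rich_idx = dwords.index(RICH)            # ValueError if the marker is missing
    key = dwords[rich_idx + 1]
    if dwords[0] ^ key != DANS:
        raise ValueError("DanS marker does not decode: wrong key or not a Rich header")
    if any(d ^ key for d in dwords[1:4]):
        raise ValueError("padding after DanS is not key-valued")
    entries = []
    for i in range(4, rich_idx, 2):
        idver, count = dwords[i] ^ key, dwords[i + 1] ^ key
        entries.append({"prodid": idver >> 16, "build": idver & 0xFFFF, "count": count})
    return key, entries


def toolset_builds(entries):
    """Distinct non-zero build numbers, labelled where the toolset is known."""
    return {e["build"]: KNOWN_BUILDS.get(e["build"], "unknown")
            for e in entries if e["build"]}


def describe(entries):
    lines = []
    for e in entries:
        name = KNOWN_PRODIDS.get(e["prodid"], "prodid 0x%02X" % e["prodid"])
        build = (KNOWN_BUILDS.get(e["build"], "build %d" % e["build"])
                 if e["build"] else "no build")
        lines.append("%-14s %-24s x%d" % (name, build, e["count"]))
    return lines


if __name__ == "__main__":
    key, entries = decode_rich(RICH_HEX)
    print("XOR key / checksum: 0x%08X" % key)
    print("\n".join(describe(entries)))
    print("toolsets:", toolset_builds(entries))
```

The decoded entries carry two build numbers, 30729 (VS2008 SP1) and 30319 (VS2010), which agrees with the Detect It Easy result below (compiler 2008-2010, linker 10.0): objects from a VS2008-era library were linked by the VS2010 toolchain. The 259 Import0 objects are the import thunks, one per imported function.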

Packer/Compiler
Compiler: Microsoft Visual C++
Detect It Easy (DiE)
PE: compiler: EP:Microsoft Visual C/C++(2008-2010)[EXE32]
PE: compiler: Microsoft Visual C/C++(2010)[libcmt,wmain]
PE: linker: Microsoft Linker(10.0)[-]
Entropy: 6.1526
No packer was identified: linker 10.0 with a statically linked CRT (libcmt) and a wmain entry is a plain VS2010 build, an overall entropy of 6.15 is normal for unpacked native code, and the section table is the standard five-section MSVC layout.

Suspicious Functions
Library       Function                  Description
KERNEL32.DLL  CreateMutexW              Creates a named or unnamed mutex object for controlling access to a shared resource.
KERNEL32.DLL  VirtualAlloc              Reserves, commits, or both, a region of memory within the virtual address space of a process.
KERNEL32.DLL  GetModuleHandleA          Retrieves a handle to the specified module.
KERNEL32.DLL  WriteFile                 Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL  LoadLibraryA              Loads the specified module into the address space of the calling process.
KERNEL32.DLL  LoadLibraryW              Loads the specified module into the address space of the calling process.
KERNEL32.DLL  CreateToolhelp32Snapshot  Creates a snapshot of the specified processes, heaps, threads, and modules.
KERNEL32.DLL  GetProcAddress            Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL  IsDebuggerPresent         Determines if the calling process is being debugged by a user-mode debugger.
Taken one at a time these imports are ordinary for an MSVC program. What makes them worth a look here is the combination: CreateToolhelp32Snapshot next to the long list of security-product process names under File Access (UNICODE) is consistent with enumerating running processes to find installed security software, and LoadLibraryA/W with GetProcAddress lets further APIs be resolved at run time without appearing in the import table.
Windows REG (UNICODE)
SOFTWARE\Microsoft\Windows NT\CurrentVersion
Software\Tencent\Plugin\VAS

File Access
DINPUT8.dll
PSAPI.DLL
dxgi.dll
gdiplus.dll
WINMM.dll
WS2_32.dll
OLEAUT32.dll
ole32.dll
SHELL32.dll
ADVAPI32.dll
GDI32.dll
USER32.dll
KERNEL32.dll
NtDll.dll
@.dat
Temp

File Access (UNICODE)
360Safe.exe
360Tray.exe
360tray.exe
ZhuDongFangYu.exe
360sd.exe
kxetray.exe
KSafeTray.exe
kscan.exe
kwsprotect64.exe
kxescore.exe
QQPCRTP.exe
QMDL.exe
QMPersonalCenter.exe
QQPCPatch.exe
QQPCRealTimeSpeedup.exe
QQPCTray.exe
QQRepair.exe
HipsTray.exe
HipsMain.exe
HipsDaemon.exe
BaiduSd.exe
baiduSafeTray.exe
KvMonXP.exe
RavMonD.exe
QUHLPSVC.EXE
mssecess.exe
cfp.exe
SPIDer.exe
acs.exe
V3Svc.exe
avgwdsvc.exe
f-secure.exe
avp.exe
avpui.exe
Mcshield.exe
egui.exe
knsdtray.exe
TMBMSRV.exe
avcenter.exe
ashDisp.exe
rtvscan.exe
remupd.exe
vsserv.exe
PSafeSysTray.exe
ad-watch.exe
K7TSecurity.exe
UnThreat.exe
LenovoTray.exe
msmpeng.exe
MsMpEng.exe
Telegram.exe
WeChat.exe
WXWork.exe
DingTalk.exe
QQ.exe
DbgHelp.dll
wininet.dll
GetNativeSystemInfo
ntdll.dll
kernel32.dll
GetLastActivePopup
GetActiveWindow
MessageBoxW
USER32.DLL
KERNEL32.DLL
exppow
CorExitProcess
mscoree.dll
\DisplaySessionContainers.log
Temp

Words of Interest
lockbit
PADDINGX
exec
attrib
start
shutdown
systeminfo
expand
These are substring hits, not verified strings: PADDINGX is the linker's own section-padding pattern (PADDINGXXPADDING) and appears in most MSVC binaries, and short tokens such as exec, start and expand match many benign identifiers. Treat them as leads to confirm in the full string dump rather than as findings.

Words of Interest (UNICODE)
shutdown
at.exe

Anti-VM/Sandbox/Debug Tricks (UNICODE)
LabTools - wireshark
OllyDbg Library - dbghelp.dll
The dbghelp.dll hit is weak on its own: the same string set carries MiniDumpWriteDump and the dump filename pattern %s-%04d%02d%02d-%02d%02d%02d.dmp, which is what a program loads dbghelp.dll for when it writes its own crash dumps. IsDebuggerPresent (see Suspicious Functions) is the only direct debugger check the report shows.

AV Services (UNICODE)
egui.exe - (ESET NOD32)
The rule set only recognised ESET, but the File Access (UNICODE) list above holds far more security-product process names, among them 360 Safeguard (360Tray.exe, ZhuDongFangYu.exe), Kingsoft (kxetray.exe, KSafeTray.exe), Tencent PC Manager (QQPCRTP.exe, QQPCTray.exe), Huorong (HipsTray.exe, HipsDaemon.exe), Kaspersky (avp.exe), Microsoft Defender (MsMpEng.exe), Trend Micro (TMBMSRV.exe), Avira (avcenter.exe), Avast (ashDisp.exe) and McAfee (Mcshield.exe), plus the messaging clients Telegram.exe, WeChat.exe, WXWork.exe, DingTalk.exe and QQ.exe. The list is heavily weighted towards Chinese-market products.

IP Addresses
192.168.124.132
This is an RFC 1918 private address, so it is not an Internet-reachable endpoint; it points at a host on a private network (a lab or test environment, or a target's internal network). The hostname ak1.xingxing7.com in the Intelligent Strings list is the externally resolvable indicator to pivot on.

Strings/Hex Code Found With The File Rules
Rule Type Encoding Matched (Word)
Text Ascii WinAPI Sockets (recv)
Text Ascii Registry (RegOpenKeyEx)
Text Ascii Registry (RegSetValueEx)
Text Ascii File (CreateFile)
Text Ascii File (WriteFile)
Text Ascii File (ReadFile)
Text Ascii Anti-Analysis VM (IsDebuggerPresent)
Text Ascii Anti-Analysis VM (GetSystemInfo)
Text Ascii Anti-Analysis VM (GlobalMemoryStatusEx)
Text Ascii Anti-Analysis VM (GetVersion)
Text Ascii Anti-Analysis VM (CreateToolhelp32Snapshot)
Text Ascii Stealth (ExitThread)
Text Ascii Stealth (CloseHandle)
Text Ascii Stealth (IsBadReadPtr)
Text Ascii Stealth (VirtualAlloc)
Text Ascii Stealth (VirtualProtect)
Text Ascii Execution (CreateProcessW)
Text Ascii Execution (CreateEventA)
Text Ascii Execution (CreateEventW)
Text Unicode Antivirus Software (BitDefender)
Text Unicode Antivirus Software (F-Secure AV)
Text Unicode Privileges (SeDebugPrivilege)
Text Unicode Privileges (SeShutdownPrivilege)
Text Unicode Keyboard Key ([F1])
Text Unicode Keyboard Key ([F2])
Text Unicode Keyboard Key ([F3])
Text Unicode Keyboard Key ([F4])
Text Unicode Keyboard Key ([F5])
Text Unicode Keyboard Key ([F6])
Text Unicode Keyboard Key ([F7])
Text Unicode Keyboard Key ([F8])
Text Unicode Keyboard Key ([F9])
Text Unicode Keyboard Key ([F10])
Text Unicode Keyboard Key ([F11])
Text Unicode Keyboard Key ([F12])
Text Ascii Stealer malware focused on obtaining CVV codes to conduct unauthorized transactions (CVV)
The CVV rule matched a three-character substring, which occurs by chance in many binaries; nothing else in the report supports a card-stealer reading, so treat it as a false positive unless the full string can be located.
Entry Point Hex Pattern Microsoft Visual C++ 8
Entry Point Hex Pattern VC8 - Microsoft Corporation
The VC8 entry-point pattern is the same CRT stub used from VC8 through VC10; the linker version (10.0) and the wmain CRT signature from DiE above are the better toolset indicators.
Resources
Path        DataRVA  Size  FileOffset  Code (hex) / Text
\24\1\1033  3A058    15A   34458       3C617373656D626C7920786D6C6E733D2275726E3A736368656D61732D6D6963726F736F66742D636F6D3A61736D2E763122
                                       <assembly xmlns="urn:schemas-microsoft-com:asm.v1"
The single resource is of type 24 (RT_MANIFEST), name 1, language 1033 (en-US): the 346-byte application manifest that carries the asInvoker execution level noted under Information.
Intelligent Strings
• mscoree.dll
• KERNEL32.DLL
• QQ.exe
• DingTalk.exe
• WXWork.exe
• WeChat.exe
• Telegram.exe
• MsMpEng.exe
• msmpeng.exe
• LenovoTray.exe
• UnThreat.exe
• K7TSecurity.exe
• ad-watch.exe
• PSafeSysTray.exe
• vsserv.exe
• remupd.exe
• rtvscan.exe
• ashDisp.exe
• avcenter.exe
• TMBMSRV.exe
• knsdtray.exe
• egui.exe
• Mcshield.exe
• avpui.exe
• avp.exe
• f-secure.exe
• avgwdsvc.exe
• AYAgent.aye
• V3Svc.exe
• acs.exe
• DR.WEB
• SPIDer.exe
• cfp.exe
• mssecess.exe
• QUHLPSVC.EXE
• RavMonD.exe
• KvMonXP.exe
• BaiduSd.exe
• HipsDaemon.exe
• HipsMain.exe
• HipsTray.exe
• QQRepair.exe
• QQPCTray.exe
• QQPCRealTimeSpeedup.exe
• QQPCPatch.exe
• QMPersonalCenter.exe
• QMDL.exe
• QQPCRTP.exe
• kxescore.exe
• kwsprotect64.exe
• kscan.exe
• KSafeTray.exe
• kxetray.exe
• 360sd.exe
• ZhuDongFangYu.exe
• 360tray.exe
• 360Tray.exe
• 360Safe.exe
• kernel32.dll
• wininet.dll
• DbgHelp.dll
• MiniDumpWriteDump
• %s-%04d%02d%02d-%02d%02d%02d.dmp
• \DisplaySessionContainers.log
• USER32.dll
• gdiplus.dll
• PSAPI.DLL
• ak1.xingxing7.com
• 192.168.124.132
• .?AVCLoginManager@@ (MSVC RTTI type descriptor name for a class called CLoginManager; the original dump shows the adjacent bytes ",fB" after it)

Flow Anomalies
Offset (file)  Operand VA  Section  Description
Every row below is an indirect call or jump through a dword at 426158..426380, which lies in .rdata at or just past the IAT (RVA 26000, VA 426000). That is the ordinary "call dword ptr [__imp_X]" form MSVC emits for imported functions (the single JMP is an import jump thunk), not an anomaly; the table is useful as a map of which import slot each call site uses, not as evidence of injected control flow. The second column is an absolute virtual address, not an RVA.
434 426208 .text CALL [static] | Indirect call to absolute memory address
4D2 426298 .text CALL [static] | Indirect call to absolute memory address
500 426208 .text CALL [static] | Indirect call to absolute memory address
571 426298 .text CALL [static] | Indirect call to absolute memory address
59A 426208 .text CALL [static] | Indirect call to absolute memory address
63A 42622C .text CALL [static] | Indirect call to absolute memory address
659 426218 .text JMP [static] | Indirect jump to absolute memory address
666 426228 .text CALL [static] | Indirect call to absolute memory address
675 426220 .text CALL [static] | Indirect call to absolute memory address
6C5 426234 .text CALL [static] | Indirect call to absolute memory address
72F 426234 .text CALL [static] | Indirect call to absolute memory address
755 426224 .text CALL [static] | Indirect call to absolute memory address
7C3 426234 .text CALL [static] | Indirect call to absolute memory address
7F1 426240 .text CALL [static] | Indirect call to absolute memory address
1A9D 426204 .text CALL [static] | Indirect call to absolute memory address
1AB6 4261F8 .text CALL [static] | Indirect call to absolute memory address
1B2E 4261FC .text CALL [static] | Indirect call to absolute memory address
1B3B 426200 .text CALL [static] | Indirect call to absolute memory address
1BA1 426230 .text CALL [static] | Indirect call to absolute memory address
1BB3 4261F4 .text CALL [static] | Indirect call to absolute memory address
1BF0 4262E0 .text CALL [static] | Indirect call to absolute memory address
1C1B 4262DC .text CALL [static] | Indirect call to absolute memory address
1C25 4262D4 .text CALL [static] | Indirect call to absolute memory address
1C41 4261EC .text CALL [static] | Indirect call to absolute memory address
1C51 426158 .text CALL [static] | Indirect call to absolute memory address
1C61 4261DC .text CALL [static] | Indirect call to absolute memory address
1CCF 426334 .text CALL [static] | Indirect call to absolute memory address
1CDA 4261D4 .text CALL [static] | Indirect call to absolute memory address
1CE8 4261DC .text CALL [static] | Indirect call to absolute memory address
1D3A 426340 .text CALL [static] | Indirect call to absolute memory address
1D43 4261D0 .text CALL [static] | Indirect call to absolute memory address
1D4C 4261DC .text CALL [static] | Indirect call to absolute memory address
1D55 426350 .text CALL [static] | Indirect call to absolute memory address
1D5E 426210 .text CALL [static] | Indirect call to absolute memory address
1D8A 4261D8 .text CALL [static] | Indirect call to absolute memory address
1D97 4261DC .text CALL [static] | Indirect call to absolute memory address
1D9D 426320 .text CALL [static] | Indirect call to absolute memory address
1DC7 426374 .text CALL [static] | Indirect call to absolute memory address
1DF1 4261E4 .text CALL [static] | Indirect call to absolute memory address
1E16 4261E4 .text CALL [static] | Indirect call to absolute memory address
1E26 426354 .text CALL [static] | Indirect call to absolute memory address
1E47 42633C .text CALL [static] | Indirect call to absolute memory address
1E64 426380 .text CALL [static] | Indirect call to absolute memory address
1F15 426378 .text CALL [static] | Indirect call to absolute memory address
1F21 4261DC .text CALL [static] | Indirect call to absolute memory address
1FCF 426338 .text CALL [static] | Indirect call to absolute memory address
1FED 426348 .text CALL [static] | Indirect call to absolute memory address
2078 42620C .text CALL [static] | Indirect call to absolute memory address
2094 426320 .text CALL [static] | Indirect call to absolute memory address
2124 426158 .text CALL [static] | Indirect call to absolute memory address
21FA 4261DC .text CALL [static] | Indirect call to absolute memory address
2283 426320 .text CALL [static] | Indirect call to absolute memory address
23FE 4261D8 .text CALL [static] | Indirect call to absolute memory address
2416 42632C .text CALL [static] | Indirect call to absolute memory address
2441 4261FC .text CALL [static] | Indirect call to absolute memory address
2464 4261C4 .text CALL [static] | Indirect call to absolute memory address
24BE 426374 .text CALL [static] | Indirect call to absolute memory address
24EB 426378 .text CALL [static] | Indirect call to absolute memory address
251B 426364 .text CALL [static] | Indirect call to absolute memory address
2539 4261E4 .text CALL [static] | Indirect call to absolute memory address
255E 4261E4 .text CALL [static] | Indirect call to absolute memory address
256E 426354 .text CALL [static] | Indirect call to absolute memory address
2593 42633C .text CALL [static] | Indirect call to absolute memory address
25AF 42635C .text CALL [static] | Indirect call to absolute memory address
25C3 426380 .text CALL [static] | Indirect call to absolute memory address
25D2 42632C .text CALL [static] | Indirect call to absolute memory address
2610 426158 .text CALL [static] | Indirect call to absolute memory address
2652 4261C8 .text CALL [static] | Indirect call to absolute memory address
26BF 426370 .text CALL [static] | Indirect call to absolute memory address
26EA 426158 .text CALL [static] | Indirect call to absolute memory address
2744 4261FC .text CALL [static] | Indirect call to absolute memory address
277A 42632C .text CALL [static] | Indirect call to absolute memory address
27B6 426330 .text CALL [static] | Indirect call to absolute memory address
2882 42632C .text CALL [static] | Indirect call to absolute memory address
28B7 42636C .text CALL [static] | Indirect call to absolute memory address
2909 42635C .text CALL [static] | Indirect call to absolute memory address
2914 42632C .text CALL [static] | Indirect call to absolute memory address
2945 426358 .text CALL [static] | Indirect call to absolute memory address
2950 42632C .text CALL [static] | Indirect call to absolute memory address
2994 426348 .text CALL [static] | Indirect call to absolute memory address
29C1 4261EC .text CALL [static] | Indirect call to absolute memory address
2A00 426368 .text CALL [static] | Indirect call to absolute memory address
2A1B 4261FC .text CALL [static] | Indirect call to absolute memory address
2A4F 42632C .text CALL [static] | Indirect call to absolute memory address
2AD2 426224 .text CALL [static] | Indirect call to absolute memory address
2AEF 426358 .text CALL [static] | Indirect call to absolute memory address
2B17 426224 .text CALL [static] | Indirect call to absolute memory address
2B32 42632C .text CALL [static] | Indirect call to absolute memory address
2B82 426224 .text CALL [static] | Indirect call to absolute memory address
2BBA 426158 .text CALL [static] | Indirect call to absolute memory address
2C1C 426358 .text CALL [static] | Indirect call to absolute memory address
2C36 426210 .text CALL [static] | Indirect call to absolute memory address
2C41 4261DC .text CALL [static] | Indirect call to absolute memory address
2C4F 42637C .text CALL [static] | Indirect call to absolute memory address
2C63 426360 .text CALL [static] | Indirect call to absolute memory address
2C6C 426350 .text CALL [static] | Indirect call to absolute memory address
2C98 4261EC .text CALL [static] | Indirect call to absolute memory address
2CBD 42621C .text CALL [static] | Indirect call to absolute memory address
2CF3 426234 .text CALL [static] | Indirect call to absolute memory address
2D64 426210 .text CALL [static] | Indirect call to absolute memory address
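As an added worked example (not PESCAN.IO code), the script below runs the triage a practitioner would do on this table: parse the rows, check whether each dereferenced operand sits in the IAT region of .rdata, and count how many distinct import slots the call sites use. SAMPLE_ROWS is a constructed subset of eight rows copied from the table above; ImageBase, the IAT RVA, the import directory RVA and the .rdata bounds come from the Information and Sections Info sections. The report does not print the IAT size, so "iat-range" here is an assumption meaning "dword-aligned, at or past the IAT start and before the import directory"; an exact check needs the data-directory size from the optional header.

```python
"""Triage the "CALL/JMP [static]" rows in Flow Anomalies against the IAT.

Added worked example; not PESCAN.IO code. SAMPLE_ROWS is a constructed
subset of the report's own table. Header values are from the report.
"""
import re
from collections import Counter

IMAGE_BASE = 0x400000
IAT_VA = IMAGE_BASE + 0x26000          # IAT RVA from the Information section
IMPORT_DIR_VA = IMAGE_BASE + 0x2CCF8   # ImportTable RVA from the Information section
RDATA_VA, RDATA_VSIZE = IMAGE_BASE + 0x26000, 0x831A

SAMPLE_ROWS = """\
434 426208 .text CALL [static] | Indirect call to absolute memory address
4D2 426298 .text CALL [static] | Indirect call to absolute memory address
659 426218 .text JMP [static] | Indirect jump to absolute memory address
1C51 426158 .text CALL [static] | Indirect call to absolute memory address
1CCF 426334 .text CALL [static] | Indirect call to absolute memory address
2124 426158 .text CALL [static] | Indirect call to absolute memory address
2610 426158 .text CALL [static] | Indirect call to absolute memory address
2D64 426210 .text CALL [static] | Indirect call to absolute memory address
"""

ROW_RE = re.compile(r"^([0-9A-Fa-f]+)\s+([0-9A-Fa-f]+)\s+(\S+)\s+(CALL|JMP)\s+\[static\]")


def parse_rows(text):
    """(file_offset, operand_va, section, mnemonic) for every parsable row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3), m.group(4)))
    return rows


def classify(operand_va):
    """Where does the dereferenced pointer live? (IAT size is assumed, see lead-in.)"""
    if IAT_VA <= operand_va < IMPORT_DIR_VA and operand_va % 4 == 0:
        return "iat-range"
    if RDATA_VA <= operand_va < RDATA_VA + RDATA_VSIZE:
        return "rdata-other"
    return "outside-rdata"


def summarize(rows):
    """Counts per class, distinct IAT slots touched, the hottest slot, and the
    smallest IAT size consistent with the rows seen."""
    classes = Counter(classify(va) for _, va, _, _ in rows)
    hits = Counter(va for _, va, _, _ in rows if classify(va) == "iat-range")
    slots = sorted(hits)
    return {
        "classes": dict(classes),
        "distinct_slots": len(slots),
        "min_iat_size": (slots[-1] - IAT_VA + 4) if slots else 0,
        "hottest_slot": hits.most_common(1)[0] if hits else None,
    }


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for off, va, sec, mn in rows:
        print("file %05X  %s dword ptr [%08X]  -> %s" % (off, mn.lower(), va, classify(va)))
    print(summarize(rows))
```

On the sample rows every operand classifies as an IAT slot, slot 426158 is hit three times (a frequently used import such as a CRT or error-handling routine), and the highest slot seen implies an IAT of at least 338 bytes, i.e. over 200 imported functions, which matches the 259 Import0 objects in the Rich header. An operand that classified as "outside-rdata" or was not dword-aligned would be the row worth opening in a disassembler.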
Extra Analysis
Metric Value Percentage
Ascii Code 119286 52,3552%
Null Byte Code 57105 25,0636%
© 2025 All rights reserved.