PESCAN.IO - Analysis Report Basic

File Structure
(Analysis image not reproduced. Legend of the PE chart: executable header light blue, executable sections pink, non-executable sections black, external injected code red; a file structure drawn in red means a malformed or corrupted header. For non-PE files the chart shows printable characters in blue and non-printable characters in black.)
Information
Icon: (image not reproduced)
Size: 174,92 KB (179120 bytes; the overlay offset 25C00 plus the 5FB0-byte certificate table, and the ASCII/null-byte counts under Extra Analysis, both give this length)
SHA-256 Hash: CA08964CFAA670B76B1A075B05D841FE3203E445812AD78D8F217D66368775DE
SHA-1 Hash: 5EEB1A68DE9E59E283150E44FC45B752300C8B3D
MD5 Hash: 1800ECD9CCE506C84975E79934CDF32F
Imphash: 74A25D6BEACD6E8AA787D15AE0CA1EA0
MajorOSVersion: 5
MinorOSVersion: 2
CheckSum: 00033DAA
EntryPoint (rva): 71A0
SizeOfHeaders: 400
SizeOfImage: 2B000
ImageBase: 400000
Architecture: x86
ImportTable: 22A38
IAT: 1B000
Characteristics: 102
TimeDateStamp: 68BE8477
Date: 08/09/2025 7:23:35 (day/month/year; TimeDateStamp 68BE8477 decodes to 2025-09-08 07:23:35 UTC)
File Type: EXE
Number Of Sections: 6
ASLR: Enabled
Section Names: .text, .rdata, .data, .didat, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI

Sections Info
All offsets and sizes are hexadecimal; Entropy is in bits per byte, Chi2 is the chi-square of the byte histogram over the raw section data. Each section's raw data ends exactly where the next one starts (400 + 19400 = 19800, ..., 24200 + 1A00 = 25C00), so there is no slack between sections and the overlay begins right after .reloc.
Section Flags    Meaning                                  ROffset RSize VOffset VSize Entropy Chi2
.text   60000020 Code, Executable, Readable               400     19400 1000    19258 6,6074  592731,05
.rdata  40000040 Initialized Data, Readable               19800   8C00  1B000   8B80  5,5333  1053096,56
.data   C0000040 Initialized Data, Readable, Writeable    22400   A00   24000   1278  1,8172  422456,00
.didat  C0000040 Initialized Data, Readable, Writeable    22E00   200   26000   1C    0,2600  123020,00
.rsrc   40000040 Initialized Data, Readable               23000   1200  27000   1040  3,9924  332818,89
.reloc  42000040 Initialized Data, Discardable, Readable  24200   1A00  29000   1878  6,5493  36208,31
The 02000000 bit in the .reloc flags is IMAGE_SCN_MEM_DISCARDABLE, the normal setting for a relocation section; the report's "GP-Relative" label belongs to bit 00008000, which is not set here.
Description
OriginalFilename: Zoom Opener
CompanyName: Zoom Communications, Inc.
LegalCopyright: Zoom Communications, Inc. All rights reserved.
LegalTrademarks: Zoom Opener
ProductName: Zoom Opener
FileVersion: 6,6,0,85
FileDescription: Zoom Opener
ProductVersion: 6,6,0,85
Comments: Zoom Opener
Language: English (United States) (ID=0x409)
CodePage: Western European (Windows 1252) (0x4E4)

Binder/Joiner/Crypter
Dropper code detected (EOF) - 2,92 KB
This heuristic fires on any data past the last section. Here the overlay starts at 25C00, where the raw data of .reloc ends, and opens with a WIN_CERTIFICATE header (see the *Overlay* row under Flow Anomalies: dwLength 5FB0 = 24496 bytes, revision 0200, type 0002 = PKCS#7 SignedData). 25C00 + 5FB0 = 2BBB0 = 179120 bytes, the file length, so the overlay (23,92 KB) is the Authenticode certificate table that the signature check below validates, not appended dropper code.
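As an added check (example code written for this page, not PESCAN's own logic), the following parses the overlay bytes quoted in the *Overlay* row of the Flow Anomalies table as a WIN_CERTIFICATE and verifies that its length accounts for everything after the last section. The overlay offset 25C00 and the byte string are the report's; the file length of 179120 bytes is derived from the report's size and byte-count figures and is embedded as a constant.

```python
import struct

# The 20 overlay bytes quoted in the report's *Overlay* row (file offset 25C00)
OVERLAY_HEAD = bytes.fromhex("B05F00000002020030825FA406092A864886F70D")
OVERLAY_OFFSET = 0x25C00   # from the report
FILE_SIZE = 179120         # 174,92 KB, derived from the report's figures

WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def decode_oid(raw: bytes) -> str:
    """Decode DER OID content bytes; a trailing incomplete arc is dropped."""
    if not raw:
        return ""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_win_certificate(head: bytes) -> dict:
    """Decode the WIN_CERTIFICATE header and the outer DER framing that follows it."""
    if len(head) < 8:
        raise ValueError("need at least the 8-byte WIN_CERTIFICATE header")
    length, revision, cert_type = struct.unpack_from("<IHH", head, 0)
    info = {"dwLength": length, "wRevision": revision, "wCertificateType": cert_type}
    body = head[8:]
    # ContentInfo ::= SEQUENCE { contentType OBJECT IDENTIFIER, content [0] ... }
    if len(body) >= 4 and body[0] == 0x30 and body[1] == 0x82:   # 2-byte long-form length
        der_len = (body[2] << 8) | body[3]
        info["der_sequence_len"] = der_len
        info["der_fits"] = 4 + der_len <= length - 8             # must fit after the header
    if len(body) >= 6 and body[4] == 0x06:                       # OBJECT IDENTIFIER tag
        oid_len = body[5]
        oid_bytes = body[6:6 + oid_len]                          # may be cut short
        info["oid"] = decode_oid(oid_bytes)
        info["oid_complete"] = len(oid_bytes) == oid_len
    return info


def classify_overlay(head: bytes, overlay_offset: int, file_size: int) -> str:
    """'authenticode certificate table' only if the table explains the whole overlay."""
    info = parse_win_certificate(head)
    overlay_len = file_size - overlay_offset
    if (info["wRevision"] == WIN_CERT_REVISION_2_0
            and info["wCertificateType"] == WIN_CERT_TYPE_PKCS_SIGNED_DATA
            and info.get("der_fits")
            and info["dwLength"] == overlay_len):
        return "authenticode certificate table"
    return "unexplained overlay data"


if __name__ == "__main__":
    print(parse_win_certificate(OVERLAY_HEAD))
    print(classify_overlay(OVERLAY_HEAD, OVERLAY_OFFSET, FILE_SIZE))
```

Only the first six of the nine OID bytes are visible in the report, so the decoder stops at the 1.2.840.113549 (RSA Data Security) arc and reports the OID as incomplete. The strict `dwLength == overlay_len` comparison is the point of the check: a certificate table that is shorter than the overlay leaves trailing bytes that a signature check never covers, and those are what deserve a closer look.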

Entry Point
The entry point lies in section 1 (.text): RVA 71A0, which maps to file offset 65A0 (71A0 - 1000 + 400).
Code -> 558BEC83EC1056E82AFAFFFF8BF085F6741168000800008BCEFF1518B34100FFD6EB50B938144200E878FAFFFFB950144200
Disassembly of those 50 bytes at their real virtual address (ImageBase 400000 + RVA 71A0). The report's original listing decoded the bytes as if they were loaded at 1000, which left every relative CALL/JE/JMP target off by 4061A0; absolute operands were unaffected.
4071A0 PUSH EBP
4071A1 MOV EBP, ESP
4071A3 SUB ESP, 0X10
4071A6 PUSH ESI
4071A7 CALL 0X406BD6
4071AC MOV ESI, EAX
4071AE TEST ESI, ESI
4071B0 JE 0X4071C3
4071B2 PUSH 0X800
4071B7 MOV ECX, ESI
4071B9 CALL DWORD PTR [0X41B318]   (import thunk in the IAT, start of .rdata)
4071BF CALL ESI
4071C1 JMP 0X407213
4071C3 MOV ECX, 0X421438           (.rdata)
4071C8 CALL 0X406C45
4071CD MOV ECX, 0X421450           (.rdata)

Signatures
Rich Signature Analyzer:
Code -> B3C2EA9FF7A384CCF7A384CCF7A384CCACCB82CDF6A384CCACCB85CDE6A384CCF7A385CCE7A284CCA5D681CDEEA384CCA5D680CDFAA384CCA5D687CDE5A384CCACCB87CDFEA384CCACCB81CD66A384CCACCB80CDE3A384CC38D68CCDD4A384CC38D67BCCF6A384CC38D686CDF6A384CC52696368F7A384CC
Footprint md5 Hash -> BAE89D0528C358F2D51E83B9CE800B75
• The Rich header apparently has not been modified
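Added example (not PESCAN's code): decoding the Rich header bytes quoted above. The XOR key follows the "Rich" marker, and XORing it over the preceding dwords must yield "DanS", three zero dwords and then (product id, build, count) pairs. The only input is the hex string the report prints; product ids are left numeric because the report does not name them.

```python
import struct

# Raw bytes exactly as printed under "Rich Signature Analyzer"
RICH_HEX = (
    "B3C2EA9FF7A384CCF7A384CCF7A384CCACCB82CDF6A384CCACCB85CDE6A384CC"
    "F7A385CCE7A284CCA5D681CDEEA384CCA5D680CDFAA384CCA5D687CDE5A384CC"
    "ACCB87CDFEA384CCACCB81CD66A384CCACCB80CDE3A384CC38D68CCDD4A384CC"
    "38D67BCCF6A384CC38D686CDF6A384CC52696368F7A384CC"
)


def parse_rich_header(blob: bytes):
    """Return (xor_key_bytes, [(product_id, build, count), ...]).

    Layout: 'DanS' ^ key, three zero dwords ^ key, (comp_id, count) pairs ^ key,
    then the literal 'Rich' followed by the key itself. comp_id packs the
    product id in the high 16 bits and the tool build number in the low 16."""
    end = blob.rfind(b"Rich")
    if end < 0 or end % 4 or end + 8 > len(blob):
        raise ValueError("no dword-aligned 'Rich' marker followed by a 4-byte key")
    key = blob[end + 4:end + 8]
    plain = bytes(b ^ key[i % 4] for i, b in enumerate(blob[:end]))
    if plain[:4] != b"DanS":
        raise ValueError("decoded header does not start with 'DanS'")
    dwords = struct.unpack("<%dI" % (len(plain) // 4), plain)
    if any(dwords[1:4]):
        raise ValueError("padding after 'DanS' is not zero")
    entries = [(cid >> 16, cid & 0xFFFF, n)
               for cid, n in zip(dwords[4::2], dwords[5::2])]
    return key, entries


def newest_build(entries):
    """Highest tool build number seen; normally the linker that produced the file."""
    return max(build for _, build, _ in entries)


def object_count(entries):
    """Total number of object files/tool invocations the header accounts for."""
    return sum(n for _, _, n in entries)


if __name__ == "__main__":
    key, entries = parse_rich_header(bytes.fromhex(RICH_HEX))
    print("key", key.hex().upper())
    for pid, build, n in entries:
        print("product 0x%04X build %5d count %3d" % (pid, build, n))
    print("newest build", newest_build(entries), "objects", object_count(entries))
```

The highest build number recovered, 30159, sits in the 14.29 linker family that Detect It Easy names below, so the Rich header and the linker fingerprint agree. The "has not been modified" verdict rests on recomputing the checksum that doubles as the XOR key, which needs the DOS header bytes; the report does not print those, so this code cannot reproduce that step. In a real file, search for "Rich" only in the gap between the DOS stub and the PE signature, not across the whole image.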
Certificate - Digital Signature:
• The file is signed and the signature is correct

Packer/Compiler
Compiler: Microsoft Visual Studio
Detect It Easy (die)
PE: linker: Microsoft Linker(14.29**)[-]
PE: Sign tool: Windows Authenticode(2.0)[PKCS 7]
Entropy: 6.78048

Suspicious Functions
The heuristic flags imports that also occur in malware. For a signed installer launcher that copies files, writes a log, enumerates processes and fetches packages over HTTP they are expected, so read this list together with the File Access and URLs sections rather than as evidence on its own.
Library Function Description
KERNEL32.DLL CreateMutexA Creates a named or unnamed mutex object for controlling access to a shared resource (compare the Global\ZOpener..launcher string below, a typical single-instance mutex name).
KERNEL32.DLL GetModuleFileNameA Retrieves the fully qualified path of the executable file of a specified module.
KERNEL32.DLL GetModuleHandleA Retrieves a handle to the specified module.
KERNEL32.DLL CopyFileA Copies an existing file to a new file.
KERNEL32.DLL WriteFile Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL LoadLibraryA Loads the specified module into the address space of the calling process.
KERNEL32.DLL LoadLibraryW Loads the specified module into the address space of the calling process (wide-character variant).
KERNEL32.DLL CreateToolhelp32Snapshot Creates a snapshot of the specified processes, heaps, threads and modules.
KERNEL32.DLL GetProcAddress Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL CreateFileA Creates or opens a file or I/O device.
KERNEL32.DLL DeleteFileA Deletes an existing file.
KERNEL32.DLL IsDebuggerPresent Determines whether the calling process is being debugged by a user-mode debugger.
SHELL32.DLL ShellExecuteA Performs an operation (such as open or runas) on a specified file.
WININET.DLL InternetConnectA Opens an FTP or HTTP session for a given site.
Windows REG
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
Software\Microsoft\Windows\CurrentVersion\Internet Settings

File Access
vcredist_x86.exe
Installer.exe
ZoomRemoteControl.exe
Zoom.exe
\rundll32.exe
SHELL32.dll
ADVAPI32.dll
GDI32.dll
USER32.dll
KERNEL32.dll
SHLWAPI.dll
winhttp.dll
/winhttp.dll
Wininet.dll
reslib.dll
zNet.dll
zRCAppCore.dll
Cmmlib.dll
zVideoApp.dll
ntdll.dll
DbgHelp.dll
Kernelbase.dll
WINTRUST.dll
CRYPT32.dll
Zoom.msi
ZoomRemoteControl.msi
shell32.dll,Control_RunDLL inetcpl.cpl
.dat
@.dat
.\debug.log
debug.log
zopener_8a4800ea0a3f43f4bafd7706c1a4e7ee.log
.zip
zLang_sv.7z
zLang_nl.7z
zLang_id.7z
zLang_ru.7z
zLang_tr.7z
zLang_pl.7z
zLang_vi.7z
zLang_korean.7z
zLang_ptg.7z
zLang_jp.7z
zLang_es.7z
zLang_de.7z
zLang_fr.7z
zLang_it.7z
zLang_zh_tw.7z
zLang_zh_cn.7z
Temp

File Access (UNICODE)
explorer.exe
Kernel32.dll
ADVAPI32.dll
ncrypt.dll
cryptbase.dll
cryptsp.dll
dpapi.dll
TextShaping.dll
oleaccrc.dll
sspicli.dll
msasn1.dll
version.dll
kernel32.dll
api-ms-win-core-synch-l1-2-0.dll
CRYPT32.dll
KERNEL32.DLL
mscoree.dll

Words of Interest
exec
attrib
start
rundll32
systeminfo
ping
rundll
expand

Words of Interest (UNICODE)
ping

Anti-VM/Sandbox/Debug Tricks
OllyDbg Library - dbghelp.dll (dbghelp.dll is also the standard minidump-writing library; together with the .dmp and debug.log strings below this reads as crash-dump support rather than a debugger check)

URLs
http://ocsp.digicert.com
http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt
http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl
http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
http://crl3.digicert.com/DigiCertTrustedRootG4.crl
http://www.digicert.com/CPS0
http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA2562021CA1.crl
http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA2562021CA1.crl
http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA2562021CA1.crt
http://cacerts.digicert.com/DigiCertTrustedG4TimeStampingRSA4096SHA2562025CA1.crt
http://crl3.digicert.com/DigiCertTrustedG4TimeStampingRSA4096SHA2562025CA1.crl
http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
https://zoom.us/
https://zoom.com/
https://zoom.com.cn/
https://zoomgov.com/
https://support.zoom.us/hc/en-us/articles/201362003-Zoom-Video-Communications-Technical-Support

IP Addresses
6.6.0.85 (not a network address: this is the FileVersion/ProductVersion string 6,6,0,85 matched by the dotted-quad pattern)

Strings/Hex Code Found With The File Rules
Rule Type Encoding Matched (Word)
Text Ascii WinAPI Sockets (send)
Text Ascii Registry (RegOpenKeyEx)
Text Ascii File (GetTempPath)
Text Ascii File (CopyFile)
Text Ascii File (CreateFile)
Text Ascii File (WriteFile)
Text Ascii File (ReadFile)
Text Ascii Anti-Analysis VM (IsDebuggerPresent)
Text Ascii Anti-Analysis VM (GetSystemInfo)
Text Ascii Anti-Analysis VM (GetVersion)
Text Ascii Anti-Analysis VM (CreateToolhelp32Snapshot)
Text Ascii Reconnaissance (FindFirstFileA)
Text Ascii Reconnaissance (FindClose)
Text Ascii Stealth (ExitThread)
Text Ascii Stealth (ReleaseSemaphore)
Text Ascii Stealth (CloseHandle)
Text Ascii Stealth (VirtualProtect)
Text Ascii Execution (CreateProcessA)
Text Ascii Execution (CreateProcessW)
Text Ascii Execution (ShellExecute)
Text Ascii Execution (CreateSemaphoreA)
Text Ascii Execution (CreateEventW)
Resources
Path DataRVA Size FileOffset Hex Text
\ICON\1\1033 27190 528 23190 2800000010000000200000000100200000000000000500000000000000000000000000000000000000000000000000000000(....... ..... ...................................
\STRING\7\1033 27A58 8E 23A58 000000000000000000000D007A006C00610075006E0063006800650072006D00610069006E00000000000000050052006500............z.l.a.u.n.c.h.e.r.m.a.i.n.........R.e.
\STRING\32\1033 27EC8 174 23EC8 0000000000000000000000001D0041006E00200075006E006B006E006F0077006E0020006500720072006F00720020006800..............A.n. .u.n.k.n.o.w.n. .e.r.r.o.r. .h.
\STRING\33\1033 27AE8 3E0 23AE8 030059006500730002004E006F004A00410072006500200079006F00750020007300750072006500200079006F0075002000..Y.e.s...N.o.J.A.r.e. .y.o.u. .s.u.r.e. .y.o.u. .
\GROUP_ICON\2\1033 276B8 14 236B8 0000010001001010000001002000280500000100............ .(.....
\VERSION\1\1033 276D0 384 236D0 840334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000600..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
Intelligent String
• (printable run from the DER-encoded signing certificate, covering the Authority Information Access and CRL Distribution Point extensions: http://ocsp.digicert.com, http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt and http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl; the characters around the URLs are ASN.1 tag and length bytes)
• ADVAPI32.dll
• Kernel32.dll
• kernel32.dll
• crypt32.dll
• mscoree.dll
• api-ms-win-core-synch-l1-2-0.dll
• WINTRUST.dll
• zipow.com
• .zipow.com
• zoom.com
• .zoom.com
• zoomgovdev.com
• .zoomgovdev.com
• zoommildev.com
• .zoommildev.com
• zoomgov.com
• .zoomgov.com
• zoomgov.mil
• .zoomgov.mil
• Kernelbase.dll
• Global\ZOpener..launcher
• zopener_8a4800ea0a3f43f4bafd7706c1a4e7ee.log
• dbghelp.dll
• .dmp
• IsWow64Process2
• ntdll.dll
• version.dll
• 6.6.0.85
• https://support.zoom.us/hc/en-us/articles/201362003-Zoom-Video-Communications-Technical-Support
• open
• \rundll32.exe
• wimsi_x64_win7=meetzoom.net
• .meetzoom.net
• Zoom.exe
• zVideoApp.dll
• Cmmlib.dll
• ZoomRemoteControl.exe
• zNet.dll
• reslib.dll
• msasn1.dll
• sspicli.dll
• oleaccrc.dll
• TextShaping.dll
• dpapi.dll
• cryptsp.dll
• cryptbase.dll
• ncrypt.dll
• user32.dll
• Package-url
• Installer.exe
• ZoomRemoteControl.msi
• Zoom.msi
• vcredist_x86.exe
• /winhttp.dll
• winhttp.dll
• file://
• Zoom.Opener.Win 1.0
• InternetOpen API failed, error code:
• debug.log
• zm_upgrade_record.tmp
• explorer.exe
• c:\jenkins\workspace\Client\Client\Windows\launcher\release\Bin\Release\NewZoomWebLauncher.pdb
• .tls
• .bss
• USER32.dll

Flow Anomalies
Every row below is an FF 15 call through a memory slot, and every slot (41B01C to 41B318) lies inside the IAT (RVA 1B000, at the start of .rdata). That is how normally linked code reaches imported functions, so the table documents ordinary import calls rather than an anomaly; the first column is the file offset of the instruction and the second is the absolute address the call reads its target from.
FileOffset TargetSlot Section Description
450 41B1EC .text CALL [static] | Indirect call to absolute memory address
46A 41B1EC .text CALL [static] | Indirect call to absolute memory address
483 41B128 .text CALL [static] | Indirect call to absolute memory address
49B 41B128 .text CALL [static] | Indirect call to absolute memory address
4C9 41B318 .text CALL [static] | Indirect call to absolute memory address
4E7 41B204 .text CALL [static] | Indirect call to absolute memory address
4F4 41B318 .text CALL [static] | Indirect call to absolute memory address
520 41B318 .text CALL [static] | Indirect call to absolute memory address
53E 41B204 .text CALL [static] | Indirect call to absolute memory address
54B 41B318 .text CALL [static] | Indirect call to absolute memory address
592 41B01C .text CALL [static] | Indirect call to absolute memory address
5EE 41B1D4 .text CALL [static] | Indirect call to absolute memory address
602 41B1BC .text CALL [static] | Indirect call to absolute memory address
621 41B1D8 .text CALL [static] | Indirect call to absolute memory address
633 41B1F8 .text CALL [static] | Indirect call to absolute memory address
642 41B1D8 .text CALL [static] | Indirect call to absolute memory address
655 41B1F4 .text CALL [static] | Indirect call to absolute memory address
663 41B1BC .text CALL [static] | Indirect call to absolute memory address
7B7 41B214 .text CALL [static] | Indirect call to absolute memory address
7D0 41B1E0 .text CALL [static] | Indirect call to absolute memory address
7F6 41B058 .text CALL [static] | Indirect call to absolute memory address
81F 41B1DC .text CALL [static] | Indirect call to absolute memory address
8AB 41B054 .text CALL [static] | Indirect call to absolute memory address
99F 41B20C .text CALL [static] | Indirect call to absolute memory address
9B4 41B1C8 .text CALL [static] | Indirect call to absolute memory address
9C3 41B1E4 .text CALL [static] | Indirect call to absolute memory address
9DA 41B1FC .text CALL [static] | Indirect call to absolute memory address
A0D 41B20C .text CALL [static] | Indirect call to absolute memory address
A1D 41B1C8 .text CALL [static] | Indirect call to absolute memory address
A24 41B1FC .text CALL [static] | Indirect call to absolute memory address
A4A 41B214 .text CALL [static] | Indirect call to absolute memory address
A5E 41B1D0 .text CALL [static] | Indirect call to absolute memory address
AAD 41B230 .text CALL [static] | Indirect call to absolute memory address
BD2 41B128 .text CALL [static] | Indirect call to absolute memory address
C00 41B214 .text CALL [static] | Indirect call to absolute memory address
C47 41B210 .text CALL [static] | Indirect call to absolute memory address
C79 41B1CC .text CALL [static] | Indirect call to absolute memory address
C87 41B1F0 .text CALL [static] | Indirect call to absolute memory address
CB4 41B210 .text CALL [static] | Indirect call to absolute memory address
CBB 41B200 .text CALL [static] | Indirect call to absolute memory address
CC5 41B318 .text CALL [static] | Indirect call to absolute memory address
CD4 41B1BC .text CALL [static] | Indirect call to absolute memory address
CDB 41B050 .text CALL [static] | Indirect call to absolute memory address
D02 41B1EC .text CALL [static] | Indirect call to absolute memory address
D16 41B128 .text CALL [static] | Indirect call to absolute memory address
D2A 41B318 .text CALL [static] | Indirect call to absolute memory address
DC9 41B1EC .text CALL [static] | Indirect call to absolute memory address
DDD 41B128 .text CALL [static] | Indirect call to absolute memory address
DF2 41B318 .text CALL [static] | Indirect call to absolute memory address
E38 41B200 .text CALL [static] | Indirect call to absolute memory address
E90 41B1EC .text CALL [static] | Indirect call to absolute memory address
EC2 41B128 .text CALL [static] | Indirect call to absolute memory address
ED7 41B318 .text CALL [static] | Indirect call to absolute memory address
F8B 41B1E8 .text CALL [static] | Indirect call to absolute memory address
FA0 41B04C .text CALL [static] | Indirect call to absolute memory address
FA7 41B1B8 .text CALL [static] | Indirect call to absolute memory address
FCF 41B1E8 .text CALL [static] | Indirect call to absolute memory address
10B0 41B128 .text CALL [static] | Indirect call to absolute memory address
10BF 41B128 .text CALL [static] | Indirect call to absolute memory address
10CE 41B128 .text CALL [static] | Indirect call to absolute memory address
10F9 41B318 .text CALL [static] | Indirect call to absolute memory address
110A 41B1C4 .text CALL [static] | Indirect call to absolute memory address
1121 41B318 .text CALL [static] | Indirect call to absolute memory address
1147 41B318 .text CALL [static] | Indirect call to absolute memory address
117E 41B1C0 .text CALL [static] | Indirect call to absolute memory address
1185 41B050 .text CALL [static] | Indirect call to absolute memory address
1190 41B050 .text CALL [static] | Indirect call to absolute memory address
11CC 41B04C .text CALL [static] | Indirect call to absolute memory address
11D3 41B208 .text CALL [static] | Indirect call to absolute memory address
191B 41B318 .text CALL [static] | Indirect call to absolute memory address
1939 41B318 .text CALL [static] | Indirect call to absolute memory address
1AC7 41B318 .text CALL [static] | Indirect call to absolute memory address
1AE7 41B318 .text CALL [static] | Indirect call to absolute memory address
1B31 41B318 .text CALL [static] | Indirect call to absolute memory address
1B76 41B318 .text CALL [static] | Indirect call to absolute memory address
1C34 41B318 .text CALL [static] | Indirect call to absolute memory address
1C52 41B318 .text CALL [static] | Indirect call to absolute memory address
2005 41B318 .text CALL [static] | Indirect call to absolute memory address
2022 41B318 .text CALL [static] | Indirect call to absolute memory address
20B1 41B318 .text CALL [static] | Indirect call to absolute memory address
222C 41B1D8 .text CALL [static] | Indirect call to absolute memory address
2A7A 41B318 .text CALL [static] | Indirect call to absolute memory address
2B4A 41B318 .text CALL [static] | Indirect call to absolute memory address
2BC5 41B318 .text CALL [static] | Indirect call to absolute memory address
3391 41B064 .text CALL [static] | Indirect call to absolute memory address
339F 41B060 .text CALL [static] | Indirect call to absolute memory address
34EE 41B1D8 .text CALL [static] | Indirect call to absolute memory address
36C2 41B1D8 .text CALL [static] | Indirect call to absolute memory address
37DE 41B1D8 .text CALL [static] | Indirect call to absolute memory address
3945 41B210 .text CALL [static] | Indirect call to absolute memory address
39BA 41B318 .text CALL [static] | Indirect call to absolute memory address
3AE5 41B1D8 .text CALL [static] | Indirect call to absolute memory address
3B1E 41B220 .text CALL [static] | Indirect call to absolute memory address
3B4C 41B05C .text CALL [static] | Indirect call to absolute memory address
3B6F 41B22C .text CALL [static] | Indirect call to absolute memory address
3B8C 41B220 .text CALL [static] | Indirect call to absolute memory address
3E1F 41B2C0 .text CALL [static] | Indirect call to absolute memory address
474D 41B220 .text CALL [static] | Indirect call to absolute memory address
4A3F 41B068 .text CALL [static] | Indirect call to absolute memory address
4B08 41B30C .text CALL [static] | Indirect call to absolute memory address
25C00 N/A *Overlay* B05F00000002020030825FA406092A864886F70D | ._......0._...*.H... (WIN_CERTIFICATE header: dwLength 5FB0, wRevision 0200, wCertificateType 0002 = PKCS#7 SignedData, followed by the DER SEQUENCE 30 82 5FA4; 25C00 + 5FB0 equals the file length, so the overlay is exactly the certificate table)
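Added example code (not from the report's tooling) that ties the Entry Point listing and the Flow Anomalies table back to the section table: it converts between RVAs and file offsets, decodes the E8 and FF 15 calls in the entry-point bytes at their real address, places call targets in sections, and checks that a section's Entropy and Chi2 figures can belong together (the Rényi-2 entropy implied by a chi-square can never exceed the Shannon entropy). All constants are the report's; the IAT end of 1B320 is an assumption taken from the highest thunk address in the table, because the report does not print the IAT size.

```python
import math
import struct

IMAGE_BASE = 0x400000
ENTRY_RVA = 0x71A0            # EntryPoint (rva) from the report
IAT_RVA = 0x1B000             # IAT from the report
IAT_END_ASSUMED = 0x1B320     # assumption: just past the highest slot (41B318) in the table
LISTING_BASE = 0x1000         # base the report's disassembler used for relative targets

# (name, raw_offset, raw_size, rva, virtual_size) from "Sections Info"
SECTIONS = [
    (".text",  0x00400, 0x19400, 0x01000, 0x19258),
    (".rdata", 0x19800, 0x08C00, 0x1B000, 0x08B80),
    (".data",  0x22400, 0x00A00, 0x24000, 0x01278),
    (".didat", 0x22E00, 0x00200, 0x26000, 0x0001C),
    (".rsrc",  0x23000, 0x01200, 0x27000, 0x01040),
    (".reloc", 0x24200, 0x01A00, 0x29000, 0x01878),
]
# (entropy in bits/byte, chi-square) per section, from the same table
STATS = {
    ".text": (6.6074, 592731.05), ".rdata": (5.5333, 1053096.56),
    ".data": (1.8172, 422456.00), ".didat": (0.2600, 123020.00),
    ".rsrc": (3.9924, 332818.89), ".reloc": (6.5493, 36208.31),
}
# The 50 entry-point bytes printed under "Entry Point"
ENTRY_CODE = bytes.fromhex(
    "558BEC83EC1056E82AFAFFFF8BF085F6741168000800008BCE"
    "FF1518B34100FFD6EB50B938144200E878FAFFFFB950144200")
# Distinct call slots sampled from the Flow Anomalies table (lowest, highest, some between)
FLOW_TARGETS = [0x41B01C, 0x41B04C, 0x41B128, 0x41B1EC, 0x41B204, 0x41B2C0, 0x41B30C, 0x41B318]


def _find_section(rva):
    # In memory a section spans max(VirtualSize, SizeOfRawData); the loader's
    # rounding up to SectionAlignment is ignored here.
    for sec in SECTIONS:
        _, _, rsize, srva, vsize = sec
        if srva <= rva < srva + max(vsize, rsize):
            return sec
    return None


def section_for_rva(rva):
    sec = _find_section(rva)
    return sec[0] if sec else None


def rva_to_file_offset(rva):
    sec = _find_section(rva)
    if sec is None:
        return None
    _, roff, rsize, srva, _ = sec
    delta = rva - srva
    return roff + delta if delta < rsize else None   # None: zero-filled, not in the file


def file_offset_to_rva(off):
    for _, roff, rsize, srva, _ in SECTIONS:
        if roff <= off < roff + rsize:
            return srva + (off - roff)
    return None   # headers or overlay


def rel_call_target(code, off, code_va):
    """Target VA of an E8 rel32 CALL at `off` when `code` is loaded at `code_va`."""
    if code[off] != 0xE8:
        raise ValueError("not an E8 call")
    rel = struct.unpack_from("<i", code, off + 1)[0]
    return code_va + off + 5 + rel


def abs_call_slot(code, off):
    """Memory slot dereferenced by an FF 15 disp32 CALL (the IAT entry)."""
    if code[off:off + 2] != b"\xff\x15":
        raise ValueError("not an FF 15 call")
    return struct.unpack_from("<I", code, off + 2)[0]


def rebase_listing_target(shown):
    """Move a relative target printed by the report (listing based at 0x1000) to the real VA."""
    return shown - LISTING_BASE + IMAGE_BASE + ENTRY_RVA


def classify_va(va):
    rva = va - IMAGE_BASE
    sec = section_for_rva(rva)
    if sec == ".rdata" and IAT_RVA <= rva < IAT_END_ASSUMED:
        return "IAT slot"
    return sec or "outside all sections"


def chi2_consistent_with_entropy(n_bytes, shannon_bits, chi2):
    """chi2 = n*(256*sum(p_i^2) - 1) fixes sum(p_i^2); its Renyi-2 entropy
    can never exceed the Shannon entropy, so a pair that violates this is misread."""
    sum_p2 = (chi2 / n_bytes + 1.0) / 256.0
    return -math.log2(sum_p2) <= shannon_bits + 1e-9


def section_stats_ok():
    return all(chi2_consistent_with_entropy(rsize, *STATS[name])
               for name, _, rsize, _, _ in SECTIONS)
```

Run against the report's numbers, the entry-point CALLs resolve to 406BD6 and 406C45 inside .text, the FF 15 at 4071B9 reads slot 41B318 in the IAT, every sampled Flow Anomalies slot classifies the same way, the overlay offset 25C00 has no RVA, and all six entropy/chi-square pairs pass the consistency check.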
Extra Analysis
Metric Value Percentage
Ascii Code 107824 60,1965%
Null Byte Code 29996 16,7463%