PREMIUM PESCAN.IO - Analysis Report

File Structure
[Analysis image: PE chart. Legend: executable header (light blue), executable sections (pink), non-executable sections (black), external injected code (red); file structure drawn in red = malformed or corrupted header. Chart code for other file types: printable characters (blue), non-printable characters (black).]
Information
Size: 1,08 MB
SHA-256 Hash: ADC2F550E7FF2B707A070FFAA50FC367AF6A01C037F1F5B347C444CCA3C9A650
SHA-1 Hash: AFF537F1AB0F8B502691FC3A791DE715AF23B30B
MD5 Hash: 34E90568AF4DCD40F4F04174EC326E2A
Imphash: DAE02F32A21E03CE65412F6E56942DAA
MajorOSVersion: 4
MinorOSVersion: 0
CheckSum: 00000000
EntryPoint (rva): 115B2E
SizeOfHeaders: 200
SizeOfImage: 11A000
ImageBase: 400000
Architecture: x86
ImportTable: 115AE0
IAT: 2000
Characteristics: 210E
TimeDateStamp: B303E7AA
Date: 04/03/2065 7:32:58
File Type: DLL
Number Of Sections: 3
ASLR: Disabled
Section Names: .text, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows Console

Sections Info
Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2
.text | 60000020 (Code, Executable, Readable) | 200 | 113C00 | 2000 | 113B34 | 5,4797 | 31021699,29
.rsrc | 40000040 (Initialized Data, Readable) | 113E00 | 600 | 116000 | 4A0 | 2,7495 | 174546,00
.reloc | 42000040 (Initialized Data, GP-Relative, Readable) | 114400 | 200 | 118000 | C | 0,1019 | 128015,00
Description
OriginalFilename: Microsoft.Win32.TaskScheduler.dll
CompanyName: GitHub Community
LegalCopyright: Copyright 2002-2025
ProductName: Microsoft.Win32.TaskScheduler
FileVersion: 2.12.2.0
FileDescription: Microsoft.Win32.TaskScheduler
ProductVersion: 2.12.2.0
Comments: Provides a single assembly wrapper for the Windows Task Scheduler.
Language: Unknown (ID=0x0)
CodePage: Unicode (UTF-16 LE) (0x4B0)

Entry Point
Section number 1 (.text) contains the Entry Point
Information -> EntryPoint (calculated) - 113D2E
Code -> FF25002040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
JMP DWORD PTR [0X402000]
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL

Signatures
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler
Compiler: Microsoft Visual .NET - (You can use a decompiler for this...)
AnyCPU: True
Version: v4.0
Compiler: Microsoft Visual Studio
Detect It Easy (die)
PE: library: .NET(v4.0.30319)[-]
PE: compiler: VB.NET(-)[-]
PE: linker: Microsoft Linker(48.0)[-]
Entropy: 5.4747

Suspicious Functions
Library | Function | Description
KERNEL32.DLL | LoadLibraryA (Possible Call API By Name) | Loads the specified module into the address space of the calling process.
KERNEL32.DLL | GetProcAddress (Possible Call API By Name) | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process.
KERNEL32.DLL | WriteProcessMemory | Writes data to an area of memory in a specified process.
KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
NtosKrnl.exe | ZwUnmapViewOfSection | Unmaps a mapped view of a section from a process's address space.
Windows REG (UNICODE)
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SYSTEM\CurrentControlSet\Services\
System\[(?:Provider\[\@Name='(?<s>[']+)'\])?(?:\s+and\s+)?(?:EventID=(?<e>\d+))?\]\])e
Rebuilt string - SOFTWARE\Policies\Microsoft\Windows\System
Rebuilt string - SOFTWARE\Policies\Microsoft\Windows\System - EnableLUA
Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\Run

File Access
Type(Microsoft.Win32.TaskScheduler.Exe
mscoree.dll
ntdsapi.dll
Kernel32.dll
advapi32.dll
user32.dll
ntdll.dll
Microsoft.Win32.TaskScheduler.dll
System.Web.Scr
\System.Dat
Type*Microsoft.Win32.TaskScheduler.Log
Temp

File Access (UNICODE)
TaskScheduler.dll
control.exe
{0}].Exe
wscript.exe
conhost.exe
cmd.exe
powershell.exe
cmstp.exe
cmd /c reg.exe
taskkill /IM cmstp.exe
+?(\.exe
TimeSpan2.dll
taskschd.dll
TaskSchedulerEditor.dll
+System.Dat
System.Dat
Principal.Log
Temp

Words of Interest
PassWord
exec
powershell
attrib
start
pause
shutdown
systeminfo
ping
expand
replace

Words of Interest (UNICODE)
smtp
taskkill
PassWord
<body
wscript
exec
powershell
taskkill
attrib
start

URLs
http://schemas.microsoft.com/windows/2004/02/mit/taskT
https://github.com/dahall/taskscheduler

URLs (UNICODE)
http://schemas.microsoft.com/windows/2004/02/mit/task
http://msdn.microsoft.com/en-us/library/windows/desktop/aa384138(v=vs.85).aspx9== typeof(ShowMessageAction)

IP Addresses
17.0.0.0

Strings/Hex Code Found With The File Rules
Rule Type | Encoding | Rule | Matched (Word)
Text | Unicode | WinAPI Sockets | bind
Text | Ascii | WinAPI Sockets | connect
Text | Unicode | WinAPI Sockets | connect
Text | Ascii | WinAPI Sockets | send
Text | Ascii | File | GetTempPath
Text | Ascii | Encryption | FromBase64String
Text | Ascii | Anti-Analysis VM | GetVersion
Text | Ascii | Stealth | GetThreadContext
Text | Ascii | Stealth | SetThreadContext
Text | Ascii | Stealth | CloseHandle
Text | Ascii | Stealth | VirtualAlloc
Text | Ascii | Execution | ShellExecute
Text | Ascii | Execution | ResumeThread
Text | Ascii | Antivirus Software | panda
Text | Ascii | Privileges | SeAssignPrimaryTokenPrivilege
Text | Ascii | Privileges | SeAuditPrivilege
Text | Ascii | Privileges | SeBackupPrivilege
Text | Ascii | Privileges | SeChangeNotifyPrivilege
Text | Ascii | Privileges | SeCreateGlobalPrivilege
Text | Ascii | Privileges | SeCreatePagefilePrivilege
Text | Ascii | Privileges | SeCreatePermanentPrivilege
Text | Ascii | Privileges | SeCreateSymbolicLinkPrivilege
Text | Ascii | Privileges | SeCreateTokenPrivilege
Text | Ascii | Privileges | SeDebugPrivilege
Text | Ascii | Privileges | SeEnableDelegationPrivilege
Text | Ascii | Privileges | SeImpersonatePrivilege
Text | Ascii | Privileges | SeIncreaseBasePriorityPrivilege
Text | Ascii | Privileges | SeIncreaseQuotaPrivilege
Text | Ascii | Privileges | SeIncreaseWorkingSetPrivilege
Text | Ascii | Privileges | SeLoadDriverPrivilege
Text | Ascii | Privileges | SeLockMemoryPrivilege
Text | Ascii | Privileges | SeMachineAccountPrivilege
Text | Ascii | Privileges | SeManageVolumePrivilege
Text | Ascii | Privileges | SeProfileSingleProcessPrivilege
Text | Ascii | Privileges | SeRelabelPrivilege
Text | Ascii | Privileges | SeRemoteShutdownPrivilege
Text | Ascii | Privileges | SeRestorePrivilege
Text | Ascii | Privileges | SeSecurityPrivilege
Text | Ascii | Privileges | SeShutdownPrivilege
Text | Ascii | Privileges | SeSyncAgentPrivilege
Text | Ascii | Privileges | SeSystemEnvironmentPrivilege
Text | Ascii | Privileges | SeSystemProfilePrivilege
Text | Ascii | Privileges | SeSystemtimePrivilege
Text | Ascii | Privileges | SeTakeOwnershipPrivilege
Text | Ascii | Privileges | SeTcbPrivilege
Text | Ascii | Privileges | SeTimeZonePrivilege
Text | Ascii | Privileges | SeTrustedCredManAccessPrivilege
Text | Ascii | Privileges | SeUndockPrivilege
Text | Ascii | Privileges | SeUnsolicitedInputPrivilege
Text | Ascii | Information used to authenticate a user's identity | Credential
Text | Unicode | Process of gathering information about network resources | Enumeration
Text | Ascii | Information used for user authentication | Credential
Text | Unicode | Technique used to circumvent security measures | Bypass
Entry Point | Hex | Pattern | Microsoft Visual C / Basic .NET
Entry Point | Hex | Pattern | Microsoft Visual C++ 8
Entry Point | Hex | Pattern | Microsoft Visual C++ 8.0
Entry Point | Hex | Pattern | Microsoft Visual C v7.0 / Basic .NET
Entry Point | Hex | Pattern | Microsoft Visual Studio .NET
Entry Point | Hex | Pattern | .NET executable
Entry Point | Hex | Pattern | TrueVision Targa Graphics format
Resources
Path | DataRVA | Size | FileOffset | Code | Text
\VERSION\1\0 | 116058 | 446 | 113E58 | 460434000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000C00 | F.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
Intelligent String
• 2.12.2.0
• http://schemas.microsoft.com/windows/2004/02/mit/taskT
• .exe
• taskkill /IM cmstp.exe /F
• cmd /c reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
• cmstp.exe
• .inf
• powershell.exe
• http://schemas.microsoft.com/windows/2004/02/mit/task
• cmd.exe
• conhost.exe
• wscript.exe
• .metadata.xml
• .xml
• ?TS_Stripped_Def_{0}-{1}_{2}.xml
• uMicrosoft.Win32.TaskScheduler.V1.TaskSchedulerV1Schema.xsd
• http://msdn.microsoft.com/en-us/library/windows/desktop/aa384138(v=vs.85).aspx
• \.job
• .job
• *.job
• control.exe
• taskschd.dll
• TimeSpan2.dll
• RepositoryUrl'https://github.com/dahall/taskscheduler
• ShowMessageTNamespace5http://schemas.microsoft.com/windows/2004/02/mit/taskT
• 00:10:00
• 01:00:00
• 00:00:00
• \System.DateTime, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e0890001-01-01T00:00:00
• 12:00:00
• \System.DateTime, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e0899999-12-31T23:59:59.9999999
• Microsoft.Win32.TaskScheduler.pdb
• _CorDllMainmscoree.dll

Flow Anomalies
Offset RVA Section Description
18BDB 200513 .text CALL [static] | Indirect call to absolute memory address
21463 3200113 .text CALL [static] | Indirect call to absolute memory address
372CC A200213 .text CALL [static] | Indirect call to absolute memory address
3AD71 8200113 .text CALL [static] | Indirect call to absolute memory address
5428E 8200113 .text JMP [static] | Indirect jump to absolute memory address
67EF2 200513 .text CALL [static] | Indirect call to absolute memory address
9AD8A 5D5E0001 .text JMP [static] | Indirect jump to absolute memory address
113D2E 402000 .text JMP [static] | Indirect jump to absolute memory address
Extra Analysis
Metric Value Percentage
Ascii Code 556001 49,1153%
Null Byte Code 364154 32,1682%
© 2026 All rights reserved.