PESCAN.IO - Analysis Report Basic

File Structure
[Analysis image not included in this extract. Legend of the PE chart: PE header (light blue), executable sections (pink), non-executable sections (black), external injected code (red); a file structure drawn in red means a malformed or corrupted header. Chart legend for non-PE files: printable characters (blue), non-printable characters (black).]
Information
Size: 383.13 KB
SHA-256 Hash: 61ACA6BAC6B538577CF8469492A87647274C81539A833FDACD119C5F2D56560D
SHA-1 Hash: 27E7C52390A0023384C7ABFC859C8CA40958E4A5
MD5 Hash: 50C1ED05C2EB69DC6D1D0027297D0794
Imphash: CCDB603157B5619D36FCE9CF87287A20
MajorOSVersion: 6
MinorOSVersion: 0
CheckSum: 0006D959
EntryPoint (rva): F250
SizeOfHeaders: 400
SizeOfImage: 73000
ImageBase: 0000000140000000
Architecture: x64
ImportTable: 442F0
IAT: 446A0
Characteristics: 22 (0x0022 = IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_LARGE_ADDRESS_AWARE)
TimeDateStamp: 6A145B36
Date: 25/05/2026 14:22:46
File Type: EXE
Number Of Sections: 8
ASLR: Disabled (tool verdict; the DYNAMIC_BASE bit lives in DllCharacteristics, which this report does not print, and the file does carry a .reloc section)
Section Names (Section Table): .text, .rdata, .data, .pdata, .fptable, _RDATA, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI

Sections Info
(Offsets and sizes are hexadecimal. ROffset/RSize = PointerToRawData/SizeOfRawData, VOffset/VSize = VirtualAddress/VirtualSize.)

Name      Flags       Characteristics                          ROffset  RSize  VOffset  VSize  Entropy  Chi2
.text     0x60000020  Code, Executable, Readable               400      33A00  1000     3380E  6.4715   1274972.55
.rdata    0x40000040  Initialized Data, Readable               33E00    12A00  35000    1283C  5.0213   3273455.6
.data     0xC0000040  Initialized Data, Readable, Writeable    46800    1400   48000    125D8  2.7546   585417.1
.pdata    0x40000040  Initialized Data, Readable               47C00    2800   5B000    2760   5.43     293188.05
.fptable  0xC0000040  Initialized Data, Readable, Writeable    4A400    200    5E000    100    0        130560
_RDATA    0x40000040  Initialized Data, Readable               4A600    200    5F000    1F4    4.2064   20012
.rsrc     0x40000040  Initialized Data, Readable               4A800    11A00  60000    119C0  7.5047   206036.91
.reloc    0x42000040  Initialized Data, Discardable, Readable  5C200    C00    72000    A38    5.1166   36233.17

Notes: the 0x02000000 bit in .reloc's flags is IMAGE_SCN_MEM_DISCARDABLE (the tool labels it "GP-Relative", but IMAGE_SCN_GPREL is 0x00008000 and is not set). .fptable's entropy of 0 means its 0x200 raw bytes are all one value. The 7.5 entropy of .rsrc comes from the compressed PNG icon listed under Resources, not from packing; Detect It Easy reports no packer.
Description
OriginalFilename: desktop-launcher.exe
CompanyName: Mozilla Foundation
LegalCopyright: License: MPL 2
LegalTrademarks: Mozilla
ProductName: Firefox
FileVersion: 151.0.2
ProductVersion: 151.0.2
Language: Unknown (ID=0x0)
CodePage: Unicode (UTF-16 LE) (0x4B0)

Entry Point
Section 1 (.text) contains the entry point.
EntryPoint RVA F250 -> file offset E650 (F250 - VOffset 1000 + ROffset 400).
Code: 4883EC28E80B0000004883C428E96AFEFFFFCCCC48895C241855488BEC4883EC30488B05C88D030048BB32A2DF2D992B0000
Assembler (the tool disassembles this fragment as if it began at 0x1000; relative to the real RVA F250 the CALL lands at F264, the instruction right after the two INT3s, and the JMP at F0CC):
  SUB RSP, 0x28
  CALL 0x1014
  ADD RSP, 0x28
  JMP 0xE7C
  INT3
  INT3
  MOV QWORD PTR [RSP + 0x18], RBX
  PUSH RBP
  MOV RBP, RSP
  SUB RSP, 0x30
  MOV RAX, QWORD PTR [RIP + 0x38DC8]
  MOVABS RBX, 0x2B992DDFA232
This is the stock MSVC x64 CRT startup stub: call __security_init_cookie, then tail-jump into the CRT's common main routine. The function after the INT3 padding is __security_init_cookie itself: it loads __security_cookie (RIP-relative target RVA 48040, in .data) and compares it with 0x2B992DDFA232, the default /GS cookie value compiled into the CRT. Nothing in this prologue is specific to the launcher or indicative of tampering.
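Added example, not PESCAN.IO code or output: a short Python script that re-derives from the Sections Info table the values the report states for the entry point (RVA F250 -> file offset E650) and for the .text padding run listed under Flow Anomalies, and decodes section Characteristics bits from winnt.h definitions (which also shows what .reloc's 0x42000040 really contains). The section tuples are transcribed from this page; everything else is standard PE layout.

```python
"""Decode the section table of the report above and recompute two derived values
(added example; not PESCAN.IO code). Section entries are transcribed from the
Sections Info table on this page; the IMAGE_SCN_* values are from winnt.h."""

# IMAGE_SCN_* section Characteristics bits, as defined in winnt.h
SECTION_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x00008000: "IMAGE_SCN_GPREL",
    0x02000000: "IMAGE_SCN_MEM_DISCARDABLE",
    0x04000000: "IMAGE_SCN_MEM_NOT_CACHED",
    0x08000000: "IMAGE_SCN_MEM_NOT_PAGED",
    0x10000000: "IMAGE_SCN_MEM_SHARED",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}

# (name, flags, raw_offset, raw_size, virtual_address, virtual_size), copied from the report
SECTIONS = [
    (".text",    0x60000020, 0x00400, 0x33A00, 0x01000, 0x3380E),
    (".rdata",   0x40000040, 0x33E00, 0x12A00, 0x35000, 0x1283C),
    (".data",    0xC0000040, 0x46800, 0x01400, 0x48000, 0x125D8),
    (".pdata",   0x40000040, 0x47C00, 0x02800, 0x5B000, 0x02760),
    (".fptable", 0xC0000040, 0x4A400, 0x00200, 0x5E000, 0x00100),
    ("_RDATA",   0x40000040, 0x4A600, 0x00200, 0x5F000, 0x001F4),
    (".rsrc",    0x40000040, 0x4A800, 0x11A00, 0x60000, 0x119C0),
    (".reloc",   0x42000040, 0x5C200, 0x00C00, 0x72000, 0x00A38),
]


def decode_flags(flags):
    """Return the IMAGE_SCN_* names that are set in a Characteristics value."""
    return [name for bit, name in SECTION_FLAGS.items() if flags & bit]


def section_for_rva(rva):
    """Find the section whose mapped range contains rva (None if no section does)."""
    for sec in SECTIONS:
        _, _, _, raw_size, va, vsize = sec
        # the mapped extent is the larger of VirtualSize and SizeOfRawData
        if va <= rva < va + max(vsize, raw_size):
            return sec
    return None


def rva_to_offset(rva):
    """Translate an RVA to a file offset through the owning section's raw pointer."""
    sec = section_for_rva(rva)
    if sec is None:
        raise ValueError(f"RVA {rva:#x} is not inside any section")
    name, _, raw_off, raw_size, va, _ = sec
    delta = rva - va
    if delta >= raw_size:
        raise ValueError(f"RVA {rva:#x} is in {name} but has no file backing")
    return raw_off + delta


def tail_padding(name):
    """File range (first, last, count) between a section's VirtualSize and the end
    of its raw data: bytes present in the file but not mapped as section content.
    Returns None when VirtualSize >= SizeOfRawData (e.g. .data with a .bss tail)."""
    sec = next(s for s in SECTIONS if s[0] == name)
    _, _, raw_off, raw_size, _, vsize = sec
    if vsize >= raw_size:
        return None
    first = raw_off + vsize
    last = raw_off + raw_size - 1
    return first, last, last - first + 1


def executable_sections():
    """Names of sections with IMAGE_SCN_MEM_EXECUTE set."""
    return [s[0] for s in SECTIONS if s[1] & 0x20000000]


if __name__ == "__main__":
    for name, flags, *_ in SECTIONS:
        print(f"{name:9s} {flags:#010x} {', '.join(decode_flags(flags))}")
    print(f"entry point RVA 0xF250 -> file offset {rva_to_offset(0xF250):#x}")
    print(".text padding (first, last, count):", tail_padding(".text"))
```

Running it reproduces the report's E650 entry-point offset, shows .reloc as Discardable rather than GP-relative, and gives (0x33C0E, 0x33DFF, 498) for the .text tail, i.e. exactly the range and count the report calls a "BP cave".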
Signatures
Certificate - Digital Signature:
• The file is signed and the signature is correct

Packer/Compiler
Detect It Easy (die)
PE+(64): compiler: Microsoft Visual C/C++(2015 v.14.0)[-]
PE+(64): linker: Microsoft Linker(14.0)[-]
PE+(64): Sign tool: Windows Authenticode(2.0)[PKCS 7]
Entropy: 6.69321

Suspicious Functions
Library       Function           Description
KERNEL32.DLL  WriteFile          Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL  GetProcAddress     Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL  IsDebuggerPresent  Determines whether the calling process is being debugged by a user-mode debugger.
SHELL32.DLL   ShellExecuteExW    Performs an operation (such as open or run) on a specified file.

Windows Registry Key (UNICODE)
SOFTWARE\Mozilla\Mozilla Firefox

File Access
KERNEL32.dll
WINHTTP.dll
SHELL32.dll
RPCRT4.dll
ADVAPI32.dll
@.dat
Temp

File Access (UNICODE)
desktop-launcher.exe
%sfx%X%X%X%X%X.exe
mscoree.dll

Words of Interest
exec
start
systeminfo
ping

URLs
http://schemas.microsoft.com/SMI/2005/WindowsSettings
http://schemas.microsoft.com/SMI/2016/WindowsSettings
http://ocsp.digicert.com
http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
http://crl3.digicert.com/DigiCertTrustedRootG4.crl
http://www.digicert.com/CPS0
http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
http://cacerts.digicert.com/DigiCertTrustedG4TimeStampingRSA4096SHA2562025CA1.crt
http://crl3.digicert.com/DigiCertTrustedG4TimeStampingRSA4096SHA2562025CA1.crl
https://mozilla.org0/
(The stray "0" here and in "CPS0" above is a DER length byte adjacent to the string inside the code-signing certificate, not part of the URL; the DigiCert OCSP, CA and CRL URLs in this list come from the Authenticode signature's certificate chain.)

URLs (UNICODE)
https://www.mozilla.org/firefox/new/

Strings/Hex Code Found With The File Rules
Type         Encoding     Rule              Matched (Word)
Text         Ascii        WinAPI Sockets    connect
Text         Ascii        Registry          RegGetValue
Text         Ascii        File              GetTempPath
Text         Ascii        File              CreateFile
Text         Ascii        File              WriteFile
Text         Ascii        File              ReadFile
Text         Ascii        Anti-Analysis VM  IsDebuggerPresent
Text         Ascii        Anti-Analysis VM  GetSystemInfo
Text         Ascii        Reconnaissance    FindNextFileW
Text         Ascii        Reconnaissance    FindClose
Text         Ascii        Stealth           CloseHandle
Text         Ascii        Stealth           VirtualProtect
Text         Ascii        Execution         ShellExecute
Text         Ascii        Execution         CreateEventW
Entry Point  Hex Pattern  Compiler          Microsoft Visual C++ 8.0 (DLL)

These rules are keyword matches on import names; CloseHandle, CreateEventW and FindClose appear in practically every Windows binary, so the category labels ("Stealth", "Anti-Analysis VM") describe the rule, not observed behaviour. The entry-point hex-pattern match ("Visual C++ 8.0 (DLL)") disagrees both with Detect It Easy (Visual C/C++ 2015, linker 14.0) and with the file type (EXE); the DIE result is the one consistent with the headers.
Resources
(Path; DataRVA, Size and FileOffset in hex; first bytes of the resource as hex and as text.)

\LIMITEDACCESSFEATURE\IDENTITY\1033  DataRVA 711F0  Size 38  FileOffset 5B9F0
  Hex:  4D006F007A0069006C006C006100460069007200650066006F0078005F007000630073006D006D0030006A00720070007200700062003200
  Text: M.o.z.i.l.l.a.F.i.r.e.f.o.x._.p.c.s.m.m.0.j.r.p.r.p.b.2.
\ICON\1\1033  DataRVA 602A0  Size 528  FileOffset 4AAA0
  Hex:  2800000010000000200000000100200000000000000500000000000000000000000000000000000000000000000000000000
  Text: (....... ..... ...................................
\ICON\2\1033  DataRVA 607C8  Size 1428  FileOffset 4AFC8
  Hex:  280000002000000040000000010020000000000000140000000000000000000000000000000000004D2009004D2009004D20
  Text: (... ...@..... .........................M ..M ..M
\ICON\3\1033  DataRVA 61BF0  Size 2D28  FileOffset 4C3F0
  Hex:  2800000030000000600000000100200000000000002D00000000000000000000000000000000000045180000451800004518
  Text: (...0........ ......-..................E...E...E.
\ICON\4\1033  DataRVA 64918  Size C42A  FileOffset 4F118
  Hex:  89504E470D0A1A0A0000000D49484452000001000000010008060000005C72A866000000017352474200AECE1CE900004000
  Text: .PNG........IHDR.............\r.f....sRGB.......@.
\GROUP_ICON\1\1033  DataRVA 70D48  Size 3E  FileOffset 5B548
  Hex:  000001000400101000000100200028050000010020200000010020002814000002003030000001002000282D0000030000000000010020002AC400000400
  Text: ............ .(..... .... .(.....00.... .(-.......... .*.....
\VERSION\1\1033  DataRVA 71228  Size 32C  FileOffset 5BA28
  Hex:  2C0334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000
  Text: ,.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
\24\IDR_COMCTL32_MANIFEST\1033  DataRVA 70D88  Size 466  FileOffset 5B588
  Hex:  3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E653D2279
  Text: <?xml version="1.0" encoding="UTF-8" standalone="y
\24\1\1033  DataRVA 71558  Size 466  FileOffset 5BD58
  Hex:  3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E653D2279
  Text: <?xml version="1.0" encoding="UTF-8" standalone="y

Resource type 24 is RT_MANIFEST. \ICON\4 is a PNG-format icon (89 50 4E 47 header); at C42A bytes it is most of .rsrc's content and the reason for that section's high entropy.
Intelligent String
• <dpiAwareness xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">PerMonitorV2</dpiAwareness>
• <dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
• download.mozilla.org
• %sfx%X%X%X%X%X.exe
• Augloginfmodf
• mscoree.dll
• desktop-launcher.exe
• :060U00Uq]dL.g?O0U0E1-Q!m0U0y+m0k0$+0http://ocsp.digicert.com0C+07http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0EU>0<0:864http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0U
  (certificate extension bytes from the Authenticode signature rendered as text: the AIA and CRL distribution point URLs of the DigiCert chain, with DER tag and length bytes between them)

Flow Anomalies
The CALL/JMP QWORD PTR [RIP+disp] rows below are RIP-relative indirect branches whose targets resolve into .rdata (RVA 35000-4783C), the section that holds the import table and IAT; that is the form MSVC emits for calls to imported functions, so these rows reflect ordinary import usage rather than control flow leaving the image. Offsets are file offsets in hex.
Offset RVA Section Description
433 N/A .text CALL QWORD PTR [RIP+0x4392F]
49A N/A .text CALL QWORD PTR [RIP+0x437E8]
4BB N/A .text CALL QWORD PTR [RIP+0x435EF]
656 N/A .text CALL QWORD PTR [RIP+0x43464]
68B N/A .text CALL QWORD PTR [RIP+0x42F17]
882 N/A .text CALL QWORD PTR [RIP+0x432B0]
899 N/A .text CALL QWORD PTR [RIP+0x43281]
8D0 N/A .text CALL QWORD PTR [RIP+0x433C2]
9DF N/A .text CALL QWORD PTR [RIP+0x42BC3]
9FC N/A .text CALL QWORD PTR [RIP+0x42BA6]
A14 N/A .text CALL QWORD PTR [RIP+0x42B8E]
A30 N/A .text CALL QWORD PTR [RIP+0x42B72]
AEE N/A .text CALL QWORD PTR [RIP+0x42AB4]
B0B N/A .text CALL QWORD PTR [RIP+0x42A97]
B23 N/A .text CALL QWORD PTR [RIP+0x42A7F]
B3F N/A .text CALL QWORD PTR [RIP+0x42A63]
B98 N/A .text CALL QWORD PTR [RIP+0x42A0A]
BB5 N/A .text CALL QWORD PTR [RIP+0x429ED]
BCD N/A .text CALL QWORD PTR [RIP+0x429D5]
BE9 N/A .text CALL QWORD PTR [RIP+0x429B9]
C8D N/A .text CALL QWORD PTR [RIP+0x42E2D]
CD1 N/A .text CALL QWORD PTR [RIP+0x428D1]
CEE N/A .text CALL QWORD PTR [RIP+0x428B4]
D06 N/A .text CALL QWORD PTR [RIP+0x4289C]
D22 N/A .text CALL QWORD PTR [RIP+0x42880]
DAD N/A .text CALL QWORD PTR [RIP+0x42EC5]
10D0 N/A .text CALL QWORD PTR [RIP+0x42A5A]
10FD N/A .text CALL QWORD PTR [RIP+0x429D5]
1160 N/A .text CALL QWORD PTR [RIP+0x4296A]
11EB N/A .text CALL QWORD PTR [RIP+0x428EF]
1217 N/A .text CALL QWORD PTR [RIP+0x428F3]
124C N/A .text CALL QWORD PTR [RIP+0x428B6]
1267 N/A .text CALL QWORD PTR [RIP+0x42B43]
1AE6 N/A .text CALL QWORD PTR [RIP+0x41ABC]
1B03 N/A .text CALL QWORD PTR [RIP+0x41A9F]
1B1B N/A .text CALL QWORD PTR [RIP+0x41A87]
1B37 N/A .text CALL QWORD PTR [RIP+0x41A6B]
1B8D N/A .text CALL QWORD PTR [RIP+0x41FA5]
1BAE N/A .text CALL QWORD PTR [RIP+0x41F6C]
1C45 N/A .text CALL QWORD PTR [RIP+0x41E75]
1C89 N/A .text CALL QWORD PTR [RIP+0x41919]
1CA6 N/A .text CALL QWORD PTR [RIP+0x418FC]
1CBE N/A .text CALL QWORD PTR [RIP+0x418E4]
1CDA N/A .text CALL QWORD PTR [RIP+0x418C8]
2081 N/A .text CALL QWORD PTR [RIP+0x41A79]
20EE N/A .text CALL QWORD PTR [RIP+0x41A04]
2118 N/A .text CALL QWORD PTR [RIP+0x4148A]
212C N/A .text CALL QWORD PTR [RIP+0x419B6]
2176 N/A .text CALL QWORD PTR [RIP+0x41974]
21C5 N/A .text CALL QWORD PTR [RIP+0x41945]
21EE N/A .text JMP QWORD PTR [RIP+0x41B7C]
221B N/A .text CALL QWORD PTR [RIP+0x418CF]
222B N/A .text CALL QWORD PTR [RIP+0x418B7]
2254 N/A .text CALL QWORD PTR [RIP+0x418B6]
225E N/A .text CALL QWORD PTR [RIP+0x41B0C]
2342 N/A .text CALL QWORD PTR [RIP+0x418D8]
237A N/A .text CALL QWORD PTR [RIP+0x41228]
2397 N/A .text CALL QWORD PTR [RIP+0x4120B]
23AF N/A .text CALL QWORD PTR [RIP+0x411F3]
23CB N/A .text CALL QWORD PTR [RIP+0x411D7]
245F N/A .text CALL QWORD PTR [RIP+0x41143]
24C9 N/A .text CALL QWORD PTR [RIP+0x410D9]
251B N/A .text CALL QWORD PTR [RIP+0x41087]
28FA N/A .text CALL QWORD PTR [RIP+0x40CA8]
2D1C N/A .text CALL QWORD PTR [RIP+0x40886]
384A N/A .text CALL QWORD PTR [RIP+0x3FD58]
3875 N/A .text CALL QWORD PTR [RIP+0x3FD2D]
3896 N/A .text CALL QWORD PTR [RIP+0x3FD0C]
38B2 N/A .text CALL QWORD PTR [RIP+0x3FCF0]
38CF N/A .text CALL QWORD PTR [RIP+0x3FCD3]
38EC N/A .text CALL QWORD PTR [RIP+0x3FCB6]
39D0 N/A .text CALL QWORD PTR [RIP+0x3FBD2]
3A9B N/A .text CALL QWORD PTR [RIP+0x3FB07]
3B4B N/A .text CALL QWORD PTR [RIP+0x3FA57]
3CA7 N/A .text CALL QWORD PTR [RIP+0x3F8FB]
4319 N/A .text CALL QWORD PTR [RIP+0x3F289]
433B N/A .text CALL QWORD PTR [RIP+0x3F267]
4357 N/A .text CALL QWORD PTR [RIP+0x3F24B]
43A5 N/A .text CALL QWORD PTR [RIP+0x3F1FD]
43C3 N/A .text CALL QWORD PTR [RIP+0x3F1DF]
43E4 N/A .text CALL QWORD PTR [RIP+0x3F1BE]
4400 N/A .text CALL QWORD PTR [RIP+0x3F1A2]
4414 N/A .text CALL QWORD PTR [RIP+0x3F18E]
443E N/A .text CALL QWORD PTR [RIP+0x3F164]
456B N/A .text CALL QWORD PTR [RIP+0x3F037]
4620 N/A .text CALL QWORD PTR [RIP+0x3EF82]
46B9 N/A .text CALL QWORD PTR [RIP+0x3EEE9]
4751 N/A .text CALL QWORD PTR [RIP+0x3EE51]
4821 N/A .text CALL QWORD PTR [RIP+0x3ED81]
48E9 N/A .text CALL QWORD PTR [RIP+0x3ECB9]
4999 N/A .text CALL QWORD PTR [RIP+0x3EC09]
4B7D N/A .text CALL QWORD PTR [RIP+0x3EA25]
4B9E N/A .text CALL QWORD PTR [RIP+0x3EA04]
4BBA N/A .text CALL QWORD PTR [RIP+0x3E9E8]
4C07 N/A .text CALL QWORD PTR [RIP+0x3E99B]
4C2A N/A .text CALL QWORD PTR [RIP+0x3E978]
4C4B N/A .text CALL QWORD PTR [RIP+0x3E957]
4C67 N/A .text CALL QWORD PTR [RIP+0x3E93B]
4C7F N/A .text CALL QWORD PTR [RIP+0x3E923]
4C8F N/A .text CALL QWORD PTR [RIP+0x3E913]
33C0E-33DFF N/A .text Unusual BP Cave, count: 498
  These 0x1F2 = 498 bytes lie between the end of .text's VirtualSize (file offset 400 + 3380E = 33C0E) and the end of its raw data (400 + 33A00 = 33E00): linker padding up to the file alignment boundary, not an injected code cave.
5CE00 N/A *Overlay* 802E00000002020030822E6F06092A864886F70D | ........0..o..*.H...
  The overlay starts with a WIN_CERTIFICATE header: dwLength 0x2E80, wRevision 0x0200, wCertificateType 0x0002 (WIN_CERT_TYPE_PKCS_SIGNED_DATA), followed by the DER SEQUENCE (30 82 2E 6F) of the Authenticode PKCS#7 blob. 0x5CE00 + 0x2E80 = 0x5FC80 = 392,320 bytes, which is the 383.13 KB file size reported above, so the overlay is the signature and nothing else.
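Added example, not PESCAN.IO code: resolve three of the RIP-relative branches in the table above to their target RVAs and check that they land in .rdata, then parse the WIN_CERTIFICATE header from the 20 overlay bytes the report prints and check that the certificate table length accounts for the rest of the file. The section values, the three rows (chosen as the first row, the lone JMP, and the last CALL) and the overlay bytes are transcribed from this page; the constants are from winnt.h and the Authenticode spec.

```python
"""Resolve Flow Anomalies rows and parse the overlay's WIN_CERTIFICATE header
(added example; not PESCAN.IO code). All inputs are transcribed from this page."""
import struct

# From the Sections Info table: .text raw pointer / VA, .rdata VA / VirtualSize
TEXT_RAW_OFFSET, TEXT_VA = 0x400, 0x1000
RDATA_VA, RDATA_VSIZE = 0x35000, 0x1283C

# (file offset, mnemonic, disp32): a subset of the Flow Anomalies rows above
ANOMALY_ROWS = [
    (0x433,  "CALL", 0x4392F),
    (0x21EE, "JMP",  0x41B7C),
    (0x4C8F, "CALL", 0x3E913),
]


def rip_relative_target(file_offset, disp, insn_len=6):
    """FF 15 disp32 (CALL) and FF 25 disp32 (JMP) are 6 bytes long; the
    displacement is added to the RVA of the *next* instruction."""
    rva = file_offset - TEXT_RAW_OFFSET + TEXT_VA
    return rva + insn_len + disp


def in_rdata(rva):
    return RDATA_VA <= rva < RDATA_VA + RDATA_VSIZE


def resolve_rows(rows):
    """Return [(file_offset, mnemonic, target_rva, lands_in_rdata)] for each row."""
    out = []
    for off, mnem, disp in rows:
        target = rip_relative_target(off, disp)
        out.append((off, mnem, target, in_rdata(target)))
    return out


# Overlay: its file offset and the 20 bytes the report prints for it
OVERLAY_OFFSET = 0x5CE00
OVERLAY_HEAD = bytes.fromhex("802E00000002020030822E6F06092A864886F70D")
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def parse_win_certificate(head):
    """Parse WIN_CERTIFICATE (DWORD dwLength, WORD wRevision, WORD wCertificateType)
    and the DER SEQUENCE header that opens bCertificate (the PKCS#7 SignedData)."""
    length, revision, ctype = struct.unpack_from("<IHH", head, 0)
    if head[8] != 0x30 or head[9] != 0x82:      # SEQUENCE, long-form 2-byte length
        raise ValueError("bCertificate does not start with a DER SEQUENCE")
    (der_len,) = struct.unpack_from(">H", head, 10)
    # dwLength covers the 8-byte header, the 4-byte SEQUENCE header and the body,
    # rounded up to a multiple of 8 (certificate table entries are 8-byte aligned)
    padded = (8 + 4 + der_len + 7) & ~7
    return {
        "dwLength": length,
        "wRevision": revision,
        "wCertificateType": ctype,
        "der_seq_len": der_len,
        "length_consistent": padded == length,
        "is_authenticode": revision == WIN_CERT_REVISION_2_0
        and ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA,
    }


def file_size_from_overlay(overlay_offset, cert):
    """If the overlay is exactly the certificate table, the file ends here."""
    return overlay_offset + cert["dwLength"]


if __name__ == "__main__":
    for off, mnem, target, ok in resolve_rows(ANOMALY_ROWS):
        print(f"{off:#06x} {mnem:4s} -> RVA {target:#x} in .rdata={ok}")
    cert = parse_win_certificate(OVERLAY_HEAD)
    print(cert)
    print(f"implied file size: {file_size_from_overlay(OVERLAY_OFFSET, cert)} bytes")
```

The three rows resolve to RVAs 44968, 44970 and 441A8, all inside .rdata, and the overlay header yields dwLength 0x2E80 with an internally consistent DER length, giving 0x5FC80 = 392,320 bytes, the 383.13 KB size at the top of the report. If the implied size were smaller than the actual file, bytes would follow the signature that Authenticode does not cover, which is the case worth investigating.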
Extra Analysis
Metric          Value    Percentage (of 392,320 bytes)
Ascii Code      233,294  59.4652%
Null Byte Code  68,298   17.4087%