PESCAN.IO - Analysis Report

File Structure: (section layout image not reproduced)
Information:
Icon: (not reproduced)
Size: 1.03 MB (about 1,076,736 bytes = 0x106E00, the end of the last section, so no appended overlay)
SHA-256 Hash: A1AD9018DB52A951D7E80B998DE7D6EE6B388D4AA1B46535E317662484186826
SHA-1 Hash: 86618721F1A2C8A9C069A11213F4892EC446E3B5
MD5 Hash: 86AE3BE50DF246C646DA76E7223A968E
Imphash: A71B59777FDF47EB06D8F9729F3BF423
MajorOSVersion: 10
CheckSum: 00111027
EntryPoint (rva): 57FF0
SizeOfHeaders: 400
SizeOfImage: 10B000
ImageBase: 0000000140000000
Architecture: x64
ImportTable: 7B778
Characteristics: 22
TimeDateStamp: 3140BED7
Date: 1996-03-08 23:12:23 UTC (decoded literally; not a real build time: Windows 10 binaries are built reproducibly and this field carries a hash of the build, so a 1996 date on a 10.0.19041.906 file is expected and not a sign of tampering)
File Type: EXE
Number Of Sections: 7
ASLR: Disabled (tool verdict; verify against IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040) in the optional header, which this report does not print. Characteristics 22 = EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE, and together with the .reloc section the image is relocatable, which ASLR requires)
Section Names (Section Table): .text, .rdata, .data, .pdata, .didat, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI
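A small header reader for checking the ASLR verdict and the header fields above on a real copy of the file. This is an added example, not PESCAN.IO code. build_sample_header() constructs a minimal PE32+ header from the values the report prints (Characteristics 0x22, TimeDateStamp 0x3140BED7, EntryPoint, ImageBase, CheckSum, Subsystem); DllCharacteristics is not in the report, so the value passed to it is an assumption used only to exercise the parser. check_file() is the function to point at %SystemRoot%\System32\HelpPane.exe.

```python
"""Read the PE header fields that decide the ASLR question (added example, not
PESCAN.IO code). "ASLR: Disabled" in a report should be verified against
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE rather than taken on trust.
"""
import struct
from datetime import datetime, timezone

CHARACTERISTICS = {
    0x0002: "EXECUTABLE_IMAGE", 0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE", 0x2000: "DLL",
}
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}


def flag_names(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe_header(data):
    """Parse e_lfanew, the COFF header and the start of the optional header."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, tstamp, _symtab, _nsyms, _optsz, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    # PE32+ has a 64-bit ImageBase at +24; PE32 has BaseOfData at +24 and a 32-bit ImageBase at +28.
    image_base = (struct.unpack_from("<Q", data, opt + 24)[0] if magic == 0x20B
                  else struct.unpack_from("<I", data, opt + 28)[0])
    checksum = struct.unpack_from("<I", data, opt + 64)[0]
    subsystem, dllchars = struct.unpack_from("<HH", data, opt + 68)
    return {
        "machine": machine,
        "sections": nsec,
        "timestamp": tstamp,
        "timestamp_utc": datetime.fromtimestamp(tstamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "characteristics": flag_names(chars, CHARACTERISTICS),
        "entry_rva": entry_rva,
        "image_base": image_base,
        "checksum": checksum,
        "subsystem": subsystem,
        "dll_characteristics": flag_names(dllchars, DLL_CHARACTERISTICS),
        # ASLR needs DYNAMIC_BASE; 64-bit high-entropy ASLR additionally needs HIGH_ENTROPY_VA.
        "aslr": bool(dllchars & 0x0040),
        "high_entropy_aslr": (dllchars & 0x0060) == 0x0060 and magic == 0x20B,
    }


def build_sample_header(dll_characteristics):
    """Constructed sample: PE32+ header with the report's values and an ASSUMED DllCharacteristics."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 7, 0x3140BED7, 0, 0, 0xF0, 0x0022)
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, 0x20B)                      # PE32+ magic
    struct.pack_into("<I", opt, 16, 0x57FF0)                   # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, 0x140000000)               # ImageBase
    struct.pack_into("<HH", opt, 40, 10, 0)                    # MajorOSVersion 10
    struct.pack_into("<II", opt, 56, 0x10B000, 0x400)          # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 64, 0x00111027)                # CheckSum
    struct.pack_into("<HH", opt, 68, 2, dll_characteristics)   # Subsystem GUI, DllCharacteristics
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def check_file(path):
    """Run the parser over a real file; the first 0x400 bytes cover the headers parsed here."""
    with open(path, "rb") as f:
        return parse_pe_header(f.read(0x400))
```

The timestamp decodes to the same 1996 date the report shows, which is the point of carrying it in the result: for a Windows 10 system binary that value is a reproducible-build hash, so the date is expected to look wrong and the dll_characteristics list is the field that actually answers the ASLR question.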

Sections Info:
Section Name   Flags                                            ROffset  RSize   VOffset  VSize
.text          60000020 (CODE | EXECUTE | READ)                 400      5B400   1000     5B317
.rdata         40000040 (INITIALIZED_DATA | READ)               5B800    20C00   5D000    20A38
.data          C0000040 (INITIALIZED_DATA | READ | WRITE)       7C400    3E00    7E000    4908
.pdata         40000040 (INITIALIZED_DATA | READ)               80200    2E00    83000    2DFC
.didat         C0000040 (INITIALIZED_DATA | READ | WRITE)       83000    200     86000    60
.rsrc          40000040 (INITIALIZED_DATA | READ)               83200    83000   87000    82F60
.reloc         42000040 (INITIALIZED_DATA | DISCARDABLE | READ) 106200   C00     10A000   B58
• Only .text is executable and no section is both writable and executable. .pdata (x64 unwind data) and .didat (delay-load import data, which is why LoadLibraryW/GetProcAddress appear in the import list) are standard Microsoft linker sections. .rsrc holds about half the image (0x82F60 of 0x10B000 bytes), consistent with the embedded HTML/JS help content in the strings below. Raw offsets are multiples of the 0x200 file alignment and virtual offsets of the 0x1000 section alignment.
Description:
InternalName: HelpPane.exe
OriginalFilename: HelpPane.exe
CompanyName: Microsoft Corporation
LegalCopyright: Microsoft Corporation. All rights reserved.
ProductName: Microsoft Windows Operating System
FileVersion: 10.0.19041.906 (WinBuild.160101.0800)

Entry Point:
Section 1 (.text) contains the entry point.
Information -> EntryPoint RVA 57FF0 = file offset 573F0 (RVA - .text VOffset 1000 + .text ROffset 400)
Code -> 4883EC28E84B0A00004883C428E97EFDFFFFCCCCCCCCCCCCFF256A760000CCCCCCCCCCCCCCCC66660F1F840000000000483B
Disassembly (the tool printed branch targets relative to a 0x1000 base; the real RVAs are given here):
57FF0: 48 83 EC 28                    SUB  RSP, 0x28
57FF4: E8 4B 0A 00 00                 CALL 0x58A44                    (listed by the tool as 0x1A54)
57FF9: 48 83 C4 28                    ADD  RSP, 0x28
57FFD: E9 7E FD FF FF                 JMP  0x57D80                    (listed by the tool as 0xD90)
58002: CC x6                          INT3 padding
58008: FF 25 6A 76 00 00              JMP  QWORD PTR [RIP + 0x766A]   (slot at RVA 0x5F678, in .rdata: an import thunk)
5800E: CC x8                          INT3 padding
58016: 66 66 0F 1F 84 00 00 00 00 00  NOP  WORD PTR [RAX + RAX]       (10-byte alignment NOP)
58020: 48 3B ...                      (next function, truncated)
• SUB RSP,28h / CALL / ADD RSP,28h / JMP is the shape of the standard MSVC x64 CRT entry stub (security-cookie initialisation followed by a jump into the CRT's common main routine), which fits the Visual Studio linker identified below. Nothing here is unusual.
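The RVA-to-file-offset arithmetic above, and the recovery of the real branch targets from the rel32/disp32 operands in the entry-point bytes, as an added example (not PESCAN.IO code). The section table and the entry-point bytes are copied from this report; the decoder is hand-written for the three branch encodings present in the stub, not a general disassembler.

```python
"""Map the report's RVAs to file offsets and recover the branch targets of the
entry-point stub (added example, not part of the PESCAN.IO output).
"""
import struct

# (name, raw_offset, raw_size, virtual_offset, virtual_size) from "Sections Info".
SECTIONS = [
    (".text",  0x000400, 0x5B400, 0x001000, 0x5B317),
    (".rdata", 0x05B800, 0x20C00, 0x05D000, 0x20A38),
    (".data",  0x07C400, 0x03E00, 0x07E000, 0x04908),
    (".pdata", 0x080200, 0x02E00, 0x083000, 0x02DFC),
    (".didat", 0x083000, 0x00200, 0x086000, 0x00060),
    (".rsrc",  0x083200, 0x83000, 0x087000, 0x82F60),
    (".reloc", 0x106200, 0x00C00, 0x10A000, 0x00B58),
]
ENTRY_RVA = 0x57FF0
# First 30 bytes of the "Code ->" line in the report.
ENTRY_CODE = bytes.fromhex(
    "4883EC28E84B0A00004883C428E97EFDFFFFCCCCCCCCCCCCFF256A760000"
)


def section_for_rva(rva):
    """Return the section whose mapped range contains rva, or None for header space."""
    for sec in SECTIONS:
        _name, _roff, rsize, voff, vsize = sec
        # The loader maps max(VirtualSize, SizeOfRawData) rounded up to a page.
        if voff <= rva < voff + max(vsize, rsize):
            return sec
    return None


def rva_to_offset(rva):
    """RVA -> file offset: subtract the section's VOffset, add its ROffset."""
    sec = section_for_rva(rva)
    if sec is None:
        raise ValueError(f"RVA {rva:#x} is not inside any section")
    _name, roff, rsize, voff, _vsize = sec
    delta = rva - voff
    if delta >= rsize:
        raise ValueError(f"RVA {rva:#x} lies in virtual-only (zero-filled) space")
    return roff + delta


def entry_stub_targets(code, entry_rva):
    """Decode the three branches of the stub. Layout from the report's bytes:
      +0x00  48 83 EC 28       sub  rsp, 28h
      +0x04  E8 rel32          call <cookie-init helper>
      +0x09  48 83 C4 28       add  rsp, 28h
      +0x0D  E9 rel32          jmp  <CRT common-main routine>
      +0x18  FF 25 disp32      jmp  qword ptr [rip + disp32]  (import thunk)
    rel32/disp32 are signed and relative to the address of the NEXT instruction.
    """
    if code[0:4] != b"\x48\x83\xEC\x28" or code[4] != 0xE8:
        raise ValueError("not the expected SUB RSP,28h / CALL prologue")
    if code[0x0D] != 0xE9 or code[0x18:0x1A] != b"\xFF\x25":
        raise ValueError("not the expected JMP rel32 / JMP [RIP+disp32] layout")
    call_rel = struct.unpack_from("<i", code, 0x05)[0]
    jmp_rel = struct.unpack_from("<i", code, 0x0E)[0]
    thunk_disp = struct.unpack_from("<i", code, 0x1A)[0]
    return {
        "call": entry_rva + 0x09 + call_rel,
        "jmp": entry_rva + 0x12 + jmp_rel,
        "iat_slot": entry_rva + 0x1E + thunk_disp,
    }
```

Running entry_stub_targets(ENTRY_CODE, ENTRY_RVA) gives the RVAs in the listing above; section_for_rva on the indirect-jump slot places it in .rdata, where the import address table lives, which is how the FF 25 instruction is recognised as an import thunk rather than a jump into code.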

Signatures:
Rich Signature Analyzer:
Code -> 5632BC061253D2551253D2551253D2551B2B41551053D2550638D6543253D2550638D7541853D2550638D1541653D2550638D3540953D2551253D3556152D2550638DA542C53D25506382D551353D2550638D0541353D255526963681253D255
Footprint md5 Hash -> 9D88A5C40C90E4A64F456DE239775909
• The Rich header apparently has not been modified
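The decode behind the "apparently has not been modified" verdict, as an added example (not PESCAN.IO code). RICH_BLOB is the hex printed in the report and decode_rich() needs nothing else. Recomputing the XOR key, which is also the header's checksum, additionally needs every byte in front of the DanS marker (the DOS header and stub), which the report does not print; that part is therefore exercised on a constructed image. Product-id numbers are returned as integers; no name table is supplied here.

```python
"""Decode and verify a Rich header (added example; not PESCAN.IO code)."""
import struct

RICH_BLOB = bytes.fromhex(  # copied from the report's "Rich Signature Analyzer" line
    "5632BC061253D2551253D2551253D2551B2B41551053D2550638D6543253D255"
    "0638D7541853D2550638D1541653D2550638D3540953D2551253D3556152D255"
    "0638DA542C53D25506382D551353D2550638D0541353D255526963681253D255"
)
DANS = struct.unpack("<I", b"DanS")[0]
RICH = struct.unpack("<I", b"Rich")[0]


def decode_rich(blob):
    """Return (key, [(prodid, build, count), ...]).
    Layout: DanS^key, 3 x key, N x (compid^key, count^key), 'Rich', key.
    compid packs the tool build in the low 16 bits and the product id in the high 16."""
    if len(blob) % 4 or len(blob) < 24:
        raise ValueError("not a dword-aligned Rich header")
    words = struct.unpack(f"<{len(blob) // 4}I", blob)
    if words[-2] != RICH:
        raise ValueError("'Rich' marker missing")
    key = words[-1]
    if words[0] ^ key != DANS or any(w != key for w in words[1:4]):
        raise ValueError("DanS marker/padding do not decode with the trailing key")
    body = words[4:-2]
    if len(body) % 2:
        raise ValueError("odd number of entry dwords")
    entries = [((c ^ key) >> 16, (c ^ key) & 0xFFFF, n ^ key)
               for c, n in zip(body[0::2], body[1::2])]
    return key, entries


def _rol32(v, n):
    n &= 31
    return ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF


def rich_key(prefix, entries):
    """Checksum = DanS offset + sum(rol(byte, offset)) over the bytes before DanS
    (skipping e_lfanew at 0x3C..0x3F) + sum(rol(compid, count)) over the entries."""
    csum = len(prefix)
    for i, b in enumerate(prefix):
        if not 0x3C <= i < 0x40:
            csum = (csum + _rol32(b, i)) & 0xFFFFFFFF
    for prodid, build, count in entries:
        csum = (csum + _rol32((prodid << 16) | build, count)) & 0xFFFFFFFF
    return csum


def verify_rich(data):
    """Find the Rich header in an image prefix; return (stored_key, recomputed_key, entries).
    The header is unmodified iff the two keys are equal."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    pos = data.rfind(b"Rich", 0, e_lfanew)
    if pos < 0:
        raise ValueError("no Rich marker before the PE header")
    key = struct.unpack_from("<I", data, pos + 4)[0]
    start = pos
    while start >= 0x40 and struct.unpack_from("<I", data, start)[0] ^ key != DANS:
        start -= 4
    if start < 0x40:
        raise ValueError("DanS marker not found")
    stored_key, entries = decode_rich(data[start:pos + 8])
    return stored_key, rich_key(data[:start], entries), entries


def build_sample_image(entries, dos_stub=b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21" * 7):
    """Constructed sample: DOS header + stub + a freshly keyed Rich header + 'PE\\0\\0'."""
    prefix = bytearray(0x40) + bytearray(dos_stub)
    prefix[:2] = b"MZ"
    prefix += b"\0" * (-len(prefix) % 16)
    key = rich_key(bytes(prefix), entries)       # e_lfanew bytes are excluded, so set them afterwards
    words = [DANS ^ key, key, key, key]
    for prodid, build, count in entries:
        words += [((prodid << 16) | build) ^ key, count ^ key]
    words += [RICH, key]
    rich = struct.pack(f"<{len(words)}I", *words)
    struct.pack_into("<I", prefix, 0x3C, len(prefix) + len(rich))
    return bytes(prefix) + rich + b"PE\0\0"
```

On the report's blob the key is 0x55D25312 and nine entries decode; eight of them share one compiler/linker build number, which is the value to set beside the linker version Detect It Easy reports below. verify_rich() is the check to run on the real file: a mismatch between stored and recomputed key means the DOS stub or the entries were edited after linking.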
Certificate - Digital Signature Not Found:
• The file carries no embedded Authenticode signature. For a Microsoft Windows system binary this is normal: files shipped in System32 are signed through security catalogs (C:\Windows\System32\CatRoot), not embedded certificates, so a static PE scanner reports them as unsigned. Check on a Windows host with Get-AuthenticodeSignature (PowerShell 5.1 and later reports SignatureType Catalog) or signtool verify /pa /a, and compare the SHA-256 above with the copy in %SystemRoot%\System32.

Packer/Compiler:
Compiler: Microsoft Visual Studio
Detect It Easy (die)
PE+(64): linker: Microsoft Linker(14.20, Visual Studio 2019 16.0*)[EXE64]
Entropy: 4.81242 (whole file; well below the 7+ typical of packed or encrypted content, consistent with unpacked code plus text-heavy resources)

Suspicious Functions:
Library        Function             Description
KERNEL32.DLL   CreateMutexW         Creates a named or unnamed mutex object for controlling access to a shared resource.
KERNEL32.DLL   GetModuleFileNameA   Retrieves the fully qualified path of the executable file of a specified module.
KERNEL32.DLL   VirtualAlloc         Reserves, commits, or both, a region of memory within the virtual address space of a process.
KERNEL32.DLL   LoadLibraryW         Loads the specified module into the address space of the calling process.
KERNEL32.DLL   GetProcAddress       Retrieves the address of an exported function or variable from the specified DLL.
KERNEL32.DLL   IsDebuggerPresent    Determines whether the calling process is being debugged by a user-mode debugger.
SHELL32.DLL    ShellExecuteW        Performs an operation (for example open or run) on a specified file.
• Caveat: every one of these imports is routine in an MSVC-linked Windows GUI program. LoadLibraryW/GetProcAddress back the delay-load helper (the .didat section above), IsDebuggerPresent is called from the CRT and WIL fail-fast paths (compare the RaiseFailFastException/wil strings under File Access (UNICODE)), and CreateMutexW fits the Global\HelpPaneUpdatingEvent name under Intelligent String. The list says where to look, not what the program does.
Windows REG (UNICODE):
SOFTWARE\Microsoft\Windows\CurrentVersion\HelpAndSupport
Software\Microsoft\Assistance\Client\1.0\Settings
Software\Microsoft\Windows\CurrentVersion\OEMInformation
Software\Microsoft\Windows\CurrentVersion\HelpAndSupport
SOFTWARE\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}
Software\Microsoft\EdgeUpdate\Clients\
SOFTWARE\Microsoft\Windows\CurrentVersion\HelpAndSupport\
SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation\
SOFTWARE\Microsoft\Internet Explorer
Software\Policies\Microsoft\Assistance\Client\1.0

File Access:
HelpPane.exe
api-ms-win-core-path-l1-1-0.dll
ntdll.dll
SLWGA.dll
SHLWAPI.dll
SHELL32.dll
OLEAUT32.dll
ole32.dll
COMCTL32.dll
msvcrt.dll
USER32.dll
GDI32.dll
KERNEL32.dll
ADVAPI32.dll
Oyzatlthunk.dll
XmlLite.dll
@2QUxTheme.dll
WININET.dll
urlmon.dll
Temp

File Access (UNICODE):
r;advapi32.dll
api-ms-win-eventing-provider-l1-1-0.dll
Ntdll.dll
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
kernelbase.dll
RaiseFailFastException%wswilntdll.dll
HelpPane.exe
%systemroot%\system32\msdt.exe
@HelpPane.exe
msedge.exe
• Several entries are string-carving artifacts (bytes adjacent to the real string were swept in): "@2QUxTheme.dll" is UxTheme.dll, "r;advapi32.dll" is advapi32.dll, and "RaiseFailFastException%wswilntdll.dll" is separate strings (RaiseFailFastException, a %ws format string, "wil", ntdll.dll) run together. These lists come from static string extraction, not from observing the process; treat the .dll/.exe names as hints to the import and delay-load set, not as files the binary was seen touching.

Words of Interest:
cscript
exec
unescape
attrib
start
shutdown
systeminfo
expand

Words of Interest (UNICODE):
ToolBar
Encrypt
<div
<img
<form
<input
window.location
unescape
start
replace
• The HTML/JavaScript tokens (<div, <img, <form, <input, window.location, unescape, replace) come from the help-page templates listed under Intelligent String (the HHSearchQuery form, the HubPreload and ErrorBanner scripts), not from a downloader or script-dropping routine; the large .rsrc section is the likely home for that content.

URLs:
http://schemas.microsoft.com/SMI/2005/WindowsSettings

URLs (UNICODE):
http://go.microsoft.com/fwlink/
https://go.microsoft.com/fwlink/
https://go.microsoft.com/fwlink/?LinkId=517009
https://go.microsoft.com/fwlink/?LinkID=528880
https://go.microsoft.com/fwlink/?LinkId=528881
https://go.microsoft.com/fwlink/?LinkId=528882
https://go.microsoft.com/fwlink/?LinkId=528884
https://go.microsoft.com/fwlink/?LinkId=528885
https://go.microsoft.com/fwlink/?LinkId=528886
https://go.microsoft.com/fwlink/?LinkId=528887
https://go.microsoft.com/fwlink/?linkid=2100093
https://go.microsoft.com/fwlink/?LinkId=528888
https://go.microsoft.com/fwlink/?LinkId=797549
https://go.microsoft.com/fwlink/?LinkId=797554
https://go.microsoft.com/fwlink/p/?linkid=827594
https://go.microsoft.com/fwlink/?linkid=839897
https://go.microsoft.com/fwlink/p/?linkid=852246
https://go.microsoft.com/fwlink/p/?linkid=852335
https://go.microsoft.com/fwlink/?linkid=847864
https://go.microsoft.com/fwlink/?LinkID=275852
https://go.microsoft.com/fwlink/?LinkID=2004354
https://go.microsoft.com/fwlink/?LinkID=2004353
https://go.microsoft.com/fwlink/?LinkID=2004265
https://go.microsoft.com/fwlink/?LinkID=2004119
https://go.microsoft.com/fwlink/?LinkID=2004229
https://go.microsoft.com/fwlink/?LinkID=2004327
https://go.microsoft.com/fwlink/?LinkID=2004439
https://go.microsoft.com/fwlink/?LinkID=2004230
https://go.microsoft.com/fwlink/?LinkID=2003812
https://go.microsoft.com/fwlink/?LinkID=2004254
https://go.microsoft.com/fwlink/?LinkID=2004349
https://go.microsoft.com/fwlink/?LinkID=2004257
https://go.microsoft.com/fwlink/?LinkID=2004259
https://go.microsoft.com/fwlink/?LinkID=2100680
https://go.microsoft.com/fwlink/?LinkId=2004549
https://go.microsoft.com/fwlink/?LinkId=2004550
https://go.microsoft.com/fwlink/?LinkId=2004446
https://go.microsoft.com/fwlink/?LinkId=2004447
https://go.microsoft.com/fwlink/?LinkId=2004551

Payloads:
Unusual BP Cave > 15 Bytes - (0xCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC...)
• Runs of 0xCC are INT3 alignment padding that the Microsoft linker emits between functions (runs of six and eight are visible in the entry-point listing above). Long runs are normal in MSVC output and are not a payload; a code cave only matters if something has been written into it, which would show as non-0xCC bytes inside .text.

Strings/Hex Code Found With The File Rules:
Rule Text (Ascii): Registry (RegCreateKeyEx)
Rule Text (Ascii): Registry (RegOpenKeyEx)
Rule Text (Ascii): Registry (RegSetValueEx)
Rule Text (Ascii): Registry (RegDeleteKeyEx)
Rule Text (Ascii): Registry (RegGetValue)
Rule Text (Ascii): Anti-Analysis VM (IsDebuggerPresent)
Rule Text (Ascii): Anti-Analysis VM (GetSystemInfo)
Rule Text (Ascii): Anti-Analysis VM (GetVersion)
Rule Text (Ascii): Stealth (VirtualAlloc)
Rule Text (Ascii): Execution (ShellExecute)
Rule Text (Ascii): Execution (ResumeThread)
Rule Text (Ascii): Gain of higher-level privileges within a system (Escalation)
Rule Text (Unicode): Gain of higher-level privileges within a system (Escalation)
Rule Text (Ascii): Software that records user activity (Logger)
Rule Text (Ascii): Unauthorized movement of funds or data (Transfer)
• These are API-name and keyword matches, not observed behaviour. IsDebuggerPresent/GetSystemInfo/GetVersion are imported by the CRT and ordinary Windows code paths; "Escalation" matches the Help Pane navigation topic (mshelp://help/?id=escalation, HHTopNavLinksEscalation, mshelp://oem/?id=EscalationTopic under Intelligent String), not privilege escalation. Confirm the "Logger" and "Transfer" hits against the matched strings before drawing conclusions.
EP Rules: Microsoft Visual C++ 8.0 (DLL)
• Generic entry-point signature match. It contradicts Detect It Easy (Microsoft Linker 14.20, Visual Studio 2019, EXE64) and File Type: EXE; the same CRT stub bytes are shared across many MSVC versions, so prefer the linker version and the Rich header over this match.

Intelligent String:
• HelpPane.exe
• urlmon.dll
• _@2QUxTheme.dll
• XmlLite.dll
• r;advapi32.dll
• api-ms-win-eventing-provider-l1-1-0.dll
• Ntdll.dll
• var hubPreloadScriptElement = document.head.children('idHubPreloadScript'); if (typeof (hubPreloadScriptElement) != 'object') { var HubPreloadScriptUrl = 'mshelp://Help/?id=Microsoft.Windows.Resources.Js.HubPreload'; var HubPreloadScript = document.createElement('script'); HubPreloadScript.src = HubPreloadScriptUrl; HubPreloadScript.type = 'text/javascript'; document.querySelector('head').appendChild(HubPreloadScript); }
• mshelp://help/?id=escalation
• mshelp://Help/?id=browse
• mshelp://help/?id=home
• <div id='HHTopNavLinksPanel'><div id='HHTopNavLinks'> <a href='%1' id='HHTopNavLinksHome'>%2</a> | <a href='%3' id='HHTopNavLinksBrowse'>%4</a> | <a href='%5' id='HHTopNavLinksEscalation'>%6</a> </div> </div>
• <div class='HHSearchQuery' MS.ExId='HHSearchBox'> <form action='mshelp://windows/' method='get' class='HHSearchQuery' id='IDF_HHSearchQueryForm_1'> <input type='hidden' name='id' value='search' <input type='text' name='%1' class='HHSearchQueryTextInput' id='HHTextInput' title='%2' value='' onfocus='this.HasFocus = true;' onblur='this.HasFocus = false;' onclick='this.HasFocus = true;' autocomplete='off' maxlength='159' <a class='HHHighContrastSearchQuerySubmit' title='%3' href='' onclick='if(document.querySelector("HHTextInput").value) {document.querySelector("IDF_HHSearchQueryForm_1").submit();}return false;'> <img src='mshelp://Help/?id=Microsoft.Windows.Resources.Images.SearchBox' alt='%3' title='%3' </a> <input type='submit' class='HHSearchQuerySubmit' title='%3' value='' <div class='HHSearchQueryBoxBackgroundLevel1'>%2</div> <div class='HHSearchQueryBoxBackgroundLevel2'> </div></form></div>
• mshelp://Help/?id=Microsoft.Windows.Resources.NavFailOnline
• APDS.DLL
• https://go.microsoft.com/fwlink/?LinkId=517009
• ms-get-started://redirect?id=helpoffline
• kernelbase.dll
• %wswilntdll.dll
• mshelp://windows/?id=search
• https://go.microsoft.com/fwlink/?LinkID=528880
• mshelp://windows/?id=e513b1b3-a3c8-44e8-ab5a-d6f8e4fc5851
• https://go.microsoft.com/fwlink/?LinkId=528881
• https://go.microsoft.com/fwlink/?LinkId=528882
• mshelp://windows/?id=b8f62a7d-381a-4253-a52e-04883e076bbe
• https://go.microsoft.com/fwlink/?LinkId=528884
• mshelp://windows/?id=617624ee-08f3-4aff-9713-5e84a9674a26
• https://go.microsoft.com/fwlink/?LinkId=528885
• mshelp://windows/?id=f55326fa-e629-423b-abba-b30f76cc61e6
• https://go.microsoft.com/fwlink/?LinkId=528886
• mshelp://windows/?id=7704b5cf-ddb8-4062-acb3-0da9b2b916d7
• https://go.microsoft.com/fwlink/?LinkId=528887
• mshelp://windows/?id=b92c299f-966c-48ab-bb10-b17a65098938
• https://go.microsoft.com/fwlink/?linkid=2100093
• mshelp://windows/?id=89a00b32-096e-4b45-8138-5f8d76537daf
• https://go.microsoft.com/fwlink/?LinkId=528888
• mshelp://windows/?id=219a6820-d9aa-47f0-bbf0-c804b4b5b7da
• https://go.microsoft.com/fwlink/?LinkId=797549
• mshelp://Windows/?id=1337CDBA-52A2-4704-AD4D-2D7BACE605B4
• https://go.microsoft.com/fwlink/?LinkId=797554
• mshelp://windows/?id=5de7c31f-1b8b-4431-9d3d-c0994939b186
• https://go.microsoft.com/fwlink/p/?linkid=827594
• mshelp://windows/?id=ea4680d1-6962-463b-b29b-351efa676f9e
• https://go.microsoft.com/fwlink/?linkid=839897
• mshelp://windows/?id=68dd14f2-a9cb-4134-a076-b8abb011a1f6
• https://go.microsoft.com/fwlink/p/?linkid=852246
• mshelp://windows/?id=7ef664a7-395c-4cb3-9178-deb08ed4df2c
• https://go.microsoft.com/fwlink/p/?linkid=852335
• mshelp://windows/?id=8e208950-1fd1-42b3-863b-261352113e3e
• https://go.microsoft.com/fwlink/?linkid=847864
• mshelp://windows/?id=109FEE07-FA1B-4772-A74E-D9C13D612416
• https://go.microsoft.com/fwlink/?LinkID=275852
• mshelp://windows/?id=27360954-FA80-4EBF-8728-8B6034E2D985
• https://go.microsoft.com/fwlink/?LinkID=2004354
• mshelp://windows/?id=3B5D2C8E-B721-47E5-8BA1-F9AB164B49A7
• https://go.microsoft.com/fwlink/?LinkID=2004353
• mshelp://windows/?id=C90B49D6-28F3-47E1-B02C-15D1565C58D2
• https://go.microsoft.com/fwlink/?LinkID=2004265
• mshelp://windows/?id=495c2226-19f1-49eb-9fd8-6dd7f2c0b49e
• https://go.microsoft.com/fwlink/?LinkID=2004119
• mshelp://windows/?id=379810ee-75d9-4d02-a3b9-68cad94146aa
• https://go.microsoft.com/fwlink/?LinkID=2004229
• mshelp://windows/?id=2fa35b0d-b280-4589-9805-55e753888f5c
• https://go.microsoft.com/fwlink/?LinkID=2004327
• mshelp://windows/?id=046bae5b-44ba-4fd0-8c16-abd20ce6ee70
• https://go.microsoft.com/fwlink/?LinkID=2004439
• mshelp://windows/?id=0cd11bc8-617a-4d2f-9ec4-1850e7c10e97
• https://go.microsoft.com/fwlink/?LinkID=2004230
• mshelp://windows/?id=716e60f6-791d-412c-94d2-2d4cb81bbbc8
• https://go.microsoft.com/fwlink/?LinkID=2003812
• mshelp://windows/?id=76f61616-6d12-46ec-bac2-49969d130c79
• https://go.microsoft.com/fwlink/?LinkID=2004254
• mshelp://windows/?id=78540f6d-4505-497c-84cd-c37e1d9930aa
• https://go.microsoft.com/fwlink/?LinkID=2004349
• mshelp://windows/?id=27a2764a-ad05-4a52-96f4-eac32ae3c9e1
• https://go.microsoft.com/fwlink/?LinkID=2004257
• mshelp://windows/?id=7479c387-8dc4-40b6-9506-cc7a58c61f0a
• https://go.microsoft.com/fwlink/?LinkID=2004259
• mshelp://windows/?id=6b1b15e7-6e2f-4c62-be2f-687038699173
• https://go.microsoft.com/fwlink/?LinkID=2100680
• mshelp://windows/?id=8AE3AF55-FB22-4EC8-981D-8D5D40DBA1F4
• https://go.microsoft.com/fwlink/?LinkId=2004549
• mshelp://windows/?id=04011A64-E6A2-4D7F-A9B4-BD6678E2242C
• https://go.microsoft.com/fwlink/?LinkId=2004550
• mshelp://windows/?id=5ACF9D43-E134-4735-A6F5-DEADAD514076
• https://go.microsoft.com/fwlink/?LinkId=2004446
• mshelp://windows/?id=8C694008-04E7-4A24-9EC7-C0A8AE1F0F45
• https://go.microsoft.com/fwlink/?LinkId=2004447
• mshelp://windows/?id=ECB33A01-CA38-4A80-B25D-2AC044F64B54
• https://go.microsoft.com/fwlink/?LinkId=2004551
• msedge.exe
• var cssHref = 'mshelp://Help/?id=Microsoft.Windows.Resources.stylesheets.ErrorBanner'; var cssElement = document.createElement('link'); cssElement.href = cssHref; cssElement.rel = 'stylesheet'; cssElement.type = 'text/css'; document.querySelector('head').appendChild(cssElement);
• mshelp://Help/?id=19c47477-2ec8-4135-a41f-b81623c09b4c
• mshelp://windows/?id=2bded977-e911-47d0-bb5f-9e2639315a92
• mshelp://oem/?id=HomeTopic
• mshelp://oem/?id=BrowseTopic
• mshelp://oem/?id=EscalationTopic
• mshelp://oem/?id=ResourcesTopic
• NOT.IEX
• IPHLPAPI.DLL
• .BMP
• %systemroot%\system32\msdt.exe
• Oyzatlthunk.dll
• Global\HelpPaneUpdatingEvent
• USER32.DLL
• helppane.pdb
• .tls
• .bss
• msvcrt.dll
• 10.0.19041.906
• 3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">

Extra 4n4lysis:
Metric          Value    Percentage
Ascii Code      381997   35.4773%
Null Byte Code  393359   36.5325%
© 2024 All rights reserved.