PESCAN.IO - Analysis Report Basic
| File Structure |
PE Chart Code
Header PE (light blue)
Executable sections (pink)
Non-executable sections (black)
External injected code (red)
File Structure in red = malformed or corrupted header
Chart Code For Other Files
Printable characters (blue)
Non-printable characters (black)
| Information |
Size: 286,00 KB
SHA-256 Hash: 8FEA93D294D66B2F122F646B4D96916C433448FDFA8A0EBDE6AE67B76F265428
SHA-1 Hash: D38B075F0BD7618F270254CA28CFD6B4E5E2AC4A
MD5 Hash: 9A5643DEA51971396000AA1309B07177
Imphash: D964E70937B6D5022FC2E7EB41697E4C
MajorOSVersion: 5
MinorOSVersion: 1
CheckSum: 000522B7
EntryPoint (rva): 14C08
SizeOfHeaders: 400
SizeOfImage: 51000
ImageBase: 400000
Architecture: x86
ImportTable: 37964
IAT: 2D000
Characteristics: 122
TimeDateStamp: 5C837237
Date: 09/03/2019 7:58:47
File Type: EXE
Number Of Sections: 5
ASLR: Enabled
Section Names: .text, .rdata, .data, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 0x60000020 Code Executable Readable | 400 | 2BE00 | 1000 | 2BC2A | | |
| .rdata | 0x40000040 Initialized Data Readable | 2C200 | C200 | 2D000 | C030 | | |
| .data | 0xC0000040 Initialized Data Readable Writeable | 38400 | A00 | 3A000 | 7040 | | |
| .rsrc | 0x40000040 Initialized Data Readable | 38E00 | CC00 | 42000 | CA60 | | |
| .reloc | 0x42000040 Initialized Data GP-Relative Readable | 45A00 | 1E00 | 4F000 | 1E00 | | |
| Description |
OriginalFilename: chrlauncher.exe
CompanyName: Henry++
LegalCopyright: (c) 2015-2019 Henry++. All Rights Reversed.
ProductName: chrlauncher
FileVersion: 2.5.6
FileDescription: chrlauncher
ProductVersion: 2.5.6
Comments: https://www.henrypp.org
Language: English (United States) (ID=0x409)
CodePage: Western European (Windows 1252) (0x4E4)
| Entry Point |
Section 1 (.text) contains the entry point.
EntryPoint (calculated): 14008
Code: E8EB040000E97AFEFFFF558BECF6450801568BF1C7064CD54200740A6A0C56E807FBFFFF59598BC65E5DC20400E9C0B60000
Assembler:
CALL 0X14F0
JMP 0XE84
PUSH EBP
MOV EBP, ESP
TEST BYTE PTR [EBP + 8], 1
PUSH ESI
MOV ESI, ECX
MOV DWORD PTR [ESI], 0X42D54C
JE 0X1026
PUSH 0XC
PUSH ESI
CALL 0XB2B
POP ECX
POP ECX
MOV EAX, ESI
POP ESI
POP EBP
RET 4
JMP 0XC6F2
| Signatures |
Rich Signature Analyzer
Code: 72AF451936CE2B4A36CE2B4A36CE2B4A53A8284B3CCE2B4A53A82E4BAFCE2B4A53A82F4B24CE2B4A64A62F4B22CE2B4A64A6284B21CE2B4A64A62E4B1DCE2B4A53A82A4B2BCE2B4A36CE2A4A05CF2B4AA5A7224B07CE2B4AA5A7D44A37CE2B4AA5A7294B37CE2B4A5269636836CE2B4A
Footprint md5 Hash: 330E78604A7E1865FF362FFDEE1EA068
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found
• The file is not signed
| Packer/Compiler |
Detect It Easy (die)
• PE: compiler: EP:Microsoft Visual C/C++(2017 v.15.5-6)[EXE32]
• PE: compiler: Microsoft Visual C/C++(2017 v.15.9)[-]
• PE: linker: Microsoft Linker(14.16, Visual Studio 2017 15.9*)[-]
• Entropy: 6.75668
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | CreateMutexW | Create a named or unnamed mutex object for controlling access to a shared resource. |
| KERNEL32.DLL | VirtualAlloc | Reserve, commit, or both, a region of memory within the virtual address space of a process. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | LoadLibraryW | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |
| SHELL32.DLL | ShellExecuteW | Performs an operation (such as opening or running) on a specified file. |
| Windows REG (UNICODE) |
| Software\Microsoft\Windows\CurrentVersion\Explorer\DontShowMeThisDialogAgain |
| File Access |
| VERSION.dll WINHTTP.dll UxTheme.dll SHLWAPI.dll PSAPI.DLL COMCTL32.dll SHELL32.dll ADVAPI32.dll GDI32.dll USER32.dll KERNEL32.dll .dat @.dat Temp |
| File Access (UNICODE) |
| chrlauncher.exe chrome.exe chromium.exe vivaldi.exe slimjet.exe opera.exe iron.exe iridium.exe dragon.exe waterfox.exe palemoon.exe basilisk.exe firefox.exe \plugins\pepflashplayer.dll dwmapi.dll uxtheme.dll IsWow64Processuser32.dll TaskDialogIndirectshell32.dll comctl32.dll shlwapi.dll imagehlp.dll kernel32.dll mscoree.dll CA@DAapi-ms-win-core-synch-l1-2-0.dll %s\portable.dat _debug.log QueryFullProcessImageNameW*.ini %s\%s.ini Temp AppData |
| Words of Interest |
| exec attrib start systeminfo expand |
| Words of Interest (UNICODE) |
| start |
| URLs |
| http://schemas.microsoft.com/SMI/2005/WindowsSettings |
| URLs (UNICODE) |
| https://www.henrypp.org https://github.com/henrypp https://www.henrypp.org/donate?from=%s https://chromium.woolyss.com/api/v3/?os=windows&bit=%d&type=%s&out=string https://github.com/henrypp">github.com/henrypp</a> <a href=" https://chromium.woolyss.com">chromium.woolyss.com</a> |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | Registry (RegOpenKeyEx) |
| Text | Ascii | File (GetTempPath) |
| Text | Ascii | File (CreateFile) |
| Text | Unicode | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | File (ReadFile) |
| Text | Ascii | Anti-Analysis VM (IsDebuggerPresent) |
| Text | Ascii | Reconnaissance (FindFirstFileW) |
| Text | Ascii | Reconnaissance (FindNextFileW) |
| Text | Ascii | Reconnaissance (FindClose) |
| Text | Ascii | Stealth (ExitThread) |
| Text | Ascii | Stealth (ReleaseSemaphore) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Stealth (VirtualAlloc) |
| Text | Ascii | Execution (CreateProcessW) |
| Text | Ascii | Execution (ShellExecute) |
| Text | Ascii | Execution (ResumeThread) |
| Text | Ascii | Execution (CreateSemaphoreW) |
| Text | Ascii | Execution (CreateEventW) |
| Text | Unicode | Keyboard Key (Alt+) |
| Text | Unicode | Keyboard Key (Alt+F4) |
| Text | Unicode | Malicious rerouting of traffic to an attacker-controlled site (Redirect) |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | PE-Exe Executable Image |
| Entry Point | Hex Pattern | VC8 - Microsoft Corporation |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \ICON\1\1033 | 42750 | 5EAF | 39550 | 89504E470D0A1A0A0000000D49484452000001000000010008060000005C72A86600005E76494441547801ECD40111003008 | .PNG........IHDR.............\r.f..vIDATx......0. |
| \ICON\2\1033 | 48600 | EA8 | 3F400 | 28000000300000006000000001000800000000000000000000000000000000000000000000000000C45E3500BF5E3A00C860 | (...0...................................5..:.. |
| \ICON\3\1033 | 494A8 | 25A8 | 402A8 | 28000000300000006000000001002000000000000000000000000000000000000000000000000000FFFFFF00FFFFFF00FFFF | (...0........ ................................... |
| \ICON\4\1033 | 4BA50 | 8A8 | 42850 | 28000000200000004000000001000800000000000000000000000000000000000000000000000000C2593000C8603600C461 | (... ...@................................Y0..6..a |
| \ICON\5\1033 | 4C2F8 | 10A8 | 430F8 | 28000000200000004000000001002000000000000000000000000000000000000000000000000000FFFFFF00FFFFFF00FFFF | (... ...@..... ................................... |
| \ICON\6\1033 | 4D3A0 | 568 | 441A0 | 28000000100000002000000001000800000000000000000000000000000000000000000000000000CA683F00D66E3C00D76E | (....... ................................h?..n<..n |
| \ICON\7\1033 | 4D908 | 468 | 44708 | 28000000100000002000000001002000000000000000000000000000000000000000000000000000FFFFFF00FFFFFF00FFFF | (....... ..... ................................... |
| \MENU\100\1033 | 423E8 | 52 | 391E8 | 0000000010002000000000006D002000000000006F002000000000000000000080007000200000001000200000009000200000008000E8032000000090002000000000007100200000008000720020000000 | ...... .....m. .....o. ...........p. ..... ..... ....... ..... .....q. .....r. ... |
| \MENU\101\1033 | 42440 | 4A | 39240 | 0000000090000000000073002000000000000000000000007400200000000000750020000000000000000000000076002000000000007700200000000000000000008000780020000000 | ..........s. ...........t. .....u. ...........v. .....w. ...........x. ... |
| \DIALOG\100\1033 | 42490 | 2BE | 39290 | 0100FFFF0000000000000002C808CA80090000000000EE008600FFFF640000006300680072006C00610075006E0063006800 | ............................d...c.h.r.l.a.u.n.c.h. |
| \STRING\1\1033 | 4E690 | 11C | 45490 | 00000400460069006C00650005005300740061007200740004004F00700065006E0004004500780069007400080053006500 | ....F.i.l.e...S.t.a.r.t...O.p.e.n...E.x.i.t...S.e. |
| \STRING\2\1033 | 4E7B0 | 2AA | 455B0 | 0F0044006F0077006E006C006F006100640020007500700064006100740065000E0049006E007300740061006C006C002000 | ..D.o.w.n.l.o.a.d. .u.p.d.a.t.e...I.n.s.t.a.l.l. . |
| \ACCELERATOR\1\1033 | 423D0 | 18 | 391D0 | 090045006E000000010071006F0000009100730070000000 | ..E.n.....q.o.....s.p... |
| \GROUP_ICON\100\1033 | 4DD70 | 68 | 44B70 | 0000010007000000000001002000AF5E000001003030000001000800A80E000002003030000001002000A825000003002020 | ............ ......00............00.... ..%.... |
| \VERSION\1\1033 | 4E368 | 324 | 45168 | 240334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000500 | $.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \24\1\1033 | 4DDD8 | 58E | 44BD8 | 3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D227574662D3822207374616E64616C6F6E653D2279 | <?xml version="1.0" encoding="utf-8" standalone="y |
| Intelligent String |
• https://www.henrypp.org
• mscoree.dll
• kernel32.dll
• %s\%s.ini
• %s\portable.dat
• %s\%s.lng
• https://github.com/henrypp
• https://www.henrypp.org/donate?from=%s
• imagehlp.dll
• _debug.log
• shlwapi.dll
• comctl32.dll
• TaskDialogIndirect
• shell32.dll
• user32.dll
• uxtheme.dll
• dwmapi.dll
• *.ini
• firefox.exe
• basilisk.exe
• palemoon.exe
• waterfox.exe
• dragon.exe
• iridium.exe
• iron.exe
• opera.exe
• slimjet.exe
• vivaldi.exe
• chromium.exe
• chrome.exe
• %s\chrlauncherCache_%d.bin
• .\plugins\pepflashplayer.dll
• https://chromium.woolyss.com/api/v3/?os=windows&bit=%d&type=%s&out=string
• %s.tmp
• .tls
• .bss
• KERNEL32.dll
• COMCTL32.dll
• <a href="https://github.com/henrypp">github.com/henrypp</a>
• <a href="https://chromium.woolyss.com">chromium.woolyss.com</a>
• <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
• chrlauncher.exe
| Flow Anomalies |
| Offset | RVA | Section | Instruction | Description |
|---|---|---|---|---|
| 405 | 42D2AC | .text | CALL [static] | Indirect call to absolute memory address |
| 678 | 42D1F0 | .text | CALL [static] | Indirect call to absolute memory address |
| 6A9 | 42D204 | .text | CALL [static] | Indirect call to absolute memory address |
| 70C | 42D350 | .text | CALL [static] | Indirect call to absolute memory address |
| 717 | 42D058 | .text | CALL [static] | Indirect call to absolute memory address |
| 737 | 42D2A8 | .text | CALL [static] | Indirect call to absolute memory address |
| 74E | 42D230 | .text | CALL [static] | Indirect call to absolute memory address |
| 767 | 42D280 | .text | CALL [static] | Indirect call to absolute memory address |
| 774 | 42D238 | .text | CALL [static] | Indirect call to absolute memory address |
| 77B | 42D250 | .text | CALL [static] | Indirect call to absolute memory address |
| 7E9 | 42D270 | .text | CALL [static] | Indirect call to absolute memory address |
| 838 | 42D260 | .text | CALL [static] | Indirect call to absolute memory address |
| 8BA | 42D21C | .text | CALL [static] | Indirect call to absolute memory address |
| 8C6 | 42D20C | .text | CALL [static] | Indirect call to absolute memory address |
| 8DF | 42D200 | .text | CALL [static] | Indirect call to absolute memory address |
| A25 | 42D220 | .text | CALL [static] | Indirect call to absolute memory address |
| A90 | 42D238 | .text | CALL [static] | Indirect call to absolute memory address |
| AD2 | 42D228 | .text | CALL [static] | Indirect call to absolute memory address |
| AFE | 42D214 | .text | CALL [static] | Indirect call to absolute memory address |
| B07 | 42D20C | .text | CALL [static] | Indirect call to absolute memory address |
| B21 | 42D238 | .text | CALL [static] | Indirect call to absolute memory address |
| B60 | 42D228 | .text | CALL [static] | Indirect call to absolute memory address |
| B70 | 42D210 | .text | CALL [static] | Indirect call to absolute memory address |
| B7F | 42D238 | .text | CALL [static] | Indirect call to absolute memory address |
| BA0 | 42D31C | .text | CALL [static] | Indirect call to absolute memory address |
| BA9 | 42D214 | .text | CALL [static] | Indirect call to absolute memory address |
| BB4 | 42D20C | .text | CALL [static] | Indirect call to absolute memory address |
| BF1 | 42D384 | .text | CALL [static] | Indirect call to absolute memory address |
| BF7 | 42D1FC | .text | CALL [static] | Indirect call to absolute memory address |
| C08 | 42D32C | .text | CALL [static] | Indirect call to absolute memory address |
| C54 | 42D310 | .text | CALL [static] | Indirect call to absolute memory address |
| C8D | 42D2A0 | .text | CALL [static] | Indirect call to absolute memory address |
| CC4 | 42D348 | .text | CALL [static] | Indirect call to absolute memory address |
| CD8 | 42D2F0 | .text | CALL [static] | Indirect call to absolute memory address |
| CEA | 42D264 | .text | CALL [static] | Indirect call to absolute memory address |
| E23 | 42D21C | .text | CALL [static] | Indirect call to absolute memory address |
| E57 | 42D3C4 | .text | CALL [static] | Indirect call to absolute memory address |
| E87 | 42D234 | .text | CALL [static] | Indirect call to absolute memory address |
| EB3 | 42D0C0 | .text | CALL [static] | Indirect call to absolute memory address |
| F04 | 42D20C | .text | CALL [static] | Indirect call to absolute memory address |
| 13C3 | 42D240 | .text | CALL [static] | Indirect call to absolute memory address |
| 15A2 | 42D26C | .text | CALL [static] | Indirect call to absolute memory address |
| 15C4 | 42D010 | .text | CALL [static] | Indirect call to absolute memory address |
| 15E5 | 42D008 | .text | CALL [static] | Indirect call to absolute memory address |
| 15FC | 42D00C | .text | CALL [static] | Indirect call to absolute memory address |
| 1605 | 42D014 | .text | CALL [static] | Indirect call to absolute memory address |
| 1697 | 42D1FC | .text | CALL [static] | Indirect call to absolute memory address |
| 16C6 | 42D228 | .text | CALL [static] | Indirect call to absolute memory address |
| 16D9 | 42D210 | .text | CALL [static] | Indirect call to absolute memory address |
| 197A | 42D254 | .text | CALL [static] | Indirect call to absolute memory address |
| 1A16 | 42D214 | .text | CALL [static] | Indirect call to absolute memory address |
| 1A21 | 42D20C | .text | CALL [static] | Indirect call to absolute memory address |
| 1A7F | 42D348 | .text | CALL [static] | Indirect call to absolute memory address |
| 1B06 | 42D38C | .text | CALL [static] | Indirect call to absolute memory address |
| 1B23 | 42D330 | .text | CALL [static] | Indirect call to absolute memory address |
| 1B44 | 42D308 | .text | CALL [static] | Indirect call to absolute memory address |
| 1B59 | 42D380 | .text | CALL [static] | Indirect call to absolute memory address |
| 1B67 | 42D300 | .text | CALL [static] | Indirect call to absolute memory address |
| 1B98 | 42D340 | .text | CALL [static] | Indirect call to absolute memory address |
| 1C0C | 42D398 | .text | CALL [static] | Indirect call to absolute memory address |
| 1C6C | 42D340 | .text | CALL [static] | Indirect call to absolute memory address |
| 1C87 | 42D390 | .text | CALL [static] | Indirect call to absolute memory address |
| 1CAE | 42D380 | .text | CALL [static] | Indirect call to absolute memory address |
| 1CF1 | 42D05C | .text | CALL [static] | Indirect call to absolute memory address |
| 1D3C | 42D050 | .text | CALL [static] | Indirect call to absolute memory address |
| 1DA4 | 42D208 | .text | CALL [static] | Indirect call to absolute memory address |
| 1DB6 | 42D204 | .text | CALL [static] | Indirect call to absolute memory address |
| 1DE9 | 42D1F4 | .text | CALL [static] | Indirect call to absolute memory address |
| 1E9A | 42D39C | .text | CALL [static] | Indirect call to absolute memory address |
| 1EAA | 42D388 | .text | CALL [static] | Indirect call to absolute memory address |
| 1F0F | 42D314 | .text | CALL [static] | Indirect call to absolute memory address |
| 1F22 | 42D308 | .text | CALL [static] | Indirect call to absolute memory address |
| 1F70 | 42D390 | .text | CALL [static] | Indirect call to absolute memory address |
| 1F98 | 42D380 | .text | CALL [static] | Indirect call to absolute memory address |
| 1FB8 | 42D304 | .text | CALL [static] | Indirect call to absolute memory address |
| 1FE3 | 42D340 | .text | CALL [static] | Indirect call to absolute memory address |
| 2044 | 42D380 | .text | CALL [static] | Indirect call to absolute memory address |
| 21A2 | 42D34C | .text | CALL [static] | Indirect call to absolute memory address |
| 21CD | 42D380 | .text | CALL [static] | Indirect call to absolute memory address |
| 220A | 42D330 | .text | CALL [static] | Indirect call to absolute memory address |
| 2237 | 42D340 | .text | CALL [static] | Indirect call to absolute memory address |
| 228E | 42D30C | .text | CALL [static] | Indirect call to absolute memory address |
| 23DD | 42D258 | .text | CALL [static] | Indirect call to absolute memory address |
| 2460 | 42D33C | .text | CALL [static] | Indirect call to absolute memory address |
| 24BA | 42D258 | .text | CALL [static] | Indirect call to absolute memory address |
| 2555 | 42D258 | .text | CALL [static] | Indirect call to absolute memory address |
| 25DE | 42D258 | .text | CALL [static] | Indirect call to absolute memory address |
| 266B | 42D1F8 | .text | CALL [static] | Indirect call to absolute memory address |
| 267B | 42D204 | .text | CALL [static] | Indirect call to absolute memory address |
| 26A1 | 42D370 | .text | CALL [static] | Indirect call to absolute memory address |
| 2761 | 42D318 | .text | CALL [static] | Indirect call to absolute memory address |
| 279D | 42D340 | .text | CALL [static] | Indirect call to absolute memory address |
| 27A9 | 42D30C | .text | CALL [static] | Indirect call to absolute memory address |
| 27C2 | 42D334 | .text | CALL [static] | Indirect call to absolute memory address |
| 280B | 42D328 | .text | CALL [static] | Indirect call to absolute memory address |
| 2831 | 42D2F4 | .text | CALL [static] | Indirect call to absolute memory address |
| 2882 | 42D2F8 | .text | CALL [static] | Indirect call to absolute memory address |
| 28AC | 42D328 | .text | CALL [static] | Indirect call to absolute memory address |
| 28E5 | 42D2F4 | .text | CALL [static] | Indirect call to absolute memory address |
| 2CE6 | 42D338 | .text | CALL [static] | Indirect call to absolute memory address |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 168399 | 57,5008% |
| Null Byte Code | 48618 | 16,6009% |