PESCAN.IO - Analysis Report Basic

Information
Size: 39.00 KB (39,936 bytes = 0x9C00, the end of the last section, .rsrc)
SHA-256 Hash: E8FAFE40B6A42E58ECFD8CCAB1390F294E8E723025013110527D1CB1E8354ECF
SHA-1 Hash: 71EF29A2D4BDC4A127E0DFEEDB6D0CFBC1F03677
MD5 Hash: B625B9F4503266BCEB7E16D2DBB9B3BD
Imphash: 6A184009919D70FD66E28B0ECEAEB226
MajorOSVersion: 5
MinorOSVersion: 1 (minimum OS version 5.1 = Windows XP)
CheckSum: 00000000 (not set; normal for unsigned, non-driver binaries)
EntryPoint (rva): 4150
SizeOfHeaders: 400
SizeOfImage: D000
ImageBase: 400000
Architecture: x86
ImportTable: 90CC (in .rdata, file offset 80CC)
IAT: 6000 (start of .rdata, file offset 5000)
Characteristics: 103 (RELOCS_STRIPPED | EXECUTABLE_IMAGE | 32BIT_MACHINE)
TimeDateStamp: 0
Date: 01/01/1970 (timestamp zeroed; the build date cannot be recovered from the header)
File Type: EXE
Number Of Sections: 4
ASLR: Disabled (with relocations stripped the image can only be mapped at 400000, so it cannot be randomized)
Section Names: .text, .rdata, .data, .rsrc
Number Of Executable Sections: 1
Subsystem: Windows GUI

Sections Info
All offsets and sizes are hexadecimal: ROffset = PointerToRawData, RSize = SizeOfRawData, VOffset = VirtualAddress (RVA), VSize = VirtualSize.

Name    Flags       Characteristics                          ROffset  RSize  VOffset  VSize  Entropy  Chi2
.text   0x60000020  Code, Executable, Readable               400      4C00   1000     4B2E   6.2206   140064.29
.rdata  0x40000040  Initialized Data, Readable               5000     4200   6000     40F6   4.6649   705694.7
.data   0xC0000040  Initialized Data, Readable, Writeable    9200     600    B000     AEC    4.2417   82099.67
.rsrc   0x40000040  Initialized Data, Readable               9800     400    C000     3D0    3.2122   93599

Note: .data has VSize AEC but only 600 raw bytes, so its last 4EC bytes exist only in memory as zero-filled (uninitialised) data; addresses in that range have no file offset.
Description (VS_VERSIONINFO strings as parsed)
OriginalFilename: FileVersion
CompanyName: Microsoft Corporation
LegalCopyright: CompanyName
ProductName: Microsoft Windows Operating System
FileVersion: 10.0.18362.1 (WinBuild.160101.0800)
Comments: \VarFileInfo\Translation
PrivateBuild: LegalTrademarks
Language: Unknown (ID=0xFFFF)
CodePage: Unicode (UTF-16 LE) (0x4B0)
Note: several of the "values" above are themselves field or block names (OriginalFilename = "FileVersion", LegalCopyright = "CompanyName", Comments = "\VarFileInfo\Translation", PrivateBuild = "LegalTrademarks"), so the key/value pairs came out misaligned when the resource was parsed. The Microsoft CompanyName/ProductName/FileVersion strings are unverified claims made by the file itself; with no Authenticode signature (see Signatures) nothing corroborates them.

Entry Point
The entry point lies in section 1 (.text).
EntryPoint file offset (calculated): 3550 = RVA 4150 - .text VirtualAddress 1000 + PointerToRawData 400
Code (first 50 bytes at the entry point): 51515355565733DB5353FF15A862400033ED4555BE5CBA400056FF151060400053535556FF15146040006804010000BF50B8
Assembler
PUSH ECX
PUSH ECX
PUSH EBX
PUSH EBP
PUSH ESI
PUSH EDI
XOR EBX, EBX
PUSH EBX
PUSH EBX
CALL DWORD PTR [0X4062A8]
XOR EBP, EBP
INC EBP
PUSH EBP
MOV ESI, 0X40BA5C
PUSH ESI
CALL DWORD PTR [0X406010]
PUSH EBX
PUSH EBX
PUSH EBP
PUSH ESI
CALL DWORD PTR [0X406014]
PUSH 0X104
(the trailing bytes BF 50 B8 are the start of a MOV EDI, imm32 cut off by the 50-byte window)
Notes: the three CALL DWORD PTR targets (4062A8, 406010, 406014) are IAT slots (IAT at RVA 6000 = VA 406000), so each is an import call; the imported names cannot be resolved from this report alone. ESI is loaded with 40BA5C, an address in the zero-filled tail of .data (RVA BA5C is past the section's 600 raw bytes), i.e. an uninitialised buffer, and 104 (= 260, MAX_PATH) is pushed immediately after. The code is a plain function prologue reserving 8 bytes of locals (the two PUSH ECX), not the Visual C++ CRT startup stub, so the "Microsoft Visual C++ 8" hex-pattern match listed under the rules below is a weak compiler attribution.
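The RVA-to-file-offset arithmetic behind "EntryPoint (calculated)" and the IAT slot mapping, as an added example that is not part of the pescan.io report. It uses only the section table and header values printed above (copied into the script as constants, nothing is read from disk) and reproduces the report's own numbers: entry point 4150 -> 3550, resource RVA C060 -> 9860, import table 90CC -> 80CC. The helper names are this example's own, not the tool's.

```python
from dataclasses import dataclass

# Header values copied from the report above.
IMAGE_BASE = 0x400000
ENTRY_RVA = 0x4150
IAT_RVA = 0x6000


@dataclass(frozen=True)
class Section:
    name: str
    raw_offset: int     # PointerToRawData
    raw_size: int       # SizeOfRawData
    virtual_addr: int   # VirtualAddress (RVA)
    virtual_size: int   # VirtualSize
    characteristics: int


# Section table as listed under "Sections Info" in the report.
SECTIONS = [
    Section(".text",  0x400,  0x4C00, 0x1000, 0x4B2E, 0x60000020),
    Section(".rdata", 0x5000, 0x4200, 0x6000, 0x40F6, 0x40000040),
    Section(".data",  0x9200, 0x600,  0xB000, 0xAEC,  0xC0000040),
    Section(".rsrc",  0x9800, 0x400,  0xC000, 0x3D0,  0x40000040),
]


def section_for_rva(rva, sections=SECTIONS):
    """Section whose in-memory range contains rva, or None."""
    for s in sections:
        span = max(s.virtual_size, s.raw_size)
        if s.virtual_addr <= rva < s.virtual_addr + span:
            return s
    return None


def rva_to_offset(rva, sections=SECTIONS):
    """RVA -> file offset. Raises if the RVA has no backing bytes on disk
    (outside every section, or in a section's zero-filled virtual tail)."""
    s = section_for_rva(rva, sections)
    if s is None:
        raise ValueError(f"RVA {rva:#x} is outside every section")
    delta = rva - s.virtual_addr
    if delta >= s.raw_size:
        raise ValueError(f"RVA {rva:#x} lies in the uninitialised tail of {s.name}")
    return s.raw_offset + delta


def va_to_offset(va, image_base=IMAGE_BASE, sections=SECTIONS):
    """Absolute address (as seen in CALL DWORD PTR [va]) -> file offset."""
    return rva_to_offset(va - image_base, sections)


def iat_slot_index(va, iat_rva=IAT_RVA, image_base=IMAGE_BASE):
    """Index of the 32-bit IAT entry that CALL DWORD PTR [va] reads."""
    rva = va - image_base
    if rva < iat_rva or (rva - iat_rva) % 4:
        raise ValueError(f"{va:#x} is not a 4-byte aligned IAT slot")
    return (rva - iat_rva) // 4


# IMAGE_FILE_HEADER.Characteristics bits relevant here (PE/COFF spec values).
CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}


def decode_characteristics(value):
    return [name for bit, name in CHARACTERISTICS.items() if value & bit]


if __name__ == "__main__":
    print(f"entry point file offset: {rva_to_offset(ENTRY_RVA):#x}")
    for target in (0x4062A8, 0x406010, 0x406014):
        print(f"CALL [{target:#x}] -> IAT slot {iat_slot_index(target)}, "
              f"file offset {va_to_offset(target):#x}")
    print("Characteristics 0x103 =", " | ".join(decode_characteristics(0x103)))
    try:
        va_to_offset(0x40BA5C)          # the MOV ESI operand at the entry point
    except ValueError as err:
        print("MOV ESI, 0x40BA5C:", err)
```

The last call shows the edge case a naive converter gets wrong: 40BA5C maps into .data past its 600 raw bytes, so there is no file offset to patch or dump; the function raises instead of returning a bogus offset. With the actual sample in hand, the same arithmetic is what `pefile`'s `get_offset_from_rva` performs, and the IAT slot indices can then be matched to import names.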
Signatures
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler
Detect It Easy (die): no packer or protector signature listed
Entropy: 5.80782 (whole file; .text at 6.22 is ordinary compiled code, well below the 7+ typical of compressed or encrypted sections)

Suspicious Functions
Library Function Description
KERNEL32.DLL VirtualAlloc Reserve, commit, or both, a region of memory within the virtual address space of a process.
KERNEL32.DLL GetModuleHandleA Retrieves a handle to the specified module.
KERNEL32.DLL WriteFile Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL LoadLibraryW Loads the specified module into the address space of the calling process.
KERNEL32.DLL CreateToolhelp32Snapshot Creates a snapshot of the specified processes, heaps, threads, and modules.
KERNEL32.DLL GetProcAddress Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
SHELL32.DLL ShellExecuteExW Performs a run operation on a specific file.
NtosKrnl.exe ZwOpenProcess Opens a process object. (The tool attributes this name to the kernel image; in a user-mode EXE the Zw*/Nt* export is resolved from ntdll.dll, which appears in the File Access list below.)
Windows REG (UNICODE)
Registry paths present as UTF-16 strings. They cover VNC server configuration (RealVNC, ORL\WinVNC3, TightVNC), Winlogon and SpecialAccounts\Userlist, Security Center and Windows Defender notification settings, Terminal Server RDP-Tcp, SafeBoot, WDigest and LSA, and the Uninstall and RunMRU keys.
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
SOFTWARE\Policies\Microsoft\Windows\System
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist
Software\Microsoft\Windows NT\CurrentVersion\ICM\Calibration
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
Software\Microsoft\Windows\CurrentVersion\Uninstall
SOFTWARE\RealVNC\WinVNC4
SOFTWARE\RealVNC\vncserver
SOFTWARE\ORL\WinVNC3
SOFTWARE\TightVNC\Server
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications
SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance
SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings
SOFTWARE\Microsoft\Windows\CurrentVersion\ImmersiveShell
SOFTWARE\Policies\Microsoft\Windows\Explorer
SOFTWARE\Microsoft\Security Center\Svc
SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications
SOFTWARE\Microsoft\Windows Defender\Features
SOFTWARE\Policies\Microsoft\Windows Defender
Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
System\CurrentControlSet\Control\Lsa
SYSTEM\CurrentControlSet\Control\SafeBoot\%s
SYSTEM\CurrentControlSet\Services
SYSTEM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
SYSTEM\CurrentControlSet\Control\Terminal Server
SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
Rebuilt string - SOFTWARE\Policies\Microsoft\Windows\System

File Access
OLEAUT32.dll
SHELL32.dll
ole32.dll
ADVAPI32.dll
PSAPI.DLL
NETAPI32.dll
USERENV.dll
VERSION.dll
ntdll.dll
SHLWAPI.dll
KERNEL32.dll
USER32.dll
@.dat

File Access (UNICODE)
wpfw.exe
smartscreen.exe
SecurityHealthSystray.exe
SecurityHealthService.exe
tvnserver.exe
winvnc.exe
vncserver.exe
winvnc4.exe
msiexec.exe
winlogon.exe
\explorer.exe
explorer.exe
kernel32.dll
SrClient.dll
logging.dll
EvtNextChannelPath / EvtOpenChannelEnum / EvtClearLog / wevtapi.dll (four adjacent strings run together in the dump: three wevtapi.dll export names and the DLL name)
samsrv.dll
mslogon.log
WinVNC.log
log.txt
ultravnc.ini

WQL (WMI) Queries
select * from SystemRestore
select * from Win32_ShadowCopy

Words of Interest
Virus
exec
attrib
start
systeminfo

Words of Interest (UNICODE)
shadowcopy
Virus
taskkill
PassWord
exec
taskkill
comspec
shutdown
fsutil
ping

IP Addresses
127.0.0.1

Strings/Hex Code Found With The File Rules
Type Encoding Rule (Matched word)
Text Ascii Registry (RegCreateKeyEx)
Text Ascii Registry (RegOpenKeyEx)
Text Ascii Registry (RegSetValueEx)
Text Ascii File (CreateFile)
Text Ascii File (WriteFile)
Text Ascii Service (OpenSCManager)
Text Ascii Anti-Analysis VM (GetVersion)
Text Ascii Anti-Analysis VM (CreateToolhelp32Snapshot)
Text Ascii Reconnaissance (FindFirstFileW)
Text Ascii Reconnaissance (FindNextFileW)
Text Ascii Reconnaissance (FindClose)
Text Ascii Stealth (CloseHandle)
Text Ascii Stealth (VirtualAlloc)
Text Ascii Stealth (VirtualProtect)
Text Ascii Execution (CreateProcessW)
Text Ascii Execution (ShellExecute)
Text Ascii Execution (OpenEventW)
Text Ascii Execution (CreateEventW)
Text Unicode Antivirus Software (defender)
Text Unicode Privileges (SeAssignPrimaryTokenPrivilege)
Text Unicode Privileges (SeDebugPrivilege)
Text Unicode Privileges (SeImpersonatePrivilege)
Text Unicode Privileges (SeIncreaseQuotaPrivilege)
Text Unicode Privileges (SeRestorePrivilege)
Text Unicode Privileges (SeSecurityPrivilege)
Text Ascii Software that secretly monitors and collects user information (Spyware)
Text Unicode Software that secretly monitors and collects user information (Spyware)
Text Ascii Malware that monitors and collects user data (Spy)
Text Unicode Malware that monitors and collects user data (Spy)
Text Unicode Information used for user authentication (Credential)
Text Unicode Unauthorized movement of funds or data (Transfer)
Text Ascii Malicious rerouting of traffic to an attacker-controlled site (Redirect)
Entry Point Hex Pattern Compiler (Microsoft Visual C++ 8)
Resources
Path DataRVA Size FileOffset Data (hex, then as text)
\VERSION\1\1033 C060 36C 9860 6C0334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000
l.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
(The first word 6C03 is wLength = 0x36C, matching Size; the UTF-16 key "VS_VERSION_INFO" is followed by the VS_FIXEDFILEINFO signature FEEF04BD stored little-endian as BD04EFFE.)
Intelligent String
• kernel32.dll
• samsrv.dll
• asp.net
• ASP.NET
• explorer.exe
• \explorer.exe
• winlogon.exe
• EvtClearLog / wevtapi.dll (two adjacent strings run together)
• msiexec.exe
• ultravnc.ini
• WinVNC.log
• mslogon.log
• logging.dll
• winvnc4.exe
• vncserver.exe
• winvnc.exe
• tvnserver.exe
• log.txt
• SecurityHealthService.exe
• SecurityHealthSystray.exe
• smartscreen.exe
• /d /c ping -n 2 127.0.0.1 > NUL & taskkill /f /pid %d & fsutil file setzerodata offset=0 length=524288 "%s" & del "%s" > NUL & exit
• SrClient.dll
• KERNEL32.dll
• NETAPI32.dll
• wpfw.exe
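The cmd.exe template in the Intelligent String list (ping delay, taskkill of a PID, fsutil setzerodata to zero the first 512 KiB, del) is a self-deletion chain, and it is a good candidate for a process-creation detection. The script below is an added example, not part of the pescan.io report: it parses command lines of the kind found in Sysmon Event ID 1 or Security 4688 records, splits the &-chain, and flags only the full taskkill -> fsutil setzerodata -> del pattern on one and the same file, so that a plain "ping ... & del" cleanup or a lone fsutil call does not fire. The sample events, PIDs and paths are constructed for the demonstration.

```python
import re

# Constructed process-creation events (not real telemetry). The first one is the
# binary's template from the strings above with %d and %s filled in (PID and path
# invented); the other two are benign look-alikes sharing only one part of the chain.
SAMPLE_EVENTS = [
    {"pid": 4711,
     "cmdline": ('cmd.exe /d /c ping -n 2 127.0.0.1 > NUL & taskkill /f /pid 4312 '
                 '& fsutil file setzerodata offset=0 length=524288 '
                 '"C:\\Users\\alice\\AppData\\Local\\Temp\\sample.exe" '
                 '& del "C:\\Users\\alice\\AppData\\Local\\Temp\\sample.exe" > NUL & exit')},
    {"pid": 4712,
     "cmdline": 'cmd.exe /c ping -n 2 127.0.0.1 > NUL & del "C:\\Temp\\old.log"'},
    {"pid": 4713,
     "cmdline": 'fsutil file setzerodata offset=0 length=4096 "D:\\vm\\disk.vhdx"'},
]

# Leading "cmd.exe /d /c", "C:\...\cmd.exe /c" and similar in front of the real command.
_CMD_PREFIX = re.compile(r'^\s*(?:"[^"]*cmd(?:\.exe)?"|\S*cmd(?:\.exe)?)\s+(?:/[a-z]\s+)*', re.I)
# Redirections such as "> NUL" or "2>>log.txt" that would otherwise pollute the operands.
_REDIRECT = re.compile(r'\s*\d?>>?\s*\S+')


def split_chain(cmdline):
    """Split an &-chained cmd.exe line into its commands, ignoring '&' inside quotes."""
    body = _CMD_PREFIX.sub('', cmdline)
    parts, buf, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == '&' and not in_quote:
            parts.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append(''.join(buf))
    return [p for p in (_REDIRECT.sub('', x).strip() for x in parts) if p]


def _operand(command):
    """Last argument of a command (quoted path preferred), lower-cased for comparison."""
    quoted = re.findall(r'"([^"]*)"', command)
    if quoted:
        return quoted[-1].lower()
    tokens = command.split()
    return tokens[-1].lower() if len(tokens) > 1 else None


def detect_self_delete(cmdline):
    """Flag the taskkill -> fsutil setzerodata -> del chain applied to the same file."""
    delay, kill_pid, wiped, deleted = False, None, set(), set()
    for cmd in split_chain(cmdline):
        tokens = cmd.split()
        verb = tokens[0].lower()
        if verb == 'ping' and '-n' in tokens and '127.0.0.1' in tokens:
            delay = True                      # sleep substitute: lets the parent exit first
        elif verb == 'taskkill':
            m = re.search(r'/pid\s+(\d+)', cmd, re.I)
            if m:
                kill_pid = int(m.group(1))
        elif verb == 'fsutil' and [t.lower() for t in tokens[1:3]] == ['file', 'setzerodata']:
            wiped.add(_operand(cmd))          # zero the file body before deleting it
        elif verb in ('del', 'erase'):
            deleted.add(_operand(cmd))
    targets = sorted(t for t in wiped & deleted if t)
    return {"match": kill_pid is not None and bool(targets),
            "targets": targets, "kill_pid": kill_pid, "delay": delay}


def flag_events(events):
    """PIDs of the events whose command line matches the full chain."""
    return [e["pid"] for e in events if detect_self_delete(e["cmdline"])["match"]]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["pid"], detect_self_delete(e["cmdline"]))
    print("flagged:", flag_events(SAMPLE_EVENTS))
```

Requiring the wiped and deleted operands to be the same path is what keeps the rule narrow; the ping delay and the killed PID are returned as context so an analyst can pivot to the parent process that spawned the chain, which in this template is the one being killed and erased.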

Flow Anomalies
Every entry below is a CALL DWORD PTR [addr] whose target lies between 40603C and 4062B8, i.e. inside the IAT (IAT RVA 6000 = VA 406000, in .rdata). These are the ordinary import thunks a compiler emits for API calls, not anomalous control flow; what the list does give is the set of .text file offsets that call imports. Offset = file offset of the CALL instruction (all within .text's raw range 400-4FFF); the "RVA" column is actually the absolute address of the IAT slot the call reads.
Offset IAT slot (VA) Section Description
41F 40618C .text CALL [static] | Indirect call to absolute memory address
442 406190 .text CALL [static] | Indirect call to absolute memory address
451 40619C .text CALL [static] | Indirect call to absolute memory address
45A 4061A0 .text CALL [static] | Indirect call to absolute memory address
461 4061A4 .text CALL [static] | Indirect call to absolute memory address
482 4061B4 .text CALL [static] | Indirect call to absolute memory address
4B5 4062A4 .text CALL [static] | Indirect call to absolute memory address
502 4060A8 .text CALL [static] | Indirect call to absolute memory address
52A 4060B0 .text CALL [static] | Indirect call to absolute memory address
57D 40609C .text CALL [static] | Indirect call to absolute memory address
58B 4060A0 .text CALL [static] | Indirect call to absolute memory address
5A4 4060A4 .text CALL [static] | Indirect call to absolute memory address
687 4062AC .text CALL [static] | Indirect call to absolute memory address
690 4062A8 .text CALL [static] | Indirect call to absolute memory address
71E 40619C .text CALL [static] | Indirect call to absolute memory address
782 406220 .text CALL [static] | Indirect call to absolute memory address
799 406220 .text CALL [static] | Indirect call to absolute memory address
7EC 406094 .text CALL [static] | Indirect call to absolute memory address
821 406098 .text CALL [static] | Indirect call to absolute memory address
8A1 4061A4 .text CALL [static] | Indirect call to absolute memory address
A4C 40619C .text CALL [static] | Indirect call to absolute memory address
A88 40619C .text CALL [static] | Indirect call to absolute memory address
AAC 40607C .text CALL [static] | Indirect call to absolute memory address
AB6 4060A0 .text CALL [static] | Indirect call to absolute memory address
AE4 4060A4 .text CALL [static] | Indirect call to absolute memory address
B25 406080 .text CALL [static] | Indirect call to absolute memory address
B92 406098 .text CALL [static] | Indirect call to absolute memory address
BF2 406234 .text CALL [static] | Indirect call to absolute memory address
C1A 406084 .text CALL [static] | Indirect call to absolute memory address
C8D 40619C .text CALL [static] | Indirect call to absolute memory address
CF6 406160 .text CALL [static] | Indirect call to absolute memory address
D02 406164 .text CALL [static] | Indirect call to absolute memory address
DB6 406144 .text CALL [static] | Indirect call to absolute memory address
DC2 406148 .text CALL [static] | Indirect call to absolute memory address
DC8 40627C .text CALL [static] | Indirect call to absolute memory address
E30 406280 .text CALL [static] | Indirect call to absolute memory address
E3F 406284 .text CALL [static] | Indirect call to absolute memory address
E5A 4061A4 .text CALL [static] | Indirect call to absolute memory address
E6C 4062B4 .text CALL [static] | Indirect call to absolute memory address
EA0 406234 .text CALL [static] | Indirect call to absolute memory address
EBB 4062B0 .text CALL [static] | Indirect call to absolute memory address
EE6 4062A8 .text CALL [static] | Indirect call to absolute memory address
FA1 406140 .text CALL [static] | Indirect call to absolute memory address
FA7 4062AC .text CALL [static] | Indirect call to absolute memory address
FBC 406138 .text CALL [static] | Indirect call to absolute memory address
FC7 406164 .text CALL [static] | Indirect call to absolute memory address
FCD 406168 .text CALL [static] | Indirect call to absolute memory address
108A 4062AC .text CALL [static] | Indirect call to absolute memory address
109A 406130 .text CALL [static] | Indirect call to absolute memory address
10A5 406134 .text CALL [static] | Indirect call to absolute memory address
10AC 406174 .text CALL [static] | Indirect call to absolute memory address
10B4 4062A8 .text CALL [static] | Indirect call to absolute memory address
10C6 4062B8 .text CALL [static] | Indirect call to absolute memory address
1151 40606C .text CALL [static] | Indirect call to absolute memory address
115E 406174 .text CALL [static] | Indirect call to absolute memory address
119A 40612C .text CALL [static] | Indirect call to absolute memory address
11AE 406074 .text CALL [static] | Indirect call to absolute memory address
11D0 406068 .text CALL [static] | Indirect call to absolute memory address
1204 406168 .text CALL [static] | Indirect call to absolute memory address
124D 406128 .text CALL [static] | Indirect call to absolute memory address
1254 406074 .text CALL [static] | Indirect call to absolute memory address
1272 406064 .text CALL [static] | Indirect call to absolute memory address
1287 406174 .text CALL [static] | Indirect call to absolute memory address
12DD 40605C .text CALL [static] | Indirect call to absolute memory address
12E6 406060 .text CALL [static] | Indirect call to absolute memory address
12ED 406174 .text CALL [static] | Indirect call to absolute memory address
1302 406120 .text CALL [static] | Indirect call to absolute memory address
13CD 406168 .text CALL [static] | Indirect call to absolute memory address
146C 4061B4 .text CALL [static] | Indirect call to absolute memory address
147B 406058 .text CALL [static] | Indirect call to absolute memory address
1485 4060AC .text CALL [static] | Indirect call to absolute memory address
14A7 4060A8 .text CALL [static] | Indirect call to absolute memory address
14C1 4060B0 .text CALL [static] | Indirect call to absolute memory address
152B 406050 .text CALL [static] | Indirect call to absolute memory address
153D 40604C .text CALL [static] | Indirect call to absolute memory address
154E 4060AC .text CALL [static] | Indirect call to absolute memory address
1557 4061A0 .text CALL [static] | Indirect call to absolute memory address
15B9 406044 .text CALL [static] | Indirect call to absolute memory address
15C7 4061A0 .text CALL [static] | Indirect call to absolute memory address
1630 406234 .text CALL [static] | Indirect call to absolute memory address
1652 406050 .text CALL [static] | Indirect call to absolute memory address
166C 4060A8 .text CALL [static] | Indirect call to absolute memory address
1683 406040 .text CALL [static] | Indirect call to absolute memory address
1732 406114 .text CALL [static] | Indirect call to absolute memory address
175D 406118 .text CALL [static] | Indirect call to absolute memory address
1768 40611C .text CALL [static] | Indirect call to absolute memory address
1789 40612C .text CALL [static] | Indirect call to absolute memory address
17B2 40619C .text CALL [static] | Indirect call to absolute memory address
17CD 40621C .text CALL [static] | Indirect call to absolute memory address
1802 40610C .text CALL [static] | Indirect call to absolute memory address
180D 406110 .text CALL [static] | Indirect call to absolute memory address
1822 406174 .text CALL [static] | Indirect call to absolute memory address
1892 40603C .text CALL [static] | Indirect call to absolute memory address
18C4 406050 .text CALL [static] | Indirect call to absolute memory address
195B 406214 .text CALL [static] | Indirect call to absolute memory address
1972 406218 .text CALL [static] | Indirect call to absolute memory address
198D 4060AC .text CALL [static] | Indirect call to absolute memory address
19A2 406228 .text CALL [static] | Indirect call to absolute memory address
19C7 40603C .text CALL [static] | Indirect call to absolute memory address
1A88 406114 .text CALL [static] | Indirect call to absolute memory address
Extra Analysis
Metric Value Percentage
Ascii Code 22464 56.25%
Null Byte Code 11023 27.6017%