PESCAN.IO - Analysis Report

File Structure
Analysis Image
PE Chart Code
The executable header is displayed in light blue.
The executable sections are pink.
Non-executable sections are black.
Code added to executables externally to a compiler appears in red.
If the File Structure content appears in red, it means the PE header is malformed or corrupted.

Chart Code For Other Files
Printable characters are blue.
Non-printable characters (Null Bytes) are black.
Information
Size: 864,00 KB
SHA-256 Hash: 87BDCEE9A09330B4C19E9E30EB77CB744C7AE325E1A7A61FAE424BA936FCD7B0
SHA-1 Hash: 19831266FBA876E197FDA3614DAA19A81EE80EC9
MD5 Hash: DB8CBECDCFC00E65D9CE129518D9CF3A
Imphash: F34D5F2D4577ED6D9CEEC516C1F5A744
MajorOSVersion: 4
MinorOSVersion: 0
CheckSum: 00000000
EntryPoint (rva): D8E2E
SizeOfHeaders: 200
SizeOfImage: DE000
ImageBase: 400000
Architecture: x86
ImportTable: D8DE0
IAT: 2000
Characteristics: 122
TimeDateStamp: B074C0CD
Date: 24/10/2063 8:52:29
File Type: EXE
Number Of Sections: 3
ASLR: Disabled
Section Names: .text, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker

Sections Info
Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2
.text | 60000020 (Code, Executable, Readable) | 200 | D7000 | 2000 | D6E34 | 7,3566 | 3717891,74
.rsrc | 40000040 (Initialized Data, Readable) | D7200 | C00 | DA000 | A48 | 4,5918 | 91680,50
.reloc | 42000040 (Initialized Data, GP-Relative, Readable) | D7E00 | 200 | DC000 | C | 0,1019 | 128015,00
Description
OriginalFilename: Client.exe
FileVersion: 2.3.1
ProductVersion: 2.3.1
Language: Unknown (ID=0x0)
CodePage: Unicode (UTF-16 LE) (0x4B0)

Entry Point
The section number (1) - (.text) has the Entry Point
Information -> EntryPoint (calculated) - D702E
Code -> FF25002040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
JMP DWORD PTR [0X402000]
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
EP changed to another address -> (Address Of EntryPoint > Base Of Data)

Signatures
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler
Compiler: Microsoft Visual .NET - (You can use a decompiler for this...)
AnyCPU: True
Version: v4.0
Detect It Easy (die)
PE: library: .NET(v4.0.30319)[-]
PE: linker: Microsoft Linker(48.0)[-]
Entropy: 7.3475

Suspicious Functions
Library | Function | Description
KERNEL32.DLL | LoadLibraryW (Possible Call API By Name) | Loads the specified module into the address space of the calling process.
KERNEL32.DLL | IsDebuggerPresent (Possible Call API By Name) | Determines if the calling process is being debugged by a user-mode debugger.
ADVAPI32.DLL | CryptDecrypt (Possible Call API By Name) | Performs a cryptographic operation on data in a data block.
KERNEL32.DLL | CreateMutexA | Creates a named or unnamed mutex object for controlling access to a shared resource.
KERNEL32.DLL | VirtualAlloc | Reserves, commits, or both, a region of memory within the virtual address space of a process.
KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module.
KERNEL32.DLL | GetModuleHandle | Retrieves a handle to the specified module.
KERNEL32.DLL | CreateToolhelp32Snapshot | Creates a snapshot of the specified processes, heaps, threads, and modules.
KERNEL32.DLL | CreateRemoteThread | Creates a thread in the address space of another process.
KERNEL32.DLL | WriteProcessMemory | Writes data to an area of memory in a specified process.
KERNEL32.DLL | ReadProcessMemory | Reads data from an area of memory in a specified process.
KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger.
ADVAPI32.DLL | CryptEncrypt | Performs a cryptographic operation on data in a data block.
ADVAPI32.DLL | CryptDecrypt | Performs a cryptographic operation on data in a data block.
NtosKrnl.exe | ZwUnmapViewOfSection | Unmaps a mapped view of a section from a process's address space.
Windows REG (UNICODE)
Software\Microsoft\Windows\CurrentVersion\Run
Software\Opera GX Stable
Software\Brave-Browser\Application\brave.exe
SOFTWARE\Clients\StartMenuInternet
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
SOFTWARE\Microsoft\RecoveryEnvironment" /v TargetOS') DO SET TARGETOS=%%C
for /F "tokens=1 delims=\" %%A in ('Echo %TARGETOS%') DO SET TARGETOSDRIVE=%%A
reg load HKLM\
Software\Classes
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Brave-Browser\User Data
Software\Brave-Browser\Application
Software\Opera GX Stable\
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
SOFTWARE\VMware, Inc.\VMware Tools
SOFTWARE\Oracle\VirtualBox Guest Additions
SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
System\BIOS
Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - DisableTaskMgr
Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\Run

File Access
Client.exe
mscoree.dll
win32u.dll
bcrypt.dll
rstrtmgr.dll
DbgHelp.dll
ntdll.dll
psapi.dll
iphlpapi.dll
ucrtbase.dll
kernelbase.dll
user32.dll
kernel32.dll
advapi32.dll
gdi32.dll
costura.system.memory.dll
costura.system.numerics.vectors.dll
costura.system.buffers.dll
costura.messagepack.annotations.dll
costura.pulsar.common.dll
costura.messagepack.dll
costura.system.collections.immutable.dll
null|Pulsar.Common.dll
cc7b13ffcd2ddd51|System.Threading.Tasks.Extensions.dll
b03f5f7f11d50a3a|System.Runtime.CompilerServices.Unsafe.dll
b03f5f7f11d50a3a|System.Numerics.Vectors.dll
cc7b13ffcd2ddd51|System.Memory.dll
b03f5f7f11d50a3a|System.Collections.Immutable.dll
cc7b13ffcd2ddd51|System.Buffers.dll
b4a0369545f0a1be|MessagePack.Annotations.dll
b4a0369545f0a1be|MessagePack.dll
Pulsar.Common.Messages.Administration.Sys
Gma.Sys
costura.sys
Temp
RootDir
AppData

File Access (UNICODE)
*.dll
mozglue.dll
nss3.dll
chrome.dll
msedge.dll
user32.dll
kernel32.dll
KFailed to get handle for kernel32.dll
SbieDll.dll
cmdvrt32.dll
cmdvrt64.dll
SxIn.dll
cuckoomon.dll
clr.dll
coreclr.dll
ntdll.dll
annotations.dll
messagepack.dll
common.dll
buffers.dll
immutable.dll
memory.dll
vectors.dll
unsafe.dll
extensions.dll
Client.exe
3\explorer.exe
--processStart Discord.exe
exe /c taskkill /IM discord.exe
\Discord\Update.exe
exe /c taskkill /IM chrome.exe
exe /c taskkill /IM msedge.exe
9\Programs\Opera GX\opera.exe
exe /c taskkill /IM operagx.exe
QConhost --headless cmd.exe
3\Programs\Opera\opera.exe
exe /c taskkill /IM opera.exe
exe /c taskkill /IM brave.exe
oConhost --headless cmd.exe
exe /c taskkill /IM firefox.exe
-conhost powershell.exe
conhost cmd.exe
)computerdefaults.exe
]cmd.exe
MSBuild.exe
RegSvcs.exe
RegAsm.exe
+deviceinstaller64.exe
|\S+\.exe
]+\.exe
WConhost --headless cmd.exe
9\Mozilla Firefox\firefox.exe
\Opera GX\opera.exe
!\Opera\opera.exe
M\Microsoft\Edge\Application\msedge.exe
K\Google\Chrome\Application\chrome.exe
qcostura.sys
{costura.sys
]costura.sys
Icostura.sys
gcostura.sys
Kcostura.sys
vmmouse.sys
VBoxVideo.sys
VBoxSF.sys
VBoxGuest.sys
VBoxMouse.sys
vioser.sys
viofs.sys
netkvm.sys
balloon.sys
/Gma.Sys
desktop.ini
Exec - cmd.exe /c taskkill /IM
Exec - cmd.exe /c start %TARGETOSDRIVE%\Recovery\OEM\
Exec - cmd.exe /c taskkill /IM firefox.exe /F
Exec - cmd.exe /c start firefox --profile="
Exec - cmd.exe /c taskkill /IM brave.exe /F
Exec - cmd.exe /c taskkill /IM opera.exe /F
Exec - cmd.exe /c start "" "
Exec - cmd.exe /c taskkill /IM operagx.exe /F
Exec - cmd.exe /c taskkill /IM msedge.exe /F
Exec - cmd.exe /c taskkill /IM chrome.exe /F
Exec - cmd.exe /c taskkill /IM discord.exe /F
Exec - powershell.exe conhost
Temp
ProgramFiles
AppData

SQL Queries
SELECT * FROM Win32_BIOS
SELECT * FROM Win32_BaseBoard
SELECT * FROM Win32_Processor
Select * From Win32_ComputerSystem
SELECT * FROM Win32_VideoController
SELECT * FROM Win32_OperatingSystem WHERE Primary='true'
SELECT * FROM AntivirusProduct
SELECT * FROM FirewallProduct
Select * from Win32_ComputerSystem
SELECT * FROM Win32_DiskDrive
SELECT * FROM Win32_PortConnector

Interest's Words
lockbit
Encrypt
Decrypt
KeyLogger
Encryption
RunPE
PassWord
<form
cscript
exec
attrib
start
cipher
hostname
shutdown
systeminfo
ping
dism
replace

Interest's Words (UNICODE)
Virus
BitCoin
taskkill
Encrypt
Decrypt
Encryption
PassWord
<html
<head
<body
<script
cscript
wscript
mshta
exec
powershell
schtasks
netsh
taskkill
start
hostname
shutdown
schtask
ping

Anti-VM/Sandbox/Debug Tricks
OllyDbg Library - dbghelp.dll

Anti-VM/Sandbox/Debug Tricks (UNICODE)
LabTools - taskmgr
VMWare - vmmouse.sys
SandBoxie Library - SbieDll.dll

URLs
http://schemas.microsoft.com/SMI/2005/WindowsSettings
http://schemas.microsoft.com/SMI/2016/WindowsSettings

URLs (UNICODE)
https://www.amyuni.com/downloads/usbmmidd_v2.zip
https://ipwho.is/
https://api.ipify.org/

AV Services (UNICODE)
Antivirus name extract - (SecurityCenter2)

IP Addresses
15.0.0.0
15.8.0.0

Strings/Hex Code Found With The File Rules
Rule Type | Encoding | Matched (Word)
Text | Ascii | WinAPI Sockets (connect)
Text | Unicode | WinAPI Sockets (connect)
Text | Ascii | WinAPI Sockets (send)
Text | Unicode | WinAPI Sockets (send)
Text | Ascii | File (GetTempPath)
Text | Ascii | File (CreateFile)
Text | Ascii | File (ReadFile)
Text | Ascii | Encryption (FromBase64String)
Text | Ascii | Encryption API (CryptDecrypt)
Text | Unicode | Encryption API (CryptDecrypt)
Text | Ascii | Anti-Analysis VM (IsDebuggerPresent)
Text | Unicode | Anti-Analysis VM (IsDebuggerPresent)
Text | Ascii | Anti-Analysis VM (GetSystemInfo)
Text | Ascii | Anti-Analysis VM (CreateToolhelp32Snapshot)
Text | Ascii | Stealth (VirtualAlloc)
Text | Ascii | Stealth (VirtualProtect)
Text | Ascii | Stealth (ReadProcessMemory)
Text | Ascii | Stealth (CreateRemoteThread)
Text | Ascii | Execution (CreateProcessA)
Text | Ascii | Execution (ShellExecute)
Text | Ascii | Execution (ResumeThread)
Text | Unicode | Privileges (SeDebugPrivilege)
Text | Unicode | Keyboard Key ([Enter])
Text | Unicode | Keyboard Key ([Esc])
Text | Unicode | Keyboard Key ([Esc])
Text | Ascii | Malicious code executed after exploiting a vulnerability (Payload)
Text | Ascii | Ability of malware to remain on a system after a reboot (Persistence)
Text | Unicode | Ability of malware to remain on a system after a reboot (Persistence)
Text | Ascii | Process of gathering information about network resources (Enumeration)
Text | Unicode | Technique to insert malicious code into a vulnerable application (Injection)
Text | Ascii | Stealer malware focused on obtaining CVV codes to conduct unauthorized transactions (CVV)
Text | Ascii | Software that records keystrokes to steal credentials (Keylogger)
Text | Ascii | Software that records user activity (Logger)
Text | Ascii | Unauthorized movement of funds or data (Transfer)
Text | Unicode | Technique used to insert malicious code into legitimate processes (Inject)
Text | Ascii | Malicious rerouting of traffic to an attacker-controlled site (Redirect)
Text | Ascii | Technique used to circumvent security measures (Bypass)
Text | Unicode | Technique used to circumvent security measures (Bypass)
Entry Point | Hex Pattern | Microsoft Visual C / Basic .NET
Entry Point | Hex Pattern | Microsoft Visual C++ 8
Entry Point | Hex Pattern | Microsoft Visual C++ 8.0
Entry Point | Hex Pattern | Microsoft Visual C v7.0 / Basic .NET
Entry Point | Hex Pattern | Microsoft Visual Studio .NET
Entry Point | Hex Pattern | .NET executable
Resources
Path | DataRVA | Size | FileOffset | Code | Text
\VERSION\1\0 | DA090 | 2CC | D7290 | CC0234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000300 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
\24\1\0 | DA36C | 6D7 | D756C | EFBBBF3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D227574662D38223F3E0A3C617373656D626C | ...<?xml version="1.0" encoding="utf-8"?>.<assembl
Intelligent String
• Client.exe
• *.dll
• .dll
• !" /rl HIGHEST /f
• Login Data
• logins.json
• logins
• CCan not find chromium logins file
• mozglue.dll
• nss3.dll
• moz_logins
• runas
• .jpg
• .png
• .bmp
• .gif
• .img
• K\Google\Chrome\Application\chrome.exe
• M\Microsoft\Edge\Application\msedge.exe
• e\BraveSoftware\Brave-Browser\Application\brave.exe
• !\Opera\opera.exe
• '\Opera GX\opera.exe
• 9\Mozilla Firefox\firefox.exe
• WConhost --headless cmd.exe /c taskkill /IM
• .exe /F
• https://www.amyuni.com/downloads/usbmmidd_v2.zip
• usbmmidd_v2.zip
• +deviceinstaller64.exe
• usbmmIdd.inf
• .ps1
• .bat
• .vbs
• .hta
• <html><head><hta:application windowstate='minimize'></hta:application></head><body><script>
• .url
• desktop.ini
• .exe
• Microsoft.NET
• RegAsm.exe
• RegSvcs.exe
• MSBuild.exe
• for /F "tokens=1,2,3 delims= " %%A in ('reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RecoveryEnvironment" /v TargetOS') DO SET TARGETOS=%%C
• for /F "tokens=1 delims=\" %%A in ('Echo %TARGETOS%') DO SET TARGETOSDRIVE=%%A
• ResetConfig.xml
• )computerdefaults.exe
• conhost cmd.exe
• -conhost powershell.exe
• sConhost --headless cmd.exe /c taskkill /IM firefox.exe /F
• oConhost --headless cmd.exe /c start firefox --profile="
• oConhost --headless cmd.exe /c taskkill /IM brave.exe /F
• chrome.dll
• oConhost --headless cmd.exe /c taskkill /IM opera.exe /F
• 3\Programs\Opera\opera.exe
• QConhost --headless cmd.exe /c start "" "
• sConhost --headless cmd.exe /c taskkill /IM operagx.exe /F
• 9\Programs\Opera GX\opera.exe
• qConhost --headless cmd.exe /c taskkill /IM msedge.exe /F
• msedge.dll
• qConhost --headless cmd.exe /c taskkill /IM chrome.exe /F
• '\Discord\Update.exe
• sConhost --headless cmd.exe /c taskkill /IM discord.exe /F
• 9" --processStart Discord.exe
• 3\explorer.exe /NoUACCheck
• user32.dll
• kernel32.dll
• SbieDll.dll
• cmdvrt32.dll
• cmdvrt64.dll
• SxIn.dll
• cuckoomon.dll
• balloon.sys
• netkvm.sys
• viofs.sys
• vioser.sys
• VBoxMouse.sys
• VBoxGuest.sys
• VBoxSF.sys
• VBoxVideo.sys
• vmmouse.sys
• C:\Program Files\VMware
• C:\Program Files\Oracle\VirtualBox Guest Additions
• \\.\pipe\cuckoo
• +\\.\pipe\VBoxMiniRdDN
• )\\.\pipe\VBoxTrayIPC
• clr.dll
• coreclr.dll
• ntdll.dll
• _CorExeMainmscoree.dll
• 2.3.1.0
• <dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true/pm</dpiAware>
• <dpiAwareness xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">PerMonitorV2, PerMonitor</dpiAwareness>
• <longPathAware xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">true</longPathAware>

Flow Anomalies
Offset | RVA | Section | Description
21F6C | 747E2506 | .text | CALL [static]: Indirect call to absolute memory address
21FF3 | 747E2506 | .text | CALL [static]: Indirect call to absolute memory address
358CC | 747E2506 | .text | CALL [static]: Indirect call to absolute memory address
3706E | 42D4D7BA | .text | JMP [static]: Indirect jump to absolute memory address
3AAE7 | 42D4D7BA | .text | CALL [static]: Indirect call to absolute memory address
406E6 | 5C248251 | .text | CALL [static]: Indirect call to absolute memory address
54CA6 | 5C248251 | .text | CALL [static]: Indirect call to absolute memory address
77573 | 7A232EC2 | .text | CALL [static]: Indirect call to absolute memory address
8782E | 12905592 | .text | JMP [static]: Indirect jump to absolute memory address
D702E | 402000 | .text | JMP [static]: Indirect jump to absolute memory address

Extra Analysis
Metric | Value | Percentage
Ascii Code | 564901 | 63,8497%
Null Byte Code | 114057 | 12,8916%
© 2025 All rights reserved.