PREMIUM PESCAN.IO - Analysis Report

File Structure (chart image not included in this export)
PE chart legend: PE header (light blue); executable sections (pink); non-executable sections (black); external injected code (red); file structure drawn in red = malformed or corrupted header.
Chart legend for other file types: printable characters (blue); non-printable characters (black).
Information
Size: 248,50 KB
SHA-256 Hash: FD42DDCC1B4107863EE362D48CF68262176995C88C65969C957F2A16FB7C22E0
SHA-1 Hash: 3E773669A151375E55B8EDA1E4C1F3B3286496C6
MD5 Hash: E2D2ADEBEABC58B42C56D76E3F5B18DB
Imphash: 6541F72CBD1AD3F210A7C5376655DFB8
MajorOSVersion: 6
MinorOSVersion: 0
CheckSum: 00000000
EntryPoint (rva): 123E5
SizeOfHeaders: 400
SizeOfImage: 45000
ImageBase: 10000000
Architecture: x86
ExportTable: 34A80
ImportTable: 34AC8
Characteristics: 2102
TimeDateStamp: 6A21B238
Date: 04/06/2026 17:13:28
File Type: DLL
Number Of Sections: 6
ASLR: Enabled
Section Names: .text, .rdata, .data, .fptable, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker

Sections Info
Section   Flags       Characteristics                           ROffset  RSize  VOffset  VSize  Entropy  Chi2
.text     0x60000020  Code, Executable, Readable                400      29C00  1000     2A000  6.6094   923236.49
.rdata    0xC0000040  Initialized Data, Readable, Writeable     2A000    B600   2B000    C000   5.2694   1757120.12
.data     0xC0000040  Initialized Data, Readable, Writeable     35600    6400   37000    9000   1.606    4599731.54
.fptable  0xC0000040  Initialized Data, Readable, Writeable     3BA00    0      40000    1000   N/A      N/A
.rsrc     0x40000040  Initialized Data, Readable                3BA00    200    41000    1000   4.7208   9289
.reloc    0x42000040  Initialized Data, GP-Relative, Readable   3BC00    2600   42000    3000   6.645    39425.63
Entry Point
Section 1 (.text) contains the entry point.
EntryPoint (calculated file offset) -> 117E5
Code -> 558BEC837D0C017505E81C050000FF7510FF750CFF7508E8ABFEFFFF83C40C5DC20C00558BEC830D907003100183EC28C705
Assembler (disassembly of the bytes above):
    PUSH EBP
    MOV EBP, ESP
    CMP DWORD PTR [EBP + 0XC], 1
    JNE 0X100E
    CALL 0X152A
    PUSH DWORD PTR [EBP + 0X10]
    PUSH DWORD PTR [EBP + 0XC]
    PUSH DWORD PTR [EBP + 8]
    CALL 0XEC7
    ADD ESP, 0XC
    POP EBP
    RET 0XC
    PUSH EBP
    MOV EBP, ESP
    OR DWORD PTR [0X10037090], 1
    SUB ESP, 0X28
Signatures
Rich Signature Analyzer:
Code -> 019F76D245FE188145FE188145FE18813C7F1B804EFE18813C7F1D80DEFE18813C7F1E8047FE18813C7F1F8044FE1881C2771B8053FE1881C2771C8054FE1881C2771D806EFE18813C7F1C805DFE18813C7F19805EFE188145FE19817FFF1881DC77118057FE1881DC77188044FE1881DC77E78144FE1881DC771A8044FE18815269636845FE1881
Footprint md5 Hash -> 9FA33B2A870FDF9E0803816BB6FA1892
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler
Detect It Easy (die)
PE: linker: Microsoft Linker(14.44**)[-]
Entropy: 6.25859

Suspicious Functions
Library       Function                  Description
Ws2_32.DLL    connect                   Establishes a connection to a specified socket. (Possible call of the API by name.)
KERNEL32.DLL  CreateMutexW              Creates a named or unnamed mutex object for controlling access to a shared resource.
KERNEL32.DLL  GetModuleFileNameA        Retrieves the fully qualified path for the executable file of a specified module.
KERNEL32.DLL  VirtualAlloc              Reserves, commits, or both, a region of memory within the virtual address space of a process.
KERNEL32.DLL  GetModuleHandleA          Retrieves a handle to the specified module.
KERNEL32.DLL  CopyFileW                 Copies an existing file to a new file.
KERNEL32.DLL  WriteFile                 Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL  LoadLibraryA              Loads the specified module into the address space of the calling process.
KERNEL32.DLL  LoadLibraryW              Loads the specified module into the address space of the calling process.
KERNEL32.DLL  CreateToolhelp32Snapshot  Creates a snapshot of the specified processes, heaps, threads, and modules.
KERNEL32.DLL  CreateRemoteThread        Creates a thread in the address space of another process.
KERNEL32.DLL  WriteProcessMemory        Writes data to an area of memory in a specified process.
KERNEL32.DLL  GetProcAddress            Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL  IsDebuggerPresent         Determines whether the calling process is being debugged by a user-mode debugger.
Export Functions (carving)
Original Name -> .dll
Exported function -> run

Windows REG (UNICODE)
Software\Tencent\Plugin\VAS
SOFTWARE\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\Run

File Access
Windows\System32\svchost.exe
Windows\SysWOW64\svchost.exe
DINPUT8.dll
dxgi.dll
gdiplus.dll
SHLWAPI.dll
WINMM.dll
WS2_32.dll
OLEAUT32.dll
ole32.dll
SHELL32.dll
ADVAPI32.dll
GDI32.dll
USER32.dll
KERNEL32.dll
.dll
NtDll.dll
.dat
Temp

File Access (UNICODE)
%s\Microsoft\Crypto\RSA\certstore.exe
%s\Microsoft\Windows\WinMgr.exe
UnThreat.exe
K7TSecurity.exe
ad-watch.exe
PSafeSysTray.exe
vsserv.exe
remupd.exe
hQrtvscan.exe
\~OashDisp.exe
avcenter.exe
TMBMSRV.exe
knsdtray.exe
TaUegui.exe
Mcshield.exe
avpui.exe
avp.exe
f-secure.exe
avgwdsvc.exe
V3Svc.exe
acs.exe
SPIDer.exe
cfp.exe
mssecess.exe
QUHLPSVC.EXE
RavMonD.exe
XKvMonXP.exe
BaiduSd.exe
HipsDaemon.exe
HipsMain.exe
HipsTray.exe
QQRepair.exe
QQPCTray.exe
QQPCRealTimeSpeedup.exe
QQPCPatch.exe
QMPersonalCenter.exe
QMDL.exe
QQPCRTP.exe
kxescore.exe
kwsprotect64.exe
kscan.exe
KSafeTray.exe
kxetray.exe
360sd.exe
ZhuDongFangYu.exe
360tray.exe
360Tray.exe
y&{360Safe.exe
ExitProcessWinExecWaitForSingleObject%swininet.dll
GetNativeSystemInfontdll.dll
kernel32.dll
mscoree.dll
%s\Microsoft\Windows\WinMgrDrv.sys
\DisplaySessionContainers.log
winos_login_v2.log
winos_login.log
AppData

Words of Interest
lockbit
exec
attrib
start
shutdown
systeminfo
expand

Words of Interest (UNICODE)
start
shutdown
at.exe

Anti-VM/Sandbox/Debug Tricks (UNICODE)
LabTools - wireshark

AV Services (UNICODE)
avp.exe - (Kaspersky AntiVirus)
vsserv.exe - (BitDefender)
avgwdsvc.exe - (AVG Watchdog)
egui.exe - (ESET)
ad-watch.exe - (Ad-Aware)
avcenter.exe - (Avira)
ashdisp.exe - (Avast)
tmbmsrv.exe - (Trend Micro)
360safe.exe
360tray.exe
360sd.exe
zhudongfangyu.exe
qqpcrtp.exe
baidusd.exe
ravmond.exe
kvmonxp.exe
kxetray.exe

IP Addresses
43.160.193.90

Strings/Hex Code Found With The File Rules
Rule Type   | Encoding    | Matched (Word)
Text        | Unicode     | WinAPI Sockets (connect)
Text        | Ascii       | WinAPI Sockets (recv)
Text        | Unicode     | WinAPI Sockets (send)
Text        | Ascii       | Registry (RegCreateKeyEx)
Text        | Ascii       | Registry (RegOpenKeyEx)
Text        | Ascii       | Registry (RegSetValueEx)
Text        | Ascii       | File (GetTempPath)
Text        | Ascii       | File (CopyFile)
Text        | Ascii       | File (CreateFile)
Text        | Ascii       | File (WriteFile)
Text        | Ascii       | File (ReadFile)
Text        | Ascii       | Service (OpenSCManager)
Hex         | Hex Pattern | PEB AntiDebug (Flag BeingDebugged)
Text        | Ascii       | Anti-Analysis VM (IsDebuggerPresent)
Text        | Ascii       | Anti-Analysis VM (GetSystemInfo)
Text        | Ascii       | Anti-Analysis VM (GlobalMemoryStatusEx)
Text        | Ascii       | Anti-Analysis VM (GetVersion)
Text        | Ascii       | Anti-Analysis VM (CreateToolhelp32Snapshot)
Text        | Ascii       | Reconnaissance (FindNextFileW)
Text        | Ascii       | Reconnaissance (FindClose)
Text        | Ascii       | Stealth (GetThreadContext)
Text        | Ascii       | Stealth (SetThreadContext)
Text        | Ascii       | Stealth (ExitThread)
Text        | Ascii       | Stealth (CloseHandle)
Text        | Ascii       | Stealth (IsBadReadPtr)
Text        | Ascii       | Stealth (VirtualAlloc)
Text        | Ascii       | Stealth (VirtualProtect)
Text        | Ascii       | Stealth (CreateRemoteThread)
Text        | Ascii       | Execution (CreateProcessA)
Text        | Ascii       | Execution (CreateProcessW)
Text        | Ascii       | Execution (WinExec)
Text        | Ascii       | Execution (ResumeThread)
Text        | Ascii       | Execution (OpenEventW)
Text        | Ascii       | Execution (CreateEventA)
Text        | Ascii       | Execution (CreateEventW)
Text        | Unicode     | Antivirus Software (BitDefender)
Text        | Unicode     | Antivirus Software (F-Secure AV)
Text        | Unicode     | Privileges (SeDebugPrivilege)
Text        | Unicode     | Privileges (SeShutdownPrivilege)
Text        | Unicode     | Keyboard Key ([F1])
Text        | Unicode     | Keyboard Key ([F2])
Text        | Unicode     | Keyboard Key ([F3])
Text        | Unicode     | Keyboard Key ([F4])
Text        | Unicode     | Keyboard Key ([F5])
Text        | Unicode     | Keyboard Key ([F6])
Text        | Unicode     | Keyboard Key ([F7])
Text        | Unicode     | Keyboard Key ([F8])
Text        | Unicode     | Keyboard Key ([F9])
Text        | Unicode     | Keyboard Key ([F10])
Text        | Unicode     | Keyboard Key ([F11])
Text        | Unicode     | Keyboard Key ([F12])
Entry Point | Hex Pattern | fasm - Tomasz Grysztar
Resources
Path        | DataRVA | Size | FileOffset | Code (hex)                                                                                           | Text
\24\2\1033  | 41060   | 17D  | 3BA60      | 3C3F786D6C2076657273696F6E3D27312E302720656E636F64696E673D275554462D3827207374616E64616C6F6E653D2779 | <?xml version='1.0' encoding='UTF-8' standalone='y
Intelligent String
• 43.160.193.90
• mscoree.dll
• kernel32.dll
• 360Safe.exe
• 360Tray.exe
• 360tray.exe
• ZhuDongFangYu.exe
• 360sd.exe
• kxetray.exe
• KSafeTray.exe
• kscan.exe
• kwsprotect64.exe
• kxescore.exe
• QQPCRTP.exe
• QMDL.exe
• QMPersonalCenter.exe
• QQPCPatch.exe
• QQPCRealTimeSpeedup.exe
• QQPCTray.exe
• QQRepair.exe
• HipsTray.exe
• HipsMain.exe
• HipsDaemon.exe
• BaiduSd.exe
• KvMonXP.exe
• RavMonD.exe
• QUHLPSVC.EXE
• mssecess.exe
• cfp.exe
• SPIDer.exe
• DR.WEB
• acs.exe
• V3Svc.exe
• AYAgent.aye
• avgwdsvc.exe
• f-secure.exe
• avp.exe
• avpui.exe
• Mcshield.exe
• egui.exe
• knsdtray.exe
• TMBMSRV.exe
• avcenter.exe
• ashDisp.exe
• rtvscan.exe
• remupd.exe
• vsserv.exe
• PSafeSysTray.exe
• ad-watch.exe
• K7TSecurity.exe
• UnThreat.exe
• winos_login.log
• Windows\SysWOW64\svchost.exe
• Windows\System32\svchost.exe
• OpenProcessKernel32.dll
• wininet.dll
• winos_login_v2.log
• [LOGIN] Connect FAILED to %s:%s
• [LOGIN] Connect OK to %s:%s, sending LOGININFO (sizeof=%lu)...
• [LOGIN] sendLoginInfo OK, waiting for TOKEN_ACTIVED...
• Global\WinMgrWatchdog
• Global\WinMgrResurrect
• %s\Microsoft\Windows\WinMgrDrv.sys
• %s\Microsoft\Windows\WinMgr.exe
• %s\WindowsMgr.cmd
• [%02d:%02d:%02d.%03d] LOGIN: %s
• %s\Microsoft\Crypto\RSA\certstore.exe
• \DisplaySessionContainers.log
• .tls
• .bss

Flow Anomalies
Offset RVA Section Description
41E 1002B3E8 .text CALL [static] | Indirect call to absolute memory address
460 1002B160 .text CALL [static] | Indirect call to absolute memory address
4C5 1002B2B4 .text CALL [static] | Indirect call to absolute memory address
4CF 1002B2AC .text CALL [static] | Indirect call to absolute memory address
4FB 1002B2A4 .text CALL [static] | Indirect call to absolute memory address
520 1002B274 .text CALL [static] | Indirect call to absolute memory address
55F 1002B2A8 .text CALL [static] | Indirect call to absolute memory address
57B 1002B2B0 .text CALL [static] | Indirect call to absolute memory address
5AA 1002B29C .text CALL [static] | Indirect call to absolute memory address
603 1002B294 .text CALL [static] | Indirect call to absolute memory address
80B 1002B2BC .text CALL [static] | Indirect call to absolute memory address
845 1002B2BC .text CALL [static] | Indirect call to absolute memory address
965 1002B2B8 .text CALL [static] | Indirect call to absolute memory address
997 1002B2BC .text CALL [static] | Indirect call to absolute memory address
A3E 1002B2B8 .text CALL [static] | Indirect call to absolute memory address
A6F 1002B2BC .text CALL [static] | Indirect call to absolute memory address
AA1 1002B298 .text CALL [static] | Indirect call to absolute memory address
C37 1002B274 .text CALL [static] | Indirect call to absolute memory address
C82 1002B29C .text CALL [static] | Indirect call to absolute memory address
C91 1002B290 .text CALL [static] | Indirect call to absolute memory address
D22 1002B284 .text CALL [static] | Indirect call to absolute memory address
E06 1002B2A4 .text CALL [static] | Indirect call to absolute memory address
F05 1002B274 .text CALL [static] | Indirect call to absolute memory address
2379 1002B270 .text CALL [static] | Indirect call to absolute memory address
24C6 1002B3E8 .text CALL [static] | Indirect call to absolute memory address
24D4 1002B250 .text CALL [static] | Indirect call to absolute memory address
252F 1002B27C .text CALL [static] | Indirect call to absolute memory address
2559 1002B3D0 .text CALL [static] | Indirect call to absolute memory address
267B 1002B408 .text CALL [static] | Indirect call to absolute memory address
2684 1002B258 .text CALL [static] | Indirect call to absolute memory address
268D 1002B3DC .text CALL [static] | Indirect call to absolute memory address
269D 1002B278 .text CALL [static] | Indirect call to absolute memory address
26EE 1002B3C4 .text CALL [static] | Indirect call to absolute memory address
270D 1002B3F0 .text CALL [static] | Indirect call to absolute memory address
2728 1002B254 .text CALL [static] | Indirect call to absolute memory address
2758 1002B254 .text CALL [static] | Indirect call to absolute memory address
2770 1002B3E0 .text CALL [static] | Indirect call to absolute memory address
27B1 1002B408 .text CALL [static] | Indirect call to absolute memory address
27BA 1002B258 .text CALL [static] | Indirect call to absolute memory address
27C3 1002B3DC .text CALL [static] | Indirect call to absolute memory address
27F1 1002B400 .text CALL [static] | Indirect call to absolute memory address
2824 1002B404 .text CALL [static] | Indirect call to absolute memory address
2833 1002B3F4 .text CALL [static] | Indirect call to absolute memory address
2842 1002B40C .text CALL [static] | Indirect call to absolute memory address
28B8 1002B3E4 .text CALL [static] | Indirect call to absolute memory address
28CC 1002B3D4 .text CALL [static] | Indirect call to absolute memory address
2901 1002B3FC .text CALL [static] | Indirect call to absolute memory address
293A 1002B408 .text CALL [static] | Indirect call to absolute memory address
2943 1002B258 .text CALL [static] | Indirect call to absolute memory address
294C 1002B3DC .text CALL [static] | Indirect call to absolute memory address
29FB 1002B3D8 .text CALL [static] | Indirect call to absolute memory address
2A17 1002B278 .text CALL [static] | Indirect call to absolute memory address
2A1F 1002B27C .text CALL [static] | Indirect call to absolute memory address
2B68 1002B3E4 .text CALL [static] | Indirect call to absolute memory address
2B7F 1002B3D4 .text CALL [static] | Indirect call to absolute memory address
2B94 1002B3F8 .text CALL [static] | Indirect call to absolute memory address
2BA0 1002B40C .text CALL [static] | Indirect call to absolute memory address
2C3D 1002B27C .text CALL [static] | Indirect call to absolute memory address
2C61 1002B3C4 .text CALL [static] | Indirect call to absolute memory address
2CC9 1002B264 .text CALL [static] | Indirect call to absolute memory address
2E31 1002B3EC .text CALL [static] | Indirect call to absolute memory address
2E3D 1002B40C .text CALL [static] | Indirect call to absolute memory address
2F0D 1002B3EC .text CALL [static] | Indirect call to absolute memory address
2F19 1002B40C .text CALL [static] | Indirect call to absolute memory address
2F77 1002B264 .text CALL [static] | Indirect call to absolute memory address
2FD3 1002B27C .text CALL [static] | Indirect call to absolute memory address
2FF2 1002B270 .text CALL [static] | Indirect call to absolute memory address
3011 1002B270 .text CALL [static] | Indirect call to absolute memory address
306A 1002B27C .text CALL [static] | Indirect call to absolute memory address
3121 1002B3C4 .text CALL [static] | Indirect call to absolute memory address
324F 1002B23C .text CALL [static] | Indirect call to absolute memory address
3334 1002B24C .text CALL [static] | Indirect call to absolute memory address
335C 1002B1C0 .text CALL [static] | Indirect call to absolute memory address
3368 1002B40C .text CALL [static] | Indirect call to absolute memory address
3376 1002B1C0 .text CALL [static] | Indirect call to absolute memory address
3398 1002B2AC .text CALL [static] | Indirect call to absolute memory address
33A8 1002B1C0 .text CALL [static] | Indirect call to absolute memory address
33E4 1002B3F0 .text CALL [static] | Indirect call to absolute memory address
3415 1002B3D8 .text CALL [static] | Indirect call to absolute memory address
3445 1002B418 .text CALL [static] | Indirect call to absolute memory address
3457 1002B254 .text CALL [static] | Indirect call to absolute memory address
3484 1002B254 .text CALL [static] | Indirect call to absolute memory address
3499 1002B3E0 .text CALL [static] | Indirect call to absolute memory address
34BC 1002B400 .text CALL [static] | Indirect call to absolute memory address
34DB 1002B410 .text CALL [static] | Indirect call to absolute memory address
34EF 1002B3F4 .text CALL [static] | Indirect call to absolute memory address
34FE 1002B40C .text CALL [static] | Indirect call to absolute memory address
3553 1002B264 .text CALL [static] | Indirect call to absolute memory address
358A 1002B240 .text CALL [static] | Indirect call to absolute memory address
35EE 1002B424 .text CALL [static] | Indirect call to absolute memory address
3691 1002B1C0 .text CALL [static] | Indirect call to absolute memory address
3697 1002B2AC .text CALL [static] | Indirect call to absolute memory address
36B5 1002B40C .text CALL [static] | Indirect call to absolute memory address
36E6 1002B264 .text CALL [static] | Indirect call to absolute memory address
3734 1002B3CC .text CALL [static] | Indirect call to absolute memory address
377D 1002B428 .text CALL [static] | Indirect call to absolute memory address
37EF 1002B410 .text CALL [static] | Indirect call to absolute memory address
3818 1002B3C4 .text CALL [static] | Indirect call to absolute memory address
3858 1002B3C4 .text CALL [static] | Indirect call to absolute memory address
3889 1002B3EC .text CALL [static] | Indirect call to absolute memory address
Extra Analysis
Metric          Value   Percentage
Ascii Code      135133  53,105%
Null Byte Code  58262   22,896%
© 2026 All rights reserved.