PESCAN.IO - Analysis Report Basic
| File Structure |
PE Chart Code
Executable header (light blue)
Executable sections (pink)
Non-executable sections (black)
External injected code (red)
File Structure in red = malformed or corrupted header
Chart Code For Other Files
Printable characters (blue)
Non-printable characters (black)
| Information |
Size: 364,59 KB
SHA-256 Hash: 11CE0040CDE868DB68A5A603CF7EBB52DDB469961F6448F5C89CAC1D953C2873
SHA-1 Hash: 41C0A7DD234337643F46E98D697AA06A0A180208
MD5 Hash: E3C37EEF0953BF1397EE13A5B7192142
Imphash: E95F1EFC298553369865968230C32514
MajorOSVersion: 6
MinorOSVersion: 0
CheckSum: 0005D9F4
EntryPoint (rva): 2197F
SizeOfHeaders: 400
SizeOfImage: 5E000
ImageBase: 400000
Architecture: x86
ImportTable: 4912C
IAT: 39000
Characteristics: 102
TimeDateStamp: 624707B1
Date: 01/04/2022 14:09:53
File Type: EXE
Number Of Sections: 5
ASLR: Enabled
Section Names: .text, .rdata, .data, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 60000020 (Code, Executable, Readable) | 400 | 37400 | 1000 | 3736E | 6,6019 | 1288780,64 |
| .rdata | 40000040 (Initialized Data, Readable) | 37800 | 11200 | 39000 | 11158 | 4,7643 | 3788059,93 |
| .data | C0000040 (Initialized Data, Readable, Writeable) | 48A00 | 1A00 | 4B000 | 3354 | 3,8851 | 469895,62 |
| .rsrc | 40000040 (Initialized Data, Readable) | 4A400 | BA00 | 4F000 | B85C | 3,9724 | 3917962,92 |
| .reloc | 42000040 (Initialized Data, GP-Relative, Readable) | 55E00 | 2E00 | 5B000 | 2C08 | 6,4886 | 58211,35 |
| Description |
OriginalFilename: launcher.exe
CompanyName: Adersoft
LegalCopyright: Copyright Adersoft (C) 2001-2022
ProductName: VbsEdit
FileVersion: 9.9.13.7
FileDescription: VbsEdit Script Launcher
ProductVersion: 9.9.13.7
Language: English (United States) (ID=0x409)
CodePage: Unicode (UTF-16 LE) (0x4B0)
| Entry Point |
Section 1 (.text) contains the entry point.
EntryPoint (calculated): 20D7F
Code: E8C6040000E97AFEFFFF558BEC81EC24030000536A17E88941010085C074058B4D08CD296A03E8D7010000C70424CC020000
Disassembly at the entry point:
• CALL 0X14CB
• JMP 0XE84
• PUSH EBP
• MOV EBP, ESP
• SUB ESP, 0X324
• PUSH EBX
• PUSH 0X17
• CALL 0X151A4
• TEST EAX, EAX
• JE 0X1024
• MOV ECX, DWORD PTR [EBP + 8]
• INT 0X29
• PUSH 3
• CALL 0X1202
• MOV DWORD PTR [ESP], 0X2CC
| Signatures |
Rich Signature Analyzer:
Code: E4844A88A0E524DBA0E524DBA0E524DBFB8D27DAAAE524DBFB8D21DA3AE524DB3E45E3DBA1E524DB589520DAB3E524DB589527DAB5E524DB589521DA97E524DBFB8D20DAB8E524DBFB8D25DAB3E524DBA0E525DB65E524DB18942DDAA9E524DB1894DBDBA1E524DB189426DAA1E524DB52696368A0E524DB
Footprint MD5 Hash: CA9B6F3C04DAA902B4AB11836E446F15
• The Rich header apparently has not been modified
Certificate - Digital Signature:
• The file is signed and the signature is correct
| Packer/Compiler |
Detect It Easy (die):
• PE: compiler: EP:Microsoft Visual C/C++(2017 v.15.5-6)[EXE32]
• PE: compiler: Microsoft Visual C/C++(-)[-]
• PE: linker: Microsoft Linker(14.27**)[-]
• PE: Sign tool: Windows Authenticode(2.0)[PKCS 7]
• Entropy: 6.2729
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | VirtualAlloc | Reserve, commit, or both, a region of memory within the virtual address space of a process. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |
| SHELL32.DLL | ShellExecuteW | Performs a run operation on a specific file. |
| File Access |
| VERSION.dll CRYPT32.dll WINTRUST.dll OLEAUT32.dll ole32.dll SHELL32.dll ADVAPI32.dll USER32.dll KERNEL32.dll atlthunk.dll .dat @.dat |
| File Access (UNICODE) |
| launcher.exe iexplore.exe RegDeleteKeyTransactedWAdvapi32.dll mscoree.dll kernel32.dll api-ms-win-core-synch-l1-2-0.dll //www.vbs |
| Words of Interest |
| PADDINGX wscript exec createobject attrib start ping expand |
| Words of Interest (UNICODE) |
| wscript attrib start |
| URLs |
http://ocsp2.globalsign.com/rootr306
http://crl.globalsign.com/root-r3.crl
http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt
http://ocsp2.globalsign.com/gscodesignsha2g30V
http://crl.globalsign.com/gscodesignsha2g3.crl
http://ocsp.globalsign.com/ca/gstsacasha384g40C
http://secure.globalsign.com/cacert/gstsacasha384g4.crt
http://crl.globalsign.com/ca/gstsacasha384g4.crl
http://ocsp2.globalsign.com/rootr606
http://crl.globalsign.com/root-r6.crl
https://www.globalsign.com/repository/
| URLs (UNICODE) |
| https://www.vbsedit.com/tr_register.asp?launcher= |
| IP Addresses |
| 9.9.13.7 |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | WinAPI Sockets (connect) |
| Text | Ascii | Registry (RegCreateKeyEx) |
| Text | Ascii | Registry (RegOpenKeyEx) |
| Text | Ascii | Registry (RegSetValueEx) |
| Text | Ascii | Registry (RegDeleteKeyEx) |
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | File (ReadFile) |
| Text | Ascii | Anti-Analysis VM (IsDebuggerPresent) |
| Text | Ascii | Reconnaissance (FindNextFileW) |
| Text | Ascii | Reconnaissance (FindClose) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Stealth (IsBadReadPtr) |
| Text | Ascii | Stealth (UnmapViewOfFile) |
| Text | Ascii | Stealth (MapViewOfFile) |
| Text | Ascii | Stealth (CreateFileMappingW) |
| Text | Ascii | Stealth (VirtualAlloc) |
| Text | Ascii | Execution (CreateProcessW) |
| Text | Ascii | Execution (ShellExecute) |
| Text | Ascii | Execution (OpenEventW) |
| Text | Ascii | Execution (CreateEventW) |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | PE-Exe Executable Image |
| Entry Point | Hex Pattern | VC8 - Microsoft Corporation |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \REGISTRY\218\1033 | 4F3C4 | 198 | 4A7C4 | 484B43520D0A7B0D0A094E6F52656D6F766520434C5349440D0A097B0D0A0909466F72636552656D6F7665207B3931394131 | HKCR..{...NoRemove CLSID...{....ForceRemove {919A1 |
| \REGISTRY\219\1033 | 4F55C | C | 4A95C | 484B43520D0A7B0D0A7D0D0A | HKCR..{..}.. |
| \TYPELIB\1\1033 | 4F568 | 1F10 | 4A968 | 4D5346540200010000000000090400000000000043000000010000000000000008000000FFFFFFFF00000000000000006500 | MSFT................C...........................e. |
| \BITMAP\216\1033 | 51478 | 528 | 4C878 | 2800000010000000100000000100080000000000000100000000000000000000000000000000000000000000000080000080 | (................................................. |
| \ICON\1\1033 | 519A0 | 4228 | 4CDA0 | 2800000040000000800000000100200000000000004200000000000000000000000000000000000000000000000000000000 | (...@......... ......B............................ |
| \ICON\2\1033 | 55BC8 | 25A8 | 50FC8 | 2800000030000000600000000100200000000000802500000000000000000000000000000000000000000000000000000000 | (...0........ ......%............................ |
| \ICON\3\1033 | 58170 | 10A8 | 53570 | 2800000020000000400000000100200000000000801000000000000000000000000000000000000000000000000000000000 | (... ...@..... ................................... |
| \ICON\4\1033 | 59218 | 988 | 54618 | 2800000018000000300000000100200000000000600900000000000000000000000000000000000000000000000000000000 | (.......0..... .................................. |
| \ICON\5\1033 | 59BA0 | 468 | 54FA0 | 2800000010000000200000000100200000000000400400000000000000000000000000000000000000000000000000000000 | (....... ..... .....@............................. |
| \DIALOG\112\1033 | 5A008 | 11C | 55408 | 0100FFFF0000000000000000C800C880030000000000C7003F0000000000500069006E00200043006F006400650000000800 | ........................?.....P.i.n. .C.o.d.e..... |
| \DIALOG\217\1033 | 5A124 | 19E | 55524 | 0100FFFF0000000000000000C800C0800400000000003D0157000000000054007200690061006C0020007600650072007300 | ......................=.W.....T.r.i.a.l. .v.e.r.s. |
| \STRING\7\1033 | 5A2C4 | 230 | 556C4 | 0000000000000000000000000000200062003000620031003600340064003800650061003400640034006400360037003700 | .............. .b.0.b.1.6.4.d.8.e.a.4.d.4.d.6.7.7. |
| \STRING\9\1033 | 5A4F4 | 30 | 558F4 | 08004C00410055004E004300480045005200000000000000000000000000000000000000000000000000000000000000 | ..L.A.U.N.C.H.E.R............................... |
| \GROUP_ICON\128\1033 | 5A524 | 4C | 55924 | 00000100050040400000010020002842000001003030000001002000A825000002002020000001002000A8100000030018180000010020008809000004001010000001002000680400000500 | ......@@.... .(B....00.... ..%.... .... ............. ............. .h..... |
| \VERSION\1\1033 | 5A570 | 2EC | 55970 | EC0234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000900 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| Intelligent String |
| • launcher.exe • 9.9.13.7 • atlthunk.dll • api-ms-win-core-synch-l1-2-0.dll • kernel32.dll • mscoree.dll • iexplore.exe • .exe • .dll • .vbs • .wsf • .tls • .bss • USER32.dll • ADVAPI32.dll • WINTRUST.dll |
| Flow Anomalies |
| Offset | RVA | Section | Type | Description |
|---|---|---|---|---|
| 409 | 4391E0 | .text | CALL [static] | Indirect call to absolute memory address |
| 413 | 4391D8 | .text | CALL [static] | Indirect call to absolute memory address |
| 469 | 4391E0 | .text | CALL [static] | Indirect call to absolute memory address |
| 473 | 4391D8 | .text | CALL [static] | Indirect call to absolute memory address |
| 4C3 | 4391E0 | .text | CALL [static] | Indirect call to absolute memory address |
| 4CD | 4391D8 | .text | CALL [static] | Indirect call to absolute memory address |
| 59D | 4391D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 5B5 | 4391E0 | .text | CALL [static] | Indirect call to absolute memory address |
| 5BF | 4391D8 | .text | CALL [static] | Indirect call to absolute memory address |
| 5E2 | 439204 | .text | CALL [static] | Indirect call to absolute memory address |
| 5FB | 439168 | .text | CALL [static] | Indirect call to absolute memory address |
| 620 | 43916C | .text | CALL [static] | Indirect call to absolute memory address |
| 65F | 4391D4 | .text | CALL [static] | Indirect call to absolute memory address |
| 67B | 4391DC | .text | CALL [static] | Indirect call to absolute memory address |
| 6AA | 439160 | .text | CALL [static] | Indirect call to absolute memory address |
| 711 | 439158 | .text | CALL [static] | Indirect call to absolute memory address |
| AA6 | 439200 | .text | CALL [static] | Indirect call to absolute memory address |
| B0F | 439208 | .text | CALL [static] | Indirect call to absolute memory address |
| B30 | 439208 | .text | CALL [static] | Indirect call to absolute memory address |
| B3E | 4391EC | .text | CALL [static] | Indirect call to absolute memory address |
| BCB | 439234 | .text | CALL [static] | Indirect call to absolute memory address |
| CF0 | 4392B0 | .text | CALL [static] | Indirect call to absolute memory address |
| 10C8 | 4390B8 | .text | CALL [static] | Indirect call to absolute memory address |
| 1149 | 439238 | .text | CALL [static] | Indirect call to absolute memory address |
| 1184 | 439260 | .text | CALL [static] | Indirect call to absolute memory address |
| 1227 | 439228 | .text | CALL [static] | Indirect call to absolute memory address |
| 127C | 439228 | .text | CALL [static] | Indirect call to absolute memory address |
| 1366 | 439144 | .text | CALL [static] | Indirect call to absolute memory address |
| 13AA | 4392C0 | .text | CALL [static] | Indirect call to absolute memory address |
| 13D2 | 4392B8 | .text | CALL [static] | Indirect call to absolute memory address |
| 1418 | 439248 | .text | CALL [static] | Indirect call to absolute memory address |
| 162E | 439238 | .text | CALL [static] | Indirect call to absolute memory address |
| 1637 | 43926C | .text | CALL [static] | Indirect call to absolute memory address |
| 1645 | 439238 | .text | CALL [static] | Indirect call to absolute memory address |
| 1680 | 4392A8 | .text | CALL [static] | Indirect call to absolute memory address |
| 168E | 4392B0 | .text | CALL [static] | Indirect call to absolute memory address |
| 170C | 439144 | .text | CALL [static] | Indirect call to absolute memory address |
| 17C9 | 4392C8 | .text | CALL [static] | Indirect call to absolute memory address |
| 1829 | 439040 | .text | CALL [static] | Indirect call to absolute memory address |
| 1833 | 4391D8 | .text | CALL [static] | Indirect call to absolute memory address |
| 183B | 43905C | .text | CALL [static] | Indirect call to absolute memory address |
| 1862 | 439060 | .text | CALL [static] | Indirect call to absolute memory address |
| 18BE | 439030 | .text | CALL [static] | Indirect call to absolute memory address |
| 1BEA | 439064 | .text | CALL [static] | Indirect call to absolute memory address |
| 1BF1 | 43902C | .text | CALL [static] | Indirect call to absolute memory address |
| 1C02 | 439038 | .text | CALL [static] | Indirect call to absolute memory address |
| 1C11 | 43903C | .text | CALL [static] | Indirect call to absolute memory address |
| 1C32 | 439064 | .text | CALL [static] | Indirect call to absolute memory address |
| 1C39 | 43902C | .text | CALL [static] | Indirect call to absolute memory address |
| 1C4A | 439038 | .text | CALL [static] | Indirect call to absolute memory address |
| 1C59 | 43903C | .text | CALL [static] | Indirect call to absolute memory address |
| 1C61 | 43905C | .text | CALL [static] | Indirect call to absolute memory address |
| 1E95 | 439144 | .text | CALL [static] | Indirect call to absolute memory address |
| 200D | 43901C | .text | CALL [static] | Indirect call to absolute memory address |
| 2039 | 439068 | .text | CALL [static] | Indirect call to absolute memory address |
| 2086 | 439234 | .text | CALL [static] | Indirect call to absolute memory address |
| 2092 | 439064 | .text | CALL [static] | Indirect call to absolute memory address |
| 209B | 43905C | .text | CALL [static] | Indirect call to absolute memory address |
| 20A9 | 43906C | .text | CALL [static] | Indirect call to absolute memory address |
| 20BC | 439070 | .text | CALL [static] | Indirect call to absolute memory address |
| 20C8 | 4390FC | .text | CALL [static] | Indirect call to absolute memory address |
| 20D4 | 4390FC | .text | CALL [static] | Indirect call to absolute memory address |
| 21FB | 439074 | .text | CALL [static] | Indirect call to absolute memory address |
| 2203 | 4392E4 | .text | CALL [static] | Indirect call to absolute memory address |
| 242F | 4392AC | .text | CALL [static] | Indirect call to absolute memory address |
| 244C | 439078 | .text | CALL [static] | Indirect call to absolute memory address |
| 2464 | 439084 | .text | CALL [static] | Indirect call to absolute memory address |
| 2472 | 43907C | .text | CALL [static] | Indirect call to absolute memory address |
| 248D | 439080 | .text | CALL [static] | Indirect call to absolute memory address |
| 24A6 | 4392A4 | .text | CALL [static] | Indirect call to absolute memory address |
| 24E0 | 4392D8 | .text | CALL [static] | Indirect call to absolute memory address |
| 2766 | 439220 | .text | CALL [static] | Indirect call to absolute memory address |
| 2BBA | 439054 | .text | CALL [static] | Indirect call to absolute memory address |
| 2BED | 439054 | .text | CALL [static] | Indirect call to absolute memory address |
| 31B9 | 439154 | .text | CALL [static] | Indirect call to absolute memory address |
| 34AF | 43929C | .text | CALL [static] | Indirect call to absolute memory address |
| 36D0 | 439298 | .text | CALL [static] | Indirect call to absolute memory address |
| 36FA | 439298 | .text | CALL [static] | Indirect call to absolute memory address |
| 3722 | 43929C | .text | CALL [static] | Indirect call to absolute memory address |
| 3F40 | 43929C | .text | CALL [static] | Indirect call to absolute memory address |
| 3FA9 | 43907C | .text | CALL [static] | Indirect call to absolute memory address |
| 3FB9 | 439084 | .text | CALL [static] | Indirect call to absolute memory address |
| 3FD8 | 439080 | .text | CALL [static] | Indirect call to absolute memory address |
| 3FF3 | 439080 | .text | CALL [static] | Indirect call to absolute memory address |
| 4008 | 439080 | .text | CALL [static] | Indirect call to absolute memory address |
| 402C | 439150 | .text | CALL [static] | Indirect call to absolute memory address |
| 4037 | 43914C | .text | CALL [static] | Indirect call to absolute memory address |
| 4045 | 439148 | .text | CALL [static] | Indirect call to absolute memory address |
| 40B6 | 439088 | .text | CALL [static] | Indirect call to absolute memory address |
| 429B | 439080 | .text | CALL [static] | Indirect call to absolute memory address |
| 43E4 | 43915C | .text | CALL [static] | Indirect call to absolute memory address |
| 448E | 4392E8 | .text | CALL [static] | Indirect call to absolute memory address |
| 45EA | 439144 | .text | CALL [static] | Indirect call to absolute memory address |
| 468A | 43904C | .text | CALL [static] | Indirect call to absolute memory address |
| 4D20 | 4391D8 | .text | CALL [static] | Indirect call to absolute memory address |
| 4D43 | 4392F8 | .text | CALL [static] | Indirect call to absolute memory address |
| 4E3E | 4392F0 | .text | CALL [static] | Indirect call to absolute memory address |
| 4F38 | 4392EC | .text | CALL [static] | Indirect call to absolute memory address |
| 4F64 | 4392F8 | .text | CALL [static] | Indirect call to absolute memory address |
| 511D | 4392F8 | .text | CALL [static] | Indirect call to absolute memory address |
| 58C00 | N/A | *Overlay* | 60260000000202003082264E06092A864886F70D | &......0.&N..*.H... |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 192860 | 51,6575% |
| Null Byte Code | 88360 | 23,6672% |