PREMIUM PESCAN.IO - Analysis Report

File Structure
Analysis Image
PE Chart Code
Executable header (light blue)
Executable sections (pink)
Non-executable sections (black)
External injected code (red)
File Structure in red = malformed or corrupted header

Chart Code For Other Files
Printable characters (blue)
Non-printable characters (black)
Information
Size: 833,50 KB (853,504 bytes = 0xD0600, which is exactly where the last section, .reloc, ends on disk)
SHA-256 Hash: 6B51A17DCA3211A3D72E7534977DB4BB57C97940A22E8FA7E609A2350CA3C5B0
SHA-1 Hash: 48805C68184AC265F3F00B1D7DC9119FDB842F4F
MD5 Hash: 07C2439004D3DFFA5D4D34A0D65DB917
Imphash: 5D2FEEB89F03CF5253D78B75393AF728
MajorOSVersion: 6
MinorOSVersion: 0
CheckSum: 00000000
EntryPoint (rva): 6197
SizeOfHeaders: 400
SizeOfImage: D4000
ImageBase: 10000000
Architecture: x86
ExportTable: BBA0
ImportTable: D908
IAT: 8000
Characteristics: 2102
TimeDateStamp: 69B0C039
Date: 11/03/2026 1:07:05 (DD/MM/YYYY, UTC; i.e. 2026-03-11 01:07:05, decoded from the Unix timestamp 0x69B0C039)
File Type: DLL
Number Of Sections: 5
ASLR: Enabled
Section Names: .text, .rdata, .data, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows Console
UAC Execution Level Manifest: asInvoker

Sections Info
Section  Flags     Characteristics                           ROffset  RSize   VOffset  VSize   Entropy     Chi2
.text    60000020  Code, Executable, Readable                400      6200    1000     6117    6,39451767  99,41
.rdata   40000040  Initialized Data, Readable                6600     7200    8000     7022    5,54694176  40,33
.data    C0000040  Initialized Data, Readable, Writeable     D800     600     10000    7FC     3,58098121  6,00
.rsrc    40000040  Initialized Data, Readable                DE00     C2000   11000    C1E30   7,81835845  43,75
.reloc   42000040  Initialized Data, Discardable, Readable   CFE00    800     D3000    770     6,33341293  2,75
• Raw data is contiguous and accounts for the whole file (400+6200 = 6600, 6600+7200 = D800, D800+600 = DE00, DE00+C2000 = CFE00, CFE00+800 = D0600 = file size), so there is no overlay. The 0x02000000 bit in the .reloc flags is IMAGE_SCN_MEM_DISCARDABLE, not GP-relative (IMAGE_SCN_GPREL is 0x8000).
Description
OriginalFilename: Setup.exe
CompanyName: Golden Club Corpration.
LegalCopyright: Copyright (C) 2025
ProductName: Installer
FileVersion: 12.8.17.13
FileDescription: Installer
ProductVersion: 12.8.17.13

Binder/Joiner/Crypter
2 Executable files found (the DLL itself plus a second PE image stored as resource \RDATA\101\1028 inside .rsrc; see PE Carving and Resources below)

Entry Point
The entry point lies in section 1 (.text).
Information -> EntryPoint (calculated) - 5597 (file offset = RVA 6197 - .text VOffset 1000 + .text ROffset 400)
Code -> 558BEC837D0C017505E8D8060000FF7510FF750CFF7508E8ABFEFFFF83C40C5DC20C00558BEC8B4508568B483C03C80FB741
• The disassembler below assumes the dump starts at 0x1000 (the .text VA), but the entry point is at RVA 0x6197, so every branch target is 0x5197 too low: JNE 0X100E is RVA 0x61A5, CALL 0X16E6 is RVA 0x687D and CALL 0XEC7 is RVA 0x605E.
PUSH EBP                         ; DllMain-style stub: (hinstDLL, fdwReason, lpReserved) on the stack
MOV EBP, ESP
CMP DWORD PTR [EBP + 0XC], 1     ; fdwReason == DLL_PROCESS_ATTACH ?
JNE 0X100E                       ; skip one-time initialisation on every other reason
CALL 0X16E6
PUSH DWORD PTR [EBP + 0X10]      ; lpReserved
PUSH DWORD PTR [EBP + 0XC]       ; fdwReason
PUSH DWORD PTR [EBP + 8]         ; hinstDLL
CALL 0XEC7                       ; forward all three arguments to the real handler (cdecl callee)
ADD ESP, 0XC
POP EBP
RET 0XC                          ; stdcall, three arguments
PUSH EBP                         ; next function: takes a pointer to an in-memory PE image
MOV EBP, ESP
MOV EAX, DWORD PTR [EBP + 8]     ; EAX = image base (IMAGE_DOS_HEADER)
PUSH ESI
MOV ECX, DWORD PTR [EAX + 0X3C]  ; e_lfanew
ADD ECX, EAX                     ; ECX = IMAGE_NT_HEADERS: the DLL walks PE headers itself (dump ends here)
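The "EntryPoint (calculated)" value and the section flags above can be re-derived from the section table alone. The following Python is an added example, not PESCAN's own code: it carries the section table from Sections Info of this report, maps RVAs and VAs to file offsets the way a loader does, decodes IMAGE_SCN_* characteristics with the winnt.h bit values, and checks that the entry point lands in raw data of an executable section. All numbers are the ones printed in this report; nothing else is assumed.

```python
# Section table and image base exactly as reported above (hex values from the report).
IMAGE_BASE = 0x10000000
SIZE_OF_HEADERS = 0x400
# (name, characteristics, raw_offset, raw_size, virtual_address, virtual_size)
SECTIONS = [
    (".text",  0x60000020, 0x400,   0x6200,  0x1000,  0x6117),
    (".rdata", 0x40000040, 0x6600,  0x7200,  0x8000,  0x7022),
    (".data",  0xC0000040, 0xD800,  0x600,   0x10000, 0x7FC),
    (".rsrc",  0x40000040, 0xDE00,  0xC2000, 0x11000, 0xC1E30),
    (".reloc", 0x42000040, 0xCFE00, 0x800,   0xD3000, 0x770),
]

# IMAGE_SCN_* bits that matter for triage (winnt.h values).
SCN_FLAGS = {
    0x00000020: "CODE",
    0x00000040: "INITIALIZED_DATA",
    0x00000080: "UNINITIALIZED_DATA",
    0x00008000: "GPREL",
    0x02000000: "DISCARDABLE",
    0x04000000: "NOT_CACHED",
    0x08000000: "NOT_PAGED",
    0x10000000: "SHARED",
    0x20000000: "EXECUTE",
    0x40000000: "READ",
    0x80000000: "WRITE",
}


def decode_flags(characteristics):
    """Names of the IMAGE_SCN_* bits set in a section's Characteristics DWORD."""
    return [name for bit, name in sorted(SCN_FLAGS.items()) if characteristics & bit]


def section_for_rva(rva, sections=SECTIONS):
    """Section whose mapped range covers rva, or None for the header area / gaps."""
    for sec in sections:
        _, _, _, rsize, va, vsize = sec
        # The loader maps the larger of VirtualSize and SizeOfRawData.
        if va <= rva < va + max(vsize, rsize):
            return sec
    return None


def rva_to_offset(rva, sections=SECTIONS, headers=SIZE_OF_HEADERS):
    """File offset backing an RVA; None if the RVA is only virtual (zero-filled)."""
    if rva < headers:
        return rva                      # headers are mapped 1:1 at the image base
    sec = section_for_rva(rva, sections)
    if sec is None:
        return None
    _, _, roff, rsize, va, _ = sec
    delta = rva - va
    return roff + delta if delta < rsize else None


def va_to_offset(va, image_base=IMAGE_BASE, sections=SECTIONS):
    """Same as rva_to_offset, for absolute VAs such as the IAT slots in Flow Anomalies."""
    return rva_to_offset(va - image_base, sections)


def check_entry_point(ep_rva, sections=SECTIONS):
    """(section name, file offset, is_executable) for the entry point RVA."""
    sec = section_for_rva(ep_rva, sections)
    if sec is None:
        return (None, None, False)
    name, chars = sec[0], sec[1]
    return (name, rva_to_offset(ep_rva, sections), "EXECUTE" in decode_flags(chars))


if __name__ == "__main__":
    print("entry point:", check_entry_point(0x6197))            # (".text", 0x5597, True)
    print("resource @110B0 ->", hex(rva_to_offset(0x110B0)))   # 0xdeb0, as in Resources
    print("IAT slot 10008180 ->", hex(va_to_offset(0x10008180)))
    for name, chars, *_ in SECTIONS:
        print(f"{name:7s} {chars:08X} {decode_flags(chars)}")
```

Running it reproduces 5597 for the entry point and DEB0 for the payload resource; `decode_flags(0x42000040)` yields INITIALIZED_DATA, DISCARDABLE, READ, which is the correct reading of the .reloc flags.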

Signatures
Rich Signature Analyzer:
Code -> B3895369F7E83D3AF7E83D3AF7E83D3AFE90AE3AFFE83D3A70613E3BF5E83D3A7061393BFDE83D3A7061383BE5E83D3A70613C3BF3E83D3A78613C3BF8E83D3AF7E83C3A3DE83D3A6161343BF6E83D3A61613D3BF6E83D3A6161C23AF6E83D3AF7E8AA3AF6E83D3A61613F3BF6E83D3A52696368F7E83D3A
Footprint md5 Hash -> 15EB9E1F58120282EA4C6A733161B37A
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found:
• The file is not signed
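The raw Rich blob printed above can be decoded offline without the binary. The following Python is an added example, not PESCAN's code: it takes the hex exactly as shown, recovers the XOR key from the four bytes after "Rich", verifies the "DanS" marker and its three zero padding DWORDs, and splits the body into (product id, build, count) triples. It deliberately ships no prodid-to-tool-name table, and it cannot verify the checksum folded into the key, because that also covers the DOS header bytes, which the report does not reproduce.

```python
import struct

# Rich header bytes exactly as printed in the report above (XOR-encoded, file byte order).
RICH_BLOB = bytes.fromhex(
    "B3895369F7E83D3AF7E83D3AF7E83D3AFE90AE3AFFE83D3A70613E3BF5E83D3A"
    "7061393BFDE83D3A7061383BE5E83D3A70613C3BF3E83D3A78613C3BF8E83D3A"
    "F7E83C3A3DE83D3A6161343BF6E83D3A61613D3BF6E83D3A6161C23AF6E83D3A"
    "F7E8AA3AF6E83D3A61613F3BF6E83D3A52696368F7E83D3A"
)


def decode_rich(blob: bytes):
    """Decode a raw Rich header.

    On-disk layout: 'DanS'^key, key, key, key, then pairs of
    (compid^key, count^key), then the literal 'Rich' and the 4-byte key.
    compid is a little-endian DWORD packing (prodid << 16) | build.
    Returns (key, [(prodid, build, count), ...]).
    """
    if len(blob) % 4 or blob[-8:-4] != b"Rich":
        raise ValueError("blob does not end with 'Rich' + key")
    key = blob[-4:]
    words = [blob[i:i + 4] for i in range(0, len(blob) - 8, 4)]
    plain = [bytes(a ^ b for a, b in zip(w, key)) for w in words]
    if plain[0] != b"DanS" or any(p != b"\0\0\0\0" for p in plain[1:4]):
        raise ValueError("DanS marker/padding mismatch (wrong key or truncated blob)")
    entries = []
    for comp, cnt in zip(plain[4::2], plain[5::2]):
        compid = struct.unpack("<I", comp)[0]
        count = struct.unpack("<I", cnt)[0]
        entries.append((compid >> 16, compid & 0xFFFF, count))
    return key, entries


def toolchain_builds(entries):
    """Distinct non-zero compiler/linker build numbers recorded in the header."""
    return sorted({build for _, build, _ in entries if build})


if __name__ == "__main__":
    key, entries = decode_rich(RICH_BLOB)
    print("key:", key.hex().upper())
    for prodid, build, count in entries:
        print(f"prodid=0x{prodid:04X} build={build:5d} count={count}")
    print("builds:", toolchain_builds(entries))
```

For this blob the key is F7E83D3A and there are twelve entries. Eleven object-file entries carry builds 35207, 35215 and 35222 (the 19.44.x compiler family, matching the 14.44 linker DiE reports) plus eight objects built with build 30729, an old 9.0-era toolset; the entry with prodid 1 and build 0 (count 202) conventionally counts imported symbols. A modified or zeroed key makes the DanS check fail, which is the cheap way to spot a tampered Rich header before trusting the "apparently not modified" verdict.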

Packer/Compiler
Compiler: Microsoft Visual Studio
Detect It Easy (die)
PE: linker: Microsoft Linker(14.44**)[-]  (toolset 14.44 ships with Visual Studio 2022 17.14)
Entropy: 7.78282 (whole file; dominated by .rsrc, which is 776 KB of the 833 KB at entropy 7.82, so the embedded resource looks compressed or encrypted, while the DLL's own code in .text is an unremarkable 6.39)

Suspicious Functions
Library Function Description
KERNEL32.DLL LoadLibraryA Loads the specified module into the address space of the calling process.
KERNEL32.DLL GetProcAddress Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL IsDebuggerPresent Determines if the calling process is being debugged by a user-mode debugger.
ET (Export Table) Functions (carving)
Original Name -> DLL.dll
• The export directory names the module DLL.dll (the PDB path below ends in \Release\DLL.pdb) while the version resource claims OriginalFilename Setup.exe. Besides RunDLL and _vkEnumerateInstanceVersion it exports the SQLite C API surface (sqlite3_*), i.e. the DLL carries the export table of a sqlite3-like library, which is a common way to pass as a legitimate dependency.
RunDLL
_vkEnumerateInstanceVersion
sqlite3_aggregate_context
sqlite3_aggregate_count
sqlite3_auto_extension
sqlite3_backup_finish
sqlite3_backup_init
sqlite3_backup_pagecount
sqlite3_backup_remaining
sqlite3_backup_step
sqlite3_bind_blob
sqlite3_bind_blob64
sqlite3_bind_double
sqlite3_bind_int
sqlite3_bind_int64
sqlite3_bind_null
sqlite3_bind_parameter_count
sqlite3_bind_parameter_index
sqlite3_bind_parameter_name
sqlite3_bind_text
sqlite3_bind_text16
sqlite3_bind_text64
sqlite3_bind_value
sqlite3_bind_zeroblob
sqlite3_bind_zeroblob64
sqlite3_blob_bytes
sqlite3_blob_close
sqlite3_blob_open
sqlite3_blob_read
sqlite3_blob_reopen
sqlite3_blob_write
sqlite3_busy_handler
sqlite3_busy_timeout
sqlite3_cancel_auto_extension
sqlite3_changes
sqlite3_clear_bindings
sqlite3_close
sqlite3_close_v2
sqlite3_collation_needed
sqlite3_collation_needed16
sqlite3_column_blob
sqlite3_column_bytes
sqlite3_column_bytes16
sqlite3_column_count
sqlite3_column_database_name
sqlite3_column_database_name16
sqlite3_column_decltype
sqlite3_column_decltype16
sqlite3_column_double
sqlite3_column_int
sqlite3_column_int64
sqlite3_column_name
sqlite3_column_name16
sqlite3_column_origin_name
sqlite3_column_origin_name16
sqlite3_column_table_name
sqlite3_column_table_name16
sqlite3_column_text
sqlite3_column_text16
sqlite3_column_type
sqlite3_column_value
sqlite3_commit_hook
sqlite3_compileoption_get
sqlite3_compileoption_used
sqlite3_complete
sqlite3_complete16
sqlite3_config
sqlite3_context_db_handle
sqlite3_create_collation
sqlite3_create_collation16
sqlite3_create_collation_v2
sqlite3_create_function
sqlite3_create_function16
sqlite3_create_function_v2
sqlite3_create_module
sqlite3_create_module_v2
sqlite3_data_count
sqlite3_data_directory
sqlite3_db_cacheflush
sqlite3_db_config
sqlite3_db_filename
sqlite3_db_handle
sqlite3_db_mutex
sqlite3_db_readonly
sqlite3_db_release_memory
sqlite3_db_status
sqlite3_declare_vtab
sqlite3_enable_load_extension
sqlite3_enable_shared_cache
sqlite3_errcode
sqlite3_errmsg
sqlite3_errmsg16
sqlite3_errstr
sqlite3_exec
sqlite3_expanded_sql
sqlite3_expired
sqlite3_extended_errcode
sqlite3_extended_result_codes
sqlite3_file_control
sqlite3_finalize
sqlite3_free
sqlite3_free_table
sqlite3_fts5_may_be_corrupt
sqlite3_get_autocommit
sqlite3_get_auxdata
sqlite3_get_table
sqlite3_global_recover
sqlite3_initialize
sqlite3_interrupt
sqlite3_last_insert_rowid
sqlite3_libversion
sqlite3_libversion_number
sqlite3_limit
sqlite3_load_extension
sqlite3_log
sqlite3_malloc
sqlite3_malloc64
sqlite3_memory_alarm
sqlite3_memory_highwater
sqlite3_memory_used
sqlite3_mprintf
sqlite3_msize
sqlite3_mutex_alloc
sqlite3_mutex_enter
sqlite3_mutex_free
sqlite3_mutex_leave
sqlite3_mutex_try
sqlite3_next_stmt
sqlite3_open
sqlite3_open16
sqlite3_open_v2
sqlite3_os_end
sqlite3_os_init
sqlite3_overload_function
sqlite3_prepare
sqlite3_prepare16
sqlite3_prepare16_v2
sqlite3_prepare_v2
sqlite3_profile
sqlite3_progress_handler
sqlite3_randomness
sqlite3_realloc
sqlite3_realloc64
sqlite3_release_memory
sqlite3_reset
sqlite3_reset_auto_extension
sqlite3_result_blob
sqlite3_result_blob64
sqlite3_result_double
sqlite3_result_error
sqlite3_result_error16
sqlite3_result_error_code
sqlite3_result_error_nomem
sqlite3_result_error_toobig
sqlite3_result_int
sqlite3_result_int64
sqlite3_result_null
sqlite3_result_subtype
sqlite3_result_text
sqlite3_result_text16
sqlite3_result_text16be
sqlite3_result_text16le
sqlite3_result_text64
sqlite3_result_value
sqlite3_result_zeroblob
sqlite3_result_zeroblob64
sqlite3_rollback_hook
sqlite3_rtree_geometry_callback
sqlite3_rtree_query_callback
sqlite3_set_authorizer
sqlite3_set_auxdata
sqlite3_shutdown
sqlite3_sleep
sqlite3_snprintf
sqlite3_soft_heap_limit
sqlite3_soft_heap_limit64
sqlite3_sourceid
sqlite3_sql
sqlite3_status
sqlite3_status64
sqlite3_step
sqlite3_stmt_busy
sqlite3_stmt_readonly
sqlite3_stmt_status
sqlite3_strglob
sqlite3_stricmp
sqlite3_strlike
sqlite3_strnicmp
sqlite3_system_errno
sqlite3_table_column_metadata
sqlite3_temp_directory
sqlite3_test_control
sqlite3_thread_cleanup
sqlite3_threadsafe
sqlite3_total_changes
sqlite3_trace
sqlite3_trace_v2
sqlite3_transfer_bindings
sqlite3_update_hook
sqlite3_uri_boolean
sqlite3_uri_int64
sqlite3_uri_parameter
sqlite3_user_data
sqlite3_value_blob
sqlite3_value_bytes
sqlite3_value_bytes16
sqlite3_value_double
sqlite3_value_dup
sqlite3_value_free
sqlite3_value_int
sqlite3_value_int64
sqlite3_value_numeric_type
sqlite3_value_subtype
sqlite3_value_text
sqlite3_value_text16
sqlite3_value_text16be
sqlite3_value_text16le
sqlite3_value_type
sqlite3_version
sqlite3_vfs_find
sqlite3_vfs_register
sqlite3_vfs_unregister
sqlite3_vmprintf
sqlite3_vsnprintf
sqlite3_vtab_config
sqlite3_vtab_on_conflict
sqlite3_wal_autocheckpoint
sqlite3_wal_checkpoint
sqlite3_wal_checkpoint_v2
sqlite3_wal_hook
sqlite3_win32_is_nt
sqlite3_win32_mbcs_to_utf8
sqlite3_win32_mbcs_to_utf8_v2
sqlite3_win32_set_directory
sqlite3_win32_sleep
sqlite3_win32_unicode_to_utf8
sqlite3_win32_utf8_to_mbcs
sqlite3_win32_utf8_to_mbcs_v2
sqlite3_win32_utf8_to_unicode
sqlite3_win32_write_debug

Windows REG (UNICODE)
Software\Classes\CLSID\

File Access
WS2_32.dll
SHELL32.dll
RPCRT4.dll
OLEAUT32.dll
ole32.dll
ntdll.dll
KERNEL32.DLL
IPHLPAPI.DLL
ADVAPI32.dll
api-ms-win-crt-heap-l1-1-0.dll
api-ms-win-crt-filesystem-l1-1-0.dll
api-ms-win-crt-stdio-l1-1-0.dll
api-ms-win-crt-runtime-l1-1-0.dll
VCRUNTIME140.dll
MSVCP140.dll
USER32.dll
DLL.dll
.dat
@.dat
Temp

File Access (UNICODE)
Setup.exe
ip-api.com/json/setup.exe
explorer.exe
• Intelligent String below lists ip-api.com and setup.exe as separate strings, so the middle entry is most likely two adjacent wide strings run together by the extractor. ip-api.com is a public IP-geolocation JSON service; a lookup there fits the getaddrinfo/WS2_32 and IPHLPAPI imports and is typical first-beacon behaviour.

Interest's Words
exec
start
shutdown
rundll
expand

Interest's Words (UNICODE)
expand

IP Addresses
12.8.17.13 (identical to FileVersion/ProductVersion in the version resource: the dotted-quad regex matched the version string, so this is not a network indicator)

PE Carving
Start Offset  End Offset  Size (Bytes)
0             DEB0        DEB0
DEB0          D0600       C2750
• The second image starts at DEB0, the file offset of resource \RDATA\101\1028, and the carver simply ran to end of file (D0600). That resource is C1C00 bytes (DEB0 + C1C00 = CFAB0, exactly where the manifest resource begins), so the embedded PE is at most C1C00 bytes; the remaining C2750 - C1C00 bytes of this "carved" range are the outer DLL's manifest and .reloc section, not payload.
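The PE Carving table above ends the embedded image at end of file because the carver only looks for the next "MZ". The following Python is an added example, not PESCAN's code: it scans a buffer for "MZ", validates e_lfanew and the "PE\0\0" signature, and sizes each hit from its own section table (largest PointerToRawData + SizeOfRawData), which is the bound a loader actually needs. The host buffer, the stray "MZ" decoy and the tiny sample image inside it are constructed here for the demonstration; they are not the real payload.

```python
import struct

PE_SIG = b"PE\0\0"


def pe_extent(buf: bytes, base: int):
    """If buf[base:] starts a well-formed PE, return its on-disk size, else None.

    The size comes from the section table (max PointerToRawData + SizeOfRawData),
    not from the end of the containing file, but is never allowed past EOF.
    """
    if buf[base:base + 2] != b"MZ" or len(buf) < base + 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", buf, base + 0x3C)[0]
    pe = base + e_lfanew
    # e_lfanew above 0x1000 is a heuristic cut-off for stray 'MZ' bytes (assumption).
    if e_lfanew > 0x1000 or pe + 24 > len(buf) or buf[pe:pe + 4] != PE_SIG:
        return None
    n_sections = struct.unpack_from("<H", buf, pe + 6)[0]      # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = struct.unpack_from("<H", buf, pe + 20)[0]       # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    sec_tbl = pe + 24 + opt_size
    end = sec_tbl + 40 * n_sections                            # absolute end of the headers
    if not 0 < n_sections <= 96 or end > len(buf):
        return None
    for i in range(n_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", buf, sec_tbl + 40 * i + 16)
        end = max(end, base + raw_ptr + raw_size)
    return min(end, len(buf)) - base


def carve_pe(buf: bytes):
    """Return [(offset, size)] for every embedded PE image found in buf."""
    found = []
    pos = buf.find(b"MZ")
    while pos != -1:
        size = pe_extent(buf, pos)
        if size:
            found.append((pos, size))
        pos = buf.find(b"MZ", pos + 1)
    return found


def build_sample_pe() -> bytes:
    """Constructed sample: a minimal well-formed PE32 with one .text section."""
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)        # PE32 magic, remaining fields zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x0102)
    hdr_len = 0x40 + 4 + len(coff) + len(opt) + 40              # DOS + sig + COFF + optional + 1 section
    raw_ptr = (hdr_len + 0x1FF) & ~0x1FF                        # file-align the section body
    code = b"\xC3" * 0x200                                      # 512 bytes of RET
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, len(code), raw_ptr,
                      0, 0, 0, 0, 0x60000020)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    img = dos + PE_SIG + coff + opt + sec
    return img + b"\0" * (raw_ptr - len(img)) + code


# Constructed host: padding, a decoy 'MZ' followed by garbage, the sample image, then a trailer.
SAMPLE_PE = build_sample_pe()
HOST = b"\0" * 0x100 + b"MZ" + b"\xFF" * 0x50 + SAMPLE_PE + b"\0" * 0x80

if __name__ == "__main__":
    for off, size in carve_pe(HOST):
        print(f"embedded PE at {off:#x}, {size:#x} bytes")        # 0x152, 0x400
```

The decoy "MZ" is rejected because its e_lfanew is garbage, and the real image is reported with its section-derived size (0x400) even though 0x80 trailer bytes follow it. Applied to the report's DLL, the same logic would bound the payload at DEB0 by the embedded image's own section table rather than at D0600.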
Strings/Hex Code Found With The File Rules
Rule Type    Encoding     Matched (Word)
Text         Ascii        WinAPI Sockets (bind)
Text         Ascii        Registry (RegCreateKeyEx)
Text         Ascii        Registry (RegSetValueEx)
Text         Ascii        File (GetTempPath)
Text         Ascii        Anti-Analysis VM (IsDebuggerPresent)
Text         Ascii        Stealth (CloseHandle)
Text         Ascii        Stealth (VirtualProtect)
Text         Ascii        Execution (CreateProcessW)
Entry Point  Hex Pattern  CAN (Crunched ANsi) file
Entry Point  Hex Pattern  Microsoft Visual C++ v7.0
Entry Point  Hex Pattern  PE-Exe Executable Image
• The three entry-point hex-pattern hits are loose PEiD-style signatures that contradict each other (a "crunched ANSI" packer versus MSVC 7.0) and DiE, which reads linker 14.44 from the headers; treat them as noise. The string hits together (RegCreateKeyEx/RegSetValueEx, GetTempPath, CreateProcessW, VirtualProtect, bind) are consistent with dropping the embedded PE to %TEMP%, registering it and executing it, but they are strings, not observed behaviour.
Resources
Path: \RDATA\101\1028   DataRVA: 110B0   Size: C1C00   FileOffset: DEB0    PE/Payload: Executable found
  Code: 4D5A90000300000004000000FFFF0000B8000000000000004000000000000000000000000000000000000000000000000000
  Text: MZ......................@.........................
Path: \24\2\1033        DataRVA: D2CB0   Size: 17D     FileOffset: CFAB0   PE/Payload: N/A
  Code: 3C3F786D6C2076657273696F6E3D27312E302720656E636F64696E673D275554462D3827207374616E64616C6F6E653D2779
  Text: <?xml version='1.0' encoding='UTF-8' standalone='y
• The first resource is a custom RDATA type, name 101, language 1028 (Chinese Traditional, Taiwan), and starts with a complete DOS header (MZ, e_lfanew-style layout): this is the second executable. The second is type 24 (RT_MANIFEST), language 1033 (en-US), 0x17D bytes, the asInvoker manifest reported above.
Intelligent String
• Setup.exe
• 12.8.17.13
• ip-api.com
• setup.exe
• )\Release\DLL.pdb
• .bss
• USER32.dll
• MSVCP140.dll
• getaddrinfoWS2_32.dll
• api-ms-win-crt-runtime-l1-1-0.dll
• api-ms-win-crt-stdio-l1-1-0.dll
• api-ms-win-crt-filesystem-l1-1-0.dll
• api-ms-win-crt-heap-l1-1-0.dll
• $vbd.

Flow Anomalies
• Every target below lies in ImageBase+8000..ImageBase+8254, i.e. inside the IAT (IAT RVA 8000, at the start of .rdata). These are ordinary call dword ptr [imp_X] import thunks emitted by the MSVC linker, which this scanner reports as indirect calls to absolute addresses; they are not evidence of injected or self-modifying code. Offset is the file offset of the instruction and the second column is the VA of the IAT slot it reads (not an RVA).
Offset  Target (VA)  Section  Description
43E 10008180 .text CALL [static] | Indirect call to absolute memory address
470 1000817C .text CALL [static] | Indirect call to absolute memory address
4AA 1000817C .text CALL [static] | Indirect call to absolute memory address
51E 10008180 .text CALL [static] | Indirect call to absolute memory address
55E 10008180 .text CALL [static] | Indirect call to absolute memory address
585 10008090 .text CALL [static] | Indirect call to absolute memory address
5EE 10008180 .text CALL [static] | Indirect call to absolute memory address
690 10008198 .text CALL [static] | Indirect call to absolute memory address
6B1 1000810C .text CALL [static] | Indirect call to absolute memory address
6E4 100081A0 .text CALL [static] | Indirect call to absolute memory address
70E 1000810C .text CALL [static] | Indirect call to absolute memory address
714 1000818C .text CALL [static] | Indirect call to absolute memory address
78A 10008194 .text CALL [static] | Indirect call to absolute memory address
7AB 1000810C .text CALL [static] | Indirect call to absolute memory address
7B2 10008190 .text CALL [static] | Indirect call to absolute memory address
7CA 100081A4 .text CALL [static] | Indirect call to absolute memory address
7EB 1000810C .text CALL [static] | Indirect call to absolute memory address
7F7 100081AC .text CALL [static] | Indirect call to absolute memory address
7FE 10008190 .text CALL [static] | Indirect call to absolute memory address
80F 100081AC .text CALL [static] | Indirect call to absolute memory address
833 100081A8 .text CALL [static] | Indirect call to absolute memory address
939 100081F4 .text CALL [static] | Indirect call to absolute memory address
AF8 100081F4 .text CALL [static] | Indirect call to absolute memory address
B8C 1000819C .text CALL [static] | Indirect call to absolute memory address
BCA 100081B0 .text CALL [static] | Indirect call to absolute memory address
C84 100081B0 .text CALL [static] | Indirect call to absolute memory address
C99 10008190 .text CALL [static] | Indirect call to absolute memory address
C9F 1000818C .text CALL [static] | Indirect call to absolute memory address
EA6 100081F4 .text CALL [static] | Indirect call to absolute memory address
EEE 10008010 .text CALL [static] | Indirect call to absolute memory address
F9F 1000801C .text CALL [static] | Indirect call to absolute memory address
105F 100081F4 .text CALL [static] | Indirect call to absolute memory address
10B4 100081F4 .text CALL [static] | Indirect call to absolute memory address
1110 10008140 .text CALL [static] | Indirect call to absolute memory address
111C 10008114 .text CALL [static] | Indirect call to absolute memory address
112F 10008048 .text CALL [static] | Indirect call to absolute memory address
113F 1000801C .text CALL [static] | Indirect call to absolute memory address
1200 100081F4 .text CALL [static] | Indirect call to absolute memory address
1255 100081F4 .text CALL [static] | Indirect call to absolute memory address
12B1 10008140 .text CALL [static] | Indirect call to absolute memory address
12BD 10008114 .text CALL [static] | Indirect call to absolute memory address
12CA 10008028 .text CALL [static] | Indirect call to absolute memory address
12D8 1000801C .text CALL [static] | Indirect call to absolute memory address
139F 100081F4 .text CALL [static] | Indirect call to absolute memory address
13F4 100081F4 .text CALL [static] | Indirect call to absolute memory address
1450 10008140 .text CALL [static] | Indirect call to absolute memory address
145C 10008114 .text CALL [static] | Indirect call to absolute memory address
1468 10008020 .text CALL [static] | Indirect call to absolute memory address
1476 10008044 .text CALL [static] | Indirect call to absolute memory address
14EA 10008148 .text CALL [static] | Indirect call to absolute memory address
1503 10008110 .text CALL [static] | Indirect call to absolute memory address
152E 100080B4 .text CALL [static] | Indirect call to absolute memory address
15CA 100081F4 .text CALL [static] | Indirect call to absolute memory address
1626 10008140 .text CALL [static] | Indirect call to absolute memory address
1632 10008114 .text CALL [static] | Indirect call to absolute memory address
1688 10008140 .text CALL [static] | Indirect call to absolute memory address
1691 10008114 .text JMP [static] | Indirect jump to absolute memory address
1724 100080F8 .text CALL [static] | Indirect call to absolute memory address
172D 10008108 .text CALL [static] | Indirect call to absolute memory address
1735 100080F4 .text CALL [static] | Indirect call to absolute memory address
1798 10008254 .text CALL [static] | Indirect call to absolute memory address
17AC 1000824C .text CALL [static] | Indirect call to absolute memory address
17BD 10008250 .text CALL [static] | Indirect call to absolute memory address
18E2 10008000 .text CALL [static] | Indirect call to absolute memory address
1926 100081F4 .text CALL [static] | Indirect call to absolute memory address
1988 10008004 .text CALL [static] | Indirect call to absolute memory address
1A27 100081F4 .text CALL [static] | Indirect call to absolute memory address
1A3D 10008008 .text CALL [static] | Indirect call to absolute memory address
1ADD 1000802C .text CALL [static] | Indirect call to absolute memory address
1B1F 100081F4 .text CALL [static] | Indirect call to absolute memory address
1B3B 10008014 .text CALL [static] | Indirect call to absolute memory address
1B5D 10008244 .text CALL [static] | Indirect call to absolute memory address
1B63 10008248 .text CALL [static] | Indirect call to absolute memory address
1BA1 10008140 .text CALL [static] | Indirect call to absolute memory address
1BAD 10008114 .text CALL [static] | Indirect call to absolute memory address
1BEB 10008140 .text CALL [static] | Indirect call to absolute memory address
1BF7 10008114 .text CALL [static] | Indirect call to absolute memory address
1C35 10008140 .text CALL [static] | Indirect call to absolute memory address
1C41 10008114 .text CALL [static] | Indirect call to absolute memory address
1D15 100081F4 .text CALL [static] | Indirect call to absolute memory address
1D7C 10008040 .text CALL [static] | Indirect call to absolute memory address
1D96 1000823C .text CALL [static] | Indirect call to absolute memory address
1DA5 10008034 .text CALL [static] | Indirect call to absolute memory address
1DB1 100081D4 .text CALL [static] | Indirect call to absolute memory address
1DF7 10008018 .text CALL [static] | Indirect call to absolute memory address
1E89 100081D4 .text CALL [static] | Indirect call to absolute memory address
1EA3 10008030 .text CALL [static] | Indirect call to absolute memory address
1EAC 10008158 .text CALL [static] | Indirect call to absolute memory address
1F70 10008144 .text CALL [static] | Indirect call to absolute memory address
1F8B 100080D0 .text CALL [static] | Indirect call to absolute memory address
1F98 10008144 .text CALL [static] | Indirect call to absolute memory address
1FEE 100080C0 .text CALL [static] | Indirect call to absolute memory address
2017 100080C4 .text CALL [static] | Indirect call to absolute memory address
2061 100080C0 .text CALL [static] | Indirect call to absolute memory address
2085 100080B4 .text CALL [static] | Indirect call to absolute memory address
20A8 100080B4 .text CALL [static] | Indirect call to absolute memory address
20AE 10008078 .text CALL [static] | Indirect call to absolute memory address
20BD 100080A0 .text CALL [static] | Indirect call to absolute memory address
2100 100080B8 .text CALL [static] | Indirect call to absolute memory address
210C 100080CC .text CALL [static] | Indirect call to absolute memory address
Extra Analysis
Metric Value Percentage
Ascii Code 551137 64,5735%
Null Byte Code 25331 2,9679%
© 2026 All rights reserved.