PESCAN.IO - Analysis Report

File Structure
Analysis Image
PE Chart Code
The executable header is displayed in light blue.
The executable sections are pink.
Non-executable sections are black.
Code added to executables externally to a compiler appears in red.
If the File Structure content appears in red, it means the PE header is malformed or corrupted.
Chart Code For Other Files
Printable characters are blue.
Non-printable characters (Null Bytes) are black.
Information
Icon: Icon
Size: 11,27 MB
SHA-256 Hash: 597396ECACE126BB5F698641E80147E2D76AEC61D046BDE99F661BD0BBCDE104
SHA-1 Hash: 799615CD84BE23ACF485922384C3C0B9412B2FE7
MD5 Hash: 08DB8C1FF0CFA96F30E52B3C82A3C4BB
Imphash: 965E162FE6366EE377AA9BC80BDD5C65
MajorOSVersion: 6
CheckSum: 00B504E9
EntryPoint (rva): CE30
SizeOfHeaders: 400
SizeOfImage: 4E000
ImageBase: 0000000140000000
Architecture: x64
ImportTable: 3DD7C
Characteristics: 22
TimeDateStamp: 68069609
Date: 21/04/2025 19:01:29
File Type: EXE
Number Of Sections: 7
ASLR: Disabled
Section Names (Optional Header): .text, .rdata, .data, .pdata, .fptable, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker
Sections Info
Section Name Flags ROffset RSize VOffset VSize
.text 60000020 (Executable) 400 2A600 1000 2A4E0
.rdata 40000040 2AA00 12E00 2C000 12DB0
.data C0000040 (Writeable) 3D800 E00 3F000 5350
.pdata 40000040 3E600 2400 45000 228C
.fptable C0000040 (Writeable) 40A00 200 48000 100
.rsrc 40000040 40C00 3800 49000 3668
.reloc 42000040 44400 800 4D000 764
Description
InternalName: Windows.WARP.JITService.exe
OriginalFilename: Windows.WARP.JITService.exe
CompanyName: Microsoft Corporation
LegalCopyright: Microsoft Corporation. All rights reserved.
ProductName: Microsoft Windows Operating System
FileVersion: 10.0.22621.3672 (WinBuild.160101.0800)
Binder/Joiner/Crypter
Dropper code detected (EOF) - 10,96 MB
Entry Point
The section number (1) have the Entry Point
Information -> EntryPoint (calculated) - C230
Code -> 4883EC28E8570200004883C428E97AFEFFFFCCCCCCCCCCCCCCCCCCCCCCCCCCCC4883EC28E82306000085C0742165488B0425
SUB RSP, 0X28
CALL 0X1260
ADD RSP, 0X28
JMP 0XE8C
INT3
INT3
INT3
INT3
INT3
INT3
INT3
INT3
INT3
INT3
INT3
INT3
INT3
INT3
SUB RSP, 0X28
CALL 0X164C
TEST EAX, EAX
JE 0X104E
Signatures
CheckSum Integrity Problem:
Header: 11863273
Calculated: 11845589
Rich Signature Analyzer:
Code -> C9A8F5FF8DC99BAC8DC99BAC8DC99BACF9489EAD3AC99BACF9489FAD81C99BACF94898AD85C99BAC9C4F66AC8EC99BAC9C4F98AD84C99BAC9C4F9FAD9CC99BAC9C4F9EADA5C99BACF9489AAD86C99BAC8DC99AAC13C99BAC754E9FAD94C99BAC754E99AD8CC99BAC526963688DC99BAC
Footprint md5 Hash -> 29F47DFBAAC01D2564822BAD05BC33F3
• The Rich header apparently has not been modified
Certificate - Digital Signature:
• The file is signed but has been modified
Packer/Compiler
Detect It Easy (die)
PE+(64): compiler: Microsoft Visual C/C++(-)[-]
PE+(64): linker: Microsoft Linker(14.43**)[EXE64,signed]
PE+(64): overlay: zlib archive(-)[-]
Entropy: 7.99627
Suspicious Functions
Library Function Description
KERNEL32.DLL GetProcAddress | Possible Call API By Name Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL WriteFile Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL GetProcAddress Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL IsDebuggerPresent Determines if the calling process is being debugged by a user-mode debugger.
File Access
brar.exe
%s%c%s.exe
9python313.dll
bucrtbase.dll
bsqlite3.dll
bpython313.dll
blibssl-3.dll
blibffi-8.dll
blibcrypto-3.dll
bapi-ms-win-crt-utility-l1-1-0.dll
bapi-ms-win-crt-time-l1-1-0.dll
bapi-ms-win-crt-string-l1-1-0.dll
bapi-ms-win-crt-stdio-l1-1-0.dll
bapi-ms-win-crt-runtime-l1-1-0.dll
bapi-ms-win-crt-process-l1-1-0.dll
bapi-ms-win-crt-math-l1-1-0.dll
bapi-ms-win-crt-locale-l1-1-0.dll
bapi-ms-win-crt-heap-l1-1-0.dll
bapi-ms-win-crt-filesystem-l1-1-0.dll
bapi-ms-win-crt-environment-l1-1-0.dll
bapi-ms-win-crt-convert-l1-1-0.dll
bapi-ms-win-crt-conio-l1-1-0.dll
bapi-ms-win-core-util-l1-1-0.dll
bapi-ms-win-core-timezone-l1-1-0.dll
bapi-ms-win-core-sysinfo-l1-1-0.dll
bapi-ms-win-core-synch-l1-2-0.dll
bapi-ms-win-core-synch-l1-1-0.dll
bapi-ms-win-core-string-l1-1-0.dll
bapi-ms-win-core-rtlsupport-l1-1-0.dll
bapi-ms-win-core-profile-l1-1-0.dll
bapi-ms-win-core-processthreads-l1-1-1.dll
bapi-ms-win-core-processthreads-l1-1-0.dll
bapi-ms-win-core-processenvironment-l1-1-0.dll
bapi-ms-win-core-namedpipe-l1-1-0.dll
bapi-ms-win-core-memory-l1-1-0.dll
bapi-ms-win-core-localization-l1-2-0.dll
bapi-ms-win-core-libraryloader-l1-1-0.dll
bapi-ms-win-core-interlocked-l1-1-0.dll
bapi-ms-win-core-heap-l1-1-0.dll
bapi-ms-win-core-handle-l1-1-0.dll
bapi-ms-win-core-file-l2-1-0.dll
bapi-ms-win-core-file-l1-2-0.dll
bapi-ms-win-core-file-l1-1-0.dll
bapi-ms-win-core-fibers-l1-1-0.dll
bapi-ms-win-core-errorhandling-l1-1-0.dll
bapi-ms-win-core-debug-l1-1-0.dll
bapi-ms-win-core-datetime-l1-1-0.dll
bapi-ms-win-core-console-l1-1-0.dll
bVCRUNTIME140_1.dll
bVCRUNTIME140.dll
GDI32.dll
ADVAPI32.dll
KERNEL32.dll
COMCTL32.dll
USER32.dll
Path of ucrtbase.dll
ucrtbase.dll
.scR
setuptools._distutils.sys
setuptools._vendor.jar
setuptools._vendor.jar
!setuptools._vendor.jar
setuptools._vendor.jar
bwheel-0.45.1.dist-info\entry_points.txt
bwheel-0.45.1.dist-info\LICENSE.txt
bsetuptools\_vendor\jaraco\text\Lorem ipsum.txt
bsetuptools\_vendor\importlib_metadata-8.0.0.dist-info\top_level.txt
Temp
File Access (UNICODE)
VCRUNTIME140.dll
VCRUNTIME140_1.dll
mscoree.dll
JITService.exe
Not enough memory to complete call to strerror..exe
arp j
Temp
Interest's Words
PADDINGX
exec
attrib
start
hostname
shutdown
ping
expand
replace
Interest's Words (UNICODE)
<form
exec
expand
URLs
http://schemas.microsoft.com/SMI/2016/WindowsSettings
http://crl.comodoca.com/AAACertificateServices.crl
http://ocsp.comodoca.com
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0
http://ocsp.sectigo.com
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt
http://s.symcd.com
http://s.symcb.com/universal-root.crl
http://ts-crl.ws.symantec.com/sha256-tss-ca.crl
http://ts-ocsp.ws.symantec.com
http://ts-aia.ws.symantec.com/sha256-tss-ca.cer
https://sectigo.com/CPS0
https://d.symcb.com/cps0%
https://d.symcb.com/rpa0.
https://d.symcb.com/rpa0@
Payloads
Unusual BP Cave > 15 Bytes - (0xCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC...)
Strings/Hex Code Found With The File Rules
Rule Text (Ascii): WinAPI Sockets (connect)
Rule Text (Ascii): WinAPI Sockets (send)
Rule Text (Ascii): File (GetTempPath)
Rule Text (Ascii): File (CreateFile)
Rule Text (Ascii): File (WriteFile)
Rule Text (Ascii): File (ReadFile)
Rule Text (Ascii): Anti-Analysis VM (IsDebuggerPresent)
Rule Text (Ascii): Stealth (VirtualProtect)
Rule Text (Ascii): Execution (CreateProcessW)
Rule Text (Unicode): Execution (CreateProcessW)
Rule Text (Ascii): Antivirus Software (comodo)
Rule Text (Ascii): Antivirus Software (Symantec)
Rule Text (Ascii): Stealer malware focused on obtaining CVV codes to conduct unauthorized transactions (CVV)
Rule Text (Ascii): Malware that monitors and collects user data (Spy)
EP Rules: Microsoft Visual C++ 8.0 (DLL)
EP Rules: Microsoft Visual C++ 8.0
EP Rules: PE-Exe Executable Image
Resources
Path DataRVA Size FileOffset CodeText
\ICON\1\0 491F0 2AC 40DF0 89504E470D0A1A0A0000000D49484452000000100000001008060000001FF3FF610000027349444154789C9553BF6B1A511C.PNG........IHDR................a...sIDATx..S.k.Q.
\ICON\2\0 4949C 496 4109C 89504E470D0A1A0A0000000D4948445200000018000000180806000000E0773DF80000045D49444154789CAD564D482B5714.PNG........IHDR..............w=....]IDATx..VMH+W.
\ICON\3\0 49934 6B8 41534 89504E470D0A1A0A0000000D4948445200000020000000200806000000737A7AF40000067F49444154789CBD576F4C535714.PNG........IHDR... ... .....szz.....IDATx..WoLSW.
\ICON\4\0 49FEC BA5 41BEC 89504E470D0A1A0A0000000D49484452000000300000003008060000005702F98700000B6C49444154789CED596B6C54651A.PNG........IHDR...0...0.....W......lIDATx..YklTe.
\ICON\5\0 4AB94 11A4 42794 89504E470D0A1A0A0000000D4948445200000040000000400806000000AA6971DE0000116B49444154789CED9B0970556596.PNG........IHDR...@...@......iq....kIDATx....pUe.
\GROUP_ICON\1\0 4BD38 4C 43938 0000010005001010000000002000AC020000010018180000000020009604000002002020000000002000B806000003003030............ ............. ....... .... .......00
\VERSION\1\0 4BD84 3D4 43984 D40334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
\24\1\0 4C158 50D 43D58 3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E653D2279<?xml version="1.0" encoding="UTF-8" standalone="y
Intelligent String
• Windows.WARP.JITService.exe
• VCRUNTIME140.dll
• VCRUNTIME140_1.dll
• %s%c%s.pkg
• %s%c%s.exe
• devbase_library.zip
• ucrtbase.dll
• status_texttk.tcl
• Visual C++ CRT: Not enough memory to complete call to strerror..exe
• .cmd
• .bat
• .com
• mscoree.dll
• .bss
• COMCTL32.dll
• ADVAPI32.dll
• GDI32.dll
• <longPathAware xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">true</longPathAware>
• vJrRH
• )sqlite3.dump)r
• b_asyncio.pyd
• b_bz2.pyd
• b_ctypes.pyd
• b_decimal.pyd
• b_hashlib.pyd
• b_lzma.pyd
• b_multiprocessing.pyd
• b_overlapped.pyd
• b_queue.pyd
• b_socket.pyd
• b_sqlite3.pyd
• b_ssl.pyd
• b_wmi.pyd
• bapi-ms-win-core-console-l1-1-0.dll
• bapi-ms-win-core-datetime-l1-1-0.dll
• bapi-ms-win-core-debug-l1-1-0.dll
• bapi-ms-win-core-errorhandling-l1-1-0.dll
• bapi-ms-win-core-fibers-l1-1-0.dll
• bapi-ms-win-core-file-l1-1-0.dll
• bapi-ms-win-core-file-l1-2-0.dll
• bapi-ms-win-core-file-l2-1-0.dll
• bapi-ms-win-core-handle-l1-1-0.dll
• bapi-ms-win-core-heap-l1-1-0.dll
• bapi-ms-win-core-interlocked-l1-1-0.dll
• bapi-ms-win-core-libraryloader-l1-1-0.dll
• bapi-ms-win-core-localization-l1-2-0.dll
• bapi-ms-win-core-memory-l1-1-0.dll
• bapi-ms-win-core-namedpipe-l1-1-0.dll
• bapi-ms-win-core-processenvironment-l1-1-0.dll
• bapi-ms-win-core-processthreads-l1-1-0.dll
• bapi-ms-win-core-processthreads-l1-1-1.dll
• bapi-ms-win-core-profile-l1-1-0.dll
• bapi-ms-win-core-rtlsupport-l1-1-0.dll
• bapi-ms-win-core-string-l1-1-0.dll
• bapi-ms-win-core-synch-l1-1-0.dll
• bapi-ms-win-core-synch-l1-2-0.dll
• bapi-ms-win-core-sysinfo-l1-1-0.dll
• bapi-ms-win-core-timezone-l1-1-0.dll
• bapi-ms-win-core-util-l1-1-0.dll
• bapi-ms-win-crt-conio-l1-1-0.dll
• bapi-ms-win-crt-convert-l1-1-0.dll
• bapi-ms-win-crt-environment-l1-1-0.dll
• bapi-ms-win-crt-filesystem-l1-1-0.dll
• bapi-ms-win-crt-heap-l1-1-0.dll
• bapi-ms-win-crt-locale-l1-1-0.dll
• bapi-ms-win-crt-math-l1-1-0.dll
• bapi-ms-win-crt-process-l1-1-0.dll
• bapi-ms-win-crt-runtime-l1-1-0.dll
• bapi-ms-win-crt-stdio-l1-1-0.dll
• bapi-ms-win-crt-string-l1-1-0.dll
• bapi-ms-win-crt-time-l1-1-0.dll
• bapi-ms-win-crt-utility-l1-1-0.dll
• bbase_library.zip
• bblank.aes
• blibcrypto-3.dll
• blibffi-8.dll
• blibssl-3.dll
• bpyexpat.pyd
• bpython313.dll
• brar.exe
• brarreg.key
• bselect.pyd
• bsetuptools\_vendor\importlib_metadata-8.0.0.dist-info\top_level.txt
• bsetuptools\_vendor\jaraco\text\Lorem ipsum.txt
• bsqlite3.dll
• bucrtbase.dll
• bunicodedata.pyd
• bwheel-0.45.1.dist-info\LICENSE.txt
• bwheel-0.45.1.dist-info\entry_points.txt
• nG7AtAtzPYZ.pyz
• 9python313.dll
• +0U 00U 0g0KUD0B0@><:http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0{+o0m0F+0:http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0+0http://ocsp.sectigo.com0*H_6rZ-9JZBJ
Extra Analysis
Metric Value Percentage
Ascii Code 8086594 68,4539%
Null Byte Code 102549 0,8681%
© 2025 All rights reserved.