PREMIUM PESCAN.IO - Analysis Report
| File Structure |
[PE layout chart not reproduced in this extract. Chart legend: PE header (light blue), executable sections (pink), non-executable sections (black), external injected code (red); a file structure drawn in red indicates a malformed or corrupted header. Legend for non-PE files: printable characters (blue), non-printable characters (black).]
| Information |
| Field | Value |
|---|---|
| Size | 481,50 KB |
| SHA-256 Hash | 2083F8F020E70D6CBC297D65953333D181DD251A0BC5CE1A49B4F018A3E26FDE |
| SHA-1 Hash | 6F128A46CAAB6FF79762DE5E42C776562FB33E5C |
| MD5 Hash | 0B24C6E63D13C3F5E577CD7AE1286C8A |
| Imphash | 36A8F09A2BA830FC08B8B6BBA7C9D4C5 |
| MajorOSVersion | 5 |
| MinorOSVersion | 1 |
| CheckSum | 00000000 |
| EntryPoint (RVA) | 3504F |
| SizeOfHeaders | 400 |
| SizeOfImage | 7F000 |
| ImageBase | 10000000 |
| Architecture | x86 |
| ImportTable | 6E120 |
| Characteristics | 2102 |
| TimeDateStamp | 69E3201D |
| Date | 18/04/2026 6:09:33 |
| File Type | DLL |
| Number Of Sections | 5 |
| ASLR | Disabled |
| Section Names | .text, .rdata, .data, .rsrc, .reloc |
| Number Of Executable Sections | 1 |
| Subsystem | Windows GUI |
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 0x60000020 Code Executable Readable | 400 | 56000 | 1000 | 56000 | | |
| .rdata | 0xC0000040 Initialized Data Readable Writeable | 56400 | 18C00 | 57000 | 19000 | | |
| .data | 0xC0000040 Initialized Data Readable Writeable | 6F000 | E00 | 70000 | 6000 | | |
| .rsrc | 0x40000040 Initialized Data Readable | 6FE00 | 4C00 | 76000 | 5000 | | |
| .reloc | 0x42000040 Initialized Data GP-Relative Readable | 74A00 | 3C00 | 7B000 | 4000 | | |
| Entry Point |
Section 1 (.text) contains the entry point.
EntryPoint (calculated): 3444F
Code: 558BEC837D0C017505E870040000FF7510FF750CFF7508E8B3FEFFFF83C40C5DC20C00558BEC81EC24030000536A17E8660E
Assembler:
PUSH EBP
MOV EBP, ESP
CMP DWORD PTR [EBP + 0XC], 1
JNE 0X100E
CALL 0X147E
PUSH DWORD PTR [EBP + 0X10]
PUSH DWORD PTR [EBP + 0XC]
PUSH DWORD PTR [EBP + 8]
CALL 0XECF
ADD ESP, 0XC
POP EBP
RET 0XC
PUSH EBP
MOV EBP, ESP
SUB ESP, 0X324
PUSH EBX
PUSH 0X17
| Signatures |
Rich Signature Analyzer
Code: C578D2538119BC008119BC008119BC0035854D009219BC0035854F002B19BC0035854E009F19BC00886138008019BC001FB97B008319BC00D371B901B719BC00D371B8019E19BC00D371BF019B19BC0088612F009619BC008119BD00B718BC002F70B501EF19BC002F7043008019BC002F70BE018019BC00526963688119BC
Footprint MD5 hash: AE89D4CECAE7DEFF701A502907F182D3
• Unusual or modified Rich structure: (8119BC)
Certificate
• Digital Signature Not Found: the file is not signed
| Packer/Compiler |
Compiler: Microsoft Visual Studio
Detect It Easy (die):
• PE: linker: Microsoft Linker(14.16, Visual Studio 2017 15.9*)[-]
• Entropy: 6.63455
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | CreateMutexA | Create a named or unnamed mutex object for controlling access to a shared resource. |
| KERNEL32.DLL | GetModuleFileNameA | Retrieve the fully qualified path for the executable file of a specified module. |
| KERNEL32.DLL | VirtualAlloc | Reserve, commit, or both, a region of memory within the virtual address space of a process. |
| KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module. |
| KERNEL32.DLL | CopyFileW | Copies an existing file to a new file. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | LoadLibraryW | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | CreateToolhelp32Snapshot | Creates a snapshot of the specified processes, heaps, threads, and modules. |
| KERNEL32.DLL | WriteProcessMemory | Writes data to an area of memory in a specified process. |
| KERNEL32.DLL | ReadProcessMemory | Reads data from an area of memory in a specified process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | DeleteFileA | Deletes an existing file. |
| KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |
| Ws2_32.DLL | socket | Create a communication endpoint for networking applications. |
| URLMON.DLL | URLDownloadToFileW | Download a file from the internet and save it to a local file. |
| ADVAPI32.DLL | RegDeleteKeyA | Used to delete a subkey and its values from the Windows registry. |
| ADVAPI32.DLL | RegSetValueExA | Sets the data and type of a specified value under a registry key. |
| SHELL32.DLL | ShellExecuteW | Performs a run operation on a specific file. |
| SHELL32.DLL | ShellExecuteExA | Performs a run operation on a specific file. |
| NtosKrnl.exe | ZwClose | Closes a handle to an object. |
| NtosKrnl.exe | ZwCreateSection | Creates a section object that maps a view of a file into memory. |
| NtosKrnl.exe | ZwMapViewOfSection | Maps a section object into the address space of a process. |
| NtosKrnl.exe | ZwUnmapViewOfSection | Unmaps a mapped view of a section from a process's address space. |
| Windows REG |
• Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
• SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
• SOFTWARE\Microsoft\Windows NT\CurrentVersion
• Software\Microsoft\Windows\CurrentVersion\Uninstall
| Windows REG (UNICODE) |
• Software\Microsoft\Windows\CurrentVersion\Run\
• Software\Brave-Browser\Application\brave.exe
• Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
• Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
• Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| File Access |
• powershell.exe
• werfault.exe
• cmd.exe
• rundll32.exe
• WININET.dll
• gdiplus.dll
• urlmon.dll
• WS2_32.dll
• WINMM.dll
• SHLWAPI.dll
• SHELL32.dll
• ADVAPI32.dll
• GDI32.dll
• USER32.dll
• KERNEL32.dll
• bcrypt.dll
• PowrProf.dll
• .dat
• license_code.txt
• Temp
• AppData
• UserProfile
| File Access (UNICODE) |
• cmd.exe
• \Google\Chrome\Application\Chrome.exe
• Exewerfault.exe
• kernel32.dll
• ntdll.dll
• Wtsapi32.dll
• mscoree.dll
• api-ms-win-core-synch-l1-2-0.dll
• \sysinfo.txt
• Temp
• WinDir
• ProgramFiles
• AppData
• UserProfile
| Interesting Words |
• PADDINGX
• Encrypt
• KeyLogger
• exec
• powershell
• attrib
• start
• pause
• shutdown
• rundll32
• systeminfo
• rundll
• expand
| URLs (UNICODE) |
| https://pro.ip-api.com/line/?key=QPVvv1rHQJD2pd2&fields=25948155 |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | WinAPI Sockets (connect) |
| Text | Ascii | Registry (RegCreateKeyEx) |
| Text | Ascii | Registry (RegOpenKeyEx) |
| Text | Ascii | Registry (RegSetValueEx) |
| Text | Ascii | File (GetTempPath) |
| Text | Ascii | File (CopyFile) |
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | File (ReadFile) |
| Text | Ascii | Encryption API (CryptAcquireContext) |
| Text | Ascii | Encryption API (CryptReleaseContext) |
| Text | Ascii | Anti-Analysis VM (IsDebuggerPresent) |
| Text | Ascii | Anti-Analysis VM (GlobalMemoryStatusEx) |
| Text | Ascii | Anti-Analysis VM (GetVersion) |
| Text | Ascii | Anti-Analysis VM (CreateToolhelp32Snapshot) |
| Text | Ascii | Reconnaissance (FindFirstFileA) |
| Text | Ascii | Reconnaissance (FindNextFileA) |
| Text | Ascii | Reconnaissance (FindFirstFileW) |
| Text | Ascii | Reconnaissance (FindNextFileW) |
| Text | Ascii | Reconnaissance (FindClose) |
| Text | Ascii | Stealth (GetThreadContext) |
| Text | Ascii | Stealth (SetThreadContext) |
| Text | Ascii | Stealth (ExitThread) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Stealth (IsBadReadPtr) |
| Text | Ascii | Stealth (VirtualAlloc) |
| Text | Ascii | Stealth (VirtualProtect) |
| Text | Ascii | Stealth (ReadProcessMemory) |
| Text | Ascii | Stealth (NtUnmapViewOfSection) |
| Text | Ascii | Stealth (CreateProcessInternalW) |
| Text | Ascii | Execution (CreateProcessA) |
| Text | Ascii | Execution (CreateProcessW) |
| Text | Ascii | Execution (ShellExecute) |
| Text | Ascii | Execution (ResumeThread) |
| Text | Ascii | Execution (CreateSemaphoreW) |
| Text | Ascii | Execution (CreateEventA) |
| Text | Ascii | Execution (CreateEventW) |
| Text | Ascii | Privileges (SeShutdownPrivilege) |
| Text | Ascii | Keyboard Key ([Ctrl+) |
| Text | Ascii | Keyboard Key ([Enter]) |
| Text | Ascii | Keyboard Key ([Tab]) |
| Text | Ascii | Keyboard Key ([End]) |
| Text | Ascii | Keyboard Key ([Alt]) |
| Text | Ascii | Keyboard Key ([Esc]) |
| Text | Ascii | Keyboard Key ([Menu]) |
| Text | Ascii | Keyboard Key ([Pause]) |
| Text | Ascii | Keyboard Key ([Space]) |
| Text | Ascii | Keyboard Key ([Ctrl+V]) |
| Text | Ascii | Keyboard Key ([F1]) |
| Text | Ascii | Keyboard Key ([F2]) |
| Text | Ascii | Keyboard Key ([F3]) |
| Text | Ascii | Keyboard Key ([F4]) |
| Text | Ascii | Keyboard Key ([F5]) |
| Text | Ascii | Keyboard Key ([F6]) |
| Text | Ascii | Keyboard Key ([F7]) |
| Text | Ascii | Keyboard Key ([F8]) |
| Text | Ascii | Keyboard Key ([F9]) |
| Text | Ascii | Keyboard Key ([F10]) |
| Text | Ascii | Keyboard Key ([F11]) |
| Text | Ascii | Keyboard Key ([F12]) |
| Text | Ascii | Keyboard Key ([Esc]) |
| Text | Ascii | Malicious access method to bypass normal authentication (Backdoor) |
| Text | Ascii | Small piece of code used as the payload in an exploit (Shellcode) |
| Text | Ascii | Software that records keystrokes to steal credentials (Keylogger) |
| Text | Ascii | Technique used to circumvent security measures (Bypass) |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \ICON\1\1033 | 7618C | 468 | 6FF8C | 2800000010000000200000000100200000000000400400000000000000000000000000000000000000000000000000000000 | (....... ..... .....@............................. |
| \ICON\2\1033 | 765F4 | 988 | 703F4 | 2800000018000000300000000100200000000000600900000000000000000000000000000000000000000000000000000000 | (.......0..... .................................. |
| \ICON\3\1033 | 76F7C | 10A8 | 70D7C | 2800000020000000400000000100200000000000801000000000000000000000000000000000000000000000000000000000 | (... ...@..... ................................... |
| \ICON\4\1033 | 78024 | 25A8 | 71E24 | 2800000030000000600000000100200000000000802500000000000000000000000000000000000000000000000000000000 | (...0........ ......%............................ |
| \RCDATA\SETTINGS\0 | 7A5CC | 2D6 | 743CC | B60230FD7A4CF9D44140D98851EF3C575CF677236F905D262E389BD6FAEB3429EB588399A0788BA255738D99DBCE1E154233 | ..0.zL..A@..Q.<W\.wo.]&.8....4).X...x..Us......B3 |
| \GROUP_ICON\123\1033 | 7A8A4 | 3E | 746A4 | 000001000400101000000100200068040000010018180000010020008809000002002020000001002000A810000003003030000001002000A82500000400 | ............ .h........... ....... .... .......00.... ..%.... |
| Intelligent String |
• api-ms-win-core-synch-l1-2-0.dll
• mscoree.dll
• .wav
• string too long
• invalid string position
• rundll32.exe
• Exewerfault.exe
• werfault.exe
• \Google\Chrome\Application\Chrome.exe
• \BraveSoftware\Brave-Browser\Application\brave.exe
• \AppData\Local\Google\Chrome\User Data\Default\Login Data
• [Chrome StoredLogins not found]
• [Chrome StoredLogins found, cleared!]
• [Firefox StoredLogins not found]
• \logins.json
• [Firefox StoredLogins Cleared!]
• [Cleared browsers logins and cookies.]
• Cleared browsers logins and cookies.
• license_code.txt
• https://pro.ip-api.com/line/?key=QPVvv1rHQJD2pd2&fields=25948155
• cmd.exe
• \sysinfo.txt
• -ExecutionPolicy Bypass -File "powershell.exe
• User32.dll
• alarm.wav
• Wtsapi32.dll
• bcrypt.dll
• Advapi32.dll
• BreakingSecurity.net
• ntdll.dll
• kernel32.dll
• G:\Projects\Remcos\Backdoor\Release\Backdoor.pdb
• .tls
• .bss
• ADVAPI32.dll
• urlmon.dll
| Flow Anomalies |
| Offset | RVA | Section | Type | Description |
|---|---|---|---|---|
| 87C | 10057178 | .text | CALL [static] | Indirect call to absolute memory address |
| 883 | 100570EC | .text | CALL [static] | Indirect call to absolute memory address |
| 921 | 100570E0 | .text | CALL [static] | Indirect call to absolute memory address |
| 928 | 100570EC | .text | CALL [static] | Indirect call to absolute memory address |
| AFE | 10057428 | .text | CALL [static] | Indirect call to absolute memory address |
| B17 | 1005742C | .text | CALL [static] | Indirect call to absolute memory address |
| B87 | 10057420 | .text | CALL [static] | Indirect call to absolute memory address |
| B9D | 10057430 | .text | CALL [static] | Indirect call to absolute memory address |
| C87 | 100572D8 | .text | CALL [static] | Indirect call to absolute memory address |
| D9E | 10057424 | .text | CALL [static] | Indirect call to absolute memory address |
| E20 | 100572F0 | .text | CALL [static] | Indirect call to absolute memory address |
| EB6 | 10057428 | .text | CALL [static] | Indirect call to absolute memory address |
| F0B | 10057420 | .text | CALL [static] | Indirect call to absolute memory address |
| F1A | 10057430 | .text | CALL [static] | Indirect call to absolute memory address |
| F26 | 1005742C | .text | CALL [static] | Indirect call to absolute memory address |
| 102A | 10057424 | .text | CALL [static] | Indirect call to absolute memory address |
| 1068 | 10057420 | .text | CALL [static] | Indirect call to absolute memory address |
| 1077 | 10057430 | .text | CALL [static] | Indirect call to absolute memory address |
| 10F9 | 100572DC | .text | CALL [static] | Indirect call to absolute memory address |
| 11F9 | 100572D4 | .text | CALL [static] | Indirect call to absolute memory address |
| 1211 | 100572E8 | .text | CALL [static] | Indirect call to absolute memory address |
| 122C | 100572E0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1237 | 10057434 | .text | CALL [static] | Indirect call to absolute memory address |
| 123E | 10057444 | .text | CALL [static] | Indirect call to absolute memory address |
| 2FAF | 100572D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 3168 | 10071B28 | .text | CALL [static] | Indirect call to absolute memory address |
| 3198 | 100572D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 31A8 | 10071B24 | .text | CALL [static] | Indirect call to absolute memory address |
| 31CE | 10071B28 | .text | CALL [static] | Indirect call to absolute memory address |
| 31E0 | 10071B24 | .text | CALL [static] | Indirect call to absolute memory address |
| 3330 | 10071B2C | .text | CALL [static] | Indirect call to absolute memory address |
| 3347 | 10071B20 | .text | CALL [static] | Indirect call to absolute memory address |
| 3546 | 1005745C | .text | CALL [static] | Indirect call to absolute memory address |
| 358C | 100572C8 | .text | CALL [static] | Indirect call to absolute memory address |
| 35B2 | 10057464 | .text | CALL [static] | Indirect call to absolute memory address |
| 35ED | 10057458 | .text | CALL [static] | Indirect call to absolute memory address |
| 3767 | 10057450 | .text | CALL [static] | Indirect call to absolute memory address |
| 382B | 10057460 | .text | CALL [static] | Indirect call to absolute memory address |
| 383C | 100572CC | .text | CALL [static] | Indirect call to absolute memory address |
| 386A | 100572C4 | .text | CALL [static] | Indirect call to absolute memory address |
| 3A43 | 100572CC | .text | CALL [static] | Indirect call to absolute memory address |
| 3A61 | 100572C4 | .text | CALL [static] | Indirect call to absolute memory address |
| 3A78 | 10057454 | .text | CALL [static] | Indirect call to absolute memory address |
| 3A9D | 100572C0 | .text | CALL [static] | Indirect call to absolute memory address |
| 3AC0 | 100572C0 | .text | CALL [static] | Indirect call to absolute memory address |
| 3CF3 | 100572B8 | .text | CALL [static] | Indirect call to absolute memory address |
| 3D07 | 100572C0 | .text | CALL [static] | Indirect call to absolute memory address |
| 3D12 | 100572CC | .text | CALL [static] | Indirect call to absolute memory address |
| 3D1B | 100572D4 | .text | CALL [static] | Indirect call to absolute memory address |
| 3D85 | 100572C4 | .text | CALL [static] | Indirect call to absolute memory address |
| 3D8E | 100572D4 | .text | CALL [static] | Indirect call to absolute memory address |
| 3D9C | 10057468 | .text | CALL [static] | Indirect call to absolute memory address |
| 3F0A | 100572BC | .text | CALL [static] | Indirect call to absolute memory address |
| 3F58 | 100572B8 | .text | CALL [static] | Indirect call to absolute memory address |
| 3F6B | 100572C0 | .text | CALL [static] | Indirect call to absolute memory address |
| 3FB5 | 100572BC | .text | CALL [static] | Indirect call to absolute memory address |
| 4012 | 100572BC | .text | CALL [static] | Indirect call to absolute memory address |
| 40B1 | 100572B8 | .text | CALL [static] | Indirect call to absolute memory address |
| 40BD | 100572C4 | .text | CALL [static] | Indirect call to absolute memory address |
| 40C8 | 100572CC | .text | CALL [static] | Indirect call to absolute memory address |
| 40D1 | 100572D4 | .text | CALL [static] | Indirect call to absolute memory address |
| 4104 | 100572CC | .text | CALL [static] | Indirect call to absolute memory address |
| 415C | 100572D4 | .text | CALL [static] | Indirect call to absolute memory address |
| 416B | 100572C4 | .text | CALL [static] | Indirect call to absolute memory address |
| 4796 | 100572C4 | .text | CALL [static] | Indirect call to absolute memory address |
| 47EE | 10071B70 | .text | CALL [static] | Indirect call to absolute memory address |
| 482F | 100573F4 | .text | CALL [static] | Indirect call to absolute memory address |
| 483E | 100573FC | .text | CALL [static] | Indirect call to absolute memory address |
| 4849 | 100573F8 | .text | CALL [static] | Indirect call to absolute memory address |
| 4918 | 10071B64 | .text | CALL [static] | Indirect call to absolute memory address |
| 4940 | 10071B6C | .text | CALL [static] | Indirect call to absolute memory address |
| 4C8A | 100572A4 | .text | CALL [static] | Indirect call to absolute memory address |
| 4CE2 | 100572D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 4D07 | 100572A8 | .text | CALL [static] | Indirect call to absolute memory address |
| 4D34 | 100572B4 | .text | CALL [static] | Indirect call to absolute memory address |
| 4E31 | 100572E4 | .text | CALL [static] | Indirect call to absolute memory address |
| 4E4B | 100572D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 4E64 | 100572B0 | .text | CALL [static] | Indirect call to absolute memory address |
| 4FC4 | 10073B4C | .text | CALL [static] | Indirect call to absolute memory address |
| 502E | 10073B48 | .text | CALL [static] | Indirect call to absolute memory address |
| 511F | 10073B50 | .text | CALL [static] | Indirect call to absolute memory address |
| 5E39 | 10073B58 | .text | CALL [static] | Indirect call to absolute memory address |
| 5E6C | 10073B58 | .text | CALL [static] | Indirect call to absolute memory address |
| 5FB0 | 10073B58 | .text | CALL [static] | Indirect call to absolute memory address |
| 5FE3 | 10073B58 | .text | CALL [static] | Indirect call to absolute memory address |
| 6133 | 10073B54 | .text | CALL [static] | Indirect call to absolute memory address |
| 6287 | 10073B54 | .text | CALL [static] | Indirect call to absolute memory address |
| 67BB | 10071B7C | .text | CALL [static] | Indirect call to absolute memory address |
| 67D2 | 10071B80 | .text | CALL [static] | Indirect call to absolute memory address |
| 67DF | 10071B7C | .text | CALL [static] | Indirect call to absolute memory address |
| 67F6 | 10071B80 | .text | CALL [static] | Indirect call to absolute memory address |
| 6803 | 10071B7C | .text | CALL [static] | Indirect call to absolute memory address |
| 681A | 10071B80 | .text | CALL [static] | Indirect call to absolute memory address |
| 6931 | 10057350 | .text | CALL [static] | Indirect call to absolute memory address |
| 69DC | 1005729C | .text | CALL [static] | Indirect call to absolute memory address |
| 6AA4 | 100572CC | .text | CALL [static] | Indirect call to absolute memory address |
| 6AD6 | 100572A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 6BA2 | 100572D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 6C98 | 10057350 | .text | CALL [static] | Indirect call to absolute memory address |
| 6D24 | 10057350 | .text | CALL [static] | Indirect call to absolute memory address |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 283760 | 57,5513% |
| Null Byte Code | 76238 | 15,4623% |