PREMIUM PESCAN.IO - Analysis Report

File Structure
Analysis Image
PE Chart Code
Executable header (light blue)
Executable sections (pink)
Non-executable sections (black)
External injected code (red)
File Structure in red = malformed or corrupted header
Chart Code For Other Files
Printable characters (blue)
Non-printable characters (black)
Information
Icon: Icon
Size: 4,02 MB
SHA-256 Hash: 0B3A5A436BE69F5E20AC0FD84DAB58E27ABB3CC5ECB821A182DA5A3C25418FEB
SHA-1 Hash: 6CC1205AE97744AE4EBFED85577404A03E4D64F0
MD5 Hash: 0B32762B67C07329013D3B4F01B9F840
Imphash: 9ACCC748A9D89A334D2FC419EC39655A
MajorOSVersion: 5
CheckSum: 004122F6
EntryPoint (rva): 113BC
SizeOfHeaders: 400
SizeOfImage: 28000
ImageBase: 400000
Architecture: x86
ImportTable: 19000
Characteristics: 818F
TimeDateStamp: 56812D97
Date: 28/12/2015 12:39:51
File Type: EXE
Number Of Sections: 8
ASLR: Enabled
Section Names: .text, .itext, .data, .bss, .idata, .tls, .rdata, .rsrc
Number Of Executable Sections: 2
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker
UAC Execution Level Manifest: highestAvailable
Sections Info
Section Name Flags ROffset RSize VOffset VSize
.text 60000020 (Executable) 400 F200 1000 F134
.itext 60000020 (Executable) F600 C00 11000 B44
.data C0000040 (Writeable) 10200 E00 12000 C88
.bss C0000000 (Writeable) 11000 0 13000 56B8
.idata C0000040 (Writeable) 11000 E00 19000 DD0
.tls C0000000 (Writeable) 11E00 0 1A000 8
.rdata 40000040 11E00 200 1B000 18
.rsrc 40000040 12000 B200 1C000 B200
Description
InternalName: StarCraft II Setup
OriginalFilename: StarCraft-II-Setup.exe
CompanyName: Blizzard Entertainment
LegalCopyright: 2005-2017 Blizzard Entertainment Inc.
ProductName: StarCraft II Setup
FileVersion: 1.14.2.2882
Binder/Joiner/Crypter
2 Executable files found
Dropper code detected (EOF) - 3,86 MB
Entry Point
The section number (2) - (.itext) have the Entry Point
Information -> EntryPoint (calculated) - F9BC
Code -> 558BEC83C4A453565733C08945C48945C08945A48945D08945C88945CC8945D48945D88945ECB834004100E8E851FFFF33C0
PUSH EBP
MOV EBP, ESP
ADD ESP, -0X5C
PUSH EBX
PUSH ESI
PUSH EDI
XOR EAX, EAX
MOV DWORD PTR [EBP - 0X3C], EAX
MOV DWORD PTR [EBP - 0X40], EAX
MOV DWORD PTR [EBP - 0X5C], EAX
MOV DWORD PTR [EBP - 0X30], EAX
MOV DWORD PTR [EBP - 0X38], EAX
MOV DWORD PTR [EBP - 0X34], EAX
MOV DWORD PTR [EBP - 0X2C], EAX
MOV DWORD PTR [EBP - 0X28], EAX
MOV DWORD PTR [EBP - 0X14], EAX
MOV EAX, 0X410034
CALL 0XFFFF6218
XOR EAX, EAX
Signatures
CheckSum Integrity Problem:
Header: 4268790
Calculated: 4249858
Certificate - Digital Signature:
• The file is signed but has been modified
Packer/Compiler
Compiler: Borland Delphi 7
Detect It Easy (die)
PE: installer: Inno Setup Module(5.5.7)[unicode]
PE: compiler: Embarcadero Delphi(2009-2010)[-]
PE: linker: Turbo Linker(2.25*,Delphi)[EXE32,signed]
PE: overlay: Inno Setup Installer data(-)[-]
Entropy: 7.59308
Suspicious Functions
Library Function Description
KERNEL32.DLL GetProcAddress | Possible Call API By Name Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL CreateMutexW Create a named or unnamed mutex object for controlling access to a shared resource.
KERNEL32.DLL VirtualAlloc Reserve, commit, or both, a region of memory within the virtual address space of a process.
KERNEL32.DLL CopyFileW Copies an existing file to a new file.
KERNEL32.DLL WriteFile Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL LoadLibraryA Loads the specified module into the address space of the calling process.
KERNEL32.DLL LoadLibraryW Loads the specified module into the address space of the calling process.
KERNEL32.DLL GetProcAddress Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
ADVAPI32.DLL RegCreateKeyExA Creates a new registry key or opens an existing one.
ADVAPI32.DLL RegSetValueExA Sets the data and type of a specified value under a registry key.
SHELL32.DLL ShellExecuteW Performs a run operation on a specific file.
SHELL32.DLL ShellExecuteExW Performs a run operation on a specific file.
Windows REG
Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
SOFTWARE\Microsoft\Windows\CurrentVersion
Software\Microsoft\Windows\CurrentVersion\ProfileReconciliation
Windows REG (UNICODE)
Software\Microsoft\Windows\CurrentVersion
Software\Microsoft\Windows\CurrentVersion\RunOnce
Software\Microsoft\Windows\CurrentVersion\Uninstall
Software\Microsoft\Windows NT\CurrentVersion\Fonts
Software\Microsoft\Windows\CurrentVersion\Fonts
Software\Microsoft\Windows\CurrentVersion\SharedDLLs
Software\Borland\Delphi\Locales
Software\Borland\Locales
Software\CodeGear\Locales
SOFTWARE\Borland\Delphi\RTL
SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
SOFTWARE\Microsoft\.NETFramework
SOFTWARE\Microsoft\.NETFramework\Policy\v4.0
SOFTWARE\Microsoft\.NETFramework\Policy\v2.0
SOFTWARE\Microsoft\.NETFramework\Policy\v1.1
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Software\Microsoft\Windows\CurrentVersion\Uninstall\
Software\Microsoft\Windows\CurrentVersion\App Paths\
SOFTWARE\Microsoft\Windowsx( NT\CurrentVersion
SYSTEM\CurrentControlSet\Control\Session Manager
SYSTEM\CurrentControlSet\Control\Keyboard Layouts\
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
System\CurrentControlSet\Control\Windows
System\CurrentControlSet\Control\ProductOptions
Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\Run
File Access
sophoshealth.exe
nswscsvc.exe
avgui.exe
avastui.exe
opssvc.exe
wrsa.exe
cmd.exe
.dll
SHFOLDER.dll
ADVAPI32.dll
KERNEL32.dll
shell32.dll
shlwapi.dll
OLEAUT32.dll
COMCTL32.dll
ole32.dll
comdlg32.dll
mpr.dll
version.dll
gdi32.dll
msimg32.dll
user32.dll
ISCrypt.dll
Temp
WinDir
AppData
File Access (UNICODE)
kernel32.dll
comctl32.dll
advapi32.dll
user32.dll
uxtheme.dll
shell32.dll
shfolder.dll
exe,*.dll
oleaut32.dll
ole32.dll
imm32.dll
shlwapi.dll
oleacc.dll
Rstrtmgr.dll
sfc.dll
Fusion.dll
_isetup\_shfoldr.dll
Failed to get version numbers of _shfoldr.dll
_isetup\_isdecmp.dll
_isetup\_iscrypt.dll
cmd.exe
StarCraft-II-Setup.exe
regsvr32.exe
*.exe
3u.txt
Desktop.ini
desktop.ini
Temp
ProgramFiles
AppData
UserProfile
Interest's Words
PADDINGX
PassWord
exec
tasklist
attrib
start
pause
shutdown
systeminfo
ping
expand
replace
Interest's Words (UNICODE)
ToolBar
Encrypt
PassWord
exec
regsvr32
netsh
attrib
start
pause
shutdown
systeminfo
ping
expand
replace
URLs
http://schemas.microsoft.com/SMI/2005/WindowsSettings
http://ocsp.thawte.com
http://crl.thawte.com/ThawteTimestampingCA.crl
http://ts-ocsp.ws.symantec.com
http://ts-aia.ws.symantec.com/tss-ca-g2.cer
http://ts-crl.ws.symantec.com/tss-ca-g2.crl
http://ocsp.digicert.com
http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl
http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
http://crl3.digicert.com/sha2-assured-cs-g1.crl
http://crl4.digicert.com/sha2-assured-cs-g1.crl
http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt
https://www.digicert.com/CPS0
URLs (UNICODE)
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
http://www.innosetup.com/
http://www.remobjects.com/ps
Payloads
Unusual BP Cave > 15 Bytes - (0xCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC...)
PE Carving
Start Offset Header End Offset Size (Bytes)
0 29F5C2 29F5C2
29F5C2 2A00BE AFC
2A00BE 3B42AA 1141EC
3B42AA 3B6162 1EB8
3B6162 4053F0 4F28E
Strings/Hex Code Found With The File Rules
Rule Type Encoding Matched (Word)
Text Unicode WinAPI Sockets (accept)
Text Ascii WinAPI Sockets (connect)
Text Unicode WinAPI Sockets (send)
Text Ascii Registry (RegCreateKeyEx)
Text Unicode Registry (RegCreateKeyEx)
Text Ascii Registry (RegOpenKeyEx)
Text Unicode Registry (RegOpenKeyEx)
Text Ascii Registry (RegSetValueEx)
Text Unicode Registry (RegSetValueEx)
Text Unicode Registry (RegDeleteKeyEx)
Text Ascii Registry (RegGetValue)
Text Ascii File (CopyFile)
Text Ascii File (CreateFile)
Text Unicode File (CreateFile)
Text Ascii File (WriteFile)
Text Ascii File (ReadFile)
Text Ascii Anti-Analysis VM (GetSystemInfo)
Text Ascii Anti-Analysis VM (GetVersion)
Text Unicode Anti-Analysis VM (GetVersion)
Text Ascii Stealth (VirtualAlloc)
Text Ascii Stealth (VirtualProtect)
Text Ascii Execution (CreateProcessW)
Text Ascii Execution (ShellExecute)
Text Unicode Execution (ShellExecute)
Text Ascii Execution (ResumeThread)
Text Ascii Antivirus Software (avast)
Text Ascii Antivirus Software (sophos)
Text Ascii Antivirus Software (Symantec)
Text Unicode Privileges (SeShutdownPrivilege)
Text Unicode Keyboard Key (Alt+)
Text Ascii Keyboard Key (Scroll)
Text Unicode Keyboard Key (Scroll)
Text Unicode Keyboard Key (UpArrow)
Text Ascii Malicious rerouting of traffic to an attacker-controlled site (Redirect)
Text Unicode Malicious rerouting of traffic to an attacker-controlled site (Redirect)
Entry Point Hex Pattern Borland Delphi 4.0
Entry Point Hex Pattern fasm -> Tomasz Grysztar
Entry Point Hex Pattern Stranik 1.3 Modula/C/Pascal
Resources
Path DataRVA Size FileOffset CodeText
\ICON\1\1043 1C41C 128 1241C 2800000010000000200000000100040000000000C00000000000000000000000000000000000000000000000008000008000(....... .........................................
\ICON\2\1043 1C544 568 12544 2800000010000000200000000100080000000000400100000000000000000000000000000000000000000000800000000080(....... ...........@.............................
\ICON\3\1043 1CAAC 2E8 12AAC 2800000020000000400000000100040000000000800200000000000000000000000000000000000000000000008000008000(... ...@.........................................
\ICON\4\1043 1CD94 8A8 12D94 2800000020000000400000000100080000000000800400000000000000000000000000000000000000000000800000000080(... ...@.........................................
\STRING\4091\0 1D63C 68 1363C 0600460072006900640061007900080053006100740075007200640061007900160049006E00760061006C00690064002000..F.r.i.d.a.y...S.a.t.u.r.d.a.y...I.n.v.a.l.i.d. .
\STRING\4092\0 1D6A4 D4 136A4 0900530065007000740065006D0062006500720007004F00630074006F0062006500720008004E006F00760065006D006200..S.e.p.t.e.m.b.e.r...O.c.t.o.b.e.r...N.o.v.e.m.b.
\STRING\4093\0 1D778 A4 13778 03004D006100790003004A0075006E0003004A0075006C000300410075006700030053006500700003004F00630074000300..M.a.y...J.u.n...J.u.l...A.u.g...S.e.p...O.c.t...
\STRING\4094\0 1D81C 2AC 1381C 1F0049006E00760061006C00690064002000760061007200690061006E00740020007400790070006500200063006F006E00..I.n.v.a.l.i.d. .v.a.r.i.a.n.t. .t.y.p.e. .c.o.n.
\STRING\4095\0 1DAC8 34C 13AC8 160049006E00760061006C0069006400200063006C0061007300730020007400790070006500630061007300740030004100..I.n.v.a.l.i.d. .c.l.a.s.s. .t.y.p.e.c.a.s.t.0.A.
\STRING\4096\0 1DE14 294 13E14 0D004F007500740020006F00660020006D0065006D006F00720079000C0049002F004F0020006500720072006F0072002000..O.u.t. .o.f. .m.e.m.o.r.y...I./.O. .e.r.r.o.r. .
\RCDATA\CHARTABLE\1033 1E0A8 82E8 140A8 1800000018220000B82C0000C8420000C8640000E86800000000100020003000400050006000700080009000A000B000C000....."...,...B...d...h...... .0.@.P..p...........
\RCDATA\DVCLAL\0 26390 10 1C390 263D4F38C28237B8F3244203179B3A83000010CC000000001F000000010A53657475704C6472001087526564697246756E63&=O8..7..$B...:...............SetupLdr...RedirFunc
\RCDATA\PACKAGEINFO\0 263A0 150 1C3A0 000010CC000000001F000000010A53657475704C6472001087526564697246756E6300009C436D6E46756E63320010555479..............SetupLdr...RedirFunc...CmnFunc2..UTy
\RCDATA\11111\0 264F0 2C 1C4F0 72446C507453CDE6D77B0B2A010000003AFB3B00B1002A0000F61100CC12F47EF4A9280000D20100C22D4BED000001000400rDlPtS...{.*....:.;...*........~..(......-K.......
\GROUP_ICON\MAINICON\1033 2651C 3E 1C51C 000001000400101010000100040028010000010010100000010008006805000002002020100001000400E802000003002020..............(.............h..... ............
\VERSION\1\1033 2655C 4F4 1C55C F40434000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000200..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
\24\1\1033 26A50 62C 1CA50 3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E653D2279<?xml version="1.0" encoding="UTF-8" standalone="y
Intelligent String
• shell32.dll
• kernel32.dll
• user32.dll
• .msg
• advapi32.dll
• shfolder.dll
• .dat
• .lst
• .exe
• target.lnk
• c:\directory
• .lnk
• .pif
• WININIT.INI
• .tmp
• ole32.dll
• comctl32.dll
• DWMAPI.DLL
• uxtheme.dll
• oleaut32.dll
• <dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
• CloseHandleadvapi32.dll
• CloseHandlekernel32.dll
• CharNextWkernel32.dll
• RegCloseKeyuser32.dll
• .tls
• .bss
• x:\dirname"
• For more detailed information, please visit http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
• Sleepadvapi32.dll
• *.exe,*.dll
• tasklist /FI "IMAGENAME eq
• C:\APP
• {commonappdata}\{{601B404E-CB65-4102-816E-E044F381B78D}\Maui.com
• USER32.DLL
• imm32.dll
• shlwapi.dll
• oleacc.dll
• MSFTEDIT.DLL
• RICHED20.DLL
• Rstrtmgr.dll
• sfc.dll
• .bat
• .cmd
• cmd.exe" /C "
• COMMAND.COM" /C
• OLEAUT32.DLL
• %s Log %s %.3u.txt
• \\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x
• Fusion.dll
• .hlp
• .gid
• .fts
• .chm
• .chw
• %s-%d.bin
• %s-%d%s.bin
• desktop.ini
• .url
• Desktop.ini
• runas
• cmd.exe
• COMMAND.COM
• \_setup64.tmp
• _isetup\_shfoldr.dll
• _isetup\_isdecmp.dll
• _isetup\_iscrypt.dll
• -0.bin
• http://www.remobjects.com/ps
• /SECONDPHASE="%s" /FIRSTPHASEWND=$%x
• isRS-%.3u.tmp
• msimg32.dll
• gdi32.dll
• version.dll
• Sleepoleaut32.dll
• SysFreeStringole32.dll
• VariantInitcomctl32.dll
• comdlg32.dll
• AdjustTokenPrivilegesoleaut32.dll
• COMCTL32.dll
• KERNEL32.dll
• ADVAPI32.dll
• dll\shfolder.dbg.dll
• StarCraft-II-Setup.exe
• H0F08
• https://www.digicert.com/CPS0
Extra Analysis
Metric Value Percentage
Ascii Code 2670487 63,3448%
Null Byte Code 402567 9,549%
© 2025 All rights reserved.