PREMIUM PESCAN.IO - Analysis Report
| File Structure |
PE Chart Color Code (legend for the file-structure chart):
• Header PE (light blue)
• Executable sections (pink)
• Non-executable sections (black)
• External injected code (red)
• File Structure in red = malformed or corrupted header
Chart Color Code For Other Files:
• Printable characters (blue)
• Non-printable characters (black)
| Information |
| Field | Value |
|---|---|
| Size | 227,50 KB |
| SHA-256 Hash | AE6BB36316BA20413015D7879E2893A60AF275E54DCF8ECC709AF58E23F4E79F |
| SHA-1 Hash | 51A6D3DD34C42963111E02F18C874AB07C7A4F96 |
| MD5 Hash | 1862C007AEBBE275E3D0A77DD6FFAC46 |
| Imphash | B1B263F68EEC482FB9A8F81943D792F3 |
| MajorOSVersion | 6 |
| MinorOSVersion | 0 |
| CheckSum | 00000000 |
| EntryPoint (rva) | 1729D |
| SizeOfHeaders | 400 |
| SizeOfImage | 3B000 |
| ImageBase | 10000000 |
| Architecture | x86 |
| ExportTable | 36C80 |
| ImportTable | 371A8 |
| IAT | 37000 |
| Characteristics | 2102 |
| TimeDateStamp | 6A008874 |
| Date | 10/05/2026 13:30:28 |
| File Type | DLL |
| Number Of Sections | 4 |
| ASLR | Enabled |
| Section Names | .text, .idata, .rsrc, .reloc |
| Number Of Executable Sections | 1 |
| Subsystem | Windows GUI |
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 0xE0000020 Code Executable Readable Writeable | 400 | 35E00 | 1000 | 35CD4 | | |
| .idata | 0x40000040 Initialized Data Readable | 36200 | C00 | 37000 | B32 | | |
| .rsrc | 0x40000040 Initialized Data Readable | 36E00 | 200 | 38000 | F8 | | |
| .reloc | 0x42000040 Initialized Data GP-Relative Readable | 37000 | 1E00 | 39000 | 1D8C | | |
| Entry Point |
The entry point lies in section 1 (.text). EntryPoint (calculated file offset): 1669D
Code -> 558BEC837D0C017505E8BF060000FF7510FF750CFF7508E8AEFEFFFF83C40C5DC20C00558BEC8B4508568B483C03C80FB741
Assembler:
PUSH EBP
MOV EBP, ESP
CMP DWORD PTR [EBP + 0XC], 1
JNE 0X100E
CALL 0X16CD
PUSH DWORD PTR [EBP + 0X10]
PUSH DWORD PTR [EBP + 0XC]
PUSH DWORD PTR [EBP + 8]
CALL 0XECA
ADD ESP, 0XC
POP EBP
RET 0XC
PUSH EBP
MOV EBP, ESP
MOV EAX, DWORD PTR [EBP + 8]
PUSH ESI
MOV ECX, DWORD PTR [EAX + 0X3C]
ADD ECX, EAX
| Signatures |
Rich Signature Analyzer:
• Code -> 9E34853ADA55EB69DA55EB69DA55EB69912DE868D755EB69912DEE687555EB69912DEF68CC55EB697E2BEF68D555EB697E2BE868CF55EB697E2BEE689D55EB69912DEA68D355EB69DA55EA69AF55EB69CD2AE268D855EB69CD2AEB68DB55EB69CD2A1469DB55EB69CD2AE968DB55EB6952696368DA55EB69
• Footprint md5 Hash -> 1B5E9F0601FEE71CB4412D5CBA917892
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found:
• The file is not signed
| Packer/Compiler |
Detect It Easy (die):
• PE: linker: Microsoft Linker(14.36**)[-]
• Entropy: 6.47068
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | GetModuleFileNameA | Retrieves the fully qualified path for the executable file of a specified module. |
| KERNEL32.DLL | VirtualAlloc | Reserve, commit, or both, a region of memory within the virtual address space of a process. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | CreateToolhelp32Snapshot | Creates a snapshot of the specified processes, heaps, threads, and modules. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |
| SHELL32.DLL | ShellExecuteExA | Performs a run operation on a specific file. |
| ET Functions (carving) |
| Original Name -> Mereem.dll VJSCCommandLineCompile |
| File Access |
• SHELL32.dll
• ADVAPI32.dll
• USER32.dll
• KERNEL32.dll
• Mereem.dll
• .dll
• .dat
• ] 1.txt
• 1.txt
• 2.txt
| File Access (UNICODE) |
| mscoree.dll |
| Words of Interest |
• exec
• schtasks
• attrib
• start
• schtask
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | WinAPI Sockets (connect) |
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | File (ReadFile) |
| Hex | Hex Pattern | PEB AntiDebug (Flag BeingDebugged) |
| Text | Ascii | Anti-Analysis VM (IsDebuggerPresent) |
| Text | Ascii | Anti-Analysis VM (CreateToolhelp32Snapshot) |
| Text | Ascii | Reconnaissance (FindNextFileW) |
| Text | Ascii | Reconnaissance (FindClose) |
| Text | Ascii | Stealth (GetThreadContext) |
| Text | Ascii | Stealth (SetThreadContext) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Stealth (VirtualAlloc) |
| Text | Ascii | Execution (CreateProcessA) |
| Text | Ascii | Execution (ShellExecute) |
| Text | Ascii | Execution (ResumeThread) |
| Entry Point | Hex Pattern | Microsoft Visual C++ v7.0 |
| Entry Point | Hex Pattern | PE-Exe Executable Image |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \24\2\1033 | 38060 | 91 | 36E60 | 3C3F786D6C2076657273696F6E3D27312E302720656E636F64696E673D275554462D3827207374616E64616C6F6E653D2779 | <?xml version='1.0' encoding='UTF-8' standalone='y |
| Intelligent String |
• mscoree.dll
• WindowsUpdateHelper_%lu
• schtasks /query /tn "%s"
• 1.txt
• 2.txt
• .dll
• schtasks /create /tn "%s" /tr "\"%s\"" /sc onlogon /rl highest /f
• ...runas
• .bss
• KERNEL32.dll
• USER32.dll
| Flow Anomalies |
| Offset | RVA | Section | Type | Description |
|---|---|---|---|---|
| ADB5 | 38060 | .text | CALL [static] | Indirect call to absolute memory address |
| F2EE | 10037008 | .text | CALL [static] | Indirect call to absolute memory address |
| F305 | 10037004 | .text | CALL [static] | Indirect call to absolute memory address |
| F313 | 10037000 | .text | CALL [static] | Indirect call to absolute memory address |
| F320 | 10037070 | .text | JMP [static] | Indirect jump to absolute memory address |
| F387 | 10037078 | .text | CALL [static] | Indirect call to absolute memory address |
| F466 | 10037018 | .text | CALL [static] | Indirect call to absolute memory address |
| F478 | 1003701C | .text | CALL [static] | Indirect call to absolute memory address |
| F485 | 10037020 | .text | CALL [static] | Indirect call to absolute memory address |
| F48E | 10037038 | .text | CALL [static] | Indirect call to absolute memory address |
| F497 | 10037038 | .text | CALL [static] | Indirect call to absolute memory address |
| F4E0 | 1003706C | .text | CALL [static] | Indirect call to absolute memory address |
| F520 | 10037068 | .text | CALL [static] | Indirect call to absolute memory address |
| F540 | 10037038 | .text | CALL [static] | Indirect call to absolute memory address |
| F567 | 10037078 | .text | CALL [static] | Indirect call to absolute memory address |
| F5AA | 10037024 | .text | CALL [static] | Indirect call to absolute memory address |
| F5FD | 10037078 | .text | CALL [static] | Indirect call to absolute memory address |
| F70C | 10037078 | .text | CALL [static] | Indirect call to absolute memory address |
| F733 | 10037030 | .text | CALL [static] | Indirect call to absolute memory address |
| F73A | 1003702C | .text | CALL [static] | Indirect call to absolute memory address |
| F773 | 10037030 | .text | CALL [static] | Indirect call to absolute memory address |
| F8D9 | 10037074 | .text | CALL [static] | Indirect call to absolute memory address |
| F8FB | 1003703C | .text | CALL [static] | Indirect call to absolute memory address |
| F908 | 10037038 | .text | CALL [static] | Indirect call to absolute memory address |
| F953 | 10037040 | .text | CALL [static] | Indirect call to absolute memory address |
| F96B | 10037048 | .text | CALL [static] | Indirect call to absolute memory address |
| F976 | 1003704C | .text | CALL [static] | Indirect call to absolute memory address |
| F982 | 1003701C | .text | CALL [static] | Indirect call to absolute memory address |
| F989 | 10037038 | .text | CALL [static] | Indirect call to absolute memory address |
| F997 | 10037044 | .text | CALL [static] | Indirect call to absolute memory address |
| F9A7 | 10037038 | .text | CALL [static] | Indirect call to absolute memory address |
| F9B5 | 10037044 | .text | CALL [static] | Indirect call to absolute memory address |
| F9D5 | 10037014 | .text | CALL [static] | Indirect call to absolute memory address |
| FC3B | 10037018 | .text | CALL [static] | Indirect call to absolute memory address |
| FC52 | 1003701C | .text | CALL [static] | Indirect call to absolute memory address |
| FC61 | 10037020 | .text | CALL [static] | Indirect call to absolute memory address |
| FC6B | 10037038 | .text | CALL [static] | Indirect call to absolute memory address |
| FC75 | 10037038 | .text | CALL [static] | Indirect call to absolute memory address |
| FD40 | 10037078 | .text | CALL [static] | Indirect call to absolute memory address |
| FD8C | 10037188 | .text | CALL [static] | Indirect call to absolute memory address |
| FD9D | 10037050 | .text | CALL [static] | Indirect call to absolute memory address |
| 11B5A | 1C0 | .text | JMP [static] | Indirect jump to absolute memory address |
| 129E2 | E00 | .text | JMP [static] | Indirect jump to absolute memory address |
| 12D35 | 3000 | .text | JMP [static] | Indirect jump to absolute memory address |
| 13D4F | 1C0 | .text | JMP [static] | Indirect jump to absolute memory address |
| 15047 | 1C0 | .text | JMP [static] | Indirect jump to absolute memory address |
| 157EF | 100371A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 15807 | 100371A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1595D | 100371A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 15981 | 100371A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 159CC | 100371A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 159E6 | 100371A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 15AD0 | 100371A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 15AE8 | 100371A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 15E83 | 100371A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 16024 | 10037090 | .text | CALL [static] | Indirect call to absolute memory address |
| 16039 | 1003708C | .text | CALL [static] | Indirect call to absolute memory address |
| 16047 | 10037084 | .text | CALL [static] | Indirect call to absolute memory address |
| 16055 | 10037088 | .text | CALL [static] | Indirect call to absolute memory address |
| 16091 | 10037098 | .text | CALL [static] | Indirect call to absolute memory address |
| 1609F | 100371A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 160D8 | 10037094 | .text | CALL [static] | Indirect call to absolute memory address |
| 16156 | 1003709C | .text | CALL [static] | Indirect call to absolute memory address |
| 161C1 | 1003709C | .text | CALL [static] | Indirect call to absolute memory address |
| 161DE | 100370A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1621D | 100370A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1627C | 100370A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1629F | 10037080 | .text | CALL [static] | Indirect call to absolute memory address |
| 1647D | 100371A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 16690 | 100371A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 167B7 | 100371A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 16AB2 | 100370AC | .text | CALL [static] | Indirect call to absolute memory address |
| 16D2F | 100370B8 | .text | CALL [static] | Indirect call to absolute memory address |
| 16D3E | 100370B4 | .text | CALL [static] | Indirect call to absolute memory address |
| 16D47 | 10037070 | .text | CALL [static] | Indirect call to absolute memory address |
| 16D54 | 100370B0 | .text | CALL [static] | Indirect call to absolute memory address |
| 16DBA | 100370BC | .text | CALL [static] | Indirect call to absolute memory address |
| 16E02 | 100370AC | .text | CALL [static] | Indirect call to absolute memory address |
| 16ECE | 100370C0 | .text | CALL [static] | Indirect call to absolute memory address |
| 16EEE | 100370C8 | .text | CALL [static] | Indirect call to absolute memory address |
| 16EF8 | 100370C4 | .text | CALL [static] | Indirect call to absolute memory address |
| 16F32 | 100371A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 16F5E | 100371A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 16FDA | 100370C8 | .text | CALL [static] | Indirect call to absolute memory address |
| 16FE3 | 100370C4 | .text | CALL [static] | Indirect call to absolute memory address |
| 16FEE | 10037030 | .text | CALL [static] | Indirect call to absolute memory address |
| 16FF5 | 100370D4 | .text | CALL [static] | Indirect call to absolute memory address |
| 17008 | 100370AC | .text | CALL [static] | Indirect call to absolute memory address |
| 1710E | 100370AC | .text | CALL [static] | Indirect call to absolute memory address |
| 17422 | 100370D8 | .text | CALL [static] | Indirect call to absolute memory address |
| 1764A | 100371A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1793C | 100371A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1797A | 100371A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 179AA | 100370DC | .text | CALL [static] | Indirect call to absolute memory address |
| 1993C | 100371A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 19A24 | 100370E0 | .text | CALL [static] | Indirect call to absolute memory address |
| 19AAF | 10037050 | .text | CALL [static] | Indirect call to absolute memory address |
| 19B28 | 100370E4 | .text | CALL [static] | Indirect call to absolute memory address |
| 19B41 | 10037050 | .text | CALL [static] | Indirect call to absolute memory address |
| 19B58 | 100370E4 | .text | CALL [static] | Indirect call to absolute memory address |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 132263 | 56,775% |
| Null Byte Code | 44092 | 18,9269% |
© 2026 All rights reserved.