PREMIUM PESCAN.IO - Analysis Report

File Structure
[Analysis image not reproduced; only the chart legend is recoverable]
PE Chart Code: Executable header (light blue); Executable sections (pink); Non-executable sections (black); External injected code (red); File Structure in red = malformed or corrupted header
Chart Code For Other Files: Printable characters (blue); Non-printable characters (black)
Information
Size: 3,50 MB
SHA-256 Hash: 6E91F7EAE06CACE724A242C90324E776276930B017A2140BF18AEE8EF58BA620
SHA-1 Hash: CA7292BD22E821F9468F94B378EBDA797CD92A83
MD5 Hash: 1F85573E8863DBE7BD4AB0512CA0987F
Imphash: C9AB1F08DBD5FA42C99F978F4A178E3E
MajorOSVersion: 5
MinorOSVersion: 2
CheckSum: 00389746
EntryPoint (rva): 5A9C
SizeOfHeaders: 400
SizeOfImage: 386000
ImageBase: 00007FFBDA370000
Architecture: x64
ExportTable: 380DD0
ImportTable: 384708
Characteristics: 2023
TimeDateStamp: 6930EEBE
Date: 04/12/2025 2:15:26
File Type: DLL
Number Of Sections: 7
ASLR: Disabled
Section Names (Optional Header): .text, .rsrc, .idata(0x20)(0x20), ihlzzpxo, hxsxxrzr, .pdata, .SCY
Number Of Executable Sections: 4
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker

Sections Info
Section Name        Flags                                                            ROffset  RSize   VOffset  VSize   Entropy+Chi2 (fused in source)
.text               E0000040 (Initialized Data, Executable, Readable, Writeable)     400      1B200   1000     1C000   5,47453439643,40
.rsrc               C0000040 (Initialized Data, Readable, Writeable)                 1B600    200     1D000    1000    4,491812517,00
.idata(0x20)(0x20)  C0000040 (Initialized Data, Readable, Writeable)                 1B800    400     1E000    1000    0,8157219025,00
ihlzzpxo            E0000040 (Initialized Data, Executable, Readable, Writeable)     1BC00    362000  1F000    362000  5,577575231811,07
hxsxxrzr            E0000040 (Initialized Data, Executable, Readable, Writeable)     37DC00   200     381000   1000    4,202534484,00
.pdata              40000040 (Initialized Data, Readable)                            37DE00   1200    382000   2000    4,6658256194,00
.SCY                E0000060 (Code, Initialized Data, Executable, Readable, Writeable) 37F000 1200    384000   2000    4,3137163398,00
Entry Point
Section number 1 contains the Entry Point
Information -> EntryPoint (calculated) - 4E9C
Code -> 48895C24084889742410574883EC20498BF88BDA488BF183FA017505E8976200004C8BC78BD3488BCE488B5C2430488B7424
MOV QWORD PTR [RSP + 8], RBX
MOV QWORD PTR [RSP + 0X10], RSI
PUSH RDI
SUB RSP, 0X20
MOV RDI, R8
MOV EBX, EDX
MOV RSI, RCX
CMP EDX, 1
JNE 0X1021
CALL 0X72B8
MOV R8, RDI
MOV EDX, EBX
MOV RCX, RSI
MOV RBX, QWORD PTR [RSP + 0X30]

Signatures
CheckSum Integrity Problem:
Header: 3708742
Calculated: 3699339
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler
Compiler: Microsoft Visual Studio
Compiler: Microsoft Visual C++
Packer: WinLicense
Detect It Easy (die)
PE+(64): compiler: Microsoft Visual C/C++(2010)[-]
Entropy: 5.59043

Suspicious Functions
Library Function Description
KERNEL32.DLL CreateMutexA Create a named or unnamed mutex object for controlling access to a shared resource.
KERNEL32.DLL GetModuleFileNameA Retrieve the fully qualified path for the executable file of a specified module.
KERNEL32.DLL VirtualAlloc Reserve, commit, or both, a region of memory within the virtual address space of a process.
KERNEL32.DLL GetModuleHandleA Retrieves a handle to the specified module.
KERNEL32.DLL CopyFileA Copies an existing file to a new file.
KERNEL32.DLL WriteFile Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL LoadLibraryA Loads the specified module into the address space of the calling process.
KERNEL32.DLL LoadLibraryW Loads the specified module into the address space of the calling process.
KERNEL32.DLL CreateToolhelp32Snapshot Creates a snapshot of the specified processes, heaps, threads, and modules.
KERNEL32.DLL CreateRemoteThread Creates a thread in the address space of another process.
KERNEL32.DLL WriteProcessMemory Writes data to an area of memory in a specified process.
KERNEL32.DLL GetProcAddress Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL CreateFileA Creates or opens a file or I/O device.
KERNEL32.DLL DeleteFileA Deletes an existing file.
KERNEL32.DLL IsDebuggerPresent Determines if the calling process is being debugged by a user-mode debugger.
SHELL32.DLL ShellExecuteA Performs a run operation on a specific file.
ET Functions (carving)
Original Name -> baby.dll

Windows REG
SOFTWARE\VMware, Inc.\VMware Tools
Software\WinLicense
Software\WLkt

File Access
%userappdata%\RestartApp.exe
chrome.exe
advapi32.dll
kernel32.dll
wininet.dll
shell32.dll
baby.dll
sys.dll
winmm.dll
NTDLL.dll
3qUSER32.dll
comctl32.dll
%s\notepad.log
%s\user.txt
%s\micro.zip
AppData

File Access (UNICODE)
USER32.DLL
CorExitProcessmscoree.dll
Temp

Words of Interest
exec
attrib
start
comspec
systeminfo

IP Addresses
127.0.0.0

Strings/Hex Code Found With The File Rules
Rule Type Encoding Matched (Word)
Text Ascii Registry (RegOpenKeyEx)
Text Ascii File (CopyFile)
Text Ascii File (CreateFile)
Text Ascii File (WriteFile)
Text Ascii File (ReadFile)
Text Ascii Anti-Analysis VM (IsDebuggerPresent)
Text Ascii Anti-Analysis VM (GetVersion)
Text Ascii Anti-Analysis VM (CreateToolhelp32Snapshot)
Text Ascii Stealth (CloseHandle)
Text Ascii Stealth (IsBadReadPtr)
Text Ascii Stealth (VirtualAlloc)
Text Ascii Stealth (VirtualProtect)
Text Ascii Stealth (CreateRemoteThread)
Text Ascii Execution (ShellExecute)
Text Ascii Privileges (SeDebugPrivilege)
Entry Point Hex Pattern XE Executable Image (using DOSExtender)
Resources
Path        DataRVA  Size  FileOffset  Code (hex)                                                                                              Text
\24\2\1033  1D058    15A   1B658       3C617373656D626C7920786D6C6E733D2275726E3A736368656D61732D6D6963726F736F66742D636F6D3A61736D2E763122  <assembly xmlns="urn:schemas-microsoft-com:asm.v1"
Intelligent String
• @.SCY
• mscoree.dll
• USER32.DLL
• /c del >> NULComSpecNtQueryInformationProcess
• ntdll.dll
• chrome.exe
• %s\notepad.log
• %s\notepad.tmp
• %s\micro.zip
• C:\Users\Aditi\Downloads
• %userappdata%\RestartApp.exe
• /bugcheck2/bugcheck/nosplash/forcerun/bugcheckfull/showcode/showcode2/clrt/dis1/showinstance/getwlstatus/logstatus/dumpstatus
• c:\miniprojects\x86il\il86\x64\release\IL86.pdb
• C:\Users\Aditi\Downloadssys.dll

Flow Anomalies
Offset RVA Section Description
42B N/A .text CALL QWORD PTR [RIP+0x382FCF]
449 N/A .text CALL QWORD PTR [RIP+0x382FB9]
466 N/A .text CALL QWORD PTR [RIP+0x382FA4]
479 N/A .text CALL QWORD PTR [RIP+0x382F99]
48E N/A .text CALL QWORD PTR [RIP+0x382F84]
4A6 N/A .text CALL QWORD PTR [RIP+0x382F74]
4CC N/A .text CALL QWORD PTR [RIP+0x382F56]
6A1 N/A .text CALL QWORD PTR [RIP+0x382D89]
6B1 N/A .text CALL QWORD PTR [RIP+0x382D81]
890 N/A .text CALL QWORD PTR [RIP+0x382BAA]
8AF N/A .text CALL QWORD PTR [RIP+0x382B93]
8BC N/A .text CALL QWORD PTR [RIP+0x382B8E]
901 N/A .text CALL QWORD PTR [RIP+0x382B51]
93A N/A .text CALL QWORD PTR [RIP+0x382B10]
960 N/A .text CALL QWORD PTR [RIP+0x382AFA]
974 N/A .text CALL QWORD PTR [RIP+0x382AD6]
995 N/A .text CALL QWORD PTR [RIP+0x382AB5]
AB1 N/A .text CALL QWORD PTR [RIP+0x3829B1]
AC3 N/A .text CALL QWORD PTR [RIP+0x3829A7]
AF3 N/A .text CALL QWORD PTR [RIP+0x38297F]
B16 N/A .text CALL QWORD PTR [RIP+0x382964]
B21 N/A .text CALL QWORD PTR [RIP+0x382929]
B31 N/A .text CALL QWORD PTR [RIP+0x382921]
C6E N/A .text CALL QWORD PTR [RIP+0x382814]
CF1 N/A .text CALL QWORD PTR [RIP+0x382799]
D1C N/A .text CALL QWORD PTR [RIP+0x382776]
D44 N/A .text CALL QWORD PTR [RIP+0x382756]
D4D N/A .text CALL QWORD PTR [RIP+0x38274D]
D67 N/A .text CALL QWORD PTR [RIP+0x38273B]
DA1 N/A .text CALL QWORD PTR [RIP+0x382701]
DB6 N/A .text CALL QWORD PTR [RIP+0x3826E4]
DBF N/A .text CALL QWORD PTR [RIP+0x3826DB]
E54 N/A .text CALL QWORD PTR [RIP+0x382656]
E82 N/A .text CALL QWORD PTR [RIP+0x382600]
FB1 N/A .text CALL QWORD PTR [RIP+0x3824D1]
FC4 N/A .text CALL QWORD PTR [RIP+0x3824BE]
FD2 N/A .text CALL QWORD PTR [RIP+0x3824E0]
FDD N/A .text CALL QWORD PTR [RIP+0x3824A5]
103D N/A .text CALL QWORD PTR [RIP+0x38247D]
104C N/A .text CALL QWORD PTR [RIP+0x3823FE]
1082 N/A .text CALL QWORD PTR [RIP+0x382440]
10A2 N/A .text CALL QWORD PTR [RIP+0x382428]
10AB N/A .text CALL QWORD PTR [RIP+0x382427]
10BB N/A .text CALL QWORD PTR [RIP+0x38238F]
10DD N/A .text CALL QWORD PTR [RIP+0x3823FD]
10EE N/A .text CALL QWORD PTR [RIP+0x3823F4]
10F7 N/A .text CALL QWORD PTR [RIP+0x382353]
11BD N/A .text CALL QWORD PTR [RIP+0x3822ED]
1220 N/A .text CALL QWORD PTR [RIP+0x3822CA]
122D N/A .text CALL QWORD PTR [RIP+0x382285]
13F4 N/A .text CALL QWORD PTR [RIP+0x3820FE]
1428 N/A .text CALL QWORD PTR [RIP+0x38205A]
1448 N/A .text CALL QWORD PTR [RIP+0x38203A]
1453 N/A .text CALL QWORD PTR [RIP+0x38205F]
1475 N/A .text CALL QWORD PTR [RIP+0x38207D]
1508 N/A .text CALL QWORD PTR [RIP+0x381F7A]
1533 N/A .text CALL QWORD PTR [RIP+0x381F7F]
153E N/A .text CALL QWORD PTR [RIP+0x381F44]
1560 N/A .text CALL QWORD PTR [RIP+0x381F92]
157E N/A .text CALL QWORD PTR [RIP+0x381F7C]
209A N/A .text CALL QWORD PTR [RIP+0x381468]
20B9 N/A .text CALL QWORD PTR [RIP+0x381451]
20E8 N/A .text CALL QWORD PTR [RIP+0x38142A]
22AB N/A .text CALL QWORD PTR [RIP+0x38126F]
243A N/A .text CALL QWORD PTR [RIP+0x3810E8]
24FC N/A .text CALL QWORD PTR [RIP+0x381026]
263C N/A .text CALL QWORD PTR [RIP+0x380EEE]
2729 N/A .text CALL QWORD PTR [RIP+0x380E01]
274A N/A .text CALL QWORD PTR [RIP+0x380DD0]
2768 N/A .text CALL QWORD PTR [RIP+0x380DB2]
27A1 N/A .text JMP QWORD PTR [RIP+0x380D91]
27B1 N/A .text JMP QWORD PTR [RIP+0x380D89]
27C1 N/A .text JMP QWORD PTR [RIP+0x380D81]
27D1 N/A .text JMP QWORD PTR [RIP+0x380C61]
27E1 N/A .text JMP QWORD PTR [RIP+0x380D69]
2812 N/A .text CALL QWORD PTR [RIP+0x380D08]
2835 N/A .text CALL QWORD PTR [RIP+0x380CE5]
2886 N/A .text CALL QWORD PTR [RIP+0x380C94]
28D9 N/A .text CALL QWORD PTR [RIP+0x380C79]
290F N/A .text CALL QWORD PTR [RIP+0x380C0B]
2937 N/A .text CALL QWORD PTR [RIP+0x380BFB]
2954 N/A .text CALL QWORD PTR [RIP+0x380BDE]
2965 N/A .text CALL QWORD PTR [RIP+0x380BB5]
29C4 N/A .text CALL QWORD PTR [RIP+0x380B6E]
29E5 N/A .text CALL QWORD PTR [RIP+0x380B75]
29F7 N/A .text CALL QWORD PTR [RIP+0x380B6B]
2A6F N/A .text CALL QWORD PTR [RIP+0x380AAB]
2ABF N/A .text CALL QWORD PTR [RIP+0x380A5B]
2AD2 N/A .text CALL QWORD PTR [RIP+0x380A68]
2AEC N/A .text CALL QWORD PTR [RIP+0x380A46]
2C54 N/A .text CALL QWORD PTR [RIP+0x3808C6]
2CE3 N/A .text CALL QWORD PTR [RIP+0x380837]
2DA8 N/A .text CALL QWORD PTR [RIP+0x380772]
2EA5 N/A .text CALL QWORD PTR [RIP+0x3806B5]
2EB3 N/A .text CALL QWORD PTR [RIP+0x3806B7]
3B4A N/A .text CALL QWORD PTR [RIP+0x37FA20]
3B5C N/A .text CALL QWORD PTR [RIP+0x37F976]
3BC9 N/A .text CALL QWORD PTR [RIP+0x37F999]
3C5E N/A .text CALL QWORD PTR [RIP+0x37F914]
3C69 N/A .text CALL QWORD PTR [RIP+0x37F869]
3789BA-37D9B9 N/A ihlzzpxo Unusual BP Cave, count: 20480
1BC00-37DBFF 1F000 ihlzzpxo Executable section anomaly, first bytes: 7281040089C30400
37DC00-37DDFF 381000 hxsxxrzr Executable section anomaly, first bytes: 565053E801000000
37F000-3801FF 384000 .SCY Executable section anomaly, first bytes: FFFFFFFFFFFFFFFF
Extra Analysis
Metric Value Percentage
Ascii Code 1817163 49,5069%
Null Byte Code 992865 27,0497%