PREMIUM PESCAN.IO - Analysis Report
File Structure
PE chart legend (the chart image itself is not reproduced here): executable header (light blue), executable sections (pink), non-executable sections (black), external injected code (red); a file structure drawn in red marks a malformed or corrupted header.
Chart legend for other file types: printable characters (blue), non-printable characters (black).
Information
• Size: 141,85 KB
• SHA-256 Hash: ECB47ACEB80A05178D89BC01BA1923C52D4B6E67D37F2A13FC7BE299CD05AA2A
• SHA-1 Hash: BE6BACACB8EFCC0FC34192A73C0AB6ADE90AEBE6
• MD5 Hash: 20E283386181AFDF0CA2B7DD3E4D2EDD
• Imphash: C1A148273B0D3B00233225565C41C1DA
• MajorOSVersion: 6
• MinorOSVersion: 0
• CheckSum: 0002D984
• EntryPoint (rva): 1550E
• SizeOfHeaders: 400
• SizeOfImage: 34000
• ImageBase: 10000000
• Architecture: x86
• ExportTable: 1CA00
• ImportTable: 1CC38
• IAT: 18000
• Characteristics: 2102
• TimeDateStamp: 634EC586
• Date: 18/10/2022 15:25:58
• File Type: DLL
• Number Of Sections: 5
• ASLR: Enabled
• Section Names: .text, .rdata, .data, .rsrc, .reloc
• Number Of Executable Sections: 1
• Subsystem: Windows GUI
• UAC Execution Level Manifest: asInvoker
• [Incomplete Binary or Compressor Packer - 66,15 KB Missing]
Sections Info
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 60000020 (Code, Executable, Readable) | 400 | 16A00 | 1000 | 16905 | 6,3439 | 655684,87 |
| .rdata | 40000040 (Initialized Data, Readable) | 16E00 | 7200 | 18000 | 71BA | 5,1533 | 814741,21 |
| .data | C0000040 (Initialized Data, Readable, Writeable) | 1E000 | C00 | 20000 | 10F54 | 4,6067 | 79496,67 |
| .rsrc | 40000040 (Initialized Data, Readable) | 1EC00 | 600 | 31000 | 4F0 | 3,6845 | 107830,33 |
| .reloc | 42000040 (Initialized Data, GP-Relative, Readable) | 1F200 | 1C00 | 32000 | 1B58 | 6,5545 | 29626,93 |
Description
• OriginalFilename: tier0.dll
• CompanyName: Digital Wave Ltd
• LegalCopyright: 2010-2022 Digital Wave Ltd
• ProductName: Free Studio
• FileVersion: 1,2,47,1017
• FileDescription: tier0
• ProductVersion: 1,2,47,1017
• Language: English (United States) (ID=0x409)
• CodePage: Unicode (UTF-16 LE) (0x4B0)
Entry Point
Section 1 (.text) contains the entry point. EntryPoint (calculated file offset): 1490E
Code: 558BEC837D0C017505E83A050000FF7510FF750CFF7508E8AEFEFFFF83C40C5DC20C00C20000558BEC6A00FF152C800110FF
Disassembly (branch targets in this listing are relative to a 0x1000 listing base, not image addresses; the final FF byte is a truncated instruction):
• PUSH EBP
• MOV EBP, ESP
• CMP DWORD PTR [EBP + 0XC], 1
• JNE 0X100E
• CALL 0X1548
• PUSH DWORD PTR [EBP + 0X10]
• PUSH DWORD PTR [EBP + 0XC]
• PUSH DWORD PTR [EBP + 8]
• CALL 0XECA
• ADD ESP, 0XC
• POP EBP
• RET 0XC
• RET 0
• PUSH EBP
• MOV EBP, ESP
• PUSH 0
• CALL DWORD PTR [0X1001802C]
Signatures
CheckSum Integrity Problem:
• Header: 186756
• Calculated: 152843
Rich Signature Analyzer:
• Code -> A38D3B11E7EC5542E7EC5542E7EC5542EE94C642F7EC5542B5995143EDEC5542B5995643E1EC5542B5995043F6EC5542B5995443E3EC5542F3875343E6EC5542F3875443EAEC5542E7EC544289ED5542B2995043E4EC554225995C43F7EC554225995543E6EC55422599AA42E6EC5542E7ECC242E6EC554225995743E6EC554252696368E7EC5542
• Footprint md5 Hash -> 6ED7B06E10FADFCE00E7915E9731B126
• The Rich header apparently has not been modified
Certificate - Digital Signature:
• The file is signed but has been modified
Packer/Compiler
Compiler: Microsoft Visual Studio
Detect It Easy (die):
• PE: linker: Microsoft Linker(14.29**)[-]
• PE: Sign tool: Windows Authenticode(2.0)[PKCS 7]
• Entropy: 6.55144
Suspicious Functions
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | LoadLibraryW | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | CreateToolhelp32Snapshot | Creates a snapshot of the specified processes, heaps, threads, and modules. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |
ET Functions (carving)
Original Name -> tier0.dll
• convertMultibyteToUnicode
• convertUnicodeToMultibyte
• createCondition
• createCrashHandler
• createDictionary
• createFileSystem
• createLogOut
• createLogger
• createMutex
• createPathMultibyte
• createPathUnicode
• createSemaphore
• createSettings
• createTaskLoop
• createTimer
• getIdThread
• getLocalTime
• getSystemTime
• sleepThread
• yeldThread
Windows REG
• SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Windows REG (UNICODE)
• SOFTWARE\DVDVideoSoft\Logger\
File Access
• SHELL32.dll
• api-ms-win-crt-convert-l1-1-0.dll
• api-ms-win-crt-time-l1-1-0.dll
• api-ms-win-crt-heap-l1-1-0.dll
• api-ms-win-crt-stdio-l1-1-0.dll
• api-ms-win-crt-filesystem-l1-1-0.dll
• api-ms-win-crt-runtime-l1-1-0.dll
• VCRUNTIME140.dll
• MSVCP140.dll
• ADVAPI32.dll
• KERNEL32.dll
• tier0.dll
• .dat
• @.dat
File Access (UNICODE)
• tier0.dll
• ole32.dll
• shell32.dll
• rpcrt4.dll
• dbghelp.dll
Words of Interest
• exec
• attrib
• start
• shutdown
• ping
Anti-VM/Sandbox/Debug Tricks (UNICODE)
• OllyDbg Library - dbghelp.dll
URLs
• http://ocsp.digicert.com
• http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
• http://crl3.digicert.com/DigiCertTrustedRootG4.crl
• http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
• http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
• http://www.digicert.com/CPS0
• http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
• http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl
• http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt
• http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
• http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
Strings/Hex Code Found With The File Rules
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | Registry (RegOpenKeyEx) |
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | Anti-Analysis VM (IsDebuggerPresent) |
| Text | Ascii | Anti-Analysis VM (GetVersion) |
| Text | Ascii | Anti-Analysis VM (CreateToolhelp32Snapshot) |
| Text | Ascii | Stealth (ReleaseSemaphore) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Execution (CreateSemaphoreW) |
| Text | Ascii | Software that records user activity (Logger) |
| Text | Unicode | Software that records user activity (Logger) |
Resources
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \VERSION\1\1033 | 310A0 | 2D0 | 1ECA0 | D00234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000200 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \24\2\1033 | 31370 | 17D | 1EF70 | 3C3F786D6C2076657273696F6E3D27312E302720656E636F64696E673D275554462D3827207374616E64616C6F6E653D2779 | <?xml version='1.0' encoding='UTF-8' standalone='y |
Intelligent String
• tier0.dll
• api-ms-win-crt-filesystem-l1-1-0.dll
• api-ms-win-crt-runtime-l1-1-0.dll
• dbghelp.dll
• MiniDumpWriteDump
• rpcrt4.dll
• %s\%s.dmp
• Crash Exception Minidump:
• d:\svn\modules\tier0\src\crashdump.cpp
• Minidump Writing:
• 0FFFTLCRTERRWRNNTCINFDBGTRCunknown.log
• .log
• .bak
• d:\svn\modules\tier0\src\winthread.cpp
• shell32.dll
• ole32.dll
• D:\svn\builds\pdb\Release\DVSSysReport\tier0.pdb
• .bss
• KERNEL32.dll
• VCRUNTIME140.dll
• api-ms-win-crt-stdio-l1-1-0.dll
• api-ms-win-crt-heap-l1-1-0.dll
• api-ms-win-crt-time-l1-1-0.dll
• .?AU?$CFastQueue@VITask@TiQuuskaer.jqc
Flow Anomalies
| Offset | RVA | Section | Type | Description |
|---|---|---|---|---|
| 4FE | 100182D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 530 | 100182DC | .text | CALL [static] | Indirect call to absolute memory address |
| 56A | 100182DC | .text | CALL [static] | Indirect call to absolute memory address |
| 5DE | 100182D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 61E | 100182D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 645 | 1001827C | .text | CALL [static] | Indirect call to absolute memory address |
| 6AE | 100182D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 7A0 | 1001814C | .text | CALL [static] | Indirect call to absolute memory address |
| 7BE | 100180F0 | .text | CALL [static] | Indirect call to absolute memory address |
| 7E5 | 10018260 | .text | CALL [static] | Indirect call to absolute memory address |
| 9BE | 1001833C | .text | CALL [static] | Indirect call to absolute memory address |
| AA4 | 10018158 | .text | CALL [static] | Indirect call to absolute memory address |
| AE4 | 10018148 | .text | CALL [static] | Indirect call to absolute memory address |
| B21 | 10018148 | .text | JMP [static] | Indirect jump to absolute memory address |
| B6F | 10018154 | .text | CALL [static] | Indirect call to absolute memory address |
| B8D | 100180F4 | .text | CALL [static] | Indirect call to absolute memory address |
| BB4 | 1001825C | .text | CALL [static] | Indirect call to absolute memory address |
| D84 | 1001833C | .text | CALL [static] | Indirect call to absolute memory address |
| E6A | 1001815C | .text | CALL [static] | Indirect call to absolute memory address |
| EB4 | 10018150 | .text | CALL [static] | Indirect call to absolute memory address |
| EF1 | 10018150 | .text | JMP [static] | Indirect jump to absolute memory address |
| F29 | 10018158 | .text | CALL [static] | Indirect call to absolute memory address |
| F32 | 10018148 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1000 | 1001826C | .text | CALL [static] | Indirect call to absolute memory address |
| 101B | 1001826C | .text | CALL [static] | Indirect call to absolute memory address |
| 1036 | 1001826C | .text | CALL [static] | Indirect call to absolute memory address |
| 1050 | 10018270 | .text | CALL [static] | Indirect call to absolute memory address |
| 106A | 10018270 | .text | CALL [static] | Indirect call to absolute memory address |
| 1087 | 10018150 | .text | CALL [static] | Indirect call to absolute memory address |
| 10FE | 10018150 | .text | CALL [static] | Indirect call to absolute memory address |
| 1451 | 1001833C | .text | CALL [static] | Indirect call to absolute memory address |
| 15E3 | 10018148 | .text | CALL [static] | Indirect call to absolute memory address |
| 16B3 | 10018148 | .text | CALL [static] | Indirect call to absolute memory address |
| 1B9C | 100180E4 | .text | CALL [static] | Indirect call to absolute memory address |
| 1D17 | 100180E4 | .text | CALL [static] | Indirect call to absolute memory address |
| 1D30 | 1001833C | .text | CALL [static] | Indirect call to absolute memory address |
| 1DF1 | 10018120 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1DF7 | 1001833C | .text | CALL [static] | Indirect call to absolute memory address |
| 1E2A | 1001815C | .text | JMP [static] | Indirect jump to absolute memory address |
| 21CE | 10018248 | .text | CALL [static] | Indirect call to absolute memory address |
| 231D | 10018248 | .text | CALL [static] | Indirect call to absolute memory address |
| 2333 | 1001833C | .text | CALL [static] | Indirect call to absolute memory address |
| 23EA | 100180F8 | .text | JMP [static] | Indirect jump to absolute memory address |
| 23F0 | 1001833C | .text | CALL [static] | Indirect call to absolute memory address |
| 242A | 10018158 | .text | JMP [static] | Indirect jump to absolute memory address |
| 247D | 1001833C | .text | CALL [static] | Indirect call to absolute memory address |
| 24D5 | 1001833C | .text | CALL [static] | Indirect call to absolute memory address |
| 253F | 1001815C | .text | CALL [static] | Indirect call to absolute memory address |
| 2547 | 10018150 | .text | CALL [static] | Indirect call to absolute memory address |
| 25CF | 10018158 | .text | CALL [static] | Indirect call to absolute memory address |
| 25D7 | 10018148 | .text | CALL [static] | Indirect call to absolute memory address |
| 2625 | 10018284 | .text | CALL [static] | Indirect call to absolute memory address |
| 2631 | 10018258 | .text | CALL [static] | Indirect call to absolute memory address |
| 2695 | 10018284 | .text | CALL [static] | Indirect call to absolute memory address |
| 26A1 | 10018250 | .text | CALL [static] | Indirect call to absolute memory address |
| 29D8 | 1001833C | .text | CALL [static] | Indirect call to absolute memory address |
| 2B06 | 1001833C | .text | CALL [static] | Indirect call to absolute memory address |
| 2C34 | 10018254 | .text | CALL [static] | Indirect call to absolute memory address |
| 2C98 | 10018268 | .text | CALL [static] | Indirect call to absolute memory address |
| 2CC1 | 10018278 | .text | CALL [static] | Indirect call to absolute memory address |
| 2CE8 | 10018268 | .text | CALL [static] | Indirect call to absolute memory address |
| 2D29 | 100180E8 | .text | CALL [static] | Indirect call to absolute memory address |
| 2D4C | 100180E8 | .text | CALL [static] | Indirect call to absolute memory address |
| 2D59 | 10018284 | .text | CALL [static] | Indirect call to absolute memory address |
| 2D68 | 10018258 | .text | CALL [static] | Indirect call to absolute memory address |
| 2E6A | 1001824C | .text | CALL [static] | Indirect call to absolute memory address |
| 2EC9 | 10018264 | .text | CALL [static] | Indirect call to absolute memory address |
| 2EFC | 10018274 | .text | CALL [static] | Indirect call to absolute memory address |
| 2F29 | 10018264 | .text | CALL [static] | Indirect call to absolute memory address |
| 2F6F | 100180EC | .text | CALL [static] | Indirect call to absolute memory address |
| 2F92 | 100180EC | .text | CALL [static] | Indirect call to absolute memory address |
| 2F9F | 10018284 | .text | CALL [static] | Indirect call to absolute memory address |
| 2FAE | 10018250 | .text | CALL [static] | Indirect call to absolute memory address |
| 300D | 1001828C | .text | CALL [static] | Indirect call to absolute memory address |
| 3028 | 10018168 | .text | CALL [static] | Indirect call to absolute memory address |
| 304F | 10018288 | .text | CALL [static] | Indirect call to absolute memory address |
| 3070 | 10018294 | .text | CALL [static] | Indirect call to absolute memory address |
| 30A4 | 10018290 | .text | CALL [static] | Indirect call to absolute memory address |
| 319C | 1001824C | .text | CALL [static] | Indirect call to absolute memory address |
| 31DB | 10018160 | .text | CALL [static] | Indirect call to absolute memory address |
| 323E | 10018264 | .text | CALL [static] | Indirect call to absolute memory address |
| 3288 | 10018164 | .text | CALL [static] | Indirect call to absolute memory address |
| 3295 | 10018264 | .text | CALL [static] | Indirect call to absolute memory address |
| 32EF | 10018264 | .text | CALL [static] | Indirect call to absolute memory address |
| 333C | 100180EC | .text | CALL [static] | Indirect call to absolute memory address |
| 335F | 100180EC | .text | CALL [static] | Indirect call to absolute memory address |
| 336C | 10018284 | .text | CALL [static] | Indirect call to absolute memory address |
| 337B | 10018250 | .text | CALL [static] | Indirect call to absolute memory address |
| 352A | 1001827C | .text | CALL [static] | Indirect call to absolute memory address |
| 3892 | 1001827C | .text | CALL [static] | Indirect call to absolute memory address |
| 39A5 | 1001827C | .text | CALL [static] | Indirect call to absolute memory address |
| 3B9D | 100182B4 | .text | CALL [static] | Indirect call to absolute memory address |
| 3BC7 | 100182A4 | .text | CALL [static] | Indirect call to absolute memory address |
| 3E06 | 1001833C | .text | CALL [static] | Indirect call to absolute memory address |
| 3EF4 | 1001833C | .text | CALL [static] | Indirect call to absolute memory address |
| 4079 | 1001833C | .text | CALL [static] | Indirect call to absolute memory address |
| 40F3 | 10018210 | .text | CALL [static] | Indirect call to absolute memory address |
| 442E | 1001833C | .text | CALL [static] | Indirect call to absolute memory address |
| 461B | 1001833C | .text | CALL [static] | Indirect call to absolute memory address |
| 4B36 | 10018210 | .text | CALL [static] | Indirect call to absolute memory address |
| 20E00 | N/A | *Overlay* | 68290000000202003082295A06092A864886F70D | h |
Extra Analysis
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 85246 | 58,6867% |
| Null Byte Code | 23653 | 16,2837% |