PESCAN.IO - Analysis Report Basic

File Structure

[PE layout chart omitted. Legend: PE header (light blue), executable sections (pink), non-executable sections (black), external injected code (red); a file structure drawn in red indicates a malformed or corrupted header. For non-PE files: printable characters (blue), non-printable characters (black).]
Information

| Field | Value |
|---|---|
| Size | 3,86 MB |
| SHA-256 Hash | B0E7667CD5EA5C578EE1A73C7CD89521C200A854DA2A4AD57C1877232FC8B6A7 |
| SHA-1 Hash | 5259F1E22964D0EAD8CE92D45E95A3E230B71232 |
| MD5 Hash | 3131DA1936BC202A1FB4E51FE1254DCE |
| Imphash | 0DDD2D0105BE2A7473032E30F6C6E2F2 |
| MajorOSVersion | 10 |
| MinorOSVersion | 0 |
| CheckSum | 003E5D5F |
| EntryPoint (RVA) | 7F60 |
| SizeOfHeaders | 1000 |
| SizeOfImage | 3E6000 |
| ImageBase | 0000000180000000 |
| Architecture | x64 |
| ExportTable | 3AAD10 |
| ImportTable | 3AB088 |
| IAT | 31B3C0 |
| Characteristics | 2022 |
| TimeDateStamp | AE2EDAF5 |
| Date | 08/08/2062 23:44:53 |
| File Type | DLL |
| Number Of Sections | 6 |
| ASLR | Disabled |
| Section Names (Optional Header) | .text, .rdata, .data, .pdata, .rsrc, .reloc |
| Number Of Executable Sections | 1 |
| Subsystem | Windows Console |
Sections Info

| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 0x60000020 Code Executable Readable | 1000 | 2E7000 | 1000 | 2E64CE | | |
| .rdata | 0x40000040 Initialized Data Readable | 2E8000 | C5000 | 2E8000 | C4CBE | | |
| .data | 0xC0000040 Initialized Data Readable Writeable | 3AD000 | F000 | 3AD000 | 17AE0 | | |
| .pdata | 0x40000040 Initialized Data Readable | 3BC000 | 17000 | 3C5000 | 16188 | | |
| .rsrc | 0x40000040 Initialized Data Readable | 3D3000 | 1000 | 3DC000 | 420 | | |
| .reloc | 0x42000040 Initialized Data GP-Relative Readable | 3D4000 | 9000 | 3DD000 | 8264 | | |
Description

| Field | Value |
|---|---|
| OriginalFilename | d3dcompiler_47.dll |
| CompanyName | Microsoft Corporation |
| LegalCopyright | Microsoft Corporation. All rights reserved. |
| ProductName | Microsoft Windows Operating System |
| FileVersion | 10.0.22621.2506 (WinBuild.160101.0800) |
| FileDescription | Direct3D HLSL Compiler |
| ProductVersion | 10.0.22621.2506 |
| Language | English (United States) (ID=0x409) |
| CodePage | Unicode (UTF-16 LE) (0x4B0) |
Entry Point

Section 1 (.text) contains the entry point. EntryPoint (calculated): 7F60

Code: 48895C24084889742410574883EC20498BF88BDA488BF183FA017505E8AB0300004C8BC78BD3488BCE488B5C2430488B7424

Assembler:

    MOV QWORD PTR [RSP + 8], RBX
    MOV QWORD PTR [RSP + 0X10], RSI
    PUSH RDI
    SUB RSP, 0X20
    MOV RDI, R8
    MOV EBX, EDX
    MOV RSI, RCX
    CMP EDX, 1
    JNE 0X1021
    CALL 0X13CC
    MOV R8, RDI
    MOV EDX, EBX
    MOV RCX, RSI
    MOV RBX, QWORD PTR [RSP + 0X30]
Signatures

Rich Signature Analyzer
• Code: 3904B6A37D65D8F07D65D8F07D65D8F0361DD9F17F65D8F0C90FDDF14065D8F0C90FDCF17C65D8F0741D4BF04065D8F07D65D9F0D961D8F0361DDBF17965D8F0361DDDF16665D8F0361DDCF17165D8F0361DD8F17C65D8F0361DD0F1F565D8F0361D25F07F65D8F0361D27F07C65D8F0361DDAF17C65D8F0526963687D65D8F0
• Footprint MD5 hash: 1C526F7139A5801EE9D2CE86F506485F
• The Rich header apparently has not been modified

Certificate - Digital Signature
• Not found: the file is not signed
Packer/Compiler

Compiler: Microsoft Visual Studio

Detect It Easy (DiE)
• PE+(64): compiler: Microsoft Visual C/C++(-)[-]
• PE+(64): linker: Microsoft Linker(14.30**)[-]
• Entropy: 6.3828
Suspicious Functions
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | GetModuleFileNameA | Retrieves the fully qualified path for the executable file of a specified module. |
| KERNEL32.DLL | VirtualAlloc | Reserve, commit, or both, a region of memory within the virtual address space of a process. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | CreateFileA | Creates or opens a file or I/O device. |
| KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |
Windows Registry

• Software\Microsoft\Direct3D\Direct3D12

Windows Registry (Unicode)

• Software\Microsoft\VisualStudio\MSPDB
File Access

• CRYPTSP.dll
• api-ms-win-core-string-obsolete-l1-1-0.dll
• api-ms-win-crt-time-l1-1-0.dll
• api-ms-win-core-kernel32-legacy-l1-1-0.dll
• RPCRT4.dll
• api-ms-win-core-io-l1-1-0.dll
• api-ms-win-core-localization-l1-2-0.dll
• api-ms-win-core-registry-l1-1-0.dll
• api-ms-win-core-heap-l2-1-0.dll
• api-ms-win-core-interlocked-l1-1-0.dll
• api-ms-win-core-profile-l1-1-0.dll
• api-ms-win-core-processthreads-l1-1-1.dll
• api-ms-win-core-rtlsupport-l1-1-0.dll
• api-ms-win-core-sysinfo-l1-1-0.dll
• api-ms-win-core-memory-l1-1-0.dll
• api-ms-win-core-processenvironment-l1-1-0.dll
• api-ms-win-core-processthreads-l1-1-0.dll
• api-ms-win-core-synch-l1-2-0.dll
• api-ms-win-core-handle-l1-1-0.dll
• api-ms-win-core-file-l1-1-0.dll
• api-ms-win-core-errorhandling-l1-1-0.dll
• api-ms-win-core-file-l1-2-0.dll
• api-ms-win-core-heap-l1-1-0.dll
• api-ms-win-core-debug-l1-1-0.dll
• api-ms-win-core-synch-l1-1-0.dll
• api-ms-win-core-string-l1-1-0.dll
• api-ms-win-core-libraryloader-l1-2-0.dll
• api-ms-win-crt-private-l1-1-0.dll
• api-ms-win-crt-runtime-l1-1-0.dll
• api-ms-win-crt-math-l1-1-0.dll
• api-ms-win-crt-string-l1-1-0.dll
• D3DCOMPILER_47.dll
• .dat
• SMR.Dat
• @.dat
• Temp

File Access (Unicode)

• d3dcompiler_47.dll
• SymbolServerSetOptionsSymbolServerStoreFileWSYMSRV.DLL
• SYMSRV.DLL
• api-ms-win-core-file-l2-1-1.dll
• kernel32.dll
• bcrypt.dll
Words of Interest

<body exec attrib start cipher systeminfo ping expand replace

Words of Interest (Unicode)

exec start

Strings/Hex Code Matched by File Rules
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | WinAPI Sockets (bind) |
| Text | Ascii | WinAPI Sockets (accept) |
| Text | Ascii | WinAPI Sockets (send) |
| Text | Ascii | Registry (RegOpenKeyEx) |
| Text | Ascii | File (CopyFile) |
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | File (ReadFile) |
| Text | Ascii | Encryption API (CryptAcquireContext) |
| Text | Ascii | Encryption API (CryptReleaseContext) |
| Text | Ascii | Anti-Analysis VM (IsDebuggerPresent) |
| Text | Ascii | Anti-Analysis VM (GetSystemInfo) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Stealth (UnmapViewOfFile) |
| Text | Ascii | Stealth (MapViewOfFile) |
| Text | Ascii | Stealth (CreateFileMappingA) |
| Text | Ascii | Stealth (CreateFileMappingW) |
| Text | Ascii | Stealth (VirtualAlloc) |
| Text | Unicode | Technique used to insert malicious code into legitimate processes (Inject) |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8.0 (DLL) |
Resources
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \VERSION\1\1033 | 3DC060 | 3BC | 3D3060 | B80334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
Intelligent Strings

• d3dcompiler_47.dll
• api-ms-win-core-sysinfo-l1-1-0.dll
• api-ms-win-core-memory-l1-1-0.dll
• api-ms-win-core-processenvironment-l1-1-0.dll
• api-ms-win-core-processthreads-l1-1-0.dll
• api-ms-win-core-synch-l1-2-0.dll
• api-ms-win-core-handle-l1-1-0.dll
• api-ms-win-core-file-l1-1-0.dll
• api-ms-win-core-errorhandling-l1-1-0.dll
• api-ms-win-core-file-l1-2-0.dll
• api-ms-win-core-heap-l1-1-0.dll
• api-ms-win-core-synch-l1-1-0.dll
• api-ms-win-core-string-l1-1-0.dll
• .enc
• bcrypt.dll
• kernel32.dll
• api-ms-win-core-file-l2-1-1.dll
• .dbg
• SYMSRV.DLL
• countbits(i) -> and/shift/add sequence <| MR.Gen_RequiredTranslate
• firstbitlow(i) -> shift/bine/add sequence <| MR.Gen_RequiredTranslate
• firstbit_shi(i) -> shift/bine/add sequence <| MR.Gen_RequiredTranslate
• firstbit_hi(i) -> shift/bine/add sequence <| MR.Gen_RequiredTranslate
• VI7xicuUcabinet.dll
• .pdb
• D3DCompiler_47.pdb
• .bss
• 6_initterm7_initterm_eapi-ms-win-crt-string-l1-1-0.dll
• api-ms-win-crt-math-l1-1-0.dll
• api-ms-win-crt-private-l1-1-0.dll
• api-ms-win-core-libraryloader-l1-2-0.dll
• api-ms-win-core-debug-l1-1-0.dll
• api-ms-win-core-rtlsupport-l1-1-0.dll
• api-ms-win-core-processthreads-l1-1-1.dll
• api-ms-win-core-profile-l1-1-0.dll
• api-ms-win-core-interlocked-l1-1-0.dll
• api-ms-win-core-kernel32-legacy-l1-1-0.dll
• api-ms-win-crt-time-l1-1-0.dll
• lstrcmpiAapi-ms-win-core-string-obsolete-l1-1-0.dll
• CRYPTSP.dll

Flow Anomalies
| Offset | RVA | Section | Description |
|---|---|---|---|
| 1018 | N/A | .text | JMP QWORD PTR [RIP+0x31AB4A] |
| 1048 | N/A | .text | JMP QWORD PTR [RIP+0x31AB1A] |
| 1099 | N/A | .text | CALL QWORD PTR [RIP+0x31A679] |
| 79CD | N/A | .text | CALL QWORD PTR [RIP+0x313D0D] |
| 7A00 | N/A | .text | CALL QWORD PTR [RIP+0x313CDA] |
| 7A30 | N/A | .text | CALL QWORD PTR [RIP+0x313CAA] |
| 7ABD | N/A | .text | CALL QWORD PTR [RIP+0x313C1D] |
| 7E59 | N/A | .text | CALL QWORD PTR [RIP+0x313D11] |
| 7EDC | N/A | .text | CALL QWORD PTR [RIP+0x313C8E] |
| 7F29 | N/A | .text | CALL QWORD PTR [RIP+0x313C41] |
| 7FEB | N/A | .text | CALL QWORD PTR [RIP+0x313447] |
| 7FF4 | N/A | .text | CALL QWORD PTR [RIP+0x31342E] |
| 7FFA | N/A | .text | CALL QWORD PTR [RIP+0x3135F0] |
| 800E | N/A | .text | JMP QWORD PTR [RIP+0x313604] |
| 802E | N/A | .text | CALL QWORD PTR [RIP+0x3135FC] |
| 8121 | N/A | .text | CALL QWORD PTR [RIP+0x313509] |
| 81C5 | N/A | .text | CALL QWORD PTR [RIP+0x3134CD] |
| 81DD | N/A | .text | CALL QWORD PTR [RIP+0x3134A5] |
| 8214 | N/A | .text | CALL QWORD PTR [RIP+0x313476] |
| 8237 | N/A | .text | CALL QWORD PTR [RIP+0x31345B] |
| 8251 | N/A | .text | CALL QWORD PTR [RIP+0x313431] |
| 8288 | N/A | .text | CALL QWORD PTR [RIP+0x313402] |
| 8358 | N/A | .text | CALL QWORD PTR [RIP+0x3133B2] |
| 8366 | N/A | .text | CALL QWORD PTR [RIP+0x3132B4] |
| 8372 | N/A | .text | CALL QWORD PTR [RIP+0x313270] |
| 8382 | N/A | .text | CALL QWORD PTR [RIP+0x3132B8] |
| 83E8 | N/A | .text | JMP QWORD PTR [RIP+0x31313A] |
| 8552 | N/A | .text | CALL QWORD PTR [RIP+0x313618] |
| 8850 | N/A | .text | CALL QWORD PTR [RIP+0x312DDA] |
| 887D | N/A | .text | CALL QWORD PTR [RIP+0x312E15] |
| 8897 | N/A | .text | CALL QWORD PTR [RIP+0x312DEB] |
| 88D8 | N/A | .text | CALL QWORD PTR [RIP+0x312DB2] |
| 892C | N/A | .text | CALL QWORD PTR [RIP+0x312ADE] |
| 894D | N/A | .text | CALL QWORD PTR [RIP+0x312AE5] |
| 8958 | N/A | .text | CALL QWORD PTR [RIP+0x312ACA] |
| 89B4 | N/A | .text | CALL QWORD PTR [RIP+0x3131B6] |
| 8A00 | N/A | .text | CALL QWORD PTR [RIP+0x31316A] |
| 8B24 | N/A | .text | JMP QWORD PTR [RIP+0xFFF3FF0] |
| 8C96 | N/A | .text | JMP QWORD PTR [RIP+0x312E3C] |
| 8CA2 | N/A | .text | JMP QWORD PTR [RIP+0x312E40] |
| 8CAE | N/A | .text | JMP QWORD PTR [RIP+0x312D94] |
| 8CBA | N/A | .text | JMP QWORD PTR [RIP+0x312DC0] |
| 8CC6 | N/A | .text | JMP QWORD PTR [RIP+0x312DAC] |
| 8CD2 | N/A | .text | JMP QWORD PTR [RIP+0x312D98] |
| 8CDE | N/A | .text | JMP QWORD PTR [RIP+0x312D84] |
| 8CEA | N/A | .text | JMP QWORD PTR [RIP+0x312D70] |
| 8CF6 | N/A | .text | JMP QWORD PTR [RIP+0x312D5C] |
| 8D02 | N/A | .text | JMP QWORD PTR [RIP+0x312D48] |
| 8D0E | N/A | .text | JMP QWORD PTR [RIP+0x312D2C] |
| 8D1A | N/A | .text | JMP QWORD PTR [RIP+0x312D18] |
| 8D26 | N/A | .text | JMP QWORD PTR [RIP+0x312CF4] |
| 8D32 | N/A | .text | JMP QWORD PTR [RIP+0x312CE0] |
| 8D3E | N/A | .text | JMP QWORD PTR [RIP+0x312CC4] |
| 8D4A | N/A | .text | JMP QWORD PTR [RIP+0x312CB0] |
| 8D56 | N/A | .text | JMP QWORD PTR [RIP+0x3129EC] |
| 8D62 | N/A | .text | JMP QWORD PTR [RIP+0x312A00] |
| 8D6E | N/A | .text | JMP QWORD PTR [RIP+0x3129FC] |
| 8D7A | N/A | .text | JMP QWORD PTR [RIP+0x3129F8] |
| 8D90 | N/A | .text | JMP QWORD PTR [RIP+0x312A12] |
| 8D9C | N/A | .text | JMP QWORD PTR [RIP+0x312A16] |
| 8DA8 | N/A | .text | JMP QWORD PTR [RIP+0x312A12] |
| 8DB4 | N/A | .text | JMP QWORD PTR [RIP+0x312A7E] |
| 8DC0 | N/A | .text | JMP QWORD PTR [RIP+0x312A7A] |
| 8DCC | N/A | .text | JMP QWORD PTR [RIP+0x312A76] |
| 8DD8 | N/A | .text | JMP QWORD PTR [RIP+0x312A72] |
| 8DE4 | N/A | .text | JMP QWORD PTR [RIP+0x312A8E] |
| 8DF0 | N/A | .text | JMP QWORD PTR [RIP+0x312A8A] |
| 8DFC | N/A | .text | JMP QWORD PTR [RIP+0x312A86] |
| 8E08 | N/A | .text | JMP QWORD PTR [RIP+0x312A82] |
| 8E14 | N/A | .text | JMP QWORD PTR [RIP+0x312A8E] |
| 8E20 | N/A | .text | JMP QWORD PTR [RIP+0x312A8A] |
| 8E2C | N/A | .text | JMP QWORD PTR [RIP+0x312A86] |
| 8E38 | N/A | .text | JMP QWORD PTR [RIP+0x312A8A] |
| 8E44 | N/A | .text | JMP QWORD PTR [RIP+0x312AC6] |
| 8E50 | N/A | .text | JMP QWORD PTR [RIP+0x312AC2] |
| 8E5C | N/A | .text | JMP QWORD PTR [RIP+0x312AC6] |
| 8E68 | N/A | .text | JMP QWORD PTR [RIP+0x312AD2] |
| 8E74 | N/A | .text | JMP QWORD PTR [RIP+0x312ACE] |
| 8E80 | N/A | .text | JMP QWORD PTR [RIP+0x312ACA] |
| 8E8C | N/A | .text | JMP QWORD PTR [RIP+0x312AEE] |
| 8E98 | N/A | .text | JMP QWORD PTR [RIP+0x312AEA] |
| 8EA4 | N/A | .text | JMP QWORD PTR [RIP+0x312AE6] |
| 8EB0 | N/A | .text | JMP QWORD PTR [RIP+0x312AE2] |
| 8EBC | N/A | .text | JMP QWORD PTR [RIP+0x312B16] |
| 8EC8 | N/A | .text | JMP QWORD PTR [RIP+0x312B12] |
| 8ED4 | N/A | .text | JMP QWORD PTR [RIP+0x312B0E] |
| 8EE0 | N/A | .text | JMP QWORD PTR [RIP+0x312B0A] |
| 8EEC | N/A | .text | JMP QWORD PTR [RIP+0x312B06] |
| 8EF8 | N/A | .text | JMP QWORD PTR [RIP+0x312C3A] |
| 93A9 | N/A | .text | CALL QWORD PTR [RIP+0x3127B9] |
| 93EF | N/A | .text | CALL QWORD PTR [RIP+0x312773] |
| 9403 | N/A | .text | CALL QWORD PTR [RIP+0x31275F] |
| 94A1 | N/A | .text | CALL QWORD PTR [RIP+0x312069] |
| 9539 | N/A | .text | CALL QWORD PTR [RIP+0x312629] |
| 954D | N/A | .text | CALL QWORD PTR [RIP+0x312615] |
| 957A | N/A | .text | JMP QWORD PTR [RIP+0x311F98] |
| 9611 | N/A | .text | CALL QWORD PTR [RIP+0x311F01] |
| 96AD | N/A | .text | CALL QWORD PTR [RIP+0x3124B5] |
| 96C2 | N/A | .text | CALL QWORD PTR [RIP+0x3124A0] |
| 96D4 | N/A | .text | CALL QWORD PTR [RIP+0x31248E] |
Extra Analysis
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 2409273 | 59,4744% |
| Null Byte Code | 714848 | 17,6465% |
| NOP Cave Found (0x9090909090) | Block Count: 3 | 0,0002% |