PESCAN.IO - Analysis Report (Valid Code)

| File Structure |
| Information |
| Field | Value |
|---|---|
| Size | 175,00 KB |
| SHA-256 Hash | C2324C432024BDA1368E2E54207A022EE0632DB39D8C9EFA712FD9DAD5E8FE07 |
| SHA-1 Hash | E5CD316601FD300DC5EB4A8B20D95E9AA01F0990 |
| MD5 Hash | 4012677BEB7687BB28D288C705DAFCF5 |
| Imphash | B9D5E6231A729F64685D981B20518BD0 |
| MajorOSVersion | 6 |
| CheckSum | 00000000 |
| EntryPoint (rva) | 99D6 |
| SizeOfHeaders | 400 |
| SizeOfImage | 31000 |
| ImageBase | 400000 |
| Architecture | x86 |
| ImportTable | 22808 |
| Characteristics | 102 |
| TimeDateStamp | 67A89369 |
| Date | 09/02/2025 11:37:13 |
| File Type | EXE |
| Number Of Sections | 5 |
| ASLR | Enabled |
| Section Names | .text, .rdata, .data, .rsrc, .reloc |
| Number Of Executable Sections | 1 |
| Subsystem | Windows GUI |
| UAC Execution Level Manifest | asInvoker |
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize |
|---|---|---|---|---|---|
| .text | 60000020 (Executable) | 400 | 1AE00 | 1000 | 1ACAB |
| .rdata | 40000040 | 1B200 | 7200 | 1C000 | 7008 |
| .data | C0000040 (Writeable) | 22400 | 1A00 | 24000 | 3B78 |
| .rsrc | 40000040 | 23E00 | 600 | 28000 | 578 |
| .reloc | 42000040 | 24400 | 7800 | 29000 | 768C |
| Description |
| Field | Value |
|---|---|
| InternalName | System |
| OriginalFilename | System.exe |
| CompanyName | Microsoft Corporation |
| LegalCopyright | Copyright (C) 2026 |
| ProductName | System |
| FileVersion | 6.0.0.1 |
| Entry Point |
| Section 1 (.text) contains the entry point. EntryPoint (calculated): 8DD6 |
| Code: E881560000E98BFEFFFF3B0D9C4542007502F3C3E9035B0000CC57568B7424108B4C24148B7C240C8BC18BD103C63BFE7608 |
| Disassembly: |
• CALL 0X6686
• JMP 0XE95
• CMP ECX, DWORD PTR [0X42459C]
• JNE 0X1014
• RET
• JMP 0X6B1C
• INT3
• PUSH EDI
• PUSH ESI
• MOV ESI, DWORD PTR [ESP + 0X10]
• MOV ECX, DWORD PTR [ESP + 0X14]
• MOV EDI, DWORD PTR [ESP + 0XC]
• MOV EAX, ECX
• MOV EDX, ECX
• ADD EAX, ESI
• CMP EDI, ESI
• JBE 0X103A
| Signatures |
| Rich Signature Analyzer |
| Code: 286B8BEC6C0AE5BF6C0AE5BF6C0AE5BF6C0AE4BF090AE5BF907D5CBF650AE5BFA8CF28BF750AE5BFA8CF2ABF510AE5BFA8CF2BBFC20AE5BF4BCC36BF6F0AE5BF4BCC2CBF6D0AE5BF6C0A72BF6D0AE5BF4BCC29BF6D0AE5BF526963686C0AE5BF |
| Footprint md5 Hash: FFB7147B4D136128E532037CFB476D46 |
• The Rich header apparently has not been modified
| Certificate - Digital Signature Not Found |
• The file is not signed
| Packer/Compiler |
| Compiler: Microsoft Visual C++ |
| Detect It Easy (DiE): |
• PE: compiler: Microsoft Visual C/C++(2012)[-]
• PE: linker: Microsoft Linker(8.0 or 11.0)[EXE32]
• Entropy: 5.9024
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | CreateMutexA | Create a named or unnamed mutex object for controlling access to a shared resource. |
| KERNEL32.DLL | CopyFileW | Copies an existing file to a new file. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | LoadLibraryW | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |
| Windows REG |
| Software\Microsoft\Windows\CurrentVersion\Run |
| Rebuilt string: SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Windows REG (UNICODE) |
| Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced |
| File Access |
| KERNEL32.dll, SHELL32.dll, ADVAPI32.dll, User32.dll, Temp |
| File Access (UNICODE) |
| mscoree.dll, GetCurrentPackageIdkernel32.dll, System.exe, \winsvc.exe, \Winsrv\winsvc.exe, Temp |
| Words of Interest |
| BitCoin, exec, attrib, start |
| URLs |
| http://schemas.microsoft.com/SMI/2005/WindowsSettings |
| Payloads |
| Unusual BP Cave > 15 Bytes - a run of 0xCC (INT3) bytes: (0xCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC...) |
| Strings/Hex Code Found With The File Rules |
• Rule Text (Ascii): WinAPI Sockets (connect)
• Rule Text (Ascii): Registry (RegOpenKeyEx)
• Rule Text (Ascii): Registry (RegSetValueEx)
• Rule Text (Ascii): File (CopyFile)
• Rule Text (Ascii): File (CreateFile)
• Rule Text (Ascii): File (WriteFile)
• Rule Text (Ascii): Anti-Analysis VM (IsDebuggerPresent)
• EP Rules: Microsoft Visual C++ 8
• EP Rules: VC8 -> Microsoft Corporation
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \VERSION\1\1033 | 280A0 | 2B0 | 23EA0 | B00234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \24\1\1033 | 28350 | 224 | 24150 | EFBBBF3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E65 | ...<?xml version="1.0" encoding="UTF-8" standalone |
| Intelligent String |
• mscoree.dll
• USER32.DLL
• User32.dll
• \Winsrv\winsvc.exe
• \winsvc.exe
• KERNEL32.dll
• 6.0.0.1
• System.exe
• 8.0.0.1
• <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware></windowsSettings></application></assembly>
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 90143 | 50,303% |
| Null Byte Code | 52728 | 29,4241% |
© 2025 All rights reserved.