PREMIUM PESCAN.IO - Analysis Report

File Structure
[Analysis image: byte map of the file, not reproduced in this text version]
PE chart colour code:
Executable header (light blue)
Executable sections (pink)
Non-executable sections (black)
External injected code (red)
A file structure drawn entirely in red means a malformed or corrupted header
Chart colour code for other (non-PE) files:
Printable characters (blue)
Non-printable characters (black)
Information
Size: 4,26 MB
SHA-256 Hash: 3E283ED7C49C4E18C5CAE999770030BB5A0C67A16EEA1B88BFB5192F5A9218B1
SHA-1 Hash: 6DA95702A5BD20398257CD22EC5A00D6811BF288
MD5 Hash: 41E12B427DA1714E4CB1D10C27AAD484
Imphash: E1AE426C19805CB24163E22BA620A0CD
MajorOSVersion: 6
MinorOSVersion: 1 (minimum OS 6.1 = Windows 7)
CheckSum: 00450C1D
EntryPoint (rva): 11F0
SizeOfHeaders: 600
SizeOfImage: 2442000
ImageBase: 63E80000
Architecture: x86
ExportTable: 226A000 (RVA, in .edata)
ImportTable: 226B000 (RVA, in .idata)
IAT: 226B188 (RVA, in .idata; as a virtual address 660EB188)
Characteristics: 2106 (EXECUTABLE_IMAGE | LINE_NUMS_STRIPPED | 32BIT_MACHINE | DLL)
TimeDateStamp: 0
Date: 01/01/1970 (derived from the zeroed TimeDateStamp; the build time is not recorded)
File Type: DLL
Number Of Sections: 20
ASLR: Enabled
Section Names: .text, .data, .rdata, /4, .bss, .edata, .idata, .tls, .reloc, /14, /29, /41, /55, /67, /80, /91, /110, /122, /138, /154
Number Of Executable Sections: 1
Subsystem: Windows Console
Tool flag: [Incomplete Binary or Compressor Packer - 32,00 MB Missing]

Two of these values need reading with care. The "/N" section names are not names at all: a PE section whose name exceeds 8 bytes stores "/" followed by a decimal offset into the COFF string table, which is how GNU ld writes long names (typically DWARF .debug_* sections); the analyser does not resolve the string table, so the real names are not shown. The "32,00 MB Missing" flag comes from comparing SizeOfImage (0x2442000, about 36,3 MiB) with the 4,26 MB on disk, but the whole gap is the .bss section: VirtualSize 0x2025EE4 (about 32,1 MiB) with a raw size of zero. Uninitialised data occupies no file space, so the file is neither truncated nor carrying a packer stub on this evidence; whether anything is later written into that 32 MiB region is a runtime question, not a header one.

Sections Info
Name    Flags     Decoded flags                             ROffset  RSize   VOffset  VSize    Entropy  Chi2
.text   60000020  Code, Executable, Readable                600      D7400   1000     D72B0    6,2392   6526519,11
.data   C0000040  Initialized Data, Readable, Writeable     D7A00    7EC00   D9000    7EAF0    7,9302   133312,27
.rdata  40000040  Initialized Data, Readable                156600   E9800   158000   E97AC    5,6773   20017901,01
/4      40000040  Initialized Data, Readable                23FE00   1800    242000   1748     4,7912   159490,08
.bss    C0000080  Uninitialized Data, Readable, Writeable   0        0       244000   2025EE4  N/A      N/A
.edata  40000040  Initialized Data, Readable                241600   200     226A000  BD       2,3666   65097,00
.idata  40000040  Initialized Data, Readable                241800   A00     226B000  9A8      5,3532   30834,40
.tls    C0000040  Initialized Data, Readable, Writeable     242200   200     226C000  8        0,0000   130560,00
.reloc  42000040  Initialized Data, Discardable, Readable   242400   BA00    226D000  B860     6,6385   187665,27
/14     42000040  Initialized Data, Discardable, Readable   24DE00   600     2279000  4E0      2,3401   207875,00
/29     42000040  Initialized Data, Discardable, Readable   24E400   CFC00   227A000  CFAF1    6,1158   10078712,84
/41     42000040  Initialized Data, Discardable, Readable   31E000   3E00    234A000  3CE6     4,8711   256619,52
/55     42000040  Initialized Data, Discardable, Readable   321E00   5F200   234E000  5F1DD    6,0059   4749573,73
/67     42000040  Initialized Data, Discardable, Readable   381000   12800   23AE000  127C0    4,5610   2852868,95
/80     42000040  Initialized Data, Discardable, Readable   393800   400     23C1000  213      3,2196   75322,50
/91     42000040  Initialized Data, Discardable, Readable   393C00   200     23C2000  30       0,8557   107659,00
/110    42000040  Initialized Data, Discardable, Readable   393E00   2600    23C3000  2448     5,6566   166754,05
/122    42000040  Initialized Data, Discardable, Readable   396400   2400    23C6000  23A2     5,0009   81435,22
/138    42000040  Initialized Data, Discardable, Readable   398800   57800   23C9000  5764D    5,5906   5487288,56
/154    42000040  Initialized Data, Discardable, Readable   3F0000   20200   2421000  2011E    5,8589   2085112,60

The VSize, Entropy and Chi2 columns had run together in the source table; they are separated here with four decimals of entropy, which the .tls row confirms (a 0x200-byte raw section that is all zeros gives a chi-square of exactly 130560,00 against a uniform distribution). The flag value 42000040 decodes to IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE (0x02000000) | IMAGE_SCN_MEM_READ; the original report labelled the 0x02000000 bit "GP-Relative", but that is IMAGE_SCN_GPREL (0x00008000), which is not set on any section here. Discardable, read-only .reloc and debug sections are normal linker output. Two rows deserve attention: .bss, whose 0x2025EE4-byte VirtualSize is the "missing" 32 MB the tool reports (see Information), and .data, whose entropy of 7,93 bits per byte over 0x7EC00 bytes is far above what initialised data normally shows and is worth carving out and inspecting as a possible compressed or encrypted blob.
Entry Point
The entry point lies in section 1 (.text): RVA 11F0, file offset 7F0 (11F0 - VOffset 1000 + ROffset 600).
Code -> 8D4C240483E4F0FF71FC5589E556535183EC2C8B51048B198B710883FA010F84940000008915C47AFD6385D20F8516010000
LEA ECX, [ESP + 4]
AND ESP, 0xFFFFFFF0
PUSH DWORD PTR [ECX - 4]
PUSH EBP
MOV EBP, ESP
PUSH ESI
PUSH EBX
PUSH ECX
SUB ESP, 0x2C
MOV EDX, DWORD PTR [ECX + 4]
MOV EBX, DWORD PTR [ECX]
MOV ESI, DWORD PTR [ECX + 8]
CMP EDX, 1
JE 0x12A8
MOV DWORD PTR [0x63FD7AC4], EDX
TEST EDX, EDX
JNE 0x1338
Branch targets above are RVAs computed from the entry RVA 11F0 (the tool's listing showed 10B8 and 1148, which are the same targets computed from a base of 1000, i.e. off by 1F0). The first three instructions are the stack-realignment prologue GCC emits, with ECX kept as a pointer to the incoming arguments; the three loads then pick up the DLL entry arguments (EBX = hinstDLL, EDX = fdwReason, ESI = lpReserved), CMP EDX, 1 tests for DLL_PROCESS_ATTACH, and fdwReason is saved to the global at 63FD7AC4 (RVA 157AC4, inside .data). This is the shape of a MinGW DllMainCRTStartup, consistent with the msvcrt.dll and libgcc_s_dw2-1.dll references later in the report.
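The offset and size arithmetic in this report (entry RVA to file offset, the TLS callback pointers, the "missing" 32 MB, the 42000040 section flags, and the absolute operands listed later under Flow Anomalies) can all be re-derived from the section table. The script below is an added example, not pescan.io output; its section table and header constants are transcribed from this report, and it assumes a section alignment of 0x1000 (every VOffset in the table is page-aligned).

```python
"""Header arithmetic for the DLL in this report (added example; values
transcribed from the report, section alignment of 0x1000 assumed)."""
from collections import namedtuple

IMAGE_BASE = 0x63E80000
SIZE_OF_IMAGE = 0x2442000
SECTION_ALIGNMENT = 0x1000   # assumed: every VOffset below is page aligned
IAT_RVA = 0x226B188

# IMAGE_SCN_* bits from the PE/COFF specification (the subset seen in this table)
SCN_FLAGS = {
    0x00000020: "CODE", 0x00000040: "INITIALIZED_DATA",
    0x00000080: "UNINITIALIZED_DATA", 0x00008000: "GPREL",
    0x02000000: "DISCARDABLE", 0x20000000: "EXECUTE",
    0x40000000: "READ", 0x80000000: "WRITE",
}

Section = namedtuple("Section", "name flags raw_off raw_size rva vsize")
SECTIONS = [  # name, Flags, ROffset, RSize, VOffset, VSize (from Sections Info)
    Section(".text",  0x60000020, 0x000600, 0xD7400, 0x0001000, 0x00D72B0),
    Section(".data",  0xC0000040, 0x0D7A00, 0x7EC00, 0x00D9000, 0x007EAF0),
    Section(".rdata", 0x40000040, 0x156600, 0xE9800, 0x0158000, 0x00E97AC),
    Section("/4",     0x40000040, 0x23FE00, 0x01800, 0x0242000, 0x0001748),
    Section(".bss",   0xC0000080, 0x000000, 0x00000, 0x0244000, 0x2025EE4),
    Section(".edata", 0x40000040, 0x241600, 0x00200, 0x226A000, 0x00000BD),
    Section(".idata", 0x40000040, 0x241800, 0x00A00, 0x226B000, 0x00009A8),
    Section(".tls",   0xC0000040, 0x242200, 0x00200, 0x226C000, 0x0000008),
    Section(".reloc", 0x42000040, 0x242400, 0x0BA00, 0x226D000, 0x000B860),
    Section("/14",    0x42000040, 0x24DE00, 0x00600, 0x2279000, 0x00004E0),
    Section("/29",    0x42000040, 0x24E400, 0xCFC00, 0x227A000, 0x00CFAF1),
    Section("/41",    0x42000040, 0x31E000, 0x03E00, 0x234A000, 0x0003CE6),
    Section("/55",    0x42000040, 0x321E00, 0x5F200, 0x234E000, 0x005F1DD),
    Section("/67",    0x42000040, 0x381000, 0x12800, 0x23AE000, 0x00127C0),
    Section("/80",    0x42000040, 0x393800, 0x00400, 0x23C1000, 0x0000213),
    Section("/91",    0x42000040, 0x393C00, 0x00200, 0x23C2000, 0x0000030),
    Section("/110",   0x42000040, 0x393E00, 0x02600, 0x23C3000, 0x0002448),
    Section("/122",   0x42000040, 0x396400, 0x02400, 0x23C6000, 0x00023A2),
    Section("/138",   0x42000040, 0x398800, 0x57800, 0x23C9000, 0x005764D),
    Section("/154",   0x42000040, 0x3F0000, 0x20200, 0x2421000, 0x002011E),
]


def align_up(value, alignment):
    return (value + alignment - 1) & ~(alignment - 1)


def decode_flags(flags):
    """Names of the IMAGE_SCN_* bits set in a section Characteristics field."""
    return [name for bit, name in sorted(SCN_FLAGS.items()) if flags & bit]


def section_of_rva(rva):
    """Section whose mapped range (VirtualSize rounded up to a page) holds rva."""
    for s in SECTIONS:
        if s.rva <= rva < s.rva + align_up(s.vsize, SECTION_ALIGNMENT):
            return s
    return None


def rva_to_offset(rva):
    """File offset backing an RVA, or None when the page is zero-filled (.bss)."""
    s = section_of_rva(rva)
    if s is None:
        return rva if rva < SECTIONS[0].raw_off else None   # header bytes map 1:1
    delta = rva - s.rva
    return s.raw_off + delta if delta < s.raw_size else None


def classify_target(va):
    """Describe an absolute CALL/JMP operand such as those under Flow Anomalies."""
    rva = va - IMAGE_BASE
    if not 0 <= rva < SIZE_OF_IMAGE:
        return "outside image"
    s = section_of_rva(rva)
    if s is None:
        return "header"
    if s.name == ".idata" and rva >= IAT_RVA:
        return "IAT slot %d (.idata)" % ((rva - IAT_RVA) // 4)
    return s.name


def image_accounting():
    """Why the tool reports ~32 MB 'missing': mapped bytes with no file bytes."""
    last = max(SECTIONS, key=lambda s: s.rva)
    return {
        "size_of_image_matches": align_up(last.rva + last.vsize, SECTION_ALIGNMENT) == SIZE_OF_IMAGE,
        "zero_filled_bytes": sum(s.vsize - s.raw_size for s in SECTIONS if s.vsize > s.raw_size),
        "last_section_end_on_disk": max(s.raw_off + s.raw_size for s in SECTIONS),
    }


if __name__ == "__main__":
    print("entry RVA 0x11F0 -> file offset 0x%X" % rva_to_offset(0x11F0))
    for va in (0x660EB22C, 0x63FD7AD8, 0x640C0E80, 0x07890002):
        print("[0x%08X] -> %s" % (va, classify_target(va)))
    print(".reloc flags 0x42000040 ->", decode_flags(0x42000040))
    print(image_accounting())
```

Three things fall out directly: the entry point and both TLS callbacks land on the file offsets the report prints (7F0, D6210, D61D0); the zero-filled byte count is 0x2025EE4, the .bss VirtualSize, and rounds to the 32 MB the tool calls missing; and the last section ends on disk at 0x410200, exactly where the report's "overlay" begins.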

Signatures
CheckSum Integrity Problem:
Header: 4525085 (0x00450C1D)
Calculated: 4494937 (0x00449659)
A mismatch means the bytes on disk are not the bytes the stored checksum was computed over: either the file was changed after linking or the field was never refreshed. It is not a security control. The Windows loader verifies CheckSum only for drivers, DLLs loaded at boot and DLLs loaded into protected system processes, and the value is a plain 16-bit word sum that anyone modifying the file can recompute. Treat the mismatch as a prompt to look for post-link modification, not as evidence on its own.
Certificate - Digital Signature Not Found:
• The file is not signed
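The value the report compares is IMAGE_OPTIONAL_HEADER.CheckSum. The following is an added example, not pescan.io's code, that recomputes it for any PE file; the 160-byte MZ/PE header stub it constructs for offline use is an assumption for the demonstration and is not a loadable image.

```python
"""Recompute and verify the PE OptionalHeader.CheckSum (added example)."""
import struct


def checksum_field_offset(data):
    """Offset of OptionalHeader.CheckSum: e_lfanew + 4 (signature) + 20 (COFF) + 64."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 20 + 64           # same for PE32 and PE32+


def pe_checksum(data, checksum_offset):
    """Word-wise sum with end-around carry over the whole file, skipping the
    4-byte CheckSum field, plus the file length (the arithmetic behind
    imagehlp's CheckSumMappedFile)."""
    total = 0
    for i in range(0, len(data) - 1, 2):
        if checksum_offset <= i < checksum_offset + 4:
            continue                         # the field being computed is excluded
        total += data[i] | (data[i + 1] << 8)
        total = (total & 0xFFFF) + (total >> 16)   # fold the carry back in
    if len(data) & 1:                        # odd trailing byte
        total += data[-1]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF


def verify_checksum(data):
    """Return (stored, computed, match) for a PE file image."""
    off = checksum_field_offset(data)
    stored = struct.unpack_from("<I", data, off)[0]
    computed = pe_checksum(data, off)
    return stored, computed, stored == computed


def constructed_image(stored_checksum):
    """Constructed 160-byte MZ/PE header stub for the demonstration (not loadable)."""
    buf = bytearray(0xA0)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)          # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<I", buf, 0x40 + 88, stored_checksum)
    return bytes(buf)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_image(0)
    stored, computed, ok = verify_checksum(data)
    print("stored=0x%08X computed=0x%08X %s" % (stored, computed, "OK" if ok else "MISMATCH"))
```

Run against the sample it should print stored=0x00450C1D and, if the analyser saw the same bytes, computed=0x00449659. Because the algorithm is public and trivial, a checksum match proves nothing about integrity; only the Authenticode signature (absent here) does.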

Packer/Compiler
Detect It Easy (die): no compiler or packer signature reported
Entropy: 6.73516 (whole file; per-section values are in Sections Info)
The rest of the report is more informative about the build than the empty DiE result: Go runtime messages and package-qualified symbol names throughout the strings, msvcrt.dll and libgcc_s_dw2-1.dll references, a GCC-style entry prologue, "/N" long section names and a COFF symbol table at the end of the file all point to a Go program compiled as a 32-bit DLL through cgo and the MinGW toolchain (the way go build -buildmode=c-shared produces one) and left unstripped. A whole-file entropy of 6.7 is below the level a packed or encrypted image normally shows, but the 7,93 bits per byte of the .data section over 0x7EC00 bytes stands out and should be examined separately.

Suspicious Functions
Library       Function          Description
KERNEL32.DLL  VirtualAlloc      Reserve, commit, or both, a region of memory within the virtual address space of a process.
KERNEL32.DLL  GetModuleHandleA  Retrieves a handle to the specified module.
KERNEL32.DLL  WriteFile         Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL  LoadLibraryA      Loads the specified module into the address space of the calling process.
KERNEL32.DLL  GetProcAddress    Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
Ws2_32.DLL    socket            Creates a communication endpoint for networking applications.
These are resolved imports from the IAT. The KERNEL32 entries are what any Go or MinGW-built image needs (the Go runtime reserves its heap with VirtualAlloc and looks up the rest of the Win32 API by name through LoadLibrary/GetProcAddress), so on their own they say little. The static import of ws2_32!socket is the one to follow: the Go standard library resolves Winsock functions by name at run time, so a static import most plausibly belongs to C code linked in through cgo, and its IAT slot can be traced back to the call site in .text through the Flow Anomalies table.
File Access
Most of the entries below are not file paths. The analyser extracts any printable run that ends in a file-like extension, and in a Go binary that pattern matches inside package-qualified symbol names wherever ".exe", ".sys", ".dat", ".log" or ".ini" occurs case-insensitively: "os.Exe" is the start of os.Executable, "debug/pe.Dat" the start of a debug/pe identifier, "internal/runtime/syscall/windows.Sys" the start of a syscall wrapper, and the long crypto/internal/fips140/... list is simply the Go standard library. The entries that do refer to real files or environment variables are the DLL names (msvcrt.dll, KERNEL32.dll, LightShot.dll, libgcc_s_dw2-1.dll, bcryptprimitives.dll), the RegAsm.exe path under \Windows\Microsoft.NET\Framework\v4.0.30319, the file name LightShot_log.txt (the "bisect-match 0x" prefix is an adjacent Go internal/bisect string swept into the match) and the variable names Temp, WinDir, SysDir and UserProfile. Exact duplicate lines from the original list have been removed.
os.Exe
os.exe
.exe
internal/syscall/windows/registry.EXE
\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
msvcrt.dll
KERNEL32.dll
LightShot.dll
seconds/godebug/non-default-behavior/bcryptprimitives.dll
libgcc_s_dw2-1.dll
crypto/internal/entropy/v1%2e0%2e0.Scr
*crypto/internal/entropy/v1%2e0%2e0.Scr
*entropy.Scr
itab.sys
os.sys
internal/runtime/syscall/windows.Sys
.sys
encoding/binary.dat
.dat
internal/abi.Name.Dat
*debug/pe.Dat
]debug/pe.Dat
debug/pe.Dat
16]debug/pe.Dat
(~r0.dat
16]pe.Dat
]pe.Dat
*pe.Dat
internal/testlog.log
main.log
internal/testlog.Log
~compress/flate.log
bisect-match 0xLightShot_log.txt
internal/poll.Ini
main.ini
crypto/internal/entropy/v1%2e0%2e0.ini
internal/syscall/windows.ini
path/filepath.ini
debug/dwarf.ini
compress/flate.ini
fmt.ini
reflect.ini
crypto.ini
crypto/internal/fips140/aes/gcm.ini
crypto/internal/fips140/drbg.ini
os.ini
io/fs.ini
time.ini
internal/syscall/windows/registry.ini
internal/syscall/windows/sysdll.ini
crypto/fips140.ini
crypto/internal/fips140/aes.ini
crypto/internal/fips140/check.ini
crypto/internal/fips140/hmac.ini
crypto/internal/fips140/sha512.ini
crypto/internal/fips140/sha3.ini
crypto/internal/fips140deps/cpu.ini
crypto/internal/fips140/sha256.ini
crypto/internal/fips140.ini
internal/godebug.ini
iter.ini
unicode.ini
sync.ini
errors.ini
internal/cpu.Ini
Temp
WinDir
SysDir
UserProfile

File Access (UNICODE)
cbcryptprimitives.dll
powrprof.dll
winmm.dll
ntdll.dll
All four are libraries the Go runtime loads by itself on Windows (winmm.dll for its timer resolution, powrprof.dll for suspend/resume notification, bcryptprimitives.dll for random bytes, ntdll.dll for its Nt*/Rtl* calls), so they are explained by the runtime rather than by the program's own logic. "cbcryptprimitives.dll" is bcryptprimitives.dll with one preceding character swept into the match; compare the ASCII hit in the list above.

Words of Interest
zombie
Encrypt
Decrypt
RunPE
exec
netsh
attrib
start
pause
cipher
hostname
sdelete
shutdown
systeminfo
ping
expand
replace
route
setx
Most of these are names of Windows command-line tools or cmd built-ins (netsh, attrib, cipher, sdelete, shutdown, systeminfo, ping, expand, replace, route, setx, hostname, start, pause); as bare words they say nothing about how, or whether, they are invoked. In a Go DLL the entries that stand out are RunPE, Encrypt and Decrypt.

Strings/Hex Code Found With The File Rules
All matches below are ASCII text strings (Type: Text, Encoding: Ascii); the rule name is the analyser's category for the matched word, not a finding.
WinAPI Sockets: WSACleanup, bind, listen, accept, connect, recv, send
Registry: RegCreateKeyEx, RegOpenKeyEx, RegSetValueEx
File: GetTempPath, CreateFile, WriteFile, ReadFile
Service: OpenSCManager
Encryption API: CryptAcquireContext, CryptReleaseContext
Anti-Analysis VM: GetSystemInfo, GetVersion, CreateToolhelp32Snapshot
Reconnaissance: FindFirstFileW, FindNextFileW, FindClose
Stealth: GetThreadContext, SetThreadContext, CloseHandle, UnmapViewOfFile, MapViewOfFile, CreateFileMappingW, VirtualAlloc, VirtualProtect, NtWriteVirtualMemory, NtUnmapViewOfSection
Execution: CreateProcessA, CreateProcessW, ResumeThread, NtResumeThread, CreateEventA, CreateEventW
Privileges: SE_GROUP_INTEGRITY, SE_PRIVILEGE_ENABLED
Keyword: Payload (malicious code executed after exploiting a vulnerability), Enumeration (process of gathering information about network resources), Logger (software that records user activity), Bypass (technique used to circumvent security measures)
How to weigh this: these are string hits, not resolved imports. A Go program resolves most of the Win32 API by name through LoadLibrary/GetProcAddress, so API names in its string table are expected, and a large share of the list is the Go runtime or standard library talking to Windows (GetThreadContext/SetThreadContext and ResumeThread for goroutine preemption, VirtualAlloc, GetSystemInfo, CreateEventA, CloseHandle, CreateToolhelp32Snapshot, the Find*File, Crypt* and file-mapping functions). Those carry no signal on their own. What the standard library does not account for is NtWriteVirtualMemory, NtUnmapViewOfSection and NtResumeThread; with CreateProcessA/W, the thread-context pair and the word RunPE this is the API set of process hollowing, and the RegAsm.exe path in File Access would be the obvious host candidate (a signed Microsoft binary frequently chosen for that purpose). At string level that is a hypothesis, not a result: confirm it dynamically by watching which names are passed to GetProcAddress and whether a suspended child process is created and written to.
Intelligent String
• .bss
• .qty
• .ret
• .stk
• .typ
• .err
• .key
• @.bss
• @.tls
• ntdll.dll
• winmm.dll
• powrprof.dll
• cbcryptprimitives.dll
• One printable run of concatenated Go runtime and syscall messages (Go stores string literals without terminators and groups them by length; every message here is 24 bytes), split at message boundaries: exit hook invoked panic | pattern bits too long: | connection reset by peer | level 2 not synchronized | link number out of range | out of streams resources | function not implemented | structure needs cleaning | not supported by windows | CertFreeCertificateChain | CreateToolhelp32Snapshot | GetUserProfileDirectoryW | tracecheckstackownership | waiting for cgo callback | hash of unhashable type | span has no free objects | runtime: found obj at *( | runtime: VirtualFree of | /cgo/go-to-c-calls:calls | /gc/heap/objects:objects | /sched/latencies:seconds | queuefinalizer during GC | checkfinalizers: queue: | update during transition | runtime: markroot index | can't scan our own stack | gcDrainN phase incorrect | pageAlloc: out of memory | runtime: p.searchAddr = | range partially overlaps | [recovered, repanicked] | stack trace unavailable
• KERNEL32.dll
• msvcrt.dll
• reflect.add
• reflect.Value.Len
• path/filepath.Dir
• .src
• .arg
• .off
• compress/flate.byLiteral.Len
• compress/flate.byFreq.Len
• math/bits.Len
• .num
• .wid
• reflect.Value.Int
• .cmp
• internal/syscall/windows/sysdll.Add
• internal/runtime/exithook.Run
• crypto/internal/fips140/aes/gcm.New
• .obj
• .stw
• -nbytes
• .ssc
• .eof
• .all
• .now
• .ran
• .max
• .pos
• .val
• internal/runtime/sys.nih
• *internal/runtime/maps.Map
• internal/reflectlite.rtype.Len
• errors.New
• internal/bisect.fnv
• internal/bisect.New
• internal/godebug.New
• internal/filepathlite.Dir
• crypto/internal/fips140/sha256.New
• crypto/internal/fips140/sha512.New
• crypto/internal/fips140/aes.New
• heapdump.go
• hexdump.go
• .tls
• io.EOF

Flow Anomalies
Offset Target (VA) Section Description
647 660EB22C .text CALL [static] | Indirect call to absolute memory address
6C7 660EB22C .text CALL [static] | Indirect call to absolute memory address
76D 640C0E80 .text CALL [static] | Indirect call to absolute memory address
9BE 660EB1CC .text CALL [static] | Indirect call to absolute memory address
9D4 660EB1F4 .text CALL [static] | Indirect call to absolute memory address
A74 660EB1B4 .text CALL [static] | Indirect call to absolute memory address
5DF5D 7890002 .text JMP [static] | Indirect jump to absolute memory address
C0756 7890002 .text JMP [static] | Indirect jump to absolute memory address
D00D2 660EB190 .text CALL [static] | Indirect call to absolute memory address
D00EB 660EB1EC .text CALL [static] | Indirect call to absolute memory address
D00FF 63FD7AD8 .text CALL [static] | Indirect call to absolute memory address
D0167 660EB22C .text CALL [static] | Indirect call to absolute memory address
D01AB 660EB1A8 .text CALL [static] | Indirect call to absolute memory address
D01C1 660EB1F0 .text CALL [static] | Indirect call to absolute memory address
D0214 660EB1A8 .text CALL [static] | Indirect call to absolute memory address
D022A 660EB1F0 .text CALL [static] | Indirect call to absolute memory address
D023E 660EB1A8 .text CALL [static] | Indirect call to absolute memory address
D0254 660EB1F0 .text CALL [static] | Indirect call to absolute memory address
D028A 63FD7AD8 .text CALL [static] | Indirect call to absolute memory address
D02CF 660EB1A8 .text CALL [static] | Indirect call to absolute memory address
D02E9 660EB1F0 .text CALL [static] | Indirect call to absolute memory address
D02FA 660EB218 .text CALL [static] | Indirect call to absolute memory address
D0312 63FD7AD8 .text CALL [static] | Indirect call to absolute memory address
D034F 660EB1A8 .text CALL [static] | Indirect call to absolute memory address
D0376 660EB1F0 .text CALL [static] | Indirect call to absolute memory address
D039B 660EB1A8 .text CALL [static] | Indirect call to absolute memory address
D03B1 660EB1F0 .text CALL [static] | Indirect call to absolute memory address
D03E0 660EB1A8 .text CALL [static] | Indirect call to absolute memory address
D03F6 660EB1F0 .text CALL [static] | Indirect call to absolute memory address
D042B 660EB1A8 .text CALL [static] | Indirect call to absolute memory address
D0441 660EB1F0 .text CALL [static] | Indirect call to absolute memory address
D046B 660EB1A8 .text CALL [static] | Indirect call to absolute memory address
D0481 660EB1F0 .text CALL [static] | Indirect call to absolute memory address
D04B0 660EB1A8 .text CALL [static] | Indirect call to absolute memory address
D04C6 660EB1F0 .text CALL [static] | Indirect call to absolute memory address
D0525 660EB198 .text CALL [static] | Indirect call to absolute memory address
D0532 660EB1C8 .text CALL [static] | Indirect call to absolute memory address
D053D 660EB1C8 .text CALL [static] | Indirect call to absolute memory address
D054C 63FD7AD8 .text CALL [static] | Indirect call to absolute memory address
D0573 660EB18C .text CALL [static] | Indirect call to absolute memory address
D058E 660EB22C .text CALL [static] | Indirect call to absolute memory address
D060C 63FD7AD8 .text CALL [static] | Indirect call to absolute memory address
D15D7 600 .text JMP [static] | Indirect jump to absolute memory address
D52E7 660EB22C .text CALL [static] | Indirect call to absolute memory address
D531E 660EB1EC .text CALL [static] | Indirect call to absolute memory address
D532E 660EB1EC .text CALL [static] | Indirect call to absolute memory address
D535C 660EB1A8 .text CALL [static] | Indirect call to absolute memory address
D53A2 660EB1A0 .text CALL [static] | Indirect call to absolute memory address
D53B2 660EB1A0 .text CALL [static] | Indirect call to absolute memory address
D5401 660EB1F0 .text CALL [static] | Indirect call to absolute memory address
D54F7 660EB1F0 .text CALL [static] | Indirect call to absolute memory address
D567C 660EB1F0 .text CALL [static] | Indirect call to absolute memory address
D58F7 660EB1F0 .text CALL [static] | Indirect call to absolute memory address
D5984 660EB1F0 .text CALL [static] | Indirect call to absolute memory address
D638B 660EB24C .text CALL [static] | Indirect call to absolute memory address
D63F3 660EB248 .text CALL [static] | Indirect call to absolute memory address
D6400 660EB1C8 .text CALL [static] | Indirect call to absolute memory address
D67CE 660EB1A8 .text CALL [static] | Indirect call to absolute memory address
D681C 660EB1F0 .text CALL [static] | Indirect call to absolute memory address
D6873 660EB1A8 .text CALL [static] | Indirect call to absolute memory address
D6895 660EB1F0 .text CALL [static] | Indirect call to absolute memory address
D68CB 660EB1A8 .text CALL [static] | Indirect call to absolute memory address
D6927 660EB1F0 .text CALL [static] | Indirect call to absolute memory address
D6A04 660EB1A0 .text CALL [static] | Indirect call to absolute memory address
D6A47 660EB1EC .text CALL [static] | Indirect call to absolute memory address
D6E60 660EB268 .text JMP [static] | Indirect jump to absolute memory address
D6E68 660EB264 .text JMP [static] | Indirect jump to absolute memory address
D6E70 660EB25C .text JMP [static] | Indirect jump to absolute memory address
D6E78 660EB258 .text JMP [static] | Indirect jump to absolute memory address
D6E80 660EB254 .text JMP [static] | Indirect jump to absolute memory address
D6E88 660EB250 .text JMP [static] | Indirect jump to absolute memory address
D6E90 660EB24C .text JMP [static] | Indirect jump to absolute memory address
D6E98 660EB244 .text JMP [static] | Indirect jump to absolute memory address
D6EA0 660EB240 .text JMP [static] | Indirect jump to absolute memory address
D6EA8 660EB238 .text JMP [static] | Indirect jump to absolute memory address
D6EB0 660EB234 .text JMP [static] | Indirect jump to absolute memory address
D6EB8 660EB230 .text JMP [static] | Indirect jump to absolute memory address
D6EC0 660EB228 .text JMP [static] | Indirect jump to absolute memory address
D6EC8 660EB224 .text JMP [static] | Indirect jump to absolute memory address
D6ED0 660EB220 .text JMP [static] | Indirect jump to absolute memory address
D6ED8 660EB21C .text JMP [static] | Indirect jump to absolute memory address
D6EE0 660EB218 .text JMP [static] | Indirect jump to absolute memory address
D6EE8 660EB214 .text JMP [static] | Indirect jump to absolute memory address
D6EF0 660EB210 .text JMP [static] | Indirect jump to absolute memory address
D6EF8 660EB20C .text JMP [static] | Indirect jump to absolute memory address
D6F00 660EB208 .text JMP [static] | Indirect jump to absolute memory address
D6F08 660EB204 .text JMP [static] | Indirect jump to absolute memory address
D6F10 660EB200 .text JMP [static] | Indirect jump to absolute memory address
D6F18 660EB1F8 .text JMP [static] | Indirect jump to absolute memory address
D6F20 660EB1E8 .text JMP [static] | Indirect jump to absolute memory address
D6F28 660EB1E4 .text JMP [static] | Indirect jump to absolute memory address
D6F30 660EB1E0 .text JMP [static] | Indirect jump to absolute memory address
D6F38 660EB1DC .text JMP [static] | Indirect jump to absolute memory address
D6F40 660EB1D8 .text JMP [static] | Indirect jump to absolute memory address
D6F48 660EB1D4 .text JMP [static] | Indirect jump to absolute memory address
D6F50 660EB1D0 .text JMP [static] | Indirect jump to absolute memory address
D6F58 660EB1C4 .text JMP [static] | Indirect jump to absolute memory address
D6F60 660EB1C0 .text JMP [static] | Indirect jump to absolute memory address
D6F68 660EB1BC .text JMP [static] | Indirect jump to absolute memory address
D6F70 660EB1B8 .text JMP [static] | Indirect jump to absolute memory address
826D0-827CE N/A .text Potential obfuscated jump sequence detected, count: 51
23FD98 D6C10 .rdata TLS Callback | Pointer to 63F56C10 - 0xD6210 .text
23FD9C D6BD0 .rdata TLS Callback | Pointer to 63F56BD0 - 0xD61D0 .text
410200 N/A *Overlay* 2E66696C6500000024000000FEFF000067016372 | .file...$.......g.cr
Reading this table: the second column is the absolute operand of the indirect CALL or JMP, not an RVA. Subtracting ImageBase 63E80000 places 660EB18C-660EB268 at RVA 226B18C-226B268, inside the IAT (which starts at RVA 226B188 in .idata), so those CALL [static] rows are ordinary calls to imported functions, and the 35 JMP [static] rows at D6E60-D6F70, spaced 8 bytes apart, are the import thunk stubs a GNU ld build emits. 63FD7AD8 is RVA 157AD8 in .data and 640C0E80 is RVA 240E80 in .rdata: those are calls through function pointers held in data and are the ones worth resolving. 7890002 and 600 lie outside the mapped image and are most likely data decoded as code. The two TLS callbacks run before the entry point; mingw-w64's runtime registers two of its own (tlssup.c), so compare the code at file offsets D6210 and D61D0 with that before treating them as custom. The "overlay" at 410200 is not an appended payload: the bytes decode as an 18-byte COFF symbol record (name ".file", value 24, section FFFE = IMAGE_SYM_DEBUG, storage class 67 = IMAGE_SYM_CLASS_FILE, one auxiliary entry) followed by the start of a source file name, i.e. the COFF symbol table and string table of an unstripped GNU ld build, which is also where the "/N" section names would be resolved.
Extra Analysis
Metric          Value         Percentage
Ascii Code      2631743       58,8923%
Null Byte Code  699837        15,6607%
NOP Cave Found  0x9090909090  Block Count: 70 | Total: 0,0039%
© 2026 All rights reserved.