PREMIUM PESCAN.IO - Analysis Report

File Structure
[Analysis image not included in this extraction. PE chart legend: PE header = light blue; executable sections = pink; non-executable sections = black; external injected code = red; file structure drawn in red = malformed or corrupted header. Chart legend for non-PE files: printable characters = blue; non-printable characters = black.]
Information
Size: 518,50 KB
SHA-256 Hash: 71B37B2955F8BDF93A4F72C20FAF6EF9A690214E00E5A1892D5D345865F17892
SHA-1 Hash: 51A812820CD1021B81DACA2344E7A31DD8DB803B
MD5 Hash: 4F075EC4698A9FA58AD20A0ABA41F416
Imphash: CCE331B83B6EBE6B74EEAD579F4DBF31
MajorOSVersion: 6
MinorOSVersion: 0
CheckSum: 00000000
EntryPoint (rva): 39CC8
SizeOfHeaders: 400
SizeOfImage: 22C000
ImageBase: 10000000
Architecture: x86
ExportTable: 79030
ImportTable: 79078
IAT: 65000
Characteristics: 2102
TimeDateStamp: 69F5B384
Date: 02/05/2026 8:19:16
File Type: DLL
Number Of Sections: 5
ASLR: Enabled
Section Names: .text, .rdata, .data, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker
[Incomplete Binary or Compressor Packer - 1,67 MB Missing]

Sections Info
Section Name  Flags       Characteristics                           ROffset  RSize  VOffset  VSize   Entropy  Chi2
.text         0x60000020  Code, Executable, Readable                400      63C00  1000     63B88   6.601    2167849.85
.rdata        0x40000040  Initialized Data, Readable                64000    16000  65000    15F32   5.5066   3042473.62
.data         0xC0000040  Initialized Data, Readable, Writeable     7A000    3400   7B000    1AA178  3.6954   1163710
.rsrc         0x40000040  Initialized Data, Readable                7D400    200    226000   1E0     4.7154   9291
.reloc        0x42000040  Initialized Data, GP-Relative, Readable   7D600    4400   227000   43A0    6.6329   70175.41
Entry Point
Section 1 (.text) contains the entry point.
Information -> EntryPoint (calculated file offset) - 390C8
Code -> 558BEC837D0C017505E8EC050000FF7510FF750CFF7508E8AEFEFFFF83C40C5DC20C008B4DF464890D00000000595F5F5E5B
Assembler
    PUSH EBP
    MOV EBP, ESP
    CMP DWORD PTR [EBP + 0XC], 1
    JNE 0X100E
    CALL 0X15FA
    PUSH DWORD PTR [EBP + 0X10]
    PUSH DWORD PTR [EBP + 0XC]
    PUSH DWORD PTR [EBP + 8]
    CALL 0XECA
    ADD ESP, 0XC
    POP EBP
    RET 0XC
    MOV ECX, DWORD PTR [EBP - 0XC]
    MOV DWORD PTR FS:[0], ECX
    POP ECX
    POP EDI
    POP EDI
    POP ESI
    POP EBX
Signatures
Rich Signature Analyzer:
Code -> FCCE0F4DB8AF611EB8AF611EB8AF611EF3D7621FB7AF611EF3D7641F11AF611EAD2B651FB5AF611EDEC09C1EB9AF611EEADA651FA9AF611EEADA621FA0AF611EEADA641FEAAF611EF3D7651FA2AF611EF3D7601FA7AF611EB8AF601E2BAE611EB8AF611EB9AF611E77DA681FA3AF611E77DA611FB9AF611E77DA9E1EB9AF611E77DA631FB9AF611E52696368B8AF611E
Footprint md5 Hash -> 5755D2965F151718926F325C6744CB3B
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler
Detect It Easy (die)
PE: linker: Microsoft Linker(14.29**)[-]
Entropy: 6.59299

Suspicious Functions
Library       Function                 Description
KERNEL32.DLL  CreateMutexW             Creates a named or unnamed mutex object for controlling access to a shared resource.
KERNEL32.DLL  GetModuleFileNameA       Retrieves the fully qualified path for the executable file of a specified module.
KERNEL32.DLL  VirtualAlloc             Reserves, commits, or both, a region of memory within the virtual address space of a process.
KERNEL32.DLL  GetModuleHandleA         Retrieves a handle to the specified module.
KERNEL32.DLL  CopyFileW                Copies an existing file to a new file.
KERNEL32.DLL  WriteFile                Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL  LoadLibraryA             Loads the specified module into the address space of the calling process.
KERNEL32.DLL  LoadLibraryW             Loads the specified module into the address space of the calling process.
KERNEL32.DLL  CreateToolhelp32Snapshot Creates a snapshot of the specified processes, heaps, threads, and modules.
KERNEL32.DLL  CreateRemoteThread       Creates a thread in the address space of another process.
KERNEL32.DLL  WriteProcessMemory       Writes data to an area of memory in a specified process.
KERNEL32.DLL  GetProcAddress           Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL  IsDebuggerPresent        Determines whether the calling process is being debugged by a user-mode debugger.
Ws2_32.DLL    socket                   Creates a communication endpoint for networking applications.
ADVAPI32.DLL  CryptEncrypt             Performs a cryptographic operation on data in a data block.
ET Functions (carving)
Original Name -> .dll
DDDD

Windows REG (UNICODE)
Software\Tencent\Plugin\VAS
SOFTWARE\Microsoft\Windows NT\CurrentVersion

File Access
Windows\System32\svchost.exe
Windows\SysWOW64\svchost.exe
VERSION.dll
dxgi.dll
gdiplus.dll
IPHLPAPI.DLL
bcrypt.dll
WINMM.dll
SHLWAPI.dll
WS2_32.dll
OLEAUT32.dll
ole32.dll
SHELL32.dll
ADVAPI32.dll
GDI32.dll
USER32.dll
KERNEL32.dll
.dll
ntdll.dll
kernel32.dll
.dat
@.dat
Temp

File Access (UNICODE)
DingTalk.exe
WXWork.exe
WeChat.exe
Sky.exe
WhatsApp.exe
SafeW.exe
y&{Telegram.exe
psapi.dll
ExitProcessWinExecWaitForSingleObject%swininet.dll
GetNativeSystemInfontdll.dll
kernel32.dll
mscoree.dll
api-ms-win-core-synch-l1-2-0.dll
ntdll.dll
Kernel32.dll
\DisplaySessionContainers.log
wos_client_temp.log
\FirewallRules.ini
Temp

Words of Interest
lockbit
Encrypt
exec
attrib
start
shutdown
systeminfo
expand
replace

Words of Interest (UNICODE)
ToolBar
shutdown
at.exe

Anti-VM/Sandbox/Debug Tricks (UNICODE)
LabTools - wireshark

IP Addresses
203.91.74.204
127.0.0.1

Strings/Hex Code Found With The File Rules
Rule Type Encoding Matched (Word)
Text Ascii WinAPI Sockets (connect)
Text Ascii WinAPI Sockets (recv)
Text Ascii WinAPI Sockets (send)
Text Ascii Registry (RegOpenKeyEx)
Text Ascii Registry (RegSetValueEx)
Text Ascii File (GetTempPath)
Text Ascii File (CopyFile)
Text Ascii File (CreateFile)
Text Ascii File (WriteFile)
Text Ascii File (ReadFile)
Text Ascii Service (OpenSCManager)
Hex Hex Pattern PEB AntiDebug (Flag BeingDebugged)
Text Ascii Anti-Analysis VM (IsDebuggerPresent)
Text Ascii Anti-Analysis VM (GetSystemInfo)
Text Ascii Anti-Analysis VM (GlobalMemoryStatusEx)
Text Ascii Anti-Analysis VM (GetVersion)
Text Ascii Anti-Analysis VM (CreateToolhelp32Snapshot)
Text Ascii Reconnaissance (FindFirstFileW)
Text Ascii Reconnaissance (FindNextFileW)
Text Ascii Reconnaissance (FindClose)
Text Ascii Stealth (GetThreadContext)
Text Ascii Stealth (SetThreadContext)
Text Ascii Stealth (ExitThread)
Text Ascii Stealth (CloseHandle)
Text Ascii Stealth (IsBadReadPtr)
Text Ascii Stealth (VirtualAlloc)
Text Ascii Stealth (VirtualProtect)
Text Ascii Stealth (CreateRemoteThread)
Text Ascii Execution (CreateProcessA)
Text Ascii Execution (CreateProcessW)
Text Ascii Execution (WinExec)
Text Ascii Execution (ResumeThread)
Text Ascii Execution (CreateSemaphoreW)
Text Ascii Execution (CreateEventA)
Text Ascii Execution (CreateEventW)
Text Unicode Privileges (SeDebugPrivilege)
Text Unicode Privileges (SeShutdownPrivilege)
Text Unicode Keyboard Key ([Tab])
Text Unicode Keyboard Key ([Home])
Text Unicode Keyboard Key ([End])
Text Unicode Keyboard Key ([Esc])
Text Unicode Keyboard Key ([NumLock])
Text Unicode Keyboard Key ([PageDown])
Text Unicode Keyboard Key ([PageUp])
Text Unicode Keyboard Key ([Caps])
Text Unicode Keyboard Key ([F1])
Text Unicode Keyboard Key ([F2])
Text Unicode Keyboard Key ([F3])
Text Unicode Keyboard Key ([F4])
Text Unicode Keyboard Key ([F5])
Text Unicode Keyboard Key ([F6])
Text Unicode Keyboard Key ([F7])
Text Unicode Keyboard Key ([F8])
Text Unicode Keyboard Key ([F9])
Text Unicode Keyboard Key ([F10])
Text Unicode Keyboard Key ([F11])
Text Unicode Keyboard Key ([F12])
Text Unicode Keyboard Key ([Esc])
Text Unicode Keyboard Key (Scroll)
Text Unicode Keyboard Key (PageDown)
Text Unicode Keyboard Key (PageUp)
Entry Point Hex Pattern Microsoft Visual C++ 8
Entry Point Hex Pattern VC8 - Microsoft Corporation
Resources
Path       -> \24\2\1033
DataRVA    -> 226060
Size       -> 17D
FileOffset -> 7D460
Code       -> 3C3F786D6C2076657273696F6E3D27312E302720656E636F64696E673D275554462D3827207374616E64616C6F6E653D2779
Text       -> <?xml version='1.0' encoding='UTF-8' standalone='y
Intelligent String
• 203.91.74.204
• kernel32.dll
• ntdll.dll
• Kernel32.dll
• api-ms-win-core-synch-l1-2-0.dll
• mscoree.dll
• .\FirewallRules.ini
• Telegram.exe
• SafeW.exe
• WhatsApp.exe
• Sky.exe
• WeChat.exe
• WXWork.exe
• DingTalk.exe
• Windows\SysWOW64\svchost.exe
• Windows\System32\svchost.exe
• OpenProcessKernel32.dll
• wininet.dll
• wos_client_temp.log
• .zip
• psapi.dll
• .tmp
• %sTelegram_%04d%02d%02d_%02d%02d%02d.bak
• \DisplaySessionContainers.log
• .tls
• 8n.bss
• KERNEL32.dll
• ADVAPI32.dll
• 127.0.0.1

Flow Anomalies
Offset RVA Section Description
79E 1006547C .text CALL [static] | Indirect call to absolute memory address
CFD 1006530C .text CALL [static] | Indirect call to absolute memory address
D15 1006531C .text CALL [static] | Indirect call to absolute memory address
D1F 10065314 .text CALL [static] | Indirect call to absolute memory address
D4B 10065308 .text CALL [static] | Indirect call to absolute memory address
D70 100652F8 .text CALL [static] | Indirect call to absolute memory address
DAF 10065310 .text CALL [static] | Indirect call to absolute memory address
DCB 10065318 .text CALL [static] | Indirect call to absolute memory address
DFA 10065300 .text CALL [static] | Indirect call to absolute memory address
E53 100652F4 .text CALL [static] | Indirect call to absolute memory address
105B 10065388 .text CALL [static] | Indirect call to absolute memory address
1095 10065388 .text CALL [static] | Indirect call to absolute memory address
11BB 10065320 .text CALL [static] | Indirect call to absolute memory address
11ED 10065388 .text CALL [static] | Indirect call to absolute memory address
128B 10065320 .text CALL [static] | Indirect call to absolute memory address
12BB 10065388 .text CALL [static] | Indirect call to absolute memory address
13A1 100652FC .text CALL [static] | Indirect call to absolute memory address
1512 100652E4 .text CALL [static] | Indirect call to absolute memory address
1544 100652F8 .text CALL [static] | Indirect call to absolute memory address
158D 10065300 .text CALL [static] | Indirect call to absolute memory address
159C 100652F0 .text CALL [static] | Indirect call to absolute memory address
169D 10065308 .text CALL [static] | Indirect call to absolute memory address
1782 100652F8 .text CALL [static] | Indirect call to absolute memory address
2BE9 100652D4 .text CALL [static] | Indirect call to absolute memory address
2C96 1006547C .text CALL [static] | Indirect call to absolute memory address
2CA4 100652B4 .text CALL [static] | Indirect call to absolute memory address
2D1B 10065494 .text CALL [static] | Indirect call to absolute memory address
2D24 100652BC .text CALL [static] | Indirect call to absolute memory address
2D31 100654AC .text CALL [static] | Indirect call to absolute memory address
2D3A 100652D8 .text CALL [static] | Indirect call to absolute memory address
2D71 100652B0 .text CALL [static] | Indirect call to absolute memory address
2D7E 10065448 .text CALL [static] | Indirect call to absolute memory address
2D9C 10065484 .text CALL [static] | Indirect call to absolute memory address
2DB7 100652B8 .text CALL [static] | Indirect call to absolute memory address
2DE4 100652B8 .text CALL [static] | Indirect call to absolute memory address
2DF9 10065474 .text CALL [static] | Indirect call to absolute memory address
2E20 10065490 .text CALL [static] | Indirect call to absolute memory address
2E40 10065488 .text CALL [static] | Indirect call to absolute memory address
2EF3 1006546C .text CALL [static] | Indirect call to absolute memory address
2FE1 10065478 .text CALL [static] | Indirect call to absolute memory address
2FFF 1006548C .text CALL [static] | Indirect call to absolute memory address
30D7 10065448 .text CALL [static] | Indirect call to absolute memory address
31A2 10065448 .text CALL [static] | Indirect call to absolute memory address
31F1 100652CC .text CALL [static] | Indirect call to absolute memory address
3314 100652CC .text CALL [static] | Indirect call to absolute memory address
3366 100652DC .text CALL [static] | Indirect call to absolute memory address
3390 100652DC .text CALL [static] | Indirect call to absolute memory address
33E4 10065484 .text CALL [static] | Indirect call to absolute memory address
3415 1006546C .text CALL [static] | Indirect call to absolute memory address
3445 10065498 .text CALL [static] | Indirect call to absolute memory address
3457 100652B8 .text CALL [static] | Indirect call to absolute memory address
3484 100652B8 .text CALL [static] | Indirect call to absolute memory address
3499 10065474 .text CALL [static] | Indirect call to absolute memory address
34BC 10065490 .text CALL [static] | Indirect call to absolute memory address
34DB 10065454 .text CALL [static] | Indirect call to absolute memory address
34EF 10065488 .text CALL [static] | Indirect call to absolute memory address
34FE 10065464 .text CALL [static] | Indirect call to absolute memory address
3553 100652CC .text CALL [static] | Indirect call to absolute memory address
358A 100652A4 .text CALL [static] | Indirect call to absolute memory address
35EE 1006545C .text CALL [static] | Indirect call to absolute memory address
3691 100652C4 .text CALL [static] | Indirect call to absolute memory address
3697 10065314 .text CALL [static] | Indirect call to absolute memory address
36B5 10065464 .text CALL [static] | Indirect call to absolute memory address
36E6 100652CC .text CALL [static] | Indirect call to absolute memory address
3734 10065460 .text CALL [static] | Indirect call to absolute memory address
373F 10065464 .text CALL [static] | Indirect call to absolute memory address
377A 10065458 .text CALL [static] | Indirect call to absolute memory address
37BE 10065454 .text CALL [static] | Indirect call to absolute memory address
37C9 10065464 .text CALL [static] | Indirect call to absolute memory address
3865 10065480 .text CALL [static] | Indirect call to absolute memory address
3870 10065464 .text CALL [static] | Indirect call to absolute memory address
3952 1006548C .text CALL [static] | Indirect call to absolute memory address
39A7 100652C4 .text CALL [static] | Indirect call to absolute memory address
39D1 10065314 .text CALL [static] | Indirect call to absolute memory address
3A08 10065464 .text CALL [static] | Indirect call to absolute memory address
3A60 100652EC .text CALL [static] | Indirect call to absolute memory address
3AB7 100652E4 .text CALL [static] | Indirect call to absolute memory address
3AD4 10065480 .text CALL [static] | Indirect call to absolute memory address
3AFB 100652E4 .text CALL [static] | Indirect call to absolute memory address
3B22 10065464 .text CALL [static] | Indirect call to absolute memory address
3B70 100652E4 .text CALL [static] | Indirect call to absolute memory address
3BBB 100652CC .text CALL [static] | Indirect call to absolute memory address
3BEF 100652C8 .text CALL [static] | Indirect call to absolute memory address
3C24 100652C4 .text CALL [static] | Indirect call to absolute memory address
3C86 10065414 .text CALL [static] | Indirect call to absolute memory address
3CAC 100653EC .text CALL [static] | Indirect call to absolute memory address
3CED 100652D4 .text CALL [static] | Indirect call to absolute memory address
3D19 10065480 .text CALL [static] | Indirect call to absolute memory address
3D40 10065470 .text CALL [static] | Indirect call to absolute memory address
3D58 1006549C .text CALL [static] | Indirect call to absolute memory address
3D61 100654AC .text CALL [static] | Indirect call to absolute memory address
3D81 100652EC .text CALL [static] | Indirect call to absolute memory address
3D8B 100652EC .text CALL [static] | Indirect call to absolute memory address
3DED 100652EC .text CALL [static] | Indirect call to absolute memory address
3E8B 100652D8 .text CALL [static] | Indirect call to absolute memory address
3E92 100652E4 .text CALL [static] | Indirect call to absolute memory address
3EB5 100652C4 .text CALL [static] | Indirect call to absolute memory address
3EDE 100652EC .text CALL [static] | Indirect call to absolute memory address
3EEB 100652E4 .text CALL [static] | Indirect call to absolute memory address
3F60 100652E4 .text CALL [static] | Indirect call to absolute memory address
1E922-1E93F N/A .text Unusual BP Cave, count: 30
Extra Analysis
Metric Value Percentage
Ascii Code 308430 58,0909%
Null Byte Code 83090 15,6495%