PESCAN.IO - Analysis Report Basic

File Structure
PE Chart Code
Executable header (light blue)
Executable sections (pink)
Non-executable sections (black)
External injected code (red)
File Structure in red = malformed or corrupted header
Chart Code For Other Files
Printable characters (blue)
Non-printable characters (black)
Information

| Field | Value |
|---|---|
| Size | 137,00 KB |
| SHA-256 Hash | E028EEFE61BBD025986BF34CFBFDE7D16FED01C1E01D25F8C75B4C75CFEAA55D |
| SHA-1 Hash | 33D367D8A9180C69B5396B09694884593A91A51A |
| MD5 Hash | 5320D9EF6E05CAF0DB00F854A9119978 |
| Imphash | 799598A2FE546B1CF0D108FE290883B1 |
| MajorOSVersion | 5 |
| MinorOSVersion | 1 |
| CheckSum | 00028621 |
| EntryPoint (rva) | 63BC |
| SizeOfHeaders | 400 |
| SizeOfImage | 27000 |
| ImageBase | 400000 |
| Architecture | x86 |
| ImportTable | A8AC |
| IAT | 8000 |
| Characteristics | 102 |
| TimeDateStamp | 5EF9E089 |
| Date | 29/06/2020 12:37:29 |
| File Type | EXE |
| Number Of Sections | 5 |
| ASLR | Enabled |
| Section Names | .text, .rdata, .data, .rsrc, .reloc |
| Number Of Executable Sections | 1 |
| Subsystem | Windows GUI |
| UAC Execution Level Manifest | asInvoker |
Sections Info
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 60000020 (Code, Executable, Readable) | 400 | 6200 | 1000 | 613B | 6,1249 | 226652,63 |
| .rdata | 40000040 (Initialized Data, Readable) | 6600 | 3400 | 8000 | 3382 | 6,5306 | 176575,96 |
| .data | C0000040 (Initialized Data, Readable, Writeable) | 9A00 | 600 | C000 | C90 | 6,8256 | 16350,00 |
| .rsrc | 40000040 (Initialized Data, Readable) | A000 | 17200 | D000 | 170AB | 7,6182 | 158152,22 |
| .reloc | 42000040 (Initialized Data, GP-Relative, Readable) | 21200 | 1200 | 25000 | 1162 | 4,7435 | 224594,78 |
Description

| Field | Value |
|---|---|
| OriginalFilename | EtStart.EXE |
| LegalCopyright | Copyright (C) 2009 |
| ProductName | Anwendung EtStart |
| FileVersion | 1.0.0.8 |
| FileDescription | MFC-Anwendung EtStart |
| ProductVersion | 1.0.0.8 |
| Language | Czech (Czech Republic) (ID=0x407) |
| CodePage | Unicode (UTF-16 LE) (0x4B0) |
Entry Point

Section number 1 (.text) contains the entry point. EntryPoint (calculated file offset): 57BC

Code at entry point: E892040000E963FDFFFF8BFF558BEC81EC28030000A340CA4000890D3CCA4000891538CA4000891D34CA4000893530CA4000

Disassembly:
• CALL 0X1497
• JMP 0XD6D
• MOV EDI, EDI
• PUSH EBP
• MOV EBP, ESP
• SUB ESP, 0X328
• MOV DWORD PTR [0X40CA40], EAX
• MOV DWORD PTR [0X40CA3C], ECX
• MOV DWORD PTR [0X40CA38], EDX
• MOV DWORD PTR [0X40CA34], EBX
• MOV DWORD PTR [0X40CA30], ESI
Signatures

Rich Signature Analyzer:
• Code: 94BDD951D0DCB702D0DCB702D0DCB702D9A42402DCDCB702BFAA2B02D5DCB702D0DCB602ECDDB70243922F02D4DCB702BFAA2902D1DCB702BFAA1D02C4DCB702BFAA1C02DFDCB702BFAA2D02D1DCB702BFAA2A02D1DCB70252696368D0DCB702
• Footprint md5 Hash: EFB02D143CB0907FBA6C5CEA7060DBA4
• The Rich header apparently has not been modified

Certificate - Digital Signature Not Found:
• The file is not signed
Packer/Compiler

Detect It Easy (die):
• PE: compiler: EP:Microsoft Visual C/C++(2008-2010)[EXE32]
• PE: compiler: Microsoft Visual C/C++(2010)[msvcrt]
• PE: linker: Microsoft Linker(10.0)[-]
• Entropy: 7.36289
Suspicious Functions
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | CreateMutexA | Creates a named or unnamed mutex object for controlling access to a shared resource. |
| KERNEL32.DLL | GetModuleFileNameA | Retrieve the fully qualified path for the executable file of a specified module. |
| KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module. |
| KERNEL32.DLL | CopyFileA | Copies an existing file to a new file. |
| KERNEL32.DLL | CreateToolhelp32Snapshot | Creates a snapshot of the specified processes, heaps, threads, and modules. |
| KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |
Windows REG
• SOFTWARE\Lexcom\ETKA
• SOFTWARE\Lexcom\PET2
File Access
• Start EtSart.exe
• ETSTART.EXE
• %s\etka7.exe
• End EtStart.exe
• LexCom\Common\Program\EtkaLogin\EtkaLogin.exe
• UpdateManager.exe
• EtkaLogin.exe
• SHLWAPI.dll
• SHELL32.dll
• ADVAPI32.dll
• USER32.dll
• KERNEL32.dll
• mfc100.dll
• MSVCR100.dll
• \Pet2Info.dll
• \EtkaInfo.dll
• @.dat
• %s\LexCom\ETKA\Debug.log
• %supd*.log
• %s\Program.ini
• LexCom\Common\AllUser\ProgramUpdate\ProgramUpdate.ini
• etka_set.ini
• %s\CONFIG\etka_user_??.ini
• %s\PROGRAM\Program.ini
• etka_user_%s.ini
• %s\LexCom\PET2\CONFIG\Hasp_64747.ini
• %s\LexCom\ETKA\CONFIG\Hasp_64747.ini
• %s\SafeNet Sentinel\Sentinel LDK\Hasp_64747.ini
• %s\etka_%s.ini
• %s\Revision.ini
• .ini
• ProgramFiles
• AppData
File Access (UNICODE)
• EtStart.EXE
Words of Interest
• exec
• attrib
• start
Words of Interest (UNICODE)
• start
URLs
• http://schemas.microsoft.com/SMI/2005/WindowsSettings
Strings/Hex Code Found With The File Rules
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | Registry (RegOpenKeyEx) |
| Text | Ascii | File (CopyFile) |
| Text | Ascii | Anti-Analysis VM (IsDebuggerPresent) |
| Text | Ascii | Anti-Analysis VM (CreateToolhelp32Snapshot) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Execution (CreateProcessA) |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | Microsoft Visual C++ v7.0 |
| Entry Point | Hex Pattern | VC8 - Microsoft Corporation |
Resources
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \ICON\1\1031 | D2F8 | 468 | A2F8 | 280000001000000020000000010020000000000000040000130B0000130B000000000000000000001C1C2B00201F35001D1C | (....... ..... ...........................+. .5... |
| \ICON\2\1031 | D760 | 10A8 | A760 | 280000002000000040000000010020000000000000100000130B0000130B0000000000000000000000000000000000000000 | (... ...@..... ................................... |
| \ICON\3\1031 | E808 | 25A8 | B808 | 280000003000000060000000010020000000000000240000130B0000130B0000000000000000000000000000000000000000 | (...0........ ......$............................ |
| \ICON\4\1031 | 10DB0 | 7913 | DDB0 | 89504E470D0A1A0A0000000D49484452000001000000010008060000005C72A866000078DA4944415478DAEDBD79B475DB55 | .PNG........IHDR.............\r.f..x.IDATx...y.u.U |
| \ICON\5\1031 | 186C4 | 468 | 156C4 | 280000001000000020000000010020000000000000040000130B0000130B000000000000000000001C1C2B00201F35001D1C | (....... ..... ...........................+. .5... |
| \ICON\6\1031 | 18B2C | 10A8 | 15B2C | 280000002000000040000000010020000000000000100000130B0000130B0000000000000000000000000000000000000000 | (... ...@..... ................................... |
| \ICON\7\1031 | 19BD4 | 25A8 | 16BD4 | 280000003000000060000000010020000000000000240000130B0000130B0000000000000000000000000000000000000000 | (...0........ ......$............................ |
| \ICON\8\1031 | 1C17C | 7913 | 1917C | 89504E470D0A1A0A0000000D49484452000001000000010008060000005C72A866000078DA4944415478DAEDBD79B475DB55 | .PNG........IHDR.............\r.f..x.IDATx...y.u.U |
| \DIALOG\102\1031 | 23A90 | A6 | 20A90 | 0100FFFF0000000000000400C000C8900200000000007A001C00000000004500740053007400610072007400000008000000 | ......................z.......E.t.S.t.a.r.t....... |
| \GROUP_ICON\128\1031 | 23B38 | 3E | 20B38 | 00000100040010100000010020006804000001002020000001002000A810000002003030000001002000A825000003000000000001002000137900000400 | ............ .h..... .... .......00.... ..%.......... ..y.... |
| \GROUP_ICON\131\1031 | 23B78 | 3E | 20B78 | 00000100040010100000010020006804000005002020000001002000A810000006003030000001002000A825000007000000000001002000137900000800 | ............ .h..... .... .......00.... ..%.......... ..y.... |
| \VERSION\1\1031 | 23BB8 | 294 | 20BB8 | 940234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \24\1\1033 | 23E4C | 25F | 20E4C | 3C617373656D626C7920786D6C6E733D2275726E3A736368656D61732D6D6963726F736F66742D636F6D3A61736D2E763122 | <assembly xmlns="urn:schemas-microsoft-com:asm.v1" |
Intelligent String
• 1.0.0.8
• %supd*.log
• %s\etka_%s.ini
• %s\SafeNet Sentinel%s\SafeNet Sentinel\Sentinel LDK\Hasp_64747.ini%s\LexCom\ETKA\CONFIG\Hasp_64747.ini
• %s\LexCom\PET2\CONFIG\Hasp_64747.ini
• etka_user_%s.ini
• No User-Directory foundGlobal\UpdateManagerMutex
• version%s\PROGRAM\Program.ini
• %s\CONFIG\etka_user_??.ini
• EtkaLogin.exe
• \EtkaInfo.dll
• \Pet2Info.dll
• UpdateManager.exe
• LexCom\Common\Program\EtkaLogin\EtkaLogin.exe -product ETKALexCom\Common\Program\EtkaLogin\EtkaLogin.exe -product PET2{72FEA470-1570-4309-B8F6-C7C429D4ADF3}
• etka_set.ini
• Etka7.gui
• updateCheckLexCom\Common\AllUser\ProgramUpdate\ProgramUpdate.ini
• "%s\etka7.exe" %s
• product%s\Program.ini
• ETSTART.EXE
• Start EtSart.exe
• %s\LexCom\ETKA\Debug.log
• MSVCR100.dll
• mfc100.dll
• USER32.dll
• EtStart.EXE
• <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><ms_windowsSettings:dpiAware xmlns:ms_windowsSettings="http://schemas.microsoft.com/SMI/2005/WindowsSettings" xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</ms_windowsSettings:dpiAware></windowsSettings></application></assembly>
Flow Anomalies

| Offset | RVA | Section | Type | Description |
|---|---|---|---|---|
| 492 | 40815C | .text | CALL [static] | Indirect call to absolute memory address |
| 4C0 | 408160 | .text | CALL [static] | Indirect call to absolute memory address |
| 641 | 40815C | .text | CALL [static] | Indirect call to absolute memory address |
| 661 | 408160 | .text | CALL [static] | Indirect call to absolute memory address |
| 714 | 408160 | .text | CALL [static] | Indirect call to absolute memory address |
| 798 | 408004 | .text | CALL [static] | Indirect call to absolute memory address |
| 7AD | 408008 | .text | CALL [static] | Indirect call to absolute memory address |
| 83B | 4080A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 86E | 408150 | .text | CALL [static] | Indirect call to absolute memory address |
| 8D3 | 408154 | .text | CALL [static] | Indirect call to absolute memory address |
| 8F2 | 408154 | .text | CALL [static] | Indirect call to absolute memory address |
| 9C6 | 408174 | .text | CALL [static] | Indirect call to absolute memory address |
| A14 | 408174 | .text | CALL [static] | Indirect call to absolute memory address |
| A5C | 408174 | .text | CALL [static] | Indirect call to absolute memory address |
| AA4 | 408174 | .text | CALL [static] | Indirect call to absolute memory address |
| FEE | 408134 | .text | CALL [static] | Indirect call to absolute memory address |
| 1069 | 408130 | .text | CALL [static] | Indirect call to absolute memory address |
| 11B3 | 4082BC | .text | CALL [static] | Indirect call to absolute memory address |
| 11CD | 4082C8 | .text | CALL [static] | Indirect call to absolute memory address |
| 122B | 4082C0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1292 | 4082C0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1360 | 4082C8 | .text | CALL [static] | Indirect call to absolute memory address |
| 13A2 | 408094 | .text | CALL [static] | Indirect call to absolute memory address |
| 1402 | 4082B0 | .text | CALL [static] | Indirect call to absolute memory address |
| 145F | 4082B0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1501 | 4082B0 | .text | CALL [static] | Indirect call to absolute memory address |
| 158D | 408134 | .text | CALL [static] | Indirect call to absolute memory address |
| 161C | 408130 | .text | CALL [static] | Indirect call to absolute memory address |
| 16BA | 4082B0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1704 | 4082B0 | .text | CALL [static] | Indirect call to absolute memory address |
| 172C | 4082B4 | .text | CALL [static] | Indirect call to absolute memory address |
| 1734 | 4082B8 | .text | CALL [static] | Indirect call to absolute memory address |
| 1752 | 4082B0 | .text | CALL [static] | Indirect call to absolute memory address |
| 176A | 4082B0 | .text | CALL [static] | Indirect call to absolute memory address |
| 17D9 | 4082B0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1C0A | 40814C | .text | CALL [static] | Indirect call to absolute memory address |
| 1C93 | 40814C | .text | CALL [static] | Indirect call to absolute memory address |
| 1CED | 4082C0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1D4D | 4082C0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1E42 | 408128 | .text | CALL [static] | Indirect call to absolute memory address |
| 1E56 | 408120 | .text | CALL [static] | Indirect call to absolute memory address |
| 1EC8 | 40814C | .text | CALL [static] | Indirect call to absolute memory address |
| 1ED5 | 408124 | .text | CALL [static] | Indirect call to absolute memory address |
| 1F78 | 408128 | .text | CALL [static] | Indirect call to absolute memory address |
| 1F8C | 408120 | .text | CALL [static] | Indirect call to absolute memory address |
| 2007 | 40814C | .text | CALL [static] | Indirect call to absolute memory address |
| 2014 | 408124 | .text | CALL [static] | Indirect call to absolute memory address |
| 20AB | 4082BC | .text | CALL [static] | Indirect call to absolute memory address |
| 20DF | 4082C8 | .text | CALL [static] | Indirect call to absolute memory address |
| 21A6 | 408220 | .text | CALL [static] | Indirect call to absolute memory address |
| 21B9 | 408220 | .text | CALL [static] | Indirect call to absolute memory address |
| 2252 | 408128 | .text | CALL [static] | Indirect call to absolute memory address |
| 24A1 | 408128 | .text | CALL [static] | Indirect call to absolute memory address |
| 24CD | 40815C | .text | CALL [static] | Indirect call to absolute memory address |
| 2549 | 4082B0 | .text | CALL [static] | Indirect call to absolute memory address |
| 25CA | 7501F883 | .text | JMP [static] | Indirect jump to absolute memory address |
| 2626 | 7501F883 | .text | JMP [static] | Indirect jump to absolute memory address |
| 270C | 7501FE83 | .text | JMP [static] | Indirect jump to absolute memory address |
| 276F | 7501FE83 | .text | JMP [static] | Indirect jump to absolute memory address |
| 27A8 | 7501FE83 | .text | JMP [static] | Indirect jump to absolute memory address |
| 2836 | 7501FE83 | .text | JMP [static] | Indirect jump to absolute memory address |
| 2890 | 408218 | .text | CALL [static] | Indirect call to absolute memory address |
| 28F6 | 408218 | .text | CALL [static] | Indirect call to absolute memory address |
| 293B | 4082C0 | .text | CALL [static] | Indirect call to absolute memory address |
| 2944 | 4082C0 | .text | CALL [static] | Indirect call to absolute memory address |
| 29D4 | 408014 | .text | CALL [static] | Indirect call to absolute memory address |
| 29EC | 408188 | .text | CALL [static] | Indirect call to absolute memory address |
| 2A8B | 408174 | .text | CALL [static] | Indirect call to absolute memory address |
| 2B30 | 408170 | .text | CALL [static] | Indirect call to absolute memory address |
| 2C94 | 408018 | .text | CALL [static] | Indirect call to absolute memory address |
| 2CF2 | 40822C | .text | CALL [static] | Indirect call to absolute memory address |
| 2D0B | 408228 | .text | CALL [static] | Indirect call to absolute memory address |
| 2D1B | 408290 | .text | CALL [static] | Indirect call to absolute memory address |
| 2D2B | 4082C0 | .text | CALL [static] | Indirect call to absolute memory address |
| 2D45 | 40822C | .text | CALL [static] | Indirect call to absolute memory address |
| 2D56 | 408228 | .text | CALL [static] | Indirect call to absolute memory address |
| 2D71 | 4082C0 | .text | CALL [static] | Indirect call to absolute memory address |
| 2D7C | 40801C | .text | CALL [static] | Indirect call to absolute memory address |
| 2DA1 | 408020 | .text | CALL [static] | Indirect call to absolute memory address |
| 2E22 | 408174 | .text | CALL [static] | Indirect call to absolute memory address |
| 2E8F | 408128 | .text | CALL [static] | Indirect call to absolute memory address |
| 2EFE | 408120 | .text | CALL [static] | Indirect call to absolute memory address |
| 2F84 | 4080E4 | .text | CALL [static] | Indirect call to absolute memory address |
| 302B | 408128 | .text | CALL [static] | Indirect call to absolute memory address |
| 3038 | 4080E4 | .text | CALL [static] | Indirect call to absolute memory address |
| 3099 | 408018 | .text | CALL [static] | Indirect call to absolute memory address |
| 30BC | 4080E0 | .text | CALL [static] | Indirect call to absolute memory address |
| 323A | 408018 | .text | CALL [static] | Indirect call to absolute memory address |
| 324E | 40811C | .text | CALL [static] | Indirect call to absolute memory address |
| 326D | 408124 | .text | CALL [static] | Indirect call to absolute memory address |
| 329C | 40808C | .text | CALL [static] | Indirect call to absolute memory address |
| 32BD | 408050 | .text | CALL [static] | Indirect call to absolute memory address |
| 32D1 | 408050 | .text | CALL [static] | Indirect call to absolute memory address |
| 3343 | 4082BC | .text | CALL [static] | Indirect call to absolute memory address |
| 3352 | 4082BC | .text | CALL [static] | Indirect call to absolute memory address |
| 33A6 | 4082B0 | .text | CALL [static] | Indirect call to absolute memory address |
| 33B4 | 40822C | .text | CALL [static] | Indirect call to absolute memory address |
| 33C9 | 408230 | .text | CALL [static] | Indirect call to absolute memory address |
| 33DA | 408290 | .text | CALL [static] | Indirect call to absolute memory address |
| 33EA | 4082C0 | .text | CALL [static] | Indirect call to absolute memory address |
| C8AF-C915 | N/A | .rsrc | | Potential obfuscated jump sequence detected, count: 50 |
| 17C7B-17CE1 | N/A | .rsrc | | Potential obfuscated jump sequence detected, count: 50 |
Extra Analysis
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 84868 | 60,4956% |
| Null Byte Code | 15935 | 11,3588% |
© 2026 All rights reserved.