PESCAN.IO - Analysis Report Basic

| File Structure |
PE Chart Code (legend of the file-structure chart; the chart image itself is not included here)
• Executable header (light blue)
• Executable sections (pink)
• Non-executable sections (black)
• External injected code (red)
• File Structure in red = malformed or corrupted header
Chart Code For Other Files
• Printable characters (blue)
• Non-printable characters (black)
| Information |
Size: 985.24 KB
SHA-256: 69690B7DB2D44340A01A8887AF3FB1F7B3C9321065370D647ABA9BE540E1C0AF
SHA-1: 7C181A4694F6830C84030C8C76243693A65DFA3A
MD5: 56EFA77C74FF8BE44789AA48112888EF
Imphash: B34F154EC913D2D2C435CBD644E91687
MajorOSVersion: 4
MinorOSVersion: 0
CheckSum: 000F9E03
EntryPoint (RVA): 338F
SizeOfHeaders: 400
SizeOfImage: 206000
ImageBase: 400000
Architecture: x86
ImportTable: 8610
IAT: 8000
Characteristics: 10F (IMAGE_FILE_RELOCS_STRIPPED | EXECUTABLE_IMAGE | LINE_NUMS_STRIPPED | LOCAL_SYMS_STRIPPED | 32BIT_MACHINE)
TimeDateStamp: 5C157F86
Date: 15/12/2018 22:26:14 (UTC, decoded from TimeDateStamp)
File Type: EXE
Number Of Sections: 5
ASLR: Enabled (DYNAMIC_BASE flag as reported by the tool; see note below)
Section Names: .text, .rdata, .data, .ndata, .rsrc
Number Of Executable Sections: 1
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker
Tool flag: [Incomplete Binary or Compressor Packer - 1.06 MB Missing]
Notes:
• ASLR: Characteristics 0x10F includes IMAGE_FILE_RELOCS_STRIPPED and the section list has no .reloc, so the loader has no relocation data and cannot rebase the image away from 0x400000; the DYNAMIC_BASE flag is not effective on its own.
• Timestamp: NSIS ships a prebuilt exehead stub, and this stamp matches the NSIS 3.04 release identified under Packer/Compiler, so it dates the stub rather than the creation of this installer. The 2020-era code-signing CA in the URLs section shows the file was signed well after this date.
• Missing-size flag: SizeOfImage 0x206000 (2,121,728 bytes) exceeds the file size by about 1.06 MB because .ndata (0x130000 bytes virtual, zero bytes on disk, uninitialized) and the uninitialized tail of .data occupy address space but no file space. This is the normal shape of an NSIS stub, not a truncated file; the installer payload sits in the overlay (see the last row under Flow Anomalies).
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 60000020 (Code, Executable, Readable) | 400 | 6800 | 1000 | 6627 | 6.4503 | 206729.88 |
| .rdata | 40000040 (Initialized Data, Readable) | 6C00 | 1600 | 8000 | 14A2 | 5.0252 | 177860.18 |
| .data | C0000040 (Initialized Data, Readable, Writable) | 8200 | 600 | A000 | 70FF8 | 4.0371 | 86706.00 |
| .ndata | C0000080 (Uninitialized Data, Readable, Writable) | 0 | 0 | 7B000 | 130000 | N/A | N/A |
| .rsrc | 40000040 (Initialized Data, Readable) | 8800 | 5A600 | 1AB000 | 5A540 | 3.0473 | 25809326.59 |
All offsets and sizes are hexadecimal. .ndata is the NSIS-specific scratch section (no file bytes, 0x130000 bytes virtual), and .data likewise has only 0x600 bytes on disk against 0x70FF8 virtual. The large, low-entropy .rsrc is almost entirely uncompressed 32-bit icon bitmaps (see the Resources table), which is why its entropy is close to 3.
| Description |
LegalCopyright: Copyright Frogtek
ProductName: Tiendatek
FileVersion: 1.19.5
ProductVersion: 1.19.5
Language: English (United States) (ID=0x409)
CodePage: Western European (Windows 1252) (0x4E4)
| Entry Point |
Section 1 (.text) contains the entry point. EntryPoint RVA 338F maps to file offset 278F (338F - .text VOffset 1000 + .text ROffset 400).
Bytes at the entry point: 81ECD40200005356576A205F33DB6801800000895C2414C7442410E0A24000895C241CFF15A8804000FF15A480400025FFFF
Disassembly:
• SUB ESP, 0x2D4
• PUSH EBX
• PUSH ESI
• PUSH EDI
• PUSH 0x20
• POP EDI
• XOR EBX, EBX
• PUSH 0x8001
• MOV DWORD PTR [ESP + 0x14], EBX
• MOV DWORD PTR [ESP + 0x10], 0x40A2E0
• MOV DWORD PTR [ESP + 0x1C], EBX
• CALL DWORD PTR [0x4080A8]
• CALL DWORD PTR [0x4080A4]
• (the trailing bytes 25 FF FF are the start of an AND EAX, imm32 that the dump cuts off)
Both calls go through IAT slots (0x4080A8 and 0x4080A4 lie in the IAT at RVA 0x8000 in .rdata); the report does not resolve the slot names. PUSH 0x8001 is SEM_FAILCRITICALERRORS | SEM_NOOPENFILEERRORBOX, so a one-argument call followed by an argument-less call is consistent with the SetErrorMode and InitCommonControls prologue of the NSIS exehead, which is what a stock NSIS stub starts with.
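The following Python is an added, runnable example (not PESCAN.IO's code, and only values that appear in this report are embedded in it). It re-derives the calculated entry-point offset from the section table, locates the overlay, validates the NSIS first-header signature the report prints at the overlay, and classifies the absolute call targets listed under Flow Anomalies. The NSIS first-header layout (flags, 0xDEADBEEF, "NullsoftInst", then two lengths) is taken from the NSIS exehead sources; the assumption that the IAT spans from RVA 0x8000 up to the import directory at 0x8610 is mine, since the report gives no IAT size.

```python
# Added example: section-table arithmetic for the Tiendatek NSIS stub.
# Every constant below is copied from the PESCAN.IO report; nothing is read from disk.
import struct

IMAGE_BASE = 0x400000
ENTRY_RVA = 0x338F
IAT_RVA = 0x8000            # "IAT: 8000"
IMPORT_TABLE_RVA = 0x8610   # "ImportTable: 8610"; assumed to bound the IAT (size not in the report)

# (name, raw_offset, raw_size, virtual_address, virtual_size) from "Sections Info"
SECTIONS = [
    (".text",  0x400,  0x6800,  0x1000,   0x6627),
    (".rdata", 0x6C00, 0x1600,  0x8000,   0x14A2),
    (".data",  0x8200, 0x600,   0xA000,   0x70FF8),
    (".ndata", 0x0,    0x0,     0x7B000,  0x130000),
    (".rsrc",  0x8800, 0x5A600, 0x1AB000, 0x5A540),
]

def section_for_rva(rva):
    """Section whose virtual range contains rva, or None (headers, gaps)."""
    for sec in SECTIONS:
        _, roff, rsize, va, vsize = sec
        if va <= rva < va + max(vsize, rsize):
            return sec
    return None

def rva_to_offset(rva):
    """Map an RVA to a file offset; None when no file bytes back it
    (uninitialized .ndata, or the virtual slack past a section's raw size)."""
    sec = section_for_rva(rva)
    if sec is None:
        return None
    _, roff, rsize, va, _ = sec
    delta = rva - va
    return roff + delta if delta < rsize else None

def offset_to_rva(offset):
    """Inverse mapping for the Offset column of the Flow Anomalies table."""
    for _, roff, rsize, va, _ in SECTIONS:
        if rsize and roff <= offset < roff + rsize:
            return va + (offset - roff)
    return None  # headers or overlay

def overlay_offset():
    """The overlay begins where the last raw section ends."""
    return max(roff + rsize for _, roff, rsize, _, _ in SECTIONS)

NSIS_SIGINFO = 0xDEADBEEF
NSIS_MAGIC = b"NullsoftInst"

def parse_nsis_firstheader(blob):
    """NSIS 'firstheader': uint32 flags, uint32 siginfo (0xDEADBEEF),
    12 bytes 'NullsoftInst', uint32 length_of_header, uint32 length_of_all_following_data.
    Returns a dict, or None if the signature is absent. The two lengths are
    only filled in when the caller supplies at least 28 bytes."""
    if len(blob) < 20:
        return None
    flags, siginfo = struct.unpack_from("<II", blob, 0)
    if siginfo != NSIS_SIGINFO or blob[8:20] != NSIS_MAGIC:
        return None
    out = {"flags": flags}
    if len(blob) >= 28:
        out["length_of_header"], out["length_of_all_following_data"] = struct.unpack_from("<II", blob, 20)
    return out

def classify_call_targets(vas):
    """For each absolute CALL target (VA, as printed in Flow Anomalies)
    return (section name, True if it is an IAT slot)."""
    result = {}
    for va in vas:
        rva = va - IMAGE_BASE
        sec = section_for_rva(rva)
        result[va] = (sec[0] if sec else None, IAT_RVA <= rva < IMPORT_TABLE_RVA)
    return result

# Constructed sample: the 20 overlay bytes the report prints at file offset 0x62E00.
OVERLAY_HEAD = bytes.fromhex("00000000EFBEADDE4E756C6C736F6674496E7374")

if __name__ == "__main__":
    print(hex(rva_to_offset(ENTRY_RVA)))         # 0x278f, the report's "EntryPoint (calculated)"
    print(hex(overlay_offset()))                 # 0x62e00, the overlay row's offset
    print(parse_nsis_firstheader(OVERLAY_HEAD))  # {'flags': 0}: NSIS payload starts here
    print(classify_call_targets([0x40821C, 0x408018, 0x4082A8]))
```

The two checks that matter for triage are the last two: the overlay really does start with the NSIS first header (so the 600 KB past the sections is installer data, not an appended foreign payload), and every "flow anomaly" target resolves to an IAT slot rather than to .data, .ndata or the overlay.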
| Signatures |
Rich Signature Analyzer:
• Raw (XOR-masked) Rich header: AD310881E95066D2E95066D2E95066D22A5F39D2EB5066D2E95067D24C5066D22A5F3BD2E65066D2BD7356D2E35066D22E5660D2E85066D252696368E95066D2
• Footprint MD5: 8D248B46736E162BA0D0DEE443AD4BB3
• The Rich header apparently has not been modified (the XOR key, the last dword, doubles as a checksum over the DOS header and the tool records; a mismatch would indicate the header was patched or transplanted from another binary)
Certificate - Digital Signature:
• The file is signed and the signature is correct. The chain is GlobalSign's EV code-signing and timestamping hierarchy (see the CA names in the URLs section). A valid signature identifies the signer and shows the file has not changed since signing; it says nothing about what the packaged payload does, and the signer's name is not captured in this report.
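Added example, not PESCAN.IO's code: decoding the masked Rich header above into (product id, build, use count) records, plus the key recomputation behind a "not modified" verdict. The DOS header bytes that the checksum covers are not in this report, so the recomputation is exercised on a constructed header only. Product-id names need a lookup table not reproduced here; the one record worth naming is id 1 with build 0, the conventional Import0 entry whose count is the number of import thunks.

```python
# Added example: Rich header decode and checksum recomputation.
import struct

# The 64 bytes printed by the Rich Signature Analyzer.
RICH_HEX = ("AD310881E95066D2E95066D2E95066D22A5F39D2EB5066D2E95067D24C5066D2"
            "2A5F3BD2E65066D2BD7356D2E35066D22E5660D2E85066D252696368E95066D2")

DANS = 0x536E6144   # "DanS" as a little-endian dword
RICH = 0x68636952   # "Rich"

def _rotl(value, shift):
    shift &= 31
    return ((value << shift) | (value >> (32 - shift))) & 0xFFFFFFFF if shift else value & 0xFFFFFFFF

def decode_rich(blob):
    """Return (key, [(prodid, build, count), ...]).
    Layout: DanS^key, 3 x (0^key) padding, (compid^key, count^key) pairs, 'Rich', key."""
    if len(blob) % 4 or len(blob) < 24:
        raise ValueError("Rich block must be a multiple of 4 bytes holding DanS..Rich")
    words = list(struct.unpack("<%dI" % (len(blob) // 4), blob))
    if words[-2] != RICH:
        raise ValueError("missing 'Rich' marker")
    key = words[-1]
    if words[0] ^ key != DANS:
        raise ValueError("missing 'DanS' marker")
    if any(w ^ key for w in words[1:4]):
        raise ValueError("non-zero padding after DanS")
    body = words[4:-2]
    if len(body) % 2:
        raise ValueError("odd number of dwords in record area")
    records = []
    for comp, count in zip(body[0::2], body[1::2]):
        comp ^= key
        records.append((comp >> 16, comp & 0xFFFF, count ^ key))   # prodid, build, count
    return key, records

def compute_rich_key(dos_header, records):
    """Recompute the key the linker stored: start from the offset of 'DanS'
    (the length of everything before it), add rotl(byte, i) for every DOS
    header byte except e_lfanew (0x3C..0x3F), then rotl(compid, count) per record."""
    csum = len(dos_header)
    for i, b in enumerate(dos_header):
        if 0x3C <= i < 0x40:
            continue
        csum = (csum + _rotl(b, i)) & 0xFFFFFFFF
    for prodid, build, count in records:
        csum = (csum + _rotl((prodid << 16) | build, count)) & 0xFFFFFFFF
    return csum

def rich_unmodified(dos_header, blob):
    """The check a 'Rich header not modified' verdict rests on."""
    key, records = decode_rich(blob)
    return compute_rich_key(dos_header, records) == key

if __name__ == "__main__":
    key, records = decode_rich(bytes.fromhex(RICH_HEX))
    print("key = 0x%08X" % key)
    for prodid, build, count in records:
        print("prodid=0x%04X build=%5d count=%3d" % (prodid, build, count))
    # Constructed stand-in for the DOS header (not the real one from the file):
    fake_dos = bytes(0x80)
    print("constructed-header key:", hex(compute_rich_key(fake_dos, [(1, 0, 165)])))
```

For this file the decode yields five records: two compiler entries with build 4035, the Import0 entry with count 165, one entry with build 9044, and a single build-1735 entry; their counts sum to 193. A tamper check re-runs `compute_rich_key` over the real DOS header bytes (offset 0 up to "DanS", which is what a Rich-aware tool reads from the file) and compares it with the stored key.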
| Packer/Compiler |
Compiler: Nullsoft Install System - Version: v3.04
Detect It Easy (die):
• PE: installer: Nullsoft Scriptable Install System(3.04)[zlib]
• PE: linker: Microsoft Linker(6.0*)[-]
• PE: overlay: NSIS data(-)[-]
• Entropy: 6.83934 (whole file; the zlib-compressed NSIS payload in the overlay drives this figure, the sections themselves range from 3.0 to 6.5)
| Suspicious Functions (import-name heuristics; these are the copy, write and launch APIs any installer stub needs and are expected in an NSIS exehead, so on their own they are not evidence of malice) |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module. |
| KERNEL32.DLL | CopyFileW | Copies an existing file to a new file. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| SHELL32.DLL | ShellExecuteExW | Performs a run operation on a specific file. |
| Windows REG (UNICODE) |
| Software\Microsoft\Windows\CurrentVersion |
| File Access |
| Nullsoft.NSIS.exe ole32.dll COMCTL32.dll ADVAPI32.dll SHELL32.dll GDI32.dll USER32.dll KERNEL32.dll @.dat Temp |
| File Access (UNICODE) |
| %s%S.dll Temp |
| Words of Interest |
| exec attrib shutdown ping expand |
| Words of Interest (UNICODE) |
| shutdown |
| URLs |
These come from the GlobalSign certificate chain embedded in the Authenticode signature (AIA, OCSP and CRL distribution points). Windows consults them when it validates the signature; they are not network activity by the installer's own code.
• http://ocsp.globalsign.com/rootr3
• http://secure.globalsign.com/cacert/root-r3.crt
• http://crl.globalsign.com/root-r3.crl
• http://ocsp.globalsign.com/codesigningrootr45
• http://secure.globalsign.com/cacert/codesigningrootr45.crt
• http://crl.globalsign.com/codesigningrootr45.crl
• http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt
• http://ocsp.globalsign.com/gsgccr45evcodesignca2020
• http://crl.globalsign.com/gsgccr45evcodesignca2020.crl
• http://ocsp.globalsign.com/ca/gstsacasha384g4
• http://secure.globalsign.com/cacert/gstsacasha384g4.crt
• http://crl.globalsign.com/ca/gstsacasha384g4.crl
• http://ocsp2.globalsign.com/rootr6
• http://crl.globalsign.com/root-r6.crl
• https://www.globalsign.com/repository/
| URLs (UNICODE) |
| http://nsis.sf.net/NSIS_Error |
| Strings/Hex Code Found With The File Rules (keyword rules over import names; categories such as Stealth (CloseHandle) and Anti-Analysis VM (GetVersion) fire on APIs every Windows program uses and carry little weight by themselves) |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | Registry (RegCreateKeyEx) |
| Text | Ascii | Registry (RegOpenKeyEx) |
| Text | Ascii | Registry (RegSetValueEx) |
| Text | Ascii | Registry (RegDeleteKeyEx) |
| Text | Ascii | File (GetTempPath) |
| Text | Ascii | File (CopyFile) |
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | File (ReadFile) |
| Text | Ascii | Anti-Analysis VM (GetVersion) |
| Text | Ascii | Reconnaissance (FindFirstFileW) |
| Text | Ascii | Reconnaissance (FindNextFileW) |
| Text | Ascii | Reconnaissance (FindClose) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Execution (CreateProcessW) |
| Text | Ascii | Execution (ShellExecute) |
| Text | Unicode | Privileges (SeShutdownPrivilege) |
| Entry Point | Hex Pattern | fasm - Tomasz Grysztar (byte-pattern match only; it conflicts with the Nullsoft/Microsoft Linker 6.0 identification under Packer/Compiler and with the NSIS stub prologue at the entry point, so treat it as a weak signal) |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \ICON\1\1033 | 1AB5C8 | 40028 | 8DC8 | 2800000000010000000200000100200000000000000004000000000000000000000000000000000000000000000000000000 | (............. ................................... |
| \ICON\2\1033 | 1EB5F0 | 10028 | 48DF0 | 2800000080000000000100000100200000000000000001000000000000000000000000000000000000000000000000000000 | (............. ................................... |
| \ICON\3\1033 | 1FB618 | 4028 | 58E18 | 2800000040000000800000000100200000000000004000000000000000000000000000000000000000000000000000000000 | (...@......... ......@............................ |
| \ICON\4\1033 | 1FF640 | 2428 | 5CE40 | 2800000030000000600000000100200000000000002400000000000000000000000000000000000000000000000000000000 | (...0........ ......$............................ |
| \ICON\5\1033 | 201A68 | 1028 | 5F268 | 2800000020000000400000000100200000000000001000000000000000000000000000000000000000000000000000000000 | (... ...@..... ................................... |
| \ICON\6\1033 | 202A90 | 928 | 60290 | 2800000018000000300000000100200000000000000900000000000000000000000000000000000000000000000000000000 | (.......0..... ................................... |
| \ICON\7\1033 | 2033B8 | 428 | 60BB8 | 2800000010000000200000000100200000000000000400000000000000000000000000000000000000000000000000000000 | (....... ..... ................................... |
| \DIALOG\105\1033 | 2037E0 | 202 | 60FE0 | 0100FFFF00000000000000004808CA800E00000000004B01DE000000000000000800000000014D0053002000530068006500 | ............H.........K...............M.S. .S.h.e. |
| \DIALOG\106\1033 | 2039E8 | F8 | 611E8 | 0100FFFF0000000000000000480400400400000000002C018C000000000000000800000000014D0053002000530068006500 | ............H..@......,...............M.S. .S.h.e. |
| \DIALOG\111\1033 | 203AE0 | EE | 612E0 | 0100FFFF0000000000000000C8080080030000000000A7002A000000000000000800000000014D0053002000530068006500 | ........................*.............M.S. .S.h.e. |
| \DIALOG\205\1033 | 203BD0 | 1FA | 613D0 | 0100FFFF00000000000000004008CA800E00000000004B01DE000000000000000900000000012DFF33FF200030FFB430B730 | ............@.........K...............-.3. .0..0.0 |
| \DIALOG\206\1033 | 203DD0 | F0 | 615D0 | 0100FFFF0000000000000000400400400400000000002C018C000000000000000900000000012DFF33FF200030FFB430B730 | ............@..@......,...............-.3. .0..0.0 |
| \DIALOG\211\1033 | 203EC0 | E6 | 616C0 | 0100FFFF0000000000000000C0080080030000000000A7002A000000000000000900000000012DFF33FF200030FFB430B730 | ........................*.............-.3. .0..0.0 |
| \DIALOG\305\1033 | 203FA8 | 1EE | 617A8 | 0100FFFF00000000000000004008CA800E00000000004B01DE0000000000000009000000000174ADBCB90000000000000000 | ............@.........K...............t........... |
| \DIALOG\306\1033 | 204198 | E4 | 61998 | 0100FFFF0000000000000000400400400400000000002C018C0000000000000009000000000174ADBCB90000000000000000 | ............@..@......,...............t........... |
| \DIALOG\311\1033 | 204280 | DA | 61A80 | 0100FFFF0000000000000000C0080080030000000000A7002A0000000000000009000000000174ADBCB90000000000000000 | ........................*.............t........... |
| \DIALOG\405\1033 | 204360 | 1EE | 61B60 | 0100FFFF00000000000000004008CA800E00000000004B01DE000000000000000900000000018B5B534F0000000000000000 | ............@.........K................[SO........ |
| \DIALOG\406\1033 | 204550 | E4 | 61D50 | 0100FFFF0000000000000000400400400400000000002C018C000000000000000900000000018B5B534F0000000000000000 | ............@..@......,................[SO........ |
| \DIALOG\411\1033 | 204638 | DA | 61E38 | 0100FFFF0000000000000000C0080080030000000000A7002A000000000000000900000000018B5B534F0000000000000000 | ........................*..............[SO........ |
| \DIALOG\505\1033 | 204718 | 1F2 | 61F18 | 0100FFFF00000000000000004008CA800E00000000004B01DE00000000000000090000000001B065307D0E66D49A00000000 | ............@.........K................e0}.f...... |
| \DIALOG\506\1033 | 204910 | E8 | 62110 | 0100FFFF0000000000000000400400400400000000002C018C00000000000000090000000001B065307D0E66D49A00000000 | ............@..@......,................e0}.f...... |
| \DIALOG\511\1033 | 2049F8 | DE | 621F8 | 0100FFFF0000000000000000C0080080030000000000A7002A00000000000000090000000001B065307D0E66D49A00000000 | ........................*..............e0}.f...... |
| \DIALOG\605\1033 | 204AD8 | 202 | 622D8 | 0100FFFF00000000007000004808CA800E00000000004B01DE000000000000000800000000014D0053002000530068006500 | .........p..H.........K...............M.S. .S.h.e. |
| \DIALOG\606\1033 | 204CE0 | F8 | 624E0 | 0100FFFF0000000000700000480400400400000000002C018C000000000000000800000000014D0053002000530068006500 | .........p..H..@......,...............M.S. .S.h.e. |
| \DIALOG\611\1033 | 204DD8 | EE | 625D8 | 0100FFFF0000000000700000C8080080030000000000A7002A000000000000000800000000014D0053002000530068006500 | .........p..............*.............M.S. .S.h.e. |
| \GROUP_ICON\103\1033 | 204EC8 | 68 | 626C8 | 0000010007001010000001002000280400000700181800000100200028090000060020200000010020002810000005003030 | ............ .(........... .(..... .... .(.....00 |
| \VERSION\1\1033 | 204F30 | 1E8 | 62730 | E80134000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000000001300 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \24\1\1033 | 205118 | 423 | 62918 | 3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E653D2279 | <?xml version="1.0" encoding="UTF-8" standalone="y |
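Added example, not PESCAN.IO's code: parsing the GROUP_ICON directory and the ICON resource headers dumped in the Resources table, and checking that the sizes the directory declares agree with the ICON entries and with the DIB geometry. Inconsistent resource sizes are one place a tampered or payload-carrying .rsrc shows up; here the check also accounts for where the 0x5A600 bytes of the low-entropy .rsrc section went. All bytes below are copied from the report, and the GROUP_ICON dump is truncated after its third entry exactly as shown, which the parser has to tolerate.

```python
# Added example: icon-resource consistency check from the dumped resource bytes.
import struct

# \GROUP_ICON\103\1033 as dumped: 6-byte header, 3 complete 14-byte entries, 2 stray bytes.
GRPICON_HEX = ("0000010007001010000001002000280400000700181800000100200028090000"
               "060020200000010020002810000005003030")

# \ICON\<id>\1033: first 16 bytes of each BITMAPINFOHEADER, and the Size column (hex).
ICONS = {
    1: ("28000000000100000002000001002000", 0x40028),
    2: ("28000000800000000001000001002000", 0x10028),
    3: ("28000000400000008000000001002000", 0x4028),
    4: ("28000000300000006000000001002000", 0x2428),
    5: ("28000000200000004000000001002000", 0x1028),
    6: ("28000000180000003000000001002000", 0x928),
    7: ("28000000100000002000000001002000", 0x428),
}
RSRC_RAW_SIZE = 0x5A600  # .rsrc RSize from Sections Info

def parse_grpicondir(blob):
    """GRPICONDIR: WORD reserved, WORD type (1 = icon), WORD count, followed by
    GRPICONDIRENTRY records (BYTE w, BYTE h, BYTE colors, BYTE reserved, WORD planes,
    WORD bpp, DWORD bytes_in_res, WORD resource_id). A width/height byte of 0 means 256.
    Truncated input yields only the complete entries; 'declared' keeps the header count."""
    reserved, rtype, count = struct.unpack_from("<HHH", blob, 0)
    if reserved != 0 or rtype != 1:
        raise ValueError("not an icon group directory")
    entries, off = [], 6
    while off + 14 <= len(blob) and len(entries) < count:
        w, h, _colors, _res, _planes, bpp, size, rid = struct.unpack_from("<BBBBHHIH", blob, off)
        entries.append((w or 256, h or 256, bpp, size, rid))
        off += 14
    return {"declared": count, "entries": entries}

def parse_dib_header(blob):
    """BITMAPINFOHEADER at the start of an ICON resource. biHeight counts the XOR
    and AND rows together, so the icon's real height is half of it."""
    size, width, height, planes, bpp = struct.unpack_from("<IiiHH", blob, 0)
    if size != 40:
        raise ValueError("unexpected BITMAPINFOHEADER size %d" % size)
    return {"width": width, "height": height // 2, "planes": planes, "bpp": bpp}

def expected_dib_size(width, height, bpp):
    """40-byte header plus the XOR bitmap with rows padded to 4 bytes. No AND mask
    is added: the sizes in this report show none is stored for these icons."""
    stride = ((width * bpp + 31) // 32) * 4
    return 40 + stride * height

def cross_check():
    """{resource_id: bool}: DIB geometry vs reported size for every ICON, and
    directory entry vs ICON entry for each complete GROUP_ICON record."""
    ok = {}
    for rid, (hdr_hex, size) in ICONS.items():
        dib = parse_dib_header(bytes.fromhex(hdr_hex))
        ok[rid] = expected_dib_size(dib["width"], dib["height"], dib["bpp"]) == size
    for w, h, bpp, size, rid in parse_grpicondir(bytes.fromhex(GRPICON_HEX))["entries"]:
        dib = parse_dib_header(bytes.fromhex(ICONS[rid][0]))
        ok[rid] = ok[rid] and size == ICONS[rid][1] and (w, h, bpp) == (dib["width"], dib["height"], dib["bpp"])
    return ok

def icon_share_of_rsrc():
    """Fraction of the raw .rsrc section occupied by the seven icon bitmaps."""
    return sum(size for _, size in ICONS.values()) / RSRC_RAW_SIZE

if __name__ == "__main__":
    print(parse_grpicondir(bytes.fromhex(GRPICON_HEX)))
    print(cross_check())
    print("%.1f%% of .rsrc is icon pixel data" % (100 * icon_share_of_rsrc()))
```

Every icon checks out as a plain 32-bpp DIB (for example 256 x 256 x 4 bytes + 40 = 0x40028), and the seven icons together account for about 97.5% of .rsrc, which is the explanation for a 370 KB resource section with entropy near 3: uncompressed RGBA pixels, not hidden data.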
| Intelligent String |
| • USER32.dll • COMCTL32.dll • http://nsis.sf.net/NSIS_Error • .tmp • .exe • %s%S.dll |
| Flow Anomalies |
Every entry below is a CALL DWORD PTR [imm32] at the given .text file offset. All targets (0x408018 to 0x4082A8) are slots in the IAT (RVA 0x8000, inside .rdata) of this non-relocatable x86 image, i.e. ordinary import calls, which is how a stock NSIS stub looks; nothing here points at injected or hidden code. The second column is the absolute target address (ImageBase 0x400000 + RVA), not an RVA.
| Offset | Target VA | Section | Type | Description |
|---|---|---|---|---|
| 42C | 40821C | .text | CALL [static] | Indirect call to absolute memory address |
| 447 | 408220 | .text | CALL [static] | Indirect call to absolute memory address |
| 45B | 408224 | .text | CALL [static] | Indirect call to absolute memory address |
| 4CF | 408064 | .text | CALL [static] | Indirect call to absolute memory address |
| 4E4 | 408228 | .text | CALL [static] | Indirect call to absolute memory address |
| 505 | 408054 | .text | CALL [static] | Indirect call to absolute memory address |
| 526 | 408050 | .text | CALL [static] | Indirect call to absolute memory address |
| 530 | 408058 | .text | CALL [static] | Indirect call to absolute memory address |
| 556 | 40822C | .text | CALL [static] | Indirect call to absolute memory address |
| 56E | 408284 | .text | CALL [static] | Indirect call to absolute memory address |
| 7E4 | 408154 | .text | CALL [static] | Indirect call to absolute memory address |
| 7F4 | 408218 | .text | CALL [static] | Indirect call to absolute memory address |
| 8AD | 408294 | .text | CALL [static] | Indirect call to absolute memory address |
| 8EA | 408078 | .text | CALL [static] | Indirect call to absolute memory address |
| 8F8 | 408264 | .text | CALL [static] | Indirect call to absolute memory address |
| 9AE | 408074 | .text | CALL [static] | Indirect call to absolute memory address |
| A1A | 408094 | .text | CALL [static] | Indirect call to absolute memory address |
| A4D | 408090 | .text | CALL [static] | Indirect call to absolute memory address |
| A96 | 408108 | .text | CALL [static] | Indirect call to absolute memory address |
| AE2 | 40810C | .text | CALL [static] | Indirect call to absolute memory address |
| B2A | 4080BC | .text | CALL [static] | Indirect call to absolute memory address |
| B49 | 408114 | .text | CALL [static] | Indirect call to absolute memory address |
| BD5 | 408118 | .text | CALL [static] | Indirect call to absolute memory address |
| CCA | 408110 | .text | CALL [static] | Indirect call to absolute memory address |
| CD3 | 408120 | .text | CALL [static] | Indirect call to absolute memory address |
| E16 | 408104 | .text | CALL [static] | Indirect call to absolute memory address |
| E28 | 40811C | .text | CALL [static] | Indirect call to absolute memory address |
| E43 | 408124 | .text | CALL [static] | Indirect call to absolute memory address |
| E56 | 40811C | .text | CALL [static] | Indirect call to absolute memory address |
| F69 | 408290 | .text | CALL [static] | Indirect call to absolute memory address |
| FE7 | 408128 | .text | CALL [static] | Indirect call to absolute memory address |
| FF9 | 408134 | .text | CALL [static] | Indirect call to absolute memory address |
| 108F | 40828C | .text | CALL [static] | Indirect call to absolute memory address |
| 10A7 | 408218 | .text | CALL [static] | Indirect call to absolute memory address |
| 10D9 | 408274 | .text | CALL [static] | Indirect call to absolute memory address |
| 10FE | 40826C | .text | CALL [static] | Indirect call to absolute memory address |
| 112E | 4081E4 | .text | CALL [static] | Indirect call to absolute memory address |
| 1152 | 408270 | .text | CALL [static] | Indirect call to absolute memory address |
| 1163 | 4081E4 | .text | CALL [static] | Indirect call to absolute memory address |
| 1170 | 408224 | .text | CALL [static] | Indirect call to absolute memory address |
| 1191 | 408260 | .text | CALL [static] | Indirect call to absolute memory address |
| 119F | 408218 | .text | CALL [static] | Indirect call to absolute memory address |
| 11AE | 40805C | .text | CALL [static] | Indirect call to absolute memory address |
| 11BC | 408254 | .text | CALL [static] | Indirect call to absolute memory address |
| 11D6 | 408060 | .text | CALL [static] | Indirect call to absolute memory address |
| 11DE | 408154 | .text | CALL [static] | Indirect call to absolute memory address |
| 11EF | 40820C | .text | CALL [static] | Indirect call to absolute memory address |
| 123E | 408054 | .text | CALL [static] | Indirect call to absolute memory address |
| 1267 | 408268 | .text | CALL [static] | Indirect call to absolute memory address |
| 1272 | 408210 | .text | CALL [static] | Indirect call to absolute memory address |
| 134D | 408120 | .text | CALL [static] | Indirect call to absolute memory address |
| 13C1 | 408134 | .text | CALL [static] | Indirect call to absolute memory address |
| 145D | 408170 | .text | CALL [static] | Indirect call to absolute memory address |
| 146E | 40816C | .text | CALL [static] | Indirect call to absolute memory address |
| 14EB | 408168 | .text | CALL [static] | Indirect call to absolute memory address |
| 1583 | 4082A8 | .text | CALL [static] | Indirect call to absolute memory address |
| 16CD | 40818C | .text | CALL [static] | Indirect call to absolute memory address |
| 1743 | 408164 | .text | CALL [static] | Indirect call to absolute memory address |
| 177F | 408160 | .text | CALL [static] | Indirect call to absolute memory address |
| 17B0 | 408020 | .text | CALL [static] | Indirect call to absolute memory address |
| 17B9 | 408024 | .text | CALL [static] | Indirect call to absolute memory address |
| 186F | 408028 | .text | CALL [static] | Indirect call to absolute memory address |
| 18B5 | 40802C | .text | CALL [static] | Indirect call to absolute memory address |
| 192B | 408030 | .text | CALL [static] | Indirect call to absolute memory address |
| 193E | 408018 | .text | CALL [static] | Indirect call to absolute memory address |
| 1957 | 408024 | .text | CALL [static] | Indirect call to absolute memory address |
| 19E8 | 40815C | .text | CALL [static] | Indirect call to absolute memory address |
| 19F3 | 408150 | .text | CALL [static] | Indirect call to absolute memory address |
| 1AB6 | 408148 | .text | CALL [static] | Indirect call to absolute memory address |
| 1B14 | 408144 | .text | CALL [static] | Indirect call to absolute memory address |
| 1BD6 | 408144 | .text | CALL [static] | Indirect call to absolute memory address |
| 1C0D | 408144 | .text | CALL [static] | Indirect call to absolute memory address |
| 1C30 | 40814C | .text | CALL [static] | Indirect call to absolute memory address |
| 1C4F | 40813C | .text | CALL [static] | Indirect call to absolute memory address |
| 1C77 | 408138 | .text | CALL [static] | Indirect call to absolute memory address |
| 1D56 | 408128 | .text | CALL [static] | Indirect call to absolute memory address |
| 1D69 | 408128 | .text | CALL [static] | Indirect call to absolute memory address |
| 1D81 | 408120 | .text | CALL [static] | Indirect call to absolute memory address |
| 1D95 | 408140 | .text | CALL [static] | Indirect call to absolute memory address |
| 1EAF | 408218 | .text | CALL [static] | Indirect call to absolute memory address |
| 1EBF | 408214 | .text | CALL [static] | Indirect call to absolute memory address |
| 21B2 | 408024 | .text | CALL [static] | Indirect call to absolute memory address |
| 21D3 | 408024 | .text | CALL [static] | Indirect call to absolute memory address |
| 21E6 | 40801C | .text | CALL [static] | Indirect call to absolute memory address |
| 2211 | 408258 | .text | CALL [static] | Indirect call to absolute memory address |
| 223C | 408154 | .text | CALL [static] | Indirect call to absolute memory address |
| 224C | 408290 | .text | CALL [static] | Indirect call to absolute memory address |
| 225C | 40825C | .text | CALL [static] | Indirect call to absolute memory address |
| 228C | 408250 | .text | CALL [static] | Indirect call to absolute memory address |
| 22AA | 40807C | .text | CALL [static] | Indirect call to absolute memory address |
| 22C7 | 408288 | .text | CALL [static] | Indirect call to absolute memory address |
| 22D5 | 408268 | .text | CALL [static] | Indirect call to absolute memory address |
| 22EE | 40807C | .text | CALL [static] | Indirect call to absolute memory address |
| 230A | 408084 | .text | CALL [static] | Indirect call to absolute memory address |
| 2356 | 408080 | .text | CALL [static] | Indirect call to absolute memory address |
| 248E | 408134 | .text | CALL [static] | Indirect call to absolute memory address |
| 24F4 | 408144 | .text | CALL [static] | Indirect call to absolute memory address |
| 2650 | 408154 | .text | CALL [static] | Indirect call to absolute memory address |
| 2663 | 408290 | .text | CALL [static] | Indirect call to absolute memory address |
| 2755 | 408144 | .text | CALL [static] | Indirect call to absolute memory address |
| 62E00 | N/A | *Overlay* | 00000000EFBEADDE4E756C6C736F6674496E7374 | ........NullsoftInst: the NSIS first header (flags = 0, siginfo 0xDEADBEEF, "NullsoftInst"). The installer payload begins here, immediately after .rsrc (0x8800 + 0x5A600 = 0x62E00) |
| Extra Analysis |
| Metric | Value (bytes) | Percentage |
|---|---|---|
| ASCII bytes | 505787 | 50.1331% |
| Null bytes | 194707 | 19.2992% |
© 2026 All rights reserved.