PESCAN.IO - Analysis Report Basic
| File Structure |
PE chart legend (the chart image itself is not included in this export):
• PE header (light blue)
• Executable sections (pink)
• Non-executable sections (black)
• External injected code (red)
• File structure drawn in red = malformed or corrupted header
Chart legend for other file types:
• Printable characters (blue)
• Non-printable characters (black)
| Information |
• Size: 5,29 MB
• SHA-256 Hash: F241296EE5DD56C10D289B989A27A2478202DC51D6AB53FC3DBE47BAA674ECAF
• SHA-1 Hash: 47A9D890DB868EE87956DC5C7E144CAD3F6F6161
• MD5 Hash: 738068FA9090032CB30F97CC77A25DAE
• Imphash: F34D5F2D4577ED6D9CEEC516C1F5A744
• MajorOSVersion: 4
• MinorOSVersion: 0
• CheckSum: 0054BD09
• EntryPoint (rva): 542FCE
• SizeOfHeaders: 200
• SizeOfImage: 550000
• ImageBase: 400000
• Architecture: x86
• ImportTable: 542F78
• IAT: 2000
• Characteristics: 102
• TimeDateStamp: 563AB2DF
• Date: 05/11/2015 1:37:35
• File Type: EXE
• Number Of Sections: 3
• ASLR: Enabled
• Section Names: .text, .rsrc, .reloc
• Number Of Executable Sections: 1
• Subsystem: Windows GUI
• UAC Execution Level Manifest: asInvoker
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 0x60000020 Code Executable Readable | 200 | 541000 | 2000 | 540FD4 | | |
| .rsrc | 0x40000040 Initialized Data Readable | 541200 | 9400 | 544000 | 936A | | |
| .reloc | 0x42000040 Initialized Data GP-Relative Readable | 54A600 | 200 | 54E000 | C | | |
| Description |
• OriginalFilename: gAnnotation.dll
• CompanyName: SSDivers
• LegalCopyright: Copyright 2009
• ProductName: gAnnotation
• FileVersion: 1.0.5.0
• FileDescription: gAnnotation
• ProductVersion: 1.0.5.0
• Comments: Control to add annotation to any Image
• Language: Unknown (ID=0x0)
• CodePage: Unicode (UTF-16 LE) (0x4B0)
| Binder/Joiner/Crypter |
| 2 Executable files found |
| Entry Point |
Section 1 (.text) contains the entry point.
• EntryPoint (calculated): 5411CE
• Code (first 50 bytes at the entry point): FF25002040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
• Assembler: JMP DWORD PTR [0X402000], followed by 22 × ADD BYTE PTR [EAX], AL (the remaining 44 bytes are zero padding, which decodes as ADD BYTE PTR [EAX], AL)
| Signatures |
| Certificate - Digital Signature Not Found: • The file is not signed |
| Packer/Compiler |
• Compiler: Microsoft Visual .NET - (You can use a decompiler for this...)
• AnyCPU: False
• Version: v2.0
• Compiler: Microsoft Visual Studio
• Detect It Easy (die): PE: library: .NET(v2.0.50727)[-]
• Detect It Easy (die): PE: compiler: VB.NET(-)[-]
• Detect It Easy (die): PE: linker: Microsoft Linker(11.0)[-]
• Entropy: 7.9575
| File Access |
• Fake ID Cards Creator BY MrZaghar.exe
• mscoree.dll
• gAnnotation.dll
• gdi32.dll
• user32.dll
• Temp
| File Access (UNICODE) |
• gAnnotation.dll
• Fake ID Cards Creator BY @Ahmadhunter.exe
| Words of Interest |
• exec
• attrib
• start
• shutdown
| URLs |
| http://fast-likers.com |
| URLs (UNICODE) |
| https://T.me/Hack_servers |
| IP Addresses |
• 11.0.0.0
• 10.0.0.0
| PE Carving |
| Start Offset Header | End Offset | Size (Bytes) |
|---|---|---|
| 0 | D46DD | D46DD |
| D46DD | 54A800 | 476123 |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | WinAPI Sockets (send) |
| Text | Ascii | Keyboard Key (Scroll) |
| Text | Unicode | Keyboard Key (Scroll) |
| Text | Ascii | Stealer malware focused on obtaining CVV codes to conduct unauthorized transactions (CVV) |
| Entry Point | Hex Pattern | Microsoft Visual C / Basic .NET |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8.0 |
| Entry Point | Hex Pattern | Microsoft Visual C v7.0 / Basic .NET |
| Entry Point | Hex Pattern | Microsoft Visual Studio .NET |
| Entry Point | Hex Pattern | Microsoft Windows Enhanced Metafile |
| Entry Point | Hex Pattern | .NET executable |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \ICON\2\0 | 544370 | 668 | 541570 | 2800000030000000600000000100040000000000800400000000000000000000000000000000000000000000000080000080 | (...0............................................ |
| \ICON\3\0 | 5449D8 | 2E8 | 541BD8 | 2800000020000000400000000100040000000000000200000000000000000000000000000000000000000000000080000080 | (... ...@......................................... |
| \ICON\4\0 | 544CC0 | 1E8 | 541EC0 | 2800000018000000300000000100040000000000200100000000000000000000000000000000000000000000000080000080 | (.......0........... ............................. |
| \ICON\5\0 | 544EA8 | 128 | 5420A8 | 2800000010000000200000000100040000000000800000000000000000000000000000000000000000000000000080000080 | (....... ......................................... |
| \ICON\6\0 | 544FD0 | EA8 | 5421D0 | 2800000030000000600000000100080000000000000900000000000000000000000100000001000000000000242424002E2E | (...0......................................$$$... |
| \ICON\7\0 | 545E78 | 8A8 | 543078 | 2800000020000000400000000100080000000000000400000000000000000000000100000001000000000000252525003636 | (... ...@...................................%%%.66 |
| \ICON\8\0 | 546720 | 6C8 | 543920 | 2800000018000000300000000100080000000000400200000000000000000000000100000001000000000000242424004A4A | (.......0...........@.......................$$$.JJ |
| \ICON\9\0 | 546DE8 | 568 | 543FE8 | 2800000010000000200000000100080000000000000100000000000000000000000100000001000000000000252525003030 | (....... ...................................%%%.00 |
| \ICON\10\0 | 547350 | 1501 | 544550 | 89504E470D0A1A0A0000000D49484452000001000000010008060000005C72A866000000097048597300000EC300000EC301 | .PNG........IHDR.............\r.f....pHYs......... |
| \ICON\11\0 | 548854 | 25A8 | 545A54 | 2800000030000000600000000100200000000000802500000000000000000000000000000000000000000000000000000000 | (...0........ ......%............................ |
| \ICON\12\0 | 54ADFC | 10A8 | 547FFC | 2800000020000000400000000100200000000000801000000000000000000000000000000000000000000000000000000000 | (... ...@..... ................................... |
| \ICON\13\0 | 54BEA4 | 988 | 5490A4 | 2800000018000000300000000100200000000000600900000000000000000000000000000000000000000000000000000000 | (.......0..... .................................. |
| \ICON\14\0 | 54C82C | 468 | 549A2C | 2800000010000000200000000100200000000000400400000000000000000000000000000000000000000000000000000000 | (....... ..... .....@............................. |
| \GROUP_ICON\32512\0 | 54CC94 | BC | 549E94 | 000001000D0030301000010004006806000002002020100001000400E802000003001818100001000400E801000004001010 | ......00......h..... ............................ |
| \VERSION\1\0 | 54CD50 | 430 | 549F50 | 300434000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000 | 0.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \24\1\0 | 54D180 | 1EA | 54A380 | EFBBBF3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E65 | ...<?xml version="1.0" encoding="UTF-8" standalone |
| Intelligent String |
• 1.0.0.0
• Fake ID Cards Creator BY @Ahmadhunter.exe
• 1.0.5.0
• gAnnotation.dll
• _CorDllMainmscoree.dll
• C:\Users\MrZaghar\Desktop\gAnnotation\gAnnotation\gAnnotation\obj\Debug\gAnnotation.pdb
• https://T.me/Hack_servers
• 3(.png , .jpg)|*.png;*.jpg
• jpg image|*.jpg
• http://fast-likers.com
• _CorExeMainmscoree.dll
| Flow Anomalies |
| Offset | RVA | Section | Type | Description |
|---|---|---|---|---|
| 20791 | 32B0A04 | .text | JMP [static] | Indirect jump to absolute memory address |
| 234B2 | 32B0A04 | .text | JMP [static] | Indirect jump to absolute memory address |
| 501C8 | 32B0A04 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5EC7E | 32B0A04 | .text | CALL [static] | Indirect call to absolute memory address |
| 63A88 | 5B5CCD4D | .text | JMP [static] | Indirect jump to absolute memory address |
| 6684E | 68F298F | .text | JMP [static] | Indirect jump to absolute memory address |
| 70356 | AFF5E3 | .text | JMP [static] | Indirect jump to absolute memory address |
| 79518 | AFF5E3 | .text | CALL [static] | Indirect call to absolute memory address |
| 7FF38 | 29FEEB56 | .text | CALL [static] | Indirect call to absolute memory address |
| 92BA5 | 605FABE1 | .text | JMP [static] | Indirect jump to absolute memory address |
| 9848A | 605FABE1 | .text | JMP [static] | Indirect jump to absolute memory address |
| 9D44D | 605FABE1 | .text | CALL [static] | Indirect call to absolute memory address |
| 9DA53 | 605FABE1 | .text | CALL [static] | Indirect call to absolute memory address |
| 9EBBF | 605FABE1 | .text | CALL [static] | Indirect call to absolute memory address |
| A236B | 605FABE1 | .text | JMP [static] | Indirect jump to absolute memory address |
| A5666 | 791F63BC | .text | JMP [static] | Indirect jump to absolute memory address |
| A8122 | 10C9685A | .text | JMP [static] | Indirect jump to absolute memory address |
| AF7D3 | 1F6EF3CB | .text | CALL [static] | Indirect call to absolute memory address |
| B27BB | 1F6EF3CB | .text | JMP [static] | Indirect jump to absolute memory address |
| BAE3E | 1F6EF3CB | .text | CALL [static] | Indirect call to absolute memory address |
| C7A42 | 1F6EF3CB | .text | CALL [static] | Indirect call to absolute memory address |
| C7F17 | 1F6EF3CB | .text | JMP [static] | Indirect jump to absolute memory address |
| CBFB7 | 13F8DA20 | .text | CALL [static] | Indirect call to absolute memory address |
| CCEBD | 13F8DA20 | .text | CALL [static] | Indirect call to absolute memory address |
| DEFFB | 402000 | .text | JMP [static] | Indirect jump to absolute memory address |
| FC638 | 402000 | .text | JMP [static] | Indirect jump to absolute memory address |
| FE4A3 | 2DBCA44D | .text | JMP [static] | Indirect jump to absolute memory address |
| 13968C | 2DBCA44D | .text | CALL [static] | Indirect call to absolute memory address |
| 13E4AE | 2DBCA44D | .text | JMP [static] | Indirect jump to absolute memory address |
| 1434A7 | 73EE0457 | .text | CALL [static] | Indirect call to absolute memory address |
| 1549B6 | 301B7DA8 | .text | JMP [static] | Indirect jump to absolute memory address |
| 156C59 | 58F17836 | .text | CALL [static] | Indirect call to absolute memory address |
| 1727A1 | 1D25831D | .text | CALL [static] | Indirect call to absolute memory address |
| 176F83 | 134E2A1F | .text | CALL [static] | Indirect call to absolute memory address |
| 17A4CB | 134E2A1F | .text | CALL [static] | Indirect call to absolute memory address |
| 185018 | 7F1A1C60 | .text | CALL [static] | Indirect call to absolute memory address |
| 19E360 | 2615AD26 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1B025F | 65BF6974 | .text | CALL [static] | Indirect call to absolute memory address |
| 1B6583 | 65BF6974 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1CA3AC | 26BFBC65 | .text | CALL [static] | Indirect call to absolute memory address |
| 1D41A0 | 26BFBC65 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1EBCB9 | 4015FC40 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1EF80F | 268C0AD0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1F1CC3 | 268C0AD0 | .text | CALL [static] | Indirect call to absolute memory address |
| 2072AD | 67FF9ACD | .text | CALL [static] | Indirect call to absolute memory address |
| 20B76B | 67FF9ACD | .text | JMP [static] | Indirect jump to absolute memory address |
| 20DC6E | 67FF9ACD | .text | JMP [static] | Indirect jump to absolute memory address |
| 21DA45 | 67FF9ACD | .text | JMP [static] | Indirect jump to absolute memory address |
| 220FFE | 6E20035F | .text | CALL [static] | Indirect call to absolute memory address |
| 223F3C | 6E20035F | .text | CALL [static] | Indirect call to absolute memory address |
| 2255E3 | 3F0E8265 | .text | JMP [static] | Indirect jump to absolute memory address |
| 226928 | 3F0E8265 | .text | CALL [static] | Indirect call to absolute memory address |
| 235C41 | 430899D6 | .text | CALL [static] | Indirect call to absolute memory address |
| 23DBD6 | 430899D6 | .text | JMP [static] | Indirect jump to absolute memory address |
| 23EC15 | 430899D6 | .text | CALL [static] | Indirect call to absolute memory address |
| 2432D4 | 430899D6 | .text | JMP [static] | Indirect jump to absolute memory address |
| 243D51 | 729638C0 | .text | CALL [static] | Indirect call to absolute memory address |
| 246AA2 | 3D86085D | .text | JMP [static] | Indirect jump to absolute memory address |
| 250B58 | 44700F7F | .text | CALL [static] | Indirect call to absolute memory address |
| 263FBD | 44700F7F | .text | JMP [static] | Indirect jump to absolute memory address |
| 2687A4 | 44700F7F | .text | JMP [static] | Indirect jump to absolute memory address |
| 26CA07 | 66FDD7A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 26F482 | 66FDD7A0 | .text | JMP [static] | Indirect jump to absolute memory address |
| 27306B | 75280C4D | .text | CALL [static] | Indirect call to absolute memory address |
| 27F054 | 75280C4D | .text | JMP [static] | Indirect jump to absolute memory address |
| 287BBC | 6DC54BD9 | .text | CALL [static] | Indirect call to absolute memory address |
| 290344 | 6DC54BD9 | .text | CALL [static] | Indirect call to absolute memory address |
| 293892 | 6DC54BD9 | .text | JMP [static] | Indirect jump to absolute memory address |
| 297E51 | 65200AD0 | .text | JMP [static] | Indirect jump to absolute memory address |
| 298993 | 5C5A5280 | .text | JMP [static] | Indirect jump to absolute memory address |
| 29AB33 | 5C5A5280 | .text | CALL [static] | Indirect call to absolute memory address |
| 29E8A3 | 2557277E | .text | CALL [static] | Indirect call to absolute memory address |
| 2A8CA9 | 2557277E | .text | CALL [static] | Indirect call to absolute memory address |
| 2A8CE9 | 22F03FED | .text | JMP [static] | Indirect jump to absolute memory address |
| 2AE0BE | 22F03FED | .text | CALL [static] | Indirect call to absolute memory address |
| 2AF274 | 22F03FED | .text | JMP [static] | Indirect jump to absolute memory address |
| 2B1B8C | 22F03FED | .text | JMP [static] | Indirect jump to absolute memory address |
| 2C8263 | 22F03FED | .text | JMP [static] | Indirect jump to absolute memory address |
| 2DDDC3 | 22F03FED | .text | JMP [static] | Indirect jump to absolute memory address |
| 2E1966 | 768D25DE | .text | JMP [static] | Indirect jump to absolute memory address |
| 2F8039 | 768D25DE | .text | JMP [static] | Indirect jump to absolute memory address |
| 2F8DD8 | 768D25DE | .text | JMP [static] | Indirect jump to absolute memory address |
| 2F9157 | 768D25DE | .text | JMP [static] | Indirect jump to absolute memory address |
| 2FA4C9 | 54F7481 | .text | JMP [static] | Indirect jump to absolute memory address |
| 2FE306 | 54F7481 | .text | JMP [static] | Indirect jump to absolute memory address |
| 2FFC64 | 54F7481 | .text | JMP [static] | Indirect jump to absolute memory address |
| 300A70 | 1811FC7C | .text | CALL [static] | Indirect call to absolute memory address |
| 301F9A | 1811FC7C | .text | JMP [static] | Indirect jump to absolute memory address |
| 305EA3 | 5FCD53FC | .text | JMP [static] | Indirect jump to absolute memory address |
| 308877 | 12D7A46D | .text | JMP [static] | Indirect jump to absolute memory address |
| 30BA17 | 12D7A46D | .text | CALL [static] | Indirect call to absolute memory address |
| 310854 | D7BE42 | .text | JMP [static] | Indirect jump to absolute memory address |
| 31647C | 39A0B4A | .text | CALL [static] | Indirect call to absolute memory address |
| 318B0F | 554DFEEA | .text | JMP [static] | Indirect jump to absolute memory address |
| 31A26E | 554DFEEA | .text | CALL [static] | Indirect call to absolute memory address |
| 3232C7 | 554DFEEA | .text | JMP [static] | Indirect jump to absolute memory address |
| 327708 | 74DBFAB7 | .text | CALL [static] | Indirect call to absolute memory address |
| 32D11C | 74DBFAB7 | .text | CALL [static] | Indirect call to absolute memory address |
| 336BE2 | 74DBFAB7 | .text | JMP [static] | Indirect jump to absolute memory address |
| 339AEF | 74DBFAB7 | .text | CALL [static] | Indirect call to absolute memory address |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 3720602 | 67,0617% |
| Null Byte Code | 127947 | 2,3062% |