PESCAN.IO - Analysis Report Basic
| File Structure |
PE chart legend (the chart image itself is not included in this extract): PE header (light blue), executable sections (pink), non-executable sections (black), externally injected code (red). A file structure drawn in red marks a malformed or corrupted header. For non-PE files: printable characters (blue), non-printable characters (black).
| Information |
Size: 185,36 KB
SHA-256 Hash: 3B9DABD99DC58A5242616CB6D1D876BCA3046119A9B150C7D7868BF02202EA82
SHA-1 Hash: 9B45B3826706337A11E43248095FB2C62E42D14D
MD5 Hash: 76EF16E94F77454AAFFDFA4C700BE85F
Imphash: EC7603DFC11290C5EA59EDE1B41EAC50
MajorOSVersion: 4
MinorOSVersion: 0
CheckSum: 00038BB5
EntryPoint (rva): 1257A
SizeOfHeaders: 1000
SizeOfImage: B1000
ImageBase: 400000
Architecture: x86
ImportTable: 22068
IAT: 1E000
Characteristics: 10F
TimeDateStamp: 48986B59
Date: 05/08/2008 15:01:45
File Type: EXE
Number Of Sections: 4
ASLR: Disabled
Section Names: .text, .rdata, .data, .rsrc
Number Of Executable Sections: 1
Subsystem: Windows GUI
[Incomplete Binary or Compressor Packer - 522,64 KB Missing]
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 0x60000020 Code Executable Readable | 1000 | 1D000 | 1000 | 1C854 | | |
| .rdata | 0x40000040 Initialized Data Readable | 1E000 | 5000 | 1E000 | 4BF8 | | |
| .data | 0xC0000040 Initialized Data Readable Writeable | 23000 | 3000 | 23000 | 868F4 | | |
| .rsrc | 0x40000040 Initialized Data Readable | 26000 | 7000 | AA000 | 61A0 | | |
| Description |
OriginalFilename: AutoPlay.exe
CompanyName: Adobe Systems Incorporated
LegalCopyright: 1990-2008 Adobe Systems Incorporated
ProductName: Autoplay
FileVersion: 6.0
FileDescription: AutoPlay
ProductVersion: 6.0
Language: English (United States) (ID=0x409)
CodePage: Unicode (UTF-16 LE) (0x4B0)
| Entry Point |
Section number 1 (.text) contains the entry point.
EntryPoint (calculated): 1257A
Code: 6A6068D00C4200E86A560000BF940000008BC7E86EE8FFFF8965E88BF4893E56FF1574E141008B4E10890D48804A008B4604
Assembler:
PUSH 0X60
PUSH 0X420CD0
CALL 0X6676
MOV EDI, 0X94
MOV EAX, EDI
CALL 0XFFFFF886
MOV DWORD PTR [EBP - 0X18], ESP
MOV ESI, ESP
MOV DWORD PTR [ESI], EDI
PUSH ESI
CALL DWORD PTR [0X41E174]
MOV ECX, DWORD PTR [ESI + 0X10]
MOV DWORD PTR [0X4A8048], ECX
MOV EAX, DWORD PTR [ESI + 4]
| Signatures |
Rich Signature Analyzer:
Code -> CCEFE1B4888E8FE7888E8FE7888E8FE78D8280E7998E8FE78D82D0E70B8E8FE79B86D2E78A8E8FE70B86D2E7828E8FE772AD96E78D8E8FE7888E8EE70D8E8FE79B86E6E7BC8E8FE70B86D0E7BE8E8FE78D82EFE7938E8FE76485D1E7898E8FE78D82D5E7898E8FE752696368888E8FE7
Footprint md5 Hash -> 22AA937AFDDA0F0384B14540169938E5
• The Rich header apparently has not been modified
Certificate - Digital Signature:
• The file is signed and the signature is correct
| Packer/Compiler |
Compiler: Microsoft Visual C++
Compiler: Microsoft Visual C++ 6-8
Detect It Easy (die):
• PE: compiler: EP:Microsoft Visual C/C++(2003 v.7.1 (3052-9782))[EXE32]
• PE: compiler: Microsoft Visual C/C++(2003)[libc,wWinMain]
• PE: linker: Microsoft Linker(7.10)[-]
• PE: Sign tool: Windows Authenticode(2.0)[PKCS 7]
• Entropy: 6.19241
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | CreateMutexW | Creates a named or unnamed mutex object for controlling access to a shared resource. |
| KERNEL32.DLL | GetModuleFileNameA | Retrieves the fully qualified path of the executable file of a specified module. |
| KERNEL32.DLL | VirtualAlloc | Reserves, commits, or both, a region of memory within the virtual address space of a process. |
| KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | LoadLibraryW | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | CreateFileA | Creates or opens a file or I/O device. |
| USER32.DLL | GetAsyncKeyState | Retrieves the status of a virtual key asynchronously. |
| SHELL32.DLL | ShellExecuteW | Performs a run operation on a specific file. |
| Windows REG |
| SOFTWARE\Microsoft\Windows\CurrentVersion |
| Windows REG (UNICODE) |
| Software\Microsoft\Windows\CurrentVersion |
| File Access |
| ADVAPI32.dll GDI32.dll USER32.dll KERNEL32.dll SHLWAPI.dll WINMM.dll MSVFW32.dll COMCTL32.dll mscoree.dll security.dll unicows.dll comdlg32.dll version.dll mpr.dll rasapi32.dll avicap32.dll secur32.dll oleacc.dll oledlg.dll sensapi.dll shell32.dll Auser32.dll @.dat |
| File Access (UNICODE) |
| AutoPlay.exe explorer.exe cmd.exe Shell32.dll File lang.dat \lang.dat Please provide default language Code in Main.ini \AutoPlay\main.ini Exec - cmd.exe /c start ".\ |
| Interesting Words |
| exec attrib start systeminfo ping |
| Interesting Words (UNICODE) |
| start |
| URLs |
http://ocsp.verisign.com
http://crl.verisign.com/tss-ca.crl
http://crl.verisign.com/ThawteTimestampingCA.crl
http://crl.verisign.com/pca3.crl
http://CSC3-2004-crl.verisign.com/CSC3-2004.crl
http://CSC3-2004-aia.verisign.com/CSC3-2004-aia.cer
http://www.adobe.com
https://www.verisign.com/rpa
https://www.verisign.com/rpa01
https://www.verisign.com/rpa0
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | Registry (RegCreateKeyEx) |
| Text | Ascii | Registry (RegOpenKeyEx) |
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | File (ReadFile) |
| Text | Ascii | Anti-Analysis VM (GetSystemInfo) |
| Text | Ascii | Anti-Analysis VM (GetVersion) |
| Text | Ascii | Reconnaissance (FindFirstFileA) |
| Text | Ascii | Reconnaissance (FindFirstFileW) |
| Text | Ascii | Reconnaissance (FindNextFileW) |
| Text | Ascii | Reconnaissance (FindClose) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Stealth (IsBadReadPtr) |
| Text | Ascii | Stealth (VirtualAlloc) |
| Text | Ascii | Stealth (VirtualProtect) |
| Text | Ascii | Execution (CreateProcessW) |
| Text | Ascii | Execution (ShellExecute) |
| Entry Point | Hex Pattern | Armadillo v2.xx (CopyMem II) |
| Entry Point | Hex Pattern | Microsoft Visual C++ 7.0 |
| Entry Point | Hex Pattern | Microsoft Visual C++ v7.0 |
| Entry Point | Hex Pattern | PE-Exe Executable Image |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \ICON\1\1033 | AA9D0 | EA8 | 269D0 | 28000000300000006000000001000800000000000000000000000000000000000000000000000000FFFFFF00F7F5F500E5E5 | (...0............................................ |
| \ICON\2\1033 | AB878 | 8A8 | 27878 | 28000000200000004000000001000800000000000000000000000000000000000000000000000000FFFFFF00F7F5F500DEDE | (... ...@......................................... |
| \ICON\3\1033 | AC120 | 568 | 28120 | 28000000100000002000000001000800000000000000000000000000000000000000000000000000FFFFFF00E7E7E700CECE | (....... ......................................... |
| \ICON\4\1033 | AC688 | 25A8 | 28688 | 2800000030000000600000000100200000000000000000000000000000000000000000000000000083838300838383008383 | (...0........ ................................... |
| \ICON\5\1033 | AEC30 | 10A8 | 2AC30 | 28000000200000004000000001002000000000000000000000000000000000000000000000000000FFFFFF00FFFFFF00FFFF | (... ...@..... ................................... |
| \ICON\6\1033 | AFCD8 | 468 | 2BCD8 | 28000000100000002000000001002000000000000000000000000000000000000000000000000000FFFFFF00FFFFFF00FFFF | (....... ..... ................................... |
| \DIALOG\102\1033 | AA5F8 | F0 | 265F8 | 0100FFFF0000000000000000C000C8800300000000002301DC000000000045006E0064002000550073006500720020004C00 | .............................E.n.d. .U.s.e.r. .L. |
| \GROUP_ICON\117\1033 | B0140 | 5A | 2C140 | 0000010006003030000001000800A80E000001002020000001000800A8080000020010100000010008006805000003003030000001002000A825000004002020000001002000A810000005001010000001002000680400000600 | ......00............ ....................h.....00.... ..%.... .... ............. .h..... |
| \VERSION\1\1033 | AA6E8 | 2E4 | 266E8 | E40234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \24\1\1033 | AA270 | 382 | 26270 | 3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E653D2279 | <?xml version="1.0" encoding="UTF-8" standalone="y |
| Intelligent String |
| • avicap32.dll • secur32.dll • .\Autoplay\resdata\HARROW.cur • .\Autoplay\resdata\HARROW.ani • \lang.dat • explorer.exe • .\Autoplay\resdata\autoplay.ico • Shell32.dll • .\AutoPlay\main.ini • Please provide default language Code in Main.ini • Auser32.dll • kernel32.dll • advapi32.dll • winmm.dll • oleacc.dll • winspool.drv • rasapi32.dll • mpr.dll • version.dll • comdlg32.dll • security.dll • mscoree.dll • COMCTL32.dll • KERNEL32.dll • USER32.dll • ADVAPI32.dll • AutoPlay.exe |
| Flow Anomalies |
| Offset | RVA | Section | Type | Description |
|---|---|---|---|---|
| 1207 | 41E1A4 | .text | CALL [static] | Indirect call to absolute memory address |
| 1215 | 41E1A4 | .text | CALL [static] | Indirect call to absolute memory address |
| 1223 | 41E1A4 | .text | CALL [static] | Indirect call to absolute memory address |
| 1265 | 425D00 | .text | CALL [static] | Indirect call to absolute memory address |
| 1273 | 41E194 | .text | CALL [static] | Indirect call to absolute memory address |
| 1281 | 425D24 | .text | CALL [static] | Indirect call to absolute memory address |
| 15BD | 41E058 | .text | CALL [static] | Indirect call to absolute memory address |
| 15CE | 41E05C | .text | CALL [static] | Indirect call to absolute memory address |
| 15ED | 41E058 | .text | CALL [static] | Indirect call to absolute memory address |
| 16BF | 41E058 | .text | CALL [static] | Indirect call to absolute memory address |
| 16DC | 41E1FC | .text | CALL [static] | Indirect call to absolute memory address |
| 16EA | 41E200 | .text | CALL [static] | Indirect call to absolute memory address |
| 1726 | 41E048 | .text | CALL [static] | Indirect call to absolute memory address |
| 1730 | 41E04C | .text | CALL [static] | Indirect call to absolute memory address |
| 173D | 41E050 | .text | CALL [static] | Indirect call to absolute memory address |
| 1789 | 41E054 | .text | CALL [static] | Indirect call to absolute memory address |
| 1790 | 41E058 | .text | CALL [static] | Indirect call to absolute memory address |
| 1798 | 41E1C4 | .text | CALL [static] | Indirect call to absolute memory address |
| 180B | 41E1FC | .text | CALL [static] | Indirect call to absolute memory address |
| 1816 | 41E038 | .text | CALL [static] | Indirect call to absolute memory address |
| 1831 | 41E04C | .text | CALL [static] | Indirect call to absolute memory address |
| 1858 | 425CC8 | .text | CALL [static] | Indirect call to absolute memory address |
| 18C7 | 41E03C | .text | CALL [static] | Indirect call to absolute memory address |
| 18DA | 41E1A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1911 | 41E040 | .text | CALL [static] | Indirect call to absolute memory address |
| 1956 | 41E044 | .text | CALL [static] | Indirect call to absolute memory address |
| 19CC | 41E200 | .text | CALL [static] | Indirect call to absolute memory address |
| 19EF | 41E1F8 | .text | CALL [static] | Indirect call to absolute memory address |
| 1A39 | 425CC4 | .text | CALL [static] | Indirect call to absolute memory address |
| 1A6E | 425D44 | .text | CALL [static] | Indirect call to absolute memory address |
| 1A79 | 41E058 | .text | CALL [static] | Indirect call to absolute memory address |
| 1A87 | 41E1C4 | .text | CALL [static] | Indirect call to absolute memory address |
| 1ACE | 41E1FC | .text | CALL [static] | Indirect call to absolute memory address |
| 1AEB | 41E04C | .text | CALL [static] | Indirect call to absolute memory address |
| 1B15 | 425CC8 | .text | CALL [static] | Indirect call to absolute memory address |
| 1B77 | 41E03C | .text | CALL [static] | Indirect call to absolute memory address |
| 1B8C | 41E1A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1BBE | 41E040 | .text | CALL [static] | Indirect call to absolute memory address |
| 1BFA | 41E1F4 | .text | CALL [static] | Indirect call to absolute memory address |
| 1C08 | 41E1C4 | .text | CALL [static] | Indirect call to absolute memory address |
| 1C80 | 41E1FC | .text | CALL [static] | Indirect call to absolute memory address |
| 1C8B | 41E038 | .text | CALL [static] | Indirect call to absolute memory address |
| 1CA6 | 41E04C | .text | CALL [static] | Indirect call to absolute memory address |
| 1CCD | 425CC8 | .text | CALL [static] | Indirect call to absolute memory address |
| 1D3C | 41E03C | .text | CALL [static] | Indirect call to absolute memory address |
| 1D4F | 41E1A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1D86 | 41E040 | .text | CALL [static] | Indirect call to absolute memory address |
| 1DCB | 41E044 | .text | CALL [static] | Indirect call to absolute memory address |
| 1E41 | 41E200 | .text | CALL [static] | Indirect call to absolute memory address |
| 1E64 | 41E1F8 | .text | CALL [static] | Indirect call to absolute memory address |
| 1ED8 | 425CC4 | .text | CALL [static] | Indirect call to absolute memory address |
| 1F19 | 425D44 | .text | CALL [static] | Indirect call to absolute memory address |
| 1F24 | 41E058 | .text | CALL [static] | Indirect call to absolute memory address |
| 1F32 | 41E1C4 | .text | CALL [static] | Indirect call to absolute memory address |
| 1FC5 | 41E200 | .text | CALL [static] | Indirect call to absolute memory address |
| 1FEA | 41E1F8 | .text | CALL [static] | Indirect call to absolute memory address |
| 1FF7 | 41E1FC | .text | CALL [static] | Indirect call to absolute memory address |
| 2002 | 41E038 | .text | CALL [static] | Indirect call to absolute memory address |
| 201D | 41E04C | .text | CALL [static] | Indirect call to absolute memory address |
| 2045 | 425CC8 | .text | CALL [static] | Indirect call to absolute memory address |
| 20B4 | 41E03C | .text | CALL [static] | Indirect call to absolute memory address |
| 20C7 | 41E1A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 20FE | 41E040 | .text | CALL [static] | Indirect call to absolute memory address |
| 2143 | 41E044 | .text | CALL [static] | Indirect call to absolute memory address |
| 221B | 425CC4 | .text | CALL [static] | Indirect call to absolute memory address |
| 225C | 425D44 | .text | CALL [static] | Indirect call to absolute memory address |
| 2267 | 41E058 | .text | CALL [static] | Indirect call to absolute memory address |
| 2275 | 41E1C4 | .text | CALL [static] | Indirect call to absolute memory address |
| 22AB | 41E1FC | .text | CALL [static] | Indirect call to absolute memory address |
| 22C8 | 41E04C | .text | CALL [static] | Indirect call to absolute memory address |
| 22F2 | 425CC8 | .text | CALL [static] | Indirect call to absolute memory address |
| 2354 | 41E03C | .text | CALL [static] | Indirect call to absolute memory address |
| 2369 | 41E1A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 239B | 41E040 | .text | CALL [static] | Indirect call to absolute memory address |
| 23D7 | 41E1F4 | .text | CALL [static] | Indirect call to absolute memory address |
| 23E5 | 41E1C4 | .text | CALL [static] | Indirect call to absolute memory address |
| 2491 | 41E048 | .text | CALL [static] | Indirect call to absolute memory address |
| 24A0 | 41E1FC | .text | CALL [static] | Indirect call to absolute memory address |
| 24AA | 41E04C | .text | CALL [static] | Indirect call to absolute memory address |
| 24B7 | 41E050 | .text | CALL [static] | Indirect call to absolute memory address |
| 24CA | 41E034 | .text | CALL [static] | Indirect call to absolute memory address |
| 24D1 | 41E058 | .text | CALL [static] | Indirect call to absolute memory address |
| 24DF | 41E1C4 | .text | CALL [static] | Indirect call to absolute memory address |
| 258C | 41E1FC | .text | CALL [static] | Indirect call to absolute memory address |
| 2597 | 41E038 | .text | CALL [static] | Indirect call to absolute memory address |
| 25A4 | 41E044 | .text | CALL [static] | Indirect call to absolute memory address |
| 2619 | 425CC4 | .text | CALL [static] | Indirect call to absolute memory address |
| 2621 | 41E04C | .text | CALL [static] | Indirect call to absolute memory address |
| 2645 | 425CD0 | .text | CALL [static] | Indirect call to absolute memory address |
| 2653 | 41E1C4 | .text | CALL [static] | Indirect call to absolute memory address |
| 278C | 41E1FC | .text | CALL [static] | Indirect call to absolute memory address |
| 2797 | 41E038 | .text | CALL [static] | Indirect call to absolute memory address |
| 27A4 | 41E044 | .text | CALL [static] | Indirect call to absolute memory address |
| 2819 | 425CC4 | .text | CALL [static] | Indirect call to absolute memory address |
| 2821 | 41E04C | .text | CALL [static] | Indirect call to absolute memory address |
| 2833 | 41E200 | .text | CALL [static] | Indirect call to absolute memory address |
| 285E | 41E1F8 | .text | CALL [static] | Indirect call to absolute memory address |
| 2867 | 41E02C | .text | CALL [static] | Indirect call to absolute memory address |
| 2879 | 41E030 | .text | CALL [static] | Indirect call to absolute memory address |
| 28A2 | 425D44 | .text | CALL [static] | Indirect call to absolute memory address |
| 2D000 | N/A | *Overlay* | 70150000000202003082156106092A864886F70D | p.......0..a..*.H... |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 99776 | 52,5668% |
| Null Byte Code | 49321 | 25,9847% |