PESCAN.IO - Analysis Report Basic

File Structure
[Analysis image (PE chart) not reproduced in this text extract.]
PE chart legend: executable header (light blue); executable sections (pink); non-executable sections (black); external injected code (red). A file structure drawn in red indicates a malformed or corrupted header.
Chart legend for other (non-PE) files: printable characters (blue); non-printable characters (black).
Information
Size: 220,00 KB
SHA-256 Hash: 866F51D4416B6A0BFBE8442CC8C1716152E4C3EE3137C375D05185E8171096A7
SHA-1 Hash: FD87D19FB51010DCDD31EA0C1F14E075132239B0
MD5 Hash: 7B37F8EC25C9AD853E8126C1D0992201
Imphash: 788796C8C6C3D01582E0A931BCFFAA41
MajorOSVersion: 5
MinorOSVersion: 0
CheckSum: 000410C5
EntryPoint (rva): 3024A
SizeOfHeaders: 400
SizeOfImage: 43000
ImageBase: 783F0000
Architecture: x86
ExportTable: 33310
ImportTable: 326EC
IAT: 1000
Characteristics: 2102
TimeDateStamp: 488EF6CF
Date: 29/07/2008 10:54:07
File Type: DLL
Number Of Sections: 4
ASLR: Enabled
Section Names: .text, .data, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI

Sections Info
(Offsets and sizes in hex)
Section  Flags     Attributes                                ROffset  RSize  VOffset  VSize  Entropy  Chi2
.text    60000020  Code, Executable, Readable                400      33A00  1000     33944  6,17602  174953,22
.data    C0000040  Initialized Data, Readable, Writeable     33E00    A00    35000    96A    4,81225  9160,60
.rsrc    40000040  Initialized Data, Readable                34800    400    3F000    3C8    3,20099  4743,00
.reloc   42000040  Initialized Data, GP-Relative, Readable   34C00    2400   40000    2306   1,70701  631035,61
Description
OriginalFilename: MSVCM90.DLL
CompanyName: Microsoft Corporation
LegalCopyright: Microsoft Corporation. All rights reserved.
ProductName: Microsoft Visual Studio 2008
FileVersion: 9.00.30729.1
FileDescription: Microsoft C Runtime Library
ProductVersion: 9.00.30729.1
Language: English (United States) (ID=0x409)
CodePage: Unicode (UTF-16 LE) (0x4B0)

Entry Point
Section number 1 (.text) contains the Entry Point
Information -> EntryPoint (calculated) - 2F64A
Code -> FF2518123F78CCCCCCCCCCCCCCCC033001000B0000000000000028FB02000680010000042ACCCCCCCCCC033001000D000000
JMP DWORD PTR [0X783F1218]
INT3
INT3
INT3
INT3
INT3
INT3
INT3
INT3
ADD ESI, DWORD PTR [EAX]
ADD DWORD PTR [EAX], EAX
OR EAX, DWORD PTR [EAX]
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
ADD BYTE PTR [EAX], AL
SUB BL, BH
ADD AL, BYTE PTR [EAX]
PUSH ES
ADD BYTE PTR [ECX], 0
ADD BYTE PTR [EDX + EBP], AL
INT3
INT3
INT3
INT3
INT3
ADD ESI, DWORD PTR [EAX]
ADD DWORD PTR [EAX], EAX

Signatures
Rich Signature Analyzer:
Code -> C88A9C3B8CEBF2688CEBF2688CEBF268859361688FEBF26831A464688DEBF268859367688DEBF268E80789688EEBF268AB2D896888EBF2688CEBF36815EBF2688593716883EBF26885937668E9EBF268859360688DEBF268859366688DEBF268859363688DEBF268526963688CEBF268
Footprint md5 Hash -> FFC06BFCB928276DB9C87111989D59DB
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler
Compiler: Microsoft Visual .NET - (You can use a decompiler for this...)
AnyCPU: True
Version: v2.0
Detect It Easy (die)
PE: library: .NET(v2.0.50727)[-]
PE: compiler: Microsoft Visual C/C++(2008 SP1)[-]
PE: linker: Microsoft Linker(9.0)[-]
Entropy: 6.03615

Suspicious Functions
Library       Function           Description
KERNEL32.DLL  GetProcAddress     Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL  IsDebuggerPresent  Determines if the calling process is being debugged by a user-mode debugger.
ET Functions (carving)
Original Name -> msvcm90.dll
?_Addstd@ios_base@std@@SAXPAV12@@Z
?_Atexit@@YAXP6AXXZ@Z
?_BADOFF_func@std@@YAABJXZ
?_Cerr_func@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@XZ
?_Cin_func@std@@YAAAV?$basic_istream@DU?$char_traits@D@std@@@1@XZ
?_Clocptr_func@_Locimp@locale@std@@CAAAPAV123@XZ
?_Clog_func@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@XZ
?_Cout_func@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@XZ
?_Fiopen@std@@YAPAU_iobuf@@PBDHH@Z
?_Fiopen@std@@YAPAU_iobuf@@PBGHH@Z
?_Fiopen@std@@YAPAU_iobuf@@PB_WHH@Z
?_Fpz_func@std@@YAAA_JXZ
?_Getcvt@@YA?AU_Cvtvec@@XZ
?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ
?_Id_cnt_func@id@locale@std@@CAAAHXZ
?_Id_func@?$codecvt@GDH@std@@SAAAVid@locale@2@XZ
?_Id_func@?$codecvt@_WDH@std@@SAAAVid@locale@2@XZ
?_Id_func@?$ctype@D@std@@SAAAVid@locale@2@XZ
?_Id_func@?$ctype@G@std@@SAAAVid@locale@2@XZ
?_Id_func@?$ctype@_W@std@@SAAAVid@locale@2@XZ
?_Index_func@ios_base@std@@CAAAHXZ
?_Init@locale@std@@CAPAV_Locimp@12@XZ
?_Init_cnt_func@Init@ios_base@std@@CAAAHXZ
?_Init_ctor@Init@ios_base@std@@CAXPAV123@@Z
?_Init_dtor@Init@ios_base@std@@CAXPAV123@@Z
?_Init_locks_ctor@_Init_locks@std@@CAXPAV12@@Z
?_Init_locks_dtor@_Init_locks@std@@CAXPAV12@@Z
?_Ios_base_dtor@ios_base@std@@CAXPAV12@@Z
?_Locimp_Addfac@_Locimp@locale@std@@CAXPAV123@PAVfacet@23@I@Z
?_Locimp_dtor@_Locimp@locale@std@@CAXPAV123@@Z
?_Locinfo_Addcats@_Locinfo@std@@SAAAV12@PAV12@HPBD@Z
?_Locinfo_ctor@_Locinfo@std@@SAXPAV12@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@2@@Z
?_Locinfo_ctor@_Locinfo@std@@SAXPAV12@HPBD@Z
?_Locinfo_ctor@_Locinfo@std@@SAXPAV12@PBD@Z
?_Locinfo_dtor@_Locinfo@std@@SAXPAV12@@Z
?_Lockit_ctor@_Lockit@std@@CAXPAV12@@Z
?_Lockit_ctor@_Lockit@std@@CAXPAV12@H@Z
?_Lockit_ctor@_Lockit@std@@SAXH@Z
?_Lockit_dtor@_Lockit@std@@CAXPAV12@@Z
?_Lockit_dtor@_Lockit@std@@SAXH@Z
?_Mbrtowc@@YAHPAGPBDIPAHPBU_Cvtvec@@@Z
?_Mbrtowc@@YAHPA_WPBDIPAHPBU_Cvtvec@@@Z
?_Mtxdst@@YAXPAU_RTL_CRITICAL_SECTION@@@Z
?_Mtxinit@@YAXPAU_RTL_CRITICAL_SECTION@@@Z
?_Mtxlock@@YAXPAU_RTL_CRITICAL_SECTION@@@Z
?_Mtxunlock@@YAXPAU_RTL_CRITICAL_SECTION@@@Z
?_Mutex_Lock@_Mutex@std@@CAXPAV12@@Z
?_Mutex_Unlock@_Mutex@std@@CAXPAV12@@Z
?_Mutex_ctor@_Mutex@std@@CAXPAV12@@Z
?_Mutex_dtor@_Mutex@std@@CAXPAV12@@Z
?_Nomemory@std@@YAXXZ
?_Once@@YAXPAJP6AXXZ@Z
?_Setgloballocale@locale@std@@CAXPAX@Z
?_Sync_func@ios_base@std@@CAAA_NXZ
?_Wcerr_func@std@@YAAAV?$basic_ostream@GU?$char_traits@G@std@@@1@XZ
?_Wcerr_func@std@@YAAAV?$basic_ostream@_WU?$char_traits@_W@std@@@1@XZ
?_Wcin_func@std@@YAAAV?$basic_istream@GU?$char_traits@G@std@@@1@XZ
?_Wcin_func@std@@YAAAV?$basic_istream@_WU?$char_traits@_W@std@@@1@XZ
?_Wclog_func@std@@YAAAV?$basic_ostream@GU?$char_traits@G@std@@@1@XZ
?_Wclog_func@std@@YAAAV?$basic_ostream@_WU?$char_traits@_W@std@@@1@XZ
?_Wcout_func@std@@YAAAV?$basic_ostream@GU?$char_traits@G@std@@@1@XZ
?_Wcout_func@std@@YAAAV?$basic_ostream@_WU?$char_traits@_W@std@@@1@XZ
?_Wcrtomb@@YAHPADGPAHPBU_Cvtvec@@@Z
?_Wcrtomb@@YAHPAD_WPAHPBU_Cvtvec@@@Z
?_Xinvarg@_String_base@std@@SAXXZ
?_Xlen@_String_base@std@@SAXXZ
?_Xran@_String_base@std@@SAXXZ
?__Wcrtomb_lk@@YAHPAD_WPAHPBU_Cvtvec@@@Z
?__get_default_appdomain@@YAJPAPAUIUnknown@@@Z
?__query_new_handler_m@@YAP6MHI@ZXZ
?__release_appdomain@@YAXPAUIUnknown@@@Z
?_beginthread@@YAIP6MXPAX@ZI0@Z
?_beginthreadex@@YAIPAXIP6MI0@Z0IPAI@Z
?_fpieee_flt@@YAHKPAU_EXCEPTION_POINTERS@@P6MHPAU_FPIEEE_RECORD@@@Z@Z
?_set_invalid_parameter_handler@@YAP6AXPB_W00II@ZH@Z
?_set_invalid_parameter_handler@@YAP6MXPB_W00II@ZP6MX000II@Z@Z
?_set_new_handler@@YAP6MHI@ZP6MHI@Z@Z
?_set_purecall_handler@@YAP6AXXZH@Z
?_set_purecall_handler@@YAP6MXXZP6MXXZ@Z
?_uncaught_exception_m@std@@YA_NXZ
?classic@locale@std@@SAABV12@XZ
?empty@locale@std@@SA?AV12@XZ
?global@locale@std@@SA?AV12@ABV12@@Z
?resetiosflags@std@@YA?AU?$_Smanip@H@1@H@Z
?set_new_handler@std@@YAP6MXXZP6MXXZ@Z
?set_terminate@@YAP6MXXZP6MXXZ@Z
?set_unexpected@@YAP6MXXZP6MXXZ@Z
?setbase@std@@YA?AU?$_Smanip@H@1@H@Z
?setiosflags@std@@YA?AU?$_Smanip@H@1@H@Z
?setprecision@std@@YA?AU?$_Smanip@H@1@H@Z
?setw@std@@YA?AU?$_Smanip@H@1@H@Z
?signal@@YAP6MXH@ZHH@Z
?signal@@YAP6MXH@ZHP6MXH@Z@Z
__setusermatherr_m
towctrans
wctrans
wctype

File Access
msvcm90.dll
mscoree.dll
ole32.dll
KERNEL32.dll
MSVCR90.dll
.dat
std.?A0xf73da067.ini
std.?A0x2f012d81.ini
?A0x2f012d81.ini
std.?A0xe76299d7.ini
?A0xe76299d7.ini
?A0x3128fac1.ini
std.?A0x3128fac1.ini
std.?A0xad3fecda.ini
?A0xad3fecda.ini
?A0xb81d9ac6.ini
std.?A0xb81d9ac6.ini
?A0x707e2e90.ini
std.?A0x707e2e90.ini
std.?A0xff4635ca.ini
?A0xff4635ca.ini
?A0x3a235b9d.ini
std.?A0x3a235b9d.ini
std.?A0x95982bb4.ini
?A0x95982bb4.ini
std.?A0x5dfb9fe2.ini
std.?A0x7818ca35.ini
?A0x7818ca35.ini
std.?A0x17a6eaef.ini
?A0x17a6eaef.ini
std.?A0xa6934b57.ini
?A0xa6934b57.ini
.ini
std.ios_base.Ini
.LanguageSupport.Ini
.DefaultDomain.Ini

File Access (UNICODE)
MSVCM90.DLL
_vcomp_forkvcomp90.dll
vcomp90d.dll
Temp

Words of Interest
exec
attrib
start

Words of Interest (UNICODE)
start

Strings/Hex Code Found With The File Rules
Rule  Encoding  Type           Matched (Word)
Text  Ascii     Anti-Analysis  VM (IsDebuggerPresent)
Text  Ascii     Stealth        ExitThread
Text  Ascii     Execution      ResumeThread
Resources
Path             DataRVA  Size  FileOffset  Code / Text
\VERSION\1\1033  3F060    364   34860       640334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000
                                            d.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
Intelligent String
• MSVCM90.DLL
• vcomp90d.dll
• _vcomp_forkvcomp90.dll
• msvcm90.i386.pdb

Flow Anomalies
Offset RVA Section Description
22D4C 783F1054 .text CALL [static] | Indirect call to absolute memory address
22D58 783F1058 .text CALL [static] | Indirect call to absolute memory address
22D60 783F1064 .text CALL [static] | Indirect call to absolute memory address
22D68 783F1060 .text CALL [static] | Indirect call to absolute memory address
22D74 783F105C .text CALL [static] | Indirect call to absolute memory address
22DD9 78425004 .text JMP [static] | Indirect jump to absolute memory address
22E14 78425008 .text JMP [static] | Indirect jump to absolute memory address
22FC1 7842500C .text JMP [static] | Indirect jump to absolute memory address
22FE6 78425010 .text JMP [static] | Indirect jump to absolute memory address
23159 78425014 .text JMP [static] | Indirect jump to absolute memory address
231F5 78425018 .text JMP [static] | Indirect jump to absolute memory address
2321E 7842501C .text JMP [static] | Indirect jump to absolute memory address
23321 78425020 .text JMP [static] | Indirect jump to absolute memory address
233DB 78425024 .text JMP [static] | Indirect jump to absolute memory address
23413 78425028 .text JMP [static] | Indirect jump to absolute memory address
2348B 7842502C .text JMP [static] | Indirect jump to absolute memory address
2351D 78425030 .text JMP [static] | Indirect jump to absolute memory address
2356D 78425034 .text JMP [static] | Indirect jump to absolute memory address
23596 78425038 .text JMP [static] | Indirect jump to absolute memory address
23606 7842503C .text JMP [static] | Indirect jump to absolute memory address
236DA 78425040 .text JMP [static] | Indirect jump to absolute memory address
23718 78425044 .text JMP [static] | Indirect jump to absolute memory address
23767 78425048 .text JMP [static] | Indirect jump to absolute memory address
23806 7842504C .text JMP [static] | Indirect jump to absolute memory address
23897 78425050 .text JMP [static] | Indirect jump to absolute memory address
238CC 78425054 .text JMP [static] | Indirect jump to absolute memory address
23961 78425058 .text JMP [static] | Indirect jump to absolute memory address
23992 7842505C .text JMP [static] | Indirect jump to absolute memory address
23A29 78425060 .text JMP [static] | Indirect jump to absolute memory address
23A5A 78425064 .text JMP [static] | Indirect jump to absolute memory address
23AED 78425068 .text JMP [static] | Indirect jump to absolute memory address
23B27 7842506C .text JMP [static] | Indirect jump to absolute memory address
23B63 78425070 .text JMP [static] | Indirect jump to absolute memory address
23B99 78425074 .text JMP [static] | Indirect jump to absolute memory address
23BCD 78425078 .text JMP [static] | Indirect jump to absolute memory address
23C66 78425084 .text JMP [static] | Indirect jump to absolute memory address
23E06 78425088 .text JMP [static] | Indirect jump to absolute memory address
2447E 78425090 .text JMP [static] | Indirect jump to absolute memory address
24501 78425094 .text JMP [static] | Indirect jump to absolute memory address
2460B 784250D0 .text JMP [static] | Indirect jump to absolute memory address
246C9 784250D4 .text JMP [static] | Indirect jump to absolute memory address
24774 784250D8 .text JMP [static] | Indirect jump to absolute memory address
2482A 784250DC .text JMP [static] | Indirect jump to absolute memory address
24905 784250E0 .text JMP [static] | Indirect jump to absolute memory address
249B9 784250E4 .text JMP [static] | Indirect jump to absolute memory address
24A67 784250E8 .text JMP [static] | Indirect jump to absolute memory address
27163 78425528 .text JMP [static] | Indirect jump to absolute memory address
27197 7842552C .text JMP [static] | Indirect jump to absolute memory address
27200 78425530 .text JMP [static] | Indirect jump to absolute memory address
27224 78425534 .text JMP [static] | Indirect jump to absolute memory address
27248 78425538 .text JMP [static] | Indirect jump to absolute memory address
27273 7842553C .text JMP [static] | Indirect jump to absolute memory address
2729F 78425540 .text JMP [static] | Indirect jump to absolute memory address
272CB 78425544 .text JMP [static] | Indirect jump to absolute memory address
272F7 78425548 .text JMP [static] | Indirect jump to absolute memory address
27323 7842554C .text JMP [static] | Indirect jump to absolute memory address
273CB 78425554 .text JMP [static] | Indirect jump to absolute memory address
273EF 78425558 .text JMP [static] | Indirect jump to absolute memory address
27413 7842555C .text JMP [static] | Indirect jump to absolute memory address
27437 78425560 .text JMP [static] | Indirect jump to absolute memory address
274F5 78425564 .text JMP [static] | Indirect jump to absolute memory address
27551 78425568 .text JMP [static] | Indirect jump to absolute memory address
27573 78425570 .text JMP [static] | Indirect jump to absolute memory address
275AE 78425574 .text JMP [static] | Indirect jump to absolute memory address
27617 78425578 .text JMP [static] | Indirect jump to absolute memory address
2765F 784255E4 .text JMP [static] | Indirect jump to absolute memory address
2792F 784255F0 .text JMP [static] | Indirect jump to absolute memory address
28FD7 78425654 .text JMP [static] | Indirect jump to absolute memory address
290EB 7842565C .text JMP [static] | Indirect jump to absolute memory address
2910F 78425664 .text JMP [static] | Indirect jump to absolute memory address
29247 7842566C .text JMP [static] | Indirect jump to absolute memory address
2A5E7 784256B0 .text JMP [static] | Indirect jump to absolute memory address
2A6FB 784256B8 .text JMP [static] | Indirect jump to absolute memory address
2A71F 784256C0 .text JMP [static] | Indirect jump to absolute memory address
2A85B 784256C8 .text JMP [static] | Indirect jump to absolute memory address
2BB83 7842570C .text JMP [static] | Indirect jump to absolute memory address
2BC97 78425714 .text JMP [static] | Indirect jump to absolute memory address
2BCBB 7842571C .text JMP [static] | Indirect jump to absolute memory address
2BDE1 78425724 .text JMP [static] | Indirect jump to absolute memory address
2BF61 78425728 .text JMP [static] | Indirect jump to absolute memory address
2C0A5 7842572C .text JMP [static] | Indirect jump to absolute memory address
2C149 78425730 .text JMP [static] | Indirect jump to absolute memory address
2C18F 78425734 .text JMP [static] | Indirect jump to absolute memory address
2C2B9 7842573C .text JMP [static] | Indirect jump to absolute memory address
2C2DB 78425740 .text JMP [static] | Indirect jump to absolute memory address
2C361 78425744 .text JMP [static] | Indirect jump to absolute memory address
2C383 78425748 .text JMP [static] | Indirect jump to absolute memory address
2C3A7 7842574C .text JMP [static] | Indirect jump to absolute memory address
2C3CB 78425750 .text JMP [static] | Indirect jump to absolute memory address
2C3EF 78425754 .text JMP [static] | Indirect jump to absolute memory address
2C413 78425758 .text JMP [static] | Indirect jump to absolute memory address
2C437 7842575C .text JMP [static] | Indirect jump to absolute memory address
2C45B 78425760 .text JMP [static] | Indirect jump to absolute memory address
2C51D 78425764 .text JMP [static] | Indirect jump to absolute memory address
2C65A 78425768 .text JMP [static] | Indirect jump to absolute memory address
2C82D 7842576C .text JMP [static] | Indirect jump to absolute memory address
2C88E 78425770 .text JMP [static] | Indirect jump to absolute memory address
2C8F8 78425774 .text JMP [static] | Indirect jump to absolute memory address
2C921 78425778 .text JMP [static] | Indirect jump to absolute memory address
2C9BD 7842577C .text JMP [static] | Indirect jump to absolute memory address
Extra Analysis
Metric Value Percentage
Ascii Code 147643 65,5376%
Null Byte Code 48879 21,697%
© 2026 All rights reserved.