PESCAN.IO - Analysis Report Basic
| File Structure |
[File structure chart not included in this extract. Legend for PE files: light blue = PE header, pink = executable sections, black = non-executable sections, red = external injected code; a file structure drawn in red means a malformed or corrupted header. Legend for other file types: blue = printable characters, black = non-printable characters.]
| Information |
• Size: 2.41 MB
• SHA-256: E5C1B479630E958E8F8E07AC42D43DCDB8D5AC639B20EBB1515FC9345F1DA801
• SHA-1: 30B788EC245AA48546AD0716B841A00ADBA0AD75
• MD5: 81ED97F9FAD6703413F25E652A4AF9DF
• Imphash: 9ACCC748A9D89A334D2FC419EC39655A
• MajorOSVersion / MinorOSVersion: 5 / 0 (Windows 2000)
• CheckSum: 002694F0
• EntryPoint (RVA): 113BC
• SizeOfHeaders: 400
• SizeOfImage: 2D000
• ImageBase: 400000
• Architecture: x86
• ImportTable (RVA): 19000
• IAT (RVA): 192FC
• Characteristics: 818F (RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI)
• TimeDateStamp: 55A7B084 = 16/07/2015 13:24:20 UTC
• File Type: EXE
• Number Of Sections: 8
• ASLR: Disabled (RELOCS_STRIPPED is set, so the image cannot be relocated and always loads at 400000)
• Section Names: .text, .itext, .data, .bss, .idata, .tls, .rdata, .rsrc
• Number Of Executable Sections: 2 (.text, .itext)
• Subsystem: Windows GUI
• UAC Execution Level Manifest: asInvoker
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 0x60000020 Code Executable Readable | 400 | F200 | 1000 | F134 | | |
| .itext | 0x60000020 Code Executable Readable | F600 | C00 | 11000 | B44 | | |
| .data | 0xC0000040 Initialized Data Readable Writeable | 10200 | E00 | 12000 | C88 | | |
| .bss | 0xC0000000 Readable Writeable | 11000 | 0 | 13000 | 56B8 | | |
| .idata | 0xC0000040 Initialized Data Readable Writeable | 11000 | E00 | 19000 | DD0 | | |
| .tls | 0xC0000000 Readable Writeable | 11E00 | 0 | 1A000 | 8 | | |
| .rdata | 0x40000040 Initialized Data Readable | 11E00 | 200 | 1B000 | 18 | | |
| .rsrc | 0x40000040 Initialized Data Readable | 12000 | 10200 | 1C000 | 1000C | | |
All offsets and sizes are hexadecimal; the Entropy and Chi2 cells were empty in the report. Layout checks: .bss and .tls have zero raw size (they exist only in memory, which is why .idata shares ROffset 11000 with .bss); the last section on disk ends at 12000 + 10200 = 22200, exactly where the overlay listed under Flow Anomalies begins; and the entry point (RVA 113BC) falls in .itext, the second of the two executable sections.
| Description |
• CompanyName: IObit
• LegalCopyright: Copyright 2005-2018
• ProductName: IObit Unlocker
• FileVersion: 1.1.2.1
• FileDescription: IObit Unlocker
• ProductVersion: 1.1.2.1
• Comments: This installation was built with Inno Setup.
• Language: Unknown (ID=0x0)
• CodePage: Unicode (UTF-16 LE) (0x4B0)
Note: the version resource says Copyright 2005-2018 while the PE TimeDateStamp is July 2015. That is expected for Inno Setup: setup.exe is the prebuilt SetupLdr stub shipped with the Inno Setup release, whose version resource the compiler rewrites with the product's values, while the application payload is appended after the sections as the overlay.
| Binder/Joiner/Crypter |
| Dropper code detected (EOF) - 2.23 MB |
What fired here is the size of the data appended after the end of the last section (the overlay at file offset 22200). Detect It Easy identifies that overlay as Inno Setup installer data, so the "dropper" label describes the installer payload, not a separate binder, joiner or crypter wrapped around the PE.
| Entry Point |
The entry point RVA 113BC lies in section 2 (.itext; VOffset 11000, ROffset F600), so the code is at raw file offset 113BC - 11000 + F600 = F9BC.
Bytes at the entry point (50 bytes): 558BEC83C4A453565733C08945C48945C08945A48945D08945C88945CC8945D48945D88945ECB834004100E8E851FFFF33C0
Disassembly:
PUSH EBP
MOV EBP, ESP
ADD ESP, -0x5C
PUSH EBX
PUSH ESI
PUSH EDI
XOR EAX, EAX
MOV DWORD PTR [EBP - 0x3C], EAX
MOV DWORD PTR [EBP - 0x40], EAX
MOV DWORD PTR [EBP - 0x5C], EAX
MOV DWORD PTR [EBP - 0x30], EAX
MOV DWORD PTR [EBP - 0x38], EAX
MOV DWORD PTR [EBP - 0x34], EAX
MOV DWORD PTR [EBP - 0x2C], EAX
MOV DWORD PTR [EBP - 0x28], EAX
MOV DWORD PTR [EBP - 0x14], EAX
MOV EAX, 0x410034
CALL 0xFFFF6218
XOR EAX, EAX
Reading the CALL: the listing was produced with the stub placed at address 1000 rather than at its real VA 4113BC, so the rel32 displacement E851FFFF (-AE18) shows up as the wrapped value 0xFFFF6218 (1000 + 30 - AE18). At the real address the CALL opcode sits at VA 4113E7 and its target is 4113EC - AE18 = 4065D4, inside .text. The pair "MOV EAX, <address in .text>; CALL <RTL routine>" is the standard Delphi program entry stub (load the unit initialization table, call System.InitExe); 410034 is RVA 10034, also in .text (RVA 1000 to 10134).
| Signatures |
| Certificate - Digital Signature: • The file is signed and the signature is correct |
Caveat: "correct" means the Authenticode hash and certificate chain verified; the signer's name is not printed in this report, so this line alone does not confirm that the signer is the IObit named in the version resource. The Thawte/Symantec timestamping endpoints listed under URLs indicate the signature carries a countersignature timestamp.
| Packer/Compiler |
| Compiler: Borland Delphi 7 |
Detect It Easy (die):
• PE: installer: Inno Setup Module(5.5.6)[unicode]
• PE: compiler: Embarcadero Delphi(2009-2010)[-]
• PE: linker: Turbo Linker(2.25*,Delphi)[-]
• PE: overlay: Inno Setup Installer data(-)[-]
• Entropy: 7.9744
Two caveats. The compiler identifications disagree (Delphi 7 from PESCAN's own heuristic against Delphi 2009-2010 from DIE); DIE's result is the consistent one, since the Unicode build of Inno Setup 5.x is compiled with Delphi 2009 or later. The entropy figure is for the whole file and is dominated by the 2.23 MB compressed overlay out of 2.41 MB; it says nothing about the PE sections themselves, whose per-section entropy cells are empty above, and should not be read as evidence of a packer on the executable.
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | VirtualAlloc | Reserve, commit, or both, a region of memory within the virtual address space of a process. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | LoadLibraryW | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| Windows REG (UNICODE) |
• SOFTWARE\Borland\Delphi\RTL
• Software\CodeGear\Locales
• Software\Borland\Locales
• Software\Borland\Delphi\Locales
(These are the keys the Delphi RTL consults to locate resource-string locale DLLs; every Delphi executable reads them.)
| File Access |
• advapi32.dll
• kernel32.dll
• comctl32.dll
• user32.dll
• oleaut32.dll
• .bAT
• .dat
| File Access (UNICODE) |
• kernel32.dll
• shell32.dll
• Temp
• UserProfile
| Words of Interest |
• PADDINGX (section-padding filler written by the linker, not a meaningful string)
• exec
• attrib
• start
• systeminfo
• ping
| Words of Interest (UNICODE) |
• PassWord
• start
• shutdown
| URLs |
All of these come from the application manifest and from the Authenticode certificate chain and its Thawte/Symantec timestamp countersignature (CRL, OCSP, AIA and CPS endpoints). The stray characters that trailed some entries in the raw report (0(, 00, 0%, 0., 0@) are the DER bytes that follow each URL inside the certificate, picked up by the string extractor, and duplicates differing only in that debris are collapsed here:
• http://schemas.microsoft.com/SMI/2005/WindowsSettings
• http://ocsp.thawte.com
• http://crl.thawte.com/ThawteTimestampingCA.crl
• http://ts-ocsp.ws.symantec.com
• http://ts-aia.ws.symantec.com/tss-ca-g2.cer
• http://ts-crl.ws.symantec.com/tss-ca-g2.crl
• http://sv.symcb.com/sv.crl
• http://sv.symcd.com
• http://sv.symcb.com/sv.crt
• http://s2.symcb.com
• http://www.symauth.com/cps
• http://www.symauth.com/rpa
• http://s1.symcb.com/pca3-g5.crl
• http://s.symcd.com
• http://s.symcb.com/universal-root.crl
• http://ts-crl.ws.symantec.com/sha256-tss-ca.crl
• http://ts-aia.ws.symantec.com/sha256-tss-ca.cer
• https://d.symcb.com/cps
• https://d.symcb.com/rpa
| URLs (UNICODE) |
| http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline |
| Strings/Hex Code Found With The File Rules |
The "Matched (Word)" labels are keyword buckets from the scanner's rule set, not observed behaviour; the API names below (CreateFile, ReadFile, WriteFile, VirtualAlloc, VirtualProtect, FindFirstFileW, CloseHandle, CreateProcessW) are ordinary imports for a Delphi-built installer. Three matches deserve specific reading: "Antivirus Software (Symantec)" is satisfied by the Symantec/Thawte certificate-chain URLs listed above; "Malicious rerouting of traffic (Redirect)" most likely matched the RedirFunc unit name visible in the PACKAGEINFO resource below; and the three entry-point hex-pattern hits (Borland Delphi 4.0, fasm, Stranik 1.3) are mutually exclusive claims about the same 50-byte prologue, which shows how little weight such short patterns carry next to the DIE identification.
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Unicode | WinAPI Sockets (accept) |
| Text | Ascii | Registry (RegOpenKeyEx) |
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | File (ReadFile) |
| Text | Ascii | Anti-Analysis VM (GetSystemInfo) |
| Text | Ascii | Anti-Analysis VM (GetVersion) |
| Text | Ascii | Reconnaissance (FindFirstFileW) |
| Text | Ascii | Reconnaissance (FindClose) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Stealth (VirtualAlloc) |
| Text | Ascii | Stealth (VirtualProtect) |
| Text | Ascii | Execution (CreateProcessW) |
| Text | Ascii | Execution (CreateEventW) |
| Text | Ascii | Antivirus Software (Symantec) |
| Text | Unicode | Privileges (SeShutdownPrivilege) |
| Text | Unicode | Malicious rerouting of traffic to an attacker-controlled site (Redirect) |
| Entry Point | Hex Pattern | Borland Delphi 4.0 |
| Entry Point | Hex Pattern | fasm - Tomasz Grysztar |
| Entry Point | Hex Pattern | Stranik 1.3 Modula/C/Pascal |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \ICON\1\1033 | 1C4AC | EA8 | 124AC | 28000000300000006000000001000800000000000009000000000000000000000001000000010000000000003C2B14003E3E | (...0......................................<+..>> |
| \ICON\2\1033 | 1D354 | 8A8 | 13354 | 28000000200000004000000001000800000000000004000000000000000000000001000000010000000000004D2D0200502F | (... ...@...................................M-..P/ |
| \ICON\3\1033 | 1DBFC | 568 | 13BFC | 2800000010000000200000000100080000000000000100000000000000000000000100000001000000000000543203005433 | (....... ...................................T2..T3 |
| \ICON\4\1033 | 1E164 | 25A8 | 14164 | 2800000030000000600000000100200000000000802500000000000000000000000000000000000000000000000000020000 | (...0........ ......%............................ |
| \ICON\5\1033 | 2070C | 10A8 | 1670C | 2800000020000000400000000100200000000000801000000000000000000000000000000000000000000004000000080000 | (... ...@..... ................................... |
| \ICON\6\1033 | 217B4 | 988 | 177B4 | 280000001800000030000000010020000000000060090000000000000000000000000000000000000000000F0000001A0000 | (.......0..... .................................. |
| \ICON\7\1033 | 2213C | 468 | 1813C | 2800000010000000200000000100200000000000400400000000000000000000000000000000000000000000000000075947 | (....... ..... .....@...........................YG |
| \STRING\4091\0 | 225A4 | 68 | 185A4 | 0600460072006900640061007900080053006100740075007200640061007900160049006E00760061006C00690064002000 | ..F.r.i.d.a.y...S.a.t.u.r.d.a.y...I.n.v.a.l.i.d. . |
| \STRING\4092\0 | 2260C | D4 | 1860C | 0900530065007000740065006D0062006500720007004F00630074006F0062006500720008004E006F00760065006D006200 | ..S.e.p.t.e.m.b.e.r...O.c.t.o.b.e.r...N.o.v.e.m.b. |
| \STRING\4093\0 | 226E0 | A4 | 186E0 | 03004D006100790003004A0075006E0003004A0075006C000300410075006700030053006500700003004F00630074000300 | ..M.a.y...J.u.n...J.u.l...A.u.g...S.e.p...O.c.t... |
| \STRING\4094\0 | 22784 | 2AC | 18784 | 1F0049006E00760061006C00690064002000760061007200690061006E00740020007400790070006500200063006F006E00 | ..I.n.v.a.l.i.d. .v.a.r.i.a.n.t. .t.y.p.e. .c.o.n. |
| \STRING\4095\0 | 22A30 | 34C | 18A30 | 160049006E00760061006C0069006400200063006C0061007300730020007400790070006500630061007300740030004100 | ..I.n.v.a.l.i.d. .c.l.a.s.s. .t.y.p.e.c.a.s.t.0.A. |
| \STRING\4096\0 | 22D7C | 294 | 18D7C | 0D004F007500740020006F00660020006D0065006D006F00720079000C0049002F004F0020006500720072006F0072002000 | ..O.u.t. .o.f. .m.e.m.o.r.y...I./.O. .e.r.r.o.r. . |
| \RCDATA\CHARTABLE\1033 | 23010 | 82E8 | 19010 | 1800000018220000B82C0000C8420000C8640000E86800000000100020003000400050006000700080009000A000B000C000 | ....."...,...B...d...h...... .0.@.P..p........... |
| \RCDATA\DVCLAL\0 | 2B2F8 | 10 | 212F8 | 263D4F38C28237B8F3244203179B3A83 | &=O8..7..$B...:. |
| \RCDATA\PACKAGEINFO\0 | 2B308 | 150 | 21308 | 000010CC000000001F000000010A53657475704C6472001087526564697246756E6300009C436D6E46756E63320010555479 | ..............SetupLdr...RedirFunc...CmnFunc2..UTy |
| \RCDATA\11111\0 | 2B458 | 2C | 21458 | 72446C507453CDE6D77B0B2A0100000045562600085C2000A8551200D596DE85E9031E0000220200CB1FE164 | rDlPtS...{.*....EV&..\ ..U...........".....d |
| \GROUP_ICON\MAINICON\1033 | 2B484 | 68 | 21484 | 0000010007003030000001000800A80E000001002020000001000800A8080000020010100000010008006805000003003030 | ......00............ ....................h.....00 |
| \VERSION\1\1033 | 2B4EC | 4F4 | 214EC | F40434000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000100 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \24\1\1033 | 2B9E0 | 62C | 219E0 | 3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E653D2279 | <?xml version="1.0" encoding="UTF-8" standalone="y |
| Intelligent String |
• kernel32.dll
• .tmp
• .bss
• .tls
• x:\dirname"
• For more detailed information, please visit http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
• shell32.dll
• oleaut32.dll
• RegCloseKeyuser32.dll
• CharNextWkernel32.dll
• CloseHandlekernel32.dll
• user32.dll
• CloseHandleadvapi32.dll
• Sleepadvapi32.dll
• <dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
• foL=hz
• >4T.xpm
Entries such as RegCloseKeyuser32.dll are an imported function name and the following DLL name run together by the extractor; "x:\dirname" and the jrsoftware.org help link come from Inno Setup's command-line usage text.
| Flow Anomalies |
The column the tool labels "RVA" is actually the absolute memory operand of the instruction (a VA, ImageBase already included). Read against the header values above, these entries are not anomalies. Every JMP [static] operand lies between 4192FC and 4194E8, inside .idata at or after the IAT (RVA 192FC, VA 4192FC), so these are the ordinary jmp [IAT] import thunks the Delphi linker emits; the block at offsets 498 to 5FC is spaced 8 bytes apart, a 6-byte FF 25 jump plus padding. The CALL [static] operands point into .data (412010 to 412748) and .bss (413008 to 413340), i.e. calls through global function-pointer variables filled in at run time, which fits the LoadLibraryW/GetProcAddress imports listed under Suspicious Functions. The one exception is the row at offset 2AF9 whose operand FF00 lies outside the image (ImageBase 400000, SizeOfImage 2D000); it is most likely a mis-decoded byte sequence rather than a real jump.
| Offset | Target (VA) | Section | Kind | Description |
|---|---|---|---|---|
| 498 | 4193AC | .text | JMP [static] | Indirect jump to absolute memory address |
| 4A0 | 4193A8 | .text | JMP [static] | Indirect jump to absolute memory address |
| 4A8 | 4193A4 | .text | JMP [static] | Indirect jump to absolute memory address |
| 4B0 | 4193A0 | .text | JMP [static] | Indirect jump to absolute memory address |
| 4B8 | 41939C | .text | JMP [static] | Indirect jump to absolute memory address |
| 4C0 | 419398 | .text | JMP [static] | Indirect jump to absolute memory address |
| 4C8 | 419328 | .text | JMP [static] | Indirect jump to absolute memory address |
| 4D0 | 419394 | .text | JMP [static] | Indirect jump to absolute memory address |
| 4D8 | 419324 | .text | JMP [static] | Indirect jump to absolute memory address |
| 4E0 | 419390 | .text | JMP [static] | Indirect jump to absolute memory address |
| 4E8 | 41938C | .text | JMP [static] | Indirect jump to absolute memory address |
| 4F0 | 419388 | .text | JMP [static] | Indirect jump to absolute memory address |
| 4F8 | 419384 | .text | JMP [static] | Indirect jump to absolute memory address |
| 500 | 419380 | .text | JMP [static] | Indirect jump to absolute memory address |
| 508 | 41937C | .text | JMP [static] | Indirect jump to absolute memory address |
| 510 | 419378 | .text | JMP [static] | Indirect jump to absolute memory address |
| 518 | 419374 | .text | JMP [static] | Indirect jump to absolute memory address |
| 520 | 419370 | .text | JMP [static] | Indirect jump to absolute memory address |
| 528 | 41936C | .text | JMP [static] | Indirect jump to absolute memory address |
| 530 | 419368 | .text | JMP [static] | Indirect jump to absolute memory address |
| 538 | 419320 | .text | JMP [static] | Indirect jump to absolute memory address |
| 540 | 419364 | .text | JMP [static] | Indirect jump to absolute memory address |
| 548 | 419360 | .text | JMP [static] | Indirect jump to absolute memory address |
| 550 | 41935C | .text | JMP [static] | Indirect jump to absolute memory address |
| 558 | 419314 | .text | JMP [static] | Indirect jump to absolute memory address |
| 560 | 419310 | .text | JMP [static] | Indirect jump to absolute memory address |
| 568 | 41930C | .text | JMP [static] | Indirect jump to absolute memory address |
| 570 | 419358 | .text | JMP [static] | Indirect jump to absolute memory address |
| 578 | 419354 | .text | JMP [static] | Indirect jump to absolute memory address |
| 580 | 419304 | .text | JMP [static] | Indirect jump to absolute memory address |
| 588 | 419300 | .text | JMP [static] | Indirect jump to absolute memory address |
| 590 | 4192FC | .text | JMP [static] | Indirect jump to absolute memory address |
| 598 | 419350 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5A0 | 41934C | .text | JMP [static] | Indirect jump to absolute memory address |
| 5A8 | 419348 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5B0 | 419344 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5B8 | 419340 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5EC | 41933C | .text | JMP [static] | Indirect jump to absolute memory address |
| 5F4 | 419338 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5FC | 419334 | .text | JMP [static] | Indirect jump to absolute memory address |
| 21F0 | 412748 | .text | CALL [static] | Indirect call to absolute memory address |
| 2208 | 41273C | .text | CALL [static] | Indirect call to absolute memory address |
| 2224 | 412740 | .text | CALL [static] | Indirect call to absolute memory address |
| 2245 | 412744 | .text | CALL [static] | Indirect call to absolute memory address |
| 225E | 412740 | .text | CALL [static] | Indirect call to absolute memory address |
| 2277 | 41273C | .text | CALL [static] | Indirect call to absolute memory address |
| 22EB | 413020 | .text | CALL [static] | Indirect call to absolute memory address |
| 232A | 413008 | .text | CALL [static] | Indirect call to absolute memory address |
| 2521 | 413030 | .text | CALL [static] | Indirect call to absolute memory address |
| 2ADC | 41931C | .text | JMP [static] | Indirect jump to absolute memory address |
| 2AF9 | FF00 | .text | JMP [static] | Indirect jump to absolute memory address |
| 2F04 | 413014 | .text | CALL [static] | Indirect call to absolute memory address |
| 2F22 | 413014 | .text | CALL [static] | Indirect call to absolute memory address |
| 2F3A | 413014 | .text | CALL [static] | Indirect call to absolute memory address |
| 2FAC | 413014 | .text | CALL [static] | Indirect call to absolute memory address |
| 2FCC | 413014 | .text | CALL [static] | Indirect call to absolute memory address |
| 2FE9 | 413014 | .text | CALL [static] | Indirect call to absolute memory address |
| 30C6 | 413018 | .text | CALL [static] | Indirect call to absolute memory address |
| 31CB | 413010 | .text | CALL [static] | Indirect call to absolute memory address |
| 324E | 413018 | .text | CALL [static] | Indirect call to absolute memory address |
| 33EE | 413014 | .text | JMP [static] | Indirect jump to absolute memory address |
| 355C | 413018 | .text | CALL [static] | Indirect call to absolute memory address |
| 3913 | 413340 | .text | CALL [static] | Indirect call to absolute memory address |
| 3A82 | 41302C | .text | CALL [static] | Indirect call to absolute memory address |
| 4939 | 412010 | .text | CALL [static] | Indirect call to absolute memory address |
| 4A6D | 412014 | .text | CALL [static] | Indirect call to absolute memory address |
| 5850 | 419330 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5910 | 4193C0 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5918 | 4193BC | .text | JMP [static] | Indirect jump to absolute memory address |
| 5920 | 4193B8 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5928 | 4193B4 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5A18 | 4194E8 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5A20 | 4194E4 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5A28 | 4194E0 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5A30 | 4194DC | .text | JMP [static] | Indirect jump to absolute memory address |
| 5A38 | 4194D8 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5A40 | 4194D0 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5A48 | 4194CC | .text | JMP [static] | Indirect jump to absolute memory address |
| 5A50 | 4194C8 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5A58 | 4194C4 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5A60 | 4194C0 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5A68 | 4194BC | .text | JMP [static] | Indirect jump to absolute memory address |
| 5A70 | 4194B8 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5A78 | 4194B4 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5A80 | 4194B0 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5A88 | 4194AC | .text | JMP [static] | Indirect jump to absolute memory address |
| 5A90 | 4194A8 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5AB0 | 4194A4 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5AB8 | 4194A0 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5AC0 | 41949C | .text | JMP [static] | Indirect jump to absolute memory address |
| 5AC8 | 419498 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5AD0 | 419494 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5AD8 | 419490 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5AE0 | 41948C | .text | JMP [static] | Indirect jump to absolute memory address |
| 5AE8 | 419488 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5AF0 | 419484 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5AF8 | 419480 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5B00 | 41947C | .text | JMP [static] | Indirect jump to absolute memory address |
| 5B08 | 419478 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5B10 | 419474 | .text | JMP [static] | Indirect jump to absolute memory address |
| 22200 | N/A | *Overlay* | 7A6C621A5D00008000002696861DF7F2016B0275 | zlb.].....&......k.u |
The overlay starts where .rsrc ends on disk (12000 + 10200 = 22200). Its first four bytes 7A 6C 62 1A ("zlb" followed by 0x1A) are the compressed-block marker used in Inno Setup's setup data, which agrees with DIE's overlay identification under Packer/Compiler.
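The numbers most worth re-deriving from this report, as an added example (Python written for this page, not PESCAN.IO's or IObit's code): the RVA-to-raw-offset mapping quoted under Entry Point, the real target of the CALL in the entry stub, the overlay start, and the classification of the Flow Anomalies operands. Every constant is copied from the report above; the only assumptions are the simplified section-range rule (the larger of raw and virtual size, without section-alignment rounding) and the representative subset of operands taken from the table, so the script runs without the sample itself.

```python
# Added example, not part of the PESCAN.IO report. It re-derives the report's
# own numbers from the header and section values printed above; every
# constant is copied from the report and nothing is read from the file.
from dataclasses import dataclass
from typing import Optional

IMAGE_BASE = 0x400000        # ImageBase
SIZE_OF_IMAGE = 0x2D000      # SizeOfImage
IAT_RVA = 0x192FC            # IAT (rva)
ENTRY_RVA = 0x113BC          # EntryPoint (rva)
IMAGE_SCN_MEM_EXECUTE = 0x20000000


@dataclass(frozen=True)
class Section:
    name: str
    raw_off: int
    raw_size: int
    virt_off: int
    virt_size: int
    flags: int


# "Sections Info" table from the report (hex values)
SECTIONS = [
    Section(".text",  0x400,   0xF200,  0x1000,  0xF134,  0x60000020),
    Section(".itext", 0xF600,  0xC00,   0x11000, 0xB44,   0x60000020),
    Section(".data",  0x10200, 0xE00,   0x12000, 0xC88,   0xC0000040),
    Section(".bss",   0x11000, 0x0,     0x13000, 0x56B8,  0xC0000000),
    Section(".idata", 0x11000, 0xE00,   0x19000, 0xDD0,   0xC0000040),
    Section(".tls",   0x11E00, 0x0,     0x1A000, 0x8,     0xC0000000),
    Section(".rdata", 0x11E00, 0x200,   0x1B000, 0x18,    0x40000040),
    Section(".rsrc",  0x12000, 0x10200, 0x1C000, 0x1000C, 0x40000040),
]


def section_for_rva(rva: int) -> Optional[Section]:
    """Section whose virtual range covers rva (simplified: larger of raw/virtual size, no alignment rounding)."""
    for s in SECTIONS:
        if s.virt_off <= rva < s.virt_off + max(s.virt_size, s.raw_size):
            return s
    return None


def rva_to_offset(rva: int) -> Optional[int]:
    """File offset backing an RVA, or None when the bytes exist only in memory."""
    s = section_for_rva(rva)
    if s is None:
        return None
    delta = rva - s.virt_off
    if delta >= s.raw_size:   # .bss/.tls (raw size 0) or the zero-filled tail of a section
        return None
    return s.raw_off + delta


def overlay_offset() -> int:
    """First byte after the last section on disk: where appended (overlay) data starts."""
    return max(s.raw_off + s.raw_size for s in SECTIONS)


def resolve_rel32(insn_va: int, insn: bytes) -> int:
    """Target of an E8 (CALL rel32): address of the next instruction plus the signed displacement."""
    if len(insn) != 5 or insn[0] != 0xE8:
        raise ValueError("expected a 5-byte CALL rel32")
    disp = int.from_bytes(insn[1:5], "little", signed=True)
    return (insn_va + 5 + disp) & 0xFFFFFFFF


# The 50 bytes at the entry point, copied from the "Entry Point" section
ENTRY_STUB = bytes.fromhex(
    "558BEC83C4A453565733C08945C48945C08945A48945D08945C88945CC"
    "8945D48945D88945ECB834004100E8E851FFFF33C0")
CALL_INDEX = 43   # byte index of the E8 opcode inside ENTRY_STUB


def entry_call_target() -> int:
    """VA called by the entry stub once the stub is placed at its real address (ImageBase + entry RVA)."""
    call_va = IMAGE_BASE + ENTRY_RVA + CALL_INDEX
    return resolve_rel32(call_va, ENTRY_STUB[CALL_INDEX:CALL_INDEX + 5])


def classify_target(va: int) -> str:
    """Label an absolute operand from the 'Flow Anomalies' table by the region it points into."""
    if not IMAGE_BASE <= va < IMAGE_BASE + SIZE_OF_IMAGE:
        return "outside image"                      # e.g. the FF00 row: mis-decoded bytes
    s = section_for_rva(va - IMAGE_BASE)
    if s is None:
        return "header/gap"
    if s.name == ".idata" and va - IMAGE_BASE >= IAT_RVA:
        return "IAT slot"                           # jmp [IAT] = ordinary import thunk
    if not s.flags & IMAGE_SCN_MEM_EXECUTE:
        return f"pointer in {s.name}"               # call [global] = function-pointer variable
    return f"code in {s.name}"


# Operands copied from the "Flow Anomalies" table (a representative subset of the rows)
JMP_TARGETS = [0x4193AC, 0x4192FC, 0x419304, 0x4193C0, 0x4194E8, 0x419474, 0xFF00]
CALL_TARGETS = [0x412748, 0x41273C, 0x413020, 0x413008, 0x413340, 0x412010]


def summarize(targets) -> dict:
    """Count operands per classification label."""
    counts: dict = {}
    for va in targets:
        label = classify_target(va)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    print(f"entry raw offset : 0x{rva_to_offset(ENTRY_RVA):X}")
    print(f"overlay starts at: 0x{overlay_offset():X}")
    print(f"entry CALL target: 0x{entry_call_target():X}")
    print("JMP operands :", summarize(JMP_TARGETS))
    print("CALL operands:", summarize(CALL_TARGETS))
```

Run as a script it prints 0xF9BC, 0x22200 and 0x4065D4 and classifies the JMP operands as IAT slots (except FF00, outside the image) and the CALL operands as pointers in .data and .bss; `resolve_rel32(0x1000 + CALL_INDEX, ...)` reproduces the tool's wrapped 0xFFFF6218 and shows why it looked that way. To apply the same checks to a file instead of to the report's numbers, build SECTIONS from the PE section table (for example with pefile) rather than from the literal.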
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 1711955 | 67.786% |
| Null Byte Code | 48373 | 1.9154% |
Consistency check: 1711955 / 0.67786 is roughly 2,525,500 bytes, about 2.41 MiB, which matches the reported file size, and 48373 of that is 1.9154%. A null-byte share this low is what a file that is mostly compressed overlay looks like; zero-padded sections would push it up.
© 2026 All rights reserved.