PESCAN.IO - Analysis Report Basic
| File Structure |
[PE chart image not included in this extract. Chart legend: light blue = executable header; pink = executable sections; black = non-executable sections; red = external injected code; a red File Structure bar = malformed or corrupted header. Legend for non-PE files: blue = printable characters; black = non-printable characters.]
| Information |
• Size: 3,35 MB
• SHA-256: ED01EBFBC9EB5BBEA545AF4D01BF5F1071661840480439C6E5BABE8E080E41AA
• SHA-1: 5FF465AFAABCBF0150D1A3AB2C2E74F3A4426467
• MD5: 84C82835A5D21BBCF75A61706D8AB549
• Imphash: 68F013D7437AA653A8A98A05807AFEB1
• MajorOSVersion: 4, MinorOSVersion: 0
• CheckSum: 00000000
• EntryPoint (RVA): 77BA
• SizeOfHeaders: 1000
• SizeOfImage: 35A000
• ImageBase: 400000
• Architecture: x86
• ImportTable: D5A8
• IAT: 8000
• Characteristics: 10F
• TimeDateStamp: 4CE78F41 (Date: 20/11/2010 9:05:05 UTC)
• File Type: EXE
• Number Of Sections: 4
• ASLR: Disabled
• Section Names: .text, .rdata, .data, .rsrc
• Number Of Executable Sections: 1
• Subsystem: Windows GUI
• UAC Execution Level Manifest: asInvoker
With ASLR disabled and ImageBase 400000, the absolute addresses quoted later in this report (entry-point immediates, indirect call targets) convert to RVAs by subtracting 400000.
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 60000020 (Code, Executable, Readable) | 1000 | 7000 | 1000 | 69B0 | 6,4042 | 205225,84 |
| .rdata | 40000040 (Initialized Data, Readable) | 8000 | 6000 | 8000 | 5F70 | 6,6636 | 421273,58 |
| .data | C0000040 (Initialized Data, Readable, Writeable) | E000 | 2000 | E000 | 1958 | 4,4557 | 502756,31 |
| .rsrc | 40000040 (Initialized Data, Readable) | 10000 | 34A000 | 10000 | 349FA0 | 7,9999 | 647,82 |
| Description |
• OriginalFilename: diskpart.exe
• CompanyName: Microsoft Corporation
• LegalCopyright: Microsoft Corporation. All rights reserved.
• ProductName: Microsoft Windows Operating System
• FileVersion: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
• FileDescription: DiskPart
• ProductVersion: 6.1.7601.17514
• Language: English (United States) (ID=0x409)
• CodePage: Unicode (UTF-16 LE) (0x4B0)
Version-resource strings are unauthenticated and trivially copied from a legitimate binary. The file carries no Authenticode signature (see Signatures below), so nothing in this block verifies the Microsoft origin it claims.
| Entry Point |
| The section number (1) - (.text) have the Entry Point Information -> EntryPoint (calculated) - 77BA Code -> 558BEC6AFF6888D4400068F476400064A100000000506489250000000083EC685356578965E833DB895DFC6A02FF15C48140 • PUSH EBP • MOV EBP, ESP • PUSH -1 • PUSH 0X40D488 • PUSH 0X4076F4 • MOV EAX, DWORD PTR FS:[0] • PUSH EAX • MOV DWORD PTR FS:[0], ESP • SUB ESP, 0X68 • PUSH EBX • PUSH ESI • PUSH EDI • MOV DWORD PTR [EBP - 0X18], ESP • XOR EBX, EBX • MOV DWORD PTR [EBP - 4], EBX • PUSH 2 |
| Signatures |
• Rich Signature Analyzer: Code -> E0C53AD1A4A45482A4A45482A4A45482DFB85882A6A45482CBBB5F82A5A4548227B85A82A0A45482CBBB5E82AFA45482CBBB5082A0A4548267AB0982A9A45482A4A4558207A4548292825F82A3A4548263A25282A5A4548252696368A4A45482
• Footprint md5 Hash -> 09DE299505B5D52579064EDBC3A5E5DC
• The Rich header apparently has not been modified
• Certificate - Digital Signature Not Found: the file is not signed
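The Rich signature above is stored XOR-encrypted with a key that follows the literal "Rich" marker, so it can be decoded offline from the hex dump alone. The following script is an added example (not pescan.io's own code): it recovers the key, checks the "DanS" signature and padding, and lists each (product id, build, object count) entry. The product-name table is a small subset of the community-maintained @comp.id list covering only VC6-era ids and is an assumption; unknown ids are reported as such rather than guessed. The "apparently has not been modified" verdict in the report depends on a checksum over the DOS header, which the report does not include, so this example does not reproduce that check.

```python
import struct

# Rich signature bytes exactly as printed in the Signatures section above:
# "DanS"^key, three key-encrypted zero pads, (compid^key, count^key) pairs, "Rich", key.
RICH_HEX = (
    "E0C53AD1A4A45482A4A45482A4A45482DFB85882A6A45482CBBB5F82A5A45482"
    "27B85A82A0A45482CBBB5E82AFA45482CBBB5082A0A4548267AB0982A9A45482"
    "A4A4558207A4548292825F82A3A4548263A25282A5A4548252696368A4A45482"
)

DANS = 0x536E6144  # "DanS" read as a little-endian dword
RICH = 0x68636952  # "Rich" read as a little-endian dword

# Assumed subset of the public @comp.id product table (VC6 era only).
KNOWN_PRODUCTS = {
    0x01: "Import0", 0x04: "Linker600", 0x06: "Cvtres500",
    0x0A: "Utc12_C", 0x0B: "Utc12_CPP", 0x0C: "AliasObj60", 0x0E: "Masm613",
}


def decode_rich(blob):
    """Recover the XOR key and the (product, build, count) entries of a Rich header."""
    if len(blob) < 24 or len(blob) % 4:
        raise ValueError("Rich header must be at least 6 whole dwords")
    dw = struct.unpack("<%dI" % (len(blob) // 4), blob)
    if dw[-2] != RICH:
        raise ValueError("missing 'Rich' trailer")
    key = dw[-1]                      # the key is stored in clear after "Rich"
    if dw[0] ^ key != DANS:
        raise ValueError("first dword does not decrypt to 'DanS'")
    if any(p ^ key for p in dw[1:4]):
        raise ValueError("padding dwords are not key-encrypted zeros")
    body = dw[4:-2]
    if len(body) % 2:
        raise ValueError("odd number of entry dwords")
    entries = []
    for comp, count in zip(body[0::2], body[1::2]):
        comp ^= key                   # high word = product id, low word = build number
        entries.append({
            "prod_id": comp >> 16,
            "build": comp & 0xFFFF,
            "count": count ^ key,     # number of objects produced by that tool
            "name": KNOWN_PRODUCTS.get(comp >> 16, "unknown"),
        })
    return key, entries


def toolchain_builds(entries):
    """Distinct non-zero build numbers, for comparison with the DIE compiler verdict."""
    return sorted({e["build"] for e in entries if e["build"]})


if __name__ == "__main__":
    key, entries = decode_rich(bytes.fromhex(RICH_HEX))
    print("XOR key: 0x%08X" % key)
    for e in entries:
        print("  prod 0x%04X %-11s build %5d  count %3d"
              % (e["prod_id"], e["name"], e["build"], e["count"]))
    print("builds:", toolchain_builds(entries))
```

The decoded builds include 8047 (the VC6 RTM linker) and 9782, the same number DIE prints in its "6.0 (1720-9782)" verdict, so the two identifications corroborate each other. The Import0 entry's count gives the number of import thunks the linker emitted, a figure worth comparing with the size of the import table when checking for post-link tampering.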
| Packer/Compiler |
Detect It Easy (die):
• PE: compiler: EP:Microsoft Visual C/C++(6.0 (1720-9782))[EXE32]
• PE: compiler: Microsoft Visual C/C++(6.0)[msvcrt]
• PE: linker: Microsoft Linker(6.0*)[-]
• PE: archive: Zip(2.0)[encrypted,55.8%,36 files]
• Entropy: 7.99547
The whole-file entropy is dominated by .rsrc (entropy 7,9999 over 34A000 of the 35A000-byte image), which is where the encrypted Zip archive DIE reports lives. The .text entropy of 6,4042 is in the normal range for compiled x86 code and DIE identifies the compiler at the entry point, so no executable packer is indicated; the payload is embedded as a resource rather than wrapped around the code.
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | GetModuleFileNameA | Retrieve the fully qualified path for the executable file of a specified module. |
| KERNEL32.DLL | VirtualAlloc | Reserve, commit, or both, a region of memory within the virtual address space of a process. |
| KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module. |
| KERNEL32.DLL | CopyFileA | Copies an existing file to a new file. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | CreateFileA | Creates or opens a file or I/O device. |
| ADVAPI32.DLL | CryptEncrypt | Encrypts a block of data with a CryptoAPI key handle (obtained via CryptGenKey, CryptImportKey or CryptDeriveKey). |
| ADVAPI32.DLL | CryptDecrypt | Decrypts a block of data with a CryptoAPI key handle. |
| ADVAPI32.DLL | RegSetValueExA | Sets the data and type of a specified value under a registry key. |
| File Access |
| taskse.exe taskdl.exe tasksche.exe cmd.exe kernel32.dll advapi32.dll MSVCP60.dll MSVCRT.dll WS2_32.dll OLEAUT32.dll SHELL32.dll USER32.dll @.dat Temp |
| File Access (UNICODE) |
| diskpart.exe |
| Interest's Words |
| PADDINGX Encrypt Decrypt exec attrib start cacls icacls systeminfo |
| Interest's Words (UNICODE) |
| diskpart |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | Registry (RegSetValueEx) |
| Text | Ascii | File (GetTempPath) |
| Text | Ascii | File (CopyFile) |
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | File (ReadFile) |
| Text | Ascii | Service (OpenSCManager) |
| Text | Ascii | Service (CreateService) |
| Text | Ascii | Encryption (Microsoft Enhanced RSA and AES Cryptographic Provider) |
| Text | Ascii | Encryption API (CryptAcquireContext) |
| Text | Ascii | Encryption API (CryptGenKey) |
| Text | Ascii | Encryption API (CryptDecrypt) |
| Text | Ascii | Encryption API (CryptReleaseContext) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Stealth (IsBadReadPtr) |
| Text | Ascii | Stealth (VirtualAlloc) |
| Text | Ascii | Stealth (VirtualProtect) |
| Text | Ascii | Execution (CreateProcessA) |
| Entry Point | Hex Pattern | Microsoft Visual C++ 5.0 |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8.0 |
| Entry Point | Hex Pattern | Microsoft Visual C++ v6.0 |
| Entry Point | Hex Pattern | Microsoft Visual C++ v6.0 |
| Entry Point | Hex Pattern | Microsoft Visual C++ |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \XIA\2058\1033 | 100F0 | 349635 | 100F0 | 504B0304140001000800AAA1AB4AFE216D675437000036F9150006000000622E776E72795038ED87F2241826356A4BE0F7FF | PK...........J.!mgT7..6.......b.wnryP8...$.&5jK... |
| \VERSION\1\1033 | 359728 | 388 | 359728 | 880334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000100 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \24\1\1033 | 359AB0 | 4EF | 359AB0 | 3C617373656D626C7920786D6C6E733D2275726E3A736368656D61732D6D6963726F736F66742D636F6D3A61736D2E763122 | <assembly xmlns="urn:schemas-microsoft-com:asm.v1" |
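The first resource dump above begins with 50 4B 03 04, the PKZIP local file header signature, which is what DIE's "Zip(2.0)[encrypted,...]" verdict under Packer/Compiler is keyed on. The script below is an added example (not pescan.io's code) that parses that header from the 50 bytes printed in the table: it decodes the version, general-purpose flags, compression method, DOS timestamp, CRC and sizes, and reports where the entry's data starts. Only the first entry is on the page, so the 36-file count and the archive password are not derivable here.

```python
import struct
from datetime import datetime

# First 50 bytes of resource \XIA\2058\1033 exactly as dumped in the Resources
# table above: a PKZIP local file header followed by the start of the first entry.
RESOURCE_HEAD_HEX = (
    "504B0304140001000800AAA1AB4AFE216D675437000036F9150006000000"
    "622E776E72795038ED87F2241826356A4BE0F7FF"
)

LOCAL_FILE_HEADER_SIG = 0x04034B50      # "PK\x03\x04"
FLAG_ENCRYPTED = 0x0001                 # general-purpose bit 0
FLAG_DATA_DESCRIPTOR = 0x0008           # bit 3: CRC/sizes follow the data
FLAG_STRONG_ENCRYPTION = 0x0040         # bit 6: strong-encryption extension
METHODS = {0: "stored", 8: "deflate", 99: "aes (winzip)"}


def dos_datetime(dos_time, dos_date):
    """Decode an MS-DOS packed date/time; returns None for out-of-range fields."""
    try:
        return datetime(1980 + (dos_date >> 9), (dos_date >> 5) & 0xF, dos_date & 0x1F,
                        dos_time >> 11, (dos_time >> 5) & 0x3F, (dos_time & 0x1F) * 2)
    except ValueError:
        return None


def parse_local_file_header(buf):
    """Parse one PKZIP local file header (APPNOTE 4.3.7) from the start of buf."""
    if len(buf) < 30:
        raise ValueError("need at least 30 bytes for a local file header")
    (sig, version, flags, method, mtime, mdate, crc32,
     csize, usize, name_len, extra_len) = struct.unpack("<IHHHHHIIIHH", buf[:30])
    if sig != LOCAL_FILE_HEADER_SIG:
        raise ValueError("not a local file header: 0x%08X" % sig)
    name_end = 30 + name_len
    if len(buf) < name_end:
        raise ValueError("file name truncated")
    when = dos_datetime(mtime, mdate)
    return {
        "name": buf[30:name_end].decode("cp437"),
        "version_needed": "%d.%d" % (version // 10, version % 10),
        "encrypted": bool(flags & FLAG_ENCRYPTED),
        "strong_encryption": bool(flags & FLAG_STRONG_ENCRYPTION),
        "data_descriptor": bool(flags & FLAG_DATA_DESCRIPTOR),
        "method": METHODS.get(method, "unknown(%d)" % method),
        "modified": when.strftime("%Y-%m-%d %H:%M:%S") if when else None,
        "crc32": crc32,
        "compressed_size": csize,
        "uncompressed_size": usize,
        "data_offset": name_end + extra_len,   # offset of the (encrypted) entry data
    }


if __name__ == "__main__":
    entry = parse_local_file_header(bytes.fromhex(RESOURCE_HEAD_HEX))
    for key, value in entry.items():
        print("%-18s %s" % (key, value))
```

The first entry is b.wnry, deflated, with bit 0 set and bit 6 clear: legacy PKWARE (ZipCrypto) encryption rather than the strong-encryption extension or WinZip AES (method 99). Its DOS timestamp decodes to 2017-05-11, more than six years after the PE header's TimeDateStamp of 20/11/2010; the gap is worth recording when assessing whether the compile timestamp reflects when this binary was actually built.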
| Intelligent String |
| • diskpart.exe • KERNEL32.dll • ADVAPI32.dll • WS2_32.dll • advapi32.dll • .der • .pfx • .key • .crt • .csr • .pem • .odt • .ott • .sxw • .stw • .uot • .max • .ods • .ots • .sxc • .stc • .dif • .slk • .odp • .otp • .sxd • .std • .uop • .odg • .otg • .sxm • .mml • .lay • .asc • .sql • .mdb • .dbf • .odb • .frm • .myd • .myi • .ibd • .mdf • .ldf • .sln • .suo • .cpp • .pas • .asm • .cmd • .bat • .ps1 • .vbs • .dip • .dch • .sch • .brd • .jsp • .php • .asp • .jar • .wav • .swf • .fla • .wmv • .mpg • .vob • .asf • .avi • .mov • .mkv • .flv • .wma • .mid • .svg • .psd • .nef • .tif • .cgm • .raw • .gif • .png • .bmp • .jpg • .vcd • .iso • .zip • .rar • .tgz • .tar • .bak • .tbk • .PAQ • .ARC • .aes • .gpg • .vmx • .vdi • .sti • .sxi • .hwp • .snt • .dwg • .wks • .rtf • .csv • .txt • .vsd • .edb • .eml • .msg • .ost • .pst • .pps • .pot • .ppt • .xlc • .xlm • .xlt • .xlw • .xls • .dot • .doc • CreateFileWkernel32.dll • cmd.exe /c "%s"XIA115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn • Global\MsWinZonesCacheCounterMutexAtasksche.exe • icacls . /grant Everyone:F /T /C /Qattrib +h .WNcry@2ol7 • 3,3taskdl.exe • 93taskse.exe |
| Flow Anomalies |
| Offset | Target (VA) | Section | Type | Description |
|---|---|---|---|---|
| 101B | 408118 | .text | CALL [static] | Indirect call to absolute memory address |
| 103F | 408114 | .text | CALL [static] | Indirect call to absolute memory address |
| 1047 | 408110 | .text | CALL [static] | Indirect call to absolute memory address |
| 1058 | 40810C | .text | CALL [static] | Indirect call to absolute memory address |
| 10A8 | 4080EC | .text | CALL [static] | Indirect call to absolute memory address |
| 10BD | 4080F4 | .text | CALL [static] | Indirect call to absolute memory address |
| 10CC | 4080F8 | .text | CALL [static] | Indirect call to absolute memory address |
| 10DD | 4080FC | .text | CALL [static] | Indirect call to absolute memory address |
| 114B | 408134 | .text | CALL [static] | Indirect call to absolute memory address |
| 117A | 408014 | .text | CALL [static] | Indirect call to absolute memory address |
| 119A | 4080D4 | .text | CALL [static] | Indirect call to absolute memory address |
| 11BD | 408018 | .text | CALL [static] | Indirect call to absolute memory address |
| 11E4 | 40801C | .text | CALL [static] | Indirect call to absolute memory address |
| 11FA | 4080D8 | .text | CALL [static] | Indirect call to absolute memory address |
| 1203 | 408020 | .text | CALL [static] | Indirect call to absolute memory address |
| 125F | 4080D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 12A1 | 408124 | .text | CALL [static] | Indirect call to absolute memory address |
| 150D | 408034 | .text | CALL [static] | Indirect call to absolute memory address |
| 1529 | 408030 | .text | CALL [static] | Indirect call to absolute memory address |
| 1556 | 40F880 | .text | CALL [static] | Indirect call to absolute memory address |
| 1591 | 40F880 | .text | CALL [static] | Indirect call to absolute memory address |
| 15BD | 40F880 | .text | CALL [static] | Indirect call to absolute memory address |
| 15DA | 40F880 | .text | CALL [static] | Indirect call to absolute memory address |
| 15F7 | 40F880 | .text | CALL [static] | Indirect call to absolute memory address |
| 166D | 4080DC | .text | CALL [static] | Indirect call to absolute memory address |
| 168E | 40F880 | .text | CALL [static] | Indirect call to absolute memory address |
| 16F0 | 40F890 | .text | CALL [static] | Indirect call to absolute memory address |
| 172C | 4080E0 | .text | CALL [static] | Indirect call to absolute memory address |
| 17F5 | 408038 | .text | CALL [static] | Indirect call to absolute memory address |
| 1825 | 40803C | .text | CALL [static] | Indirect call to absolute memory address |
| 1849 | 40F894 | .text | CALL [static] | Indirect call to absolute memory address |
| 1888 | 40F898 | .text | CALL [static] | Indirect call to absolute memory address |
| 18C4 | 40F89C | .text | CALL [static] | Indirect call to absolute memory address |
| 18D6 | 40F89C | .text | CALL [static] | Indirect call to absolute memory address |
| 18EA | 408010 | .text | CALL [static] | Indirect call to absolute memory address |
| 193A | 408034 | .text | CALL [static] | Indirect call to absolute memory address |
| 194A | 408044 | .text | CALL [static] | Indirect call to absolute memory address |
| 1964 | 4080DC | .text | CALL [static] | Indirect call to absolute memory address |
| 197D | 408040 | .text | CALL [static] | Indirect call to absolute memory address |
| 1993 | 40F898 | .text | CALL [static] | Indirect call to absolute memory address |
| 19BA | 4080E8 | .text | CALL [static] | Indirect call to absolute memory address |
| 19C9 | 4080F0 | .text | CALL [static] | Indirect call to absolute memory address |
| 19F2 | 408050 | .text | CALL [static] | Indirect call to absolute memory address |
| 1A08 | 40F8A4 | .text | CALL [static] | Indirect call to absolute memory address |
| 1A13 | 40804C | .text | CALL [static] | Indirect call to absolute memory address |
| 1A1D | 40804C | .text | CALL [static] | Indirect call to absolute memory address |
| 1A5A | 4080E0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1B2C | 40802C | .text | CALL [static] | Indirect call to absolute memory address |
| 1B36 | 408054 | .text | CALL [static] | Indirect call to absolute memory address |
| 1B4E | 408154 | .text | CALL [static] | Indirect call to absolute memory address |
| 1BCA | 408078 | .text | CALL [static] | Indirect call to absolute memory address |
| 1BDD | 408064 | .text | CALL [static] | Indirect call to absolute memory address |
| 1C10 | 40802C | .text | CALL [static] | Indirect call to absolute memory address |
| 1C97 | 408060 | .text | CALL [static] | Indirect call to absolute memory address |
| 1CFE | 408024 | .text | CALL [static] | Indirect call to absolute memory address |
| 1D21 | 408004 | .text | CALL [static] | Indirect call to absolute memory address |
| 1D31 | 408008 | .text | CALL [static] | Indirect call to absolute memory address |
| 1D3A | 40800C | .text | CALL [static] | Indirect call to absolute memory address |
| 1D54 | 40811C | .text | CALL [static] | Indirect call to absolute memory address |
| 1D75 | 408000 | .text | CALL [static] | Indirect call to absolute memory address |
| 1D84 | 408008 | .text | CALL [static] | Indirect call to absolute memory address |
| 1D8B | 40800C | .text | CALL [static] | Indirect call to absolute memory address |
| 1D9E | 40800C | .text | CALL [static] | Indirect call to absolute memory address |
| 1DC3 | 408100 | .text | CALL [static] | Indirect call to absolute memory address |
| 1DD3 | 408074 | .text | CALL [static] | Indirect call to absolute memory address |
| 1DDE | 408070 | .text | CALL [static] | Indirect call to absolute memory address |
| 1DF1 | 40806C | .text | CALL [static] | Indirect call to absolute memory address |
| 1E6E | 408068 | .text | CALL [static] | Indirect call to absolute memory address |
| 1ED0 | 408120 | .text | CALL [static] | Indirect call to absolute memory address |
| 1F16 | 40811C | .text | CALL [static] | Indirect call to absolute memory address |
| 1F31 | 408080 | .text | CALL [static] | Indirect call to absolute memory address |
| 1F40 | 40807C | .text | CALL [static] | Indirect call to absolute memory address |
| 1F52 | 4080F0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1F97 | 408084 | .text | CALL [static] | Indirect call to absolute memory address |
| 201F | 40808C | .text | CALL [static] | Indirect call to absolute memory address |
| 2030 | 40816C | .text | CALL [static] | Indirect call to absolute memory address |
| 2040 | 408168 | .text | CALL [static] | Indirect call to absolute memory address |
| 206F | 408088 | .text | CALL [static] | Indirect call to absolute memory address |
| 2076 | 408068 | .text | CALL [static] | Indirect call to absolute memory address |
| 20BB | 4080D8 | .text | CALL [static] | Indirect call to absolute memory address |
| 217E | 408090 | .text | CALL [static] | Indirect call to absolute memory address |
| 2191 | 408094 | .text | CALL [static] | Indirect call to absolute memory address |
| 219C | 4080E0 | .text | CALL [static] | Indirect call to absolute memory address |
| 21AB | 4080E4 | .text | CALL [static] | Indirect call to absolute memory address |
| 21B6 | 408098 | .text | CALL [static] | Indirect call to absolute memory address |
| 2219 | 4080A8 | .text | CALL [static] | Indirect call to absolute memory address |
| 2291 | 4080A4 | .text | CALL [static] | Indirect call to absolute memory address |
| 2313 | 4080A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 231A | 40809C | .text | CALL [static] | Indirect call to absolute memory address |
| 2430 | 4080A8 | .text | CALL [static] | Indirect call to absolute memory address |
| 2463 | 4080A8 | .text | CALL [static] | Indirect call to absolute memory address |
| 270D | 4080AC | .text | CALL [static] | Indirect call to absolute memory address |
| 2812 | 4080B0 | .text | CALL [static] | Indirect call to absolute memory address |
| 2854 | 408108 | .text | CALL [static] | Indirect call to absolute memory address |
| 28DC | 4080B0 | .text | CALL [static] | Indirect call to absolute memory address |
| 28FD | 4080A8 | .text | CALL [static] | Indirect call to absolute memory address |
| 2916 | 4080A8 | .text | CALL [static] | Indirect call to absolute memory address |
| 2989 | 408170 | .text | CALL [static] | Indirect call to absolute memory address |
| 29A7 | 4080A8 | .text | CALL [static] | Indirect call to absolute memory address |
| 2A15 | 408174 | .text | CALL [static] | Indirect call to absolute memory address |
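Every row above is a CALL through an absolute pointer, which is what compiler-generated calls to imported functions look like in a non-ASLR image; the question for an analyst is where those pointers live. The script below is an added example (not pescan.io's code) that maps each target to a section using the Sections Info table and the IAT RVA from the header block, separating loader-populated IAT slots in .rdata from pointers in writable .data. It assumes a SectionAlignment of 0x1000 (not printed in the report, inferred from the page-aligned VOffsets) and embeds a constructed subset of the distinct targets in the table. Reading the .data targets as pointers the program fills in at run time is an inference from the LoadLibraryA/GetProcAddress imports listed above, not something the report states.

```python
IMAGE_BASE = 0x400000
IAT_RVA = 0x8000                   # "IAT: 8000" in the Information block above
SECTION_ALIGNMENT = 0x1000         # assumed; inferred from the section VOffsets
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Section table copied from the Sections Info table above:
# (name, VOffset, VSize, ROffset, RSize, Flags)
SECTIONS = [
    (".text",  0x1000,  0x69B0,   0x1000,  0x7000,   0x60000020),
    (".rdata", 0x8000,  0x5F70,   0x8000,  0x6000,   0x40000040),
    (".data",  0xE000,  0x1958,   0xE000,  0x2000,   0xC0000040),
    (".rsrc",  0x10000, 0x349FA0, 0x10000, 0x34A000, 0x40000040),
]

# Constructed subset of the distinct call targets in the Flow Anomalies table.
CALL_TARGETS = [
    0x408000, 0x408004, 0x408008, 0x40800C, 0x408010, 0x408034, 0x4080A8,
    0x4080DC, 0x408118, 0x408154, 0x408174,
    0x40F880, 0x40F890, 0x40F894, 0x40F898, 0x40F89C, 0x40F8A4,
]


def _virtual_extent(sec):
    """Bytes the section occupies in memory, rounded up to the section alignment."""
    size = max(sec[2], sec[4])
    return (size + SECTION_ALIGNMENT - 1) & ~(SECTION_ALIGNMENT - 1)


def section_of_rva(rva):
    """Return the section tuple containing rva, or None (headers / outside image)."""
    for sec in SECTIONS:
        if sec[1] <= rva < sec[1] + _virtual_extent(sec):
            return sec
    return None


def rva_to_file_offset(rva):
    """Map an RVA to its raw file offset, or None if it is not backed by file data."""
    sec = section_of_rva(rva)
    if sec is None or rva - sec[1] >= sec[4]:
        return None
    return sec[3] + (rva - sec[1])


def classify_target(va):
    """Coarse classification of an indirect-call target (absolute address)."""
    rva = va - IMAGE_BASE
    sec = section_of_rva(rva)
    if sec is None:
        return "outside-image"
    name, _voff, _vsize, _roff, _rsize, flags = sec
    if flags & IMAGE_SCN_MEM_EXECUTE:
        return "code-section"      # pointer stored inside code: unusual, inspect
    if name == ".rdata" and rva >= IAT_RVA:
        return "iat"               # loader-populated import slot
    if flags & IMAGE_SCN_MEM_WRITE:
        return "writable-data"     # pointer the program itself fills in at run time
    return "readonly-data"


def summarize(targets):
    """Count targets per class, e.g. {'iat': 11, 'writable-data': 6}."""
    counts = {}
    for va in targets:
        kind = classify_target(va)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for va in CALL_TARGETS:
        sec = section_of_rva(va - IMAGE_BASE)
        print("0x%08X  %-7s %-14s raw 0x%X"
              % (va, sec[0] if sec else "-", classify_target(va),
                 rva_to_file_offset(va - IMAGE_BASE) or 0))
    print(summarize(CALL_TARGETS))
```

The targets 0x408000 to 0x408174 all sit in .rdata at or after the IAT RVA, so they are ordinary static imports. The six targets at 0x40F880 to 0x40F8A4 are in writable .data; those are the call sites to inspect first, because their targets are not visible in the import table and are the natural place for pointers obtained through GetProcAddress or by decrypting the resource payload.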
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 2404498 | 68,4191% |
| Null Byte Code | 33860 | 0,9635% |