PESCAN.IO - Analysis Report Basic
| File Structure |
[PE structure chart not reproduced. Chart legend: PE header (light blue), executable sections (pink), non-executable sections (black), externally injected code (red); a file structure drawn in red indicates a malformed or corrupted header. Legend for non-PE files: printable characters (blue), non-printable characters (black).]
| Information |
| Field | Value |
|---|---|
| Size | 56,50 KB |
| SHA-256 Hash | 51C0CAD9B405F409588FF4D5577AE9580847BED901E00D8C15F19BF96C673728 |
| SHA-1 Hash | C3713295F4AC54B8E67258DB2CA2D60D64BD362B |
| MD5 Hash | 84E1F850AAB22B2705AB047985C916FF |
| Imphash | 6011984D7C1F1B97A34D7517A498BFF8 |
| MajorOSVersion | 4 |
| MinorOSVersion | 0 |
| CheckSum | 00013F67 |
| EntryPoint (rva) | 1290 |
| SizeOfHeaders | 400 |
| SizeOfImage | 1A000 |
| ImageBase | 400000 |
| Architecture | x86 |
| ImportTable | 12000 |
| Characteristics | 30F |
| TimeDateStamp | 573EAB5A |
| Date | 20/05/2016 6:14:50 |
| File Type | EXE |
| Number Of Sections | 6 |
| ASLR | Enabled |
| Section Names | .text, .data, .rdata, .bss, .idata, .rsrc |
| Number Of Executable Sections | 1 |
| Subsystem | Windows GUI |
| Note | Incomplete Binary or Compressor Packer - 47,50 KB Missing |
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 0x60300020 Code Executable Readable | 400 | 5E00 | 1000 | 5D70 | | |
| .data | 0xC0300040 Initialized Data Readable Writeable | 6200 | 200 | 7000 | 40 | | |
| .rdata | 0x40300040 Initialized Data Readable | 6400 | 600 | 8000 | 510 | | |
| .bss | 0xC0300080 Uninitialized Data Readable Writeable | 0 | 0 | 9000 | 8C30 | | |
| .idata | 0xC0300040 Initialized Data Readable Writeable | 6A00 | C00 | 12000 | AA8 | | |
| .rsrc | 0xC0300040 Initialized Data Readable Writeable | 7600 | 6C00 | 13000 | 6B2C | | |
| Entry Point |
Section 1 (.text) contains the entry point. EntryPoint (calculated, file offset): 690.

Code (bytes at the entry point): 5589E583EC08C7042402000000FF1590224100E8A8FEFFFF908DB42600000000558B0DC822410089E55DFFE18D742600558B

Assembler:

```
PUSH EBP
MOV EBP, ESP
SUB ESP, 8
MOV DWORD PTR [ESP], 2
CALL DWORD PTR [0X412290]
CALL 0XEC0
NOP
LEA ESI, [ESI]
PUSH EBP
MOV ECX, DWORD PTR [0X4122C8]
MOV EBP, ESP
POP EBP
JMP ECX
LEA ESI, [ESI]
PUSH EBP
```
| Signatures |
| Certificate - Digital Signature Not Found: • The file is not signed |
| Packer/Compiler |
| Detect It Easy (die) • PE: compiler: MinGW(-)[-] • PE: linker: GNU linker ld (GNU Binutils)(2.56*)[-] • Entropy: 4.49159 |
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | CreateMutexA | Creates a named or unnamed mutex object for controlling access to a shared resource. |
| KERNEL32.DLL | GetModuleFileNameA | Retrieves the fully qualified path for the executable file of a specified module. |
| KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| SHELL32.DLL | ShellExecuteA | Performs an operation, such as open or run, on a specified file. |
| Windows REG |
| • SOFTWARE\JavaSoft\Java Development Kit • SOFTWARE\JavaSoft\Java Runtime Environment • SOFTWARE\IBM\Java Development Kit • SOFTWARE\IBM\Java2 Runtime Environment |
| File Access |
| • bin\javaw.exe • bin\java.exe • USER32.dll • SHELL32.DLL • msvcrt.dll • KERNEL32.dll • ADVAPI32.DLL • weasis\*.jar • weasis\weasis-launcher.jar • .dat |
| Words of Interest |
| • exec • start |
| URLs |
| http://java.com/download |
| Strings/Hex Code Matched by the File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | Registry (RegOpenKeyEx) |
| Text | Ascii | Anti-Analysis VM (GlobalMemoryStatusEx) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Execution (CreateProcessA) |
| Text | Ascii | Execution (ShellExecute) |
| Entry Point | Hex Pattern | MinGWGCC3x |
| Entry Point | Hex Pattern | MingWin32 GCC 3.x |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \ICON\1\1024 | 13658 | 668 | 7C58 | 2800000030000000600000000100040000000000800400000000000000000000000000000000000000000000000080000080 | (...0............................................ |
| \ICON\2\1024 | 13CC0 | 2E8 | 82C0 | 2800000020000000400000000100040000000000000200000000000000000000000000000000000000000000000080000080 | (... ...@......................................... |
| \ICON\3\1024 | 13FA8 | 128 | 85A8 | 2800000010000000200000000100040000000000800000000000000000000000000000000000000000000000000080000080 | (....... ......................................... |
| \ICON\4\1024 | 140D0 | EA8 | 86D0 | 2800000030000000600000000100080000000000000900000000000000000000000100000001000000000000050505000A0A | (...0............................................ |
| \ICON\5\1024 | 14F78 | 8A8 | 9578 | 2800000020000000400000000100080000000000000400000000000000000000000100000001000000000000050505000808 | (... ...@......................................... |
| \ICON\6\1024 | 15820 | 568 | 9E20 | 2800000010000000200000000100080000000000000100000000000000000000000100000001000000000000090909000F0F | (....... ......................................... |
| \ICON\7\1024 | 15D88 | 25A8 | A388 | 2800000030000000600000000100200000000000802500000000000000000000000000000000000000000000000000000000 | (...0........ ......%............................ |
| \ICON\8\1024 | 18330 | 10A8 | C930 | 2800000020000000400000000100200000000000801000000000000000000000000000000000000000000000000000000000 | (... ...@..... ................................... |
| \ICON\9\1024 | 193D8 | 468 | D9D8 | 2800000010000000200000000100200000000000400400000000000000000000000000000000000000000000000000000000 | (....... ..... .....@............................. |
| \RCDATA\1\1024 | 19840 | C | DE40 | 6A72655C77696E646F777300 | jre\windows. |
| \RCDATA\2\1024 | 1984C | 6 | DE4C | 312E362E3000 | 1.6.0. |
| \RCDATA\8\1024 | 19854 | 2 | DE54 | 2E00 | .. |
| \RCDATA\10\1024 | 19858 | 7 | DE58 | 77656173697300 | weasis. |
| \RCDATA\12\1024 | 19860 | 21 | DE60 | 2D447765617369732E706F727461626C652E6469723D2225455845444952252200 | -Dweasis.portable.dir="%EXEDIR%". |
| \RCDATA\13\1024 | 19884 | 16 | DE84 | 246469636F6D3A676574202D2D706F727461626C6500 | $dicom:get --portable. |
| \RCDATA\14\1024 | 1989C | 1B | DE9C | 7765617369735C7765617369732D6C61756E636865722E6A617200 | weasis\weasis-launcher.jar. |
| \RCDATA\15\1024 | 198B8 | 23 | DEB8 | 6F72672E7765617369732E6C61756E636865722E5765617369734C61756E6368657200 | org.weasis.launcher.WeasisLauncher. |
| \RCDATA\16\1024 | 198DC | D | DEDC | 7765617369735C2A2E6A617200 | weasis\*.jar. |
| \RCDATA\18\1024 | 198EC | 2 | DEEC | 3100 | 1. |
| \RCDATA\20\1024 | 198F0 | 3 | DEF0 | 333200 | 32. |
| \RCDATA\21\1024 | 198F4 | 19 | DEF4 | 687474703A2F2F6A6176612E636F6D2F646F776E6C6F616400 | http://java.com/download. |
| \RCDATA\23\1024 | 19910 | E | DF10 | 7765617369732D6E617469766500 | weasis-native. |
| \RCDATA\25\1024 | 19920 | 3 | DF20 | 363400 | 64. |
| \RCDATA\27\1024 | 19924 | 4 | DF24 | 35313200 | 512. |
| \RCDATA\30\1024 | 19928 | 2 | DF28 | 3300 | 3. |
| \RCDATA\32\1024 | 1992C | 5 | DF2C | 7472756500 | true. |
| \RCDATA\101\1024 | 19934 | 32 | DF34 | 416E206572726F72206F63637572726564207768696C65207374617274696E6720746865206170706C69636174696F6E2E00 | An error occurred while starting the application.. |
| \RCDATA\102\1024 | 19968 | 73 | DF68 | 54686973206170706C69636174696F6E2077617320636F6E6669677572656420746F2075736520612062756E646C6564204A | This application was configured to use a bundled J |
| \RCDATA\103\1024 | 199DC | 35 | DFDC | 54686973206170706C69636174696F6E2072657175697265732061204A6176612052756E74696D6520456E7669726F6E6D656E7400 | This application requires a Java Runtime Environment. |
| \RCDATA\104\1024 | 19A14 | 68 | E014 | 5468652072656769737472792072656665727320746F2061206E6F6E6578697374656E74204A6176612052756E74696D6520 | The registry refers to a nonexistent Java Runtime |
| \RCDATA\105\1024 | 19A7C | 2C | E07C | 416E206170706C69636174696F6E20696E7374616E636520697320616C72656164792072756E6E696E672E00 | An application instance is already running.. |
| \GROUP_ICON\1\1024 | 19AA8 | 84 | E0A8 | 00000100090030301000010004006806000001002020100001000400E8020000020010101000010004002801000003003030 | ......00......h..... ....................(.....00 |
| Intelligent String |
| • @0@.bss • ADVAPI32.DLL • KERNEL32.dll • msvcrt.dll • USER32.dll • weasis\weasis-launcher.jar • weasis\*.jar • http://java.com/download |
| Flow Anomalies |
| Offset | RVA | Section | Type | Description |
|---|---|---|---|---|
| 67D | 412290 | .text | CALL [static] | Indirect call to absolute memory address |
| 69D | 412290 | .text | CALL [static] | Indirect call to absolute memory address |
| 5EC0 | 412294 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5EC8 | 412288 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5ED0 | 4122EC | .text | JMP [static] | Indirect jump to absolute memory address |
| 5ED8 | 41228C | .text | JMP [static] | Indirect jump to absolute memory address |
| 5EE0 | 4122C0 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5EE8 | 412284 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5EF0 | 4122DC | .text | JMP [static] | Indirect jump to absolute memory address |
| 5EF8 | 4122E0 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5F00 | 4122D8 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5F08 | 4122CC | .text | JMP [static] | Indirect jump to absolute memory address |
| 5F10 | 412314 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5F18 | 4122E8 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5F20 | 412300 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5F28 | 4122A0 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5F30 | 4122A8 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5F38 | 4122A4 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5F40 | 41230C | .text | JMP [static] | Indirect jump to absolute memory address |
| 5F48 | 412318 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5F50 | 412298 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5F58 | 41229C | .text | JMP [static] | Indirect jump to absolute memory address |
| 5F60 | 4122BC | .text | JMP [static] | Indirect jump to absolute memory address |
| 5F68 | 4122B8 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5F70 | 4122B0 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5F78 | 412304 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5F80 | 4122C4 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5F88 | 412310 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5F90 | 4122F4 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5F98 | 4122F8 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5FA0 | 4122E4 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5FA8 | 4122D0 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5FB0 | 4122F0 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5FB8 | 412308 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5FC0 | 4122FC | .text | JMP [static] | Indirect jump to absolute memory address |
| 5FC8 | 4122D4 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5FD0 | 412274 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5FD8 | 412228 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5FE0 | 412244 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5FE8 | 412250 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5FF0 | 412240 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5FF8 | 412254 | .text | JMP [static] | Indirect jump to absolute memory address |
| 6000 | 41223C | .text | JMP [static] | Indirect jump to absolute memory address |
| 6008 | 412248 | .text | JMP [static] | Indirect jump to absolute memory address |
| 6010 | 412230 | .text | JMP [static] | Indirect jump to absolute memory address |
| 6018 | 412264 | .text | JMP [static] | Indirect jump to absolute memory address |
| 6020 | 41222C | .text | JMP [static] | Indirect jump to absolute memory address |
| 6028 | 412260 | .text | JMP [static] | Indirect jump to absolute memory address |
| 6030 | 412268 | .text | JMP [static] | Indirect jump to absolute memory address |
| 6038 | 412270 | .text | JMP [static] | Indirect jump to absolute memory address |
| 6040 | 41224C | .text | JMP [static] | Indirect jump to absolute memory address |
| 6048 | 412238 | .text | JMP [static] | Indirect jump to absolute memory address |
| 6050 | 41225C | .text | JMP [static] | Indirect jump to absolute memory address |
| 6058 | 412220 | .text | JMP [static] | Indirect jump to absolute memory address |
| 6060 | 41226C | .text | JMP [static] | Indirect jump to absolute memory address |
| 6068 | 41221C | .text | JMP [static] | Indirect jump to absolute memory address |
| 6070 | 412224 | .text | JMP [static] | Indirect jump to absolute memory address |
| 6078 | 412278 | .text | JMP [static] | Indirect jump to absolute memory address |
| 6080 | 412234 | .text | JMP [static] | Indirect jump to absolute memory address |
| 6088 | 412258 | .text | JMP [static] | Indirect jump to absolute memory address |
| 6090 | 41233C | .text | JMP [static] | Indirect jump to absolute memory address |
| 6098 | 412350 | .text | JMP [static] | Indirect jump to absolute memory address |
| 60A0 | 412330 | .text | JMP [static] | Indirect jump to absolute memory address |
| 60A8 | 412370 | .text | JMP [static] | Indirect jump to absolute memory address |
| 60B0 | 41237C | .text | JMP [static] | Indirect jump to absolute memory address |
| 60B8 | 412334 | .text | JMP [static] | Indirect jump to absolute memory address |
| 60C0 | 412340 | .text | JMP [static] | Indirect jump to absolute memory address |
| 60C8 | 41235C | .text | JMP [static] | Indirect jump to absolute memory address |
| 60D0 | 412368 | .text | JMP [static] | Indirect jump to absolute memory address |
| 60D8 | 41234C | .text | JMP [static] | Indirect jump to absolute memory address |
| 60E0 | 412344 | .text | JMP [static] | Indirect jump to absolute memory address |
| 60E8 | 412374 | .text | JMP [static] | Indirect jump to absolute memory address |
| 60F0 | 412378 | .text | JMP [static] | Indirect jump to absolute memory address |
| 60F8 | 412380 | .text | JMP [static] | Indirect jump to absolute memory address |
| 6100 | 41236C | .text | JMP [static] | Indirect jump to absolute memory address |
| 6108 | 412354 | .text | JMP [static] | Indirect jump to absolute memory address |
| 6110 | 412348 | .text | JMP [static] | Indirect jump to absolute memory address |
| 6118 | 412358 | .text | JMP [static] | Indirect jump to absolute memory address |
| 6120 | 412364 | .text | JMP [static] | Indirect jump to absolute memory address |
| 6128 | 412338 | .text | JMP [static] | Indirect jump to absolute memory address |
| 6130 | 412360 | .text | JMP [static] | Indirect jump to absolute memory address |
| 6138 | 41220C | .text | JMP [static] | Indirect jump to absolute memory address |
| 6140 | 412210 | .text | JMP [static] | Indirect jump to absolute memory address |
| 6148 | 412204 | .text | JMP [static] | Indirect jump to absolute memory address |
| 6150 | 412208 | .text | JMP [static] | Indirect jump to absolute memory address |
| 6158 | 412324 | .text | JMP [static] | Indirect jump to absolute memory address |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 19814 | 34,2471% |
| Null Byte Code | 27301 | 47,1878% |
| NOP Cave Found | 0x9090909090 (Block Count: 26) | Total: 0,1123% |
© 2026 All rights reserved.