PESCAN.IO - Analysis Report Basic
| File Structure |
[PE structure chart image not reproduced. Legend: executable header (light blue), executable sections (pink), non-executable sections (black), external injected code (red); a file structure drawn in red indicates a malformed or corrupted header. For non-PE files: printable characters (blue), non-printable characters (black).]
| Information |
• Size: 4,49 MB
• SHA-256 Hash: DBD4FA2E873E30D862002DB70046E657FA926FF6D9EE6FDBDD146CF6805C5710
• SHA-1 Hash: 1A21B41A79EE890DCA82FFC73F50B458A2F87CC3
• MD5 Hash: 87159BA7C4D17851701235CC35F870AE
• Imphash: 8D92FA1956A6A631C642190121740197
• MajorOSVersion: 5
• MinorOSVersion: 0
• CheckSum: 00011163
• EntryPoint (RVA): 15EB
• SizeOfHeaders: 400
• SizeOfImage: 482000
• ImageBase: 400000
• Architecture: x86
• ImportTable: B90C
• IAT: A000
• Characteristics: 102
• TimeDateStamp: 51CDA198 (Date: 28/06/2013 14:45:44)
• File Type: EXE
• Number Of Sections: 5
• ASLR: Enabled
• Section Names: .text, .rdata, .data, .rsrc, .reloc
• Number Of Executable Sections: 1
• Subsystem: Windows GUI
• UAC Execution Level Manifest: requireAdministrator
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 60000020 (Code, Executable, Readable) | 400 | 8E00 | 1000 | 8D54 | 6,5622 | 219533,85 |
| .rdata | 40000040 (Initialized Data, Readable) | 9200 | 2200 | A000 | 2114 | 5,4436 | 218596,06 |
| .data | C0000040 (Initialized Data, Readable, Writeable) | B400 | 1000 | D000 | 2ADC | 2,1026 | 639232,00 |
| .rsrc | 40000040 (Initialized Data, Readable) | C400 | 470600 | 10000 | 4705D0 | 7,9840 | 139123,02 |
| .reloc | 42000040 (Initialized Data, GP-Relative, Readable) | 47CA00 | 1000 | 481000 | EEA | 4,3288 | 267101,00 |
| Binder/Joiner/Crypter |
| 2 Executable files found |
| Entry Point |
Section number 1 (.text) contains the Entry Point. EntryPoint (calculated): 9EB
Code: E81C1B0000E978FEFFFF8BFF558BEC51568B750C56E8AC27000089450C8B460C59A8827517E86A030000C70009000000834E
Disassembly at the Entry Point:
• CALL 0X2B21
• JMP 0XE82
• MOV EDI, EDI
• PUSH EBP
• MOV EBP, ESP
• PUSH ECX
• PUSH ESI
• MOV ESI, DWORD PTR [EBP + 0XC]
• PUSH ESI
• CALL 0X37C6
• MOV DWORD PTR [EBP + 0XC], EAX
• MOV EAX, DWORD PTR [ESI + 0XC]
• POP ECX
• TEST AL, 0X82
• JNE 0X103C
• CALL 0X1394
• MOV DWORD PTR [EAX], 9
| Signatures |
• CheckSum Integrity Problem: Header: 69987; Calculated: 4716713
• Rich Signature Analyzer: Code -> 97EF5584D38E3BD7D38E3BD7D38E3BD7CDDCBFD7CC8E3BD7CDDCAED7C38E3BD7CDDCB8D7B38E3BD7F44840D7DA8E3BD7D38E3AD7B08E3BD7CDDCB1D7D18E3BD7CDDCAFD7D28E3BD7CDDCAAD7D28E3BD752696368D38E3BD7; Footprint md5 Hash -> 0B79E3C84AC163E7234D57B0D2A1789F; the Rich header apparently has not been modified
• Certificate - Digital Signature Not Found: the file is not signed
| Packer/Compiler |
• Compiler: Microsoft Visual C++
• Detect It Easy (DiE): PE compiler (EP): Microsoft Visual C/C++ (2008-2010) [EXE32]; PE compiler: Microsoft Visual C/C++ (2008) [libcmt]; PE linker: Microsoft Linker (9.0) [-]
• Entropy: 7.97837
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | GetModuleFileNameA | Retrieves the fully qualified path for the executable file of a specified module. |
| KERNEL32.DLL | VirtualAlloc | Reserves, commits, or both, a region of memory within the virtual address space of a process. |
| KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | ReadProcessMemory | Reads data from an area of memory in a specified process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | CreateFileA | Creates or opens a file or I/O device. |
| KERNEL32.DLL | DeleteFileA | Deletes an existing file. |
| KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |
| File Access |
| cheatengine-x86_64.exe cheatengine-i386.exe user32.dll oleaut32.dll kernel32.dll ADVAPI32.dll SHLWAPI.dll CET_Archive.dat .dat @.dat .zIp Temp |
| File Access (UNICODE) |
| KERNEL32.DLL CorExitProcess mscoree.dll |
| Words of Interest |
| Virus PADDINGX exec attrib start expand openfiles |
| PE Carving |
| Start Offset (Header) | End Offset | Size (Bytes) |
|---|---|---|
| 0 | 44B450 | 44B450 |
| 44B450 | 47DA00 | 325B0 |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | WinAPI Sockets (send) |
| Text | Ascii | File (GetTempPath) |
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | File (ReadFile) |
| Text | Ascii | Anti-Analysis VM (IsDebuggerPresent) |
| Text | Ascii | Anti-Analysis VM (GetVersion) |
| Text | Ascii | Reconnaissance (FindFirstFileW) |
| Text | Ascii | Reconnaissance (FindNextFileW) |
| Text | Ascii | Reconnaissance (FindClose) |
| Text | Ascii | Stealth (ExitThread) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Stealth (VirtualAlloc) |
| Text | Ascii | Stealth (ReadProcessMemory) |
| Text | Ascii | Execution (CreateProcessA) |
| Text | Ascii | Execution (ResumeThread) |
| Text | Ascii | Execution (CreateEventA) |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | VC8 - Microsoft Corporation |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text | PE/Payload |
|---|---|---|---|---|---|---|
| \ICON\1\1033 | 1018C | 18E9E | C58C | 89504E470D0A1A0A0000000D49484452000001000000010008060000005C72A86600018E6549444154789CEC7D07585457BB | .PNG........IHDR.............\r.f...eIDATx..}.XTW. | N/A |
| \RCDATA\ARCHIVE\0 | 2902C | 426021 | 2542C | 04000000001040EFBF150000004345545F545241494E45522E4345545241494E455200000000E1610800020A071C64B29A39 | ......@......CET_TRAINER.CETRAINER.....a......d..9 | N/A |
| \RCDATA\DECOMPRESSOR\0 | 44F050 | 30400 | 44B450 | 4D5A90000300000004000000FFFF0000B8000000000000004000000000000000000000000000000000000000000000000000 | MZ......................@......................... | (Executable found) |
| \GROUP_ICON\101\1033 | 47F450 | 1016 | 47B850 | 00000100010000000000010020009E8E01000100000089504E470D0A1A0A0000000D49484452000001000000010008060000 | ............ ..........PNG........IHDR............ | N/A |
| \24\1\1033 | 480468 | 165 | 47C868 | 3C617373656D626C7920786D6C6E733D2275726E3A736368656D61732D6D6963726F736F66742D636F6D3A61736D2E763122 | <assembly xmlns="urn:schemas-microsoft-com:asm.v1" | N/A |
| Intelligent String |
| • mscoree.dll • KERNEL32.DLL • KERNEL32.dll • ADVAPI32.dll • '/o.nPA • @.bss • .CRT • CET_Archive.dat • cheatengine-i386.exe • cheatengine-x86_64.exe • .cfg • kernel32.dll • oleaut32.dll • user32.dll |
| Flow Anomalies |
| Offset | RVA | Section | Type | Description |
|---|---|---|---|---|
| 43E | 40A008 | .text | CALL [static] | Indirect call to absolute memory address |
| 46E | 40A14C | .text | CALL [static] | Indirect call to absolute memory address |
| 47C | 40A144 | .text | CALL [static] | Indirect call to absolute memory address |
| 4AC | 40A148 | .text | CALL [static] | Indirect call to absolute memory address |
| 530 | 40A01C | .text | CALL [static] | Indirect call to absolute memory address |
| 59F | 40A044 | .text | CALL [static] | Indirect call to absolute memory address |
| 5B5 | 40A024 | .text | CALL [static] | Indirect call to absolute memory address |
| 77D | 40A034 | .text | CALL [static] | Indirect call to absolute memory address |
| 78E | 40A038 | .text | CALL [static] | Indirect call to absolute memory address |
| 7A4 | 40A154 | .text | CALL [static] | Indirect call to absolute memory address |
| 7CC | 40A03C | .text | CALL [static] | Indirect call to absolute memory address |
| 80B | 40A154 | .text | CALL [static] | Indirect call to absolute memory address |
| 820 | 40A000 | .text | JMP [static] | Indirect jump to absolute memory address |
| 882 | 40A050 | .text | CALL [static] | Indirect call to absolute memory address |
| 917 | 40A04C | .text | CALL [static] | Indirect call to absolute memory address |
| CCB | 40A064 | .text | CALL [static] | Indirect call to absolute memory address |
| CD5 | 40A060 | .text | CALL [static] | Indirect call to absolute memory address |
| CE2 | 40A05C | .text | CALL [static] | Indirect call to absolute memory address |
| CFD | 40A058 | .text | CALL [static] | Indirect call to absolute memory address |
| D04 | 40A054 | .text | CALL [static] | Indirect call to absolute memory address |
| F63 | 40A060 | .text | CALL [static] | Indirect call to absolute memory address |
| F78 | 40A06C | .text | CALL [static] | Indirect call to absolute memory address |
| F81 | 40A068 | .text | CALL [static] | Indirect call to absolute memory address |
| FCF | 40A068 | .text | CALL [static] | Indirect call to absolute memory address |
| FDF | 40A070 | .text | CALL [static] | Indirect call to absolute memory address |
| 1001 | 40A074 | .text | CALL [static] | Indirect call to absolute memory address |
| 107B | 40FAD0 | .text | CALL [static] | Indirect call to absolute memory address |
| 10D6 | 40FAD4 | .text | CALL [static] | Indirect call to absolute memory address |
| 1347 | 40A008 | .text | CALL [static] | Indirect call to absolute memory address |
| 141A | 40A078 | .text | CALL [static] | Indirect call to absolute memory address |
| 1444 | 40A02C | .text | CALL [static] | Indirect call to absolute memory address |
| 18EC | 40A008 | .text | CALL [static] | Indirect call to absolute memory address |
| 19AD | 40A08C | .text | CALL [static] | Indirect call to absolute memory address |
| 1A47 | 40A084 | .text | CALL [static] | Indirect call to absolute memory address |
| 1A5A | 40A080 | .text | CALL [static] | Indirect call to absolute memory address |
| 1A8C | 40A07C | .text | CALL [static] | Indirect call to absolute memory address |
| 1AA5 | 40A07C | .text | CALL [static] | Indirect call to absolute memory address |
| 1AC7 | 40A050 | .text | CALL [static] | Indirect call to absolute memory address |
| 1BF1 | 40A098 | .text | CALL [static] | Indirect call to absolute memory address |
| 1C7B | 40A078 | .text | CALL [static] | Indirect call to absolute memory address |
| 1C8D | 40A098 | .text | CALL [static] | Indirect call to absolute memory address |
| 1CE5 | 40A094 | .text | CALL [static] | Indirect call to absolute memory address |
| 1D91 | 40A068 | .text | CALL [static] | Indirect call to absolute memory address |
| 1DAC | 40A070 | .text | CALL [static] | Indirect call to absolute memory address |
| 1E0C | 40A068 | .text | CALL [static] | Indirect call to absolute memory address |
| 1E27 | 40A070 | .text | CALL [static] | Indirect call to absolute memory address |
| 1E3F | 40A0A4 | .text | CALL [static] | Indirect call to absolute memory address |
| 1E51 | 40A0A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1E72 | 40A0A8 | .text | CALL [static] | Indirect call to absolute memory address |
| 1EA7 | 40A0AC | .text | CALL [static] | Indirect call to absolute memory address |
| 1ECB | 40A068 | .text | CALL [static] | Indirect call to absolute memory address |
| 1F3E | 40A0B0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1FA4 | 40A08C | .text | CALL [static] | Indirect call to absolute memory address |
| 1FF6 | 40A048 | .text | CALL [static] | Indirect call to absolute memory address |
| 200E | 40A0B4 | .text | CALL [static] | Indirect call to absolute memory address |
| 20D1 | 40A0B8 | .text | CALL [static] | Indirect call to absolute memory address |
| 216C | 40A068 | .text | CALL [static] | Indirect call to absolute memory address |
| 220A | 40A0A4 | .text | CALL [static] | Indirect call to absolute memory address |
| 22D4 | 40A048 | .text | CALL [static] | Indirect call to absolute memory address |
| 2304 | 40A0BC | .text | CALL [static] | Indirect call to absolute memory address |
| 248A | 40F9A4 | .text | CALL [static] | Indirect call to absolute memory address |
| 2543 | 40A0D4 | .text | CALL [static] | Indirect call to absolute memory address |
| 254F | 40A0D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 2557 | 40A048 | .text | CALL [static] | Indirect call to absolute memory address |
| 255F | 40A0CC | .text | CALL [static] | Indirect call to absolute memory address |
| 256B | 40A0C8 | .text | CALL [static] | Indirect call to absolute memory address |
| 25E4 | 40A0D8 | .text | CALL [static] | Indirect call to absolute memory address |
| 25F1 | 40A08C | .text | CALL [static] | Indirect call to absolute memory address |
| 2867 | 40A0E0 | .text | CALL [static] | Indirect call to absolute memory address |
| 2887 | 40A0DC | .text | CALL [static] | Indirect call to absolute memory address |
| 2977 | 40A088 | .text | CALL [static] | Indirect call to absolute memory address |
| 29A0 | 40A02C | .text | CALL [static] | Indirect call to absolute memory address |
| 29F9 | 40A02C | .text | CALL [static] | Indirect call to absolute memory address |
| 2B87 | 40A02C | .text | CALL [static] | Indirect call to absolute memory address |
| 2C67 | 40A02C | .text | CALL [static] | Indirect call to absolute memory address |
| 2D30 | 40A088 | .text | CALL [static] | Indirect call to absolute memory address |
| 2D61 | 40A02C | .text | CALL [static] | Indirect call to absolute memory address |
| 2D77 | 40A08C | .text | CALL [static] | Indirect call to absolute memory address |
| 2DB8 | 40A02C | .text | CALL [static] | Indirect call to absolute memory address |
| 2DD7 | 40A08C | .text | CALL [static] | Indirect call to absolute memory address |
| 310B | 40A0E4 | .text | CALL [static] | Indirect call to absolute memory address |
| 313E | 40A0E4 | .text | CALL [static] | Indirect call to absolute memory address |
| 317A | 40A0E8 | .text | CALL [static] | Indirect call to absolute memory address |
| 31A9 | 40A0E8 | .text | CALL [static] | Indirect call to absolute memory address |
| 3297 | 40A0EC | .text | CALL [static] | Indirect call to absolute memory address |
| 3462 | 40A0B8 | .text | CALL [static] | Indirect call to absolute memory address |
| 348D | 40A0B0 | .text | CALL [static] | Indirect call to absolute memory address |
| 34D6 | 40A0F4 | .text | CALL [static] | Indirect call to absolute memory address |
| 34F9 | 40A0F0 | .text | CALL [static] | Indirect call to absolute memory address |
| 359C | 40A0F8 | .text | CALL [static] | Indirect call to absolute memory address |
| 35AF | 40A0EC | .text | CALL [static] | Indirect call to absolute memory address |
| 3784 | 40A0B8 | .text | CALL [static] | Indirect call to absolute memory address |
| 383B | 40A0B8 | .text | CALL [static] | Indirect call to absolute memory address |
| 3C53 | 40A0C4 | .text | CALL [static] | Indirect call to absolute memory address |
| 3C64 | 40A08C | .text | CALL [static] | Indirect call to absolute memory address |
| 3CBB | 40A06C | .text | CALL [static] | Indirect call to absolute memory address |
| 3D07 | 40A06C | .text | CALL [static] | Indirect call to absolute memory address |
| 3D55 | 40A06C | .text | CALL [static] | Indirect call to absolute memory address |
| 3F3A | 40A088 | .text | CALL [static] | Indirect call to absolute memory address |
| 3F58 | 40A08C | .text | CALL [static] | Indirect call to absolute memory address |
| 2FCB15-2FCB46 | N/A | .rsrc | | Potential obfuscated jump sequence detected, count: 25 |
| 2FD26F-2FD292 | N/A | .rsrc | | Potential obfuscated jump sequence detected, count: 18 |
| 321E14-321E29 | N/A | .rsrc | | Potential obfuscated jump sequence detected, count: 11 |
| 32203E-32204E | N/A | .rsrc | | Potential obfuscated jump sequence detected, count: 7 |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 3176422 | 67,4562% |
| Null Byte Code | 69942 | 1,4853% |