PESCAN.IO - Analysis Report |
|||||
File Structure: | |||||
![]() |
Information: |
Size: 9,00 KB SHA-256 Hash: 7C49DF8AD3EE9218220C6C85FD02A04A1BEB4D70EDC9263C28879283B02C3362 SHA-1 Hash: EFC3657E7F0047FF66841F2F124F170CB2168D0A MD5 Hash: 8BACC407D01D2AA44C35ED0BDDE9F6AA Imphash: F34D5F2D4577ED6D9CEEC516C1F5A744 MajorOSVersion: 4 CheckSum: 00000000 EntryPoint (rva): 38DE SizeOfHeaders: 200 SizeOfImage: 8000 ImageBase: 400000 Architecture: x86 ImportTable: 388C Characteristics: 22 TimeDateStamp: D3E3EF57 Date: 26/08/2082 0:41:59 File Type: EXE Number Of Sections: 3 ASLR: Disabled Section Names: .text, .rsrc, .reloc Number Of Executable Sections: 1 Subsystem: Windows Console UAC Execution Level Manifest: asInvoker |
Sections Info: |
Section Name | Flags | ROffset | RSize | VOffset | VSize |
---|---|---|---|---|---|
.text | 60000020 (Executable) | 200 | 1A00 | 2000 | 18E4 |
.rsrc | 40000040 | 1C00 | 600 | 4000 | 5CC |
.reloc | 42000040 | 2200 | 200 | 6000 | C |
Description: |
InternalName: DefenderCheck.exe OriginalFilename: DefenderCheck.exe LegalCopyright: Copyright 2019 ProductName: DefenderCheck FileVersion: 1.0.0.0 |
Entry Point: |
The section number (1) - (.text) have the Entry Point Information -> EntryPoint (calculated) - 1ADE Code -> FF25002040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 • JMP DWORD PTR [0X402000] • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL |
Signatures: |
Certificate - Digital Signature Not Found: • The file is not signed |
Packer/Compiler: |
Compiler: Microsoft Visual .NET - (You can use a decompiler for this...) • AnyCPU: False • Version: v4.0 Detect It Easy (die) • PE: library: .NET(v4.0.30319)[-] • PE: linker: Microsoft Linker(48.0)[EXE32,console] • Entropy: 4.84981 |
File Access: |
DefenderCheck.exe mscoree.dll |
File Access (UNICODE): |
DefenderCheck.exe \Program Files\Windows Defender\MpCmdRun.exe \Temp\testfile.exe Temp |
Interest's Words: |
exec attrib start |
Strings/Hex Code Found With The File Rules: |
• Rule Text (Ascii): Execution (ShellExecute) • Rule Text (Ascii): Malicious rerouting of traffic to an attacker-controlled site (Redirect) • EP Rules: Microsoft Visual C / Basic .NET • EP Rules: Microsoft Visual C++ 8 • EP Rules: Microsoft Visual C++ 8.0 • EP Rules: Microsoft Visual C v7.0 / Basic .NET • EP Rules: Microsoft Visual Studio .NET • EP Rules: .NET executable |
Resources: |
Path | DataRVA | Size | FileOffset | Code | Text |
---|---|---|---|---|---|
\VERSION\1\0 | 4090 | 33C | 1C90 | 3C0334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000 | <.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
\24\1\0 | 43DC | 1EA | 1FDC | EFBBBF3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E65 | ...<?xml version="1.0" encoding="UTF-8" standalone |
Intelligent String: |
• 1.0.0.0 • DefenderCheck.exe • OUsage: DefenderCheck.exe [path/to/file] • C:\Temp • C:\Temp doesn't exist. Creating it... • C:\Temp\testfile.exe • C:\Program Files\Windows Defender\MpCmdRun.exe • _CorExeMainmscoree.dll |
Extra 4n4lysis: |
Metric | Value | Percentage |
---|---|---|
Ascii Code | 4741 | 51,4431% |
Null Byte Code | 3656 | 39,6701% |
© 2025 All rights reserved.