PREMIUM PESCAN.IO - Analysis Report

File Structure
[Analysis image not reproduced. PE chart colour code: PE header (light blue), executable sections (pink), non-executable sections (black), external injected code (red); a file structure drawn in red indicates a malformed or corrupted header. Chart code for other files: printable characters (blue), non-printable characters (black).]
Information
Size: 279,00 KB
SHA-256 Hash: C132D2A4A97BA28B95D212D9B4DBA6B375FC73A3B52F0A5B72703EE380E29CC8
SHA-1 Hash: 92D652114234518ADB0FB2703B222AC4C2597718
MD5 Hash: 969F966A33A5004DD8DB85A49178ACF8
Imphash: D4A18B7AC717D44BB26AACFAB61EF98D
MajorOSVersion: 5
MinorOSVersion: 2
CheckSum: 00000000
EntryPoint (rva): 156A0
SizeOfHeaders: 400
SizeOfImage: 4D000
ImageBase: 0000000180000000
Architecture: x64
ExportTable: 37E20
ImportTable: 375D4
IAT: 2A000
Characteristics: 2022
TimeDateStamp: 69D49541
Date: 07/04/2026 5:25:21
File Type: DLL
Number Of Sections: 7
ASLR: Enabled
Section Names (Optional Header): .text, .rdata, .data, .pdata, text, data, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI

Sections Info
Section Name  Flags                                                 ROffset  RSize  VOffset  VSize  Entropy  Chi2
.text         0x60000020 (Code, Executable, Readable)               400      28800  1000     286F2  6.4628   937549.99
.rdata        0x40000040 (Initialized Data, Readable)               28C00    EA00   2A000    E875   4.9486   2897336.77
.data         0xC0000040 (Initialized Data, Readable, Writeable)    37600    4200   39000    7AD0   5.6173   575838.24
.pdata        0x40000040 (Initialized Data, Readable)               3B800    2000   41000    1FF8   5.4253   228745.75
text          0x20000040 (Initialized Data, Executable)             3D800    1000   43000    E71    5.3755   84055.63
data          0x40000040 (Initialized Data, Readable)               3E800    4200   44000    41E0   6.3151   303605.55
.reloc        0x42000040 (Initialized Data, GP-Relative, Readable)  42A00    3200   49000    305A   1.4582   2329911.28
Entry Point
Section number 1 contains the Entry Point.
Information -> EntryPoint (calculated) - 14AA0
Code -> 48895C24084889742410574883EC20498BF88BDA488BF183FA017505E8473100004C8BC78BD3488BCE488B5C2430488B7424
Assembler
|MOV QWORD PTR [RSP + 8], RBX
|MOV QWORD PTR [RSP + 0X10], RSI
|PUSH RDI
|SUB RSP, 0X20
|MOV RDI, R8
|MOV EBX, EDX
|MOV RSI, RCX
|CMP EDX, 1
|JNE 0X1021
|CALL 0X4168
|MOV R8, RDI
|MOV EDX, EBX
|MOV RCX, RSI
|MOV RBX, QWORD PTR [RSP + 0X30]
Signatures
Rich Signature Analyzer:
Code -> EA3E7666AE5F1835AE5F1835AE5F1835B5C28635A05F1835B5C2B335F75F1835B5C2B235DB5F1835A7278B35A75F1835AE5F1935F45F1835B5C2B735AC5F1835B5C28335AF5F1835B5C28535AF5F183552696368AE5F1835
Footprint md5 Hash -> EED65A3E6BC0DE9A60771681EC4E00DB
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler
Compiler: Microsoft Visual C++
Detect It Easy (die)
PE+(64): compiler: Microsoft Visual C/C++(2010 SP1)[-]
PE+(64): linker: Microsoft Linker(10.0)[-]
Entropy: 6.23008

Suspicious Functions
Library       Function            Description
KERNEL32.DLL  GetModuleFileNameA  Retrieves the fully qualified path for the executable file of a specified module.
KERNEL32.DLL  VirtualAlloc        Reserves, commits, or both, a region of memory within the virtual address space of a process.
KERNEL32.DLL  CopyFileW           Copies an existing file to a new file.
KERNEL32.DLL  WriteFile           Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL  LoadLibraryW        Loads the specified module into the address space of the calling process.
KERNEL32.DLL  GetProcAddress      Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL  IsDebuggerPresent   Determines if the calling process is being debugged by a user-mode debugger.
Windows REG (UNICODE)
Software\Microsoft\Windows\CurrentVersion\Run
Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\Run

File Access
sspicli.dll
SHLWAPI.dll
USER32.dll
KERNEL32.dll
@.dat
Temp

File Access (UNICODE)
\ProgramData\NVDIAControl\NVDIAControl.exe
\ProgramData\NVDIAControl\nView64.dll
USER32.DLL
CorExitProcessmscoree.dll
Temp

Words of Interest
exec
attrib
start
cipher

Strings/Hex Code Found With The File Rules
Rule              Type         Encoding  Matched (Word)
File              Text         Ascii     CopyFile
File              Text         Ascii     CreateFile
File              Text         Ascii     WriteFile
Anti-Analysis VM  Text         Ascii     IsDebuggerPresent
Anti-Analysis VM  Text         Ascii     GetVersion
Stealth           Text         Ascii     CloseHandle
Stealth           Text         Ascii     VirtualAlloc
Stealth           Text         Ascii     VirtualProtect
Entry Point       Hex Pattern  -         Microsoft Visual C++ 8.0 (DLL)
Intelligent String
• chacha_simd.cpp
• gf2n_simd.cpp
• rijndael_simd.cpp
• mscoree.dll
• USER32.DLL
• C:\ProgramData\NVDIAControl\NVDIAControl.exe
• C:\ProgramData\NVDIAControl\nView64.dll
• C:\ProgramData\NVDIA Control
• C:\ProgramData\NVDIAControl
• KERNEL32.dll
• USER32.dll

Flow Anomalies
Offset RVA Section Description
B57 N/A .text CALL QWORD PTR [RIP+0x28AF3]
C02 N/A .text CALL QWORD PTR [RIP+0x28808]
C30 N/A .text CALL QWORD PTR [RIP+0x287D2]
C5E N/A .text CALL QWORD PTR [RIP+0x287A4]
D6C N/A .text CALL QWORD PTR [RIP+0x2868E]
D79 N/A .text CALL QWORD PTR [RIP+0x286A9]
DA6 N/A .text CALL QWORD PTR [RIP+0x28654]
DB3 N/A .text CALL QWORD PTR [RIP+0x2866F]
E2B N/A .text CALL QWORD PTR [RIP+0x285EF]
2634 N/A .text CALL QWORD PTR [RIP+0x26DEE]
2664 N/A .text CALL QWORD PTR [RIP+0x26DAE]
2671 N/A .text CALL QWORD PTR [RIP+0x26DB1]
2681 N/A .text CALL QWORD PTR [RIP+0x26FD9]
268C N/A .text CALL QWORD PTR [RIP+0x26D96]
269A N/A .text CALL QWORD PTR [RIP+0x26D88]
1445D N/A .text CALL QWORD PTR [RIP+0x14FE5]
144B1 N/A .text CALL QWORD PTR [RIP+0x14F99]
144C1 N/A .text CALL QWORD PTR [RIP+0x14F89]
1453F N/A .text CALL QWORD PTR [RIP+0x14F03]
1454F N/A .text CALL QWORD PTR [RIP+0x14EF3]
1455C N/A .text CALL QWORD PTR [RIP+0x14EE6]
145DE N/A .text CALL QWORD PTR [RIP+0x14E74]
145E9 N/A .text CALL QWORD PTR [RIP+0x14E41]
1464B N/A .text CALL QWORD PTR [RIP+0x14DFF]
14867 N/A .text CALL QWORD PTR [RIP+0x14C03]
1493E N/A .text CALL QWORD PTR [RIP+0x14B24]
14952 N/A .text CALL QWORD PTR [RIP+0x14B08]
14B5B N/A .text CALL QWORD PTR [RIP+0x14917]
154A6 N/A .text CALL QWORD PTR [RIP+0x13FEC]
154B8 N/A .text CALL QWORD PTR [RIP+0x13F72]
15525 N/A .text CALL QWORD PTR [RIP+0x13F75]
15851 N/A .text CALL QWORD PTR [RIP+0x13C81]
158D9 N/A .text CALL QWORD PTR [RIP+0x13BE9]
158E3 N/A .text CALL QWORD PTR [RIP+0x13BD7]
158EE N/A .text CALL QWORD PTR [RIP+0x13BC4]
15948 N/A .text CALL QWORD PTR [RIP+0x13B9A]
1595B N/A .text JMP QWORD PTR [RIP+0x13B7F]
1598B N/A .text CALL QWORD PTR [RIP+0x13ABF]
15C89 N/A .text CALL QWORD PTR [RIP+0x13861]
15CC3 N/A .text CALL QWORD PTR [RIP+0x1380F]
15DA0 N/A .text CALL QWORD PTR [RIP+0x13722]
15DB8 N/A .text CALL QWORD PTR [RIP+0x13702]
15DC5 N/A .text CALL QWORD PTR [RIP+0x136ED]
15DDE N/A .text CALL QWORD PTR [RIP+0x13704]
15DEC N/A .text CALL QWORD PTR [RIP+0x136EE]
15F56 N/A .text CALL QWORD PTR [RIP+0x1359C]
15FDD N/A .text CALL QWORD PTR [RIP+0x13515]
16063 N/A .text CALL QWORD PTR [RIP+0x1348F]
160D7 N/A .text JMP QWORD PTR [RIP+0x13423]
160EF N/A .text CALL QWORD PTR [RIP+0x1341B]
16104 N/A .text CALL QWORD PTR [RIP+0x133FE]
1612B N/A .text CALL QWORD PTR [RIP+0x132F7]
16228 N/A .text CALL QWORD PTR [RIP+0x1778A]
1629C N/A .text CALL QWORD PTR [RIP+0x29C1E]
1630C N/A .text CALL QWORD PTR [RIP+0x1313E]
1632A N/A .text CALL QWORD PTR [RIP+0x13120]
1636A N/A .text CALL QWORD PTR [RIP+0x130E0]
16384 N/A .text CALL QWORD PTR [RIP+0x130C6]
16394 N/A .text CALL QWORD PTR [RIP+0x130B6]
16420 N/A .text CALL QWORD PTR [RIP+0x13002]
16550 N/A .text CALL QWORD PTR [RIP+0x1806A]
1658E N/A .text CALL QWORD PTR [RIP+0x12EFC]
16894 N/A .text CALL QWORD PTR [RIP+0x12B66]
169A9 N/A .text CALL QWORD PTR [RIP+0x12B71]
16A06 N/A .text CALL QWORD PTR [RIP+0x12B0C]
16D16 N/A .text CALL QWORD PTR [RIP+0x12734]
16D22 N/A .text CALL QWORD PTR [RIP+0x12720]
16D58 N/A .text CALL QWORD PTR [RIP+0x126F2]
16D7F N/A .text JMP QWORD PTR [RIP+0x126C3]
16D97 N/A .text CALL QWORD PTR [RIP+0x12793]
16E72 N/A .text CALL QWORD PTR [RIP+0x125B8]
16E80 N/A .text CALL QWORD PTR [RIP+0x126A2]
16EAC N/A .text CALL QWORD PTR [RIP+0x125B6]
16EC0 N/A .text CALL QWORD PTR [RIP+0x1259A]
16ED8 N/A .text CALL QWORD PTR [RIP+0x1255A]
1705D N/A .text CALL QWORD PTR [RIP+0x124C5]
1706E N/A .text CALL QWORD PTR [RIP+0x123F4]
1709F N/A .text CALL QWORD PTR [RIP+0x12493]
170D0 N/A .text CALL QWORD PTR [RIP+0x12392]
170E4 N/A .text CALL QWORD PTR [RIP+0x12376]
17129 N/A .text CALL QWORD PTR [RIP+0x12429]
17294 N/A .text CALL QWORD PTR [RIP+0x122B6]
172D2 N/A .text CALL QWORD PTR [RIP+0x12270]
17331 N/A .text CALL QWORD PTR [RIP+0x121E9]
17348 N/A .text CALL QWORD PTR [RIP+0x12202]
17379 N/A .text CALL QWORD PTR [RIP+0x121C9]
173B4 N/A .text CALL QWORD PTR [RIP+0x12186]
17412 N/A .text CALL QWORD PTR [RIP+0x12148]
17786 N/A .text CALL QWORD PTR [RIP+0x11DDC]
17861 N/A .text CALL QWORD PTR [RIP+0x11D11]
178B8 N/A .text CALL QWORD PTR [RIP+0x11BEA]
178F3 N/A .text CALL QWORD PTR [RIP+0x11BAF]
1790B N/A .text CALL QWORD PTR [RIP+0x11C5F]
17919 N/A .text CALL QWORD PTR [RIP+0x11C51]
179C2 N/A .text CALL QWORD PTR [RIP+0x11BC8]
179D4 N/A .text CALL QWORD PTR [RIP+0x11BAE]
179F2 N/A .text CALL QWORD PTR [RIP+0x11B88]
17A0F N/A .text CALL QWORD PTR [RIP+0x11B83]
17C3F N/A .text CALL QWORD PTR [RIP+0x118AB]
17C4A N/A .text CALL QWORD PTR [RIP+0x11958]
2CAF9-2CDFE N/A .rdata Potential obfuscated jump sequence detected, count: 387
3D800-3E7FF 43000 text Executable section anomaly, first bytes: 4881EC9800000066
Extra Analysis
Metric          Value   Percentage
Ascii Code      158253  55,3921%
Null Byte Code  64823   22,6895%