PREMIUM PESCAN.IO - Analysis Report
| File Structure |
PE chart legend (the chart image itself is not reproduced in this report): Header PE (light blue); Executable sections (pink); Non-executable sections (black); External injected code (red); File Structure shown in red = malformed or corrupted header.
Chart legend for other (non-PE) files: Printable characters (blue); Non-printable characters (black).
| Information |
| Field | Value |
|---|---|
| Size | 1,64 MB |
| SHA-256 Hash | F26119470F6A040C7DFC591AD4ED4FD909A96CBEEC705D0745998EE8AD023B3D |
| SHA-1 Hash | C95A598236C7752F748AA7070DEC60FAFBB69A20 |
| MD5 Hash | 9C5A7F688841F8762DFFC84CFA120459 |
| Imphash | 816120F8E921805F79F1DC53B6944D2D |
| MajorOSVersion | 6 |
| MinorOSVersion | 0 |
| CheckSum | 001B3342 |
| EntryPoint (rva) | 118B4C |
| SizeOfHeaders | 400 |
| SizeOfImage | 1D3000 |
| ImageBase | 0000000180000000 |
| Architecture | x64 |
| ExportTable | 14D9A0 |
| ImportTable | 1572EC |
| IAT | 130000 |
| Characteristics | 2022 |
| TimeDateStamp | 5B9F7E54 |
| Date | 17/09/2018 10:13:40 |
| File Type | DLL |
| Number Of Sections | 9 |
| ASLR | Disabled |
| Section Names (Optional Header) | .text, .rdata, .data, .pdata, .data1, _RDATA, .debug_o, .rsrc, .reloc |
| Number Of Executable Sections | 1 |
| Subsystem | Windows GUI |
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 0x60000020 Code Executable Readable | 400 | 12E400 | 1000 | 12E2A6 | | |
| .rdata | 0x40000040 Initialized Data Readable | 12E800 | 28200 | 130000 | 2802C | | |
| .data | 0xC0000040 Initialized Data Readable Writeable | 156A00 | B600 | 159000 | 37F80 | | |
| .pdata | 0x40000040 Initialized Data Readable | 162000 | AE00 | 191000 | AC38 | | |
| .data1 | 0xC0000040 Initialized Data Readable Writeable | 16CE00 | 800 | 19C000 | 798 | | |
| _RDATA | 0x40000040 Initialized Data Readable | 16D600 | 1200 | 19D000 | 1200 | | |
| .debug_o | 0x42000040 Initialized Data GP-Relative Readable | 16E800 | 2E200 | 19F000 | 2E1CB | | |
| .rsrc | 0x40000040 Initialized Data Readable | 19CA00 | 600 | 1CE000 | 4F0 | | |
| .reloc | 0x42000040 Initialized Data GP-Relative Readable | 19D000 | 4000 | 1CF000 | 3E14 | | |
| Description |
| Field | Value |
|---|---|
| OriginalFilename | libiomp5md.dll |
| CompanyName | Intel Corporation |
| LegalCopyright | Copyright (C) 1997-2018, Intel Corporation. All rights reserved. |
| ProductName | Intel(R) OpenMP* Runtime Library |
| FileVersion | 20180913 |
| FileDescription | Intel(R) OpenMP* Runtime Library |
| ProductVersion | 5.0 |
| Comments | Intel(R) OpenMP* Performance Library version 5.0.20180913 for Intel(R) 64 architecture built on 2018-09-17 09:58:47 UTC. |
| Language | English (United States) (ID=0x409) |
| CodePage | Unicode (UTF-16 LE) (0x4B0) |
| Entry Point |
Section number 1 contains the entry point. EntryPoint (calculated): 117F4C
Code: 48895C24084889742410574883EC20498BF88BDA488BF183FA017505E8ABB900004C8BC78BD3488BCE488B5C2430488B7424
Assembler:
```asm
MOV QWORD PTR [RSP + 8], RBX
MOV QWORD PTR [RSP + 0X10], RSI
PUSH RDI
SUB RSP, 0X20
MOV RDI, R8
MOV EBX, EDX
MOV RSI, RCX
CMP EDX, 1
JNE 0X1021
CALL 0XC9CC
MOV R8, RDI
MOV EDX, EBX
MOV RCX, RSI
MOV RBX, QWORD PTR [RSP + 0X30]
```
| Signatures |
| CheckSum Integrity Problem: Header: 1782594; Calculated: 1747292 |
| Rich Signature Analyzer: Code -> 44E0E6BF008188EC008188EC008188ECDD7E43EC038188EC008189EC898188EC1B1C16EC028188EC9E214FEC028188EC46D069EC368188EC46D068ECA38188EC46D057EC0C8188EC008188EC538188EC0DD357EC028188EC0DD354EC018188EC0DD353EC018188EC0DD356EC018188EC52696368008188EC; Footprint md5 Hash -> CE05DCBCA082E54F4320F0C16C65C59A; The Rich header apparently has not been modified |
| Certificate - Digital Signature: The file is signed but has been modified |
| Packer/Compiler |
| Compiler: Microsoft Visual Studio |
| Compiler: Microsoft Visual C++ |
| Detect It Easy (die): PE+(64): compiler: Microsoft Visual C/C++(2013)[-]; PE+(64): linker: Microsoft Linker(12.0)[-]; PE+(64): Sign tool: Windows Authenticode(2.0)[PKCS 7] |
| Entropy: 6.36608 |
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | GetModuleFileNameA | Retrieves the fully qualified path for the executable file of a specified module. |
| KERNEL32.DLL | VirtualAlloc | Reserve, commit, or both, a region of memory within the virtual address space of a process. |
| KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |
| KERNEL32.DLL | SleepEx | Pauses the execution of the current thread, optionally allowing the thread to be awakened by a kernel object or upon expiration of a timeout. |
| ET Functions (carving) |
| KMP_INITIAL_THREAD_BIND, omp_init_lock_with_hint, omp_init_nest_lock_with_hint, omp_init_lock, omp_init_nest_lock |
| File Access |
| KERNEL32.dll, libiomp5md.dll, psapi.dll, ntdll.dll, libiomp5md_db.dll, tbbmalloc.dll, libiomp5ui.dll, libittnotify.dll, console-reg.sys, @.dat, Temp |
| File Access (UNICODE) |
| libiomp5md.dll, USER32.DLL, kernel32.dll, mscoree.dll, Temp |
| Words of Interest |
| exec, attrib, start, pause, systeminfo, ping |
| URLs |
| http://www.intel.com/software/products/support/. http://pki.intel.com/crl/IntelCA7B.crl http://pki.intel.com/crt/IntelCA7B.crt http://OCSP.intel.com/0 http://crl.comodoca.com/COMODORSACertificationAuthority.crl http://crt.comodoca.com/COMODORSAAddTrustCA.crt http://ocsp.comodoca.com http://crl.usertrust.com/AddTrustExternalCARoot.crl http://ocsp.usertrust.com http://ocsp.quovadisglobal.com http://trust.quovadisglobal.com/qvrca.crt http://crl.quovadisglobal.com/qvrca.crl http://trust.quovadisglobal.com/qvicag4.crt http://www.quovadisglobal.com/repository0 http://crl.quovadisglobal.com/qvicag4.crl |
| IP Addresses |
| 16.0.4.246 |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | WinAPI Sockets (bind) |
| Text | Ascii | WinAPI Sockets (connect) |
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | File (ReadFile) |
| Text | Ascii | Anti-Analysis VM (IsDebuggerPresent) |
| Text | Ascii | Anti-Analysis VM (GetSystemInfo) |
| Text | Ascii | Reconnaissance (FindClose) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Stealth (VirtualAlloc) |
| Text | Ascii | Execution (CreateEventA) |
| Text | Ascii | Antivirus Software (comodo) |
| Text | Ascii | Linux Virtual File System - (/proc/) |
| Entry Point | Hex Pattern | MEW 10 packer v1.0 - Northfox |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \VERSION\1\1033 | 1CE060 | 48C | 19CA60 | 8C0434000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| Intelligent String |
- libiomp5md.dll
- kernel32.dll
- libittnotify.dll
- SetThreadAffinityMask()../../src/kmp_affinity.cpp
- /proc/cpuinfo
- ../../src/kmp_alloc.cpp
- ../../src/kmp_barrier.cpp
- ../../src/kmp_cancel.cpp
- KMP_INITIAL_THREAD_BIND../../src/kmp_csupport.cpp
- End dump of debugging buffer (entry=%d).
- ../../src/kmp_dispatch.cpp
- ../../src/kmp_error.cpp
- Cannot open /proc/cpuinfo
- parsing /proc/cpuinfo
- Please submit a bug report with this message, compile and run commands used, and machine configuration info including native compiler and operating system versions. Faster response will be obtained by including all program sources. For information on submitting this issue, please see http://www.intel.com/software/products/support/.
- This means that multiple copies of the OpenMP runtime have been linked into the program. That is dangerous, since it can degrade performance or cause incorrect results. The best thing to do is to ensure that only a single OpenMP runtime is linked into the process, e.g. by avoiding static linking of the OpenMP runtime in any library. As an unsafe, unsupported, undocumented workaround you can set the environment variable KMP_DUPLICATE_LIB_OK=TRUE to allow the program to continue to execute, but that may cause crashes or silently produce incorrect results. For more information, please see http://www.intel.com/software/products/support/.
- libiomp5ui.dll
- ../../src/kmp_lock.cpp
- tbbmalloc.dll
- %lf../../src/kmp_settings.cpp
- ../../src/kmp_taskdeps.cpp
- ../../src/kmp_tasking.cpp
- ../../src/kmp_vcsupport.cpp
- libiomp5md_db.dll
- \%sntdll.dll
- psapi.dll
- mscoree.dll
- USER32.DLL
- .exe
- .cmd
- .bat
- .com
- O:\promo\20180913\tmp\win_32e-rtl_5_nor_dyn.rel.50.c0.s0.t1..h1.w1-FXILAB103\libiomp5md.pdb
- KERNEL32.dll
- console-reg.sys
- H0F0D
| Flow Anomalies |
| Offset | RVA | Section | Description |
|---|---|---|---|
| 441 | N/A | .text | CALL QWORD PTR [RIP+0x12EFE1] |
| 458 | N/A | .text | CALL QWORD PTR [RIP+0x12EFC2] |
| 476 | N/A | .text | CALL QWORD PTR [RIP+0x12EF9C] |
| 495 | N/A | .text | CALL QWORD PTR [RIP+0x12EF75] |
| 4F2 | N/A | .text | CALL QWORD PTR [RIP+0x12EF10] |
| 504 | N/A | .text | CALL QWORD PTR [RIP+0x12EEF6] |
| 585 | N/A | .text | CALL QWORD PTR [RIP+0x12EE9D] |
| 59C | N/A | .text | CALL QWORD PTR [RIP+0x12EE7E] |
| 5BE | N/A | .text | CALL QWORD PTR [RIP+0x12EE54] |
| 5FB | N/A | .text | CALL QWORD PTR [RIP+0x12EE47] |
| 723 | N/A | .text | CALL QWORD PTR [RIP+0x12ED17] |
| 83A | N/A | .text | CALL QWORD PTR [RIP+0x12EBF8] |
| 85D | N/A | .text | CALL QWORD PTR [RIP+0x12EBAD] |
| 87A | N/A | .text | CALL QWORD PTR [RIP+0x12EB90] |
| 8C6 | N/A | .text | CALL QWORD PTR [RIP+0x12EB3C] |
| 931 | N/A | .text | CALL QWORD PTR [RIP+0x12EAD9] |
| 990 | N/A | .text | CALL QWORD PTR [RIP+0x12EA7A] |
| AA8 | N/A | .text | CALL QWORD PTR [RIP+0x12E982] |
| C02 | N/A | .text | CALL QWORD PTR [RIP+0x12E840] |
| C7A | N/A | .text | CALL QWORD PTR [RIP+0x12E7B0] |
| CC5 | N/A | .text | CALL QWORD PTR [RIP+0x12E765] |
| D47 | N/A | .text | CALL QWORD PTR [RIP+0x12E6FB] |
| D73 | N/A | .text | CALL QWORD PTR [RIP+0x12E6B7] |
| DDB | N/A | .text | CALL QWORD PTR [RIP+0x12E61F] |
| E72 | N/A | .text | CALL QWORD PTR [RIP+0x159198] |
| EC8 | N/A | .text | CALL QWORD PTR [RIP+0x159142] |
| F1B | N/A | .text | CALL QWORD PTR [RIP+0x1590EF] |
| F78 | N/A | .text | CALL QWORD PTR [RIP+0x159092] |
| FCB | N/A | .text | CALL QWORD PTR [RIP+0x15903F] |
| 102C | N/A | .text | CALL QWORD PTR [RIP+0x158FDE] |
| 108C | N/A | .text | CALL QWORD PTR [RIP+0x158F7E] |
| 10EC | N/A | .text | CALL QWORD PTR [RIP+0x12E336] |
| 1103 | N/A | .text | CALL QWORD PTR [RIP+0x12E317] |
| 1132 | N/A | .text | CALL QWORD PTR [RIP+0x12E2D0] |
| 1174 | N/A | .text | CALL QWORD PTR [RIP+0x12E2C6] |
| 1193 | N/A | .text | CALL QWORD PTR [RIP+0x12E2A7] |
| 1211 | N/A | .text | CALL QWORD PTR [RIP+0x12E1F1] |
| 1237 | N/A | .text | CALL QWORD PTR [RIP+0x12E1C3] |
| 12AC | N/A | .text | CALL QWORD PTR [RIP+0x12E176] |
| 12C3 | N/A | .text | CALL QWORD PTR [RIP+0x12E157] |
| 12F2 | N/A | .text | CALL QWORD PTR [RIP+0x12E110] |
| 13CD | N/A | .text | CALL QWORD PTR [RIP+0x12E035] |
| 13F3 | N/A | .text | CALL QWORD PTR [RIP+0x12E007] |
| 1467 | N/A | .text | CALL QWORD PTR [RIP+0x12DFBB] |
| 147E | N/A | .text | CALL QWORD PTR [RIP+0x12DF9C] |
| 14AD | N/A | .text | CALL QWORD PTR [RIP+0x12DF55] |
| 14EA | N/A | .text | CALL QWORD PTR [RIP+0x12DF50] |
| 1509 | N/A | .text | CALL QWORD PTR [RIP+0x12DF31] |
| 158A | N/A | .text | CALL QWORD PTR [RIP+0x12DE78] |
| 15AE | N/A | .text | CALL QWORD PTR [RIP+0x12DE4C] |
| 1617 | N/A | .text | CALL QWORD PTR [RIP+0x12DE0B] |
| 162E | N/A | .text | CALL QWORD PTR [RIP+0x12DDEC] |
| 165D | N/A | .text | CALL QWORD PTR [RIP+0x12DDA5] |
| 1736 | N/A | .text | CALL QWORD PTR [RIP+0x12DCCC] |
| 175A | N/A | .text | CALL QWORD PTR [RIP+0x12DCA0] |
| 17C2 | N/A | .text | CALL QWORD PTR [RIP+0x12DC60] |
| 17D9 | N/A | .text | CALL QWORD PTR [RIP+0x12DC41] |
| 1808 | N/A | .text | CALL QWORD PTR [RIP+0x12DBFA] |
| 183A | N/A | .text | CALL QWORD PTR [RIP+0x12DC00] |
| 189B | N/A | .text | CALL QWORD PTR [RIP+0x12DB67] |
| 18B3 | N/A | .text | CALL QWORD PTR [RIP+0x12DB47] |
| 1923 | N/A | .text | CALL QWORD PTR [RIP+0x12DAFF] |
| 193A | N/A | .text | CALL QWORD PTR [RIP+0x12DAE0] |
| 1969 | N/A | .text | CALL QWORD PTR [RIP+0x12DA99] |
| 1A01 | N/A | .text | CALL QWORD PTR [RIP+0x12DA01] |
| 1A1A | N/A | .text | CALL QWORD PTR [RIP+0x12D9E0] |
| 1A82 | N/A | .text | CALL QWORD PTR [RIP+0x12D9A0] |
| 1A99 | N/A | .text | CALL QWORD PTR [RIP+0x12D981] |
| 1AC8 | N/A | .text | CALL QWORD PTR [RIP+0x12D93A] |
| 1AFB | N/A | .text | CALL QWORD PTR [RIP+0x12D93F] |
| 1B63 | N/A | .text | CALL QWORD PTR [RIP+0x12D89F] |
| 1B7B | N/A | .text | CALL QWORD PTR [RIP+0x12D87F] |
| 1BE3 | N/A | .text | CALL QWORD PTR [RIP+0x12D83F] |
| 1BFA | N/A | .text | CALL QWORD PTR [RIP+0x12D820] |
| 1C29 | N/A | .text | CALL QWORD PTR [RIP+0x12D7D9] |
| 1CC8 | N/A | .text | CALL QWORD PTR [RIP+0x12D73A] |
| 1CE1 | N/A | .text | CALL QWORD PTR [RIP+0x12D719] |
| 1D77 | N/A | .text | CALL QWORD PTR [RIP+0x158293] |
| 1DC7 | N/A | .text | CALL QWORD PTR [RIP+0x158243] |
| 1E2F | N/A | .text | CALL QWORD PTR [RIP+0x1581DB] |
| 1EBF | N/A | .text | CALL QWORD PTR [RIP+0x15814B] |
| 1F2B | N/A | .text | CALL QWORD PTR [RIP+0x1580DF] |
| 1F6F | N/A | .text | CALL QWORD PTR [RIP+0x15809B] |
| 1FB7 | N/A | .text | CALL QWORD PTR [RIP+0x158053] |
| 2012 | N/A | .text | CALL QWORD PTR [RIP+0x157FF8] |
| 206C | N/A | .text | CALL QWORD PTR [RIP+0x157F9E] |
| 211C | N/A | .text | CALL QWORD PTR [RIP+0x157EEE] |
| 21A6 | N/A | .text | CALL QWORD PTR [RIP+0x157E64] |
| 2226 | N/A | .text | CALL QWORD PTR [RIP+0x157DE4] |
| 22B0 | N/A | .text | CALL QWORD PTR [RIP+0x157D5A] |
| 232C | N/A | .text | CALL QWORD PTR [RIP+0x157CDE] |
| 23BC | N/A | .text | CALL QWORD PTR [RIP+0x157C4E] |
| 2423 | N/A | .text | CALL QWORD PTR [RIP+0x157BE7] |
| 248C | N/A | .text | CALL QWORD PTR [RIP+0x157B7E] |
| 253F | N/A | .text | CALL QWORD PTR [RIP+0x157ACB] |
| 25C7 | N/A | .text | CALL QWORD PTR [RIP+0x157A43] |
| 261C | N/A | .text | CALL QWORD PTR [RIP+0x1579EE] |
| 26CC | N/A | .text | CALL QWORD PTR [RIP+0x15793E] |
| 277C | N/A | .text | CALL QWORD PTR [RIP+0x15788E] |
| 27EC | N/A | .text | CALL QWORD PTR [RIP+0x15781E] |
| 703B1-703DF | N/A | .text | Unusual NOPS Space, count: 47 |
| 110BD0-110BFF | N/A | .text | Unusual NOPS Space, count: 48 |
| 112AD0-112AFF | N/A | .text | Unusual BP Cave, count: 48 |
| 114350-11437F | N/A | .text | Unusual NOPS Space, count: 48 |
| 1A1000 | N/A | *Overlay* | E824000000020200308224DC06092A864886F70D (.$......0.$...*.H...) |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 1031902 | 60,0823% |
| Null Byte Code | 338146 | 19,6885% |
| NOP Cave Found | 0x9090909090 (Block Count: 27) | Total: 0,0039% |