PESCAN.IO - Analysis Report Basic
| File Structure |
PE Chart Code
Header PE (light blue)
Executable sections (pink)
Non-executable sections (black)
External injected code (red)
File Structure in red = malformed or corrupted header
Chart Code For Other Files
Printable characters (blue)
Non-printable characters (black)
| Information |
| Field | Value |
|---|---|
| Size | 1,57 MB |
| SHA-256 Hash | 7B67375B2B303E05D2989F23E986126EDA67435C71231FA4B0BDAEB7A619A0A6 |
| SHA-1 Hash | 3BF66C442B446BB642AB75360077203A1DDDC16F |
| MD5 Hash | 9EECA41AA10EF3C99D7DB2EA97160E17 |
| Imphash | CF0D2DE4FD6406302012E0F40060395F |
| MajorOSVersion | 4 |
| MinorOSVersion | 0 |
| CheckSum | 00000000 |
| EntryPoint (rva) | 7294 |
| SizeOfHeaders | 400 |
| SizeOfImage | F000 |
| ImageBase | 400000 |
| Architecture | x86 |
| ImportTable | 8C44 |
| IAT | 8000 |
| Characteristics | 12F |
| TimeDateStamp | 686913C0 |
| Date | 05/07/2025 12:00:00 |
| File Type | EXE |
| Number Of Sections | 4 |
| ASLR | Disabled |
| Section Names | .text, .rdata, .data, .rsrc |
| Number Of Executable Sections | 1 |
| Subsystem | Windows GUI |
| UAC Execution Level Manifest | requireAdministrator |
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 0x60000020 Code Executable Readable | 400 | 6600 | 1000 | 65EE | | |
| .rdata | 0x40000040 Initialized Data Readable | 6A00 | 1400 | 8000 | 1346 | | |
| .data | 0xC0000040 Initialized Data Readable Writeable | 7E00 | 200 | A000 | 38EC | | |
| .rsrc | 0x40000040 Initialized Data Readable | 8000 | 1000 | E000 | FE8 | | |
| Description |
| Field | Value |
|---|---|
| OriginalFilename | 7zipInstall.exe |
| CompanyName | Igor Pavlov |
| LegalCopyright | Copyright (c) 1999-2025 Igor Pavlov |
| ProductName | 7-Zip |
| FileVersion | 25.00 |
| FileDescription | 7-Zip Installer |
| ProductVersion | 25.00 |
| Language | English (United States) (ID=0x409) |
| CodePage | Unicode (UTF-16 LE) (0x4B0) |
| Binder/Joiner/Crypter |
| Dropper code detected (EOF) - 1,51 MB |
| Entry Point |
Section number 1 (.text) contains the Entry Point. EntryPoint (calculated): 6694
Code: 558BEC6AFF68388C4000682074400064A100000000506489250000000083EC685356578965E833DB895DFC6A02FF15BC8040
Assembler:
• PUSH EBP
• MOV EBP, ESP
• PUSH -1
• PUSH 0X408C38
• PUSH 0X407420
• MOV EAX, DWORD PTR FS:[0]
• PUSH EAX
• MOV DWORD PTR FS:[0], ESP
• SUB ESP, 0X68
• PUSH EBX
• PUSH ESI
• PUSH EDI
• MOV DWORD PTR [EBP - 0X18], ESP
• XOR EBX, EBX
• MOV DWORD PTR [EBP - 4], EBX
• PUSH 2
| Signatures |
| Rich Signature Analyzer |
• Code: 7EC6D6583AA7B80B3AA7B80B3AA7B80B55B8B20B31A7B80BB9BBB60B3FA7B80B55B8BC0B38A7B80BB4AFE70B38A7B80B3AA7B90B68A7B80BB9AFE50B31A7B80B0C81B20B37A7B80BA2D5BB0A3BA7B80BFDA1BE0B3BA7B80B526963683AA7B80B
• Footprint md5 Hash: DEB7EB727052E95A5B5E8134EC54BCAA
• The Rich header apparently has not been modified
| Certificate - Digital Signature Not Found |
• The file is not signed
| Packer/Compiler |
| Detect It Easy (die) • PE: sfx: 7-Zip(-)[-] • PE: compiler: EP:Microsoft Visual C/C++(6.0 (1720-9782))[EXE32] • PE: compiler: Microsoft Visual C/C++(6.0)[msvcrt] • PE: archive: 7-Zip(0.4)[-] • PE: linker: Microsoft Linker(6.0*)[-] • Entropy: 7.99641 |
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | LoadLibraryW | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| Windows REG (UNICODE) |
| Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved Software\7-Zip Software\Microsoft\Windows\CurrentVersion Software\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip Software\Microsoft\Windows\CurrentVersion\App Paths\7zFM.exe |
| File Access |
| Uninstall.exe 7zFM.exe KERNEL32.dll MSVCRT.dll SHELL32.dll ADVAPI32.dll USER32.dll ole32.dll 7-zip.dll 7-zip32.dll .BAt @.dat |
| File Access (UNICODE) |
| 7zipInstall.exe VerQueryValueW GetFileVersionInfoW GetFileVersionInfoSizeW version.dll This installation requires Windows x64 kernel32.dll ProgramFiles |
| Interest's Words |
| exec attrib start |
| Interest's Words (UNICODE) |
| start shutdown |
| URLs |
| http://schemas.microsoft.com/SMI/2005/WindowsSettings |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | Registry (RegCreateKeyEx) |
| Text | Ascii | Registry (RegOpenKeyEx) |
| Text | Ascii | Registry (RegSetValueEx) |
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | File (ReadFile) |
| Text | Ascii | Anti-Analysis VM (GetVersion) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Unicode | Privileges (SeShutdownPrivilege) |
| Entry Point | Hex Pattern | Microsoft Visual C++ 5.0 |
| Entry Point | Hex Pattern | Microsoft Visual C++ v6.0 |
| Entry Point | Hex Pattern | Microsoft Visual C++ v6.0 |
| Entry Point | Hex Pattern | Microsoft Visual C++ |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \ICON\1\1033 | E480 | 2E8 | 8480 | 2800000020000000400000000100040000000000800200000000000000000000000000000000000000000000000080000080 | (... ...@......................................... |
| \ICON\2\1033 | E768 | 128 | 8768 | 2800000010000000200000000100040000000000C00000000000000000000000000000000000000000000000000080000080 | (....... ......................................... |
| \DIALOG\100\1033 | E8B8 | 176 | 88B8 | 4008C89000000000070000000000C80070000000000049006E007300740061006C006C00200037002D005A00690070000000 | @...............p.....I.n.s.t.a.l.l. .7.-.Z.i.p... |
| \GROUP_ICON\1\1033 | E890 | 22 | 8890 | 0000010002002020100001000400E802000001001010100001000400280100000200 | ...... ....................(..... |
| \VERSION\1\1033 | E1B0 | 2D0 | 81B0 | D00234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \24\1\1033 | EA30 | 5B2 | 8A30 | 3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E653D2279 | <?xml version="1.0" encoding="UTF-8" standalone="y |
| Intelligent String |
| • C:\Software\Microsoft\Windows\CurrentVersion • kernel32.dll • 7-zip32.dll • 7-zip.dll • .tmp • 7-zip.chm • 7zFM.exe • 7-Zip Help.lnk • 7-Zip File Manager.lnk • Software\Microsoft\Windows\CurrentVersion\App Paths\7zFM.exe • USER32.dll • MSVCRT.dll • 7zipInstall.exe • <asmv3:application><asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings"> |
| Flow Anomalies |
| Offset | RVA | Section | Type | Description |
|---|---|---|---|---|
| 40F | 408144 | .text | CALL [static] | Indirect call to absolute memory address |
| 41A | 40807C | .text | CALL [static] | Indirect call to absolute memory address |
| 4DF | 408084 | .text | CALL [static] | Indirect call to absolute memory address |
| 4E6 | 408088 | .text | CALL [static] | Indirect call to absolute memory address |
| 4F7 | 40808C | .text | CALL [static] | Indirect call to absolute memory address |
| 545 | 408014 | .text | CALL [static] | Indirect call to absolute memory address |
| 565 | 408018 | .text | CALL [static] | Indirect call to absolute memory address |
| 5C8 | 408110 | .text | CALL [static] | Indirect call to absolute memory address |
| 5E3 | 408114 | .text | CALL [static] | Indirect call to absolute memory address |
| 606 | 40811C | .text | CALL [static] | Indirect call to absolute memory address |
| 63C | 408128 | .text | CALL [static] | Indirect call to absolute memory address |
| 64B | 40812C | .text | CALL [static] | Indirect call to absolute memory address |
| 656 | 408130 | .text | CALL [static] | Indirect call to absolute memory address |
| 69E | 408134 | .text | CALL [static] | Indirect call to absolute memory address |
| 6E0 | 40811C | .text | CALL [static] | Indirect call to absolute memory address |
| 6F8 | 408138 | .text | CALL [static] | Indirect call to absolute memory address |
| 789 | 408078 | .text | CALL [static] | Indirect call to absolute memory address |
| 7A4 | 40810C | .text | CALL [static] | Indirect call to absolute memory address |
| 7B6 | 408090 | .text | CALL [static] | Indirect call to absolute memory address |
| 7E7 | 408010 | .text | CALL [static] | Indirect call to absolute memory address |
| 819 | 408014 | .text | CALL [static] | Indirect call to absolute memory address |
| 83B | 408018 | .text | CALL [static] | Indirect call to absolute memory address |
| 962 | 408100 | .text | CALL [static] | Indirect call to absolute memory address |
| 9A4 | 408134 | .text | CALL [static] | Indirect call to absolute memory address |
| 9E1 | 408118 | .text | CALL [static] | Indirect call to absolute memory address |
| A46 | 408104 | .text | CALL [static] | Indirect call to absolute memory address |
| A54 | 408134 | .text | CALL [static] | Indirect call to absolute memory address |
| AC7 | 4080EC | .text | CALL [static] | Indirect call to absolute memory address |
| AD5 | 4080F0 | .text | CALL [static] | Indirect call to absolute memory address |
| B02 | 4080F0 | .text | CALL [static] | Indirect call to absolute memory address |
| B30 | 408118 | .text | CALL [static] | Indirect call to absolute memory address |
| B63 | 40810C | .text | CALL [static] | Indirect call to absolute memory address |
| B74 | 408138 | .text | CALL [static] | Indirect call to absolute memory address |
| BD8 | 4080DC | .text | CALL [static] | Indirect call to absolute memory address |
| C1F | 408048 | .text | CALL [static] | Indirect call to absolute memory address |
| CAC | 408100 | .text | CALL [static] | Indirect call to absolute memory address |
| D30 | 408090 | .text | CALL [static] | Indirect call to absolute memory address |
| DEF | 408118 | .text | CALL [static] | Indirect call to absolute memory address |
| E37 | 408128 | .text | CALL [static] | Indirect call to absolute memory address |
| E48 | 40812C | .text | CALL [static] | Indirect call to absolute memory address |
| E55 | 408130 | .text | CALL [static] | Indirect call to absolute memory address |
| E84 | 408118 | .text | CALL [static] | Indirect call to absolute memory address |
| ECC | 408104 | .text | CALL [static] | Indirect call to absolute memory address |
| F8D | 408080 | .text | CALL [static] | Indirect call to absolute memory address |
| FAA | 408080 | .text | CALL [static] | Indirect call to absolute memory address |
| FC3 | 408090 | .text | CALL [static] | Indirect call to absolute memory address |
| FD9 | 40804C | .text | CALL [static] | Indirect call to absolute memory address |
| FE6 | 408068 | .text | CALL [static] | Indirect call to absolute memory address |
| 1062 | 408078 | .text | CALL [static] | Indirect call to absolute memory address |
| 107F | 408090 | .text | CALL [static] | Indirect call to absolute memory address |
| 10AA | 40810C | .text | CALL [static] | Indirect call to absolute memory address |
| 1168 | 40806C | .text | CALL [static] | Indirect call to absolute memory address |
| 11A1 | 408068 | .text | CALL [static] | Indirect call to absolute memory address |
| 11B6 | 408070 | .text | CALL [static] | Indirect call to absolute memory address |
| 11EB | 408074 | .text | CALL [static] | Indirect call to absolute memory address |
| 1214 | 408118 | .text | CALL [static] | Indirect call to absolute memory address |
| 125D | 408104 | .text | CALL [static] | Indirect call to absolute memory address |
| 12BE | 40810C | .text | CALL [static] | Indirect call to absolute memory address |
| 12CF | 40808C | .text | CALL [static] | Indirect call to absolute memory address |
| 12D6 | 408004 | .text | CALL [static] | Indirect call to absolute memory address |
| 12EA | 408008 | .text | CALL [static] | Indirect call to absolute memory address |
| 1308 | 40800C | .text | CALL [static] | Indirect call to absolute memory address |
| 130E | 408074 | .text | CALL [static] | Indirect call to absolute memory address |
| 131A | 4080FC | .text | CALL [static] | Indirect call to absolute memory address |
| 13DA | 408040 | .text | CALL [static] | Indirect call to absolute memory address |
| 13FA | 408090 | .text | CALL [static] | Indirect call to absolute memory address |
| 1423 | 408080 | .text | CALL [static] | Indirect call to absolute memory address |
| 1430 | 408044 | .text | CALL [static] | Indirect call to absolute memory address |
| 148D | 4080D4 | .text | CALL [static] | Indirect call to absolute memory address |
| 14CE | 4080D8 | .text | CALL [static] | Indirect call to absolute memory address |
| 14E3 | 40803C | .text | CALL [static] | Indirect call to absolute memory address |
| 14F0 | 408074 | .text | CALL [static] | Indirect call to absolute memory address |
| 1524 | 408080 | .text | CALL [static] | Indirect call to absolute memory address |
| 158B | 40804C | .text | CALL [static] | Indirect call to absolute memory address |
| 164B | 40804C | .text | CALL [static] | Indirect call to absolute memory address |
| 177B | 4080D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 184F | 408018 | .text | CALL [static] | Indirect call to absolute memory address |
| 1865 | 408090 | .text | CALL [static] | Indirect call to absolute memory address |
| 187A | 408000 | .text | CALL [static] | Indirect call to absolute memory address |
| 1897 | 40801C | .text | CALL [static] | Indirect call to absolute memory address |
| 18DC | 4080E8 | .text | CALL [static] | Indirect call to absolute memory address |
| 1928 | 408090 | .text | CALL [static] | Indirect call to absolute memory address |
| 1958 | 408080 | .text | CALL [static] | Indirect call to absolute memory address |
| 1983 | 408038 | .text | CALL [static] | Indirect call to absolute memory address |
| 19E3 | 408140 | .text | CALL [static] | Indirect call to absolute memory address |
| 1B68 | 408018 | .text | CALL [static] | Indirect call to absolute memory address |
| 1B87 | 40801C | .text | CALL [static] | Indirect call to absolute memory address |
| 1BBB | 408018 | .text | CALL [static] | Indirect call to absolute memory address |
| 1CB7 | 408018 | .text | CALL [static] | Indirect call to absolute memory address |
| 1DE2 | 408018 | .text | CALL [static] | Indirect call to absolute memory address |
| 1DFA | 408000 | .text | CALL [static] | Indirect call to absolute memory address |
| 1E32 | 408030 | .text | CALL [static] | Indirect call to absolute memory address |
| 1E40 | 408080 | .text | CALL [static] | Indirect call to absolute memory address |
| 1E49 | 408064 | .text | CALL [static] | Indirect call to absolute memory address |
| 1E5D | 4080D4 | .text | CALL [static] | Indirect call to absolute memory address |
| 1E66 | 4080D8 | .text | CALL [static] | Indirect call to absolute memory address |
| 406F | 40802C | .text | CALL [static] | Indirect call to absolute memory address |
| 4081 | 408074 | .text | CALL [static] | Indirect call to absolute memory address |
| 409D | 408028 | .text | CALL [static] | Indirect call to absolute memory address |
| 40A7 | 408074 | .text | CALL [static] | Indirect call to absolute memory address |
| 9000 | N/A | *Overlay* | 377ABCAF271C000471E85BFF157A180000000000 | 7z..'...q.[..z...... |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 1122824 | 68,4211% |
| Null Byte Code | 13989 | 0,8524% |