PESCAN.IO - Analysis Report Basic

File Structure
Analysis Image
PE Chart Code
Executable header (light blue)
Executable sections (pink)
Non-executable sections (black)
External injected code (red)
File Structure in red = malformed or corrupted header
Chart Code For Other Files
Printable characters (blue)
Non-printable characters (black)
Information
Size: 946,50 KB
SHA-256 Hash: 1F1283F8723CA62693DCD5E8ED07166FEC45450F36F35C0AD274F6F0B2E2DE5F
SHA-1 Hash: 1BA0B9CC6C7DA1B6A32A459416D0D494AD675E74
MD5 Hash: 9D443384F9D21BE3B3D67234F76BD36E
Imphash: 4C8BAABD97009025EB65A2E23335BD24
MajorOSVersion: 6
CheckSum: 00000000
EntryPoint (rva): E6350
SizeOfHeaders: 400
SizeOfImage: F0000
ImageBase: 10000000
Architecture: x86
ExportTable: EC5E0
ImportTable: EC638
Characteristics: 2102
TimeDateStamp: 64B1B8A1
Date: 14/07/2023 21:05:37
File Type: DLL
Number Of Sections: 5
ASLR: Enabled
Section Names: .text, .rdata, .data, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker
Sections Info
Section Name Flags ROffset RSize VOffset VSize
.text 60000020 (Executable) 400 E5E00 1000 E5D33
.rdata 40000040 E6200 5A00 E7000 592E
.data C0000040 (Writeable) EBC00 200 ED000 39C
.rsrc 40000040 EBE00 200 EE000 1E0
.reloc 42000040 EC000 A00 EF000 980
Entry Point
The section number (1) - (.text) have the Entry Point
Information -> EntryPoint (calculated) - E5750
Code -> 558BEC837D0C017505E883010000FF7510FF750CFF7508E8AEFEFFFF83C40C5DC20C00558BEC6A00FF1504700E10FF7508FF
PUSH EBP
MOV EBP, ESP
CMP DWORD PTR [EBP + 0XC], 1
JNE 0X100E
CALL 0X1191
PUSH DWORD PTR [EBP + 0X10]
PUSH DWORD PTR [EBP + 0XC]
PUSH DWORD PTR [EBP + 8]
CALL 0XECA
ADD ESP, 0XC
POP EBP
RET 0XC
PUSH EBP
MOV EBP, ESP
PUSH 0
CALL DWORD PTR [0X100E7004]
PUSH DWORD PTR [EBP + 8]
Signatures
Rich Signature Analyzer:
Code -> E1AEC559A5CFAB0AA5CFAB0AA5CFAB0AACB7380AA7CFAB0A1BBEAA0BA6CFAB0A1BBEAE0BAFCFAB0A1BBEAF0BAFCFAB0A1BBEA80BA7CFAB0AFEA7AA0BA7CFAB0AA5CFAA0ABACFAB0A33BDA20BA3CFAB0A33BDAB0BA4CFAB0A33BD540AA4CFAB0A33BDA90BA4CFAB0A52696368A5CFAB0A
Footprint md5 Hash -> 5854B5CC6A9FDF5A0D20D47E6E29EE0A
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found:
• The file is not signed
Packer/Compiler
Compiler: Microsoft Visual Studio
Detect It Easy (die)
PE: linker: Microsoft Linker(14.28**)[DLL32]
Entropy: 5.67719
Suspicious Functions
Library Function Description
KERNEL32.DLL IsDebuggerPresent Determines if the calling process is being debugged by a user-mode debugger.
ET Functions (carving)
Original Name -> GenerateKeyExImpl.dll
GenerateKeyEx
File Access
KERNEL32.dll
api-ms-win-crt-runtime-l1-1-0.dll
VCRUNTIME140.dll
GenerateKeyExImpl.dll
Interest's Words
exec
Payloads
Unusual BP Cave > 15 Bytes - (0xCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC...)
Strings/Hex Code Found With The File Rules
Rule Type Encoding Matched (Word)
Text Ascii Anti-Analysis VM (IsDebuggerPresent)
Resources
Path DataRVA Size FileOffset CodeText
\24\2\1033 EE060 17D EBE60 3C3F786D6C2076657273696F6E3D27312E302720656E636F64696E673D275554462D3827207374616E64616C6F6E653D2779<?xml version='1.0' encoding='UTF-8' standalone='y
Intelligent String
• C:\WS\P13A\SW\__P13A_Construction\SQR_SUV_DLL_Project_0\GenerateKeyExImpl\Release\GenerateKeyExImpl.pdb
• .bss
Extra Analysis
Metric Value Percentage
Ascii Code 458741 47,3311%
Null Byte Code 130565 13,4712%
© 2025 All rights reserved.