PESCAN.IO - Analysis Report (Basic)

| File Structure |
[PE structure chart not reproduced in this copy of the report. Chart legend: PE header = light blue; executable sections = pink; non-executable sections = black; externally injected code = red; a File Structure label drawn in red marks a malformed or corrupted header. For non-PE files the chart shows printable characters in blue and non-printable characters in black.]
| Information |
Size: 64.50 KB (66,048 bytes)
SHA-256: BC5C356A869656BF84ADF1507120195795100D1045E7158FDED5675D0CB872E5
SHA-1: 65971923A2278CECFF22269B8C0B1274A8599233
MD5: AFC64C0B3775C3271A5D1B89B00ED3FD
Imphash: F80C79925AADC03114DAD44C026AD42A
MajorOSVersion: 4, MinorOSVersion: 0
CheckSum: 00000000
EntryPoint (RVA): DE60
SizeOfHeaders: 400
SizeOfImage: 17000
ImageBase: 400000
Architecture: x86
ImportTable: 10000
IAT: 100F0
Characteristics: 818E (EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI)
TimeDateStamp: 2A425E19 (19/06/1992 22:22:17)
File Type: EXE
Number Of Sections: 8
ASLR: Disabled
Section Names: CODE, DATA, BSS, .idata, .tls, .rdata, .reloc, .rsrc
Number Of Executable Sections: 0
Subsystem: Windows GUI
Tool verdict: Incomplete Binary or Compressor Packer - 27.50 KB Missing

Three of these values need interpretation before they are used as indicators:

• TimeDateStamp 0x2A425E19 (19 June 1992) is the constant stamp the Borland/Delphi linker writes into every image; it says nothing about when this file was built.
• "27.50 KB Missing" is exactly SizeOfImage minus file size: 0x17000 (94,208) - 66,048 = 28,160 bytes. That difference is page-alignment slack plus the three sections with zero raw size (BSS, .tls, .reloc), which exist in memory only. The raw section layout in the table below is contiguous and ends at 0x10200 = 66,048, i.e. exactly at end of file, so the binary is not truncated and nothing else in the report points to a packer.
• "Number Of Executable Sections: 0" follows from the flags the tool reports (0xC0000040 on every section, with no IMAGE_SCN_MEM_EXECUTE), including CODE, where the entry point lies. If those flags are read correctly the loader maps CODE as read/write data and execution relies on DEP not being enforced for this process; a look at the section headers in a second parser is warranted before drawing conclusions from this count.
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize |
|---|---|---|---|---|---|
| CODE | 0xC0000040 Initialized Data, Readable, Writeable | 400 | D000 | 1000 | D000 |
| DATA | 0xC0000040 Initialized Data, Readable, Writeable | D400 | A00 | E000 | 1000 |
| BSS | 0xC0000040 Initialized Data, Readable, Writeable | DE00 | 0 | F000 | 1000 |
| .idata | 0xC0000040 Initialized Data, Readable, Writeable | DE00 | C00 | 10000 | 1000 |
| .tls | 0xC0000040 Initialized Data, Readable, Writeable | EA00 | 0 | 11000 | 1000 |
| .rdata | 0xC0000040 Initialized Data, Readable, Writeable | EA00 | 200 | 12000 | 1000 |
| .reloc | 0xC0000040 Initialized Data, Readable, Writeable | EC00 | 0 | 13000 | 2000 |
| .rsrc | 0xC0000040 Initialized Data, Readable, Writeable | EC00 | 1600 | 15000 | 14A8 |

All values are hexadecimal. 0xC0000040 decodes to IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE. The per-section Entropy and Chi2 columns of the original report were not captured in this copy. Each section's raw data starts where the previous one ends (sections with RSize 0 share their offset with the next one), and .rsrc ends at EC00 + 1600 = 10200, the reported file size; the virtual layout ends at 15000 + 14A8 rounded up to the next page, 17000, which matches SizeOfImage.
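The arithmetic behind the figures above, as an added example rather than PESCAN's code: it re-derives the "missing bytes" figure, the entry-point file offset and the executable-section count from the header values and section table transcribed from this report, so it runs without the TIREAL binary. The only assumption not printed in the report is a SectionAlignment of 0x1000, implied by the page-spaced RVAs.

```python
"""Consistency check of the PE header and section table reported above.

Added example; not PESCAN's code and independent of the TIREAL binary.
Every number is transcribed from the report (hex as printed there), so
the script re-derives the report's figures instead of parsing a file.
"""
from dataclasses import dataclass

IMAGE_SCN_MEM_EXECUTE = 0x20000000
PAGE = 0x1000            # SectionAlignment: assumed, implied by the 0x1000-spaced RVAs


@dataclass(frozen=True)
class Section:
    name: str
    flags: int
    raw_off: int
    raw_size: int
    rva: int
    vsize: int


SECTIONS = [  # name, flags, ROffset, RSize, VOffset, VSize (from the table)
    Section("CODE",   0xC0000040, 0x0400, 0xD000, 0x01000, 0xD000),
    Section("DATA",   0xC0000040, 0xD400, 0x0A00, 0x0E000, 0x1000),
    Section("BSS",    0xC0000040, 0xDE00, 0x0000, 0x0F000, 0x1000),
    Section(".idata", 0xC0000040, 0xDE00, 0x0C00, 0x10000, 0x1000),
    Section(".tls",   0xC0000040, 0xEA00, 0x0000, 0x11000, 0x1000),
    Section(".rdata", 0xC0000040, 0xEA00, 0x0200, 0x12000, 0x1000),
    Section(".reloc", 0xC0000040, 0xEC00, 0x0000, 0x13000, 0x2000),
    Section(".rsrc",  0xC0000040, 0xEC00, 0x1600, 0x15000, 0x14A8),
]
FILE_SIZE = 66048        # 64.50 KB in the report
SIZE_OF_IMAGE = 0x17000
SIZE_OF_HEADERS = 0x400
ENTRY_POINT_RVA = 0xDE60


def align_up(value, align=PAGE):
    return (value + align - 1) // align * align


def section_for_rva(rva, sections=SECTIONS):
    """Section whose mapped (page-aligned) range contains rva, or None."""
    for s in sections:
        if s.rva <= rva < s.rva + align_up(max(s.vsize, s.raw_size)):
            return s
    return None


def rva_to_file_offset(rva, sections=SECTIONS):
    """Map an RVA to a file offset; None if the RVA exists in memory only."""
    s = section_for_rva(rva, sections)
    if s is None or rva - s.rva >= s.raw_size:
        return None
    return s.raw_off + (rva - s.rva)


def analyse(file_size=FILE_SIZE, size_of_image=SIZE_OF_IMAGE,
            size_of_headers=SIZE_OF_HEADERS, ep_rva=ENTRY_POINT_RVA,
            sections=SECTIONS):
    """Checks to run before trusting a 'bytes missing' verdict."""
    raw_end = max(s.raw_off + s.raw_size for s in sections)
    last = max(sections, key=lambda s: s.rva)
    # Bytes present in memory but not on disk: header padding to the first
    # page, alignment slack at the end of each section, zero-raw sections.
    virtual_slack = align_up(size_of_headers) - size_of_headers + sum(
        align_up(max(s.vsize, s.raw_size)) - s.raw_size for s in sections)
    ep = section_for_rva(ep_rva, sections)
    return {
        "raw_end": raw_end,
        "truncated_bytes": max(raw_end - file_size, 0),  # >0: really cut short
        "overlay_bytes": max(file_size - raw_end, 0),    # >0: data appended
        "size_of_image_ok": align_up(last.rva + last.vsize) == size_of_image,
        "image_minus_file": size_of_image - file_size,
        "virtual_slack": virtual_slack,
        "executable_sections": sum(bool(s.flags & IMAGE_SCN_MEM_EXECUTE)
                                   for s in sections),
        "ep_section": ep.name if ep else None,
        "ep_executable": bool(ep and ep.flags & IMAGE_SCN_MEM_EXECUTE),
        "ep_file_offset": rva_to_file_offset(ep_rva, sections),
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        shown = f"{value:#x}" if type(value) is int else str(value)
        print(f"{key:22} {shown}")
```

When `image_minus_file` equals `virtual_slack` and `truncated_bytes` is zero, the "missing" bytes are alignment and uninitialised data, not a cut-off file; a real truncation shows up as `raw_end` past the file size, and appended payloads as `overlay_bytes`.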
| Description |
CompanyName: TIREAL company
ProductName: TIREAL TFT TEST
FileVersion: 1.0.0.0
ProductVersion: 1.0.0.0
Comments: tireal.com
Language: Russian (Russia) (ID=0x419)
CodePage: Cyrillic (Windows 1251) (0x4E3)
| Entry Point |
The entry point RVA DE60 lies in section 1 (CODE); its file offset is DE60 - 1000 + 400 = D260, as the report calculates.

Bytes at the entry point (50-byte dump, as reported):
558BEC83C4F0B800DE4000E83067FFFFA11CE940008B0050A12CE940008B0050A1DCE840008B0050A164F6400050E851FDFF

Disassembly (VA = ImageBase 400000 + RVA):

```asm
0040DE60  55                push ebp
0040DE61  8B EC             mov ebp, esp
0040DE63  83 C4 F0          add esp, -0x10
0040DE66  B8 00 DE 40 00    mov eax, 0x40DE00
0040DE6B  E8 30 67 FF FF    call 0x4045A0
0040DE70  A1 1C E9 40 00    mov eax, dword ptr [0x40E91C]
0040DE75  8B 00             mov eax, dword ptr [eax]
0040DE77  50                push eax
0040DE78  A1 2C E9 40 00    mov eax, dword ptr [0x40E92C]
0040DE7D  8B 00             mov eax, dword ptr [eax]
0040DE7F  50                push eax
0040DE80  A1 DC E8 40 00    mov eax, dword ptr [0x40E8DC]
0040DE85  8B 00             mov eax, dword ptr [eax]
0040DE87  50                push eax
0040DE88  A1 64 F6 40 00    mov eax, dword ptr [0x40F664]
0040DE8D  50                push eax
0040DE8E  E8 51 FD FF ??    call rel32 (last displacement byte cut off by the 50-byte dump)
```

The original listing rendered the first call as `CALL 0XFFFF7740`, which is the raw rel32 displacement (0xFFFF6730, i.e. -0x98D0) applied to an offset instead of to the address of the next instruction; relative to 0040DE70 the target is 004045A0, inside CODE. The `mov eax, 0x40DE00` / `call` pair is the standard Delphi program prologue (load the unit initialisation table, call the RTL's InitExe), and the loads through 0x40E91C, 0x40E92C and 0x40E8DC dereference global variables in DATA.
| Signatures |
| Certificate - Digital Signature Not Found: • The file is not signed |
| Packer/Compiler |
Compiler: Borland Delphi 7
Detect It Easy (DIE):
• PE: compiler: Borland Delphi(6-7 or 2005)[-]
• PE: linker: Turbo Linker(2.25*,Delphi)[-]
• Entropy: 6.23137
A whole-file entropy of 6.23 bits per byte is in the range of ordinary compiled code with resources; compressed or encrypted payloads push the value towards 8.
| Suspicious Functions |
These are ordinary Win32 imports. GetModuleHandleA, GetProcAddress and VirtualAlloc are imported by the Delphi RTL itself (memory manager and dynamic lookups), and ShellExecuteA is consistent with the "Go to www.tireal.com" string found below; none of them is evidence of malicious behaviour on its own, only of capability.
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | GetModuleFileNameA | Retrieve the fully qualified path for the executable file of a specified module. |
| KERNEL32.DLL | VirtualAlloc | Reserve, commit, or both, a region of memory within the virtual address space of a process. |
| KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| SHELL32.DLL | ShellExecuteA | Performs an operation (such as open or print) on a specified file, URL or program. |
| Windows REG |
• SOFTWARE\Borland\Delphi\RTL
• Software\Borland\Locales
• Software\Borland\Delphi\Locales
These are the keys the Delphi RTL consults at start-up to find a localisation resource module; they are emitted by the compiler, not written by application code.
| File Access |
shell32.dll, opengl32.dll, user32.dll, gdi32.dll, kernel32.dll, oleaut32.dll, advapi32.dll
| Words of Interest |
exec, start
| URLs |
| http://www.tireal.com |
| Emails |
| support@tireal.com |
| Strings/Hex Code Found With The File Rules |
The "Entry Point / Hex Pattern" rows are signature-database hits on the bytes at the entry point. Several of them contradict each other (Delphi 3.0, Delphi 4.0, Delphi 6.0-7.0, Visual C++ 8, PEQuake, Stranik), which is a reminder that short entry-point byte patterns are not specific; the DIE verdict above (Delphi 6-7, Turbo Linker) and the PACKAGEINFO and DVCLAL resources below are the consistent evidence for Delphi.
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | Registry (RegOpenKeyEx) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | Anti-Analysis VM (GetVersion) |
| Text | Ascii | Reconnaissance (FindFirstFileA) |
| Text | Ascii | Reconnaissance (FindClose) |
| Text | Ascii | Stealth (VirtualAlloc) |
| Text | Ascii | Execution (ShellExecute) |
| Entry Point | Hex Pattern | BobSoft Mini Delphi - BoB / BobSoft |
| Entry Point | Hex Pattern | Borland Delphi 4.0 |
| Entry Point | Hex Pattern | Borland Delphi v3.0 |
| Entry Point | Hex Pattern | Borland Delphi v3.0 |
| Entry Point | Hex Pattern | Borland Delphi v6.0 - v7.0 |
| Entry Point | Hex Pattern | Borland Delphi v6.0 - v7.0 |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8.0 |
| Entry Point | Hex Pattern | PEQuake V0.06 - forgat |
| Entry Point | Hex Pattern | Stranik 1.3 Modula/C/Pascal |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \ICON\1\1049 | 152D8 | 2E8 | EED8 | 2800000020000000400000000100040000000000800200000000000000000000000000000000000000000000000080000080 | (... ...@......................................... |
| \ICON\2\1049 | 155C0 | 128 | F1C0 | 2800000010000000200000000100040000000000C00000000000000000000000000000000000000000000000000080000080 | (....... ......................................... |
| \STRING\4092\0 | 156E8 | F0 | F2E8 | 08004E006F00760065006D00620065007200080044006500630065006D006200650072000300530075006E0003004D006F00 | ..N.o.v.e.m.b.e.r...D.e.c.e.m.b.e.r...S.u.n...M.o. |
| \STRING\4093\0 | 157D8 | D8 | F3D8 | 03004A0075006C000300410075006700030053006500700003004F006300740003004E006F00760003004400650063000700 | ..J.u.l...A.u.g...S.e.p...O.c.t...N.o.v...D.e.c... |
| \STRING\4094\0 | 158B0 | 260 | F4B0 | 1F0049006E00760061006C00690064002000760061007200690061006E00740020007400790070006500200063006F006E00 | ..I.n.v.a.l.i.d. .v.a.r.i.a.n.t. .t.y.p.e. .c.o.n. |
| \STRING\4095\0 | 15B10 | 37C | F710 | 190049006E00760061006C0069006400200070006F0069006E0074006500720020006F007000650072006100740069006F00 | ..I.n.v.a.l.i.d. .p.o.i.n.t.e.r. .o.p.e.r.a.t.i.o. |
| \STRING\4096\0 | 15E8C | 2A0 | FA8C | 0D004F007500740020006F00660020006D0065006D006F00720079000C0049002F004F0020006500720072006F0072002000 | ..O.u.t. .o.f. .m.e.m.o.r.y...I./.O. .e.r.r.o.r. . |
| \RCDATA\DVCLAL\0 | 1612C | 10 | FD2C | 263D4F38C28237B8F3244203179B3A83 | &=O8..7..$B...:. |
| \RCDATA\PACKAGEINFO\0 | 1613C | 78 | FD3C | 010000CC000000000B0000000152746674746573740010025379735574696C730000C753797374656D000081537973496E69 | .............Rtfttest...SysUtils...System...SysIni |
| \GROUP_ICON\MAINICON\1049 | 161B4 | 22 | FDB4 | 0000010002002020100001000400E802000001001010100001000400280100000200 | ...... ....................(..... |
| \VERSION\1\1049 | 161D8 | 2C4 | FDD8 | C40234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| Intelligent String |
• 1.0.0.0
• user32.dll
• kernel32.dll
• http://www.tireal.com
• support@tireal.com
• .tls
• ms)Go to www.tireal.com
• CharNextAadvapi32.dll
• RegCloseKeyoleaut32.dll
• SysFreeStringkernel32.dll
• ChoosePixelFormatopengl32.dll
• opengl32.dll
• glBeginshell32.dll
• tireal.com
Entries such as "CharNextAadvapi32.dll" are most likely two adjacent null-separated strings run together by the extractor (an import name followed by the name of the next DLL in the import directory). The import names they contain (CharNextA, RegCloseKey, SysFreeString, ChoosePixelFormat, glBegin) fit a GUI application that renders through OpenGL.
| Flow Anomalies |
The column the tool labels "RVA" holds full virtual addresses (ImageBase 400000 already added); "Offset" is the file offset of the instruction, all of which fall inside CODE (400-D400). Resolved against the section table above: the JMP [static] targets 4100F0-410278 lie in .idata at and above the IAT (RVA 100F0), so they are the import thunks (jmp dword ptr [IAT slot]) through which every imported function is called; the JMP/CALL [static] targets in 40E000-40FFFF lie in DATA and BSS, i.e. calls through global procedure-pointer variables. The three targets listed as FF00, FF and FF do not resolve inside the image and are best treated as decoder artifacts. None of this is anomalous for a Delphi binary.
| Offset (file) | Target (VA) | Section | Kind | Description |
|---|---|---|---|---|
| 460 | 410164 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 468 | 410160 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 470 | 41015C | CODE | JMP [static] | Indirect jump to absolute memory address |
| 478 | 410158 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 480 | 410154 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 488 | 410178 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 490 | 410150 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 498 | 410174 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 4A0 | 41014C | CODE | JMP [static] | Indirect jump to absolute memory address |
| 4A8 | 410148 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 4B0 | 410144 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 4B8 | 410140 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 4C0 | 41013C | CODE | JMP [static] | Indirect jump to absolute memory address |
| 4C8 | 410138 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 4D0 | 410134 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 4D8 | 410130 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 4E0 | 41012C | CODE | JMP [static] | Indirect jump to absolute memory address |
| 4E8 | 410128 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 4F0 | 410124 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 4F8 | 410170 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 500 | 410120 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 508 | 41011C | CODE | JMP [static] | Indirect jump to absolute memory address |
| 510 | 410188 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 518 | 410184 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 520 | 410180 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 528 | 410118 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 530 | 410190 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 538 | 410114 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 540 | 410110 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 56C | 41010C | CODE | JMP [static] | Indirect jump to absolute memory address |
| 574 | 410108 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 57C | 410104 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 584 | 410100 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 58C | 4100FC | CODE | JMP [static] | Indirect jump to absolute memory address |
| 594 | 4100F8 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 59C | 4100F4 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 5A4 | 4100F0 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 18FD | 40E02C | CODE | CALL [static] | Indirect call to absolute memory address |
| 191D | 40E030 | CODE | CALL [static] | Indirect call to absolute memory address |
| 1945 | 40E034 | CODE | CALL [static] | Indirect call to absolute memory address |
| 195E | 40E030 | CODE | CALL [static] | Indirect call to absolute memory address |
| 1977 | 40E02C | CODE | CALL [static] | Indirect call to absolute memory address |
| 19AA | 40F008 | CODE | CALL [static] | Indirect call to absolute memory address |
| 1FF0 | 41016C | CODE | JMP [static] | Indirect jump to absolute memory address |
| 200D | FF00 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 2308 | 40F014 | CODE | CALL [static] | Indirect call to absolute memory address |
| 2326 | 40F014 | CODE | CALL [static] | Indirect call to absolute memory address |
| 233E | 40F014 | CODE | CALL [static] | Indirect call to absolute memory address |
| 239C | 40F014 | CODE | CALL [static] | Indirect call to absolute memory address |
| 23BC | 40F014 | CODE | CALL [static] | Indirect call to absolute memory address |
| 23D9 | 40F014 | CODE | CALL [static] | Indirect call to absolute memory address |
| 24B6 | 40F018 | CODE | CALL [static] | Indirect call to absolute memory address |
| 2569 | 40F014 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 269A | FF | CODE | JMP [static] | Indirect jump to absolute memory address |
| 26EC | 40F018 | CODE | CALL [static] | Indirect call to absolute memory address |
| 298F | 40F234 | CODE | CALL [static] | Indirect call to absolute memory address |
| 2AA9 | 40F024 | CODE | CALL [static] | Indirect call to absolute memory address |
| 2F69 | 40E00C | CODE | CALL [static] | Indirect call to absolute memory address |
| 3887 | 40E00C | CODE | JMP [static] | Indirect jump to absolute memory address |
| 3898 | FF | CODE | JMP [static] | Indirect jump to absolute memory address |
| 38DC | 4101A4 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 38E4 | 4101A0 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 38EC | 41019C | CODE | JMP [static] | Indirect jump to absolute memory address |
| 38F4 | 410198 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 3A54 | 4101E8 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 3A5C | 4101E4 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 3A64 | 4101E0 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 3A6C | 4101DC | CODE | JMP [static] | Indirect jump to absolute memory address |
| 3A74 | 4101D8 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 3A7C | 4101D4 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 3A84 | 4101D0 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 3A8C | 4101CC | CODE | JMP [static] | Indirect jump to absolute memory address |
| 3A94 | 4101C8 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 3A9C | 4101C4 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 3AA4 | 4101C0 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 3AAC | 4101BC | CODE | JMP [static] | Indirect jump to absolute memory address |
| 3AB4 | 4101B8 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 3ABC | 4101B4 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 3AC4 | 4101B0 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 3ACC | 4101AC | CODE | JMP [static] | Indirect jump to absolute memory address |
| 3AD4 | 410204 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 3ADC | 410200 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 3AE4 | 4101FC | CODE | JMP [static] | Indirect jump to absolute memory address |
| 3AEC | 4101F8 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 3AF4 | 4101F4 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 3AFC | 4101F0 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 3B04 | 410218 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 3B0C | 410214 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 3B14 | 410210 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 3B1C | 41020C | CODE | JMP [static] | Indirect jump to absolute memory address |
| 3B24 | 410278 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 3B2C | 41027C | CODE | JMP [static] | Indirect jump to absolute memory address |
| 3B34 | 410274 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 3B3C | 410270 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 3B44 | 41026C | CODE | JMP [static] | Indirect jump to absolute memory address |
| 3B4C | 410268 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 3B54 | 410264 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 3B5C | 410260 | CODE | JMP [static] | Indirect jump to absolute memory address |
| 3B64 | 41025C | CODE | JMP [static] | Indirect jump to absolute memory address |
| 3B6C | 410258 | CODE | JMP [static] | Indirect jump to absolute memory address |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 36686 | 55.5445% |
| Null Byte Code | 14063 | 21.2921% |
The percentages are taken over the whole file: 36686 / 0.555445 = 66,048 bytes, the reported 64.50 KB.