PESCAN.IO - Analysis Report (Basic)

File Structure
PE chart (image not captured in this copy). Legend for PE files:
• PE header: light blue
• Executable sections: pink
• Non-executable sections: black
• External injected code: red
• File structure drawn in red: malformed or corrupted header

Legend for other file types:
• Printable characters: blue
• Non-printable characters: black
Information

• Icon: (not captured)
• Size: 301.50 KB (308,736 bytes)
• SHA-256: 0ED3B73B3F8C77361EE617AF553F2B88AA283317D0FEAE66AE0F7E1AB96A7D99
• SHA-1: 175641D8558FF5FDCFE5D410008FCA5140F17C53
• MD5: B7067283B321191D6555082653665175
• Imphash: 2DA029BF989E02D2BFD1C2FF2E608B95
• MajorOSVersion / MinorOSVersion: 6 / 0 (requires Windows Vista or later)
• CheckSum: 0x0004CD56
• EntryPoint (RVA): 0x31B9E (inside .text)
• SizeOfHeaders: 0x400
• SizeOfImage: 0x51000
• ImageBase: 0x400000
• Architecture: x86
• ImportTable (RVA): 0x3BB04
• IAT (RVA): 0x35000
• Characteristics: 0x102 (IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE)
• TimeDateStamp: 0x5BA616F8 = 22/09/2018 10:18:32 UTC (consistent with the Visual Studio 2017 15.8 toolset identified below, so the stamp does not look forged)
• File Type: EXE
• Number Of Sections: 5 (.text, .rdata, .data, .rsrc, .reloc)
• Number Of Executable Sections: 1
• ASLR: Enabled
• Subsystem: Windows GUI
• UAC Execution Level (manifest): asInvoker
Sections Info

| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 0x60000020 Code, Executable, Readable | 400 | 33A00 | 1000 | 338D4 | | |
| .rdata | 0x40000040 Initialized Data, Readable | 33E00 | 9800 | 35000 | 97C0 | | |
| .data | 0xC0000040 Initialized Data, Readable, Writeable | 3D600 | E00 | 3F000 | 3B8C | | |
| .rsrc | 0x40000040 Initialized Data, Readable | 3E400 | AA00 | 43000 | A849 | | |
| .reloc | 0x42000040 Initialized Data, Discardable, Readable | 48E00 | 2800 | 4E000 | 26C8 | | |

All offsets and sizes are hexadecimal; the Entropy and Chi2 columns were empty in this copy of the report. The report labels the 0x02000000 bit of .reloc "GP-Relative", but in the PE section characteristics that bit is IMAGE_SCN_MEM_DISCARDABLE (IMAGE_SCN_GPREL is 0x00008000); a discardable, read-only .reloc is the normal layout of an MSVC-linked image. No section is both writable and executable, and .data having a VirtualSize (0x3B8C) larger than its raw size (0xE00) only means its tail is zero-filled at load time.
Entry Point

The entry point lies in section 1 (.text). EntryPoint (calculated file offset): 0x30F9E, i.e. RVA 0x31B9E - .text VirtualAddress 0x1000 + .text PointerToRawData 0x400.

Code bytes at the entry point:

E8 18 0F 00 00 E9 7A FE FF FF 55 8B EC 8B 45 08 56 8B 48 3C 03 C8 0F B7 41 14 8D 51 18 03 D0 0F B7 41 06 6B F0 28 03 F2 3B D6 74 19 8B 4D 0C 3B 4A 0C

Assembler (the report's disassembler places the first byte at 0x1000 instead of at the real RVA 0x31B9E, so the CALL/JMP/JE targets below are relative to that assumed base):

CALL 0x1F1D
JMP 0xE84
PUSH EBP
MOV EBP, ESP
MOV EAX, DWORD PTR [EBP + 8]
PUSH ESI
MOV ECX, DWORD PTR [EAX + 0x3C]
ADD ECX, EAX
MOVZX EAX, WORD PTR [ECX + 0x14]
LEA EDX, [ECX + 0x18]
ADD EDX, EAX
MOVZX EAX, WORD PTR [ECX + 6]
IMUL ESI, EAX, 0x28
ADD ESI, EDX
CMP EDX, ESI
JE 0x1045
MOV ECX, DWORD PTR [EBP + 0xC]
CMP ECX, DWORD PTR [EDX + 0xC]

The CALL followed by an unconditional JMP is the standard Visual C++ 2015+ x86 entry stub: the CALL initialises the security cookie and the JMP hands over to the CRT's common main routine, so the real start-up logic is not at the entry point itself. The instructions after the JMP are the next function in .text, not part of the stub: they walk the running image's PE header (e_lfanew at [EAX+0x3C], SizeOfOptionalHeader at +0x14, NumberOfSections at +6, 0x28-byte section headers, VirtualAddress at +0xC) to find the section that contains a given RVA. That is the CRT's own section-lookup helper, not application code parsing PE files.
Signatures

Rich Signature Analyzer

Raw Rich header (hex, still XOR-encoded with the key that follows "Rich"):
40D06D0D04B1035E04B1035E04B1035E0DC9905E16B1035E56D9005F03B1035E56D9075F08B1035E56D9065F24B1035E56D9025F00B1035E6BD5025F09B1035E04B1025E66B0035E38D6065F31B1035E6DD90A5F06B1035E6DD9FC5E05B1035E6DD9015F05B1035E5269636804B1035E

• Footprint MD5: 7F2DD5FFB21DFA391BBE5ADD4C8239BB
• The Rich header apparently has not been modified

Certificate / Digital Signature: not found. The file is not signed.
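To make the Rich header above checkable rather than opaque, here is an added Python example (not PESCAN.IO's code) that decodes exactly that hex string: it recovers the XOR key from the dword after "Rich", checks that XOR-ing the first dword yields "DanS" and that the three padding dwords are zero (the consistency test behind a "not modified" verdict), and lists the (product id, build, count) entries. Build 30729 is the Visual Studio 2008 SP1 (9.0) toolset, 26428 is 14.14 (VS 2017 15.7) and 26706/26729 are 14.15 (VS 2017 15.8), which agrees with the Detect It Easy result below; the entry with product id 1 and build 0 is conventionally the import-object entry, whose count usually tracks the number of imported symbols. The MD5 over the decoded dwords is returned so it can be compared with the footprint above, but the page does not say how PESCAN computes its footprint, so equality is not assumed. The page gives no DOS header bytes, so the key itself (a checksum over the DOS header and entries) is not recomputed.

```python
"""Decode the raw Rich header quoted in the Signatures section.

Added example, not PESCAN.IO's code. RICH_HEX is copied from the report;
the layout assumed (DanS marker, three zero padding dwords, (compid, count)
pairs, "Rich", XOR key) is the documented Rich header format. Product ids
are returned as numbers, not mapped to toolset names.
"""
import hashlib
import struct

# Copied from the report above (still XOR-encoded with the key).
RICH_HEX = (
    "40D06D0D04B1035E04B1035E04B1035E0DC9905E16B1035E56D9005F03B1035E"
    "56D9075F08B1035E56D9065F24B1035E56D9025F00B1035E6BD5025F09B1035E"
    "04B1025E66B0035E38D6065F31B1035E6DD90A5F06B1035E6DD9FC5E05B1035E"
    "6DD9015F05B1035E5269636804B1035E"
)

DANS = 0x536E6144  # b"DanS" read as a little-endian dword
RICH = 0x68636952  # b"Rich" read as a little-endian dword


def decode_rich(raw: bytes) -> dict:
    """Return the XOR key, the (prodid, build, count) entries and the MD5 of
    the decoded dwords from DanS up to (not including) "Rich".

    Raises ValueError when the bytes are not a consistent Rich header.
    """
    # Smallest possible header: DanS + 3 padding + one entry + Rich + key.
    if len(raw) % 4 or len(raw) < 8 * 4:
        raise ValueError("Rich header must be a dword array of at least 8 words")
    words = struct.unpack("<%dI" % (len(raw) // 4), raw)
    if words[-2] != RICH:
        raise ValueError('no "Rich" marker before the key')
    key = words[-1]
    clear = [w ^ key for w in words[:-2]]  # undo the XOR on everything before "Rich"
    if clear[0] != DANS:
        raise ValueError('XOR with key does not yield "DanS": key or data altered')
    if clear[1:4] != [0, 0, 0]:
        raise ValueError("padding after DanS is not zero")
    body = clear[4:]
    if len(body) % 2:
        raise ValueError("odd number of dwords in the entry list")
    entries = [
        {"prodid": comp >> 16, "build": comp & 0xFFFF, "count": count}
        for comp, count in zip(body[0::2], body[1::2])
    ]
    clear_bytes = struct.pack("<%dI" % len(clear), *clear)
    return {
        "key": key,
        "entries": entries,
        "clear_md5": hashlib.md5(clear_bytes).hexdigest(),
    }


def rich_is_consistent(raw: bytes) -> bool:
    """True when the header decodes cleanly (the "not modified" check)."""
    try:
        decode_rich(raw)
        return True
    except ValueError:
        return False


def toolset_builds(entries) -> list:
    """Distinct compiler/linker build numbers seen in the entries."""
    return sorted({e["build"] for e in entries})


def import_count(entries) -> int:
    """Count recorded in the prodid 1 / build 0 (import object) entry."""
    return sum(e["count"] for e in entries if e["prodid"] == 1 and e["build"] == 0)


if __name__ == "__main__":
    info = decode_rich(bytes.fromhex(RICH_HEX))
    print("key 0x%08X, %d entries, md5 of decoded dwords %s"
          % (info["key"], len(info["entries"]), info["clear_md5"]))
    for e in info["entries"]:
        print("  prodid 0x%04X  build %5d  count %d"
              % (e["prodid"], e["build"], e["count"]))
```

Changing a single byte of the key (or of any entry) breaks the DanS check, which is why a Rich header that still decodes is weak but real evidence that the linker output was not hand-edited afterwards; it says nothing about the code itself.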
Packer/Compiler

Compiler: Microsoft Visual Studio

Detect It Easy (DIE):
• PE: compiler: EP: Microsoft Visual C/C++ (2017 v.15.5-6) [EXE32]
• PE: compiler: Microsoft Visual C/C++ (2017 v.15.8) [-]
• PE: linker: Microsoft Linker (14.15, Visual Studio 2017 15.8*) [-]
• Entropy: 6.70679

DIE reports a compiler and a linker but no packer, and a whole-file entropy of 6.71 is what an unpacked compiled image carrying an already-compressed PNG resource (the 0x6071-byte icon in .rsrc below) looks like; packed or encrypted payloads usually push the file well above 7.
Suspicious Functions

| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module. |
| KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | LoadLibraryW | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |

Imports of this kind (IsDebuggerPresent, GetModuleHandle, GetProcAddress) are part of the statically linked CRT start-up code in every Visual C++ 2015+ build, and the Unicode strings below (Shcore.dll, SetProcessDpiAwareness, user32.dll) show what LoadLibrary/GetProcAddress resolve at run time here: an API that is absent on older Windows versions. Treat the list as a prompt to check what gets resolved dynamically, not as evidence of evasion on its own.
Windows REG (UNICODE)

• System\CurrentControlSet\Control\MediaResources\Joystick
• System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\OEM

These are the standard registry paths (REGSTR_PATH_JOYCONFIG and REGSTR_PATH_JOYOEM in regstr.h) from which the WinMM joystick API reads controller names. Together with the WINMM.dll and dinput8.dll imports they point to game-controller enumeration, not to a persistence mechanism; nothing in the report shows a Run key or service path.
File Access

• api-ms-win-crt-locale-l1-1-0.dll
• api-ms-win-crt-string-l1-1-0.dll
• api-ms-win-crt-math-l1-1-0.dll
• api-ms-win-crt-filesystem-l1-1-0.dll
• api-ms-win-crt-time-l1-1-0.dll
• api-ms-win-crt-stdio-l1-1-0.dll
• api-ms-win-crt-convert-l1-1-0.dll
• api-ms-win-crt-heap-l1-1-0.dll
• api-ms-win-crt-runtime-l1-1-0.dll
• VCRUNTIME140.dll
• MSVCP140.dll
• ADVAPI32.dll
• USER32.dll
• KERNEL32.dll
• GDI32.dll
• WINMM.dll
• OPENGL32.dll
• dinput8.dll
• .dat
• @.dat
• settings.txt
File Access (UNICODE)

• kernel32.dll
• Capi-ms-win-core-synch-l1-2-0.dll
• SetProcessDpiAwareness
• Failed to set process DPI awareness
• user32.dll
• BShcore.dll

The report ran these six strings together; they are separated here as extracted. The leading "C" and "B" on the api-ms-win-core-synch and Shcore names are most likely stray bytes picked up by the string scanner rather than part of the DLL names. As a group they are the usual per-monitor DPI-awareness probe: load Shcore.dll, resolve SetProcessDpiAwareness, and fall back to user32.dll when that fails.
Words of Interest

• JFIF
• exec
• attrib
• start
Strings/Hex Patterns Matched by File Rules

| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | WinAPI Sockets (bind) |
| Text | Ascii | Registry (RegOpenKeyEx) |
| Text | Ascii | Anti-Analysis VM (IsDebuggerPresent) |
| Text | Ascii | Anti-Analysis VM (GetVersion) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Execution (CreateEventW) |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | Microsoft Visual C++ v7.0 |
| Entry Point | Hex Pattern | PE-Exe Executable Image |
| Entry Point | Hex Pattern | VC8 - Microsoft Corporation |

The "Text" rules are bare substring matches on imported or embedded names, so their labels overstate what was found: "bind" is not backed by any Winsock import (neither WS2_32.dll nor wsock32.dll appears in the import list), GetVersion, CloseHandle and CreateEventW are routine, and IsDebuggerPresent is discussed under Suspicious Functions above. The entry-point hex patterns all agree on a Microsoft Visual C++ compiler, in line with the Detect It Easy result.
Resources
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \ICON\1\0 | 431CC | 468 | 3E5CC | 28000000100000002000000001002000000000000004000074120000741200000000000000000000FFFFFFFFFFFFFFFFFFFF | (....... ..... .........t...t..................... |
| \ICON\2\0 | 43634 | 988 | 3EA34 | 28000000180000003000000001002000000000000009000074120000741200000000000000000000FFFFFFFFFFFFFFFFFFFF | (.......0..... .........t...t..................... |
| \ICON\3\0 | 43FBC | 10A8 | 3F3BC | 28000000200000004000000001002000000000000010000074120000741200000000000000000000FFFFFFFFFFFFFFFFFFFF | (... ...@..... .........t...t..................... |
| \ICON\4\0 | 45064 | 25A8 | 40464 | 28000000300000006000000001002000000000000024000074120000741200000000000000000000FFFFFFFFFFFFFFFFFFFF | (...0........ ......$..t...t..................... |
| \ICON\5\0 | 4760C | 6071 | 42A0C | 89504E470D0A1A0A0000000D49484452000001000000010008060000005C72A866000060384944415478DAEDFD777C1CE775 | .PNG........IHDR.............\r.f..8IDATx...w|..u |
| \GROUP_ICON\CAPTURE_PM1_ICON\0 | 4D680 | 4C | 48A80 | 000001000500101000000100200068040000010018180000010020008809000002002020000001002000A810000003003030000001002000A825000004000000000001002000716000000500 | ............ .h........... ....... .... .......00.... ..%.......... .q.... |
| \24\1\1033 (RT_MANIFEST, language 1033) | 4D6CC | 17D | 48ACC | 3C3F786D6C2076657273696F6E3D27312E302720656E636F64696E673D275554462D3827207374616E64616C6F6E653D2779 | <?xml version='1.0' encoding='UTF-8' standalone='y |
Intelligent Strings

• api-ms-win-crt-heap-l1-1-0.dll
• api-ms-win-crt-runtime-l1-1-0.dll
• OpenGL32.dll
• BShcore.dll
• Capi-ms-win-core-synch-l1-2-0.dll
• kernel32.dll
• "ESC" for Mouse | Set Keys/Letterboxing etc. in "settings.txt"
• settings.txt
• ruemousebg.png
• tabletbg.png
• up.png
• left.png
• right.png
• mouse.png
• tablet.png
• C:\Users\hamis\Desktop\neko\bongo cat\Release\bongo cat.pdb
• .tls
• .bss
• USER32.dll
• ADVAPI32.dll
• MSVCP140.dll
• api-ms-win-crt-convert-l1-1-0.dll
• api-ms-win-crt-stdio-l1-1-0.dll
• api-ms-win-crt-time-l1-1-0.dll
• api-ms-win-crt-filesystem-l1-1-0.dll
• api-ms-win-crt-math-l1-1-0.dll
• api-ms-win-crt-string-l1-1-0.dll
• api-ms-win-crt-locale-l1-1-0.dll

The strings are listed one per line; the report had run several together (the "settings.txt" help text and the file name, and "ruemousebg.png"/"tabletbg.png", where "rue" looks like the tail of a neighbouring string). The PDB path names the project ("bongo cat"), a Release configuration and the developer's user name, and the PNG file names plus the settings.txt help text describe a desktop overlay application that makes no attempt to hide what it is.
Flow Anomalies

The address column holds virtual addresses (ImageBase 0x400000 already added), not RVAs: every value lies between 0x4350DC and 0x4354D8, i.e. RVA 0x350DC-0x354D8, the first 0x500 bytes of .rdata where the import address table (IAT, RVA 0x35000) begins. A "CALL [static]" to such an address is the compiler's ordinary `call dword ptr [__imp_Function]` through the IAT, so the 100 rows below are import call sites in .text rather than anomalies; a genuinely suspicious indirect call would read its pointer from a writable section or from outside the image.

| Offset | VA | Section | Type | Description |
|---|---|---|---|---|
| 6EE | 4353BC | .text | CALL [static] | Indirect call to absolute memory address |
| 720 | 4353B8 | .text | CALL [static] | Indirect call to absolute memory address |
| 77A | 4353B8 | .text | CALL [static] | Indirect call to absolute memory address |
| 7F4 | 435460 | .text | CALL [static] | Indirect call to absolute memory address |
| 80F | 4353F0 | .text | CALL [static] | Indirect call to absolute memory address |
| 825 | 4351E8 | .text | CALL [static] | Indirect call to absolute memory address |
| 837 | 4351EC | .text | CALL [static] | Indirect call to absolute memory address |
| 89B | 4354BC | .text | CALL [static] | Indirect call to absolute memory address |
| EED | 435480 | .text | CALL [static] | Indirect call to absolute memory address |
| F7C | 435240 | .text | CALL [static] | Indirect call to absolute memory address |
| F93 | 43524C | .text | CALL [static] | Indirect call to absolute memory address |
| FC6 | 435220 | .text | CALL [static] | Indirect call to absolute memory address |
| FEA | 43522C | .text | CALL [static] | Indirect call to absolute memory address |
| 1023 | 4351F0 | .text | CALL [static] | Indirect call to absolute memory address |
| 104A | 43522C | .text | CALL [static] | Indirect call to absolute memory address |
| 1084 | 4354B4 | .text | CALL [static] | Indirect call to absolute memory address |
| 10AB | 435230 | .text | CALL [static] | Indirect call to absolute memory address |
| 10E4 | 435224 | .text | CALL [static] | Indirect call to absolute memory address |
| 10F7 | 4350DC | .text | CALL [static] | Indirect call to absolute memory address |
| 1119 | 43522C | .text | CALL [static] | Indirect call to absolute memory address |
| 115F | 435238 | .text | CALL [static] | Indirect call to absolute memory address |
| 117C | 43523C | .text | CALL [static] | Indirect call to absolute memory address |
| 11E5 | 435214 | .text | CALL [static] | Indirect call to absolute memory address |
| 1319 | 4351CC | .text | CALL [static] | Indirect call to absolute memory address |
| 1336 | 4350F0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1361 | 4351E0 | .text | CALL [static] | Indirect call to absolute memory address |
| 13C2 | 4351D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 15F0 | 435214 | .text | CALL [static] | Indirect call to absolute memory address |
| 1641 | 43523C | .text | CALL [static] | Indirect call to absolute memory address |
| 1647 | 435394 | .text | CALL [static] | Indirect call to absolute memory address |
| 1655 | 435390 | .text | CALL [static] | Indirect call to absolute memory address |
| 1798 | 4353F0 | .text | CALL [static] | Indirect call to absolute memory address |
| 17B4 | 4351E8 | .text | CALL [static] | Indirect call to absolute memory address |
| 17CA | 4351EC | .text | CALL [static] | Indirect call to absolute memory address |
| 17FA | 4353F0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1816 | 4351E8 | .text | CALL [static] | Indirect call to absolute memory address |
| 182C | 4351EC | .text | CALL [static] | Indirect call to absolute memory address |
| 185C | 4353F0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1878 | 4351E8 | .text | CALL [static] | Indirect call to absolute memory address |
| 188E | 4351EC | .text | CALL [static] | Indirect call to absolute memory address |
| 18BE | 4353F0 | .text | CALL [static] | Indirect call to absolute memory address |
| 18DA | 4351E8 | .text | CALL [static] | Indirect call to absolute memory address |
| 18F0 | 4351EC | .text | CALL [static] | Indirect call to absolute memory address |
| 1920 | 4353F0 | .text | CALL [static] | Indirect call to absolute memory address |
| 193C | 4351E8 | .text | CALL [static] | Indirect call to absolute memory address |
| 1952 | 4351EC | .text | CALL [static] | Indirect call to absolute memory address |
| 1982 | 4353F0 | .text | CALL [static] | Indirect call to absolute memory address |
| 199E | 4351E8 | .text | CALL [static] | Indirect call to absolute memory address |
| 19B4 | 4351EC | .text | CALL [static] | Indirect call to absolute memory address |
| 19E6 | 4353F4 | .text | CALL [static] | Indirect call to absolute memory address |
| 1A02 | 4351E8 | .text | CALL [static] | Indirect call to absolute memory address |
| 1A43 | 4353F4 | .text | CALL [static] | Indirect call to absolute memory address |
| 1A5F | 4351E8 | .text | CALL [static] | Indirect call to absolute memory address |
| 1A9C | 4353F4 | .text | CALL [static] | Indirect call to absolute memory address |
| 1AB8 | 4351E8 | .text | CALL [static] | Indirect call to absolute memory address |
| 1B91 | 435480 | .text | CALL [static] | Indirect call to absolute memory address |
| 1BF2 | 435480 | .text | CALL [static] | Indirect call to absolute memory address |
| 1CAD | 435480 | .text | CALL [static] | Indirect call to absolute memory address |
| 1D68 | 435480 | .text | CALL [static] | Indirect call to absolute memory address |
| 1E23 | 435480 | .text | CALL [static] | Indirect call to absolute memory address |
| 1EEA | 435480 | .text | CALL [static] | Indirect call to absolute memory address |
| 1F4B | 435480 | .text | CALL [static] | Indirect call to absolute memory address |
| 20CC | 43538C | .text | CALL [static] | Indirect call to absolute memory address |
| 20E4 | 435390 | .text | CALL [static] | Indirect call to absolute memory address |
| 20EB | 435384 | .text | CALL [static] | Indirect call to absolute memory address |
| 20FA | 435388 | .text | CALL [static] | Indirect call to absolute memory address |
| 2495 | 435380 | .text | CALL [static] | Indirect call to absolute memory address |
| 3CB6 | 435480 | .text | CALL [static] | Indirect call to absolute memory address |
| 3D22 | 435480 | .text | CALL [static] | Indirect call to absolute memory address |
| 3D94 | 435244 | .text | CALL [static] | Indirect call to absolute memory address |
| 3DB8 | 435228 | .text | CALL [static] | Indirect call to absolute memory address |
| 3DD8 | 435124 | .text | CALL [static] | Indirect call to absolute memory address |
| 3DE4 | 4351C8 | .text | CALL [static] | Indirect call to absolute memory address |
| 3DF0 | 435258 | .text | CALL [static] | Indirect call to absolute memory address |
| 3E28 | 4351EC | .text | CALL [static] | Indirect call to absolute memory address |
| 3EAE | 435480 | .text | CALL [static] | Indirect call to absolute memory address |
| 3F45 | 435124 | .text | CALL [static] | Indirect call to absolute memory address |
| 3F4E | 4351C8 | .text | CALL [static] | Indirect call to absolute memory address |
| 3F56 | 435258 | .text | CALL [static] | Indirect call to absolute memory address |
| 3FD9 | 435480 | .text | CALL [static] | Indirect call to absolute memory address |
| 410E | 4351D8 | .text | CALL [static] | Indirect call to absolute memory address |
| 41BA | 4351D4 | .text | CALL [static] | Indirect call to absolute memory address |
| 422D | 435480 | .text | CALL [static] | Indirect call to absolute memory address |
| 4395 | 435480 | .text | CALL [static] | Indirect call to absolute memory address |
| 4417 | 435480 | .text | CALL [static] | Indirect call to absolute memory address |
| 4456 | 4350DC | .text | CALL [static] | Indirect call to absolute memory address |
| 4472 | 43522C | .text | CALL [static] | Indirect call to absolute memory address |
| 4498 | 4354B0 | .text | CALL [static] | Indirect call to absolute memory address |
| 44ED | 4354D8 | .text | CALL [static] | Indirect call to absolute memory address |
| 450A | 43522C | .text | CALL [static] | Indirect call to absolute memory address |
| 4536 | 4354B4 | .text | CALL [static] | Indirect call to absolute memory address |
| 45E7 | 4354D4 | .text | CALL [static] | Indirect call to absolute memory address |
| 46FB | 4354D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 4710 | 4354CC | .text | CALL [static] | Indirect call to absolute memory address |
| 482E | 4354C0 | .text | CALL [static] | Indirect call to absolute memory address |
| 4860 | 4354C0 | .text | CALL [static] | Indirect call to absolute memory address |
| 48EA | 435250 | .text | CALL [static] | Indirect call to absolute memory address |
| 493C | 4354C0 | .text | CALL [static] | Indirect call to absolute memory address |
| 497D | 435480 | .text | CALL [static] | Indirect call to absolute memory address |
| 4A98 | 4354B8 | .text | CALL [static] | Indirect call to absolute memory address |
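The arithmetic the report applies to the entry point (RVA to file offset through the section table) also settles what the table above contains. The following added Python example (not PESCAN.IO's code) embeds this report's section table, ImageBase, entry-point RVA and IAT RVA plus the distinct addresses from the Flow Anomalies table, reproduces the calculated entry-point offset 0x30F9E, decodes the section characteristic bits, checks for sections that are both writable and executable, and classifies every call target by the section and the distance from the IAT start it falls in; all of them land in .rdata between 0xDC and 0x4D8 bytes past the IAT RVA and none in writable memory. The IAT size is not printed on the page, so the code assumes only the IAT start address.

```python
"""Cross-check the Sections, Entry Point and Flow Anomalies tables.

Added example, not PESCAN.IO's code. Every constant is copied from the
report: ImageBase, entry-point RVA, IAT RVA, the five section rows (hex) and
the distinct addresses of the Flow Anomalies table. The IAT size is not on
the page, so only its start is used.
"""
from dataclasses import dataclass

IMAGE_BASE = 0x400000
ENTRY_RVA = 0x31B9E
IAT_RVA = 0x35000


@dataclass(frozen=True)
class Section:
    name: str
    raw_off: int   # PointerToRawData (ROffset)
    raw_size: int  # SizeOfRawData   (RSize)
    va: int        # VirtualAddress  (VOffset, an RVA)
    vsize: int     # VirtualSize     (VSize)
    flags: int     # Characteristics


SECTIONS = [
    Section(".text",  0x400,   0x33A00, 0x1000,  0x338D4, 0x60000020),
    Section(".rdata", 0x33E00, 0x9800,  0x35000, 0x97C0,  0x40000040),
    Section(".data",  0x3D600, 0xE00,   0x3F000, 0x3B8C,  0xC0000040),
    Section(".rsrc",  0x3E400, 0xAA00,  0x43000, 0xA849,  0x40000040),
    Section(".reloc", 0x48E00, 0x2800,  0x4E000, 0x26C8,  0x42000040),
]

# IMAGE_SCN_* bits (winnt.h) that matter for a quick triage.
SCN_BITS = {
    0x00000020: "CODE", 0x00000040: "INITIALIZED_DATA",
    0x00000080: "UNINITIALIZED_DATA", 0x02000000: "DISCARDABLE",
    0x20000000: "EXECUTE", 0x40000000: "READ", 0x80000000: "WRITE",
}

# Distinct values of the Flow Anomalies address column (virtual addresses).
CALL_TARGET_VAS = [
    0x4350DC, 0x4350F0, 0x435124, 0x4351C8, 0x4351CC, 0x4351D0, 0x4351D4,
    0x4351D8, 0x4351E0, 0x4351E8, 0x4351EC, 0x4351F0, 0x435214, 0x435220,
    0x435224, 0x435228, 0x43522C, 0x435230, 0x435238, 0x43523C, 0x435240,
    0x435244, 0x43524C, 0x435250, 0x435258, 0x435380, 0x435384, 0x435388,
    0x43538C, 0x435390, 0x435394, 0x4353B8, 0x4353BC, 0x4353F0, 0x4353F4,
    0x435460, 0x435480, 0x4354B0, 0x4354B4, 0x4354B8, 0x4354BC, 0x4354C0,
    0x4354CC, 0x4354D0, 0x4354D4, 0x4354D8,
]


def decode_flags(flags: int) -> list:
    return [name for bit, name in SCN_BITS.items() if flags & bit]


def find_section(rva: int):
    """Section whose in-memory span (max of VirtualSize and raw size) covers the RVA."""
    for s in SECTIONS:
        if s.va <= rva < s.va + max(s.vsize, s.raw_size):
            return s
    return None


def has_file_bytes(rva: int) -> bool:
    """False for RVAs in the zero-filled tail of a section (e.g. most of .data)."""
    s = find_section(rva)
    return s is not None and rva - s.va < s.raw_size


def rva_to_offset(rva: int) -> int:
    """File offset backing an RVA: PointerToRawData + (RVA - VirtualAddress)."""
    if not has_file_bytes(rva):
        raise ValueError("RVA %#x has no bytes in the file" % rva)
    s = find_section(rva)
    return s.raw_off + (rva - s.va)


def wx_sections() -> list:
    """Sections that are both writable and executable (a packer/injection tell)."""
    return [s.name for s in SECTIONS
            if s.flags & 0x80000000 and s.flags & 0x20000000]


def entry_point_report() -> dict:
    s = find_section(ENTRY_RVA)
    return {"section": s.name, "file_offset": rva_to_offset(ENTRY_RVA),
            "executable": "EXECUTE" in decode_flags(s.flags)}


def classify_call_target(va: int) -> dict:
    """Where an indirect CALL [va] reads its function pointer from."""
    s = find_section(va - IMAGE_BASE)
    if s is None:
        return {"section": None, "iat_delta": None, "writable": None}
    return {"section": s.name, "iat_delta": va - IMAGE_BASE - IAT_RVA,
            "writable": bool(s.flags & 0x80000000)}


def summarize_call_targets(vas=CALL_TARGET_VAS) -> dict:
    rows = [classify_call_target(va) for va in vas]
    deltas = [r["iat_delta"] for r in rows if r["iat_delta"] is not None]
    return {"sections": sorted({r["section"] for r in rows if r["section"]}),
            "min_iat_delta": min(deltas), "max_iat_delta": max(deltas),
            "any_writable": any(r["writable"] for r in rows),
            "outside_image": sum(r["section"] is None for r in rows)}


if __name__ == "__main__":
    print(entry_point_report())
    print(summarize_call_targets())
```

The same mapping is what to run on any "indirect call" finding before escalating it: a pointer read from .rdata next to the IAT is an import; a pointer read from .data, from a section with WRITE and EXECUTE set, or from outside the image is the case worth a look.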
Extra Analysis

| Metric | Value (bytes) | Percentage of file |
|---|---|---|
| ASCII bytes | 179786 | 58.2329% |
| Null bytes | 47231 | 15.2982% |