PESCAN.IO - Analysis Report Basic
| File Structure |
| File structure chart not reproduced. Legend for the PE chart: executable header (light blue), executable sections (pink), non-executable sections (black), external injected code (red); a file structure drawn in red means a malformed or corrupted header. Legend for non-PE files: printable characters (blue), non-printable characters (black). |
| Information |
• Icon: (image not reproduced)
• Size: 1.23 MB
• SHA-256: 71E9D82CD44C3BD8B1581056B90E5B6F7CE7E11746735D70C349A0BE21E20230
• SHA-1: E1066A7E6832C7314F7242C138ADEC34B72FA1F0
• MD5: C488AF984D9D1D3C7D0FC50E75088A45
• Imphash: F34D5F2D4577ED6D9CEEC516C1F5A744 (the imphash shared by practically every .NET executable, whose only native import is mscoree.dll!_CorExeMain; it has no clustering value for managed binaries)
• MajorOSVersion / MinorOSVersion: 4 / 0
• CheckSum: 00000000 (not set; Windows only enforces the PE checksum for drivers and some system images, so this is normal for a user-mode EXE)
• EntryPoint (RVA): 138902 (file offset 136B02, inside .text)
• SizeOfHeaders: 200
• SizeOfImage: 140000
• ImageBase: 400000
• Architecture: x86
• ImportTable: 1388B0
• IAT: 2000 (start of .text; the single IAT slot holds the _CorExeMain pointer that the entry-point stub jumps through)
• Characteristics: 102 (IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE)
• TimeDateStamp: 68B9AB93 = 2025-09-04 15:09:07 UTC (the report's 04/09/2025 is day/month/year)
• File Type: EXE
• Number Of Sections: 3 (.text, .rsrc, .reloc)
• Number Of Executable Sections: 1
• ASLR: Disabled (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE not set in DllCharacteristics)
• Subsystem: Windows GUI
• UAC Execution Level Manifest: asInvoker
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 60000020 (Code, Executable, Readable) | 200 | 136A00 | 2000 | 136908 | 4.8556 | 55786467.94 |
| .rsrc | 40000040 (Initialized Data, Readable) | 136C00 | 3400 | 13A000 | 33E4 | 3.4952 | 983509.88 |
| .reloc | 42000040 (Initialized Data, Discardable, Readable) | 13A000 | 200 | 13E000 | C | 0.1019 | 128015.00 |
Note: the 0x02000000 bit in the .reloc flags is IMAGE_SCN_MEM_DISCARDABLE, not GP-relative (IMAGE_SCN_GPREL is 0x00008000). The layout is the standard .NET one: a single executable section holding the CLR header, metadata and CIL, a resource section, and a 12-byte .reloc containing the one base relocation for the entry-point stub's IAT operand. A .text entropy of 4.86 is typical of unpacked CIL plus metadata; nothing in the section table suggests a packer.
| Description |
• OriginalFilename: FilaViaPcPad.exe
• CompanyName: Tesia Snc
• LegalCopyright: Copyright 2009-2025
• LegalTrademarks: Filavia
• ProductName: FilaVia PcPad
• FileVersion: 3.4.0.0
• FileDescription: FilaVia PcPad
• ProductVersion: 3.4.0.0
• Comments: 09 2025
• Language: Unknown (ID=0x0)
• CodePage: Unicode (UTF-16 LE) (0x4B0) (language-neutral with a Unicode code page is the usual combination in the version resource a .NET compiler generates)
| Entry Point |
| Section 1 (.text) contains the entry point. EntryPoint (calculated file offset): 136B02. Bytes at the entry point: FF25002040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000. Disassembly: JMP DWORD PTR [0x402000], followed by zero padding. 0x402000 is ImageBase 400000 + IAT RVA 2000, i.e. the single IAT slot holding the imported mscoree.dll!_CorExeMain pointer. This 6-byte thunk is the standard native stub of a 32-bit .NET executable; the CLR takes over from there, so the x86 entry point says nothing about the program's logic, which is all CIL. The long run of ADD BYTE PTR [EAX], AL in the raw output is the 00 00 padding decoded as x86 and is never executed. |
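The header arithmetic above can be checked by hand. The following Python is an added example written for this page, not pescan.io's code: it takes the section table, entry-point RVA, IAT RVA, ImageBase and TimeDateStamp exactly as the report lists them (constants constructed from the report, not read from the binary), maps the entry-point RVA to its file offset, decodes the FF 25 stub and confirms it jumps through the IAT slot, recomputes the imphash of an import table that holds only mscoree.dll!_CorExeMain, converts the timestamp, and provides the in-image test that rules out the out-of-range targets listed under Flow Anomalies further down.

```python
"""Worked check of the PE header arithmetic in the report (added example; not pescan.io code)."""
import hashlib
import struct
from datetime import datetime, timezone

# Values transcribed from the report's Information and Sections Info tables
# (test data constructed from the report, not parsed from the binary itself).
IMAGE_BASE = 0x400000
SIZE_OF_IMAGE = 0x140000
ENTRY_POINT_RVA = 0x138902
IAT_RVA = 0x2000
TIMEDATESTAMP = 0x68B9AB93
SECTIONS = [
    # (name, raw offset, raw size, virtual address, virtual size)
    (".text", 0x200, 0x136A00, 0x2000, 0x136908),
    (".rsrc", 0x136C00, 0x3400, 0x13A000, 0x33E4),
    (".reloc", 0x13A000, 0x200, 0x13E000, 0xC),
]
# First bytes at the entry point, copied from the report's Entry Point dump.
ENTRY_BYTES = bytes.fromhex("FF2500204000" + "00" * 10)


def rva_to_offset(rva, sections=SECTIONS):
    """Map an RVA to (section name, file offset) using the section table.

    A section spans max(RawSize, VirtualSize) bytes of address space; the part
    beyond RawSize is zero-filled by the loader and has no file offset.
    """
    for name, raw_off, raw_size, va, vsize in sections:
        if va <= rva < va + max(raw_size, vsize):
            delta = rva - va
            if delta >= raw_size:
                raise ValueError(f"RVA {rva:#x} lies in the zero-filled tail of {name}")
            return name, raw_off + delta
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def rva_in_image(rva, size_of_image=SIZE_OF_IMAGE):
    """True if an RVA can be a real in-image target at all."""
    return 0 <= rva < size_of_image


def decode_clr_stub(code, image_base=IMAGE_BASE, iat_rva=IAT_RVA):
    """Decode the 6-byte x86 stub FF 25 <imm32> = JMP DWORD PTR [imm32].

    Every 32-bit .NET EXE starts with this thunk; its operand must be the
    absolute VA of the single IAT slot that holds mscoree!_CorExeMain.
    """
    if len(code) < 6 or code[:2] != b"\xff\x25":
        return None
    target_va = struct.unpack_from("<I", code, 2)[0]
    return {
        "mnemonic": "JMP DWORD PTR",
        "target_va": target_va,
        "target_rva": target_va - image_base,
        "is_corexemain_thunk": target_va == image_base + iat_rva,
    }


def imphash(imports):
    """Imphash as pefile computes it: MD5 of 'lib.func,lib.func,...' in lower
    case, with a .dll/.sys/.ocx extension stripped from the library name."""
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        for ext in (".dll", ".sys", ".ocx"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
        parts.append(f"{lib}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def pe_timestamp(ts):
    """TimeDateStamp is seconds since the Unix epoch, interpreted as UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)


if __name__ == "__main__":
    print(rva_to_offset(ENTRY_POINT_RVA))               # ('.text', 1272578) == 0x136B02
    print(decode_clr_stub(ENTRY_BYTES))                 # target_va 0x402000, thunk True
    print(imphash([("mscoree.dll", "_CorExeMain")]))   # the generic .NET imphash
    print(pe_timestamp(TIMEDATESTAMP).isoformat())      # 2025-09-04T15:09:07+00:00
    print(rva_in_image(0x46FFFFFE), rva_in_image(0x402000 - IMAGE_BASE))  # False True
```

The same three helpers (RVA translation, stub decoding, imphash) are what you would run against any unfamiliar 32-bit managed sample before spending time on its native entry point: if the stub targets the IAT slot and the imphash is the generic .NET value, go straight to a CIL decompiler.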
| Signatures |
| Certificate - Digital Signature Not Found: • The file is not signed. The CompanyName and ProductName in the version resource (Tesia Snc, FilaVia PcPad) are therefore unverified claims; match the hashes above against the vendor's own distribution before trusting the origin. |
| Packer/Compiler |
| Compiler: Microsoft Visual .NET (managed code; use a .NET decompiler such as ILSpy or dnSpy rather than a native disassembler) • AnyCPU: False (32-bit only, consistent with the obj\x86\Release build path in the PDB string below) • Version: v4.0 Compiler: Microsoft Visual Studio
Detect It Easy (die): • PE: library: .NET(v4.0.30319)[-] • PE: compiler: VB.NET(-)[-] • PE: linker: Microsoft Linker(80.0)[-] • Entropy: 4.86146
Note: neither detector reports a packer or protector, and a whole-file entropy of 4.86 is typical of plain CIL plus metadata. |
| Suspicious Functions |
Note: these four names are not in the PE import table; a .NET executable imports only mscoree.dll!_CorExeMain natively, hence the generic imphash above. The tool found them as P/Invoke target names (DllImport/Declare) in the CLR metadata, so they are declared, not necessarily reached on every path; confirm the call sites in a decompiler before reporting behaviour.
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | RtlMoveMemory | Moves a block of memory to another location (the classic Visual Basic CopyMemory declare). |
| USER32.DLL | GetAsyncKeyState | Retrieves the status of a virtual key asynchronously. A standard keylogger indicator, but also the usual way to poll hotkeys; the Ctrl+F1 to Ctrl+F8 strings found below are consistent with the latter, which the decompiled code should settle. |
| ADVAPI32.DLL | RegCreateKeyExA | Creates a new registry key or opens an existing one. |
| ADVAPI32.DLL | RegSetValueExA | Sets the data and type of a specified value under a registry key. Goes with the Software\SolutionTeam\SPS keys listed next; none of the strings reference Run, RunOnce or service keys. |
| Windows REG (UNICODE) |
• Software\SolutionTeam\SPS\2.0\Counter (listed twice)
• SOFTWARE\SolutionTeam\SPS\2.0\STCounter
• SOFTWARE\Microsoft\DevDiv\VC\Servicing\9.0\RED\1040
Note: the SolutionTeam\SPS paths are the application's own settings keys. The DevDiv\VC\Servicing\9.0\RED\1040 key is the one the Visual C++ 2008 (9.0) redistributable writes when installed, with 1040 the Italian language ID, so that string is a dependency check rather than a persistence location.
| File Access |
| FILAVIAPCPAD.EXE FilaViaPcPad.exe mscoree.dll version.dll winmm.dll Winsock.dll user32.dll shell32.dll advapi32.dll gdi32.dll Temp |
| File Access (UNICODE) |
| FilaViaPcPad.exe File checkupdate.exe M/CheckUpdate.exe !/CheckUpdate.exe /Counter.exe ShellObjects.dll shell32.dll -STCOUNTERHELPER.DLL Temp |
Note: of the DLL names only mscoree.dll is an actual import; the others are P/Invoke targets named in the metadata. In the Unicode list the leading M, ! and - on M/CheckUpdate.exe, !/CheckUpdate.exe and -STCOUNTERHELPER.DLL are the length-prefix byte of the #US heap entry that the string extractor left attached, not part of the file name. CheckUpdate.exe and Counter.exe are companion executables the program launches (see the "/CheckUpdate.exe /type COUNTER /file" command line among the strings below).
| Interesting Words |
| JFIF ToolBar PassWord exec attrib start pause shutdown systeminfo expand replace |
| Interesting Words (UNICODE) |
| ToolBar PassWord exec start pause |
Note: keyword hits only. JFIF is the JPEG file marker of an embedded image (the strings below reference \logo.jpg), ToolBar and PassWord look like control or member names, and the command-like words (attrib, shutdown, systeminfo, expand, replace) need a decompiled call site before they count as behaviour.
| URLs |
| http://www.w3.org/2001/XMLSchema-instance (the xsi namespace from the embedded assembly manifest, not a network indicator) |
| IP Addresses |
| 127.0.0.1 11.0.0.0 17.3.0.0 17.0.0.0 13.0.0.0 |
Note: only 127.0.0.1 (loopback) is plausibly an address the program uses; the other dotted quads are regex matches on version-like numbers and should be ignored.
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | WinAPI Sockets (connect) |
| Text | Unicode | WinAPI Sockets (connect) |
| Text | Unicode | WinAPI Sockets (recv) |
| Text | Ascii | WinAPI Sockets (send) |
| Text | Ascii | Registry (RegCreateKeyEx) |
| Text | Ascii | Registry (RegOpenKeyEx) |
| Text | Ascii | Registry (RegSetValueEx) |
| Text | Ascii | Anti-Analysis VM (GetVersion) |
| Text | Ascii | Keyboard Key (LBUTTON) |
| Text | Ascii | Keyboard Key (RBUTTON) |
| Text | Unicode | Keyboard Key (Ctrl+F1) |
| Text | Unicode | Keyboard Key (Ctrl+F2) |
| Text | Unicode | Keyboard Key (Ctrl+F3) |
| Text | Unicode | Keyboard Key (Ctrl+F4) |
| Text | Unicode | Keyboard Key (Ctrl+F5) |
| Text | Unicode | Keyboard Key (Ctrl+F6) |
| Text | Unicode | Keyboard Key (Ctrl+F7) |
| Text | Unicode | Keyboard Key (Ctrl+F8) |
| Text | Ascii | Malicious rerouting of traffic to an attacker-controlled site (Redirect) |
| Text | Unicode | Malicious rerouting of traffic to an attacker-controlled site (Redirect) |
| Entry Point | Hex Pattern | Microsoft Visual C / Basic .NET |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8.0 |
| Entry Point | Hex Pattern | Microsoft Visual C v7.0 / Basic .NET |
| Entry Point | Hex Pattern | Microsoft Visual Studio .NET |
| Entry Point | Hex Pattern | .NET executable |
Note: the six entry-point hex-pattern hits are all signatures for the same FF 25 _CorExeMain thunk, which is why native Visual C++ names appear for a managed binary. GetVersion is a generic API and a weak anti-analysis indicator on its own; the "Redirect" rule is a literal word match; and the socket hits name the connect/recv/send strings (matching the Winsock.dll P/Invoke reference above), not observed connections.
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \ICON\1\0 | 13A100 | 25A8 | 136D00 | 2800000030000000600000000100200000000000002400000000000000000000000000000000000000000000000000000000 | (...0........ ......$............................ |
| \GROUP_ICON\32512\0 | 13C6B8 | 14 | 1392B8 | 0000010001003030000001002000A82500000100 | ......00.... ..%.... |
| \VERSION\1\0 | 13C6DC | 370 | 1392DC | 700334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000400 | p.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \24\1\0 | 13CA5C | 984 | 13965C | EFBBBF3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D227574662D38223F3E0D0A3C61736D76313A | ...<?xml version="1.0" encoding="utf-8"?>..<asmv1: |
Note: resource type 24 is RT_MANIFEST (the UTF-8 BOM EF BB BF followed by the assembly manifest, whose asInvoker level is reported above); \ICON, \GROUP_ICON and \VERSION are RT_ICON, RT_GROUP_ICON (32512 = IDI_APPLICATION) and RT_VERSION.
| Intelligent String |
Note: these are entries from the assembly's #US (user string) heap and its metadata names. Where a token starts with a stray character (E<COMMAND>..., A<FIXUSERLOGIN>..., 5<AUTOLOGIN>..., M/CheckUpdate.exe ..., )Login - Manutenzione, 'login_annulla.Image), that first character is the blob's single-byte length prefix (2 x character count + 1 for strings under 64 characters), not part of the string. The UI strings are Italian: "Login - Manutenzione" is "Login - Maintenance", login_conferma and login_annulla are the confirm and cancel controls, notifica.wav is a notification sound and "Non posso effettuare il login." means "Unable to log in." The PDB path D:\PcPad\StCounter\obj\x86\Release\FilaViaPcPad.pdb gives the build's project and configuration. The XML-tagged COMMAND/MACROLOGIN/AUTOLOGIN/WINDOWSLOGIN strings read as the application's own configuration format (CounterConfig.xml, Settings.bin), to be confirmed in the decompiled code.
| • 3.4.0.0 • FilaViaPcPad.exe • lblOpLogin • lblAdminLogin • chkLogin • toolbar_login • login_conferma • login_annulla • frameLogin • settingsOld.bin • ).bin • MACROLOGIN • <MACROLOGIN> • </MACROLOGIN> • LoginAdmin • E<COMMAND>COUNTER-LOGIN</COMMAND> • COUNTER-LOGIN • .txt • ENABLELOGINONLY • AUTOLOGIN • WINDOWSLOGIN • FIXUSERLOGIN • <FIXUSERLOGIN> • </FIXUSERLOGIN> • <WINDOWSLOGIN> • </WINDOWSLOGIN> • <AUTOLOGIN> • </AUTOLOGIN> • <ENABLELOGINONLY> • )</ENABLELOGINONLY> • frmLogin • Login • )Login - Manutenzione • \notifica.wav • C www.tesia.it - www.filavia.it • A<FIXUSERLOGIN>N</FIXUSERLOGIN> • A<WINDOWSLOGIN>N</WINDOWSLOGIN> • 5<AUTOLOGIN>N</AUTOLOGIN> • \logo.jpg • !tbarLoginConfirm • 'login_annulla.Image • )login_conferma.Image • Mtoolbar_counternew_login_enabled.Image • Atoolbar_counternew_login_enabled • 1counternew_login_enabled • 'toolbar_login.Image • %\CounterConfig.xml • \Settings.bin • ?tbarLoginConfirm_ButtonClick IN • AtbarLoginConfirm_ButtonClick OUT • login_login • login_logout • .xml • \settings.bin • LoginLogout IN • LoginLogout 001 • LoginLogout 002 • LoginLogout 003 • LoginLogout 004 • LoginLogout 005 • LoginLogout 006 • LoginLogout 007 • LoginLogout 008 • LoginLogout 009 • LoginLogout 010 • LoginLogout 011 • LoginLogout 012 • LoginLogout 013 • LoginLogout 014 • LoginLogout 015 • LoginLogout 016 • LoginLogout 017 • LoginLogout 018 • LoginLogout 019 • LoginLogout 020 • LoginLogout 021 • LoginLogout 022 • LoginLogout 023 • LoginLogout 024 • LoginLogout 025 • LoginLogout 026 • LoginLogout 027 • !LoginLogout OUT2 • LoginLogout 028 • LoginLogout 029 • LoginLogout 030 • LoginLogout 032 • LoginLogout 033 • LoginLogout 034 • LoginLogout 035 • LoginLogout 036 • LoginLogout 037 • LoginLogout 038 • LoginLogout 039 • LoginLogout 040 • LoginLogout 041 • LoginLogout 042 • LoginLogout 043 • LoginLogout OUT • shell32.dll • /Counter.exe • !/CheckUpdate.exe • M/CheckUpdate.exe /type COUNTER /file " • ANon posso effettuare il login. 
• Ctrl+F2 (Login) • tbarLoginConfirm • toolbar_counternew_login_enabled • D:\PcPad\StCounter\obj\x86\Release\FilaViaPcPad.pdb • _CorExeMainmscoree.dll • <asmv1:assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> |
| Flow Anomalies |
| Offset | Target (decoded operand) | Section | Type | Description |
|---|---|---|---|---|
| 818B | 46FFFFFE | .text | JMP [static] | Indirect jump to absolute memory address |
| E0E8 | 46FFFFFE | .text | JMP [static] | Indirect jump to absolute memory address |
| 2B843 | 28FFFFFC | .text | CALL [static] | Indirect call to absolute memory address |
| 794AE | 28FFFFFC | .text | CALL [static] | Indirect call to absolute memory address |
| 12D71E | 28FFFFFC | .text | CALL [static] | Indirect call to absolute memory address |
| 1305B1 | 28FFFFFC | .text | CALL [static] | Indirect call to absolute memory address |
| 136B02 | 402000 | .text | JMP [static] | Indirect jump to absolute memory address |
Note: 46FFFFFE and 28FFFFFC lie far outside the image (ImageBase 400000, SizeOfImage 140000), so those six entries cannot be real control transfers: they are CIL or metadata bytes that happen to look like FF 25 / FF 15 opcodes when .text is linearly disassembled as x86. The only genuine entry is the entry-point thunk at offset 136B02 jumping through 402000, the IAT slot for _CorExeMain.
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 413741 | 32.1563% |
| Null Byte Code | 121931 | 9.4766% |
© 2026 All rights reserved.