PESCAN.IO - Analysis Report Basic

| File Structure |
[File structure chart not included in this export. Chart legend for PE files: PE header (light blue), executable sections (pink), non-executable sections (black), external injected code (red); a file structure drawn in red indicates a malformed or corrupted header. Chart legend for other file types: printable characters (blue), non-printable characters (black).]
| Information |
| Field | Value |
|---|---|
| Size | 5,31 MB |
| SHA-256 Hash | 4E12FF9A72B7C2357F46EF645400CB6311330CED73EE787244C85BA7C57E8C8E |
| SHA-1 Hash | 3767E079D784C5A2B5088DE7C172DA1C1BF63DAF |
| MD5 Hash | CC165AF6A6E4978C66A86B25CF58B92B |
| Imphash | 4B4F51E7F5871D35E96F549A38934009 |
| MajorOSVersion | 6 |
| MinorOSVersion | 0 |
| CheckSum | 00000000 |
| EntryPoint (rva) | 43755A |
| SizeOfHeaders | 400 |
| SizeOfImage | 87D000 |
| ImageBase | 10000000 |
| Architecture | x86 |
| ExportTable | 380940 |
| ImportTable | 348238 |
| IAT | 7A9000 |
| Characteristics | 2102 |
| TimeDateStamp | 5D832A4D |
| Date | 19/09/2019 7:12:13 |
| File Type | DLL |
| Number Of Sections | 7 |
| ASLR | Enabled |
| Section Names (Optional Header) | *unnamed*, *unnamed*, *unnamed*, ActVer0, ActVer1, *unnamed*, *unnamed* |
| Number Of Executable Sections | 3 |
| Subsystem | Windows GUI |
| Note | Incomplete Binary or Compressor Packer - 3,18 MB Missing |
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| *unnamed* | 0x60000020 Code Executable Readable | 0 | 0 | 1000 | 1C4E | | |
| *unnamed* | 0x40000040 Initialized Data Readable | 0 | 0 | 3000 | F32 | | |
| *unnamed* | 0xC0000040 Initialized Data Readable Writeable | 0 | 0 | 4000 | 3EC | | |
| ActVer0 | 0x60000060 Code Initialized Data Executable Readable | 0 | 0 | 5000 | 3277A0 | | |
| ActVer1 | 0x60000060 Code Initialized Data Executable Readable | 400 | 54D200 | 32D000 | 54D160 | | |
| *unnamed* | 0x40000040 Initialized Data Readable | 54D600 | 800 | 87B000 | 608 | | |
| *unnamed* | 0x40000040 Initialized Data Readable | 54DE00 | 600 | 87C000 | 464 | | |

Entropy and Chi2 values were not reported for any section in this export.
| Description |
| Field | Value |
|---|---|
| OriginalFilename | version.dll |
| CompanyName | ActVer"!g |
| LegalCopyright | Copyright (C) ActVer"!@ |
| ProductName | IObit [Uninstaller&DriverBooster] Pro Activator |
| FileVersion | 1.1 |
| FileDescription | Activate IObit [Uninstaller&DriverBooster] Pro \| Place me In IObit Uninstaller or DriverBooster folder |
| ProductVersion | 1.1 |
| Language | Unknown (ID=0x0) |
| CodePage | Unicode (UTF-16 LE) (0x4B0) |
| Entry Point |
Section number 7 (ActVer1) holds the entry point.

| Field | Value |
|---|---|
| EntryPoint (calculated) | 10A95A |
| Code | 6875117479E81449310056C3E9DF5BF8FF4A0FCAF9F6C35480FF4C33DA03EAE9EDE63700FFE6668B442500660FABFA0F97C6 |
| Note | EP changed to another address (Address Of EntryPoint > Base Of Data) |

Assembler listing at the entry point:

```asm
PUSH 0X79741175
CALL 0X31591E
PUSH ESI
RET
JMP 0XFFF86BF0
DEC EDX
BSWAP EDX
STC
TEST BL, 0X54
CMP BH, 0X4C
XOR EBX, EDX
ADD EBP, EDX
JMP 0X37F711
JMP ESI
MOV AX, WORD PTR [EBP]
BTS DX, DI
SETA DH
```
| Signatures |
| Certificate - Digital Signature Not Found: • The file is not signed |
| Duplicate Sections |
| The section name *unnamed* occurs 5 times |
| Packer/Compiler |
| Detect It Easy (die) • Entropy: 7.95438 |
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module. |
| KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| ET Functions (carving) |
| Original Name: version.dll. Functions: GetProcAddress, malloc, GetProcessWindowStation, GetProcessAffinityMask, SetProcessAffinityMask, LoadLibraryA |
| File Access |
| USER32.dll, api-ms-win-crt-heap-l1-1-0.dll, KERNEL32.dll, WTSAPI32.dll, api-ms-win-crt-runtime-l1-1-0.dll, lVCRUNTIME140.dll, version.dll |
| File Access (UNICODE) |
| version.dll |
| Words of Interest |
| exec |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | Malware that monitors and collects user data (Spy) |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \VERSION\1\0 | 87C058 | 40C | 54DE58 | 0C0434000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000100 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| Intelligent String |
| • 2nj • .Onz • :b\i9bPz • version.dll |
| Flow Anomalies |
| Offset | RVA | Section | Type | Description |
|---|---|---|---|---|
| 71F9 | 87C058 | ActVer1 | JMP [static] | Indirect jump to absolute memory address |
| 17833 | 87C058 | ActVer1 | CALL [static] | Indirect call to absolute memory address |
| 25885 | 6616E376 | ActVer1 | JMP [static] | Indirect jump to absolute memory address |
| 2C4A7 | 22AA8EB2 | ActVer1 | CALL [static] | Indirect call to absolute memory address |
| 30A01 | 3537674 | ActVer1 | CALL [static] | Indirect call to absolute memory address |
| 314FD | 727B8E7A | ActVer1 | JMP [static] | Indirect jump to absolute memory address |
| 37585 | 6631C280 | ActVer1 | JMP [static] | Indirect jump to absolute memory address |
| 3A90A | 49D51EC1 | ActVer1 | JMP [static] | Indirect jump to absolute memory address |
| 3D60C | 49D51EC1 | ActVer1 | CALL [static] | Indirect call to absolute memory address |
| 3D641 | 200A802A | ActVer1 | CALL [static] | Indirect call to absolute memory address |
| 4C4D6 | 62F8AA89 | ActVer1 | CALL [static] | Indirect call to absolute memory address |
| 59A3E | 62F8AA89 | ActVer1 | CALL [static] | Indirect call to absolute memory address |
| 5B617 | 62C24C56 | ActVer1 | CALL [static] | Indirect call to absolute memory address |
| 6363B | 31C28049 | ActVer1 | JMP [static] | Indirect jump to absolute memory address |
| 75921 | 31C28049 | ActVer1 | CALL [static] | Indirect call to absolute memory address |
| 775D6 | 31C28049 | ActVer1 | JMP [static] | Indirect jump to absolute memory address |
| 79A30 | 4C581 | ActVer1 | JMP [static] | Indirect jump to absolute memory address |
| 7B956 | 4C581 | ActVer1 | JMP [static] | Indirect jump to absolute memory address |
| 81BC8 | 4C581 | ActVer1 | CALL [static] | Indirect call to absolute memory address |
| 8B05D | 4C581 | ActVer1 | CALL [static] | Indirect call to absolute memory address |
| 8E8BB | 4C581 | ActVer1 | JMP [static] | Indirect jump to absolute memory address |
| 92412 | 4C581 | ActVer1 | CALL [static] | Indirect call to absolute memory address |
| B3C2C | 4C581 | ActVer1 | JMP [static] | Indirect jump to absolute memory address |
| BB524 | 4C581 | ActVer1 | JMP [static] | Indirect jump to absolute memory address |
| C0FF6 | 4C581 | ActVer1 | JMP [static] | Indirect jump to absolute memory address |
| C1B02 | 4C581 | ActVer1 | JMP [static] | Indirect jump to absolute memory address |
| C5F3C | 2DC1723D | ActVer1 | CALL [static] | Indirect call to absolute memory address |
| C7596 | 2DC1723D | ActVer1 | JMP [static] | Indirect jump to absolute memory address |
| C82EE | 2DC1723D | ActVer1 | JMP [static] | Indirect jump to absolute memory address |
| E1BFA | 2DC1723D | ActVer1 | CALL [static] | Indirect call to absolute memory address |
| EBD65 | 6840E8A6 | ActVer1 | JMP [static] | Indirect jump to absolute memory address |
| EE488 | BAE36E5 | ActVer1 | CALL [static] | Indirect call to absolute memory address |
| F7F83 | BAE36E5 | ActVer1 | CALL [static] | Indirect call to absolute memory address |
| 108658 | 17E5660E | ActVer1 | CALL [static] | Indirect call to absolute memory address |
| 109D14 | 17E5660E | ActVer1 | CALL [static] | Indirect call to absolute memory address |
| 118CC7 | 751F631A | ActVer1 | JMP [static] | Indirect jump to absolute memory address |
| 12C708 | 751F631A | ActVer1 | CALL [static] | Indirect call to absolute memory address |
| 12DCC2 | 6CB2238 | ActVer1 | JMP [static] | Indirect jump to absolute memory address |
| 1390DD | 605B0262 | ActVer1 | CALL [static] | Indirect call to absolute memory address |
| 14C56F | 7C32E18E | ActVer1 | JMP [static] | Indirect jump to absolute memory address |
| 14D80D | 7C32E18E | ActVer1 | CALL [static] | Indirect call to absolute memory address |
| 15ECA3 | 5B4E9AEF | ActVer1 | CALL [static] | Indirect call to absolute memory address |
| 16327B | 2EA0E5AF | ActVer1 | CALL [static] | Indirect call to absolute memory address |
| 166451 | 76BD2BED | ActVer1 | JMP [static] | Indirect jump to absolute memory address |
| 166DFC | 5774C56A | ActVer1 | JMP [static] | Indirect jump to absolute memory address |
| 170F6E | 3AF1165D | ActVer1 | CALL [static] | Indirect call to absolute memory address |
| 1798D1 | 76EBCEEC | ActVer1 | CALL [static] | Indirect call to absolute memory address |
| 17A803 | 3872EB79 | ActVer1 | CALL [static] | Indirect call to absolute memory address |
| 186020 | 40DB7C1A | ActVer1 | CALL [static] | Indirect call to absolute memory address |
| 186944 | 610630E6 | ActVer1 | CALL [static] | Indirect call to absolute memory address |
| 18918E | 13E0C233 | ActVer1 | JMP [static] | Indirect jump to absolute memory address |
| 18F9BB | 5C8FCCBB | ActVer1 | CALL [static] | Indirect call to absolute memory address |
| 193609 | 409F5F2E | ActVer1 | CALL [static] | Indirect call to absolute memory address |
| 193762 | 5E7CEC0B | ActVer1 | JMP [static] | Indirect jump to absolute memory address |
| 19EC48 | 4DB1D5FB | ActVer1 | JMP [static] | Indirect jump to absolute memory address |
| 1AD5F9 | CACED7C | ActVer1 | CALL [static] | Indirect call to absolute memory address |
| 1C211C | 50AEBD6 | ActVer1 | CALL [static] | Indirect call to absolute memory address |
| 1C3143 | 50AEBD6 | ActVer1 | CALL [static] | Indirect call to absolute memory address |
| 1CB7A3 | 3733CE7 | ActVer1 | JMP [static] | Indirect jump to absolute memory address |
| 1CBF13 | 3733CE7 | ActVer1 | CALL [static] | Indirect call to absolute memory address |
| 1D7795 | 3733CE7 | ActVer1 | CALL [static] | Indirect call to absolute memory address |
| 1E42A7 | 15C7AE3D | ActVer1 | CALL [static] | Indirect call to absolute memory address |
| 1EB43C | 15C7AE3D | ActVer1 | JMP [static] | Indirect jump to absolute memory address |
| 1FD02A | 3C9AA274 | ActVer1 | JMP [static] | Indirect jump to absolute memory address |
| 1FDA20 | 3C9AA274 | ActVer1 | CALL [static] | Indirect call to absolute memory address |
| 20334E | 3C9AA274 | ActVer1 | JMP [static] | Indirect jump to absolute memory address |
| 216BE4 | 3847F977 | ActVer1 | CALL [static] | Indirect call to absolute memory address |
| 218D51 | 44B3C887 | ActVer1 | JMP [static] | Indirect jump to absolute memory address |
| 21B8B4 | 44B3C887 | ActVer1 | CALL [static] | Indirect call to absolute memory address |
| 222072 | 62485583 | ActVer1 | CALL [static] | Indirect call to absolute memory address |
| 227558 | 498A12E0 | ActVer1 | CALL [static] | Indirect call to absolute memory address |
| 233F44 | 738792E2 | ActVer1 | JMP [static] | Indirect jump to absolute memory address |
| 23834C | 738792E2 | ActVer1 | JMP [static] | Indirect jump to absolute memory address |
| 24374F | 738792E2 | ActVer1 | JMP [static] | Indirect jump to absolute memory address |
| 249119 | 738792E2 | ActVer1 | CALL [static] | Indirect call to absolute memory address |
| 253ECA | 738792E2 | ActVer1 | CALL [static] | Indirect call to absolute memory address |
| 2550F2 | 738792E2 | ActVer1 | JMP [static] | Indirect jump to absolute memory address |
| 255139 | 4142FBBB | ActVer1 | CALL [static] | Indirect call to absolute memory address |
| 25531C | 4142FBBB | ActVer1 | CALL [static] | Indirect call to absolute memory address |
| 25FC17 | 7C3CF731 | ActVer1 | CALL [static] | Indirect call to absolute memory address |
| 26FCE0 | 588B56D0 | ActVer1 | JMP [static] | Indirect jump to absolute memory address |
| 28072A | 588B56D0 | ActVer1 | CALL [static] | Indirect call to absolute memory address |
| 2808D2 | 104619D4 | ActVer1 | CALL [static] | Indirect call to absolute memory address |
| 295EE0 | 44E89DA2 | ActVer1 | CALL [static] | Indirect call to absolute memory address |
| 2A9636 | 20179B3A | ActVer1 | CALL [static] | Indirect call to absolute memory address |
| 2AEDA0 | 20179B3A | ActVer1 | JMP [static] | Indirect jump to absolute memory address |
| 2B144E | 20179B3A | ActVer1 | JMP [static] | Indirect jump to absolute memory address |
| 2C28F5 | 20179B3A | ActVer1 | JMP [static] | Indirect jump to absolute memory address |
| 2C599F | 20179B3A | ActVer1 | CALL [static] | Indirect call to absolute memory address |
| 2C7B7A | 20179B3A | ActVer1 | JMP [static] | Indirect jump to absolute memory address |
| 2D16C2 | 20179B3A | ActVer1 | CALL [static] | Indirect call to absolute memory address |
| 2D4E5E | 20179B3A | ActVer1 | JMP [static] | Indirect jump to absolute memory address |
| 2E0F7E | 20179B3A | ActVer1 | CALL [static] | Indirect call to absolute memory address |
| 2E6790 | 1494C314 | ActVer1 | CALL [static] | Indirect call to absolute memory address |
| 2ECC9D | 2836CDA7 | ActVer1 | JMP [static] | Indirect jump to absolute memory address |
| 2EDB4A | 2B07649D | ActVer1 | JMP [static] | Indirect jump to absolute memory address |
| 2F233C | 2B07649D | ActVer1 | CALL [static] | Indirect call to absolute memory address |
| 2F25C3 | 4C73500A | ActVer1 | JMP [static] | Indirect jump to absolute memory address |
| 2F34D9 | 52E8DBC8 | ActVer1 | JMP [static] | Indirect jump to absolute memory address |
| 2F5665 | 49C17452 | ActVer1 | JMP [static] | Indirect jump to absolute memory address |
| 400-54D5FF | 32D000 | ActVer1 | | Executable section anomaly, first bytes: FF742500253E176B |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 3785934 | 68,0508% |
| Null Byte Code | 85850 | 1,5431% |