PREMIUM PESCAN.IO - Analysis Report
| File Structure |
[PE chart image not included. Chart legend: executable header (light blue), executable sections (pink), non-executable sections (black), external injected code (red); a file structure drawn in red indicates a malformed or corrupted header. Legend for other file types: printable characters (blue), non-printable characters (black).]
| Information |
| Field | Value |
|---|---|
| Size | 1,48 MB |
| SHA-256 Hash | B40047866FFEF50DC21B4CC6B4F9643EBDC32F9F1584818489F6FA545368AB62 |
| SHA-1 Hash | CF4723AE97BACF4BA1B367EB31F933DDADDBD1E8 |
| MD5 Hash | CC3AB78221E02D7D6409E8EF5F604242 |
| Imphash | 2560AF07E8C46481887E984B59FB6D6C |
| MajorOSVersion | 6 |
| MinorOSVersion | 0 |
| CheckSum | 001831ED |
| EntryPoint (RVA) | 58650 |
| SizeOfHeaders | 400 |
| SizeOfImage | 17F000 |
| ImageBase | 10000000 |
| Architecture | x86 |
| ExportTable | E16A8 |
| ImportTable | E18AC |
| IAT | E1A6C |
| Characteristics | 2102 |
| TimeDateStamp | 6D949B11 |
| Date | 04/04/2028 10:06:09 |
| File Type | DLL |
| Number Of Sections | 7 |
| ASLR | Enabled |
| Section Names | .text, .rdata, .data, .idata2, .tls2, .rsrc, .reloc |
| Number Of Executable Sections | 1 |
| Subsystem | Windows GUI |
| Sections Info |
| Section Name | Flags | Raw Offset (hex) | Raw Size (hex) | Virtual Offset (hex) | Virtual Size (hex) | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 60000020 (Code, Executable, Readable) | 400 | 5B000 | 1000 | 5AEFF | 6,6216 | 1736152,17 |
| .rdata | 40000040 (Initialized Data, Readable) | 5B400 | 86200 | 5C000 | 8612B | 5,8408 | 4778376,07 |
| .data | C0000040 (Initialized Data, Readable, Writeable) | E1600 | 400 | E3000 | 2D8 | 5,5344 | 43399,50 |
| .idata2 | 40000040 (Initialized Data, Readable) | E1A00 | 200 | E4000 | 1F | 0,6257 | 115185,00 |
| .tls2 | 40000040 (Initialized Data, Readable) | E1C00 | 200 | E5000 | 3F | 1,2330 | 100331,00 |
| .rsrc | 40000040 (Initialized Data, Readable) | E1E00 | 92000 | E6000 | 91F58 | 5,4144 | 4336914,82 |
| .reloc | 42000040 (Initialized Data, GP-Relative, Readable) | 173E00 | 6200 | 178000 | 61FC | 6,7808 | 92090,29 |
| Description |
| Field | Value |
|---|---|
| OriginalFilename | excellib.dll |
| CompanyName | Salem Communications |
| LegalCopyright | Copyright (C) 2026 Salem Communications |
| ProductName | Construction Processing Engine |
| FileVersion | 3.4.358.1 |
| FileDescription | Construction Processing Engine |
| ProductVersion | 3.4.358.1 |
| Language | English (United States) (ID=0x409) |
| CodePage | Unicode (UTF-16 LE) (0x4B0) |
| Entry Point |
Section 1 (.text) contains the entry point. EntryPoint (calculated file offset): 57A50.

First bytes at the entry point:

```
5589E553575683E4FC83EC0C837D0C01B86F860510BE898605100F45C6FFE0FF7508FF15701A0E10E81F33000085C0B99886
```

Disassembly:

```
PUSH EBP
MOV EBP, ESP
PUSH EBX
PUSH EDI
PUSH ESI
AND ESP, 0xFFFFFFFC
SUB ESP, 0xC
CMP DWORD PTR [EBP + 0xC], 1
MOV EAX, 0x1005866F
MOV ESI, 0x10058689
CMOVNE EAX, ESI
JMP EAX
PUSH DWORD PTR [EBP + 8]
CALL DWORD PTR [0x100E1A70]
CALL 0x434C
TEST EAX, EAX
```

The `CMP DWORD PTR [EBP + 0xC], 1` compares the DllMain `fdwReason` argument against DLL_PROCESS_ATTACH (1) and then selects one of two absolute addresses with `CMOVNE` before the `JMP EAX`, so the entry point dispatches rather than running a straight-line prologue.

Flag: EP changed to another address (AddressOfEntryPoint > BaseOfData).
| Signatures |
Certificate: digital signature not found. The file is not signed.
| Packer/Compiler |
Detect It Easy (die):
- PE: linker: Microsoft Linker(14.0)[-]
- Entropy: 6.53041
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | VirtualAlloc | Reserve, commit, or both, a region of memory within the virtual address space of a process. |
| KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module. |
| ADVAPI32.DLL | RegDeleteKeyA | Used to delete a subkey and its values from the Windows registry. |
| SHELL32.DLL | ShellExecuteExA | Performs a run operation on a specific file. |
| ET Functions (carving) |
DllInstall@12, DllUninitialize@4, DllUpdate, FltInvokeStateW@4, NdisObserveComponent, PnpBindComponentAsync@8, PnpInvokeInterface@12, RtlConfigureCacheStatus, RtlLockConfigurationInfo, RtlRevokeComponentW@12, TpmUnregisterControllerW, UsbAcquirePermission, UsbDisableVolumeStatus@8, ZwLoadClusterCount, ZwSuspendModuleAsync@4
| File Access |
| USER32.dll SHELL32.dll GDI32.dll ADVAPI32.dll KERNEL32.dll excellib.dll .dll Microsoft.AspNetCore.DataProtection.Dat Microsoft.AspNetCore.Dat Microsoft.Extensions.DependencyInjection.Dat Microsoft.AspNetCore.DataProtection.Internal.Dat 1(Microsoft.AspNetCore.Dat @.dat Microsoft.Extensions.Log 1(Microsoft.Extensions.Log Microsoft.Extensions.Logging.Log System.Log keyword.operator.log meta.ini meta.parameter.ini entity.name.function.call.ini punctuation.separator.ini //csrc.nist.gov/publications/nistpubs/800-108/sp800-108.pdf Temp |
| File Access (UNICODE) |
| excellib.dll |
| Words of Interest |
Encrypt, Decrypt, Encryption, exec, attrib, start, cipher, systeminfo, ping
| URLs |
- http://csrc.nist.gov/publications/nistpubs/800-108/sp800-108.pdf
- https://github.com/jeff-hykin/better-cpp-syntax/blob/master/autogenerated/cpp.tmLanguage.json
- https://github.com/jeff-hykin/better-cpp-syntax/commit/f1d127a8af2b184db570345f0bb179503c47fdf6
- https://msdn.microsoft.com/en-us/library/windows/desktop/hh706794(v=vs.85).aspx
- https://msdn.microsoft.com/en-us/library/windows/desktop/hh769091(v=vs.85).aspx
- https://msdn.microsoft.com/en-us/library/windows/desktop/hh706800(v=vs.85).aspx
- https://aka.ms/aspnet/dataprotectionwarning
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | WinAPI Sockets (bind) |
| Text | Ascii | WinAPI Sockets (accept) |
| Text | Ascii | WinAPI Sockets (connect) |
| Text | Ascii | File (GetTempPath) |
| Text | Ascii | Anti-Analysis VM (GetSystemInfo) |
| Text | Ascii | Anti-Analysis VM (GetVersion) |
| Text | Ascii | Stealth (VirtualAlloc) |
| Text | Ascii | Execution (ShellExecute) |
| Text | Ascii | Malicious code executed after exploiting a vulnerability (Payload) |
| Text | Ascii | Technique to insert malicious code into a vulnerable application (Injection) |
| Text | Ascii | Software that records user activity (Logger) |
| Text | Ascii | Technique used to insert malicious code into legitimate processes (Inject) |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \RCDATA\218\1033 | E60D0 | 66E6E | E1ED0 | 7B22696E666F726D6174696F6E5F666F725F636F6E7472696275746F7273223A5B22546869732066696C6520686173206265 | {"information_for_contributors":["This file has be |
| \RCDATA\975\1033 | 14CF40 | 2ACC4 | 148D40 | 3C3F786D6C2076657273696F6E3D22312E30223F3E0D0A3C646F633E0D0A202020203C617373656D626C793E0D0A20202020 | <?xml version="1.0"?>..<doc>.. <assembly>.. |
| \VERSION\1\1033 | 177C08 | 350 | 173A08 | 500334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000400 | P.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| Intelligent String |
- `excellib.dll`
- `3.4.358.1`
- `<summary>Storing keys in a directory '{path}' that may not be persisted outside of the container. Protected data will be unavailable when container is destroyed. For more information go to https://aka.ms/aspnet/dataprotectionwarning</summary>`
- `<summary>A certificate with the thumbprint '{0}' could not be found. For more information go to https://aka.ms/aspnet/dataprotectionwarning</summary>`
- `On Windows, this currently corresponds to "Environment.SpecialFolder.LocalApplication/ASP.NET/DataProtection-Keys".`
- `See <see href="https://msdn.microsoft.com/en-us/library/windows/desktop/hh706794(v=vs.85).aspx"`
- `See <see href="https://msdn.microsoft.com/en-us/library/windows/desktop/hh769091(v=vs.85).aspx"`
- `and <see href="https://msdn.microsoft.com/en-us/library/windows/desktop/hh706800(v=vs.85).aspx"`
- `More info at http://csrc.nist.gov/publications/nistpubs/800-108/sp800-108.pdf, Sec. 5.1.`
- `See <see href="https://msdn.microsoft.com/en-us/library/windows/desktop/hh706800(v=vs.85).aspx" for more information.`
- `<summary>The payload was invalid. For more information go to https://aka.ms/aspnet/dataprotectionwarning</summary>`
- `<summary>The key {0:B} was not found in the key ring. For more information go to https://aka.ms/aspnet/dataprotectionwarning</summary>`
- `<summary>The key {0:B} has been revoked. For more information go to https://aka.ms/aspnet/dataprotectionwarning</summary>`
- `<summary>The provided payload cannot be decrypted because it was not protected with this protection provider. For more information go to https://aka.ms/aspnet/dataprotectionwarning</summary>`
- `<summary>The new key lifetime must be at least one week. For more information go to https://aka.ms/aspnet/dataprotectionwarning</summary>`
- `<summary>The key {0:B} already exists in the keyring. For more information go to https://aka.ms/aspnet/dataprotectionwarning</summary>`
- `<summary>GCM algorithms require the Windows platform. For more information go to https://aka.ms/aspnet/dataprotectionwarning</summary>`
- `<summary>Decrypting EncryptedXml-encapsulated payloads is not yet supported on Core CLR. For more information go to https://aka.ms/aspnet/dataprotectionwarning</summary>`
- `<summary>The key ring does not contain a valid default protection key. The data protection system cannot create a new key because auto-generation of keys is disabled. For more information go to https://aka.ms/aspnet/dataprotectionwarning</summary>`
| Flow Anomalies |
| Offset | RVA | Section | Type | Description |
|---|---|---|---|---|
| D15 | 100E1B3C | .text | CALL [static] | Indirect call to absolute memory address |
| F00 | 100E1B38 | .text | CALL [static] | Indirect call to absolute memory address |
| F0B | 100E1B34 | .text | CALL [static] | Indirect call to absolute memory address |
| 10A6 | 100E1A7C | .text | CALL [static] | Indirect call to absolute memory address |
| 10B0 | 100E1AB8 | .text | CALL [static] | Indirect call to absolute memory address |
| 10BC | 100E1B74 | .text | CALL [static] | Indirect call to absolute memory address |
| 10F6 | 100E1A94 | .text | CALL [static] | Indirect call to absolute memory address |
| 24E0 | 100E1ABC | .text | CALL [static] | Indirect call to absolute memory address |
| 2590 | 100E1B44 | .text | CALL [static] | Indirect call to absolute memory address |
| 25AA | 100E1B8C | .text | CALL [static] | Indirect call to absolute memory address |
| 25B4 | 100E1BA0 | .text | CALL [static] | Indirect call to absolute memory address |
| 27C7 | 100E1A7C | .text | CALL [static] | Indirect call to absolute memory address |
| 27D0 | 100E1AB8 | .text | CALL [static] | Indirect call to absolute memory address |
| 27F6 | 100E1B6C | .text | CALL [static] | Indirect call to absolute memory address |
| 4AC0 | 100E1B44 | .text | CALL [static] | Indirect call to absolute memory address |
| 4ADA | 100E1B8C | .text | CALL [static] | Indirect call to absolute memory address |
| 4AE4 | 100E1BA0 | .text | CALL [static] | Indirect call to absolute memory address |
| 4D30 | 100E1ABC | .text | CALL [static] | Indirect call to absolute memory address |
| 4D6A | 100E1B44 | .text | CALL [static] | Indirect call to absolute memory address |
| 4D84 | 100E1B8C | .text | CALL [static] | Indirect call to absolute memory address |
| 4D8E | 100E1BA0 | .text | CALL [static] | Indirect call to absolute memory address |
| 50CA | 100E1B44 | .text | CALL [static] | Indirect call to absolute memory address |
| 50D7 | 100E1B40 | .text | CALL [static] | Indirect call to absolute memory address |
| 50E3 | 100E1BA8 | .text | CALL [static] | Indirect call to absolute memory address |
| 5ED4 | 100E1B44 | .text | CALL [static] | Indirect call to absolute memory address |
| 5EF3 | 100E1B40 | .text | CALL [static] | Indirect call to absolute memory address |
| 5F02 | 100E1BA8 | .text | CALL [static] | Indirect call to absolute memory address |
| 6732 | 100E1ACC | .text | CALL [static] | Indirect call to absolute memory address |
| 6906 | 100E1A7C | .text | CALL [static] | Indirect call to absolute memory address |
| 6910 | 100E1AB8 | .text | CALL [static] | Indirect call to absolute memory address |
| 691C | 100E1B74 | .text | CALL [static] | Indirect call to absolute memory address |
| 6A3F | 100E1B74 | .text | CALL [static] | Indirect call to absolute memory address |
| 6BAE | 100E1B50 | .text | CALL [static] | Indirect call to absolute memory address |
| 6BC0 | 100E1B18 | .text | CALL [static] | Indirect call to absolute memory address |
| 6BC8 | 100E1B20 | .text | CALL [static] | Indirect call to absolute memory address |
| 7811 | 100E1AB8 | .text | CALL [static] | Indirect call to absolute memory address |
| 781B | 100E1A7C | .text | CALL [static] | Indirect call to absolute memory address |
| 7824 | 100E1A84 | .text | CALL [static] | Indirect call to absolute memory address |
| 78F0 | 100E1B44 | .text | CALL [static] | Indirect call to absolute memory address |
| 790E | 100E1B54 | .text | CALL [static] | Indirect call to absolute memory address |
| 791B | 100E1BA0 | .text | CALL [static] | Indirect call to absolute memory address |
| 7935 | 100E1B54 | .text | CALL [static] | Indirect call to absolute memory address |
| 795A | 100E1B88 | .text | CALL [static] | Indirect call to absolute memory address |
| 7970 | 100E1A98 | .text | CALL [static] | Indirect call to absolute memory address |
| 79E6 | 100E1B54 | .text | CALL [static] | Indirect call to absolute memory address |
| 7A0D | 100E1B88 | .text | CALL [static] | Indirect call to absolute memory address |
| 7BAB | 100E1A78 | .text | CALL [static] | Indirect call to absolute memory address |
| 7E7F | 100E1B50 | .text | CALL [static] | Indirect call to absolute memory address |
| 7E91 | 100E1B18 | .text | CALL [static] | Indirect call to absolute memory address |
| 7E99 | 100E1B20 | .text | CALL [static] | Indirect call to absolute memory address |
| 9D40 | 100E1ABC | .text | CALL [static] | Indirect call to absolute memory address |
| 9DD7 | 100E1A7C | .text | CALL [static] | Indirect call to absolute memory address |
| 9DE1 | 100E1AB8 | .text | CALL [static] | Indirect call to absolute memory address |
| 9DED | 100E1B74 | .text | CALL [static] | Indirect call to absolute memory address |
| 9E15 | 100E1B8C | .text | CALL [static] | Indirect call to absolute memory address |
| 9E5E | 100E1B90 | .text | CALL [static] | Indirect call to absolute memory address |
| 9E79 | 100E1A9C | .text | CALL [static] | Indirect call to absolute memory address |
| 9E97 | 100E1AC0 | .text | CALL [static] | Indirect call to absolute memory address |
| 9EC0 | 100E1AC4 | .text | CALL [static] | Indirect call to absolute memory address |
| A06F | 100E1B28 | .text | CALL [static] | Indirect call to absolute memory address |
| A079 | 100E1B2C | .text | CALL [static] | Indirect call to absolute memory address |
| A094 | 100E1B44 | .text | CALL [static] | Indirect call to absolute memory address |
| A09B | 100E1BA0 | .text | CALL [static] | Indirect call to absolute memory address |
| A17F | 100E1B50 | .text | CALL [static] | Indirect call to absolute memory address |
| A195 | 100E1B18 | .text | CALL [static] | Indirect call to absolute memory address |
| A19D | 100E1B20 | .text | CALL [static] | Indirect call to absolute memory address |
| A218 | 100E1B4C | .text | CALL [static] | Indirect call to absolute memory address |
| A222 | 100E1B30 | .text | CALL [static] | Indirect call to absolute memory address |
| A515 | 100E1AB8 | .text | CALL [static] | Indirect call to absolute memory address |
| A51F | 100E1A7C | .text | CALL [static] | Indirect call to absolute memory address |
| A529 | 100E1A84 | .text | CALL [static] | Indirect call to absolute memory address |
| A548 | 100E1B44 | .text | CALL [static] | Indirect call to absolute memory address |
| A562 | 100E1B40 | .text | CALL [static] | Indirect call to absolute memory address |
| A576 | 100E1BA8 | .text | CALL [static] | Indirect call to absolute memory address |
| B0D7 | 100E1A84 | .text | CALL [static] | Indirect call to absolute memory address |
| B171 | 100E1AB8 | .text | CALL [static] | Indirect call to absolute memory address |
| D5D0 | 100E1AA8 | .text | CALL [static] | Indirect call to absolute memory address |
| D8F4 | 100E1A84 | .text | CALL [static] | Indirect call to absolute memory address |
| D973 | 100E1ABC | .text | CALL [static] | Indirect call to absolute memory address |
| D97C | 100E1A98 | .text | CALL [static] | Indirect call to absolute memory address |
| DB89 | 100E1ACC | .text | CALL [static] | Indirect call to absolute memory address |
| DBA1 | 100E1AB8 | .text | CALL [static] | Indirect call to absolute memory address |
| DBAA | 100E1A7C | .text | CALL [static] | Indirect call to absolute memory address |
| DBB4 | 100E1A84 | .text | CALL [static] | Indirect call to absolute memory address |
| DC76 | 100E1B74 | .text | CALL [static] | Indirect call to absolute memory address |
| DCB8 | 100E1A84 | .text | CALL [static] | Indirect call to absolute memory address |
| DE49 | 100E1AB8 | .text | CALL [static] | Indirect call to absolute memory address |
| DE9B | 100E1A7C | .text | CALL [static] | Indirect call to absolute memory address |
| DEA4 | 100E1AB8 | .text | CALL [static] | Indirect call to absolute memory address |
| DEB0 | 100E1B74 | .text | CALL [static] | Indirect call to absolute memory address |
| DECE | 100E1A9C | .text | CALL [static] | Indirect call to absolute memory address |
| DEDF | 100E1AC0 | .text | CALL [static] | Indirect call to absolute memory address |
| DF00 | 100E1AC4 | .text | CALL [static] | Indirect call to absolute memory address |
| E9C0 | 100E1B4C | .text | CALL [static] | Indirect call to absolute memory address |
| EE53 | 100E1B74 | .text | CALL [static] | Indirect call to absolute memory address |
| F0CE | 100E1B44 | .text | CALL [static] | Indirect call to absolute memory address |
| F0D5 | 100E1B68 | .text | CALL [static] | Indirect call to absolute memory address |
| FE90 | 100E1AA8 | .text | CALL [static] | Indirect call to absolute memory address |
| FFED | 100E1A84 | .text | CALL [static] | Indirect call to absolute memory address |
| 100E9 | 100E1A7C | .text | CALL [static] | Indirect call to absolute memory address |
| B907-B926 | N/A | .text | Unusual BP Cave | count: 32 |
| B937-B976 | N/A | .text | Unusual BP Cave | count: 64 |
| B987-B9A6 | N/A | .text | Unusual BP Cave | count: 32 |
| B9B7-B9E6 | N/A | .text | Unusual BP Cave | count: 48 |
| B9F7-BA16 | N/A | .text | Unusual BP Cave | count: 32 |
| 196B7-196D6 | N/A | .text | Unusual BP Cave | count: 32 |
| 196E7-19716 | N/A | .text | Unusual BP Cave | count: 48 |
| 19727-19746 | N/A | .text | Unusual BP Cave | count: 32 |
| 19757-19786 | N/A | .text | Unusual BP Cave | count: 48 |
| 269B7-269F6 | N/A | .text | Unusual BP Cave | count: 64 |
| 26A07-26A46 | N/A | .text | Unusual BP Cave | count: 64 |
| 26A57-26A96 | N/A | .text | Unusual BP Cave | count: 64 |
| 26AA7-26AC6 | N/A | .text | Unusual BP Cave | count: 32 |
| 26AD7-26AF6 | N/A | .text | Unusual BP Cave | count: 32 |
| 34697-346B6 | N/A | .text | Unusual BP Cave | count: 32 |
| 346C7-346F6 | N/A | .text | Unusual BP Cave | count: 48 |
| 34707-34736 | N/A | .text | Unusual BP Cave | count: 48 |
| 47647-47676 | N/A | .text | Unusual BP Cave | count: 48 |
| 47687-476C6 | N/A | .text | Unusual BP Cave | count: 64 |
| 476D7-47716 | N/A | .text | Unusual BP Cave | count: 64 |
| 47727-47746 | N/A | .text | Unusual BP Cave | count: 32 |
| 47757-47786 | N/A | .text | Unusual BP Cave | count: 48 |
| 52A47-52A86 | N/A | .text | Unusual BP Cave | count: 64 |
| 52A97-52AC6 | N/A | .text | Unusual BP Cave | count: 48 |
| 52AD7-52B16 | N/A | .text | Unusual BP Cave | count: 64 |
| 52B27-52B46 | N/A | .text | Unusual BP Cave | count: 32 |
| 5B2FF-5B3FF | N/A | .text | Unusual BP Cave | count: 257 |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 1378484 | 89,0328% |
| Null Byte Code | 32129 | 2,0751% |
© 2026 All rights reserved.