PESCAN.IO - Analysis Report Basic

| File Structure |
[PE chart image not reproduced in the text extraction. Legend: PE header (light blue); executable sections (pink); non-executable sections (black); external injected code (red); file structure drawn in red = malformed or corrupted header. Chart legend for non-PE files: printable characters (blue); non-printable characters (black).]
| Information |
| Field | Value |
|---|---|
| Size | 249,50 KB |
| SHA-256 Hash | BE350AB604E9E0B45DE28B71AF3C47AD9F3B2B0BED6277AC8F7897D403479B10 |
| SHA-1 Hash | BBC312C077652C9A93B82015E6F54D8D511EADB7 |
| MD5 Hash | CCA4C529FA2BFB2070D7CB1FFCA091B9 |
| Imphash | A99648A4D417F4130FACA9D4625EDB8E |
| MajorOSVersion | 6 |
| MinorOSVersion | 0 |
| CheckSum | 00000000 |
| EntryPoint (rva) | 882B |
| SizeOfHeaders | 400 |
| SizeOfImage | 43000 |
| ImageBase | 400000 |
| Architecture | x86 |
| ImportTable | 2C488 |
| IAT | 1D000 |
| Characteristics | 102 |
| TimeDateStamp | 5F70D803 |
| Date | 27/09/2020 18:20:51 |
| File Type | EXE |
| Number Of Sections | 5 |
| ASLR | Enabled |
| Section Names | .text, .rdata, .data, .rsrc, .reloc |
| Number Of Executable Sections | 1 |
| Subsystem | Windows GUI |
| UAC Execution Level Manifest | asInvoker |
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 0x60000020 Code Executable Readable | 400 | 1BC00 | 1000 | 1BA38 | | |
| .rdata | 0x40000040 Initialized Data Readable | 1C000 | FC00 | 1D000 | FB56 | | |
| .data | 0xC0000040 Initialized Data Readable Writeable | 2BC00 | 1600 | 2D000 | 23C8 | | |
| .rsrc | 0x40000040 Initialized Data Readable | 2D200 | F200 | 30000 | F188 | | |
| .reloc | 0x42000040 Initialized Data GP-Relative Readable | 3C400 | 2200 | 40000 | 21C0 | | |
| Description |
| Field | Value |
|---|---|
| OriginalFilename | 1min AI.exe |
| CompanyName | GitHub, Inc. |
| LegalCopyright | Copyright (C) 2015 GitHub, Inc. All rights reserved. |
| ProductName | 1min AI |
| FileVersion | 1.1.48 |
| FileDescription | 1min AI |
| ProductVersion | 1.1.48 |
| Language | English (United States) (ID=0x409) |
| CodePage | Unicode (UTF-16 LE) (0x4B0) |
| Entry Point |
Section 1 (.text) contains the entry point. EntryPoint (calculated): 7C2B

Code (bytes at the entry point): E8A4080000E97AFEFFFF8B4DF464890D00000000595F5F5E5B8BE55D51F2C38B4DF033CDF2E87DF9FFFFF2E9DAFFFFFF8B4D

Assembler (disassembly of the bytes above; the final `8B4D` is a truncated instruction):

```asm
CALL 0X18A9
JMP 0XE84
MOV ECX, DWORD PTR [EBP - 0XC]
MOV DWORD PTR FS:[0], ECX
POP ECX
POP EDI
POP EDI
POP ESI
POP EBX
MOV ESP, EBP
POP EBP
PUSH ECX
BND RET
MOV ECX, DWORD PTR [EBP - 0X10]
XOR ECX, EBP
BND CALL 0X9A7
BND JMP 0X100A
```
| Signatures |
Rich Signature Analyzer

• Code: D12E6500954F0B53954F0B53954F0B53F0290852984F0B53F0290E520E4F0B53F0290F52834F0B53C7270852864F0B53C7270E52A94F0B53C7270F52B74F0B53F0290A52904F0B53954F0A53CC4F0B5335260252914F0B533526F453944F0B53954F9C53944F0B5335260952944F0B5352696368954F0B53
• Footprint md5 Hash: 755A3DCC31A03B5F8A8AE69EC1CF2FE6
• The Rich header apparently has not been modified

Certificate - Digital Signature Not Found

• The file is not signed
| Packer/Compiler |
Compiler: Microsoft Visual Studio

Detect It Easy (die)

• PE: compiler: EP:Microsoft Visual C/C++(2017 v.15.5-6)[EXE32]
• PE: compiler: Microsoft Visual C/C++(2017 v.15.9)[-]
• PE: linker: Microsoft Linker(14.16, Visual Studio 2017 15.9*)[-]
• Entropy: 5.57767
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |
| File Access |
| USER32.dll KERNEL32.dll .dat @.dat |
| File Access (UNICODE) |
| 1min AI.exe mscoree.dll B@kernel32.dll |
| Words of Interest |
| PADDINGX exec start |
| URLs |
| http://schemas.microsoft.com/SMI/2005/WindowsSettings http://schemas.microsoft.com/SMI/2011/WindowsSettings |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | WinAPI Sockets (connect) |
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | Anti-Analysis VM (IsDebuggerPresent) |
| Text | Ascii | Reconnaissance (FindFirstFileW) |
| Text | Ascii | Reconnaissance (FindNextFileW) |
| Text | Ascii | Reconnaissance (FindClose) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Execution (CreateProcessW) |
| Text | Ascii | Execution (CreateSemaphoreW) |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | VC8 - Microsoft Corporation |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \INTEGRITY\ELECTRONASAR\1033 | 309D0 | 7A | 2DBD0 | 5B7B2266696C65223A227265736F75726365735C5C6170702E61736172222C22616C67223A22534841323536222C2276616C | [{"file":"resources\\app.asar","alg":"SHA256","val |
| \CURSOR\1\0 | 30A4C | 134 | 2DC4C | 070004002800000020000000400000000100010000000000000100000000000000000000000000000000000000000000FFFF | ....(... ...@..................................... |
| \CURSOR\2\0 | 30B80 | 134 | 2DD80 | 070007002800000020000000400000000100010000000000000100000000000000000000000000000000000000000000FFFF | ....(... ...@..................................... |
| \CURSOR\3\0 | 30CB4 | 134 | 2DEB4 | 0A0008002800000020000000400000000100010000000000800000000000000000000000000000000000000000000000FFFF | ....(... ...@..................................... |
| \CURSOR\4\0 | 30DE8 | 134 | 2DFE8 | 070004002800000020000000400000000100010000000000000100000000000000000000000000000000000000000000FFFF | ....(... ...@..................................... |
| \CURSOR\5\0 | 30F1C | 134 | 2E11C | 0D000D002800000020000000400000000100010000000000800000000000000000000000020000000200000000000000FFFF | ....(... ...@..................................... |
| \CURSOR\6\0 | 31050 | CAC | 2E250 | 0D000D002800000020000000400000000100180000000000000C000000000000000000000000000000000000000000000000 | ....(... ...@..................................... |
| \CURSOR\7\0 | 31CFC | 134 | 2EEFC | 0D000D002800000020000000400000000100010000000000800000000000000000000000020000000200000000000000FFFF | ....(... ...@..................................... |
| \CURSOR\8\0 | 31E30 | CAC | 2F030 | 0D000D002800000020000000400000000100180000000000000C000000000000000000000000000000000000000000000000 | ....(... ...@..................................... |
| \CURSOR\9\0 | 32ADC | 10AC | 2FCDC | 1000100028000000200000004000000001002000000000000000000000000000000000000000000000000000000000000000 | ....(... ...@..... ............................... |
| \CURSOR\10\0 | 33B88 | 10AC | 30D88 | 1000100028000000200000004000000001002000000000008010000000000000000000000000000000000000000000000000 | ....(... ...@..... ............................... |
| \CURSOR\11\0 | 34C34 | 10AC | 31E34 | 1000100028000000200000004000000001002000000000000010000000000000000000000000000000000000000000000000 | ....(... ...@..... ............................... |
| \CURSOR\12\0 | 35CE0 | 10AC | 32EE0 | 1000100028000000200000004000000001002000000000000010000000000000000000000000000000000000000000000000 | ....(... ...@..... ............................... |
| \CURSOR\13\0 | 36D8C | 10AC | 33F8C | 1000100028000000200000004000000001002000000000000000000000000000000000000000000000000000000000000000 | ....(... ...@..... ............................... |
| \CURSOR\14\0 | 37E38 | 10AC | 35038 | 1000100028000000200000004000000001002000000000000000000000000000000000000000000000000000000000000000 | ....(... ...@..... ............................... |
| \CURSOR\15\0 | 38EE4 | 10AC | 360E4 | 1000100028000000200000004000000001002000000000000000000000000000000000000000000000000000000000000000 | ....(... ...@..... ............................... |
| \CURSOR\16\0 | 39F90 | 10AC | 37190 | 1000100028000000200000004000000001002000000000000000000000000000000000000000000000000000000000000000 | ....(... ...@..... ............................... |
| \CURSOR\17\0 | 3B03C | 10AC | 3823C | 1000100028000000200000004000000001002000000000000000000000000000000000000000000000000000000000000000 | ....(... ...@..... ............................... |
| \CURSOR\18\0 | 3C0E8 | 10AC | 392E8 | 1000100028000000200000004000000001002000000000000000000000000000000000000000000000000000000000000000 | ....(... ...@..... ............................... |
| \CURSOR\19\0 | 3D194 | 10AC | 3A394 | 1000100028000000200000004000000001002000000000000000000000000000000000000000000000000000000000000000 | ....(... ...@..... ............................... |
| \CURSOR\20\0 | 3E240 | 134 | 3B440 | 09000A002800000020000000400000000100010000000000800000000000000000000000000000000000000000000000FFFF | ....(... ...@..................................... |
| \CURSOR\21\0 | 3E374 | 134 | 3B574 | 090003002800000020000000400000000100010000000000800000000000000000000000000000000000000000000000FFFF | ....(... ...@..................................... |
| \CURSOR\22\0 | 3E4A8 | 134 | 3B6A8 | 060006002800000020000000400000000100010000000000000100000000000000000000000000000000000000000000FFFF | ....(... ...@..................................... |
| \CURSOR\23\0 | 3E5DC | 134 | 3B7DC | 060006002800000020000000400000000100010000000000000100000000000000000000000000000000000000000000FFFF | ....(... ...@..................................... |
| \GROUP_CURSOR\49640\0 | 3E710 | 14 | 3B910 | 0000020001002000400001000100340100000100 | ...... .@.....4..... |
| \GROUP_CURSOR\49641\0 | 3E724 | 14 | 3B924 | 0000020001002000400001000100340100000200 | ...... .@.....4..... |
| \GROUP_CURSOR\49642\0 | 3E738 | 14 | 3B938 | 0000020001002000400001000100340100000300 | ...... .@.....4..... |
| \GROUP_CURSOR\49643\0 | 3E74C | 14 | 3B94C | 0000020001002000400001000100340100000400 | ...... .@.....4..... |
| \GROUP_CURSOR\49644\0 | 3E760 | 22 | 3B960 | 00000200020020004000010001003401000005002000400001001800AC0C00000600 | ...... .@.....4..... .@........... |
| \GROUP_CURSOR\49645\0 | 3E784 | 22 | 3B984 | 00000200020020004000010001003401000007002000400001001800AC0C00000800 | ...... .@.....4..... .@........... |
| \GROUP_CURSOR\49646\0 | 3E7A8 | 14 | 3B9A8 | 0000020001002000400001002000AC1000000900 | ...... .@... ....... |
| \GROUP_CURSOR\49647\0 | 3E7BC | 14 | 3B9BC | 0000020001002000400001002000AC1000000A00 | ...... .@... ....... |
| \GROUP_CURSOR\49648\0 | 3E7D0 | 14 | 3B9D0 | 0000020001002000400001002000AC1000000B00 | ...... .@... ....... |
| \GROUP_CURSOR\49649\0 | 3E7E4 | 14 | 3B9E4 | 0000020001002000400001002000AC1000000C00 | ...... .@... ....... |
| \GROUP_CURSOR\49650\0 | 3E7F8 | 14 | 3B9F8 | 0000020001002000400001002000AC1000000D00 | ...... .@... ....... |
| \GROUP_CURSOR\49651\0 | 3E80C | 14 | 3BA0C | 0000020001002000400001002000AC1000000E00 | ...... .@... ....... |
| \GROUP_CURSOR\49652\0 | 3E820 | 14 | 3BA20 | 0000020001002000400001002000AC1000000F00 | ...... .@... ....... |
| \GROUP_CURSOR\49653\0 | 3E834 | 14 | 3BA34 | 0000020001002000400001002000AC1000001000 | ...... .@... ....... |
| \GROUP_CURSOR\49654\0 | 3E848 | 14 | 3BA48 | 0000020001002000400001002000AC1000001100 | ...... .@... ....... |
| \GROUP_CURSOR\49655\0 | 3E85C | 14 | 3BA5C | 0000020001002000400001002000AC1000001200 | ...... .@... ....... |
| \GROUP_CURSOR\49656\0 | 3E870 | 14 | 3BA70 | 0000020001002000400001002000AC1000001300 | ...... .@... ....... |
| \GROUP_CURSOR\49657\0 | 3E884 | 14 | 3BA84 | 0000020001002000400001000100340100001400 | ...... .@.....4..... |
| \GROUP_CURSOR\49658\0 | 3E898 | 14 | 3BA98 | 0000020001002000400001000100340100001500 | ...... .@.....4..... |
| \GROUP_CURSOR\49659\0 | 3E8AC | 14 | 3BAAC | 0000020001002000400001000100340100001600 | ...... .@.....4..... |
| \GROUP_CURSOR\49660\0 | 3E8C0 | 14 | 3BAC0 | 0000020001002000400001000100340100001700 | ...... .@.....4..... |
| \GROUP_ICON\1\1033 | 3E8D4 | 6 | 3BAD4 | 000001000000 | ...... |
| \VERSION\1\1033 | 3E8DC | 318 | 3BADC | 180334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000100 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \24\1\1033 | 3EBF4 | 591 | 3BDF4 | 3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D38223F3E0A3C617373656D626C792078 | <?xml version="1.0" encoding="UTF-8"?>.<assembly x |
| Intelligent String |
• B@kernel32.dll
• mscoree.dll
• C:\Users\ani\code\squirrel\squirrel.windows\build\Release\Win32\StubExecutable.pdb
• .bss
• KERNEL32.dll
• USER32.dll
• 1min AI.exe
| Flow Anomalies |
| Offset | RVA | Section | Type | Description |
|---|---|---|---|---|
| 36E9 | 41D004 | .text | CALL [static] | Indirect call to absolute memory address |
| 36F0 | 41D000 | .text | CALL [static] | Indirect call to absolute memory address |
| 378F | 41D008 | .text | CALL [static] | Indirect call to absolute memory address |
| 39D4 | 41D00C | .text | CALL [static] | Indirect call to absolute memory address |
| 3ADA | 41D010 | .text | CALL [static] | Indirect call to absolute memory address |
| 3BD4 | 41D004 | .text | CALL [static] | Indirect call to absolute memory address |
| 3BDB | 41D000 | .text | CALL [static] | Indirect call to absolute memory address |
| 3D2B | 41D014 | .text | CALL [static] | Indirect call to absolute memory address |
| 3D3E | 41D120 | .text | CALL [static] | Indirect call to absolute memory address |
| 3D4D | 41D124 | .text | CALL [static] | Indirect call to absolute memory address |
| 65CD | 41D12C | .text | CALL [static] | Indirect call to absolute memory address |
| 66DC | 41D12C | .text | CALL [static] | Indirect call to absolute memory address |
| 66F4 | 41D12C | .text | CALL [static] | Indirect call to absolute memory address |
| 688A | 41D12C | .text | CALL [static] | Indirect call to absolute memory address |
| 68AB | 41D12C | .text | CALL [static] | Indirect call to absolute memory address |
| 68FC | 41D12C | .text | CALL [static] | Indirect call to absolute memory address |
| 6916 | 41D12C | .text | CALL [static] | Indirect call to absolute memory address |
| 6A01 | 41D12C | .text | CALL [static] | Indirect call to absolute memory address |
| 6A19 | 41D12C | .text | CALL [static] | Indirect call to absolute memory address |
| 6B7A | 41D028 | .text | CALL [static] | Indirect call to absolute memory address |
| 6B95 | 41D028 | .text | CALL [static] | Indirect call to absolute memory address |
| 6D6A | 41D020 | .text | CALL [static] | Indirect call to absolute memory address |
| 6EC6 | 41D02C | .text | CALL [static] | Indirect call to absolute memory address |
| 6EEA | 41D02C | .text | CALL [static] | Indirect call to absolute memory address |
| 6F34 | 41D034 | .text | CALL [static] | Indirect call to absolute memory address |
| 6F42 | 41D12C | .text | CALL [static] | Indirect call to absolute memory address |
| 6F7C | 41D030 | .text | CALL [static] | Indirect call to absolute memory address |
| 6F97 | 41D004 | .text | CALL [static] | Indirect call to absolute memory address |
| 6FA5 | 41D058 | .text | CALL [static] | Indirect call to absolute memory address |
| 6FBC | 41D058 | .text | CALL [static] | Indirect call to absolute memory address |
| 6FD3 | 41D058 | .text | CALL [static] | Indirect call to absolute memory address |
| 6FEA | 41D058 | .text | CALL [static] | Indirect call to absolute memory address |
| 7001 | 41D058 | .text | CALL [static] | Indirect call to absolute memory address |
| 7018 | 41D058 | .text | CALL [static] | Indirect call to absolute memory address |
| 702F | 41D058 | .text | CALL [static] | Indirect call to absolute memory address |
| 7046 | 41D058 | .text | CALL [static] | Indirect call to absolute memory address |
| 705D | 41D058 | .text | CALL [static] | Indirect call to absolute memory address |
| 7074 | 41D058 | .text | CALL [static] | Indirect call to absolute memory address |
| 708B | 41D058 | .text | CALL [static] | Indirect call to absolute memory address |
| 70A2 | 41D058 | .text | CALL [static] | Indirect call to absolute memory address |
| 70B9 | 41D058 | .text | CALL [static] | Indirect call to absolute memory address |
| 70D0 | 41D058 | .text | CALL [static] | Indirect call to absolute memory address |
| 70E7 | 41D058 | .text | CALL [static] | Indirect call to absolute memory address |
| 70FE | 41D058 | .text | CALL [static] | Indirect call to absolute memory address |
| 7115 | 41D058 | .text | CALL [static] | Indirect call to absolute memory address |
| 712C | 41D058 | .text | CALL [static] | Indirect call to absolute memory address |
| 7143 | 41D058 | .text | CALL [static] | Indirect call to absolute memory address |
| 715A | 41D058 | .text | CALL [static] | Indirect call to absolute memory address |
| 7171 | 41D058 | .text | CALL [static] | Indirect call to absolute memory address |
| 7188 | 41D058 | .text | CALL [static] | Indirect call to absolute memory address |
| 719F | 41D058 | .text | CALL [static] | Indirect call to absolute memory address |
| 71B6 | 41D058 | .text | CALL [static] | Indirect call to absolute memory address |
| 71CD | 41D058 | .text | CALL [static] | Indirect call to absolute memory address |
| 71E4 | 41D058 | .text | CALL [static] | Indirect call to absolute memory address |
| 71FB | 41D058 | .text | CALL [static] | Indirect call to absolute memory address |
| 7212 | 41D058 | .text | CALL [static] | Indirect call to absolute memory address |
| 7229 | 41D058 | .text | CALL [static] | Indirect call to absolute memory address |
| 7240 | 41D058 | .text | CALL [static] | Indirect call to absolute memory address |
| 7257 | 41D058 | .text | CALL [static] | Indirect call to absolute memory address |
| 726E | 41D058 | .text | CALL [static] | Indirect call to absolute memory address |
| 7285 | 41D058 | .text | CALL [static] | Indirect call to absolute memory address |
| 729C | 41D058 | .text | CALL [static] | Indirect call to absolute memory address |
| 72B3 | 41D058 | .text | CALL [static] | Indirect call to absolute memory address |
| 72CA | 41D058 | .text | CALL [static] | Indirect call to absolute memory address |
| 72E1 | 41D058 | .text | CALL [static] | Indirect call to absolute memory address |
| 72F8 | 41D058 | .text | CALL [static] | Indirect call to absolute memory address |
| 730F | 41D058 | .text | CALL [static] | Indirect call to absolute memory address |
| 7326 | 41D058 | .text | CALL [static] | Indirect call to absolute memory address |
| 735B | 41D12C | .text | CALL [static] | Indirect call to absolute memory address |
| 7382 | 41D040 | .text | CALL [static] | Indirect call to absolute memory address |
| 73A5 | 41D12C | .text | CALL [static] | Indirect call to absolute memory address |
| 73BF | 41D038 | .text | CALL [static] | Indirect call to absolute memory address |
| 73E6 | 41D12C | .text | CALL [static] | Indirect call to absolute memory address |
| 73F6 | 41D03C | .text | CALL [static] | Indirect call to absolute memory address |
| 7408 | 41D064 | .text | CALL [static] | Indirect call to absolute memory address |
| 742D | 41D05C | .text | CALL [static] | Indirect call to absolute memory address |
| 743B | 41D060 | .text | CALL [static] | Indirect call to absolute memory address |
| 753E | 41D12C | .text | CALL [static] | Indirect call to absolute memory address |
| 7561 | 41D068 | .text | CALL [static] | Indirect call to absolute memory address |
| 764D | 41D12C | .text | CALL [static] | Indirect call to absolute memory address |
| 76BE | 41D12C | .text | CALL [static] | Indirect call to absolute memory address |
| 7B67 | 41D12C | .text | CALL [static] | Indirect call to absolute memory address |
| 7E2D | 41D078 | .text | CALL [static] | Indirect call to absolute memory address |
| 7E36 | 41D074 | .text | CALL [static] | Indirect call to absolute memory address |
| 7E41 | 41D07C | .text | CALL [static] | Indirect call to absolute memory address |
| 7E48 | 41D080 | .text | CALL [static] | Indirect call to absolute memory address |
| 8309 | 41D088 | .text | CALL [static] | Indirect call to absolute memory address |
| 8329 | 41D078 | .text | CALL [static] | Indirect call to absolute memory address |
| 8333 | 41D074 | .text | CALL [static] | Indirect call to absolute memory address |
| 8366 | 41D08C | .text | CALL [static] | Indirect call to absolute memory address |
| 8384 | 41D004 | .text | CALL [static] | Indirect call to absolute memory address |
| 83CA | 41D078 | .text | CALL [static] | Indirect call to absolute memory address |
| 8499 | 41D054 | .text | CALL [static] | Indirect call to absolute memory address |
| 84A8 | 41D098 | .text | CALL [static] | Indirect call to absolute memory address |
| 84B1 | 41D094 | .text | CALL [static] | Indirect call to absolute memory address |
| 84BE | 41D090 | .text | CALL [static] | Indirect call to absolute memory address |
| 852A | 41D09C | .text | CALL [static] | Indirect call to absolute memory address |
| 85A9 | 41D12C | .text | CALL [static] | Indirect call to absolute memory address |
| 85D5 | 41D12C | .text | CALL [static] | Indirect call to absolute memory address |
| 8794 | 41D12C | .text | CALL [static] | Indirect call to absolute memory address |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 115517 | 45,2143% |
| Null Byte Code | 88835 | 34,7707% |