PREMIUM PESCAN.IO - Analysis Report
File Structure
[File structure chart not reproduced here; only its legend survives.]
PE chart colour code: PE header (light blue); executable sections (pink); non-executable sections (black); external injected code (red); file structure drawn in red = malformed or corrupted header.
Chart code for other (non-PE) files: printable characters (blue); non-printable characters (black).
Information

| Field | Value |
|---|---|
| Size | 1,14 MB |
| SHA-256 Hash | 589A33F90AA5C137188DD7D45319967DA0252D468B6F5C02E875C3B7CD86DF4C |
| SHA-1 Hash | 34E93EA668BFA12A4E1F800760213381E2E55083 |
| MD5 Hash | CED691C3166E64E42C6893AEFAEF9BBC |
| Imphash | A710AA172984A483BBFCB01E11558441 |
| MajorOSVersion | 4 |
| MinorOSVersion | 0 |
| CheckSum | 00000000 |
| EntryPoint (rva) | 1916D |
| SizeOfHeaders | 1000 |
| SizeOfImage | 24000 |
| ImageBase | 10000000 |
| Architecture | x86 |
| ExportTable | 1D640 |
| ImportTable | 1BE40 |
| IAT | 1A000 |
| Characteristics | 210E |
| TimeDateStamp | 504DEF3B |
| Date | 10/09/2012 13:46:35 |
| File Type | DLL |
| Number Of Sections | 5 |
| ASLR | Disabled |
| Section Names | .text, .rdata, .data, .rsrc, .reloc |
| Number Of Executable Sections | 1 |
| Subsystem | Windows GUI |
Sections Info

| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 0x60000020 Code Executable Readable | 1000 | 19000 | 1000 | 18975 | | |
| .rdata | 0x40000040 Initialized Data Readable | 1A000 | 4000 | 1A000 | 36AB | | |
| .data | 0xC0000040 Initialized Data Readable Writeable | 1E000 | 3000 | 1E000 | 2D2C | | |
| .rsrc | 0x40000040 Initialized Data Readable | 21000 | 1000 | 21000 | 10 | | |
| .reloc | 0x42000040 Initialized Data GP-Relative Readable | 22000 | 2000 | 22000 | 1C08 | | |

(Entropy and Chi2 values were not present in the report as captured.)
Binder/Joiner/Crypter
Dropper code detected at end of file (EOF) - 1,00 MB
Entry Point
Section 1 (.text) contains the Entry Point.
EntryPoint (calculated): 1916D
Code: 558BEC538B5D08568B750C578B7D1085F67509833D180D021000EB2683FE01740583FE027522A1280D021085C07409575653
Assembler:
PUSH EBP
MOV EBP, ESP
PUSH EBX
MOV EBX, DWORD PTR [EBP + 8]
PUSH ESI
MOV ESI, DWORD PTR [EBP + 0XC]
PUSH EDI
MOV EDI, DWORD PTR [EBP + 0X10]
TEST ESI, ESI
JNE 0X101C
CMP DWORD PTR [0X10020D18], 0
JMP 0X1042
CMP ESI, 1
JE 0X1026
CMP ESI, 2
JNE 0X1048
MOV EAX, DWORD PTR [0X10020D28]
TEST EAX, EAX
JE 0X1038
PUSH EDI
PUSH ESI
PUSH EBX
Signatures
Rich Signature Analyzer:
• Code: 78F3F4333C929A603C929A603C929A60478E966038929A60BF8E94603F929A60538D91603D929A60538D906038929A60538D9E6038929A60D48D906030929A603C929B6036939A60FF9DC76021929A60D48D916025929A60FB949C603D929A60D48D9E603D929A60526963683C929A60
• Footprint md5 Hash: 880CD75B3A196881E8D35A0685862C2F
• The Rich header apparently has not been modified.
Certificate - Digital Signature:
• Not found; the file is not signed.
Packer/Compiler
Compiler: Microsoft Visual C++ 6 DLL
Detect It Easy (DiE):
• PE: compiler: EP:Microsoft Visual C/C++(6.0 (1720-8966))[DLL32]
• PE: compiler: Microsoft Visual C/C++(6.0)[msvcrt]
• PE: linker: Microsoft Linker(6.0)[-]
• Entropy: 1.28767
Suspicious Functions

| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | CreateMutexA | Creates a named or unnamed mutex object for controlling access to a shared resource. |
| KERNEL32.DLL | GetModuleFileNameA | Retrieves the fully qualified path for the executable file of a specified module. |
| KERNEL32.DLL | VirtualAlloc | Reserves, commits, or both, a region of memory within the virtual address space of a process. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | CreateRemoteThread | Creates a thread in the address space of another process. |
| KERNEL32.DLL | WriteProcessMemory | Writes data to an area of memory in a specified process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | CreateFileA | Creates or opens a file or I/O device. |
| KERNEL32.DLL | DeleteFileA | Deletes an existing file. |
| ADVAPI32.DLL | RegCreateKeyExA | Creates a new registry key or opens an existing one. |
| ADVAPI32.DLL | RegDeleteKeyA | Deletes a subkey and its values from the Windows registry. |
| ADVAPI32.DLL | RegSetValueExA | Sets the data and type of a specified value under a registry key. |
| ADVAPI32.DLL | RegDeleteValueA | Removes a named value from the specified registry key. Note that value names are not case sensitive. |
ET Functions (carving)
Original Name: sougou.dll
Functions: Fun, givemeagoodtime, sauna
Windows REG
• SOFTWARE\Microsoft\Windows NT\CurrentVersion
• SYSTEM\CurrentControlSet\Services\%s
• SYSTEM\CurrentControlSet\Services\
• System\CentralProcessor\
File Access
explorer.exe, DSMain.exe, rundll32.exe, 360tray.exe, avp.exe, KvMonXP.exe, RavMonD.exe, 360sd.exe, kxetray.exe, knsdtray.exe, TMBMSRV.exe, avcenter.exe, ashDisp.exe, avguard.exe, dp.exe, 1ow.exe, mdm365.exe, dnf.exe, xy2.exe, xy3.exe, QQhxgame.exe, tw2.exe, my.exe, DragonNest.exe, \cmd.exe, winlogon.exe, Applications\iexplore.exe, MSVFW32.dll, PSAPI.DLL, Kernel32.dll, USERENV.dll, GDI32.dll, advapi32.dll, shlwapi.dll, SHELL32.dll, WININET.dll, WS2_32.dll, USER32.dll, WINMM.dll, sougou.dll, WTSAPI32.dll, IMM32.dll, NETAPI32.dll, MSVCP60.dll, MSVCRT.dll, \Server.dat, @.dat, Temp, UserProfile
Words of Interest
fuck - }:) attrib start shutdown rundll32 systeminfo ping rundll expand
AV Services
guard.exe - (AVG Anti-Spyware)
Strings/Hex Code Found With The File Rules

| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | WinAPI Sockets (connect) |
| Text | Ascii | Registry (RegCreateKeyEx) |
| Text | Ascii | Registry (RegOpenKeyEx) |
| Text | Ascii | Registry (RegSetValueEx) |
| Text | Ascii | File (GetTempPath) |
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | File (ReadFile) |
| Text | Ascii | Service (OpenSCManager) |
| Text | Ascii | Anti-Analysis VM (GetSystemInfo) |
| Text | Ascii | Anti-Analysis VM (GlobalMemoryStatusEx) |
| Text | Ascii | Anti-Analysis VM (GetVersion) |
| Text | Ascii | Reconnaissance (FindFirstFileA) |
| Text | Ascii | Reconnaissance (FindNextFileA) |
| Text | Ascii | Reconnaissance (FindClose) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Stealth (UnmapViewOfFile) |
| Text | Ascii | Stealth (MapViewOfFile) |
| Text | Ascii | Stealth (CreateFileMappingA) |
| Text | Ascii | Stealth (VirtualAlloc) |
| Text | Ascii | Stealth (CreateRemoteThread) |
| Text | Ascii | Execution (CreateProcessA) |
| Text | Ascii | Execution (ResumeThread) |
| Text | Ascii | Execution (OpenEventA) |
| Text | Ascii | Execution (CreateEventA) |
| Text | Ascii | Antivirus Software (avira) |
| Text | Ascii | Antivirus Software (avast) |
| Text | Ascii | Privileges (SeDebugPrivilege) |
| Text | Ascii | Privileges (SeShutdownPrivilege) |
| Entry Point | Hex Pattern | Armadillov1xxv2xx |
| Entry Point | Hex Pattern | Microsoft Visual C++ 6.0 DLL |
| Entry Point | Hex Pattern | Microsoft Visual C++ 6.0 |
| Entry Point | Hex Pattern | Microsoft Visual C++ v6.0 DLL |
Intelligent String
• ADVAPI32.dll
• USER32.dll
• KERNEL32.dll
• MSVCRT.dll
• NETAPI32.dll
• WINMM.dll
• WS2_32.dll
• kernel32.dll
• Microsoft\Network\Connections\pbk\rasphone.pbk
• .PAD
• advapi32.dll
• winlogon.exe
• %d.bak
• GDI32.dll
• LockServiceDatabase
• \cmd.exe
• DragonNest.exe
• my.exe
• QQhxgame.exe
• mdm365.exe
• 1ow.exe
• dp.exe
• avcenter.exe
• knsdtray.exe
• 360sd.exe
• Kernel32.dll
• RegisterServiceCtrlHandlerA
• rundll32.exe "%s",Fun %s
• DSMain.exe
• C:\WINDOWS
• PSAPI.DLL
• GetTokenInformation
• explorer.exe
Flow Anomalies

| Offset | RVA | Section | Type | Description |
|---|---|---|---|---|
| 1107 | 1001A1A8 | .text | CALL [static] | Indirect call to absolute memory address |
| 110E | 1001A1AC | .text | CALL [static] | Indirect call to absolute memory address |
| 1123 | 1001A3C8 | .text | CALL [static] | Indirect call to absolute memory address |
| 112D | 1001A398 | .text | CALL [static] | Indirect call to absolute memory address |
| 1156 | 1001A390 | .text | CALL [static] | Indirect call to absolute memory address |
| 1162 | 1001A1B0 | .text | CALL [static] | Indirect call to absolute memory address |
| 119A | 1001A394 | .text | CALL [static] | Indirect call to absolute memory address |
| 122E | 1001A1A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 123A | 1001A1A4 | .text | CALL [static] | Indirect call to absolute memory address |
| 12AE | 1001A3AC | .text | CALL [static] | Indirect call to absolute memory address |
| 12E5 | 1001A3A8 | .text | CALL [static] | Indirect call to absolute memory address |
| 1307 | 1001A1A8 | .text | CALL [static] | Indirect call to absolute memory address |
| 130E | 1001A1AC | .text | CALL [static] | Indirect call to absolute memory address |
| 1343 | 1001A3A4 | .text | CALL [static] | Indirect call to absolute memory address |
| 1380 | 1001A3A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1399 | 1001A39C | .text | CALL [static] | Indirect call to absolute memory address |
| 13A3 | 1001A19C | .text | CALL [static] | Indirect call to absolute memory address |
| 13AC | 1001A3B0 | .text | CALL [static] | Indirect call to absolute memory address |
| 13C6 | 1001A3C0 | .text | CALL [static] | Indirect call to absolute memory address |
| 140D | 1001A3BC | .text | CALL [static] | Indirect call to absolute memory address |
| 144A | 1001A3B8 | .text | CALL [static] | Indirect call to absolute memory address |
| 1472 | 1001A340 | .text | CALL [static] | Indirect call to absolute memory address |
| 14BB | 1001A1A4 | .text | CALL [static] | Indirect call to absolute memory address |
| 14D9 | 1001A39C | .text | CALL [static] | Indirect call to absolute memory address |
| 14F2 | 1001A33C | .text | CALL [static] | Indirect call to absolute memory address |
| 14FD | 1001A338 | .text | CALL [static] | Indirect call to absolute memory address |
| 150E | 1001A340 | .text | CALL [static] | Indirect call to absolute memory address |
| 1628 | 1001A1A4 | .text | CALL [static] | Indirect call to absolute memory address |
| 1679 | 1001A3A8 | .text | CALL [static] | Indirect call to absolute memory address |
| 1838 | 1001A198 | .text | CALL [static] | Indirect call to absolute memory address |
| 1888 | 1001A190 | .text | CALL [static] | Indirect call to absolute memory address |
| 1892 | 1001A194 | .text | CALL [static] | Indirect call to absolute memory address |
| 18B0 | 1001A1A8 | .text | CALL [static] | Indirect call to absolute memory address |
| 18B7 | 1001A1AC | .text | CALL [static] | Indirect call to absolute memory address |
| 18E2 | 1001A18C | .text | CALL [static] | Indirect call to absolute memory address |
| 1916 | 1001A18C | .text | CALL [static] | Indirect call to absolute memory address |
| 1940 | 1001A1A8 | .text | CALL [static] | Indirect call to absolute memory address |
| 1947 | 1001A1AC | .text | CALL [static] | Indirect call to absolute memory address |
| 1967 | 1001A18C | .text | CALL [static] | Indirect call to absolute memory address |
| 19B8 | 1001A284 | .text | CALL [static] | Indirect call to absolute memory address |
| 19DE | 1001A18C | .text | CALL [static] | Indirect call to absolute memory address |
| 1A4C | 1001A288 | .text | CALL [static] | Indirect call to absolute memory address |
| 1A69 | 1001A188 | .text | CALL [static] | Indirect call to absolute memory address |
| 1AB4 | 1001A190 | .text | CALL [static] | Indirect call to absolute memory address |
| 1B1A | 1001A288 | .text | CALL [static] | Indirect call to absolute memory address |
| 1B4E | 1001A188 | .text | CALL [static] | Indirect call to absolute memory address |
| 1B81 | 1001A190 | .text | CALL [static] | Indirect call to absolute memory address |
| 1BBE | 1001A1A8 | .text | CALL [static] | Indirect call to absolute memory address |
| 1BC5 | 1001A1AC | .text | CALL [static] | Indirect call to absolute memory address |
| 1BE4 | 1001A18C | .text | CALL [static] | Indirect call to absolute memory address |
| 1C6D | 1001A3EC | .text | CALL [static] | Indirect call to absolute memory address |
| 1C7B | 1001A174 | .text | CALL [static] | Indirect call to absolute memory address |
| 1D3C | 1001A1A4 | .text | CALL [static] | Indirect call to absolute memory address |
| 1D6A | 1001A3E8 | .text | CALL [static] | Indirect call to absolute memory address |
| 1DD3 | 1001A1A8 | .text | CALL [static] | Indirect call to absolute memory address |
| 1DDA | 1001A1AC | .text | CALL [static] | Indirect call to absolute memory address |
| 1E1E | 1001A3D4 | .text | CALL [static] | Indirect call to absolute memory address |
| 1E50 | 1001A428 | .text | CALL [static] | Indirect call to absolute memory address |
| 1E87 | 1001A3DC | .text | CALL [static] | Indirect call to absolute memory address |
| 1EAB | 1001A3E0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1EFC | 1001A3E4 | .text | CALL [static] | Indirect call to absolute memory address |
| 1F28 | 1001A1A8 | .text | CALL [static] | Indirect call to absolute memory address |
| 1F2F | 1001A1AC | .text | CALL [static] | Indirect call to absolute memory address |
| 1FCF | 1001A3F8 | .text | CALL [static] | Indirect call to absolute memory address |
| 2007 | 1001A3F4 | .text | CALL [static] | Indirect call to absolute memory address |
| 2018 | 1001A3F0 | .text | CALL [static] | Indirect call to absolute memory address |
| 2042 | 1001A3D8 | .text | CALL [static] | Indirect call to absolute memory address |
| 2093 | 1001A1A8 | .text | CALL [static] | Indirect call to absolute memory address |
| 209A | 1001A1AC | .text | CALL [static] | Indirect call to absolute memory address |
| 2122 | 1001A3F8 | .text | CALL [static] | Indirect call to absolute memory address |
| 2158 | 1001A3F4 | .text | CALL [static] | Indirect call to absolute memory address |
| 217D | 1001A3D8 | .text | CALL [static] | Indirect call to absolute memory address |
| 21A8 | 1001A428 | .text | CALL [static] | Indirect call to absolute memory address |
| 21DD | 1001A3D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 21F8 | 1001A3F8 | .text | CALL [static] | Indirect call to absolute memory address |
| 2230 | 1001A3F4 | .text | CALL [static] | Indirect call to absolute memory address |
| 2241 | 1001A3F0 | .text | CALL [static] | Indirect call to absolute memory address |
| 226B | 1001A3D8 | .text | CALL [static] | Indirect call to absolute memory address |
| 229B | 1001A3F0 | .text | CALL [static] | Indirect call to absolute memory address |
| 230E | 1001A3F4 | .text | CALL [static] | Indirect call to absolute memory address |
| 2399 | 1001A1A4 | .text | CALL [static] | Indirect call to absolute memory address |
| 2468 | 1001A1A8 | .text | CALL [static] | Indirect call to absolute memory address |
| 246F | 1001A1AC | .text | CALL [static] | Indirect call to absolute memory address |
| 2584 | 1001A1A8 | .text | CALL [static] | Indirect call to absolute memory address |
| 258B | 1001A1AC | .text | CALL [static] | Indirect call to absolute memory address |
| 25F8 | 1001A3E4 | .text | CALL [static] | Indirect call to absolute memory address |
| 2639 | 1001A3F0 | .text | CALL [static] | Indirect call to absolute memory address |
| 2646 | 1001A1A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 2811 | 1001A3F8 | .text | CALL [static] | Indirect call to absolute memory address |
| 283E | 1001A184 | .text | CALL [static] | Indirect call to absolute memory address |
| 285B | 1001A3F8 | .text | CALL [static] | Indirect call to absolute memory address |
| 2962 | 1001A1A8 | .text | CALL [static] | Indirect call to absolute memory address |
| 2969 | 1001A1AC | .text | CALL [static] | Indirect call to absolute memory address |
| 2989 | 1001A26C | .text | CALL [static] | Indirect call to absolute memory address |
| 2991 | 1001A180 | .text | CALL [static] | Indirect call to absolute memory address |
| 29BB | 1001A26C | .text | CALL [static] | Indirect call to absolute memory address |
| 29C3 | 1001A180 | .text | CALL [static] | Indirect call to absolute memory address |
| 2A15 | 1001A268 | .text | CALL [static] | Indirect call to absolute memory address |
| 2A1F | 1001A3FC | .text | CALL [static] | Indirect call to absolute memory address |
| 2A2B | 1001A428 | .text | CALL [static] | Indirect call to absolute memory address |
| 24000 | N/A | *Overlay* | 2E2E2E2E2E2E2E2E2E2E2E2E2E2E2E2E2E2E2E2E | .................... |
Extra Analysis

| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 1124311 | 94,0006% |
| Null Byte Code | 36544 | 3,0553% |
| NOP Cave Found | 0x9090909090 (Block Count: 507) | 0,106% |
© 2026 All rights reserved.