PESCAN.IO - Analysis Report Basic

| File Structure |
[PE layout chart not reproduced. Legend: PE header (light blue), executable sections (pink), non-executable sections (black), externally injected code (red); a red File Structure bar means a malformed or corrupted header. For non-PE files: printable characters (blue), non-printable characters (black).]
| Information |
All offsets, RVAs and sizes below are hexadecimal, as printed by the tool.
• Size: 31.48 KB
• SHA-256: C82173990F7F6FCFD92C53C7820C044A42FA85623E225A8DA9437EEB689EBF15
• SHA-1: 2CA5B898DD92C1B22E9922F193E89209CA198B41
• MD5: D5B5DCA49CCD7272FB350461118ADD51
• Imphash: 817AEFE4A9341A52E443070EB2473D1C
• MajorOSVersion: 6, MinorOSVersion: 0
• CheckSum: 0000EC58
• EntryPoint (RVA): 3040
• SizeOfHeaders: 400
• SizeOfImage: 9000
• ImageBase: 400000
• Architecture: x86
• ImportTable: 4D48
• IAT: 4000
• Characteristics: 102 (IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE)
• TimeDateStamp: 656149D1 (25/11/2023 1:11:45)
• File Type: EXE
• Number Of Sections: 5 (.text, .rdata, .data, .rsrc, .reloc), of which 1 is executable
• ASLR: Enabled
• Subsystem: Windows Console
• UAC Execution Level Manifest: asInvoker
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize |
|---|---|---|---|---|---|
| .text | 0x60000020 Code, Executable, Readable | 400 | 2E00 | 1000 | 2C32 |
| .rdata | 0x40000040 Initialized Data, Readable | 3200 | 1800 | 4000 | 17E8 |
| .data | 0xC0000040 Initialized Data, Readable, Writeable | 4A00 | 200 | 6000 | 444 |
| .rsrc | 0x40000040 Initialized Data, Readable | 4C00 | 600 | 7000 | 4D8 |
| .reloc | 0x42000040 Initialized Data, Discardable, Readable | 5200 | 400 | 8000 | 318 |

The report's Entropy and Chi2 columns carried no values and are omitted. The 0x02000000 bit in the .reloc flags is IMAGE_SCN_MEM_DISCARDABLE; the tool's "GP-Relative" label is wrong (IMAGE_SCN_GPREL is 0x00008000). Raw section data ends at 0x5200 + 0x400 = 0x5600, which is where the overlay reported under Flow Anomalies begins. Note that .data has VSize 444 but RSize 200: the last 0x244 bytes of .data exist only in memory (zero-filled), so an RVA in that range has no file offset.
| Description |
• OriginalFilename: SetDpi.exe
• CompanyName: Fork of Github-imniko-SetDPI
• LegalCopyright: 2023-11-24
• ProductName: SetDPI
• FileVersion: 1.1.0.0
• FileDescription: SetDPI
• ProductVersion: 1.1.0.0
• Language: English (United States) (ID=0x409)
• CodePage: Unicode (UTF-16 LE) (0x4B0)
| Entry Point |
The entry point lies in section 1 (.text). EntryPoint RVA 3040 maps to file offset 2440 (0x3040 - 0x1000 + 0x400).

Code: E8FA030000E974FEFFFF558BEC6A00FF1518404000FF7508FF154840400068090400C0FF153C40400050FF151C4040005DC3

Assembler:
CALL 0x13FF
JMP 0xE7E
PUSH EBP
MOV EBP, ESP
PUSH 0
CALL DWORD PTR [0x404018]
PUSH DWORD PTR [EBP + 8]
CALL DWORD PTR [0x404048]
PUSH 0xC0000409
CALL DWORD PTR [0x40403C]
PUSH EAX
CALL DWORD PTR [0x40401C]
POP EBP
RET

The listing spans two functions. The first two instructions are the usual MSVC CRT entry stub: a CALL to the stack-cookie initialiser followed by a JMP into the CRT's common main. The disassembler labelled the branch targets relative to 0x1000 rather than to the entry RVA; decoding the rel32 displacements (+0x3FA and -0x18C) from RVA 0x3040 gives the real targets 0x343F and 0x2EBE, both inside .text. The second function (PUSH EBP ... RET) has the shape of the /GS stack-cookie failure handler: SetUnhandledExceptionFilter(NULL), UnhandledExceptionFilter(record), then TerminateProcess(GetCurrentProcess(), 0xC0000409), where 0xC0000409 is STATUS_STACK_BUFFER_OVERRUN. All four CALL DWORD PTR operands (0x404018, 0x404048, 0x40403C, 0x40401C) are IAT slots, since the IAT starts at RVA 0x4000 in .rdata. The report does not print import names, so these identities are inferred from the code shape, not read from the IAT.
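The RVA-to-offset arithmetic and the branch decoding described above, as an added example that is neither PESCAN.IO's code nor SetDPI's. Every constant is transcribed from this report (Information, Sections Info and the entry-point bytes); the decoder handles only the four branch encodings that appear in the listing (E8/E9 rel32 and FF 15/FF 25 abs32) and is not a general x86 disassembler.

```python
"""Added example: map this report's RVAs to file offsets and decode the
entry-point branches. Not PESCAN.IO code; constants copied from the report."""
import struct

IMAGE_BASE = 0x400000       # "ImageBase: 400000"
ENTRY_POINT_RVA = 0x3040    # "EntryPoint (rva): 3040"
IAT_RVA = 0x4000            # "IAT: 4000"

# (name, raw offset, raw size, virtual address, virtual size) from "Sections Info"
SECTIONS = [
    (".text",  0x0400, 0x2E00, 0x1000, 0x2C32),
    (".rdata", 0x3200, 0x1800, 0x4000, 0x17E8),
    (".data",  0x4A00, 0x0200, 0x6000, 0x0444),
    (".rsrc",  0x4C00, 0x0600, 0x7000, 0x04D8),
    (".reloc", 0x5200, 0x0400, 0x8000, 0x0318),
]

# The entry-point bytes printed in the report (two functions back to back).
ENTRY_CODE = bytes.fromhex(
    "E8FA030000E974FEFFFF558BEC6A00FF1518404000FF7508FF154840400068090400C0"
    "FF153C40400050FF151C4040005DC3"
)


def section_for_rva(rva):
    """Return the section record covering `rva`, or None if nothing maps it."""
    for sec in SECTIONS:
        _, _, rsize, voff, vsize = sec
        if voff <= rva < voff + max(vsize, rsize):
            return sec
    return None


def rva_to_offset(rva):
    """RVA -> file offset, refusing RVAs that exist only in memory."""
    sec = section_for_rva(rva)
    if sec is None:
        raise ValueError(f"RVA {rva:#x} is not covered by any section")
    name, roff, rsize, voff, _ = sec
    delta = rva - voff
    if delta >= rsize:
        raise ValueError(f"RVA {rva:#x} is in the zero-filled tail of {name}")
    return roff + delta


def offset_to_rva(offset):
    """File offset -> RVA (inverse of rva_to_offset); overlay bytes have no RVA."""
    for _, roff, rsize, voff, _ in SECTIONS:
        if roff <= offset < roff + rsize:
            return voff + (offset - roff)
    raise ValueError(f"offset {offset:#x} is outside every section (overlay?)")


def overlay_offset():
    """First file offset past the last section's raw data."""
    return max(roff + rsize for _, roff, rsize, _, _ in SECTIONS)


def decode_branches(code, base_rva):
    """Decode leading E8/E9 (rel32) and FF 15/FF 25 ([abs32]) instructions.
    Returns (mnemonic, operand kind, instruction RVA, target) tuples and stops
    at the first opcode it does not know."""
    out, pos = [], 0
    while pos < len(code):
        op = code[pos]
        if op in (0xE8, 0xE9) and pos + 5 <= len(code):
            disp = struct.unpack_from("<i", code, pos + 1)[0]   # signed rel32
            out.append(("CALL" if op == 0xE8 else "JMP", "rel32",
                        base_rva + pos, base_rva + pos + 5 + disp))
            pos += 5
        elif op == 0xFF and pos + 6 <= len(code) and code[pos + 1] in (0x15, 0x25):
            slot = struct.unpack_from("<I", code, pos + 2)[0]   # absolute VA of the slot
            out.append(("CALL" if code[pos + 1] == 0x15 else "JMP", "abs32",
                        base_rva + pos, slot))
            pos += 6
        else:
            break
    return out


def iat_slot_offset(absolute_va):
    """File offset of the IAT slot behind a CALL DWORD PTR [va], after checking
    that the address really is inside the IAT region of .rdata."""
    rva = absolute_va - IMAGE_BASE
    sec = section_for_rva(rva)
    if sec is None or sec[0] != ".rdata" or rva < IAT_RVA:
        raise ValueError(f"{absolute_va:#x} is not an IAT slot")
    return rva_to_offset(rva)


if __name__ == "__main__":
    print(f"entry RVA {ENTRY_POINT_RVA:#x} -> file offset {rva_to_offset(ENTRY_POINT_RVA):#x}")
    for mnem, kind, rva, target in decode_branches(ENTRY_CODE, ENTRY_POINT_RVA):
        print(f"  {rva:#x}: {mnem} {kind} -> {target:#x} in {section_for_rva(target)[0]}")
    print(f"overlay starts at file offset {overlay_offset():#x}")
```

Decoding the same bytes with base 0x1000 reproduces the report's labels 0x13FF and 0xE7E, which is how you can tell the tool's disassembler was not seeded with the entry RVA.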
| Signatures |
Rich Signature Analyzer:
• Code: BAB67687FED718D4FED718D4FED718D4F7AF8BD4F2D718D4F8561DD5E5D718D4F8561CD5F2D718D4F8561BD5FFD718D4F85619D5FAD718D42DA519D5F9D718D4FED719D4A9D718D4945611D5FCD718D49456E7D4FFD718D4FED78FD4FFD718D494561AD5FFD718D452696368FED718D4
• Footprint MD5: 553ACD4CCEC93A00E26BB9C5B42509AB
• The Rich header apparently has not been modified
Certificate / Digital Signature:
• The file is signed and the signature is correct. A correct Authenticode signature only attests that the file has not changed since the certificate holder signed it; it says nothing about whether the code is benign, so the signer identity still has to be checked.
| Packer/Compiler |
Compiler: Microsoft Visual Studio
Detect It Easy (DiE):
• PE: compiler: EP:Microsoft Visual C/C++(2017 v.15.5-6)[EXE32]
• PE: compiler: Microsoft Visual C/C++(-)[-]
• PE: linker: Microsoft Linker(14.38**)[-]
• PE: Sign tool: Windows Authenticode(2.0)[PKCS 7]
• Entropy: 6.68973
The "2017" guess comes from an entry-point byte signature, while linker version 14.38 (the VS 2022 17.8 toolset) is read from the optional header and is the more reliable of the two. The entropy is a whole-file figure and stays below the range that packed or encrypted code normally produces; the Authenticode blob in the overlay is high-entropy data that raises it somewhat.
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |

Both of these imports are present in practically every binary built with the MSVC toolchain: the statically linked CRT startup code uses GetProcAddress to resolve optional API functions and calls IsDebuggerPresent in its fail-fast path. On their own they are not an indicator of anything; they only become interesting if the program's own code uses them.
| File Access |
Command strings:
• start explorer.exe
• taskkill /f /im explorer.exe
Imported modules:
• api-ms-win-crt-locale-l1-1-0.dll, api-ms-win-crt-stdio-l1-1-0.dll, api-ms-win-crt-math-l1-1-0.dll, api-ms-win-crt-heap-l1-1-0.dll, api-ms-win-crt-convert-l1-1-0.dll, api-ms-win-crt-runtime-l1-1-0.dll (Universal CRT API sets)
• VCRUNTIME140.dll, MSVCP140.dll (Visual C++ runtime)
• ADVAPI32.dll, USER32.dll, KERNEL32.dll
Other strings: .dat, @.dat
The two command strings force-kill and restart the shell. Together with the ADVAPI32 import and the RegOpenKeyEx/RegSetValueEx strings matched below, this is consistent with a tool that writes a DPI setting to the registry and restarts explorer.exe so it takes effect, but it also means the program terminates a user process with /f; treat that as expected behaviour only if the user knows this is SetDPI.
| File Access (UNICODE) |
| SetDpi.exe |
| Words of Interest |
• taskkill
• exec
• taskkill
• start
• ping
| URLs |
• http://crl.comodoca.com/AAACertificateServices.crl
• http://ocsp.comodoca.com
• http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl
• http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt
• http://ocsp.sectigo.com
• http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl
• http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0
• http://crl.sectigo.com/SectigoRSATimeStampingCA.crl
• http://crt.sectigo.com/SectigoRSATimeStampingCA.crt
• http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl
• http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt
• http://ocsp.usertrust.com
• https://sectigo.com/CPS0
Every URL here is a CRL, OCSP, CA-certificate or CPS endpoint from the Sectigo/Comodo/USERTrust certificate chain embedded in the Authenticode signature. They are contacted, if at all, by Windows during signature validation, not by the program's own code, and should not be read as command-and-control infrastructure. The trailing "0" on the .p7c and /CPS entries is the next DER byte (0x30) picked up by the string extractor; the real URLs end in .p7c and /CPS.
| Known IP/Domains |
• gmail.com (found as a string only; the report shows no network code referencing it, so this is most likely part of an e-mail address in the certificate or build metadata rather than a host the program contacts)
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | Registry (RegOpenKeyEx) |
| Text | Ascii | Registry (RegSetValueEx) |
| Text | Ascii | Anti-Analysis VM (IsDebuggerPresent) |
| Text | Ascii | Antivirus Software (comodo) |
| Text | Ascii | Malicious rerouting of traffic to an attacker-controlled site (Redirect) |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | Microsoft Visual C++ v7.0 |
| Entry Point | Hex Pattern | PE-Exe Executable Image |
| Entry Point | Hex Pattern | VC8 - Microsoft Corporation |

How to read these matches: the two Registry hits are import names (RegOpenKeyEx/RegSetValueEx from ADVAPI32). The "Anti-Analysis VM" rule fired on IsDebuggerPresent, which is an anti-debugging API imported by the MSVC CRT itself (see Suspicious Functions) and has nothing to do with VM detection. "comodo" matches the crl.comodoca.com URL inside the certificate chain, not antivirus-related code. "Redirect" is a bare substring match; nothing else in this report points to rerouting of traffic. The entry-point patterns all say the same thing, that the startup stub is the MSVC CRT's; the older VC++ 7/8 labels still match because that stub has changed little across toolsets.
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \VERSION\1\1033 | 70A0 | 2B8 | 4CA0 | B80234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000100 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \24\1\1033 | 7358 | 17D | 4F58 | 3C3F786D6C2076657273696F6E3D27312E302720656E636F64696E673D275554462D3827207374616E64616C6F6E653D2779 | <?xml version='1.0' encoding='UTF-8' standalone='y |

Resource type 24 is RT_MANIFEST, so the second entry is the application manifest that yields the asInvoker UAC level listed under Information; the first is the RT_VERSION block behind the Description section. Both sit in .rsrc (RVA 0x7000, file offset 0x4C00), and the DataRVA/FileOffset pairs differ by exactly 0x2400, as the section table predicts.
| Intelligent String |
• SetDpi.exe
• 1.1.0.0
• api-ms-win-crt-heap-l1-1-0.dll
• api-ms-win-crt-convert-l1-1-0.dll
• jterminateapi-ms-win-crt-runtime-l1-1-0.dll (appears to be the string "terminate" run together with the following DLL name by the extractor)
• taskkill /f /im explorer.exe
• start explorer.exe
• C:\Users\Ferch\source\repos\SetDPI\Release\SetDpi.pdb (the PDB path leaks the builder's Windows user name and project layout, a useful attribution artifact)
• .bss
• KERNEL32.dll
• USER32.dll
• api-ms-win-crt-math-l1-1-0.dll
• api-ms-win-crt-stdio-l1-1-0.dll
• api-ms-win-crt-locale-l1-1-0.dll
| Flow Anomalies |
Every target in this table is an absolute address between 0x404000 and 0x404154, i.e. RVA 0x4000 to 0x4154, which is the IAT region at the start of .rdata (IAT: 4000). CALL DWORD PTR [slot] and the run of JMP DWORD PTR [slot] thunks (31 consecutive 6-byte FF 25 entries from 2D84 to 2E38) are the normal import mechanism of an MSVC binary. The tool lists them because it flags any indirect transfer through an absolute address; they are not evidence of injected or obfuscated control flow. A target outside the IAT, or inside a writable section, would be the thing worth a closer look.
| Offset | RVA | Section | Type | Description |
|---|---|---|---|---|
| 41E | 404094 | .text | CALL [static] | Indirect call to absolute memory address |
| 450 | 4040B4 | .text | CALL [static] | Indirect call to absolute memory address |
| 48A | 4040B4 | .text | CALL [static] | Indirect call to absolute memory address |
| 4FE | 404094 | .text | CALL [static] | Indirect call to absolute memory address |
| 53E | 404094 | .text | CALL [static] | Indirect call to absolute memory address |
| 5C7 | 40408C | .text | CALL [static] | Indirect call to absolute memory address |
| 7B3 | 4040F0 | .text | CALL [static] | Indirect call to absolute memory address |
| 998 | 4040F0 | .text | CALL [static] | Indirect call to absolute memory address |
| 9B5 | 40406C | .text | CALL [static] | Indirect call to absolute memory address |
| 9C5 | 40406C | .text | CALL [static] | Indirect call to absolute memory address |
| AC6 | 404084 | .text | CALL [static] | Indirect call to absolute memory address |
| B35 | 404088 | .text | CALL [static] | Indirect call to absolute memory address |
| DB0 | 40408C | .text | CALL [static] | Indirect call to absolute memory address |
| 10B3 | 4040F0 | .text | CALL [static] | Indirect call to absolute memory address |
| 11F9 | 4040C4 | .text | CALL [static] | Indirect call to absolute memory address |
| 1255 | 4040C4 | .text | CALL [static] | Indirect call to absolute memory address |
| 130D | 40405C | .text | CALL [static] | Indirect call to absolute memory address |
| 1348 | 4040F0 | .text | CALL [static] | Indirect call to absolute memory address |
| 13B3 | 404078 | .text | CALL [static] | Indirect call to absolute memory address |
| 13CC | 404078 | .text | CALL [static] | Indirect call to absolute memory address |
| 14BB | 404080 | .text | CALL [static] | Indirect call to absolute memory address |
| 150F | 404004 | .text | CALL [static] | Indirect call to absolute memory address |
| 1526 | 404000 | .text | CALL [static] | Indirect call to absolute memory address |
| 152F | 404008 | .text | CALL [static] | Indirect call to absolute memory address |
| 154B | 404014 | .text | CALL [static] | Indirect call to absolute memory address |
| 155B | 404010 | .text | CALL [static] | Indirect call to absolute memory address |
| 156B | 40403C | .text | CALL [static] | Indirect call to absolute memory address |
| 1589 | 404034 | .text | CALL [static] | Indirect call to absolute memory address |
| 15A1 | 404020 | .text | CALL [static] | Indirect call to absolute memory address |
| 162B | 4040F0 | .text | CALL [static] | Indirect call to absolute memory address |
| 16A1 | 4040F0 | .text | CALL [static] | Indirect call to absolute memory address |
| 16FB | 4040F0 | .text | CALL [static] | Indirect call to absolute memory address |
| 175D | 4040F0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1795 | 404074 | .text | CALL [static] | Indirect call to absolute memory address |
| 17A1 | 404050 | .text | CALL [static] | Indirect call to absolute memory address |
| 1A07 | 4040F0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1B00 | 404064 | .text | CALL [static] | Indirect call to absolute memory address |
| 1B1B | 404054 | .text | CALL [static] | Indirect call to absolute memory address |
| 1B28 | 404064 | .text | CALL [static] | Indirect call to absolute memory address |
| 1B7E | 404068 | .text | CALL [static] | Indirect call to absolute memory address |
| 1BA7 | 404060 | .text | CALL [static] | Indirect call to absolute memory address |
| 1BF1 | 404068 | .text | CALL [static] | Indirect call to absolute memory address |
| 1C15 | 404058 | .text | CALL [static] | Indirect call to absolute memory address |
| 1C38 | 404058 | .text | CALL [static] | Indirect call to absolute memory address |
| 1C3E | 404074 | .text | CALL [static] | Indirect call to absolute memory address |
| 1C4D | 404050 | .text | CALL [static] | Indirect call to absolute memory address |
| 1DC6 | 4040F0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1F94 | 4040F0 | .text | CALL [static] | Indirect call to absolute memory address |
| 2166 | 4040F0 | .text | CALL [static] | Indirect call to absolute memory address |
| 2376 | 404154 | .text | CALL [static] | Indirect call to absolute memory address |
| 244F | 404018 | .text | CALL [static] | Indirect call to absolute memory address |
| 2458 | 404048 | .text | CALL [static] | Indirect call to absolute memory address |
| 2463 | 40403C | .text | CALL [static] | Indirect call to absolute memory address |
| 246A | 40401C | .text | CALL [static] | Indirect call to absolute memory address |
| 247D | 404038 | .text | CALL [static] | Indirect call to absolute memory address |
| 2804 | 404030 | .text | CALL [static] | Indirect call to absolute memory address |
| 2813 | 40402C | .text | CALL [static] | Indirect call to absolute memory address |
| 281C | 404028 | .text | CALL [static] | Indirect call to absolute memory address |
| 2829 | 404024 | .text | CALL [static] | Indirect call to absolute memory address |
| 289C | 404040 | .text | CALL [static] | Indirect call to absolute memory address |
| 2917 | 404038 | .text | CALL [static] | Indirect call to absolute memory address |
| 29E3 | 404044 | .text | CALL [static] | Indirect call to absolute memory address |
| 29FC | 404018 | .text | CALL [static] | Indirect call to absolute memory address |
| 2A06 | 404048 | .text | CALL [static] | Indirect call to absolute memory address |
| 2A27 | 404014 | .text | CALL [static] | Indirect call to absolute memory address |
| 2A6C | 404018 | .text | CALL [static] | Indirect call to absolute memory address |
| 2AEA | 404154 | .text | CALL [static] | Indirect call to absolute memory address |
| 2B16 | 404154 | .text | CALL [static] | Indirect call to absolute memory address |
| 2BBA | 404038 | .text | CALL [static] | Indirect call to absolute memory address |
| 2D84 | 40409C | .text | JMP [static] | Indirect jump to absolute memory address |
| 2D8A | 4040B8 | .text | JMP [static] | Indirect jump to absolute memory address |
| 2D90 | 4040BC | .text | JMP [static] | Indirect jump to absolute memory address |
| 2D96 | 4040B0 | .text | JMP [static] | Indirect jump to absolute memory address |
| 2D9C | 4040AC | .text | JMP [static] | Indirect jump to absolute memory address |
| 2DA2 | 4040A8 | .text | JMP [static] | Indirect jump to absolute memory address |
| 2DA8 | 404098 | .text | JMP [static] | Indirect jump to absolute memory address |
| 2DAE | 4040D0 | .text | JMP [static] | Indirect jump to absolute memory address |
| 2DB4 | 4040D4 | .text | JMP [static] | Indirect jump to absolute memory address |
| 2DBA | 4040CC | .text | JMP [static] | Indirect jump to absolute memory address |
| 2DC0 | 404134 | .text | JMP [static] | Indirect jump to absolute memory address |
| 2DC6 | 404130 | .text | JMP [static] | Indirect jump to absolute memory address |
| 2DCC | 4040E8 | .text | JMP [static] | Indirect jump to absolute memory address |
| 2DD2 | 404128 | .text | JMP [static] | Indirect jump to absolute memory address |
| 2DD8 | 404124 | .text | JMP [static] | Indirect jump to absolute memory address |
| 2DDE | 404120 | .text | JMP [static] | Indirect jump to absolute memory address |
| 2DE4 | 404140 | .text | JMP [static] | Indirect jump to absolute memory address |
| 2DEA | 404138 | .text | JMP [static] | Indirect jump to absolute memory address |
| 2DF0 | 404118 | .text | JMP [static] | Indirect jump to absolute memory address |
| 2DF6 | 40410C | .text | JMP [static] | Indirect jump to absolute memory address |
| 2DFC | 404148 | .text | JMP [static] | Indirect jump to absolute memory address |
| 2E02 | 40411C | .text | JMP [static] | Indirect jump to absolute memory address |
| 2E08 | 404114 | .text | JMP [static] | Indirect jump to absolute memory address |
| 2E0E | 40412C | .text | JMP [static] | Indirect jump to absolute memory address |
| 2E14 | 404110 | .text | JMP [static] | Indirect jump to absolute memory address |
| 2E1A | 4040FC | .text | JMP [static] | Indirect jump to absolute memory address |
| 2E20 | 4040E0 | .text | JMP [static] | Indirect jump to absolute memory address |
| 2E26 | 4040D8 | .text | JMP [static] | Indirect jump to absolute memory address |
| 2E2C | 40414C | .text | JMP [static] | Indirect jump to absolute memory address |
| 2E32 | 4040F4 | .text | JMP [static] | Indirect jump to absolute memory address |
| 2E38 | 4040F8 | .text | JMP [static] | Indirect jump to absolute memory address |

| Overlay |
| Offset | RVA | Region | First Bytes | Text |
|---|---|---|---|---|
| 5600 | N/A | *Overlay* | F027000000020200308227E206092A864886F70D | .'......0.'...*.H... |
The overlay begins right after the raw data of .reloc (0x5200 + 0x400) and has no RVA because it is never mapped. Its first 8 bytes are a WIN_CERTIFICATE header: dwLength 0x27F0, wRevision 0x0200, wCertificateType 0x0002 (WIN_CERT_TYPE_PKCS_SIGNED_DATA). They are followed by a DER SEQUENCE of length 0x27E2 (30 82 27 E2) whose first element is an OID under the 1.2.840.113549 (PKCS) arc, as expected for a PKCS#7 SignedData blob, so this overlay is the Authenticode signature reported under Signatures. 0x5600 + 0x27F0 = 0x7DF0 = 32,240 bytes, which matches the reported size of 31.48 KB, so there is no data hidden after the signature.
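The two checks discussed in this table, that every flagged target is an IAT slot and that the overlay is nothing but the Authenticode blob, as an added example that is neither PESCAN.IO's code nor SetDPI's. The target addresses, thunk offsets and overlay bytes are transcribed from the rows above; the report does not print the IAT size, so the IAT is assumed to extend to the end of .rdata (an assumption, and a conservative one for this check). The DER and OID decoding is standard ASN.1.

```python
"""Added example: classify the "Flow Anomalies" targets against the IAT and
parse the WIN_CERTIFICATE header at the overlay. Not PESCAN.IO code."""
import struct

IMAGE_BASE = 0x400000
IAT_RVA = 0x4000                            # "IAT: 4000"
RDATA_VA, RDATA_VSIZE = 0x4000, 0x17E8      # .rdata bounds from Sections Info
IAT_END = RDATA_VA + RDATA_VSIZE            # assumption: IAT ends with .rdata
OVERLAY_OFFSET = 0x5600                     # end of .reloc raw data
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002

# Unique absolute targets of every CALL [static] / JMP [static] row.
STATIC_TARGETS = [
    0x404000, 0x404004, 0x404008, 0x404010, 0x404014, 0x404018, 0x40401C,
    0x404020, 0x404024, 0x404028, 0x40402C, 0x404030, 0x404034, 0x404038,
    0x40403C, 0x404040, 0x404044, 0x404048, 0x404050, 0x404054, 0x404058,
    0x40405C, 0x404060, 0x404064, 0x404068, 0x40406C, 0x404074, 0x404078,
    0x404080, 0x404084, 0x404088, 0x40408C, 0x404094, 0x404098, 0x40409C,
    0x4040A8, 0x4040AC, 0x4040B0, 0x4040B4, 0x4040B8, 0x4040BC, 0x4040C4,
    0x4040CC, 0x4040D0, 0x4040D4, 0x4040D8, 0x4040E0, 0x4040E8, 0x4040F0,
    0x4040F4, 0x4040F8, 0x4040FC, 0x40410C, 0x404110, 0x404114, 0x404118,
    0x40411C, 0x404120, 0x404124, 0x404128, 0x40412C, 0x404130, 0x404134,
    0x404138, 0x404140, 0x404148, 0x40414C, 0x404154,
]
# File offsets of the JMP [static] rows (each is FF 25 disp32, 6 bytes).
JMP_THUNK_OFFSETS = [
    0x2D84, 0x2D8A, 0x2D90, 0x2D96, 0x2D9C, 0x2DA2, 0x2DA8, 0x2DAE, 0x2DB4,
    0x2DBA, 0x2DC0, 0x2DC6, 0x2DCC, 0x2DD2, 0x2DD8, 0x2DDE, 0x2DE4, 0x2DEA,
    0x2DF0, 0x2DF6, 0x2DFC, 0x2E02, 0x2E08, 0x2E0E, 0x2E14, 0x2E1A, 0x2E20,
    0x2E26, 0x2E2C, 0x2E32, 0x2E38,
]
# First 20 overlay bytes as printed in the report.
OVERLAY_HEAD = bytes.fromhex("F027000000020200308227E206092A864886F70D")


def is_iat_slot(va):
    """True if the absolute VA falls inside the (assumed) IAT region."""
    return IAT_RVA <= va - IMAGE_BASE < IAT_END


def targets_outside_iat(targets):
    """The subset of targets that would deserve manual review."""
    return [va for va in targets if not is_iat_slot(va)]


def thunk_runs(offsets, stride=6):
    """Group file offsets into runs spaced exactly `stride` apart; an import
    thunk table shows up as one long run of 6-byte JMP [slot] entries."""
    runs = []
    for off in sorted(offsets):
        if runs and off == runs[-1][0] + stride * runs[-1][1]:
            runs[-1] = (runs[-1][0], runs[-1][1] + 1)
        else:
            runs.append((off, 1))
    return runs


def decode_oid(body):
    """Dotted form of a DER OID body; a trailing partial arc is dropped."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_win_certificate(head, overlay_offset):
    """Parse WIN_CERTIFICATE {dwLength, wRevision, wCertificateType} and the
    start of the PKCS#7 DER that follows; returns the decoded fields plus the
    file size the header implies."""
    length, revision, cert_type = struct.unpack_from("<IHH", head, 0)
    if revision != 0x0200 or cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        raise ValueError("not a revision 2.0 PKCS#7 Authenticode entry")
    der = head[8:]
    if len(der) < 6 or der[0] != 0x30 or der[1] != 0x82 or der[4] != 0x06:
        raise ValueError("expected SEQUENCE (2-byte length) starting with an OID")
    der_len = struct.unpack_from(">H", der, 2)[0]
    padding = length - 8 - (4 + der_len)        # WIN_CERTIFICATE is 8-byte aligned
    if not 0 <= padding < 8:
        raise ValueError("DER length does not fit dwLength")
    oid_len = der[5]
    oid_body = der[6:6 + oid_len]               # may be cut short in a dump
    return {
        "length": length, "revision": revision, "cert_type": cert_type,
        "der_len": der_len, "padding": padding,
        "oid_prefix": decode_oid(oid_body), "oid_truncated": len(oid_body) < oid_len,
        "file_size": overlay_offset + length,
    }


def size_kb(n_bytes):
    """Size in KB rounded the way the report prints it."""
    return round(n_bytes / 1024, 2)


if __name__ == "__main__":
    print("targets outside IAT:", [hex(v) for v in targets_outside_iat(STATIC_TARGETS)])
    print("JMP thunk runs (start, count):", [(hex(s), n) for s, n in thunk_runs(JMP_THUNK_OFFSETS)])
    info = parse_win_certificate(OVERLAY_HEAD, OVERLAY_OFFSET)
    print(f"signature length {info['length']:#x}, file size {info['file_size']} bytes "
          f"= {size_kb(info['file_size'])} KB, OID {info['oid_prefix']}...")
```

If `targets_outside_iat` ever returns a non-empty list on a sample, or the implied file size disagrees with the real size, that is the point at which the "flow anomaly" label starts to mean something.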
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 19273 | 59.78% |
| Null Byte Code | 6390 | 19.82% |
Percentages are of the 32,240-byte file.
© 2026 All rights reserved.