PREMIUM PESCAN.IO - Analysis Report
| File Structure |
PE chart legend:
- Header PE (light blue)
- Executable sections (pink)
- Non-executable sections (black)
- External injected code (red)
- File Structure shown in red = malformed or corrupted header

Chart legend for other file types:
- Printable characters (blue)
- Non-printable characters (black)
| Information |
- Size: 1,11 MB
- SHA-256 Hash: 216989F56970E3EA045773224E82B2AFE78ED29E49DF7D044D5A5992D622D881
- SHA-1 Hash: 014D05419630657865E5F08A5FB4EBB92351018D
- MD5 Hash: EBA8ACC9E751D06D0E49093D2A8F5E93
- Imphash: 551AF7F202E2768C63B16F27EADD2D27
- MajorOSVersion: 6
- MinorOSVersion: 0
- CheckSum: 00000000
- EntryPoint (rva): 138C
- SizeOfHeaders: 600
- SizeOfImage: 134000
- ImageBase: 400000
- Architecture: x86
- ExportTable: 117000
- ImportTable: 115000
- Characteristics: 230E
- TimeDateStamp: 69B771FB
- Date: 16/03/2026 2:59:07
- File Type: DLL
- Number Of Sections: 8
- ASLR: Enabled
- Section Names: .text, .data, .tls, .idata, .didata, .edata, .rsrc, .reloc
- Number Of Executable Sections: 1
- Subsystem: Windows Console
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 0x60000020 Code Executable Readable | 600 | F6400 | 1000 | F7000 | | |
| .data | 0xC0000040 Initialized Data Readable Writeable | F6A00 | 8A00 | F8000 | 1C000 | | |
| .tls | 0xC0000040 Initialized Data Readable Writeable | FF400 | 400 | 114000 | 1000 | | |
| .idata | 0x40000040 Initialized Data Readable | FF800 | 1000 | 115000 | 1000 | | |
| .didata | 0xC0000040 Initialized Data Readable Writeable | 100800 | 200 | 116000 | 1000 | | |
| .edata | 0x40000040 Initialized Data Readable | 100A00 | 200 | 117000 | 1000 | | |
| .rsrc | 0x40000040 Initialized Data Readable | 100C00 | 6A00 | 118000 | 7000 | | |
| .reloc | 0x50000040 Initialized Data Discardable Readable | 107600 | 14400 | 11F000 | 15000 | | |
| Description |
- OriginalFilename: dlcore.dll
- CompanyName: Tencent Technology (Shenzhen) Company Limited
- LegalCopyright: Copyright 2016 Tencent. All Rights Reserved.
- ProductName: Tencentdl Module
- FileVersion: 1, 9, 656, 401
- FileDescription: dlcore.dll
- ProductVersion: 1, 9, 656, 401
- Language: Chinese (People's Republic of China) (ID=0x804)
- CodePage: Unknown (0x3A8)
| Entry Point |
Section 1 (.text) contains the entry point.
- EntryPoint (calculated): 98C
- Code: EB1066623A432B2B484F4F4B90E910814F00A197804F00C1E002A39B804F008B442408A309814F00FF1485F9804F00833D09
- Assembler:

```
JMP 0X1012
BOUND DI, DWORD PTR [EDX]
INC EBX
SUB EBP, DWORD PTR [EBX]
DEC EAX
DEC EDI
DEC EDI
DEC EBX
NOP
JMP 0X4F9122
MOV EAX, DWORD PTR [0X4F8097]
SHL EAX, 2
MOV DWORD PTR [0X4F809B], EAX
MOV EAX, DWORD PTR [ESP + 8]
MOV DWORD PTR [0X4F8109], EAX
CALL DWORD PTR [EAX*4 + 0X4F80F9]
```
| Signatures |
- Certificate: Digital Signature Not Found (the file is not signed)
| Packer/Compiler |
Detect It Easy (die):
- PE: compiler: Borland C++(Builder)[-]
- PE: linker: Turbo Linker(5.0)[-]
- Entropy: 6.65858
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | GetModuleFileNameA | Retrieves the fully qualified path for the executable file of a specified module. |
| KERNEL32.DLL | VirtualAlloc | Reserve, commit, or both, a region of memory within the virtual address space of a process. |
| KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | LoadLibraryW | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | CreateToolhelp32Snapshot | Creates a snapshot of the specified processes, heaps, threads, and modules. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | CreateFileA | Creates or opens a file or I/O device. |
| KERNEL32.DLL | DeleteFileA | Deletes an existing file. |
| KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |
| ET Functions (carving) |
Original Name -> 585276.dll
- TMethodImplementationIntercept
- _RigsterHook@0
- _UnRigsterHook@0
- ___CPPdebugHook
- ___setRaiseListFuncAddr
- __dbk_fcall_wrapper
- dbkFCallWrapperAddr
| Windows REG |
| System\@ |
| Windows REG (UNICODE) |
- Software\Embarcadero\Locales
- Software\CodeGear\Locales
- Software\Borland\Locales
- Software\Borland\Delphi\Locales
- SOFTWARE\Microsoft\Windows NT\CurrentVersion
| File Access |
- cmd.exe
- VqqSpeedDl.DLL
- 585276.dll
- USER32.DLL
- KERNEL32.DLL
- OLEAUT32.DLL
- OLE32.DLL
- ADVAPI32.DLL
- System.Sys
- System.Sys
- ?System.Sys
- AddStrings(Strings.dat
- .dat
- Temp
| File Access (UNICODE) |
- kernel32.dll
- dlcore.dll
- oleaut32.dll
- NTDLL.DLL
- GetLogicalProcessorInformationkernel32.dll
- ntdll.dll
| Interest's Words |
exec, attrib, start, pause, shutdown, systeminfo, expand, replace, route
| Interest's Words (UNICODE) |
exec, start, ping, expand
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | WinAPI Sockets (connect) |
| Text | Ascii | Registry (RegOpenKeyEx) |
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | File (ReadFile) |
| Text | Ascii | Anti-Analysis VM (IsDebuggerPresent) |
| Text | Ascii | Anti-Analysis VM (GetSystemInfo) |
| Text | Ascii | Anti-Analysis VM (GetVersion) |
| Text | Ascii | Anti-Analysis VM (CreateToolhelp32Snapshot) |
| Text | Ascii | Reconnaissance (FindFirstFileW) |
| Text | Ascii | Reconnaissance (FindClose) |
| Text | Ascii | Stealth (ExitThread) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Stealth (VirtualAlloc) |
| Text | Ascii | Execution (CreateProcessA) |
| Text | Ascii | Execution (ResumeThread) |
| Text | Ascii | Execution (CreateEventW) |
| Text | Ascii | Process of gathering information about network resources (Enumeration) |
| Text | Ascii | Person or system used to launder stolen money (Mule) |
| Text | Ascii | Technique used to capture communications between systems (Intercept) |
| Entry Point | Hex Pattern | Borland C++ DLL |
| Entry Point | Hex Pattern | Borland C++ DLL |
| Entry Point | Hex Pattern | Borland C++ DLL |
| Entry Point | Hex Pattern | Borland C++ |
| Entry Point | Hex Pattern | Borland Delphi 4.0 |
| Entry Point | Hex Pattern | MEW 10 packer v1.0 - Northfox |
| Entry Point | Hex Pattern | Microsoft Visual C++ v7.0 |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \REGISTRY\101\0 | 118490 | 7D | 101090 | 484B43520D0A7B0D0A094E6F52656D6F76652041707049440D0A097B0D0A0909272541505049442527203D20732027567171 | HKCR..{...NoRemove AppID...{....'%APPID%' = s 'Vqq |
| \REGISTRY\102\0 | 118510 | 26F | 101110 | 484B43520D0A7B0D0A095671715370656564446C2E567171446F776E6C6F61642E31203D20732027567171446F776E6C6F61 | HKCR..{...VqqSpeedDl.VqqDownload.1 = s 'VqqDownloa |
| \TYPELIB\1\2052 | 118780 | 31B4 | 101380 | 4D53465402000100000000000904000000000000410000000100000000000000020000000000000000000000000000009A00 | MSFT................A............................. |
| \STRING\7\2052 | 11B934 | 34 | 104534 | 00000000000000000A005600710071005300700065006500640044006C0000000000000000000000000000000000000000000000 | ..........V.q.q.S.p.e.e.d.D.l....................... |
| \STRING\4084\0 | 11B968 | 4D4 | 104568 | 0B00570069006E0064006F0077007300200038002E0031000A00570069006E0064006F00770073002000310030000A005700 | ..W.i.n.d.o.w.s. .8...1...W.i.n.d.o.w.s. .1.0...W. |
| \STRING\4085\0 | 11BE3C | 23C | 104A3C | 0E00360034002D006200690074002000450064006900740069006F006E000700570069006E0064006F00770073000D005700 | ..6.4.-.b.i.t. .E.d.i.t.i.o.n...W.i.n.d.o.w.s...W. |
| \STRING\4086\0 | 11C078 | 4E8 | 104C78 | 620054006800650020006400750072006100740069006F006E002000630061006E006E006F00740020006200650020007200 | b.T.h.e. .d.u.r.a.t.i.o.n. .c.a.n.n.o.t. .b.e. .r. |
| \STRING\4087\0 | 11C560 | 52C | 105160 | 190054006800720065006100640020006300720065006100740069006F006E0020006500720072006F0072003A0020002500 | ..T.h.r.e.a.d. .c.r.e.a.t.i.o.n. .e.r.r.o.r.:. .%. |
| \STRING\4088\0 | 11CA8C | 3B0 | 10568C | 160049006E00760061006C00690064002000700072006F00700065007200740079002000760061006C007500650015004900 | ..I.n.v.a.l.i.d. .p.r.o.p.e.r.t.y. .v.a.l.u.e...I. |
| \STRING\4089\0 | 11CE3C | 460 | 105A3C | 110049006E00760061006C0069006400200063006F006400650020007000610067006500150049006E00760061006C006900 | ..I.n.v.a.l.i.d. .c.o.d.e. .p.a.g.e...I.n.v.a.l.i. |
| \STRING\4090\0 | 11D29C | 1F0 | 105E9C | 0300540068007500030046007200690003005300610074000600530075006E0064006100790006004D006F006E0064006100 | ..T.h.u...F.r.i...S.a.t...S.u.n.d.a.y...M.o.n.d.a. |
| \STRING\4091\0 | 11D48C | EC | 10608C | 07004A0061006E00750061007200790008004600650062007200750061007200790005004D00610072006300680005004100 | ..J.a.n.u.a.r.y...F.e.b.r.u.a.r.y...M.a.r.c.h...A. |
| \STRING\4092\0 | 11D578 | 19C | 106178 | 0E004100620073007400720061006300740020004500720072006F0072003F00410063006300650073007300200076006900 | ..A.b.s.t.r.a.c.t. .E.r.r.o.r.?.A.c.c.e.s.s. .v.i. |
| \STRING\4093\0 | 11D714 | 3A4 | 106314 | 350043006F0075006C00640020006E006F007400200063006F006E0076006500720074002000760061007200690061006E00 | 5.C.o.u.l.d. .n.o.t. .c.o.n.v.e.r.t. .v.a.r.i.a.n. |
| \STRING\4094\0 | 11DAB8 | 400 | 1066B8 | 2200560061007200690061006E00740020006D006500740068006F0064002000630061006C006C00730020006E006F007400 | ".V.a.r.i.a.n.t. .m.e.t.h.o.d. .c.a.l.l.s. .n.o.t. |
| \STRING\4095\0 | 11DEB8 | 388 | 106AB8 | 100049006E007400650067006500720020006F0076006500720066006C006F007700200049006E00760061006C0069006400 | ..I.n.t.e.g.e.r. .o.v.e.r.f.l.o.w. .I.n.v.a.l.i.d. |
| \STRING\4096\0 | 11E240 | 2B4 | 106E40 | 09003C0075006E006B006E006F0077006E003E002100270025007300270020006900730020006E006F007400200061002000 | ..<.u.n.k.n.o.w.n.>.!.'.%.s.'. .i.s. .n.o.t. .a. . |
| \RCDATA\DVCLAL\0 | 11E4F4 | 10 | 1070F4 | 263D4F38C28237B8F3244203179B3A83 | &=O8..7..$B...:. |
| \VERSION\1\2052 | 11E504 | 368 | 107104 | 680334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000900 | h.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \24\2\1033 | 11E86C | 56 | 10746C | 3C617373656D626C7920786D6C6E733D2275726E3A736368656D61732D6D6963726F736F66742D636F6D3A61736D2E763122206D616E696665737456657273696F6E3D22312E30223E0D0A3C2F617373656D626C793E | <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">..</assembly> |
| Intelligent String |
- dlcore.dll
- user32.dll
- kernel32.dll
- oleaut32.dll
- ole32.dll
- advapi32.dll
- .tls
- ntdll.dll
- NTDLL.DLL
- :\HCreate
| Flow Anomalies |
| Offset | RVA | Section | Type | Description |
|---|---|---|---|---|
| A6F | 50FCFC | .text | CALL [static] | Indirect call to absolute memory address |
| CE5 | 500834 | .text | CALL [static] | Indirect call to absolute memory address |
| D0D | 500834 | .text | CALL [static] | Indirect call to absolute memory address |
| D3F | 500838 | .text | CALL [static] | Indirect call to absolute memory address |
| DCC | 500834 | .text | CALL [static] | Indirect call to absolute memory address |
| E3E | 500838 | .text | CALL [static] | Indirect call to absolute memory address |
| E8C | 500834 | .text | CALL [static] | Indirect call to absolute memory address |
| 11EBC | 4F97E8 | .text | CALL [static] | Indirect call to absolute memory address |
| 11ED4 | 4F97DC | .text | CALL [static] | Indirect call to absolute memory address |
| 11EF0 | 4F97E0 | .text | CALL [static] | Indirect call to absolute memory address |
| 11F11 | 4F97E4 | .text | CALL [static] | Indirect call to absolute memory address |
| 11F2A | 4F97E0 | .text | CALL [static] | Indirect call to absolute memory address |
| 11F43 | 4F97DC | .text | CALL [static] | Indirect call to absolute memory address |
| 12027 | 5008B8 | .text | CALL [static] | Indirect call to absolute memory address |
| 12086 | 5008A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 12874 | 5008CC | .text | CALL [static] | Indirect call to absolute memory address |
| 12CFA | FFC0 | .text | JMP [static] | Indirect jump to absolute memory address |
| 1411C | 5008AC | .text | CALL [static] | Indirect call to absolute memory address |
| 1413A | 5008AC | .text | CALL [static] | Indirect call to absolute memory address |
| 14152 | 5008AC | .text | CALL [static] | Indirect call to absolute memory address |
| 141C4 | 5008AC | .text | CALL [static] | Indirect call to absolute memory address |
| 141E4 | 5008AC | .text | CALL [static] | Indirect call to absolute memory address |
| 14201 | 5008AC | .text | CALL [static] | Indirect call to absolute memory address |
| 142DE | 5008B0 | .text | CALL [static] | Indirect call to absolute memory address |
| 143E3 | 5008A8 | .text | CALL [static] | Indirect call to absolute memory address |
| 14466 | 5008B0 | .text | CALL [static] | Indirect call to absolute memory address |
| 14606 | 5008AC | .text | JMP [static] | Indirect jump to absolute memory address |
| 1478C | 5008B0 | .text | CALL [static] | Indirect call to absolute memory address |
| 14A8F | 500BF4 | .text | CALL [static] | Indirect call to absolute memory address |
| 14C0C | 5008C8 | .text | CALL [static] | Indirect call to absolute memory address |
| 14CB5 | 4F9080 | .text | CALL [static] | Indirect call to absolute memory address |
| 14D1A | 4F9084 | .text | CALL [static] | Indirect call to absolute memory address |
| 1615D | 4F9064 | .text | CALL [static] | Indirect call to absolute memory address |
| 16819 | 4F9068 | .text | CALL [static] | Indirect call to absolute memory address |
| 16900 | 4F906C | .text | CALL [static] | Indirect call to absolute memory address |
| 1862F | 5034A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1864C | 5034A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1866D | 5034A8 | .text | CALL [static] | Indirect call to absolute memory address |
| 186CB | 5034A4 | .text | CALL [static] | Indirect call to absolute memory address |
| 18728 | 5034A4 | .text | CALL [static] | Indirect call to absolute memory address |
| 1875B | 5034A4 | .text | CALL [static] | Indirect call to absolute memory address |
| 1AB61 | 4F9090 | .text | CALL [static] | Indirect call to absolute memory address |
| 317CB | 503FA0 | .text | CALL [static] | Indirect call to absolute memory address |
| 31810 | 503F9C | .text | CALL [static] | Indirect call to absolute memory address |
| 31864 | 503F98 | .text | CALL [static] | Indirect call to absolute memory address |
| 32851 | 5041FC | .text | CALL [static] | Indirect call to absolute memory address |
| 336A1 | 4F9DDC | .text | CALL [static] | Indirect call to absolute memory address |
| 3CC1C | 506674 | .text | CALL [static] | Indirect call to absolute memory address |
| 3D4E0 | 50667C | .text | CALL [static] | Indirect call to absolute memory address |
| 3D5B0 | 506678 | .text | CALL [static] | Indirect call to absolute memory address |
| 3DCAE | 506678 | .text | CALL [static] | Indirect call to absolute memory address |
| 3E85A | 506678 | .text | CALL [static] | Indirect call to absolute memory address |
| 3F1B6 | 506678 | .text | CALL [static] | Indirect call to absolute memory address |
| 3F826 | 506678 | .text | CALL [static] | Indirect call to absolute memory address |
| 40126 | 506678 | .text | CALL [static] | Indirect call to absolute memory address |
| 40806 | 506678 | .text | CALL [static] | Indirect call to absolute memory address |
| 4122D | 506678 | .text | CALL [static] | Indirect call to absolute memory address |
| 41BCD | 506678 | .text | CALL [static] | Indirect call to absolute memory address |
| 424CD | 506678 | .text | CALL [static] | Indirect call to absolute memory address |
| 42AA1 | 506678 | .text | CALL [static] | Indirect call to absolute memory address |
| 430C1 | 506678 | .text | CALL [static] | Indirect call to absolute memory address |
| 43362 | 506678 | .text | CALL [static] | Indirect call to absolute memory address |
| 43397 | 506678 | .text | CALL [static] | Indirect call to absolute memory address |
| 44007 | 506678 | .text | CALL [static] | Indirect call to absolute memory address |
| 4704C | 4FB894 | .text | CALL [static] | Indirect call to absolute memory address |
| 640CD | 4400464D | .text | JMP [static] | Indirect jump to absolute memory address |
| 6ED3E | 420046FA | .text | CALL [static] | Indirect call to absolute memory address |
| 7275A | 4200473A | .text | JMP [static] | Indirect jump to absolute memory address |
| 9221C | 4200492E | .text | CALL [static] | Indirect call to absolute memory address |
| 92394 | 42004939 | .text | JMP [static] | Indirect jump to absolute memory address |
| 9CF02 | 420049DE | .text | CALL [static] | Indirect call to absolute memory address |
| A0703 | 42004A | .text | CALL [static] | Indirect call to absolute memory address |
| A588A | 42004A6B | .text | CALL [static] | Indirect call to absolute memory address |
| A851E | 2004A9A | .text | CALL [static] | Indirect call to absolute memory address |
| A965A | 507188 | .text | CALL [static] | Indirect call to absolute memory address |
| C246C | 4FC8DC | .text | CALL [static] | Indirect call to absolute memory address |
| C2D98 | 4FC904 | .text | CALL [static] | Indirect call to absolute memory address |
| C2DEF | 4FC904 | .text | CALL [static] | Indirect call to absolute memory address |
| C3202 | 4FC8FC | .text | CALL [static] | Indirect call to absolute memory address |
| C4FC0 | 4FC8F8 | .text | CALL [static] | Indirect call to absolute memory address |
| DCE56 | 507228 | .text | CALL [static] | Indirect call to absolute memory address |
| DCE76 | 4FC960 | .text | CALL [static] | Indirect call to absolute memory address |
| E4F05 | 50781C | .text | CALL [static] | Indirect call to absolute memory address |
| E51D5 | 507834 | .text | CALL [static] | Indirect call to absolute memory address |
| E5233 | 507828 | .text | CALL [static] | Indirect call to absolute memory address |
| E5253 | 507824 | .text | CALL [static] | Indirect call to absolute memory address |
| E5273 | 507830 | .text | CALL [static] | Indirect call to absolute memory address |
| E529B | 50782C | .text | CALL [static] | Indirect call to absolute memory address |
| E52AB | 507824 | .text | CALL [static] | Indirect call to absolute memory address |
| E52B5 | 507828 | .text | CALL [static] | Indirect call to absolute memory address |
| E52CB | 507838 | .text | CALL [static] | Indirect call to absolute memory address |
| E52E7 | 4FDED4 | .text | CALL [static] | Indirect call to absolute memory address |
| E52F4 | 4FDEC8 | .text | JMP [static] | Indirect jump to absolute memory address |
| E5304 | 4FDEC4 | .text | JMP [static] | Indirect jump to absolute memory address |
| E530C | 4FDECC | .text | JMP [static] | Indirect jump to absolute memory address |
| E538D | 4FDED0 | .text | JMP [static] | Indirect jump to absolute memory address |
| E57B6 | 50784C | .text | CALL [static] | Indirect call to absolute memory address |
| E585A | 507858 | .text | CALL [static] | Indirect call to absolute memory address |
| E5884 | 50785C | .text | CALL [static] | Indirect call to absolute memory address |
| E58A0 | 507858 | .text | CALL [static] | Indirect call to absolute memory address |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 726470 | 62,5336% |
| Null Byte Code | 185274 | 15,9481% |
| NOP Cave Found | 0x9090909090 (Block Count: 1) | 0,0002% (total) |