PREMIUM PESCAN.IO - Analysis Report

| File Structure |

PE chart colour key:
• PE header (light blue)
• Executable sections (pink)
• Non-executable sections (black)
• External injected code (red)
• File structure drawn in red = malformed or corrupted header

Chart colour key for non-PE files:
• Printable characters (blue)
• Non-printable characters (black)
| Information |
• Size: 343.00 KB (351,232 bytes, 0x55C00; this equals the end of the last section, .reloc at 0x51E00 + 0x3E00, so the file carries no overlay)
• SHA-256: 8DD7D6472771DB5B82CFC87ADCB03B303FCD8F16462700CE6FF63F3D935348D9
• SHA-1: EB352C7F82A6987AAA5F3CAD51E4C458970F5600
• MD5: EF5B753E5A2118D18C5E809C3D159A35
• Imphash: A631B3D43AA4CF385846879C89C4E9E2
• MajorOSVersion: 6, MinorOSVersion: 0
• CheckSum: 00000000 (not set; normal for non-driver images)
• EntryPoint (RVA): C7FE
• SizeOfHeaders: 400
• SizeOfImage: 5B000
• ImageBase: 10000000
• Architecture: x86
• ExportTable: 4E6E0
• ImportTable: 4EAB4
• IAT: 3C000
• Characteristics: 2102 (IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE | IMAGE_FILE_DLL)
• TimeDateStamp: 69EF037D, i.e. 27/04/2026 06:34:37 UTC
• File Type: DLL
• Number Of Sections: 7
• ASLR: Enabled
• Section Names: .text, .rdata, .data, .gfids, .tls, .rsrc, .reloc
• Number Of Executable Sections: 1
• Subsystem: Windows GUI
| Sections Info |
| Section Name | Flags | Flag meaning | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|---|
| .text | 0x60000020 | Code, Executable, Readable | 400 | 3B000 | 1000 | 3AF99 | | |
| .rdata | 0x40000040 | Initialized Data, Readable | 3B400 | 13600 | 3C000 | 135B4 | | |
| .data | 0xC0000040 | Initialized Data, Readable, Writeable | 4EA00 | 2200 | 50000 | 34D4 | | |
| .gfids | 0x40000040 | Initialized Data, Readable | 50C00 | C00 | 54000 | BF4 | | |
| .tls | 0xC0000040 | Initialized Data, Readable, Writeable | 51800 | 200 | 55000 | 9 | | |
| .rsrc | 0x40000040 | Initialized Data, Readable | 51A00 | 400 | 56000 | 3F8 | | |
| .reloc | 0x42000040 | Initialized Data, Discardable, Readable | 51E00 | 3E00 | 57000 | 3D44 | | |

The per-section Entropy and Chi2 columns are empty in the captured report. Bit 0x02000000 in the .reloc flags is IMAGE_SCN_MEM_DISCARDABLE, not "GP-Relative" as the original rendering said (IMAGE_SCN_GPREL is 0x00008000 and is not set on any section). The layout is that of an unpacked MSVC 14.x build: a single executable section whose raw size (3B000) is the page-rounded virtual size (3AF99), a .gfids section (the Control Flow Guard function-ID table) next to a .tls section, virtual offsets on 0x1000 boundaries and file offsets on 0x200 boundaries, and the .reloc section ending exactly at SizeOfImage once rounded (57000 + 3D44 rounds to 5B000).
| Description |
• OriginalFilename: kwpswndwg.dwgQ
• CompanyName: Microsoft Office Software Co.,Ltd
• LegalCopyright: Copyright © 2024 Microsoft Corporation. All rights reserved.
• LegalTrademarks: WPS DWQ
• ProductName: Microsoft WPS Office
• FileVersion: 1,0,11,0
• FileDescription: Microsoft Office
• ProductVersion: 1,0,11,0
• Language: Unknown (ID=0x0)
• CodePage: Unicode (UTF-16 LE) (0x4B0)

The version block is internally inconsistent: it mixes Microsoft and WPS (Kingsoft) branding, the CompanyName is not the string Microsoft ships ("Microsoft Corporation"), the OriginalFilename kwpswndwg.dwgQ matches neither the export-directory name (Microsoft.WindowsAppRuntime.Bootstrap.dll, see ET Functions) nor any DLL naming convention, the language ID is 0, and the file has no Authenticode signature (see Signatures). None of the claimed vendor identity is verifiable.
| Entry Point |
Section 1 (.text) contains the entry point. EntryPoint RVA C7FE maps to file offset BBFE (C7FE minus the .text VOffset 1000, plus the .text ROffset 400).

Bytes at the entry point: 558BEC837D0C017505E8CF080000FF7510FF750CFF7508E8BEFEFFFF83C40C5DC20C006A0C6868C80410E853080000C645E7

Disassembly:
• PUSH EBP
• MOV EBP, ESP
• CMP DWORD PTR [EBP + 0xC], 1
• JNE 0x100E
• CALL 0x18DD
• PUSH DWORD PTR [EBP + 0x10]
• PUSH DWORD PTR [EBP + 0xC]
• PUSH DWORD PTR [EBP + 8]
• CALL 0xEDA
• ADD ESP, 0xC
• POP EBP
• RET 0xC
• PUSH 0xC
• PUSH 0x1004C868
• CALL 0x1882

This is the stock MSVC _DllMainCRTStartup stub, not sample-specific code: [EBP+0xC] is DllMain's fdwReason argument, the compare against 1 (DLL_PROCESS_ATTACH) decides whether the first CALL (the CRT's once-per-process stack-cookie initialisation) runs, and the second CALL forwards the three stdcall arguments (hinstDLL, fdwReason, lpReserved) to the CRT's DllMain dispatcher, which is why the function returns with RET 0xC. The JNE/CALL operands are computed from a disassembler base of 0x1000 placed at the entry point, not from ImageBase. The last three instructions already belong to the next function (push 0xC, push scope table, call: the MSVC SEH frame prologue). The sample's own behaviour therefore has to be found behind those calls and in the exported functions rather than at the entry point.
| Signatures |
Rich Signature Analyzer:
• Code (raw bytes, XOR-encoded): A413EA4FE072841CE072841CE072841C54EE751CF172841C54EE771C7772841C54EE761CFE72841CDB2C871DF772841CDB2C811D8F72841CDB2C801DC372841C3D8D4F1CE572841CE072851C6A72841C772C8D1DE372841C772C841DE172841C722C7B1CE172841C772C861DE172841C52696368E072841C
• Footprint MD5 hash: B4AD349F0ABF734F961DABB017EB5B3F
• The Rich header apparently has not been modified

Certificate / digital signature: not found. The file is not signed.
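The Rich header's compid records are what the "has not been modified" verdict and the toolchain question in the Packer/Compiler section rest on. The block below is an added example, not PESCAN.IO's code: it decodes the hex string printed above, recovers the XOR key, checks the DanS/Rich framing and lists the (prodid, build, count) triples. The checksum that the key also encodes can only be recomputed over the DOS header bytes, which the report does not print, so the block validates structure rather than the checksum; reading the prodid 1 / build 0 record as the import count is the usual convention and is stated here as an assumption.

```python
"""Decode the Rich header captured in the report (added example, not PESCAN.IO code)."""
import struct
from typing import List, Tuple

# Raw bytes of the Rich signature exactly as printed in the report's
# "Rich Signature Analyzer" line: XOR-encoded "DanS" marker through the clear key.
RICH_HEX = (
    "A413EA4FE072841CE072841CE072841C54EE751CF172841C54EE771C7772841C"
    "54EE761CFE72841CDB2C871DF772841CDB2C811D8F72841CDB2C801DC372841C"
    "3D8D4F1CE572841CE072851C6A72841C772C8D1DE372841C772C841DE172841C"
    "722C7B1CE172841C772C861DE172841C52696368E072841C"
)
DANS = 0x536E6144   # "DanS" as a little-endian DWORD
RICH = 0x68636952   # "Rich" as a little-endian DWORD

Entry = Tuple[int, int, int]   # (prodid, build, count)


def decode_rich(blob: bytes) -> Tuple[int, List[Entry]]:
    """Return (xor_key, entries) for a Rich header blob.

    Layout, all little-endian DWORDs:
        DanS^key, 0^key, 0^key, 0^key, (compid^key, count^key)*, "Rich", key
    compid packs the prodid in the high 16 bits and the tool build number in
    the low 16 bits. Raises ValueError on anything structurally wrong.
    """
    if len(blob) < 24 or len(blob) % 4:
        raise ValueError("Rich blob must be >= 24 bytes and DWORD aligned")
    words = list(struct.unpack("<%dI" % (len(blob) // 4), blob))
    if words[-2] != RICH:
        raise ValueError("missing 'Rich' terminator")
    key = words[-1]
    clear = [w ^ key for w in words[:-2]]
    if clear[0] != DANS:
        raise ValueError("XOR key does not recover the 'DanS' marker")
    if clear[1:4] != [0, 0, 0]:
        raise ValueError("non-zero padding after 'DanS'")
    body = clear[4:]
    if len(body) % 2:
        raise ValueError("odd number of DWORDs in the compid/count area")
    return key, [(c >> 16, c & 0xFFFF, n) for c, n in zip(body[0::2], body[1::2])]


def decode_rich_hex(hexstr: str) -> Tuple[int, List[Entry]]:
    return decode_rich(bytes.fromhex(hexstr))


def builds_used(entries: List[Entry]) -> List[int]:
    """Distinct tool build numbers, ignoring prodid 1 (the import pseudo-entry)."""
    return sorted({build for prodid, build, _ in entries if prodid != 1})


def import_count(entries: List[Entry]) -> int:
    """Assumption: the prodid 1 / build 0 record counts imported symbols (common convention)."""
    return sum(n for prodid, build, n in entries if prodid == 1 and build == 0)


if __name__ == "__main__":
    key, entries = decode_rich_hex(RICH_HEX)
    print("xor key 0x%08X, %d entries" % (key, len(entries)))
    for prodid, build, count in entries:
        print("  prodid=0x%04X build=%-5d count=%d" % (prodid, build, count))
    print("toolchain builds:", builds_used(entries))
    print("imports (by convention):", import_count(entries))
```

Decoded, the records carry builds 24123, 24210 and 24215 alongside two outliers (40116, 65501); linker 14.00.24215 is the Visual Studio 2015 Update 3 toolchain, which supports DIE's 14.0 linker match below over its "2013" compiler guess. Flipping any byte of the blob makes the DanS check fail, which is the cheap structural tamper test the report's verdict refers to.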
| Packer/Compiler |
Detect It Easy (DIE):
• PE compiler (entry-point signature): Microsoft Visual C/C++ (2013) [DLL32]
• PE linker: Microsoft Linker (14.0, Visual Studio 2015 14.0*)
• Entropy (whole file): 6.61339

The signature-based compiler guesses do not agree with one another (2013 here, 14.0 for the linker, and "Microsoft Visual C++ v7.0" from the entry-point hex-pattern rule further down); the tool-build records in the Rich header above are the more reliable source for the toolchain version. An overall entropy of 6.6 with a single executable section is in the range of ordinary compiled code, not of a packed payload.
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | GetModuleFileNameA | Retrieve the fully qualified path for the executable file of a specified module. |
| KERNEL32.DLL | VirtualAlloc | Reserve, commit, or both, a region of memory within the virtual address space of a process. |
| KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | LoadLibraryW | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |
| ET Functions (carving) |
Export directory name: Microsoft.WindowsAppRuntime.Bootstrap.dll

Exported names:
• ?nf_registerDriver@nfapi@@YA?AW4_NF_STATUS@@PBD@Z (demangled: enum _NF_STATUS __cdecl nfapi::nf_registerDriver(char const *))
• ?nf_unRegisterDriver@nfapi@@YA?AW4_NF_STATUS@@PBD@Z (demangled: enum _NF_STATUS __cdecl nfapi::nf_unRegisterDriver(char const *))
• A4qTQYXyZ28kt8wCcy5wjMT6AdZwnUwZ9HW8
• AkBs2XbnGJ456q3sedw6rzWUPTPVFQ2tnn3M
• BankChina
• BankofChina
• Bankofchinaunionpaycard
• CreateDatabaseQueryObject
• Evt1Close
• Evt1Next
• Evt1Render
• Evt25Query_Bank
• FreeMain_Exit
• InitProcessPriv
• InitThread
• MddBootstrapInitialize2
• MddBootstrapShutdown
• Mini_Bank_Info_htm
• Mr47kdr74cQpW9PZtBmepgqcStP98uKBwv7E
• QRTAPI_CleanupRepository
• QRTAPI_GetLastError
• QRTAPI_Initialize
• QRTAPI_Uninitialize
• UnInitProcessPriv
• UnInitThread
• main
• qrAddData
• qrFinalize
• qrInit
• qrSymbolToBMP

The export name is that of the genuine Windows App Runtime bootstrap DLL, and MddBootstrapInitialize2 / MddBootstrapShutdown are that DLL's real API, so a loader resolving those two names would accept this file in its place. The remaining exports are a grab-bag from unrelated code bases (the nfapi NetFilter SDK driver-registration pair, a QR-code encoder's qr*/QRTAPI_* functions, Evt* names, bank-themed strings and three random-looking 36-character identifiers), which no single legitimate library would export; together with the OriginalFilename mismatch in the Description block this is consistent with a DLL built to stand in for the runtime bootstrap component.
| Windows REG |
• Software\Microsoft\Windows\CurrentVersion\Run
• Rebuilt string: SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The Run key is the standard per-user / per-machine autostart location; the Intelligent String list below carries the matching value, a quoted path to C:\ProgramData\WKwpsOffice2\WKwpsOffice.exe followed by the argument --DMLA.
| File Access |
• \ProgramData\WKwpsOffice2\WKwpsOffice.exe
• cmd.exe
• WKwpsOffice.exe
• USER32.dll
• KERNEL32.dll
• Microsoft.WindowsAppRuntime.Bootstrap.dll
• \Microsoft.WindowsAppRuntime.Bootstrap.dll
• ntdll.dll
• .dat
• @.dat
| File Access (UNICODE) |
• mscoree.dll
• pExecutionResourcecombase.dll (most likely two adjacent strings run together by the carve: pExecutionResource and combase.dll)
• kernel32.dll
| Interest's Words |
• exec
• start
• shutdown
| URLs (UNICODE) |
| https://www.google.com/ |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | WinAPI Sockets (connect) |
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | File (ReadFile) |
| Text | Ascii | Anti-Analysis VM (IsDebuggerPresent) |
| Text | Ascii | Anti-Analysis VM (GetVersion) |
| Text | Ascii | Reconnaissance (FindFirstFileA) |
| Text | Ascii | Reconnaissance (FindNextFileA) |
| Text | Ascii | Reconnaissance (FindClose) |
| Text | Ascii | Stealth (ExitThread) |
| Text | Ascii | Stealth (ReleaseSemaphore) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Stealth (VirtualAlloc) |
| Text | Ascii | Stealth (VirtualProtect) |
| Text | Ascii | Execution (CreateSemaphoreW) |
| Text | Ascii | Execution (CreateEventW) |
| Text | Ascii | Software that records user activity (Logger) |
| Entry Point | Hex Pattern | Microsoft Visual C++ v7.0 |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \VERSION\1\1033 | 56060 | 398 | 51A60 | 980334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| Intelligent String |
• @.tls
• kernel32.dll
• combase.dll
• advapi32.dll
• mscoree.dll
• ntdll.dll
• C:\ProgramData\WKwpsOffice2WKwpsOffice.exeGlobal\PkBankFAkBankAppEvent (two adjacent strings run together; the split is at Global\)
• learn.microsoft.com
• cmd.exe
• C:\ProgramData\WKwpsOffice2\WKwpsOffice.exe" --DMLA
• .bss
• .tls
• KERNEL32.dll

Global\PkBankFAkBankAppEvent is a name in the global kernel-object namespace; with CreateEventW among the matched strings it is most likely a named event used as a single-instance or synchronisation marker, and it is a usable host-based indicator next to the ProgramData path. The trailing quote and the --DMLA switch show that the second path string is the tail of a quoted command line, the form a Run-key value takes.
| Flow Anomalies |
Every target below is an absolute address in the range 1003C000 to 1003C1D8. With ImageBase 10000000 and the IAT directory at RVA 3C000 (the first bytes of .rdata), these are CALL DWORD PTR [IAT slot] instructions, that is, ordinary calls through the import table rather than calls into injected or unmapped memory; the second column is the call target as a virtual address, not an RVA. The long runs of one target (1003C1D8 from offset 4C6E to 4F2E, 1003C094 from A677 to A8FB) are the same import invoked repeatedly in sequence.

| Offset | Target (VA) | Section | Type | Description |
|---|---|---|---|---|
| 86D | 1003C0D8 | .text | CALL [static] | Indirect call to absolute memory address |
| A0B | 1003C01C | .text | CALL [static] | Indirect call to absolute memory address |
| 1D66 | 1003C000 | .text | CALL [static] | Indirect call to absolute memory address |
| 1DE7 | 1003C024 | .text | CALL [static] | Indirect call to absolute memory address |
| 1EDD | 1003C004 | .text | CALL [static] | Indirect call to absolute memory address |
| 1F51 | 1003C004 | .text | CALL [static] | Indirect call to absolute memory address |
| 290C | 1003C008 | .text | CALL [static] | Indirect call to absolute memory address |
| 2DF8 | 1003C014 | .text | CALL [static] | Indirect call to absolute memory address |
| 2E07 | 1003C018 | .text | CALL [static] | Indirect call to absolute memory address |
| 2EF4 | 1003C01C | .text | CALL [static] | Indirect call to absolute memory address |
| 2F4B | 1003C01C | .text | CALL [static] | Indirect call to absolute memory address |
| 3962 | 1003C020 | .text | CALL [static] | Indirect call to absolute memory address |
| 467C | 1003C038 | .text | CALL [static] | Indirect call to absolute memory address |
| 4686 | 1003C024 | .text | CALL [static] | Indirect call to absolute memory address |
| 490B | 1003C1D8 | .text | CALL [static] | Indirect call to absolute memory address |
| 499C | 1003C02C | .text | CALL [static] | Indirect call to absolute memory address |
| 49DF | 1003C010 | .text | CALL [static] | Indirect call to absolute memory address |
| 4A68 | 1003C030 | .text | CALL [static] | Indirect call to absolute memory address |
| 4C4A | 1003C034 | .text | CALL [static] | Indirect call to absolute memory address |
| 4C6E | 1003C1D8 | .text | CALL [static] | Indirect call to absolute memory address |
| 4C76 | 1003C034 | .text | CALL [static] | Indirect call to absolute memory address |
| 4C8E | 1003C1D8 | .text | CALL [static] | Indirect call to absolute memory address |
| 4C96 | 1003C034 | .text | CALL [static] | Indirect call to absolute memory address |
| 4CAE | 1003C1D8 | .text | CALL [static] | Indirect call to absolute memory address |
| 4CCE | 1003C1D8 | .text | CALL [static] | Indirect call to absolute memory address |
| 4CEE | 1003C1D8 | .text | CALL [static] | Indirect call to absolute memory address |
| 4D0E | 1003C1D8 | .text | CALL [static] | Indirect call to absolute memory address |
| 4D2E | 1003C1D8 | .text | CALL [static] | Indirect call to absolute memory address |
| 4D4E | 1003C1D8 | .text | CALL [static] | Indirect call to absolute memory address |
| 4D6E | 1003C1D8 | .text | CALL [static] | Indirect call to absolute memory address |
| 4D8E | 1003C1D8 | .text | CALL [static] | Indirect call to absolute memory address |
| 4DAE | 1003C1D8 | .text | CALL [static] | Indirect call to absolute memory address |
| 4DCE | 1003C1D8 | .text | CALL [static] | Indirect call to absolute memory address |
| 4DEE | 1003C1D8 | .text | CALL [static] | Indirect call to absolute memory address |
| 4DF6 | 1003C034 | .text | CALL [static] | Indirect call to absolute memory address |
| 4E0E | 1003C1D8 | .text | CALL [static] | Indirect call to absolute memory address |
| 4E2E | 1003C1D8 | .text | CALL [static] | Indirect call to absolute memory address |
| 4E42 | 1003C034 | .text | CALL [static] | Indirect call to absolute memory address |
| 4E5E | 1003C1D8 | .text | CALL [static] | Indirect call to absolute memory address |
| 4E7E | 1003C1D8 | .text | CALL [static] | Indirect call to absolute memory address |
| 4E9E | 1003C1D8 | .text | CALL [static] | Indirect call to absolute memory address |
| 4EA6 | 1003C034 | .text | CALL [static] | Indirect call to absolute memory address |
| 4ECE | 1003C1D8 | .text | CALL [static] | Indirect call to absolute memory address |
| 4EEE | 1003C1D8 | .text | CALL [static] | Indirect call to absolute memory address |
| 4F0E | 1003C1D8 | .text | CALL [static] | Indirect call to absolute memory address |
| 4F2E | 1003C1D8 | .text | CALL [static] | Indirect call to absolute memory address |
| 4F36 | 1003C034 | .text | CALL [static] | Indirect call to absolute memory address |
| 4F67 | 1003C00C | .text | CALL [static] | Indirect call to absolute memory address |
| 4F73 | 1003C024 | .text | CALL [static] | Indirect call to absolute memory address |
| 4F81 | 1003C028 | .text | CALL [static] | Indirect call to absolute memory address |
| 4F89 | 1003C034 | .text | CALL [static] | Indirect call to absolute memory address |
| 9E57 | 1003C050 | .text | CALL [static] | Indirect call to absolute memory address |
| 9E6A | 1003C044 | .text | CALL [static] | Indirect call to absolute memory address |
| 9EA4 | 1003C054 | .text | CALL [static] | Indirect call to absolute memory address |
| 9EC0 | 1003C054 | .text | CALL [static] | Indirect call to absolute memory address |
| 9ED5 | 1003C054 | .text | CALL [static] | Indirect call to absolute memory address |
| 9F52 | 1003C054 | .text | CALL [static] | Indirect call to absolute memory address |
| 9F92 | 1003C054 | .text | CALL [static] | Indirect call to absolute memory address |
| 9FE6 | 1003C054 | .text | CALL [static] | Indirect call to absolute memory address |
| A00E | 1003C04C | .text | CALL [static] | Indirect call to absolute memory address |
| A03F | 1003C04C | .text | CALL [static] | Indirect call to absolute memory address |
| A062 | 1003C048 | .text | CALL [static] | Indirect call to absolute memory address |
| A12D | 1003C054 | .text | CALL [static] | Indirect call to absolute memory address |
| A388 | 1003C060 | .text | CALL [static] | Indirect call to absolute memory address |
| A38F | 1003C064 | .text | CALL [static] | Indirect call to absolute memory address |
| A396 | 1003C060 | .text | CALL [static] | Indirect call to absolute memory address |
| A39D | 1003C058 | .text | CALL [static] | Indirect call to absolute memory address |
| A3AA | 1003C028 | .text | CALL [static] | Indirect call to absolute memory address |
| A3B6 | 1003C054 | .text | CALL [static] | Indirect call to absolute memory address |
| A3CB | 1003C028 | .text | CALL [static] | Indirect call to absolute memory address |
| A669 | 1003C090 | .text | CALL [static] | Indirect call to absolute memory address |
| A677 | 1003C094 | .text | CALL [static] | Indirect call to absolute memory address |
| A68E | 1003C094 | .text | CALL [static] | Indirect call to absolute memory address |
| A6A5 | 1003C094 | .text | CALL [static] | Indirect call to absolute memory address |
| A6BC | 1003C094 | .text | CALL [static] | Indirect call to absolute memory address |
| A6D3 | 1003C094 | .text | CALL [static] | Indirect call to absolute memory address |
| A6EA | 1003C094 | .text | CALL [static] | Indirect call to absolute memory address |
| A701 | 1003C094 | .text | CALL [static] | Indirect call to absolute memory address |
| A718 | 1003C094 | .text | CALL [static] | Indirect call to absolute memory address |
| A72F | 1003C094 | .text | CALL [static] | Indirect call to absolute memory address |
| A746 | 1003C094 | .text | CALL [static] | Indirect call to absolute memory address |
| A75D | 1003C094 | .text | CALL [static] | Indirect call to absolute memory address |
| A774 | 1003C094 | .text | CALL [static] | Indirect call to absolute memory address |
| A78B | 1003C094 | .text | CALL [static] | Indirect call to absolute memory address |
| A7A2 | 1003C094 | .text | CALL [static] | Indirect call to absolute memory address |
| A7B9 | 1003C094 | .text | CALL [static] | Indirect call to absolute memory address |
| A7D0 | 1003C094 | .text | CALL [static] | Indirect call to absolute memory address |
| A7E7 | 1003C094 | .text | CALL [static] | Indirect call to absolute memory address |
| A7FE | 1003C094 | .text | CALL [static] | Indirect call to absolute memory address |
| A815 | 1003C094 | .text | CALL [static] | Indirect call to absolute memory address |
| A82C | 1003C094 | .text | CALL [static] | Indirect call to absolute memory address |
| A843 | 1003C094 | .text | CALL [static] | Indirect call to absolute memory address |
| A85A | 1003C094 | .text | CALL [static] | Indirect call to absolute memory address |
| A871 | 1003C094 | .text | CALL [static] | Indirect call to absolute memory address |
| A888 | 1003C094 | .text | CALL [static] | Indirect call to absolute memory address |
| A89F | 1003C094 | .text | CALL [static] | Indirect call to absolute memory address |
| A8B6 | 1003C094 | .text | CALL [static] | Indirect call to absolute memory address |
| A8CD | 1003C094 | .text | CALL [static] | Indirect call to absolute memory address |
| A8E4 | 1003C094 | .text | CALL [static] | Indirect call to absolute memory address |
| A8FB | 1003C094 | .text | CALL [static] | Indirect call to absolute memory address |
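The addresses in this table only mean something against the section table, and the same RVA-to-offset arithmetic is what turns the EntryPoint RVA C7FE in the Entry Point section into file offset BBFE. The block below is an added example, not PESCAN.IO's code, built from the values transcribed from this report's Information and Sections Info blocks: it decodes the section characteristic bits (showing .reloc is DISCARDABLE, not GP-relative), maps RVAs to file offsets, re-derives SizeOfImage and the file size from the section table, and resolves each "CALL [static]" target to its IAT slot. The IAT length is not printed in the report, so slot membership is judged from the directory start and the .rdata bounds, which is an assumption.

```python
"""Section-table arithmetic for the report's values (added example, not PESCAN.IO code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Transcribed from the Information and Sections Info blocks of this report.
IMAGE_BASE = 0x10000000
ENTRY_POINT_RVA = 0xC7FE
IAT_RVA = 0x3C000
SECTION_ALIGN = 0x1000

# IMAGE_SCN_* bits from the PE/COFF specification (only the ones decoded here).
SCN_FLAGS = {
    0x00000020: "CODE",
    0x00000040: "INITIALIZED_DATA",
    0x00000080: "UNINITIALIZED_DATA",
    0x00008000: "GPREL",
    0x02000000: "DISCARDABLE",
    0x20000000: "EXECUTE",
    0x40000000: "READ",
    0x80000000: "WRITE",
}


@dataclass(frozen=True)
class Section:
    name: str
    flags: int
    raw_off: int    # ROffset
    raw_size: int   # RSize
    rva: int        # VOffset
    vsize: int      # VSize


SECTIONS: List[Section] = [
    Section(".text",  0x60000020, 0x00400, 0x3B000, 0x01000, 0x3AF99),
    Section(".rdata", 0x40000040, 0x3B400, 0x13600, 0x3C000, 0x135B4),
    Section(".data",  0xC0000040, 0x4EA00, 0x02200, 0x50000, 0x034D4),
    Section(".gfids", 0x40000040, 0x50C00, 0x00C00, 0x54000, 0x00BF4),
    Section(".tls",   0xC0000040, 0x51800, 0x00200, 0x55000, 0x00009),
    Section(".rsrc",  0x40000040, 0x51A00, 0x00400, 0x56000, 0x003F8),
    Section(".reloc", 0x42000040, 0x51E00, 0x03E00, 0x57000, 0x03D44),
]


def flag_names(flags: int) -> List[str]:
    return [name for bit, name in sorted(SCN_FLAGS.items()) if flags & bit]


def align_up(value: int, align: int) -> int:
    return (value + align - 1) // align * align


def section_for_rva(rva: int, sections: List[Section] = SECTIONS) -> Optional[Section]:
    # Span = max(VSize, RSize) rounded to SectionAlignment, the convention tools
    # such as pefile use; for these seven sections both sizes round to the same span.
    for s in sections:
        span = align_up(max(s.vsize, s.raw_size), SECTION_ALIGN)
        if s.rva <= rva < s.rva + span:
            return s
    return None


def rva_to_offset(rva: int, sections: List[Section] = SECTIONS) -> Optional[int]:
    """File offset backing an RVA, or None if the RVA has no bytes on disk."""
    s = section_for_rva(rva, sections)
    if s is None:
        return None
    delta = rva - s.rva
    return s.raw_off + delta if delta < s.raw_size else None


def classify_call_target(va: int) -> Tuple[str, Optional[int]]:
    """(section name, IAT slot index) for a 'CALL [static]' target from the table.
    Assumption: the IAT length is unknown, so any DWORD-aligned .rdata address at or
    past IAT_RVA is treated as an IAT slot."""
    rva = va - IMAGE_BASE
    s = section_for_rva(rva)
    if s is None:
        return ("<unmapped>", None)
    if s.name == ".rdata" and rva >= IAT_RVA and (rva - IAT_RVA) % 4 == 0:
        return (s.name, (rva - IAT_RVA) // 4)
    return (s.name, None)


def expected_size_of_image(sections: List[Section] = SECTIONS) -> int:
    last = sections[-1]
    return align_up(last.rva + last.vsize, SECTION_ALIGN)


def expected_file_size(sections: List[Section] = SECTIONS) -> int:
    return max(s.raw_off + s.raw_size for s in sections)


if __name__ == "__main__":
    print("entry point RVA %#x -> file offset %#x" % (ENTRY_POINT_RVA, rva_to_offset(ENTRY_POINT_RVA)))
    for s in SECTIONS:
        print("%-7s %08X %s" % (s.name, s.flags, "|".join(flag_names(s.flags))))
    print("SizeOfImage %#x, file size %d bytes" % (expected_size_of_image(), expected_file_size()))
    print("CALL target 1003C0D8 ->", classify_call_target(0x1003C0D8))
```

The derived values agree with the header: SizeOfImage 5B000, file size 351,232 bytes (the 343.00 KB in the Information block, hence no overlay), entry point at file offset BBFE, and every call target landing on a DWORD-aligned .rdata address at or after the IAT start, which is what the "Indirect call to absolute memory address" rows actually are.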
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| ASCII bytes | 203320 | 57.8877% |
| Null bytes | 56114 | 15.9763% |
© 2026 All rights reserved.