PESCAN.IO - Analysis Report Basic

| File Structure |
(File-structure chart not reproduced in this export. Legend for PE charts: PE header light blue; executable sections pink; non-executable sections black; externally injected code red; a red File Structure bar marks a malformed or corrupted header. Legend for non-PE files: printable characters blue, non-printable characters black.)
| Information |
| Field | Value |
|---|---|
| Size | 43.00 KB (0xAC00 = 44,032 bytes; equal to the end of .reloc's raw data) |
| SHA-256 | 8C3D6CABC01664DAB44414F1F6B95A39DB01420DC90B02727AD1121279DAB1D8 |
| SHA-1 | 386E450CF7AB2D24EA90CC710DA5FB0BD105EE8E |
| MD5 | FE20A94CC208ECC4EF0290864F1C1885 |
| Imphash | 59886F032AF976915C8C491FA842EE0A |
| MajorOSVersion / MinorOSVersion | 6 / 0 |
| CheckSum | 00000000 |
| EntryPoint (RVA) | 5404 |
| SizeOfHeaders | 400 |
| SizeOfImage | F000 |
| ImageBase | 0000000180000000 |
| Architecture | x64 |
| ExportTable | 9E50 |
| ImportTable | A0F0 |
| IAT | 6000 |
| Characteristics | 2022 (EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL) |
| TimeDateStamp | 6A31AABF (16/06/2026 19:57:51) |
| File Type | DLL |
| Number Of Sections | 6 (.text, .rdata, .data, .pdata, .rsrc, .reloc) |
| Number Of Executable Sections | 1 |
| ASLR | Disabled |
| Subsystem | Windows GUI |
| Tool note | Incomplete Binary or Compressor Packer - 17.00 KB Missing |

The "17.00 KB Missing" figure is SizeOfImage minus file size (0xF000 − 0xAC00 = 0x4400 = 17,408 bytes). The last section's raw data ends exactly at the file size, and .reloc's virtual end (0xE000 + 0x64) rounds up to 0xF000 at the 0x1000 section alignment, so the gap is ordinary zero-filled virtual space, not truncated bytes. Combined with the moderate overall entropy (5.87) this reads as a heuristic false positive rather than a packer or a damaged download; treat it as "incomplete" only if some section's raw data actually runs past end-of-file.
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize |
|---|---|---|---|---|---|
| .text | 0x60000020 Code Executable Readable | 400 | 5000 | 1000 | 4EE9 |
| .rdata | 0x40000040 Initialized Data Readable | 5400 | 4C00 | 6000 | 4B0A |
| .data | 0xC0000040 Initialized Data Readable Writeable | A000 | 200 | B000 | 768 |
| .pdata | 0x40000040 Initialized Data Readable | A200 | 600 | C000 | 588 |
| .rsrc | 0x40000040 Initialized Data Readable | A800 | 200 | D000 | F8 |
| .reloc | 0x42000040 Initialized Data Discardable Readable | AA00 | 200 | E000 | 64 |

The Entropy and Chi2 columns were empty in the report. Note that .reloc's 0x02000000 bit is IMAGE_SCN_MEM_DISCARDABLE (the report's "GP-Relative" label is wrong; IMAGE_SCN_GPREL is 0x00008000), the normal flag for a relocation section that the loader may discard after fix-ups. Only .data is writeable, and its raw size (0x200) is smaller than its virtual size (0x768): the remainder is zero-initialised at load time, which is where part of the SizeOfImage/file-size gap comes from.
| Entry Point |
Section 1 (.text) contains the entry point. EntryPoint RVA 5404 maps to file offset 4804 (RVA − .text VOffset 1000 + ROffset 400), which the report labels "EntryPoint (calculated)".

Code at the entry point (first 50 bytes): 48895C24084889742410574883EC20498BF88BDA488BF183FA017505E86F0600004C8BC78BD3488BCE488B5C2430488B7424

```asm
MOV QWORD PTR [RSP + 8], RBX
MOV QWORD PTR [RSP + 0X10], RSI
PUSH RDI
SUB RSP, 0X20
MOV RDI, R8
MOV EBX, EDX
MOV RSI, RCX
CMP EDX, 1
JNE 0X1021
CALL 0X1690
MOV R8, RDI
MOV EDX, EBX
MOV RCX, RSI
MOV RBX, QWORD PTR [RSP + 0X30]
```

The addresses in the listing are relative to a 0x1000 base used by the disassembler, not to the real RVA: the CALL sits 0x1C bytes into the stub, so its real target is RVA 0x5404 + 0x21 + 0x66F = 0x5A94. The shape is the MSVC CRT DLL entry thunk (the "Microsoft Visual C++ 8.0 (DLL)" pattern matched below): the three DllMain arguments (RCX = hinstDLL, EDX = fdwReason, R8 = lpvReserved) are saved, a CRT initialisation routine is called only when fdwReason == 1 (DLL_PROCESS_ATTACH), and the arguments are reloaded before control continues to the CRT's DllMain dispatch. Nothing sample-specific executes at the entry point itself.
| Signatures |
| Rich Signature Analyzer: Code -> EEE28E6EAA83E03DAA83E03DAA83E03DA3FB733DA283E03D2D0AE33CA983E03D2D0AE43CA283E03D2D0AE53CB983E03D2D0AE13CAC83E03DD302E13CAD83E03DAA83E13DF883E03D360AE93CAB83E03D360AE03CAB83E03D360A1F3DAB83E03D360AE23CAB83E03D52696368AA83E03D Footprint md5 Hash -> 93AFF2C01CC76126065945CC66227601 • The Rich header apparently has not been modified Certificate - Digital Signature Not Found: • The file is not signed |
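The Rich header bytes quoted above decode with nothing more than the trailing XOR key. The following is an added example, not part of the PEScan report or of ares.dll: it takes the hex string exactly as printed in the Signatures block, recovers the key, checks the "DanS" marker and zero padding, and splits the entry area into (product id, build, count) records. Function names are this example's own.

```python
"""Decode the Rich header hex quoted in the report's Signatures block.
Added example, not PEScan output; the only input is the hex the report prints."""

import struct
from typing import List, NamedTuple, Tuple

# Copied verbatim from the report ("Rich Signature Analyzer: Code -> ...").
RICH_HEX = (
    "EEE28E6EAA83E03DAA83E03DAA83E03DA3FB733DA283E03D2D0AE33CA983E03D"
    "2D0AE43CA283E03D2D0AE53CB983E03D2D0AE13CAC83E03DD302E13CAD83E03D"
    "AA83E13DF883E03D360AE93CAB83E03D360AE03CAB83E03D360A1F3DAB83E03D"
    "360AE23CAB83E03D52696368AA83E03D"
)
DANS = 0x536E6144  # "DanS" read as a little-endian uint32


class RichEntry(NamedTuple):
    prod_id: int   # high 16 bits of the comp id: tool / product identifier
    build: int     # low 16 bits: toolset build number
    count: int     # number of objects produced with that tool


def decode_rich(blob: bytes) -> Tuple[int, List[RichEntry]]:
    """blob must start at the XOR-encrypted DanS marker and end with 'Rich' + key."""
    rich_pos = blob.rfind(b"Rich")
    if rich_pos < 0 or rich_pos % 4 or rich_pos + 8 > len(blob):
        raise ValueError("no well-formed Rich marker")
    key = struct.unpack_from("<I", blob, rich_pos + 4)[0]
    words = struct.unpack_from(f"<{rich_pos // 4}I", blob, 0)
    clear = [w ^ key for w in words]
    if clear[0] != DANS:
        raise ValueError("DanS marker missing after XOR: wrong key or damaged header")
    if any(clear[1:4]):
        raise ValueError("padding after DanS is not zero")
    body = clear[4:]
    if len(body) % 2:
        raise ValueError("odd number of words in the entry area")
    entries = [RichEntry(comp >> 16, comp & 0xFFFF, cnt)
               for comp, cnt in zip(body[0::2], body[1::2])]
    return key, entries


def total_objects(entries: List[RichEntry]) -> int:
    return sum(e.count for e in entries)


def toolset_builds(entries: List[RichEntry]) -> List[int]:
    """Distinct non-zero build numbers, for cross-checking the linker version DIE reports."""
    return sorted({e.build for e in entries if e.build})


if __name__ == "__main__":
    key, entries = decode_rich(bytes.fromhex(RICH_HEX))
    print(f"XOR key {key:#010x}, {len(entries)} entries, {total_objects(entries)} objects")
    for e in entries:
        print(f"  prodid {e.prod_id:#06x}  build {e.build:5d}  count {e.count}")
    print("toolset builds:", toolset_builds(entries))
```

For this sample the key is 0x3DE083AA and there are eleven entries; the build numbers recovered (30729, 33145, 35207, 35228) are what you compare against the 14.44 linker version below and against other samples when clustering by toolchain. The key doubles as a checksum over the DOS header (with e_lfanew zeroed) and the entries, so the report's "apparently not modified" verdict can only be re-verified with the file's first 0x80 bytes, which this export does not include.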
| Packer/Compiler |
| Compiler: Microsoft Visual Studio Detect It Easy (die) • PE+(64): compiler: Microsoft Visual C/C++(-)[-] • PE+(64): linker: Microsoft Linker(14.44**)[-] • Entropy: 5.87324 |
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | LoadLibraryW | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | CreateToolhelp32Snapshot | Creates a snapshot of the specified processes, heaps, threads, and modules. |
| KERNEL32.DLL | CreateRemoteThread | Creates a thread in the address space of another process. |
| KERNEL32.DLL | WriteProcessMemory | Writes data to an area of memory in a specified process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |
| Export Table (ET) Functions (carving) |
Original Name (export directory): ares.dll

Exports: ExecutePayloadManuallyExport, FindDiscordPTBProcessExport, InjectHookDLL, InjectHookDLLW, InjectToDiscordPTBProcessExport, InjectToSysmainSvchostExport, napi_call_function, napi_create_function, napi_create_object, napi_create_string_utf8, napi_get_property, napi_get_string_utf8, napi_register_module_v1, napi_set_property, node_api_create_buffer, node_api_create_external_buffer, node_api_get_buffer_info, node_api_is_buffer, node_api_module_init

The first six names describe the capability in plain words (find a Discord PTB process, inject a hook DLL into it or into the svchost.exe hosting SysMain, run a payload manually) and line up with the CreateToolhelp32Snapshot / WriteProcessMemory / CreateRemoteThread imports above. napi_register_module_v1 and node_api_module_init are the entry points Node.js looks for when it loads a native addon; together with the x.js path under a Discord Electron module directory (see Intelligent String) they indicate the DLL is built to be loaded as a Node/Electron native module.
| File Access |
api-ms-win-crt-heap-l1-1-0.dll, api-ms-win-crt-string-l1-1-0.dll, api-ms-win-crt-runtime-l1-1-0.dll, api-ms-win-crt-stdio-l1-1-0.dll, VCRUNTIME140.dll, VCRUNTIME140_1.dll, MSVCP140.dll, USER32.dll, KERNEL32.dll, ADVAPI32.dll, ares.dll, .dat, @.dat
| File Access (UNICODE) |
discordcanary.exe, DiscordCanary.exe, discord.exe, Discord.exe, discordptb.exe, DiscordPTB.exe, svchost.exe, kernel32.dll, x.dll, AppData
| Words of Interest |
exec, attrib, expand
| Strings/Hex Code Matched by File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | Service (OpenSCManager) |
| Text | Ascii | Anti-Analysis VM (IsDebuggerPresent) |
| Text | Ascii | Anti-Analysis VM (CreateToolhelp32Snapshot) |
| Text | Ascii | Reconnaissance (FindFirstFileW) |
| Text | Ascii | Reconnaissance (FindNextFileW) |
| Text | Ascii | Reconnaissance (FindClose) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Stealth (VirtualAlloc) |
| Text | Ascii | Stealth (CreateRemoteThread) |
| Text | Unicode | Privileges (SeDebugPrivilege) |
| Text | Ascii | Malicious code executed after exploiting a vulnerability (Payload) |
| Text | Unicode | Technique to insert malicious code into a vulnerable application (Injection) |
| Text | Ascii | Technique used to insert malicious code into legitimate processes (Inject) |
| Text | Unicode | Technique used to insert malicious code into legitimate processes (Inject) |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8.0 (DLL) |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \24\2\1033 | D060 | 91 | A860 | 3C3F786D6C2076657273696F6E3D27312E302720656E636F64696E673D275554462D3827207374616E64616C6F6E653D2779 | <?xml version='1.0' encoding='UTF-8' standalone='y |

Resource type 24 is RT_MANIFEST and language 1033 is en-US, so this is the DLL's embedded application manifest (0x91 = 145 bytes; the text is truncated by the report). The offset checks out: DataRVA D060 − .rsrc VOffset D000 + ROffset A800 = A860.
| Intelligent String |
• C:\Users\%USERNAME%\AppData\Local\DiscordPTB\app-1.0.1198\modules\discord_krisp-1\discord_krisp\x.js
• svchost.exe
• x.dll
• DiscordPTB.exe
• discordptb.exe
• Discord.exe
• discord.exe
• DiscordCanary.exe
• discordcanary.exe
• kernel32.dll
• C:\Users\aresm\OneDrive\Desktop\dll load\x64\Release\ares.pdb
• .bss
• MSVCP140.dll
• VCRUNTIME140_1.dll
• VCRUNTIME140.dll
• api-ms-win-crt-stdio-l1-1-0.dll
• api-ms-win-crt-runtime-l1-1-0.dll
• api-ms-win-crt-string-l1-1-0.dll
• api-ms-win-crt-heap-l1-1-0.dll
| Flow Anomalies |
The rows below are RIP-relative indirect CALL/JMP instructions in .text (FF 15 / FF 25 disp32, six bytes each). The Offset column is a file offset; the RVA column was empty in the report, but RVA = offset − 0x400 + 0x1000 for .text, and the branch target is the RVA of the next instruction plus the displacement. For example, offset 5F4 is RVA 0x11F4, so the target is 0x11F4 + 6 + 0x4FA6 = 0x61A0; offsets 64D and 68F both resolve to 0x61A8. Those land in .rdata just above RVA 6000, which the header lists as the IAT, so these are ordinary calls through import-table slots as MSVC emits them, not anomalous control flow.
| Offset | RVA | Section | Description |
|---|---|---|---|
| 5F4 | N/A | .text | CALL QWORD PTR [RIP+0x4FA6] |
| 64D | N/A | .text | CALL QWORD PTR [RIP+0x4F55] |
| 68F | N/A | .text | JMP QWORD PTR [RIP+0x4F13] |
| 714 | N/A | .text | CALL QWORD PTR [RIP+0x4E86] |
| 754 | N/A | .text | CALL QWORD PTR [RIP+0x4E46] |
| 77B | N/A | .text | CALL QWORD PTR [RIP+0x4DEF] |
| 7EA | N/A | .text | CALL QWORD PTR [RIP+0x4C70] |
| 908 | N/A | .text | CALL QWORD PTR [RIP+0x4D52] |
| 934 | N/A | .text | CALL QWORD PTR [RIP+0x4B4E] |
| A04 | N/A | .text | CALL QWORD PTR [RIP+0x4A36] |
| BE1 | N/A | .text | CALL QWORD PTR [RIP+0x48A1] |
| DBB | N/A | .text | CALL QWORD PTR [RIP+0x468F] |
| DCC | N/A | .text | CALL QWORD PTR [RIP+0x46A6] |
| E32 | N/A | .text | CALL QWORD PTR [RIP+0x4828] |
| E48 | N/A | .text | CALL QWORD PTR [RIP+0x4812] |
| E5E | N/A | .text | CALL QWORD PTR [RIP+0x47FC] |
| E74 | N/A | .text | CALL QWORD PTR [RIP+0x47E6] |
| E8A | N/A | .text | CALL QWORD PTR [RIP+0x47D0] |
| EDD | N/A | .text | CALL QWORD PTR [RIP+0x477D] |
| F45 | N/A | .text | CALL QWORD PTR [RIP+0x4715] |
| FAA | N/A | .text | CALL QWORD PTR [RIP+0x44B0] |
| 10C8 | N/A | .text | CALL QWORD PTR [RIP+0x4592] |
| 10F4 | N/A | .text | CALL QWORD PTR [RIP+0x438E] |
| 11C4 | N/A | .text | CALL QWORD PTR [RIP+0x4276] |
| 13A1 | N/A | .text | CALL QWORD PTR [RIP+0x40E1] |
| 157B | N/A | .text | CALL QWORD PTR [RIP+0x3ECF] |
| 158C | N/A | .text | CALL QWORD PTR [RIP+0x3EE6] |
| 15F2 | N/A | .text | CALL QWORD PTR [RIP+0x4068] |
| 1608 | N/A | .text | CALL QWORD PTR [RIP+0x4052] |
| 161E | N/A | .text | CALL QWORD PTR [RIP+0x403C] |
| 1634 | N/A | .text | CALL QWORD PTR [RIP+0x4026] |
| 164A | N/A | .text | CALL QWORD PTR [RIP+0x4010] |
| 169D | N/A | .text | CALL QWORD PTR [RIP+0x3FBD] |
| 1705 | N/A | .text | CALL QWORD PTR [RIP+0x3F55] |
| 176A | N/A | .text | CALL QWORD PTR [RIP+0x3CF0] |
| 1888 | N/A | .text | CALL QWORD PTR [RIP+0x3DD2] |
| 18B4 | N/A | .text | CALL QWORD PTR [RIP+0x3BCE] |
| 1984 | N/A | .text | CALL QWORD PTR [RIP+0x3AB6] |
| 1B61 | N/A | .text | CALL QWORD PTR [RIP+0x3921] |
| 1D3B | N/A | .text | CALL QWORD PTR [RIP+0x370F] |
| 1D4C | N/A | .text | CALL QWORD PTR [RIP+0x3726] |
| 1DB2 | N/A | .text | CALL QWORD PTR [RIP+0x38A8] |
| 1DC8 | N/A | .text | CALL QWORD PTR [RIP+0x3892] |
| 1DDE | N/A | .text | CALL QWORD PTR [RIP+0x387C] |
| 1DF4 | N/A | .text | CALL QWORD PTR [RIP+0x3866] |
| 1E0A | N/A | .text | CALL QWORD PTR [RIP+0x3850] |
| 1E5D | N/A | .text | CALL QWORD PTR [RIP+0x37FD] |
| 1EC5 | N/A | .text | CALL QWORD PTR [RIP+0x3795] |
| 1ED9 | N/A | .text | CALL QWORD PTR [RIP+0x35C9] |
| 1F16 | N/A | .text | CALL QWORD PTR [RIP+0x3554] |
| 1F26 | N/A | .text | CALL QWORD PTR [RIP+0x359C] |
| 1F37 | N/A | .text | CALL QWORD PTR [RIP+0x356B] |
| 1F42 | N/A | .text | CALL QWORD PTR [RIP+0x3580] |
| 1FC9 | N/A | .text | CALL QWORD PTR [RIP+0x34B9] |
| 2051 | N/A | .text | CALL QWORD PTR [RIP+0x3609] |
| 20A0 | N/A | .text | CALL QWORD PTR [RIP+0x35BA] |
| 2174 | N/A | .text | CALL QWORD PTR [RIP+0x34E6] |
| 21B0 | N/A | .text | CALL QWORD PTR [RIP+0x32D2] |
| 2238 | N/A | .text | CALL QWORD PTR [RIP+0x3422] |
| 2287 | N/A | .text | CALL QWORD PTR [RIP+0x33D3] |
| 235B | N/A | .text | CALL QWORD PTR [RIP+0x32FF] |
| 2397 | N/A | .text | CALL QWORD PTR [RIP+0x30EB] |
| 241F | N/A | .text | CALL QWORD PTR [RIP+0x323B] |
| 246E | N/A | .text | CALL QWORD PTR [RIP+0x31EC] |
| 248B | N/A | .text | CALL QWORD PTR [RIP+0x2FCF] |
| 2510 | N/A | .text | CALL QWORD PTR [RIP+0x314A] |
| 2579 | N/A | .text | CALL QWORD PTR [RIP+0x2E91] |
| 259B | N/A | .text | CALL QWORD PTR [RIP+0x2E5F] |
| 25C7 | N/A | .text | CALL QWORD PTR [RIP+0x2E63] |
| 25D8 | N/A | .text | CALL QWORD PTR [RIP+0x2E3A] |
| 25E1 | N/A | .text | CALL QWORD PTR [RIP+0x2E31] |
| 2611 | N/A | .text | CALL QWORD PTR [RIP+0x2E71] |
| 263F | N/A | .text | CALL QWORD PTR [RIP+0x2EA3] |
| 2658 | N/A | .text | CALL QWORD PTR [RIP+0x2E12] |
| 266B | N/A | .text | CALL QWORD PTR [RIP+0x2F57] |
| 269C | N/A | .text | CALL QWORD PTR [RIP+0x2FE6] |
| 26AD | N/A | .text | CALL QWORD PTR [RIP+0x2DD5] |
| 271D | N/A | .text | CALL QWORD PTR [RIP+0x2F3D] |
| 2731 | N/A | .text | CALL QWORD PTR [RIP+0x2CE1] |
| 273A | N/A | .text | CALL QWORD PTR [RIP+0x2CD8] |
| 2791 | N/A | .text | CALL QWORD PTR [RIP+0x2CC1] |
| 27A4 | N/A | .text | CALL QWORD PTR [RIP+0x2C5E] |
| 27CF | N/A | .text | CALL QWORD PTR [RIP+0x2C53] |
| 27F5 | N/A | .text | CALL QWORD PTR [RIP+0x2C25] |
| 2800 | N/A | .text | CALL QWORD PTR [RIP+0x2CBA] |
| 2810 | N/A | .text | CALL QWORD PTR [RIP+0x2C7A] |
| 285B | N/A | .text | CALL QWORD PTR [RIP+0x2C7F] |
| 2892 | N/A | .text | CALL QWORD PTR [RIP+0x2BB0] |
| 28A7 | N/A | .text | CALL QWORD PTR [RIP+0x2C3B] |
| 28B7 | N/A | .text | CALL QWORD PTR [RIP+0x2C1B] |
| 28DC | N/A | .text | CALL QWORD PTR [RIP+0x2C0E] |
| 28F2 | N/A | .text | CALL QWORD PTR [RIP+0x2B88] |
| 2905 | N/A | .text | CALL QWORD PTR [RIP+0x2B95] |
| 291A | N/A | .text | CALL QWORD PTR [RIP+0x2BD8] |
| 2923 | N/A | .text | CALL QWORD PTR [RIP+0x2B97] |
| 292C | N/A | .text | CALL QWORD PTR [RIP+0x2B8E] |
| 294B | N/A | .text | CALL QWORD PTR [RIP+0x2BA7] |
| 2954 | N/A | .text | CALL QWORD PTR [RIP+0x2B66] |
| 29CC | N/A | .text | CALL QWORD PTR [RIP+0x2AC6] |
| 2A3A | N/A | .text | CALL QWORD PTR [RIP+0x2A78] |
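The section table, the Information block and the Flow Anomalies table all reduce to the same arithmetic: mapping RVAs to file offsets and back against the six sections above. The following is an added example, not PEScan's code or anything from ares.dll, that encodes the section values from this report and provides the three checks a reviewer would want: the entry-point RVA-to-offset calculation, resolving the RIP-relative call targets to confirm they hit the IAT, and reproducing the "17,00 KB Missing" figure as SizeOfImage minus file size. The 0x1000 section alignment is an assumption (every VirtualAddress in the table is 0x1000-aligned); function names are this example's own.

```python
"""Section-table arithmetic for the ares.dll report: RVA <-> file offset,
RIP-relative target resolution, and the SizeOfImage-vs-file-size check.
Added example, not PEScan or project code; the constants are copied from
the report's Information and Sections Info blocks."""

from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Section:
    name: str
    raw_offset: int    # PointerToRawData (ROffset)
    raw_size: int      # SizeOfRawData   (RSize)
    virt_addr: int     # VirtualAddress  (VOffset, an RVA)
    virt_size: int     # VirtualSize     (VSize)


# Values reported for ares.dll, in section-table order.
SECTIONS: List[Section] = [
    Section(".text",  0x0400, 0x5000, 0x1000, 0x4EE9),
    Section(".rdata", 0x5400, 0x4C00, 0x6000, 0x4B0A),
    Section(".data",  0xA000, 0x0200, 0xB000, 0x0768),
    Section(".pdata", 0xA200, 0x0600, 0xC000, 0x0588),
    Section(".rsrc",  0xA800, 0x0200, 0xD000, 0x00F8),
    Section(".reloc", 0xAA00, 0x0200, 0xE000, 0x0064),
]
SIZE_OF_HEADERS = 0x400
SIZE_OF_IMAGE = 0xF000
IAT_RVA = 0x6000
FILE_SIZE = 43 * 1024            # "43,00 KB" in the report
SECTION_ALIGNMENT = 0x1000       # assumed: every VirtualAddress is 0x1000-aligned


def section_for_rva(rva: int) -> Optional[Section]:
    """The loader maps max(VirtualSize, SizeOfRawData) bytes per section."""
    for s in SECTIONS:
        if s.virt_addr <= rva < s.virt_addr + max(s.virt_size, s.raw_size):
            return s
    return None


def rva_to_offset(rva: int) -> int:
    if rva < SIZE_OF_HEADERS:
        return rva                      # headers are mapped 1:1
    s = section_for_rva(rva)
    if s is None:
        raise ValueError(f"RVA {rva:#x} is outside every section")
    delta = rva - s.virt_addr
    if delta >= s.raw_size:
        raise ValueError(f"RVA {rva:#x} lies in zero-filled virtual space of {s.name}")
    return s.raw_offset + delta


def offset_to_rva(offset: int) -> int:
    if offset < SIZE_OF_HEADERS:
        return offset
    for s in SECTIONS:
        if s.raw_offset <= offset < s.raw_offset + s.raw_size:
            return s.virt_addr + (offset - s.raw_offset)
    raise ValueError(f"offset {offset:#x} is not inside any section's raw data")


def resolve_rip_relative(file_offset: int, disp32: int, insn_len: int = 6) -> int:
    """Target RVA of `CALL/JMP QWORD PTR [RIP+disp32]` (FF 15 / FF 25, 6 bytes).
    RIP already points at the next instruction when the displacement is added."""
    if disp32 >= 0x8000_0000:           # disp32 is signed
        disp32 -= 0x1_0000_0000
    return offset_to_rva(file_offset) + insn_len + disp32


def is_iat_slot(rva: int) -> bool:
    """True when the target sits in .rdata at or past the IAT RVA from the header."""
    s = section_for_rva(rva)
    return s is not None and s.name == ".rdata" and rva >= IAT_RVA


def raw_data_end() -> int:
    return max(s.raw_offset + s.raw_size for s in SECTIONS)


def expected_size_of_image(align: int = SECTION_ALIGNMENT) -> int:
    last = SECTIONS[-1]
    end = last.virt_addr + last.virt_size
    return (end + align - 1) & ~(align - 1)


def missing_bytes_heuristic(file_size: int = FILE_SIZE) -> int:
    """Reproduces the report's '17,00 KB Missing': SizeOfImage minus file size.
    Compare with raw_data_end(): if raw data ends at EOF, nothing is truncated."""
    return SIZE_OF_IMAGE - file_size


if __name__ == "__main__":
    print(f"entry point RVA 0x5404 -> file offset {rva_to_offset(0x5404):#x}")
    for off, disp in [(0x5F4, 0x4FA6), (0x64D, 0x4F55), (0x68F, 0x4F13), (0x2A3A, 0x2A78)]:
        t = resolve_rip_relative(off, disp)
        print(f"offset {off:#06x} -> target RVA {t:#x} (IAT slot: {is_iat_slot(t)})")
    print(f"raw data ends at {raw_data_end():#x}, file size {FILE_SIZE:#x}")
    print(f"SizeOfImage gap {missing_bytes_heuristic()} bytes; expected SizeOfImage "
          f"{expected_size_of_image():#x} vs header {SIZE_OF_IMAGE:#x}")
```

Feeding the whole Flow Anomalies table through `resolve_rip_relative` and `is_iat_slot` is the quick way to confirm that none of these indirect branches leaves the import table; a hit outside .rdata, or a target inside .data, would be the thing actually worth calling an anomaly.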
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 24203 | 54.9668% |
| Null Byte Code | 10685 | 24.2664% |
© 2026 All rights reserved.