hex relative absolute shared undetected self-modifying non-executable checksum-valid checksum-invalid Address-Space-Layout-Randomization (ASLR) Code-Integrity (CI) Data Execution Prevention (DEP) Image isolation Structured-Exception Handling (SEH) image-bound Windows-Driver Model (WDM) Terminal-Server aware (TSA) low double click > internal double click > external thread-local-storage files double-click > save to file User Interface Privilege Isolation (UIPI) Import Name Table (INT) Select file to open Exe files (*.exe)|*.exe|Dll files (*.dll)|*.dll|Sys files (*.sys)|*.sys|All Files (*.*)|*.*|| failure Images (%i of %i) Image not found highest administrator invoker trust-info-missing size-PKCS7-null-padding internet connection failed overview wait... show duplicates positives bound disabled scan-id resource response-code scan-date permanent-link verbose engines detections sha1 sha256 md5 details result vendor virustotal header results signature exports analysis ordinal available gap forwarded entry-point xml-id symbol gaps address hint offline imphash more online bl n/a callback 32 64 map severity detection date (dd.mm.yyyy) age (days) not-supported - x directory directories obfuscated level raw-address size (bytes) open Virustotal in a Browser invalid empty missing TimeDateStamp libraries library type tooling image-base imports CPU mismatch type cpu all implicit delay-loaded application flag description Imported Library bound types created undocumented 16bytes symbol section:offset library ignore deprecated anti-debug imports registries urls messages Tables Control-Flow Guard (CFG) delay-loaded strings-tables manifest certificates elevated unsafe top list begin end function score address (begin) address (end) address (unwind) expired high file duplicate property value detail status headers image error details date %.2i/%.2i/%.4i stamp %.2i:%.2i:%.2i import network error strings string footprints overlay ascii unicode file-header-offset issue groups not found 32-bit words support relocation-stripped large-address-aware uniprocessor system-image dynamic-link-library file-can-be-executed debug-stripped media-run-from-swap network-run-from-swap properties hash gp group location exceptions start special data-begin data-end callback standard exception %s not found run-from-swap color-text anonymous certificate resources type instance size offset code-page language manifest assemblies assembly name line-stripped-from-file version token total count raw_data | cursor file-subtype file-os index AssembyRef TypeDef suspicious score-file score-file-details r g b settings dump to file instances bitmap string-table 32-bit 64-bit dos address (type) trustInfo execution file-offset file-offset (from) file-offset (to) true false level uiAccess code-less language rich-header > checksum character-set items item name value rich-header signature-offset dos-stub PE00 autoElevate virtual Check online for an update unreachable tactic technique please wait while analyzing the file... INT dos-header mitre file-signature pe-offset build-id product-id IDE open > pestudio > settings proceed checksum checksum-real stamp > certificate icon stamp > export stamp > resource stamp stamp > debug e_lfanew checksum-builtin relocations file-header machine sections > count stamp > compiler pointer-symbol-table number-of-symbols dialog characteristics e_magic menu files rich-header > location resource > location first-thunk (IAT) first-thunk-original (INT) label decorated import debug relocations optional-header magic linker > version control-flow-guard size-of-code size-of-initialized-data size-of-uninitialized-data local-symbols-stripped-from-file base-of-code base-of-data image-base section-alignment file-alignment os > version enable image > version revision subsystem windows-driver-model Win32VersionValue size-of-image size-of-headers file-checksum * DllCharacteristics ASLR DEP SEH real-checksum threshold stamp > import executable dll size-of-stack-reserve size-of-stack-commit size-of-heap-reserve size-of-heap-commit LoaderFlags pdb message issued-by signer counter-signer email street postal-code certificate > stamp > valid-from certificate > stamp > valid-to organization serial-number CRL-Distribution-Point certificate > stamp > signing Dump PKCS7 encoding bytes-of-machine-words-reversed-Hi bytes-of-machine-words-reversed-Low unexpected expected .NET FileMajorVersion FileMinorVersion FileVersionBuildNumber FileVersionRevisionNumber runtime-version ... entry-point (token | address) flags execute streams exe-header > offset LanguageId CodePage IL-Only 32-bit-required IL-Library strong-name-signed track-debug-data BSJB strings export file > ratio file > name executables 32-bit-preferred native-entry-point typelibId stream tables table file (signature: %s, size: %i bytes) debug GUID %.4X-%2.X-%2.X-%1X%1X-%1X%1X%1X%1X%1X%1X age RSDS Nb09 Nb10 Nb11 format gap overlay > location resources (size) strong-name-signature (size) rows export-address-table-jump (size) vtable-fixup-size drag-and-drop a file to analyse... original jump heap-sizes extra-data .NET items not yet supported module > name namespace header tooling namespace (system) namespace (custom) null class save changes ? #Strings #US pestudio internal key overwrite the file? anomaly file-header > location dos-stub > location pestudio read-only resources (RVA) BoundImports BoundImport BoundImportDate High-Entropy AppContainer Microsoft Linker version > location none debug > file dos-header > location stack-buffer-overrun-detection (GS) Control-flow Enforcement Technology (CETCOMPACT) hooking instance spoofing debug > location save to file Dump files (*.dump)|*.dump|All Files (*.*)|*.*|| save to file * xml files (*.xml)|*.xml|All Files (*.*)|*.*|| xml Cannot create Report file! p/Invoke API function (RVA) function-name (RVA) zero callback name (RVA) function-index tail WIN_CERTIFICATE issued-to more-info-url hash-algorithm program-name entropy sections name virtual-size virtual-address (begin) raw-size streams file-cave contains characteristics blacklisted obfuscated read write execute share unreadable virtual-address (end) section LordPE general load-config security PointerToRelocations PointerToLinenumbers NumberOfRelocations NumberOfLinenumbers characteristics sections ExecutableCode initialized-data uninitialized-data discardable cachable pageable valid-from valid-to purpose(s) Ensures software came from software publisher Protects software from alteration after publication stamp > signing indicators indicator The quota has been reached. stamps thumbprint hash-encryption-algorithm signature-algorithm revocation-status size-PKCS7 size-certificate file-names signature-info This digital signature is OK. run from system swap hashes names Item not found at Virustotal sample imphash > md5 overlay > sha256 rich-header > md5 original-file-name footprint cannot be executed The server understands the request but refuses to authorize it +++ ++ + > Type of footprints to use: Number of bytes to retrieve: Report format: Disable strings when file size exceeds: Key to use when proceeding to query: 16 bytes 32 bytes 64 bytes 256 KB 378 KB 512 KB 1024 KB no-limit show groups color show Mitre Tactics show Relocations show Exceptions show Epoch stamps enable Virustotal query sample is read-only show sample in caption show strings dump certificate to file dump certificate tail to file dump debug stream to file www.google.com location (from-to) line copy line copy value copy detail copy property copy item copy indicator search Virustotal dump stream copy name copy description lookup in Browser save to file save certificate to file save certificate tail to file bytes-hex bytes-text open in pestudio delete +++ ++ + copy import name copy namespace copy technique set entry-point copy query friendly name copy file name close file copy to clipboard initialized uninitialized cache page read attack.mitre.org first %i bytes (hex) first %i bytes (text) unknown Your own Virustotal key that will be used for perform queries. Once provided, the internal key of pestudio won't be used anymore. MS-DOS Windows NT Windows 16-bit Windows 32-bit OS/2 16-bit OS/2 32-bit PM-16-bit PM-32-bit Unknown executable dynamic-link library device-driver font static-link library virtual-device unknown Communication-driver Display-driver Installable-driver Keyboard-driver Language-driver Mouse driver Network-driver Printer-driver Sound-driver System-driver Printer-driver Unknown-Driver image dos-header dos-stub file-header rich-header library import export resource manifest debug version section certificate overlay dot-net any unknown md5 sha1 sha256 unknown absolute high low high-low high-adjust mips-jump-addr ia64 dir64 unknown double-click > jump double-click > url double-click > save > file unknown WIN_CERT_REVISION_1_0 WIN_CERT_REVISION_2_0 unknown md5 md5RSA sha1 sha1RSA sha256 sha384 sha512 rsa sha256RSA sha384RSA sha512RSA unknown image footprint group indicator mitre score dos-stub dos-header rich-header file-header optional-header directories sections libraries imports exports exceptions certificate relocations thread-local-storage dotnet resources version debug strings manifest overlay trust-information hash-algorithm hash-encryption-algorithm signature-algorithm thumbprint program-name serial-number display email dns issued-to issued-by signing-time valid-from valid-to info-url info-file more-info-url more-info-file unknown WIN_CERT_TYPE_X509 WIN_CERT_TYPE_PKCS_SIGNED_DATA WIN_CERT_TYPE_RESERVED_1 WIN_CERT_TYPE_TS_STACK_SIGNED unknown timer registry execution network crypto memory file synchro desktop services obfuscation resource windowing compression hooking sharing diagnostic administration exception reconnaissance console dynamic-library io Common-Object-Model (COM) desktop shell setup power directory-service security device export import resource exception security relocation debug architecture global-pointer thread-local-storage load-configuration bound-import import-address delay-loaded .NET reserved manifest cursor bitmap icon menu dialog dialog-data string-table message-table font-directory font accelerator rcdata cursor-group icon-group version dlgInclude Plug-and-play Vxd Animated-cursor Animated-icon HTML MUI icons custom executable Riff GIF PNG BMP Stylesheet-XML XML-Event-Log Nb10 Debugger FPO-debug Text JPEG Python Python-script XML unknown none empty any Native GUI console Windows-boot-application Windows-CE os2 posix win9x-driver EFI-application EFI-driver-boot-service EFI-driver-run-time-service EFI-ROM Xbox unknown Intel-386 MipsR3000 MipsR6000 MipsR10000 Mipsv2 Alpha SH3 SH3DSP SH3E SH4 SH5 ARM ARMv7 ARM-Thumb ARM-Thumb-2-little-Indian AM33 PowerPc PowerPcfp IA64 Mips16 Alpha64 MipsFpu MipsFpu16 Axp64 TriCore CEF EBC Amd64 M32R CEE unknown asInvoker highest administrator unknown Windows 11 Windows 10 Windows Server 2022 Windows Server 2019 Windows Server 2016 Windows 8.1 Windows Server 2012 R2 Windows 8 Windows Server 2012 Windows 7 Windows Server 2008 R2 Windows Server 2008 Windows Vista Windows Server 2003 R2 Windows Server 2003 Windows XP 64-bit Windows XP Windows 2000 Windows NT 4.0 COFF Nb09 Nb10 Nb11 RSDS FPO MISC exception fixu omapToSrc omapFromSrc Borland reserved10 clsid PGO vcFeature iltcg mpx REPRO Extended Dll Characteritics embedded portable PDB unknown 7-bit ASCII Japan (Shift – JIS X-0208) Korea (Shift – KSC 5601) Taiwan (Big5) Unicode Latin-2 (Eastern European) Cyrillic Multilingual Greek Turkish Hebrew Arabic high medium low info unknown none Implicit Delay-load Forward p/Invoke Unknown Administrator Highest Invoker PE PE+ rich-header privilege registry user-agent rtti debug utility mutex query sid file regex url-pattern security size base64 import export format-string dotnet-namespace library unknown