PESCAN.IO - Analysis Report Basic

File Structure
(Analysis image not included in this extract; chart legend follows)
PE Chart Code
Header PE (light blue)
Executable sections (pink)
Non-executable sections (black)
External injected code (red)
File Structure in red = malformed or corrupted header

Chart Code For Other Files
Printable characters (blue)
Non-printable characters (black)
Information
Size: 90,50 KB
SHA-256 Hash: 2252F0D4D5662DCE42E0221536F800A7B4F789FD1D990C55342129D6D6C8CCBF
SHA-1 Hash: 403A34CA209F34D439283E880581C058B4CD0E3B
MD5 Hash: 014EE10D2982B1C195C7EF68B26609EC
Imphash: 0761108409574053EF2C7421CD978F5D
MajorOSVersion: 6
MinorOSVersion: 0
CheckSum: 00000000
EntryPoint (rva): 11037
SizeOfHeaders: 400
SizeOfImage: 2D000
ImageBase: 0000000140000000
Architecture: x64
ImportTable: 27578
IAT: 27000
Characteristics: 22
TimeDateStamp: 6A09CE32
Date: 17/05/2026 14:18:26
File Type: EXE
Number Of Sections: 10
ASLR: Disabled
Section Names (Optional Header): .textbss, .text, .rdata, .data, .pdata, .idata, .msvcjmc, .00cfg, .rsrc, .reloc
Number Of Executable Sections: 2
Subsystem: Windows Console
UAC Execution Level Manifest: asInvoker
[Incomplete Binary or Compressor Packer - 89,50 KB Missing]

Sections Info
Section Name  Flags       Characteristics                                            ROffset  RSize  VOffset  VSize  Entropy  Chi2
.textbss      0xE00000A0  Code, Uninitialized Data, Executable, Readable, Writeable  0        0      1000     10000  N/A      N/A
.text         0x60000020  Code, Executable, Readable                                 400      D200   11000    D0BB   3.5352   4428203.44
.rdata        0x40000040  Initialized Data, Readable                                 D600     3E00   1F000    3D96   2.4825   2171526.03
.data         0xC0000040  Initialized Data, Readable, Writeable                      11400    600    23000    590    0.6663   340343.33
.pdata        0x40000040  Initialized Data, Readable                                 11A00    2600   24000    2478   1.5689   1757523.42
.idata        0x40000040  Initialized Data, Readable                                 14000    1A00   27000    19B5   4.0548   379268.23
.msvcjmc      0xC0000040  Initialized Data, Readable, Writeable                      15A00    400    29000    23C    0.8234   160800
.00cfg        0x40000040  Initialized Data, Readable                                 15E00    200    2A000    175    0.4716   115754
.rsrc         0x40000040  Initialized Data, Readable                                 16000    600    2B000    43C    2.143    215406.67
.reloc        0x42000040  Initialized Data, GP-Relative, Readable                    16600    400    2C000    2EC    1.1431   201200.5
Entry Point
Section number 2 contains the Entry Point
Information -> EntryPoint (calculated) - 437
Code -> E914580000E90F640000E9EF880000E938890000E990430000E946890000E9966F0000E9B13C0000E9CC290000E9E64C0000
Assembler
JMP 0X6819
JMP 0X7419
JMP 0X98FE
JMP 0X994C
JMP 0X53A9
JMP 0X9964
JMP 0X7FB9
JMP 0X4CD9
JMP 0X39F9
JMP 0X5D18
Signatures
Rich Signature Analyzer:
Code -> BCF7CE28F896A07BF896A07BF896A07BB31CA37AFB96A07BB31CA47AF396A07BB31CA57AE596A07BB31CA17AFE96A07B8117A17AFD96A07BF896A17B9D96A07B751DA57AF996A07B751D5F7BF996A07B751DA27AF996A07B52696368F896A07B
Footprint md5 Hash -> E69267E0A66D6882F172DE77C418B67F
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler
Compiler: Microsoft Visual Studio
Detect It Easy (die)
PE+(64): linker: Microsoft Linker(14.50**)[-]
Entropy: 3.74108

Suspicious Functions
Library Function Description
KERNEL32.DLL GetProcAddress Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL IsDebuggerPresent Determines if the calling process is being debugged by a user-mode debugger.
Windows REG (UNICODE)
SOFTWARE\Wow6432Node\Microsoft\VisualStudio\14.0\Setup\VC

File Access
ucrtbased.dll
VCRUNTIME140_1D.dll
VCRUNTIME140D.dll
MSVCP140D.dll
KERNEL32.dll
@.dat

File Access (UNICODE)
advapi32.dll
api-ms-win-core-registry-l1-1-0.dll
VCRUNTIME140D.dll
bin\amd64\MSPDB140.DLL

Words of Interest
Encrypt
PassWord
exec
start

Strings/Hex Code Found With The File Rules
Rule Type Encoding Matched (Word)
Text Ascii Registry (RegOpenKeyEx)
Text Ascii Anti-Analysis VM (IsDebuggerPresent)
Entry Point Hex Pattern Microsoft Visual C++ 8.0
Entry Point Hex Pattern Microsoft Visual C++ 8.0
Entry Point Hex Pattern NeoLite v2.0
Resources
Path        DataRVA  Size  FileOffset  Code                                                                                              Text
\24\1\1033  2B170    17D   16170       3C3F786D6C2076657273696F6E3D27312E302720656E636F64696E673D275554462D3827207374616E64616C6F6E653D2779  <?xml version='1.0' encoding='UTF-8' standalone='y
Intelligent String
• D:\a\_work\1\s\src\vctools\crt\github\stl\src\locale0.cpp
• bin\amd64\MSPDB140.DLL
• VCRUNTIME140D.dll
• api-ms-win-core-registry-l1-1-0.dll
• advapi32.dll
• C:\Users\user\source\repos\XOR\x64\Debug\XOR.pdb
• KERNEL32.dll

Flow Anomalies
Offset RVA Section Description
23F4 N/A .text CALL QWORD PTR [RIP+0x141D6]
241D N/A .text CALL QWORD PTR [RIP+0x141AD]
2447 N/A .text CALL QWORD PTR [RIP+0x14183]
24BD N/A .text CALL QWORD PTR [RIP+0x14105]
2507 N/A .text CALL QWORD PTR [RIP+0x14063]
2532 N/A .text CALL QWORD PTR [RIP+0x14040]
254C N/A .text CALL QWORD PTR [RIP+0x1409E]
25BB N/A .text CALL QWORD PTR [RIP+0x13FAF]
25DA N/A .text CALL QWORD PTR [RIP+0x14008]
263D N/A .text CALL QWORD PTR [RIP+0x13F2D]
2668 N/A .text CALL QWORD PTR [RIP+0x13F0A]
2682 N/A .text CALL QWORD PTR [RIP+0x13F68]
26F8 N/A .text CALL QWORD PTR [RIP+0x13EDA]
2730 N/A .text CALL QWORD PTR [RIP+0x13EAA]
28ED N/A .text CALL QWORD PTR [RIP+0x13C8D]
292D N/A .text CALL QWORD PTR [RIP+0x13C55]
2A6B N/A .text CALL QWORD PTR [RIP+0x13B8F]
2ACF N/A .text CALL QWORD PTR [RIP+0x13AFB]
2B22 N/A .text CALL QWORD PTR [RIP+0x13A48]
2B2B N/A .text CALL QWORD PTR [RIP+0x13A8F]
2B63 N/A .text CALL QWORD PTR [RIP+0x13A07]
2B6C N/A .text CALL QWORD PTR [RIP+0x13A86]
2BEA N/A .text CALL QWORD PTR [RIP+0x139B8]
2C74 N/A .text CALL QWORD PTR [RIP+0x1395E]
2CBA N/A .text CALL QWORD PTR [RIP+0x13920]
2E7B N/A .text CALL QWORD PTR [RIP+0x13697]
2E8B N/A .text CALL QWORD PTR [RIP+0x1369F]
2E99 N/A .text CALL QWORD PTR [RIP+0x13699]
2FA0 N/A .text CALL QWORD PTR [RIP+0x135DA]
3000 N/A .text CALL QWORD PTR [RIP+0x135AA]
30A2 N/A .text CALL QWORD PTR [RIP+0x134E0]
3285 N/A .text CALL QWORD PTR [RIP+0x132E5]
3345 N/A .text CALL QWORD PTR [RIP+0x13225]
362D N/A .text CALL QWORD PTR [RIP+0x12F0D]
36C7 N/A .text CALL QWORD PTR [RIP+0x12EEB]
3702 N/A .text CALL QWORD PTR [RIP+0x12E90]
3736 N/A .text CALL QWORD PTR [RIP+0x12DFC]
375B N/A .text CALL QWORD PTR [RIP+0x12E57]
389F N/A .text CALL QWORD PTR [RIP+0x12CCB]
393F N/A .text CALL QWORD PTR [RIP+0x12C2B]
3BA5 N/A .text CALL QWORD PTR [RIP+0x12975]
48F3 N/A .text CALL QWORD PTR [RIP+0x11B07]
4AD9 N/A .text CALL QWORD PTR [RIP+0x11A49]
4B08 N/A .text CALL QWORD PTR [RIP+0x11A1A]
4B37 N/A .text CALL QWORD PTR [RIP+0x119EB]
4B66 N/A .text CALL QWORD PTR [RIP+0x119BC]
4B7B N/A .text CALL QWORD PTR [RIP+0x119A7]
4B87 N/A .text CALL QWORD PTR [RIP+0x11873]
4C15 N/A .text CALL QWORD PTR [RIP+0x1190D]
4C30 N/A .text CALL QWORD PTR [RIP+0x118F2]
4C61 N/A .text CALL QWORD PTR [RIP+0x118C1]
4C7C N/A .text CALL QWORD PTR [RIP+0x118A6]
4DC5 N/A .text JMP QWORD PTR [RIP+0x11635]
4DCB N/A .text JMP QWORD PTR [RIP+0x117AF]
4DD1 N/A .text JMP QWORD PTR [RIP+0x117B1]
4DD7 N/A .text JMP QWORD PTR [RIP+0x117B3]
4E4C N/A .text CALL QWORD PTR [RIP+0x145CE]
4E88 N/A .text CALL QWORD PTR [RIP+0x14592]
4F8D N/A .text CALL QWORD PTR [RIP+0x11925]
4FE3 N/A .text CALL QWORD PTR [RIP+0x118D7]
50E9 N/A .text JMP QWORD PTR [RIP+0x114B1]
50EF N/A .text JMP QWORD PTR [RIP+0x114B3]
50F5 N/A .text JMP QWORD PTR [RIP+0x114B5]
50FB N/A .text JMP QWORD PTR [RIP+0x114B7]
5101 N/A .text JMP QWORD PTR [RIP+0x114C1]
5107 N/A .text JMP QWORD PTR [RIP+0x114C3]
510D N/A .text JMP QWORD PTR [RIP+0x114C5]
5113 N/A .text JMP QWORD PTR [RIP+0x114E7]
5119 N/A .text JMP QWORD PTR [RIP+0x114A1]
511F N/A .text JMP QWORD PTR [RIP+0x114D3]
5125 N/A .text JMP QWORD PTR [RIP+0x114C5]
512B N/A .text JMP QWORD PTR [RIP+0x114B7]
5131 N/A .text JMP QWORD PTR [RIP+0x114A9]
5137 N/A .text JMP QWORD PTR [RIP+0x1145B]
513D N/A .text JMP QWORD PTR [RIP+0x1142D]
5143 N/A .text JMP QWORD PTR [RIP+0x1142F]
5149 N/A .text JMP QWORD PTR [RIP+0x113C9]
514F N/A .text JMP QWORD PTR [RIP+0x113CB]
5155 N/A .text JMP QWORD PTR [RIP+0x113CD]
515B N/A .text JMP QWORD PTR [RIP+0x113CF]
5161 N/A .text JMP QWORD PTR [RIP+0x113D1]
5167 N/A .text JMP QWORD PTR [RIP+0x113D3]
516D N/A .text JMP QWORD PTR [RIP+0x113F5]
54A8 N/A .text CALL QWORD PTR [RIP+0x10FEA]
5A32 N/A .text CALL QWORD PTR [RIP+0x139E8]
5FCC N/A .text CALL QWORD PTR [RIP+0x1344E]
6636 N/A .text CALL QWORD PTR [RIP+0x12DE4]
6F01 N/A .text CALL QWORD PTR [RIP+0xF511]
6F33 N/A .text CALL QWORD PTR [RIP+0xF4DF]
6F8F N/A .text CALL QWORD PTR [RIP+0xF473]
6FFD N/A .text CALL QWORD PTR [RIP+0x1241D]
7042 N/A .text CALL QWORD PTR [RIP+0xF3D8]
7091 N/A .text CALL QWORD PTR [RIP+0xF389]
70CF N/A .text CALL QWORD PTR [RIP+0x1234B]
71C4 N/A .text CALL QWORD PTR [RIP+0xF246]
74CC N/A .text CALL QWORD PTR [RIP+0xEF66]
74DC N/A .text CALL QWORD PTR [RIP+0xEFB6]
74F4 N/A .text CALL QWORD PTR [RIP+0xEF36]
7511 N/A .text CALL QWORD PTR [RIP+0xEF11]
76AB N/A .text CALL QWORD PTR [RIP+0xED8F]
405-995 N/A .text Potential obfuscated jump sequence detected, count: 285
996-F2F N/A .text Unusual BP Cave, count: 1434
F46-221F N/A .text Unusual BP Cave, count: 4826
226E-228F N/A .text Unusual BP Cave, count: 34
22EF-230F N/A .text Unusual BP Cave, count: 33
2784-288F N/A .text Unusual BP Cave, count: 268
296D-29AF N/A .text Unusual BP Cave, count: 67
2D0E-2DEF N/A .text Unusual BP Cave, count: 226
2EB1-2EDF N/A .text Unusual BP Cave, count: 47
30DE-314F N/A .text Unusual BP Cave, count: 114
31F4-321F N/A .text Unusual BP Cave, count: 44
32B6-32DF N/A .text Unusual BP Cave, count: 42
3376-339F N/A .text Unusual BP Cave, count: 42
33EE-340F N/A .text Unusual BP Cave, count: 34
346C-348F N/A .text Unusual BP Cave, count: 36
350D-352F N/A .text Unusual BP Cave, count: 35
35A5-35CF N/A .text Unusual BP Cave, count: 43
364E-366F N/A .text Unusual BP Cave, count: 34
377C-37BF N/A .text Unusual BP Cave, count: 68
3832-384F N/A .text Unusual BP Cave, count: 30
38C9-38EF N/A .text Unusual BP Cave, count: 39
3969-398F N/A .text Unusual BP Cave, count: 39
3A1F-3A3F N/A .text Unusual BP Cave, count: 33
3ADF-3B0F N/A .text Unusual BP Cave, count: 49
3D01-3D2F N/A .text Unusual BP Cave, count: 47
3F21-3F5F N/A .text Unusual BP Cave, count: 63
42FC-432F N/A .text Unusual BP Cave, count: 52
465A-46EF N/A .text Unusual BP Cave, count: 150
47AC-47DF N/A .text Unusual BP Cave, count: 52
4881-489F N/A .text Unusual BP Cave, count: 31
4CC1-4DC4 N/A .text Unusual BP Cave, count: 260
4EA3-4ECF N/A .text Unusual BP Cave, count: 45
4FB0-4FCF N/A .text Unusual BP Cave, count: 32
526C-528F N/A .text Unusual BP Cave, count: 36
5397-53DF N/A .text Unusual BP Cave, count: 73
5619-565F N/A .text Unusual BP Cave, count: 71
5707-5735 N/A .text Unusual BP Cave, count: 47
589C-58CF N/A .text Unusual BP Cave, count: 52
5AE6-5B4F N/A .text Unusual BP Cave, count: 106
5D36-5D6F N/A .text Unusual BP Cave, count: 58
5DFA-5E1F N/A .text Unusual BP Cave, count: 38
5E92-5EAF N/A .text Unusual BP Cave, count: 30
61C5-620F N/A .text Unusual BP Cave, count: 75
629B-62BF N/A .text Unusual BP Cave, count: 37
63CD-63EF N/A .text Unusual BP Cave, count: 35
6642-665F N/A .text Unusual BP Cave, count: 30
66CB-66EF N/A .text Unusual BP Cave, count: 37
6919-693F N/A .text Unusual BP Cave, count: 39
6BD7-6C2F N/A .text Unusual BP Cave, count: 89
6C7E-6C9F N/A .text Unusual BP Cave, count: 34
6D6F-6DAF N/A .text Unusual BP Cave, count: 65
6E44-6E6F N/A .text Unusual BP Cave, count: 44
7106-71AF N/A .text Unusual BP Cave, count: 170
72A5-72DF N/A .text Unusual BP Cave, count: 59
756E-759F N/A .text Unusual BP Cave, count: 50
7614-763F N/A .text Unusual BP Cave, count: 44
7851-786F N/A .text Unusual BP Cave, count: 31
7946-796F N/A .text Unusual BP Cave, count: 42
7A3B-7A6F N/A .text Unusual BP Cave, count: 53
7AB2-7ACF N/A .text Unusual BP Cave, count: 30
7B12-7B2F N/A .text Unusual BP Cave, count: 30
801D-815F N/A .text Unusual BP Cave, count: 323
82F0-834F N/A .text Unusual BP Cave, count: 96
8602-86AF N/A .text Unusual BP Cave, count: 174
87B2-87FF N/A .text Unusual BP Cave, count: 78
8BC6-8CB6 N/A .text Unusual BP Cave, count: 241
8EB9-A125 N/A .text Unusual BP Cave, count: 4717
A156-B15F N/A .text Unusual BP Cave, count: 4106
B1EA-B20F N/A .text Unusual BP Cave, count: 38
B2CA-B2EF N/A .text Unusual BP Cave, count: 38
B47F-C49F N/A .text Unusual BP Cave, count: 4129
C4B6-D4BA N/A .text Unusual BP Cave, count: 4101
Extra Analysis
Metric Value Percentage
Ascii Code 51829 55,9274%
Null Byte Code 32679 35,2631%