PESCAN.IO - Analysis Report Basic

Information
Size: 6,50 KB
SHA-256 Hash: 58A594503AE54D3F6F1A6FF5A01FD8EEB0BD19249CB2A436A1DC65FAC04FBD63
SHA-1 Hash: AB35C4D8AA5B8D7BF8CD03C64694222904BC97D3
MD5 Hash: 1628E1FD41904C9E6B6CAC8C84A84B8C
Imphash: F34D5F2D4577ED6D9CEEC516C1F5A744
MajorOSVersion: 4
MinorOSVersion: 0
CheckSum: 00000000
EntryPoint (rva): 2E1E
SizeOfHeaders: 200
SizeOfImage: 8000
ImageBase: 400000
Architecture: x86
ImportTable: 2DCC
IAT: 2000
Characteristics: 102
TimeDateStamp: 6A1D6611
Date: 01/06/2026 10:59:29
File Type: EXE
Number Of Sections: 3
ASLR: Enabled
Section Names: .text, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI
UAC Execution Level Manifest: requireAdministrator

Sections Info
Section Name Flags ROffset RSize VOffset VSize Entropy Chi2
.text 0x60000020 (Code, Executable, Readable) 200 1000 2000 E24 4.8457 157663.38
.rsrc 0x40000040 (Initialized Data, Readable) 1200 600 4000 4F0 3.6139 112487.67
.reloc 0x42000040 (Initialized Data, GP-Relative, Readable) 1800 200 6000 C 0.0776 128523
Description
OriginalFilename: scgen_64426ebc219d4e7cbb8f2b9691d97cf7.exe
FileVersion: 0.0.0.0
FileDescription: GDeyRnUs
ProductVersion: 0.0.0.0
Language: Unknown (ID=0x0)
CodePage: Unicode (UTF-16 LE) (0x4B0)

Entry Point
Section number 1 (.text) contains the Entry Point
Information -> EntryPoint (calculated) - 101E
Code -> FF25002040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Assembler
|JMP DWORD PTR [0X402000]
|ADD BYTE PTR [EAX], AL
Signatures
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler
Compiler: Microsoft Visual .NET - (You can use a decompiler for this...)
AnyCPU: True
Version: v4.0
Detect It Easy (die)
PE: library: .NET(v4.0.30319)[-]
PE: linker: Microsoft Linker(11.0)[-]
Entropy: 4.22765

Windows REG (UNICODE)
SOFTWARE\Microsoft\Windows NT\CurrentVersion

File Access
scgen_64426ebc219d4e7cbb8f2b9691d97cf7.exe
mscoree.dll
Temp

File Access (UNICODE)
scgen_64426ebc219d4e7cbb8f2b9691d97cf7.exe
5PO5VrsooK.msi
ClientSetup.msi

Words of Interest
exec
attrib
start

Words of Interest (UNICODE)
exec
start

URLs (UNICODE)
https://fiscal-pro.online/ScreenConnect.ClientSetup.msi5PO5VrsooK.msi

Strings/Hex Code Found With The File Rules
Rule Type Encoding Matched (Word)
Text Ascii File (GetTempPath)
Text Ascii Execution (ShellExecute)
Entry Point Hex Pattern Microsoft Visual C / Basic .NET
Entry Point Hex Pattern Microsoft Visual C++ 8
Entry Point Hex Pattern Microsoft Visual C++ 8.0
Entry Point Hex Pattern Microsoft Visual C v7.0 / Basic .NET
Entry Point Hex Pattern Microsoft Visual Studio .NET
Entry Point Hex Pattern .NET executable
Resources
Path DataRVA Size FileOffset Code Text
\VERSION\1\0 40A0 2D4 12A0 D40234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000 ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
\24\1\0 4378 178 1578 EFBBBF3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E65 ...<?xml version="1.0" encoding="UTF-8" standalone
Intelligent String
• 0.0.0.0
• scgen_64426ebc219d4e7cbb8f2b9691d97cf7.exe
• https://fiscal-pro.online/ScreenConnect.ClientSetup.msi
• 5PO5VrsooK.msi
• runas
• _CorExeMainmscoree.dll

Flow Anomalies
Offset RVA Section Description
101E 402000 .text JMP [static] | Indirect jump to absolute memory address
Extra Analysis
Metric Value Percentage
Ascii Code 3036 45,613%
Null Byte Code 3252 48,8582%