PESCAN.IO - Analysis Report Basic
| File Structure |
[PE chart image not captured. Legend: executable header (light blue), executable sections (pink), non-executable sections (black), external injected code (red); file structure drawn in red indicates a malformed or corrupted header.]
| Information |
| Field | Value |
|---|---|
| Size | 4,35 MB |
| SHA-256 Hash | D7BB1D5A5153670F8A9332F3C579ED4E4567F0972FA721DA062076FA5823B829 |
| SHA-1 Hash | 3921802FEC82053932B382D9D33F67BE4BD74126 |
| MD5 Hash | 1ABBFC09DD90FF1216BB548B6D5C6582 |
| Imphash | 628D8B32FC89BF9B2649250FC0CA95D3 |
| MajorOSVersion | 6 |
| MinorOSVersion | 0 |
| CheckSum | 00462C39 |
| EntryPoint (rva) | 70E058 |
| SizeOfHeaders | 400 |
| SizeOfImage | B18000 |
| ImageBase | 0000000140000000 |
| Architecture | x64 |
| ImportTable | 9A2A9 |
| Characteristics | 22 |
| TimeDateStamp | 68EA3915 |
| Date | 11/10/2025 11:01:41 |
| File Type | EXE |
| Number Of Sections | 10 |
| ASLR | Disabled |
| Section Names (Optional Header) | (0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20), (0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20), (0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20), (0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20), (0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20), (0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20), .idata, .rsrc, .themida, .boot |
| Number Of Executable Sections | 3 |
| Subsystem | Windows Console |
| UAC Execution Level Manifest | asInvoker |
| Flag | Incomplete Binary or Compressor Packer - 6,74 MB Missing |
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| (0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20) | 60000020 (Code, Executable, Readable) | 400 | 3C00 | 1000 | 4F83 | 7,9556 | 1173,67 |
| (0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20) | 40000040 (Initialized Data, Readable) | 4000 | 4C200 | 6000 | 8F3E4 | 7,9625 | 17243,69 |
| (0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20) | C0000040 (Initialized Data, Readable, Writeable) | 50200 | 200 | 96000 | 9B8 | 4,6361 | 30793,00 |
| (0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20) | 40000040 (Initialized Data, Readable) | 50400 | 400 | 97000 | 480 | 5,7303 | 32558,50 |
| (0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20) | 40000040 (Initialized Data, Readable) | 50800 | 200 | 98000 | 1E0 | 4,6556 | 30295,00 |
| (0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20) | 42000040 (Initialized Data, GP-Relative, Readable) | 50A00 | 200 | 99000 | 98 | 2,7779 | 65162,00 |
| .idata | C0000040 (Initialized Data, Readable, Writeable) | 50C00 | 600 | 9A000 | 1000 | 3,7524 | 99197,67 |
| .rsrc | 40000040 (Initialized Data, Readable) | 51200 | 200 | 9B000 | 1000 | 4,7138 | 9293,00 |
| .themida | E0000060 (Code, Initialized Data, Executable, Readable, Writeable) | 51400 | 0 | 9C000 | 672000 | N/A | N/A |
| .boot | 60000060 (Code, Initialized Data, Executable, Readable) | 51400 | 409A00 | 70E000 | 409A00 | 7,9539 | 411583,47 |
| Entry Point |
Section number 10 (.boot) contains the entry point. EntryPoint (calculated): 51458
Code: E88201000041524989E24152498B7210498B7A20FCB2808A0648FFC6880748FFC7BB0200000000D275078A1648FFC610D273
• CALL 0X1187
• PUSH R10
• MOV R10, RSP
• PUSH R10
• MOV RSI, QWORD PTR [R10 + 0X10]
• MOV RDI, QWORD PTR [R10 + 0X20]
• CLD
• MOV DL, 0X80
• MOV AL, BYTE PTR [RSI]
• INC RSI
• MOV BYTE PTR [RDI], AL
• INC RDI
• MOV EBX, 2
• ADD DL, DL
• JNE 0X1031
• MOV DL, BYTE PTR [RSI]
• INC RSI
• ADC DL, DL
| Signatures |
Rich Signature Analyzer
Code: D658FC4B9239921892399218923992189B41011880399218C04C961998399218C04C9119963992180D31E91890399218C04C971989399218C04C931994399218865293199D39921892399318573992185D4C9B19933992185D4C6D18933992185D4C9019933992185269636892399218
Footprint md5 Hash: 652D34142A64ED46D09E3ACBCBBFC49C
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found:
• The file is not signed
| Duplicate Sections |
| The section name (0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20) occurs 6 times |
| Packer/Compiler |
| Detect It Easy (die) • PE+(64): linker: Microsoft Linker(14.29**)[-] • Entropy: 7.9584 |
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module. |
| SHELL32.DLL | ShellExecuteA | Performs a run operation on a specific file. |
| File Access |
• api-ms-win-crt-locale-l1-1-0.dll
• api-ms-win-crt-math-l1-1-0.dll
• api-ms-win-crt-heap-l1-1-0.dll
• api-ms-win-crt-convert-l1-1-0.dll
• api-ms-win-crt-time-l1-1-0.dll
• api-ms-win-crt-filesystem-l1-1-0.dll
• api-ms-win-crt-utility-l1-1-0.dll
• api-ms-win-crt-stdio-l1-1-0.dll
• api-ms-win-crt-runtime-l1-1-0.dll
• VCRUNTIME140.dll
• VCRUNTIME140_1.dll
• WS2_32.dll
• WININET.dll
• IPHLPAPI.DLL
• MSVCP140.dll
• SHELL32.dll
• USER32.dll
• kernel32.dll
| Words of Interest |
| exec |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Execution (ShellExecute) |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \24\1\1033 | 9B058 | 17D | 51258 | 3C3F786D6C2076657273696F6E3D27312E302720656E636F64696E673D275554462D3827207374616E64616C6F6E653D2779 | <?xml version='1.0' encoding='UTF-8' standalone='y |
| Intelligent String |
• kernel32.dll
• memcpyapi-ms-win-crt-runtime-l1-1-0.dll
• _initterm_eapi-ms-win-crt-stdio-l1-1-0.dll
• ungetcapi-ms-win-crt-utility-l1-1-0.dll
• srandapi-ms-win-crt-filesystem-l1-1-0.dll
• _lock_fileapi-ms-win-crt-time-l1-1-0.dll
• _time64api-ms-win-crt-convert-l1-1-0.dll
• atoiapi-ms-win-crt-heap-l1-1-0.dll
• mallocapi-ms-win-crt-math-l1-1-0.dll
• __setusermatherrapi-ms-win-crt-locale-l1-1-0.dll
| Flow Anomalies |
| Offset | RVA | Section | Description |
|---|---|---|---|
| 18B63 | N/A | (0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20) | JMP QWORD PTR [RIP+0xC8D9AE8A] |
| 35337 | N/A | (0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20) | JMP QWORD PTR [RIP+0x664EEC7A] |
| 3BCCC | N/A | (0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20) | JMP QWORD PTR [RIP+0x1E36417] |
| 3DEDD | N/A | (0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20) | CALL QWORD PTR [RIP+0x50C5E699] |
| 4AACD | N/A | (0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20) | CALL QWORD PTR [RIP+0xE497A8ED] |
| 5D4B0 | N/A | .boot | JMP QWORD PTR [RIP+0x6853D401] |
| 62AB6 | N/A | .boot | JMP QWORD PTR [RIP+0x77C232FD] |
| 647EB | N/A | .boot | JMP QWORD PTR [RIP+0xFDA7ACED] |
| 75D16 | N/A | .boot | JMP QWORD PTR [RIP+0xEFEE9C2A] |
| 76C4B | N/A | .boot | JMP QWORD PTR [RIP+0xCAAED1CA] |
| 7B299 | N/A | .boot | JMP QWORD PTR [RIP+0x30B712C] |
| 7D965 | N/A | .boot | JMP QWORD PTR [RIP+0xF954FBD4] |
| 7E43A | N/A | .boot | JMP QWORD PTR [RIP+0x2723C26C] |
| 8FB9A | N/A | .boot | CALL QWORD PTR [RIP+0xCFD047D9] |
| 96E25 | N/A | .boot | JMP QWORD PTR [RIP+0x503CFCE9] |
| 9B2D7 | N/A | .boot | JMP QWORD PTR [RIP+0x62EEE25F] |
| 9B92D | N/A | .boot | JMP QWORD PTR [RIP+0xF20431DF] |
| 9BAFC | N/A | .boot | JMP QWORD PTR [RIP+0xA1616CCA] |
| A9FF0 | N/A | .boot | JMP QWORD PTR [RIP+0x55524EFC] |
| AD5C6 | N/A | .boot | JMP QWORD PTR [RIP+0xD5BD8B77] |
| B19A7 | N/A | .boot | JMP QWORD PTR [RIP+0x50FDCE1E] |
| CB264 | N/A | .boot | JMP QWORD PTR [RIP+0x2D03EC75] |
| CEF3C | N/A | .boot | JMP QWORD PTR [RIP+0x89DAA989] |
| D4495 | N/A | .boot | JMP QWORD PTR [RIP+0x8BDEC631] |
| D5641 | N/A | .boot | JMP QWORD PTR [RIP+0xA37C53A5] |
| D8774 | N/A | .boot | JMP QWORD PTR [RIP+0x90FEC355] |
| DF567 | N/A | .boot | JMP QWORD PTR [RIP+0x450262F3] |
| EEEE3 | N/A | .boot | JMP QWORD PTR [RIP+0xE379F606] |
| F924F | N/A | .boot | CALL QWORD PTR [RIP+0x19D52566] |
| FEF0B | N/A | .boot | JMP QWORD PTR [RIP+0x25665403] |
| 1013FD | N/A | .boot | JMP QWORD PTR [RIP+0x89E2303B] |
| 109F19 | N/A | .boot | JMP QWORD PTR [RIP+0x528AAAA9] |
| 10EC4B | N/A | .boot | JMP QWORD PTR [RIP+0xC1E74ED6] |
| 11A67C | N/A | .boot | JMP QWORD PTR [RIP+0x79D64D8D] |
| 11B13C | N/A | .boot | JMP QWORD PTR [RIP+0xD1DB308B] |
| 11C026 | N/A | .boot | JMP QWORD PTR [RIP+0x27F3B3C6] |
| 120A56 | N/A | .boot | JMP QWORD PTR [RIP+0xB79BA8A4] |
| 122D8A | N/A | .boot | CALL QWORD PTR [RIP+0xD53C734] |
| 125A71 | N/A | .boot | JMP QWORD PTR [RIP+0x5F823275] |
| 12CB27 | N/A | .boot | JMP QWORD PTR [RIP+0xD82DB751] |
| 1313EB | N/A | .boot | JMP QWORD PTR [RIP+0xF07161F4] |
| 131DC1 | N/A | .boot | JMP QWORD PTR [RIP+0xAB082FEC] |
| 1347AB | N/A | .boot | JMP QWORD PTR [RIP+0x892D6314] |
| 1374AE | N/A | .boot | JMP QWORD PTR [RIP+0xF2C467C1] |
| 13A98E | N/A | .boot | JMP QWORD PTR [RIP+0x706B7CEB] |
| 13E48A | N/A | .boot | JMP QWORD PTR [RIP+0xC556B977] |
| 140DB1 | N/A | .boot | JMP QWORD PTR [RIP+0x4BA71BF7] |
| 142945 | N/A | .boot | CALL QWORD PTR [RIP+0x207039D1] |
| 142CA3 | N/A | .boot | JMP QWORD PTR [RIP+0x8DD1AE85] |
| 1501DF | N/A | .boot | CALL QWORD PTR [RIP+0x307CE60F] |
| 1552C1 | N/A | .boot | JMP QWORD PTR [RIP+0xF95F82DA] |
| 155C3C | N/A | .boot | JMP QWORD PTR [RIP+0xECE755CC] |
| 161A12 | N/A | .boot | JMP QWORD PTR [RIP+0x6CF2AE41] |
| 16C916 | N/A | .boot | JMP QWORD PTR [RIP+0x8288EE76] |
| 1704F0 | N/A | .boot | CALL QWORD PTR [RIP+0xA14E3BC3] |
| 170839 | N/A | .boot | JMP QWORD PTR [RIP+0x96CC4B92] |
| 17A794 | N/A | .boot | JMP QWORD PTR [RIP+0x141C9D96] |
| 17CBE2 | N/A | .boot | JMP QWORD PTR [RIP+0xD9AAC8F6] |
| 184C7E | N/A | .boot | JMP QWORD PTR [RIP+0x84D5EE71] |
| 1882BE | N/A | .boot | JMP QWORD PTR [RIP+0x98C739A] |
| 19CC85 | N/A | .boot | JMP QWORD PTR [RIP+0x9951F0C3] |
| 19FE14 | N/A | .boot | JMP QWORD PTR [RIP+0x6E1404E9] |
| 1CD981 | N/A | .boot | JMP QWORD PTR [RIP+0x65CE0931] |
| 222A59 | N/A | .boot | JMP QWORD PTR [RIP+0x9595BB01] |
| 231990 | N/A | .boot | CALL QWORD PTR [RIP+0xF9A9AB81] |
| 234144 | N/A | .boot | JMP QWORD PTR [RIP+0xC6D54C77] |
| 238953 | N/A | .boot | CALL QWORD PTR [RIP+0x88BED6B0] |
| 239A6B | N/A | .boot | JMP QWORD PTR [RIP+0x32AE82A] |
| 23AB1E | N/A | .boot | CALL QWORD PTR [RIP+0x2798ABDC] |
| 23B054 | N/A | .boot | JMP QWORD PTR [RIP+0x90F6BB9C] |
| 23EFFA | N/A | .boot | JMP QWORD PTR [RIP+0xE75F5855] |
| 24245B | N/A | .boot | JMP QWORD PTR [RIP+0xC696894D] |
| 24425C | N/A | .boot | JMP QWORD PTR [RIP+0xEFA7E913] |
| 247278 | N/A | .boot | JMP QWORD PTR [RIP+0x34D4B8CD] |
| 247CF4 | N/A | .boot | CALL QWORD PTR [RIP+0xA68F1A6] |
| 24941B | N/A | .boot | JMP QWORD PTR [RIP+0x20C6FEC8] |
| 24F536 | N/A | .boot | JMP QWORD PTR [RIP+0x3AB9B93A] |
| 24FA18 | N/A | .boot | JMP QWORD PTR [RIP+0x87BA7BF9] |
| 254370 | N/A | .boot | JMP QWORD PTR [RIP+0x7DE2CAF5] |
| 268972 | N/A | .boot | JMP QWORD PTR [RIP+0xCCEA07C4] |
| 270ECD | N/A | .boot | JMP QWORD PTR [RIP+0xA77300D7] |
| 275597 | N/A | .boot | JMP QWORD PTR [RIP+0x5F6B1A00] |
| 27B0ED | N/A | .boot | JMP QWORD PTR [RIP+0x9E2D3161] |
| 27E59D | N/A | .boot | JMP QWORD PTR [RIP+0xE8CBBF65] |
| 28A9BA | N/A | .boot | JMP QWORD PTR [RIP+0x8199537B] |
| 28D459 | N/A | .boot | JMP QWORD PTR [RIP+0x8B10710F] |
| 28DE19 | N/A | .boot | CALL QWORD PTR [RIP+0x940C77] |
| 28E1C0 | N/A | .boot | CALL QWORD PTR [RIP+0xB7F72589] |
| 2A685B | N/A | .boot | JMP QWORD PTR [RIP+0x2D76EA02] |
| 2B321E | N/A | .boot | CALL QWORD PTR [RIP+0x5AE20145] |
| 2B4058 | N/A | .boot | JMP QWORD PTR [RIP+0x450F8BAF] |
| 2C1ED7 | N/A | .boot | CALL QWORD PTR [RIP+0x85743D36] |
| 2D7697 | N/A | .boot | JMP QWORD PTR [RIP+0x13790273] |
| 2E457E | N/A | .boot | JMP QWORD PTR [RIP+0xF4FF34D6] |
| 2E9F14 | N/A | .boot | JMP QWORD PTR [RIP+0x92409E06] |
| 2EFC19 | N/A | .boot | JMP QWORD PTR [RIP+0xE852A431] |
| 2F77DD | N/A | .boot | JMP QWORD PTR [RIP+0x5BC64FFD] |
| 3086B5 | N/A | .boot | JMP QWORD PTR [RIP+0x497BE2C6] |
| 314086 | N/A | .boot | CALL QWORD PTR [RIP+0x129D27E4] |
| 3196B5 | N/A | .boot | JMP QWORD PTR [RIP+0xFA33AF7A] |
| 578C0-578D4 | N/A | .boot | Potential obfuscated jump sequence detected, count: 9 |
| 78A35-78A4B | N/A | .boot | Potential obfuscated jump sequence detected, count: 10 |
| 400-3FFF | 1000 | (0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20)(0x20) | Executable section anomaly, first bytes: 2C49232C058AB224 |
| 51400-45ADFF | 70E000 | .boot | Executable section anomaly, first bytes: 08BA335F7B92552A |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 3138559 | 68,7297% |
| Null Byte Code | 88180 | 1,931% |
© 2026 All rights reserved.