PESCAN.IO - Analysis Report Basic

| File Structure |
PE chart legend (the chart image itself is not reproduced here):
• Executable header (light blue)
• Executable sections (pink)
• Non-executable sections (black)
• External injected code (red)
• File structure drawn in red = malformed or corrupted header

Chart legend for other (non-PE) files:
• Printable characters (blue)
• Non-printable characters (black)
| Information |
| Field | Value |
|---|---|
| Size | 191.50 KB |
| SHA-256 Hash | 9D2B171B8137B3DC7DF42B8ED3EB8E12FDEC53DAF2FB4D38AAF7C3037E7C6DE0 |
| SHA-1 Hash | C44DA080B751445B0604B10E2FE0C5430633DC6E |
| MD5 Hash | 1DA55913538A14192185634B21357051 |
| Imphash | 7DA1BAD4DB27FE757FFDDF95997631B5 |
| MajorOSVersion | 6 |
| MinorOSVersion | 0 |
| CheckSum | 00000000 |
| EntryPoint (RVA) | F3C8 |
| SizeOfHeaders | 400 |
| SizeOfImage | 34000 |
| ImageBase | 400000 |
| Architecture | x86 |
| ImportTable | 2DF04 |
| IAT | 24000 |
| Characteristics | 102 |
| TimeDateStamp | 6946E3F2 |
| Date | 20/12/2025 17:59:14 |
| File Type | EXE |
| Number Of Sections | 5 |
| ASLR | Enabled |
| Section Names | .text, .rdata, .data, .fptable, .reloc |
| Number Of Executable Sections | 1 |
| Subsystem | Windows Console |
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 60000020 (Code, Executable, Readable) | 400 | 22800 | 1000 | 22740 | | |
| .rdata | 40000040 (Initialized Data, Readable) | 22C00 | AE00 | 24000 | AC4A | | |
| .data | C0000040 (Initialized Data, Readable, Writeable) | 2DA00 | C00 | 2F000 | 148C | | |
| .fptable | C0000040 (Initialized Data, Readable, Writeable) | 2E600 | 200 | 31000 | 80 | | |
| .reloc | 42000040 (Initialized Data, GP-Relative, Readable) | 2E800 | 1600 | 32000 | 159C | | |
| Entry Point |
Section 1 (.text) contains the entry point.

EntryPoint (calculated raw file offset): E7C8

Code at entry point: E815060000E971FEFFFF3B0D40F042007501C3E93E070000558BEC830D18F042000183EC28C70598FA4200000000006A0AFF

| Assembler |
|---|
| CALL 0X161A |
| JMP 0XE7B |
| CMP ECX, DWORD PTR [0X42F040] |
| JNE 0X1013 |
| RET |
| JMP 0X1756 |
| PUSH EBP |
| MOV EBP, ESP |
| OR DWORD PTR [0X42F018], 1 |
| SUB ESP, 0X28 |
| MOV DWORD PTR [0X42FA98], 0 |
| PUSH 0XA |
| Signatures |
Rich Signature Analyzer:
• Code -> AAF41986EE9577D5EE9577D5EE9577D5971474D4E59577D5971472D4609577D5691C74D4F99577D5691C73D4FA9577D5971473D4FA9577D5691C72D4DA9577D5971476D4E19577D5EE9576D54E9577D5781C72D4EF9577D5781C75D4EF9577D552696368EE9577D5
• Footprint MD5 hash -> 2FC9A48D41409C0978D545364DABBDAE
• The Rich header apparently has not been modified

Certificate - Digital Signature: not found
• The file is not signed
| Packer/Compiler |
Detect It Easy (DiE):
• PE: compiler: EP:Microsoft Visual C/C++(2017 v.15.5-6)[EXE32]
• PE: compiler: Microsoft Visual C/C++(-)[-]
• PE: linker: Microsoft Linker(14.44**)[-]
• Entropy: 6.51445
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | CreateMutexW | Create a named or unnamed mutex object for controlling access to a shared resource. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | LoadLibraryW | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | CreateToolhelp32Snapshot | Creates a snapshot of the specified processes, heaps, threads, and modules. |
| KERNEL32.DLL | ReadProcessMemory | Reads data from an area of memory in a specified process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |
| ADVAPI32.DLL | RegCreateKeyExA | Creates a new registry key or opens an existing one. |
| ADVAPI32.DLL | RegSetValueExA | Sets the data and type of a specified value under a registry key. |
| Windows REG (UNICODE) |
• Software\Microsoft\Windows\CurrentVersion\Explorer
• Rebuilt string - SOFTWARE\Policies\Microsoft\Windows\System
| File Access |
• WINHTTP.dll
• WININET.dll
• OLEAUT32.dll
• ole32.dll
• ADVAPI32.dll
• USER32.dll
• KERNEL32.dll
• .dat
• @.dat
• Temp
| File Access (UNICODE) |
• cmd.exe
• mscoree.dll
• \Windows\System32\kernel32.dll
• \Windows\Temp\system_check.log
• Temp
| Words of Interest |
• attrib
• start
• systeminfo
| URLs (UNICODE) |
• http://www.microsoft.com
• https://software-download.microsoft.com/download/pr/22000.194.210913-1444.co_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_zh-cn.iso
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | Registry (RegCreateKeyEx) |
| Text | Ascii | Registry (RegOpenKeyEx) |
| Text | Ascii | Registry (RegSetValueEx) |
| Text | Ascii | File (GetTempPath) |
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Hex | Hex Pattern | PEB AntiDebug (Flag BeingDebugged) |
| Text | Ascii | Anti-Analysis VM (IsDebuggerPresent) |
| Text | Ascii | Anti-Analysis VM (GetSystemInfo) |
| Text | Ascii | Anti-Analysis VM (GlobalMemoryStatusEx) |
| Text | Ascii | Anti-Analysis VM (GetVersion) |
| Text | Ascii | Anti-Analysis VM (CreateToolhelp32Snapshot) |
| Text | Ascii | Reconnaissance (FindFirstFileW) |
| Text | Ascii | Reconnaissance (FindNextFileW) |
| Text | Ascii | Reconnaissance (FindClose) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Stealth (VirtualProtect) |
| Text | Ascii | Stealth (ReadProcessMemory) |
| Entry Point | Hex Pattern | fasm - Tomasz Grysztar |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | VC8 - Microsoft Corporation |
| Intelligent String |
• https://software-download.microsoft.com/download/pr/22000.194.210913-1444.co_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_zh-cn.iso
• Windows 11 Evaluation_zh-cn.iso
• cmd.exe
• C:\Windows\Temp\system_check.log
• http://www.microsoft.com
• C:\Windows\System32\kernel32.dll
• mscoree.dll
• .tls
• .bss
• KERNEL32.dll
• ADVAPI32.dll
| Flow Anomalies |
| Offset | RVA | Section | Type | Description |
|---|---|---|---|---|
| 4A0F | 4241CC | .text | CALL [static] | Indirect call to absolute memory address |
| 5708 | 4241EC | .text | CALL [static] | Indirect call to absolute memory address |
| 571D | 4241E0 | .text | CALL [static] | Indirect call to absolute memory address |
| 5727 | 4241DC | .text | CALL [static] | Indirect call to absolute memory address |
| 577D | 4240CC | .text | CALL [static] | Indirect call to absolute memory address |
| 57AD | 424070 | .text | CALL [static] | Indirect call to absolute memory address |
| 57FF | 42402C | .text | CALL [static] | Indirect call to absolute memory address |
| 584D | 424030 | .text | CALL [static] | Indirect call to absolute memory address |
| 58BE | 42402C | .text | CALL [static] | Indirect call to absolute memory address |
| 5911 | 42408C | .text | CALL [static] | Indirect call to absolute memory address |
| 5955 | 424088 | .text | CALL [static] | Indirect call to absolute memory address |
| 5968 | 42407C | .text | CALL [static] | Indirect call to absolute memory address |
| 59B0 | 42407C | .text | CALL [static] | Indirect call to absolute memory address |
| 59E7 | 4240BC | .text | CALL [static] | Indirect call to absolute memory address |
| 5A35 | 4240C0 | .text | CALL [static] | Indirect call to absolute memory address |
| 5A51 | 4240C4 | .text | CALL [static] | Indirect call to absolute memory address |
| 5A75 | 4240D4 | .text | CALL [static] | Indirect call to absolute memory address |
| 5A87 | 42406C | .text | CALL [static] | Indirect call to absolute memory address |
| 5A99 | 4240D8 | .text | CALL [static] | Indirect call to absolute memory address |
| 5ABA | 42405C | .text | CALL [static] | Indirect call to absolute memory address |
| 5AC4 | 424060 | .text | CALL [static] | Indirect call to absolute memory address |
| 5ADD | 424058 | .text | CALL [static] | Indirect call to absolute memory address |
| 5AF4 | 424074 | .text | CALL [static] | Indirect call to absolute memory address |
| 5B64 | 4240D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 5BAE | 4240CC | .text | CALL [static] | Indirect call to absolute memory address |
| 5C00 | 424024 | .text | CALL [static] | Indirect call to absolute memory address |
| 5C0A | 42402C | .text | CALL [static] | Indirect call to absolute memory address |
| 5C93 | 42400C | .text | CALL [static] | Indirect call to absolute memory address |
| 5CE6 | 424010 | .text | CALL [static] | Indirect call to absolute memory address |
| 5D38 | 42401C | .text | CALL [static] | Indirect call to absolute memory address |
| 5D45 | 424014 | .text | CALL [static] | Indirect call to absolute memory address |
| 5E61 | 4240CC | .text | CALL [static] | Indirect call to absolute memory address |
| 5E75 | 424044 | .text | CALL [static] | Indirect call to absolute memory address |
| 5EB8 | 424024 | .text | CALL [static] | Indirect call to absolute memory address |
| 5EC5 | 42402C | .text | CALL [static] | Indirect call to absolute memory address |
| 5F10 | 424044 | .text | CALL [static] | Indirect call to absolute memory address |
| 5F69 | 4241E8 | .text | CALL [static] | Indirect call to absolute memory address |
| 5F8A | 4241E4 | .text | CALL [static] | Indirect call to absolute memory address |
| 6081 | 4240CC | .text | CALL [static] | Indirect call to absolute memory address |
| 609A | 424070 | .text | CALL [static] | Indirect call to absolute memory address |
| 60A7 | 42402C | .text | CALL [static] | Indirect call to absolute memory address |
| 6129 | 42402C | .text | CALL [static] | Indirect call to absolute memory address |
| 61A4 | 424080 | .text | CALL [static] | Indirect call to absolute memory address |
| 62C6 | 424218 | .text | CALL [static] | Indirect call to absolute memory address |
| 63D1 | 424210 | .text | CALL [static] | Indirect call to absolute memory address |
| 640D | 424208 | .text | CALL [static] | Indirect call to absolute memory address |
| 646C | 4241F4 | .text | CALL [static] | Indirect call to absolute memory address |
| 64A8 | 424214 | .text | CALL [static] | Indirect call to absolute memory address |
| 64DB | 4241FC | .text | CALL [static] | Indirect call to absolute memory address |
| 652B | 424204 | .text | CALL [static] | Indirect call to absolute memory address |
| 6570 | 424204 | .text | CALL [static] | Indirect call to absolute memory address |
| 65D0 | 42420C | .text | CALL [static] | Indirect call to absolute memory address |
| 65E1 | 42420C | .text | CALL [static] | Indirect call to absolute memory address |
| 65F2 | 42420C | .text | CALL [static] | Indirect call to absolute memory address |
| 660B | 424044 | .text | CALL [static] | Indirect call to absolute memory address |
| 66B6 | 424068 | .text | CALL [static] | Indirect call to absolute memory address |
| 6841 | 424210 | .text | CALL [static] | Indirect call to absolute memory address |
| 68B1 | 424218 | .text | CALL [static] | Indirect call to absolute memory address |
| 690F | 424208 | .text | CALL [static] | Indirect call to absolute memory address |
| 6922 | 42420C | .text | CALL [static] | Indirect call to absolute memory address |
| 6994 | 4241F4 | .text | CALL [static] | Indirect call to absolute memory address |
| 69A7 | 42420C | .text | CALL [static] | Indirect call to absolute memory address |
| 69B1 | 42420C | .text | CALL [static] | Indirect call to absolute memory address |
| 6A01 | 424214 | .text | CALL [static] | Indirect call to absolute memory address |
| 6A16 | 4241FC | .text | CALL [static] | Indirect call to absolute memory address |
| 6A38 | 4241F8 | .text | CALL [static] | Indirect call to absolute memory address |
| 6A9D | 424200 | .text | CALL [static] | Indirect call to absolute memory address |
| 6AE5 | 42420C | .text | CALL [static] | Indirect call to absolute memory address |
| 6AEF | 42420C | .text | CALL [static] | Indirect call to absolute memory address |
| 6AF9 | 42420C | .text | CALL [static] | Indirect call to absolute memory address |
| 6B8B | 424040 | .text | CALL [static] | Indirect call to absolute memory address |
| 6BBA | 424034 | .text | CALL [static] | Indirect call to absolute memory address |
| 6BCE | 42404C | .text | CALL [static] | Indirect call to absolute memory address |
| 6C67 | 42400C | .text | CALL [static] | Indirect call to absolute memory address |
| 6CB6 | 424004 | .text | CALL [static] | Indirect call to absolute memory address |
| 6CE6 | 424014 | .text | CALL [static] | Indirect call to absolute memory address |
| 6D48 | 424238 | .text | CALL [static] | Indirect call to absolute memory address |
| 6D70 | 424234 | .text | CALL [static] | Indirect call to absolute memory address |
| 6D7F | 424244 | .text | CALL [static] | Indirect call to absolute memory address |
| 6DA5 | 42423C | .text | CALL [static] | Indirect call to absolute memory address |
| 6DB4 | 424244 | .text | CALL [static] | Indirect call to absolute memory address |
| 6E64 | 424244 | .text | CALL [static] | Indirect call to absolute memory address |
| 6E83 | 424240 | .text | CALL [static] | Indirect call to absolute memory address |
| 6EAE | 424244 | .text | CALL [static] | Indirect call to absolute memory address |
| 6FF6 | 424244 | .text | CALL [static] | Indirect call to absolute memory address |
| 70C3 | 4241D4 | .text | CALL [static] | Indirect call to absolute memory address |
| 7140 | 4241D4 | .text | CALL [static] | Indirect call to absolute memory address |
| 7207 | 424244 | .text | CALL [static] | Indirect call to absolute memory address |
| 72C7 | 42404C | .text | CALL [static] | Indirect call to absolute memory address |
| 75E3 | 424084 | .text | CALL [static] | Indirect call to absolute memory address |
| 7607 | 424088 | .text | CALL [static] | Indirect call to absolute memory address |
| 762B | 424088 | .text | CALL [static] | Indirect call to absolute memory address |
| 764F | 424088 | .text | CALL [static] | Indirect call to absolute memory address |
| 7673 | 424088 | .text | CALL [static] | Indirect call to absolute memory address |
| 769B | 424048 | .text | CALL [static] | Indirect call to absolute memory address |
| 76AF | 424050 | .text | CALL [static] | Indirect call to absolute memory address |
| 76ED | 424078 | .text | CALL [static] | Indirect call to absolute memory address |
| 7711 | 424078 | .text | CALL [static] | Indirect call to absolute memory address |
| 772E | 4240D4 | .text | CALL [static] | Indirect call to absolute memory address |
| 77E9 | 424080 | .text | CALL [static] | Indirect call to absolute memory address |
| 623C-625F | N/A | .text | | Unusual BP Cave, count: 36 |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 112081 | 57.1562% |
| Null Byte Code | 32677 | 16.6638% |
© 2026 All rights reserved.