PESCAN.IO - Analysis Report Basic

File Structure
[Analysis image not included in this export. PE chart legend: PE header (light blue), executable sections (pink), non-executable sections (black), external injected code (red); a file structure drawn in red indicates a malformed or corrupted header. Chart legend for non-PE files: printable characters (blue), non-printable characters (black).]
Information
Size: 1.47 MB
SHA-256 Hash: 76C046F80F228A86CD6B0446F38B054598BCBDD03A616C6033C152B4BE4D6881
SHA-1 Hash: B29027215A5C7E2B8714A8D4E364A6C8AC9F105C
MD5 Hash: 3090A378F50EEC635A17D81E4F3A66F9
Imphash: F793C6EADCCE8FCE80B21302A79CB1FB
MajorOSVersion: 6
MinorOSVersion: 0
CheckSum: 00187638
EntryPoint (rva): 1B177C
SizeOfHeaders: 400
SizeOfImage: 1B8000
ImageBase: 0000000140000000
Architecture: x64
ImportTable: 1B6053
Characteristics: 23
TimeDateStamp: 69C32490
Date: 24/03/2026 23:56:00
File Type: EXE
Number Of Sections: 4
ASLR: Disabled
Section Names (Optional Header): .text, .sedata, .idata, .sedata
Number Of Executable Sections: 2
Subsystem: Windows GUI

Sections Info
Section Name | Flags | Characteristics | ROffset | RSize | VOffset | VSize | Entropy | Chi2
.text | 0xE0000060 | Code, Initialized Data, Executable, Readable, Writeable | 400 | 28E00 | 1000 | 67000 | 7.9988 | 268.91
.sedata | 0xE8000020 | Code, Shared, Executable, Readable, Writeable | 29200 | 14D200 | 68000 | 14E000 | 7.6231 | 2085720.67
.idata | 0xC8000040 | Initialized Data, Shared, Readable, Writeable | 176400 | 400 | 1B6000 | 1000 | 2.4199 | 126808
.sedata | 0x40000040 | Initialized Data, Readable | 176800 | 1000 | 1B7000 | 1000 | 7.9834 | 94.5
Entry Point
Section number 2 contains the Entry Point
Information -> EntryPoint (calculated) - 17297C
Code -> E81C000000536166656E67696E6520536869656C64656E2076322E332E392E30009C4883EC0B488D6424038944240266FF74
Assembler
|CALL 0X1021
|PUSH RBX
Signatures
Rich Signature Analyzer:
Code -> 3503446F71622A3C71622A3C71622A3C08E32F3DEF622A3C08E32E3D60622A3C08E3293D79622A3CF6EB293D7B622A3CF6EB2E3D61622A3CF6EB2F3D3C622A3C08E32B3D74622A3C71622B3C07622A3CE9EB233D70622A3CE9EB283D70622A3C5269636871622A3C
Footprint md5 Hash -> 4B7C09EC11E5ACF94F23542242801622
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found:
• The file is not signed

Duplicate Sections
Section .sedata appears 2 times

Packer/Compiler
Detect It Easy (die)
PE+(64): linker: Microsoft Linker(14.44**)[-]
Entropy: 7.68338

Suspicious Functions
Library Function Description
KERNEL32.DLL VirtualAlloc Reserve, commit, or both, a region of memory within the virtual address space of a process.
KERNEL32.DLL GetModuleHandleA Retrieves a handle to the specified module.
KERNEL32.DLL WriteFile Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL GetProcAddress Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL IsDebuggerPresent Determines if the calling process is being debugged by a user-mode debugger.
ADVAPI32.DLL RegCreateKeyExA Creates a new registry key or opens an existing one.
ADVAPI32.DLL RegDeleteKeyA Used to delete a subkey and its values from the Windows registry.
ADVAPI32.DLL RegSetValueExA Sets the data and type of a specified value under a registry key.
File Access
SHELL32.dll
ADVAPI32.dll
PSAPI.DLL
msvcrt.dll
IPHLPAPI.DLL
USER32.dll
KERNEL32.dll
SESDKDummy64.dll
diasymreader.dll
clr.dll
mscoreei.dll
KernelBase.dll
mscorsvr.dll
mscorwks.dll
mscoree.dll
hid.dll
ntdll.dll
.dat

Words of Interest
exec
start
ping

Strings/Hex Code Found With The File Rules
Rule Type Encoding Matched (Word)
Text Ascii Registry (RegCreateKeyEx)
Text Ascii Registry (RegOpenKeyEx)
Text Ascii Registry (RegSetValueEx)
Text Ascii File (CreateFile)
Text Ascii File (WriteFile)
Text Ascii File (ReadFile)
Text Ascii Anti-Analysis VM (IsDebuggerPresent)
Text Ascii Reconnaissance (FindNextFileW)
Text Ascii Reconnaissance (FindClose)
Text Ascii Stealth (GetThreadContext)
Text Ascii Stealth (SetThreadContext)
Text Ascii Stealth (CloseHandle)
Text Ascii Stealth (UnmapViewOfFile)
Text Ascii Stealth (MapViewOfFile)
Text Ascii Stealth (CreateFileMappingW)
Text Ascii Stealth (VirtualAlloc)
Text Ascii Stealth (VirtualProtect)
Text Ascii Execution (ResumeThread)
Intelligent String
• iphlpapi.dll
• hid.dll
• ntdll.dll
• kernel32.dll
• user32.dll
• advapi32.dll
• mscoree.dll
• mscorwks.dll
• mscorsvr.dll
• KernelBase.dll
• mscoreei.dll
• clr.dll
• diasymreader.dll
• IPHLPAPI.DLL
• _wcsnicmpmsvcrt.dll
• .bss

Flow Anomalies
Offset RVA Section Description
34A2 N/A .text CALL QWORD PTR [RIP+0xB75702CF]
E400 N/A .text CALL QWORD PTR [RIP+0x5FCD8A88]
140B9 N/A .text CALL QWORD PTR [RIP+0x1AD9C75]
14DF2 N/A .text CALL QWORD PTR [RIP+0x38DC9900]
36967 N/A .sedata CALL QWORD PTR [RIP+0xB8C7]
36A6A N/A .sedata CALL QWORD PTR [RIP+0xB7C4]
36B9A N/A .sedata CALL QWORD PTR [RIP+0xB68C]
36C31 N/A .sedata CALL QWORD PTR [RIP+0xB5F5]
37A48 N/A .sedata CALL QWORD PTR [RIP+0xBC56AEA]
37ABA N/A .sedata CALL QWORD PTR [RIP+0xA774]
3F858 N/A .sedata CALL QWORD PTR [RIP+0xFB246050]
4005A N/A .sedata CALL QWORD PTR [RIP+0xFB241998]
40459 N/A .sedata CALL QWORD PTR [RIP+0xFB241950]
48A1B N/A .sedata JMP QWORD PTR [RIP+0xFFFFDFD0]
48A86 N/A .sedata JMP QWORD PTR [RIP+0xFFFFFF95]
48BAE N/A .sedata JMP QWORD PTR [RIP+0xFFFFFF37]
48CC0 N/A .sedata JMP QWORD PTR [RIP+0xFFFFFF0F]
49C6A N/A .sedata JMP QWORD PTR [RIP+0xFFFFEF0F]
4A61C N/A .sedata JMP QWORD PTR [RIP+0xFFFFE5BB]
4AA04 N/A .sedata JMP QWORD PTR [RIP+0xFFFFE318]
4AA2B N/A .sedata JMP QWORD PTR [RIP+0xFFFFFFA4]
4AAA1 N/A .sedata JMP QWORD PTR [RIP+0xFFFFFF8A]
4ABB7 N/A .sedata JMP QWORD PTR [RIP+0xFFFFFECE]
4AC8C N/A .sedata JMP QWORD PTR [RIP+0xFFFFFF2B]
4AD72 N/A .sedata JMP QWORD PTR [RIP+0xFFFFFE8E]
4AE65 N/A .sedata JMP QWORD PTR [RIP+0xFFFFFB2A]
4C99F N/A .sedata JMP QWORD PTR [RIP+0xFFFFE391]
4CA32 N/A .sedata JMP QWORD PTR [RIP+0xFFFFFF6D]
4CA65 N/A .sedata JMP QWORD PTR [RIP+0xFFFFFFCD]
4CC40 N/A .sedata JMP QWORD PTR [RIP+0xFFFFFE48]
4CD19 N/A .sedata JMP QWORD PTR [RIP+0xFFFFFD77]
4CDBE N/A .sedata JMP QWORD PTR [RIP+0xFFFFFCF4]
4CE63 N/A .sedata JMP QWORD PTR [RIP+0xFFFFFC8B]
4EC3B N/A .sedata JMP QWORD PTR [RIP+0xFFFFDF1D]
4F0D6 N/A .sedata JMP QWORD PTR [RIP+0xFFFFF93E]
4F4DB N/A .sedata JMP QWORD PTR [RIP+0xFFFFF541]
4F537 N/A .sedata JMP QWORD PTR [RIP+0xFFFFF523]
4F892 N/A .sedata JMP QWORD PTR [RIP+0xC7342DBD]
4FE30 N/A .sedata JMP QWORD PTR [RIP+0xFFFFED2D]
4FE7B N/A .sedata JMP QWORD PTR [RIP+0xFFFFEC58]
502C4 N/A .sedata JMP QWORD PTR [RIP+0xFFFFE913]
507AD N/A .sedata JMP QWORD PTR [RIP+0xFFFFE432]
50B9D N/A .sedata JMP QWORD PTR [RIP+0xFFFFFE01]
51088 N/A .sedata JMP QWORD PTR [RIP+0xFFFFF99F]
519A3 N/A .sedata JMP QWORD PTR [RIP+0xFFFFF0B1]
51E7F N/A .sedata JMP QWORD PTR [RIP+0xFFFFECC2]
52348 N/A .sedata JMP QWORD PTR [RIP+0xFFFFE801]
527EC N/A .sedata JMP QWORD PTR [RIP+0xFFFFE386]
5285D N/A .sedata JMP QWORD PTR [RIP+0xFFFFE34F]
53203 N/A .sedata JMP QWORD PTR [RIP+0xFFFFF7E1]
5370C N/A .sedata JMP QWORD PTR [RIP+0xFFFFF2E0]
53CD5 N/A .sedata JMP QWORD PTR [RIP+0xFFFFED7C]
541AF N/A .sedata JMP QWORD PTR [RIP+0xFFFFE907]
541C2 N/A .sedata JMP QWORD PTR [RIP+0xFFFFE9A4]
54B48 N/A .sedata JMP QWORD PTR [RIP+0xFFFFE07F]
553DE N/A .sedata JMP QWORD PTR [RIP+0xFFFFF632]
55886 N/A .sedata JMP QWORD PTR [RIP+0xFFFFF20E]
55D70 N/A .sedata JMP QWORD PTR [RIP+0xFFFFED83]
561E5 N/A .sedata JMP QWORD PTR [RIP+0xFFFFE930]
5673A N/A .sedata JMP QWORD PTR [RIP+0xFFFFE531]
56B04 N/A .sedata JMP QWORD PTR [RIP+0xFFFFFF7D]
56B5D N/A .sedata JMP QWORD PTR [RIP+0xFFFFFF2C]
56BA1 N/A .sedata JMP QWORD PTR [RIP+0xFFFFE0D2]
56FD0 N/A .sedata JMP QWORD PTR [RIP+0xFFFFFA50]
60640 N/A .sedata JMP QWORD PTR [RIP+0xC8BC6EB]
69171 N/A .sedata JMP QWORD PTR [RIP+0xC7342DBD]
72367 N/A .sedata CALL QWORD PTR [RIP+0x9F6C0595]
73499 N/A .sedata JMP QWORD PTR [RIP+0xB24720B2]
77BFB N/A .sedata CALL QWORD PTR [RIP+0xB7462EA4]
9083B N/A .sedata JMP QWORD PTR [RIP+0xF4A81D51]
A8812 N/A .sedata CALL QWORD PTR [RIP+0xFFF99A9C]
AAF9E N/A .sedata JMP QWORD PTR [RIP+0xA35031A1]
C0F8C N/A .sedata JMP QWORD PTR [RIP+0xDA003B1D]
C2883 N/A .sedata CALL QWORD PTR [RIP+0xFC1B5906]
C2A93 N/A .sedata CALL QWORD PTR [RIP+0xF3DB0A67]
C46AD N/A .sedata JMP QWORD PTR [RIP+0xBB4829B9]
C814D N/A .sedata JMP QWORD PTR [RIP+0xE2D09E4A]
D3033 N/A .sedata CALL QWORD PTR [RIP+0xFFF6F1F3]
E403E N/A .sedata JMP QWORD PTR [RIP+0xC64B2CBE]
E5741 N/A .sedata CALL QWORD PTR [RIP+0xFFF5CAE5]
E5902 N/A .sedata CALL QWORD PTR [RIP+0xFFF5C924]
E655D N/A .sedata JMP QWORD PTR [RIP+0x6EC8348]
E8669 N/A .sedata CALL QWORD PTR [RIP+0xD85A55DE]
E9E1C N/A .sedata CALL QWORD PTR [RIP+0xD802648F]
ED592 N/A .sedata JMP QWORD PTR [RIP+0xDFCDBD92]
F54D9 N/A .sedata CALL QWORD PTR [RIP+0x97E9FC0E]
F6F65 N/A .sedata JMP QWORD PTR [RIP+0xB274233D]
F94C5 N/A .sedata CALL QWORD PTR [RIP+0xA998F73]
FBAB2 N/A .sedata CALL QWORD PTR [RIP+0x1291F40E]
FC0E3 N/A .sedata CALL QWORD PTR [RIP+0xFFF4614B]
FF360 N/A .sedata CALL QWORD PTR [RIP+0xC702648F]
103495 N/A .sedata JMP QWORD PTR [RIP+0x86C709DC]
103E7B N/A .sedata CALL QWORD PTR [RIP+0xE6CBAB70]
109541 N/A .sedata JMP QWORD PTR [RIP+0xBB4829B9]
10A15D N/A .sedata JMP QWORD PTR [RIP+0xD5E81266]
1133BA N/A .sedata CALL QWORD PTR [RIP+0x1D47B5CF]
117135 N/A .sedata CALL QWORD PTR [RIP+0xC14212F9]
1175DC N/A .sedata JMP QWORD PTR [RIP+0xED8EF653]
11BB66 N/A .sedata CALL QWORD PTR [RIP+0xDCFEBD8B]
11BDE6 N/A .sedata JMP QWORD PTR [RIP+0xAB5839A9]
29200-1763FF 68000 .sedata Executable section anomaly, first bytes: 8909F32648B80000
Extra Analysis
Metric Value Percentage
Ascii Code 995317 64.713%
Null Byte Code 98495 6.4039%
© 2026 All rights reserved.