PESCAN.IO - Analysis Report Basic
| Information |
| Field | Value |
|---|---|
| Size | 24,88 KB |
| SHA-256 Hash | 4E70DECF59F1F4E396585AB18199895AD4B06765BAB2A8817467FEDB1F204F35 |
| SHA-1 Hash | 2ACA5C714DE0D992BCD3AD05064C37CE912DCDA0 |
| MD5 Hash | 500BD6858B0396FC16081B74FD3921B5 |
| Imphash | F34D5F2D4577ED6D9CEEC516C1F5A744 |
| MajorOSVersion | 4 |
| MinorOSVersion | 0 |
| CheckSum | 00010840 |
| EntryPoint (rva) | 4B52 |
| SizeOfHeaders | 200 |
| SizeOfImage | A000 |
| ImageBase | 400000 |
| Architecture | x86 |
| ImportTable | 4B00 |
| IAT | 2000 |
| Characteristics | 22 |
| TimeDateStamp | 6807F910 |
| Date | 22/04/2025 20:16:16 |
| File Type | EXE |
| Number Of Sections | 3 |
| ASLR | Disabled |
| Section Names | .text, .rsrc, .reloc |
| Number Of Executable Sections | 1 |
| Subsystem | Windows GUI |
| UAC Execution Level Manifest | asInvoker |
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 60000020 (Code, Executable, Readable) | 200 | 2C00 | 2000 | 2B58 | 5,6937 | 195649,36 |
| .rsrc | 40000040 (Initialized Data, Readable) | 2E00 | 800 | 6000 | 72C | 3,7860 | 127411,25 |
| .reloc | 42000040 (Initialized Data, GP-Relative, Readable) | 3600 | 200 | 8000 | C | 0,0815 | 128522,00 |
| Description |
| Field | Value |
|---|---|
| OriginalFilename | Activator.exe |
| CompanyName | Microsoft Corporation |
| LegalCopyright | Copyright 2025 Microsoft Corporation. All rights reserved. |
| ProductName | Windows Operating System |
| FileVersion | 10.1.0.0 |
| FileDescription | Windows System Runtime Optimizer |
| ProductVersion | 10.1.0.0 |
| Comments | Advanced system optimization and maintenance service for Windows operating systems |
| Language | Unknown (ID=0x0) |
| CodePage | Unicode (UTF-16 LE) (0x4B0) |
| Entry Point |
| The section number (1) - (.text) have the Entry Point Information -> EntryPoint (calculated) - 2D52 Code -> FF25002040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 • JMP DWORD PTR [0X402000] • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL |
| Signatures |
| Certificate - Digital Signature: • The file is signed but has been modified |
| Packer/Compiler |
| Compiler: Microsoft Visual .NET - (You can use a decompiler for this...) • AnyCPU: False • Version: v4.0 Detect It Easy (die) • PE: library: .NET(v4.0.30319)[-] • PE: linker: Microsoft Linker(48.0)[-] • Entropy: 6.64908 |
| File Access |
| Activator.exe mscoree.dll |
| File Access (UNICODE) |
| Activator.exe msiexec.exe license_api.dll runtime_patch.dll %activation_lib.dll framework.dll runtime.dll systemcore.dll appcore.dll core.dll |
| Interest's Words |
| Decrypt exec attrib start ping |
| Interest's Words (UNICODE) |
| exec |
| URLs |
| http://ocsp.digicert.com http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl http://cacerts.digicert.com/DigiCertTrustedRootG4.crt http://crl3.digicert.com/DigiCertTrustedRootG4.crl http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt http://www.digicert.com/CPS0 http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt |
| IP Addresses |
| 10.1.0.0 17.0.0.0 17.14.0.0 |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | WinAPI Sockets (send) |
| Text | Ascii | Execution (ShellExecute) |
| Entry Point | Hex Pattern | Microsoft Visual C / Basic .NET |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8.0 |
| Entry Point | Hex Pattern | Microsoft Visual C v7.0 / Basic .NET |
| Entry Point | Hex Pattern | Microsoft Visual Studio .NET |
| Entry Point | Hex Pattern | .NET executable |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \VERSION\1\0 | 6090 | 49A | 2E90 | 9A0434000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000100 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \24\1\0 | 653C | 1EA | 333C | EFBBBF3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E65 | ...<?xml version="1.0" encoding="UTF-8" standalone |
| Intelligent String |
| • 10.1.0.0 • Activator.exe • core.dll • appcore.dll • systemcore.dll • framework.dll • %activation_lib.dll • runtime_patch.dll • license_api.dll • .bak • msiexec.exe • C:\Users\Administrator\source\repos\WindowsFormsApp2\WindowsFormsApp2\obj\Release\Activator.pdb(K • _CorExeMainmscoree.dll |
| Flow Anomalies |
| Offset | RVA | Section | Description |
|---|---|---|---|
| 2D52 | 402000 | .text | JMP [static] - Indirect jump to absolute memory address |
| 470B | 2C279963 | *padding* | JMP [static] - Indirect jump to absolute memory address |
| 3800 | N/A | *Overlay* | 6ADFC30FA1F24C69370457F005465DBF7195F6C2 - j.....Li7.W..F].q... |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 16315 | 64,0306% |
| Null Byte Code | 4727 | 18,5518% |