PESCAN.IO - Analysis Report Basic

Information
Size: 91,50 KB
SHA-256 Hash: 6211542AE5E0B62EBD3AAEB5CEBB36ABB16BB5A0C1FBC80266AA3333BF4C0ADB
SHA-1 Hash: 08B1FFDF3627F1C73A6F42EE603E888CA032201F
MD5 Hash: 5BB131C8FF4EF0559BE9F640B273A697
Imphash: 6DFBE42DDBD1FD328844048649A2011A
MajorOSVersion: 6
MinorOSVersion: 0
CheckSum: 00000000
EntryPoint (rva): 11037
SizeOfHeaders: 400
SizeOfImage: 2D000
ImageBase: 0000000140000000
Architecture: x64
ImportTable: 27578
IAT: 27000
Characteristics: 22
TimeDateStamp: 6A09CEC1
Date: 17/05/2026 14:20:49
File Type: EXE
Number Of Sections: 10
ASLR: Disabled
Section Names (Optional Header): .textbss, .text, .rdata, .data, .pdata, .idata, .msvcjmc, .00cfg, .rsrc, .reloc
Number Of Executable Sections: 2
Subsystem: Windows Console
UAC Execution Level Manifest: asInvoker
[Incomplete Binary or Compressor Packer - 88,50 KB Missing]

Sections Info
Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2
.textbss | 0xE00000A0 (Code, Uninitialized Data, Executable, Readable, Writeable) | 0 | 0 | 1000 | 10000 | N/A | N/A
.text | 0x60000020 (Code, Executable, Readable) | 400 | D600 | 11000 | D5DB | 3.5877 | 4414921.99
.rdata | 0x40000040 (Initialized Data, Readable) | DA00 | 3E00 | 1F000 | 3D4E | 2.4875 | 2165288.74
.data | 0xC0000040 (Initialized Data, Readable, Writeable) | 11800 | 600 | 23000 | 590 | 0.6482 | 341774.33
.pdata | 0x40000040 (Initialized Data, Readable) | 11E00 | 2600 | 24000 | 2490 | 1.5887 | 1748599.26
.idata | 0x40000040 (Initialized Data, Readable) | 14400 | 1A00 | 27000 | 19B5 | 4.0699 | 378257.77
.msvcjmc | 0xC0000040 (Initialized Data, Readable, Writeable) | 15E00 | 400 | 29000 | 23C | 0.8234 | 160800
.00cfg | 0x40000040 (Initialized Data, Readable) | 16200 | 200 | 2A000 | 175 | 0.4716 | 115754
.rsrc | 0x40000040 (Initialized Data, Readable) | 16400 | 600 | 2B000 | 43C | 2.143 | 215406.67
.reloc | 0x42000040 (Initialized Data, GP-Relative, Readable) | 16A00 | 400 | 2C000 | 2EC | 1.1377 | 201636.5

Entry Point
The section number (2) has the Entry Point
Information -> EntryPoint (calculated) - 437
Code -> E9445D0000E93F690000E9258E0000E96E8E0000E9C0480000E97C8E0000E9C6740000E9E13D0000E9DC290000E916520000
Assembler
|JMP 0X6D49
|JMP 0X7949
|JMP 0X9E34
|JMP 0X9E82
|JMP 0X58D9
|JMP 0X9E9A
|JMP 0X84E9
|JMP 0X4E09
|JMP 0X3A09
|JMP 0X6248
Signatures
Rich Signature Analyzer:
Code -> BCF7CE28F896A07BF896A07BF896A07BB31CA37AFB96A07BB31CA47AF396A07BB31CA57AE596A07BB31CA17AFE96A07B8117A17AFD96A07BF896A17B9D96A07B751DA57AF996A07B751D5F7BF996A07B751DA27AF996A07B52696368F896A07B
Footprint md5 Hash -> E69267E0A66D6882F172DE77C418B67F
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler
Detect It Easy (die)
PE+(64): linker: Microsoft Linker(14.50**)[-]
Entropy: 3.77874

Suspicious Functions
Library | Function | Description
KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger.
Windows REG (UNICODE)
SOFTWARE\Wow6432Node\Microsoft\VisualStudio\14.0\Setup\VC

File Access
ucrtbased.dll
VCRUNTIME140_1D.dll
VCRUNTIME140D.dll
MSVCP140D.dll
KERNEL32.dll
@.dat

File Access (UNICODE)
advapi32.dll
api-ms-win-core-registry-l1-1-0.dll
VCRUNTIME140D.dll
bin\amd64\MSPDB140.DLL

Words of Interest
PassWord
exec
start

Strings/Hex Code Found With The File Rules
Rule Type | Encoding | Matched (Word)
Text | Ascii | Registry (RegOpenKeyEx)
Text | Ascii | Anti-Analysis VM (IsDebuggerPresent)
Entry Point | Hex Pattern | Microsoft Visual C++ 8.0
Entry Point | Hex Pattern | Microsoft Visual C++ 8.0
Entry Point | Hex Pattern | NeoLite v2.0

Resources
Path | DataRVA | Size | FileOffset | Code | Text
\24\1\1033 | 2B170 | 17D | 16570 | 3C3F786D6C2076657273696F6E3D27312E302720656E636F64696E673D275554462D3827207374616E64616C6F6E653D2779 | <?xml version='1.0' encoding='UTF-8' standalone='y

Intelligent String
• D:\a\_work\1\s\src\vctools\crt\github\stl\src\locale0.cpp
• bin\amd64\MSPDB140.DLL
• VCRUNTIME140D.dll
• api-ms-win-core-registry-l1-1-0.dll
• advapi32.dll
• C:\Users\user\source\repos\MUSOR\x64\Debug\MUSOR.pdb
• KERNEL32.dll

Flow Anomalies
Offset RVA Section Description
405-99F N/A .text Potential obfuscated jump sequence detected, count: 287
Extra Analysis
Metric | Value | Percentage
Ascii Code | 52809 | 56,3621%
Null Byte Code | 32514 | 34,7016%