PREMIUM PESCAN.IO - Analysis Report

| File Structure |
PE Chart Code
• PE header (light blue)
• Executable sections (pink)
• Non-executable sections (black)
• External injected code (red)
• File Structure in red = malformed or corrupted header

Chart Code For Other Files
• Printable characters (blue)
• Non-printable characters (black)
| Information |
| Field | Value |
|---|---|
| Size | 23,16 KB |
| SHA-256 Hash | 4370360C76929C71F104C90EE0C51D53CF23294EB75BC91D90E9A7B9FF5131F6 |
| SHA-1 Hash | 50715AA197543E14EAB72CA740CF2665DA3FE010 |
| MD5 Hash | 60783BEF5407AAD641EE4E4FBF437F2A |
| Imphash | 363E0D1B2A35960F221672B45941634E |
| MajorOSVersion | 10 |
| MinorOSVersion | 0 |
| CheckSum | 00006C07 |
| EntryPoint (RVA) | 15D0 |
| SizeOfHeaders | 400 |
| SizeOfImage | 8000 |
| ImageBase | 0000000140000000 |
| Architecture | x64 |
| ImportTable | 29A0 |
| IAT | 2000 |
| Characteristics | 22 |
| TimeDateStamp | 690178F2 |
| Date | 29/10/2025 2:16:18 |
| File Type | EXE |
| Number Of Sections | 6 |
| ASLR | Disabled |
| Section Names (Optional Header) | .text, .rdata, .data, .pdata, .rsrc, .reloc |
| Number Of Executable Sections | 1 |
| Subsystem | Windows Console |
| UAC Execution Level Manifest | asInvoker |
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 0x60000020 Code Executable Readable | 400 | 1000 | 1000 | FCC | | |
| .rdata | 0x40000040 Initialized Data Readable | 1400 | 1200 | 2000 | 10F8 | | |
| .data | 0xC0000040 Initialized Data Readable Writeable | 2600 | 200 | 4000 | 6C8 | | |
| .pdata | 0x40000040 Initialized Data Readable | 2800 | 200 | 5000 | 18C | | |
| .rsrc | 0x40000040 Initialized Data Readable | 2A00 | 800 | 6000 | 7B8 | | |
| .reloc | 0x42000040 Initialized Data GP-Relative Readable | 3200 | 200 | 7000 | 34 | | |
| Description |
| Field | Value |
|---|---|
| OriginalFilename | vsdbg.exe |
| CompanyName | Microsoft Corporation |
| LegalCopyright | Microsoft Corporation. All rights reserved. |
| ProductName | Microsoft Visual Studio |
| FileVersion | 18.0.11029.3 commit:6724176caf907dfeb202db10b8a6b1e6453c6b6e |
| FileDescription | Microsoft Visual Studio .NET/C/C++ Debugger (vsdbg) |
| ProductVersion | 18.0.11029.3 |
| Language | English (United States) (ID=0x409) |
| CodePage | Unicode (UTF-16 LE) (0x4B0) |
| Entry Point |
The Entry Point lies in section number 1 (.text).

• EntryPoint (calculated): 9D0
• Code: 4883EC28E88B0600004883C428E96AFEFFFFCCCC40534883EC20488BD933C9FF150B0A0000488BCBFF15720A0000FF155C0A

Assembler
• SUB RSP, 0X28
• CALL 0X1694
• ADD RSP, 0X28
• JMP 0XE7C
• INT3
• INT3
• PUSH RBX
• SUB RSP, 0X20
• MOV RBX, RCX
• XOR ECX, ECX
• CALL QWORD PTR [RIP + 0XA0B]
• MOV RCX, RBX
• CALL QWORD PTR [RIP + 0XA72]
| Signatures |
Rich Signature Analyzer
• Code: 95CB29D7D1AA4784D1AA4784D1AA478459234685D3AA4784A52B4685D3AA4784D8D2D484DBAA4784D1AA468496AA478456234685D4AA478456234485D2AA478456234385DBAA478456234285C7AA478459234E85D3AA47845923B884D0AA4784D1AAD084D0AA478459234585D0AA478452696368D1AA4784
• Footprint MD5 Hash: 5D2A9001A0561494DD9B16949D384806
• The Rich header apparently has not been modified

Certificate - Digital Signature
• The file is signed and the signature is correct
| Packer/Compiler |
Compiler: Microsoft Visual Studio

Detect It Easy (die)
• PE+(64): compiler: Microsoft Visual C/C++(-)[-]
• PE+(64): linker: Microsoft Linker(14.44**)[-]
• PE+(64): Sign tool: Windows Authenticode(2.0)[PKCS 7]
• Entropy: 6.36822
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |
| File Access |
• vsdbg.dll
• KERNEL32.dll
• api-ms-win-crt-locale-l1-1-0.dll
• api-ms-win-crt-stdio-l1-1-0.dll
• api-ms-win-crt-math-l1-1-0.dll
• api-ms-win-crt-runtime-l1-1-0.dll
• api-ms-win-crt-heap-l1-1-0.dll
• VCRUNTIME140.dll
• .dat
• @.dat
| File Access (UNICODE) |
• vsdbg.exe
| Words of Interest |
• exec
• shutdown
| Words of Interest (UNICODE) |
• start
• pause
| URLs |
• http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
• http://www.microsoft.com/pkiops/certs/MicCodSigPCA2011_2011-07-08.crt
• http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
• http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt
• http://www.microsoft.com/pkiops/docs/primarycps.htm
• http://www.microsoft.com
• http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl
• http://www.microsoft.com/pkiops/certs/Microsoft%20Time-Stamp%20PCA%202010(1).crt
• http://www.microsoft.com/pkiops/Docs/Repository.htm
• http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
• http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | Anti-Analysis VM (IsDebuggerPresent) |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8.0 (DLL) |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \VERSION\1\1033 | 60A0 | 3DC | 2AA0 | DC0334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \24\1\1033 | 6480 | 336 | 2E80 | EFBBBF3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E65 | ...<?xml version="1.0" encoding="UTF-8" standalone |
| Intelligent String |
• vsdbg.exe
• api-ms-win-crt-math-l1-1-0.dll
• api-ms-win-crt-runtime-l1-1-0.dll
• D:\a\_work\1\s\bin\Release\CoreDebugger\x64\vsdbg-exe.pdb
• .bss
• VCRUNTIME140.dll
• gterminateapi-ms-win-crt-heap-l1-1-0.dll
• api-ms-win-crt-stdio-l1-1-0.dll
• api-ms-win-crt-locale-l1-1-0.dll
• Microsoft Visual Studio .NET/C/C++ Debugger (vsdbg)
• 18.0.11029.3 commit:6724176caf907dfeb202db10b8a6b1e6453c6b6e
| Flow Anomalies |
| Offset | RVA | Section | Description |
|---|---|---|---|
| 432 | N/A | .text | CALL QWORD PTR [RIP+0xFD0] |
| 455 | N/A | .text | CALL QWORD PTR [RIP+0xFBD] |
| 45B | N/A | .text | CALL QWORD PTR [RIP+0xFAF] |
| 46B | N/A | .text | CALL QWORD PTR [RIP+0xFF7] |
| 471 | N/A | .text | CALL QWORD PTR [RIP+0x1159] |
| 490 | N/A | .text | CALL QWORD PTR [RIP+0x111A] |
| 4A1 | N/A | .text | CALL QWORD PTR [RIP+0x1121] |
| 4AD | N/A | .text | CALL QWORD PTR [RIP+0x1105] |
| 4B5 | N/A | .text | CALL QWORD PTR [RIP+0x1105] |
| 90E | N/A | .text | CALL QWORD PTR [RIP+0xCDC] |
| 9EF | N/A | .text | CALL QWORD PTR [RIP+0xA0B] |
| 9F8 | N/A | .text | CALL QWORD PTR [RIP+0xA72] |
| 9FE | N/A | .text | CALL QWORD PTR [RIP+0xA5C] |
| A12 | N/A | .text | JMP QWORD PTR [RIP+0xA40] |
| A2E | N/A | .text | CALL QWORD PTR [RIP+0xA1C] |
| AFF | N/A | .text | CALL QWORD PTR [RIP+0x983] |
| B19 | N/A | .text | CALL QWORD PTR [RIP+0x961] |
| B53 | N/A | .text | CALL QWORD PTR [RIP+0x91F] |
| E3C | N/A | .text | CALL QWORD PTR [RIP+0x60E] |
| E69 | N/A | .text | CALL QWORD PTR [RIP+0x619] |
| E83 | N/A | .text | CALL QWORD PTR [RIP+0x5F7] |
| EC7 | N/A | .text | CALL QWORD PTR [RIP+0x5AB] |
| F1B | N/A | .text | CALL QWORD PTR [RIP+0x4EF] |
| F38 | N/A | .text | CALL QWORD PTR [RIP+0x4C2] |
| F43 | N/A | .text | CALL QWORD PTR [RIP+0x527] |
| F8A | N/A | .text | CALL QWORD PTR [RIP+0x4B8] |
| FE0 | N/A | .text | JMP QWORD PTR [RIP+0x41A] |
| 1093 | N/A | .text | CALL QWORD PTR [RIP+0x38F] |
| 10A1 | N/A | .text | CALL QWORD PTR [RIP+0x389] |
| 10AD | N/A | .text | CALL QWORD PTR [RIP+0x385] |
| 10BD | N/A | .text | CALL QWORD PTR [RIP+0x37D] |
| 1124 | N/A | .text | JMP QWORD PTR [RIP+0x2F6] |
| 119A | N/A | .text | CALL QWORD PTR [RIP+0x450] |
| 11E2 | N/A | .text | CALL QWORD PTR [RIP+0x408] |
| 1200 | N/A | .text | JMP QWORD PTR [RIP+0x2B2] |
| 1206 | N/A | .text | JMP QWORD PTR [RIP+0x2A4] |
| 120C | N/A | .text | JMP QWORD PTR [RIP+0x286] |
| 1212 | N/A | .text | JMP QWORD PTR [RIP+0x288] |
| 1218 | N/A | .text | JMP QWORD PTR [RIP+0x2AA] |
| 121E | N/A | .text | JMP QWORD PTR [RIP+0x364] |
| 1224 | N/A | .text | JMP QWORD PTR [RIP+0x356] |
| 122A | N/A | .text | JMP QWORD PTR [RIP+0x348] |
| 1230 | N/A | .text | JMP QWORD PTR [RIP+0x33A] |
| 1236 | N/A | .text | JMP QWORD PTR [RIP+0x32C] |
| 123C | N/A | .text | JMP QWORD PTR [RIP+0x31E] |
| 1242 | N/A | .text | JMP QWORD PTR [RIP+0x2A8] |
| 1248 | N/A | .text | JMP QWORD PTR [RIP+0x30A] |
| 124E | N/A | .text | JMP QWORD PTR [RIP+0x2FC] |
| 1254 | N/A | .text | JMP QWORD PTR [RIP+0x2EE] |
| 125A | N/A | .text | JMP QWORD PTR [RIP+0x2E0] |
| 1260 | N/A | .text | JMP QWORD PTR [RIP+0x2D2] |
| 1266 | N/A | .text | JMP QWORD PTR [RIP+0x2C4] |
| 126C | N/A | .text | JMP QWORD PTR [RIP+0x2B6] |
| 1272 | N/A | .text | JMP QWORD PTR [RIP+0x320] |
| 1278 | N/A | .text | JMP QWORD PTR [RIP+0x29A] |
| 127E | N/A | .text | JMP QWORD PTR [RIP+0x28C] |
| 1284 | N/A | .text | JMP QWORD PTR [RIP+0x27E] |
| 128A | N/A | .text | JMP QWORD PTR [RIP+0x270] |
| 1290 | N/A | .text | JMP QWORD PTR [RIP+0x24A] |
| 1296 | N/A | .text | JMP QWORD PTR [RIP+0x234] |
| 129C | N/A | .text | JMP QWORD PTR [RIP+0x2FE] |
| 12A2 | N/A | .text | JMP QWORD PTR [RIP+0x278] |
| 1350 | N/A | .text | JMP QWORD PTR [RIP+0x152] |
| 1390 | N/A | .text | JMP QWORD PTR [RIP+0x25A] |
| 3400 | N/A | *Overlay* | A0280000000202003082289006092A864886F70D (.(......0.(...*.H...)) |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 13618 | 57,4308% |
| Null Byte Code | 6053 | 25,5272% |
© 2026 All rights reserved.