PESCAN.IO - Analysis Report Basic
| File Structure |
| (Layout chart not reproduced in this export.) Chart legend for PE files: executable header = light blue, executable sections = pink, non-executable sections = black, external injected code = red; a File Structure bar drawn in red means a malformed or corrupted header. For other file types: printable characters = blue, non-printable characters = black. |
| Information |
| Size: 18.00 KB (18,432 bytes, which is exactly where the last section's raw data ends: 0x4600 + 0x200 = 0x4800) |
| SHA-256: F12B25987ED206A5092298EDA834F0C1215122B103A75A792B92FBD27A22271D |
| SHA-1: E29C8DA3EE76FBDC1EB30E8C0E9881844180B237 |
| MD5: 6CDABFCBF30FA3AF812913A685AB55C5 |
| Imphash: 869B29CADB81D62B90F668AE2F156B7F |
| MajorOSVersion.MinorOSVersion: 4.0 |
| CheckSum: 00005F09 |
| EntryPoint (RVA): 13E0 (file offset 7E0, in .text) |
| SizeOfHeaders: 400; SizeOfImage: D000; ImageBase: 0000000140000000 |
| Architecture: x64; File Type: EXE; Subsystem: Windows Console |
| ImportTable: 8000; IAT: 8240 (both inside .idata) |
| Characteristics: 22E = EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED. RELOCS_STRIPPED is clear and a .reloc section is present, so the image can be relocated. |
| TimeDateStamp: 6841A3A9 = 2025-06-05 14:03:21 UTC (decoded from the stamp) |
| Number Of Sections: 11 (.text, .data, .rdata, .pdata, .xdata, .bss, .idata, .CRT, .tls, .rsrc, .reloc); executable sections: 1 (.text) |
| ASLR: Disabled. The DYNAMIC_BASE flag in DllCharacteristics is not set, so despite the usable .reloc section the image will normally be mapped at its preferred base 0x140000000, which leaves its code addresses predictable for an exploit. |
| UAC Execution Level Manifest: asInvoker |
| Sections Info |
| Section Name | Flags | Raw Offset (hex) | Raw Size (hex) | Virtual Address (hex) | Virtual Size (hex) | Entropy (bits/byte) | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 60000060 (Code, Initialized Data, Executable, Readable) | 400 | 1C00 | 1000 | 1A88 | 5.7964 | 116530.21 |
| .data | C0000040 (Initialized Data, Readable, Writeable) | 2000 | 200 | 3000 | B0 | 0.7118 | 108684.00 |
| .rdata | 40000040 (Initialized Data, Readable) | 2200 | C00 | 4000 | B40 | 4.7173 | 75253.50 |
| .pdata | 40000040 (Initialized Data, Readable) | 2E00 | 400 | 5000 | 240 | 2.4342 | 137610.50 |
| .xdata | 40000040 (Initialized Data, Readable) | 3200 | 200 | 6000 | 1BC | 3.4770 | 27645.00 |
| .bss | C0000080 (Uninitialized Data, Readable, Writeable) | 0 | 0 | 7000 | 180 | N/A | N/A |
| .idata | C0000040 (Initialized Data, Readable, Writeable) | 3400 | 800 | 8000 | 800 | 3.9837 | 119969.25 |
| .CRT | C0000040 (Initialized Data, Readable, Writeable) | 3C00 | 200 | 9000 | 60 | 0.2866 | 122518.00 |
| .tls | C0000040 (Initialized Data, Readable, Writeable) | 3E00 | 200 | A000 | 10 | 0.0000 | 130560.00 |
| .rsrc | 40000040 (Initialized Data, Readable) | 4000 | 600 | B000 | 4E8 | 4.7785 | 29313.67 |
| .reloc | 42000040 (Initialized Data, Discardable, Readable) | 4600 | 200 | C000 | 78 | 1.3995 | 88498.00 |
| Notes: .bss has no bytes in the file (0x180 bytes are allocated only in memory), which is why its entropy is N/A. The 0x02000000 bit in the .reloc flags is IMAGE_SCN_MEM_DISCARDABLE, not GP-relative (IMAGE_SCN_GPREL is 0x00008000). Only .text is executable, and no section is writable and executable at the same time. |
| Entry Point |
| Section 1 (.text) contains the entry point. EntryPoint RVA 13E0 maps to file offset 7E0 (13E0 - 1000 + 400). Bytes at the entry point: 4883EC28488B0545300000C70000000000E88AFDFFFF90904883C428C30F1F00E93B1400009090909090909090909090488D |
| Disassembly. The tool lists it as if the entry point sat at address 0x1000, so add 0x3E0 to its CALL/JMP targets to obtain real RVAs: |
| • SUB RSP, 0x28 |
| • MOV RAX, QWORD PTR [RIP + 0x3045] (loads a pointer stored at RVA 4430 in .rdata) |
| • MOV DWORD PTR [RAX], 0 (zeroes the dword that pointer refers to) |
| • CALL 0xDA0 (RVA 1180, a function that also appears in the .pdata table below) |
| • NOP |
| • NOP |
| • ADD RSP, 0x28 |
| • RET |
| • NOP DWORD PTR [RAX] (3 bytes of padding; the entry-point function ends here) |
| • JMP 0x2460 (RVA 2840). This JMP sits at RVA 1400, which .pdata lists as a separate one-instruction function; RVA 2840 is one of the import stubs shown under Flow Anomalies (file offset 1C40, JMP QWORD PTR [RIP+0x5AD2]). |
| • NOP x11 (alignment padding up to the next function at RVA 1410) |
| Signatures |
| Certificate - Digital Signature Not Found: • The file is not signed |
| Packer/Compiler |
| Detect It Easy (die): Entropy 5.05375 (the only DIE result in this report; no packer or compiler signature is listed). No section reaches packer-level entropy (.text is 5.80 bits/byte), so the code is stored in the clear. The section layout (.text, .data, .rdata, .pdata, .xdata, .bss, .idata, .CRT, .tls, .rsrc, .reloc) together with the api-ms-win-crt-*-l1-1-0.dll imports is what GCC/MinGW-w64 produces for an x64 console program linked against the Universal CRT, which makes that a more likely toolchain than the MSVC match reported under the file rules below. |
| File Access |
| Imported modules: api-ms-win-crt-string-l1-1-0.dll, api-ms-win-crt-stdio-l1-1-0.dll, api-ms-win-crt-runtime-l1-1-0.dll, api-ms-win-crt-private-l1-1-0.dll, api-ms-win-crt-math-l1-1-0.dll, api-ms-win-crt-heap-l1-1-0.dll, api-ms-win-crt-environment-l1-1-0.dll, KERNEL32.dll. File-name fragment found in strings: .dat |
| Words of Interest |
| • PassWord • exec |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | Stealth (VirtualProtect) |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8.0 (DLL) |
| Notes on the matches: "Stealth (VirtualProtect)" fires on the import name alone. The MinGW-w64 startup code calls VirtualProtect in every program it links (its _pei386_runtime_relocator applies runtime pseudo-relocations through it), so for a binary with this section layout the import is expected and is not by itself evidence of self-modifying or injected code; what would matter is a VirtualProtect call on a region that is later executed, which a static report cannot show. The "Microsoft Visual C++ 8.0 (DLL)" rule is a generic entry-point byte pattern: the file is an EXE, and its .CRT/.tls/.bss/.xdata sections and api-ms-win-crt-* imports point to a GCC/MinGW-w64 build rather than MSVC, so treat this hit as unreliable. |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \24\1\0 | B058 | 48F | 4058 | 3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E653D2279 | <?xml version="1.0" encoding="UTF-8" standalone="y |
| The only resource is type 24 (RT_MANIFEST), name 1, language 0: the embedded application manifest (0x48F bytes at RVA B058, file offset 4058), which is the source of the asInvoker execution level reported above. |
| Intelligent String |
| • @.bss • .CRT • .tls • KERNEL32.dll • api-ms-win-crt-environment-l1-1-0.dll • api-ms-win-crt-heap-l1-1-0.dll • api-ms-win-crt-math-l1-1-0.dll • api-ms-win-crt-private-l1-1-0.dll • api-ms-win-crt-runtime-l1-1-0.dll • api-ms-win-crt-string-l1-1-0.dll |
| Flow Anomalies |
| Offset (hex) | RVA (hex) | Section | Description |
|---|---|---|---|
| 62B | 122B | .text | CALL QWORD PTR [RIP+0x7037] -> IAT slot 8268 |
| D3B | 193B | .text | CALL QWORD PTR [RIP+0x6947] -> IAT slot 8288 |
| D9E | 199E | .text | CALL QWORD PTR [RIP+0x68DC] -> IAT slot 8280 |
| DA8 | 19A8 | .text | CALL QWORD PTR [RIP+0x68A2] -> IAT slot 8250 |
| 1394 | 1F94 | .text | CALL QWORD PTR [RIP+0x62AE] -> IAT slot 8248 |
| 13F2 | 1FF2 | .text | JMP QWORD PTR [RIP+0x6268] -> IAT slot 8260 |
| 1447 | 2047 | .text | CALL QWORD PTR [RIP+0x61FB] -> IAT slot 8248 |
| 1462 | 2062 | .text | CALL QWORD PTR [RIP+0x61F8] -> IAT slot 8260 |
| 149A | 209A | .text | CALL QWORD PTR [RIP+0x61A8] -> IAT slot 8248 |
| 14E6 | 20E6 | .text | CALL QWORD PTR [RIP+0x6174] -> IAT slot 8260 |
| 15CD | 21CD | .text | CALL QWORD PTR [RIP+0x606D] -> IAT slot 8240 |
| 1607 | 2207 | .text | CALL QWORD PTR [RIP+0x604B] -> IAT slot 8258 |
| 1BC0 | 27C0 | .text | JMP QWORD PTR [RIP+0x5BE2] -> IAT slot 83A8 |
| 1BC8 | 27C8 | .text | JMP QWORD PTR [RIP+0x5BE2] -> IAT slot 83B0 |
| 1BD0 | 27D0 | .text | JMP QWORD PTR [RIP+0x5BE2] -> IAT slot 83B8 |
| 1BE0 | 27E0 | .text | JMP QWORD PTR [RIP+0x5B82] -> IAT slot 8368 |
| 1BE8 | 27E8 | .text | JMP QWORD PTR [RIP+0x5B82] -> IAT slot 8370 |
| 1BF0 | 27F0 | .text | JMP QWORD PTR [RIP+0x5B82] -> IAT slot 8378 |
| 1BF8 | 27F8 | .text | JMP QWORD PTR [RIP+0x5B82] -> IAT slot 8380 |
| 1C00 | 2800 | .text | JMP QWORD PTR [RIP+0x5B82] -> IAT slot 8388 |
| 1C08 | 2808 | .text | JMP QWORD PTR [RIP+0x5B82] -> IAT slot 8390 |
| 1C10 | 2810 | .text | JMP QWORD PTR [RIP+0x5B82] -> IAT slot 8398 |
| 1C20 | 2820 | .text | JMP QWORD PTR [RIP+0x5AD2] -> IAT slot 82F8 |
| 1C28 | 2828 | .text | JMP QWORD PTR [RIP+0x5AD2] -> IAT slot 8300 |
| 1C30 | 2830 | .text | JMP QWORD PTR [RIP+0x5AD2] -> IAT slot 8308 |
| 1C38 | 2838 | .text | JMP QWORD PTR [RIP+0x5AD2] -> IAT slot 8310 |
| 1C40 | 2840 | .text | JMP QWORD PTR [RIP+0x5AD2] -> IAT slot 8318 (target of the JMP at RVA 1400, just after the entry point) |
| 1C48 | 2848 | .text | JMP QWORD PTR [RIP+0x5AD2] -> IAT slot 8320 |
| 1C50 | 2850 | .text | JMP QWORD PTR [RIP+0x5AD2] -> IAT slot 8328 |
| 1C58 | 2858 | .text | JMP QWORD PTR [RIP+0x5AD2] -> IAT slot 8330 |
| 1C60 | 2860 | .text | JMP QWORD PTR [RIP+0x5AD2] -> IAT slot 8338 |
| 1C68 | 2868 | .text | JMP QWORD PTR [RIP+0x5AD2] -> IAT slot 8340 |
| 1C70 | 2870 | .text | JMP QWORD PTR [RIP+0x5AD2] -> IAT slot 8348 |
| 1C78 | 2878 | .text | JMP QWORD PTR [RIP+0x5AD2] -> IAT slot 8350 |
| 1C80 | 2880 | .text | JMP QWORD PTR [RIP+0x5AD2] -> IAT slot 8358 |
| 1C90 | 2890 | .text | JMP QWORD PTR [RIP+0x5A4A] -> IAT slot 82E0 |
| 1C98 | 2898 | .text | JMP QWORD PTR [RIP+0x5A4A] -> IAT slot 82E8 |
| 1CA0 | 28A0 | .text | JMP QWORD PTR [RIP+0x5A2A] -> IAT slot 82D0 |
| 1CB0 | 28B0 | .text | JMP QWORD PTR [RIP+0x59F2] -> IAT slot 82A8 |
| 1CB8 | 28B8 | .text | JMP QWORD PTR [RIP+0x59F2] -> IAT slot 82B0 |
| 1CC0 | 28C0 | .text | JMP QWORD PTR [RIP+0x59F2] -> IAT slot 82B8 |
| 1CC8 | 28C8 | .text | JMP QWORD PTR [RIP+0x59F2] -> IAT slot 82C0 |
| 1CD0 | 28D0 | .text | JMP QWORD PTR [RIP+0x59C2] -> IAT slot 8298 |
| 1CE0 | 28E0 | .text | JMP QWORD PTR [RIP+0x59A2] -> IAT slot 8288 |
| 1CE8 | 28E8 | .text | JMP QWORD PTR [RIP+0x5992] -> IAT slot 8280 |
| 1CF0 | 28F0 | .text | JMP QWORD PTR [RIP+0x5982] -> IAT slot 8278 |
| 1CF8 | 28F8 | .text | JMP QWORD PTR [RIP+0x5972] -> IAT slot 8270 |
| 1D00 | 2900 | .text | JMP QWORD PTR [RIP+0x5962] -> IAT slot 8268 |
| 1D08 | 2908 | .text | JMP QWORD PTR [RIP+0x5952] -> IAT slot 8260 |
| 1D10 | 2910 | .text | JMP QWORD PTR [RIP+0x5942] -> IAT slot 8258 |
| 1D18 | 2918 | .text | JMP QWORD PTR [RIP+0x5932] -> IAT slot 8250 |
| 1D20 | 2920 | .text | JMP QWORD PTR [RIP+0x5922] -> IAT slot 8248 |
| 1D28 | 2928 | .text | JMP QWORD PTR [RIP+0x5912] -> IAT slot 8240 |
| 3C38 | 9038 | .CRT | TLS callback pointer: 0x140001680 (RVA 1680, file offset A80 in .text) |
| 3C40 | 9040 | .CRT | TLS callback pointer: 0x140001660 (RVA 1660, file offset A60 in .text) |
| 2E00 | 5000 | .pdata | RUNTIME_FUNCTION for the function at RVA 1000 (file offset 400, .text); unwind info in .xdata |
| 2E0C | 500C | .pdata | RUNTIME_FUNCTION for the function at RVA 1010 (file offset 410, .text); unwind info in .xdata |
| 2E18 | 5018 | .pdata | RUNTIME_FUNCTION for the function at RVA 1130 (file offset 530, .text); unwind info in .xdata |
| 2E24 | 5024 | .pdata | RUNTIME_FUNCTION for the function at RVA 1180 (file offset 580, .text); unwind info in .xdata |
| 2E30 | 5030 | .pdata | RUNTIME_FUNCTION for the function at RVA 13C0 (file offset 7C0, .text); unwind info in .xdata |
| 2E3C | 503C | .pdata | RUNTIME_FUNCTION for the function at RVA 13E0 (file offset 7E0, .text; the entry point); unwind info in .xdata |
| 2E48 | 5048 | .pdata | RUNTIME_FUNCTION for the function at RVA 1400 (file offset 800, .text); unwind info in .xdata |
| 2E54 | 5054 | .pdata | RUNTIME_FUNCTION for the function at RVA 1410 (file offset 810, .text); unwind info in .xdata |
| 2E60 | 5060 | .pdata | RUNTIME_FUNCTION for the function at RVA 1420 (file offset 820, .text); unwind info in .xdata |
| 2E6C | 506C | .pdata | RUNTIME_FUNCTION for the function at RVA 1430 (file offset 830, .text); unwind info in .xdata |
| 2E78 | 5078 | .pdata | RUNTIME_FUNCTION for the function at RVA 1450 (file offset 850, .text); unwind info in .xdata |
| 2E84 | 5084 | .pdata | RUNTIME_FUNCTION for the function at RVA 1470 (file offset 870, .text); unwind info in .xdata |
| 2E90 | 5090 | .pdata | RUNTIME_FUNCTION for the function at RVA 1560 (file offset 960, .text); unwind info in .xdata |
| 2E9C | 509C | .pdata | RUNTIME_FUNCTION for the function at RVA 15B0 (file offset 9B0, .text); unwind info in .xdata |
| 2EA8 | 50A8 | .pdata | RUNTIME_FUNCTION for the function at RVA 1630 (file offset A30, .text); unwind info in .xdata |
| 2EB4 | 50B4 | .pdata | RUNTIME_FUNCTION for the function at RVA 1650 (file offset A50, .text); unwind info in .xdata |
| 2EC0 | 50C0 | .pdata | RUNTIME_FUNCTION for the function at RVA 1660 (file offset A60, .text; TLS callback); unwind info in .xdata |
| 2ECC | 50CC | .pdata | RUNTIME_FUNCTION for the function at RVA 1680 (file offset A80, .text; TLS callback); unwind info in .xdata |
| 2ED8 | 50D8 | .pdata | RUNTIME_FUNCTION for the function at RVA 1700 (file offset B00, .text); unwind info in .xdata |
| 2EE4 | 50E4 | .pdata | RUNTIME_FUNCTION for the function at RVA 1710 (file offset B10, .text); unwind info in .xdata |
| 2EF0 | 50F0 | .pdata | RUNTIME_FUNCTION for the function at RVA 1810 (file offset C10, .text); unwind info in .xdata |
| 2EFC | 50FC | .pdata | RUNTIME_FUNCTION for the function at RVA 1820 (file offset C20, .text); unwind info in .xdata |
| 2F08 | 5108 | .pdata | RUNTIME_FUNCTION for the function at RVA 1890 (file offset C90, .text); unwind info in .xdata |
| 2F14 | 5114 | .pdata | RUNTIME_FUNCTION for the function at RVA 1A00 (file offset E00, .text); unwind info in .xdata |
| 2F20 | 5120 | .pdata | RUNTIME_FUNCTION for the function at RVA 1D70 (file offset 1170, .text); unwind info in .xdata |
| 2F2C | 512C | .pdata | RUNTIME_FUNCTION for the function at RVA 1DB0 (file offset 11B0, .text); unwind info in .xdata |
| 2F38 | 5138 | .pdata | RUNTIME_FUNCTION for the function at RVA 1DC0 (file offset 11C0, .text); unwind info in .xdata |
| 2F44 | 5144 | .pdata | RUNTIME_FUNCTION for the function at RVA 1F80 (file offset 1380, .text); unwind info in .xdata |
| 2F50 | 5150 | .pdata | RUNTIME_FUNCTION for the function at RVA 2000 (file offset 1400, .text); unwind info in .xdata |
| 2F5C | 515C | .pdata | RUNTIME_FUNCTION for the function at RVA 2070 (file offset 1470, .text); unwind info in .xdata |
| 2F68 | 5168 | .pdata | RUNTIME_FUNCTION for the function at RVA 2110 (file offset 1510, .text); unwind info in .xdata |
| 2F74 | 5174 | .pdata | RUNTIME_FUNCTION for the function at RVA 2220 (file offset 1620, .text); unwind info in .xdata |
| 2F80 | 5180 | .pdata | RUNTIME_FUNCTION for the function at RVA 2250 (file offset 1650, .text); unwind info in .xdata |
| 2F8C | 518C | .pdata | RUNTIME_FUNCTION for the function at RVA 22A0 (file offset 16A0, .text); unwind info in .xdata |
| 2F98 | 5198 | .pdata | RUNTIME_FUNCTION for the function at RVA 2340 (file offset 1740, .text); unwind info in .xdata |
| 2FA4 | 51A4 | .pdata | RUNTIME_FUNCTION for the function at RVA 23C0 (file offset 17C0, .text); unwind info in .xdata |
| 2FB0 | 51B0 | .pdata | RUNTIME_FUNCTION for the function at RVA 2400 (file offset 1800, .text); unwind info in .xdata |
| 2FBC | 51BC | .pdata | RUNTIME_FUNCTION for the function at RVA 2480 (file offset 1880, .text); unwind info in .xdata |
| 2FC8 | 51C8 | .pdata | RUNTIME_FUNCTION for the function at RVA 24C0 (file offset 18C0, .text); unwind info in .xdata |
| 2FD4 | 51D4 | .pdata | RUNTIME_FUNCTION for the function at RVA 2550 (file offset 1950, .text); unwind info in .xdata |
| 2FE0 | 51E0 | .pdata | RUNTIME_FUNCTION for the function at RVA 2660 (file offset 1A60, .text); unwind info in .xdata |
| 2FEC | 51EC | .pdata | RUNTIME_FUNCTION for the function at RVA 2690 (file offset 1A90, .text); unwind info in .xdata |
| 2FF8 | 51F8 | .pdata | RUNTIME_FUNCTION for the function at RVA 26E0 (file offset 1AE0, .text); unwind info in .xdata |
| 3004 | 5204 | .pdata | RUNTIME_FUNCTION for the function at RVA 2720 (file offset 1B20, .text); unwind info in .xdata |
| 3010 | 5210 | .pdata | RUNTIME_FUNCTION for the function at RVA 2730 (file offset 1B30, .text); unwind info in .xdata |
| 301C | 521C | .pdata | RUNTIME_FUNCTION for the function at RVA 2760 (file offset 1B60, .text); unwind info in .xdata |
| 3028 | 5228 | .pdata | RUNTIME_FUNCTION for the function at RVA 2930 (file offset 1D30, .text); unwind info in .xdata |
| 3034 | 5234 | .pdata | RUNTIME_FUNCTION for the function at RVA 2A50 (file offset 1E50, .text); unwind info in .xdata |
| Interpretation: the RVA column is derived from the section table (for .text rows, RVA = offset + 0xC00), and the "IAT slot" of each .text row is the pointer the instruction reads (instruction RVA + 6 + displacement). Every one of them falls between 8240 and 83B8, inside the IAT (IAT: 8240, in .idata), so these are ordinary calls and jumps to imported functions, not diverted control flow. The 8-byte-aligned JMP stubs from offset 1BC0 to 1D28 are the linker-generated import thunks; their targets form eight runs of consecutive slots separated by one empty slot each, which are the null-terminated IAT blocks of the eight imported modules (41 imported functions in total). The .pdata rows are the x64 exception directory, one RUNTIME_FUNCTION per function (48 entries x 12 bytes = 0x240, the section's virtual size), which every x64 PE with unwind data carries; the report's "ExceptionHook" label does not indicate hooking. The two TLS callbacks in .CRT run before the entry point and are the items to inspect first in a debugger or sandbox, because a static report cannot show what they do. |
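As an added worked example (not part of the PESCAN.IO output), the following Python re-derives the figures above from the section table: it fills in the RVAs the Flow Anomalies table reports as N/A, resolves each RIP-relative CALL/JMP to its IAT slot, rebases the entry-point disassembly addresses (which the tool prints as if the entry point were at 0x1000) and cross-checks them against the raw bytes, maps the TLS callback VA to its file offset, and decodes the Characteristics word and timestamp from the Information block. The section data, the entry-point bytes and the four sample Flow Anomalies rows are copied from this page; the IAT's upper bound is assumed to be the end of .idata, since the report gives only its start.

```python
# Added worked example, not part of the PESCAN.IO report: re-derives the report's
# offset/RVA figures from its own section table using only values printed above.
import struct
from datetime import datetime, timezone

IMAGE_BASE = 0x140000000
ENTRY_RVA = 0x13E0           # "EntryPoint (rva): 13E0"
IAT_RVA = 0x8240             # "IAT: 8240"; no IAT size is given, so the end of
IDATA_END = 0x8000 + 0x800   # .idata is used as the upper bound (assumption)

# (name, raw offset, raw size, virtual address, virtual size) from "Sections Info"
SECTIONS = [
    (".text",  0x0400, 0x1C00, 0x1000, 0x1A88),
    (".data",  0x2000, 0x0200, 0x3000, 0x00B0),
    (".rdata", 0x2200, 0x0C00, 0x4000, 0x0B40),
    (".pdata", 0x2E00, 0x0400, 0x5000, 0x0240),
    (".xdata", 0x3200, 0x0200, 0x6000, 0x01BC),
    (".bss",   0x0000, 0x0000, 0x7000, 0x0180),
    (".idata", 0x3400, 0x0800, 0x8000, 0x0800),
    (".CRT",   0x3C00, 0x0200, 0x9000, 0x0060),
    (".tls",   0x3E00, 0x0200, 0xA000, 0x0010),
    (".rsrc",  0x4000, 0x0600, 0xB000, 0x04E8),
    (".reloc", 0x4600, 0x0200, 0xC000, 0x0078),
]

# The 50 entry-point bytes printed under "Entry Point"
ENTRY_CODE = bytes.fromhex(
    "4883EC28488B0545300000C70000000000E88AFDFFFF90904883C428C3"
    "0F1F00E93B1400009090909090909090909090488D")

# IMAGE_FILE_* bits relevant to a Characteristics word of 0x22E
CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED", 0x0020: "LARGE_ADDRESS_AWARE", 0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED", 0x2000: "DLL",
}

def section_for_rva(rva):
    """Name of the section whose virtual range covers rva, or None."""
    for name, _roff, rsize, va, vsize in SECTIONS:
        if va <= rva < va + max(vsize, rsize):
            return name
    return None

def offset_to_rva(off):
    """Raw file offset -> RVA, through the section whose raw data holds it."""
    for _name, roff, rsize, va, _vsize in SECTIONS:
        if rsize and roff <= off < roff + rsize:
            return off - roff + va
    raise ValueError(f"offset {off:#x} lies outside every section's raw data")

def rva_to_offset(rva):
    """RVA -> raw file offset; fails for .bss, which has no bytes in the file."""
    for _name, roff, rsize, va, _vsize in SECTIONS:
        if rsize and va <= rva < va + rsize:
            return rva - va + roff
    raise ValueError(f"RVA {rva:#x} has no backing file data")

def resolve_indirect(offset, disp):
    """Resolve a 6-byte CALL/JMP QWORD PTR [RIP+disp] (FF 15 / FF 25 + disp32) at a
    raw offset: (instruction RVA, pointer RVA, its section, whether it is an IAT slot)."""
    rva = offset_to_rva(offset)
    target = rva + 6 + disp          # RIP points at the next instruction
    return rva, target, section_for_rva(target), IAT_RVA <= target < IDATA_END

def rel32_target(code, instr_off, base_rva):
    """Target of an E8 (CALL rel32) / E9 (JMP rel32) at instr_off inside code that
    begins at base_rva: next-instruction address plus the signed displacement."""
    if code[instr_off] not in (0xE8, 0xE9):
        raise ValueError(f"no CALL/JMP rel32 opcode at byte {instr_off}")
    disp = struct.unpack_from("<i", code, instr_off + 1)[0]
    return base_rva + instr_off + 5 + disp

def rebase_report_address(addr):
    """The report disassembles the entry point as if it sat at 0x1000; shift one
    of its listed addresses back to a real RVA."""
    return addr - 0x1000 + ENTRY_RVA

def decode_characteristics(value):
    return [name for bit, name in sorted(CHARACTERISTICS.items()) if value & bit]

def timestamp_utc(stamp):
    return datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

if __name__ == "__main__":
    print("entry point is at file offset", hex(rva_to_offset(ENTRY_RVA)))
    call_rva = rel32_target(ENTRY_CODE, 17, ENTRY_RVA)   # the E8 at byte 17
    jmp_rva = rel32_target(ENTRY_CODE, 32, ENTRY_RVA)    # the E9 at byte 32
    print(f"CALL -> RVA {call_rva:#x}; report's 0xDA0 rebased: {rebase_report_address(0xDA0):#x}")
    print(f"JMP  -> RVA {jmp_rva:#x}; report's 0x2460 rebased: {rebase_report_address(0x2460):#x}")
    print("TLS callback 0x140001680 is at file offset", hex(rva_to_offset(0x140001680 - IMAGE_BASE)))
    # Four rows copied from "Flow Anomalies": (raw offset, RIP displacement)
    for off, disp in [(0x62B, 0x7037), (0x13F2, 0x6268), (0x1C40, 0x5AD2), (0x1D28, 0x5912)]:
        rva, ptr, sec, in_iat = resolve_indirect(off, disp)
        print(f"offset {off:#06x} -> RVA {rva:#06x} -> [{ptr:#06x}] in {sec}, IAT slot: {in_iat}")
    print("Characteristics 0x22E:", ", ".join(decode_characteristics(0x22E)))
    print("TimeDateStamp 0x6841A3A9:", timestamp_utc(0x6841A3A9), "UTC")
```

Both routes to the entry-point targets agree (the byte-level decode of the E8/E9 displacements and the simple rebase of the tool's 0x1000-based listing), which is the check to run whenever a report's disassembly addresses do not line up with its own EntryPoint field. Feeding every Flow Anomalies row through resolve_indirect is the quick way to confirm that a "flow anomaly" is just an import call before spending time on it.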
| Extra Analysis |
| Metric | Value | Share of the 18,432-byte file |
|---|---|---|
| ASCII bytes | 8588 | 46.5929% |
| Null bytes | 7507 | 40.7281% |
| NOP runs (0x9090909090) | 29 blocks | 0.3933% |
| The NOP runs match the inter-function alignment padding seen in .text (for example the eleven NOPs following the entry-point stub), which is normal compiler output rather than a prepared code cave. |
© 2026 All rights reserved.