PESCAN.IO - Analysis Report Basic
| File Structure |
File-structure chart (image not reproduced). Legend for PE files: executable header = light blue; executable sections = pink; non-executable sections = black; externally injected code = red; a red "File Structure" label marks a malformed or corrupted header. Legend for other file types: printable characters = blue; non-printable characters = black.
| Information |
Size: 24.00 KB (24,576 bytes; equal to the end of the last raw section, 5E00 + 200 = 6000, so the file carries no overlay)
SHA-256: 3638AB7415FDA7744F57E7582EB0A7F68ECA67F8C2EAB86574CD83FFFFC40373
SHA-1: 54A7CEDCCE2FF49B1BF2EAD111D1A29B1282F694
MD5: 76D343E45DDF3FB87142BECC30AEEBE2
Imphash: 065E851C6F5C6F32AAE8CE63F4C885B4
MajorOSVersion / MinorOSVersion: 6.0
CheckSum: 00000000 (not set; Windows only verifies the PE checksum for drivers, so a zero value is common in user-mode executables)
EntryPoint (RVA): 30BC
SizeOfHeaders: 400
SizeOfImage: B000
ImageBase: 0000000140000000
Architecture: x64 (PE32+)
ImportTable: 562C
IAT: 4000
Characteristics: 22 (EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE)
TimeDateStamp: 69A951FB = 2026-03-05 09:50:51 UTC (the report's "05/03/2026 9:50:51" is day/month/year)
File Type: EXE
Number Of Sections: 6
ASLR: Disabled (the DYNAMIC_BASE bit of DllCharacteristics is clear; a .reloc section is present, so the image could be relocated, but the loader will not randomise its base)
Section Names (section table): .text, .rdata, .data, .pdata, .rsrc, .reloc
Number Of Executable Sections: 1 (.text)
Subsystem: Windows Console
UAC Execution Level (manifest): asInvoker
| Sections Info |
| Section Name | Flags (IMAGE_SCN_*) | Raw Offset | Raw Size | Virtual Address | Virtual Size | Entropy (bits/byte) | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 60000020 (Code, Executable, Readable) | 400 | 2E00 | 1000 | 2C84 | 6.0591 | 132801.52 |
| .rdata | 40000040 (Initialized Data, Readable) | 3200 | 2400 | 4000 | 2386 | 4.6362 | 454886.44 |
| .data | C0000040 (Initialized Data, Readable, Writeable) | 5600 | 200 | 7000 | 818 | 2.7242 | 53403.00 |
| .pdata | 40000040 (Initialized Data, Readable) | 5800 | 400 | 8000 | 3CC | 3.9717 | 73452.50 |
| .rsrc | 40000040 (Initialized Data, Readable) | 5C00 | 200 | 9000 | 1E0 | 4.7015 | 9406.00 |
| .reloc | 42000040 (Initialized Data, Discardable, Readable) | 5E00 | 200 | A000 | 6C | 1.5234 | 86738.00 |
Note on .reloc: bit 02000000 is IMAGE_SCN_MEM_DISCARDABLE, the normal marking for relocation data the loader can drop once applied; the GP-relative flag is 00008000 and is not set here. No section is both writable and executable, and only .text is executable.
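The header fields under Information and the section table above can be cross-checked rather than taken on trust. The following is an added example (not pescan.io code) that redoes those checks in Python from the values printed in this report: decoding Characteristics and section flags from the winnt.h bit values, mapping the entry-point RVA to its file offset, rendering TimeDateStamp as a UTC date, deriving the file size from the raw section layout, and computing the per-byte entropy the Sections table reports. The helper names are this example's own.

```python
"""Cross-checks over the PE header fields and section table printed in the report.

Added example, not pescan.io code. The constants are copied from the report for
sample 3638AB74...; the helper names are this example's own.
"""
import math
from collections import Counter
from datetime import datetime, timezone

# Section table as reported: (name, flags, raw offset, raw size, virtual address, virtual size).
SECTIONS = [
    (".text",  0x60000020, 0x0400, 0x2E00, 0x1000, 0x2C84),
    (".rdata", 0x40000040, 0x3200, 0x2400, 0x4000, 0x2386),
    (".data",  0xC0000040, 0x5600, 0x0200, 0x7000, 0x0818),
    (".pdata", 0x40000040, 0x5800, 0x0400, 0x8000, 0x03CC),
    (".rsrc",  0x40000040, 0x5C00, 0x0200, 0x9000, 0x01E0),
    (".reloc", 0x42000040, 0x5E00, 0x0200, 0xA000, 0x006C),
]
ENTRY_POINT_RVA = 0x30BC
TIME_DATE_STAMP = 0x69A951FB
CHARACTERISTICS = 0x22
SIZE_OF_HEADERS = 0x400

# IMAGE_FILE_* bits from winnt.h (subset).
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE", 0x0200: "DEBUG_STRIPPED", 0x2000: "DLL",
}
# IMAGE_SCN_* bits from winnt.h. 0x02000000 is MEM_DISCARDABLE; GPREL is 0x00008000.
SECTION_FLAGS = {
    0x00000020: "CNT_CODE", 0x00000040: "CNT_INITIALIZED_DATA",
    0x00000080: "CNT_UNINITIALIZED_DATA", 0x00008000: "GPREL",
    0x02000000: "MEM_DISCARDABLE", 0x04000000: "MEM_NOT_CACHED",
    0x08000000: "MEM_NOT_PAGED", 0x10000000: "MEM_SHARED",
    0x20000000: "MEM_EXECUTE", 0x40000000: "MEM_READ", 0x80000000: "MEM_WRITE",
}
MEM_EXECUTE = 0x20000000


def decode_flags(value, table):
    """Names of the set bits, in ascending bit order."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def section_of(rva, sections=SECTIONS):
    """Section whose virtual range covers the RVA, or None."""
    for name, _flags, _roff, rsize, va, vsize in sections:
        if va <= rva < va + max(vsize, rsize):
            return name
    return None


def rva_to_offset(rva, sections=SECTIONS):
    """File offset for an RVA: raw_offset + (rva - virtual_address).

    Returns None for RVAs with no file backing (a virtual-only tail or a gap).
    """
    if rva < SIZE_OF_HEADERS:
        return rva  # headers are mapped 1:1
    for _name, _flags, roff, rsize, va, vsize in sections:
        if va <= rva < va + max(vsize, rsize):
            delta = rva - va
            return roff + delta if delta < rsize else None
    return None


def timestamp_utc(stamp):
    """TimeDateStamp is seconds since the Unix epoch; render it unambiguously."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def file_size_from_sections(sections=SECTIONS):
    """End of the last raw section; equals the file size when no overlay is appended."""
    return max(roff + rsize for _n, _f, roff, rsize, _va, _vs in sections)


def executable_sections(sections=SECTIONS):
    return [name for name, flags, *_ in sections if flags & MEM_EXECUTE]


def shannon_entropy(data):
    """Entropy in bits per byte (0.0 .. 8.0), the measure the Sections table reports."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


if __name__ == "__main__":
    print("Characteristics:", decode_flags(CHARACTERISTICS, FILE_CHARACTERISTICS))
    print("Entry point:", section_of(ENTRY_POINT_RVA), hex(rva_to_offset(ENTRY_POINT_RVA)))
    print("Linked:", timestamp_utc(TIME_DATE_STAMP), "UTC")
    print("File size implied by sections:", file_size_from_sections())
    for name, flags, *_ in SECTIONS:
        print(f"{name:7s} {flags:08X} {decode_flags(flags, SECTION_FLAGS)}")
```

Run stand-alone it prints the decoded values; the entry point resolves to file offset 24BC inside .text, the timestamp to 5 March 2026 09:50:51 UTC, and the section layout to exactly 24,576 bytes, all matching the report.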
| Entry Point |
Section 1 (.text) contains the entry point. EntryPoint RVA 30BC maps to file offset 24BC (30BC - 1000 + 400).
Code: 4883EC28E8530500004883C428E972FEFFFFCCCC4883611000488D05E412000048894108488D05C9120000488901488BC1C3
Disassembly:
• SUB RSP, 0x28
• CALL 0x155C
• ADD RSP, 0x28
• JMP 0xE84
• INT3
• INT3
• AND QWORD PTR [RCX + 0x10], 0
• LEA RAX, [RIP + 0x12E4]
• MOV QWORD PTR [RCX + 8], RAX
• LEA RAX, [RIP + 0x12C9]
• MOV QWORD PTR [RCX], RAX
• MOV RAX, RCX
• RET
The first four instructions are the standard MSVC x64 CRT entry stub (mainCRTStartup: call __security_init_cookie, then a tail jump into the CRT's common main routine); the INT3 padding and the function that follows are CRT code, not application logic, so the real program entry is reached only after the CRT startup path.
| Signatures |
Rich Signature Analyzer
Code: 7956157C3D377B2F3D377B2F3D377B2F344FE82F33377B2F2CB1782E3E377B2F2CB17F2E37377B2F2CB17E2E24377B2F2CB17A2E3A377B2F4FB67A2E3F377B2F3D377A2F65377B2FBEB1722E3F377B2FBEB1842F3C377B2FBEB1792E3C377B2F526963683D377B2F
Footprint MD5: F01E8C23378770D92BEA63B7B4420A5E
• The Rich header apparently has not been modified. Its XOR key (the dword after "Rich", 2F7B373D) doubles as a checksum over the DOS header and the tool entries, so a tampered or forged header normally fails this check. The newest entries carry build 34435, consistent with the 14.42 linker that DIE reports below.
Certificate - Digital Signature Not Found:
• The file is not signed.
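The Rich header dump above is only a hex string in the report; decoding it shows which toolset versions produced the object files. The following is an added example (not pescan.io code) that parses exactly those bytes using the documented Rich format: a "DanS" marker XORed with the key, three zero padding dwords, then (ProdId:Build, use-count) pairs, and finally "Rich" followed by the key. The page carries no ProdId-to-tool-name table, so only the numeric fields are decoded; the checksum routine is included so the "not modified" verdict can be reproduced on the full file, whose DOS header bytes are not reproduced here.

```python
"""Decode the Rich header printed under Signatures.

Added example, not pescan.io code. RICH_HEX is the exact byte string from the
report; the function names are this example's own.
"""
import struct

RICH_HEX = (
    "7956157C3D377B2F3D377B2F3D377B2F344FE82F33377B2F2CB1782E3E377B2F"
    "2CB17F2E37377B2F2CB17E2E24377B2F2CB17A2E3A377B2F4FB67A2E3F377B2F"
    "3D377A2F65377B2FBEB1722E3F377B2FBEB1842F3C377B2FBEB1792E3C377B2F"
    "526963683D377B2F"
)


def rol32(value, count):
    """32-bit rotate left, as used by the Rich checksum."""
    count &= 31
    return ((value << count) | (value >> (32 - count))) & 0xFFFFFFFF


def decode_rich(blob):
    """Return (xor_key, [(prod_id, build, use_count), ...]) from a raw Rich header."""
    rich_at = blob.rfind(b"Rich")
    if rich_at < 0 or rich_at % 4 or rich_at + 8 > len(blob):
        raise ValueError("no well-formed Rich marker")
    key = struct.unpack_from("<I", blob, rich_at + 4)[0]
    words = [w ^ key for w in struct.unpack_from("<%dI" % (rich_at // 4), blob, 0)]
    if words[0] != 0x536E6144:              # "DanS", little-endian
        raise ValueError("DanS marker missing after XOR: wrong key or offset")
    if words[1:4] != [0, 0, 0]:
        raise ValueError("padding dwords not zero: header edited or mis-parsed")
    # Each entry is one dword (ProdId in the high word, build in the low word)
    # followed by one dword holding how many object files came from that tool.
    return key, [(ib >> 16, ib & 0xFFFF, n) for ib, n in zip(words[4::2], words[5::2])]


def rich_checksum(dos_header, dans_offset, entries):
    """Recompute the key: DanS offset + rotated DOS-header bytes + rotated entries.

    The e_lfanew field (bytes 0x3C..0x3F) is skipped because the linker sets it
    after the checksum is computed. A result that differs from the stored key
    means the DOS stub or the Rich entries were edited after linking.
    """
    cksum = dans_offset
    for i in range(dans_offset):
        if 0x3C <= i < 0x40:
            continue
        cksum = (cksum + rol32(dos_header[i], i)) & 0xFFFFFFFF
    for prod_id, build, count in entries:
        cksum = (cksum + rol32((prod_id << 16) | build, count)) & 0xFFFFFFFF
    return cksum


if __name__ == "__main__":
    key, entries = decode_rich(bytes.fromhex(RICH_HEX))
    print(f"XOR key / checksum: {key:08X}")
    for prod_id, build, count in entries:
        print(f"ProdId {prod_id:#06x}  build {build:5d}  objects {count}")
    print("highest build seen:", max(b for _, b, _ in entries))
```

Decoded, the dump yields ten entries: one VS 2008 SP1-era tool (build 30729, 14 objects), a group at build 34321, the import pseudo-tool (ProdId 1, 88 imported symbols) and three entries at build 34435, the 14.42 toolset that DIE identifies. Verifying the checksum requires the first 0x80 bytes of the file, so it is only demonstrated on a constructed zeroed stub in the tests.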
| Packer/Compiler |
Compiler: Microsoft Visual Studio
Detect It Easy (DIE):
• PE+(64): compiler: Microsoft Visual C/C++(-)[-]
• PE+(64): linker: Microsoft Linker(14.42**)[-]
• Entropy: 5.59635 (whole file; well below the values near 8 that packed or encrypted payloads produce, consistent with no packer being detected)
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |
Caveat: the MSVC CRT startup code linked into every 14.x build imports IsDebuggerPresent itself (the fallback path of its fast-fail handler breaks into an attached debugger), so the import alone is not evidence of deliberate anti-debugging. Treat it as suspicious only if a call site is found in application code rather than in the CRT functions reached from the entry stub.
| File Access |
Filename-like strings found in the file:
KERNEL32.dll, api-ms-win-crt-locale-l1-1-0.dll, api-ms-win-crt-stdio-l1-1-0.dll, api-ms-win-crt-math-l1-1-0.dll, api-ms-win-crt-heap-l1-1-0.dll, api-ms-win-crt-time-l1-1-0.dll, api-ms-win-crt-utility-l1-1-0.dll, api-ms-win-crt-runtime-l1-1-0.dll, VCRUNTIME140.dll, VCRUNTIME140_1.dll, MSVCP140.dll, .dat, @.dat
The api-ms-win-crt-* forwarders together with VCRUNTIME140 and MSVCP140 mean the C and C++ runtimes are linked dynamically (/MD), so the binary depends on the Visual C++ 2015-2022 redistributable being present on the target.
| Words of Interest |
exec
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | Anti-Analysis / Anti-Debug (IsDebuggerPresent); this is a debugger check, not a VM check |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8.0 (DLL) |
The entry-point rule matches the generic MSVC startup stub; its label is the signature database's name for the pattern and does not describe this sample, which is an EXE produced by linker 14.42 (see Packer/Compiler).
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \24\1\1033 | 9060 | 17D | 5C60 | 3C3F786D6C2076657273696F6E3D27312E302720656E636F64696E673D275554462D3827207374616E64616C6F6E653D2779 | <?xml version='1.0' encoding='UTF-8' standalone='y |
The path decodes as resource type 24 (RT_MANIFEST), name 1, language 1033 (en-US): the embedded application manifest from which the asInvoker execution level under Information is read. RVA 9060 maps to file offset 5C60 (9060 - 9000 + 5C00). The report truncates the manifest text.
| Intelligent Strings |
• api-ms-win-crt-time-l1-1-0.dll
• api-ms-win-crt-utility-l1-1-0.dll
• api-ms-win-crt-runtime-l1-1-0.dll
• C:\Users\admin\source\repos\cm\x64\Release\cm.pdb
• .bss
• MSVCP140.dll
• VCRUNTIME140_1.dll
• VCRUNTIME140.dll
• api-ms-win-crt-heap-l1-1-0.dll
• api-ms-win-crt-math-l1-1-0.dll
• api-ms-win-crt-stdio-l1-1-0.dll
• api-ms-win-crt-locale-l1-1-0.dll
The PDB path is a build-environment artifact (Visual Studio's default repos folder under a user profile named admin, project cm, x64 Release configuration) and is a useful pivot for clustering samples from the same build environment.
| Flow Anomalies |
Every row below is an indirect CALL or JMP through a RIP-relative qword pointer, the form MSVC emits for calls through the import address table (IAT at RVA 4000, the start of .rdata), and the JMP rows are jump thunks to imported functions. For .text the missing RVA column is offset - 400 + 1000, and the pointer each instruction reads is at RVA + 6 + displacement (both encodings are six bytes). The first row therefore resolves to 1174 + 6 + 2FD6 = 4150, inside .rdata, as expected for an import thunk. The JMP at offset 2572 with displacement FFF3FF0 resolves far beyond SizeOfImage (B000) and is a mis-decode of non-code bytes rather than a real branch. None of this is unusual for an MSVC binary that links its runtime dynamically.
| Offset | RVA | Section | Description |
|---|---|---|---|
| 574 | N/A | .text | CALL QWORD PTR [RIP+0x2FD6] |
| 5CD | N/A | .text | CALL QWORD PTR [RIP+0x2F95] |
| 60F | N/A | .text | JMP QWORD PTR [RIP+0x2F53] |
| 694 | N/A | .text | CALL QWORD PTR [RIP+0x2EB6] |
| 6D4 | N/A | .text | CALL QWORD PTR [RIP+0x2E76] |
| 6FB | N/A | .text | CALL QWORD PTR [RIP+0x2DEF] |
| 7B1 | N/A | .text | CALL QWORD PTR [RIP+0x2EA9] |
| 81C | N/A | .text | CALL QWORD PTR [RIP+0x2C66] |
| 83F | N/A | .text | CALL QWORD PTR [RIP+0x2C43] |
| 862 | N/A | .text | CALL QWORD PTR [RIP+0x2C20] |
| 876 | N/A | .text | CALL QWORD PTR [RIP+0x2C0C] |
| 8B0 | N/A | .text | CALL QWORD PTR [RIP+0x2BD2] |
| 8DC | N/A | .text | CALL QWORD PTR [RIP+0x2BFE] |
| 918 | N/A | .text | CALL QWORD PTR [RIP+0x2B6A] |
| 92C | N/A | .text | CALL QWORD PTR [RIP+0x2B56] |
| 9BA | N/A | .text | CALL QWORD PTR [RIP+0x2CA0] |
| AEA | N/A | .text | CALL QWORD PTR [RIP+0x2998] |
| B0D | N/A | .text | CALL QWORD PTR [RIP+0x2975] |
| B30 | N/A | .text | CALL QWORD PTR [RIP+0x2952] |
| B44 | N/A | .text | CALL QWORD PTR [RIP+0x293E] |
| B64 | N/A | .text | CALL QWORD PTR [RIP+0x2926] |
| BAD | N/A | .text | CALL QWORD PTR [RIP+0x2AAD] |
| D89 | N/A | .text | CALL QWORD PTR [RIP+0x26F9] |
| DAC | N/A | .text | CALL QWORD PTR [RIP+0x26D6] |
| DCF | N/A | .text | CALL QWORD PTR [RIP+0x26B3] |
| E05 | N/A | .text | CALL QWORD PTR [RIP+0x2855] |
| EA4 | N/A | .text | CALL QWORD PTR [RIP+0x27B6] |
| F31 | N/A | .text | CALL QWORD PTR [RIP+0x2729] |
| F98 | N/A | .text | CALL QWORD PTR [RIP+0x26C2] |
| 1009 | N/A | .text | CALL QWORD PTR [RIP+0x24F9] |
| 1016 | N/A | .text | CALL QWORD PTR [RIP+0x24B4] |
| 10B9 | N/A | .text | CALL QWORD PTR [RIP+0x23E1] |
| 10D9 | N/A | .text | CALL QWORD PTR [RIP+0x23D1] |
| 10E9 | N/A | .text | CALL QWORD PTR [RIP+0x23B1] |
| 1136 | N/A | .text | CALL QWORD PTR [RIP+0x2384] |
| 115F | N/A | .text | CALL QWORD PTR [RIP+0x2383] |
| 1186 | N/A | .text | CALL QWORD PTR [RIP+0x2334] |
| 11CC | N/A | .text | CALL QWORD PTR [RIP+0x22AE] |
| 11D3 | N/A | .text | CALL QWORD PTR [RIP+0x232F] |
| 11E0 | N/A | .text | CALL QWORD PTR [RIP+0x22EA] |
| 1235 | N/A | .text | CALL QWORD PTR [RIP+0x22A5] |
| 1241 | N/A | .text | CALL QWORD PTR [RIP+0x2291] |
| 124A | N/A | .text | CALL QWORD PTR [RIP+0x2260] |
| 137E | N/A | .text | CALL QWORD PTR [RIP+0x22DC] |
| 1429 | N/A | .text | CALL QWORD PTR [RIP+0x2079] |
| 145B | N/A | .text | CALL QWORD PTR [RIP+0x2097] |
| 1496 | N/A | .text | CALL QWORD PTR [RIP+0x1FFC] |
| 14F6 | N/A | .text | CALL QWORD PTR [RIP+0x1FCC] |
| 152F | N/A | .text | CALL QWORD PTR [RIP+0x1F4B] |
| 15B2 | N/A | .text | CALL QWORD PTR [RIP+0x1F98] |
| 16AE | N/A | .text | CALL QWORD PTR [RIP+0x1FD4] |
| 16B6 | N/A | .text | CALL QWORD PTR [RIP+0x1FE4] |
| 1774 | N/A | .text | CALL QWORD PTR [RIP+0x1DD6] |
| 17B4 | N/A | .text | CALL QWORD PTR [RIP+0x1D96] |
| 1978 | N/A | .text | CALL QWORD PTR [RIP+0x1D1A] |
| 1BE5 | N/A | .text | CALL QWORD PTR [RIP+0x1A75] |
| 1CA9 | N/A | .text | CALL QWORD PTR [RIP+0x19E9] |
| 1CB6 | N/A | .text | CALL QWORD PTR [RIP+0x19DC] |
| 1DA5 | N/A | .text | CALL QWORD PTR [RIP+0x18B5] |
| 1DEB | N/A | .text | CALL QWORD PTR [RIP+0x16FF] |
| 20EB | N/A | .text | CALL QWORD PTR [RIP+0x135F] |
| 20F4 | N/A | .text | CALL QWORD PTR [RIP+0x135E] |
| 20FA | N/A | .text | CALL QWORD PTR [RIP+0x1348] |
| 210E | N/A | .text | JMP QWORD PTR [RIP+0x132C] |
| 2122 | N/A | .text | CALL QWORD PTR [RIP+0x1310] |
| 21F3 | N/A | .text | CALL QWORD PTR [RIP+0x1207] |
| 220D | N/A | .text | CALL QWORD PTR [RIP+0x1255] |
| 2244 | N/A | .text | CALL QWORD PTR [RIP+0x1216] |
| 2402 | N/A | .text | CALL QWORD PTR [RIP+0x12B8] |
| 2572 | N/A | .text | JMP QWORD PTR [RIP+0xFFF3FF0] |
| 2814 | N/A | .text | CALL QWORD PTR [RIP+0xC1E] |
| 2841 | N/A | .text | CALL QWORD PTR [RIP+0xBB9] |
| 285B | N/A | .text | CALL QWORD PTR [RIP+0xC07] |
| 289C | N/A | .text | CALL QWORD PTR [RIP+0xBBE] |
| 28F0 | N/A | .text | CALL QWORD PTR [RIP+0xB3A] |
| 290D | N/A | .text | CALL QWORD PTR [RIP+0xB3D] |
| 2918 | N/A | .text | CALL QWORD PTR [RIP+0xB3A] |
| 2952 | N/A | .text | CALL QWORD PTR [RIP+0xAD0] |
| 29A8 | N/A | .text | JMP QWORD PTR [RIP+0xAA2] |
| 2A44 | N/A | .text | CALL QWORD PTR [RIP+0x9C6] |
| 2A52 | N/A | .text | CALL QWORD PTR [RIP+0x9B0] |
| 2A5E | N/A | .text | CALL QWORD PTR [RIP+0xA0C] |
| 2A6E | N/A | .text | CALL QWORD PTR [RIP+0x9AC] |
| 2AD4 | N/A | .text | JMP QWORD PTR [RIP+0x93E] |
| 2B4A | N/A | .text | CALL QWORD PTR [RIP+0xB70] |
| 2B86 | N/A | .text | CALL QWORD PTR [RIP+0xB34] |
| 2BA0 | N/A | .text | JMP QWORD PTR [RIP+0x9D2] |
| 2BA6 | N/A | .text | JMP QWORD PTR [RIP+0x99C] |
| 2BAC | N/A | .text | JMP QWORD PTR [RIP+0x98E] |
| 2BB2 | N/A | .text | JMP QWORD PTR [RIP+0x978] |
| 2BB8 | N/A | .text | JMP QWORD PTR [RIP+0x96A] |
| 2BBE | N/A | .text | JMP QWORD PTR [RIP+0x95C] |
| 2BC4 | N/A | .text | JMP QWORD PTR [RIP+0x94E] |
| 2BCA | N/A | .text | JMP QWORD PTR [RIP+0x9C8] |
| 2BD0 | N/A | .text | JMP QWORD PTR [RIP+0x9BA] |
| 2BD6 | N/A | .text | JMP QWORD PTR [RIP+0xA7C] |
| 2BDC | N/A | .text | JMP QWORD PTR [RIP+0xA6E] |
| 2BE2 | N/A | .text | JMP QWORD PTR [RIP+0xA60] |
| 2BE8 | N/A | .text | JMP QWORD PTR [RIP+0xA2A] |
| 2BEE | N/A | .text | JMP QWORD PTR [RIP+0xA4C] |
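The table leaves the RVA column empty and does not say where each indirect branch actually points. The following is an added example (not pescan.io code) that parses a few rows copied from the table above, fills in the RVA from the .text raw offset and virtual address printed under Sections Info, resolves each RIP-relative displacement to the pointer slot it reads, and classifies the result against the IAT and SizeOfImage values from the report. The row sample is constructed from the table; the classification strings and helper names are this example's own.

```python
"""Resolve the RIP-relative CALL/JMP targets listed under Flow Anomalies.

Added example, not pescan.io code. Section bounds, IAT RVA and SizeOfImage are
taken from the report; the rows are copied from the table above.
"""
import re

# From the report: .text raw offset/size and RVA, .rdata RVA/size, IAT RVA, SizeOfImage.
TEXT_RAW_OFFSET, TEXT_RAW_SIZE, TEXT_RVA = 0x400, 0x2E00, 0x1000
RDATA_RVA, RDATA_VSIZE = 0x4000, 0x2386
IAT_RVA = 0x4000
SIZE_OF_IMAGE = 0xB000
INSN_LEN = 6  # FF 15 disp32 (CALL) and FF 25 disp32 (JMP) are both six bytes

# Rows copied from the Flow Anomalies table (constructed input for the parser).
ROWS = """\
| 574 | N/A | .text | CALL QWORD PTR [RIP+0x2FD6] |
| 5CD | N/A | .text | CALL QWORD PTR [RIP+0x2F95] |
| 60F | N/A | .text | JMP QWORD PTR [RIP+0x2F53] |
| 2572 | N/A | .text | JMP QWORD PTR [RIP+0xFFF3FF0] |
| 2BEE | N/A | .text | CALL QWORD PTR [RIP+0xA4C] |
"""
ROW_RE = re.compile(
    r"\|\s*([0-9A-Fa-f]+)\s*\|[^|]*\|\s*(\S+)\s*\|\s*(CALL|JMP) QWORD PTR \[RIP\+0x([0-9A-Fa-f]+)\]"
)

IAT_REGION = "pointer in .rdata at/after the IAT (import thunk)"
OUTSIDE = "target outside the image (mis-decoded bytes, not a real branch)"
OTHER = "pointer elsewhere in the image"


def text_offset_to_rva(offset):
    """Fill in the report's N/A column: RVA = offset - raw_offset + virtual_address."""
    if not TEXT_RAW_OFFSET <= offset < TEXT_RAW_OFFSET + TEXT_RAW_SIZE:
        raise ValueError(f"offset {offset:#x} is not inside .text")
    return offset - TEXT_RAW_OFFSET + TEXT_RVA


def resolve_target(offset, disp32):
    """RVA of the qword the instruction loads its destination from."""
    if disp32 & 0x80000000:          # disp32 is a signed immediate
        disp32 -= 1 << 32
    return text_offset_to_rva(offset) + INSN_LEN + disp32


def classify(target_rva):
    if not 0 <= target_rva < SIZE_OF_IMAGE:
        return OUTSIDE
    if IAT_RVA <= target_rva < RDATA_RVA + RDATA_VSIZE:
        return IAT_REGION
    return OTHER


def analyse(rows=ROWS):
    """(file offset, RVA, mnemonic, pointer RVA, verdict) for each parsed row."""
    results = []
    for m in ROW_RE.finditer(rows):
        offset, disp = int(m.group(1), 16), int(m.group(4), 16)
        target = resolve_target(offset, disp)
        results.append((offset, text_offset_to_rva(offset), m.group(3), target, classify(target)))
    return results


def summary(results):
    counts = {}
    for *_rest, verdict in results:
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


def shared_slots(results):
    """Pointer RVAs read by more than one instruction, e.g. a CALL and a JMP thunk to the same import."""
    seen = {}
    for _off, _rva, _mnem, target, _verdict in results:
        seen[target] = seen.get(target, 0) + 1
    return {t: n for t, n in seen.items() if n > 1}


if __name__ == "__main__":
    res = analyse()
    for offset, rva, mnem, target, verdict in res:
        print(f"offset {offset:04X}  rva {rva:04X}  {mnem:4s} -> [{target:08X}]  {verdict}")
    print(summary(res))
    print("slots used by more than one instruction:", shared_slots(res))
```

On these rows the CALL at 5CD and the JMP at 60F read the same slot (4168), which is what a direct call and a tail-call thunk to one imported function look like; the 2572 row is the only one whose pointer falls outside the image. Running the same parser over the full table is the quick way to confirm that every flagged branch is an import call.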
| Extra Analysis |
| Metric | Bytes | Share of the 24,576-byte file |
|---|---|---|
| ASCII bytes | 13173 | 53.60% |
| Null bytes | 8118 | 33.03% |