PESCAN.IO - Analysis Report Basic
| File Structure |
[PE structure chart (image not included). Legend for PE files: PE header (light blue), executable sections (pink), non-executable sections (black), external injected code (red); a file structure drawn in red indicates a malformed or corrupted header. Legend for other file types: printable characters (blue), non-printable characters (black).]
| Information |
| Field | Value |
|---|---|
| Size | 31,00 KB |
| SHA-256 Hash | B384D7F5B7527BA2C7ACB425376A008EF8FAB66C5D827C79953F073AEA261AAD |
| SHA-1 Hash | 70AC8D43B5460E25DBA9B6B03213A5FB713FA6EC |
| MD5 Hash | 7C202CE9731A043D0CD467CD8AD73F66 |
| Imphash | E9454A4F1BBAD2189211FCACFFF5FBED |
| MajorOSVersion | 6 |
| MinorOSVersion | 0 |
| CheckSum | 00000000 |
| EntryPoint (rva) | 2A28 |
| SizeOfHeaders | 400 |
| SizeOfImage | D000 |
| ImageBase | 0000000140000000 |
| Architecture | x64 |
| ImportTable | 76DC |
| IAT | 4000 |
| Characteristics | 22 |
| TimeDateStamp | 6A2DC06D |
| Date | 13/06/2026 20:41:17 |
| File Type | EXE |
| Number Of Sections | 6 |
| ASLR | Disabled |
| Section Names (Optional Header) | .text, .rdata, .data, .pdata, .rsrc, .reloc |
| Number Of Executable Sections | 1 |
| Subsystem | Windows Console |
| UAC Execution Level Manifest | asInvoker |
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 0x60000020 Code Executable Readable | 400 | 2800 | 1000 | 2772 | | |
| .rdata | 0x40000040 Initialized Data Readable | 2C00 | 4600 | 4000 | 448E | | |
| .data | 0xC0000040 Initialized Data Readable Writeable | 7200 | 200 | 9000 | 788 | | |
| .pdata | 0x40000040 Initialized Data Readable | 7400 | 400 | A000 | 348 | | |
| .rsrc | 0x40000040 Initialized Data Readable | 7800 | 200 | B000 | 1E0 | | |
| .reloc | 0x42000040 Initialized Data GP-Relative Readable | 7A00 | 200 | C000 | 60 | | |
| Entry Point |
Section 1 (.text) contains the entry point.
EntryPoint (calculated, file offset): 1E28
Code: 4883EC28E8230700004883C428E972FEFFFFCCCC4883EC284D8B4138488BCA498BD1E80D000000B8010000004883C428C3CC
Assembler: SUB RSP, 0X28 | CALL 0X172C | ADD RSP, 0X28 | JMP 0XE84 | INT3 | INT3 | SUB RSP, 0X28 | MOV R8, QWORD PTR [R9 + 0X38] | MOV RCX, RDX | MOV RDX, R9 | CALL 0X1034 | MOV EAX, 1 | ADD RSP, 0X28 | RET | INT3
| Signatures |
Rich Signature Analyzer:
• Code -> 1A5ED5895E3FBBDA5E3FBBDA5E3FBBDA574728DA523FBBDAD9B6B8DB5D3FBBDAD9B6BFDB543FBBDAD9B6BEDB423FBBDAD9B6BADB583FBBDA27BEBADB5D3FBBDA5E3FBADA303FBBDAC5B6B2DB5C3FBBDAC5B644DA5F3FBBDAC5B6B9DB5F3FBBDA526963685E3FBBDA
• Footprint md5 Hash -> 232FD4AE08038E48141A2375D9EE82B8
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found:
• The file is not signed
| Packer/Compiler |
Compiler: Microsoft Visual Studio
Detect It Easy (die):
• PE+(64): compiler: Microsoft Visual C/C++(-)[-]
• PE+(64): linker: Microsoft Linker(14.44**)[-]
• Entropy: 5.63435
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module. |
| KERNEL32.DLL | CreateToolhelp32Snapshot | Creates a snapshot of the specified processes, heaps, threads, and modules. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |
| File Access |
• api-ms-win-crt-string-l1-1-0.dll
• api-ms-win-crt-locale-l1-1-0.dll
• api-ms-win-crt-math-l1-1-0.dll
• api-ms-win-crt-runtime-l1-1-0.dll
• api-ms-win-crt-stdio-l1-1-0.dll
• api-ms-win-crt-heap-l1-1-0.dll
• VCRUNTIME140.dll
• VCRUNTIME140_1.dll
• MSVCP140.dll
• KERNEL32.dll
• client.dll
• .dat
• @.dat
| File Access (UNICODE) |
| string too longcs2.exe |
| Words of Interest |
| exec |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | Anti-Analysis VM (IsDebuggerPresent) |
| Text | Ascii | Anti-Analysis VM (CreateToolhelp32Snapshot) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Stealth (NtWriteVirtualMemory) |
| Text | Ascii | Technique used to circumvent security measures (Bypass) |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8.0 (DLL) |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \24\1\1033 | B060 | 17D | 7860 | 3C3F786D6C2076657273696F6E3D27312E302720656E636F64696E673D275554462D3827207374616E64616C6F6E653D2779 | <?xml version='1.0' encoding='UTF-8' standalone='y |
| Intelligent String |
• string too longcs2.exe
• client.dll
• C:\Users\Admin\Documents\GitHub\VarBypass-CS2\x64\Release\NoFreezetime-CS2.pdb
• .bss
• VCRUNTIME140.dll
• <_register_onexit_function_crt_atexitgterminateapi-ms-win-crt-heap-l1-1-0.dll
• api-ms-win-crt-stdio-l1-1-0.dll
• api-ms-win-crt-runtime-l1-1-0.dll
• api-ms-win-crt-math-l1-1-0.dll
• api-ms-win-crt-locale-l1-1-0.dll
• api-ms-win-crt-string-l1-1-0.dll
| Flow Anomalies |
| Offset | RVA | Section | Description |
|---|---|---|---|
| 40D | N/A | .text | CALL QWORD PTR [RIP+0x3125] |
| 416 | N/A | .text | CALL QWORD PTR [RIP+0x3134] |
| 4F9 | N/A | .text | CALL QWORD PTR [RIP+0x2F01] |
| 504 | N/A | .text | CALL QWORD PTR [RIP+0x31AE] |
| 520 | N/A | .text | CALL QWORD PTR [RIP+0x319A] |
| 602 | N/A | .text | CALL QWORD PTR [RIP+0x2F28] |
| 699 | N/A | .text | CALL QWORD PTR [RIP+0x2EB9] |
| 6BF | N/A | .text | CALL QWORD PTR [RIP+0x2E63] |
| 6CF | N/A | .text | CALL QWORD PTR [RIP+0x2E83] |
| 71C | N/A | .text | CALL QWORD PTR [RIP+0x2DEE] |
| 73E | N/A | .text | CALL QWORD PTR [RIP+0x2DD4] |
| 766 | N/A | .text | CALL QWORD PTR [RIP+0x2DA4] |
| 7AE | N/A | .text | CALL QWORD PTR [RIP+0x2D44] |
| 7B5 | N/A | .text | CALL QWORD PTR [RIP+0x2D85] |
| 7C2 | N/A | .text | CALL QWORD PTR [RIP+0x2D18] |
| 815 | N/A | .text | CALL QWORD PTR [RIP+0x2CED] |
| 821 | N/A | .text | CALL QWORD PTR [RIP+0x2CF9] |
| 82A | N/A | .text | CALL QWORD PTR [RIP+0x2CF8] |
| 8B0 | N/A | .text | CALL QWORD PTR [RIP+0x2C82] |
| 8B9 | N/A | .text | CALL QWORD PTR [RIP+0x2C91] |
| 9B9 | N/A | .text | CALL QWORD PTR [RIP+0x2B81] |
| 9C6 | N/A | .text | CALL QWORD PTR [RIP+0x2B14] |
| A44 | N/A | .text | CALL QWORD PTR [RIP+0x2B46] |
| A9D | N/A | .text | CALL QWORD PTR [RIP+0x2B05] |
| ADF | N/A | .text | JMP QWORD PTR [RIP+0x2AC3] |
| B64 | N/A | .text | CALL QWORD PTR [RIP+0x2A26] |
| BA4 | N/A | .text | CALL QWORD PTR [RIP+0x29E6] |
| BCB | N/A | .text | CALL QWORD PTR [RIP+0x291F] |
| C4D | N/A | .text | CALL QWORD PTR [RIP+0x27BD] |
| C68 | N/A | .text | CALL QWORD PTR [RIP+0x27BA] |
| CA7 | N/A | .text | CALL QWORD PTR [RIP+0x2783] |
| CBB | N/A | .text | CALL QWORD PTR [RIP+0x275F] |
| CC8 | N/A | .text | CALL QWORD PTR [RIP+0x2762] |
| CF6 | N/A | .text | CALL QWORD PTR [RIP+0x27D4] |
| D06 | N/A | .text | CALL QWORD PTR [RIP+0x2824] |
| D2F | N/A | .text | CALL QWORD PTR [RIP+0x26D3] |
| D46 | N/A | .text | CALL QWORD PTR [RIP+0x26EC] |
| D61 | N/A | .text | CALL QWORD PTR [RIP+0x26D1] |
| D7C | N/A | .text | CALL QWORD PTR [RIP+0x26B6] |
| E0B | N/A | .text | CALL QWORD PTR [RIP+0x26D7] |
| E1B | N/A | .text | CALL QWORD PTR [RIP+0x26B7] |
| E2B | N/A | .text | CALL QWORD PTR [RIP+0x26FF] |
| ED8 | N/A | .text | CALL QWORD PTR [RIP+0x2562] |
| F1C | N/A | .text | CALL QWORD PTR [RIP+0x24F6] |
| 110E | N/A | .text | CALL QWORD PTR [RIP+0x2504] |
| 1168 | N/A | .text | CALL QWORD PTR [RIP+0x24AA] |
| 121B | N/A | .text | CALL QWORD PTR [RIP+0x23F7] |
| 12B8 | N/A | .text | CALL QWORD PTR [RIP+0x235A] |
| 1404 | N/A | .text | CALL QWORD PTR [RIP+0x220E] |
| 14AB | N/A | .text | CALL QWORD PTR [RIP+0x204F] |
| 14B5 | N/A | .text | JMP QWORD PTR [RIP+0x1F8D] |
| 1D6E | N/A | .text | CALL QWORD PTR [RIP+0x1984] |
| 215F | N/A | .text | CALL QWORD PTR [RIP+0x1313] |
| 2168 | N/A | .text | CALL QWORD PTR [RIP+0x1302] |
| 216E | N/A | .text | CALL QWORD PTR [RIP+0x130C] |
| 2182 | N/A | .text | JMP QWORD PTR [RIP+0x1300] |
| 2196 | N/A | .text | CALL QWORD PTR [RIP+0x12F4] |
| 2267 | N/A | .text | CALL QWORD PTR [RIP+0x11EB] |
| 2281 | N/A | .text | CALL QWORD PTR [RIP+0x11D9] |
| 22BB | N/A | .text | CALL QWORD PTR [RIP+0x11A7] |
| 2583 | N/A | .text | CALL QWORD PTR [RIP+0xF1F] |
| 2591 | N/A | .text | CALL QWORD PTR [RIP+0xEB9] |
| 259D | N/A | .text | CALL QWORD PTR [RIP+0xEFD] |
| 25AD | N/A | .text | CALL QWORD PTR [RIP+0xEE5] |
| 2620 | N/A | .text | JMP QWORD PTR [RIP+0xE8A] |
| 26A0 | N/A | .text | CALL QWORD PTR [RIP+0xDEA] |
| 26CD | N/A | .text | CALL QWORD PTR [RIP+0xD85] |
| 26E7 | N/A | .text | CALL QWORD PTR [RIP+0xD73] |
| 272B | N/A | .text | CALL QWORD PTR [RIP+0xD37] |
| 277F | N/A | .text | CALL QWORD PTR [RIP+0xD33] |
| 279C | N/A | .text | CALL QWORD PTR [RIP+0xCD6] |
| 27A7 | N/A | .text | CALL QWORD PTR [RIP+0xCC3] |
| 27DE | N/A | .text | CALL QWORD PTR [RIP+0xCDC] |
| 2834 | N/A | .text | JMP QWORD PTR [RIP+0xC3E] |
| 28C2 | N/A | .text | CALL QWORD PTR [RIP+0xE30] |
| 28FE | N/A | .text | CALL QWORD PTR [RIP+0xDF4] |
| 2930 | N/A | .text | JMP QWORD PTR [RIP+0xC82] |
| 2936 | N/A | .text | JMP QWORD PTR [RIP+0xC5C] |
| 293C | N/A | .text | JMP QWORD PTR [RIP+0xC46] |
| 2942 | N/A | .text | JMP QWORD PTR [RIP+0xC58] |
| 2948 | N/A | .text | JMP QWORD PTR [RIP+0xC2A] |
| 294E | N/A | .text | JMP QWORD PTR [RIP+0xC1C] |
| 2954 | N/A | .text | JMP QWORD PTR [RIP+0xC0E] |
| 295A | N/A | .text | JMP QWORD PTR [RIP+0xC20] |
| 2960 | N/A | .text | JMP QWORD PTR [RIP+0xC72] |
| 2966 | N/A | .text | JMP QWORD PTR [RIP+0xC64] |
| 296C | N/A | .text | JMP QWORD PTR [RIP+0xC6E] |
| 2972 | N/A | .text | JMP QWORD PTR [RIP+0xC98] |
| 2978 | N/A | .text | JMP QWORD PTR [RIP+0xCB2] |
| 297E | N/A | .text | JMP QWORD PTR [RIP+0xC7C] |
| 2984 | N/A | .text | JMP QWORD PTR [RIP+0xD16] |
| 298A | N/A | .text | JMP QWORD PTR [RIP+0xD08] |
| 2990 | N/A | .text | JMP QWORD PTR [RIP+0xCFA] |
| 2996 | N/A | .text | JMP QWORD PTR [RIP+0xCEC] |
| 299C | N/A | .text | JMP QWORD PTR [RIP+0xCDE] |
| 29A2 | N/A | .text | JMP QWORD PTR [RIP+0xCD0] |
| 29A8 | N/A | .text | JMP QWORD PTR [RIP+0xCC2] |
| 29AE | N/A | .text | JMP QWORD PTR [RIP+0xD14] |
| 29B4 | N/A | .text | JMP QWORD PTR [RIP+0xCA6] |
| 29BA | N/A | .text | JMP QWORD PTR [RIP+0xC98] |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 16456 | 51,8397% |
| Null Byte Code | 8303 | 26,1561% |