PESCAN.IO - Analysis Report Basic
| Information |
| Field | Value |
|---|---|
| Size | 1,00 MB |
| SHA-256 Hash | C1BC7BF0E631C8AF6C58D7C59E65B630120B3232A22F5046C3A699DD8F5CAC22 |
| SHA-1 Hash | AD6A84454D5A4EEF7A86E6B97EBD9990C28A8396 |
| MD5 Hash | BC86740926EBFD9C60A31CA0F809EDA2 |
| Imphash | F34D5F2D4577ED6D9CEEC516C1F5A744 |
| MajorOSVersion | 4 |
| MinorOSVersion | 0 |
| CheckSum | 00000000 |
| EntryPoint (rva) | DF442 |
| SizeOfHeaders | 200 |
| SizeOfImage | 106000 |
| ImageBase | 400000 |
| Architecture | x86 |
| ImportTable | DF3F8 |
| IAT | 2000 |
| Characteristics | 22 |
| TimeDateStamp | 691CCB0E |
| Date | 18/11/2025 19:37:50 |
| File Type | EXE |
| Number Of Sections | 3 |
| ASLR | Disabled |
| Section Names | .text, .rsrc, .reloc |
| Number Of Executable Sections | 1 |
| Subsystem | Windows GUI |
| UAC Execution Level Manifest | asInvoker |
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 0x60000020 Code Executable Readable | 200 | DD600 | 2000 | DD448 | | |
| .rsrc | 0x40000040 Initialized Data Readable | DD800 | 23200 | E0000 | 23116 | | |
| .reloc | 0x42000040 Initialized Data GP-Relative Readable | 100A00 | 200 | 104000 | C | | |
| Description |
| Field | Value |
|---|---|
| OriginalFilename | Valentin Software Products KeyMaker by BTCR@X.exe |
| CompanyName | Valentin Software Products KeyMaker by BTCR@X |
| LegalCopyright | Copyright 2025 |
| LegalTrademarks | BTCR@X |
| ProductName | Valentin Software Products KeyMaker by BTCR@X |
| FileVersion | 1.0.0.0 |
| FileDescription | Valentin Software Products KeyMaker by BTCR@X |
| ProductVersion | 1.0.0.0 |
| Comments | Valentin Software Products KeyMaker by BTCR@X |
| Language | Unknown (ID=0x0) |
| CodePage | Unicode (UTF-16 LE) (0x4B0) |
| Entry Point |
| Field | Value |
|---|---|
| Section containing the entry point | 1 (.text) |
| EntryPoint (calculated) | DD642 |
| Code | FF25002040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 |
| Assembler | JMP DWORD PTR [0X402000]; ADD BYTE PTR [EAX], AL; ADD BYTE PTR [EAX], AL; ADD BYTE PTR [EAX], AL; ADD BYTE PTR [EAX], AL; ADD BYTE PTR [EAX], AL; ADD BYTE PTR [EAX], AL; ADD BYTE PTR [EAX], AL; ADD BYTE PTR [EAX], AL; ADD BYTE PTR [EAX], AL; ADD BYTE PTR [EAX], AL; ADD BYTE PTR [EAX], AL; ADD BYTE PTR [EAX], AL; ADD BYTE PTR [EAX], AL; ADD BYTE PTR [EAX], AL; ADD BYTE PTR [EAX], AL; ADD BYTE PTR [EAX], AL; ADD BYTE PTR [EAX], AL; ADD BYTE PTR [EAX], AL; ADD BYTE PTR [EAX], AL; ADD BYTE PTR [EAX], AL; ADD BYTE PTR [EAX], AL; ADD BYTE PTR [EAX], AL |
| Signatures |
Certificate - Digital Signature Not Found:
• The file is not signed
| Packer/Compiler |
Compiler: Microsoft Visual .NET - (You can use a decompiler for this...)
• AnyCPU: False
• Version: v4.0

Detect It Easy (die)
• PE: protector: Smart Assembly(-)[-]
• PE: library: .NET(v4.0.30319)[-]
• PE: linker: Microsoft Linker(8.0)[-]
• Entropy: 6.47378
| File Access |
| Valentin Software Products KeyMaker by BTCR@X.exe mscoree.dll kernel32.dll +Newtonsoft.Json.Linq.JAr .Newtonsoft.Json.Linq.JAr System.Dat Temp |
| File Access (UNICODE) |
| aspnet_wp.exe w3wp.exe 6System.Dat |
| Words of Interest |
| Encrypt Decrypt <div <form <title exec createobject unescape attrib start ping expand replace |
| URLs |
| https://www.newtonsoft.com/jsonschema https://www.nuget.org/packages/Newtonsoft.Json.Bson |
| IP Addresses |
| 17.0.0.0 17.14.0.0 |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | WinAPI Sockets (bind) |
| Text | Ascii | WinAPI Sockets (send) |
| Text | Ascii | File (GetTempPath) |
| Text | Ascii | Encryption (AesCryptoServiceProvider) |
| Text | Ascii | Encryption (Base64Encode) |
| Text | Ascii | Encryption (CreateDecryptor) |
| Text | Ascii | Encryption (FromBase64String) |
| Text | Ascii | Encryption (ICryptoTransform) |
| Text | Ascii | Encryption (ToBase64String) |
| Entry Point | Hex Pattern | Microsoft Visual C / Basic .NET |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8.0 |
| Entry Point | Hex Pattern | Microsoft Visual C v7.0 / Basic .NET |
| Entry Point | Hex Pattern | Microsoft Visual Studio .NET |
| Entry Point | Hex Pattern | .NET executable |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \ICON\1\0 | E006C | 228E8 | DD86C | 28000000000100000C0100000100200000000000001802004D1400004D140000000000000000000000000000000000000000 | (............. .........M...M..................... |
| \GROUP_ICON\32512\0 | 102990 | 14 | 100190 | 0000010001000086000001002000E82802000100 | ............ ..(.... |
| \VERSION\1\0 | 1029E0 | 510 | 1001E0 | 100534000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \24\1\0 | 102F2C | 1EA | 10072C | EFBBBF3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E65 | ...<?xml version="1.0" encoding="UTF-8" standalone |
| Intelligent String |
• 1.0.0.0
• Valentin Software Products KeyMaker by BTCR@X.exe
• .dll
• w3wp.exe
• aspnet_wp.exe
• uJSON Schema validation has been moved to its own package. See https://www.newtonsoft.com/jsonschema for more details.
• BSON reading and writing has been moved to its own package. See https://www.nuget.org/packages/Newtonsoft.Json.Bson for more details.
| Flow Anomalies |
| Offset | RVA | Section | Instruction | Description |
|---|---|---|---|---|
| 504C4 | 7B029C2C | .text | CALL [static] | Indirect call to absolute memory address |
| C426C | 1B922388 | .text | CALL [static] | Indirect call to absolute memory address |
| C5CCA | 785F3D80 | .text | JMP [static] | Indirect jump to absolute memory address |
| CB09E | 103F702D | .text | CALL [static] | Indirect call to absolute memory address |
| D2305 | 6B8DED8F | .text | CALL [static] | Indirect call to absolute memory address |
| D2838 | 38B72942 | .text | CALL [static] | Indirect call to absolute memory address |
| D2E46 | 6C8C7AA3 | .text | CALL [static] | Indirect call to absolute memory address |
| DD642 | 402000 | .text | JMP [static] | Indirect jump to absolute memory address |
| DFFCB | 1AFF1186 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| E030F | 24FF109A | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| E03EF | 1AFF1087 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| E212B | 19FF0F7E | .rsrc | CALL [static] | Indirect call to absolute memory address |
| E251B | CFF1082 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| E2EC3 | 23FF109E | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| E352F | 1FD0F87 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| E355B | 26FF1184 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| E37B7 | 36FF0F89 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| E3F63 | 27FF0497 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| E4577 | 33E91197 | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| E5AB3 | 21FF1291 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| E5FE7 | 11FF237E | .rsrc | CALL [static] | Indirect call to absolute memory address |
| E6603 | 30FF1085 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| E6FF3 | 12FF2590 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| E7107 | 17FF1C9C | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| E72A3 | 43FF2F91 | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| E73F3 | AFF2490 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| E75AB | 2FFF0F88 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| E764B | 14FF0F9B | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| E7A4B | 11FF1199 | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| E8479 | A8C1F00 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| E85A7 | 26FF108D | .rsrc | CALL [static] | Indirect call to absolute memory address |
| E85F3 | 9FF1198 | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| E8DAB | FF1090 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| E9247 | 21FF1294 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| E95EB | 22FF10A1 | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| E960B | 2FF0F89 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| E980B | 19FF1DA2 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| E9D9F | 27FF1692 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| E9FDF | 6FFF2EAA | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| EA16B | 8FF208A | .rsrc | CALL [static] | Indirect call to absolute memory address |
| EA44F | 26FF1499 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| EA613 | 13FF0693 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| EAE07 | 53FF0495 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| EB59B | 21FF109F | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| EBE13 | 4AFF049C | .rsrc | CALL [static] | Indirect call to absolute memory address |
| EBF13 | 2EFF17A6 | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| EC1A3 | 36FF1A9B | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| ECF03 | 26FF119C | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| ED2A3 | 1AFF0E9A | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| ED56B | 35FF17A3 | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| ED68B | 17FF169A | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| EFA43 | 17FF169A | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| F038F | 9FF0A8D | .rsrc | CALL [static] | Indirect call to absolute memory address |
| F0523 | 63FF098F | .rsrc | CALL [static] | Indirect call to absolute memory address |
| F076B | 1FFF1A9C | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| F0F2F | 18FF0C87 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| F0F77 | 29FF1082 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| F1337 | EFF0C9D | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| F1363 | FF1086 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| F161B | 3FF0D99 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| F1627 | 3FF0D99 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| F1763 | FF0F86 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| F1B63 | FF0F87 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| F1F37 | 7FF029C | .rsrc | CALL [static] | Indirect call to absolute memory address |
| F1F5F | 15FF1099 | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| F1F63 | FF0F86 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| F22B3 | FFF029D | .rsrc | CALL [static] | Indirect call to absolute memory address |
| F2363 | FF0F87 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| F2387 | 5FF0A95 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| F23CB | 15FF0D93 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| F23CF | 17FF0D94 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| F2763 | FF0F8B | .rsrc | CALL [static] | Indirect call to absolute memory address |
| F390B | 6FFF0396 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| F39D3 | 10FF109A | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| F3E6B | 7AFF088C | .rsrc | CALL [static] | Indirect call to absolute memory address |
| F4643 | DFF0599 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| F5D07 | DFF0599 | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| F5FBB | AFF18A3 | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| F61A3 | 30FF10A3 | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| F6A3F | E903B1 | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| F6BCB | 6FF17A2 | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| F7C13 | 48F0139F | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| F7CDB | 42FF24A8 | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| F86D7 | 1FF1C96 | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| F9E31 | 4E50B00 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| FA577 | 18E410A2 | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| FB037 | 1FC70790 | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| FC13F | 19EC17A3 | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| FD399 | 930E01 | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 586419 | 55,7619% |
| Null Byte Code | 227177 | 21,602% |