PREMIUM PESCAN.IO - Analysis Report

File Structure
(Analysis image not included in this extract.) PE chart legend: executable header (light blue), executable sections (pink), non-executable sections (black), external injected code (red); a file structure drawn in red indicates a malformed or corrupted header. Chart legend for other files: printable characters (blue), non-printable characters (black).
Information
Size: 2,85 MB
SHA-256 Hash: 906D22B29F821807CE4CE6A3C9383EF57A71C4432EA729F0146878E12E3315FD
SHA-1 Hash: 2A207002915E35DD4EEF90211AC2AC6CF02016CB
MD5 Hash: CD17DC577C6AE79C55853D92329400CC
Imphash: BDCF6640DD39BE2F9B3B5476D898A6DC
MajorOSVersion: 6
MinorOSVersion: 0
CheckSum: 00000000
EntryPoint (rva): 174E4
SizeOfHeaders: 400
SizeOfImage: 2DE000
ImageBase: 0000000140000000
Architecture: x64
ImportTable: 51D44
IAT: 3C000
Characteristics: 22
TimeDateStamp: 6981F5E5
Date: 03/02/2026 13:19:33
File Type: EXE
Number Of Sections: 7
ASLR: Disabled
Section Names (Optional Header): .text, .rdata, .data, .pdata, .fptable, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI

Sections Info
Section Name  Flags                                                   ROffset  RSize   VOffset  VSize   Entropy,Chi2 (as extracted, values run together)
.text         60000020 (Code, Executable, Readable)                   400      3A400   1000     3A2A8   6,46961467528,76
.rdata        40000040 (Initialized Data, Readable)                   3A800    16C00   3C000    16B1C   5,23923509654,47
.data         C0000040 (Initialized Data, Readable, Writeable)        51400    1800    53000    2B14    2,8636666762,00
.pdata        40000040 (Initialized Data, Readable)                   52C00    3200    56000    3024    5,4614368860,64
.fptable      C0000040 (Initialized Data, Readable, Writeable)        55E00    200     5A000    100     0,0000130560,00
.rsrc         40000040 (Initialized Data, Readable)                   56000    281E00  5B000    281C60  6,87148396463,92
.reloc        42000040 (Initialized Data, GP-Relative, Readable)      2D7E00   C00     2DD000   A50     5,121636238,50
Binder/Joiner/Crypter
2 Executable files found

Entry Point
Section number (1) contains the Entry Point
Information -> EntryPoint (calculated) - 168E4
Code -> 4883EC28E8E30300004883C428E97AFEFFFFCCCC48895C241048896C24184889742420574883EC1033C033C90FA281F16E74
SUB RSP, 0X28
CALL 0X13EC
ADD RSP, 0X28
JMP 0XE8C
INT3
INT3
MOV QWORD PTR [RSP + 0X10], RBX
MOV QWORD PTR [RSP + 0X18], RBP
MOV QWORD PTR [RSP + 0X20], RSI
PUSH RDI
SUB RSP, 0X10
XOR EAX, EAX
XOR ECX, ECX
CPUID

Signatures
Rich Signature Analyzer:
Code -> 7E5339333A3257603A3257603A32576043B352618C32576043B353612832576043B354613732576071B854613032576071B853612A32576071B852616732576043B351613B32576043B35661333257603A325660A5325760B1B952613B325760B1B9A8603B325760B1B955613B325760526963683A325760
Footprint md5 Hash -> 59D19A2727D56EF7FA7FBC80D5F9F4A9
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler
Detect It Easy (die)
PE+(64): compiler: Microsoft Visual C/C++(-)[-]
PE+(64): linker: Microsoft Linker(14.50**)[-]
Entropy: 6.87776

Suspicious Functions
Library Function Description
KERNEL32.DLL CreateMutexA Creates a named or unnamed mutex object for controlling access to a shared resource.
KERNEL32.DLL GetModuleHandleA Retrieves a handle to the specified module.
KERNEL32.DLL WriteFile Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL LoadLibraryA Loads the specified module into the address space of the calling process.
KERNEL32.DLL CreateToolhelp32Snapshot Creates a snapshot of the specified processes, heaps, threads, and modules.
KERNEL32.DLL ReadProcessMemory Reads data from an area of memory in a specified process.
KERNEL32.DLL GetProcAddress Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL CreateFileA Creates or opens a file or I/O device.
KERNEL32.DLL IsDebuggerPresent Determines if the calling process is being debugged by a user-mode debugger.
KERNEL32.DLL SleepEx Pauses the execution of the current thread, optionally allowing the thread to be awakened by a kernel object or upon expiration of a timeout.
SHELL32.DLL ShellExecuteA Performs a run operation on a specific file.
SHELL32.DLL ShellExecuteExW Performs a run operation on a specific file.
Windows REG
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Explorer
Software\Microsoft\Windows\CurrentVersion\Policies
Software\Microsoft\Windows\CurrentVersion\RunOnce
Software\Microsoft\Windows\CurrentVersion\Uninstall
Software\Microsoft\Windows\CurrentVersion\App Paths
Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\Run

File Access
cmd.exe
exePATH\\.\NUL\cmd.exe
\executavel_temporario.exe
cmd.exe
powershell.exe
ntdll.dll
oleaut32.dll
crypt32.dll
gdi32.dll
api-ms-win-shcore-scaling-l1-1-1.dll
user32.dll
winhttp.dll
KERNEL32.dll
ADVAPI32.dll
bcryptprimitives.dll
api-ms-win-core-synch-l1-2-0.dll
dbghelp.dll
kQkncombase.dll
combase.dll
ole32.dll
SHELL32.dll
.dat
@.dat
2&9_U.JSE
Temp
AppData

File Access (UNICODE)
mscoree.dll

Words of Interest
exec
powershell
attrib
start
systeminfo

Anti-VM/Sandbox/Debug Tricks
OllyDbg Library - dbghelp.dll

URLs
https://http:///

PE Carving
Start Offset Header End Offset Size (Bytes)
0 56060 56060
56060 2D8A00 2829A0
Strings/Hex Code Found With The File Rules
Rule Type Encoding Matched (Word)
Text Ascii WinAPI Sockets (connect)
Text Ascii Registry (RegOpenKeyEx)
Text Ascii File (CreateFile)
Text Ascii File (WriteFile)
Text Ascii File (ReadFile)
Text Ascii Anti-Analysis VM (IsDebuggerPresent)
Text Ascii Anti-Analysis VM (GetSystemInfo)
Text Ascii Anti-Analysis VM (GlobalMemoryStatusEx)
Text Ascii Anti-Analysis VM (GetVersion)
Text Ascii Anti-Analysis VM (CreateToolhelp32Snapshot)
Text Ascii Reconnaissance (FindFirstFileW)
Text Ascii Reconnaissance (FindNextFileW)
Text Ascii Reconnaissance (FindClose)
Text Ascii Stealth (ExitThread)
Text Ascii Stealth (CloseHandle)
Text Ascii Stealth (VirtualProtect)
Text Ascii Stealth (ReadProcessMemory)
Text Ascii Execution (CreateProcessA)
Text Ascii Execution (CreateProcessW)
Text Ascii Execution (ShellExecute)
Text Ascii Execution (CreateEventW)
Text Ascii Technique used to circumvent security measures (Bypass)
Entry Point Hex Pattern Microsoft Visual C++ 8.0 (DLL)
Resources
Path DataRVA Size FileOffset Code Text PE/Payload
\RCDATA\101\1033 5B060 281C00 56060 4D5A90000300000004000000FFFF0000B8000000000000004000000000000000000000000000000000000000000000000000 MZ......................@......................... (Executable found)
Intelligent String
• user32.dll
• winhttp.dll
• .bss
• mscoree.dll
• Software\Microsoft\Windows\CurrentVersion\App Paths.dat
• powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "
• \executavel_temporario.exe
• runas
• [<redacted>
• >+293p1LVK9N4%II
• 7MV}FQ
• N17P2JKEWAX1"Q
• =4%a6
• exePATH\\.\NUL\cmd.exe
• .tls
• ProcessPrngapi-ms-win-core-synch-l1-2-0.dll
• bcryptprimitives.dll
• KERNEL32.dll
• api-ms-win-shcore-scaling-l1-1-1.dll
• gdi32.dll
• crypt32.dll
• oleaut32.dll

Flow Anomalies
Offset RVA Section Description
A4C6 N/A .text CALL QWORD PTR [RIP+0x30FB4]
ADFE N/A .text CALL QWORD PTR [RIP+0x309BC]
C88F N/A .text CALL QWORD PTR [RIP+0x2EC1B]
C8B2 N/A .text CALL QWORD PTR [RIP+0x2EF38]
E1B7 N/A .text CALL QWORD PTR [RIP+0x2D2EB]
E1EE N/A .text CALL QWORD PTR [RIP+0x2D27C]
E205 N/A .text CALL QWORD PTR [RIP+0x2D295]
E24F N/A .text CALL QWORD PTR [RIP+0x2D23B]
E266 N/A .text CALL QWORD PTR [RIP+0x2D22C]
E3A3 N/A .text CALL QWORD PTR [RIP+0x2D0AF]
E3FF N/A .text CALL QWORD PTR [RIP+0x2D05B]
E41F N/A .text CALL QWORD PTR [RIP+0x2D043]
E42D N/A .text CALL QWORD PTR [RIP+0x2D035]
E6BA N/A .text CALL QWORD PTR [RIP+0x2D100]
E776 N/A .text CALL QWORD PTR [RIP+0x2CCFC]
E7B5 N/A .text CALL QWORD PTR [RIP+0x2CCAD]
E7BF N/A .text CALL QWORD PTR [RIP+0x2CCA3]
E891 N/A .text CALL QWORD PTR [RIP+0x2CBE1]
E89F N/A .text CALL QWORD PTR [RIP+0x2CBC3]
E8A9 N/A .text CALL QWORD PTR [RIP+0x2CBB9]
E91C N/A .text CALL QWORD PTR [RIP+0x2CB4E]
F257 N/A .text CALL QWORD PTR [RIP+0x2C59B]
F33A N/A .text CALL QWORD PTR [RIP+0x2C498]
F36D N/A .text CALL QWORD PTR [RIP+0x2C115]
F412 N/A .text CALL QWORD PTR [RIP+0x2C3B0]
F4B0 N/A .text CALL QWORD PTR [RIP+0x2C332]
F7F0 N/A .text CALL QWORD PTR [RIP+0x2BFF2]
1295C N/A .text CALL QWORD PTR [RIP+0x28AA6]
1299D N/A .text CALL QWORD PTR [RIP+0x28A5D]
129F3 N/A .text CALL QWORD PTR [RIP+0x28A07]
12A02 N/A .text CALL QWORD PTR [RIP+0x28A08]
141E7 N/A .text JMP QWORD PTR [RIP+0x275E3]
1456A N/A .text CALL QWORD PTR [RIP+0x26F58]
145A3 N/A .text CALL QWORD PTR [RIP+0x26F17]
145ED N/A .text JMP QWORD PTR [RIP+0x26EC5]
14605 N/A .text CALL QWORD PTR [RIP+0x26EC5]
1462D N/A .text CALL QWORD PTR [RIP+0x26EA5]
14689 N/A .text CALL QWORD PTR [RIP+0x26E51]
146B1 N/A .text JMP QWORD PTR [RIP+0x26E41]
146D1 N/A .text CALL QWORD PTR [RIP+0x26E11]
146E9 N/A .text CALL QWORD PTR [RIP+0x26E11]
146FC N/A .text CALL QWORD PTR [RIP+0x26D66]
14721 N/A .text JMP QWORD PTR [RIP+0x26DC9]
14745 N/A .text CALL QWORD PTR [RIP+0x26DBD]
1477D N/A .text CALL QWORD PTR [RIP+0x26D75]
1479C N/A .text CALL QWORD PTR [RIP+0x26D6E]
147BE N/A .text CALL QWORD PTR [RIP+0x26D4C]
147FF N/A .text CALL QWORD PTR [RIP+0x26D13]
14817 N/A .text CALL QWORD PTR [RIP+0x26CFB]
14890 N/A .text CALL QWORD PTR [RIP+0x26C9A]
148A8 N/A .text CALL QWORD PTR [RIP+0x26C7A]
148DA N/A .text CALL QWORD PTR [RIP+0x26C40]
148E4 N/A .text CALL QWORD PTR [RIP+0x26C0E]
14D2D N/A .text CALL QWORD PTR [RIP+0x26AE5]
14D51 N/A .text CALL QWORD PTR [RIP+0x26AC1]
14DA6 N/A .text CALL QWORD PTR [RIP+0x26A6C]
14DC2 N/A .text CALL QWORD PTR [RIP+0x26A50]
14F2B N/A .text CALL QWORD PTR [RIP+0x268E7]
14F47 N/A .text CALL QWORD PTR [RIP+0x268CB]
1540B N/A .text CALL QWORD PTR [RIP+0x26407]
15424 N/A .text CALL QWORD PTR [RIP+0x263EE]
15460 N/A .text CALL QWORD PTR [RIP+0x263B2]
154E8 N/A .text CALL QWORD PTR [RIP+0x2607A]
154F2 N/A .text CALL QWORD PTR [RIP+0x25F78]
15525 N/A .text CALL QWORD PTR [RIP+0x2603D]
1552F N/A .text CALL QWORD PTR [RIP+0x25F3B]
15592 N/A .text CALL QWORD PTR [RIP+0x25FD8]
155B2 N/A .text CALL QWORD PTR [RIP+0x25FC0]
155E4 N/A .text CALL QWORD PTR [RIP+0x25FAE]
155F2 N/A .text CALL QWORD PTR [RIP+0x25E78]
1565F N/A .text CALL QWORD PTR [RIP+0x25E4B]
1566D N/A .text CALL QWORD PTR [RIP+0x25DFD]
156A8 N/A .text CALL QWORD PTR [RIP+0x25E02]
156B6 N/A .text CALL QWORD PTR [RIP+0x25DB4]
156FB N/A .text CALL QWORD PTR [RIP+0x25E37]
15714 N/A .text CALL QWORD PTR [RIP+0x25D56]
1580B N/A .text CALL QWORD PTR [RIP+0x25D4F]
15815 N/A .text CALL QWORD PTR [RIP+0x25C55]
1582C N/A .text CALL QWORD PTR [RIP+0x25D16]
15838 N/A .text CALL QWORD PTR [RIP+0x25C32]
15846 N/A .text CALL QWORD PTR [RIP+0x25CF4]
158FE N/A .text CALL QWORD PTR [RIP+0x25B64]
15932 N/A .text CALL QWORD PTR [RIP+0x25C58]
1593C N/A .text CALL QWORD PTR [RIP+0x25B2E]
1594D N/A .text CALL QWORD PTR [RIP+0x25B15]
15991 N/A .text CALL QWORD PTR [RIP+0x25BF9]
1599B N/A .text CALL QWORD PTR [RIP+0x25ACF]
159AC N/A .text CALL QWORD PTR [RIP+0x25AB6]
159E6 N/A .text CALL QWORD PTR [RIP+0x25BA4]
159F0 N/A .text CALL QWORD PTR [RIP+0x25A7A]
15A05 N/A .text CALL QWORD PTR [RIP+0x25A5D]
15A38 N/A .text CALL QWORD PTR [RIP+0x25A2A]
15A78 N/A .text CALL QWORD PTR [RIP+0x259EA]
15AE5 N/A .text CALL QWORD PTR [RIP+0x25985]
15B63 N/A .text CALL QWORD PTR [RIP+0x259FF]
15BB8 N/A .text CALL QWORD PTR [RIP+0x258AA]
15BEC N/A .text CALL QWORD PTR [RIP+0x2587E]
15C38 N/A .text CALL QWORD PTR [RIP+0x25952]
15C46 N/A .text CALL QWORD PTR [RIP+0x25824]
15C5C N/A .text CALL QWORD PTR [RIP+0x25806]
Extra Analysis
Metric Value Percentage
Ascii Code 2229912 74,7177%
Null Byte Code 298024 9,9859%