PESCAN.IO - Analysis Report (Basic)
| File Structure |
The PE chart image itself is not reproduced in this text export; only its legend survives.
PE chart legend:
• PE header (light blue)
• Executable sections (pink)
• Non-executable sections (black)
• External injected code (red)
• File Structure drawn in red = malformed or corrupted header
Chart legend for non-PE files:
• Printable characters (blue)
• Non-printable characters (black)
| Information |
| Field | Value (addresses and sizes in hex) |
|---|---|
| Size | 3.11 MB |
| SHA-256 | 84B003BFABF0999F37353A1980EB971CA7524F3D00BDEB034B34033E58CE2858 |
| SHA-1 | B3BFEC06339C821C2E19E5D504DA4C2B047B0E97 |
| MD5 | D31DD714995407E986B263A66566F3C8 |
| Imphash | 5E5AC8AB7BE27AC2D1C548E5589378B6 |
| MajorOSVersion / MinorOSVersion | 5 / 0 |
| CheckSum | 003250EC |
| EntryPoint (RVA) | 3CC4 |
| SizeOfHeaders | 400 |
| SizeOfImage | 6C2000 |
| ImageBase | 400000 |
| Architecture | x86 |
| ExportTable (RVA) | 5C0068 |
| ImportTable (RVA) | 5C0D3C |
| Characteristics | 102 (IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_32BIT_MACHINE) |
| TimeDateStamp | 68B0D9D0 = 28/08/2025 22:36:00 UTC |
| File Type | EXE |
| Number Of Sections | 9 |
| ASLR | Enabled |
| Section Names (section table) | *unnamed* x6, .rsrc, *unnamed*, .data |
| Number Of Executable Sections (tool count) | 2 |
| Subsystem | Windows GUI |
| UAC Execution Level (manifest) | asInvoker |
| Tool verdict | Incomplete Binary or Compressor Packer - 3.64 MB Missing |
The "3.64 MB missing" figure is SizeOfImage (0x6C2000 = 7,086,080 bytes) minus the size of the file on disk: the raw sections end at 0x31D000 and are followed only by a 0x5A0-byte overlay, so the file is about 3.11 MB, roughly 3.64 MB less than the mapped image. That difference is virtual headroom (sections whose VSize far exceeds their RSize, see the section table), which is how a runtime decompressor reserves the space it unpacks into. Together with the stripped section names, the 0xE0000040 characteristics on every section, both the import and export directories living in the last section (.data) and the 7.99 whole-file entropy, it is consistent with a packed or protected binary rather than a truncated one. Note the internal contradiction: the tool counts two executable sections, yet every section it lists carries IMAGE_SCN_MEM_EXECUTE; read the Characteristics from the binary before relying on either figure.
| Sections Info |
All nine sections carry Characteristics 0xE0000040 = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, and none has IMAGE_SCN_CNT_CODE: every section, .rsrc and .data included, is readable, writable and executable, which is a packer trait, not a linker default. Raw offsets tile the file without gaps from 0x400 to 0x31D000 (where the overlay begins) and virtual addresses from 0x1000 to 0x6C2000 (SizeOfImage). The fifth section has a raw size of 0, and the sixth and eighth have virtual sizes far larger than their raw sizes. The tool's Entropy and Chi2 columns were empty in the report and are omitted. All values are hex.
| Section Name | Flags | ROffset | RSize | VOffset | VSize |
|---|---|---|---|---|---|
| *unnamed* | 0xE0000040 (Initialized Data, Executable, Readable, Writeable) | 400 | 7E00 | 1000 | E000 |
| *unnamed* | 0xE0000040 (Initialized Data, Executable, Readable, Writeable) | 8200 | E00 | F000 | 3000 |
| *unnamed* | 0xE0000040 (Initialized Data, Executable, Readable, Writeable) | 9000 | 1A600 | 12000 | 68000 |
| *unnamed* | 0xE0000040 (Initialized Data, Executable, Readable, Writeable) | 23600 | 200 | 7A000 | 18000 |
| *unnamed* | 0xE0000040 (Initialized Data, Executable, Readable, Writeable) | 23800 | 0 | 92000 | 2000 |
| *unnamed* | 0xE0000040 (Initialized Data, Executable, Readable, Writeable) | 23800 | 1B6C00 | 94000 | 25C000 |
| .rsrc | 0xE0000040 (Initialized Data, Executable, Readable, Writeable) | 1DA400 | 17200 | 2F0000 | 18000 |
| *unnamed* | 0xE0000040 (Initialized Data, Executable, Readable, Writeable) | 1F1600 | 29A00 | 308000 | 2B8000 |
| .data | 0xE0000040 (Initialized Data, Executable, Readable, Writeable) | 21B000 | 102000 | 5C0000 | 102000 |
| Entry Point |
The tool attributes the entry point to section 8, but by address it lies in the first section: EntryPoint RVA 0x3CC4 falls in the range 0x1000-0xEFFF of the first *unnamed* section (raw offset 0x400), which gives the calculated file offset 0x3CC4 - 0x1000 + 0x400 = 0x30C4 that the tool reports. The 50 bytes at the entry point, disassembled by the tool with a base address of 0x1000 (add 0x402CC4 to its branch targets for the real virtual addresses, e.g. CALL 0x1066 is CALL 0x403D2A):
Code -> E861000000E979FEFFFF6860BB440064FF35000000008B442410896C24108D6C24102BE0535657A1CC6E46003145FC33C550
| Bytes | Instruction (tool listing) |
|---|---|
| E8 61 00 00 00 | CALL 0x1066 |
| E9 79 FE FF FF | JMP 0xE83 |
| 68 60 BB 44 00 | PUSH 0x44BB60 |
| 64 FF 35 00 00 00 00 | PUSH DWORD PTR FS:[0] |
| 8B 44 24 10 | MOV EAX, DWORD PTR [ESP + 0x10] |
| 89 6C 24 10 | MOV DWORD PTR [ESP + 0x10], EBP |
| 8D 6C 24 10 | LEA EBP, [ESP + 0x10] |
| 2B E0 | SUB ESP, EAX |
| 53 | PUSH EBX |
| 56 | PUSH ESI |
| 57 | PUSH EDI |
| A1 CC 6E 46 00 | MOV EAX, DWORD PTR [0x466ECC] |
| 31 45 FC | XOR DWORD PTR [EBP - 4], EAX |
| 33 C5 | XOR EAX, EBP |
| 50 | PUSH EAX |
A call followed by an unconditional jump is the Visual C++ 2005/2008 CRT entry stub (`__security_init_cookie` then `__tmainCRTStartup`), matching the compiler identification below. The bytes after the JMP are not reached from the entry point; the listing simply runs on into the next function in the file, whose shape (push a handler address, push the previous FS:[0] record, reserve stack, save EBX/ESI/EDI, XOR the global security cookie at 0x466ECC into the frame) is the `__SEH_prolog4` body of the same CRT. Both 0x44BB60 and 0x466ECC are inside the image (RVAs 0x4BB60 and 0x66ECC, in the third *unnamed* section), so at least this stub is present unpacked on disk; whether the code it jumps to is, the static listing cannot say.
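The arithmetic behind the two sections above (flag decoding, layout contiguity, where the overlay starts, mapping the entry-point RVA to a section and file offset, and what the "missing" size really is) as an added, runnable example. This is not pescan.io code; every constant is transcribed from the Information and Sections tables of this report, and the file size is derived from the overlay offset plus the WIN_CERTIFICATE length in the overlay row, not measured on the binary.

```python
"""Section-table cross-checks for the values reported above.

Added example, not pescan.io code: every constant below is transcribed from the
report's Information and Sections tables, and the functions are the checks an
analyst makes by hand before trusting a tool verdict (flag decoding, layout
contiguity, overlay location, entry-point mapping, virtual-vs-raw size gap).
"""
from typing import List, NamedTuple, Optional, Tuple

IMAGE_BASE = 0x400000
SIZE_OF_IMAGE = 0x6C2000
ENTRY_RVA = 0x3CC4
# Derived from the report: raw sections end at 0x31D000 and the overlay's
# WIN_CERTIFICATE header (first overlay dword) gives its length as 0x5A0.
FILE_SIZE = 0x31D000 + 0x5A0


class Section(NamedTuple):
    name: str
    characteristics: int
    raw_offset: int
    raw_size: int
    va: int
    vsize: int


SECTIONS: List[Section] = [
    Section("", 0xE0000040, 0x400, 0x7E00, 0x1000, 0xE000),
    Section("", 0xE0000040, 0x8200, 0xE00, 0xF000, 0x3000),
    Section("", 0xE0000040, 0x9000, 0x1A600, 0x12000, 0x68000),
    Section("", 0xE0000040, 0x23600, 0x200, 0x7A000, 0x18000),
    Section("", 0xE0000040, 0x23800, 0x0, 0x92000, 0x2000),
    Section("", 0xE0000040, 0x23800, 0x1B6C00, 0x94000, 0x25C000),
    Section(".rsrc", 0xE0000040, 0x1DA400, 0x17200, 0x2F0000, 0x18000),
    Section("", 0xE0000040, 0x1F1600, 0x29A00, 0x308000, 0x2B8000),
    Section(".data", 0xE0000040, 0x21B000, 0x102000, 0x5C0000, 0x102000),
]

SCN_FLAGS = {  # IMAGE_SCN_* bits from winnt.h
    0x00000020: "CNT_CODE", 0x00000040: "CNT_INITIALIZED_DATA",
    0x00000080: "CNT_UNINITIALIZED_DATA", 0x20000000: "MEM_EXECUTE",
    0x40000000: "MEM_READ", 0x80000000: "MEM_WRITE",
}


def decode_flags(characteristics: int) -> List[str]:
    """Names of the set IMAGE_SCN_* bits, lowest bit first."""
    return [n for bit, n in sorted(SCN_FLAGS.items()) if characteristics & bit]


def layout_is_contiguous(sections: List[Section]) -> bool:
    """Raw and virtual ranges must each tile without gaps or overlaps."""
    return all(a.raw_offset + a.raw_size == b.raw_offset and a.va + a.vsize == b.va
               for a, b in zip(sections, sections[1:]))


def overlay_offset(sections: List[Section]) -> int:
    """First byte after the last raw section; anything beyond it is overlay."""
    return max(s.raw_offset + s.raw_size for s in sections)


def rva_to_section(rva: int, sections: List[Section]) -> Optional[Tuple[int, Section]]:
    """(1-based index, Section) of the section whose virtual range holds rva."""
    for i, s in enumerate(sections, 1):
        if s.va <= rva < s.va + s.vsize:
            return i, s
    return None


def rva_to_file_offset(rva: int, sections: List[Section]) -> Optional[int]:
    """Raw file offset backing rva, or None if that page is virtual-only."""
    hit = rva_to_section(rva, sections)
    if hit is None:
        return None
    _, s = hit
    delta = rva - s.va
    return s.raw_offset + delta if delta < s.raw_size else None


def rwx_sections(sections: List[Section]) -> List[int]:
    """1-based indices of sections that are writable and executable at once."""
    return [i for i, s in enumerate(sections, 1)
            if s.characteristics & 0x80000000 and s.characteristics & 0x20000000]


def virtual_headroom(sections: List[Section]) -> int:
    """Bytes the loader maps beyond what the file supplies (VSize > RSize)."""
    return sum(max(0, s.vsize - s.raw_size) for s in sections)


def size_gap_mib() -> float:
    """The tool's 'missing' figure: SizeOfImage minus file size, in MiB."""
    return round((SIZE_OF_IMAGE - FILE_SIZE) / (1024 * 1024), 2)


if __name__ == "__main__":
    idx, _ = rva_to_section(ENTRY_RVA, SECTIONS)
    print("flags      :", decode_flags(SECTIONS[0].characteristics))
    print("contiguous :", layout_is_contiguous(SECTIONS))
    print("overlay at : 0x%X" % overlay_offset(SECTIONS))
    print("entry point: section %d, file offset 0x%X" % (idx, rva_to_file_offset(ENTRY_RVA, SECTIONS)))
    print("RWX        :", rwx_sections(SECTIONS))
    print("headroom   : 0x%X bytes, tool gap %.2f MiB" % (virtual_headroom(SECTIONS), size_gap_mib()))
```

Run as-is it confirms the entry point maps to file offset 0x30C4 in section 1 (not 8), that all nine sections are RWX, that the overlay starts at 0x31D000, and that the 3.64 MiB "missing" is exactly SizeOfImage minus file size; `rva_to_file_offset` returns None for RVAs that only exist once the image is mapped (for instance anything in the fifth section, whose raw size is 0), which is the practical meaning of the headroom figure.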
| Signatures |
Rich Signature Analyzer:
Code -> E26D969BA60CF8C8A60CF8C8A60CF8C81B436EC8A70CF8C8AF746DC8B40CF8C881CA83C8AB0CF8C8A60CF9C8250CF8C8AF747CC8940CF8C8AF747BC8C50CF8C8B85E6CC8A70CF8C8AF7469C8A70CF8C852696368A60CF8C8
Footprint md5 hash -> 8A57BE1341BC33E03B2570B5B317059B
• The Rich header apparently has not been modified
The block is stored as "DanS" XOR key, three copies of the key, (compid XOR key, count XOR key) pairs, then "Rich" and the key in clear; with key bytes A6 0C F8 C8 it decodes to eight entries whose toolset builds include 50727 (Visual Studio 2005), 21022 (Visual Studio 2008 RTM) and 30729 (Visual Studio 2008 SP1), consistent with the compiler and linker identification below. "Not modified" here means the structure is intact; a full check recomputes the key from the DOS header, which this report does not include.
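Decoding the Rich block quoted above, as an added example rather than pescan.io's own analyzer. The hex string is copied from the report; the build-to-version names are the three the author is confident of, and other ProdIDs are reported by number only. The XOR key cannot be recomputed here because it is a checksum over the DOS header, which the report does not reproduce.

```python
"""Decode the Rich header bytes quoted above.

Added example, not the pescan.io decoder. As stored in the file the block is:
"DanS" XOR key, three copies of the key, (compid XOR key, count XOR key)
pairs, then "Rich" and the key in clear; compid packs the ProdID in the high
16 bits and the toolset build number in the low 16 bits. The key is a
checksum over the DOS header, which the report does not reproduce, so the
key itself cannot be re-derived here, only the structure and the entries.
"""
import struct
from typing import List, NamedTuple, Set, Tuple

RICH_HEX = (  # copied from the report
    "E26D969BA60CF8C8A60CF8C8A60CF8C81B436EC8A70CF8C8AF746DC8B40CF8C8"
    "81CA83C8AB0CF8C8A60CF9C8250CF8C8AF747CC8940CF8C8AF747BC8C50CF8C8"
    "B85E6CC8A70CF8C8AF7469C8A70CF8C852696368A60CF8C8"
)
DANS = 0x536E6144  # b"DanS" read as a little-endian dword
RICH = 0x68636952  # b"Rich"
# Toolset builds the author is sure of; anything else is reported by number only.
KNOWN_BUILDS = {50727: "VS2005 (8.0)", 21022: "VS2008 RTM (9.0)", 30729: "VS2008 SP1 (9.0)"}


class RichEntry(NamedTuple):
    prod_id: int
    build: int
    count: int


def decode_rich(blob: bytes) -> Tuple[int, List[RichEntry]]:
    """Return (key, entries); raise if the block is not a well-formed Rich header."""
    if len(blob) % 4:
        raise ValueError("Rich block must be a whole number of dwords")
    words = list(struct.unpack("<%dI" % (len(blob) // 4), blob))
    rich_at = words.index(RICH)  # ValueError if there is no "Rich" marker
    key = words[rich_at + 1]
    if words[0] ^ key != DANS:
        raise ValueError("'DanS' does not decode with the trailing key")
    if any(w != key for w in words[1:4]):
        raise ValueError("padding dwords after 'DanS' should equal the key")
    entries = []
    for i in range(4, rich_at, 2):
        comp, count = words[i] ^ key, words[i + 1] ^ key
        entries.append(RichEntry(comp >> 16, comp & 0xFFFF, count))
    return key, entries


def builds_seen(entries: List[RichEntry]) -> Set[int]:
    """Toolset build numbers, ignoring ProdID 1 (Import0, which only counts imports)."""
    return {e.build for e in entries if e.prod_id != 1}


def describe(entries: List[RichEntry]) -> List[str]:
    out = []
    for e in entries:
        tool = "Import0 (imported symbols)" if e.prod_id == 1 else "ProdID 0x%02X" % e.prod_id
        out.append("%-26s build %5d  x%-3d %s" % (tool, e.build, e.count, KNOWN_BUILDS.get(e.build, "")))
    return out


if __name__ == "__main__":
    key, entries = decode_rich(bytes.fromhex(RICH_HEX))
    print("key (as stored): %s" % struct.pack("<I", key).hex().upper())
    print("\n".join(describe(entries)))
```

The decoded entries show 131 imported symbols (ProdID 1), one object each from builds 20413 and 21022, and the bulk of the objects from build 30729, with a VS2005 (50727) component mixed in; a Rich header that decodes cleanly with the trailing key and whose builds agree with the linker version is what "apparently not modified" can legitimately mean without the DOS-header checksum.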
| Duplicate Sections |
Seven of the nine sections have an empty (stripped) name, which the tool reports as the *unnamed* section duplicated 7 times. The loader never reads section names, so blanking them costs a packer nothing and removes the usual .text/.rdata/.idata hints from static tools.
| Packer/Compiler |
Detect It Easy (die):
• PE: compiler: Microsoft Visual C/C++ (2008) [-]
• PE: linker: Microsoft Linker (9.0) [-]
• PE: sign tool: Windows Authenticode (2.0) [PKCS 7]
• Entropy: 7.99754 (whole file; 8.0 is the maximum, so nearly the entire file is compressed or encrypted data)
DiE reports the compiler and the Authenticode signature but no known packer signature; given the entropy and the section layout, that means the compressor is not in its database, not that there is none.
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module. |
| KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| SHELL32.DLL | ShellExecuteA | Performs a run operation on a specific file. |
| File Access |
Strings that look like file or library names: version.dll, shell32.dll, gdi32.dll, oleaut32.dll, advapi32.dll, user32.dll, kernel32.dll, .dat
| Words of Interest |
exec
| Strings/Hex Patterns Matched by the File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | Execution (ShellExecute) |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | VC8 - Microsoft Corporation |
| Resources |
Path is \type\name\language: type 24 is RT_MANIFEST (the asInvoker manifest reported above) and language 1033 is en-US. \ICON\2, \ICON\3 and \ICON\4 are PNG-compressed images (the 89 50 4E 47 signature; their IHDR chunks give 64x64, 128x128 and 256x256), the other icons are classic DIBs led by a 40-byte BITMAPINFOHEADER. The last two columns are the first 50 bytes of each resource in hex and as printable text.
| Path | DataRVA | Size | FileOffset | First bytes (hex) | First bytes (text) |
|---|---|---|---|---|---|
| \ICON\1\0 | 2F01D8 | 25A8 | 1DA5D8 | 2800000030000000600000000100200000000000000000000000000000000000000000000000000000000001000000030000 | (...0........ ................................... |
| \ICON\2\0 | 2F2780 | 178E | 1DCB80 | 89504E470D0A1A0A0000000D4948445200000040000000400806000000AA6971DE000017554944415478DAED5B0B5C54551A | .PNG........IHDR...@...@......iq....UIDATx..[.\TU. |
| \ICON\3\0 | 2F3F10 | 4525 | 1DE310 | 89504E470D0A1A0A0000000D4948445200000080000000800806000000C33E61CB000044EC4944415478DAED7D07601BE5D9 | .PNG........IHDR..............>a...D.IDATx..}.... |
| \ICON\4\0 | 2F8438 | DA62 | 1E2838 | 89504E470D0A1A0A0000000D49484452000001000000010008060000005C72A8660000DA294944415478DAECBD097C1BE775 | .PNG........IHDR.............\r.f...)IDATx....|..u |
| \ICON\5\0 | 305E9C | CA8 | 1F029C | 2800000020000000400000000100180000000000000000000000000000000000000000000000000000000000000000000000 | (... ...@......................................... |
| \ICON\6\0 | 306B44 | 368 | 1F0F44 | 2800000010000000200000000100180000000000000000000000000000000000000000000000000000000000000000000000 | (....... ......................................... |
| \GROUP_ICON\1\0 | 306EAC | 5A | 1F12AC | 0000010006003030000001002000A825000001000D0D00000100000D8E17000002000D0D00000100000D2545000003000D0D00000100000D62DA000004002020000001001800A80C000005001010000001001800680300000600 | ......00.... ..%..........................%E............b..... ....................h..... |
| \24\1\1033 | 306F08 | 15A | 1F1308 | 3C617373656D626C7920786D6C6E733D2275726E3A736368656D61732D6D6963726F736F66742D636F6D3A61736D2E763122 | <assembly xmlns="urn:schemas-microsoft-com:asm.v1" |
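A cross-check of the icon group directory against the icon images it points at, as an added example (not pescan.io code). The GRPICONDIR bytes and the leading bytes of each RT_ICON are taken from the Resources table above; the report only prints the first 50 bytes of each resource, which is enough for the headers parsed here. The value of this check is that the group directory is what tools and icon-similarity hashes usually read, while the image headers are what actually gets rendered.

```python
"""Cross-check the RT_GROUP_ICON directory against the RT_ICON images.

Added example, not pescan.io code. The inputs are the resource bytes printed in
the Resources table above (the report shows only the first 50 bytes of each
resource; the headers parsed here fit inside that). GRPICONDIR is
{WORD reserved, WORD type=1, WORD count} followed by 14-byte GRPICONDIRENTRY
records; each RT_ICON body is either a PNG stream or a BITMAPINFOHEADER-led DIB
whose biHeight counts both the XOR and the AND mask.
"""
import struct
from typing import Dict, List, NamedTuple

GROUP_ICON_HEX = (  # \GROUP_ICON\1\0, 0x5A bytes
    "000001000600"
    "3030000001002000A82500000100" "0D0D00000100000D8E1700000200"
    "0D0D00000100000D254500000300" "0D0D00000100000D62DA00000400"
    "2020000001001800A80C00000500" "1010000001001800680300000600"
)
ICON_HEADS: Dict[int, str] = {  # leading bytes of \ICON\<id>\0
    1: "28000000300000006000000001002000",
    2: "89504E470D0A1A0A0000000D4948445200000040000000400806",
    3: "89504E470D0A1A0A0000000D4948445200000080000000800806",
    4: "89504E470D0A1A0A0000000D4948445200000100000001000806",
    5: "28000000200000004000000001001800",
    6: "28000000100000002000000001001800",
}
ICON_SIZES = {1: 0x25A8, 2: 0x178E, 3: 0x4525, 4: 0xDA62, 5: 0xCA8, 6: 0x368}
PNG_SIG = b"\x89PNG\r\n\x1a\n"
PNG_CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}  # colour type -> samples per pixel


class GroupEntry(NamedTuple):
    width: int
    height: int
    bit_count: int
    bytes_in_res: int
    res_id: int


class ImageInfo(NamedTuple):
    kind: str
    width: int
    height: int
    bit_count: int


def parse_group_icon(blob: bytes) -> List[GroupEntry]:
    reserved, rtype, count = struct.unpack_from("<HHH", blob, 0)
    if reserved != 0 or rtype != 1:
        raise ValueError("not an RT_GROUP_ICON directory")
    if len(blob) < 6 + 14 * count:
        raise ValueError("directory truncated")
    entries = []
    for i in range(count):
        w, h, _colors, _rsv, _planes, bpp, size, rid = struct.unpack_from("<BBBBHHIH", blob, 6 + 14 * i)
        entries.append(GroupEntry(w or 256, h or 256, bpp, size, rid))  # 0 means 256 in icon dirs
    return entries


def parse_icon_image(head: bytes) -> ImageInfo:
    """Dimensions as the image data itself declares them."""
    if head.startswith(PNG_SIG):
        length, ctype = struct.unpack_from(">I4s", head, 8)
        if ctype != b"IHDR" or length != 13:
            raise ValueError("PNG without a leading IHDR")
        w, h, depth, color_type = struct.unpack_from(">IIBB", head, 16)
        return ImageInfo("png", w, h, depth * PNG_CHANNELS[color_type])
    bi_size, w, h2, _planes, bpp = struct.unpack_from("<IiiHH", head, 0)
    if bi_size != 40:
        raise ValueError("unexpected BITMAPINFOHEADER size %d" % bi_size)
    return ImageInfo("dib", w, h2 // 2, bpp)


def cross_check(group: List[GroupEntry], heads: Dict[int, str], sizes: Dict[int, int]) -> List[str]:
    """Directory entries that disagree with the resource they point at."""
    problems = []
    for e in group:
        img = parse_icon_image(bytes.fromhex(heads[e.res_id]))
        if e.bytes_in_res != sizes[e.res_id]:
            problems.append("icon %d: group says %d bytes, resource is %d"
                            % (e.res_id, e.bytes_in_res, sizes[e.res_id]))
        if (e.width, e.height) != (img.width, img.height):
            problems.append("icon %d: group says %dx%d, %s header says %dx%d"
                            % (e.res_id, e.width, e.height, img.kind, img.width, img.height))
    return problems


if __name__ == "__main__":
    group = parse_group_icon(bytes.fromhex(GROUP_ICON_HEX))
    for e in group:
        print(e, parse_icon_image(bytes.fromhex(ICON_HEADS[e.res_id])))
    print("\n".join(cross_check(group, ICON_HEADS, ICON_SIZES)) or "directory consistent")
```

On the bytes printed in the report the six sizes in the directory match the six resource sizes exactly, but the three PNG entries carry 13x13 and a bit count of 0x0D00 while their IHDR chunks say 64x64, 128x128 and 256x256 at 32 bpp. Windows decodes PNG-compressed icon images from the PNG data itself, so the mismatch does not affect rendering; it is still worth confirming against the bytes of the actual binary before using the directory for similarity hashing.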
| Intelligent Strings (library names) |
| • kernel32.dll • user32.dll • advapi32.dll • oleaut32.dll • gdi32.dll • shell32.dll • version.dll |
| Flow Anomalies |
The Target column is the absolute address carried in the indirect CALL/JMP operand (the tool labels it RVA, but the values are full 32-bit addresses: FF 15 imm32 is CALL [imm32], FF 25 imm32 is JMP [imm32]). With ImageBase 0x400000 and SizeOfImage 0x6C2000 the mapped image spans 0x400000-0xAC1FFF, and not one of the targets below falls inside it. A genuine indirect branch in this binary would point at an IAT slot or a function-pointer table within the image, so these rows are what you get when a byte scanner meets FF 15 / FF 25 pairs inside compressed data (note the 7.99 entropy) and decodes the following four bytes as an address. Treat them as a byproduct of disassembling packed data rather than as evidence of control-flow tricks, and repeat the scan on the unpacked image.
| Offset | Target | Section | Kind | Description |
|---|---|---|---|---|
| 10F0D | 4047A374 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 14830 | 413E740D | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 17D6A | 5B75617E | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| 1E489 | 5B75617E | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 21974 | 685334FA | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| 23FCF | 438B845 | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| 24616 | 698168C2 | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| 2E08A | 698168C2 | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| 2F62A | 3C7155AB | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| 359EF | 3C7155AB | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| 3B962 | 48CA09DA | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| 41D85 | 3FB5F2F2 | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| 42092 | 3FB5F2F2 | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| 46F78 | 55BD1922 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 5039D | 55BD1922 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 50E58 | 55BD1922 | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| 50F17 | 48A08B6F | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 66A84 | 48A08B6F | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 69B23 | 69CF0299 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 743DC | 5AECDD38 | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| 77F86 | 53DA9B94 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 8EE88 | 53DA9B94 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 937C6 | 53DA9B94 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 9392E | 53DA9B94 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 964B4 | 53DA9B94 | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| 9C73C | E16D427 | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| ACF7E | E16D427 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| B4B92 | 5DB4B8ED | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| C8BBF | 4CBE859B | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| D6384 | 5A932515 | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| D9289 | 7E4F9985 | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| E81CF | 7E4F9985 | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| E9436 | 3366A9E6 | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| EA235 | 3366A9E6 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| F7DEE | 7D6F5849 | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| F965B | 10DF80BC | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| FCC05 | 1CC0BE85 | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| 100552 | 1CC0BE85 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 102FD0 | 3F828C0A | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| 1170DC | 3F828C0A | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| 126005 | 71507B03 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 12AD71 | 71507B03 | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| 12B2C6 | 1F58142F | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| 12C6B3 | 1F58142F | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 138ED4 | 4EEFC631 | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| 1506E7 | 4EEFC631 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 152C9E | 3A269E3 | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| 15F616 | 3A269E3 | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| 162B27 | 3A269E3 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 167F65 | 4973A896 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 1691D9 | 20B7E76 | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| 17D66C | 20B7E76 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 18279C | 60DA5A6B | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| 1A29CC | 60DA5A6B | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 1CCE84 | 5569F740 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 1D25B7 | 5569F740 | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| 1D298D | 5569F740 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 1D4C73 | 5569F740 | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| 1E3129 | 5569F740 | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| 1EE1C0 | 5569F740 | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| 20B9DC | 5569F740 | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 213560 | 56275F5B | *unnamed* | CALL [static] | Indirect call to absolute memory address |
| 215A35 | 56275F5B | *unnamed* | JMP [static] | Indirect jump to absolute memory address |
| 220BBE | 287E401A | .data | CALL [static] | Indirect call to absolute memory address |
| 227EE2 | 24984150 | .data | JMP [static] | Indirect jump to absolute memory address |
| 23C865 | 7CAEF23 | .data | JMP [static] | Indirect jump to absolute memory address |
| 241F54 | 7CAEF23 | .data | CALL [static] | Indirect call to absolute memory address |
| 242CEF | 7CAEF23 | .data | JMP [static] | Indirect jump to absolute memory address |
| 24687E | 4BB55D4F | .data | JMP [static] | Indirect jump to absolute memory address |
| 24B7B2 | 76C5D8AF | .data | JMP [static] | Indirect jump to absolute memory address |
| 250D33 | 76C5D8AF | .data | CALL [static] | Indirect call to absolute memory address |
| 25BDDC | 76C5D8AF | .data | CALL [static] | Indirect call to absolute memory address |
| 25F1E8 | 76C5D8AF | .data | JMP [static] | Indirect jump to absolute memory address |
| 263FA6 | 17AD24F7 | .data | JMP [static] | Indirect jump to absolute memory address |
| 26FFA5 | 53CDAE23 | .data | JMP [static] | Indirect jump to absolute memory address |
| 27AD17 | 1F64D805 | .data | CALL [static] | Indirect call to absolute memory address |
| 27F954 | 1F64D805 | .data | JMP [static] | Indirect jump to absolute memory address |
| 2829DC | 7F54B2EE | .data | JMP [static] | Indirect jump to absolute memory address |
| 28A202 | 2A9A4010 | .data | CALL [static] | Indirect call to absolute memory address |
| 28E0CE | 34B304B8 | .data | JMP [static] | Indirect jump to absolute memory address |
| 294B82 | 34B304B8 | .data | JMP [static] | Indirect jump to absolute memory address |
| 2A67FB | 34B304B8 | .data | JMP [static] | Indirect jump to absolute memory address |
| 2A9D2D | 34B304B8 | .data | JMP [static] | Indirect jump to absolute memory address |
| 2AB76E | 19B54909 | .data | JMP [static] | Indirect jump to absolute memory address |
| 2B6DCF | 37EC1F4F | .data | JMP [static] | Indirect jump to absolute memory address |
| 2BED61 | 37EC1F4F | .data | CALL [static] | Indirect call to absolute memory address |
| 2C96BF | 37EC1F4F | .data | CALL [static] | Indirect call to absolute memory address |
| 2DD5B9 | 37EC1F4F | .data | CALL [static] | Indirect call to absolute memory address |
| 2DEB5E | 37EC1F4F | .data | CALL [static] | Indirect call to absolute memory address |
| 2EF78E | 37EC1F4F | .data | JMP [static] | Indirect jump to absolute memory address |
| 2F4204 | 37EC1F4F | .data | JMP [static] | Indirect jump to absolute memory address |
| 2F43A6 | 524F1963 | .data | CALL [static] | Indirect call to absolute memory address |
| 2FA0C8 | 7971FC32 | .data | JMP [static] | Indirect jump to absolute memory address |
| 2FD2F8 | 7971FC32 | .data | JMP [static] | Indirect jump to absolute memory address |
| 304D04 | 7971FC32 | .data | CALL [static] | Indirect call to absolute memory address |
| 30A944 | 7971FC32 | .data | JMP [static] | Indirect jump to absolute memory address |
| 30D166 | 7B9A4314 | .data | JMP [static] | Indirect jump to absolute memory address |
| 30F981 | 3F1AFDDF | .data | CALL [static] | Indirect call to absolute memory address |
| 3106BA | 465C905 | .data | CALL [static] | Indirect call to absolute memory address |
| 318699 | 1C134E28 | .data | CALL [static] | Indirect call to absolute memory address |
| Section / Overlay Anomalies |
| Offset (raw) | RVA | Section | Description |
|---|---|---|---|
| 400-81FF | 1000 | *unnamed* | Executable section anomaly, first bytes: 9D28708E04DAF307 |
| 1DA400-1F15FF | 2F0000 | .rsrc | Executable section anomaly, first bytes: 0000000000000000 |
| 21B000-31CFFF | 5C0000 | .data | Executable section anomaly, first bytes: 01AB5743D38C2100 |
| 31D000 | N/A | *Overlay* | A0050000000202003082059106092A864886F70D (........0.....*.H...) |
The three flagged sections are marked executable while holding what looks like data: .rsrc and .data are never executable in a normally linked binary, and the first section, which contains the entry point, opens with bytes (9D 28 70 8E 04 DA F3 07) that do not decode to any recognisable prologue. The overlay bytes are a WIN_CERTIFICATE header (dwLength 0x5A0, wRevision 0x0200, wCertificateType 0x0002 = PKCS#7 SignedData) followed by the start of the DER SignedData (SEQUENCE, 0x591 bytes of content, then the content-type OID beginning 1.2.840.113549), i.e. the Authenticode signature that Detect It Easy reported; 0x31D000 + 0x5A0 is the end of the file. A signature present and well-formed is not a signature that verifies: the report does not say whether the Authenticode hash matches the file or who the signer is, and both must be checked on the binary itself.
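Two checks on what lies outside the mapped image in the two anomaly tables above, as an added example that is not pescan.io code: filtering the indirect-branch targets against the image range, and decoding the WIN_CERTIFICATE header plus the opening DER of the overlay. The target list is a sample of the Target column (every row of the table fails the same way) and the 20 overlay bytes are the ones printed in the overlay row; only 6 of the 9 OID bytes are present in the report, so the decoder reports the OID prefix it can complete and how many bytes it had.

```python
"""Two checks on what lies outside the mapped image in the anomaly list above:
the indirect-branch targets and the overlay.

Added example, not pescan.io code. The target sample and the 20 overlay bytes
are copied from the report. A WIN_CERTIFICATE is {DWORD dwLength, WORD
wRevision, WORD wCertificateType} followed by the certificate blob, padded to
8 bytes; for type 2 the blob is DER PKCS#7 SignedData, which opens with a
SEQUENCE whose first element is the content-type OID.
"""
import struct
from typing import List, Tuple

IMAGE_BASE, SIZE_OF_IMAGE = 0x400000, 0x6C2000
OVERLAY_OFFSET = 0x31D000
OVERLAY_HEAD = bytes.fromhex("A0050000000202003082059106092A864886F70D")
# Sample of the Target column; every row in the table behaves the same way.
FLOW_TARGETS = [0x4047A374, 0x413E740D, 0x5B75617E, 0x438B845, 0xE16D427,
                0x5569F740, 0x7CAEF23, 0x465C905, 0x1C134E28]
WIN_CERT_TYPES = {0x0001: "X509", 0x0002: "PKCS_SIGNED_DATA", 0x0004: "TS_STACK_SIGNED"}


def in_image(addr: int) -> bool:
    return IMAGE_BASE <= addr < IMAGE_BASE + SIZE_OF_IMAGE


def plausible_targets(targets: List[int]) -> List[int]:
    """A real FF 15 / FF 25 operand points at a slot inside the image (IAT, vtable)."""
    return [t for t in targets if in_image(t)]


def parse_win_certificate(head: bytes) -> dict:
    length, revision, ctype = struct.unpack_from("<IHH", head, 0)
    return {"length": length, "revision": revision,
            "type": WIN_CERT_TYPES.get(ctype, "unknown(%d)" % ctype), "body": head[8:]}


def der_header(buf: bytes, off: int = 0) -> Tuple[int, int, int]:
    """(tag, content length, header size) of the TLV starting at off."""
    tag, first = buf[off], buf[off + 1]
    if first & 0x80:
        n = first & 0x7F
        return tag, int.from_bytes(buf[off + 2:off + 2 + n], "big"), 2 + n
    return tag, first, 2


def decode_oid_prefix(raw: bytes) -> List[int]:
    """Base-128 arcs that the available bytes complete; a trailing partial arc is dropped."""
    arcs, acc = [], 0
    for b in raw:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs += [acc // 40, acc % 40] if not arcs else [acc]  # first byte holds two arcs
            acc = 0
    return arcs


def certificate_summary(head: bytes) -> dict:
    cert = parse_win_certificate(head)
    seq_tag, seq_len, seq_hdr = der_header(cert["body"])
    _oid_tag, oid_len, oid_hdr = der_header(cert["body"], seq_hdr)
    oid_raw = cert["body"][seq_hdr + oid_hdr:seq_hdr + oid_hdr + oid_len]
    padded = (8 + seq_hdr + seq_len + 7) & ~7  # dwLength covers header + DER, rounded up to 8
    return {
        "type": cert["type"], "seq_tag": seq_tag, "der_len": seq_hdr + seq_len,
        "length_consistent": padded == cert["length"],
        "file_end": OVERLAY_OFFSET + cert["length"],
        "oid_len": oid_len, "oid_bytes_present": len(oid_raw),
        "oid_prefix": decode_oid_prefix(oid_raw),
    }


if __name__ == "__main__":
    print("targets inside image:", plausible_targets(FLOW_TARGETS))
    for k, v in certificate_summary(OVERLAY_HEAD).items():
        print("%-18s %s" % (k, hex(v) if isinstance(v, int) and not isinstance(v, bool) else v))
```

The target filter returns an empty list for the sample, and would for the whole column. The certificate summary shows dwLength 0x5A0 agreeing with the 4 + 0x591 bytes of DER rounded up to a multiple of 8, puts the end of file at 0x31D5A0, and decodes the OID prefix 1.2.840.113549 (the PKCS arc) from the six OID bytes the report shows; the three bytes that would finish the OID are not on the page, so the block does not guess them.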
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Printable ASCII bytes | 2229014 | 68.2501% |
| Null bytes | 23006 | 0.7044% |
Both percentages are over the whole file (2229014 / 0.682501 is about 3,265,950 bytes, matching the 0x31D000 bytes of headers and sections plus the 0x5A0-byte overlay). A null-byte share under 1% is itself a packing indicator: ordinary code and data sections are full of zero padding and zero-initialised data, while compressed or encrypted payloads contain almost none.