PESCAN.IO - Analysis Report Basic

File Structure

PE chart (image not included in this extract). Legend: executable header (light blue), executable sections (pink), non-executable sections (black), external injected code (red); a file structure drawn in red indicates a malformed or corrupted header. For non-PE files the chart shows printable characters (blue) and non-printable characters (black).
Information

- Size: 63,00 KB
- SHA-256 Hash: C738F6734F555CB81AE7111F4459351D0E81E43EB51CDF47F5287ADDF0E2D8BB
- SHA-1 Hash: 48154ABA962F7F2E165EF0BABCC80A948B865A24
- MD5 Hash: DE59C92004452C7CD50297DB41BB30A9
- Imphash: 8094A287571DB6F41BF5A4479353883A
- MajorOSVersion: 6
- MinorOSVersion: 0
- CheckSum: 00000000
- EntryPoint (RVA): 2B90
- SizeOfHeaders: 400
- SizeOfImage: 15000
- ImageBase: 0000000140000000
- Architecture: x64
- ImportTable: F88C
- IAT: 4000
- Characteristics: 22
- TimeDateStamp: 699C9866
- Date: 23/02/2026 18:11:50
- File Type: EXE
- Number Of Sections: 6
- ASLR: Disabled
- Section Names (Optional Header): .text, .rdata, .data, .pdata, .rsrc, .reloc
- Number Of Executable Sections: 1
- Subsystem: Windows Console
- UAC Execution Level Manifest: asInvoker
Sections Info

| Section Name | Flags | Raw Offset | Raw Size | Virtual Offset (RVA) | Virtual Size | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 60000020 (Code, Executable, Readable) | 400 | 2A00 | 1000 | 29EE | 6,1458 | 99537,86 |
| .rdata | 40000040 (Initialized Data, Readable) | 2E00 | C400 | 4000 | C368 | 5,8684 | 344605,59 |
| .data | C0000040 (Initialized Data, Readable, Writeable) | F200 | 200 | 11000 | 780 | 2,4880 | 61641,00 |
| .pdata | 40000040 (Initialized Data, Readable) | F400 | 400 | 12000 | 3D8 | 4,0725 | 71311,50 |
| .rsrc | 40000040 (Initialized Data, Readable) | F800 | 200 | 13000 | 1E0 | 4,7037 | 9300,00 |
| .reloc | 42000040 (Initialized Data, GP-Relative, Readable) | FA00 | 200 | 14000 | 68 | 1,3669 | 91743,00 |
Entry Point

The entry point lies in section 1 (.text). Calculated entry point (file offset): 1F90.

Code bytes at the entry point: 4883EC28E87B0400004883C428E972FEFFFFCCCCC20000CCE91BFDFFFFCCCCCC4883EC28E8D30A000085C0742165488B0425

Disassembly:

- SUB RSP, 0x28
- CALL 0x1484
- ADD RSP, 0x28
- JMP 0xE84
- INT3
- INT3
- RET 0
- INT3
- JMP 0xD38
- INT3
- INT3
- INT3
- SUB RSP, 0x28
- CALL 0x1AFC
- TEST EAX, EAX
- JE 0x104E
Signatures

- Rich Signature Analyzer: code -> FD344D02B9552351B9552351B9552351B02DB051B3552351A8D32050BD552351A8D32750B3552351CBD42750B8552351A8D326509B552351A8D32250BF552351CBD42250B2552351B9552251E05523513AD32A50B85523513AD3DC51B85523513AD32150B855235152696368B9552351
- Footprint MD5 hash -> E66854B429D9EBD32BA61DE8070477DB
- The Rich header apparently has not been modified.
- Certificate / digital signature: not found. The file is not signed.
Packer/Compiler

- Compiler: Microsoft Visual Studio
- Detect It Easy (die):
  - PE+(64): compiler: Microsoft Visual C/C++(-)[-]
  - PE+(64): linker: Microsoft Linker(14.42**)[-]
  - Entropy: 6.15773
Suspicious Functions

| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | VirtualAlloc | Reserve, commit, or both, a region of memory within the virtual address space of a process. |
| KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |
Windows REG

- SOFTWARE\Microsoft\Cryptography

File Access

- api-ms-win-crt-locale-l1-1-0.dll
- api-ms-win-crt-stdio-l1-1-0.dll
- api-ms-win-crt-math-l1-1-0.dll
- api-ms-win-crt-heap-l1-1-0.dll
- api-ms-win-crt-runtime-l1-1-0.dll
- VCRUNTIME140.dll
- VCRUNTIME140_1.dll
- MSVCP140.dll
- OLEAUT32.dll
- ole32.dll
- ADVAPI32.dll
- USER32.dll
- KERNEL32.dll
- .dat
- @.dat

File Access (UNICODE)

- Temp

SQL Queries

- SELECT UUID FROM Win32_ComputerSystemProduct

Words of Interest

- exec
Strings/Hex Code Found With The File Rules

| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | Registry (RegOpenKeyEx) |
| Text | Ascii | Encryption API (CryptAcquireContext) |
| Text | Ascii | Encryption API (CryptReleaseContext) |
| Text | Ascii | Anti-Analysis VM (IsDebuggerPresent) |
| Text | Ascii | Stealth (VirtualAlloc) |
| Text | Unicode | WMI execution (ROOT\CIMV2) |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8.0 (DLL) |
| Entry Point | Hex Pattern | PE-Exe Executable Image |
Resources

| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \24\1\1033 | 13060 | 17D | F860 | 3C3F786D6C2076657273696F6E3D27312E302720656E636F64696E673D275554462D3827207374616E64616C6F6E653D2779 | <?xml version='1.0' encoding='UTF-8' standalone='y |
Intelligent Strings

- api-ms-win-crt-heap-l1-1-0.dll
- <_register_onexit_function_crt_atexitgterminateapi-ms-win-crt-runtime-l1-1-0.dll
- s Yedra\source\repos\MiPic\x64\Release\Crackme.pdb
- .bss
- KERNEL32.dll
- MSVCP140.dll
- VCRUNTIME140.dll
- api-ms-win-crt-math-l1-1-0.dll
- api-ms-win-crt-stdio-l1-1-0.dll
- api-ms-win-crt-locale-l1-1-0.dll
Flow Anomalies

| Offset | RVA | Section | Description |
|---|---|---|---|
| 434 | N/A | .text | CALL QWORD PTR [RIP+0x3126] |
| 48D | N/A | .text | CALL QWORD PTR [RIP+0x30FD] |
| 4CF | N/A | .text | JMP QWORD PTR [RIP+0x30BB] |
| 554 | N/A | .text | CALL QWORD PTR [RIP+0x3006] |
| 594 | N/A | .text | CALL QWORD PTR [RIP+0x2FC6] |
| 5BB | N/A | .text | CALL QWORD PTR [RIP+0x2F47] |
| 5FC | N/A | .text | CALL QWORD PTR [RIP+0x2F1E] |
| 675 | N/A | .text | CALL QWORD PTR [RIP+0x2DDD] |
| 74F | N/A | .text | CALL QWORD PTR [RIP+0x2ED3] |
| 814 | N/A | .text | CALL QWORD PTR [RIP+0x2EAE] |
| 89E | N/A | .text | CALL QWORD PTR [RIP+0x2E14] |
| 937 | N/A | .text | CALL QWORD PTR [RIP+0x2CEB] |
| 967 | N/A | .text | CALL QWORD PTR [RIP+0x2D43] |
| A30 | N/A | .text | CALL QWORD PTR [RIP+0x2AE2] |
| A9A | N/A | .text | CALL QWORD PTR [RIP+0x2A80] |
| AC6 | N/A | .text | CALL QWORD PTR [RIP+0x2A5C] |
| AF4 | N/A | .text | CALL QWORD PTR [RIP+0x2BC6] |
| BA2 | N/A | .text | CALL QWORD PTR [RIP+0x2898] |
| BD2 | N/A | .text | CALL QWORD PTR [RIP+0x2840] |
| BE1 | N/A | .text | CALL QWORD PTR [RIP+0x2821] |
| C11 | N/A | .text | CALL QWORD PTR [RIP+0x27F1] |
| CD9 | N/A | .text | CALL QWORD PTR [RIP+0x2949] |
| F5C | N/A | .text | CALL QWORD PTR [RIP+0x26C6] |
| FD4 | N/A | .text | CALL QWORD PTR [RIP+0x2436] |
| FF4 | N/A | .text | CALL QWORD PTR [RIP+0x2426] |
| 1014 | N/A | .text | CALL QWORD PTR [RIP+0x240E] |
| 1031 | N/A | .text | CALL QWORD PTR [RIP+0x23C9] |
| 103C | N/A | .text | CALL QWORD PTR [RIP+0x23EE] |
| 1049 | N/A | .text | CALL QWORD PTR [RIP+0x23E9] |
| 10CB | N/A | .text | CALL QWORD PTR [RIP+0x239F] |
| 111A | N/A | .text | CALL QWORD PTR [RIP+0x2340] |
| 1128 | N/A | .text | CALL QWORD PTR [RIP+0x233A] |
| 1146 | N/A | .text | CALL QWORD PTR [RIP+0x23EC] |
| 117F | N/A | .text | CALL QWORD PTR [RIP+0x24A3] |
| 120B | N/A | .text | CALL QWORD PTR [RIP+0x2417] |
| 124A | N/A | .text | CALL QWORD PTR [RIP+0x23D8] |
| 1291 | N/A | .text | CALL QWORD PTR [RIP+0x2391] |
| 12D3 | N/A | .text | CALL QWORD PTR [RIP+0x234F] |
| 1312 | N/A | .text | CALL QWORD PTR [RIP+0x2310] |
| 134D | N/A | .text | CALL QWORD PTR [RIP+0x22D5] |
| 13B1 | N/A | .text | CALL QWORD PTR [RIP+0x2271] |
| 1418 | N/A | .text | CALL QWORD PTR [RIP+0x220A] |
| 1565 | N/A | .text | CALL QWORD PTR [RIP+0x20BD] |
| 166A | N/A | .text | CALL QWORD PTR [RIP+0x1FB8] |
| 17FE | N/A | .text | CALL QWORD PTR [RIP+0x1E24] |
| 198C | N/A | .text | CALL QWORD PTR [RIP+0x1C96] |
| 19EA | N/A | .text | JMP QWORD PTR [RIP+0x1CF8] |
| 1A6D | N/A | .text | CALL QWORD PTR [RIP+0x19DD] |
| 1AA9 | N/A | .text | CALL QWORD PTR [RIP+0x19A1] |
| 1AC6 | N/A | .text | CALL QWORD PTR [RIP+0x1A14] |
| 1AE8 | N/A | .text | CALL QWORD PTR [RIP+0x19F2] |
| 1B45 | N/A | .text | CALL QWORD PTR [RIP+0x1B9D] |
| 1B96 | N/A | .text | CALL QWORD PTR [RIP+0x1B4C] |
| 1BD3 | N/A | .text | CALL QWORD PTR [RIP+0x1B0F] |
| 1BE8 | N/A | .text | JMP QWORD PTR [RIP+0x188A] |
| 1C29 | N/A | .text | CALL QWORD PTR [RIP+0x1AB9] |
| 1C38 | N/A | .text | CALL QWORD PTR [RIP+0x183A] |
| 1ED6 | N/A | .text | CALL QWORD PTR [RIP+0x180C] |
| 225B | N/A | .text | CALL QWORD PTR [RIP+0x123F] |
| 2264 | N/A | .text | CALL QWORD PTR [RIP+0x122E] |
| 226A | N/A | .text | CALL QWORD PTR [RIP+0x1238] |
| 227E | N/A | .text | JMP QWORD PTR [RIP+0x122C] |
| 2292 | N/A | .text | CALL QWORD PTR [RIP+0x1220] |
| 2363 | N/A | .text | CALL QWORD PTR [RIP+0x1117] |
| 237D | N/A | .text | CALL QWORD PTR [RIP+0x1105] |
| 23B4 | N/A | .text | CALL QWORD PTR [RIP+0x10D6] |
| 2440 | N/A | .text | CALL QWORD PTR [RIP+0x1092] |
| 244E | N/A | .text | CALL QWORD PTR [RIP+0x107C] |
| 245A | N/A | .text | CALL QWORD PTR [RIP+0x1068] |
| 246A | N/A | .text | CALL QWORD PTR [RIP+0x1050] |
| 24DC | N/A | .text | JMP QWORD PTR [RIP+0x1006] |
| 2554 | N/A | .text | CALL QWORD PTR [RIP+0xF5E] |
| 2581 | N/A | .text | CALL QWORD PTR [RIP+0xEF9] |
| 259B | N/A | .text | CALL QWORD PTR [RIP+0xEE7] |
| 25DC | N/A | .text | CALL QWORD PTR [RIP+0xEAE] |
| 2630 | N/A | .text | CALL QWORD PTR [RIP+0xEBA] |
| 264D | N/A | .text | CALL QWORD PTR [RIP+0xE4D] |
| 2658 | N/A | .text | CALL QWORD PTR [RIP+0xE3A] |
| 268E | N/A | .text | CALL QWORD PTR [RIP+0xE64] |
| 26E4 | N/A | .text | JMP QWORD PTR [RIP+0xDB6] |
| 276A | N/A | .text | CALL QWORD PTR [RIP+0xF78] |
| 27A6 | N/A | .text | CALL QWORD PTR [RIP+0xF3C] |
| 2822 | N/A | .text | JMP QWORD PTR [RIP+0xFFF3FF0] |
| 2B13 | N/A | .text | JMP QWORD PTR [RIP+0xA87] |
| 2B19 | N/A | .text | JMP QWORD PTR [RIP+0xA59] |
| 2B1F | N/A | .text | JMP QWORD PTR [RIP+0xA23] |
| 2B25 | N/A | .text | JMP QWORD PTR [RIP+0xA25] |
| 2B2B | N/A | .text | JMP QWORD PTR [RIP+0xA57] |
| 2B31 | N/A | .text | JMP QWORD PTR [RIP+0xA31] |
| 2B37 | N/A | .text | JMP QWORD PTR [RIP+0xA1B] |
| 2B3D | N/A | .text | JMP QWORD PTR [RIP+0xA85] |
| 2B43 | N/A | .text | JMP QWORD PTR [RIP+0xA67] |
| 2B49 | N/A | .text | JMP QWORD PTR [RIP+0xA71] |
| 2B4F | N/A | .text | JMP QWORD PTR [RIP+0xB1B] |
| 2B55 | N/A | .text | JMP QWORD PTR [RIP+0xB0D] |
| 2B5B | N/A | .text | JMP QWORD PTR [RIP+0xA87] |
| 2B61 | N/A | .text | JMP QWORD PTR [RIP+0xAF1] |
| 2B67 | N/A | .text | JMP QWORD PTR [RIP+0xAE3] |
| 2B6D | N/A | .text | JMP QWORD PTR [RIP+0xAD5] |
| 2B73 | N/A | .text | JMP QWORD PTR [RIP+0xAC7] |
Extra Analysis

| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 37650 | 58,3612% |
| Null Byte Code | 7567 | 11,7296% |
© 2026 All rights reserved.