PESCAN.IO - Analysis Report Basic

| File Structure |

[PE structure chart image not preserved. Legend: executable header (light blue), executable sections (pink), non-executable sections (black), external injected code (red); a file structure drawn in red indicates a malformed or corrupted header. For non-PE files the chart shows printable characters (blue) and non-printable characters (black).]
| Information |
| Field | Value |
|---|---|
| Size | 54,00 KB |
| SHA-256 Hash | 363423E1AB96091A0B2C5B087B3F81D1430C72B3AC532CF6BE04F6AE971F9B48 |
| SHA-1 Hash | B5D2553FA3305D8224E740C4662039AD03ADE116 |
| MD5 Hash | E5DAA5B710234CF7F2C6138EE4B33AA4 |
| Imphash | E5C42F574BF0AF0741C574D6473E70FF |
| MajorOSVersion | 6 |
| MinorOSVersion | 0 |
| CheckSum | 00000000 |
| EntryPoint (RVA) | 8368 |
| SizeOfHeaders | 400 |
| SizeOfImage | 12000 |
| ImageBase | 0000000180000000 |
| Architecture | x64 |
| ImportTable | CCC4 |
| IAT | 9000 |
| Characteristics | 2022 |
| TimeDateStamp | 6938B8F4 |
| Date | 10/12/2025 0:04:04 |
| File Type | DLL |
| Number Of Sections | 6 |
| ASLR | Disabled |
| Section Names (Optional Header) | .text, .rdata, .data, .pdata, .rsrc, .reloc |
| Number Of Executable Sections | 1 |
| Subsystem | Windows GUI |
| UAC Execution Level Manifest | asInvoker |
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 60000020 (Code, Executable, Readable) | 400 | 7E00 | 1000 | 7DB0 | 6,5237 | 166274,90 |
| .rdata | 40000040 (Initialized Data, Readable) | 8200 | 4600 | 9000 | 4514 | 4,9481 | 380083,57 |
| .data | C0000040 (Initialized Data, Readable, Writeable) | C800 | 400 | E000 | A48 | 4,5275 | 43977,50 |
| .pdata | 40000040 (Initialized Data, Readable) | CC00 | 800 | F000 | 7C8 | 4,3879 | 139494,50 |
| .rsrc | 40000040 (Initialized Data, Readable) | D400 | 200 | 10000 | 1E0 | 4,7015 | 9406,00 |
| .reloc | 42000040 (Initialized Data, GP-Relative, Readable) | D600 | 200 | 11000 | 60 | 1,2280 | 96026,00 |
| Entry Point |
Section number 1 (.text) contains the entry point. EntryPoint (calculated): 7768

Code at the entry point: 48895C24084889742410574883EC20498BF88BDA488BF183FA017505E8970600004C8BC78BD3488BCE488B5C2430488B7424

Disassembly:
- MOV QWORD PTR [RSP + 8], RBX
- MOV QWORD PTR [RSP + 0X10], RSI
- PUSH RDI
- SUB RSP, 0X20
- MOV RDI, R8
- MOV EBX, EDX
- MOV RSI, RCX
- CMP EDX, 1
- JNE 0X1021
- CALL 0X16B8
- MOV R8, RDI
- MOV EDX, EBX
- MOV RCX, RSI
- MOV RBX, QWORD PTR [RSP + 0X30]
| Signatures |
Rich Signature Analyzer:
- Code: DBC67D699FA7133A9FA7133A9FA7133A96DF803A99A7133A182E103B9CA7133A182E173B97A7133A182E163B8CA7133A182E123B97A7133AEB26123B9CA7133A9FA7123ACBA7133A112E173B9BA7133A0E2E163B95A7133A0E2EEC3A9EA7133A0E2E113B9EA7133A526963689FA7133A
- Footprint MD5 hash: 82BE1FCBA08D398D7845093E744782FD
- The Rich header apparently has not been modified

Certificate - Digital Signature: not found
- The file is not signed
| Packer/Compiler |
Detect It Easy (die):
- PE+(64): compiler: Microsoft Visual C/C++(-)[-]
- PE+(64): linker: Microsoft Linker(14.44**)[-]
- Entropy: 6.25045
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | VirtualAlloc | Reserve, commit, or both, a region of memory within the virtual address space of a process. |
| KERNEL32.DLL | CreateToolhelp32Snapshot | Creates a snapshot of the specified processes, heaps, threads, and modules. |
| KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |
| File Access |
- api-ms-win-crt-runtime-l1-1-0.dll
- api-ms-win-crt-string-l1-1-0.dll
- api-ms-win-crt-heap-l1-1-0.dll
- VCRUNTIME140_1.dll
- VCRUNTIME140.dll
- MSVCP140.dll
- KERNEL32.dll
- .dat
- @.dat
| Words of Interest |
- exec
- systeminfo
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | Anti-Analysis VM (IsDebuggerPresent) |
| Text | Ascii | Anti-Analysis VM (GetSystemInfo) |
| Text | Ascii | Anti-Analysis VM (CreateToolhelp32Snapshot) |
| Text | Ascii | Stealth (GetThreadContext) |
| Text | Ascii | Stealth (SetThreadContext) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Stealth (VirtualAlloc) |
| Text | Ascii | Stealth (VirtualProtect) |
| Text | Ascii | Execution (ResumeThread) |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \24\2\1033 | 10060 | 17D | D460 | 3C3F786D6C2076657273696F6E3D27312E302720656E636F64696E673D275554462D3827207374616E64616C6F6E653D2779 | <?xml version='1.0' encoding='UTF-8' standalone='y |
| Intelligent String |
- .bss
- MSVCP140.dll
- VCRUNTIME140.dll
- VCRUNTIME140_1.dll
- api-ms-win-crt-heap-l1-1-0.dll
- api-ms-win-crt-string-l1-1-0.dll
| Flow Anomalies |
| Offset | RVA | Section | Description |
|---|---|---|---|
| 68F | N/A | .text | CALL QWORD PTR [RIP+0x7F7B] |
| 86B | N/A | .text | CALL QWORD PTR [RIP+0x7B97] |
| 8E8 | N/A | .text | CALL QWORD PTR [RIP+0x7D3A] |
| DBB | N/A | .text | CALL QWORD PTR [RIP+0x784F] |
| 4A4C | N/A | .text | CALL QWORD PTR [RIP+0x3BBE] |
| 4D05 | N/A | .text | CALL QWORD PTR [RIP+0x3905] |
| 4EFB | N/A | .text | CALL QWORD PTR [RIP+0x370F] |
| 4F5A | N/A | .text | CALL QWORD PTR [RIP+0x36B0] |
| 5016 | N/A | .text | CALL QWORD PTR [RIP+0x35F4] |
| 5143 | N/A | .text | CALL QWORD PTR [RIP+0x34C7] |
| 5185 | N/A | .text | CALL QWORD PTR [RIP+0x3285] |
| 5297 | N/A | .text | CALL QWORD PTR [RIP+0x31D3] |
| 52A8 | N/A | .text | CALL QWORD PTR [RIP+0x31D2] |
| 52B1 | N/A | .text | CALL QWORD PTR [RIP+0x3161] |
| 52D4 | N/A | .text | CALL QWORD PTR [RIP+0x316E] |
| 5333 | N/A | .text | CALL QWORD PTR [RIP+0x3117] |
| 5460 | N/A | .text | CALL QWORD PTR [RIP+0x303A] |
| 54C9 | N/A | .text | CALL QWORD PTR [RIP+0x2FD1] |
| 54CF | N/A | .text | CALL QWORD PTR [RIP+0x2F83] |
| 54DE | N/A | .text | CALL QWORD PTR [RIP+0x2FB4] |
| 558E | N/A | .text | CALL QWORD PTR [RIP+0x2ECC] |
| 559E | N/A | .text | CALL QWORD PTR [RIP+0x2EC4] |
| 55C6 | N/A | .text | CALL QWORD PTR [RIP+0x2E6C] |
| 5600 | N/A | .text | CALL QWORD PTR [RIP+0x2E3A] |
| 5639 | N/A | .text | CALL QWORD PTR [RIP+0x2DE1] |
| 5657 | N/A | .text | CALL QWORD PTR [RIP+0x2DEB] |
| 5668 | N/A | .text | CALL QWORD PTR [RIP+0x2DAA] |
| 5708 | N/A | .text | CALL QWORD PTR [RIP+0x2D62] |
| 5719 | N/A | .text | CALL QWORD PTR [RIP+0x2D59] |
| 5735 | N/A | .text | CALL QWORD PTR [RIP+0x2CDD] |
| 573D | N/A | .text | CALL QWORD PTR [RIP+0x2CD5] |
| 57DD | N/A | .text | CALL QWORD PTR [RIP+0x2C6D] |
| 589E | N/A | .text | CALL QWORD PTR [RIP+0x2B94] |
| 58FD | N/A | .text | CALL QWORD PTR [RIP+0x2B3D] |
| 5A6C | N/A | .text | CALL QWORD PTR [RIP+0x29DE] |
| 5A91 | N/A | .text | CALL QWORD PTR [RIP+0x2991] |
| 5B13 | N/A | .text | CALL QWORD PTR [RIP+0x2937] |
| 5C35 | N/A | .text | CALL QWORD PTR [RIP+0x2805] |
| 5CB0 | N/A | .text | CALL QWORD PTR [RIP+0x279A] |
| 5CF0 | N/A | .text | CALL QWORD PTR [RIP+0x2752] |
| 5CFD | N/A | .text | CALL QWORD PTR [RIP+0x272D] |
| 5D79 | N/A | .text | CALL QWORD PTR [RIP+0x2709] |
| 5E3D | N/A | .text | CALL QWORD PTR [RIP+0x264D] |
| 5F23 | N/A | .text | CALL QWORD PTR [RIP+0x2547] |
| 5F34 | N/A | .text | CALL QWORD PTR [RIP+0x2546] |
| 5F3D | N/A | .text | CALL QWORD PTR [RIP+0x24D5] |
| 5F5B | N/A | .text | CALL QWORD PTR [RIP+0x24E7] |
| 5FF6 | N/A | .text | JMP QWORD PTR [RIP+0x24CC] |
| 600C | N/A | .text | JMP QWORD PTR [RIP+0x24B6] |
| 6039 | N/A | .text | CALL QWORD PTR [RIP+0x23D1] |
| 60FE | N/A | .text | CALL QWORD PTR [RIP+0x22FC] |
| 6170 | N/A | .text | CALL QWORD PTR [RIP+0x228A] |
| 61C2 | N/A | .text | CALL QWORD PTR [RIP+0x22F8] |
| 61F4 | N/A | .text | CALL QWORD PTR [RIP+0x22C6] |
| 629F | N/A | .text | CALL QWORD PTR [RIP+0x215B] |
| 62FB | N/A | .text | CALL QWORD PTR [RIP+0x21C7] |
| 6353 | N/A | .text | CALL QWORD PTR [RIP+0xC7DB3245] |
| 637A | N/A | .text | JMP QWORD PTR [RIP+0x89EF8B44] |
| 638C | N/A | .text | JMP QWORD PTR [RIP+0xFF7D8948] |
| 6EBE | N/A | .text | JMP QWORD PTR [RIP+0x15E4] |
| 6EC4 | N/A | .text | JMP QWORD PTR [RIP+0x15E6] |
| 6ECA | N/A | .text | JMP QWORD PTR [RIP+0x15E8] |
| 6ED0 | N/A | .text | JMP QWORD PTR [RIP+0x165A] |
| 71E4 | N/A | .text | CALL QWORD PTR [RIP+0x1466] |
| 768E | N/A | .text | CALL QWORD PTR [RIP+0xFBC] |
| 7705 | N/A | .text | CALL QWORD PTR [RIP+0xF45] |
| 7744 | N/A | .text | CALL QWORD PTR [RIP+0xF06] |
| 7AF7 | N/A | .text | CALL QWORD PTR [RIP+0x9FB] |
| 7B00 | N/A | .text | CALL QWORD PTR [RIP+0x9FA] |
| 7B06 | N/A | .text | CALL QWORD PTR [RIP+0x94C] |
| 7B1A | N/A | .text | JMP QWORD PTR [RIP+0x9D0] |
| 7B2E | N/A | .text | CALL QWORD PTR [RIP+0x9B4] |
| 7BFF | N/A | .text | CALL QWORD PTR [RIP+0x913] |
| 7C19 | N/A | .text | CALL QWORD PTR [RIP+0x8F1] |
| 7C53 | N/A | .text | CALL QWORD PTR [RIP+0x8AF] |
| 7CF0 | N/A | .text | CALL QWORD PTR [RIP+0x7F2] |
| 7D1D | N/A | .text | CALL QWORD PTR [RIP+0x7F5] |
| 7D37 | N/A | .text | CALL QWORD PTR [RIP+0x7D3] |
| 7D7B | N/A | .text | CALL QWORD PTR [RIP+0x787] |
| 7DCF | N/A | .text | CALL QWORD PTR [RIP+0x70B] |
| 7DEC | N/A | .text | CALL QWORD PTR [RIP+0x706] |
| 7DF7 | N/A | .text | CALL QWORD PTR [RIP+0x703] |
| 7E4F | N/A | .text | CALL QWORD PTR [RIP+0x67B] |
| 7E5D | N/A | .text | CALL QWORD PTR [RIP+0x605] |
| 7E69 | N/A | .text | CALL QWORD PTR [RIP+0x5F1] |
| 7E79 | N/A | .text | CALL QWORD PTR [RIP+0x659] |
| 7ED8 | N/A | .text | JMP QWORD PTR [RIP+0x642] |
| 7F42 | N/A | .text | CALL QWORD PTR [RIP+0x708] |
| 7F7E | N/A | .text | CALL QWORD PTR [RIP+0x6CC] |
| 7FA0 | N/A | .text | JMP QWORD PTR [RIP+0x5DA] |
| 7FA6 | N/A | .text | JMP QWORD PTR [RIP+0x5CC] |
| 7FAC | N/A | .text | JMP QWORD PTR [RIP+0x5E6] |
| 7FB2 | N/A | .text | JMP QWORD PTR [RIP+0x5B8] |
| 7FB8 | N/A | .text | JMP QWORD PTR [RIP+0x5AA] |
| 7FBE | N/A | .text | JMP QWORD PTR [RIP+0x5C4] |
| 7FC4 | N/A | .text | JMP QWORD PTR [RIP+0x596] |
| 7FCA | N/A | .text | JMP QWORD PTR [RIP+0x588] |
| 7FD0 | N/A | .text | JMP QWORD PTR [RIP+0x57A] |
| 7FD6 | N/A | .text | JMP QWORD PTR [RIP+0x56C] |
| 7FDC | N/A | .text | JMP QWORD PTR [RIP+0x55E] |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 32604 | 58,9627% |
| Null Byte Code | 10317 | 18,6578% |