PESCAN.IO - Analysis Report Basic

Information
Size: 91,00 KB
SHA-256 Hash: E13BEF93B59706698BEC42697890F1D3CC353165DC1DDD26A373DB0578EB8711
SHA-1 Hash: 5F1713FCC1A4740E5E680D972C7F7DEE534066D8
MD5 Hash: F5F42089818531548A0079B438982D6B
Imphash: 6DFBE42DDBD1FD328844048649A2011A
MajorOSVersion: 6
MinorOSVersion: 0
CheckSum: 00000000
EntryPoint (rva): 11037
SizeOfHeaders: 400
SizeOfImage: 2D000
ImageBase: 0000000140000000
Architecture: x64
ImportTable: 27578
IAT: 27000
Characteristics: 22
TimeDateStamp: 6A09CF1B
Date: 17/05/2026 14:22:19
File Type: EXE
Number Of Sections: 10
ASLR: Disabled
Section Names (Optional Header): .textbss, .text, .rdata, .data, .pdata, .idata, .msvcjmc, .00cfg, .rsrc, .reloc
Number Of Executable Sections: 2
Subsystem: Windows Console
UAC Execution Level Manifest: asInvoker
[Incomplete Binary or Compressor Packer - 89,00 KB Missing]

Sections Info
Section Name Flags ROffset RSize VOffset VSize Entropy Chi2
.textbss 0xE00000A0 (Code, Uninitialized Data, Executable, Readable, Writeable) 0 0 1000 10000 N/A N/A
.text 0x60000020 (Code, Executable, Readable) 400 D400 11000 D3BB 3.5594 4427376.22
.rdata 0x40000040 (Initialized Data, Readable) D800 3E00 1F000 3D1E 2.4774 2174529.94
.data 0xC0000040 (Initialized Data, Readable, Writeable) 11600 600 23000 590 0.6482 341774.33
.pdata 0x40000040 (Initialized Data, Readable) 11C00 2600 24000 2478 1.5691 1757923.63
.idata 0x40000040 (Initialized Data, Readable) 14200 1A00 27000 19B5 4.0699 378257.77
.msvcjmc 0xC0000040 (Initialized Data, Readable, Writeable) 15C00 400 29000 23C 0.8234 160800
.00cfg 0x40000040 (Initialized Data, Readable) 16000 200 2A000 175 0.4716 115754
.rsrc 0x40000040 (Initialized Data, Readable) 16200 600 2B000 43C 2.143 215406.67
.reloc 0x42000040 (Initialized Data, GP-Relative, Readable) 16800 400 2C000 2EC 1.1377 201636.5
Entry Point
The section number (2) has the Entry Point
Information -> EntryPoint (calculated) - 437
Code -> E9245B0000E91F670000E9058C0000E94E8C0000E9A0460000E95C8C0000E9A6720000E9313D0000E9CC290000E9F64F0000
Assembler
|JMP 0X6B29
|JMP 0X7729
|JMP 0X9C14
|JMP 0X9C62
|JMP 0X56B9
|JMP 0X9C7A
|JMP 0X82C9
|JMP 0X4D59
|JMP 0X39F9
|JMP 0X6028
Signatures
Rich Signature Analyzer:
Code -> BCF7CE28F896A07BF896A07BF896A07BB31CA37AFB96A07BB31CA47AF396A07BB31CA57AE596A07BB31CA17AFE96A07B8117A17AFD96A07BF896A17B9D96A07B751DA57AF996A07B751D5F7BF996A07B751DA27AF996A07B52696368F896A07B
Footprint md5 Hash -> E69267E0A66D6882F172DE77C418B67F
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler
Compiler: Microsoft Visual Studio
Detect It Easy (die)
PE+(64): linker: Microsoft Linker(14.50**)[-]
Entropy: 3.75456

Suspicious Functions
Library Function Description
KERNEL32.DLL GetProcAddress Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL IsDebuggerPresent Determines if the calling process is being debugged by a user-mode debugger.
Windows REG (UNICODE)
SOFTWARE\Wow6432Node\Microsoft\VisualStudio\14.0\Setup\VC

File Access
ucrtbased.dll
VCRUNTIME140_1D.dll
VCRUNTIME140D.dll
MSVCP140D.dll
KERNEL32.dll
@.dat

File Access (UNICODE)
advapi32.dll
api-ms-win-core-registry-l1-1-0.dll
VCRUNTIME140D.dll
bin\amd64\MSPDB140.DLL

Words of Interest
PassWord
exec
start

Strings/Hex Code Found With The File Rules
Rule Type Encoding Matched (Word)
Text Ascii Registry (RegOpenKeyEx)
Text Ascii Anti-Analysis VM (IsDebuggerPresent)
Entry Point Hex Pattern Microsoft Visual C++ 8.0
Entry Point Hex Pattern Microsoft Visual C++ 8.0
Entry Point Hex Pattern NeoLite v2.0
Resources
Path DataRVA Size FileOffset CodeText
\24\1\1033 2B170 17D 16370 3C3F786D6C2076657273696F6E3D27312E302720656E636F64696E673D275554462D3827207374616E64616C6F6E653D2779<?xml version='1.0' encoding='UTF-8' standalone='y
Intelligent String
• D:\a\_work\1\s\src\vctools\crt\github\stl\src\locale0.cpp
• bin\amd64\MSPDB140.DLL
• VCRUNTIME140D.dll
• api-ms-win-core-registry-l1-1-0.dll
• advapi32.dll
• C:\Users\user\source\repos\RAZDUV\x64\Debug\RAZDUV.pdb
• KERNEL32.dll

Flow Anomalies
Offset RVA Section Description
23F4 N/A .text CALL QWORD PTR [RIP+0x141AE]
241D N/A .text CALL QWORD PTR [RIP+0x14185]
2447 N/A .text CALL QWORD PTR [RIP+0x1415B]
24BD N/A .text CALL QWORD PTR [RIP+0x140DD]
2507 N/A .text CALL QWORD PTR [RIP+0x140F3]
2532 N/A .text CALL QWORD PTR [RIP+0x140B8]
254C N/A .text CALL QWORD PTR [RIP+0x1407E]
25BB N/A .text CALL QWORD PTR [RIP+0x1403F]
25DA N/A .text CALL QWORD PTR [RIP+0x13FF8]
263D N/A .text CALL QWORD PTR [RIP+0x13FBD]
2668 N/A .text CALL QWORD PTR [RIP+0x13F82]
2682 N/A .text CALL QWORD PTR [RIP+0x13F48]
26F8 N/A .text CALL QWORD PTR [RIP+0x13EB2]
2730 N/A .text CALL QWORD PTR [RIP+0x13EAA]
28ED N/A .text CALL QWORD PTR [RIP+0x13D05]
292D N/A .text CALL QWORD PTR [RIP+0x13C3D]
2A6B N/A .text CALL QWORD PTR [RIP+0x13B47]
2ACF N/A .text CALL QWORD PTR [RIP+0x13AD3]
2B22 N/A .text CALL QWORD PTR [RIP+0x13AD8]
2B2B N/A .text CALL QWORD PTR [RIP+0x13A8F]
2B63 N/A .text CALL QWORD PTR [RIP+0x13A97]
2B6C N/A .text CALL QWORD PTR [RIP+0x13A56]
2BEA N/A .text CALL QWORD PTR [RIP+0x13998]
2C74 N/A .text CALL QWORD PTR [RIP+0x13936]
2CBA N/A .text CALL QWORD PTR [RIP+0x13920]
2E7B N/A .text CALL QWORD PTR [RIP+0x13697]
2E8B N/A .text CALL QWORD PTR [RIP+0x1369F]
2E99 N/A .text CALL QWORD PTR [RIP+0x13699]
2FA0 N/A .text CALL QWORD PTR [RIP+0x13652]
3000 N/A .text CALL QWORD PTR [RIP+0x1358A]
30A2 N/A .text CALL QWORD PTR [RIP+0x134C8]
3305 N/A .text CALL QWORD PTR [RIP+0x132F5]
33C5 N/A .text CALL QWORD PTR [RIP+0x13235]
36AD N/A .text CALL QWORD PTR [RIP+0x12E8D]
3747 N/A .text CALL QWORD PTR [RIP+0x12E4B]
3782 N/A .text CALL QWORD PTR [RIP+0x12E60]
37B6 N/A .text CALL QWORD PTR [RIP+0x12D7C]
37DB N/A .text CALL QWORD PTR [RIP+0x12DB7]
391F N/A .text CALL QWORD PTR [RIP+0x12CDB]
39BF N/A .text CALL QWORD PTR [RIP+0x12C3B]
3C25 N/A .text CALL QWORD PTR [RIP+0x128F5]
4C03 N/A .text CALL QWORD PTR [RIP+0x117F7]
4DE9 N/A .text CALL QWORD PTR [RIP+0x11739]
4E18 N/A .text CALL QWORD PTR [RIP+0x1170A]
4E47 N/A .text CALL QWORD PTR [RIP+0x116DB]
4E76 N/A .text CALL QWORD PTR [RIP+0x116AC]
4E8B N/A .text CALL QWORD PTR [RIP+0x11697]
4E97 N/A .text CALL QWORD PTR [RIP+0x11563]
4F25 N/A .text CALL QWORD PTR [RIP+0x115FD]
4F40 N/A .text CALL QWORD PTR [RIP+0x115E2]
4F71 N/A .text CALL QWORD PTR [RIP+0x115B1]
4F8C N/A .text CALL QWORD PTR [RIP+0x11596]
50D5 N/A .text JMP QWORD PTR [RIP+0x11325]
50DB N/A .text JMP QWORD PTR [RIP+0x11517]
50E1 N/A .text JMP QWORD PTR [RIP+0x11489]
50E7 N/A .text JMP QWORD PTR [RIP+0x1148B]
515C N/A .text CALL QWORD PTR [RIP+0x142BE]
5198 N/A .text CALL QWORD PTR [RIP+0x14282]
529D N/A .text CALL QWORD PTR [RIP+0x1162D]
52F3 N/A .text CALL QWORD PTR [RIP+0x115BF]
53F9 N/A .text JMP QWORD PTR [RIP+0x11181]
53FF N/A .text JMP QWORD PTR [RIP+0x11183]
5405 N/A .text JMP QWORD PTR [RIP+0x11185]
540B N/A .text JMP QWORD PTR [RIP+0x11187]
5411 N/A .text JMP QWORD PTR [RIP+0x11189]
5417 N/A .text JMP QWORD PTR [RIP+0x1118B]
541D N/A .text JMP QWORD PTR [RIP+0x1118D]
5423 N/A .text JMP QWORD PTR [RIP+0x1118F]
5429 N/A .text JMP QWORD PTR [RIP+0x11191]
542F N/A .text JMP QWORD PTR [RIP+0x11193]
5435 N/A .text JMP QWORD PTR [RIP+0x11195]
543B N/A .text JMP QWORD PTR [RIP+0x11197]
5441 N/A .text JMP QWORD PTR [RIP+0x11199]
5447 N/A .text JMP QWORD PTR [RIP+0x1119B]
544D N/A .text JMP QWORD PTR [RIP+0x111AD]
5453 N/A .text JMP QWORD PTR [RIP+0x11197]
5459 N/A .text JMP QWORD PTR [RIP+0x110B9]
545F N/A .text JMP QWORD PTR [RIP+0x110BB]
5465 N/A .text JMP QWORD PTR [RIP+0x110BD]
546B N/A .text JMP QWORD PTR [RIP+0x110BF]
5471 N/A .text JMP QWORD PTR [RIP+0x110C1]
5477 N/A .text JMP QWORD PTR [RIP+0x110C3]
547D N/A .text JMP QWORD PTR [RIP+0x110E5]
57B8 N/A .text CALL QWORD PTR [RIP+0x10CD2]
5D42 N/A .text CALL QWORD PTR [RIP+0x136D8]
62DC N/A .text CALL QWORD PTR [RIP+0x1313E]
6946 N/A .text CALL QWORD PTR [RIP+0x12AD4]
7211 N/A .text CALL QWORD PTR [RIP+0xF261]
7243 N/A .text CALL QWORD PTR [RIP+0xF22F]
729F N/A .text CALL QWORD PTR [RIP+0xF1E3]
730D N/A .text CALL QWORD PTR [RIP+0x1210D]
7352 N/A .text CALL QWORD PTR [RIP+0xF118]
73A1 N/A .text CALL QWORD PTR [RIP+0xF0C9]
73DF N/A .text CALL QWORD PTR [RIP+0x1203B]
74D4 N/A .text CALL QWORD PTR [RIP+0xEFA6]
77DC N/A .text CALL QWORD PTR [RIP+0xEC76]
77EC N/A .text CALL QWORD PTR [RIP+0xEC9E]
7804 N/A .text CALL QWORD PTR [RIP+0xEC56]
7821 N/A .text CALL QWORD PTR [RIP+0xEC41]
79BB N/A .text CALL QWORD PTR [RIP+0xEA8F]
405-995 N/A .text Potential obfuscated jump sequence detected, count: 285
996-F2F N/A .text Unusual BP Cave, count: 1434
F46-221F N/A .text Unusual BP Cave, count: 4826
226E-228F N/A .text Unusual BP Cave, count: 34
22EF-230F N/A .text Unusual BP Cave, count: 33
2784-288F N/A .text Unusual BP Cave, count: 268
296D-29AF N/A .text Unusual BP Cave, count: 67
2D0E-2DEF N/A .text Unusual BP Cave, count: 226
2EB1-2EDF N/A .text Unusual BP Cave, count: 47
30DE-314F N/A .text Unusual BP Cave, count: 114
325C-329F N/A .text Unusual BP Cave, count: 68
3336-335F N/A .text Unusual BP Cave, count: 42
33F6-341F N/A .text Unusual BP Cave, count: 42
346E-348F N/A .text Unusual BP Cave, count: 34
34EC-350F N/A .text Unusual BP Cave, count: 36
358D-35AF N/A .text Unusual BP Cave, count: 35
3625-364F N/A .text Unusual BP Cave, count: 43
36CE-36EF N/A .text Unusual BP Cave, count: 34
37FC-383F N/A .text Unusual BP Cave, count: 68
38B2-38CF N/A .text Unusual BP Cave, count: 30
3949-396F N/A .text Unusual BP Cave, count: 39
39E9-3A0F N/A .text Unusual BP Cave, count: 39
3A9F-3ABF N/A .text Unusual BP Cave, count: 33
3B5F-3B8F N/A .text Unusual BP Cave, count: 49
3D81-3DAF N/A .text Unusual BP Cave, count: 47
3FA1-3FDF N/A .text Unusual BP Cave, count: 63
436E-439F N/A .text Unusual BP Cave, count: 50
4483-44AF N/A .text Unusual BP Cave, count: 45
48E9-49FF N/A .text Unusual BP Cave, count: 279
4ABC-4AEF N/A .text Unusual BP Cave, count: 52
4B91-4BAF N/A .text Unusual BP Cave, count: 31
4FD1-50D4 N/A .text Unusual BP Cave, count: 260
51B3-51DF N/A .text Unusual BP Cave, count: 45
52C0-52DF N/A .text Unusual BP Cave, count: 32
557C-559F N/A .text Unusual BP Cave, count: 36
56A7-56EF N/A .text Unusual BP Cave, count: 73
5929-596F N/A .text Unusual BP Cave, count: 71
5A17-5A45 N/A .text Unusual BP Cave, count: 47
5BAC-5BDF N/A .text Unusual BP Cave, count: 52
5DF6-5E5F N/A .text Unusual BP Cave, count: 106
6046-607F N/A .text Unusual BP Cave, count: 58
610A-612F N/A .text Unusual BP Cave, count: 38
61A2-61BF N/A .text Unusual BP Cave, count: 30
64D5-651F N/A .text Unusual BP Cave, count: 75
65AB-65CF N/A .text Unusual BP Cave, count: 37
66DD-66FF N/A .text Unusual BP Cave, count: 35
6952-696F N/A .text Unusual BP Cave, count: 30
69DB-69FF N/A .text Unusual BP Cave, count: 37
6C29-6C4F N/A .text Unusual BP Cave, count: 39
6EE7-6F3F N/A .text Unusual BP Cave, count: 89
6F8E-6FAF N/A .text Unusual BP Cave, count: 34
707F-70BF N/A .text Unusual BP Cave, count: 65
7154-717F N/A .text Unusual BP Cave, count: 44
7416-74BF N/A .text Unusual BP Cave, count: 170
75B5-75EF N/A .text Unusual BP Cave, count: 59
787E-78AF N/A .text Unusual BP Cave, count: 50
7924-794F N/A .text Unusual BP Cave, count: 44
7B61-7B7F N/A .text Unusual BP Cave, count: 31
7C56-7C7F N/A .text Unusual BP Cave, count: 42
7D4B-7D7F N/A .text Unusual BP Cave, count: 53
7DC2-7DDF N/A .text Unusual BP Cave, count: 30
7E22-7E3F N/A .text Unusual BP Cave, count: 30
832D-846F N/A .text Unusual BP Cave, count: 323
8600-865F N/A .text Unusual BP Cave, count: 96
8912-89BF N/A .text Unusual BP Cave, count: 174
8AC2-8B0F N/A .text Unusual BP Cave, count: 78
8ED6-8FC6 N/A .text Unusual BP Cave, count: 241
91C3-A425 N/A .text Unusual BP Cave, count: 4707
A456-B45F N/A .text Unusual BP Cave, count: 4106
B4EA-B50F N/A .text Unusual BP Cave, count: 38
B5CA-B5EF N/A .text Unusual BP Cave, count: 38
B77F-C79F N/A .text Unusual BP Cave, count: 4129
C7B6-D7BA N/A .text Unusual BP Cave, count: 4101
Extra Analysis
Metric Value Percentage
Ascii Code 52125 55,9377%
Null Byte Code 32632 35,0189%