PESCAN.IO - Analysis Report Basic

File Structure
Analysis Image
PE Chart Code
Executable header (light blue)
Executable sections (pink)
Non-executable sections (black)
External injected code (red)
File Structure in red = malformed or corrupted header

Chart Code For Other Files
Printable characters (blue)
Non-printable characters (black)
Information
Size: 656,50 KB
SHA-256 Hash: F687101E1E66E366F9D25722FBDB5AA139D645AC76AF53CF326494CA8CADD94D
SHA-1 Hash: 70FC5023EF42A547034EAF7738F540D0D4194FD2
MD5 Hash: 0ED8076A5A586D7F472566093ED91A54
Imphash: A136217CDD3247FF6A8766561064CA0B
MajorOSVersion: 6
MinorOSVersion: 0
CheckSum: 00000000
EntryPoint (rva): 1264
SizeOfHeaders: 400
SizeOfImage: A9000
ImageBase: 0000000140000000
Architecture: x64
ExportTable: 17EF0
ImportTable: 17FA8
IAT: F000
Characteristics: 22
TimeDateStamp: 68DE7693
Date: 02/10/2025 12:56:51
File Type: EXE
Number Of Sections: 7
ASLR: Disabled
Section Names (Optional Header): .text, .rdata, .data, .pdata, _RDATA, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI

Sections Info
Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy/Chi2
.text | 60000020 (Code, Executable, Readable) | 400 | DE00 | 1000 | DC70 | 6,4616359188,34
.rdata | 40000040 (Initialized Data, Readable) | E200 | 9800 | F000 | 977C | 4,70172274017,33
.data | C0000040 (Initialized Data, Readable, Writeable) | 17A00 | C00 | 19000 | 1D78 | 1,8985488902,17
.pdata | 40000040 (Initialized Data, Readable) | 18600 | 1000 | 1B000 | F24 | 4,6717217325,88
_RDATA | 40000040 (Initialized Data, Readable) | 19600 | 200 | 1C000 | 1F4 | 3,714838530,00
.rsrc | 40000040 (Initialized Data, Readable) | 19800 | 8A200 | 1D000 | 8A040 | 3,203940070745,42
.reloc | 42000040 (Initialized Data, GP-Relative, Readable) | A3A00 | 800 | A8000 | 658 | 4,870037185,00
Description
LegalCopyright: (c) 2005-2025 Unity Technologies. All rights reserved.
FileVersion: 6000.0.50.1503346
ProductVersion: 6000.0.50f1-uum-100966-branch1 (16f07294548e)
Language: English (United States) (ID=0x409)
CodePage: Unicode (UTF-16 LE) (0x4B0)

Entry Point
Section number 1 contains the Entry Point
Information -> EntryPoint (calculated) - 664
Code -> 4883EC28E84B0200004883C428E97AFEFFFFCCCC4883EC28E8CF07000085C0742165488B042530000000488B4808EB05483B
SUB RSP, 0X28
CALL 0X1254
ADD RSP, 0X28
JMP 0XE8C
INT3
INT3
SUB RSP, 0X28
CALL 0X17EC
TEST EAX, EAX
JE 0X1042
MOV RAX, QWORD PTR GS:[0X30]
MOV RCX, QWORD PTR [RAX + 8]
JMP 0X1035

Signatures
Rich Signature Analyzer:
Code -> 1F5157225B3039715B3039715B303971BF403A705E303971BF403C70D1303971BF403D70513039715B3039715A303971BF4038705930397199B13C707330397199B13D704B30397199B13A704A303971A8B23870583039715B30387102303971A8B23C7059303971A8B239705A303971A8B2C6715A303971A8B23B705A303971526963685B303971
Footprint md5 Hash -> 7F475B0BDF93F071D746CA9B0C0E8996
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler
Compiler: Microsoft Visual Studio
Detect It Easy (die)
PE+(64): compiler: Microsoft Visual C/C++(-)[-]
PE+(64): linker: Microsoft Linker(14.39**)[-]
Entropy: 3.87202

Suspicious Functions
Library | Function | Description
KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger.
File Access
WindowsPlayer.exe
KERNEL32.dll
UnityPlayer.dll
.dat
@.dat

File Access (UNICODE)
mscoree.dll

Words of Interest
exec
start

URLs
http://schemas.microsoft.com/SMI/2005/WindowsSettings
http://schemas.microsoft.com/SMI/2016/WindowsSettings

Strings/Hex Code Found With The File Rules
Type | Encoding | Rule | Matched (Word)
Text | Ascii | File | CreateFile
Text | Ascii | File | WriteFile
Text | Ascii | Anti-Analysis VM | IsDebuggerPresent
Text | Ascii | Reconnaissance | FindNextFileW
Text | Ascii | Reconnaissance | FindClose
Text | Ascii | Stealth | CloseHandle
Entry Point | Hex | Pattern | Microsoft Visual C++ 8.0 (DLL)
Entry Point | Hex | Pattern | PE-Exe Executable Image
Resources
Path | DataRVA | Size | FileOffset | Code / Text preview
\ICON\1\1033 | 1D2B0 | 468 | 19AB0 | 28000000100000002000000001002000000000000000000000000000000000000000000000000000FFFFFF00FFFFFF009393 (....... ..... ...................................
\ICON\2\1033 | 1D718 | 988 | 19F18 | 28000000180000003000000001002000000000000000000000000000000000000000000000000000FFFFFF00FFFFFF00FFFF (.......0..... ...................................
\ICON\3\1033 | 1E0A0 | 10A8 | 1A8A0 | 28000000200000004000000001002000000000000000000000000000000000000000000000000000FFFFFF00FFFFFF00FFFF (... ...@..... ...................................
\ICON\4\1033 | 1F148 | 25A8 | 1B948 | 28000000300000006000000001002000000000000000000000000000000000000000000000000000FFFFFF00FFFFFF00FFFF (...0........ ...................................
\ICON\5\1033 | 216F0 | 4228 | 1DEF0 | 28000000400000008000000001002000000000000000000000000000000000000000000000000000FFFFFF00FFFFFF00FFFF (...@......... ...................................
\ICON\6\1033 | 25918 | 94A8 | 22118 | 2800000060000000C000000001002000000000000000000000000000000000000000000000000000FFFFFF00FFFFFF00FFFF (............ ...................................
\ICON\7\1033 | 2EDC0 | 10828 | 2B5C0 | 28000000800000000001000001002000000000000000000000000000000000000000000000000000FFFFFF00FFFFFF00FFFF (............. ...................................
\ICON\8\1033 | 3F5E8 | 25228 | 3BDE8 | 28000000C00000008001000001002000000000000000000000000000000000000000000000000000FFFFFF00FFFFFF00FFFF (............. ...................................
\ICON\9\1033 | 64810 | 42028 | 61010 | 28000000000100000002000001002000000000000000000000000000000000000000000000000000FFFFFF00FFFFFF00FFFF (............. ...................................
\GROUP_ICON\103\1033 | A6838 | 84 | A3038 | 000001000900101000000100200068040000010018180000010020008809000002002020000001002000A810000003003030 ............ .h........... ....... .... .......00
\VERSION\1\1033 | A6E08 | 234 | A3608 | 340234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE0000010000004 .4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
\24\1\1033 | A68C0 | 545 | A30C0 | 3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E653D2279 <?xml version="1.0" encoding="UTF-8" standalone="y
Intelligent String
• mscoree.dll
• C:\build\output\unity\unity\artifacts\WindowsPlayer\Win_x64_VS2022_VB_nondev_m_r\WindowsPlayer_player_Master_mono_x64.pdb
• .bss
• KERNEL32.dll
• <dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">True/PM</dpiAware>
• <dpiAwareness xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">PerMonitorV2</dpiAwareness>

Flow Anomalies
Offset RVA Section Description
403 N/A .text JMP QWORD PTR [RIP+0xE237]
5AD N/A .text CALL QWORD PTR [RIP+0xE0AD]
8E4 N/A .text CALL QWORD PTR [RIP+0xDB3E]
8F2 N/A .text CALL QWORD PTR [RIP+0xDB28]
8FE N/A .text CALL QWORD PTR [RIP+0xDB14]
90E N/A .text CALL QWORD PTR [RIP+0xDAFC]
980 N/A .text JMP QWORD PTR [RIP+0xDAAA]
9FC N/A .text CALL QWORD PTR [RIP+0xDA6E]
A29 N/A .text CALL QWORD PTR [RIP+0xDA09]
A43 N/A .text CALL QWORD PTR [RIP+0xD9F7]
A84 N/A .text CALL QWORD PTR [RIP+0xD9BE]
AD8 N/A .text CALL QWORD PTR [RIP+0xD972]
AF5 N/A .text CALL QWORD PTR [RIP+0xD965]
B00 N/A .text CALL QWORD PTR [RIP+0xD952]
B44 N/A .text CALL QWORD PTR [RIP+0xD91E]
B72 N/A .text CALL QWORD PTR [RIP+0xD900]
BC8 N/A .text JMP QWORD PTR [RIP+0xD892]
C4E N/A .text CALL QWORD PTR [RIP+0xDA0C]
C8A N/A .text CALL QWORD PTR [RIP+0xD9D0]
D04 N/A .text JMP QWORD PTR [RIP+0xFFF3FF0]
F33 N/A .text CALL QWORD PTR [RIP+0xD817]
F7C N/A .text CALL QWORD PTR [RIP+0xD506]
1146 N/A .text CALL QWORD PTR [RIP+0xD514]
1347 N/A .text CALL QWORD PTR [RIP+0xD143]
13CE N/A .text CALL QWORD PTR [RIP+0xD0C4]
14BB N/A .text CALL QWORD PTR [RIP+0xCFEF]
1559 N/A .text CALL QWORD PTR [RIP+0xCF91]
1567 N/A .text CALL QWORD PTR [RIP+0xCF23]
1591 N/A .text CALL QWORD PTR [RIP+0xCF59]
15FF N/A .text CALL QWORD PTR [RIP+0xCEDB]
160B N/A .text CALL QWORD PTR [RIP+0xCED7]
1657 N/A .text JMP QWORD PTR [RIP+0xD003]
1663 N/A .text JMP QWORD PTR [RIP+0xCE57]
16A0 N/A .text JMP QWORD PTR [RIP+0xCFBA]
16AC N/A .text JMP QWORD PTR [RIP+0xCE26]
16E8 N/A .text JMP QWORD PTR [RIP+0xCF72]
16F4 N/A .text JMP QWORD PTR [RIP+0xCDCE]
1734 N/A .text CALL QWORD PTR [RIP+0xCF26]
173C N/A .text CALL QWORD PTR [RIP+0xCD8E]
1793 N/A .text CALL QWORD PTR [RIP+0xCEC7]
179B N/A .text CALL QWORD PTR [RIP+0xCD17]
17EB N/A .text CALL QWORD PTR [RIP+0xCE6F]
195F N/A .text CALL QWORD PTR [RIP+0xCADB]
1BE8 N/A .text CALL QWORD PTR [RIP+0xC89A]
1F2C N/A .text CALL QWORD PTR [RIP+0xC72E]
274F N/A .text CALL QWORD PTR [RIP+0xBDA3]
2C70 N/A .text CALL QWORD PTR [RIP+0xB9EA]
2F13 N/A .text CALL QWORD PTR [RIP+0xB5E7]
357E N/A .text CALL QWORD PTR [RIP+0xB0DC]
3598 N/A .text CALL QWORD PTR [RIP+0xAF6A]
35D9 N/A .text CALL QWORD PTR [RIP+0xAF21]
4723 N/A .text CALL QWORD PTR [RIP+0x9F3F]
4742 N/A .text CALL QWORD PTR [RIP+0x9F20]
47BE N/A .text JMP QWORD PTR [RIP+0x9EA4]
4A40 N/A .text CALL QWORD PTR [RIP+0x9ADA]
4E43 N/A .text CALL QWORD PTR [RIP+0x981F]
4E87 N/A .text CALL QWORD PTR [RIP+0x97DB]
4F39 N/A .text CALL QWORD PTR [RIP+0x9729]
4FD3 N/A .text CALL QWORD PTR [RIP+0x949F]
5085 N/A .text CALL QWORD PTR [RIP+0x949D]
5090 N/A .text CALL QWORD PTR [RIP+0x94A2]
509F N/A .text CALL QWORD PTR [RIP+0x948B]
50FD N/A .text CALL QWORD PTR [RIP+0x943D]
5113 N/A .text CALL QWORD PTR [RIP+0x93CF]
512A N/A .text CALL QWORD PTR [RIP+0x9538]
513A N/A .text CALL QWORD PTR [RIP+0x93A0]
5613 N/A .text CALL QWORD PTR [RIP+0x904F]
58FC N/A .text CALL QWORD PTR [RIP+0x8D66]
59AE N/A .text CALL QWORD PTR [RIP+0x8ABC]
5A04 N/A .text CALL QWORD PTR [RIP+0x8A86]
5A38 N/A .text CALL QWORD PTR [RIP+0x8A5A]
5F23 N/A .text CALL QWORD PTR [RIP+0x8567]
5FC3 N/A .text CALL QWORD PTR [RIP+0x84CF]
609B N/A .text CALL QWORD PTR [RIP+0x83EF]
613B N/A .text CALL QWORD PTR [RIP+0x8357]
6290 N/A .text CALL QWORD PTR [RIP+0x81FA]
62C5 N/A .text CALL QWORD PTR [RIP+0x81CD]
62FC N/A .text CALL QWORD PTR [RIP+0x818E]
630C N/A .text CALL QWORD PTR [RIP+0x8186]
63A5 N/A .text CALL QWORD PTR [RIP+0x808D]
63BD N/A .text CALL QWORD PTR [RIP+0x807D]
63F8 N/A .text CALL QWORD PTR [RIP+0x804A]
6431 N/A .text CALL QWORD PTR [RIP+0x8019]
643B N/A .text CALL QWORD PTR [RIP+0x801F]
6446 N/A .text CALL QWORD PTR [RIP+0x800C]
6587 N/A .text CALL QWORD PTR [RIP+0x80DB]
6625 N/A .text CALL QWORD PTR [RIP+0x7E45]
664A N/A .text CALL QWORD PTR [RIP+0x7ED8]
665D N/A .text JMP QWORD PTR [RIP+0x7ED5]
68C9 N/A .text CALL QWORD PTR [RIP+0x7B31]
6902 N/A .text CALL QWORD PTR [RIP+0x7C40]
690C N/A .text CALL QWORD PTR [RIP+0x7B7E]
6A92 N/A .text CALL QWORD PTR [RIP+0x7AC0]
6B1B N/A .text CALL QWORD PTR [RIP+0x7A3F]
6B58 N/A .text CALL QWORD PTR [RIP+0x79F2]
6B96 N/A .text CALL QWORD PTR [RIP+0x79B4]
7156 N/A .text CALL QWORD PTR [RIP+0x741C]
716D N/A .text CALL QWORD PTR [RIP+0x73FD]
7286 N/A .text CALL QWORD PTR [RIP+0x72F4]
783D N/A .text CALL QWORD PTR [RIP+0x6D25]
Extra Analysis
Metric | Value | Percentage
Ascii Code | 154087 | 22,9209%
Null Byte Code | 299750 | 44,5887%
© 2025 All rights reserved.