PESCAN.IO - Analysis Report Basic

| File Structure |
PE chart legend (chart image not captured): PE header = light blue; executable sections = pink; non-executable sections = black; external injected code = red; file structure drawn in red = malformed or corrupted header. Chart legend for other (non-PE) files: printable characters = blue; non-printable characters = black.
| Information |
| Field | Value |
|---|---|
| Size | 950,96 KB |
| SHA-256 Hash | 2AA2E046F449C5422464E81C3E37FB27637F8BA789D11D4F99C75DA27211DA48 |
| SHA-1 Hash | 46DAC024E7AD5A8ED789D90993EEFFEA5A3062C4 |
| MD5 Hash | 2A27D228DF356FD0E6FD45B1ED2B507E |
| Imphash | B255C73470574DCFC0C4E838CE24100C |
| MajorOSVersion | 5 |
| MinorOSVersion | 1 |
| CheckSum | 000FBA59 |
| EntryPoint (rva) | 1B2C1 |
| SizeOfHeaders | 400 |
| SizeOfImage | F2000 |
| ImageBase | 10000000 |
| Architecture | x86 |
| ExportTable | 5CA70 |
| ImportTable | 5B300 |
| IAT | 41000 |
| Characteristics | 2102 |
| TimeDateStamp | 56C79816 |
| Date | 19/02/2016 22:32:54 |
| File Type | DLL |
| Number Of Sections | 5 |
| ASLR | Disabled |
| Section Names | .text, .rdata, .data, .rsrc, .reloc |
| Number Of Executable Sections | 1 |
| Subsystem | Windows GUI |
| UAC Execution Level Manifest | asInvoker |
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 0x60000020 Code Executable Readable | 400 | 40000 | 1000 | 3FFBA | | |
| .rdata | 0x40000040 Initialized Data Readable | 40400 | 1BC00 | 41000 | 1BB09 | | |
| .data | 0xC0000040 Initialized Data Readable Writeable | 5C000 | 1800 | 5D000 | 5820 | | |
| .rsrc | 0x40000040 Initialized Data Readable | 5D800 | 8AC00 | 63000 | 8AA38 | | |
| .reloc | 0x42000040 Initialized Data GP-Relative Readable | E8400 | 4000 | EE000 | 3E04 | | |
| Description |
| Field | Value |
|---|---|
| OriginalFilename | npUnity3D32.dll |
| CompanyName | Unity Technologies ApS |
| LegalCopyright | (c) 2015 Unity Technologies ApS. All rights reserved. |
| ProductName | Unity Player |
| FileVersion | 5.3.3.9506161 |
| FileDescription | Unity Player 5.3.3f1 |
| ProductVersion | 5.3.3.9506161 |
| Language | English (United States) (ID=0x409) |
| CodePage | Western European (Windows 1252) (0x4E4) |
| Entry Point |
Section 1 (.text) contains the entry point. EntryPoint (calculated): 1A6C1

Code: 8BFF558BEC837D0C017505E856580000FF75088B4D108B550CE8ECFEFFFF595DC20C00E82E59000085C074086A16E8305900

Assembler:

```asm
MOV EDI, EDI
PUSH EBP
MOV EBP, ESP
CMP DWORD PTR [EBP + 0XC], 1
JNE 0X1010
CALL 0X6866
PUSH DWORD PTR [EBP + 8]
MOV ECX, DWORD PTR [EBP + 0X10]
MOV EDX, DWORD PTR [EBP + 0XC]
CALL 0XF0A
POP ECX
POP EBP
RET 0XC
CALL 0X6956
TEST EAX, EAX
JE 0X1034
PUSH 0X16
```
| Signatures |
Rich Signature Analyzer:

- Code: 015C4ECB453D2098453D2098453D20984C45A398443D20985EA0BE986F3D20985EA08B987A3D20985EA08A98853D20984C45B398503D2098453D21984B3C20985EA08F986A3D20985EA0BB98443D20985EA0BA98443D20985EA0BD98443D209852696368453D2098
- Footprint md5 Hash: FD616452FD45F91679ADD760961C8B16
- The Rich header apparently has not been modified

Certificate - Digital Signature:

- The file is signed and the signature is correct
| Packer/Compiler |
- Compiler: Microsoft Visual Studio
- Detect It Easy (die):
  - PE: compiler: EP:Microsoft Visual C/C++(2008-2010)[DLL32]
  - PE: compiler: Microsoft Visual C/C++(2010 SP1)[msvcrt]
  - PE: linker: Microsoft Linker(10.0)[-]
  - PE: Sign tool: Windows Authenticode(2.0)[PKCS 7]
- Entropy: 5.32054
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | CreateMutexA | Create a named or unnamed mutex object for controlling access to a shared resource. |
| KERNEL32.DLL | CreateMutexW | Create a named or unnamed mutex object for controlling access to a shared resource. |
| KERNEL32.DLL | GetModuleFileNameA | Retrieve the fully qualified path for the executable file of a specified module. |
| KERNEL32.DLL | CopyFileW | Copies an existing file to a new file. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | LoadLibraryW | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | CreateFileA | Creates or opens a file or I/O device. |
| KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |
| USER32.DLL | GetAsyncKeyState | Retrieves the status of a virtual key asynchronously. |
| SHELL32.DLL | ShellExecuteExW | Performs a run operation on a specific file. |
| Windows REG |
| Software\Unity\WebPlayer |
| Windows REG (UNICODE) |
| SOFTWARE\Unity\WebPlayer |
| File Access |
| UnityBugReporter.exe iexplore.exe firefox.exe Explorer.EXE npUnity3D32.dll VERSION.dll MSIMG32.dll ole32.dll SHELL32.dll WINMM.dll ADVAPI32.dll SHLWAPI.dll GDI32.dll USER32.dll KERNEL32.dll mono-1-vc.dll webplayer_win.dll wrap_oal.dll ntdll.dll wmnetmgr.dll RPCRT4.dll mshtml.dll ieframe.dll dirapi.dll mswsock.dll Download.dll WebHelper.dll AcroIEHelper.dll @.dat error.log log_debug.txt .txt manager_debug.txt -win32.zip Temp |
| File Access (UNICODE) |
| npUnity3D32.dll 360game.exe 360se.exe UnityBugReporter.exe Uninstall.exe UnityWebPlayerUpdate.exe kernel32.dll AccessCheckFreeSidktmw32.dll ADVAPI32.DLL shell32.dll DBGHELP.DLL GetLastActivePopupGetActiveWindowMessageBoxWUSER32.DLL CorExitProcessmscoree.dll TuesdayMondaySundaySatFriThuWedTueMonSunKERNEL32.DLL Temp |
| Interesting Words |
| PADDINGX exec attrib start pause shutdown systeminfo ping expand |
| Anti-VM/Sandbox/Debug Tricks (UNICODE) |
| OllyDbg Library - dbghelp.dll |
| URLs |
- http://www.winimage.com/zLibDll
- http://www.unity3d.com/about-unity-web-player-3.x
- http://webplayer.unity3d.com/setup-3.x
- http://www.unity3d.com/unity-web-player-error-3.x
- http://webplayer.unity3d.com/
- http://autoupdate-revision.unity3d.com
- http://wp-360.unity3d.com/unity3d
- http://ocsp.thawte.com
- http://crl.thawte.com/ThawteTimestampingCA.crl
- http://ts-ocsp.ws.symantec.com
- http://ts-aia.ws.symantec.com/tss-ca-g2.cer
- http://ts-crl.ws.symantec.com/tss-ca-g2.crl
- http://sv.symcb.com/sv.crl
- http://sv.symcd.com
- http://sv.symcb.com/sv.crt
- http://s2.symcb.com
- http://www.symauth.com/cps0(
- http://www.symauth.com/rpa00
- http://s1.symcb.com/pca3-g5.crl
- http://unity3d.com
- https://ssl-
- https://d.symcb.com/cps0%
- https://d.symcb.com/rpa0
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | WinAPI Sockets (bind) |
| Text | Ascii | WinAPI Sockets (accept) |
| Text | Ascii | WinAPI Sockets (connect) |
| Text | Ascii | WinAPI Sockets (send) |
| Text | Ascii | Registry (RegCreateKeyEx) |
| Text | Ascii | Registry (RegOpenKeyEx) |
| Text | Ascii | Registry (RegSetValueEx) |
| Text | Ascii | File (GetTempPath) |
| Text | Ascii | File (CopyFile) |
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | File (ReadFile) |
| Text | Ascii | Encryption API (CryptAcquireContext) |
| Text | Ascii | Encryption API (CryptReleaseContext) |
| Text | Ascii | Anti-Analysis VM (IsDebuggerPresent) |
| Text | Ascii | Anti-Analysis VM (GetSystemInfo) |
| Text | Ascii | Anti-Analysis VM (GetVersion) |
| Text | Ascii | Reconnaissance (FindFirstFileW) |
| Text | Ascii | Reconnaissance (FindNextFileW) |
| Text | Ascii | Reconnaissance (FindClose) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Execution (ShellExecute) |
| Text | Ascii | Execution (CreateEventW) |
| Text | Ascii | Antivirus Software (Symantec) |
| Text | Ascii | Stealer malware focused on obtaining CVV codes to conduct unauthorized transactions (CVV) |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \BINARY\202\1033 | 633F8 | 7C | 5DBF8 | 89504E470D0A1A0A0000000D4948445200000002000000060806000000E9274F320000001974455874536F66747761726500 | .PNG........IHDR..............'O2....tEXtSoftware. |
| \BINARY\204\1033 | 63474 | 7D6 | 5DC74 | 89504E470D0A1A0A0000000D494844520000007A000000300806000000DE9A6EEE0000001974455874536F66747761726500 | .PNG........IHDR...z...0.......n.....tEXtSoftware. |
| \BINARY\205\1033 | 63C4C | 88 | 5E44C | 89504E470D0A1A0A0000000D49484452000000A300000006080200000020DFB98A0000001974455874536F66747761726500 | .PNG........IHDR............. .......tEXtSoftware. |
| \ICON\1\1033 | 63CD4 | 468 | 5E4D4 | 2800000010000000200000000100200000000000000800000000000000000000000000000000000000000000000000000000 | (....... ..... ................................... |
| \ICON\2\1033 | 6413C | 988 | 5E93C | 2800000018000000300000000100200000000000001200000000000000000000000000000000000000000000000000000000 | (.......0..... ................................... |
| \ICON\3\1033 | 64AC4 | 10A8 | 5F2C4 | 2800000020000000400000000100200000000000002000000000000000000000000000000000000000000000000000000000 | (... ...@..... ...... ............................ |
| \ICON\4\1033 | 65B6C | 25A8 | 6036C | 2800000030000000600000000100200000000000004800000000000000000000000000000000000000000000000000000000 | (...0........ ......H............................ |
| \ICON\5\1033 | 68114 | 4228 | 62914 | 2800000040000000800000000100200000000000008000000000000000000000000000000000000000000000000000000000 | (...@......... ................................... |
| \ICON\6\1033 | 6C33C | 94A8 | 66B3C | 2800000060000000C00000000100200000000000002001000000000000000000000000000000000000000000000000000000 | (............ ...... ............................ |
| \ICON\7\1033 | 757E4 | 10828 | 6FFE4 | 2800000080000000000100000100200000000000000002000000000000000000000000000000000000000000000000000000 | (............. ................................... |
| \ICON\8\1033 | 8600C | 25228 | 8080C | 28000000C0000000800100000100200000000000008004000000000000000000000000000000000000000000000000000000 | (............. ................................... |
| \ICON\9\1033 | AB234 | 42028 | A5A34 | 2800000000010000000200000100200000000000000008000000000000000000000000000000000000000000000000000000 | (............. ................................... |
| \MENU\201\1033 | ED25C | 8E | E7A5C | 00000000900055006E006900740079002000570065006200200050006C00610079006500720000000000028047006F002000 | ......U.n.i.t.y. .W.e.b. .P.l.a.y.e.r.......G.o. . |
| \DIALOG\207\1033 | ED2EC | F4 | E7AEC | 0100FFFF0000000000000000C800C880030000000000EA006100000000004400690061006C006F0067000000080090010001 | ........................a.....D.i.a.l.o.g......... |
| \GROUP_ICON\1\1033 | ED3E0 | 84 | E7BE0 | 000001000900101000000100200068040000010018180000010020008809000002002020000001002000A810000003003030 | ............ .h........... ....... .... .......00 |
| \VERSION\1\1033 | ED464 | 478 | E7C64 | 780434000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000300 | x.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \24\2\1033 | ED8DC | 15A | E80DC | 3C617373656D626C7920786D6C6E733D2275726E3A736368656D61732D6D6963726F736F66742D636F6D3A61736D2E763122 | <assembly xmlns="urn:schemas-microsoft-com:asm.v1" |
| Intelligent String |
- npUnity3D32.dll
- UnityBugReporter.exe
- dirapi.dll
- mswsock.dll
- mscoree.dll
- unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
- WebHelper.dll
- Download.dll
- ole32.dll
- ieframe.dll
- mshtml.dll
- RPCRT4.dll
- wmnetmgr.dll
- QuickTimeH264.qtx
- Explorer.EXE
- ntdll.dll
- Flash9.ocx
- firefox.exeiexplore.exe
- MiniDumpWriteDump
- DBGHELP.DLL
- a Datatype Misalignmenta Control-Breaka Control-CException encountered during stack dump.
- Error dump
- error.log
- crash.dmp
- http:///crossdomain.xml
- http://www.unity3d.com/about-unity-web-player-3.x
- http://webplayer.unity3d.com/setup-3.x
- http://www.unity3d.com/unity-web-player-error-3.x
- logmanager_debug.txt
- .txt
- shell32.dll
- UnityWebPlayerUpdate.exe
- -win32.zip
- log_debug.txt
- http://autoupdate-revision.unity3d.com
- http://wp-360.unity3d.com/unity3d
- Uninstall.exe
- UnityWebPluginAX.ocx
- \\.\pipe\Unity.WebPlayer.Update.
- wrap_oal.dll
- webplayer_win.dll
- mono-1-vc.dll
- 360se.exe
- 360game.exe
- ADVAPI32.DLL
- kernel32.dll
- C:\buildslave\unity\build\build\symbols\win32\npUnity3D32_x86.pdb
- KERNEL32.dll
- ADVAPI32.dll
| Flow Anomalies |
| Offset | RVA | Section | Instruction | Description |
|---|---|---|---|---|
| 553 | 10041188 | .text | CALL [static] | Indirect call to absolute memory address |
| 599 | 10041184 | .text | CALL [static] | Indirect call to absolute memory address |
| 5EA | 100614E0 | .text | CALL [static] | Indirect call to absolute memory address |
| 62D | 10041188 | .text | CALL [static] | Indirect call to absolute memory address |
| 6D9 | 10061508 | .text | CALL [static] | Indirect call to absolute memory address |
| 70C | 10061504 | .text | CALL [static] | Indirect call to absolute memory address |
| 753 | 10041184 | .text | CALL [static] | Indirect call to absolute memory address |
| 13FA | 1005E638 | .text | CALL [static] | Indirect call to absolute memory address |
| 3DFB | 100413D4 | .text | CALL [static] | Indirect call to absolute memory address |
| 3E27 | 100413E8 | .text | CALL [static] | Indirect call to absolute memory address |
| 3E35 | 100413EC | .text | CALL [static] | Indirect call to absolute memory address |
| 3E63 | 10041400 | .text | CALL [static] | Indirect call to absolute memory address |
| 3EDE | 100413D4 | .text | CALL [static] | Indirect call to absolute memory address |
| 3EF8 | 100413D4 | .text | CALL [static] | Indirect call to absolute memory address |
| 3F10 | 100413D8 | .text | CALL [static] | Indirect call to absolute memory address |
| 3F66 | 100413E4 | .text | CALL [static] | Indirect call to absolute memory address |
| 3F6F | 100413D4 | .text | CALL [static] | Indirect call to absolute memory address |
| 3F87 | 10041398 | .text | CALL [static] | Indirect call to absolute memory address |
| 3F92 | 100413D4 | .text | CALL [static] | Indirect call to absolute memory address |
| 3FA7 | 100413F0 | .text | CALL [static] | Indirect call to absolute memory address |
| 3FB6 | 100413D4 | .text | CALL [static] | Indirect call to absolute memory address |
| 400D | 10041400 | .text | CALL [static] | Indirect call to absolute memory address |
| 401E | 100413F4 | .text | CALL [static] | Indirect call to absolute memory address |
| 406F | 100413FC | .text | CALL [static] | Indirect call to absolute memory address |
| 4078 | 100413F8 | .text | CALL [static] | Indirect call to absolute memory address |
| 40B2 | 100413A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 410B | 100413B0 | .text | CALL [static] | Indirect call to absolute memory address |
| 4128 | 100413AC | .text | CALL [static] | Indirect call to absolute memory address |
| 416C | 100413A4 | .text | CALL [static] | Indirect call to absolute memory address |
| 41A7 | 100413A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 41CD | 1004139C | .text | CALL [static] | Indirect call to absolute memory address |
| 41D6 | 100413F8 | .text | CALL [static] | Indirect call to absolute memory address |
| 4204 | 10041398 | .text | CALL [static] | Indirect call to absolute memory address |
| 4226 | 10041394 | .text | CALL [static] | Indirect call to absolute memory address |
| 423F | 10041390 | .text | CALL [static] | Indirect call to absolute memory address |
| 426A | 1004138C | .text | CALL [static] | Indirect call to absolute memory address |
| 4309 | 10041404 | .text | CALL [static] | Indirect call to absolute memory address |
| 4436 | 10041384 | .text | CALL [static] | Indirect call to absolute memory address |
| 4447 | 100410A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 445A | 1004109C | .text | CALL [static] | Indirect call to absolute memory address |
| 44CF | 10041098 | .text | CALL [static] | Indirect call to absolute memory address |
| 451E | 10041094 | .text | CALL [static] | Indirect call to absolute memory address |
| 4589 | 100410A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 4595 | 1004137C | .text | CALL [static] | Indirect call to absolute memory address |
| 45B8 | 10041378 | .text | CALL [static] | Indirect call to absolute memory address |
| 45CF | 10041374 | .text | CALL [static] | Indirect call to absolute memory address |
| 45EE | 1004139C | .text | CALL [static] | Indirect call to absolute memory address |
| 462D | 10041370 | .text | CALL [static] | Indirect call to absolute memory address |
| 465C | 1004136C | .text | CALL [static] | Indirect call to absolute memory address |
| 468A | 10041090 | .text | CALL [static] | Indirect call to absolute memory address |
| 4695 | 10041368 | .text | CALL [static] | Indirect call to absolute memory address |
| 469D | 1004108C | .text | CALL [static] | Indirect call to absolute memory address |
| 46A8 | 10041360 | .text | CALL [static] | Indirect call to absolute memory address |
| 46B4 | 10041364 | .text | CALL [static] | Indirect call to absolute memory address |
| 46CE | 10041088 | .text | CALL [static] | Indirect call to absolute memory address |
| 46E5 | 10041094 | .text | CALL [static] | Indirect call to absolute memory address |
| 46ED | 10041368 | .text | CALL [static] | Indirect call to absolute memory address |
| 46F8 | 10041084 | .text | CALL [static] | Indirect call to absolute memory address |
| 4762 | 10041080 | .text | CALL [static] | Indirect call to absolute memory address |
| 477D | 10041360 | .text | CALL [static] | Indirect call to absolute memory address |
| 478B | 10041364 | .text | CALL [static] | Indirect call to absolute memory address |
| 4793 | 10041368 | .text | CALL [static] | Indirect call to absolute memory address |
| 479D | 1004108C | .text | CALL [static] | Indirect call to absolute memory address |
| 47AB | 10041368 | .text | CALL [static] | Indirect call to absolute memory address |
| 47B5 | 1004108C | .text | CALL [static] | Indirect call to absolute memory address |
| 47C3 | 10041378 | .text | CALL [static] | Indirect call to absolute memory address |
| 47D1 | 1004135C | .text | CALL [static] | Indirect call to absolute memory address |
| 47F0 | 10041358 | .text | CALL [static] | Indirect call to absolute memory address |
| 47F8 | 10041368 | .text | CALL [static] | Indirect call to absolute memory address |
| 4802 | 1004108C | .text | CALL [static] | Indirect call to absolute memory address |
| 4863 | 1004107C | .text | CALL [static] | Indirect call to absolute memory address |
| 488A | 100413E8 | .text | CALL [static] | Indirect call to absolute memory address |
| 48C9 | 100410A4 | .text | CALL [static] | Indirect call to absolute memory address |
| 48E0 | 10041074 | .text | CALL [static] | Indirect call to absolute memory address |
| 48F4 | 10041090 | .text | CALL [static] | Indirect call to absolute memory address |
| 4900 | 1004108C | .text | CALL [static] | Indirect call to absolute memory address |
| 494D | 10041078 | .text | CALL [static] | Indirect call to absolute memory address |
| 5125 | 100410D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 5148 | 10041188 | .text | CALL [static] | Indirect call to absolute memory address |
| 5184 | 10041184 | .text | CALL [static] | Indirect call to absolute memory address |
| 51D5 | 10041184 | .text | CALL [static] | Indirect call to absolute memory address |
| 52A3 | 100614E8 | .text | CALL [static] | Indirect call to absolute memory address |
| 5326 | 10041178 | .text | CALL [static] | Indirect call to absolute memory address |
| 5421 | 100413CC | .text | CALL [static] | Indirect call to absolute memory address |
| 5449 | 100413D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 5456 | 100410A8 | .text | CALL [static] | Indirect call to absolute memory address |
| 54D1 | 100410D4 | .text | CALL [static] | Indirect call to absolute memory address |
| 54DF | 100614E8 | .text | CALL [static] | Indirect call to absolute memory address |
| 55B0 | 10041188 | .text | CALL [static] | Indirect call to absolute memory address |
| 55D5 | 10041184 | .text | CALL [static] | Indirect call to absolute memory address |
| 5668 | 100413A4 | .text | CALL [static] | Indirect call to absolute memory address |
| 568C | 10041398 | .text | CALL [static] | Indirect call to absolute memory address |
| 569A | 100413D4 | .text | CALL [static] | Indirect call to absolute memory address |
| 56C8 | 10041354 | .text | CALL [static] | Indirect call to absolute memory address |
| 56E1 | 100413A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 57DD | 1004139C | .text | CALL [static] | Indirect call to absolute memory address |
| 5821 | 100413D4 | .text | CALL [static] | Indirect call to absolute memory address |
| 5839 | 100413F0 | .text | CALL [static] | Indirect call to absolute memory address |
| 59F2 | 100614CC | .text | CALL [static] | Indirect call to absolute memory address |
| 5A6A | 10041350 | .text | CALL [static] | Indirect call to absolute memory address |
| EC400 | N/A | *Overlay* | D817000000020200308217C906092A864886F70D | ........0.....*.H... |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 401516 | 41,2326% |
| Null Byte Code | 319187 | 32,778% |