PESCAN.IO - Analysis Report Basic
| File Structure |
[PE structure chart not reproduced. Legend: executable header (light blue), executable sections (pink), non-executable sections (black), external injected code (red); the file structure is drawn in red when the header is malformed or corrupted. For non-PE files the chart shows printable characters (blue) and non-printable characters (black).]
| Information |
• Size: 486,24 KB
• SHA-256: EDD066A42584EEEFC4A8FBC96F99B320210AA7A1FCA523E2BD88DE09AE28CE54
• SHA-1: AD985DA8E32952FE02B1EAE5D8BEA9DDD2902CE3
• MD5: 5AF6195B9A666075A1A143B02397A3C8
• Imphash: 40FED9DB145064075ADAB02576A3C13B
• MajorOSVersion / MinorOSVersion: 6 / 0
• CheckSum: 0008457A
• EntryPoint (RVA): 3ABF8 (inside .text)
• SizeOfHeaders: 400
• SizeOfImage: 7A000
• ImageBase: 0000000140000000
• Architecture: x64
• ExportTable: 4A050
• ImportTable: 4A0D8
• IAT: 3D000
• Characteristics: 22 (IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_LARGE_ADDRESS_AWARE)
• TimeDateStamp: 69496898 (22/12/2025 15:49:44 UTC)
• File Type: EXE
• Number Of Sections: 6
• ASLR: Disabled (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE is clear; the image still carries a .reloc section, so it remains relocatable if mandatory ASLR is enforced by policy)
• Section Names (Optional Header): .text, .rdata, .data, .pdata, .rsrc, .reloc
• Number Of Executable Sections: 1
• Subsystem: Windows GUI
• UAC Execution Level Manifest: asInvoker
| Sections Info |
Offsets and sizes are hexadecimal; entropy is in bits per byte (0 to 8).
| Section Name | Flags | Raw Offset | Raw Size | Virtual Offset (RVA) | Virtual Size | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 60000020 (Code, Executable, Readable) | 400 | 3BE00 | 1000 | 3BCC3 | 6,0493 | 2251700,57 |
| .rdata | 40000040 (Initialized Data, Readable) | 3C200 | EE00 | 3D000 | ECC2 | 5,2372 | 1934053,06 |
| .data | C0000040 (Initialized Data, Readable, Writeable) | 4B000 | C00 | 4C000 | 1058 | 3,8829 | 171772,50 |
| .pdata | 40000040 (Initialized Data, Readable) | 4BC00 | 4000 | 4E000 | 3FC0 | 5,5391 | 406947,44 |
| .rsrc | 40000040 (Initialized Data, Readable) | 4FC00 | 26200 | 52000 | 26180 | 3,5439 | 9470621,89 |
| .reloc | 42000040 (Initialized Data, Discardable, Readable) | 75E00 | 1000 | 79000 | FDC | 5,4329 | 22584,13 |
| Description |
• OriginalFilename: cef_subprocess.exe
• CompanyName: Wargaming.net
• LegalCopyright: Copyright (c) 2025 Wargaming.net
• ProductName: CEFBrowser
• FileDescription: CEF Browser Subprocess
• FileVersion: 1,0,0,0
• ProductVersion: 1,0,0,0
• Language: Unknown (ID=0x0)
• CodePage: Unicode (UTF-16 LE) (0x4B0)
| Entry Point |
Section 1 (.text) contains the entry point. EntryPoint (file offset, calculated): 39FF8 (RVA 3ABF8 - .text RVA 1000 + .text raw offset 400).
Code bytes: 4883EC28E8830400004883C428E97AFEFFFFCCCCE99BFBFFFFCCCCCCE9E30A0000CCCCCC4883EC28E8F309000085C0742165
Disassembly (the tool prints branch targets relative to a 1000 base, not the real RVA):
• SUB RSP, 0x28
• CALL 0x148C
• ADD RSP, 0x28
• JMP 0xE8C
• INT3
• INT3
• JMP 0xBB4
• INT3
• INT3
• INT3
• JMP 0x1B04
• INT3
• INT3
• INT3
• SUB RSP, 0x28
• CALL 0x1A20
• TEST EAX, EAX
• JE 0x1052
The sub/call/add/jmp prologue followed by INT3 padding is the standard MSVC x64 CRT entry stub (initialise the security cookie, then jump to the common startup routine); it is not by itself an indicator of packing or code injection.
| Signatures |
Rich Signature Analyzer
• Code: 34738DFD7012E3AE7012E3AE7012E3AE796A70AE7C12E3AE3F6EE7AF7A12E3AE3F6EE0AF7312E3AE3F6EE6AF6E12E3AE3F6EE2AF7612E3AE3B6AE2AF7212E3AE7012E3AE7312E3AE7012E2AE8A12E3AEB167E6AF0812E3AECD6EE6AF7312E3AECD6EE3AF7112E3AECD6E1CAE7112E3AE701274AE7112E3AECD6EE1AF7112E3AE526963687012E3AE
• Footprint MD5: C12BF08DB089EB9168F7336917DB0D38
• The Rich header apparently has not been modified.
Certificate / Digital Signature
• The file is signed and the signature is correct (Authenticode, PKCS#7). The signature blob is the overlay that begins at file offset 76E00 (see the last Flow Anomalies row); the issuing CA and timestamp chains are visible in the URLs section.
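The Rich header dump above can be decoded offline. The following is an added example, not code from PESCAN.IO or from the analysed binary: it takes the hex string exactly as the report prints it, recovers the XOR key from the DWORD after "Rich", checks that the first DWORD decodes to "DanS", and splits the body into (product id, build number, object count) comp.id entries. Because the report shows only the Rich block and not the DOS stub, the XOR checksum that normally covers both is not recomputed here; only the structure is validated.

```python
"""Decode the Rich header block printed in the Signatures section.

Added example, not part of the PESCAN.IO report. RICH_HEX is copied verbatim
from the report; the DOS stub is unavailable, so the checksum is not verified.
"""
import struct

RICH_HEX = (
    "34738DFD7012E3AE7012E3AE7012E3AE796A70AE7C12E3AE3F6EE7AF7A12E3AE"
    "3F6EE0AF7312E3AE3F6EE6AF6E12E3AE3F6EE2AF7612E3AE3B6AE2AF7212E3AE"
    "7012E3AE7312E3AE7012E2AE8A12E3AEB167E6AF0812E3AECD6EE6AF7312E3AE"
    "CD6EE3AF7112E3AECD6E1CAE7112E3AE701274AE7112E3AECD6EE1AF7112E3AE"
    "526963687012E3AE"
)

DANS = 0x536E6144  # b"DanS" read as a little-endian DWORD
RICH = 0x68636952  # b"Rich" read as a little-endian DWORD


def decode_rich(hex_dump):
    """Return (xor_key, entries) for a raw Rich block.

    Layout: DanS^key, three 0^key padding DWORDs, N pairs of
    (comp_id^key, count^key), the literal "Rich", then the key itself.
    """
    data = bytes.fromhex(hex_dump)
    if len(data) % 4:
        raise ValueError("Rich block is not DWORD aligned")
    words = struct.unpack("<%dI" % (len(data) // 4), data)
    if words[-2] != RICH:
        raise ValueError("missing 'Rich' marker before the key")
    key = words[-1]
    plain = [w ^ key for w in words[:-2]]
    if plain[0] != DANS:
        raise ValueError("first DWORD does not decode to 'DanS'")
    if plain[1:4] != [0, 0, 0]:
        raise ValueError("padding DWORDs after DanS are not zero")
    body = plain[4:]
    if len(body) % 2:
        raise ValueError("odd number of entry DWORDs")
    entries = []
    for comp_id, count in zip(body[0::2], body[1::2]):
        entries.append({
            "prod_id": comp_id >> 16,     # tool/product identifier
            "build": comp_id & 0xFFFF,    # toolchain build number
            "count": count,               # objects produced by that tool
        })
    return key, entries


def newest_build(entries):
    """Highest build number seen; identifies the linking toolset."""
    return max(e["build"] for e in entries)


if __name__ == "__main__":
    key, entries = decode_rich(RICH_HEX)
    print(f"XOR key 0x{key:08X}, {len(entries)} comp.id entries")
    for e in entries:
        print(f"  prod_id=0x{e['prod_id']:04X} build={e['build']:5d} count={e['count']}")
    print("newest build:", newest_build(entries))
```

The newest build number recovered this way is 31933, which is the 14.34 toolset (Visual Studio 2022 17.4 ships MSVC 19.34.31933); that agrees with the "Microsoft Linker(14.34**)" line DIE reports below. The large count against product id 1 with build 0 is the usual import-library entry and is expected for a binary that links against libcef.dll and the CRT forwarders.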
| Packer/Compiler |
• Compiler: Microsoft Visual Studio
• Detect It Easy (DIE): PE+(64) compiler: Microsoft Visual C/C++(-)[-]; linker: Microsoft Linker(14.34**)[-]; sign tool: Windows Authenticode(2.0)[PKCS 7]
• Whole-file entropy: 5.82237. DIE lists a compiler, linker and sign tool but no packer, and the highest section entropy is 6.05 (.text), which is consistent with unpacked native code rather than compressed or encrypted payloads.
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. Release-mode MSVC binaries routinely import this API from the statically linked startup code, so a single import is weak evidence of deliberate anti-analysis on its own. |
| File Access |
| cef_subprocess.exe api-ms-win-crt-locale-l1-1-0.dll api-ms-win-crt-stdio-l1-1-0.dll api-ms-win-crt-math-l1-1-0.dll api-ms-win-crt-heap-l1-1-0.dll api-ms-win-crt-string-l1-1-0.dll api-ms-win-crt-runtime-l1-1-0.dll VCRUNTIME140_1.dll VCRUNTIME140.dll MSVCP140.dll KERNEL32.dll libcef.dll .dat @.dat |
| File Access (UNICODE) |
| cef_subprocess.exe |
| Words of Interest |
| exec start ping |
| URLs |
All URLs below are certificate-chain endpoints (OCSP responders, CRL distribution points, CA-issuer downloads and CPS pointers) embedded in the Authenticode signature and its timestamp countersignature; none is an application network destination. The trailing "0" on the CPS and .p7c entries is a string-extraction artifact: the byte that follows the URL in the DER-encoded certificate is 0x30 (ASCII "0"), the SEQUENCE tag of the next element.
• http://ocsp.digicert.com
• http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
• http://crl3.digicert.com/DigiCertTrustedRootG4.crl
• http://www.digicert.com/CPS0
• http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
• http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
• http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
• http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl
• http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt
• http://ocsp.sectigo.com
• http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl
• http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0
• http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl
• http://ocsp.usertrust.com
• https://sectigo.com/CPS0
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | Anti-Analysis VM (IsDebuggerPresent) |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8.0 (DLL) |
| Entry Point | Hex Pattern | PE-Exe Executable Image |
| Resources |
| Path | Data RVA (hex) | Size (hex) | File Offset (hex) | Code (first bytes, hex) | Text |
|---|---|---|---|---|---|
| \ICON\1\0 | 52628 | 2E8 | 50228 | 2800000020000000400000000100040000000000800200000000000000000000100000000000000000000000C3790000CC8E | (... ...@....................................y.... |
| \ICON\2\0 | 52910 | 128 | 50510 | 2800000010000000200000000100040000000000C00000000000000000000000100000000000000000000000CC8D1100D19A | (....... ......................................... |
| \ICON\3\0 | 52A38 | EA8 | 50638 | 2800000030000000600000000100080000000000800A00000000000000000000000100000000000000000000B8610000BF70 | (...0.......................................a...p |
| \ICON\4\0 | 538E0 | 8A8 | 514E0 | 2800000020000000400000000100080000000000800400000000000000000000000100000000000000000000C0720000C175 | (... ...@....................................r...u |
| \ICON\5\0 | 54188 | 568 | 51D88 | 2800000010000000200000000100080000000000400100000000000000000000000100000000000000000000C6800000C884 | (....... ...........@............................. |
| \ICON\6\0 | 546F0 | 1C00 | 522F0 | 89504E470D0A1A0A0000000D49484452000001000000010008060000005C72A86600001BC74944415478DAED9D797055559E | .PNG........IHDR.............\r.f....IDATx...ypUU. |
| \ICON\7\0 | 562F0 | 10828 | 53EF0 | 2800000080000000000100000100200000000000000801000000000000000000000000000000000000000000000000000000 | (............. ................................... |
| \ICON\8\0 | 66B18 | 94A8 | 64718 | 2800000060000000C00000000100200000000000809400000000000000000000000000000000000000000000000000000000 | (............ ................................... |
| \ICON\9\0 | 6FFC0 | 4228 | 6DBC0 | 2800000040000000800000000100200000000000004200000000000000000000000000000000000000000000000000000000 | (...@......... ......B............................ |
| \ICON\10\0 | 741E8 | 25A8 | 71DE8 | 2800000030000000600000000100200000000000802500000000000000000000000000000000000000000000000000000000 | (...0........ ......%............................ |
| \ICON\11\0 | 76790 | 10A8 | 74390 | 2800000020000000400000000100200000000000801000000000000000000000000000000000000000000000000000000000 | (... ...@..... ................................... |
| \ICON\12\0 | 77838 | 468 | 75438 | 2800000010000000200000000100200000000000400400000000000000000000000000000000000000000000000000000000 | (....... ..... .....@............................. |
| \GROUP_ICON\IDI_CLIENT_ICON\0 | 77CA0 | AE | 758A0 | 000001000C002020100001000400E8020000010010101000010004002801000002003030000001000800A80E000003002020 | ...... ....................(.....00............ |
| \VERSION\1\0 | 52360 | 2C4 | 4FF60 | C40234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \24\1\1033 | 77D50 | 42C | 75950 | EFBBBF3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E65 | ...<?xml version="1.0" encoding="UTF-8" standalone |
| Intelligent String |
• api-ms-win-crt-string-l1-1-0.dll
• <_register_onexit_function_crt_atexitapi-ms-win-crt-runtime-l1-1-0.dll
• D:\Source\Build\work\1aea00419bbf817c\library\source\cef_subprocess\cef_render_app.cpp
• D:\Source\Build\work\1aea00419bbf817c\library\project\build_wg_web_browser_vc17_win64\cef_subprocess\cef_subprocess.pdb
• .bss
• libcef.dll
• KERNEL32.dll
• VCRUNTIME140.dll
• VCRUNTIME140_1.dll
• api-ms-win-crt-heap-l1-1-0.dll
• api-ms-win-crt-math-l1-1-0.dll
• api-ms-win-crt-stdio-l1-1-0.dll
• api-ms-win-crt-locale-l1-1-0.dll
• Wargaming.net
• Copyright (c) 2025 Wargaming.net
• cef_subprocess.exe
The two D:\Source\Build\work\... entries are the embedded PDB path and a source-file path left in by the compiler; they disclose the build host's directory layout and the project's toolchain/target naming (vc17, win64). Such paths are useful pivots for clustering other builds from the same pipeline.
| Flow Anomalies |
Every .text row is a RIP-relative indirect transfer (CALL or JMP QWORD PTR [RIP+disp32]); the Offset column is a file offset inside .text (raw offset 400 maps to RVA 1000) and the tool does not populate the RVA column. This is how x64 MSVC code reaches imported functions through the IAT (RVA 3D000), so these rows are expected in an unpacked CEF subprocess and are not evidence of tampering. The only non-code entry is the overlay row at the end of the table.
| Offset | RVA | Section | Description |
|---|---|---|---|
| 5B3 | N/A | .text | CALL QWORD PTR [RIP+0x3BFCF] |
| 607 | N/A | .text | CALL QWORD PTR [RIP+0x3BFDB] |
| 62E | N/A | .text | CALL QWORD PTR [RIP+0x3BFAC] |
| 656 | N/A | .text | CALL QWORD PTR [RIP+0x3BF8C] |
| 69C | N/A | .text | CALL QWORD PTR [RIP+0x3BF0E] |
| 6AF | N/A | .text | CALL QWORD PTR [RIP+0x3BEDB] |
| 783 | N/A | .text | CALL QWORD PTR [RIP+0x3BDEF] |
| 7BA | N/A | .text | CALL QWORD PTR [RIP+0x3BE30] |
| 828 | N/A | .text | CALL QWORD PTR [RIP+0x3BD9A] |
| 878 | N/A | .text | CALL QWORD PTR [RIP+0x3BD82] |
| 886 | N/A | .text | CALL QWORD PTR [RIP+0x3BD3C] |
| 8B9 | N/A | .text | CALL QWORD PTR [RIP+0x3BD09] |
| 909 | N/A | .text | CALL QWORD PTR [RIP+0x3BC91] |
| 91C | N/A | .text | CALL QWORD PTR [RIP+0x3BC5E] |
| B55 | N/A | .text | CALL QWORD PTR [RIP+0x3BA1D] |
| BB6 | N/A | .text | CALL QWORD PTR [RIP+0x3BA0C] |
| BE4 | N/A | .text | CALL QWORD PTR [RIP+0x3B9D6] |
| C06 | N/A | .text | CALL QWORD PTR [RIP+0x3B9BC] |
| C4D | N/A | .text | CALL QWORD PTR [RIP+0x3B94D] |
| C60 | N/A | .text | CALL QWORD PTR [RIP+0x3B91A] |
| DA0 | N/A | .text | CALL QWORD PTR [RIP+0x3B99A] |
| E06 | N/A | .text | CALL QWORD PTR [RIP+0x3B824] |
| E20 | N/A | .text | CALL QWORD PTR [RIP+0x3B7EA] |
| E7C | N/A | .text | CALL QWORD PTR [RIP+0x3B776] |
| EB4 | N/A | .text | CALL QWORD PTR [RIP+0x3B76E] |
| 116E | N/A | .text | CALL QWORD PTR [RIP+0x3B74C] |
| 117F | N/A | .text | CALL QWORD PTR [RIP+0x3B74B] |
| 11CE | N/A | .text | CALL QWORD PTR [RIP+0x3B6EC] |
| 11DF | N/A | .text | CALL QWORD PTR [RIP+0x3B6EB] |
| 1247 | N/A | .text | CALL QWORD PTR [RIP+0x3B683] |
| 1276 | N/A | .text | CALL QWORD PTR [RIP+0x3B654] |
| 1462 | N/A | .text | CALL QWORD PTR [RIP+0x3B468] |
| 1548 | N/A | .text | CALL QWORD PTR [RIP+0x3B1F2] |
| 1615 | N/A | .text | JMP QWORD PTR [RIP+0x3AFB5] |
| 161B | N/A | .text | CALL QWORD PTR [RIP+0x3B11F] |
| 1727 | N/A | .text | CALL QWORD PTR [RIP+0x3B1A3] |
| 1759 | N/A | .text | CALL QWORD PTR [RIP+0x3B171] |
| 17B3 | N/A | .text | CALL QWORD PTR [RIP+0x3B117] |
| 1833 | N/A | .text | CALL QWORD PTR [RIP+0x3B097] |
| 18F5 | N/A | .text | CALL QWORD PTR [RIP+0x3AC95] |
| 1935 | N/A | .text | CALL QWORD PTR [RIP+0x3AC45] |
| 19A6 | N/A | .text | CALL QWORD PTR [RIP+0x3ABBC] |
| 19B5 | N/A | .text | JMP QWORD PTR [RIP+0x3ABED] |
| 1A08 | N/A | .text | CALL QWORD PTR [RIP+0x3AEC2] |
| 1B15 | N/A | .text | CALL QWORD PTR [RIP+0x3AA4D] |
| 1B1E | N/A | .text | CALL QWORD PTR [RIP+0x3AA84] |
| 1DA3 | N/A | .text | CALL QWORD PTR [RIP+0x3AB17] |
| 1DE0 | N/A | .text | CALL QWORD PTR [RIP+0x3AAE2] |
| 1E00 | N/A | .text | CALL QWORD PTR [RIP+0x3AACA] |
| 1FA1 | N/A | .text | CALL QWORD PTR [RIP+0x3A939] |
| 20B9 | N/A | .text | CALL QWORD PTR [RIP+0x3A681] |
| 20EF | N/A | .text | CALL QWORD PTR [RIP+0x3A7EB] |
| 223B | N/A | .text | CALL QWORD PTR [RIP+0x3A4FF] |
| 228A | N/A | .text | CALL QWORD PTR [RIP+0x3A640] |
| 2649 | N/A | .text | CALL QWORD PTR [RIP+0x3A271] |
| 2682 | N/A | .text | CALL QWORD PTR [RIP+0x3A248] |
| 2752 | N/A | .text | CALL QWORD PTR [RIP+0x3A168] |
| 278B | N/A | .text | CALL QWORD PTR [RIP+0x3A13F] |
| 2844 | N/A | .text | CALL QWORD PTR [RIP+0x3A076] |
| 287D | N/A | .text | CALL QWORD PTR [RIP+0x3A04D] |
| 28BA | N/A | .text | CALL QWORD PTR [RIP+0x3A010] |
| 2CBF | N/A | .text | CALL QWORD PTR [RIP+0x39A7B] |
| 2D3F | N/A | .text | CALL QWORD PTR [RIP+0x39B7B] |
| 2D67 | N/A | .text | CALL QWORD PTR [RIP+0x39B63] |
| 2E45 | N/A | .text | CALL QWORD PTR [RIP+0x399DD] |
| 2E6C | N/A | .text | CALL QWORD PTR [RIP+0x39A5E] |
| 2ED6 | N/A | .text | CALL QWORD PTR [RIP+0x399F4] |
| 3047 | N/A | .text | CALL QWORD PTR [RIP+0x39873] |
| 3084 | N/A | .text | CALL QWORD PTR [RIP+0x3983E] |
| 30AC | N/A | .text | CALL QWORD PTR [RIP+0x3981E] |
| 30FB | N/A | .text | CALL QWORD PTR [RIP+0x397CF] |
| 31C7 | N/A | .text | CALL QWORD PTR [RIP+0x396F3] |
| 3204 | N/A | .text | CALL QWORD PTR [RIP+0x396BE] |
| 322C | N/A | .text | CALL QWORD PTR [RIP+0x3969E] |
| 3278 | N/A | .text | CALL QWORD PTR [RIP+0x39652] |
| 3347 | N/A | .text | CALL QWORD PTR [RIP+0x39573] |
| 3384 | N/A | .text | CALL QWORD PTR [RIP+0x3953E] |
| 33A4 | N/A | .text | CALL QWORD PTR [RIP+0x39526] |
| 3473 | N/A | .text | CALL QWORD PTR [RIP+0x39457] |
| 34A8 | N/A | .text | CALL QWORD PTR [RIP+0x39422] |
| 34D7 | N/A | .text | CALL QWORD PTR [RIP+0x393F3] |
| 3611 | N/A | .text | CALL QWORD PTR [RIP+0x392B9] |
| 3792 | N/A | .text | CALL QWORD PTR [RIP+0x39128] |
| 37C0 | N/A | .text | CALL QWORD PTR [RIP+0x3910A] |
| 39BE | N/A | .text | CALL QWORD PTR [RIP+0x38EF4] |
| 3A9D | N/A | .text | CALL QWORD PTR [RIP+0x38C9D] |
| 3AAE | N/A | .text | CALL QWORD PTR [RIP+0x38E24] |
| 3C1E | N/A | .text | CALL QWORD PTR [RIP+0x38C9C] |
| 3C4B | N/A | .text | CALL QWORD PTR [RIP+0x38C7F] |
| 3DAB | N/A | .text | CALL QWORD PTR [RIP+0x3898F] |
| 3E1B | N/A | .text | CALL QWORD PTR [RIP+0x3891F] |
| 3F38 | N/A | .text | CALL QWORD PTR [RIP+0x388EA] |
| 3F65 | N/A | .text | CALL QWORD PTR [RIP+0x38965] |
| 4014 | N/A | .text | CALL QWORD PTR [RIP+0x38726] |
| 408A | N/A | .text | CALL QWORD PTR [RIP+0x386B0] |
| 431F | N/A | .text | CALL QWORD PTR [RIP+0x3841B] |
| 4725 | N/A | .text | CALL QWORD PTR [RIP+0x38015] |
| 477A | N/A | .text | CALL QWORD PTR [RIP+0x37FC0] |
| 47CF | N/A | .text | CALL QWORD PTR [RIP+0x37F6B] |
| 4824 | N/A | .text | CALL QWORD PTR [RIP+0x37F16] |
| 76E00 | N/A | *Overlay* | F82A00000002020030822AEA06092A864886F70D | .*......0.*...*.H... |
The overlay starts where .reloc ends (75E00 + 1000) and is the Authenticode security directory, not injected code: a WIN_CERTIFICATE header (dwLength 0x2AF8, wRevision 0x0200, wCertificateType 0x0002 = WIN_CERT_TYPE_PKCS_SIGNED_DATA) followed by a DER SEQUENCE (30 82 2AEA) whose first OID bytes 06 09 2A864886F70D encode the 1.2.840.113549 PKCS arc of the signedData content type. This is the blob the Signatures section validated.
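The numbers in the Information, Sections Info, Entry Point and Flow Anomalies sections can be checked against one another without the file. The following is an added example, not PESCAN.IO code: every constant is copied from the report, and the functions implement the standard PE RVA-to-file-offset mapping, SizeOfImage rounding, the rule that the overlay begins where the last raw section ends, RIP-relative target resolution for the six-byte CALL/JMP [RIP+disp32] encodings, and the WIN_CERTIFICATE header layout. Three Flow Anomalies rows are used as samples; the 0x1000 section alignment and the reading of the Offset column as a file offset are assumptions, and the fact that all three targets land inside the IAT confirms the second one.

```python
"""Cross-check of the layout numbers in this report (added example, not
PESCAN.IO code). Constants are copied from the report's tables."""
import struct

# (name, raw_offset, raw_size, virtual_address, virtual_size) from Sections Info
SECTIONS = [
    (".text",  0x400,   0x3BE00, 0x1000,  0x3BCC3),
    (".rdata", 0x3C200, 0xEE00,  0x3D000, 0xECC2),
    (".data",  0x4B000, 0xC00,   0x4C000, 0x1058),
    (".pdata", 0x4BC00, 0x4000,  0x4E000, 0x3FC0),
    (".rsrc",  0x4FC00, 0x26200, 0x52000, 0x26180),
    (".reloc", 0x75E00, 0x1000,  0x79000, 0xFDC),
]
ENTRY_RVA = 0x3ABF8          # "EntryPoint (rva)"
IAT_RVA = 0x3D000            # "IAT"
SECTION_ALIGNMENT = 0x1000   # assumed; implied by the 0x1000-aligned RVAs
OVERLAY_OFFSET = 0x76E00     # last Flow Anomalies row
OVERLAY_HEX = "F82A00000002020030822AEA06092A864886F70D"
# (file offset, RIP displacement) copied from three Flow Anomalies rows
INDIRECT_TRANSFERS = [(0x5B3, 0x3BFCF), (0x1615, 0x3AFB5), (0x4824, 0x37F16)]


def section_for_rva(rva):
    """Section tuple containing rva, using the larger of virtual/raw size."""
    for sec in SECTIONS:
        _, roff, rsize, va, vsize = sec
        if va <= rva < va + max(vsize, rsize):
            return sec
    return None


def rva_to_offset(rva):
    sec = section_for_rva(rva)
    if sec is None:
        raise ValueError(f"RVA {rva:#x} is not backed by any section")
    return rva - sec[3] + sec[1]


def offset_to_rva(offset):
    for _, roff, rsize, va, _ in SECTIONS:
        if roff <= offset < roff + rsize:
            return offset - roff + va
    raise ValueError(f"offset {offset:#x} is not inside any section")


def size_of_image():
    """End of the last section rounded up to SectionAlignment."""
    _, _, _, va, vsize = SECTIONS[-1]
    return (va + vsize + SECTION_ALIGNMENT - 1) & ~(SECTION_ALIGNMENT - 1)


def overlay_start():
    """The overlay begins where the last raw section ends."""
    return max(roff + rsize for _, roff, rsize, _, _ in SECTIONS)


def indirect_target(file_offset, disp):
    """Target of CALL/JMP QWORD PTR [RIP+disp32]; both encodings are 6 bytes
    and RIP is the RVA of the next instruction."""
    return offset_to_rva(file_offset) + 6 + disp


def iat_slots():
    """Resolve the sampled transfers and insist each lands in the IAT."""
    slots = []
    for off, disp in INDIRECT_TRANSFERS:
        rva = indirect_target(off, disp)
        sec = section_for_rva(rva)
        if sec is None or sec[0] != ".rdata" or rva < IAT_RVA:
            raise ValueError(f"{off:#x}: target {rva:#x} is not an IAT slot")
        slots.append(rva)
    return slots


def parse_win_certificate(overlay):
    """WIN_CERTIFICATE: DWORD dwLength, WORD wRevision, WORD wCertificateType,
    then bCertificate (a DER PKCS#7 SEQUENCE for Authenticode)."""
    length, revision, cert_type = struct.unpack_from("<IHH", overlay, 0)
    if overlay[8] != 0x30 or overlay[9] != 0x82:
        raise ValueError("bCertificate is not a SEQUENCE with a 2-byte length")
    der_len = struct.unpack_from(">H", overlay, 10)[0]
    # 8-byte header + 4 bytes tag/length + DER body, padded to 8 == dwLength
    if not (12 + der_len <= length < 12 + der_len + 8):
        raise ValueError("dwLength does not match the DER length")
    return {"length": length, "revision": revision,
            "type": cert_type, "der_len": der_len}


def expected_file_size():
    """Overlay start plus certificate length: where a clean signed file ends."""
    cert = parse_win_certificate(bytes.fromhex(OVERLAY_HEX))
    return OVERLAY_OFFSET + cert["length"]


if __name__ == "__main__":
    print(f"entry point file offset: {rva_to_offset(ENTRY_RVA):#x}")
    print(f"SizeOfImage {size_of_image():#x}, overlay at {overlay_start():#x}")
    print("IAT slots:", [f"{s:#x}" for s in iat_slots()])
    print("certificate:", parse_win_certificate(bytes.fromhex(OVERLAY_HEX)))
    print(f"expected file size: {expected_file_size()} bytes")
```

Running it reproduces the report's 39FF8 entry-point offset, 7A000 SizeOfImage and 76E00 overlay start, resolves the three sampled transfers to slots just above the IAT base, and yields 497,912 bytes for overlay start plus certificate length, which is the 486,24 KB the Information section reports; a file larger than that would carry data after the signature, a classic place to hide a payload without invalidating the Authenticode hash.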
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| ASCII bytes | 246038 | 49,414% |
| Null bytes | 97353 | 19,5523% |
© 2026 All rights reserved.