PESCAN.IO - Analysis Report Basic

File Structure
[Analysis image not reproduced. Legend of the PE chart: executable header = light blue, executable sections = pink, non-executable sections = black, external injected code = red; a file structure drawn in red marks a malformed or corrupted header.]
Information
Size: 651,00 KB
SHA-256 Hash: 209D0CDA85A2F86A46B6F3F97843DFEE86D18259C987708376F6E1BF87D208E3
SHA-1 Hash: D3EE59EA8493A4F36A5ACFFAFD42EA85A1928A9C
MD5 Hash: B90B3D839872AE022E37A87B9636081C
Imphash: CE1183CC150987A99AEF5749F22AF81E
MajorOSVersion: 6
MinorOSVersion: 0
CheckSum: 00000000 (not set; the PE checksum is optional for user-mode executables and the loader does not enforce it for them)
EntryPoint (rva): 1260
SizeOfHeaders: 400
SizeOfImage: A8000
ImageBase: 0000000140000000
Architecture: x64
ExportTable: 16C30
ImportTable: 16CB8
IAT: E000
Characteristics: 22 (IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_LARGE_ADDRESS_AWARE)
TimeDateStamp: 66C4FD6F
Date: 20/08/2024 20:32:47
File Type: EXE
Number Of Sections: 7
ASLR: Disabled (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE is clear, so the image is mapped at the fixed ImageBase 0000000140000000 unless that range is already taken, even though a .reloc section is present)
Section Names (Section Table): .text, .rdata, .data, .pdata, _RDATA, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI

Sections Info
Section  Flags     Flags (decoded)                            ROffset  RSize  VOffset  VSize  Entropy     Chi2
.text    60000020  Code, Executable, Readable                 400      CA00   1000     C8B0   6,41083396  96,28
.rdata   40000040  Initialized Data, Readable                 CE00     9600   E000     948A   4,65312300  601,83
.data    C0000040  Initialized Data, Readable, Writeable      16400    C00    18000    1D38   1,87034905  81,83
.pdata   40000040  Initialized Data, Readable                 17000    1000   1A000    EF4    4,62842244  32,00
_RDATA   40000040  Initialized Data, Readable                 18000    200    1B000    94     1,11899870  0,00
.rsrc    40000040  Initialized Data, Readable                 18200    8A200  1C000    8A1A0  4,36081719  1861,63
.reloc   42000040  Initialized Data, Discardable, Readable    A2400    800    A7000    654    4,84213844  8,75
(Offsets and sizes are hexadecimal. The 0x02000000 bit in the .reloc flags is IMAGE_SCN_MEM_DISCARDABLE, not GP-relative as the scanner labels it; IMAGE_SCN_GPREL is 0x00008000.)
Description
LegalCopyright: (c) 2005-2024 Unity Technologies. All rights reserved.
FileVersion: 2022.3.44.12824073
ProductVersion: 2022.3.44f1 (c3ae09b9f03c)
Language: English (United States) (ID=0x409)
CodePage: Unicode (UTF-16 LE) (0x4B0)

Entry Point
Section 1 (.text) contains the Entry Point
Information -> EntryPoint file offset (calculated) - 660 (RVA 1260 - .text VOffset 1000 + .text ROffset 400)
Code -> 4883EC28E85B0200004883C428E97AFEFFFFCCCC4883EC28E8DB07000085C0742165488B042530000000488B4808EB05483B
Disassembly. The scanner based this listing at 1000 (the start of .text) rather than at the entry point RVA 1260, so every branch target it prints is 260 too low; the RVA the branch actually reaches is given in brackets.
SUB RSP, 0X28
CALL 0X1264 [RVA 14C4]
ADD RSP, 0X28
JMP 0XE8C [RVA 10EC]
INT3
INT3
SUB RSP, 0X28
CALL 0X17F8 [RVA 1A58]
TEST EAX, EAX
JE 0X1042 [RVA 12A2]
MOV RAX, QWORD PTR GS:[0X30]
MOV RCX, QWORD PTR [RAX + 8]
JMP 0X1035 [RVA 1295]

Signatures
Rich Signature Analyzer:
Code -> 490A8EB60D6BE0E50D6BE0E50D6BE0E5E91BE3E4086BE0E5E91BE5E4876BE0E5E91BE4E4076BE0E5E91BE1E40F6BE0E5B31AE5E42A6BE0E5B31AE4E41D6BE0E5B31AE3E4046BE0E59819E1E40E6BE0E50D6BE1E5546BE0E59819E5E40E6BE0E59819E0E40C6BE0E598191FE50C6BE0E59819E2E40C6BE0E5526963680D6BE0E5
Footprint md5 Hash -> 819E951F0B1855F004F00557381E95BA
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found:
• The file is not signed
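The Rich Signature Analyzer line above is the raw Rich header, from the XOR-encoded DanS marker through the clear-text key. The script below, added here as a worked example (it is not PESCAN.IO code), decodes that exact blob into (product id, build number, use count) triples and also carries the checksum routine behind a "has not been modified" verdict. That routine needs the DOS header bytes, which the report does not reproduce, so it is included but not exercised on this file. Product ids are deliberately left as numbers rather than mapped to tool names.

```python
"""Decode the Rich header printed in the report above.  Added example, not PESCAN.IO code.
RICH_HEX is the exact blob from the 'Rich Signature Analyzer' line.  Layout (documented Rich
format): "DanS" ^ key, three key-valued padding dwords, (compid ^ key, count ^ key) pairs,
then the clear-text "Rich" marker and the key itself."""
import struct

RICH_HEX = (
    "490A8EB60D6BE0E50D6BE0E50D6BE0E5E91BE3E4086BE0E5E91BE5E4876BE0E5"
    "E91BE4E4076BE0E5E91BE1E40F6BE0E5B31AE5E42A6BE0E5B31AE4E41D6BE0E5"
    "B31AE3E4046BE0E59819E1E40E6BE0E50D6BE1E5546BE0E59819E5E40E6BE0E5"
    "9819E0E40C6BE0E598191FE50C6BE0E59819E2E40C6BE0E5526963680D6BE0E5"
)
DANS = 0x536E6144   # "DanS" read as a little-endian dword
RICH = 0x68636952   # "Rich"


def rol32(value, count):
    """32-bit rotate left; the Rich checksum rotates by byte index and by use count."""
    count &= 31
    return ((value << count) | (value >> (32 - count))) & 0xFFFFFFFF


def decode_rich(hexblob):
    """Return (key, [(prodid, build, count), ...]); raise if the markers do not line up."""
    data = bytes.fromhex(hexblob)
    words = struct.unpack("<%dI" % (len(data) // 4), data)
    if words[-2] != RICH:
        raise ValueError("no 'Rich' marker before the key")
    key = words[-1]
    if words[0] ^ key != DANS:
        raise ValueError("'DanS' marker does not decode with the key")
    if any(w ^ key for w in words[1:4]):
        raise ValueError("padding dwords after DanS are not zero")
    entries = []
    for i in range(4, len(words) - 2, 2):
        compid = words[i] ^ key          # high 16 bits: product id, low 16 bits: build number
        count = words[i + 1] ^ key       # how many objects that tool contributed
        entries.append((compid >> 16, compid & 0xFFFF, count))
    return key, entries


def toolchain_builds(entries):
    """Distinct non-zero build numbers; prodid 1 / build 0 is the generic import-count entry."""
    return sorted({build for _prodid, build, _count in entries if build})


def rich_checksum(dos_header, dans_offset, entries):
    """Recompute the key from the DOS header (e_lfanew skipped) plus the decoded entries.
    A stored key equal to this value is what 'Rich header not modified' means.  The DOS
    header is not reproduced in the report, so this cannot be run against the file above."""
    csum = dans_offset
    for i in range(dans_offset):
        if 0x3C <= i < 0x40:            # e_lfanew is excluded from the checksum
            continue
        csum = (csum + rol32(dos_header[i], i)) & 0xFFFFFFFF
    for prodid, build, count in entries:
        csum = (csum + rol32((prodid << 16) | build, count)) & 0xFFFFFFFF
    return csum


if __name__ == "__main__":
    key, entries = decode_rich(RICH_HEX)
    print("key = %08X, %d entries" % (key, len(entries)))
    for prodid, build, count in entries:
        print("prodid=0x%04X build=%5d count=%3d" % (prodid, build, count))
    print("builds:", toolchain_builds(entries))
```

The blob decodes with key E5E06B0D into 13 entries whose build numbers are 28900, 29118 and 29333, which sits in the range implied by the Microsoft Linker 14.28 identification in the Packer/Compiler section. The entry with product id 1 and build 0 (count 89) is the generic import-count record, not a tool.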

Packer/Compiler
Compiler: Microsoft Visual Studio
Detect It Easy (die)
PE+(64): compiler: Microsoft Visual C/C++(-)[-]
PE+(64): linker: Microsoft Linker(14.28**)[-]
Entropy: 4.9209

Suspicious Functions
Library       Function           Description
KERNEL32.DLL  WriteFile          Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL  GetProcAddress     Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL  IsDebuggerPresent  Determines if the calling process is being debugged by a user-mode debugger.
All three are routinely imported by the statically linked MSVC C runtime start-up code; in a Microsoft Linker 14.28 build whose only DLL names are KERNEL32.dll and UnityPlayer.dll they are weak indicators on their own.
File Access
WindowsPlayer.exe
KERNEL32.dll
UnityPlayer.dll
.dat
@.dat

File Access (UNICODE)
mscoree.dll

Words of Interest
exec
start

URLs
http://schemas.microsoft.com/SMI/2005/WindowsSettings
http://schemas.microsoft.com/SMI/2016/WindowsSettings

Strings/Hex Code Found With The File Rules
Rule Type    Encoding     Matched (Word)
Text         Ascii        File (CreateFile)
Text         Ascii        File (WriteFile)
Text         Ascii        Anti-Analysis VM (IsDebuggerPresent)
Text         Ascii        Reconnaissance (FindNextFileW)
Text         Ascii        Reconnaissance (FindClose)
Text         Ascii        Stealth (CloseHandle)
Entry Point  Hex Pattern  Microsoft Visual C++ 8.0 (DLL)
Entry Point  Hex Pattern  PE-Exe Executable Image
(The "Visual C++ 8.0 (DLL)" hit is a generic entry-point byte pattern shared by many MSVC start-up stubs; the Rich header and DIE identify a 14.28 linker and the file is an EXE, so the version and DLL labels of that rule should not be taken literally.)
Resources
Path                  DataRVA  Size   FileOffset  Code (first 50 bytes, hex)  |  Text
\ICON\1\1033          1C2B0    42028  184B0       280000000001000000020000010020000000000000000000000000000000000000000000000000002ADEFFFF2ADEFFFF2ADE  |  (............. .........................*...*...*.
\ICON\2\1033          5E2D8    25228  5A4D8       28000000C000000080010000010020000000000000000000000000000000000000000000000000002ADEFFFF2ADEFFFF2ADE  |  (............. .........................*...*...*.
\ICON\3\1033          83500    10828  7F700       280000008000000000010000010020000000000000000000000000000000000000000000000000002ADEFFFF2ADEFFFF2ADE  |  (............. .........................*...*...*.
\ICON\4\1033          93D28    94A8   8FF28       2800000060000000C0000000010020000000000000000000000000000000000000000000000000002ADEFFFF2ADEFFFF2ADE  |  (............ .........................*...*...*.
\ICON\5\1033          9D1D0    4228   993D0       280000004000000080000000010020000000000000000000000000000000000000000000000000002ADEFFFF2ADEFFFF2ADE  |  (...@......... .........................*...*...*.
\ICON\6\1033          A13F8    25A8   9D5F8       280000003000000060000000010020000000000000000000000000000000000000000000000000002ADEFFFF2ADEFFFF2ADE  |  (...0........ .........................*...*...*.
\ICON\7\1033          A39A0    10A8   9FBA0       280000002000000040000000010020000000000000000000000000000000000000000000000000002ADEFFFF2AE0FFFF25BA  |  (... ...@..... .........................*...*...%.
\ICON\8\1033          A4A48    988    A0C48       280000001800000030000000010020000000000000000000000000000000000000000000000000002ADFFFFF29D4F5FF1235  |  (.......0..... .........................*...)....5
\ICON\9\1033          A53D0    468    A15D0       280000001000000020000000010020000000000000000000000000000000000000000000000000002AE0FFFF19617EFF2401  |  (....... ..... .........................*....a~.$.
\GROUP_ICON\103\1033  A5838    84     A1A38       0000010009000000000001002000282004000100C0C000000100200028520200020080800000010020002808010003006060  |  ............ .( .......... .(R.......... .(.....
\VERSION\1\1033       A5F88    214    A2188       140234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000300  |  ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
\24\1\1033            A58C0    6C1    A1AC0       3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E653D2279  |  <?xml version="1.0" encoding="UTF-8" standalone="y
Intelligent String
• mscoree.dll
• C:\build\output\unity\unity\artifacts\WindowsPlayer\Win64_VS2019_nondev_i_r\WindowsPlayer_player_Master_il2cpp_x64.pdb
• .bss
• KERNEL32.dll
• <dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">True/PM</dpiAware>
• <dpiAwareness xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">PerMonitorV2</dpiAwareness>

Flow Anomalies
RIP-relative indirect CALL/JMP instructions (FF 15 / FF 25 followed by a 32-bit displacement, 6 bytes each). The scanner leaves the RVA column as N/A; every offset listed lies in .text, so RVA = Offset + C00, and the operand resolves to RVA(Offset) + 6 + displacement. Spot checks (401 -> E240, 5A9 -> E260, 8F0 -> E028, 6E2D -> E168) land in .rdata at or just above the IAT (E000), which is what ordinary import thunks look like rather than injected control flow. The row at D14 resolves outside the image as printed and should be re-checked in a disassembler.
Offset RVA Section Description
401 N/A .text JMP QWORD PTR [RIP+0xD239]
5A9 N/A .text CALL QWORD PTR [RIP+0xD0B1]
8F0 N/A .text CALL QWORD PTR [RIP+0xCB32]
8FE N/A .text CALL QWORD PTR [RIP+0xCB1C]
90A N/A .text CALL QWORD PTR [RIP+0xCB08]
91A N/A .text CALL QWORD PTR [RIP+0xCAF0]
98C N/A .text JMP QWORD PTR [RIP+0xCA9E]
A34 N/A .text CALL QWORD PTR [RIP+0xC9FE]
A4E N/A .text CALL QWORD PTR [RIP+0xC9EC]
A8F N/A .text CALL QWORD PTR [RIP+0xC9B3]
AE3 N/A .text CALL QWORD PTR [RIP+0xC967]
B04 N/A .text CALL QWORD PTR [RIP+0xC956]
B0F N/A .text CALL QWORD PTR [RIP+0xC943]
B54 N/A .text CALL QWORD PTR [RIP+0xC90E]
B82 N/A .text CALL QWORD PTR [RIP+0xC8F0]
BD8 N/A .text JMP QWORD PTR [RIP+0xC882]
C5E N/A .text CALL QWORD PTR [RIP+0xC9FC]
C9A N/A .text CALL QWORD PTR [RIP+0xC9C0]
D14 N/A .text JMP QWORD PTR [RIP+0xFFF3FF0]
E70 N/A .text JMP QWORD PTR [RIP+0xC5FA]
F49 N/A .text CALL QWORD PTR [RIP+0xC7D1]
F87 N/A .text CALL QWORD PTR [RIP+0xC4FB]
1152 N/A .text CALL QWORD PTR [RIP+0xC508]
14F7 N/A .text CALL QWORD PTR [RIP+0xBF93]
157E N/A .text CALL QWORD PTR [RIP+0xBF14]
1657 N/A .text CALL QWORD PTR [RIP+0xBE53]
16F3 N/A .text CALL QWORD PTR [RIP+0xBDF7]
1701 N/A .text CALL QWORD PTR [RIP+0xBD89]
172B N/A .text CALL QWORD PTR [RIP+0xBDBF]
1771 N/A .text CALL QWORD PTR [RIP+0xBD69]
177D N/A .text CALL QWORD PTR [RIP+0xBD65]
17EF N/A .text JMP QWORD PTR [RIP+0xBE6B]
17FB N/A .text JMP QWORD PTR [RIP+0xBCBF]
1838 N/A .text JMP QWORD PTR [RIP+0xBE22]
1844 N/A .text JMP QWORD PTR [RIP+0xBC8E]
1880 N/A .text JMP QWORD PTR [RIP+0xBDDA]
188C N/A .text JMP QWORD PTR [RIP+0xBC36]
18CC N/A .text CALL QWORD PTR [RIP+0xBD8E]
18D4 N/A .text CALL QWORD PTR [RIP+0xBBF6]
192B N/A .text CALL QWORD PTR [RIP+0xBD2F]
1933 N/A .text CALL QWORD PTR [RIP+0xBB7F]
1983 N/A .text CALL QWORD PTR [RIP+0xBCD7]
1AE6 N/A .text CALL QWORD PTR [RIP+0xB954]
1D78 N/A .text CALL QWORD PTR [RIP+0xB70A]
24C4 N/A .text CALL QWORD PTR [RIP+0xB196]
2CF4 N/A .text CALL QWORD PTR [RIP+0xA7FE]
31D0 N/A .text CALL QWORD PTR [RIP+0xA48A]
346B N/A .text CALL QWORD PTR [RIP+0xA08F]
3B56 N/A .text CALL QWORD PTR [RIP+0x9B04]
3B64 N/A .text CALL QWORD PTR [RIP+0x999E]
3BAA N/A .text CALL QWORD PTR [RIP+0x9950]
3D13 N/A .text CALL QWORD PTR [RIP+0x994F]
3D32 N/A .text CALL QWORD PTR [RIP+0x9930]
3DAE N/A .text JMP QWORD PTR [RIP+0x98B4]
4030 N/A .text CALL QWORD PTR [RIP+0x94EA]
4433 N/A .text CALL QWORD PTR [RIP+0x922F]
4477 N/A .text CALL QWORD PTR [RIP+0x91EB]
4529 N/A .text CALL QWORD PTR [RIP+0x9139]
45C3 N/A .text CALL QWORD PTR [RIP+0x8EAF]
4675 N/A .text CALL QWORD PTR [RIP+0x8EAD]
4680 N/A .text CALL QWORD PTR [RIP+0x8EB2]
468F N/A .text CALL QWORD PTR [RIP+0x8E9B]
46ED N/A .text CALL QWORD PTR [RIP+0x8E4D]
4703 N/A .text CALL QWORD PTR [RIP+0x8DDF]
471A N/A .text CALL QWORD PTR [RIP+0x8F48]
472A N/A .text CALL QWORD PTR [RIP+0x8DB0]
4C03 N/A .text CALL QWORD PTR [RIP+0x8A5F]
4EEC N/A .text CALL QWORD PTR [RIP+0x8776]
4F9E N/A .text CALL QWORD PTR [RIP+0x84CC]
4FF4 N/A .text CALL QWORD PTR [RIP+0x8496]
5028 N/A .text CALL QWORD PTR [RIP+0x846A]
5513 N/A .text CALL QWORD PTR [RIP+0x7F77]
55B3 N/A .text CALL QWORD PTR [RIP+0x7EDF]
568B N/A .text CALL QWORD PTR [RIP+0x7DFF]
572B N/A .text CALL QWORD PTR [RIP+0x7D67]
5880 N/A .text CALL QWORD PTR [RIP+0x7C0A]
58B5 N/A .text CALL QWORD PTR [RIP+0x7BDD]
58EC N/A .text CALL QWORD PTR [RIP+0x7B9E]
58FC N/A .text CALL QWORD PTR [RIP+0x7B96]
5995 N/A .text CALL QWORD PTR [RIP+0x7A9D]
59AD N/A .text CALL QWORD PTR [RIP+0x7A8D]
59E8 N/A .text CALL QWORD PTR [RIP+0x7A5A]
5A21 N/A .text CALL QWORD PTR [RIP+0x7A29]
5A2B N/A .text CALL QWORD PTR [RIP+0x7A2F]
5A36 N/A .text CALL QWORD PTR [RIP+0x7A1C]
5B77 N/A .text CALL QWORD PTR [RIP+0x7AEB]
5C15 N/A .text CALL QWORD PTR [RIP+0x7855]
5C3A N/A .text CALL QWORD PTR [RIP+0x78E8]
5C4D N/A .text JMP QWORD PTR [RIP+0x78E5]
5EB9 N/A .text CALL QWORD PTR [RIP+0x7541]
5EF2 N/A .text CALL QWORD PTR [RIP+0x7650]
5EFC N/A .text CALL QWORD PTR [RIP+0x758E]
6082 N/A .text CALL QWORD PTR [RIP+0x74D0]
610B N/A .text CALL QWORD PTR [RIP+0x744F]
6148 N/A .text CALL QWORD PTR [RIP+0x7402]
6186 N/A .text CALL QWORD PTR [RIP+0x73C4]
6746 N/A .text CALL QWORD PTR [RIP+0x6E2C]
675D N/A .text CALL QWORD PTR [RIP+0x6E0D]
6876 N/A .text CALL QWORD PTR [RIP+0x6D04]
6E2D N/A .text CALL QWORD PTR [RIP+0x6735]
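The entry-point listing and the Flow Anomalies table both rest on the same RVA/file-offset arithmetic. The script below, added as a worked example and not part of PESCAN.IO's output, embeds the report's section table, the 50 entry-point bytes and five of the flow rows; it reproduces the 660 entry-point file offset, shows that the branch targets in the entry-point listing come out as printed only when the bytes are based at 1000 (and what they are at the real entry RVA 1260), and resolves the RIP-relative displacements to the RVAs they reach. Instruction boundaries inside the entry bytes are taken from the report's own listing rather than from a disassembler, and the IAT test assumes the IAT occupies the start of .rdata, as the IAT RVA E000 in the header indicates.

```python
"""RVA / file-offset arithmetic for the WindowsPlayer.exe report above.  Added example, not
PESCAN.IO code.  SECTIONS, ENTRY_BYTES and FLOW_ROWS are copied from the report; all else is derived."""
import struct

SIZE_OF_IMAGE = 0xA8000
ENTRY_POINT_RVA = 0x1260
IAT_RVA = 0xE000

# (name, raw offset, raw size, virtual offset, virtual size) from "Sections Info"
SECTIONS = [
    (".text",  0x400,   0xCA00,  0x1000,  0xC8B0),
    (".rdata", 0xCE00,  0x9600,  0xE000,  0x948A),
    (".data",  0x16400, 0xC00,   0x18000, 0x1D38),
    (".pdata", 0x17000, 0x1000,  0x1A000, 0xEF4),
    ("_RDATA", 0x18000, 0x200,   0x1B000, 0x94),
    (".rsrc",  0x18200, 0x8A200, 0x1C000, 0x8A1A0),
    (".reloc", 0xA2400, 0x800,   0xA7000, 0x654),
]


def section_of(rva):
    """Name of the section whose mapped range contains rva, or None if unmapped."""
    for name, _roff, rsize, voff, vsize in SECTIONS:
        if voff <= rva < voff + max(vsize, rsize):
            return name
    return None


def rva_to_offset(rva):
    """File offset backing rva; None when unmapped or virtual-only (the zero-filled tail of .data)."""
    for _name, roff, rsize, voff, vsize in SECTIONS:
        if voff <= rva < voff + max(vsize, rsize):
            delta = rva - voff
            return roff + delta if delta < rsize else None
    return None


def offset_to_rva(off):
    """RVA a raw file offset is mapped to; None for header bytes or slack outside any section."""
    for _name, roff, rsize, voff, _vsize in SECTIONS:
        if roff <= off < roff + rsize:
            return voff + (off - roff)
    return None


# First 50 bytes at the entry point, from "Entry Point -> Code"
ENTRY_BYTES = bytes.fromhex(
    "4883EC28E85B0200004883C428E97AFEFFFFCCCC4883EC28E8DB07000085C07421"
    "65488B042530000000488B4808EB05483B"
)
# Relative branches in ENTRY_BYTES as (offset, opcode length, displacement size), in listing
# order: E8 call rel32, E9 jmp rel32, E8 call rel32, 74 je rel8, EB jmp rel8.
ENTRY_BRANCHES = [(4, 1, 4), (13, 1, 4), (24, 1, 4), (31, 1, 1), (46, 1, 1)]


def branch_targets(code, base_rva, branches=ENTRY_BRANCHES):
    """Targets of the relative branches when code is assumed to start at base_rva."""
    targets = []
    for off, oplen, dsize in branches:
        disp = struct.unpack_from("<i" if dsize == 4 else "<b", code, off + oplen)[0]
        targets.append((base_rva + off + oplen + dsize + disp) & 0xFFFFFFFF)
    return targets


# (file offset, displacement) for five "Flow Anomalies" rows; FF 15 / FF 25 disp32 is 6 bytes long
FLOW_ROWS = [(0x401, 0xD239), (0x5A9, 0xD0B1), (0x8F0, 0xCB32), (0xD14, 0xFFF3FF0), (0x6E2D, 0x6735)]


def rip_relative_target(file_off, disp, insn_len=6):
    """RVA a RIP-relative operand points at: RVA of the next instruction plus the displacement."""
    rva = offset_to_rva(file_off)
    if rva is None:
        return None, None
    target = (rva + insn_len + disp) & 0xFFFFFFFF
    return target, section_of(target)


def classify_flow_rows(rows=FLOW_ROWS):
    """Tag each row: import thunk through the IAT, another in-image pointer, or out of the image."""
    out = []
    for off, disp in rows:
        target, sec = rip_relative_target(off, disp)
        if target is None or sec is None or target >= SIZE_OF_IMAGE:
            verdict = "outside image as printed: re-check in a disassembler"
        elif sec == ".rdata" and target >= IAT_RVA:
            verdict = "IAT slot (ordinary import thunk)"
        else:
            verdict = "pointer in " + sec
        out.append((off, target, verdict))
    return out


if __name__ == "__main__":
    print("entry point file offset: %X" % rva_to_offset(ENTRY_POINT_RVA))
    print("targets as the report printed them (base 1000):",
          [hex(t) for t in branch_targets(ENTRY_BYTES, 0x1000)])
    print("targets at the real entry RVA 1260:",
          [hex(t) for t in branch_targets(ENTRY_BYTES, ENTRY_POINT_RVA)])
    for row in classify_flow_rows():
        print(row)
```

Run as-is it prints 660 for the entry point, the five targets exactly as the report lists them when based at 1000, the same five shifted by 260 when based at the real entry RVA, and IAT verdicts for four of the five flow rows; the D14 row is the one the check refuses to classify from the printed displacement.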
Extra Analysis
Metric          Value   Percentage
Ascii Code      294191  44,1315%
Null Byte Code  49583   7,4379%