PESCAN.IO - Analysis Report Basic |
|||||||
| File Structure |
|
PE Chart Code
Header PE (light blue)
Executable sections (pink)
Non-executable sections (black)
External injected code (red)
File Structure in red = malformed or corrupted header
Chart Code For Other Files
Printable characters (blue)
Non-printable characters (black)
| Information |
Icon: Size: 638,50 KBSHA-256 Hash: CA14302EA9DAF0D8FE0A4901A76ABFA03AF41C84471222B149DC85D7D3B2AF87 SHA-1 Hash: 4C2A199B5DDFB0F3AD6D048D2F0F8F575771BC87 MD5 Hash: BD6BAA2462AC72608F85324015F44155 Imphash: 5F74A5C747508E2822FDB9B687DEAF42 MajorOSVersion: 6 MinorOSVersion: 0 CheckSum: 00000000 EntryPoint (rva): 1260 SizeOfHeaders: 400 SizeOfImage: A5000 ImageBase: 0000000140000000 Architecture: x64 ExportTable: 144A0 ImportTable: 14528 IAT: C000 Characteristics: 22 TimeDateStamp: 63D8AFE6 Date: 31/01/2023 6:06:30 File Type: EXE File Type: DLL Number Of Sections: 7 ASLR: Disabled Section Names (Optional Header): .text, .rdata, .data, .pdata, _RDATA, .rsrc, .reloc Number Of Executable Sections: 1 Subsystem: Windows GUI |
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 0x60000020 Code Executable Readable |
400 | A200 | 1000 | A120 |
|
|
| .rdata | 0x40000040 Initialized Data Readable |
A600 | 8E00 | C000 | 8C6E |
|
|
| .data | 0xC0000040 Initialized Data Readable Writeable |
13400 | C00 | 15000 | 1CD8 |
|
|
| .pdata | 0x40000040 Initialized Data Readable |
14000 | E00 | 17000 | C48 |
|
|
| _RDATA | 0x40000040 Initialized Data Readable |
14E00 | 200 | 18000 | 94 |
|
|
| .rsrc | 0x40000040 Initialized Data Readable |
15000 | 8A200 | 19000 | 8A198 |
|
|
| .reloc | 0x42000040 Initialized Data GP-Relative Readable |
9F200 | 800 | A4000 | 634 |
|
|
| Description |
| LegalCopyright: (c) 2023 Unity Technologies ApS. All rights reserved. FileVersion: 2020.3.45.6687953 ProductVersion: 2020.3.45f1 (660cd1701bd5) Language: English (United States) (ID=0x409) CodePage: Unicode (UTF-16 LE) (0x4B0) |
| Entry Point |
The section number (1) have the Entry Point Information -> EntryPoint (calculated) - 660 Code -> 4883EC28E85B0200004883C428E97AFEFFFFCCCC4883EC28E8DB07000085C0742165488B042530000000488B4808EB05483B Assembler |SUB RSP, 0X28 |CALL 0X1264 |ADD RSP, 0X28 |JMP 0XE8C |INT3 |INT3 |SUB RSP, 0X28 |CALL 0X17F8 |TEST EAX, EAX |JE 0X1042 |MOV RAX, QWORD PTR GS:[0X30] |MOV RCX, QWORD PTR [RAX + 8] |JMP 0X1035 |
| Signatures |
| Rich Signature Analyzer: Code -> 2710773A63711969637119696371196938191D686971196938191A686671196938191C68EB7119693819186861711969681E1C6846711969681E1D6873711969681E1A686B711969A51E1868607119696371186936711969A51E1C6861711969A51E196862711969A51EE66962711969A51E1B68627119695269636863711969 Footprint md5 Hash -> 2A022D84318181B87A9CBAE3B0C73610 • The Rich header apparently has not been modified Certificate - Digital Signature Not Found: • The file is not signed |
| Packer/Compiler |
| Compiler: Microsoft Visual Studio Detect It Easy (die) • PE+(64): compiler: Microsoft Visual C/C++(-)[-] • PE+(64): linker: Microsoft Linker(14.25**)[-] • Entropy: 3.64097 |
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |
| File Access |
| WindowsPlayer.exe KERNEL32.dll UnityPlayer.dll .dat @.dat |
| File Access (UNICODE) |
| mscoree.dll |
| Interest's Words |
| exec start |
| URLs |
| http://schemas.microsoft.com/SMI/2005/WindowsSettings http://schemas.microsoft.com/SMI/2016/WindowsSettings |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | Anti-Analysis VM (IsDebuggerPresent) |
| Text | Ascii | Reconnaissance (FindNextFileW) |
| Text | Ascii | Reconnaissance (FindClose) |
| Text | Ascii | Stealth (CloseHandle) |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8.0 (DLL) |
| Entry Point | Hex Pattern | PE-Exe Executable Image |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \ICON\1\1033 | 192B0 | 42028 | 152B0 | 2800000000010000000200000100200000000000000000000000000000000000000000000000000000010000000100000001 | (............. ................................... |
| \ICON\2\1033 | 5B2D8 | 25228 | 572D8 | 28000000C0000000800100000100200000000000000000000000000000000000000000000000000000010000000100000001 | (............. ................................... |
| \ICON\3\1033 | 80500 | 10828 | 7C500 | 2800000080000000000100000100200000000000000000000000000000000000000000000000000000010000000100000001 | (............. ................................... |
| \ICON\4\1033 | 90D28 | 94A8 | 8CD28 | 2800000060000000C00000000100200000000000000000000000000000000000000000000000000000010000000100000001 | (............ ................................... |
| \ICON\5\1033 | 9A1D0 | 4228 | 961D0 | 2800000040000000800000000100200000000000000000000000000000000000000000000000000000010000000100000001 | (...@......... ................................... |
| \ICON\6\1033 | 9E3F8 | 25A8 | 9A3F8 | 2800000030000000600000000100200000000000000000000000000000000000000000000000000000010000000100000001 | (...0........ ................................... |
| \ICON\7\1033 | A09A0 | 10A8 | 9C9A0 | 2800000020000000400000000100200000000000000000000000000000000000000000000000000000010000000100000001 | (... ...@..... ................................... |
| \ICON\8\1033 | A1A48 | 988 | 9DA48 | 2800000018000000300000000100200000000000000000000000000000000000000000000000000000010000000100000001 | (.......0..... ................................... |
| \ICON\9\1033 | A23D0 | 468 | 9E3D0 | 2800000010000000200000000100200000000000000000000000000000000000000000000000000000010000000100000202 | (....... ..... ................................... |
| \GROUP_ICON\103\1033 | A2838 | 84 | 9E838 | 0000010009000000000001002000282004000100C0C000000100200028520200020080800000010020002808010003006060 | ............ .( .......... .(R.......... .(..... |
| \VERSION\1\1033 | A2F88 | 20C | 9EF88 | 0C0234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000300 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \24\1\1033 | A28C0 | 6C1 | 9E8C0 | 3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E653D2279 | <?xml version="1.0" encoding="UTF-8" standalone="y |
| Intelligent String |
| • mscoree.dll • C:\build\output\unity\unity\artifacts\WindowsPlayer\Win64_VS2019_nondev_m_r\WindowsPlayer_Master_mono_x64.pdb • .bss • KERNEL32.dll • <dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">True/PM</dpiAware> • <dpiAwareness xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">PerMonitorV2</dpiAwareness> |
| Flow Anomalies |
| Offset | RVA | Section | Description |
|---|---|---|---|
| 401 | N/A | .text | JMP QWORD PTR [RIP+0xB209] |
| 5A9 | N/A | .text | CALL QWORD PTR [RIP+0xB081] |
| 8F0 | N/A | .text | CALL QWORD PTR [RIP+0xAB2A] |
| 8FE | N/A | .text | CALL QWORD PTR [RIP+0xAB14] |
| 90A | N/A | .text | CALL QWORD PTR [RIP+0xAB00] |
| 91A | N/A | .text | CALL QWORD PTR [RIP+0xAAE8] |
| 98C | N/A | .text | JMP QWORD PTR [RIP+0xAA96] |
| A34 | N/A | .text | CALL QWORD PTR [RIP+0xA9F6] |
| A4E | N/A | .text | CALL QWORD PTR [RIP+0xA9E4] |
| A8F | N/A | .text | CALL QWORD PTR [RIP+0xA9AB] |
| AE3 | N/A | .text | CALL QWORD PTR [RIP+0xA95F] |
| B04 | N/A | .text | CALL QWORD PTR [RIP+0xA94E] |
| B0F | N/A | .text | CALL QWORD PTR [RIP+0xA93B] |
| B54 | N/A | .text | CALL QWORD PTR [RIP+0xA906] |
| B82 | N/A | .text | CALL QWORD PTR [RIP+0xA8E8] |
| BD8 | N/A | .text | JMP QWORD PTR [RIP+0xA87A] |
| C5E | N/A | .text | CALL QWORD PTR [RIP+0xA9CC] |
| C9A | N/A | .text | CALL QWORD PTR [RIP+0xA990] |
| D14 | N/A | .text | JMP QWORD PTR [RIP+0xFFF3FF0] |
| E70 | N/A | .text | JMP QWORD PTR [RIP+0xA5F2] |
| F49 | N/A | .text | CALL QWORD PTR [RIP+0xA791] |
| F87 | N/A | .text | CALL QWORD PTR [RIP+0xA4F3] |
| 112A | N/A | .text | CALL QWORD PTR [RIP+0xA500] |
| 1407 | N/A | .text | CALL QWORD PTR [RIP+0xA07B] |
| 148E | N/A | .text | CALL QWORD PTR [RIP+0x9FFC] |
| 1567 | N/A | .text | CALL QWORD PTR [RIP+0x9F3B] |
| 1603 | N/A | .text | CALL QWORD PTR [RIP+0x9EDF] |
| 1611 | N/A | .text | CALL QWORD PTR [RIP+0x9E71] |
| 163B | N/A | .text | CALL QWORD PTR [RIP+0x9EA7] |
| 1681 | N/A | .text | CALL QWORD PTR [RIP+0x9E51] |
| 168D | N/A | .text | CALL QWORD PTR [RIP+0x9E4D] |
| 16FF | N/A | .text | JMP QWORD PTR [RIP+0x9F2B] |
| 170B | N/A | .text | JMP QWORD PTR [RIP+0x9DA7] |
| 1748 | N/A | .text | JMP QWORD PTR [RIP+0x9EE2] |
| 1754 | N/A | .text | JMP QWORD PTR [RIP+0x9D76] |
| 1790 | N/A | .text | JMP QWORD PTR [RIP+0x9E9A] |
| 179C | N/A | .text | JMP QWORD PTR [RIP+0x9D1E] |
| 17DC | N/A | .text | CALL QWORD PTR [RIP+0x9E4E] |
| 17E4 | N/A | .text | CALL QWORD PTR [RIP+0x9CDE] |
| 183B | N/A | .text | CALL QWORD PTR [RIP+0x9DEF] |
| 1843 | N/A | .text | CALL QWORD PTR [RIP+0x9C67] |
| 1EBF | N/A | .text | CALL QWORD PTR [RIP+0x976B] |
| 1ED4 | N/A | .text | CALL QWORD PTR [RIP+0x9756] |
| 1F5C | N/A | .text | JMP QWORD PTR [RIP+0x96CE] |
| 21E0 | N/A | .text | CALL QWORD PTR [RIP+0x9322] |
| 25DD | N/A | .text | CALL QWORD PTR [RIP+0x904D] |
| 2621 | N/A | .text | CALL QWORD PTR [RIP+0x9009] |
| 26CB | N/A | .text | CALL QWORD PTR [RIP+0x8F5F] |
| 276B | N/A | .text | CALL QWORD PTR [RIP+0x8CFF] |
| 2831 | N/A | .text | CALL QWORD PTR [RIP+0x8CD9] |
| 283C | N/A | .text | CALL QWORD PTR [RIP+0x8CDE] |
| 284B | N/A | .text | CALL QWORD PTR [RIP+0x8CC7] |
| 2870 | N/A | .text | CALL QWORD PTR [RIP+0x8CB2] |
| 2886 | N/A | .text | CALL QWORD PTR [RIP+0x8C54] |
| 2893 | N/A | .text | CALL QWORD PTR [RIP+0x8D97] |
| 28A3 | N/A | .text | CALL QWORD PTR [RIP+0x8C2F] |
| 2D6D | N/A | .text | CALL QWORD PTR [RIP+0x88BD] |
| 3046 | N/A | .text | CALL QWORD PTR [RIP+0x85E4] |
| 308E | N/A | .text | CALL QWORD PTR [RIP+0x83D4] |
| 35B3 | N/A | .text | CALL QWORD PTR [RIP+0x7ECF] |
| 3651 | N/A | .text | CALL QWORD PTR [RIP+0x7E39] |
| 372F | N/A | .text | CALL QWORD PTR [RIP+0x7D53] |
| 37CD | N/A | .text | CALL QWORD PTR [RIP+0x7CBD] |
| 38C5 | N/A | .text | CALL QWORD PTR [RIP+0x7B65] |
| 38DD | N/A | .text | CALL QWORD PTR [RIP+0x7B55] |
| 3918 | N/A | .text | CALL QWORD PTR [RIP+0x7B22] |
| 3951 | N/A | .text | CALL QWORD PTR [RIP+0x7AF1] |
| 395B | N/A | .text | CALL QWORD PTR [RIP+0x7AF7] |
| 3966 | N/A | .text | CALL QWORD PTR [RIP+0x7AE4] |
| 39FC | N/A | .text | CALL QWORD PTR [RIP+0x7C2E] |
| 3A89 | N/A | .text | CALL QWORD PTR [RIP+0x79D9] |
| 3AAE | N/A | .text | CALL QWORD PTR [RIP+0x7A5C] |
| 3AC1 | N/A | .text | JMP QWORD PTR [RIP+0x7A59] |
| 3D41 | N/A | .text | CALL QWORD PTR [RIP+0x77E9] |
| 3D7A | N/A | .text | CALL QWORD PTR [RIP+0x77B8] |
| 3D8C | N/A | .text | CALL QWORD PTR [RIP+0x76F6] |
| 3F24 | N/A | .text | CALL QWORD PTR [RIP+0x761E] |
| 3F81 | N/A | .text | CALL QWORD PTR [RIP+0x75C9] |
| 3FAC | N/A | .text | CALL QWORD PTR [RIP+0x758E] |
| 3FD0 | N/A | .text | CALL QWORD PTR [RIP+0x756A] |
| 3FDE | N/A | .text | CALL QWORD PTR [RIP+0x755C] |
| 44FE | N/A | .text | CALL QWORD PTR [RIP+0x7064] |
| 4515 | N/A | .text | CALL QWORD PTR [RIP+0x7045] |
| 4626 | N/A | .text | CALL QWORD PTR [RIP+0x6F44] |
| 4B2B | N/A | .text | CALL QWORD PTR [RIP+0x6A27] |
| 4B77 | N/A | .text | CALL QWORD PTR [RIP+0x69F3] |
| 4D80 | N/A | .text | CALL QWORD PTR [RIP+0x67F2] |
| 4D8D | N/A | .text | CALL QWORD PTR [RIP+0x67ED] |
| 4DF8 | N/A | .text | JMP QWORD PTR [RIP+0x678A] |
| 4E90 | N/A | .text | JMP QWORD PTR [RIP+0x66FA] |
| 4EAC | N/A | .text | CALL QWORD PTR [RIP+0x66E6] |
| 4F19 | N/A | .text | CALL QWORD PTR [RIP+0x6681] |
| 4F93 | N/A | .text | JMP QWORD PTR [RIP+0x64FF] |
| 4FBB | N/A | .text | CALL QWORD PTR [RIP+0x64E7] |
| 4FE7 | N/A | .text | JMP QWORD PTR [RIP+0x64B3] |
| 50FD | N/A | .text | CALL QWORD PTR [RIP+0x63A5] |
| 51ED | N/A | .text | JMP QWORD PTR [RIP+0x62A5] |
| 5215 | N/A | .text | JMP QWORD PTR [RIP+0x6285] |
| 5296 | N/A | .text | CALL QWORD PTR [RIP+0x630C] |
| 5370 | N/A | .text | CALL QWORD PTR [RIP+0x60EA] |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 158565 | 24,2519% |
| Null Byte Code | 339927 | 51,9906% |
© 2026 All rights reserved.