PESCAN.IO - Analysis Report Basic

File Structure
[Chart image not reproduced in this extraction. Legend for the PE chart: executable header (light blue), executable sections (pink), non-executable sections (black), external injected code (red); a file structure drawn in red indicates a malformed or corrupted header. Legend for non-PE charts: printable characters (blue), non-printable characters (black).]
Information
Size: 74.37 KB (76,152 bytes; the raw sections end at 11000 and the 1978-byte signature overlay ends exactly at end of file, see the overlay note under Flow Anomalies)
SHA-256 Hash: 7B9C0A8B2B86BBF5D7E02F2620B0015A2530CBBC99724BE20313DE53EB31D62E
SHA-1 Hash: FB5B58A9E6FAFCEF692C4F45419AEEE8D31E1E55
MD5 Hash: CD421DDB5C6E5458CE52EDC36DE7DC5B
Imphash: DC150D1A5EEB0DD72DC98DBEE870A102
MajorOSVersion: 4
MinorOSVersion: 0
CheckSum: 0001DF78
EntryPoint (rva): 5228 (VA 405228, inside .text)
SizeOfHeaders: 1000
SizeOfImage: 16000
ImageBase: 400000
Architecture: x86
ImportTable: F148
IAT: D000
Characteristics: 10F (EXECUTABLE_IMAGE | 32BIT_MACHINE | RELOCS_STRIPPED | LINE_NUMS_STRIPPED | LOCAL_SYMS_STRIPPED)
TimeDateStamp: 538D000A
Date: 2014-06-02 22:51:54 UTC (the tool's original DD/MM/YYYY rendering was 02/06/2014)
File Type: EXE
Number Of Sections: 3
ASLR: Disabled (consistent with RELOCS_STRIPPED in Characteristics: the image has no relocations and must load at 400000)
Section Names: .text, .rdata, .data
Number Of Executable Sections: 1
Subsystem: Windows Console
All header values above are hexadecimal.

Sections Info
Section  Flags     Characteristics                         ROffset  RSize  VOffset  VSize  Entropy   Chi2
.text    60000020  Code, Executable, Readable              1000     C000   1000     B6ED   6.498536  6112.26
.rdata   40000040  Initialized Data, Readable              D000     3000   D000     2D24   5.067629  9106.75
.data    C0000040  Initialized Data, Readable, Writeable   10000    1000   10000    5288   1.620973  8889.75
Offsets and sizes are hexadecimal. Raw and virtual offsets coincide for every section, so file offsets equal RVAs throughout. Raw data ends at 11000, where the overlay begins. .data's virtual size (5288) exceeds its raw size (1000) because of zero-initialised data, and SizeOfImage 16000 is 10000 + 5288 rounded up to the next 1000-byte page.
Entry Point
The entry point (RVA 5228, file offset 5228) lies in section 1 (.text).
Information -> EntryPoint (calculated) - 5228
Code -> 6A1868B8DF4000E840FEFFFFBF940000008BC7E8D0F9FFFF8965E88BF4893E56FF1524D140008B4E10890DD83C41008B4604
6A 18                push 0x18
68 B8 DF 40 00       push 0x40DFB8              ; pointer into .rdata
E8 40 FE FF FF       call 0x405074              ; rel32 = -0x1C0 from the next instruction
BF 94 00 00 00       mov edi, 0x94              ; 0x94 = 148 = sizeof(OSVERSIONINFOA)
8B C7                mov eax, edi
E8 D0 F9 FF FF       call 0x404C10              ; rel32 = -0x630 (stack probe for the 0x94-byte buffer)
89 65 E8             mov dword ptr [ebp-0x18], esp
8B F4                mov esi, esp
89 3E                mov dword ptr [esi], edi   ; dwOSVersionInfoSize
56                   push esi
FF 15 24 D1 40 00    call dword ptr [0x40D124]  ; IAT slot at the start of .rdata (IAT directory RVA D000)
8B 4E 10             mov ecx, dword ptr [esi+0x10]   ; dwPlatformId
89 0D D8 3C 41 00    mov dword ptr [0x413CD8], ecx   ; global in .data
8B 46 04             mov eax, dword ptr [esi+4]      ; dwMajorVersion
The tool's original listing printed the two near-call targets as 0xE4C and 0x9E8, which are the rel32 displacements resolved against a base of 0x1000 rather than the real entry point; resolved against RVA 5228 they are RVA 5074 and 4C10 (VA 0x405074 and 0x404C10). The sequence (SEH frame setup, stack probe for a 0x94-byte OSVERSIONINFOA, a version query through the IAT, caching of the platform id and major version in .data) is the stock MSVC 7.x CRT startup stub and agrees with the compiler detection below. The report does not resolve which import the slot at 0x40D124 holds.

Signatures
Rich Signature Analyzer:
Code -> C3122764A27C7464A27C7464A27C7477AA157467A27C7461AE737472A27C7461AE237414A27C749E81657466A27C7477AA217466A27C74E7AA217469A27C7464A27D74E9A27C7461AE1C7462A27C7461AE267465A27C745269636864A27C74
Footprint md5 Hash -> C815131B8A1725992F1795A960AA5F23
• Unusual or modified Rich structure: (64A27C74)
The value in parentheses is the XOR key: bytes 64 A2 7C 74 (0x747CA264 as a little-endian dword), which is the dword that follows the trailing "Rich" marker (52 69 63 68). "DanS" (44 61 6E 53) XOR that key is 20 C3 12 27, but the dump above starts at C3 12 27: the leading 0x20 byte (an ASCII space) was evidently dropped by the string extractor, which leaves the dump one byte short and misaligned when read as dwords. With that byte restored the header is well formed: DanS, three padding dwords equal to the key, nine (comp.id, count) pairs, "Rich", key. Four of the nine pairs carry build number 3077, the Visual Studio .NET 2003 RTM toolset (7.10.3077), matching the Linker(7.10) detection below. The "unusual structure" flag is therefore best read as an artifact of the dump rather than evidence of tampering; the real tamper check is to recompute the key as the Rich checksum over the DOS header (with e_lfanew zeroed) and the entries and compare it with 0x747CA264.
Certificate - Digital Signature:
• The file is signed and the signature is correct
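The following is an added example, not part of the pescan report or of any Even Balance code: a small Rich header decoder that takes the hex dump printed above, re-inserts the missing 0x20 byte (an assumption made here, not something the report states), recovers the key from the dword after "Rich", verifies the "DanS" marker and padding, and unpacks each (comp.id, count) pair into product id, build number and object count. It also shows that the dump exactly as printed fails to parse, which is the likely origin of the tool's "unusual structure" flag.

```python
import struct

# Rich header dump exactly as printed in the report. The first byte of the
# XORed "DanS" marker is 0x20 (an ASCII space) and is missing from the report's
# dump; this example restores it. That restoration is an assumption made here,
# not something the report states.
REPORT_DUMP = (
    "C3122764A27C7464A27C7464A27C7477AA157467A27C7461AE737472A27C7461"
    "AE237414A27C749E81657466A27C7477AA217466A27C74E7AA217469A27C7464"
    "A27D74E9A27C7461AE1C7462A27C7461AE267465A27C745269636864A27C74"
)

DANS = 0x536E6144   # "DanS" as a little-endian dword
RICH = 0x68636952   # "Rich" as a little-endian dword


def parse_rich_header(blob: bytes):
    """Decode a raw Rich header blob running from the XORed "DanS" dword to the
    key dword that follows "Rich". Returns (key, entries) with entries as
    (prodid, build, count) tuples; raises ValueError if the layout is off."""
    if len(blob) % 4 or len(blob) < 24:
        raise ValueError("blob length %d is not a whole number of dwords" % len(blob))
    words = struct.unpack("<%dI" % (len(blob) // 4), blob)
    if words[-2] != RICH:
        raise ValueError("'Rich' marker not found before the key")
    key = words[-1]
    if words[0] ^ key != DANS:
        raise ValueError("key 0x%08X does not decode the first dword to 'DanS'" % key)
    if any(w != key for w in words[1:4]):
        raise ValueError("the three padding dwords after 'DanS' must equal the key")
    body = words[4:-2]
    if len(body) % 2:
        raise ValueError("entries must come in (comp.id, count) pairs")
    entries = []
    for compid, count in zip(body[0::2], body[1::2]):
        compid ^= key
        # comp.id packs the product id in the high word and the build in the low word
        entries.append((compid >> 16, compid & 0xFFFF, count ^ key))
    return key, entries


def decode_report_dump(hex_dump: str, restore_leading_space: bool = True):
    """Decode a pescan-style hex dump, optionally re-inserting the 0x20 byte."""
    blob = bytes.fromhex(hex_dump)
    if restore_leading_space:
        blob = b"\x20" + blob
    return parse_rich_header(blob)


def dump_is_misaligned(hex_dump: str) -> bool:
    """True when the dump as printed cannot be parsed as a Rich header."""
    try:
        parse_rich_header(bytes.fromhex(hex_dump))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    key, entries = decode_report_dump(REPORT_DUMP)
    print("key 0x%08X, %d entries, raw dump misaligned: %s"
          % (key, len(entries), dump_is_misaligned(REPORT_DUMP)))
    for prodid, build, count in entries:
        print("  prodid 0x%04X  build %5d  count %3d" % (prodid, build, count))
```

Run stand-alone it prints key 0x747CA264 and nine entries, four of them with build 3077. The decoder deliberately does not map product ids to tool names, since the report gives none; to turn this into a tamper check, compute the Rich checksum over the DOS header (with e_lfanew zeroed) and the entries of the actual file and compare it with the key the parser returns.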

Packer/Compiler
Compiler: Microsoft Visual C++
Compiler: Microsoft Visual C++ 6-8
Detect It Easy (die)
PE: compiler: EP:Microsoft Visual C/C++(2003 v.7.1 (3052-9782))[EXE32]
PE: compiler: Microsoft Visual C/C++(2003)[libcmt]
PE: linker: Microsoft Linker(7.10)[-]
PE: Sign tool: Windows Authenticode(2.0)[PKCS 7]
Entropy: 6.25853
The detections agree on an unpacked Visual C++ 7.1 (Visual Studio .NET 2003) build statically linked against libcmt, with no packer or protector reported. The whole-file entropy of 6.26 and the .text entropy of 6.50 are in the normal range for native x86 code, well below the values approaching 8 seen in packed or encrypted sections.

Suspicious Functions
Library       Function            Description
KERNEL32.DLL  GetModuleFileNameA  Retrieves the fully qualified path for the executable file of a specified module.
KERNEL32.DLL  VirtualAlloc        Reserves, commits, or both, a region of memory within the virtual address space of a process.
KERNEL32.DLL  GetModuleHandleA    Retrieves a handle to the specified module.
KERNEL32.DLL  CopyFileA           Copies an existing file to a new file.
KERNEL32.DLL  WriteFile           Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL  LoadLibraryA        Loads the specified module into the address space of the calling process.
KERNEL32.DLL  ReadProcessMemory   Reads data from an area of memory in a specified process.
KERNEL32.DLL  GetProcAddress      Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL  CreateFileA         Creates or opens a file or I/O device.
KERNEL32.DLL  DeleteFileA         Deletes an existing file.
ADVAPI32.DLL  RegCreateKeyExA     Creates a new registry key or opens an existing one.
ADVAPI32.DLL  RegSetValueExA      Sets the data and type of a specified value under a registry key.
These are plain named imports, not dynamically resolved ones, so they are visible in the import table and the imphash. Taken together with the service-related matches further down (OpenSCManager, CreateService, StartServiceCtrlDispatcher), the registry keys below and the PnkBstrB.exe / PnkBstrA.log strings, they describe a self-installing Windows service that copies, writes and deletes files and reads other processes' memory, which is the behaviour the embedded strings attribute to the PunkBuster service component.
Windows Registry keys
SOFTWARE\Even Balance\PnkBstrA
SYSTEM\CurrentControlSet\Services\PnkBstrA

File Access
PnkBstrB.exe
CRYPT32.dll
WINTRUST.dll
PSAPI.DLL
WSOCK32.dll
SHELL32.dll
ADVAPI32.dll
USER32.dll
KERNEL32.dll
mscoree.dll
\pbcl.dll
@.dat
\PnkBstrA.log
Temp
The DLL names are module strings found in the file (import names and LoadLibrary targets), not files observed being opened. mscoree.dll in a native VC++ 7.1 binary comes from the CRT's exit path, which looks the module up to call CorExitProcess when the .NET runtime is loaded; it is not by itself evidence of managed code. WINTRUST.dll and CRYPT32.dll are consistent with the program verifying signatures itself.

Words of Interest
exec
attrib
start
systeminfo
ping
These are substring hits and are weak on their own; "exec" and "start" occur inside ordinary identifiers, while "attrib", "systeminfo" and "ping" would only be meaningful if found next to a command-line or shell-invocation string, which this report does not show.

URLs
http://www.evenbalance.com
http://ocsp.thawte.com
http://crl.thawte.com/ThawteTimestampingCA.crl
http://ts-ocsp.ws.symantec.com
http://ts-aia.ws.symantec.com/tss-ca-g2.cer
http://ts-crl.ws.symantec.com/tss-ca-g2.crl
http://csc3-2010-crl.verisign.com/CSC3-2010.crl
http://ocsp.verisign.com
http://csc3-2010-aia.verisign.com/CSC3-2010.cer
http://logo.verisign.com/vslogo.gif04
http://crl.verisign.com/pca3-g5.crl
https://www.verisign.com/rpa
https://www.verisign.com/rpa0
https://www.verisign.com/cps0*
https://www.verisign.com/rpa0
Every entry except http://www.evenbalance.com is a CRL, OCSP, AIA, logotype or policy URL from the Authenticode certificate chain embedded in the overlay (a VeriSign CSC3-2010 code-signing CA and Thawte/Symantec timestamping services); they describe the signature, not network activity of the program. The trailing "04", "0" and "0*" characters are adjacent ASN.1 bytes that the string scanner swept up along with the URL.

IP Addresses
127.0.0.1

Strings/Hex Code Found With The File Rules
Rule Type    Encoding     Matched (Word)
Text         Ascii        WinAPI Sockets (bind)
Text         Ascii        Registry (RegCreateKeyEx)
Text         Ascii        Registry (RegOpenKeyEx)
Text         Ascii        Registry (RegSetValueEx)
Text         Ascii        File (CopyFile)
Text         Ascii        File (CreateFile)
Text         Ascii        File (WriteFile)
Text         Ascii        File (ReadFile)
Text         Ascii        Service (OpenSCManager)
Text         Ascii        Service (CreateService)
Text         Ascii        Service (StartServiceCtrlDispatcher)
Text         Ascii        Anti-Analysis VM (GetSystemInfo)
Text         Ascii        Anti-Analysis VM (GetVersion)
Text         Ascii        Stealth (CloseHandle)
Text         Ascii        Stealth (VirtualAlloc)
Text         Ascii        Stealth (VirtualProtect)
Text         Ascii        Stealth (ReadProcessMemory)
Text         Ascii        Antivirus Software (Symantec)
Text         Ascii        Privileges (SeDebugPrivilege)
Text         Ascii        Privileges (SeLoadDriverPrivilege)
Text         Ascii        Privileges (SeProfileSingleProcessPrivilege)
Text         Ascii        Privileges (SeSecurityPrivilege)
Text         Ascii        Privileges (SeSystemEnvironmentPrivilege)
Entry Point  Hex Pattern  Armadillo v2.xx (CopyMem II)
Entry Point  Hex Pattern  Microsoft Visual C++ 7.0
Entry Point  Hex Pattern  Microsoft Visual C++ v7.0
Entry Point  Hex Pattern  PE-Exe Executable Image
The category names are the scanner's rule labels and should not be read as findings: GetVersion, GetSystemInfo, CloseHandle and VirtualAlloc are present in essentially every MSVC CRT build, and "Symantec" matches the timestamping URLs of the certificate chain, not security software. The Armadillo hit contradicts the two Visual C++ 7.0 matches on the same entry-point bytes, the Detect It Easy result (compiler 7.1, no packer) and the ordinary .text entropy; the Armadillo signature overlaps the MSVC CRT startup stub and is a frequent false positive on plain MSVC builds. The privilege names (SeDebugPrivilege, SeLoadDriverPrivilege and the rest) and ReadProcessMemory are the more interesting matches, since they fit a service that adjusts its token to inspect other processes.
Intelligent String
• PnkBstrB.exe
• PnkBstrB.xtr
• PunkBuster Client (\pbcl.dll
• PunkBuster Service Component [v1041] http://www.evenbalance.comSYSTEM\CurrentControlSet\Services\PnkBstrA
• 127.0.0.1
• PnkBstrA v1041 Service Started Successfully. This service is a component of the PunkBuster Anti-Cheat system. Visit http://www.evenbalance.com for more information.
• abc\PnkBstrA.log
• 32@1.2.840.113549.1.9.5
• kernel32.dll
• WINTRUST.dll
The fourth entry is three adjacent strings whose NUL separators were dropped by the extractor: the product/version banner, the vendor URL and the service registry path. 1.2.840.113549.1.9.5 is the PKCS#9 signingTime attribute OID and comes from the signature overlay rather than from the program's own data.

Flow Anomalies
Every "absolute memory address" listed below lies between 40D000 and 40D224, the first bytes of .rdata, which is where the IAT directory starts (IAT RVA D000, VA 40D000). A call dword ptr [imm32] through an IAT slot is simply how MSVC invokes an imported function, and the run of 6-byte jmp dword ptr [imm32] stubs at 3AD6-3B12 is the compiler-generated import thunk table. In an unpacked, signed MSVC build none of these entries is anomalous; an indirect call or jump through an address outside the IAT, or into .data, would be. The "RVA" column holds the absolute operand (a VA), and the Offset column equals the RVA because .text has identical raw and virtual offsets.
Offset RVA Section Description
1147 40D018 .text CALL [static] | Indirect call to absolute memory address
119D 40D010 .text CALL [static] | Indirect call to absolute memory address
11BE 40D040 .text CALL [static] | Indirect call to absolute memory address
11C8 40D004 .text CALL [static] | Indirect call to absolute memory address
11E6 40D040 .text CALL [static] | Indirect call to absolute memory address
11F0 40D004 .text CALL [static] | Indirect call to absolute memory address
1214 40D040 .text CALL [static] | Indirect call to absolute memory address
121E 40D004 .text CALL [static] | Indirect call to absolute memory address
12F6 40D004 .text CALL [static] | Indirect call to absolute memory address
1312 40D0F8 .text CALL [static] | Indirect call to absolute memory address
13FF 40D100 .text CALL [static] | Indirect call to absolute memory address
1489 40D004 .text CALL [static] | Indirect call to absolute memory address
14C5 40D008 .text CALL [static] | Indirect call to absolute memory address
1503 40D004 .text CALL [static] | Indirect call to absolute memory address
151E 40D00C .text CALL [static] | Indirect call to absolute memory address
1528 40D100 .text CALL [static] | Indirect call to absolute memory address
15A0 40D018 .text CALL [static] | Indirect call to absolute memory address
15C9 40D014 .text CALL [static] | Indirect call to absolute memory address
15E2 40D010 .text CALL [static] | Indirect call to absolute memory address
15FB 40D0F0 .text CALL [static] | Indirect call to absolute memory address
1602 40D040 .text CALL [static] | Indirect call to absolute memory address
161F 40D0EC .text CALL [static] | Indirect call to absolute memory address
1626 40D024 .text CALL [static] | Indirect call to absolute memory address
163F 40D020 .text CALL [static] | Indirect call to absolute memory address
1674 40D100 .text CALL [static] | Indirect call to absolute memory address
168C 40D020 .text CALL [static] | Indirect call to absolute memory address
16B6 40D100 .text CALL [static] | Indirect call to absolute memory address
16CE 40D020 .text CALL [static] | Indirect call to absolute memory address
16F8 40D100 .text CALL [static] | Indirect call to absolute memory address
170C 40D020 .text CALL [static] | Indirect call to absolute memory address
1732 40D100 .text CALL [static] | Indirect call to absolute memory address
1746 40D020 .text CALL [static] | Indirect call to absolute memory address
176C 40D100 .text CALL [static] | Indirect call to absolute memory address
17AA 40D038 .text CALL [static] | Indirect call to absolute memory address
182C 40D0F4 .text CALL [static] | Indirect call to absolute memory address
1850 40D100 .text CALL [static] | Indirect call to absolute memory address
18FE 40D0E8 .text CALL [static] | Indirect call to absolute memory address
198D 40D02C .text CALL [static] | Indirect call to absolute memory address
19A1 40D0F4 .text CALL [static] | Indirect call to absolute memory address
19BF 40D038 .text CALL [static] | Indirect call to absolute memory address
1B17 40D030 .text CALL [static] | Indirect call to absolute memory address
1BA3 40D000 .text CALL [static] | Indirect call to absolute memory address
1BD0 40D100 .text CALL [static] | Indirect call to absolute memory address
1BF7 40D03C .text CALL [static] | Indirect call to absolute memory address
1C07 40D0F0 .text CALL [static] | Indirect call to absolute memory address
1D8A 40D0DC .text CALL [static] | Indirect call to absolute memory address
1ECD 40D0E0 .text CALL [static] | Indirect call to absolute memory address
1F9F 40D0E0 .text CALL [static] | Indirect call to absolute memory address
1FC4 40D0F8 .text CALL [static] | Indirect call to absolute memory address
2077 40D0E4 .text CALL [static] | Indirect call to absolute memory address
20D2 40D028 .text CALL [static] | Indirect call to absolute memory address
213A 40D1E0 .text CALL [static] | Indirect call to absolute memory address
2273 40D100 .text CALL [static] | Indirect call to absolute memory address
228F 40D094 .text CALL [static] | Indirect call to absolute memory address
22AE 40D09C .text CALL [static] | Indirect call to absolute memory address
22C3 40D1E8 .text CALL [static] | Indirect call to absolute memory address
2DB6 40D090 .text CALL [static] | Indirect call to absolute memory address
2F6E 40D09C .text CALL [static] | Indirect call to absolute memory address
2FFA 40D0A0 .text CALL [static] | Indirect call to absolute memory address
301A 40D09C .text CALL [static] | Indirect call to absolute memory address
30BB 40D0A0 .text CALL [static] | Indirect call to absolute memory address
30D4 40D09C .text CALL [static] | Indirect call to absolute memory address
30E5 40D088 .text CALL [static] | Indirect call to absolute memory address
3123 40D084 .text CALL [static] | Indirect call to absolute memory address
314B 40D04C .text CALL [static] | Indirect call to absolute memory address
317A 40D09C .text CALL [static] | Indirect call to absolute memory address
31AF 40D04C .text CALL [static] | Indirect call to absolute memory address
323C 40D0A0 .text CALL [static] | Indirect call to absolute memory address
326F 40D084 .text CALL [static] | Indirect call to absolute memory address
32AB 40D04C .text CALL [static] | Indirect call to absolute memory address
32CA 40D080 .text CALL [static] | Indirect call to absolute memory address
32D7 40D08C .text CALL [static] | Indirect call to absolute memory address
3324 40D084 .text CALL [static] | Indirect call to absolute memory address
3381 40D09C .text CALL [static] | Indirect call to absolute memory address
33DD 40D050 .text CALL [static] | Indirect call to absolute memory address
3469 40D090 .text CALL [static] | Indirect call to absolute memory address
34A4 40D068 .text CALL [static] | Indirect call to absolute memory address
34E6 40D09C .text CALL [static] | Indirect call to absolute memory address
356C 40D078 .text CALL [static] | Indirect call to absolute memory address
35C0 40D078 .text CALL [static] | Indirect call to absolute memory address
3602 40D078 .text CALL [static] | Indirect call to absolute memory address
3679 40D060 .text CALL [static] | Indirect call to absolute memory address
382A 40D060 .text CALL [static] | Indirect call to absolute memory address
39B2 40D07C .text CALL [static] | Indirect call to absolute memory address
39CA 40D05C .text CALL [static] | Indirect call to absolute memory address
3A92 40D050 .text CALL [static] | Indirect call to absolute memory address
3AA6 40D050 .text CALL [static] | Indirect call to absolute memory address
3ABB 40D058 .text CALL [static] | Indirect call to absolute memory address
3ACF 40D054 .text CALL [static] | Indirect call to absolute memory address
3AD6 40D214 .text JMP [static] | Indirect jump to absolute memory address
3ADC 40D210 .text JMP [static] | Indirect jump to absolute memory address
3AE2 40D20C .text JMP [static] | Indirect jump to absolute memory address
3AE8 40D208 .text JMP [static] | Indirect jump to absolute memory address
3AEE 40D204 .text JMP [static] | Indirect jump to absolute memory address
3AF4 40D200 .text JMP [static] | Indirect jump to absolute memory address
3AFA 40D224 .text JMP [static] | Indirect jump to absolute memory address
3B00 40D1F8 .text JMP [static] | Indirect jump to absolute memory address
3B06 40D1FC .text JMP [static] | Indirect jump to absolute memory address
3B0C 40D218 .text JMP [static] | Indirect jump to absolute memory address
3B12 40D21C .text JMP [static] | Indirect jump to absolute memory address
11000 N/A *Overlay* 78190000000202003082196606092A864886F70D | x.......0..f..*.H...
The overlay at file offset 11000, immediately after the last raw section (.data at 10000 + 1000), is the Authenticode signature entry: a WIN_CERTIFICATE header with dwLength 00001978 (6,520 bytes), wRevision 0200 (WIN_CERT_REVISION_2_0) and wCertificateType 0002 (WIN_CERT_TYPE_PKCS_SIGNED_DATA), followed by the DER SEQUENCE 30 82 19 66 (6,502 content bytes) that opens the PKCS#7 SignedData; the 06 09 2A 86 48 86 F7 0D that follows is the start of its contentType OID. 11000 + 1978 = 12978 = 76,152 bytes, which is the 74.37 KB reported under Information, so nothing trails the signature.
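As an added example (not part of the pescan report or of any Even Balance code), here is a parser for the WIN_CERTIFICATE header and the first DER elements of an Authenticode overlay, run over the 20 overlay bytes printed in the row above. It checks the revision and type fields, confirms that the DER SEQUENCE fits the entry with legal 8-byte padding, decodes the contentType OID prefix that is present, and reconciles dwLength with the file size reported under Information. Only the 20 bytes on the page are used; the remainder of the signature blob is not on the page, so the OID decodes as a prefix and the code reports it as truncated.

```python
import struct

# The 20 overlay bytes printed in the report at file offset 0x11000 (constructed
# from that row; the remainder of the signature blob is not on the page).
OVERLAY_OFFSET = 0x11000
OVERLAY_HEAD = bytes.fromhex("78190000000202003082196606092A864886F70D")

WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def der_tlv(buf: bytes, pos: int):
    """Return (tag, content_length, header_length) for the DER TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, first, 2
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 2 + n > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n


def decode_oid_arcs(body: bytes) -> str:
    """Decode the arcs of a DER OID body. A trailing arc whose continuation
    bit is still set is dropped, so a truncated body yields its complete prefix."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            if not arcs:
                first = min(value // 40, 2)      # first two arcs share one value
                arcs += [first, value - 40 * first]
            else:
                arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_win_certificate(head: bytes) -> dict:
    """Parse the WIN_CERTIFICATE header at the start of an Authenticode overlay
    plus the first two DER elements of bCertificate (outer SEQUENCE, then the
    contentType OID). Works on a prefix of the overlay."""
    length, revision, ctype = struct.unpack_from("<IHH", head, 0)
    if revision != WIN_CERT_REVISION_2_0 or ctype != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        raise ValueError("not a revision 2.0 PKCS#7 signed-data entry")
    tag, seq_len, seq_hdr = der_tlv(head, 8)
    if tag != 0x30:
        raise ValueError("bCertificate does not start with a DER SEQUENCE")
    cert_bytes = length - 8                 # bCertificate = dwLength minus the 8-byte header
    der_total = seq_hdr + seq_len
    padding = cert_bytes - der_total        # entries are padded to an 8-byte boundary
    if padding < 0 or padding > 7:
        raise ValueError("DER SEQUENCE does not fit the WIN_CERTIFICATE entry")
    oid_pos = 8 + seq_hdr
    oid_tag, oid_len, oid_hdr = der_tlv(head, oid_pos)
    if oid_tag != 0x06:
        raise ValueError("SEQUENCE does not open with the contentType OID")
    body = head[oid_pos + oid_hdr:oid_pos + oid_hdr + oid_len]
    return {
        "length": length,
        "der_total": der_total,
        "padding": padding,
        "oid_prefix": decode_oid_arcs(body),  # full OID only if all oid_len bytes are present
        "oid_truncated": len(body) < oid_len,
    }


def expected_file_size(overlay_offset: int, head: bytes) -> int:
    """File size implied by the signature entry when nothing follows it."""
    return overlay_offset + parse_win_certificate(head)["length"]


if __name__ == "__main__":
    info = parse_win_certificate(OVERLAY_HEAD)
    size = expected_file_size(OVERLAY_OFFSET, OVERLAY_HEAD)
    print(info)
    print("expected file size: %d bytes (%.2f KB)" % (size, size / 1024))
```

For the bytes on the page the entry is 6,520 bytes long, the SEQUENCE occupies 6,506 of the 6,512 certificate bytes with 6 bytes of padding, and the implied file size is 76,152 bytes (74.37 KB), matching the Size field. The OID prefix decodes to 1.2.840.113549, the PKCS arc; a SignedData content type would continue as 1.2.840.113549.1.7.2, but the three remaining OID bytes are not in the report, so the code does not assume them. Comparing the implied size against the real file size is a cheap check for data appended after the signature, which Authenticode does not cover.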
Extra Analysis
Metric          Value   Percentage
Ascii Code      41794   54.8823%
Null Byte Code  18191   23.8878%
Percentages are of the whole 76,152-byte file, signature overlay included.
© 2026 All rights reserved.