PESCAN.IO - Analysis Report Basic

| File Structure |

PE chart colour code (the chart image itself is not part of this extract):
• PE header (light blue)
• Executable sections (pink)
• Non-executable sections (black)
• External injected code (red)
• File structure drawn in red = malformed or corrupted header

Chart code for other file types:
• Printable characters (blue)
• Non-printable characters (black)
| Information |
• Size: 5,53 MB
• SHA-256 Hash: 8CD92C51AE6E7800F481B59B32C4B9B33BFD48FF5918829DEDE78D628D21514B
• SHA-1 Hash: A3EF313BDB52ECCDC61682E3B5B3EB6AD1B9C940
• MD5 Hash: CF62E23A6E577174A9F32BF510375162
• Imphash: 53AF3414CA8B7B29FC0B2FDF8AE5F80F
• MajorOSVersion: 5
• MinorOSVersion: 1
• CheckSum: 00000000
• EntryPoint (rva): 2EBF48
• SizeOfHeaders: 400
• SizeOfImage: 11F4000
• ImageBase: 400000
• Architecture: x86
• ExportTable: 4541E0
• ImportTable: 451F18
• IAT: 37D000
• Characteristics: 123
• TimeDateStamp: 513F6F6D
• Date: 12/03/2013 18:09:49
• File Type: EXE
• Number Of Sections: 6
• ASLR: Disabled
• Section Names: .text, .rdata, .data, .tls, .rsrc, .bind
• Number Of Executable Sections: 2
• Subsystem: Windows GUI
• UAC Execution Level Manifest: asInvoker
• [Incomplete Binary or Compressor Packer - 12,42 MB Missing]
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 0x60000020 Code Executable Readable | 400 | 37BA00 | 1000 | 37B811 | | |
| .rdata | 0x40000040 Initialized Data Readable | 37BE00 | DA800 | 37D000 | DA6D1 | | |
| .data | 0xC0000040 Initialized Data Readable Writeable | 456600 | 59C00 | 458000 | CC1EDC | | |
| .tls | 0xC0000040 Initialized Data Readable Writeable | 4B0200 | 3800 | 111A000 | 371D | | |
| .rsrc | 0x40000040 Initialized Data Readable | 4B3A00 | 4C000 | 111E000 | 4BF8C | | |
| .bind | 0x60000040 Initialized Data Executable Readable | 4FFA00 | 89400 | 116A000 | 8A000 | | |
| Description |
• OriginalFilename: WalkingDead.exe
• CompanyName: Terminal Reality Inc.
• LegalCopyright: 2013 Terminal Reality Inc.
• ProductName: The Walking Dead : Survival Instinct
• FileVersion: 1.00.00
• FileDescription: The Walking Dead : Survival Instinct(TM)
• ProductVersion: 1.00.00
• Language: English (United States) (ID=0x409)
• CodePage: Unicode (UTF-16 LE) (0x4B0)
| Entry Point |
Section 1 (.text) contains the entry point.
• EntryPoint (calculated): 2EB348
• Code: E8E6060000E963FDFFFFFF255CD27700FF2558D27700CCCCFF2554D27700FF25E0D27700FF2550D27700FF254CD27700FF25
• Assembler:
  CALL 0X16EB
  JMP 0XD6D
  JMP DWORD PTR [0X77D25C]
  JMP DWORD PTR [0X77D258]
  INT3
  INT3
  JMP DWORD PTR [0X77D254]
  JMP DWORD PTR [0X77D2E0]
  JMP DWORD PTR [0X77D250]
  JMP DWORD PTR [0X77D24C]
| Signatures |
| Certificate - Digital Signature Not Found: • The file is not signed |
| Packer/Compiler |
• Compiler: Microsoft Visual Studio
• Compiler: Microsoft Visual C ++ 6 DLL
• Detect It Easy (die):
  • PE: compiler: EP:Microsoft Visual C/C++(2008-2010)[EXE32]
  • PE: compiler: Microsoft Visual C/C++(2010)[msvcrt]
  • Entropy: 6.84285
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | CreateMutexA | Create a named or unnamed mutex object for controlling access to a shared resource. |
| KERNEL32.DLL | GetModuleFileNameA | Retrieve the fully qualified path for the executable file of a specified module. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | CreateFileA | Creates or opens a file or I/O device. |
| KERNEL32.DLL | DeleteFileA | Deletes an existing file. |
| KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |
| KERNEL32.DLL | SleepEx | Pauses the execution of the current thread, optionally allowing the thread to be awakened by a kernel object or upon expiration of a timeout. |
| USER32.DLL | CallWindowProcA | Invokes the window procedure for the specified window and messages. |
| Windows REG |
• Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
• system\settings.ini
• system\render.ini
| File Access |
• WalkingDead.exe
• %d, current version is %d.(You probably have an old .exe
• tridx8tl.dll
• OLEAUT32.dll
• SHELL32.dll
• ADVAPI32.dll
• GDI32.dll
• WS2_32.dll
• WINMM.dll
• binkw32.dll
• DINPUT8.dll
• XINPUT1_3.dll
• d3d9.dll
• MSVCR100.dll
• iggy_w32.dll
• ole32.dll
• USER32.dll
• KERNEL32.dll
• steam_api.dll
• trigl.dll
• @.dat
• automation\auto_recovery.log
• automation\autorun.log
• cmdline.txt
• data\tweak.txt
• world\%s\%s.txt
• errorlog.txt
• automation\mem_usage_summary_%s.txt
• automation\mem_usage_detail_%s.txt
• level_mem_%s_%s.txt
• autorun.txt
• gui\legal.txt
• See README.TXT
• world\%s\msglist.txt
• gui\common.txt
• level_filter.txt
• level_list.txt
• credits.txt
• .\system\render.ini
• ?.\editdata\system\settings.ini
• Temp
• Exec - arp room
• Exec - arp to
| File Access (UNICODE) |
| WalkingDead.exe |
| Words of Interest |
| PADDINGX Encrypt exec attrib start pause cipher shutdown systeminfo ping dism expand pushd replace route setx |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | WinAPI Sockets (bind) |
| Text | Ascii | WinAPI Sockets (listen) |
| Text | Ascii | WinAPI Sockets (connect) |
| Text | Ascii | Registry (RegOpenKeyEx) |
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | File (ReadFile) |
| Text | Ascii | Anti-Analysis VM (IsDebuggerPresent) |
| Text | Ascii | Anti-Analysis VM (GetSystemInfo) |
| Text | Ascii | Anti-Analysis VM (GetVersion) |
| Text | Ascii | Reconnaissance (FindFirstFileA) |
| Text | Ascii | Reconnaissance (FindNextFileA) |
| Text | Ascii | Reconnaissance (FindClose) |
| Text | Ascii | Stealth (ReleaseSemaphore) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Execution (CreateSemaphoreA) |
| Text | Ascii | Execution (CreateEventA) |
| Text | Ascii | Execution (CreateEventW) |
| Text | Ascii | Antivirus Software (rising) |
| Text | Ascii | Keyboard Key (Alt+) |
| Text | Ascii | Keyboard Key (Scroll) |
| Text | Ascii | Stealer malware focused on obtaining CVV codes to conduct unauthorized transactions (CVV) |
| Text | Ascii | Unauthorized movement of funds or data (Transfer) |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | Microsoft Visual C++ v7.0 |
| Entry Point | Hex Pattern | VC8 - Microsoft Corporation |
| Entry Point | Hex Pattern | ZM-Exe Executable Image |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \ICON\1\1033 | 111E250 | CA8 | 4B3C50 | 2800000020000000400000000100180000000000000C0000000000000000000000000000000000001D2221161818191E1C19 | (... ...@................................"!....... |
| \ICON\2\1033 | 111EEF8 | 3228 | 4B48F8 | 2800000040000000800000000100180000000000003000000000000000000000000000000000000000000000000000000000 | (...@................0............................ |
| \ICON\3\1033 | 1122120 | 368 | 4B7B20 | 28000000100000002000000001001800000000000003000000000000000000000000000000000000424443232F2F32434721 | (....... ...............................BDC//2CG! |
| \ICON\4\1033 | 1122488 | C828 | 4B7E88 | 280000008000000000010000010018000000000000C000000000000000000000000000000000000000000000000000000000 | (................................................. |
| \ICON\5\1033 | 112ECB0 | 32028 | 4C46B0 | 2800000000010000000200000100180000000000000003000000000000000000000000000000000000000000000000000000 | (................................................. |
| \ICON\6\1033 | 1160CD8 | 1CA8 | 4F66D8 | 2800000030000000600000000100180000000000001B00000000000000000000000000000000000002020203040403050504 | (...0............................................ |
| \ICON\7\1033 | 1162980 | 70A8 | 4F8380 | 2800000060000000C00000000100180000000000006C00000000000000000000000000000000000000000000010101010101 | (...................l............................ |
| \GROUP_ICON\101\1033 | 1169A28 | 68 | 4FF428 | 0000010007002020000001001800A80C00000100404000000100180028320000020010100000010018006803000003008080 | ...... ............@@......(2............h....... |
| \VERSION\1\1033 | 1169A90 | 3D0 | 4FF490 | D00334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \24\1\1033 | 1169E60 | 12A | 4FF860 | 3C617373656D626C7920786D6C6E733D2275726E3A736368656D61732D6D6963726F736F66742D636F6D3A61736D2E763122 | <assembly xmlns="urn:schemas-microsoft-com:asm.v1" |
| Intelligent String |
• c:\projects\cobalt\engine\base\trarray.h
• actors\ocean.cpp
• Npc\merle.cit
• vehicle\pickup_single_cab.cit
• .cit
• actors\dead_body.cpp
• actors\csmodel.cpp
• actors\character.cpp
• CCinematicSkeletonModel::setup - Out of memory allocating cloth sim.jug
• .tls
• proxy_door.smf
• vehicles\sh_vehCCarEffectsvehicles\pickup_dCab.smf
• .BOX
• _CONVEX.CONVEXCCarEffects::addCollisionGeom: %s - adding part: %sactors\car_effects.cpp
• actors\car_effects.cpp
• CCharacter::onEnabled().sbs
• .sbs
• actors\character_control.cpp
• Too many classes in the animation tableactors\character_control.cpp
• c:\projects\cobalt\actors\character_types.hIStatusEffectClassType hash collision
• Error finding variant '%s' in cit file '%s'actors\csmodel.cpp
• CCinematicSkeletonModel::setup - Out of memory allocating soft body sim.sbs
• dead_body\dead_body.citdead_body\dead_body_military_male.cit
• global\doors\door_p.phys2
• global\doors\door_metal_window
• global\doors\door_metal_pushbarglobal\doors\door_T_home
• global\doors\motel_doorglobal\doors\mDoor01
• global\doors\mDoor02
• global\doors\mDoor03
• \Bicon_exit_zone.tfa
• global\Glass
• \Bnpc\npc_dummy.dfm
• \Bvehicles\truck_2_door.dfm
• vehicle\2door_coupe.citvehicle\4door_sedan_l.cit
• vehicle\4door_sedan_s.cit
• vehicle\crossover.cit
• vehicle\jeep.cit
• vehicle\pickup_double_cab.cit
• items\ammo.cit
• global\pickups\bolt_ammo.phys2
• items\radio.citCGasCanitems\gas_can.cit
• fx\causitics.tga
• c:\projects\cobalt\engine\graphics\quadlist.h
• player\player.cit
• lights\flashlight_spot.tga
• lights\flashlight_falloff.tga
• weapon\melee\combat_knife.cit
• Blade_impact_default.tfa
• Blade_impact_concrete.tfa
• Blade_impact_glass.tfa
• Blade_impact_metal.tfa
• Blade_impact_water.tfa
• Blade_impact_wood.tfa
• Blunt_impact_default.tfa
• Blunt_impact_concrete.tfa
• Blunt_impact_glass.tfa
• Blunt_impact_metal.tfa
• Blunt_impact_water.tfa
• Blunt_impact_wood.tfa
• weapon\melee\pipe.cit
• town\quaint\noose.smf
• actors\physics_object.cpp
• proto_launcher.cit
• \BUI_push_icon.tfa
• global\vending_soda\vending_soda.smf
| Flow Anomalies |
| Offset | RVA | Section | Type | Description |
|---|---|---|---|---|
| 499 | 77D1AC | .text | CALL [static] | Indirect call to absolute memory address |
| 4E8 | 77D1AC | .text | CALL [static] | Indirect call to absolute memory address |
| 540 | 77D5E0 | .text | CALL [static] | Indirect call to absolute memory address |
| 7D2 | 77D2A8 | .text | CALL [static] | Indirect call to absolute memory address |
| 8AF | 77D2A8 | .text | CALL [static] | Indirect call to absolute memory address |
| 924 | 77D2A8 | .text | CALL [static] | Indirect call to absolute memory address |
| AD7 | 77D554 | .text | CALL [static] | Indirect call to absolute memory address |
| AE3 | 77D550 | .text | CALL [static] | Indirect call to absolute memory address |
| AEF | 77D5CC | .text | CALL [static] | Indirect call to absolute memory address |
| B01 | 77D5C4 | .text | CALL [static] | Indirect call to absolute memory address |
| B13 | 77D5F0 | .text | CALL [static] | Indirect call to absolute memory address |
| B97 | 77D5EC | .text | JMP [static] | Indirect jump to absolute memory address |
| C67 | 77D5D8 | .text | CALL [static] | Indirect call to absolute memory address |
| C91 | 77D5D0 | .text | CALL [static] | Indirect call to absolute memory address |
| D1C | 77D5D8 | .text | CALL [static] | Indirect call to absolute memory address |
| D45 | 77D5D0 | .text | CALL [static] | Indirect call to absolute memory address |
| DCA | 77D5DC | .text | CALL [static] | Indirect call to absolute memory address |
| 1042 | 77D5C8 | .text | CALL [static] | Indirect call to absolute memory address |
| 1087 | 77D5F8 | .text | CALL [static] | Indirect call to absolute memory address |
| 1494 | 77D560 | .text | CALL [static] | Indirect call to absolute memory address |
| 14B3 | 77D564 | .text | CALL [static] | Indirect call to absolute memory address |
| 153F | 77D600 | .text | CALL [static] | Indirect call to absolute memory address |
| 1646 | 77D5FC | .text | CALL [static] | Indirect call to absolute memory address |
| 1678 | 77D55C | .text | CALL [static] | Indirect call to absolute memory address |
| 168A | 77D558 | .text | CALL [static] | Indirect call to absolute memory address |
| 169C | 77D558 | .text | CALL [static] | Indirect call to absolute memory address |
| 16AE | 77D558 | .text | CALL [static] | Indirect call to absolute memory address |
| 16BD | 77D558 | .text | CALL [static] | Indirect call to absolute memory address |
| 1701 | 77D5E4 | .text | CALL [static] | Indirect call to absolute memory address |
| 1741 | 77D5F4 | .text | CALL [static] | Indirect call to absolute memory address |
| 17E3 | 77D5FC | .text | CALL [static] | Indirect call to absolute memory address |
| 182A | 77D418 | .text | CALL [static] | Indirect call to absolute memory address |
| 184E | 77D5C0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1867 | 77D5C0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1878 | 77D5E8 | .text | CALL [static] | Indirect call to absolute memory address |
| 188C | 77D5F4 | .text | CALL [static] | Indirect call to absolute memory address |
| 19AA | 77D29C | .text | CALL [static] | Indirect call to absolute memory address |
| 1B28 | 77D5C0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1B3A | 77D5F4 | .text | CALL [static] | Indirect call to absolute memory address |
| 1BD6 | 77D5F4 | .text | CALL [static] | Indirect call to absolute memory address |
| 1BE0 | 77D5FC | .text | CALL [static] | Indirect call to absolute memory address |
| 1C04 | 77D5F4 | .text | CALL [static] | Indirect call to absolute memory address |
| 20A2 | 77D264 | .text | CALL [static] | Indirect call to absolute memory address |
| 23E8 | 1513E54 | .text | CALL [static] | Indirect call to absolute memory address |
| 243A | 1513E58 | .text | CALL [static] | Indirect call to absolute memory address |
| 2575 | 1513E54 | .text | CALL [static] | Indirect call to absolute memory address |
| 2606 | 1513E58 | .text | CALL [static] | Indirect call to absolute memory address |
| 2681 | 77D264 | .text | CALL [static] | Indirect call to absolute memory address |
| 2879 | 1513E40 | .text | CALL [static] | Indirect call to absolute memory address |
| 290B | 77D264 | .text | CALL [static] | Indirect call to absolute memory address |
| 2ADB | 1513E40 | .text | CALL [static] | Indirect call to absolute memory address |
| 335A | 77D5D4 | .text | CALL [static] | Indirect call to absolute memory address |
| 338F | 77D5BC | .text | CALL [static] | Indirect call to absolute memory address |
| 33E5 | 77D5D4 | .text | CALL [static] | Indirect call to absolute memory address |
| 341A | 77D5BC | .text | CALL [static] | Indirect call to absolute memory address |
| 34D8 | 77D5D4 | .text | CALL [static] | Indirect call to absolute memory address |
| 350D | 77D5BC | .text | CALL [static] | Indirect call to absolute memory address |
| 3596 | 77D5BC | .text | CALL [static] | Indirect call to absolute memory address |
| 38F7 | 77D5BC | .text | CALL [static] | Indirect call to absolute memory address |
| 39F1 | 77D5BC | .text | CALL [static] | Indirect call to absolute memory address |
| 3A0B | 77D5BC | .text | CALL [static] | Indirect call to absolute memory address |
| 406F | 77D5BC | .text | CALL [static] | Indirect call to absolute memory address |
| 409B | 77D5BC | .text | CALL [static] | Indirect call to absolute memory address |
| 41A1 | 77D5BC | .text | CALL [static] | Indirect call to absolute memory address |
| 41BC | 77D5BC | .text | CALL [static] | Indirect call to absolute memory address |
| 4206 | 77D5BC | .text | CALL [static] | Indirect call to absolute memory address |
| 5245 | 77D5BC | .text | CALL [static] | Indirect call to absolute memory address |
| 7257 | 77D5BC | .text | CALL [static] | Indirect call to absolute memory address |
| 7273 | 77D5BC | .text | CALL [static] | Indirect call to absolute memory address |
| 72A2 | 77D5BC | .text | CALL [static] | Indirect call to absolute memory address |
| 754F | 77D5BC | .text | CALL [static] | Indirect call to absolute memory address |
| 8785 | 77D5BC | .text | JMP [static] | Indirect jump to absolute memory address |
| 5E255 | 74C08500 | .text | CALL [static] | Indirect call to absolute memory address |
| 8AE06 | 74C08500 | .text | JMP [static] | Indirect jump to absolute memory address |
| 998D6 | 74C08500 | .text | CALL [static] | Indirect call to absolute memory address |
| A2063 | 77D084 | .text | CALL [static] | Indirect call to absolute memory address |
| A208F | 77D080 | .text | CALL [static] | Indirect call to absolute memory address |
| A20B4 | 77D084 | .text | CALL [static] | Indirect call to absolute memory address |
| A20EB | 77D080 | .text | CALL [static] | Indirect call to absolute memory address |
| A2138 | 77D08C | .text | CALL [static] | Indirect call to absolute memory address |
| A2146 | 77D07C | .text | CALL [static] | Indirect call to absolute memory address |
| A2174 | 77D04C | .text | CALL [static] | Indirect call to absolute memory address |
| A21DD | 77D094 | .text | CALL [static] | Indirect call to absolute memory address |
| A21E8 | 77D054 | .text | CALL [static] | Indirect call to absolute memory address |
| A2219 | 77D088 | .text | CALL [static] | Indirect call to absolute memory address |
| A2243 | 77D084 | .text | CALL [static] | Indirect call to absolute memory address |
| A2273 | 77D080 | .text | CALL [static] | Indirect call to absolute memory address |
| A228C | 77D094 | .text | CALL [static] | Indirect call to absolute memory address |
| A229D | 77D078 | .text | CALL [static] | Indirect call to absolute memory address |
| C1775 | 77D078 | .text | CALL [static] | Indirect call to absolute memory address |
| C1797 | 77D094 | .text | CALL [static] | Indirect call to absolute memory address |
| C17A2 | 77D054 | .text | CALL [static] | Indirect call to absolute memory address |
| C1972 | 77D078 | .text | CALL [static] | Indirect call to absolute memory address |
| C19A2 | 77D078 | .text | CALL [static] | Indirect call to absolute memory address |
| C1A16 | 77D094 | .text | CALL [static] | Indirect call to absolute memory address |
| C1A7D | 77D094 | .text | CALL [static] | Indirect call to absolute memory address |
| C1BFD | 77D094 | .text | CALL [static] | Indirect call to absolute memory address |
| C1C15 | 77D078 | .text | CALL [static] | Indirect call to absolute memory address |
| C1D1D | 77D04C | .text | CALL [static] | Indirect call to absolute memory address |
| C1D57 | 77D074 | .text | CALL [static] | Indirect call to absolute memory address |
| 42D48A-42D4CC | N/A | .rdata | | Unusual BP Cave, count: 67 |
| 42E3C2-42E416 | N/A | .rdata | | Unusual BP Cave, count: 85 |
| 42F97B-42F9BF | N/A | .rdata | | Unusual BP Cave, count: 69 |
| 432926-43294F | N/A | .rdata | | Unusual BP Cave, count: 42 |
| 4347D4-434822 | N/A | .rdata | | Unusual BP Cave, count: 79 |
| 4356C5-435742 | N/A | .rdata | | Unusual BP Cave, count: 126 |
| 43667A-4366BC | N/A | .rdata | | Unusual BP Cave, count: 67 |
| 439140-439178 | N/A | .rdata | | Unusual BP Cave, count: 57 |
| 439F50-439F6E | N/A | .rdata | | Unusual BP Cave, count: 31 |
| 43AEC0-43AEF7 | N/A | .rdata | | Unusual BP Cave, count: 56 |
| 43AEF9-43AF1C | N/A | .rdata | | Unusual BP Cave, count: 36 |
| 43BF1C-43BF60 | N/A | .rdata | | Unusual BP Cave, count: 69 |
| 4FFA00-588DFF | 116A000 | .bind | | Executable section anomaly, first bytes: 558BEC5DC3558BEC |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 3524350 | 60,7278% |
| Null Byte Code | 900763 | 15,521% |