PESCAN.IO - Analysis Report Basic
| File Structure |
[Figure: file structure byte map. PE chart code: PE header (light blue), executable sections (pink), non-executable sections (black), external injected code (red); a file structure drawn in red means a malformed or corrupted header. Chart code for other files: printable characters (blue), non-printable characters (black).]
| Information |
| Field | Value |
|---|---|
| Size | 3,83 MB |
| SHA-256 Hash | 0DA123ADF9251957A4B850A3F6BD6A753DD4892BE176A84A18450E899534CC5E |
| SHA-1 Hash | 17E771C78430CC67E71D4547F8996A1A488E9D3F |
| MD5 Hash | 338662FD0C4D750A0BA203A32B59F081 |
| Imphash | 8C5B72906E8183037532AFC3F4639931 |
| MajorOSVersion | 4 |
| MinorOSVersion | 0 |
| CheckSum | 003DCC2B |
| EntryPoint (rva) | 1440 |
| SizeOfHeaders | 600 |
| SizeOfImage | 3BF000 |
| ImageBase | 0000000140000000 |
| Architecture | x64 |
| ImportTable | 35D000 |
| IAT | 35D600 |
| Characteristics | 26 |
| TimeDateStamp | 0 |
| Date | 01/01/1970 |
| File Type | DLL |
| Number Of Sections | 18 |
| ASLR | Disabled |
| Section Names (Optional Header) | .text, .data, .rdata, .pdata, .xdata, .bss, .idata, .tls, .reloc, /4, /19, /31, /45, /57, /70, /81, /97, /113 |
| Number Of Executable Sections | 1 |
| Subsystem | Windows Console |
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 0x60000020 Code Executable Readable | 600 | 2F9400 | 1000 | 2F9390 | | |
| .data | 0xC0000040 Initialized Data Readable Writeable | 2F9A00 | 36A00 | 2FB000 | 36870 | | |
| .rdata | 0x40000040 Initialized Data Readable | 330400 | 17200 | 332000 | 17068 | | |
| .pdata | 0x40000040 Initialized Data Readable | 347600 | 4E00 | 34A000 | 4C80 | | |
| .xdata | 0x40000040 Initialized Data Readable | 34C400 | 7000 | 34F000 | 6F80 | | |
| .bss | 0xC0000080 Uninitialized Data Readable Writeable | 0 | 0 | 356000 | 68E0 | | |
| .idata | 0x40000040 Initialized Data Readable | 353400 | 1A00 | 35D000 | 1984 | | |
| .tls | 0xC0000040 Initialized Data Readable Writeable | 354E00 | 200 | 35F000 | 10 | | |
| .reloc | 0x42000040 Initialized Data GP-Relative Readable | 355000 | D800 | 360000 | D620 | | |
| /4 | 0x42000040 Initialized Data GP-Relative Readable | 362800 | C00 | 36E000 | A60 | | |
| /19 | 0x42000040 Initialized Data GP-Relative Readable | 363400 | 1DA00 | 36F000 | 1D97B | | |
| /31 | 0x42000040 Initialized Data GP-Relative Readable | 380E00 | 5200 | 38D000 | 51B2 | | |
| /45 | 0x42000040 Initialized Data GP-Relative Readable | 386000 | F200 | 393000 | F078 | | |
| /57 | 0x42000040 Initialized Data GP-Relative Readable | 395200 | 2000 | 3A3000 | 1F20 | | |
| /70 | 0x42000040 Initialized Data GP-Relative Readable | 397200 | 400 | 3A5000 | 3F6 | | |
| /81 | 0x42000040 Initialized Data GP-Relative Readable | 397600 | 3600 | 3A6000 | 3505 | | |
| /97 | 0x42000040 Initialized Data GP-Relative Readable | 39AC00 | 13C00 | 3AA000 | 13BD7 | | |
| /113 | 0x42000040 Initialized Data GP-Relative Readable | 3AE800 | E00 | 3BE000 | CD5 | | |
| Binder/Joiner/Crypter |
| Dropper code detected (EOF) - 88,87 KB |
| Entry Point |
The section number (1) has the Entry Point Information -> EntryPoint (calculated) - A40

Code -> 4883EC28488B05D56E3400C70000000000E8CAFBFFFF90904883C428C30F1F00E9238D2F009090909090909090909090488D

| Assembler |
|---|
| SUB RSP, 0X28 |
| MOV RAX, QWORD PTR [RIP + 0X346ED5] |
| MOV DWORD PTR [RAX], 0 |
| CALL 0XBE0 |
| NOP |
| NOP |
| ADD RSP, 0X28 |
| RET |
| NOP DWORD PTR [RAX] |
| JMP 0X2F9D48 |
| NOP |
| NOP |
| NOP |
| NOP |
| NOP |
| NOP |
| NOP |
| NOP |
| NOP |
| NOP |
| NOP |
| Signatures |
| Certificate - Digital Signature Not Found: • The file is not signed |
| Packer/Compiler |
| Detect It Easy (die) • Entropy: 6.66767 |
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | CreateMutexW | Create a named or unnamed mutex object for controlling access to a shared resource. |
| KERNEL32.DLL | GetModuleFileNameA | Retrieve the fully qualified path for the executable file of a specified module. |
| KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module. |
| KERNEL32.DLL | CopyFileA | Copies an existing file to a new file. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | LoadLibraryW | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | CreateToolhelp32Snapshot | Creates a snapshot of the specified processes, heaps, threads, and modules. |
| KERNEL32.DLL | ReadProcessMemory | Reads data from an area of memory in a specified process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | CreateFileA | Creates or opens a file or I/O device. |
| KERNEL32.DLL | DeleteFileA | Deletes an existing file. |
| ADVAPI32.DLL | CryptDecrypt | Performs a cryptographic operation on data in a data block. |
| Windows REG |
| SOFTWARE\ClassesElevationServiceSYSTEM\CurrentControlSet\Service SYSTEM\CurrentControlSet\Service |
| File Access |
| msvcrt.dll KERNEL32.dll ADVAPI32.dll OleAut32.dll Bcrypt.dll 32.dll .dat Temp AppData |
| SQL Queries |
| SELECT tbl,idx,stat FROM %Q.sqlite_stat1 SELECT sql FROM "%w".sqlite_schema WHERE type='table'AND name<>'sqlite_sequence' AND coalesce(rootpage,1)>0 SELECT sql FROM "%w".sqlite_schema WHERE type='index' SELECT 1 FROM "%w".sqlite_master WHERE name NOT LIKE 'sqliteX_%%' ESCAPE 'X' AND sql NOT LIKE 'create virtual%%' AND sqlite_rename_test(%Q, sql, type, name, %d, %Q, %d)=NULL SELECT 1 FROM temp.sqlite_master WHERE name NOT LIKE 'sqliteX_%%' ESCAPE 'X' AND sql NOT LIKE 'create virtual%%' AND sqlite_rename_test(%Q, sql, type, name, 1, %Q, %d)=NULL SELECT CASE WHEN quick_check GLOB 'CHECK*' THEN raise(ABORT,'CHECK constraint failed') WHEN quick_check GLOB 'non-* value in*' THEN raise(ABORT,'type mismatch on DEFAULT') ELSE raise(ABORT,'NOT NULL constraint failed') END FROM pragma_quick_check(%Q,%Q) WHERE quick_check GLOB 'CHECK*' OR quick_check GLOB 'NULL*' OR quick_check GLOB 'non-* value in*' SELECT raise(ABORT,%Q) FROM "%w"."%w" INSERT INTO %s.'||quote(name)||' SELECT*FROM"%w".'||quote(name)FROM %s.sqlite_schema WHERE type='table'AND coalesce(rootpage,1)>0 INSERT INTO %s.sqlite_schema SELECT*FROM "%w".sqlite_schema WHERE type IN('view','trigger') OR(type='table'AND rootpage=0) INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,%d,%Q); INSERT into generated column "%s" INSERT INTO %Q.sqlite_master VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q') CREATE TABLE x(type text,name text,tbl_name text,rootpage int,sql text) CREATE TABLE x CREATE TABLE %Q.sqlite_sequence(name,seq) CREATE TABLE CREATE TABLE %Q.%s(%s) CREATE TABLE x(key,value,type,atom,id,parent,fullkey,path,json HIDDEN,root HIDDEN) DROP TABLE to delete table %s DELETE FROM %Q.%s WHERE %s=%Q DELETE FROM %Q.sqlite_sequence WHERE name=%Q DELETE FROM %Q.sqlite_master WHERE tbl_name=%Q and type!='trigger' DELETE FROM %Q.sqlite_master WHERE name=%Q AND type='trigger' DELETE FROM %Q.sqlite_master WHERE name=%Q AND type='index' |
| Interest's Words |
| zombie Encrypt Decrypt exec unescape attrib start shutdown defrag systeminfo ping expand pushd replace |
| Interest's Words (UNICODE) |
| Decrypt |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | Unicode escape - \u00 - (Common Unicode escape sequences) |
| Text | Ascii | WinAPI Sockets (bind) |
| Text | Ascii | WinAPI Sockets (accept) |
| Text | Ascii | WinAPI Sockets (connect) |
| Text | Ascii | Registry (RegOpenKeyEx) |
| Text | Ascii | File (GetTempPath) |
| Text | Ascii | File (CopyFile) |
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | File (ReadFile) |
| Text | Ascii | Encryption API (CryptGenKey) |
| Text | Ascii | Encryption API (CryptDecrypt) |
| Text | Ascii | Anti-Analysis VM (GetSystemInfo) |
| Text | Ascii | Anti-Analysis VM (GetVersion) |
| Text | Ascii | Anti-Analysis VM (CreateToolhelp32Snapshot) |
| Text | Ascii | Reconnaissance (FindFirstFileA) |
| Text | Ascii | Reconnaissance (FindNextFileA) |
| Text | Ascii | Reconnaissance (FindClose) |
| Text | Ascii | Stealth (GetThreadContext) |
| Text | Ascii | Stealth (SetThreadContext) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Stealth (UnmapViewOfFile) |
| Text | Ascii | Stealth (MapViewOfFile) |
| Text | Ascii | Stealth (CreateFileMappingA) |
| Text | Ascii | Stealth (CreateFileMappingW) |
| Text | Ascii | Stealth (VirtualProtect) |
| Text | Ascii | Stealth (ReadProcessMemory) |
| Text | Ascii | Execution (CreateProcessA) |
| Text | Ascii | Execution (ResumeThread) |
| Text | Ascii | Malicious code executed after exploiting a vulnerability (Payload) |
| Text | Ascii | Unauthorized movement of funds or data (Transfer) |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8.0 (DLL) |
| Intelligent String |
| • .bss • 32.dll • @.bss • @.tls • Bcrypt.dll • OleAut32.dll • bad JSON path: %Q\"\u0009\u00\u0000 • 5ADVAPI32.dll • 5KERNEL32.dll • 5msvcrt.dll • .tls |
| Flow Anomalies |
| Offset | RVA | Section | Description |
|---|---|---|---|
| 2F3BE2-2F3BFF | N/A | .text | Unusual NOPS Space, count: 30 |
| 2F7941-2F797F | N/A | .text | Unusual NOPS Space, count: 63 |
| 2F8B90-2F8BBF | N/A | .text | Unusual NOPS Space, count: 48 |
| 2F8EC8-2F8EFF | N/A | .text | Unusual NOPS Space, count: 56 |
| 347440 | 2EA6F0 | .rdata | TLS Callback: Pointer to 1402EA6F0 - 0x2E9CF0 .text |
| 347448 | 2EA6D0 | .rdata | TLS Callback: Pointer to 1402EA6D0 - 0x2E9CD0 .text |
| 3AF600 | N/A | *Overlay* | 2E66696C650000005F000000FEFF000067016372 (.file..._.......g.cr) |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 2369628 | 58,9596% |
| Null Byte Code | 608298 | 15,1353% |
| NOP Cave Found | 0x9090909090 (Block Count: 108) | 0,0067% |