PREMIUM PESCAN.IO - Analysis Report

Information
Size: 3,75 MB
SHA-256 Hash: CE0DCB4A963BAF810925392298BA2B374A860802B54A48E427639A1B9696A7FC
SHA-1 Hash: 66C58DFE8B86379E8AB86039473702D35E5DBC19
MD5 Hash: 52D2EF7084229B7E144F8C9E465BF7FE
Imphash: D8B31F8C03E0C76FF245ED05A15FFE6C
MajorOSVersion: 6
MinorOSVersion: 1
CheckSum: 003C074B
EntryPoint (rva): 1350
SizeOfHeaders: 600
SizeOfImage: 3DB000
ImageBase: 00000001E5CE0000
Architecture: x64
ExportTable: 398000
ImportTable: 399000
IAT: 3992CC
Characteristics: 2026
TimeDateStamp: 0
Date: 01/01/1970
File Type: DLL
Number Of Sections: 19
ASLR: Disabled
Section Names (Optional Header): .text, .data, .rdata, .pdata, .xdata, .bss, .edata, .idata, .CRT, .tls, .reloc, /4, /19, /31, /45, /57, /70, /81, /92
Number Of Executable Sections: 1
Subsystem: Windows GUI

Sections Info
Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2
.text | 0x60600060 (Code, Initialized Data, Executable, Readable) | 600 | 119000 | 1000 | 119000 | 6.2663 | 9446458.76
.data | 0xC0600040 (Initialized Data, Readable, Writeable) | 119600 | 14C00 | 11A000 | 14B40 | 5.0949 | 4547119.52
.rdata | 0x40600040 (Initialized Data, Readable) | 12E200 | 215800 | 12F000 | 215780 | 6.9922 | 14228638.69
.pdata | 0x40300040 (Initialized Data, Readable) | 343A00 | 6600 | 345000 | 6564 | 5.3801 | 621614.61
.xdata | 0x40300040 (Initialized Data, Readable) | 34A000 | 600 | 34C000 | 55C | 4.0957 | 45187
.bss | 0xC0600080 (Uninitialized Data, Readable, Writeable) | 0 | 0 | 34D000 | 4A440 | N/A | N/A
.edata | 0x40300040 (Initialized Data, Readable) | 34A600 | 200 | 398000 | 1B8 | 4.5942 | 13630
.idata | 0xC0300040 (Initialized Data, Readable, Writeable) | 34A800 | E00 | 399000 | C2C | 4.1144 | 195399.14
.CRT | 0xC0400040 (Initialized Data, Readable, Writeable) | 34B600 | 200 | 39A000 | 58 | 0.2586 | 123505
.tls | 0xC0400040 (Initialized Data, Readable, Writeable) | 34B800 | 200 | 39B000 | 10 | 0 | 130560
.reloc | 0x42300040 (Initialized Data, GP-Relative, Readable) | 34BA00 | 5400 | 39C000 | 53A4 | 5.4445 | 119155.31
/4 | 0x42500040 (Initialized Data, GP-Relative, Readable) | 350E00 | 800 | 3A2000 | 6C0 | 1.7208 | 342573
/19 | 0x42100040 (Initialized Data, GP-Relative, Readable) | 351600 | 12C00 | 3A3000 | 12A56 | 5.9757 | 1190030.52
/31 | 0x42100040 (Initialized Data, GP-Relative, Readable) | 364200 | 3400 | 3B6000 | 32C5 | 4.714 | 243087.5
/45 | 0x42100040 (Initialized Data, GP-Relative, Readable) | 367600 | 7E00 | 3BA000 | 7DBE | 5.4499 | 476312.95
/57 | 0x42400040 (Initialized Data, GP-Relative, Readable) | 36F400 | 2800 | 3C2000 | 2800 | 3.7158 | 602930.45
/70 | 0x42100040 (Initialized Data, GP-Relative, Readable) | 371C00 | A00 | 3C5000 | 83A | 4.5151 | 51569.8
/81 | 0x42100040 (Initialized Data, GP-Relative, Readable) | 372600 | 12E00 | 3C6000 | 12D5D | 2.6835 | 10228599.66
/92 | 0x42100040 (Initialized Data, GP-Relative, Readable) | 385400 | 1600 | 3D9000 | 1590 | 1.787 | 986262.64
Entry Point
Section number (1) contains the Entry Point
Information -> EntryPoint (calculated) - 950
Code -> 488B05392F3400C70000000000E99EFEFFFF66662E0F1F8400000000000F1F004889CA488D0D86BC3400E9C187110090488D
Assembler
|MOV RAX, QWORD PTR [RIP + 0X342F39]
|MOV DWORD PTR [RAX], 0
|JMP 0XEB0
|NOP WORD PTR CS:[RAX + RAX]
|NOP DWORD PTR [RAX]
|MOV RDX, RCX
|LEA RCX, [RIP + 0X34BC86]
|JMP 0X1197F0
|NOP
Packer/Compiler
Detect It Easy (die)
PE+(64): compiler: MinGW(GCC: (GNU) 10.3.0)[-]
PE+(64): linker: GNU linker ld (GNU Binutils)(2.36)[-]
Entropy: 6.82237

Suspicious Functions
Library | Function | Description
KERNEL32.DLL | VirtualAlloc | Reserve, commit, or both, a region of memory within the virtual address space of a process.
KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL | LoadLibraryW | Loads the specified module into the address space of the calling process.
KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
Ws2_32.DLL | socket | Create a communication endpoint for networking applications.
ET Functions (carving)
file.exe
MpAllocMemory
MpClientUtilExportFunctions
MpConfigClose
MpConfigGetValue
MpConfigGetValueAlloc
MpConfigInitialize
MpConfigOpen
MpConfigRegisterForNotifications
MpConfigSetValue
MpConfigUninitialize
MpConfigUnregisterNotifications
MpFreeMemory
_cgo_dummy_export

File Access
os.Exe
internal/poll.exe
file.exe
msvcrt.dll
KERNEL32.dll
seconds/godebug/non-default-behavior/bcryptprimitives.dll
itab.sys
.dat
internal/abi.Name.Dat
internal/poll.Ini
main.ini
internal/syscall/windows.ini
crypto/internal/fips140/aes/gcm.ini
crypto/internal/fips140/drbg.ini
crypto/internal/fips140/aes.ini
crypto/internal/fips140/check.ini
crypto/internal/fips140/hmac.ini
crypto/internal/fips140/sha512.ini
crypto/internal/fips140/sha3.ini
crypto/internal/fips140/sha256.ini
crypto/internal/fips140.ini
encoding/json.ini
encoding/base64.ini
crypto/rand.ini
math/big.ini
fmt.ini
reflect.ini
crypto/internal/fips140only.ini
os.ini
io/fs.ini
time.ini
internal/syscall/windows/registry.ini
crypto/internal/fips140deps/cpu.ini
internal/godebug.ini
crypto.ini
math.ini
iter.ini
unicode.ini
errors.ini
sync.ini
internal/syscall/windows/sysdll.ini
internal/bytealg.ini
internal/cpu.Ini
Temp
WinDir
SysDir
UserProfile

File Access (UNICODE)
bcryptprimitives.dll
powrprof.dll
winmm.dll
ntdll.dll

Words of Interest
zombie
Encrypt
Decrypt
exec
netsh
attrib
start
pause
cipher
shutdown
systeminfo
ping
expand
replace
route

URLs
https://go.dev/issue/66821):

Strings/Hex Code Found With The File Rules
Rule Type Encoding Matched (Word)
Text Ascii Unicode escape - \u00 - (Common Unicode escape sequences)
Text Ascii WinAPI Sockets (WSACleanup)
Text Ascii WinAPI Sockets (bind)
Text Ascii WinAPI Sockets (listen)
Text Ascii WinAPI Sockets (accept)
Text Ascii WinAPI Sockets (connect)
Text Ascii WinAPI Sockets (recv)
Text Ascii WinAPI Sockets (send)
Text Ascii Registry (RegCreateKeyEx)
Text Ascii Registry (RegOpenKeyEx)
Text Ascii Registry (RegSetValueEx)
Text Ascii File (GetTempPath)
Text Ascii File (CreateFile)
Text Ascii File (WriteFile)
Text Ascii File (ReadFile)
Text Ascii Service (OpenSCManager)
Text Ascii Encryption API (CryptAcquireContext)
Text Ascii Encryption API (CryptReleaseContext)
Text Ascii Anti-Analysis VM (GetSystemInfo)
Text Ascii Anti-Analysis VM (GetVersion)
Text Ascii Anti-Analysis VM (CreateToolhelp32Snapshot)
Text Ascii Reconnaissance (FindFirstFileW)
Text Ascii Reconnaissance (FindNextFileW)
Text Ascii Reconnaissance (FindClose)
Text Ascii Stealth (GetThreadContext)
Text Ascii Stealth (SetThreadContext)
Text Ascii Stealth (CloseHandle)
Text Ascii Stealth (UnmapViewOfFile)
Text Ascii Stealth (MapViewOfFile)
Text Ascii Stealth (CreateFileMappingW)
Text Ascii Stealth (VirtualAlloc)
Text Ascii Stealth (VirtualProtect)
Text Ascii Execution (CreateProcessA)
Text Ascii Execution (CreateProcessW)
Text Ascii Execution (ResumeThread)
Text Ascii Execution (CreateEventA)
Text Ascii Execution (CreateEventW)
Intelligent String
• .bss
• .tls
• @0@.bss
• .CRT
• ntdll.dll
• winmm.dll
• powrprof.dll
• bcryptprimitives.dll
• GetSidSubAuthorityCountImpersonateLoggedOnUserDestroyEnvironmentBlockexit hook invoked panicpattern bits too long: connection reset by peerlevel 2 not synchronizedlink number out of rangeout of streams resourcesfunction not implementedstructure needs cleaningnot supported by windowsCertFreeCertificateChainCreateToolhelp32SnapshotGetUserProfileDirectoryWjson: unsupported type: invalid argument to Intntracecheckstackownershiphash of unhashable type span has no free objectsruntime: found obj at *(runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCcheckfinalizers: queue: update during transitionruntime: markroot index can't scan our own stackgcDrainN phase incorrectpageAlloc: out of memoryruntime: p.searchAddr = range partially overlaps [recovered, repanicked]stack trace unavailable
• 9KERNEL32.dll
• 9msvcrt.dll
• C:/crossdev/src/mingw-w64-v8-git/mingw-w64-crt/crt/crtdll.cC:\crossdev\gccmaster\build-tdm64\runtime\mingw-w64-crt
• C:/crossdev/src/mingw-w64-v8-git/mingw-w64-crt/crt/mingw_helpers.cC:\crossdev\gccmaster\build-tdm64\runtime\mingw-w64-crt:b
• C:/crossdev/src/mingw-w64-v8-git/mingw-w64-crt/crt/pseudo-reloc-list.cC:\crossdev\gccmaster\build-tdm64\runtime\mingw-w64-crt3k
• io.EOF

Flow Anomalies
Offset RVA Section Description
770C2-771C0 N/A .text Potential obfuscated jump sequence detected, count: 51
34B630 1189D0 .CRT TLS Callback | Pointer to 1E5DF89D0 - 0x117FD0 .text
34B638 1189A0 .CRT TLS Callback | Pointer to 1E5DF89A0 - 0x117FA0 .text
386A00 N/A *Overlay* 2E66696C650000003A000000FEFF000067016372 | .file...:.......g.cr
Extra Analysis
Metric Value Percentage
Ascii Code 2319428 59,053%
Null Byte Code 699054 17,798%
NOP Cave Found 0x9090909090 Block Count: 45 | Total: 0,0029%