PESCAN.IO — Analysis Report

PESCAN.IO - Analysis Report Basic

File Structure

PE Chart Code

Executable header (light blue)

Executable sections (pink)

Non-executable sections (black)

External injected code (red)

File Structure in red = malformed or corrupted header

Chart Code For Other Files

Printable characters (blue)

Non-printable characters (black)

Information

Icon:

Size: 198,37 KB
SHA-256 Hash: 0CFDB646342E76796FE5416197C09300693FB0AC1BC5D35CE77FBAAB87A3BEA6
SHA-1 Hash: 1993CFFD2F030AEF7AB679FA9FC7725921CCA7F2
MD5 Hash: 6F50989A8C1923E2897BE33B148712BC
Imphash: 6A91EB82BFD19D2706C7D43C46F7064E
MajorOSVersion: 6
MinorOSVersion: 0
CheckSum: 00037EED
EntryPoint (rva): 113A0
SizeOfHeaders: 400
SizeOfImage: 35000
ImageBase: 0000000140000000
Architecture: x64
ImportTable: 2072C
IAT: 18000
Characteristics: 22
TimeDateStamp: 65680000
Date: 30/11/2023 3:22:40
File Type: EXE
Number Of Sections: 7
ASLR: Disabled
Section Names (Optional Header): .text, .rdata, .data, .pdata, _RDATA, .reloc, .rsrc
Number Of Executable Sections: 1
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker

Sections Info

Section Name	Flags	ROffset	RSize	VOffset	VSize	Entropy	Chi2
.text	60000020 (Code, Executable, Readable)	400	16A00	1000	1699C	6,3742	647918,73
.rdata	40000040 (Initialized Data, Readable)	16E00	9600	18000	95E6	4,4871	2131768,24
.data	C0000040 (Initialized Data, Readable, Writeable)	20400	A00	22000	1850	2,3446	332864,60
.pdata	40000040 (Initialized Data, Readable)	20E00	1400	24000	13BC	4,9937	199718,50
_RDATA	40000040 (Initialized Data, Readable)	22200	200	26000	1F4	4,1900	19976,00
.reloc	42000040 (Initialized Data, GP-Relative, Readable)	22400	400	27000	318	4,6985	22262,50
.rsrc	40000040 (Initialized Data, Readable)	22800	D000	28000	CE90	4,2542	2834177,55

Description

OriginalFilename: WealthLab8.dll
CompanyName: Quantacula, LLC
ProductName: WealthLab8
FileVersion: 8.0.157
FileDescription: WealthLab8
ProductVersion: 8.0.157+32abd25924d2489b8f65c0749afdfa0e3a84a519
Language: Unknown (ID=0x0)
CodePage: Unicode (UTF-16 LE) (0x4B0)

Entry Point

The section number (1) have the Entry Point
Information -> EntryPoint (calculated) - 107A0
Code -> 4883EC28E8C30600004883C428E96AFEFFFFCCCC4883EC284D8B4138488BCA498BD1E80D000000B8010000004883C428C3CC
• SUB RSP, 0X28
• CALL 0X16CC
• ADD RSP, 0X28
• JMP 0XE7C
• INT3
• INT3
• SUB RSP, 0X28
• MOV R8, QWORD PTR [R9 + 0X38]
• MOV RCX, RDX
• MOV RDX, R9
• CALL 0X1034
• MOV EAX, 1
• ADD RSP, 0X28
• RET
• INT3

Signatures

Rich Signature Analyzer:
Code -> 4E7692E90A17FCBA0A17FCBA0A17FCBA0A17FCBA0B17FCBA0C96F8BB0617FCBA0C96FFBB1817FCBA0C96F9BB5C17FCBA036F6FBA1A17FCBA416FFDBB0317FCBA0A17FDBAC317FCBA6396F5BB0017FCBA6396FEBB0B17FCBA526963680A17FCBA
Footprint md5 Hash -> 6E27093378B62C9FC3C26B1D943EC4C8
• The Rich header apparently has not been modified
Certificate - Digital Signature:
• The file is signed and the signature is correct

Packer/Compiler

Compiler: Microsoft Visual Studio
Detect It Easy (die)
• PE+(64): compiler: Microsoft Visual C/C++(-)[-]
• PE+(64): linker: Microsoft Linker(14.38**)[-]
• PE+(64): Sign tool: Windows Authenticode(2.0)[PKCS 7]
• Entropy: 5.94245

Suspicious Functions

Library	Function	Description
KERNEL32.DLL	LoadLibraryA	Loads the specified module into the address space of the calling process.
KERNEL32.DLL	GetProcAddress	Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL	IsDebuggerPresent	Determines if the calling process is being debugged by a user-mode debugger.
SHELL32.DLL	ShellExecuteW	Performs a run operation on a specific file.

Windows REG (UNICODE)

SOFTWARE\dotnet

File Access

WealthLab8.dll
api-ms-win-crt-math-l1-1-0.dll
api-ms-win-crt-locale-l1-1-0.dll
api-ms-win-crt-time-l1-1-0.dll
api-ms-win-crt-convert-l1-1-0.dll
api-ms-win-crt-string-l1-1-0.dll
api-ms-win-crt-heap-l1-1-0.dll
api-ms-win-crt-stdio-l1-1-0.dll
api-ms-win-crt-runtime-l1-1-0.dll
ADVAPI32.dll
SHELL32.dll
USER32.dll
KERNEL32.dll
ntdll.dll
.dat
@.dat
Temp

File Access (UNICODE)

kernel32.dll
WealthLab8.dll
comctl32.dll
hostfxr.dll
ProgramFiles

Interest's Words

exec
attrib
start
ping

Interest's Words (UNICODE)

exec
start

URLs

http://ocsp.digicert.com
http://cacerts.digicert.com/DigiCertGlobalRootG3.crt
http://crl3.digicert.com/DigiCertGlobalRootG3.crl
http://www.digicert.com/CPS0
http://crl3.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crl
http://crl4.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crl
http://cacerts.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crt
http://cacerts.digicert.com/DigiCertTrustedG4TimeStampingRSA4096SHA2562025CA1.crt
http://crl3.digicert.com/DigiCertTrustedG4TimeStampingRSA4096SHA2562025CA1.crl
http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
http://crl3.digicert.com/DigiCertTrustedRootG4.crl
http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl

URLs (UNICODE)

https://go.microsoft.com/fwlink/?linkid=798306
https://aka.ms/dotnet-core-applaunch?
https://aka.ms/dotnet/app-launch-failed
https://aka.ms/dotnet/app-launch-failedWould you like to download it now?
https://aka.ms/dotnet/app-launch-failedDownload the .NET runtime:%s&apphost_version=%s

IP Addresses

8.0.157.0

Strings/Hex Code Found With The File Rules

Rule Type	Encoding	Matched (Word)
Text	Unicode	WinAPI Sockets (bind)
Text	Ascii	WinAPI Sockets (connect)
Text	Ascii	Registry (RegOpenKeyEx)
Text	Ascii	Registry (RegGetValue)
Text	Ascii	File (GetTempPath)
Text	Ascii	Anti-Analysis VM (IsDebuggerPresent)
Text	Ascii	Anti-Analysis VM (GetVersion)
Text	Ascii	Reconnaissance (FindNextFileW)
Text	Ascii	Reconnaissance (FindClose)
Text	Ascii	Execution (ShellExecute)
Text	Unicode	Malicious rerouting of traffic to an attacker-controlled site (Redirect)
Entry Point	Hex Pattern	Microsoft Visual C++ 8.0 (DLL)

Resources

Path	DataRVA	Size	FileOffset	Code	Text
\ICON\1\0	28170	468	22970	2800000010000000200000000100200000000000000400000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\ICON\2\0	285D8	988	22DD8	2800000018000000300000000100200000000000000900000000000000000000000000000000000000000000000000000000	(.......0..... ...................................
\ICON\3\0	28F60	10A8	23760	2800000020000000400000000100200000000000001000000000000000000000000000000000000000000000000000000000	(... ...@..... ...................................
\ICON\4\0	2A008	25A8	24808	2800000030000000600000000100200000000000002400000000000000000000000000000000000000000000000000000000	(...0........ ......$............................
\ICON\5\0	2C5B0	82F0	26DB0	280000005A000000B40000000100200000000000907E00000000000000000000000000000000000000000000000000000000	(...Z......... ......~............................
\GROUP_ICON\32512\0	348A0	4C	2F0A0	000001000500101000000100200068040000010018180000010020008809000002002020000001002000A810000003003030000001002000A825000004005A5A000001002000F08200000500	............ .h........... ....... .... .......00.... ..%....ZZ.... .......
\VERSION\1\0	348EC	338	2F0EC	380334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000	8.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
\24\1\0	34C24	1EA	2F424	EFBBBF3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E65	...<?xml version="1.0" encoding="UTF-8" standalone

Intelligent String

• WealthLab8.dll
• api-ms-win-crt-heap-l1-1-0.dll
• api-ms-win-crt-stdio-l1-1-0.dll
• 0_time64api-ms-win-crt-runtime-l1-1-0.dll
• https://aka.ms/dotnet/app-launch-failed
• hostfxr.dll
• https://go.microsoft.com/fwlink/?linkid=798306
• <A HREF="
• comctl32.dll
• TaskDialogIndirect
• ntdll.dll
• kernel32.dll
• D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdb
• .tls
• .bss
• KERNEL32.dll
• api-ms-win-crt-string-l1-1-0.dll
• api-ms-win-crt-convert-l1-1-0.dll
• api-ms-win-crt-time-l1-1-0.dll
• api-ms-win-crt-locale-l1-1-0.dll
• api-ms-win-crt-math-l1-1-0.dll
• 8.0.157.0
• :060U00Uq]dL.g?O0U0E1-Q!m0U0y+m0k0$+0http://ocsp.digicert.com0C+07http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0EU>0<0:864http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0U

Flow Anomalies

Offset	RVA	Section	Description
642	N/A	.text	CALL QWORD PTR [RIP+0x17068]
6AB	N/A	.text	CALL QWORD PTR [RIP+0x16FFF]
8E8	N/A	.text	CALL QWORD PTR [RIP+0x16F32]
B09	N/A	.text	CALL QWORD PTR [RIP+0x16D11]
B5E	N/A	.text	CALL QWORD PTR [RIP+0x16B4C]
C06	N/A	.text	CALL QWORD PTR [RIP+0x16AA4]
F54	N/A	.text	CALL QWORD PTR [RIP+0x168C6]
F75	N/A	.text	JMP QWORD PTR [RIP+0x168A5]
109B	N/A	.text	CALL QWORD PTR [RIP+0x16597]
10AE	N/A	.text	CALL QWORD PTR [RIP+0x16584]
10C1	N/A	.text	CALL QWORD PTR [RIP+0x16571]
10D4	N/A	.text	CALL QWORD PTR [RIP+0x1655E]
10E7	N/A	.text	CALL QWORD PTR [RIP+0x1654B]
10FA	N/A	.text	CALL QWORD PTR [RIP+0x16538]
11D1	N/A	.text	CALL QWORD PTR [RIP+0x16649]
1241	N/A	.text	CALL QWORD PTR [RIP+0x165D9]
1553	N/A	.text	CALL QWORD PTR [RIP+0x160DF]
155D	N/A	.text	CALL QWORD PTR [RIP+0x160D5]
1632	N/A	.text	CALL QWORD PTR [RIP+0x16078]
1812	N/A	.text	CALL QWORD PTR [RIP+0x15F48]
181E	N/A	.text	CALL QWORD PTR [RIP+0x15F5C]
1829	N/A	.text	CALL QWORD PTR [RIP+0x15F31]
1842	N/A	.text	JMP QWORD PTR [RIP+0x15F20]
1887	N/A	.text	CALL QWORD PTR [RIP+0x15B8B]
1BAE	N/A	.text	CALL QWORD PTR [RIP+0x1586C]
1BB7	N/A	.text	CALL QWORD PTR [RIP+0x15853]
1BF5	N/A	.text	CALL QWORD PTR [RIP+0x15AB5]
1DEE	N/A	.text	CALL QWORD PTR [RIP+0x158BC]
1F84	N/A	.text	CALL QWORD PTR [RIP+0x15666]
2200	N/A	.text	CALL QWORD PTR [RIP+0x1523A]
2218	N/A	.text	CALL QWORD PTR [RIP+0x152DA]
2229	N/A	.text	CALL QWORD PTR [RIP+0x15209]
226C	N/A	.text	CALL QWORD PTR [RIP+0x15226]
2283	N/A	.text	CALL QWORD PTR [RIP+0x1527F]
241D	N/A	.text	CALL QWORD PTR [RIP+0x153FD]
2442	N/A	.text	CALL QWORD PTR [RIP+0x14FF0]
2480	N/A	.text	CALL QWORD PTR [RIP+0x1522A]
24E1	N/A	.text	CALL QWORD PTR [RIP+0x15109]
2554	N/A	.text	CALL QWORD PTR [RIP+0x14F36]
2564	N/A	.text	CALL QWORD PTR [RIP+0x14FA6]
25C0	N/A	.text	CALL QWORD PTR [RIP+0x14ECA]
25CA	N/A	.text	CALL QWORD PTR [RIP+0x14F40]
2662	N/A	.text	CALL QWORD PTR [RIP+0x14FB0]
2779	N/A	.text	CALL QWORD PTR [RIP+0x14F31]
284F	N/A	.text	CALL QWORD PTR [RIP+0x14E5B]
2E2A	N/A	.text	CALL QWORD PTR [RIP+0x14880]
2E31	N/A	.text	CALL QWORD PTR [RIP+0x14879]
31F6	N/A	.text	CALL QWORD PTR [RIP+0x144B4]
31FD	N/A	.text	CALL QWORD PTR [RIP+0x144AD]
3264	N/A	.text	CALL QWORD PTR [RIP+0x14296]
32F1	N/A	.text	CALL QWORD PTR [RIP+0x14231]
330D	N/A	.text	CALL QWORD PTR [RIP+0x141FD]
3374	N/A	.text	CALL QWORD PTR [RIP+0x1419E]
337E	N/A	.text	CALL QWORD PTR [RIP+0x1418C]
33CC	N/A	.text	CALL QWORD PTR [RIP+0x142DE]
340C	N/A	.text	CALL QWORD PTR [RIP+0x140FE]
358C	N/A	.text	CALL QWORD PTR [RIP+0x1406E]
35BE	N/A	.text	CALL QWORD PTR [RIP+0x1402C]
35FC	N/A	.text	CALL QWORD PTR [RIP+0x140AE]
365F	N/A	.text	CALL QWORD PTR [RIP+0x1404B]
36A3	N/A	.text	CALL QWORD PTR [RIP+0x14007]
36F8	N/A	.text	CALL QWORD PTR [RIP+0x13FB2]
374E	N/A	.text	CALL QWORD PTR [RIP+0x13F5C]
3813	N/A	.text	CALL QWORD PTR [RIP+0x14007]
382C	N/A	.text	CALL QWORD PTR [RIP+0x13FEE]
3B58	N/A	.text	CALL QWORD PTR [RIP+0x13B52]
3B93	N/A	.text	CALL QWORD PTR [RIP+0x138FF]
3BF2	N/A	.text	CALL QWORD PTR [RIP+0x13AB8]
3C47	N/A	.text	CALL QWORD PTR [RIP+0x13A63]
4298	N/A	.text	CALL QWORD PTR [RIP+0x13412]
43AA	N/A	.text	CALL QWORD PTR [RIP+0x13470]
4477	N/A	.text	CALL QWORD PTR [RIP+0x133A3]
44D0	N/A	.text	CALL QWORD PTR [RIP+0x1334A]
4549	N/A	.text	CALL QWORD PTR [RIP+0x132D1]
4562	N/A	.text	CALL QWORD PTR [RIP+0x132B8]
4871	N/A	.text	CALL QWORD PTR [RIP+0x12DC1]
4ABC	N/A	.text	CALL QWORD PTR [RIP+0x12BEE]
4B28	N/A	.text	CALL QWORD PTR [RIP+0x12B82]
4B76	N/A	.text	CALL QWORD PTR [RIP+0x12CA4]
4B8F	N/A	.text	CALL QWORD PTR [RIP+0x12C8B]
4C07	N/A	.text	CALL QWORD PTR [RIP+0x12C13]
4C20	N/A	.text	CALL QWORD PTR [RIP+0x12BFA]
4F4C	N/A	.text	CALL QWORD PTR [RIP+0x1275E]
509A	N/A	.text	CALL QWORD PTR [RIP+0x12610]
522D	N/A	.text	CALL QWORD PTR [RIP+0x125ED]
524A	N/A	.text	CALL QWORD PTR [RIP+0x125D0]
525D	N/A	.text	CALL QWORD PTR [RIP+0x125BD]
5277	N/A	.text	CALL QWORD PTR [RIP+0x125A3]
548B	N/A	.text	CALL QWORD PTR [RIP+0x1221F]
55B2	N/A	.text	CALL QWORD PTR [RIP+0x120F8]
56C3	N/A	.text	CALL QWORD PTR [RIP+0x11FE7]
5894	N/A	.text	CALL QWORD PTR [RIP+0x11E16]
5A28	N/A	.text	CALL QWORD PTR [RIP+0x11C82]
5BE3	N/A	.text	CALL QWORD PTR [RIP+0x11AC7]
5CEA	N/A	.text	CALL QWORD PTR [RIP+0x11B30]
5D34	N/A	.text	JMP QWORD PTR [RIP+0x11AE6]
5D99	N/A	.text	CALL QWORD PTR [RIP+0x11A81]
5DF7	N/A	.text	CALL QWORD PTR [RIP+0x11A23]
5E62	N/A	.text	CALL QWORD PTR [RIP+0x119B8]
5F41	N/A	.text	CALL QWORD PTR [RIP+0x118D9]
20E00	1010	.pdata	ExceptionHook \| Pointer to 1010 - 0x410 .text + UnwindInfo: .rdata
20E0C	1040	.pdata	ExceptionHook \| Pointer to 1040 - 0x440 .text + UnwindInfo: .rdata
20E18	1070	.pdata	ExceptionHook \| Pointer to 1070 - 0x470 .text + UnwindInfo: .rdata
20E24	10A0	.pdata	ExceptionHook \| Pointer to 10A0 - 0x4A0 .text + UnwindInfo: .rdata
20E30	10D0	.pdata	ExceptionHook \| Pointer to 10D0 - 0x4D0 .text + UnwindInfo: .rdata
20E3C	1110	.pdata	ExceptionHook \| Pointer to 1110 - 0x510 .text + UnwindInfo: .rdata
20E48	1140	.pdata	ExceptionHook \| Pointer to 1140 - 0x540 .text + UnwindInfo: .rdata
20E54	1250	.pdata	ExceptionHook \| Pointer to 1250 - 0x650 .text + UnwindInfo: .rdata
20E60	12C0	.pdata	ExceptionHook \| Pointer to 12C0 - 0x6C0 .text + UnwindInfo: .rdata
20E6C	1320	.pdata	ExceptionHook \| Pointer to 1320 - 0x720 .text + UnwindInfo: .rdata
20E78	13C0	.pdata	ExceptionHook \| Pointer to 13C0 - 0x7C0 .text + UnwindInfo: .rdata
20E84	13E0	.pdata	ExceptionHook \| Pointer to 13E0 - 0x7E0 .text + UnwindInfo: .rdata
20E90	1420	.pdata	ExceptionHook \| Pointer to 1420 - 0x820 .text + UnwindInfo: .rdata
20E9C	1460	.pdata	ExceptionHook \| Pointer to 1460 - 0x860 .text + UnwindInfo: .rdata
20EA8	1480	.pdata	ExceptionHook \| Pointer to 1480 - 0x880 .text + UnwindInfo: .rdata
20EB4	14D0	.pdata	ExceptionHook \| Pointer to 14D0 - 0x8D0 .text + UnwindInfo: .rdata
20EC0	1560	.pdata	ExceptionHook \| Pointer to 1560 - 0x960 .text + UnwindInfo: .rdata
20ECC	1860	.pdata	ExceptionHook \| Pointer to 1860 - 0xC60 .text + UnwindInfo: .rdata
20ED8	18B0	.pdata	ExceptionHook \| Pointer to 18B0 - 0xCB0 .text + UnwindInfo: .rdata
20EE4	1910	.pdata	ExceptionHook \| Pointer to 1910 - 0xD10 .text + UnwindInfo: .rdata
20EF0	1970	.pdata	ExceptionHook \| Pointer to 1970 - 0xD70 .text + UnwindInfo: .rdata
20EFC	1A30	.pdata	ExceptionHook \| Pointer to 1A30 - 0xE30 .text + UnwindInfo: .rdata
20F08	1A90	.pdata	ExceptionHook \| Pointer to 1A90 - 0xE90 .text + UnwindInfo: .rdata
20F14	1AB0	.pdata	ExceptionHook \| Pointer to 1AB0 - 0xEB0 .text + UnwindInfo: .rdata
20F20	1AF0	.pdata	ExceptionHook \| Pointer to 1AF0 - 0xEF0 .text + UnwindInfo: .rdata
20F2C	1B40	.pdata	ExceptionHook \| Pointer to 1B40 - 0xF40 .text + UnwindInfo: .rdata
20F38	1B80	.pdata	ExceptionHook \| Pointer to 1B80 - 0xF80 .text + UnwindInfo: .rdata
20F44	1D40	.pdata	ExceptionHook \| Pointer to 1D40 - 0x1140 .text + UnwindInfo: .rdata
20F50	1D90	.pdata	ExceptionHook \| Pointer to 1D90 - 0x1190 .text + UnwindInfo: .rdata
20F5C	1E00	.pdata	ExceptionHook \| Pointer to 1E00 - 0x1200 .text + UnwindInfo: .rdata
20F68	1E80	.pdata	ExceptionHook \| Pointer to 1E80 - 0x1280 .text + UnwindInfo: .rdata
20F74	1E95	.pdata	ExceptionHook \| Pointer to 1E95 - 0x1295 .text + UnwindInfo: .rdata
20F80	1EBC	.pdata	ExceptionHook \| Pointer to 1EBC - 0x12BC .text + UnwindInfo: .rdata
20F8C	1EE0	.pdata	ExceptionHook \| Pointer to 1EE0 - 0x12E0 .text + UnwindInfo: .rdata
20F98	1EF5	.pdata	ExceptionHook \| Pointer to 1EF5 - 0x12F5 .text + UnwindInfo: .rdata
20FA4	1F1C	.pdata	ExceptionHook \| Pointer to 1F1C - 0x131C .text + UnwindInfo: .rdata
20FB0	1F30	.pdata	ExceptionHook \| Pointer to 1F30 - 0x1330 .text + UnwindInfo: .rdata
20FBC	1F80	.pdata	ExceptionHook \| Pointer to 1F80 - 0x1380 .text + UnwindInfo: .rdata
20FC8	1F96	.pdata	ExceptionHook \| Pointer to 1F96 - 0x1396 .text + UnwindInfo: .rdata
20FD4	200E	.pdata	ExceptionHook \| Pointer to 200E - 0x140E .text + UnwindInfo: .rdata
20FE0	2020	.pdata	ExceptionHook \| Pointer to 2020 - 0x1420 .text + UnwindInfo: .rdata
20FEC	2080	.pdata	ExceptionHook \| Pointer to 2080 - 0x1480 .text + UnwindInfo: .rdata
20FF8	20B0	.pdata	ExceptionHook \| Pointer to 20B0 - 0x14B0 .text + UnwindInfo: .rdata
21004	2113	.pdata	ExceptionHook \| Pointer to 2113 - 0x1513 .text + UnwindInfo: .rdata
21010	2130	.pdata	ExceptionHook \| Pointer to 2130 - 0x1530 .text + UnwindInfo: .rdata
2101C	2190	.pdata	ExceptionHook \| Pointer to 2190 - 0x1590 .text + UnwindInfo: .rdata
21028	2270	.pdata	ExceptionHook \| Pointer to 2270 - 0x1670 .text + UnwindInfo: .rdata
21034	22D0	.pdata	ExceptionHook \| Pointer to 22D0 - 0x16D0 .text + UnwindInfo: .rdata
21040	2310	.pdata	ExceptionHook \| Pointer to 2310 - 0x1710 .text + UnwindInfo: .rdata
2104C	231D	.pdata	ExceptionHook \| Pointer to 231D - 0x171D .text + UnwindInfo: .rdata
21058	235A	.pdata	ExceptionHook \| Pointer to 235A - 0x175A .text + UnwindInfo: .rdata
21064	239C	.pdata	ExceptionHook \| Pointer to 239C - 0x179C .text + UnwindInfo: .rdata
21070	23D4	.pdata	ExceptionHook \| Pointer to 23D4 - 0x17D4 .text + UnwindInfo: .rdata
2107C	2450	.pdata	ExceptionHook \| Pointer to 2450 - 0x1850 .text + UnwindInfo: .rdata
21088	2830	.pdata	ExceptionHook \| Pointer to 2830 - 0x1C30 .text + UnwindInfo: .rdata
21094	2A30	.pdata	ExceptionHook \| Pointer to 2A30 - 0x1E30 .text + UnwindInfo: .rdata
210A0	2B60	.pdata	ExceptionHook \| Pointer to 2B60 - 0x1F60 .text + UnwindInfo: .rdata
210AC	2B90	.pdata	ExceptionHook \| Pointer to 2B90 - 0x1F90 .text + UnwindInfo: .rdata
210B8	2DC0	.pdata	ExceptionHook \| Pointer to 2DC0 - 0x21C0 .text + UnwindInfo: .rdata
210C4	30B0	.pdata	ExceptionHook \| Pointer to 30B0 - 0x24B0 .text + UnwindInfo: .rdata
210D0	30F0	.pdata	ExceptionHook \| Pointer to 30F0 - 0x24F0 .text + UnwindInfo: .rdata
210DC	4390	.pdata	ExceptionHook \| Pointer to 4390 - 0x3790 .text + UnwindInfo: .rdata
210E8	44F0	.pdata	ExceptionHook \| Pointer to 44F0 - 0x38F0 .text + UnwindInfo: .rdata
210F4	48A0	.pdata	ExceptionHook \| Pointer to 48A0 - 0x3CA0 .text + UnwindInfo: .rdata
21100	494E	.pdata	ExceptionHook \| Pointer to 494E - 0x3D4E .text + UnwindInfo: .rdata
2110C	49B8	.pdata	ExceptionHook \| Pointer to 49B8 - 0x3DB8 .text + UnwindInfo: .rdata
21118	49E0	.pdata	ExceptionHook \| Pointer to 49E0 - 0x3DE0 .text + UnwindInfo: .rdata
21124	4C70	.pdata	ExceptionHook \| Pointer to 4C70 - 0x4070 .text + UnwindInfo: .rdata
21130	4F20	.pdata	ExceptionHook \| Pointer to 4F20 - 0x4320 .text + UnwindInfo: .rdata
2113C	4F43	.pdata	ExceptionHook \| Pointer to 4F43 - 0x4343 .text + UnwindInfo: .rdata
21148	4FD5	.pdata	ExceptionHook \| Pointer to 4FD5 - 0x43D5 .text + UnwindInfo: .rdata
21154	4FF0	.pdata	ExceptionHook \| Pointer to 4FF0 - 0x43F0 .text + UnwindInfo: .rdata
21160	5013	.pdata	ExceptionHook \| Pointer to 5013 - 0x4413 .text + UnwindInfo: .rdata
2116C	50A5	.pdata	ExceptionHook \| Pointer to 50A5 - 0x44A5 .text + UnwindInfo: .rdata
21178	50C0	.pdata	ExceptionHook \| Pointer to 50C0 - 0x44C0 .text + UnwindInfo: .rdata
21184	5120	.pdata	ExceptionHook \| Pointer to 5120 - 0x4520 .text + UnwindInfo: .rdata
21190	5180	.pdata	ExceptionHook \| Pointer to 5180 - 0x4580 .text + UnwindInfo: .rdata
2119C	5440	.pdata	ExceptionHook \| Pointer to 5440 - 0x4840 .text + UnwindInfo: .rdata
211A8	5460	.pdata	ExceptionHook \| Pointer to 5460 - 0x4860 .text + UnwindInfo: .rdata
211B4	5490	.pdata	ExceptionHook \| Pointer to 5490 - 0x4890 .text + UnwindInfo: .rdata
211C0	54B8	.pdata	ExceptionHook \| Pointer to 54B8 - 0x48B8 .text + UnwindInfo: .rdata
211CC	54FD	.pdata	ExceptionHook \| Pointer to 54FD - 0x48FD .text + UnwindInfo: .rdata
211D8	5510	.pdata	ExceptionHook \| Pointer to 5510 - 0x4910 .text + UnwindInfo: .rdata
211E4	5541	.pdata	ExceptionHook \| Pointer to 5541 - 0x4941 .text + UnwindInfo: .rdata
211F0	5588	.pdata	ExceptionHook \| Pointer to 5588 - 0x4988 .text + UnwindInfo: .rdata
211FC	55A0	.pdata	ExceptionHook \| Pointer to 55A0 - 0x49A0 .text + UnwindInfo: .rdata
21208	55CD	.pdata	ExceptionHook \| Pointer to 55CD - 0x49CD .text + UnwindInfo: .rdata
21214	5614	.pdata	ExceptionHook \| Pointer to 5614 - 0x4A14 .text + UnwindInfo: .rdata
21220	5630	.pdata	ExceptionHook \| Pointer to 5630 - 0x4A30 .text + UnwindInfo: .rdata
2122C	56D0	.pdata	ExceptionHook \| Pointer to 56D0 - 0x4AD0 .text + UnwindInfo: .rdata
21238	5730	.pdata	ExceptionHook \| Pointer to 5730 - 0x4B30 .text + UnwindInfo: .rdata
21244	57D0	.pdata	ExceptionHook \| Pointer to 57D0 - 0x4BD0 .text + UnwindInfo: .rdata
21250	5860	.pdata	ExceptionHook \| Pointer to 5860 - 0x4C60 .text + UnwindInfo: .rdata
2125C	58A0	.pdata	ExceptionHook \| Pointer to 58A0 - 0x4CA0 .text + UnwindInfo: .rdata
21268	5950	.pdata	ExceptionHook \| Pointer to 5950 - 0x4D50 .text + UnwindInfo: .rdata
21274	59C0	.pdata	ExceptionHook \| Pointer to 59C0 - 0x4DC0 .text + UnwindInfo: .rdata
21280	5A30	.pdata	ExceptionHook \| Pointer to 5A30 - 0x4E30 .text + UnwindInfo: .rdata
2128C	5A70	.pdata	ExceptionHook \| Pointer to 5A70 - 0x4E70 .text + UnwindInfo: .rdata
21298	5BA0	.pdata	ExceptionHook \| Pointer to 5BA0 - 0x4FA0 .text + UnwindInfo: .rdata
212A4	5BC3	.pdata	ExceptionHook \| Pointer to 5BC3 - 0x4FC3 .text + UnwindInfo: .rdata
2F800	N/A	Overlay	78210000000202003082216706092A864886F70D \| x!......0.!g..*.H...

Extra Analysis

Metric	Value	Percentage
Ascii Code	102027	50,2279%
Null Byte Code	54808	26,982%

PESCAN.IO - Analysis Report Basic