PREMIUM PESCAN.IO - Analysis Report

| File Structure |
[PE structure chart not reproduced here. Legend: PE header = light blue; executable sections = pink; non-executable sections = black; external injected code = red; a "File Structure" title rendered in red marks a malformed or corrupted header. For non-PE files the chart colours printable characters blue and non-printable characters black.]
| Information |
| Field | Value |
|---|---|
| Size | 14,70 MB |
| SHA-256 Hash | F59DACD0E9ECD7114A0767F7436F964C598DC3DAE7FDF4BCCB231797F67B340E |
| SHA-1 Hash | A5885F80EF2473F0231BEB8031D3B0DB00FF7298 |
| MD5 Hash | 760B13E4DED2F6880D21C5CB36DDE2D5 |
| Imphash | AACB4F2584B9059DA37A7AD7A7A46413 |
| MajorOSVersion | 6 |
| MinorOSVersion | 0 |
| CheckSum | 00000000 |
| EntryPoint (rva) | D899D8 |
| SizeOfHeaders | 400 |
| SizeOfImage | 1B23000 |
| ImageBase | 400000 |
| Architecture | x86 |
| ImportTable | 1931A60 |
| IAT | C6E000 |
| Characteristics | 103 |
| TimeDateStamp | 661A7133 |
| Date | 13/04/2024 11:49:07 |
| File Type | EXE |
| Number Of Sections | 7 |
| ASLR | Disabled |
| Section Names | .text, .rdata, .data, .hahan0, .hahan1, .hahan2, .rsrc |
| Number Of Executable Sections | 3 |
| Subsystem | Windows GUI |
| UAC Execution Level Manifest | asInvoker |
| Note | Incomplete Binary or Compressor Packer - 12,43 MB Missing |
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 0x60000020 Code Executable Readable | 0 | 0 | 1000 | 184F6C | | |
| .rdata | 0x40000040 Initialized Data Readable | 0 | 0 | 186000 | 53BAE | | |
| .data | 0xC0000040 Initialized Data Readable Writeable | 0 | 0 | 1DA000 | A5AC | | |
| .hahan0 | 0x60000020 Code Executable Readable | 0 | 0 | 1E5000 | A880D8 | | |
| .hahan1 | 0xC0000040 Initialized Data Readable Writeable | 400 | E00 | C6E000 | D74 | | |
| .hahan2 | 0x60000020 Code Executable Readable | 1200 | E9E400 | C6F000 | E9E3D0 | | |
| .rsrc | 0x40000040 Initialized Data Readable | E9F600 | 14600 | 1B0E000 | 14570 | | |
| Description |
| Field | Value |
|---|---|
| OriginalFilename | GetHWID.exe |
| CompanyName | hahan |
| LegalCopyright | by hahan123_xxx |
| ProductName | Get_HWID |
| FileVersion | 2.0.4.7 |
| FileDescription | GetHWID |
| ProductVersion | 2.0.4.7 |
| Language | Chinese (People's Republic of China) (ID=0x804) |
| CodePage | Unicode (UTF-16 LE) (0x4B0) |
| Entry Point |
Section number 6 (.hahan2) holds the Entry Point. EntryPoint (calculated): 11BBD8. Code: 529CBABA050DCBC0E225B201510F84110000008BCA8B945406F6E569C74424082DEF32FD8B8C0CFFFAF2340F88D6FFFFFF0F. EP changed to another address (Address Of EntryPoint > Base Of Data).

Assembler:
• PUSH EDX
• PUSHFD
• MOV EDX, 0XCB0D05BA
• SHL DL, 0X25
• MOV DL, 1
• PUSH ECX
• JE 0X1024
• MOV ECX, EDX
• MOV EDX, DWORD PTR [ESP + EDX*2 + 0X69E5F606]
• MOV DWORD PTR [ESP + 8], 0XFD32EF2D
• MOV ECX, DWORD PTR [ESP + ECX + 0X34F2FAFF]
• JS 0X1007
| Signatures |
| Certificate - Digital Signature Not Found: • The file is not signed |
| Packer/Compiler |
| Detect It Easy (die) • PE: linker: Microsoft Linker(14.39)[-] • Entropy: 7.96391 |
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module. |
| KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| URLMON.DLL | URLDownloadToFileA | Downloads a file from the Internet and saves it to a local file. |
| File Access |
| GOLEAUT32.dll MSIMG32.dll ,mNIMM32.dll COMCTL32.dll USER32.dll SHLWAPI.dll urlmon.dll GDI32.dll KERNEL32.dll oledlg.dll UxTheme.dll WININET.dll ole32.dll OLEACC.dll ADVAPI32.dll gdiplus.dll SHELL32.dll WINMM.dll @.dat .TXt |
| File Access (UNICODE) |
| GetHWID.exe |
| Words of Interest |
| exec dism |
| URLs |
| http://schemas.microsoft.com/SMI/2005/WindowsSettings |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | Registry (RegSetValueEx) |
| Text | Ascii | Anti-Analysis VM (GetVersion) |
| Text | Ascii | Stealer malware focused on obtaining CVV codes to conduct unauthorized transactions (CVV) |
| Text | Ascii | Malware that monitors and collects user data (Spy) |
| Entry Point | Hex Pattern | PE Pack v1.0 |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \ICON\1\2052 | 1B0E670 | 668 | E9FC70 | 2800000030000000600000000100040000000000800400000000000000000000000000000000000000000000000080000080 | (...0............................................ |
| \ICON\2\2052 | 1B0ECD8 | 2E8 | EA02D8 | 2800000020000000400000000100040000000000000200000000000000000000000000000000000000000000000080000080 | (... ...@......................................... |
| \ICON\3\2052 | 1B0EFC0 | 1E8 | EA05C0 | 2800000018000000300000000100040000000000200100000000000000000000000000000000000000000000000080000080 | (.......0........... ............................. |
| \ICON\4\2052 | 1B0F1A8 | 128 | EA07A8 | 2800000010000000200000000100040000000000800000000000000000000000000000000000000000000000000080000080 | (....... ......................................... |
| \ICON\5\2052 | 1B0F2D0 | EA8 | EA08D0 | 28000000300000006000000001000800000000000009000000000000000000000001000000010000000000007C3C06005136 | (...0......................................|<..Q6 |
| \ICON\6\2052 | 1B10178 | 8A8 | EA1778 | 28000000200000004000000001000800000000000004000000000000000000000001000000010000000000007E3D0700442D | (... ...@...................................~=..D- |
| \ICON\7\2052 | 1B10A20 | 6C8 | EA2020 | 28000000180000003000000001000800000000004002000000000000000000000001000000010000000000004A343A001C5F | (.......0...........@.......................J4:.._ |
| \ICON\8\2052 | 1B110E8 | 568 | EA26E8 | 280000001000000020000000010008000000000000010000000000000000000000010000000100000000000054392800135F | (....... ...................................T9(.._ |
| \ICON\9\2052 | 1B11650 | 93CB | EA2C50 | 89504E470D0A1A0A0000000D49484452000001000000010008060000005C72A8660000200049444154789CECBD6BB4254775 | .PNG........IHDR.............\r.f.. .IDATx...k.%Gu |
| \ICON\10\2052 | 1B1AA1C | 25A8 | EAC01C | 2800000030000000600000000100200000000000802500000000000000000000000000000000000000000000000000000000 | (...0........ ......%............................ |
| \ICON\11\2052 | 1B1CFC4 | 10A8 | EAE5C4 | 2800000020000000400000000100200000000000801000000000000000000000000000000000000000000000000000000000 | (... ...@..... ................................... |
| \ICON\12\2052 | 1B1E06C | 988 | EAF66C | 2800000018000000300000000100200000000000600900000000000000000000000000000000000000000000000000000000 | (.......0..... .................................. |
| \ICON\13\2052 | 1B1E9F4 | 468 | EAFFF4 | 2800000010000000200000000100200000000000400400000000000000000000000000000000000000000000000000000000 | (....... ..... .....@............................. |
| \ICON\42\2052 | 1B1EE5C | 2E8 | EB045C | 2800000020000000400000000100040000000000800200000000000000000000000000000000000000000000000080000080 | (... ...@......................................... |
| \ICON\43\2052 | 1B1F144 | 128 | EB0744 | 2800000010000000200000000100040000000000C00000000000000000000000000000000000000000000000000080000080 | (....... ......................................... |
| \ICON\44\2052 | 1B1F26C | 128 | EB086C | 2800000010000000200000000100040000000000C00000000000000000000000000000000000000000000000000080000080 | (....... ......................................... |
| \ICON\45\2052 | 1B1F394 | 2E8 | EB0994 | 2800000020000000400000000100040000000000800200000000000000000000000000000000000000000000000080000080 | (... ...@......................................... |
| \ICON\46\2052 | 1B1F67C | 2E8 | EB0C7C | 2800000020000000400000000100040000000000000200000000000000000000000000000000000000000000000080000080 | (... ...@......................................... |
| \ICON\47\2052 | 1B1F964 | 128 | EB0F64 | 2800000010000000200000000100040000000000800000000000000000000000000000000000000000000000000080000080 | (....... ......................................... |
| \ICON\48\2052 | 1B1FA8C | 8A8 | EB108C | 280000002000000040000000010008000000000000040000000000000000000000010000000100000000000042424200AFAE | (... ...@...................................BBB... |
| \ICON\49\2052 | 1B20334 | 568 | EB1934 | 280000001000000020000000010008000000000000010000000000000000000000010000000100000000000042424200AFAE | (....... ...................................BBB... |
| \ICON\50\2052 | 1B2089C | CA8 | EB1E9C | 2800000020000000400000000100180000000000000C000000000000000000000000000000000000F6F6F6F6F6F6F6F6F6F6 | (... ...@......................................... |
| \ICON\51\2052 | 1B21544 | 368 | EB2B44 | 28000000100000002000000001001800000000000003000000000000000000000000000000000000F6F6F6F6F6F6F6F6F6F6 | (....... ......................................... |
| \ICON\52\2052 | 1B218AC | 468 | EB2EAC | 2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000 | (....... ..... ................................... |
| \ICON\53\2052 | 1B21D14 | 128 | EB3314 | 2800000010000000200000000100040000000000C00000000000000000000000000000000000000000000000000080000080 | (....... ......................................... |
| \GROUP_ICON\128\2052 | 1B21E3C | BC | EB343C | 000001000D0030301000010004006806000001002020100001000400E802000002001818100001000400E801000003001010 | ......00......h..... ............................ |
| \GROUP_ICON\16931\2052 | 1B21EF8 | 22 | EB34F8 | 0000010002002020100001000400E80200002A001010100001000400280100002B00 | ...... ..........*.........(...+. |
| \GROUP_ICON\16995\2052 | 1B21F1C | 22 | EB351C | 0000010002001010100001000400280100002C002020100001000400E80200002D00 | ..............(...,. ..........-. |
| \GROUP_ICON\17100\2052 | 1B21F40 | 5A | EB3540 | 0000010006002020100001000400E80200002E001010100001000400280100002F002020000001000800A8080000300010100000010008006805000031002020000001001800A80C000032001010000001001800680300003300 | ...... ....................(.../. ..........0.........h...1. ..........2.........h...3. |
| \GROUP_ICON\17105\2052 | 1B21F9C | 22 | EB359C | 00000100020010100000010020006804000034001010100001000400280100003500 | ............ .h...4.........(...5. |
| \VERSION\1\2052 | 1B21FC0 | 294 | EB35C0 | 940234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \24\1\1033 | 1B22254 | 31C | EB3854 | EFBBBF3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E65 | ...<?xml version="1.0" encoding="UTF-8" standalone |
| Intelligent String |
• GetHWID.exe
• 2.0.4.7
• .CTr
• rw.xRE
• <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware></windowsSettings></application></assembly>
| Flow Anomalies |
| Offset | RVA | Section | Type | Description |
|---|---|---|---|---|
| EDA6 | 1B22254 | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| FD77 | 1B22254 | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| 131F8 | 4895A0AB | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| 219D6 | F41C8FE | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| 25C8C | 390B4212 | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| 2CBA5 | 7FC0AF29 | .hahan2 | CALL [static] | Indirect call to absolute memory address |
| 318FC | B32398A | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| 4C617 | 2F175C31 | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| 4F879 | 783BB844 | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| 5840E | 783BB844 | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| 5ADE4 | 2C1C5844 | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| 6C637 | 5755AC8D | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| 6E4B1 | 1014AC80 | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| 7884A | 25174F12 | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| 79582 | 25174F12 | .hahan2 | CALL [static] | Indirect call to absolute memory address |
| 79588 | 25174F12 | .hahan2 | CALL [static] | Indirect call to absolute memory address |
| 7958E | 25174F12 | .hahan2 | CALL [static] | Indirect call to absolute memory address |
| 9DFCD | 26FDA4A8 | .hahan2 | CALL [static] | Indirect call to absolute memory address |
| 9F049 | 26FDA4A8 | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| A764C | 26FDA4A8 | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| B2F44 | 503887C5 | .hahan2 | CALL [static] | Indirect call to absolute memory address |
| B6DCC | 4C2A2A79 | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| B8516 | 2D353BFC | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| CC53F | 2D353BFC | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| CD309 | 2D353BFC | .hahan2 | CALL [static] | Indirect call to absolute memory address |
| DCDB8 | 2D353BFC | .hahan2 | CALL [static] | Indirect call to absolute memory address |
| DDE3C | 2D353BFC | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| E2256 | 2D353BFC | .hahan2 | CALL [static] | Indirect call to absolute memory address |
| E7855 | 2D353BFC | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| F1EC5 | 4948B62 | .hahan2 | CALL [static] | Indirect call to absolute memory address |
| F85AA | 1D2B7C4D | .hahan2 | CALL [static] | Indirect call to absolute memory address |
| FC34D | 1D2B7C4D | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| 101496 | 1D2B7C4D | .hahan2 | CALL [static] | Indirect call to absolute memory address |
| 106034 | 4E4246AA | .hahan2 | CALL [static] | Indirect call to absolute memory address |
| 1101A5 | 7B840BB | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| 116F60 | 7B840BB | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| 11DB81 | 6106F451 | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| 11E7EA | 6106F451 | .hahan2 | CALL [static] | Indirect call to absolute memory address |
| 1211CD | 2554891C | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| 129AA6 | 3D663B4 | .hahan2 | CALL [static] | Indirect call to absolute memory address |
| 13309E | 3D663B4 | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| 13DC97 | 76A81B12 | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| 143145 | 365AEF4E | .hahan2 | CALL [static] | Indirect call to absolute memory address |
| 144023 | 365AEF4E | .hahan2 | CALL [static] | Indirect call to absolute memory address |
| 14ECF2 | 365AEF4E | .hahan2 | CALL [static] | Indirect call to absolute memory address |
| 15712B | 365AEF4E | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| 15DF14 | 365AEF4E | .hahan2 | CALL [static] | Indirect call to absolute memory address |
| 15EBF7 | 365AEF4E | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| 167F9F | 365AEF4E | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| 16C190 | 78CAC1D2 | .hahan2 | CALL [static] | Indirect call to absolute memory address |
| 16D86A | 88BA36C | .hahan2 | CALL [static] | Indirect call to absolute memory address |
| 183642 | 88BA36C | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| 19A1C2 | 19EFAC42 | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| 1A463D | 34DFA7F2 | .hahan2 | CALL [static] | Indirect call to absolute memory address |
| 1BAC33 | 34DFA7F2 | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| 1C4C38 | 34DFA7F2 | .hahan2 | CALL [static] | Indirect call to absolute memory address |
| 1CABCF | 2FDF0D80 | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| 1CB83B | 7CF9EF1E | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| 1CDA2C | 7CF9EF1E | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| 1DA1FE | 2519EA57 | .hahan2 | CALL [static] | Indirect call to absolute memory address |
| 1E08C4 | 66C90B96 | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| 1E42EF | 3EC202BC | .hahan2 | CALL [static] | Indirect call to absolute memory address |
| 1FA41C | 3EC202BC | .hahan2 | CALL [static] | Indirect call to absolute memory address |
| 1FE0E6 | 3EC202BC | .hahan2 | CALL [static] | Indirect call to absolute memory address |
| 1FF46D | 3EC202BC | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| 201EC7 | 3EC202BC | .hahan2 | CALL [static] | Indirect call to absolute memory address |
| 207BAE | 6C4D59F5 | .hahan2 | CALL [static] | Indirect call to absolute memory address |
| 210EB8 | 66EAD366 | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| 225BD1 | 66EAD366 | .hahan2 | CALL [static] | Indirect call to absolute memory address |
| 23CA46 | 416F207C | .hahan2 | CALL [static] | Indirect call to absolute memory address |
| 243740 | 66C2920F | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| 25A3B1 | 6B547D24 | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| 25B830 | 755C3D5 | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| 2778DD | 755C3D5 | .hahan2 | CALL [static] | Indirect call to absolute memory address |
| 2855F7 | 7378E68D | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| 2866AA | 7378E68D | .hahan2 | CALL [static] | Indirect call to absolute memory address |
| 289A28 | 7378E68D | .hahan2 | CALL [static] | Indirect call to absolute memory address |
| 298957 | 7378E68D | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| 2B355C | 5AAD8ECC | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| 2BD622 | 5AAD8ECC | .hahan2 | CALL [static] | Indirect call to absolute memory address |
| 2C27CB | 5AAD8ECC | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| 2CAF31 | 442E5764 | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| 2CDE81 | 41B84593 | .hahan2 | CALL [static] | Indirect call to absolute memory address |
| 2D493E | 12BB1099 | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| 2E4837 | 78CFE744 | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| 2F8F44 | 78CFE744 | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| 2FA50E | 78CFE744 | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| 2FB9E2 | 27AF33C5 | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| 300CAE | 4CEC3FD2 | .hahan2 | CALL [static] | Indirect call to absolute memory address |
| 309293 | 3FFB9D2D | .hahan2 | CALL [static] | Indirect call to absolute memory address |
| 326D96 | 70B3C575 | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| 32B4D8 | 70B3C575 | .hahan2 | CALL [static] | Indirect call to absolute memory address |
| 33037E | 70B3C575 | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| 33081E | 70B3C575 | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| 33128B | 70B3C575 | .hahan2 | CALL [static] | Indirect call to absolute memory address |
| 33C4E4 | 2BA80E5F | .hahan2 | CALL [static] | Indirect call to absolute memory address |
| 344CC7 | 4C484D36 | .hahan2 | CALL [static] | Indirect call to absolute memory address |
| 347845 | 4C484D36 | .hahan2 | CALL [static] | Indirect call to absolute memory address |
| 34B619 | 4C484D36 | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| 35B66B | 37C57240 | .hahan2 | JMP [static] | Indirect jump to absolute memory address |
| EB34AF | FFC00800 | .rsrc | TLS Callback | Pointer to 800 *Memory* |
| EB34B3 | C00000 | .rsrc | TLS Callback | Pointer to 1000000 - 0xA1B000 .hahan0 |
| EB34B7 | CAC02000 | .rsrc | TLS Callback | Pointer to CB002000 *Memory* |
| EB34BB | 8C00093 | .rsrc | TLS Callback | Pointer to 9000093 *Memory* |
| EB34BF | FFF03000 | .rsrc | TLS Callback | Pointer to 303000 *Memory* |
| EB34C3 | 1FC00100 | .rsrc | TLS Callback | Pointer to 20000100 *Memory* |
| EB34C7 | FFE5A800 | .rsrc | TLS Callback | Pointer to 25A800 *Memory* |
| EB34CB | 1FC00A00 | .rsrc | TLS Callback | Pointer to 20000A00 *Memory* |
| EB34CF | C00020 | .rsrc | TLS Callback | Pointer to 1000020 - 0xA1B020 .hahan0 |
| EB34D3 | A7C02000 | .rsrc | TLS Callback | Pointer to A8002000 *Memory* |
| EB34D7 | AC00010 | .rsrc | TLS Callback | Pointer to B000010 *Memory* |
| EB34DB | FFD81800 | .rsrc | TLS Callback | Pointer to 181800 *Memory* |
| EB34DF | 1FC00100 | .rsrc | TLS Callback | Pointer to 20000100 *Memory* |
| EB34E3 | FFC98800 | .rsrc | TLS Callback | Pointer to 98800 *Memory* |
| EB34E7 | FC00C00 | .rsrc | TLS Callback | Pointer to 10000C00 *Memory* |
| EB34EB | C00010 | .rsrc | TLS Callback | Pointer to 1000010 - 0xA1B010 .hahan0 |
| EB34EF | 67C02000 | .rsrc | TLS Callback | Pointer to 68002000 *Memory* |
| EB34F3 | CC00004 | .rsrc | TLS Callback | Pointer to D000004 *Memory* |
| EB34F7 | C00000 | .rsrc | TLS Callback | Pointer to 1000000 - 0xA1B000 .hahan0 |
| EB34FB | 1FC00200 | .rsrc | TLS Callback | Pointer to 20000200 *Memory* |
| EB34FF | C01020 | .rsrc | TLS Callback | Pointer to 1001020 - 0xA1C020 .hahan0 |
| EB3503 | E7C00400 | .rsrc | TLS Callback | Pointer to E8000400 *Memory* |
| EB3507 | 29C00002 | .rsrc | TLS Callback | Pointer to 2A000002 *Memory* |
| EB350B | FD01000 | .rsrc | TLS Callback | Pointer to 10101000 *Memory* |
| EB350F | 3C00100 | .rsrc | TLS Callback | Pointer to 4000100 *Memory* |
| EB3513 | FFC12800 | .rsrc | TLS Callback | Pointer to 12800 *Memory* |
| EB3517 | FFC02B00 | .rsrc | TLS Callback | Pointer to 2B00 *Memory* |
| EB351B | C00000 | .rsrc | TLS Callback | Pointer to 1000000 - 0xA1B000 .hahan0 |
| EB351F | FC00200 | .rsrc | TLS Callback | Pointer to 10000200 *Memory* |
| EB3523 | C01010 | .rsrc | TLS Callback | Pointer to 1001010 - 0xA1C010 .hahan0 |
| EB3527 | 27C00400 | .rsrc | TLS Callback | Pointer to 28000400 *Memory* |
| EB352B | 2BC00001 | .rsrc | TLS Callback | Pointer to 2C000001 *Memory* |
| EB352F | FE02000 | .rsrc | TLS Callback | Pointer to 10202000 *Memory* |
| EB3533 | 3C00100 | .rsrc | TLS Callback | Pointer to 4000100 *Memory* |
| EB3537 | FFC2E800 | .rsrc | TLS Callback | Pointer to 2E800 *Memory* |
| EB353B | FFC02D00 | .rsrc | TLS Callback | Pointer to 2D00 *Memory* |
| EB353F | C00000 | .rsrc | TLS Callback | Pointer to 1000000 - 0xA1B000 .hahan0 |
| EB3543 | 1FC00600 | .rsrc | TLS Callback | Pointer to 20000600 *Memory* |
| EB3547 | C01020 | .rsrc | TLS Callback | Pointer to 1001020 - 0xA1C020 .hahan0 |
| EB354B | E7C00400 | .rsrc | TLS Callback | Pointer to E8000400 *Memory* |
| EB354F | 2DC00002 | .rsrc | TLS Callback | Pointer to 2E000002 *Memory* |
| EB3553 | FD01000 | .rsrc | TLS Callback | Pointer to 10101000 *Memory* |
| EB3557 | 3C00100 | .rsrc | TLS Callback | Pointer to 4000100 *Memory* |
| EB355B | FFC12800 | .rsrc | TLS Callback | Pointer to 12800 *Memory* |
| EB355F | 1FC02F00 | .rsrc | TLS Callback | Pointer to 20002F00 *Memory* |
| EB3563 | C00020 | .rsrc | TLS Callback | Pointer to 1000020 - 0xA1B020 .hahan0 |
| EB3567 | A7C00800 | .rsrc | TLS Callback | Pointer to A8000800 *Memory* |
| EB356B | 2FC00008 | .rsrc | TLS Callback | Pointer to 30000008 *Memory* |
| EB356F | FFD01000 | .rsrc | TLS Callback | Pointer to 101000 *Memory* |
| EB3573 | 7C00100 | .rsrc | TLS Callback | Pointer to 8000100 *Memory* |
| EB3577 | FFC56800 | .rsrc | TLS Callback | Pointer to 56800 *Memory* |
| EB357B | 1FC03100 | .rsrc | TLS Callback | Pointer to 20003100 *Memory* |
| EB357F | C00020 | .rsrc | TLS Callback | Pointer to 1000020 - 0xA1B020 .hahan0 |
| EB3583 | A7C01800 | .rsrc | TLS Callback | Pointer to A8001800 *Memory* |
| EB3587 | 31C0000C | .rsrc | TLS Callback | Pointer to 3200000C *Memory* |
| EB358B | FFD01000 | .rsrc | TLS Callback | Pointer to 101000 *Memory* |
| EB358F | 17C00100 | .rsrc | TLS Callback | Pointer to 18000100 *Memory* |
| EB3593 | FFC36800 | .rsrc | TLS Callback | Pointer to 36800 *Memory* |
| EB3597 | FFC03300 | .rsrc | TLS Callback | Pointer to 3300 *Memory* |
| EB359B | C00000 | .rsrc | TLS Callback | Pointer to 1000000 - 0xA1B000 .hahan0 |
| EB359F | FC00200 | .rsrc | TLS Callback | Pointer to 10000200 *Memory* |
| EB35A3 | C00010 | .rsrc | TLS Callback | Pointer to 1000010 - 0xA1B010 .hahan0 |
| EB35A7 | 67C02000 | .rsrc | TLS Callback | Pointer to 68002000 *Memory* |
| EB35AB | 33C00004 | .rsrc | TLS Callback | Pointer to 34000004 *Memory* |
| EB35AF | FD01000 | .rsrc | TLS Callback | Pointer to 10101000 *Memory* |
| EB35B3 | 3C00100 | .rsrc | TLS Callback | Pointer to 4000100 *Memory* |
| EB35B7 | FFC12800 | .rsrc | TLS Callback | Pointer to 12800 *Memory* |
| EB35BB | FFC03500 | .rsrc | TLS Callback | Pointer to 3500 *Memory* |
| EB35BF | 33C29400 | .rsrc | TLS Callback | Pointer to 34029400 *Memory* |
| EB35C3 | 55C00000 | .rsrc | TLS Callback | Pointer to 56000000 *Memory* |
| EB35C7 | 5EC05300 | .rsrc | TLS Callback | Pointer to 5F005300 *Memory* |
| EB35CB | 44C05600 | .rsrc | TLS Callback | Pointer to 45005600 *Memory* |
| EB35CF | 52C05200 | .rsrc | TLS Callback | Pointer to 53005200 *Memory* |
| EB35D3 | 4EC04900 | .rsrc | TLS Callback | Pointer to 4F004900 *Memory* |
| EB35D7 | 5EC04E00 | .rsrc | TLS Callback | Pointer to 5F004E00 *Memory* |
| EB35DB | 4DC04900 | .rsrc | TLS Callback | Pointer to 4E004900 *Memory* |
| EB35DF | 4EC04600 | .rsrc | TLS Callback | Pointer to 4F004600 *Memory* |
| 1200-E9F5FF | C6F000 | .hahan2 | Executable section anomaly | First bytes: D1C166C1F8C14166 |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 10457135 | 67,8316% |
| Null Byte Code | 157652 | 1,0226% |
© 2026 All rights reserved.