PESCAN.IO - Analysis Report Basic

Information
Size: 4,75 MB
SHA-256 Hash: A757C6D9166657B6E56F5AD038E5539C8B7F6ACB28B1B560DD7412210CA1D63D
SHA-1 Hash: 46386479D0C4DC6FCC91981DDBDE274FF27A4228
MD5 Hash: 92303E45B60462B02F65B4D7099717A9
Imphash: D40EA1DD2996894AC59BECCA8F04AA67
MajorOSVersion: 10
MinorOSVersion: 0
CheckSum: 004CA9DB
EntryPoint (rva): 145BA0
SizeOfHeaders: 1000
SizeOfImage: 4CA000
ImageBase: 0000000180000000
Architecture: x64
ExportTable: 48A3C0
ImportTable: 48A738
IAT: 3D3200
Characteristics: 2022
TimeDateStamp: 89316F2F
Date: 09/12/2042 6:11:59
File Type: DLL
Number Of Sections: 7
ASLR: Disabled
Section Names (Optional Header): .text, fothk, .rdata, .data, .pdata, .rsrc, .reloc
Number Of Executable Sections: 2
Subsystem: Windows Console

Sections Info
Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2
.text | 0x60000020 (Code, Executable, Readable) | 1000 | 397000 | 1000 | 396C01 | 6.4096 | 25939135.82
fothk | 0x60000020 (Code, Executable, Readable) | 398000 | 1000 | 398000 | 1000 | 0.0164 | 1041921.88
.rdata | 0x40000040 (Initialized Data, Readable) | 399000 | F4000 | 399000 | F37A2 | 5.3636 | 29930381.47
.data | 0xC0000040 (Initialized Data, Readable, Writeable) | 48D000 | A000 | 48D000 | 14BC0 | 2.6537 | 4968953.39
.pdata | 0x40000040 (Initialized Data, Readable) | 497000 | 1F000 | 4A2000 | 1E090 | 6.2598 | 2562093.3
.rsrc | 0x40000040 (Initialized Data, Readable) | 4B6000 | 1000 | 4C1000 | 420 | 1.117 | 825749.88
.reloc | 0x42000040 (Initialized Data, GP-Relative, Readable) | 4B7000 | 8000 | 4C2000 | 7C48 | 5.4233 | 187864.28

Description
OriginalFilename: d3dcompiler_47.dll
CompanyName: Microsoft Corporation
LegalCopyright: Microsoft Corporation. All rights reserved.
ProductName: Microsoft Windows Operating System
FileVersion: 10.0.28000.1340 (WinBuild.160101.0800)
FileDescription: Direct3D HLSL Compiler
ProductVersion: 10.0.28000.1340
Language: English (United States) (ID=0x409)
CodePage: Unicode (UTF-16 LE) (0x4B0)

Entry Point
Section number (1) contains the Entry Point
Information -> EntryPoint (calculated) - 145BA0
Code -> 48895C24084889742410574883EC20498BF88BDA488BF183FA017505E8570400004C8BC78BD3488BCE488B5C2430488B7424
Assembler
|MOV QWORD PTR [RSP + 8], RBX
|MOV QWORD PTR [RSP + 0X10], RSI
|PUSH RDI
|SUB RSP, 0X20
|MOV RDI, R8
|MOV EBX, EDX
|MOV RSI, RCX
|CMP EDX, 1
|JNE 0X1021
|CALL 0X1478
|MOV R8, RDI
|MOV EDX, EBX
|MOV RCX, RSI
|MOV RBX, QWORD PTR [RSP + 0X30]
Signatures
Rich Signature Analyzer:
Code -> 1B1C4AC05F7D24935F7D24935F7D2493D8F42092577D2493D8F421921B7D2493D8F4D9935D7D24935605B793607D24935F7D24935E7D2493D0F427925A7D24935F7D2593E1792493D0F425925D7D2493D0F42192757D2493D0F42092467D2493D0F424925E7D2493D0F42C92D67D2493D0F4D9935E7D2493D0F4DB935E7D2493D0F426925E7D2493526963685F7D2493
Footprint md5 Hash -> 6656100930E226A1B7DF8D7B1435CCD4
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler
Compiler: Microsoft Visual Studio
Detect It Easy (die)
PE+(64): compiler: Microsoft Visual C/C++(-)[-]
PE+(64): linker: Microsoft Linker(14.44**)[-]
Entropy: 6.40718

Suspicious Functions
Library Function Description
KERNEL32.DLL GetModuleFileNameA Retrieve the fully qualified path for the executable file of a specified module.
KERNEL32.DLL VirtualAlloc Reserve, commit, or both, a region of memory within the virtual address space of a process.
KERNEL32.DLL WriteFile Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL GetProcAddress Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL CreateFileA Creates or opens a file or I/O device.
KERNEL32.DLL IsDebuggerPresent Determines if the calling process is being debugged by a user-mode debugger.
Windows REG
Software\Microsoft\Direct3D\Direct3D12

Windows REG (UNICODE)
Software\Microsoft\VisualStudio\MSPDB

File Access
api-ms-win-security-cryptoapi-l1-1-0.dll
api-ms-win-core-string-obsolete-l1-1-0.dll
api-ms-win-crt-time-l1-1-0.dll
msvcp_win.dll
RPCRT4.dll
api-ms-win-core-kernel32-legacy-l1-1-0.dll
api-ms-win-core-io-l1-1-0.dll
api-ms-win-core-localization-l1-2-0.dll
api-ms-win-core-registry-l1-1-0.dll
api-ms-win-core-heap-l2-1-0.dll
api-ms-win-core-interlocked-l1-1-0.dll
api-ms-win-core-profile-l1-1-0.dll
api-ms-win-core-processthreads-l1-1-1.dll
api-ms-win-core-rtlsupport-l1-1-0.dll
api-ms-win-core-sysinfo-l1-1-0.dll
api-ms-win-core-memory-l1-1-0.dll
api-ms-win-core-processenvironment-l1-1-0.dll
api-ms-win-core-processthreads-l1-1-0.dll
api-ms-win-core-synch-l1-2-0.dll
api-ms-win-core-handle-l1-1-0.dll
api-ms-win-core-file-l1-1-0.dll
api-ms-win-core-errorhandling-l1-1-0.dll
api-ms-win-core-file-l1-2-0.dll
api-ms-win-core-heap-l1-1-0.dll
api-ms-win-core-debug-l1-1-0.dll
api-ms-win-core-synch-l1-1-0.dll
api-ms-win-core-string-l1-1-0.dll
api-ms-win-core-libraryloader-l1-2-0.dll
api-ms-win-crt-private-l1-1-0.dll
api-ms-win-crt-runtime-l1-1-0.dll
api-ms-win-crt-math-l1-1-0.dll
api-ms-win-crt-string-l1-1-0.dll
D3DCOMPILER_47.dll
.dat
| SMR.Dat
@.dat
syntax.ini
expr.ini
Temp

File Access (UNICODE)
d3dcompiler_47.dll
cabinet.dll
SymbolServerSetOptionsSymbolServerStoreFileWSYMSRV.DLL
SYMSRV.DLL
api-ms-win-core-file-l2-1-1.dll
kernel32.dll
bcrypt.dll

Interest's Words
<body
exec
attrib
start
cipher
systeminfo
ping
expand
openfiles
replace

Interest's Words (UNICODE)
exec
start
ping

Strings/Hex Code Found With The File Rules
Rule Type Encoding Matched (Word)
Text Ascii WinAPI Sockets (bind)
Text Ascii WinAPI Sockets (accept)
Text Ascii WinAPI Sockets (send)
Text Ascii Registry (RegOpenKeyEx)
Text Ascii File (CopyFile)
Text Ascii File (CreateFile)
Text Ascii File (WriteFile)
Text Ascii File (ReadFile)
Text Ascii Encryption API (CryptAcquireContext)
Text Ascii Encryption API (CryptReleaseContext)
Text Ascii Anti-Analysis VM (IsDebuggerPresent)
Text Ascii Anti-Analysis VM (GetSystemInfo)
Text Ascii Stealth (CloseHandle)
Text Ascii Stealth (UnmapViewOfFile)
Text Ascii Stealth (MapViewOfFile)
Text Ascii Stealth (CreateFileMappingA)
Text Ascii Stealth (CreateFileMappingW)
Text Ascii Stealth (VirtualAlloc)
Text Unicode Technique used to insert malicious code into legitimate processes (Inject)
Entry Point Hex Pattern Microsoft Visual C++ 8.0 (DLL)
Resources
Path DataRVA Size FileOffset Code Text
\VERSION\1\1033 4C1060 3BC 4B6060 B80334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
Intelligent String
• d3dcompiler_47.dll
• api-ms-win-core-profile-l1-1-0.dll
• api-ms-win-core-processthreads-l1-1-1.dll
• api-ms-win-core-rtlsupport-l1-1-0.dll
• api-ms-win-core-sysinfo-l1-1-0.dll
• api-ms-win-core-memory-l1-1-0.dll
• api-ms-win-core-processenvironment-l1-1-0.dll
• api-ms-win-core-processthreads-l1-1-0.dll
• api-ms-win-core-synch-l1-2-0.dll
• api-ms-win-core-handle-l1-1-0.dll
• api-ms-win-core-file-l1-1-0.dll
• api-ms-win-core-errorhandling-l1-1-0.dll
• api-ms-win-core-file-l1-2-0.dll
• api-ms-win-core-heap-l1-1-0.dll
• api-ms-win-core-synch-l1-1-0.dll
• api-ms-win-core-string-l1-1-0.dll
• firstbitlow(i) -> shift/bine/add sequence <| MR.Gen_RequiredTranslate
• firstbit_shi(i) -> shift/bine/add sequence <| MR.Gen_RequiredTranslate
• firstbit_hi(i) -> shift/bine/add sequence <| MR.Gen_RequiredTranslate
• countbits(i) -> and/shift/add sequence <| MR.Gen_RequiredTranslate
• .enc
• .tmp
• bcrypt.dll
• kernel32.dll
• api-ms-win-core-file-l2-1-1.dll
• .dbg
• SYMSRV.DLL
• D:\a\_work\1\s\src\vctools\cxx-utility\fs-api.hxx
• type.designatedtype.tor
• stmt.try
• stmt.ifstmt.for
• stmt.dir
• heap.syn
• heap.dir
• pp.num
• pp.key
• .msvc.trait.code-analysis.sal
• const.str
• cabinet.dll
• .pdb
• D3DCompiler_47.pdb
• .tls
• .bss
• 6_initterm7_initterm_eapi-ms-win-crt-string-l1-1-0.dll
• api-ms-win-crt-math-l1-1-0.dll
• api-ms-win-crt-private-l1-1-0.dll
• api-ms-win-core-libraryloader-l1-2-0.dll
• api-ms-win-core-debug-l1-1-0.dll
• api-ms-win-core-interlocked-l1-1-0.dll
• api-ms-win-core-heap-l2-1-0.dll
• api-ms-win-core-registry-l1-1-0.dll
• api-ms-win-core-localization-l1-2-0.dll
• api-ms-win-core-io-l1-1-0.dll
• api-ms-win-core-kernel32-legacy-l1-1-0.dll
• RPCRT4.dll
• 0_time64api-ms-win-crt-time-l1-1-0.dll
• api-ms-win-core-string-obsolete-l1-1-0.dll
• api-ms-win-security-cryptoapi-l1-1-0.dll

Flow Anomalies
Offset RVA Section Description
398015-398FFF N/A fothk Unusual BP Cave, count: 4075
3D3E20 28CEE0 .rdata TLS Callback | Pointer to 18028CEE0 - 0x28CEE0 .text
3D3E28 28CF70 .rdata TLS Callback | Pointer to 18028CF70 - 0x28CF70 .text
398000-398FFF 398000 fothk Executable section anomaly, first bytes: CCCCCCCCCCCCCCCC
Extra Analysis
Metric Value Percentage
Ascii Code 2964143 59,5611%
Null Byte Code 862417 17,3293%
NOP Cave Found 0x9090909090 Block Count: 3 | Total: 0,0002%