PESCAN.IO - Analysis Report Basic

Information
Size: 3,99 MB
SHA-256 Hash: 26C63191E954221127C7AD216060E3091E9B5AFB410D4DD57B40B56032DA9230
SHA-1 Hash: 341C07D1E581008C4DB218C951C633D132299D8E
MD5 Hash: A7B8CED015D4DE570AC0297D8DB7138A
Imphash: 7E0A0E8F80BBD1A9C0078E57256F1C3D
MajorOSVersion: 6
MinorOSVersion: 0
CheckSum: 00000000
EntryPoint (rva): 32690
SizeOfHeaders: 400
SizeOfImage: 82000
ImageBase: 0000000140000000
Architecture: x64
ExportTable: 5DA30
ImportTable: 5DA64
IAT: 4C000
Characteristics: 22
TimeDateStamp: 67DBE779
Date: 20/03/2025 10:01:29
File Type: EXE
Number Of Sections: 7
ASLR: Disabled
Section Names (Optional Header): .text, .rdata, .data, .pdata, .didat, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker

Sections Info
Section Name Flags ROffset RSize VOffset VSize Entropy Chi2
.text 0x60000020 (Code, Executable, Readable) 400 4B000 1000 4AF5E 6.4901 1906684.51
.rdata 0x40000040 (Initialized Data, Readable) 4B400 12C00 4C000 12BAE 5.2686 3204940.18
.data 0xC0000040 (Initialized Data, Readable, Writeable) 5E000 1C00 5F000 E954 3.1014 837364.07
.pdata 0x40000040 (Initialized Data, Readable) 5FC00 3400 6E000 330C 5.5852 332117.04
.didat 0xC0000040 (Initialized Data, Readable, Writeable) 63000 400 72000 370 3.0719 73321
.rsrc 0x40000040 (Initialized Data, Readable) 63400 D600 73000 D558 6.4726 966854.19
.reloc 0x42000040 (Initialized Data, GP-Relative, Readable) 70A00 A00 81000 994 5.3541 17338.2
Binder/Joiner/Crypter
Dropper code detected (EOF) - 3,48 MB

Entry Point
Section number (1) contains the Entry Point
Information -> EntryPoint (calculated) - 31A90
Code -> 4883EC28E8F30500004883C428E97AFEFFFFCCCC488BC44889580848896810488970184889782041564883EC204D8B513848
Assembler
|SUB RSP, 0X28
|CALL 0X15FC
|ADD RSP, 0X28
|JMP 0XE8C
|INT3
|INT3
|MOV RAX, RSP
|MOV QWORD PTR [RAX + 8], RBX
|MOV QWORD PTR [RAX + 0X10], RBP
|MOV QWORD PTR [RAX + 0X18], RSI
|MOV QWORD PTR [RAX + 0X20], RDI
|PUSH R14
|SUB RSP, 0X20
|MOV R10, QWORD PTR [R9 + 0X38]
Signatures
Rich Signature Analyzer:
Code -> 69E1FFEA2D8091B92D8091B92D8091B966F894B8B78091B93C066CB92F8091B93C0692B8258091B93C0695B83C8091B93C0694B8118091B966F892B8278091B966F895B83B8091B966F897B82C8091B966F890B82A8091B92D8090B9078191B9A90694B81E8091B9A90691B82C8091B9A9066EB92C8091B9A90693B82C8091B9526963682D8091B9
Footprint md5 Hash -> 31283606045D07B31B70B59286775806
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler
Compiler: Microsoft Visual Studio
Detect It Easy (die)
PE+(64): sfx: WinRAR(-)[-]
PE+(64): compiler: Microsoft Visual C/C++(-)[-]
PE+(64): linker: Microsoft Linker(14.42**)[-]
PE+(64): overlay: RAR archive(-)[-]
PE+(64): archive: RAR(5)[-]
Entropy: 7.95208

Suspicious Functions
Library Function Description
KERNEL32.DLL WriteFile Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL LoadLibraryW Loads the specified module into the address space of the calling process.
KERNEL32.DLL GetProcAddress Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL IsDebuggerPresent Determines if the calling process is being debugged by a user-mode debugger.
SHELL32.DLL ShellExecuteExW Performs a run operation on a specific file.
Windows REG (UNICODE)
Software\Microsoft\Windows\CurrentVersion
Software\WinRAR SFX

File Access
setup.exe
Proxy Checker v0.2 By X-SLAYER.exe
sfxrar.exe
xNet.dll
SkinSoft.VisualStyler.dll
gdiplus.dll
OLEAUT32.dll
KERNEL32.dll
COMCTL32.dll
SHLWAPI.dll
Fole32.dll
SHELL32.dll
ADVAPI32.dll
COMDLG32.dll
GDI32.dll
USER32.dll
coreinit.bat
coreinit.bat
GeoIP.dat
.dat
@.dat
Temp

File Access (UNICODE)
mscoree.dll
KERNEL32.DLL
riched20.dll
uxtheme.dll
peerdist.dll
dsrole.dll
aclui.dll
RpcRtRemote.dll
cryptsp.dll
linkinfo.dll
XmlLite.dll
dhcpcsvc.dll
dhcpcsvc6.dll
rasadhlp.dll
browcli.dll
dfscli.dll
wkscli.dll
samlib.dll
samcli.dll
mlang.dll
propsys.dll
devrtl.dll
mpr.dll
netutils.dll
WINNSI.DLL
iphlpapi.DLL
dnsapi.DLL
imageres.dll
slc.dll
cscapi.dll
srvcli.dll
WindowsCodecs.dll
profapi.dll
ntmarta.dll
oleaccrc.dll
cabinet.dll
secur32.dll
shell32.dll
wintrust.dll
cryptui.dll
msasn1.dll
crypt32.dll
shdocvw.dll
netapi32.dll
userenv.dll
apphelp.dll
setupapi.dll
atl.dll
ntshrui.dll
ieframe.dll
psapi.dll
ws2help.dll
ws2_32.dll
comres.dll
clbcatq.dll
usp10.dll
lpk.dll
cryptbase.dll
dwmapi.dll
UXTheme.dll
rsaenh.dll
SSPICLI.DLL
sfc_os.dll
DXGIDebug.dll
version.dll
Crypt32.dll
Temp
ProgramFiles

SQL Queries
SELECT * FROM Win32_OperatingSystem

Words of Interest
PassWord
exec
attrib
start
pause
shutdown
systeminfo
ping
expand
replace

Words of Interest (UNICODE)
Encrypt
Encryption
PassWord
<html
<head
<meta
start
pause
ping
replace

URLs
http://schemas.microsoft.com/SMI/2005/WindowsSettings

Strings/Hex Code Found With The File Rules
Rule Type Encoding Matched (Word)
Text Ascii WinAPI Sockets (connect)
Text Ascii Registry (RegCreateKeyEx)
Text Ascii Registry (RegOpenKeyEx)
Text Ascii Registry (RegSetValueEx)
Text Ascii File (GetTempPath)
Text Ascii File (CreateFile)
Text Ascii File (WriteFile)
Text Ascii File (ReadFile)
Text Ascii Anti-Analysis VM (IsDebuggerPresent)
Text Ascii Anti-Analysis VM (GetSystemInfo)
Text Ascii Anti-Analysis VM (GlobalMemoryStatusEx)
Text Ascii Anti-Analysis VM (GetVersion)
Text Ascii Reconnaissance (FindFirstFileW)
Text Ascii Reconnaissance (FindNextFileW)
Text Ascii Reconnaissance (FindClose)
Text Ascii Stealth (ReleaseSemaphore)
Text Ascii Stealth (CloseHandle)
Text Ascii Stealth (VirtualProtect)
Text Ascii Execution (ShellExecute)
Text Ascii Execution (CreateSemaphoreW)
Text Ascii Execution (CreateEventW)
Text Unicode Privileges (SeCreateSymbolicLinkPrivilege)
Text Unicode Privileges (SeRestorePrivilege)
Text Unicode Privileges (SeSecurityPrivilege)
Text Unicode WMI execution (ROOT\CIMV2)
Entry Point Hex Pattern Microsoft Visual C++ 8.0 (DLL)
Resources
Path DataRVA Size FileOffset
\PNG\101\1033 73680 966 63A80
\PNG\102\1033 73FE8 123F 643E8
\ICON\1\1033 75228 568 65628
\ICON\2\1033 75790 8A8 65B90
\ICON\3\1033 76038 EA8 66438
\ICON\4\1033 76EE0 468 672E0
\ICON\5\1033 77348 10A8 67748
\ICON\6\1033 783F0 25A8 687F0
\ICON\7\1033 7A998 34B3 6AD98
\DIALOG\ASKNEXTVOL\1033 7E7A8 286 6EBA8
\DIALOG\GETPASSWORD1\1033 7E578 13A 6E978
\DIALOG\LICENSEDLG\1033 7E6B8 EC 6EAB8
\DIALOG\RENAMEDLG\1033 7E448 12E 6E848
\DIALOG\REPLACEFILEDLG\1033 7E110 338 6E510
\DIALOG\STARTDLG\1033 7DEB8 252 6E2B8
\STRING\7\1033 7F188 1EA 6F588
\STRING\8\1033 7F378 1CC 6F778
\STRING\9\1033 7F548 1B8 6F948
\STRING\10\1033 7F700 146 6FB00
\STRING\11\1033 7F848 46C 6FC48
\STRING\12\1033 7FCB8 166 700B8
\STRING\13\1033 7FE20 152 70220
\STRING\14\1033 7FF78 10A 70378
\STRING\15\1033 80088 BC 70488
\STRING\16\1033 80148 1C0 70548
\STRING\17\1033 80308 250 70708
\GROUP_ICON\100\1033 7DE50 68 6E250
\24\1\1033 7EA30 753 6EE30
Intelligent String
• .rar
• Crypt32.dll
• version.dll
• sfc_os.dll
• SSPICLI.DLL
• rsaenh.dll
• UXTheme.dll
• dwmapi.dll
• cryptbase.dll
• lpk.dll
• usp10.dll
• clbcatq.dll
• comres.dll
• ws2_32.dll
• ws2help.dll
• psapi.dll
• ieframe.dll
• ntshrui.dll
• atl.dll
• setupapi.dll
• apphelp.dll
• userenv.dll
• netapi32.dll
• shdocvw.dll
• crypt32.dll
• msasn1.dll
• cryptui.dll
• wintrust.dll
• shell32.dll
• secur32.dll
• cabinet.dll
• oleaccrc.dll
• ntmarta.dll
• profapi.dll
• WindowsCodecs.dll
• srvcli.dll
• cscapi.dll
• slc.dll
• imageres.dll
• WINNSI.DLL
• netutils.dll
• mpr.dll
• devrtl.dll
• propsys.dll
• mlang.dll
• samcli.dll
• samlib.dll
• wkscli.dll
• dfscli.dll
• browcli.dll
• rasadhlp.dll
• dhcpcsvc6.dll
• dhcpcsvc.dll
• XmlLite.dll
• linkinfo.dll
• cryptsp.dll
• RpcRtRemote.dll
• aclui.dll
• dsrole.dll
• peerdist.dll
• uxtheme.dll
• riched20.dll
• runas
• .tmp
• .lnk
• .inf
• .exe
• USER32.dll
• GDI32.dll
• COMDLG32.dll
• ADVAPI32.dll
• SHELL32.dll
• Fole32.dll
• KERNEL32.DLL
• SHLWAPI.dll
• COMCTL32.dll
• mscoree.dll
• D:\Projects\WinRAR\SFX\build\sfxrar64\Release\sfxrar.pdb
• .tls
• .bss
• sfxrar.exe
• KERNEL32.dll
• OLEAUT32.dll
• <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
• CMTSetup=coreinit.bat
• E.OCD

Flow Anomalies
Offset RVA Section Description
71400 N/A *Overlay* 526172211A070100336807670C01050800070101 | Rar!....3h.g........
Extra Analysis
Metric Value Percentage
Ascii Code 2832036 67,6534%
Null Byte Code 101018 2,4132%
NOP Cave Found 0x9090909090 Block Count: 1 | Total: 0,0001%