PREMIUM PESCAN.IO - Analysis Report

Information
Size: 4,28 MB
SHA-256 Hash: 63C47DD8B16C20BAC5FADAE8E576A90C805BCFA6B56F33BD2AF71F098FA29E80
SHA-1 Hash: DD8BE971837A1A33611B26C57A61BC025B5F3102
MD5 Hash: C609BED65EC48BA57D4DD641D0A3A0A0
Imphash: 47B6BA2442838DE6F065B0FBCFD8BD96
MajorOSVersion: 6
MinorOSVersion: 0
CheckSum: 0034EDCA
EntryPoint (rva): 1C1290
SizeOfHeaders: 400
SizeOfImage: 466000
ImageBase: 0000000140000000
Architecture: x64
ImportTable: 2D76B0
IAT: 22D000
Characteristics: 22
TimeDateStamp: 67B669C6
Date: 19/02/2025 23:31:18
File Type: EXE
Number Of Sections: 7
ASLR: Disabled
Section Names (Optional Header): .text, .rdata, .data, .pdata, _RDATA, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker

Sections Info
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | E0000020 (Code, Executable, Readable, Writeable) | 400 | 22BA00 | 1000 | 22C000 | 6,3618 | 18454160,37 |
| .rdata | 40000040 (Initialized Data, Readable) | 22BE00 | ABE00 | 22D000 | AC000 | 5,7028 | 11464093,73 |
| .data | C0000040 (Initialized Data, Readable, Writeable) | 2D7C00 | 38600 | 2D9000 | 54000 | 0,8322 | 49057545,19 |
| .pdata | 40000040 (Initialized Data, Readable) | 310200 | 25000 | 32D000 | 25000 | 5,8880 | 3031902,76 |
| _RDATA | 40000040 (Initialized Data, Readable) | 335200 | 200 | 352000 | 1000 | 3,3772 | 35916,00 |
| .rsrc | 40000040 (Initialized Data, Readable) | 335400 | A800 | 353000 | A6E8 | 4,0753 | 1786052,21 |
| .reloc | 42000040 (Initialized Data, GP-Relative, Readable) | 33FC00 | 107800 | 35E000 | 10764E | 7,9675 | 64468,60 |

Description
OriginalFilename: adobe_licensing_wf.exe
CompanyName: Adobe Inc.
LegalCopyright: 2021-2024 Adobe. All rights reserved.
ProductName: Adobe Licensing WF
FileVersion: 1.14.0.2
FileDescription: Adobe Licensing WF
ProductVersion: 1.14.0.2
Language: Unknown (ID=0x4009)
CodePage: Unicode (UTF-16 LE) (0x4B0)

Entry Point
Section number 1 contains the Entry Point
Information -> EntryPoint (calculated) - 1C0690
Code -> 4883EC28E8970500004883C428E97AFEFFFFCCCC4883EC284D8B4138488BCA498BD1E80D000000B8010000004883C428C3CC
SUB RSP, 0X28
CALL 0X15A0
ADD RSP, 0X28
JMP 0XE8C
INT3
INT3
SUB RSP, 0X28
MOV R8, QWORD PTR [R9 + 0X38]
MOV RCX, RDX
MOV RDX, R9
CALL 0X1034
MOV EAX, 1
ADD RSP, 0X28
RET
INT3

Signatures
CheckSum Integrity Problem:
Header: 3468746
Calculated: 4491057
Rich Signature Analyzer:
Code -> DA31BB679E50D5349E50D5349E50D5342ACC24349550D5342ACC26343250D5342ACC2734BF50D5343A2ED1358F50D5343A2ED6359250D53443AF1B349A50D53443AF05349F50D5343A2ED035F250D53443AF1E34BB50D5345C25D035E250D5349E50D4344351D5348A2FDC353650D5348A2F2A349F50D5349E5042349F50D5348A2FD7359F50D534526963689E50D534
Footprint md5 Hash -> 24527BA3B3C2DE486BADB60F4627E2E5
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler
Compiler: Microsoft Visual Studio
Detect It Easy (die)
PE+(64): compiler: Microsoft Visual C/C++(-)[-]
PE+(64): linker: Microsoft Linker(14.36**)[-]
Entropy: 6.86313

Suspicious Functions
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | GetModuleFileNameA | Retrieve the fully qualified path for the executable file of a specified module. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |
| SHELL32.DLL | ShellExecuteW | Performs a run operation on a specific file. |

Windows REG (UNICODE)
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
SOFTWARE\Policies\Adobe\NGL\Config
SOFTWARE\Adobe\Identity\UserSpecificIdentity
SOFTWARE\Microsoft\Cryptography
SOFTWARE\Adobe\Adobe NGLCEF\1.0\RestrictedSecuritySettings
SOFTWARE\Policies\Adobe\Adobe NGLCEF\1.0\FeatureLockDown
SOFTWARE\Policies\Adobe
Software\Adobe\Adobe Acrobat
SOFTWARE\ADOBE\
SOFTWARE\Microsoft\EdgeUpdate\Clients\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}
SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\Clients\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}
SOFTWARE\Adobe\NGL\SyncAuth
SOFTWARE\Policies\Adobe\NGL\AuthInfo
SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client

File Access
adobe_licensing_wf.exe
adobe_licensing_wf_helper.exe
adobe_licensing_wf_acro.exe
adobe_licensing_wf_helper_acro.exe
adobe_licensing_helper.exe
CRYPT32.dll
bcrypt.dll
credui.dll
WININET.dll
ADVAPI32.dll
OLEAUT32.dll
ole32.dll
SHELL32.dll
GDI32.dll
USER32.dll
KERNEL32.dll
VERSION.dll
SHLWAPI.dll
IMSLib.dll
libcef.dll
.dat
@.dat
.log
Temp
AppData
UserProfile

File Access (UNICODE)
adobe_licensing_wf.exe
Acrobat.exe
Creative Cloud.exe
mscoree.dll
api-ms-win-core-synch-l1-2-0.dll
kernel32.dll
KERNEL32.DLL
NGLClientDefault.log

Words of Interest
PassWord
exec
attrib
start
shutdown
systeminfo
route

Words of Interest (UNICODE)
PassWord
attrib
at.exe

URLs
https://oobe.adobe.com
https://oobe.adobe.com/
https://oobe.adobe.com/delegation_start
https://oobe.adobe.com/delegation_end
https://oobe.adobe.com/delegation_error
https://oobe.adobe.com/federation_start
https://oobe.adobe.com/federation_end
https://oobe.adobe.com/federation_error

URLs (UNICODE)
https://simulate_offline.adobe.com
https://no-way-now.org
https://oobe.adobe.com
https://oobe.adobe.com/
https://acrobatoauth.adobe.com
https://acrobatoauth.adobe.com/
https://ims-na1.adobelogin.com/ims/logout/v1?
https://ims-na1-stg1.adobelogin.com/ims/logout/v1?
https://workflow.licenses.adobe.com
https://workflow-stage.licenses.adobe.com
https://ims-na1.adobelogin.com/ims/authorize/v1?
https://ims-na1-stg1.adobelogin.com/ims/authorize/v1?
https://adobeid-na1-stg1.services.adobe.com/ims/jump/
https://adobeid-na1.services.adobe.com/ims/jump/
https://commerce.adobe.com/payments/in-app/billing?
https://commerce-stg.adobe.com/payments/in-app/billing?
https://ims-na1.adobelogin.com/ims/jump/
https://ims-na1-stg1.adobelogin.com/ims/jump/

Strings/Hex Code Found With The File Rules
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | WinAPI Sockets (accept) |
| Text | Ascii | WinAPI Sockets (connect) |
| Text | Ascii | WinAPI Sockets (send) |
| Text | Ascii | Registry (RegOpenKeyEx) |
| Text | Ascii | File (GetTempPath) |
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | File (ReadFile) |
| Text | Ascii | Anti-Analysis VM (IsDebuggerPresent) |
| Text | Ascii | Anti-Analysis VM (GetSystemInfo) |
| Text | Ascii | Reconnaissance (FindNextFileA) |
| Text | Ascii | Reconnaissance (FindClose) |
| Text | Ascii | Stealth (ExitThread) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Stealth (VirtualProtect) |
| Text | Ascii | Execution (ShellExecute) |
| Text | Ascii | Execution (CreateEventW) |
| Text | Ascii | Malicious code executed after exploiting a vulnerability (Payload) |
| Text | Ascii | Information used to authenticate a user's identity (Credential) |
| Text | Ascii | Software that records user activity (Logger) |
| Text | Ascii | Malware that monitors and collects user data (Spy) |
| Text | Ascii | Information used for user authentication (Credential) |
| Text | Ascii | Malicious rerouting of traffic to an attacker-controlled site (Redirect) |
| Text | Ascii | Technique used to capture communications between systems (Intercept) |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8.0 (DLL) |

Resources
| Path | DataRVA | Size | FileOffset |
|---|---|---|---|
| \ICON\1\1033 | 353220 | 1737 | 335620 |
| \ICON\2\1033 | 354958 | 4228 | 336D58 |
| \ICON\3\1033 | 358B80 | 25A8 | 33AF80 |
| \ICON\4\1033 | 35B128 | 10A8 | 33D528 |
| \ICON\5\1033 | 35C1D0 | 988 | 33E5D0 |
| \ICON\6\1033 | 35CB58 | 468 | 33EF58 |
| \GROUP_ICON\101\1033 | 35CFC0 | 5A | 33F3C0 |
| \VERSION\1\1033 | 35D020 | 38C | 33F420 |
| \24\1\1033 | 35D3B0 | 336 | 33F7B0 |

Intelligent String
• adobe_licensing_wf.exe
• 1.14.0.2
• https://oobe.adobe.com
• libcef.dll
• KERNEL32.DLL
• kernel32.dll
• api-ms-win-core-synch-l1-2-0.dll
• mscoree.dll
• adobe_licensing_helper.exe
• Creative Cloud.exe
• .dat
• {"chainedWorkflow" : false, "entryResourceId" : "%s", "entryQueryString" : "%s", "id" : "%s", "instanceId" : "%s", "interceptUrl" : "https://oobe.adobe.com/", "type" : "%s", "version" : %d, "workflowIdCode" : %d}
• t::https://oobe.adobe.com/delegation_starthttps://oobe.adobe.com/delegation_end
• https://oobe.adobe.com/delegation_errorhttps://oobe.adobe.com/federation_starthttps://oobe.adobe.com/federation_end
• https://oobe.adobe.com/federation_errorui
• abort:://resource_error/?retry_request=false
• ngl_lib://workflow_result?error_code=device_token_addedMOCKED_WORKFLOWdevice_token_added
• ngl_lib://workflow_result?error_code=device_token_invalidated&invalidated_user=device_token_invalidated
• ngl_lib://workflow_result?trigger_code=workflow_module_signout_action
• ngl_lib://workflow_result?trigger_code=signout_menu_click
• ngl_lib://workflow_result?trigger_code=signin_menu_click
• .log
• .eyJ
• NGLClientDefault.log
• com.adobe.ngl
• ngl-libadobe_licensing_wf_helper_acro.exe
• adobe_licensing_wf_acro.exe
• adobe_licensing_wf_helper.exe
• JQ525L2MZD.com.adobe.NGL
• https://simulate_offline.adobe.com
• https://no-way-now.org
• abort:://retry_request=false
• https://oobe.adobe.com/<guid>
• www.adobe.com
• www.acrobat.com
• *.okta.com
• *.adobe.com
• ims-na1.adobelogin.com
• adobeid-na1.services.adobe.com
• *.adobelogin.com
• https%3a%2f%2foobe.adobe.com
• https://acrobatoauth.adobe.com
• https%3a%2f%2facrobatoauth.adobe.com
• login_t2
• login
• Acrobat.exe
• https://workflow.licenses.adobe.com
• https://workflow-stage.licenses.adobe.com
• D:\Jenkins\workspace\NGL_WORKFLOW\build\master\win64\Release\Acrobat\project\win\ngl-workflow\x64\Release (Acrobat)\adobe_licensing_wf_acro.pdb
• .tls
• .bss
• KERNEL32.dll
• bcrypt.dll
• CK{ON

Flow Anomalies
Offset RVA Section Description
427C46-427C56 N/A .reloc Potential obfuscated jump sequence detected, count: 7
433078-434521 N/A .reloc Unusual BP Cave, count: 5290
4396BA-4396D8 N/A .reloc Unusual BP Cave, count: 31
43973A-439758 N/A .reloc Unusual NOPS Space, count: 31
Extra Analysis
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 2789591 | 62,1824% |
| Null Byte Code | 732805 | 16,3349% |
| NOP Cave Found | 0x9090909090 | Block Count: 33; Total: 0,0018% |