PREMIUM PESCAN.IO - Analysis Report

File Structure
Analysis Image
PE Chart Code
Header PE (light blue)
Executable sections (pink)
Non-executable sections (black)
External injected code (red)
File Structure in red = malformed or corrupted header
Chart Code For Other Files
Printable characters (blue)
Non-printable characters (black)
Information
Size: 2,13 MB
SHA-256 Hash: 3A96724448F1B86CB6024E6B2AD190B0E87752733176116C3DF346AF880C5145
SHA-1 Hash: 1CE341FDE3208D9C9879E9A256D8F0FAE0CBFE66
MD5 Hash: C61F89C112CAD4944FBCB9CBDAB74A67
Imphash: D8B31F8C03E0C76FF245ED05A15FFE6C
MajorOSVersion: 6
MinorOSVersion: 1
CheckSum: 0022C4B1
EntryPoint (rva): 1350
SizeOfHeaders: 600
SizeOfImage: 252000
ImageBase: 00000001E5CE0000
Architecture: x64
ExportTable: 212000
ImportTable: 213000
IAT: 2132CC
Characteristics: 2026
TimeDateStamp: 0
Date: 01/01/1970
File Type: DLL
Number Of Sections: 19
ASLR: Disabled
Section Names (Optional Header): .text, .data, .rdata, .pdata, .xdata, .bss, .edata, .idata, .CRT, .tls, .reloc, /4, /19, /31, /45, /57, /70, /81, /92
Number Of Executable Sections: 1
Subsystem: Windows GUI
Sections Info
Section Name Flags ROffset RSize VOffset VSizeEntropyChi2
.text
0x60600060
Code
Initialized Data
Executable
Readable
 600 CF600 1000 CF500
6.2589
7412889.65
.data
0xC0600040
Initialized Data
Readable
Writeable
 CFC00 7200 D1000 7200
2.4687
4083669.51
.rdata
0x40600040
Initialized Data
Readable
 D6E00 E8400 D9000 E8340
6.2428
14814262.93
.pdata
0x40300040
Initialized Data
Readable
 1BF200 4200 1C2000 40C8
5.276
430727.42
.xdata
0x40300040
Initialized Data
Readable
 1C3400 600 1C7000 55C
4.0933
45198.67
.bss
0xC0600080
Uninitialized Data
Readable
Writeable
 0 0 1C8000 49C20
N/A
N/A
.edata
0x40300040
Initialized Data
Readable
 1C3A00 200 212000 1B8
4.5573
13760
.idata
0xC0300040
Initialized Data
Readable
Writeable
 1C3C00 E00 213000 C2C
4.1195
195342.29
.CRT
0xC0400040
Initialized Data
Readable
Writeable
 1C4A00 200 214000 58
0.2586
123505
.tls
0xC0400040
Initialized Data
Readable
Writeable
 1C4C00 200 215000 10
0
130560
.reloc
0x42300040
Initialized Data
GP-Relative
Readable
 1C4E00 2A00 216000 2938
5.4184
61890.14
/4
0x42500040
Initialized Data
GP-Relative
Readable
 1C7800 800 219000 6C0
1.715
342974.5
/19
0x42100040
Initialized Data
GP-Relative
Readable
 1C8000 12C00 21A000 12A56
5.9891
1188622.58
/31
0x42100040
Initialized Data
GP-Relative
Readable
 1DAC00 3400 22D000 32C5
4.714
243087.5
/45
0x42100040
Initialized Data
GP-Relative
Readable
 1DE000 7E00 231000 7DBE
5.4502
476435.54
/57
0x42400040
Initialized Data
GP-Relative
Readable
 1E5E00 2800 239000 2800
3.7184
603497.05
/70
0x42100040
Initialized Data
GP-Relative
Readable
 1E8600 A00 23C000 83A
4.5151
51569.8
/81
0x42100040
Initialized Data
GP-Relative
Readable
 1E9000 12E00 23D000 12D5D
2.6838
10228225.01
/92
0x42100040
Initialized Data
GP-Relative
Readable
 1FBE00 1600 250000 1590
1.787
986262.64
Entry Point
The section number (1) have the Entry Point
Information -> EntryPoint (calculated) - 950
Code -> 488B05F9FA1B00C70000000000E99EFEFFFF66662E0F1F8400000000000F1F004889CA488D0D866C1C00E9C1EC0C0090488D
Assembler
|MOV RAX, QWORD PTR [RIP + 0X1BFAF9]
|MOV DWORD PTR [RAX], 0
|JMP 0XEB0
|NOP WORD PTR CS:[RAX + RAX]
|NOP DWORD PTR [RAX]
|MOV RDX, RCX
|LEA RCX, [RIP + 0X1C6C86]
|JMP 0XCFCF0
|NOP
Packer/Compiler
Detect It Easy (die)
PE+(64): compiler: MinGW(GCC: (GNU) 10.3.0)[-]
PE+(64): linker: GNU linker ld (GNU Binutils)(2.36)[-]
Entropy: 6.30358
Suspicious Functions
Library Function Description
KERNEL32.DLL VirtualAlloc Reserve, commit, or both, a region of memory within the virtual address space of a process.
KERNEL32.DLL WriteFile Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL LoadLibraryW Loads the specified module into the address space of the calling process.
KERNEL32.DLL GetProcAddress Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
ET Functions (carving)
file.exe
MpAllocMemory
MpClientUtilExportFunctions
MpConfigClose
MpConfigGetValue
MpConfigGetValueAlloc
MpConfigInitialize
MpConfigOpen
MpConfigRegisterForNotifications
MpConfigSetValue
MpConfigUninitialize
MpConfigUnregisterNotifications
MpFreeMemory
_cgo_dummy_export
File Access
file.exe
msvcrt.dll
KERNEL32.dll
bcryptprimitives.dll
created by kernel32.dll
itab.sys
.dat
internal/abi.Name.Dat
main.ini
reflect.ini
unicode.ini
iter.ini
math.ini
errors.ini
sync.ini
internal/syscall/windows/sysdll.ini
internal/bytealg.ini
internal/cpu.Ini
Temp
WinDir
SysDir
UserProfile
File Access (UNICODE)
bcryptprimitives.dll
powrprof.dll
winmm.dll
ntdll.dll
Interest's Words
zombie
exec
attrib
start
pause
shutdown
systeminfo
ping
expand
replace
route
Strings/Hex Code Found With The File Rules
Rule Type Encoding Matched (Word)
Text Ascii WinAPI Sockets (WSACleanup)
Text Ascii WinAPI Sockets (bind)
Text Ascii WinAPI Sockets (listen)
Text Ascii WinAPI Sockets (accept)
Text Ascii WinAPI Sockets (connect)
Text Ascii WinAPI Sockets (recv)
Text Ascii WinAPI Sockets (send)
Text Ascii Registry (RegOpenKeyEx)
Text Ascii File (GetTempPath)
Text Ascii File (CreateFile)
Text Ascii File (WriteFile)
Text Ascii File (ReadFile)
Text Ascii Encryption API (CryptAcquireContext)
Text Ascii Encryption API (CryptReleaseContext)
Text Ascii Anti-Analysis VM (GetSystemInfo)
Text Ascii Anti-Analysis VM (GetVersion)
Text Ascii Anti-Analysis VM (CreateToolhelp32Snapshot)
Text Ascii Reconnaissance (FindFirstFileW)
Text Ascii Reconnaissance (FindNextFileW)
Text Ascii Reconnaissance (FindClose)
Text Ascii Stealth (GetThreadContext)
Text Ascii Stealth (SetThreadContext)
Text Ascii Stealth (CloseHandle)
Text Ascii Stealth (UnmapViewOfFile)
Text Ascii Stealth (MapViewOfFile)
Text Ascii Stealth (CreateFileMappingW)
Text Ascii Stealth (VirtualAlloc)
Text Ascii Stealth (VirtualProtect)
Text Ascii Execution (CreateProcessA)
Text Ascii Execution (CreateProcessW)
Text Ascii Execution (ResumeThread)
Text Ascii Execution (CreateEventA)
Entry Point Hex Pattern NE-Exe Executable Image
Intelligent String
• .bss
• .tls
• @0@.bss
• .CRT
• ntdll.dll
• winmm.dll
• powrprof.dll
• bcryptprimitives.dll
• 0!KERNEL32.dll
• C:/crossdev/src/mingw-w64-v8-git/mingw-w64-crt/crt/crtdll.cC:\crossdev\gccmaster\build-tdm64\runtime\mingw-w64-crt
• C:/crossdev/src/mingw-w64-v8-git/mingw-w64-crt/crt/mingw_helpers.cC:\crossdev\gccmaster\build-tdm64\runtime\mingw-w64-crt:b
• C:/crossdev/src/mingw-w64-v8-git/mingw-w64-crt/crt/pseudo-reloc-list.cC:\crossdev\gccmaster\build-tdm64\runtime\mingw-w64-crt3k
Flow Anomalies
Offset RVA Section Description
C5F5 N/A .text JMP QWORD PTR [RIP+0xE8840F]
C90B1 N/A .text CALL QWORD PTR [RIP+0x14982D]
C90CF N/A .text JMP QWORD PTR [RIP+0x1498B7]
C90DA N/A .text CALL QWORD PTR [RIP+0xE700]
C918D N/A .text CALL QWORD PTR [RIP+0x149781]
C91A1 N/A .text CALL QWORD PTR [RIP+0x1497F5]
C9269 N/A .text CALL QWORD PTR [RIP+0xE571]
C92A0 N/A .text CALL QWORD PTR [RIP+0x14966E]
C92B7 N/A .text CALL QWORD PTR [RIP+0x1496DF]
C92C4 N/A .text CALL QWORD PTR [RIP+0x14972A]
C92D8 N/A .text CALL QWORD PTR [RIP+0xE502]
C930F N/A .text CALL QWORD PTR [RIP+0x1495FF]
C9329 N/A .text JMP QWORD PTR [RIP+0x14966D]
C933D N/A .text CALL QWORD PTR [RIP+0x1495D1]
C9351 N/A .text CALL QWORD PTR [RIP+0x149645]
C93C6 N/A .text CALL QWORD PTR [RIP+0xE414]
C93F3 N/A .text JMP QWORD PTR [RIP+0x1494E3]
C9407 N/A .text CALL QWORD PTR [RIP+0x149607]
C94A8 N/A .text CALL QWORD PTR [RIP+0xE332]
C9F55 N/A .text JMP QWORD PTR [RIP+0x600]
CD717 N/A .text JMP QWORD PTR [RIP+0x1451F7]
CD82F N/A .text CALL QWORD PTR [RIP+0x145167]
CD8FE N/A .text JMP QWORD PTR [RIP+0x145098]
CDA5F N/A .text CALL QWORD PTR [RIP+0x144F37]
CDD92 N/A .text CALL QWORD PTR [RIP+0x144C04]
CE689 N/A .text CALL QWORD PTR [RIP+0x1443C5]
CE6EE N/A .text CALL QWORD PTR [RIP+0x144358]
CE6F8 N/A .text CALL QWORD PTR [RIP+0x14424E]
CE9E0 N/A .text CALL QWORD PTR [RIP+0x143F2E]
CEA35 N/A .text JMP QWORD PTR [RIP+0x143F61]
CEA84 N/A .text CALL QWORD PTR [RIP+0x143E8A]
CEAA3 N/A .text CALL QWORD PTR [RIP+0x143EF3]
CEAE7 N/A .text CALL QWORD PTR [RIP+0x143E27]
CEB2A N/A .text CALL QWORD PTR [RIP+0x143E6C]
CEC05 N/A .text CALL QWORD PTR [RIP+0x143CF9]
CEC27 N/A .text CALL QWORD PTR [RIP+0x143D5F]
CF030 N/A .text JMP QWORD PTR [RIP+0x143A56]
CF038 N/A .text JMP QWORD PTR [RIP+0x143A46]
CF040 N/A .text JMP QWORD PTR [RIP+0x143A2E]
CF048 N/A .text JMP QWORD PTR [RIP+0x143A1E]
CF050 N/A .text JMP QWORD PTR [RIP+0x143A0E]
CF058 N/A .text JMP QWORD PTR [RIP+0x1439FE]
CF060 N/A .text JMP QWORD PTR [RIP+0x1439EE]
CF068 N/A .text JMP QWORD PTR [RIP+0x1439DE]
CF070 N/A .text JMP QWORD PTR [RIP+0x1439CE]
CF078 N/A .text JMP QWORD PTR [RIP+0x1439BE]
CF080 N/A .text JMP QWORD PTR [RIP+0x1439AE]
CF088 N/A .text JMP QWORD PTR [RIP+0x14399E]
CF090 N/A .text JMP QWORD PTR [RIP+0x14398E]
CF098 N/A .text JMP QWORD PTR [RIP+0x14397E]
CF0A0 N/A .text JMP QWORD PTR [RIP+0x14396E]
CF0A8 N/A .text JMP QWORD PTR [RIP+0x14395E]
CF0B0 N/A .text JMP QWORD PTR [RIP+0x14394E]
CF0B8 N/A .text JMP QWORD PTR [RIP+0x14393E]
CF0C0 N/A .text JMP QWORD PTR [RIP+0x14392E]
CF0C8 N/A .text JMP QWORD PTR [RIP+0x14391E]
CF0D0 N/A .text JMP QWORD PTR [RIP+0x14390E]
CF0D8 N/A .text JMP QWORD PTR [RIP+0x1438FE]
CF0E0 N/A .text JMP QWORD PTR [RIP+0x1438EE]
CF0E8 N/A .text JMP QWORD PTR [RIP+0x1438DE]
CF0F0 N/A .text JMP QWORD PTR [RIP+0x1438CE]
CF0F8 N/A .text JMP QWORD PTR [RIP+0x1438BE]
CF100 N/A .text JMP QWORD PTR [RIP+0x1438A6]
CF108 N/A .text JMP QWORD PTR [RIP+0x143896]
CF110 N/A .text JMP QWORD PTR [RIP+0x143886]
CF118 N/A .text JMP QWORD PTR [RIP+0x14386E]
CF120 N/A .text JMP QWORD PTR [RIP+0x14385E]
CF128 N/A .text JMP QWORD PTR [RIP+0x14384E]
CF130 N/A .text JMP QWORD PTR [RIP+0x14383E]
CF138 N/A .text JMP QWORD PTR [RIP+0x14382E]
CF140 N/A .text JMP QWORD PTR [RIP+0x14381E]
CF148 N/A .text JMP QWORD PTR [RIP+0x14380E]
CF150 N/A .text JMP QWORD PTR [RIP+0x1437FE]
CF158 N/A .text JMP QWORD PTR [RIP+0x1437EE]
CF160 N/A .text JMP QWORD PTR [RIP+0x1437DE]
CF168 N/A .text JMP QWORD PTR [RIP+0x1437CE]
CF170 N/A .text JMP QWORD PTR [RIP+0x1437BE]
CF178 N/A .text JMP QWORD PTR [RIP+0x1437AE]
CF180 N/A .text JMP QWORD PTR [RIP+0x14379E]
CF188 N/A .text JMP QWORD PTR [RIP+0x14378E]
CF190 N/A .text JMP QWORD PTR [RIP+0x14377E]
CF198 N/A .text JMP QWORD PTR [RIP+0x14376E]
CF1A0 N/A .text JMP QWORD PTR [RIP+0x14375E]
CF1A8 N/A .text JMP QWORD PTR [RIP+0x14374E]
CF1B0 N/A .text JMP QWORD PTR [RIP+0x14373E]
CF1B8 N/A .text JMP QWORD PTR [RIP+0x14372E]
CF1C0 N/A .text JMP QWORD PTR [RIP+0x14371E]
CF1C8 N/A .text JMP QWORD PTR [RIP+0x14370E]
CF1D0 N/A .text JMP QWORD PTR [RIP+0x1436FE]
CF1D8 N/A .text JMP QWORD PTR [RIP+0x1436EE]
CF220 N/A .text JMP QWORD PTR [RIP+0x143926]
CF228 N/A .text JMP QWORD PTR [RIP+0x143916]
CF230 N/A .text JMP QWORD PTR [RIP+0x143906]
CF238 N/A .text JMP QWORD PTR [RIP+0x1438F6]
CF240 N/A .text JMP QWORD PTR [RIP+0x1438E6]
CF248 N/A .text JMP QWORD PTR [RIP+0x1438CE]
CF250 N/A .text JMP QWORD PTR [RIP+0x1438BE]
CF258 N/A .text JMP QWORD PTR [RIP+0x1438AE]
CF260 N/A .text JMP QWORD PTR [RIP+0x14389E]
CF268 N/A .text JMP QWORD PTR [RIP+0x14388E]
6F162-6F260 N/A .text Potential obfuscated jump sequence detected, count: 51
A21-A3F N/A .text Unusual BP Cave, count: 31
2182-219F N/A .text Unusual BP Cave, count: 30
6322-633F N/A .text Unusual BP Cave, count: 30
E022-E03F N/A .text Unusual BP Cave, count: 30
F242-F25F N/A .text Unusual BP Cave, count: 30
12282-1229F N/A .text Unusual BP Cave, count: 30
129C1-129DF N/A .text Unusual BP Cave, count: 31
134C1-134DF N/A .text Unusual BP Cave, count: 31
135A1-135BF N/A .text Unusual BP Cave, count: 31
144C2-144DF N/A .text Unusual BP Cave, count: 30
16922-1693F N/A .text Unusual BP Cave, count: 30
18E62-18E7F N/A .text Unusual BP Cave, count: 30
19442-1945F N/A .text Unusual BP Cave, count: 30
1A5C2-1A5DF N/A .text Unusual BP Cave, count: 30
1D7E2-1D7FF N/A .text Unusual BP Cave, count: 30
1F5C2-1F5DF N/A .text Unusual BP Cave, count: 30
220E2-220FF N/A .text Unusual BP Cave, count: 30
30402-3041F N/A .text Unusual BP Cave, count: 30
31301-3131F N/A .text Unusual BP Cave, count: 31
345A1-345BF N/A .text Unusual BP Cave, count: 31
34621-3463F N/A .text Unusual BP Cave, count: 31
346A1-346BF N/A .text Unusual BP Cave, count: 31
34721-3473F N/A .text Unusual BP Cave, count: 31
347A1-347BF N/A .text Unusual BP Cave, count: 31
34821-3483F N/A .text Unusual BP Cave, count: 31
348A1-348BF N/A .text Unusual BP Cave, count: 31
34921-3493F N/A .text Unusual BP Cave, count: 31
37CC2-37CDF N/A .text Unusual BP Cave, count: 30
39EC2-39EDF N/A .text Unusual BP Cave, count: 30
3A7E1-3A7FF N/A .text Unusual BP Cave, count: 31
3A821-3A83F N/A .text Unusual BP Cave, count: 31
43D82-43D9F N/A .text Unusual BP Cave, count: 30
49982-4999F N/A .text Unusual BP Cave, count: 30
4C501-4C51F N/A .text Unusual BP Cave, count: 31
4CB81-4CB9F N/A .text Unusual BP Cave, count: 31
50DA1-50DBF N/A .text Unusual BP Cave, count: 31
52702-5271F N/A .text Unusual BP Cave, count: 30
52EC2-52EDF N/A .text Unusual BP Cave, count: 30
55FC2-55FDF N/A .text Unusual BP Cave, count: 30
567E2-567FF N/A .text Unusual BP Cave, count: 30
577A2-577BF N/A .text Unusual BP Cave, count: 30
5C7E1-5C7FF N/A .text Unusual BP Cave, count: 31
5CB62-5CB7F N/A .text Unusual BP Cave, count: 30
5E782-5E79F N/A .text Unusual BP Cave, count: 30
5FF22-5FF3F N/A .text Unusual BP Cave, count: 30
642A1-642BF N/A .text Unusual BP Cave, count: 31
64E42-64E5F N/A .text Unusual BP Cave, count: 30
655A2-655BF N/A .text Unusual BP Cave, count: 30
67A41-67A5F N/A .text Unusual BP Cave, count: 31
69101-6911F N/A .text Unusual BP Cave, count: 31
69FA1-69FBF N/A .text Unusual BP Cave, count: 31
6A1C2-6A1DF N/A .text Unusual BP Cave, count: 30
6BC81-6BC9F N/A .text Unusual BP Cave, count: 31
6BEE2-6BEFF N/A .text Unusual BP Cave, count: 30
6CB21-6CB3F N/A .text Unusual BP Cave, count: 31
70902-7091F N/A .text Unusual BP Cave, count: 30
71201-7121F N/A .text Unusual BP Cave, count: 31
73502-7351F N/A .text Unusual BP Cave, count: 30
773A2-773BF N/A .text Unusual BP Cave, count: 30
77422-7743F N/A .text Unusual BP Cave, count: 30
C8CF9-C8D30 N/A .text Unusual BP Cave, count: 56
1C4A30 CEED0 .CRT TLS Callback | Pointer to 1E5DAEED0 - 0xCE4D0 .text
1C4A38 CEEA0 .CRT TLS Callback | Pointer to 1E5DAEEA0 - 0xCE4A0 .text
1BF200 1000 .pdata ExceptionHook | Pointer to 1000 - 0x600 .text + UnwindInfo: .xdata
1BF20C 1010 .pdata ExceptionHook | Pointer to 1010 - 0x610 .text + UnwindInfo: .xdata
1BF218 1200 .pdata ExceptionHook | Pointer to 1200 - 0x800 .text + UnwindInfo: .xdata
1BF224 1350 .pdata ExceptionHook | Pointer to 1350 - 0x950 .text + UnwindInfo: .xdata
1BF230 1370 .pdata ExceptionHook | Pointer to 1370 - 0x970 .text + UnwindInfo: .xdata
1BF23C 1380 .pdata ExceptionHook | Pointer to 1380 - 0x980 .text + UnwindInfo: .xdata
1BF248 1390 .pdata ExceptionHook | Pointer to 1390 - 0x990 .text + UnwindInfo: .xdata
1BF254 1440 .pdata ExceptionHook | Pointer to 1440 - 0xA40 .text + UnwindInfo: .xdata
1BF260 14C0 .pdata ExceptionHook | Pointer to 14C0 - 0xAC0 .text + UnwindInfo: .xdata
1BF26C 1540 .pdata ExceptionHook | Pointer to 1540 - 0xB40 .text + UnwindInfo: .xdata
1BF278 15E0 .pdata ExceptionHook | Pointer to 15E0 - 0xBE0 .text + UnwindInfo: .xdata
1BF284 16E0 .pdata ExceptionHook | Pointer to 16E0 - 0xCE0 .text + UnwindInfo: .xdata
1BF290 17A0 .pdata ExceptionHook | Pointer to 17A0 - 0xDA0 .text + UnwindInfo: .xdata
1BF29C 1820 .pdata ExceptionHook | Pointer to 1820 - 0xE20 .text + UnwindInfo: .xdata
1BF2A8 1880 .pdata ExceptionHook | Pointer to 1880 - 0xE80 .text + UnwindInfo: .xdata
1BF2B4 1DC0 .pdata ExceptionHook | Pointer to 1DC0 - 0x13C0 .text + UnwindInfo: .xdata
1BF2C0 2700 .pdata ExceptionHook | Pointer to 2700 - 0x1D00 .text + UnwindInfo: .xdata
1BF2CC 2780 .pdata ExceptionHook | Pointer to 2780 - 0x1D80 .text + UnwindInfo: .xdata
1BF2D8 2EA0 .pdata ExceptionHook | Pointer to 2EA0 - 0x24A0 .text + UnwindInfo: .xdata
1BF2E4 3120 .pdata ExceptionHook | Pointer to 3120 - 0x2720 .text + UnwindInfo: .xdata
1BF2F0 33A0 .pdata ExceptionHook | Pointer to 33A0 - 0x29A0 .text + UnwindInfo: .xdata
1BF2FC 34C0 .pdata ExceptionHook | Pointer to 34C0 - 0x2AC0 .text + UnwindInfo: .xdata
1BF308 3600 .pdata ExceptionHook | Pointer to 3600 - 0x2C00 .text + UnwindInfo: .xdata
1BF314 38C0 .pdata ExceptionHook | Pointer to 38C0 - 0x2EC0 .text + UnwindInfo: .xdata
1BF320 3940 .pdata ExceptionHook | Pointer to 3940 - 0x2F40 .text + UnwindInfo: .xdata
1BF32C 3AE0 .pdata ExceptionHook | Pointer to 3AE0 - 0x30E0 .text + UnwindInfo: .xdata
1BF338 3C80 .pdata ExceptionHook | Pointer to 3C80 - 0x3280 .text + UnwindInfo: .xdata
1BF344 3E60 .pdata ExceptionHook | Pointer to 3E60 - 0x3460 .text + UnwindInfo: .xdata
1BF350 4060 .pdata ExceptionHook | Pointer to 4060 - 0x3660 .text + UnwindInfo: .xdata
1BF35C 40C0 .pdata ExceptionHook | Pointer to 40C0 - 0x36C0 .text + UnwindInfo: .xdata
1BF368 4220 .pdata ExceptionHook | Pointer to 4220 - 0x3820 .text + UnwindInfo: .xdata
1BF374 4380 .pdata ExceptionHook | Pointer to 4380 - 0x3980 .text + UnwindInfo: .xdata
1BF380 45A0 .pdata ExceptionHook | Pointer to 45A0 - 0x3BA0 .text + UnwindInfo: .xdata
1BF38C 47C0 .pdata ExceptionHook | Pointer to 47C0 - 0x3DC0 .text + UnwindInfo: .xdata
1BF398 48C0 .pdata ExceptionHook | Pointer to 48C0 - 0x3EC0 .text + UnwindInfo: .xdata
1BF3A4 49E0 .pdata ExceptionHook | Pointer to 49E0 - 0x3FE0 .text + UnwindInfo: .xdata
1BF3B0 4BC0 .pdata ExceptionHook | Pointer to 4BC0 - 0x41C0 .text + UnwindInfo: .xdata
1BF3BC 4DA0 .pdata ExceptionHook | Pointer to 4DA0 - 0x43A0 .text + UnwindInfo: .xdata
1BF3C8 5080 .pdata ExceptionHook | Pointer to 5080 - 0x4680 .text + UnwindInfo: .xdata
1BF3D4 5420 .pdata ExceptionHook | Pointer to 5420 - 0x4A20 .text + UnwindInfo: .xdata
1BF3E0 5560 .pdata ExceptionHook | Pointer to 5560 - 0x4B60 .text + UnwindInfo: .xdata
1BF3EC 5660 .pdata ExceptionHook | Pointer to 5660 - 0x4C60 .text + UnwindInfo: .xdata
1BF3F8 5CE0 .pdata ExceptionHook | Pointer to 5CE0 - 0x52E0 .text + UnwindInfo: .xdata
1BF404 5D40 .pdata ExceptionHook | Pointer to 5D40 - 0x5340 .text + UnwindInfo: .xdata
1BF410 5F60 .pdata ExceptionHook | Pointer to 5F60 - 0x5560 .text + UnwindInfo: .xdata
1BF41C 6140 .pdata ExceptionHook | Pointer to 6140 - 0x5740 .text + UnwindInfo: .xdata
1BF428 6340 .pdata ExceptionHook | Pointer to 6340 - 0x5940 .text + UnwindInfo: .xdata
1BF434 6560 .pdata ExceptionHook | Pointer to 6560 - 0x5B60 .text + UnwindInfo: .xdata
1BF440 6900 .pdata ExceptionHook | Pointer to 6900 - 0x5F00 .text + UnwindInfo: .xdata
1BF44C 6CC0 .pdata ExceptionHook | Pointer to 6CC0 - 0x62C0 .text + UnwindInfo: .xdata
1BF458 6D40 .pdata ExceptionHook | Pointer to 6D40 - 0x6340 .text + UnwindInfo: .xdata
1BF464 6FE0 .pdata ExceptionHook | Pointer to 6FE0 - 0x65E0 .text + UnwindInfo: .xdata
1BF470 7560 .pdata ExceptionHook | Pointer to 7560 - 0x6B60 .text + UnwindInfo: .xdata
1BF47C 7820 .pdata ExceptionHook | Pointer to 7820 - 0x6E20 .text + UnwindInfo: .xdata
1BF488 7DA0 .pdata ExceptionHook | Pointer to 7DA0 - 0x73A0 .text + UnwindInfo: .xdata
1BF494 7E20 .pdata ExceptionHook | Pointer to 7E20 - 0x7420 .text + UnwindInfo: .xdata
1BF4A0 7FC0 .pdata ExceptionHook | Pointer to 7FC0 - 0x75C0 .text + UnwindInfo: .xdata
1BF4AC 81E0 .pdata ExceptionHook | Pointer to 81E0 - 0x77E0 .text + UnwindInfo: .xdata
1BF4B8 8240 .pdata ExceptionHook | Pointer to 8240 - 0x7840 .text + UnwindInfo: .xdata
1BF4C4 82E0 .pdata ExceptionHook | Pointer to 82E0 - 0x78E0 .text + UnwindInfo: .xdata
1BF4D0 83C0 .pdata ExceptionHook | Pointer to 83C0 - 0x79C0 .text + UnwindInfo: .xdata
1BF4DC 84C0 .pdata ExceptionHook | Pointer to 84C0 - 0x7AC0 .text + UnwindInfo: .xdata
1BF4E8 8A80 .pdata ExceptionHook | Pointer to 8A80 - 0x8080 .text + UnwindInfo: .xdata
1BF4F4 8AC0 .pdata ExceptionHook | Pointer to 8AC0 - 0x80C0 .text + UnwindInfo: .xdata
1BF500 8C20 .pdata ExceptionHook | Pointer to 8C20 - 0x8220 .text + UnwindInfo: .xdata
1BF50C 8C60 .pdata ExceptionHook | Pointer to 8C60 - 0x8260 .text + UnwindInfo: .xdata
1BF518 8CA0 .pdata ExceptionHook | Pointer to 8CA0 - 0x82A0 .text + UnwindInfo: .xdata
1BF524 8CE0 .pdata ExceptionHook | Pointer to 8CE0 - 0x82E0 .text + UnwindInfo: .xdata
1BF530 8DA0 .pdata ExceptionHook | Pointer to 8DA0 - 0x83A0 .text + UnwindInfo: .xdata
1BF53C 8E60 .pdata ExceptionHook | Pointer to 8E60 - 0x8460 .text + UnwindInfo: .xdata
1BF548 8EC0 .pdata ExceptionHook | Pointer to 8EC0 - 0x84C0 .text + UnwindInfo: .xdata
1BF554 8F20 .pdata ExceptionHook | Pointer to 8F20 - 0x8520 .text + UnwindInfo: .xdata
1BF560 91A0 .pdata ExceptionHook | Pointer to 91A0 - 0x87A0 .text + UnwindInfo: .xdata
1BF56C 9200 .pdata ExceptionHook | Pointer to 9200 - 0x8800 .text + UnwindInfo: .xdata
1BF578 9260 .pdata ExceptionHook | Pointer to 9260 - 0x8860 .text + UnwindInfo: .xdata
1BF584 92C0 .pdata ExceptionHook | Pointer to 92C0 - 0x88C0 .text + UnwindInfo: .xdata
1BF590 9380 .pdata ExceptionHook | Pointer to 9380 - 0x8980 .text + UnwindInfo: .xdata
1BF59C 9440 .pdata ExceptionHook | Pointer to 9440 - 0x8A40 .text + UnwindInfo: .xdata
1BF5A8 94E0 .pdata ExceptionHook | Pointer to 94E0 - 0x8AE0 .text + UnwindInfo: .xdata
1BF5B4 9540 .pdata ExceptionHook | Pointer to 9540 - 0x8B40 .text + UnwindInfo: .xdata
1BF5C0 96E0 .pdata ExceptionHook | Pointer to 96E0 - 0x8CE0 .text + UnwindInfo: .xdata
1BF5CC 97C0 .pdata ExceptionHook | Pointer to 97C0 - 0x8DC0 .text + UnwindInfo: .xdata
1BF5D8 98E0 .pdata ExceptionHook | Pointer to 98E0 - 0x8EE0 .text + UnwindInfo: .xdata
1BF5E4 9B60 .pdata ExceptionHook | Pointer to 9B60 - 0x9160 .text + UnwindInfo: .xdata
1BF5F0 9EA0 .pdata ExceptionHook | Pointer to 9EA0 - 0x94A0 .text + UnwindInfo: .xdata
1BF5FC 9F40 .pdata ExceptionHook | Pointer to 9F40 - 0x9540 .text + UnwindInfo: .xdata
1BF608 A000 .pdata ExceptionHook | Pointer to A000 - 0x9600 .text + UnwindInfo: .xdata
1BF614 A220 .pdata ExceptionHook | Pointer to A220 - 0x9820 .text + UnwindInfo: .xdata
1BF620 A240 .pdata ExceptionHook | Pointer to A240 - 0x9840 .text + UnwindInfo: .xdata
1BF62C A820 .pdata ExceptionHook | Pointer to A820 - 0x9E20 .text + UnwindInfo: .xdata
1BF638 A860 .pdata ExceptionHook | Pointer to A860 - 0x9E60 .text + UnwindInfo: .xdata
1BF644 AA20 .pdata ExceptionHook | Pointer to AA20 - 0xA020 .text + UnwindInfo: .xdata
1BF650 AA60 .pdata ExceptionHook | Pointer to AA60 - 0xA060 .text + UnwindInfo: .xdata
1BF65C AB20 .pdata ExceptionHook | Pointer to AB20 - 0xA120 .text + UnwindInfo: .xdata
1BF668 ABA0 .pdata ExceptionHook | Pointer to ABA0 - 0xA1A0 .text + UnwindInfo: .xdata
1BF674 AC20 .pdata ExceptionHook | Pointer to AC20 - 0xA220 .text + UnwindInfo: .xdata
1BF680 B0A0 .pdata ExceptionHook | Pointer to B0A0 - 0xA6A0 .text + UnwindInfo: .xdata
1BF68C B0E0 .pdata ExceptionHook | Pointer to B0E0 - 0xA6E0 .text + UnwindInfo: .xdata
1BF698 B160 .pdata ExceptionHook | Pointer to B160 - 0xA760 .text + UnwindInfo: .xdata
1BF6A4 B180 .pdata ExceptionHook | Pointer to B180 - 0xA780 .text + UnwindInfo: .xdata
1FD400 N/A *Overlay* 2E66696C650000003A000000FEFF000067016372 | .file...:.......g.cr
Extra Analysis
Metric Value Percentage
Ascii Code 1231689 55,1864%
Null Byte Code 523834 23,4706%
NOP Cave Found 0x9090909090 Block Count: 44 | Total: 0,0049%
© 2026 All rights reserved.