PESCAN.IO - Analysis Report Basic
| File Structure |
[Figure: file structure chart. PE chart legend: PE header (light blue), executable sections (pink), non-executable sections (black), external injected code (red); a file structure drawn in red indicates a malformed or corrupted header. Legend for other files: printable characters (blue), non-printable characters (black).]
| Information |
| Field | Value |
|---|---|
| Size | 3,19 MB |
| SHA-256 Hash | 7AF3DD3E22998F84CE76600E4B7D6E2341C64942372060605C82E84505F8B724 |
| SHA-1 Hash | 8C68C22E79AAD26BDA2F211805E678AFBBF68E26 |
| MD5 Hash | EAA43A42D7C9FF8B5D3716CE8D7C2B6C |
| Imphash | D42595B695FC008EF2C56AABD8EFD68E |
| MajorOSVersion | 6 |
| MinorOSVersion | 1 |
| CheckSum | 00330967 |
| EntryPoint (rva) | 75EC0 |
| SizeOfHeaders | 600 |
| SizeOfImage | 37D000 |
| ImageBase | 0000000140000000 |
| Architecture | x64 |
| ImportTable | 352000 |
| IAT | 2EC1A0 |
| Characteristics | 22 |
| TimeDateStamp | 0 |
| Date | 01/01/1970 |
| File Type | EXE |
| Number Of Sections | 8 |
| ASLR | Disabled |
| Section Names (Optional Header) | .text, .rdata, .data, .pdata, .xdata, .idata, .reloc, .symtab |
| Number Of Executable Sections | 1 |
| Subsystem | Windows GUI |
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 0x60000020 Code Executable Readable | 600 | DD200 | 1000 | DD1B1 | | |
| .rdata | 0x40000040 Initialized Data Readable | DD800 | 20CE00 | DF000 | 20CD98 | | |
| .data | 0xC0000040 Initialized Data Readable Writeable | 2EA600 | 15000 | 2EC000 | 5E888 | | |
| .pdata | 0x40000040 Initialized Data Readable | 2FF600 | 6000 | 34B000 | 5F04 | | |
| .xdata | 0x40000040 Initialized Data Readable | 305600 | 200 | 351000 | B4 | | |
| .idata | 0xC0000040 Initialized Data Readable Writeable | 305800 | 600 | 352000 | 53E | | |
| .reloc | 0x42000040 Initialized Data GP-Relative Readable | 305E00 | 4800 | 353000 | 47F8 | | |
| .symtab | 0x42000000 GP-Relative Readable | 30A600 | 24C00 | 358000 | 24A1D | | |
| Entry Point |
The section number (1) has the Entry Point Information -> EntryPoint (calculated) - 754C0
Code -> E9DBC6FFFFCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC554889E59CFC4881ECE000000048893C2448
Assembler:
JMP 0XFFFFFFFFFFFFD6E0
INT3 (x27)
PUSH RBP
MOV RBP, RSP
PUSHFQ
CLD
SUB RSP, 0XE0
MOV QWORD PTR [RSP], RDI
| Packer/Compiler |
| Detect It Easy (die) |
• PE+(64): compiler: Go(1.15.0-X.XX.X)
• PE+(64): Sign tool: Windows Authenticode(2.0)[PKCS 7]
• Entropy: 6.9509
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | VirtualAlloc | Reserve, commit, or both, a region of memory within the virtual address space of a process. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | LoadLibraryW | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| Ws2_32.DLL | socket | Create a communication endpoint for networking applications. |
| File Access |
| os.Exe internal/poll.exe kernel32.dll seconds/godebug/non-default-behavior/bcryptprimitives.dll itab.sys internal/abi.Name.Dat @.dat math.log main.ini internal/poll.Ini internal/syscall/windows.ini crypto/internal/fips140/aes/gcm.ini crypto/internal/fips140/drbg.ini crypto/internal/fips140/aes.ini crypto/internal/fips140/check.ini crypto/internal/fips140/hmac.ini crypto/internal/fips140/sha512.ini crypto/internal/fips140/sha3.ini crypto/internal/fips140/sha256.ini crypto/internal/fips140.ini encoding/json.ini encoding/base64.ini crypto/rand.ini math/big.ini fmt.ini reflect.ini crypto/internal/fips140only.ini os.ini io/fs.ini time.ini internal/syscall/windows/registry.ini crypto/internal/fips140deps/cpu.ini internal/godebug.ini crypto.ini math.ini iter.ini unicode.ini errors.ini sync.ini internal/syscall/windows/sysdll.ini internal/bytealg.ini internal/cpu.Ini Temp WinDir SysDir UserProfile |
| File Access (UNICODE) |
| bcryptprimitives.dll powrprof.dll winmm.dll ntdll.dll |
| Interest's Words |
| zombie Encrypt Decrypt exec netsh attrib start pause cipher shutdown systeminfo ping expand replace route |
| URLs |
| https://go.dev/issue/66821): |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | Unicode escape - \u00 - (Common Unicode escape sequences) |
| Text | Ascii | WinAPI Sockets (WSACleanup) |
| Text | Ascii | WinAPI Sockets (bind) |
| Text | Ascii | WinAPI Sockets (listen) |
| Text | Ascii | WinAPI Sockets (accept) |
| Text | Ascii | WinAPI Sockets (connect) |
| Text | Ascii | WinAPI Sockets (recv) |
| Text | Ascii | WinAPI Sockets (send) |
| Text | Ascii | Registry (RegCreateKeyEx) |
| Text | Ascii | Registry (RegOpenKeyEx) |
| Text | Ascii | Registry (RegSetValueEx) |
| Text | Ascii | File (GetTempPath) |
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | File (ReadFile) |
| Text | Ascii | Service (OpenSCManager) |
| Text | Ascii | Encryption API (CryptAcquireContext) |
| Text | Ascii | Encryption API (CryptReleaseContext) |
| Text | Ascii | Anti-Analysis VM (GetSystemInfo) |
| Text | Ascii | Anti-Analysis VM (GetVersion) |
| Text | Ascii | Anti-Analysis VM (CreateToolhelp32Snapshot) |
| Text | Ascii | Reconnaissance (FindFirstFileW) |
| Text | Ascii | Reconnaissance (FindNextFileW) |
| Text | Ascii | Reconnaissance (FindClose) |
| Text | Ascii | Stealth (GetThreadContext) |
| Text | Ascii | Stealth (SetThreadContext) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Stealth (UnmapViewOfFile) |
| Text | Ascii | Stealth (MapViewOfFile) |
| Text | Ascii | Stealth (CreateFileMappingW) |
| Text | Ascii | Stealth (VirtualAlloc) |
| Text | Ascii | Stealth (VirtualProtect) |
| Text | Ascii | Execution (CreateProcessA) |
| Text | Ascii | Execution (CreateProcessW) |
| Text | Ascii | Execution (ResumeThread) |
| Text | Ascii | Execution (CreateEventA) |
| Text | Ascii | Execution (CreateEventW) |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8.0 (DLL) |
| Intelligent String |
• GetSidSubAuthorityCountImpersonateLoggedOnUserDestroyEnvironmentBlockexit hook invoked panicpattern bits too long: connection reset by peerlevel 2 not synchronizedlink number out of rangeout of streams resourcesfunction not implementedstructure needs cleaningnot supported by windowsCertFreeCertificateChainCreateToolhelp32SnapshotGetUserProfileDirectoryWjson: unsupported type: invalid argument to Intntracecheckstackownershiphash of unhashable type span has no free objectsruntime: found obj at *(runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCcheckfinalizers: queue: update during transitionruntime: markroot index can't scan our own stackgcDrainN phase incorrectpageAlloc: out of memoryruntime: p.searchAddr = range partially overlaps [recovered, repanicked]stack trace unavailable
• ntdll.dll
• winmm.dll
• powrprof.dll
• bcryptprimitives.dll
• kernel32.dll
• io.EOF
| Flow Anomalies |
| Offset | RVA | Section | Description |
|---|---|---|---|
| E815 | N/A | .text | JMP QWORD PTR [RIP+0xE8840F] |
| 9BC02 | N/A | .text | CALL QWORD PTR [RIP+0x8B480675] |
| AD8CB | N/A | .text | JMP QWORD PTR [RIP+0xFFF826E9] |
| CA8C4 | N/A | .text | JMP QWORD PTR [RIP+0x24448D48] |
| F6E57 | N/A | .rdata | JMP QWORD PTR [RIP+0x60000017] |
| 104A37 | N/A | .rdata | CALL QWORD PTR [RIP+0xFF00004F] |
| 10A187 | N/A | .rdata | JMP QWORD PTR [RIP+0xFF000007] |
| 10AFC7 | N/A | .rdata | JMP QWORD PTR [RIP+0xFF000007] |
| 11CF8D | N/A | .rdata | CALL QWORD PTR [RIP+0x10] |
| 11CF93 | N/A | .rdata | CALL QWORD PTR [RIP+0x0] |
| 21A805 | N/A | .rdata | JMP QWORD PTR [RIP+0x773BC999] |
| 21F705 | N/A | .rdata | CALL QWORD PTR [RIP+0x113DB220] |
| 21FC85 | N/A | .rdata | CALL QWORD PTR [RIP+0x943BB928] |
| 221303 | N/A | .rdata | JMP QWORD PTR [RIP+0x317BA964] |
| 2256BF | N/A | .rdata | JMP QWORD PTR [RIP+0x79F3C9D0] |
| 2343A1 | N/A | .rdata | CALL QWORD PTR [RIP+0xA67B2AD8] |
| 236903 | N/A | .rdata | JMP QWORD PTR [RIP+0x317BA964] |
| 240697 | N/A | .rdata | CALL QWORD PTR [RIP+0x6CA8BA34] |
| 241E83 | N/A | .rdata | JMP QWORD PTR [RIP+0x317BA964] |
| 26245F | N/A | .rdata | CALL QWORD PTR [RIP+0xFF000016] |
| 262467 | N/A | .rdata | CALL QWORD PTR [RIP+0x3A000010] |
| 2625B7 | N/A | .rdata | CALL QWORD PTR [RIP+0xF9000016] |
| 277F58 | N/A | .rdata | CALL QWORD PTR [RIP+0x1016840F] |
| 2BC28F | N/A | .rdata | JMP QWORD PTR [RIP+0x1E000021] |
| 2BC2E7 | N/A | .rdata | JMP QWORD PTR [RIP+0x7F000021] |
| 2C058B | N/A | .rdata | JMP QWORD PTR [RIP+0xA0000021] |
| 2D7507 | N/A | .rdata | CALL QWORD PTR [RIP+0x0] |
| 2D8150 | N/A | .rdata | JMP QWORD PTR [RIP+0x11740003] |
| 2DA86F | N/A | .rdata | JMP QWORD PTR [RIP+0x1E000021] |
| 2DC4E7 | N/A | .rdata | JMP QWORD PTR [RIP+0x1E000021] |
| 2DDD8F | N/A | .rdata | JMP QWORD PTR [RIP+0xAC000021] |
| 2DDDE7 | N/A | .rdata | JMP QWORD PTR [RIP+0x1E000021] |
| 2E0E47 | N/A | .rdata | JMP QWORD PTR [RIP+0xAC000021] |
| 2E2CCF | N/A | .rdata | JMP QWORD PTR [RIP+0x9C00004B] |
| 2E645F | N/A | .rdata | JMP QWORD PTR [RIP+0xAC000021] |
| 2F5E3C | N/A | .data | CALL QWORD PTR [RIP+0xFB246050] |
| 2F663E | N/A | .data | CALL QWORD PTR [RIP+0xFB241998] |
| 2F6A3D | N/A | .data | CALL QWORD PTR [RIP+0xFB241950] |
| 76EE2-76FE0 | N/A | .text | Potential obfuscated jump sequence detected, count: 51 |
| 32F200 | N/A | *Overlay* | 68090000000202003082095B06092A864886F70D | h.......0..[..*.H... |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 2049933 | 61,3539% |
| Null Byte Code | 517861 | 15,4994% |
| NOP Cave Found | 0x9090909090 | Block Count: 4, Total: 0,0003% |