PESCAN.IO - Analysis Report Basic

Information
Size: 4,56 MB
SHA-256 Hash: B696AFBA629FAFDEFEF3CF4C4B657FBDF3A32E87BE78F559B7A1618D0DF1146D
SHA-1 Hash: 30539734F5A1EE7A81AA193D2CAC66EF2DDCEAC8
MD5 Hash: EAEA3E787A4BF49E4846BE4558B3071B
Imphash: D41D8CD98F00B204E9800998ECF8427E
MajorOSVersion: 4
MinorOSVersion: 0
CheckSum: 00000000
EntryPoint (rva): 0
SizeOfHeaders: 400
SizeOfImage: 6FC000
ImageBase: 0000000000400000
Architecture: x64
Characteristics: 22
TimeDateStamp: A0F1E8D3
Date: 26/07/2055 9:52:19
File Type: EXE
Number Of Sections: 4
ASLR: Disabled
Section Names (Optional Header): .text, .YRY, .1'a, .rsrc
Number Of Executable Sections: 2
Subsystem: Windows GUI
UAC Execution Level Manifest: requireAdministrator
[Incomplete Binary or Compressor Packer - 2,42 MB Missing]

Sections Info
Section Name Flags ROffset RSize VOffset VSize Entropy Chi2
.text 60000020 (Code, Executable, Readable) 0 0 2000 22E5E4 N/A N/A
.YRY 60000020 (Code, Executable, Readable) 0 0 232000 36028 N/A N/A
.1'a 60000020 (Code, Executable, Readable) 400 48D000 26A000 48CE20 7,5633 10260531,66
.rsrc 40000040 (Initialized Data, Readable) 48D400 2200 6F8000 2198 5,9424 128965,76
Description
OriginalFilename: HttpProgress.dll
CompanyName: bloomtom
ProductName: HttpProgress
FileVersion: 2.3.1.0
FileDescription: HttpProgress
ProductVersion: 2.3.2+bca5f2dee6e69d8150bfa916397135dc384205af
Comments: Provides extension methods for HttpClient PutAsync, PostAsync and GetAsync which support a progress reporting action.
Language: Unknown (ID=0x0)
CodePage: Unicode (UTF-16 LE) (0x4B0)

Binder/Joiner/Crypter
7 Executable files found

Entry Point
Section number (1) has the Entry Point
Information -> EntryPoint (calculated) - 3FF25D
Code -> 860EF4B8A517C5E0DF12F0F59E73DB3072C4E5EDF87112B900754E21C7F65974BD6B0E79B44DA39BED93E846D714F2C6D777
XCHG BYTE PTR [RSI], CL
HLT
MOV EAX, 0XE0C517A5
FIST WORD PTR [RDX]

Signatures
Certificate - Digital Signature:
• The file is not signed

Packer/Compiler
Compiler: Microsoft Visual .NET - (You can use a decompiler for this...)
AnyCPU: False
Version: v4.0
--------> Agile .NET Obfuscator
Compiler: Microsoft Visual Studio
Detect It Easy (die)
PE+(64): library: .NET(v4.0.30319)[-]
PE+(64): library: Costura.Fody(-)[-]
PE+(64): linker: Microsoft Linker(48.0)[-]
PE+(64): archive: Resources(-)[-]
Entropy: 7.56115

Suspicious Functions
Library Function Description
KERNEL32.DLL GetModuleHandle Retrieves a handle to the specified module.
File Access

File Access (UNICODE)

Interest's Words
BitCoin
Encrypt
Decrypt
Encryption
PassWord
<div
<form
<button
<title
exec
createobject
unescape
attrib
start
pause
cipher
hostname
systeminfo
ping
expand
openfiles
replace
route

Interest's Words (UNICODE)
Encrypt
Decrypt
Encryption
PassWord
exec
attrib
start
cipher
ping
expand
replace

URLs

URLs (UNICODE)

IP Addresses
13.0.0.0
17.0.0.0
17.6.0.0

PE Carving
Start Offset Header End Offset Size (Bytes)
0 2654E6 2654E6
2654E6 268AEA 3604
268AEA 269AEE 1004
269AEE 29CCF2 33204
29CCF2 30DAF6 70E04
30DAF6 3BB80A ADD14
3BB80A 48F600 D3DF6
Strings/Hex Code Found With The File Rules
Rule Type Encoding Matched (Word)
Text Unicode Unicode escape - \u00 - (Common Unicode escape sequences)
Text Ascii WinAPI Sockets (bind)
Text Unicode WinAPI Sockets (bind)
Text Ascii WinAPI Sockets (listen)
Text Unicode WinAPI Sockets (accept)
Text Ascii WinAPI Sockets (connect)
Text Ascii WinAPI Sockets (recv)
Text Ascii WinAPI Sockets (send)
Text Ascii Encryption (Base64Encode)
Text Unicode Encryption (Blowfish)
Text Ascii Encryption (CipherMode)
Text Ascii Encryption (FromBase64String)
Text Ascii Encryption (ICryptoTransform)
Text Ascii Encryption (Rijndael)
Text Ascii Encryption (RijndaelManaged)
Text Ascii Encryption (ToBase64String)
Text Unicode Encryption (Twofish)
Text Ascii Stealth (CloseHandle)
Text Ascii Keyboard Key (Scroll)
Text Ascii Keyboard Key (PageDown)
Text Ascii Keyboard Key (PageUp)
Text Unicode Linux Virtual File System - (/proc/)
Text Ascii Technique used to make malicious code harder to analyze (Obfuscation)
Text Ascii Malware designed to intercept and exfiltrate credit card details from compromised systems (Credit Card)
Text Ascii Unauthorized movement of funds or data (Transfer)
Text Unicode Malicious rerouting of traffic to an attacker-controlled site (Redirect)
Entry Point Hex Pattern PE Pack v1.0
Resources
Path DataRVA Size FileOffset Code Text
\ICON\1\0 6F8100 10A8 48D500 280000002000000040000000010020000000000000100000C30E0000C30E0000000000000000000000000000000000000000(... ...@..... ...................................
\GROUP_ICON\32512\0 6F91B8 14 48E5B8 0000010001002020000001002000A81000000100...... .... .......
\VERSION\1\0 6F91DC 33E 48E5DC 3E0334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000>.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
\24\1\0 6F952C C67 48E92C EFBBBF3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D227574662D38223F3E0D0A3C617373656D62...<?xml version="1.0" encoding="utf-8"?>..<assemb
Intelligent String

Flow Anomalies
Offset RVA Section Description
400-48D3FF 26A000 .1'a Executable section anomaly, first bytes: 1330170033040000
Extra Analysis
Metric Value Percentage
Ascii Code 3078967 64,3924%
Null Byte Code 429894 8,9906%