PREMIUM PESCAN.IO - Analysis Report

File Structure
[Chart image not reproduced. Legend used by the PE chart: PE header (light blue), executable sections (pink), non-executable sections (black), external injected code (red); a file structure drawn in red means a malformed or corrupted header. For non-PE files the chart shows printable characters in blue and non-printable characters in black.]
Information
Size: 2.07 MB (on-disk end of .reloc = 0x211E00 = 2,170,368 bytes)
SHA-256 Hash: A478F5057CA0F0706A61E4FC1A681090BB49A54FFE60567E5DABE1AE05D45880
SHA-1 Hash: 7D5C4BAD1991AA6C5C5F5833B9F2D4AA5488D645
MD5 Hash: 0F7CFA21BF91B895B5FB0B7B13798422
Imphash: 17EF601722575B6CBE7BE63D69DD832A
MajorOSVersion: 6
MinorOSVersion: 0
CheckSum: 00000000
EntryPoint (rva): 1876E0
SizeOfHeaders: 400
SizeOfImage: 56A000
ImageBase: 0000000140000000
Architecture: x64
ImportTable: 1F739C
IAT: 1B0000
Characteristics: 22
TimeDateStamp: 69DE5086
Date: 14/04/2026 14:34:46 (UTC, decoded from TimeDateStamp; the field is written by the linker and is trivially forgeable)
File Type: EXE
Number Of Sections: 7
ASLR: Disabled (DYNAMIC_BASE is clear even though a .reloc section is present; MSVC enables /DYNAMICBASE by default, so this was most likely switched off on purpose, and the image loads at its fixed ImageBase 0x140000000)
Section Names (Optional Header): .text, .rdata, .data, .pdata, .fptable, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker
[Incomplete Binary or Compressor Packer - 3.34 MB Missing]
(Tool heuristic, not a real truncation: SizeOfImage 0x56A000 exceeds the on-disk end of .reloc at 0x211E00 by 0x358200 bytes. Per the section table, 0x353F24 of that is the .data section's virtual size beyond its raw size, i.e. uninitialised .bss, and the remainder is page-alignment padding. The raw sections are all present and DIE reports no packer.)

Sections Info (all offsets and sizes in hex)
Name      Flags       Characteristics                          ROffset  RSize   VOffset  VSize   Entropy  Chi2
.text     0x60000020  Code, Executable, Readable               400      1AEA00  1000     1AE86F  6.4632   11640118.98
.rdata    0x40000040  Initialized Data, Readable               1AEE00   4B000   1B0000   4AF16   5.8207   6613896.39
.data     0xC0000040  Initialized Data, Readable, Writeable    1F9E00   5A00    1FB000   359924  2.0053   3523018.6
.pdata    0x40000040  Initialized Data, Readable               1FF800   F600    555000   F54C    6.2041   1192106.63
.fptable  0xC0000040  Initialized Data, Readable, Writeable    20EE00   200     565000   100     0        130560
.rsrc     0x40000040  Initialized Data, Readable               20F000   1400    566000   123C    1.9155   805560.7
.reloc    0x42000040  Initialized Data, Discardable, Readable  210400   1A00    568000   18B8    5.3852   42264.77
Notes: the report labels the .reloc flag 0x02000000 as "GP-Relative"; that bit is IMAGE_SCN_MEM_DISCARDABLE (IMAGE_SCN_GPREL is 0x00008000), and a discardable .reloc is the normal MSVC layout. .data has a raw size of 0x5A00 but a virtual size of 0x359924, which accounts for almost all of the "missing" 3.34 MB flagged above. Section entropies (6.46 for .text, 5.82 for .rdata) are in the range of ordinary compiled code, not packed data.
Entry Point
The entry point is in section 1 (.text).
Information -> EntryPoint file offset (calculated) - 186AE0 (= RVA 1876E0 - .text VOffset 1000 + .text ROffset 400)
Code -> 4883EC28E8B30600004883C428E97AFEFFFFCCCC40534883EC20488BD9488BC2488D0D619E02000F57C048890B488D530848
Assembler (the tool disassembles from a base of 0x1000, so the CALL and JMP targets below are relative to that base; rebased to the real entry RVA 1876E0, the CALL lands at 187D9C and the JMP at 18756C)
|SUB RSP, 0X28
|CALL 0X16BC
|ADD RSP, 0X28
|JMP 0XE8C
|INT3
|INT3
|PUSH RBX
|SUB RSP, 0X20
|MOV RBX, RCX
|MOV RAX, RDX
|LEA RCX, [RIP + 0X29E61]
|XORPS XMM0, XMM0
|MOV QWORD PTR [RBX], RCX
|LEA RDX, [RBX + 8]
The first four instructions are the stock MSVC x64 CRT startup stub (sub rsp,28h / call __security_init_cookie / add rsp,28h / jmp __scrt_common_main_seh); the program's own code is reached through that JMP, not at the entry point itself. The INT3 padding and the PUSH RBX after it belong to the next function, not to the startup path.
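The three arithmetic checks above (the "missing" 3.34 MB, the entry-point file offset, and the rebased CALL/JMP targets) are easy to get wrong by hand. The following script, added here as a worked example and not part of the PEScan report or of the sample, re-derives all three from nothing but the section table and entry-point bytes printed on this page. The section table is transcribed from the report as constructed input; the decoder only understands the opcodes present in the 18-byte stub and is not a general disassembler.

```python
"""Re-derive the PEScan numbers from the section table and entry-point bytes.
Constructed input: every value below is copied from the report above."""

# (name, raw_offset, raw_size, virtual_offset, virtual_size), hex as printed
SECTIONS = [
    (".text",    0x000400, 0x1AEA00, 0x001000, 0x1AE86F),
    (".rdata",   0x1AEE00, 0x04B000, 0x1B0000, 0x04AF16),
    (".data",    0x1F9E00, 0x005A00, 0x1FB000, 0x359924),
    (".pdata",   0x1FF800, 0x00F600, 0x555000, 0x00F54C),
    (".fptable", 0x20EE00, 0x000200, 0x565000, 0x000100),
    (".rsrc",    0x20F000, 0x001400, 0x566000, 0x00123C),
    (".reloc",   0x210400, 0x001A00, 0x568000, 0x0018B8),
]
SIZE_OF_IMAGE = 0x56A000
ENTRY_POINT_RVA = 0x1876E0
# First 18 bytes of the "Code ->" dump: the CRT stub up to and including the JMP
ENTRY_BYTES = bytes.fromhex("4883EC28E8B30600004883C428E97AFEFFFF")


def expected_raw_size(sections):
    """End of the last section's raw data = minimum on-disk file size."""
    return max(off + size for _, off, size, _, _ in sections)


def bss_gap(sections, size_of_image):
    """Bytes of SizeOfImage with no backing on disk, and which sections
    contribute (virtual size larger than raw size = uninitialised data)."""
    per_section = {name: vsize - rsize
                   for name, _, rsize, _, vsize in sections if vsize > rsize}
    return size_of_image - expected_raw_size(sections), per_section


def rva_to_offset(rva, sections):
    """Map an RVA to a file offset via the section that contains it.
    Returns None for RVAs that live only in uninitialised space."""
    if rva < sections[0][3]:
        return rva                       # headers are mapped 1:1
    for _, roff, rsize, voff, vsize in sections:
        if voff <= rva < voff + max(vsize, rsize):
            delta = rva - voff
            return roff + delta if delta < rsize else None
    return None


def branch_targets(code, base_rva):
    """Resolve rel32 CALL (E8) / JMP (E9) targets in a flat byte string.
    Only the shapes in the entry stub are decoded: 48 83 xx imm8 (4 bytes)
    and E8/E9 rel32 (5 bytes); anything else is an error, not a guess."""
    targets, i = [], 0
    while i < len(code):
        op = code[i]
        if op in (0xE8, 0xE9):
            rel = int.from_bytes(code[i + 1:i + 5], "little", signed=True)
            targets.append(("call" if op == 0xE8 else "jmp", base_rva + i + 5 + rel))
            i += 5
        elif op == 0x48 and code[i + 1] == 0x83:
            i += 4
        else:
            raise ValueError(f"unhandled opcode {op:#x} at +{i:#x}")
    return targets


if __name__ == "__main__":
    gap, per = bss_gap(SECTIONS, SIZE_OF_IMAGE)
    print(f"on-disk size {expected_raw_size(SECTIONS):#x}, SizeOfImage {SIZE_OF_IMAGE:#x}, "
          f"gap {gap / 2**20:.2f} MiB; uninitialised data: "
          + ", ".join(f"{n}={v:#x}" for n, v in per.items()))
    print(f"entry RVA {ENTRY_POINT_RVA:#x} -> file offset {rva_to_offset(ENTRY_POINT_RVA, SECTIONS):#x}")
    for kind, rva in branch_targets(ENTRY_BYTES, ENTRY_POINT_RVA):
        print(f"{kind} -> RVA {rva:#x} (file offset {rva_to_offset(rva, SECTIONS):#x})")
    # Same bytes decoded from base 0x1000 reproduce the tool's 0x16BC / 0xE8C
    print(branch_targets(ENTRY_BYTES, 0x1000))
```

Running it with base 0x1000 reproduces the tool's CALL 0x16BC / JMP 0xE8C, which confirms that those figures are base-relative rather than RVAs; running it with the real entry RVA gives the addresses to bookmark before opening the file in a disassembler.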
Signatures
Rich Signature Analyzer:
Code -> AEABDFE9EACAB1BAEACAB1BAEACAB1BA6D43B2BBE2CAB1BA6D43B5BBF8CAB1BA9E4BB2BBE1CAB1BA9E4BB5BBFECAB1BA9E4BB4BB5ACAB1BA6D43B4BBD2CAB1BA9E4BB6BBEBCAB1BA9E4BB7BBEBCAB1BAEACAB0BAD3C8B1BA9E4BB0BBC5CAB1BA7B43B9BBE8CAB1BA7B434EBAEBCAB1BA7B43B3BBEBCAB1BA52696368EACAB1BA
Footprint md5 Hash -> 26D674E7CBAAC0DCF4D42F4ECDCABBE7
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler
Detect It Easy (die)
PE+(64): compiler: Microsoft Visual C/C++(-)[-]
PE+(64): linker: Microsoft Linker(14.44**)[-]   (a Visual Studio 2022 toolset; DIE lists no packer)
Entropy: 6.51136 (whole file; in the range of ordinary compiled code and well below the 7+ typical of packed or encrypted payloads)

Suspicious Functions
Library        Function                  Description
KERNEL32.DLL   CreateMutexA              Creates a named or unnamed mutex object for controlling access to a shared resource.
KERNEL32.DLL   CreateMutexW              Creates a named or unnamed mutex object for controlling access to a shared resource.
KERNEL32.DLL   VirtualAlloc              Reserves, commits, or both, a region of memory within the virtual address space of a process.
KERNEL32.DLL   GetModuleHandleA          Retrieves a handle to the specified module.
KERNEL32.DLL   CopyFileW                 Copies an existing file to a new file.
KERNEL32.DLL   WriteFile                 Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL   LoadLibraryA              Loads the specified module into the address space of the calling process.
KERNEL32.DLL   LoadLibraryW              Loads the specified module into the address space of the calling process.
KERNEL32.DLL   CreateToolhelp32Snapshot  Creates a snapshot of the specified processes, heaps, threads, and modules.
KERNEL32.DLL   CreateRemoteThread        Creates a thread in the address space of another process.
KERNEL32.DLL   WriteProcessMemory        Writes data to an area of memory in a specified process.
KERNEL32.DLL   ReadProcessMemory         Reads data from an area of memory in a specified process.
KERNEL32.DLL   GetProcAddress            Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL   CreateFileA               Creates or opens a file or I/O device.
KERNEL32.DLL   DeleteFileA               Deletes an existing file.
KERNEL32.DLL   IsDebuggerPresent         Determines whether the calling process is being debugged by a user-mode debugger.
URLMON.DLL     URLDownloadToFileA        Downloads a file from the internet and saves it to a local file.
ADVAPI32.DLL   CryptDecrypt              Performs a cryptographic operation on data in a data block.
ADVAPI32.DLL   RegCreateKeyExA           Creates a new registry key or opens an existing one.
ADVAPI32.DLL   RegDeleteKeyA             Deletes a subkey and its values from the Windows registry.
ADVAPI32.DLL   RegSetValueExA            Sets the data and type of a specified value under a registry key.
SHELL32.DLL    ShellExecuteW             Performs an operation (such as "open" or "runas") on a specified file.
SHELL32.DLL    ShellExecuteExA           Performs an operation (such as "open" or "runas") on a specified file.
ntdll.dll      ZwAllocateVirtualMemory   Reserves, commits, or decommits a region of memory within the virtual address space of a specified process.
ntdll.dll      ZwQueryVirtualMemory      Queries the virtual memory information for a specified process.
ntdll.dll      ZwUnmapViewOfSection      Unmaps a mapped view of a section from a process's address space.
Notes: the report attributes the three Zw* functions to NtosKrnl.exe; a user-mode executable resolves them from ntdll.dll, which exports the same Nt*/Zw* pairs. VirtualAlloc, ZwUnmapViewOfSection, WriteProcessMemory and CreateRemoteThread together (with QueueUserAPC and RtlQueueApcWow64Thread among the strings further down) are the import set used for process hollowing and remote-thread or APC injection; the hard-coded host paths under File Access (System32 and SysWOW64 copies of svchost.exe, cmd.exe and notepad.exe, plus RegAsm.exe, MSBuild.exe and InstallUtil.exe under both Framework and Framework64) are the obvious candidate targets, and the "%s\inj_%u.dll" string points to a dropped injection DLL. CreateToolhelp32Snapshot pairs with the long process-name lists below (browser, wallet and messenger executables that the sample kills with taskkill before reading their data).
Windows REG
Software\Browser\User Data
Software\Microsoft\Windows\CurrentVersion\Run
Software\Opera Stable
Software\Brave-Browser\User Data
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Google Chrome
Software\Brave-Browser\Application\brave.exe
Software\Brave-Browser\Application
Software\Brave-Browser
Software\Opera Neon\Application\neon.exe
Software\Browser\Application\AvastBrowser.exe
Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
SOFTWARE\Microsoft\Windows Defender
SOFTWARE\Microsoft\Windows Advanced Threat Protection
Software\Classes\http\shell\open\command
SOFTWARE\Classes\http\shell\open\command
Software\%s\%s-Qt
Software\Opera GX Stable
Software\Opera Neon\User Data
Software\Classes\%s\DefaultIcon
Software\Classes\%s\shell\open\command
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\%s
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Software\Valve\Steam
Software\Martin Prikryl\WinSCP 2\Configuration\Security
Software\Martin Prikryl\WinSCP 2\Sessions
Software\Martin Prikryl\WinSCP 2\Sessions\%s
SOFTWARE\Classes\Foxmail.url.mailto\Shell\open\command
SOFTWARE\Foxmail\Install
SOFTWARE\WOW6432Node\Foxmail\Install
SOFTWARE\Foxmail
SOFTWARE\WOW6432Node\Foxmail
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Foxmail_is1
SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Foxmail_is1
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Foxmail.exe
Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
Software\Tencent\WeChat
SOFTWARE\Microsoft\Windows NT\CurrentVersion
Software\Epic Games\EOS
Software\Electronic Arts\EA Desktop
Software\GOG.com\GalaxyClient\paths
Software\Brave-Browser-Beta\User Data
Software\Brave-Browser-Nightly\User Data
Software\Opera Crypto Stable
Software\Opera Crypto Developer
Software\Opera Developer
Software\Opera Next
Software\Microsoft\Windows\CurrentVersion\Uninstall
Software\Mobatek\MobaXterm\Sessions
Software\Mobatek\MobaXterm\Passwords
Software\Mobatek\MobaXterm\Credentials
Software\Mobatek\MobaXterm\M
Software\SimonTatham\PuTTY\Sessions
Software\SimonTatham\PuTTY\Sessions\%s
Software\SimonTatham\PuTTY\SshHostKeys
Software\9bis.com\KiTTY\Sessions
Software\9bis.com\KiTTY\Sessions\%s
Software\PremiumSoft\Navicat\Servers
Software\PremiumSoft\NavicatPG\Servers
Software\PremiumSoft\NavicatMARIADB\Servers
Software\PremiumSoft\NavicatMONGODB\Servers
Software\PremiumSoft\NavicatMSSQL\Servers
Software\PremiumSoft\NavicatORA\Servers
Software\PremiumSoft\NavicatSQLite\Servers
Software\HeidiSQL\Servers
Software\HeidiSQL\Servers\%s
Software\Microsoft\Terminal Server Client\Default
Software\Microsoft\Terminal Server Client\Servers
Software\Microsoft\Terminal Server Client\Servers\%s
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes
SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths
SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions
Software\Microsoft\Windows\CurrentVersion\Policies\System
SOFTWARE\Policies\Microsoft\Windows\System
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
SOFTWARE\Policies\Microsoft\Windows\WinRE
SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
SOFTWARE\Policies\Google\Chrome
SOFTWARE\Policies\Microsoft\Edge
System\CentralProcessor\0
SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}
system\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
system\Profiles\9375CFF0413111d3B88A00104B2A6676
SYSTEM\CurrentControlSet\Control\Terminal Server
SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
SYSTEM\CurrentControlSet\Control\Lsa
System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
SYSTEM\CurrentControlSet\Services\USBSTOR
SYSTEM\CurrentControlSet\Control\Session Manager
Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer - DisableRegistryTools
Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer - DisableTaskMgr
Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer - NoRun
Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - DisableRegistryTools
Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - DisableTaskMgr
Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - NoRun
Rebuilt string - SOFTWARE\Policies\Microsoft\Windows\System
Rebuilt string - SOFTWARE\Policies\Microsoft\Windows\System - EnableLUA
Rebuilt string - SOFTWARE\Policies\Microsoft\Windows\System - DisableCMD
Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Windows REG (UNICODE)
Software\Brave-Browser\User Data
Software\Browser\User Data
Software\Brave-Browser\Application\brave.exe
Software\Browser\Application\AvastBrowser.exe
Rebuilt string - SOFTWARE\Policies\Microsoft\Windows\System

File Access
svchost.exe
cmd.exe
Failed to launch powershell.exe
powershell.exe
cscript.exe
sc.exe
wscript.exe
vssadmin.exe
MSBuild.exe
conhost.exe
%s\dl_%u.exe
schtasks.exe
Process masked as svchost.exe
.exe
%s~update_%u.exe
%s\deviceinstaller.exe
%s\deviceinstaller64.exe
%s\opera.exe
polypane.exe
sogou.exe
QQBrowser.exe
360chrome.exe
iridium.exe
superbird.exe
whale.exe
centbrowser.exe
coccoc.exe
iron.exe
arc.exe
thorium.exe
AVGBrowser.exe
application\chrome.exe
launcher.exe
yandex.exe
AyuGramDesktop.exe
AyuGram.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Foxmail.exe
%s\cmd.exe
%%~dp0payload.exe
%s\payload.exe
WhatsApp.exe
slack.exe
Teams.exe
discord.exe
DingTalk.exe
thunderbird.exe
Foxmail.exe
OUTLOOK.EXE
Skype.exe
Telegram.exe
explorer.exe
Jaxx Liberty.exe
ArmoryQt.exe
Coinomi.exe
Guarda.exe
Atomic Wallet.exe
electrum.exe
Exodus.exe
mullvad-browser.exe
waterfox.exe
browser.exe
vivaldi.exe
brave.exe
msedge.exe
firefox.exe
chrome.exe
%s\Programs\com.liberty.jaxx\Jaxx Liberty.exe
cmd.exe /c taskkill /IM ArmoryQt.exe
%s\Coinomi\Coinomi.exe
cmd.exe /c taskkill /IM Coinomi.exe
%s\Programs\Guarda\Guarda.exe
cmd.exe /c taskkill /IM Guarda.exe
%s\Programs\Atomic Wallet\Atomic Wallet.exe
cmd.exe /c taskkill /IM Atomic Wallet.exe
%s\Electrum\electrum.exe
cmd.exe /c taskkill /IM electrum.exe
%s\Programs\Exodus\Exodus.exe
cmd.exe /c taskkill /IM Exodus.exe
mstsc.exe
msinfo32.exe
control.exe
notepad.exe
%s\DingDing\DingTalk.exe
cmd.exe /c taskkill /IM DingTalk.exe
cmd.exe /c taskkill /IM thunderbird.exe
%s\Foxmail\Foxmail.exe
cmd.exe /c taskkill /IM Foxmail.exe
cmd.exe /c taskkill /IM OUTLOOK.EXE
%s\Discord\app-*\Discord.exe
cmd.exe /c taskkill /IM Discord.exe
%s\Microsoft\Skype for Desktop\Skype.exe
cmd.exe /c taskkill /IM Skype.exe
%s\Ayugram Desktop\Ayugram.exe
cmd.exe /c taskkill /IM Ayugram.exe
%s\Telegram Desktop\Telegram.exe
cmd.exe /c taskkill /IM Telegram.exe
%s\explorer.exe
safari.exe
%s\Safari\Safari.exe
AvastBrowser.exe
%s\AVAST Software\Browser\Application\AvastBrowser.exe
slimbrowser.exe
%s\SlimBrowser\slimbrowser.exe
maxthon.exe
%s\Maxthon\Bin\Maxthon.exe
mullvadbrowser.exe
%s\MullvadBrowser\Browser\firefox.exe
%s\Mullvad Browser\Browser\firefox.exe
%s\Mullvad Browser\mullvadbrowser.exe
%s\MullvadBrowser\mullvadbrowser.exe
%s\Mullvad\MullvadBrowser\Release\mullvadbrowser.exe
%s\Tor Browser\Browser\firefox.exe
%s\SputnikLab\Sputnik\Application\Browser.exe
orbitum.exe
%s\Orbitum\Application\orbitum.exe
neon.exe
%s\Opera Software\Opera Neon\Application\neon.exe
dragon.exe
%s\Comodo\Dragon\dragon.exe
chromodo.exe
%s\Comodo\Chromodo\chromodo.exe
atom.exe
%s\Mail.Ru\Atom\Application\atom.exe
360Browser.exe
%s\360Browser\Browser\Application\360Browser.exe
epic.exe
%s\Epic Privacy Browser\Application\epic.exe
slimjet.exe
%s\SlimBrowser\slimjet.exe
%s\Waterfox\waterfox.exe
%s\Yandex\YandexBrowser\Application\browser.exe
%s\Vivaldi\Application\vivaldi.exe
Conhost --headless cmd.exe
%s\Programs\Opera\opera.exe
%s\Mozilla Firefox\firefox.exe
%s\BraveSoftware\Brave-Browser\Application\brave.exe
%s\Microsoft\Edge\Application\msedge.exe
%s\Google\Chrome\Application\chrome.exe
opera.exe
\Windows\SysWOW64\svchost.exe
\Windows\SysWOW64\cmd.exe
\Windows\SysWOW64\notepad.exe
\Windows\System32\svchost.exe
\Windows\System32\cmd.exe
\Windows\System32\notepad.exe
\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
USERENV.dll
WTSAPI32.dll
NETAPI32.dll
CRYPT32.dll
WINTRUST.dll
SHLWAPI.dll
WINHTTP.dll
bcrypt.dll
WINMM.dll
dwmapi.dll
ntdll.dll
VERSION.dll
WININET.dll
IPHLPAPI.DLL
OLEAUT32.dll
KERNEL32.dll
ole32.dll
gdiplus.dll
USER32.dll
GDI32.dll
ADVAPI32.dll
SHELL32.dll
WS2_32.dll
.dll
shcore.dll
urlmon.dll
%s\inj_%u.dll
dbghelp.dll
termsrv.dll
WARNING - Failed to read termsrv.dll
WARNING - termsrv.dll
Patching termsrv.dll
vaultcli.dll
%s\nss3.dll
%s\mozglue.dll
msedge.dll
chrome.dll
amsi.dll
\Windows\SysWow64\Amsi.dll
\Windows\System32\Amsi.dll
dxgi.dll
d3d11.dll
%s\sirius_%u.bat
%s~uninstall_%u.bat
.dat
) ORDER BY a.dat
Gaming/Roblox/RobloxCookies.dat
%s\RobloxCookies.dat
workbench_user_data.dat
+(n.dat
await indexedDB.dat
Games/Growtopia/save.dat
%s\Growtopia\save.dat
Messengers/WeChat/%s/config.dat
%s\config\config.dat
Messengers/WeChat/%s/AccInfo.dat
%s\config\AccInfo.dat
Messengers/WeChat/globalconfig.dat
%s\All Users\config\globalconfig.dat
Messengers/WeChat/AccInfo.dat
%s\All Users\config\AccInfo.dat
Messengers/WeChat/config.dat
%s\All Users\config\config.dat
private_settings.dat
settings-log.dat
settings.dat
data.dat
\Users\Default\NTUSER.DAT
%APPDATA%\Microsoft\Windows\keylog.dat
@.dat
%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log
.log
rlf_debug.log
%s\note_%u.txt
Browsers/AllDownloads.txt
Gaming/Xbox/Credentials.txt
%s/MailAccounts.txt
RDP/RecentConnections.txt
RDP/VaultCredentials.txt
RDP/CredentialManager.txt
RDP/DecryptedPasswords.txt
DevTools/Summary.txt
DatabaseClients/Navicat/Servers.txt
DatabaseClients/HeidiSQL/Servers.txt
SSH/KiTTY/Sessions.txt
SSH/MobaXterm/Registry.txt
SSH/WinSCP/Sessions.txt
SSH/PuTTY/Sessions.txt
%s/Bookmarks.txt
%s/Cards.txt
%s/Autofill.txt
%s/History.txt
Browsers/ImportantCookies.txt
%s/Cookies.txt
%s/Cookies_Extensions.txt
rd_%u_%d.txt
Browsers/passwords.txt
%s/Passwords.txt
Browsers/CDP_Cookies.txt
intentlauncher\Rise\alts.txt
.minecraft\Rise\alts.txt
Device/GameList.txt
Device/ProcessList.txt
Device/InstalledApps.txt
Device/ProductKey.txt
Device/SystemInfo.txt
Device/WiFi_Keys.txt
Messengers/WeChat/RegistryInfo.txt
Email/Outlook/Accounts.txt
Email/Outlook/Tokens.txt
Email/Foxmail.txt
FTP/WinSCP/Sessions.txt
FTP/FileZilla/Credentials.txt
Messengers/Discord/BackupCodes/summary.txt
.txt
Messengers/Discord/Tokens.txt
.ini
PasswordManagers/KeePassXC/keepassxc.ini
%s\KeePassXC\keepassxc.ini
%s\Mobatek\MobaXterm\MobaXterm.ini
SSH/MobaXterm/MobaXterm.ini
%s\MobaXterm\MobaXterm.ini
%s\Martin Prikryl\WinSCP\WinSCP.ini
SSH/WinSCP/WinSCP.ini
Games/EpicGames/GameUserSettings.ini
%s\EpicGamesLauncher\Saved\Config\Windows\GameUserSettings.ini
Apps/OBS/global.ini
global.ini
FTP/WinSCP/WinSCP.ini
%s\WinSCP.ini
%s\sirius_%u.vbs
%s\tts_%u.vbs
%s\updater.vbs
%s\prefs.js
prefs.js
%s\w.js
%s.zip
//www.amyuni.com/downloads/usbmmidd_v2.zip
%susbmmidd_v2.zip
drivers\etc\hosts
Temp
WinDir
ProgramFiles
AppData
UserProfile
Exec - net start termservice
Exec - vssadmin .exe delete shadows /all /quiet
Exec - netsh wlan show profiles > "%s"
Exec - netsh wlan show profile name="%s" key=clear > "%s"
Exec - netsh advfirewall firewall delete rule name="rdp"
Exec - netsh advfirewall firewall show rule name=all verbose > "%s""
Exec - netsh advfirewall firewall add rule %s"
Exec - netsh advfirewall firewall delete rule name=""%s"""
Exec - netsh advfirewall firewall set rule name=""%s"" new enable=%s"
Exec - netsh advfirewall firewall set rule name=""%s"" %s"
Exec - netsh advfirewall export "%s""
Exec - netsh advfirewall import "%s""
Exec - netsh advfirewall show allprofiles > "%s""
Exec - netsh advfirewall set %s"
Exec - netsh advfirewall set allprofiles logging maxfilesize 4096"
Exec - netsh advfirewall set allprofiles logging droppedconnections enable"
Exec - netsh advfirewall set allprofiles logging allowedconnections enable"
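The Exec strings above, the termsrv.dll patching strings, and the registry paths under Windows REG (Defender Exclusions, Winlogon\SpecialAccounts\UserList, the Run/RunOnce keys) describe a recognisable set of defence-evasion and persistence actions: shadow-copy deletion with an evasive space in "vssadmin .exe", firewall rules named "rdp", starting TermService, dumping Wi-Fi keys with key=clear, hiding a logon account, and excluding a path from Defender. The script below is an added detection example written for this page; it is not code from the report or from the sample. It normalises command lines (so the spaced "vssadmin .exe" still matches), then applies substring and regex rules to constructed process, registry and file events modelled loosely on Sysmon event IDs 1, 13 and 11. The event dictionary shape and rule names are this example's own convention; the ATT&CK IDs are the standard public mapping.

```python
"""Detection rules for the behaviours the PEScan strings describe, run over
constructed telemetry. Added example; not part of the report or the sample."""
import re

# Constructed events. The command lines, key paths and the termsrv.dll path
# are taken from the strings in the report; none of this is live telemetry.
SAMPLE_EVENTS = [
    {"type": "process", "cmd": "vssadmin .exe delete shadows /all /quiet"},   # note the space
    {"type": "process", "cmd": 'netsh advfirewall firewall delete rule name="rdp"'},
    {"type": "process", "cmd": "net start termservice"},
    {"type": "process", "cmd": 'cmd.exe /c chcp 65001 >nul && netsh wlan show profile name="Office" key=clear > "C:\\Temp\\wifi_key.tmp"'},
    {"type": "process", "cmd": "Shutdown /r /f /t 00"},
    {"type": "process", "cmd": "netsh wlan show interfaces"},                   # benign admin use
    {"type": "registry", "key": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"},
    {"type": "registry", "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"},  # benign
    {"type": "file", "path": r"C:\Windows\System32\termsrv.dll"},
]


def normalize(cmd):
    """Lower-case, drop quotes, glue 'vssadmin .exe' back to 'vssadmin.exe',
    then drop the .exe suffix so 'vssadmin' and 'vssadmin.exe' compare equal."""
    s = cmd.lower().replace('"', "")
    s = re.sub(r"\s+\.exe\b", ".exe", s)
    s = re.sub(r"\b(\w+)\.exe\b", r"\1", s)
    return re.sub(r"\s+", " ", s).strip()


PROCESS_RULES = [
    ("shadow copy deletion (T1490)",
     re.compile(r"\bvssadmin\b.*\bdelete\b.*\bshadows\b")),
    ("firewall rule tampering (T1562.004)",
     re.compile(r"\bnetsh advfirewall firewall (delete|add|set) rule\b")),
    ("remote desktop service started (T1021.001)",
     re.compile(r"\bnet start termservice\b")),
    ("wifi key dump via netsh",
     re.compile(r"\bnetsh wlan show profile\b.*\bkey=clear\b")),
    ("forced shutdown/reboot (T1529)",
     re.compile(r"\bshutdown /[rsl]\b.* /f\b")),
]
# Registry and file rules are case-insensitive substring matches on the path.
REGISTRY_RULES = [
    ("Defender exclusion added (T1562.001)", r"\microsoft\windows defender\exclusions"),
    ("hidden logon account (T1564.002)",     r"\winlogon\specialaccounts\userlist"),
    ("run-key persistence (T1547.001)",      r"\currentversion\run"),
]
FILE_RULES = [
    ("termsrv.dll tampering (multi-session RDP patch)", r"\system32\termsrv.dll"),
]


def classify(event):
    """Return the rule names an event triggers; an empty list means clean."""
    if event["type"] == "process":
        cmd = normalize(event["cmd"])
        return [name for name, rx in PROCESS_RULES if rx.search(cmd)]
    if event["type"] == "registry":
        key = event["key"].lower()
        return [name for name, frag in REGISTRY_RULES if frag in key]
    if event["type"] == "file":
        path = event["path"].lower()
        return [name for name, frag in FILE_RULES if frag in path]
    return []


def triage(events):
    """Map event index -> findings, keeping only events with at least one hit."""
    return {i: hits for i, e in enumerate(events) if (hits := classify(e))}


if __name__ == "__main__":
    for i, hits in triage(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i], "->", hits)
```

Two of the eleven constructed events are benign on purpose (a plain "netsh wlan show interfaces" and a write under Explorer\Advanced) to show that the rules key on the specific sub-command or key path rather than on netsh or CurrentVersion alone; in production the same rules belong in your SIEM's query language, but the normalisation step is the part most often forgotten there.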

File Access (UNICODE)
svchost.exe
\Windows\System32\svchost.exe
CCleanerBrowser.exe
sidekick.exe
SogouExplorer.exe
torch.exe
polypane.exe
QQBrowser.exe
epic.exe
slimjet.exe
superbird.exe
centbrowser.exe
Extracted session data from %d page(s)
browser.exe
iridium.exe
whale.exe
coccoc.exe
iron.exe
arc.exe
thorium.exe
AVGBrowser.exe
yandex.exe
opera.exe
vivaldi.exe
Foxmail.exe
\Microsoft\Edge Beta\Application\msedge.exe
\Microsoft\Edge\Application\msedge.exe
\Google\Chrome SxS\Application\chrome.exe
\Google\Chrome Dev\Application\chrome.exe
\Google\Chrome Beta\Application\chrome.exe
\Google\Chrome\Application\chrome.exe
AvastBrowser.exe
msedge.exe
brave.exe
chrome.exe
%s\explorer.exe
RtlQueueApcWow64Thread
ntdll.dll
mscoree.dll
KERNEL32.DLL
AppData

SQL Queries
SELECT 1 FROM "%w".sqlite_master WHERE name NOT LIKE 'sqliteX_%%' ESCAPE 'X' AND sql NOT LIKE 'create virtual%%' AND sqlite_rename_test(%Q, sql, type, name, %d, %Q, %d)=NULL
SELECT 1 FROM temp.sqlite_master WHERE name NOT LIKE 'sqliteX_%%' ESCAPE 'X' AND sql NOT LIKE 'create virtual%%' AND sqlite_rename_test(%Q, sql, type, name, 1, %Q, %d)=NULL
SELECT raise(ABORT,%Q) FROM "%w"."%w"
SELECT CASE WHEN quick_check GLOB 'CHECK*' THEN raise(ABORT,'CHECK constraint failed') WHEN quick_check GLOB 'non-* value in*' THEN raise(ABORT,'type mismatch on DEFAULT') ELSE raise(ABORT,'NOT NULL constraint failed') END FROM pragma_quick_check(%Q,%Q) WHERE quick_check GLOB 'CHECK*' OR quick_check GLOB 'NULL*' OR quick_check GLOB 'non-* value in*'
SELECT tbl,idx,stat FROM %Q.sqlite_stat1
SELECT sql FROM "%w".sqlite_schema WHERE type='table'AND name<>'sqlite_sequence' AND coalesce(rootpage,1)>0
SELECT sql FROM "%w".sqlite_schema WHERE type='index'
SELECT count(*) FROM sqlite_master
SELECT origin_url, username_value, password_value, date_created, date_last_used, times_used FROM logins WHERE blacklisted_by_user = 0
SELECT host_key, name, path, is_secure, is_httponly, expires_utc, encrypted_value FROM cookies
SELECT host_key, name FROM cookies
SELECT account_id, value FROM credentials LIMIT 20
SELECT * FROM Account LIMIT 1
SELECT * FROM Account
SELECT target_path, tab_url, total_bytes, start_time FROM downloads ORDER BY start_time DESC LIMIT 100
SELECT p.url, a.content FROM moz_places p JOIN moz_annos a ON p.id = a.place_id WHERE a.anno_attribute_id IN (SELECT id FROM moz_anno_attributes WHERE name='downloads/destinationFileURI') ORDER BY a.dateAdded DESC LIMIT 100
INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,%d,%Q);
INSERT into generated column "%s"
INSERT INTO %Q.sqlite_master VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')
INSERT INTO %s.'||quote(name)||' SELECT*FROM"%w".'||quote(name)FROM %s.sqlite_schema WHERE type='table'AND coalesce(rootpage,1)>0
INSERT INTO %s.sqlite_schema SELECT*FROM "%w".sqlite_schema WHERE type IN('view','trigger') OR(type='table'AND rootpage=0)
CREATE TABLE %Q.%s(%s)
CREATE TABLE
CREATE TABLE %Q.sqlite_sequence(name,seq)
CREATE TABLE x
CREATE TABLE x(type text,name text,tbl_name text,rootpage int,sql text)
CREATE TABLE x(key,value,type,atom,id,parent,fullkey,path,json HIDDEN,root HIDDEN)
DROP TABLE to delete table %s
DELETE FROM %Q.%s WHERE %s=%Q
DELETE FROM %Q.sqlite_sequence WHERE name=%Q
DELETE FROM %Q.sqlite_master WHERE tbl_name=%Q and type!='trigger'
DELETE FROM %Q.sqlite_master WHERE name=%Q AND type='index'
DELETE FROM %Q.sqlite_master WHERE name=%Q AND type='trigger'

Words of Interest
vssadmin
Delete Shadows
PADDINGX
BitCoin
outlook
smtp
taskkill
ToolBar
Encrypt
Decrypt
KeyLogger
Encryption
PassWord
<title
setTimeout
cscript
wscript
exec
createobject
powershell
schtasks
netsh
tasklist
attrib
start
pause
hostname
ipconfig
wmic
shutdown
sc query
cacls
icacls
netstat
systeminfo
schtask
ping
expand
replace
route
sc.exe

Words of Interest (UNICODE)
outlook
replace

Anti-VM/Sandbox/Debug Tricks
OllyDbg Library - dbghelp.dll (weak indicator: dbghelp.dll is the standard Windows symbol and minidump helper library and is imported by plenty of legitimate software; the only direct anti-debug check in the import table is IsDebuggerPresent)
LabTools - taskmgr (most likely triggered by the DisableTaskMgr policy strings under Windows REG, i.e. the sample disabling Task Manager for the victim, rather than by detection of analysis tools)

URLs
http://ip-api.com/line/?fields=countryCode   (public geolocation API; requesting only countryCode is the usual shape of a country-based execution gate)
http://schemas.microsoft.com/windows/2004/02/mit/task   (Task Scheduler XML namespace; together with the <CommandLine>...</CommandLine> fragment and the schtasks.exe string this indicates scheduled-task persistence)
https://api.mainnet-beta.solana.com   (this and the next seven are public Solana mainnet JSON-RPC endpoints, consistent with the wallet-targeting strings elsewhere in the report)
https://rpc.ankr.com/solana
https://solana-rpc.publicnode.com
https://solana.drpc.org
https://solana-mainnet.g.alchemy.com/v2/demo
https://solana-mainnet.rpc.extrnode.com
https://solana.public-rpc.com
https://solana-mainnet.core.chainstack.com
https://www.amyuni.com/downloads/usbmmidd_v2.zip   (Amyuni USB Mobile Monitor virtual display driver, downloaded from the vendor's own site; commonly used to give a headless or hidden RDP session a virtual monitor, which fits the termsrv.dll patching and "net start termservice" strings)

IP Addresses
127.0.0.1

Known IP/Domains
facebook.com
twitter.com
(Both are generic strings. The network IOC that matters is directindustry.duckdns.org:4449, carried in the CAFFEE_CONFIG resource listed under Resources; duckdns.org is a free dynamic-DNS service, so block and hunt on the full hostname, not the parent domain.)

Strings/Hex Code Found With The File Rules
Columns: rule type (Text or Entry Point Hex Pattern), encoding, rule name (matched word)
Text Ascii Unicode escape - \u00 - (Common Unicode escape sequences)
Text Ascii WinAPI Sockets (bind)
Text Ascii WinAPI Sockets (listen)
Text Ascii WinAPI Sockets (connect)
Text Ascii WinAPI Sockets (recv)
Text Ascii Registry (RegCreateKeyEx)
Text Ascii Registry (RegOpenKeyEx)
Text Ascii Registry (RegSetValueEx)
Text Ascii File (GetTempPath)
Text Ascii File (CopyFile)
Text Ascii File (CreateFile)
Text Ascii File (WriteFile)
Text Ascii File (ReadFile)
Text Ascii Service (OpenSCManager)
Text Ascii Service (CreateService)
Text Ascii Encryption API (CryptAcquireContext)
Text Ascii Encryption API (CryptDecrypt)
Text Ascii Encryption API (CryptReleaseContext)
Text Ascii Anti-Analysis VM (IsDebuggerPresent)
Text Ascii Anti-Analysis VM (GetSystemInfo)
Text Ascii Anti-Analysis VM (GlobalMemoryStatusEx)
Text Ascii Anti-Analysis VM (GetVersion)
Text Ascii Anti-Analysis VM (CreateToolhelp32Snapshot)
Text Ascii Reconnaissance (FindFirstFileA)
Text Ascii Reconnaissance (FindNextFileA)
Text Ascii Reconnaissance (FindFirstFileW)
Text Ascii Reconnaissance (FindNextFileW)
Text Ascii Reconnaissance (FindClose)
Text Ascii Stealth (ExitThread)
Text Ascii Stealth (ReleaseSemaphore)
Text Ascii Stealth (CloseHandle)
Text Ascii Stealth (UnmapViewOfFile)
Text Ascii Stealth (MapViewOfFile)
Text Ascii Stealth (CreateFileMappingA)
Text Ascii Stealth (CreateFileMappingW)
Text Ascii Stealth (VirtualAlloc)
Text Ascii Stealth (VirtualProtect)
Text Ascii Stealth (ReadProcessMemory)
Text Ascii Stealth (CreateRemoteThread)
Text Ascii Stealth (NtUnmapViewOfSection)
Text Ascii Stealth (QueueUserAPC)
Text Ascii Execution (CreateProcessA)
Text Ascii Execution (CreateProcessW)
Text Ascii Execution (ShellExecute)
Text Ascii Execution (ResumeThread)
Text Ascii Execution (CreateSemaphoreA)
Text Ascii Execution (CreateEventA)
Text Ascii Execution (CreateEventW)
Text Ascii Antivirus Software (comodo)
Text Ascii Antivirus Software (avast)
Text Ascii Antivirus Software (defender)
Text Ascii Antivirus Software (Norton)
Text Ascii Privileges (SeDebugPrivilege)
Text Ascii Keyboard Key ([Backspace])
Text Ascii Keyboard Key ([Enter])
Text Ascii Keyboard Key (Scroll)
Text Ascii Keyboard Key (CapsLock)
Text Ascii Keyboard Key (Backspace)
Text Ascii Small piece of code used as the payload in an exploit (Shellcode)
Text Ascii Software that secretly monitors and collects user information (Spyware)
Text Ascii Technique to insert malicious code into a vulnerable application (Injection)
Text Ascii Malware that monitors and collects user data (Spy)
Text Ascii Information used for user authentication (Credential)
Text Ascii Technique used to insert malicious code into legitimate processes (Inject)
Text Ascii Technique used to circumvent security measures (Bypass)
Entry Point Hex Pattern Microsoft Visual C++ 8.0 (DLL)
Entry Point Hex Pattern Wavelet compressed bitmap
(Both entry-point byte-pattern matches are low confidence: the file is an EXE, not a DLL; DIE attributes it to linker 14.44 rather than VC++ 8.0; and the short CRT stub shown under Entry Point is generic enough to collide with unrelated signatures. Prefer the DIE result.)
Resources
Path                  DataRVA  Size  FileOffset  Code (hex, truncated by the tool)                                                                                     Text
\CAFFEE_CONFIG\123\0  5660BC   1000  20F0BC      DD0000000100646972656374696E6475737472792E6475636B646E732E6F72673A34343439000062396133373462382D6639......          directindustry.duckdns.org:4449..b9a374b8-f9
\24\1\1033            5670BC   17D   2100BC      3C3F786D6C2076657273696F6E3D27312E302720656E636F64696E673D275554462D3827207374616E64616C6F6E653D2779                <?xml version='1.0' encoding='UTF-8' standalone='y
Notes: CAFFEE_CONFIG is a custom resource type holding a configuration blob: a 32-bit little-endian value 0xDD (plausibly a length), a 16-bit 0x0001, then NUL-separated fields starting with the host:port "directindustry.duckdns.org:4449" and an identifier beginning "b9a374b8-f9" (cut off in the report). That host:port is the most actionable indicator on this page and does not appear in the tool's Known IP/Domains list. Resource type 24 is RT_MANIFEST, i.e. the asInvoker manifest reported under Information; language 1033 is en-US.
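The resource table is where this report hides its one real network IOC, so it is worth being able to decode such blobs without a GUI. The script below is an added example and not code from the report or the sample: it takes the two hex dumps exactly as the tool printed them (constructed input, truncated where the tool truncated), maps the numeric resource type, splits the CAFFEE_CONFIG blob into fields, and pulls out any host:port. The u32 length / u16 flag interpretation of the first six bytes is an assumption drawn from the visible bytes only.

```python
"""Decode the resource blobs printed in the PEScan report. Added example;
the header layout for CAFFEE_CONFIG is inferred from the bytes shown."""
import re

# Hex copied from the Resources table (constructed input, truncated by the tool)
CONFIG_HEX = "DD0000000100646972656374696E6475737472792E6475636B646E732E6F72673A34343439000062396133373462382D6639"
MANIFEST_HEX = "3C3F786D6C2076657273696F6E3D27312E302720656E636F64696E673D275554462D3827207374616E64616C6F6E653D2779"
CONFIG_BLOB = bytes.fromhex(CONFIG_HEX)
MANIFEST_BLOB = bytes.fromhex(MANIFEST_HEX)

# Standard RT_* resource type IDs (subset)
RT_NAMES = {3: "RT_ICON", 6: "RT_STRING", 14: "RT_GROUP_ICON", 16: "RT_VERSION", 24: "RT_MANIFEST"}

HOST_PORT = re.compile(r"^([a-z0-9.-]+\.[a-z]{2,}):(\d{1,5})$", re.I)


def describe_resource_path(path):
    r"""'\24\1\1033' -> ('RT_MANIFEST', 1, 1033); named types stay as given."""
    rtype, name, lang = path.strip("\\").split("\\")
    if rtype.isdigit():
        rtype = RT_NAMES.get(int(rtype), f"RT_{rtype}")
    return rtype, int(name) if name.isdigit() else name, int(lang)


def printable_runs(blob, min_len=4):
    """Printable-ASCII runs of at least min_len bytes, like `strings -n`."""
    return [r.decode("ascii") for r in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def parse_caffee_config(blob):
    """Assumed layout: u32 LE length, u16 LE flag, then NUL-separated fields."""
    if len(blob) < 6:
        raise ValueError("blob too short for the assumed header")
    length = int.from_bytes(blob[0:4], "little")
    flag = int.from_bytes(blob[4:6], "little")
    fields = [f.decode("ascii", "replace") for f in blob[6:].split(b"\x00") if f]
    return {"length": length, "flag": flag, "fields": fields}


def extract_endpoints(strings):
    """(host, port) tuples for every string shaped like host:port."""
    found = []
    for s in strings:
        m = HOST_PORT.match(s)
        if m and 0 < int(m.group(2)) < 65536:
            found.append((m.group(1), int(m.group(2))))
    return found


if __name__ == "__main__":
    print(describe_resource_path(r"\CAFFEE_CONFIG\123\0"), describe_resource_path(r"\24\1\1033"))
    cfg = parse_caffee_config(CONFIG_BLOB)
    print(cfg)
    print("endpoints:", extract_endpoints(printable_runs(CONFIG_BLOB)))
    print("manifest starts with XML:", MANIFEST_BLOB.startswith(b"<?xml"))
```

On a complete sample you would read the resource from file offset 0x20F0BC for 0x1000 bytes and feed that to the same functions; the endpoint extraction deliberately matches the whole string so that fragments such as the truncated "b9a374b8-f9" are not misreported as hosts.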
Intelligent String
• polypane.exe
• QQBrowser.exe
• iridium.exe
• superbird.exe
• coccoc.exe
• thorium.exe
• AVGBrowser.exe
• yandex.exe
• discord.com
• 127.0.0.1
• Foxmail.exe
• browser.exe
• vivaldi.exe
• brave.exe
• msedge.exe
• AvastBrowser.exe
• epic.exe
• svchost.exe
• opera.exe
• d3d11.dll
• dxgi.dll
• KERNEL32.DLL
• mscoree.dll
• \u0009
• \u00
• \u0000
• C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
• C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
• C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
• C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
• C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
• C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
• C:\Windows\System32\notepad.exe
• C:\Windows\System32\cmd.exe
• C:\Windows\System32\svchost.exe
• C:\Windows\SysWOW64\notepad.exe
• C:\Windows\SysWOW64\cmd.exe
• C:\Windows\SysWOW64\svchost.exe
• ntdll.dll
• C:\Windows\System32\Amsi.dll
• C:\Windows\SysWow64\Amsi.dll
• kernel32.dll
• amsi.dll
• ntdll.dll
• chrome.dll
• msedge.dll
• cmd.exe /c rd /s /q "%s" 2>nul
• Global\RdiShm_%08X
• user32.dll
• CrashpadMetrics-active.pma
• cmd.exe /c rd /s /q "%s"
• %s\Microsoft\Edge\Application\msedge.exe
• %s\BraveSoftware\Brave-Browser\Application\brave.exe
• %s\Mozilla Firefox\firefox.exe
• %s\Programs\Opera\opera.exe
• Conhost --headless cmd.exe /c start "" "%s" --user-data-dir="%s"
• %s\Vivaldi\Application\vivaldi.exe
• %s\Yandex\YandexBrowser\Application\browser.exe
• %s\Yandex\YandexBrowser\Phoenix
• %s\Waterfox\waterfox.exe
• "%s" --window-position=0,0 -no-remote -wait-for-browser
• "%s" --window-position=0,0 -no-remote
• %s
• %s\SlimBrowser\slimjet.exe
• %s\Epic Privacy Browser\Application\epic.exe
• %s\360Browser\Browser\Application\360Browser.exe
• 360Browser.exe
• %s\Mail.Ru\Atom\Application\atom.exe
• atom.exe
• %s\Comodo\Chromodo\chromodo.exe
• chromodo.exe
• %s\Comodo\Dragon\dragon.exe
• dragon.exe
• %s\Opera Software\Opera Neon\Application\neon.exe
• neon.exe
• %s\Orbitum\Application\orbitum.exe
• orbitum.exe
• %s\SputnikLab\Sputnik\Application\Browser.exe
• Browser.exe
• %s\Tor Browser\Browser\firefox.exe
• %s\Mullvad\MullvadBrowser\Release\mullvadbrowser.exe
• %s\MullvadBrowser\mullvadbrowser.exe
• %s\Mullvad Browser\mullvadbrowser.exe
• %s\Mullvad Browser\Browser\firefox.exe
• %s\MullvadBrowser\Browser\firefox.exe
• mullvadbrowser.exe
• %s\Maxthon\Bin\Maxthon.exe
• maxthon.exe
• %s\SlimBrowser\slimbrowser.exe
• slimbrowser.exe
• %s\AVAST Software\Browser\Application\AvastBrowser.exe
• %s\Safari\Safari.exe
• safari.exe
• %s\explorer.exe /NoUACCheck
• cmd.exe /c taskkill /IM Telegram.exe /F & "%s\Telegram Desktop\Telegram.exe"
• cmd.exe /c taskkill /IM Ayugram.exe /F & "%s\Ayugram Desktop\Ayugram.exe"
• cmd.exe /c taskkill /IM Skype.exe /F & "%s\Microsoft\Skype for Desktop\Skype.exe"
• discord
• cmd.exe /c taskkill /IM Discord.exe /F & "%s\Discord\app-*\Discord.exe"
• outlook
• cmd.exe /c taskkill /IM OUTLOOK.EXE /F & outlook
• foxmail
• cmd.exe /c taskkill /IM Foxmail.exe /F & "%s\Foxmail\Foxmail.exe"
• cmd.exe /c taskkill /IM thunderbird.exe /F & thunderbird
• cmd.exe /c taskkill /IM DingTalk.exe /F & "%s\DingDing\DingTalk.exe"
• notepad
• notepad.exe
• control
• control.exe
• msinfo32.exe
• mstsc.exe
• cmd.exe /c taskkill /IM Exodus.exe /F & "%s\Programs\Exodus\Exodus.exe"
• electrum
• cmd.exe /c taskkill /IM electrum.exe /F & "%s\Electrum\electrum.exe"
• cmd.exe /c taskkill /IM Atomic Wallet.exe /F & "%s\Programs\Atomic Wallet\Atomic Wallet.exe"
• cmd.exe /c taskkill /IM Guarda.exe /F & "%s\Programs\Guarda\Guarda.exe"
• coinomi
• cmd.exe /c taskkill /IM Coinomi.exe /F & "%s\Coinomi\Coinomi.exe"
• cmd.exe /c taskkill /IM ArmoryQt.exe /F & "C:\Program Files (x86)\Armory\ArmoryQt.exe"
• cmd.exe /c taskkill /IM "Jaxx Liberty.exe" /F & "%s\Programs\com.liberty.jaxx\Jaxx Liberty.exe"
• chrome.exe
• firefox.exe
• waterfox.exe
• mullvad
• mullvad-browser.exe
• Exodus.exe
• electrum.exe
• Atomic Wallet.exe
• Guarda.exe
• Coinomi.exe
• ArmoryQt.exe
• Jaxx Liberty.exe
• explorer.exe
• Telegram.exe
• Ayugram.exe
• Skype.exe
• Discord.exe
• OUTLOOK.EXE
• thunderbird.exe
• DingTalk.exe
• %s\explorer.exe
• cmd.exe
• powershell.exe
• discord.exe
• Teams.exe
• slack.exe
• WhatsApp.exe
• %APPDATA%\Microsoft\Windows\keylog.dat
• C:\Users\Default\NTUSER.DAT
• C:\Users\Default\AppData\Roaming\%s
• <CommandLine>cmd /c mkdir "%%PROGRAMDATA%%\%s" 2>nul && copy /y "%%~dp0..\payload\%s" "%%PROGRAMDATA%%\%s\%s" >nul && start "" "%%PROGRAMDATA%%\%s\%s"</CommandLine>
• Customizations.xml
• C:\Recovery\Customizations
• C:\Recovery\Customizations\SysConfig_%08X.ppkg
• %s\payload.exe
• copy /y "%%~dp0payload.exe" "%%PROGRAMDATA%%\%s\%s" >nul
• attrib +h +s "%%PROGRAMDATA%%\%s\%s"
• del /f /q "%%~dp0payload.exe" >nul
• %s\SetupComplete.cmd
• %s\Microsoft\%s%s\Documents\%s%s\updater.vbs
• RUNASADMIN
• https://api.mainnet-beta.solana.com
• https://rpc.ankr.com/solana
• https://solana-rpc.publicnode.com
• https://solana.drpc.org
• https://solana-mainnet.g.alchemy.com/v2/demo
• https://solana-mainnet.rpc.extrnode.com
• https://solana.public-rpc.com
• https://solana-mainnet.core.chainstack.com
• http://
• Mozilla/5.0
• C:\Windows\System32
• "%s\cmd.exe" /c %s
• %s\cmd.exe
• Shutdown /l /f
• Shutdown /s /f /t 00
• Shutdown /r /f /t 00
• %srsql_%u_%u.tmp
• rlf_debug.log
• chrome.exe
• C:\Program Files
• C:\Program Files (x86)
• \Google\Chrome\Application\chrome.exe
• \Google\Chrome Beta\Application\chrome.exe
• \Google\Chrome Dev\Application\chrome.exe
• \Google\Chrome SxS\Application\chrome.exe
• \BraveSoftware\Brave-Browser\Application\brave.exe
• \Microsoft\Edge\Application\msedge.exe
• \Microsoft\Edge Beta\Application\msedge.exe
• \AVAST Software\Browser\Application\AvastBrowser.exe
• *.ldb
• *.log
• Messengers/Discord/Tokens.txt
• Desktop%s\%s\*.txt
• Messengers/Discord/BackupCodes/summary.txt
• dumps
• c:\%s%s\tdata
• .vdf
• data.dat
• settings.dat
• settings-log.dat
• private_settings.dat
• FTPrecentservers.xml
• sitemanager.xmlfilezilla.xml
• FTP/FileZilla/Credentials.txt
• FTP/WinSCP/Sessions.txt%s\WinSCP.ini
• FTP/WinSCP/WinSCP.ini
• %s\ngrok\ngrok.yml
• Server/Ngrok/ngrok.yml
• %s\Account.rec0%s\Account.stg
• Email/Foxmail.txt
• .bin
• Email/Outlook/Tokens.txt
• OutlookEmail/Outlook/Accounts.txt
• global.ini
• Apps/OBS/global.ini
• %s\.ngrok2\ngrok.yml
• %s\All Users\config\AccInfo.datMessengers/WeChat/AccInfo.dat
• %s\config\AccInfo.dat
• Messengers/WeChat/%s/AccInfo.dat
• Messengers/WeChat/RegistryInfo.txt
• wifi_profiles.tmp
• cmd.exe /c chcp 65001 >nul && netsh wlan show profiles > "%s"
• wifi_key.tmp
• cmd.exe /c chcp 65001 >nul && netsh wlan show profile name="%s" key=clear > "%s"
• Device/WiFi_Keys.txt
• Device/SystemInfo.txt
• Device/Screenshot.bmp
• Device/ProductKey.txt
• Device/InstalledApps.txt
• Device/ProcessList.txt
• C:\Riot Games
• Battle.net
• Device/GameList.txt
• AyuGramAyuGram.exe
• AyuGramDesktop.exe
• %s\.purple\accounts.xmlMessengers/Pidgin/accounts.xml
• %s\.purple\blist.xml
• Messengers/Pidgin/blist.xml
• %s\EpicGamesLauncher\Saved\Config\Windows\GameUserSettings.ini
• Games/EpicGames/GameUserSettings.ini
• %s\Battle.net
• %s\Growtopia\save.dat
• Games/Growtopia/save.dat
• .minecraft\meteor-client\accounts.nbt
• .minecraft\Rise\alts.txt
• intentlauncher\Rise\alts.txt
• launcher.exe
• application\chrome.exe
• arc.exeiron.exe
• centbrowser.exewhale.exe
• 360chrome.exe
• sogou.exe
• %s\opera.exe
• GoLoginBrowser\orbita-browser
• GoLogin_Reg
• Multilogin
• Multilogin_Reg
• VMLoginVMLogin_Reg
• GoLogin\Browser\orbita-browser
• GoLogin_R
• Multilogin\User Data
• Multilogin_R
• VMLogin\User Data
• MultiloginX
• Multilogin X\mlx
• MultiloginX_R
• Multilogin_P
• Multilogin\Profiles
• GoLogin2
• GoLogin\Browser\User Data
• GoLogin2_R
• %s\Login Data
• %s\logins.json
• arc.exe
• iron.exe
• whale.exe
• Multilogin_API
• Multilogin\mlx\data
• GoLogin_API
• GoLogin\Browser\Profiles
• VMLogin_API
• VMLogin\Profiles
• Browsers/CDP_Cookies.txt
• centbrowser.exe
• slimjet.exe
• C:\Program Files\Mozilla Firefox
• C:\Program Files (x86)\Mozilla Firefox
• C:\Program Files\Firefox Developer Edition
• C:\Program Files\Firefox Nightly
• C:\Program Files\Mozilla Thunderbird
• C:\Program Files (x86)\Mozilla Thunderbird
• C:\Program Files\Nightly
• C:\Program Files\Waterfox
• C:\Program Files (x86)\WaterfoxC:\Program Files\Pale Moon
• C:\Program Files (x86)\Pale Moon
• C:\Program Files\SeaMonkey
• C:\Program Files\Basilisk
• C:\Program Files\LibreWolf
• C:\Program Files\FloorpC:\Program Files\Mullvad Browser
• C:\Program Files\Zen Browser
• C:\Program Files\Tor Browser\Browser
• C:\Program Files\Postbox
• C:\Program Files\K-Meleon
• C:\Program Files\Comodo\IceDragon
Flow Anomalies
Offset RVA Section Description
505 N/A .text CALL QWORD PTR [RIP+0x1FADB5]
53F N/A .text CALL QWORD PTR [RIP+0x1FAD8B]
5EF N/A .text CALL QWORD PTR [RIP+0x1FACCB]
624 N/A .text CALL QWORD PTR [RIP+0x1FACA6]
78A N/A .text CALL QWORD PTR [RIP+0x1FAB30]
982 N/A .text CALL QWORD PTR [RIP+0x1FA990]
98D N/A .text CALL QWORD PTR [RIP+0x1FA8E5]
A57 N/A .text CALL QWORD PTR [RIP+0x1FA823]
A6D N/A .text CALL QWORD PTR [RIP+0x1FA805]
A84 N/A .text CALL QWORD PTR [RIP+0x1FA7EE]
A9B N/A .text CALL QWORD PTR [RIP+0x1FA7D7]
AB2 N/A .text CALL QWORD PTR [RIP+0x1FA7C0]
B6D N/A .text CALL QWORD PTR [RIP+0x1FA74D]
B76 N/A .text CALL QWORD PTR [RIP+0x1FA6FC]
B90 N/A .text CALL QWORD PTR [RIP+0x1FA6D2]
BA2 N/A .text CALL QWORD PTR [RIP+0x1FA728]
BAD N/A .text CALL QWORD PTR [RIP+0x1FA6B5]
C2E N/A .text CALL QWORD PTR [RIP+0x1FA68C]
C37 N/A .text CALL QWORD PTR [RIP+0x1FA63B]
C51 N/A .text CALL QWORD PTR [RIP+0x1FA611]
C63 N/A .text CALL QWORD PTR [RIP+0x1FA667]
C6E N/A .text CALL QWORD PTR [RIP+0x1FA5F4]
CFF N/A .text CALL QWORD PTR [RIP+0x1FA5BB]
D08 N/A .text CALL QWORD PTR [RIP+0x1FA56A]
D22 N/A .text CALL QWORD PTR [RIP+0x1FA540]
D34 N/A .text CALL QWORD PTR [RIP+0x1FA596]
D3F N/A .text CALL QWORD PTR [RIP+0x1FA523]
F36 N/A .text CALL QWORD PTR [RIP+0x1FA394]
5128 N/A .text CALL QWORD PTR [RIP+0x1F6192]
5131 N/A .text CALL QWORD PTR [RIP+0x1F6141]
514B N/A .text CALL QWORD PTR [RIP+0x1F6117]
515D N/A .text CALL QWORD PTR [RIP+0x1F616D]
5168 N/A .text CALL QWORD PTR [RIP+0x1F60FA]
5278 N/A .text CALL QWORD PTR [RIP+0x1F6042]
5281 N/A .text CALL QWORD PTR [RIP+0x1F5FF1]
529B N/A .text CALL QWORD PTR [RIP+0x1F5FC7]
52AD N/A .text CALL QWORD PTR [RIP+0x1F601D]
52BC N/A .text CALL QWORD PTR [RIP+0x1F5FA6]
5323 N/A .text CALL QWORD PTR [RIP+0x1F5F97]
532C N/A .text CALL QWORD PTR [RIP+0x1F5F46]
5346 N/A .text CALL QWORD PTR [RIP+0x1F5F1C]
535E N/A .text JMP QWORD PTR [RIP+0x1F5F6C]
536D N/A .text JMP QWORD PTR [RIP+0x1F5EF5]
53B6 N/A .text CALL QWORD PTR [RIP+0x1F5EF4]
53C7 N/A .text CALL QWORD PTR [RIP+0x1F5EF3]
5418 N/A .text CALL QWORD PTR [RIP+0x1F5EB2]
5472 N/A .text CALL QWORD PTR [RIP+0x1F5E38]
5483 N/A .text CALL QWORD PTR [RIP+0x1F5E37]
5509 N/A .text CALL QWORD PTR [RIP+0x1F5DC1]
555C N/A .text CALL QWORD PTR [RIP+0x1F5D4E]
556D N/A .text CALL QWORD PTR [RIP+0x1F5D4D]
55C8 N/A .text CALL QWORD PTR [RIP+0x1F5D02]
57C2 N/A .text CALL QWORD PTR [RIP+0x1F5AD8]
57EE N/A .text JMP QWORD PTR [RIP+0x1F5ABC]
5816 N/A .text JMP QWORD PTR [RIP+0x1F5A9C]
5826 N/A .text JMP QWORD PTR [RIP+0x1F5A94]
5836 N/A .text JMP QWORD PTR [RIP+0x1F5A8C]
5846 N/A .text JMP QWORD PTR [RIP+0x1F5A84]
5893 N/A .text CALL QWORD PTR [RIP+0x1AA33F]
58C5 N/A .text CALL QWORD PTR [RIP+0x1F8035]
5919 N/A .text CALL QWORD PTR [RIP+0x1AA401]
59AA N/A .text CALL QWORD PTR [RIP+0x1AA228]
59D5 N/A .text CALL QWORD PTR [RIP+0x1AA345]
59F0 N/A .text CALL QWORD PTR [RIP+0x1F58CA]
59F9 N/A .text CALL QWORD PTR [RIP+0x1F5879]
5A13 N/A .text CALL QWORD PTR [RIP+0x1F584F]
5A2B N/A .text JMP QWORD PTR [RIP+0x1F589F]
5A3A N/A .text JMP QWORD PTR [RIP+0x1F5828]
5A51 N/A .text JMP QWORD PTR [RIP+0x1AA149]
5A83 N/A .text CALL QWORD PTR [RIP+0x1AA0FF]
5AA1 N/A .text JMP QWORD PTR [RIP+0x1AA129]
5AE8 N/A .text CALL QWORD PTR [RIP+0x1F57D2]
5B52 N/A .text CALL QWORD PTR [RIP+0x1F5778]
5B67 N/A .text CALL QWORD PTR [RIP+0x1F5753]
5B70 N/A .text CALL QWORD PTR [RIP+0x1F575A]
5BD0 N/A .text CALL QWORD PTR [RIP+0x1F56EA]
5C0D N/A .text CALL QWORD PTR [RIP+0x1F56BD]
5C49 N/A .text CALL QWORD PTR [RIP+0x1F5671]
5C5E N/A .text CALL QWORD PTR [RIP+0x1F566C]
5CA0 N/A .text CALL QWORD PTR [RIP+0x1F561A]
5CC7 N/A .text CALL QWORD PTR [RIP+0x1F5603]
5CFA N/A .text CALL QWORD PTR [RIP+0x1F55D0]
5D11 N/A .text JMP QWORD PTR [RIP+0x1F55A9]
5D57 N/A .text CALL QWORD PTR [RIP+0x1F5563]
5D5F N/A .text CALL QWORD PTR [RIP+0x1F551B]
5DA9 N/A .text CALL QWORD PTR [RIP+0x1F5521]
5DBB N/A .text CALL QWORD PTR [RIP+0x1F54FF]
5DEE N/A .text CALL QWORD PTR [RIP+0x1F546C]
5DFF N/A .text CALL QWORD PTR [RIP+0x1F5473]
5E58 N/A .text CALL QWORD PTR [RIP+0x1F5472]
5E6D N/A .text JMP QWORD PTR [RIP+0x1F53ED]
5EE9 N/A .text CALL QWORD PTR [RIP+0x1F5389]
5F22 N/A .text CALL QWORD PTR [RIP+0x1F5398]
5F2B N/A .text CALL QWORD PTR [RIP+0x1F5347]
5F45 N/A .text CALL QWORD PTR [RIP+0x1F531D]
5F5D N/A .text JMP QWORD PTR [RIP+0x1F536D]
5F63 N/A .text CALL QWORD PTR [RIP+0x1F52FF]
5FC2 N/A .text CALL QWORD PTR [RIP+0x1F52B0]
6065 N/A .text CALL QWORD PTR [RIP+0x1F5255]
606E N/A .text CALL QWORD PTR [RIP+0x1F5204]
1FF800 1070 .pdata ExceptionHook | Pointer to 1070 - 0x470 .text + UnwindInfo: .rdata
1FF80C 10B0 .pdata ExceptionHook | Pointer to 10B0 - 0x4B0 .text + UnwindInfo: .rdata
1FF818 10CC .pdata ExceptionHook | Pointer to 10CC - 0x4CC .text + UnwindInfo: .rdata
1FF824 10D8 .pdata ExceptionHook | Pointer to 10D8 - 0x4D8 .text + UnwindInfo: .rdata
1FF830 113C .pdata ExceptionHook | Pointer to 113C - 0x53C .text + UnwindInfo: .rdata
1FF83C 1156 .pdata ExceptionHook | Pointer to 1156 - 0x556 .text + UnwindInfo: .rdata
1FF848 1190 .pdata ExceptionHook | Pointer to 1190 - 0x590 .text + UnwindInfo: .rdata
1FF854 11AC .pdata ExceptionHook | Pointer to 11AC - 0x5AC .text + UnwindInfo: .rdata
1FF860 11BD .pdata ExceptionHook | Pointer to 11BD - 0x5BD .text + UnwindInfo: .rdata
1FF86C 1221 .pdata ExceptionHook | Pointer to 1221 - 0x621 .text + UnwindInfo: .rdata
1FF878 124C .pdata ExceptionHook | Pointer to 124C - 0x64C .text + UnwindInfo: .rdata
1FF884 1290 .pdata ExceptionHook | Pointer to 1290 - 0x690 .text + UnwindInfo: .rdata
1FF890 1350 .pdata ExceptionHook | Pointer to 1350 - 0x750 .text + UnwindInfo: .rdata
1FF89C 1363 .pdata ExceptionHook | Pointer to 1363 - 0x763 .text + UnwindInfo: .rdata
1FF8A8 1B36 .pdata ExceptionHook | Pointer to 1B36 - 0xF36 .text + UnwindInfo: .rdata
1FF8B4 1B80 .pdata ExceptionHook | Pointer to 1B80 - 0xF80 .text + UnwindInfo: .rdata
1FF8C0 1C50 .pdata ExceptionHook | Pointer to 1C50 - 0x1050 .text + UnwindInfo: .rdata
1FF8CC 1E40 .pdata ExceptionHook | Pointer to 1E40 - 0x1240 .text + UnwindInfo: .rdata
1FF8D8 1E51 .pdata ExceptionHook | Pointer to 1E51 - 0x1251 .text + UnwindInfo: .rdata
1FF8E4 1E96 .pdata ExceptionHook | Pointer to 1E96 - 0x1296 .text + UnwindInfo: .rdata
1FF8F0 1E9B .pdata ExceptionHook | Pointer to 1E9B - 0x129B .text + UnwindInfo: .rdata
1FF8FC 2090 .pdata ExceptionHook | Pointer to 2090 - 0x1490 .text + UnwindInfo: .rdata
1FF908 2190 .pdata ExceptionHook | Pointer to 2190 - 0x1590 .text + UnwindInfo: .rdata
1FF914 2540 .pdata ExceptionHook | Pointer to 2540 - 0x1940 .text + UnwindInfo: .rdata
1FF920 25F0 .pdata ExceptionHook | Pointer to 25F0 - 0x19F0 .text + UnwindInfo: .rdata
1FF92C 27F0 .pdata ExceptionHook | Pointer to 27F0 - 0x1BF0 .text + UnwindInfo: .rdata
1FF938 40C0 .pdata ExceptionHook | Pointer to 40C0 - 0x34C0 .text + UnwindInfo: .rdata
1FF944 41A7 .pdata ExceptionHook | Pointer to 41A7 - 0x35A7 .text + UnwindInfo: .rdata
1FF950 41EF .pdata ExceptionHook | Pointer to 41EF - 0x35EF .text + UnwindInfo: .rdata
1FF95C 4490 .pdata ExceptionHook | Pointer to 4490 - 0x3890 .text + UnwindInfo: .rdata
1FF968 44E0 .pdata ExceptionHook | Pointer to 44E0 - 0x38E0 .text + UnwindInfo: .rdata
1FF974 45A0 .pdata ExceptionHook | Pointer to 45A0 - 0x39A0 .text + UnwindInfo: .rdata
1FF980 49C0 .pdata ExceptionHook | Pointer to 49C0 - 0x3DC0 .text + UnwindInfo: .rdata
1FF98C 4C40 .pdata ExceptionHook | Pointer to 4C40 - 0x4040 .text + UnwindInfo: .rdata
1FF998 4E40 .pdata ExceptionHook | Pointer to 4E40 - 0x4240 .text + UnwindInfo: .rdata
1FF9A4 4E7B .pdata ExceptionHook | Pointer to 4E7B - 0x427B .text + UnwindInfo: .rdata
1FF9B0 4ED4 .pdata ExceptionHook | Pointer to 4ED4 - 0x42D4 .text + UnwindInfo: .rdata
1FF9BC 5792 .pdata ExceptionHook | Pointer to 5792 - 0x4B92 .text + UnwindInfo: .rdata
1FF9C8 579A .pdata ExceptionHook | Pointer to 579A - 0x4B9A .text + UnwindInfo: .rdata
1FF9D4 5880 .pdata ExceptionHook | Pointer to 5880 - 0x4C80 .text + UnwindInfo: .rdata
1FF9E0 58CA .pdata ExceptionHook | Pointer to 58CA - 0x4CCA .text + UnwindInfo: .rdata
1FF9EC 5BC7 .pdata ExceptionHook | Pointer to 5BC7 - 0x4FC7 .text + UnwindInfo: .rdata
1FF9F8 5D76 .pdata ExceptionHook | Pointer to 5D76 - 0x5176 .text + UnwindInfo: .rdata
1FFA04 5DA0 .pdata ExceptionHook | Pointer to 5DA0 - 0x51A0 .text + UnwindInfo: .rdata
1FFA10 5DF0 .pdata ExceptionHook | Pointer to 5DF0 - 0x51F0 .text + UnwindInfo: .rdata
1FFA1C 5EF0 .pdata ExceptionHook | Pointer to 5EF0 - 0x52F0 .text + UnwindInfo: .rdata
1FFA28 5F80 .pdata ExceptionHook | Pointer to 5F80 - 0x5380 .text + UnwindInfo: .rdata
1FFA34 6040 .pdata ExceptionHook | Pointer to 6040 - 0x5440 .text + UnwindInfo: .rdata
1FFA40 6062 .pdata ExceptionHook | Pointer to 6062 - 0x5462 .text + UnwindInfo: .rdata
1FFA4C 6116 .pdata ExceptionHook | Pointer to 6116 - 0x5516 .text + UnwindInfo: .rdata
1FFA58 6130 .pdata ExceptionHook | Pointer to 6130 - 0x5530 .text + UnwindInfo: .rdata
1FFA64 614C .pdata ExceptionHook | Pointer to 614C - 0x554C .text + UnwindInfo: .rdata
1FFA70 61D5 .pdata ExceptionHook | Pointer to 61D5 - 0x55D5 .text + UnwindInfo: .rdata
1FFA7C 61E0 .pdata ExceptionHook | Pointer to 61E0 - 0x55E0 .text + UnwindInfo: .rdata
1FFA88 6240 .pdata ExceptionHook | Pointer to 6240 - 0x5640 .text + UnwindInfo: .rdata
1FFA94 62D0 .pdata ExceptionHook | Pointer to 62D0 - 0x56D0 .text + UnwindInfo: .rdata
1FFAA0 62E9 .pdata ExceptionHook | Pointer to 62E9 - 0x56E9 .text + UnwindInfo: .rdata
1FFAAC 63C2 .pdata ExceptionHook | Pointer to 63C2 - 0x57C2 .text + UnwindInfo: .rdata
1FFAB8 63D0 .pdata ExceptionHook | Pointer to 63D0 - 0x57D0 .text + UnwindInfo: .rdata
1FFAC4 6460 .pdata ExceptionHook | Pointer to 6460 - 0x5860 .text + UnwindInfo: .rdata
1FFAD0 6477 .pdata ExceptionHook | Pointer to 6477 - 0x5877 .text + UnwindInfo: .rdata
1FFADC 64BA .pdata ExceptionHook | Pointer to 64BA - 0x58BA .text + UnwindInfo: .rdata
1FFAE8 64E0 .pdata ExceptionHook | Pointer to 64E0 - 0x58E0 .text + UnwindInfo: .rdata
1FFAF4 6500 .pdata ExceptionHook | Pointer to 6500 - 0x5900 .text + UnwindInfo: .rdata
1FFB00 6539 .pdata ExceptionHook | Pointer to 6539 - 0x5939 .text + UnwindInfo: .rdata
1FFB0C 6550 .pdata ExceptionHook | Pointer to 6550 - 0x5950 .text + UnwindInfo: .rdata
1FFB18 65C0 .pdata ExceptionHook | Pointer to 65C0 - 0x59C0 .text + UnwindInfo: .rdata
1FFB24 6660 .pdata ExceptionHook | Pointer to 6660 - 0x5A60 .text + UnwindInfo: .rdata
1FFB30 66B0 .pdata ExceptionHook | Pointer to 66B0 - 0x5AB0 .text + UnwindInfo: .rdata
1FFB3C 67A0 .pdata ExceptionHook | Pointer to 67A0 - 0x5BA0 .text + UnwindInfo: .rdata
1FFB48 6830 .pdata ExceptionHook | Pointer to 6830 - 0x5C30 .text + UnwindInfo: .rdata
1FFB54 6880 .pdata ExceptionHook | Pointer to 6880 - 0x5C80 .text + UnwindInfo: .rdata
1FFB60 68E0 .pdata ExceptionHook | Pointer to 68E0 - 0x5CE0 .text + UnwindInfo: .rdata
1FFB6C 6920 .pdata ExceptionHook | Pointer to 6920 - 0x5D20 .text + UnwindInfo: .rdata
1FFB78 694D .pdata ExceptionHook | Pointer to 694D - 0x5D4D .text + UnwindInfo: .rdata
1FFB84 6A58 .pdata ExceptionHook | Pointer to 6A58 - 0x5E58 .text + UnwindInfo: .rdata
1FFB90 6A80 .pdata ExceptionHook | Pointer to 6A80 - 0x5E80 .text + UnwindInfo: .rdata
1FFB9C 6AB0 .pdata ExceptionHook | Pointer to 6AB0 - 0x5EB0 .text + UnwindInfo: .rdata
1FFBA8 6AE0 .pdata ExceptionHook | Pointer to 6AE0 - 0x5EE0 .text + UnwindInfo: .rdata
1FFBB4 6B00 .pdata ExceptionHook | Pointer to 6B00 - 0x5F00 .text + UnwindInfo: .rdata
1FFBC0 6B70 .pdata ExceptionHook | Pointer to 6B70 - 0x5F70 .text + UnwindInfo: .rdata
1FFBCC 6BE0 .pdata ExceptionHook | Pointer to 6BE0 - 0x5FE0 .text + UnwindInfo: .rdata
1FFBD8 6CC0 .pdata ExceptionHook | Pointer to 6CC0 - 0x60C0 .text + UnwindInfo: .rdata
1FFBE4 6DB0 .pdata ExceptionHook | Pointer to 6DB0 - 0x61B0 .text + UnwindInfo: .rdata
1FFBF0 6DD7 .pdata ExceptionHook | Pointer to 6DD7 - 0x61D7 .text + UnwindInfo: .rdata
1FFBFC 6E56 .pdata ExceptionHook | Pointer to 6E56 - 0x6256 .text + UnwindInfo: .rdata
1FFC08 6F70 .pdata ExceptionHook | Pointer to 6F70 - 0x6370 .text + UnwindInfo: .rdata
1FFC14 6FC0 .pdata ExceptionHook | Pointer to 6FC0 - 0x63C0 .text + UnwindInfo: .rdata
1FFC20 7000 .pdata ExceptionHook | Pointer to 7000 - 0x6400 .text + UnwindInfo: .rdata
1FFC2C 7040 .pdata ExceptionHook | Pointer to 7040 - 0x6440 .text + UnwindInfo: .rdata
1FFC38 7090 .pdata ExceptionHook | Pointer to 7090 - 0x6490 .text + UnwindInfo: .rdata
1FFC44 7190 .pdata ExceptionHook | Pointer to 7190 - 0x6590 .text + UnwindInfo: .rdata
1FFC50 71BF .pdata ExceptionHook | Pointer to 71BF - 0x65BF .text + UnwindInfo: .rdata
1FFC5C 720D .pdata ExceptionHook | Pointer to 720D - 0x660D .text + UnwindInfo: .rdata
1FFC68 7250 .pdata ExceptionHook | Pointer to 7250 - 0x6650 .text + UnwindInfo: .rdata
1FFC74 7300 .pdata ExceptionHook | Pointer to 7300 - 0x6700 .text + UnwindInfo: .rdata
1FFC80 7380 .pdata ExceptionHook | Pointer to 7380 - 0x6780 .text + UnwindInfo: .rdata
1FFC8C 7399 .pdata ExceptionHook | Pointer to 7399 - 0x6799 .text + UnwindInfo: .rdata
1FFC98 73D0 .pdata ExceptionHook | Pointer to 73D0 - 0x67D0 .text + UnwindInfo: .rdata
1FFCA4 73E0 .pdata ExceptionHook | Pointer to 73E0 - 0x67E0 .text + UnwindInfo: .rdata
Extra Analysis
Metric Value Percentage
Ascii Code 1308552 60,2917%
Null Byte Code 340548 15,6908%
NOP Cave Found 0x9090909090 Block Count: 1 | Total: 0,0001%