PREMIUM PESCAN.IO - Analysis Report

Information
Size: 5,36 MB
SHA-256 Hash: 7AD89CC6B2BDFC633F2E5FBA7D389601489FCF2D4F8B8A5187E3D034070E2D75
SHA-1 Hash: F0B8510DEE5FD3DC9811B6E5197774C8D79557F5
MD5 Hash: 4D9BC0185644A4C60A95BE536D46B14E
Imphash: 9771EE6344923FA220489AB01239BDFD
MajorOSVersion: 5
MinorOSVersion: 1
CheckSum: 0054D1C1
EntryPoint (rva): 14AD
SizeOfHeaders: 400
SizeOfImage: 54B000
ImageBase: 400000
Architecture: x86
ImportTable: 129C4
IAT: D000
Characteristics: 102
TimeDateStamp: 6377E6AC
Date: 18/11/2022 20:10:20
File Type: EXE
Number Of Sections: 5
ASLR: Enabled
Section Names: .text, .rdata, .data, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker
UAC Execution Level Manifest: requireAdministrator

Sections Info
Section Name Flags ROffset RSize VOffset VSize Entropy Chi2
.text 0x60000020 (Code, Executable, Readable) 400 B200 1000 B1AF 6.592 250191.84
.rdata 0x40000040 (Initialized Data, Readable) B600 6200 D000 6078 4.7866 1328704.59
.data 0xC0000040 (Initialized Data, Readable, Writeable) 11800 800 14000 11E4 2.2651 293727
.rsrc 0x40000040 (Initialized Data, Readable) 12000 533200 16000 533074 7.4485 18246998.74
.reloc 0x42000040 (Initialized Data, GP-Relative, Readable) 545200 1000 54A000 EA8 6.3015 27553
Description
OriginalFilename: ScreenConnect.Core.dll
CompanyName: ScreenConnect Software
ProductName: ScreenConnect
FileVersion: 24.3.7.9067
ProductVersion: 24.3.7.9067
Comments: DLL support by Alessandro Iacopetti & Gilles Vollant

Binder/Joiner/Crypter
14 Executable files found
Dropper code detected (EOF) - 69,99 KB

Entry Point
The section number (1) - (.text) has the Entry Point
Information -> EntryPoint (calculated) - 8AD
Code -> E8C5030000E97AFEFFFF558BEC6A00FF1540D04000FF7508FF153CD0400068090400C0FF1544D0400050FF1548D040005DC3
Assembler
|CALL 0X13CA
|JMP 0XE84
|PUSH EBP
|MOV EBP, ESP
|PUSH 0
|CALL DWORD PTR [0X40D040]
|PUSH DWORD PTR [EBP + 8]
|CALL DWORD PTR [0X40D03C]
|PUSH 0XC0000409
|CALL DWORD PTR [0X40D044]
|PUSH EAX
|CALL DWORD PTR [0X40D048]
|POP EBP
|RET
Signatures
CheckSum Integrity Problem:
Header: 5558721
Calculated: 5649105
Rich Signature Analyzer:
Code -> 015F0EE5453E60B6453E60B6453E60B6F1A291B64F3E60B6F1A293B63F3E60B6F1A292B65D3E60B6C54565B7603E60B6C54564B7543E60B6C54563B7513E60B64C46F3B6413E60B65B6CF3B6463E60B6453E61B6253E60B6CB4569B7443E60B6CB459FB6443E60B6CB4562B7443E60B652696368453E60B6
Footprint md5 Hash -> 849DE2AC7EE0A5EA3656A6553164563A
• The Rich header apparently has not been modified

Packer/Compiler
Compiler: Microsoft Visual .NET - (You can use a decompiler for this...)
AnyCPU: False
Compiler: Microsoft Visual Studio
Compiler: Microsoft Visual C ++
Detect It Easy (die)
PE: compiler: EP:Microsoft Visual C/C++(2017 v.15.5-6)[EXE32]
PE: compiler: Microsoft Visual C/C++(-)[-]
PE: linker: Microsoft Linker(14.33**)[-]
PE: Sign tool: Windows Authenticode(2.0)[PKCS 7]
Entropy: 7.42947

Suspicious Functions
Library Function Description
KERNEL32.DLL GetModuleFileNameA Retrieve the fully qualified path for the executable file of a specified module.
KERNEL32.DLL VirtualAlloc Reserve, commit, or both, a region of memory within the virtual address space of a process.
KERNEL32.DLL GetModuleHandleA Retrieves a handle to the specified module.
KERNEL32.DLL WriteFile Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL LoadLibraryW Loads the specified module into the address space of the calling process.
KERNEL32.DLL GetModuleHandle Retrieves a handle to the specified module.
KERNEL32.DLL CreateToolhelp32Snapshot Creates a snapshot of the specified processes, heaps, threads, and modules.
KERNEL32.DLL GetProcAddress Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL IsDebuggerPresent Determines if the calling process is being debugged by a user-mode debugger.
SHELL32.DLL ShellExecuteW Performs a run operation on a specific file.
Windows REG
Software\Microsoft\NET Framework Setup\NDP\v2.0.50727InstallSOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Client[SERVICE_NAME]restartnoneRemote Control"[SERVICE_CLIENT_LAUNCH_PARAMETERS]"{0C94448B-0C9E-4112-AC7D-B00E6BA76D82}0.0.0.0125.0.0.0OLD_PRODUCT_1{1F85D7FE-5576-41EE-9480-E3F7F9C31B8B}OLD_PRODUCT_2OLD_PRODUCT_3NEW_VERSION
SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Client[SERVICE_NAME]restartnoneRemote Control"[SERVICE_CLIENT_LAUNCH_PARAMETERS]"{0C94448B-0C9E-4112-AC7D-B00E6BA76D82}0.0.0.0125.0.0.0OLD_PRODUCT_1{1F85D7FE-5576-41EE-9480-E3F7F9C31B8B}OLD_PRODUCT_2OLD_PRODUCT_3NEW_VERSION

Windows REG (UNICODE)
SOFTWARE\Microsoft\Cryptography
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Software\Policies\Microsoft\Windows\Installer
SYSTEM\CurrentControlSet\Services\

File Access
DotNetResolver.exe
INSTALLLOCATION]ScreenConnect.WindowsClient.exe
INSTALLLOCATION]ScreenConnect.WindowsFileManager.exeLaunchApplicationScreenConnect.WindowsClient.exe
INSTALLLOCATION]ScreenConnect.WindowsFileManager.exe
INSTALLLOCATION]ScreenConnect.WindowsBackstageShell.exe
ScreenConnect.WindowsFileManager.exe
ScreenConnect.WindowsClient.exe
ScreenConnect.WindowsBackstageShell.exe
ScreenConnect.ClientInstallerRunner.exe
mscoree.dll
ScreenConnect.WindowsCredentialProvider.dll
ScreenConnect.WindowsAuthenticationPackage.dll
601ScreenConnect.WindowsCredentialProvider.dll
601ScreenConnect.WindowsAuthenticationPackage.dll
KERNEL32.dll
VERSION.dll
ole32.dll
SHELL32.dll
OLEAUT32.dll
USER32.dll
ADVAPI32.dll
msi.dll
wixca.dll
failed to get handle to kernel32.dll
Microsoft.Deployment.Compression.Cab.dll
Microsoft.Deployment.Compression.dll
ScreenConnect.Windows.dll
ScreenConnect.Core.dll
Microsoft.Deployment.WindowsInstaller.Package.dll
Microsoft.Deployment.WindowsInstaller.dll
ScreenConnect.InstallerActions.dll
SfxCA.dll
SHLWAPI.dll
Cabinet.dll
ScreenConnect.WindowsCredentialProvider.dll
ScreenConnect.WindowsAuthenticationPackage.dll
ScreenConnect.ClientService.dll
ScreenConnect.Client.dll
ScreenConnect.WindowsInstaller.dll
libzstd.dll
zlibvc.dll
libwebp.dll
winmm.dll
ScreenConnect.Properties.libz.x86.dll
ScreenConnect.Properties.libwebp.x86.dll
ScreenConnect.Properties.libzstd.x86.dll
ScreenConnect.Properties.libz.x64.dll
ScreenConnect.Properties.libwebp.x64.dll
ScreenConnect.Properties.libzstd.x64.dll
ScreenConnect.Scr
ScreenConnect.ScreenConnect.ClientSetup.msi
.jaR
ScreenConnect.UserInterfaceSettingsScreenConnect.Sys
.dat
Failed to read Binary.Dat
@.dat
Temp
ProgramFiles

File Access (UNICODE)
ClientSetup.msi
//feedback.scr
mscoree.dll
Core.dll
*.dll
libwebp.dll
CorExitProcessmscoree.dll
zlib.dll
ZLib.DLL
Windows.dll
WindowsInstaller.dll
KERNEL32.DLL
GetLastActivePopupGetActiveWindowMessageBoxWUSER32.DLL
InstallerActions.dll
ClientInstallerRunner.exe
DotNetResolver.exe
rundll32.exe
msiexec.exe
0\powershell.exe
cmd.exe
WindowsBackstageShell.exe
ClientService.exe
WindowsClient.exe
wixca.dll
Command failed to execute.Command line returned an error.kernel32.dll
rstrtmgr.dll
dwmapi.dll
d3d9.dll
SfxCA.dll
CorBindToRuntimeExGetRequestedRuntimeInfoFailed to load mscoree.dll
Failed to locate functions in mscoree.dll
USER32.DLL
WScreenConnect.Scr
Exec - powershell.exe /c
Temp
AppData

SQL Queries
SELECT ProcessId, ParentProcessId FROM Win32_Process
SELECT WixCloseApplication, Target, Description, Condition, Attributes, Property, TerminateExitCode, Timeout FROM WixCloseApplication ORDER BY Sequence
SELECT Component_, Directory_, Name, Target, Attributes, IconFile, IconIndex FROM WixInternetShortcut
SELECT WixRestartResource.WixRestartResource, WixRestartResource.Component_, WixRestartResource.Resource, WixRestartResource.Attributes FROM WixRestartResource
SELECT WixRemoveFolderEx, Component_, Property, InstallMode FROM WixRemoveFolderEx
SELECT SecureObjects.SecureObject, SecureObjects.Table, SecureObjects.Domain, SecureObjects.User, SecureObjects.Permission, SecureObjects.Component_, Component.Attributes FROM SecureObjects,Component WHERE SecureObjects.Component_=Component.Component
SELECT Registry.Registry, Registry.Root, Registry.Key FROM Registry WHERE Registry.Registry=?
SELECT ServiceInstall.Name FROM ServiceInstall WHERE ServiceInstall.ServiceInstall=?
SELECT ServiceName, Component_, NewService, FirstFailureActionType, SecondFailureActionType, ThirdFailureActionType, ResetPeriodInDays, RestartServiceDelayInSeconds, ProgramCommandLine, RebootMessage FROM ServiceConfig
SELECT Data FROM Binary WHERE Name='%s'
SELECT XmlFile.XmlFile, XmlFile.File, XmlFile.ElementPath, XmlFile.Name, XmlFile.Value, XmlFile.Flags, XmlFile.Component_, Component.Attributes FROM XmlFile,Component WHERE XmlFile.Component_=Component.Component ORDER BY File, Sequence
SELECT XmlConfig.XmlConfig, XmlConfig.File, XmlConfig.ElementPath, XmlConfig.VerifyPath, XmlConfig.Name, XmlConfig.Value, XmlConfig.Flags, XmlConfig.Component_, Component.Attributes FROM XmlConfig,Component WHERE XmlConfig.Component_=Component.Component ORDER BY File, Sequence
SELECT * FROM %s

Interest's Words
lockbit
PADDINGX
Encrypt
Decrypt
Encryption
RunPE
PassWord
<html
<head
<body
<div
<form
<button
<link
<title
<section
<main
exec
createobject
netsh
attrib
start
pause
hostname
wmic
sdelete
shutdown
systeminfo
ping
dism
expand
getmac
replace
route
setx

Interest's Words (UNICODE)
Encrypt
Encryption
PassWord
exec
powershell
netsh
attrib
start
pause
wmic
sdelete
shutdown
rundll32
systeminfo
ping
rundll
dism

URLs
http://ocsp.digicert.com
http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
http://crl3.digicert.com/DigiCertTrustedRootG4.crl
http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
http://www.digicert.com/CPS0
http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl
http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt
http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl

URLs (UNICODE)
https://feedback.screenconnect.com/Feedback.axd

PE Carving
Start Offset Header End Offset Size (Bytes)
0 123D4 123D4
123D4 983D4 86000
983D4 C1DB0 299DC
C1DB0 1293B8 67608
1293B8 17E5C0 55208
17E5C0 1933C8 14E08
1933C8 1A57D0 12408
1A57D0 1F71D8 51A08
1F71D8 23C9D4 457FC
23C9D4 2575D4 1AC00
2575D4 3F654C 19EF78
3F654C 50054C 10A000
50054C 5438EC 433A0
5438EC 55C7F8 18F0C
Strings/Hex Code Found With The File Rules
Rule Type Encoding Matched (Word)
Text Ascii WinAPI Sockets (bind)
Text Unicode WinAPI Sockets (bind)
Text Ascii WinAPI Sockets (listen)
Text Ascii WinAPI Sockets (accept)
Text Ascii WinAPI Sockets (connect)
Text Unicode WinAPI Sockets (connect)
Text Ascii WinAPI Sockets (send)
Text Unicode WinAPI Sockets (send)
Text Ascii Registry (RegCreateKeyEx)
Text Ascii Registry (RegOpenKeyEx)
Text Ascii Registry (RegSetValueEx)
Text Ascii File (GetTempPath)
Text Ascii File (CopyFile)
Text Ascii File (CreateFile)
Text Ascii File (WriteFile)
Text Ascii File (ReadFile)
Text Ascii Service (OpenSCManager)
Text Ascii Service (CreateService)
Text Unicode Encryption (AesCryptoServiceProvider)
Text Ascii Encryption (CreateDecryptor)
Text Ascii Encryption (FromBase64String)
Text Ascii Encryption (ICryptoTransform)
Text Ascii Encryption (MD5CryptoServiceProvider)
Text Ascii Encryption (RNGCryptoServiceProvider)
Text Ascii Encryption (Rijndael)
Text Ascii Encryption (RijndaelManaged)
Text Ascii Encryption (ToBase64String)
Text Ascii Anti-Analysis VM (IsDebuggerPresent)
Text Ascii Anti-Analysis VM (GetSystemInfo)
Text Ascii Anti-Analysis VM (GlobalMemoryStatusEx)
Text Ascii Anti-Analysis VM (GetVersion)
Text Ascii Anti-Analysis VM (CreateToolhelp32Snapshot)
Text Ascii Reconnaissance (FindNextFileA)
Text Ascii Reconnaissance (FindFirstFileW)
Text Ascii Reconnaissance (FindNextFileW)
Text Ascii Reconnaissance (FindClose)
Text Ascii Stealth (CloseHandle)
Text Ascii Stealth (VirtualAlloc)
Text Ascii Stealth (VirtualProtect)
Text Ascii Execution (CreateProcessA)
Text Ascii Execution (CreateProcessW)
Text Ascii Execution (ShellExecute)
Text Ascii Execution (CreateEventW)
Text Unicode Privileges (SeDebugPrivilege)
Text Unicode Privileges (SeShutdownPrivilege)
Text Ascii Privileges (SE_PRIVILEGE_ENABLED)
Text Ascii Privileges (SE_PRIVILEGE_REMOVED)
Text Ascii Keyboard Key (ALTDOWN)
Text Ascii Keyboard Key (LBUTTON)
Text Ascii Keyboard Key (RBUTTON)
Text Ascii Keyboard Key (Scroll)
Text Ascii Keyboard Key (UpArrow)
Text Ascii Malicious code executed after exploiting a vulnerability (Payload)
Text Ascii Process of gathering information about network resources (Enumeration)
Text Ascii Malware that monitors and collects user data (Spy)
Text Ascii Information used for user authentication (Credential)
Text Unicode Information used for user authentication (Credential)
Text Ascii Unauthorized movement of funds or data (Transfer)
Text Unicode Unauthorized movement of funds or data (Transfer)
Text Ascii Malicious rerouting of traffic to an attacker-controlled site (Redirect)
Text Ascii Technique used to capture communications between systems (Intercept)
Entry Point Hex Pattern HA Archive
Entry Point Hex Pattern Microsoft Visual C++ 8
Entry Point Hex Pattern Microsoft Visual C++ 8
Entry Point Hex Pattern Microsoft Visual C++ v7.0
Entry Point Hex Pattern PE-Exe Executable Image
Entry Point Hex Pattern Trilobyte's RNR graphics library
Entry Point Hex Pattern VC8 - Microsoft Corporation
Resources
Path DataRVA Size FileOffset Code Text PE/Payload
\FILES\SCREENCONNECT.CORE, VERSION=24.3.7.9067, CULTURE=NEUTRAL, PUBLICKEYTOKEN=4B14C015C87C1AD8\0 163D4 86000 123D4 4D5A90000300000004000000FFFF0000B8000000000000004000000000000000000000000000000000000000000000000000MZ......................@.........................(Executable found)
\FILES\SCREENCONNECT.WINDOWS, VERSION=24.3.7.9067, CULTURE=NEUTRAL, PUBLICKEYTOKEN=4B14C015C87C1AD8\0 9C3D4 1A4600 983D4 4D5A90000300000004000000FFFF0000B8000000000000004000000000000000000000000000000000000000000000000000MZ......................@.........................(Executable found)
\FILES\SCREENCONNECT.WINDOWSINSTALLER, VERSION=24.3.7.9067, CULTURE=NEUTRAL, PUBLICKEYTOKEN=4B14C015C87C1AD8\0 2409D4 1AC00 23C9D4 4D5A90000300000004000000FFFF0000B8000000000000004000000000000000000000000000000000000000000000000000MZ......................@.........................(Executable found)
\FILES\_ENTRYPOINT\0 25B5D4 2EC318 2575D4 4D5A90000300000004000000FFFF0000B8000000000000004000000000000000000000000000000000000000000000000000MZ......................@.........................(Executable found)
\FILES\_RESOLVER\0 5478EC 1600 5438EC 4D5A90000300000004000000FFFF0000B8000000000000004000000000000000000000000000000000000000000000000000MZ......................@.........................(Executable found)
\24\1\1033 548EEC 188 544EEC 3C3F786D6C2076657273696F6E3D27312E302720656E636F64696E673D275554462D3827207374616E64616C6F6E653D2779<?xml version='1.0' encoding='UTF-8' standalone='yN/A
Intelligent String
• 0.0.0.0
• DotNetResolver.exe
• :060U00Uq]dL.g?O0U0E1-Q!m0U0y+m0k0$+0http://ocsp.digicert.com0C+07http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0EU>0<0:864http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0U
• ScreenConnect.ClientInstallerRunner.exe
• _CorExeMainmscoree.dll
• KERNEL32.dll
• mscoree.dll
• \Y4 ScreenConnect.Core.dll
• ScreenConnect.Windows.dll
• _CorDllMainmscoree.dll
• .bss
• KERNEL32.DLL
• ZLib.DLL
• zlib.dll
• libwebp.dll
• ScreenConnect.Core.dll
• *.dll
• OLEAUT32.dll
• C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetRunner.pdb
• https://feedback.screenconnect.com/Feedback.axd
• .dll
• .arm
• aShowTrayIconContextMenuStoreLoginCredentialsItem
• C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdbs
• .avi
• runas
• cmd.exe
• KWindowsPowershell\v1.0\powershell.exe
• USER32.DLL
• .exe
• Default.cab
• WScreenConnect.ScreenConnect.ClientSetup.msi
• ;ScreenConnect.ClientSetup.msi
• msiexec.exe
• \YX ScreenConnect.Client.dll
• \Y ScreenConnect.ClientService.dll
• \Y] ScreenConnect.WindowsBackstageShell.exe
• \Yg ScreenConnect.WindowsClient.exe
• \Y] ScreenConnect.WindowsFileManager.exe
• rundll32.exe
• \Microsoft.Deployment.WindowsInstaller.dll
• E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb
• !"$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]_abcdefghijklmnopqrstuvwxyz{|}~SfxCA.dll
• SfxCA.dll
• \Y] ScreenConnect.InstallerActions.dll
• \YV ScreenConnect.Windows.dll
• CloseApps.cpp
• Failed to get SID; skipping account %lsosinfo.cpp
• d3d9.dll
• dwmapi.dll
• Unable to schedule rollback for object: %lssecureobj.cpp
• serviceconfig.cpp
• test.cpp
• Global\WixWaitForEventFail
• Failed to create the Global\WixWaitForEventFail event.
• Global\WixWaitForEventSucceed
• Failed to create the Global\WixWaitForEventSucceed event.
• XmlConfig.cpp
• memutil.cppprocutil.cpp
• proc2utl.cpp
• fileutil.cpp
• aclutil.cpprmutil.cpp
• rstrtmgr.dll
• pathutil.cpp
• xmlutil.cppkernel32.dll
• wcalog.cpp
• wcascript.cpp
• qtexec.cpp
• wcawow64.cpp
• C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb
• ADVAPI32.dll
• USER32.dll
• wixca.dll
• C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\DotNetResolver\obj\Debug\DotNetResolver.pdb
• 8CommandStoreLoginCredentials
• AnnotationABlack out the remote monitor so they can't see what you're doing.Blank Guest MonitorGPrevent the user at the remote machine from interfering with your work.Block Guest InputChange ResolutionChange Sharing+Clear everyone's annotations on the screen.Clear AnnotationsJSend your clipboard to the remote machine as keystrokes. Useful for login.Send Clipboard KeystrokesControl Sharing@Enable clipboard help for the Helper to process all copied text.Enable Clipboard Help

Flow Anomalies
Offset RVA Section Description
546200 N/A *Overlay* F86501000002020030830165E906092A864886F7 | .e......0..e...*.H..
Extra Analysis
Metric Value Percentage
Ascii Code 3532537 62,8369%
Null Byte Code 655564 11,6612%
NOP Cave Found 0x9090909090 Block Count: 1 | Total: 0%