PREMIUM PESCAN.IO - Analysis Report |
| File Structure |
Chart not reproduced. Legend for PE files: executable header (light blue), executable sections (pink), non-executable sections (black), external injected code (red); a file structure drawn in red means a malformed or corrupted header. Legend for other files: printable characters (blue), non-printable characters (black).
| Information |
| Field | Value |
|---|---|
| Size | 1,11 MB |
| SHA-256 Hash | 7DEC67FE3BB34B605E6C2DE69DDEEB5B2D2D968EE555AD6EF797DFD982063ED0 |
| SHA-1 Hash | 11AFBB99D7668DBEF73D3B3D148E5B150B066796 |
| MD5 Hash | 73D879C3691B304B6689DE215F334769 |
| Imphash | F34D5F2D4577ED6D9CEEC516C1F5A744 |
| MajorOSVersion | 4 |
| MinorOSVersion | 0 |
| CheckSum | 0012829E |
| EntryPoint (rva) | FEA7A |
| SizeOfHeaders | 200 |
| SizeOfImage | 120000 |
| ImageBase | 400000 |
| Architecture | x86 |
| ImportTable | FEA25 |
| IAT | 2000 |
| Characteristics | 22 |
| TimeDateStamp | 9C9A55BC |
| Date | 04/04/2053 6:16:28 |
| File Type | EXE |
| Number Of Sections | 3 |
| ASLR | Disabled |
| Section Names | .text, .rsrc, .reloc |
| Number Of Executable Sections | 1 |
| Subsystem | Windows GUI |
| UAC Execution Level Manifest | requireAdministrator |
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 60000020 (Code, Executable, Readable) | 200 | FCC00 | 2000 | FCA80 | | |
| .rsrc | 40000040 (Initialized Data, Readable) | FCE00 | 1DA00 | 100000 | 1D950 | | |
| .reloc | 42000040 (Initialized Data, GP-Relative, Readable) | 11A800 | 200 | 11E000 | C | | |
| Description |
| Field | Value |
|---|---|
| OriginalFilename | Newtonsoft.Json.dll |
| CompanyName | Newtonsoft |
| LegalCopyright | Copyright James Newton-King 2008 |
| ProductName | Json.NET |
| FileVersion | 13.0.3.27908 |
| FileDescription | Json.NET .NET 4.5 |
| ProductVersion | 13.0.3+0a2e291c0d9c0c7675d445703e51750363a549ef |
| Comments | Json.NET is a popular high-performance JSON framework for .NET |
| Language | Unknown (ID=0x0) |
| CodePage | Unicode (UTF-16 LE) (0x4B0) |
| Binder/Joiner/Crypter |
| 2 Executable files found |
| Entry Point |
The section number (1) - (.text) have the Entry Point Information -> EntryPoint (calculated) - FCC7A Code -> FF25002040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Assembler |JMP DWORD PTR [0X402000] |ADD BYTE PTR [EAX], AL |ADD BYTE PTR [EAX], AL |ADD BYTE PTR [EAX], AL |ADD BYTE PTR [EAX], AL |ADD BYTE PTR [EAX], AL |ADD BYTE PTR [EAX], AL |ADD BYTE PTR [EAX], AL |ADD BYTE PTR [EAX], AL |ADD BYTE PTR [EAX], AL |ADD BYTE PTR [EAX], AL |ADD BYTE PTR [EAX], AL |ADD BYTE PTR [EAX], AL |ADD BYTE PTR [EAX], AL |ADD BYTE PTR [EAX], AL |ADD BYTE PTR [EAX], AL |ADD BYTE PTR [EAX], AL |ADD BYTE PTR [EAX], AL |ADD BYTE PTR [EAX], AL |ADD BYTE PTR [EAX], AL |ADD BYTE PTR [EAX], AL |ADD BYTE PTR [EAX], AL |ADD BYTE PTR [EAX], AL |
| Signatures |
| Certificate - Digital Signature: • The file is signed and the signature is correct |
| Packer/Compiler |
Compiler: Microsoft Visual .NET - (You can use a decompiler for this...)
• AnyCPU: True
• Version: v4.0

Detect It Easy (die)
• PE: library: .NET(v4.0.30319)[-]
• PE: linker: Microsoft Linker(48.0)[-]
• PE: Sign tool: Windows Authenticode(2.0)[PKCS 7]
• Entropy: 6.6596
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | CreateToolhelp32Snapshot | Creates a snapshot of the specified processes, heaps, threads, and modules. |
| Windows REG (UNICODE) |
• SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
• SYSTEM\CurrentControlSet\Control\Session Manager\kernel
• SYSTEM\CurrentControlSet\Control\Session Manager\kernel:GlobalTimerResolutionRequests
| File Access |
| steam.exe Intelligent standby list cleaner ISLC.exe mscoree.dll Newtonsoft.Json.dll Intelligent_standby_list_cleaner_ISLC.Resources.Newtonsoft.Json.dll ntdll.dll kernel32.dll advapi32.dll +Newtonsoft.Json.Linq.JAr .Newtonsoft.Json.Linq.JAr System.Dat System.Windows.Dat Temp |
| File Access (UNICODE) |
| Objects.Dat Json.dll Intelligent standby list cleaner ISLC.exe CSharp.dll CaseFields6System.Dat .System.Dat 7System.Dat /System.Dat ComponentModel.Dat Design.Dat cSystem.Dat YSystem.Dat Temp |
| SQL Queries |
| SELECT ProcessID FROM Win32_ProcessStartTrace WHERE ProcessName=')' OR ProcessName = ''SELECT ProcessID FROM Win32_ProcessStopTrace WHERE ProcessName='mSubscription for WMI events is stopped with status {0} |
| Interest's Words |
| smtp PassWord <div <form <title <main exec createobject unescape attrib start shutdown systeminfo ping expand replace route |
| Interest's Words (UNICODE) |
| exec attrib start shutdown systeminfo ping expand replace |
| URLs |
| URLs (UNICODE) |
| http://www.w3.org/2000/xmlns/ http://james.newtonking.com/projects/json http://james.newtonking.com/projects/json https://www.wagnardsoft.com https://www.wagnardsoft.com/api/islc/version.json |
| IP Addresses |
| 17.0.0.0 17.1.0.0 13.0.0.0 |
| PE Carving |
| Start Offset Header | End Offset | Size (Bytes) |
|---|---|---|
| 0 | 4EE2C | 4EE2C |
| 4EE2C | 11D6F0 | CE8C4 |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Unicode | Unicode escape - \u00 - (Common Unicode escape sequences) |
| Text | Ascii | WinAPI Sockets (bind) |
| Text | Unicode | WinAPI Sockets (bind) |
| Text | Ascii | WinAPI Sockets (connect) |
| Text | Ascii | WinAPI Sockets (send) |
| Text | Ascii | Encryption (Base64Encode) |
| Text | Ascii | Encryption (FromBase64String) |
| Text | Ascii | Encryption (ToBase64String) |
| Text | Ascii | Anti-Analysis VM (GlobalMemoryStatusEx) |
| Text | Ascii | Anti-Analysis VM (GetVersion) |
| Text | Ascii | Anti-Analysis VM (CreateToolhelp32Snapshot) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Antivirus Software (comodo) |
| Text | Unicode | Privileges (SeAssignPrimaryTokenPrivilege) |
| Text | Unicode | Privileges (SeAuditPrivilege) |
| Text | Unicode | Privileges (SeBackupPrivilege) |
| Text | Unicode | Privileges (SeChangeNotifyPrivilege) |
| Text | Unicode | Privileges (SeCreateGlobalPrivilege) |
| Text | Unicode | Privileges (SeCreatePagefilePrivilege) |
| Text | Unicode | Privileges (SeCreatePermanentPrivilege) |
| Text | Unicode | Privileges (SeCreateTokenPrivilege) |
| Text | Unicode | Privileges (SeDebugPrivilege) |
| Text | Unicode | Privileges (SeEnableDelegationPrivilege) |
| Text | Unicode | Privileges (SeImpersonatePrivilege) |
| Text | Unicode | Privileges (SeIncreaseBasePriorityPrivilege) |
| Text | Unicode | Privileges (SeIncreaseQuotaPrivilege) |
| Text | Unicode | Privileges (SeLoadDriverPrivilege) |
| Text | Unicode | Privileges (SeLockMemoryPrivilege) |
| Text | Unicode | Privileges (SeMachineAccountPrivilege) |
| Text | Unicode | Privileges (SeManageVolumePrivilege) |
| Text | Unicode | Privileges (SeProfileSingleProcessPrivilege) |
| Text | Unicode | Privileges (SeRemoteShutdownPrivilege) |
| Text | Unicode | Privileges (SeRestorePrivilege) |
| Text | Unicode | Privileges (SeSecurityPrivilege) |
| Text | Unicode | Privileges (SeShutdownPrivilege) |
| Text | Unicode | Privileges (SeSystemEnvironmentPrivilege) |
| Text | Unicode | Privileges (SeSystemProfilePrivilege) |
| Text | Unicode | Privileges (SeSystemtimePrivilege) |
| Text | Unicode | Privileges (SeTakeOwnershipPrivilege) |
| Text | Unicode | Privileges (SeTcbPrivilege) |
| Text | Unicode | Privileges (SeUndockPrivilege) |
| Text | Unicode | Privileges (SeUnsolicitedInputPrivilege) |
| Text | Ascii | Privileges (SE_PRIVILEGE_ENABLED) |
| Text | Ascii | Process of gathering information about network resources (Enumeration) |
| Entry Point | Hex Pattern | Microsoft Visual C / Basic .NET |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8.0 |
| Entry Point | Hex Pattern | Microsoft Visual C v7.0 / Basic .NET |
| Entry Point | Hex Pattern | Microsoft Visual Studio .NET |
| Entry Point | Hex Pattern | .NET executable |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \ICON\1\0 | 100200 | EA8 | FD000 | 2800000030000000600000000100080000000000000900000000000000000000000100000001000000000000191C14001D1E | (...0............................................ |
| \ICON\2\0 | 1010B8 | 8A8 | FDEB8 | 28000000200000004000000001000800000000000004000000000000000000000001000000010000000000001F1F1A001A26 | (... ...@........................................& |
| \ICON\3\0 | 101970 | 6C8 | FE770 | 28000000180000003000000001000800000000004002000000000000000000000001000000010000000000001E281900202A | (.......0...........@........................(.. * |
| \ICON\4\0 | 102048 | 568 | FEE48 | 28000000100000002000000001000800000000000001000000000000000000000001000000010000000000001F3F1A002027 | (....... ....................................?.. ' |
| \ICON\5\0 | 1025C0 | 15DE7 | FF3C0 | 89504E470D0A1A0A0000000D49484452000001000000010008060000005C72A866000000017352474200AECE1CE900000004 | .PNG........IHDR.............\r.f....sRGB......... |
| \ICON\6\0 | 1183B8 | 25A8 | 1151B8 | 2800000030000000600000000100200000000000802500000000000000000000000000000000000000000000000000000000 | (...0........ ......%............................ |
| \ICON\7\0 | 11A970 | 10A8 | 117770 | 2800000020000000400000000100200000000000801000000000000000000000000000000000000000000000000000000000 | (... ...@..... ................................... |
| \ICON\8\0 | 11BA28 | 988 | 118828 | 2800000018000000300000000100200000000000600900000000000000000000000000000000000000000000000000000000 | (.......0..... .................................. |
| \ICON\9\0 | 11C3C0 | 468 | 1191C0 | 2800000010000000200000000100200000000000400400000000000000000000000000000000000000000000000000000000 | (....... ..... .....@............................. |
| \GROUP_ICON\32512\0 | 11C838 | 84 | 119638 | 0000010009003030000001000800A80E000001002020000001000800A808000002001818000001000800C806000003001010 | ......00............ ............................ |
| \VERSION\1\0 | 11C8CC | 410 | 1196CC | 100434000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \24\1\0 | 11CCEC | C60 | 119AEC | EFBBBF3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D227574662D38223F3E0D0A3C617373656D62 | ...<?xml version="1.0" encoding="utf-8"?>..<assemb |
| Intelligent String |
• 1.0.3.7
• Intelligent standby list cleaner ISLC.exe
• :060U00Uq]dL.g?O0U0E1-Q!m0U0y+m0k0$+0http://ocsp.digicert.com0C+07http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0EU>0<0:864http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0U
• Newtonsoft.Json.dll
• Json.NET
• http://james.newtonking.com/projects/json
• RNWindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35WSPresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35\XPresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35D9http://schemas.microsoft.com/winfx/2006/xaml/presentation
• .exe
• https://www.paypal.com/cgi-bin/webscr?cmd=_donations&business=KAQAJ6TNR9GQE&lc=CA&item_name=ISLC&currency_code=USD&bn=PP%2dDonationsBF%3abtn_donate_LG%2egif%3aNonHosted
• https://www.wagnardsoft.com
• https://www.wagnardsoft.com/api/islc/version.json
• 6resources/btn_donate_lg.gif
• \u0085
• >Json.NET is a popular high-performance JSON framework for .NET
• https://github.com/JamesNK/Newtonsoft.Json
• uJSON Schema validation has been moved to its own package. See https://www.newtonsoft.com/jsonschema for more details.
• BSON reading and writing has been moved to its own package. See https://www.nuget.org/packages/Newtonsoft.Json.Bson for more details.
• _CorDllMainmscoree.dll
• Json.NET is a popular high-performance JSON framework for .NET
• 13.0.0.0
• _CorExeMainmscoree.dll
• <dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
| Flow Anomalies |
| Offset | RVA | Section | Description |
|---|---|---|---|
| 11AA00 | N/A | *Overlay* | F02C00000002020030822CE206092A864886F70D | .,......0.,...*.H... |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 678199 | 58,0086% |
| Null Byte Code | 243685 | 20,8432% |