PESCAN.IO - Analysis Report Basic
| File Structure |
[Figure: file structure chart]

PE chart code: executable header (light blue); executable sections (pink); non-executable sections (black); external injected code (red). A file structure drawn in red indicates a malformed or corrupted header.

Chart code for other files: printable characters (blue); non-printable characters (black).
| Information |
| Field | Value |
|---|---|
| Size | 5,80 MB |
| SHA-256 Hash | B61BD0D98CC2C00FE1BC46B1D114B2F1CA2952F6D2E44CED1BC4F5263ADBBFE6 |
| SHA-1 Hash | 2D7F6EE559AACD59C090D34D3A48D31BB3496CFE |
| MD5 Hash | 7E6A4BDC1A7C4D9F5AAB3C4948EB1628 |
| Imphash | 80D7D088A4A07121A64F1DCE46638B60 |
| MajorOSVersion | 4 |
| MinorOSVersion | 0 |
| CheckSum | 00000000 |
| EntryPoint (rva) | 5CD31 |
| SizeOfHeaders | 1000 |
| SizeOfImage | E5000 |
| ImageBase | 400000 |
| Architecture | x86 |
| ImportTable | AE270 |
| IAT | 89000 |
| Characteristics | 10F |
| TimeDateStamp | 4C3EAA25 |
| Date | 15/07/2010 6:26:45 |
| File Type | EXE |
| Number Of Sections | 4 |
| ASLR | Disabled |
| Section Names | .text, .rdata, .data, .rsrc |
| Number Of Executable Sections | 1 |
| Subsystem | Windows GUI |
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 60000020 (Code, Executable, Readable) | 1000 | 88000 | 1000 | 87436 | 6,7031 | 2516637,44 |
| .rdata | 40000040 (Initialized Data, Readable) | 89000 | 28000 | 89000 | 27070 | 5,8084 | 3925882,64 |
| .data | C0000040 (Initialized Data, Readable, Writeable) | B1000 | 8000 | B1000 | C5C4 | 2,7864 | 4233598,27 |
| .rsrc | 40000040 (Initialized Data, Readable) | B9000 | 27000 | BE000 | 268F8 | 5,9084 | 2715258,87 |
| Description |
| Field | Value |
|---|---|
| OriginalFilename | UpdateSeed.exe |
| CompanyName | TODO: <Company name> |
| LegalCopyright | TODO: (c) <Company name>. All rights reserved. |
| ProductName | TODO: <Product name> |
| FileVersion | 1.0.0.1 |
| FileDescription | TODO: <File description> |
| ProductVersion | 1.0.0.1 |
| Language | English (United States) (ID=0x409) |
| CodePage | Western European (Windows 1252) (0x4E4) |
| Binder/Joiner/Crypter |
| Dropper code detected (EOF) - 4,90 MB |
| Entry Point |
Section number 1 (.text) has the entry point.

Information -> EntryPoint (calculated) - 5CD31

Code -> 6A606808C64900E8E3200000BF940000008BC7E817F7FFFF8965E88BF4893E56FF15D89248008B4E10890D5CBB4B008B4604

• PUSH 0X60
• PUSH 0X49C608
• CALL 0X30EF
• MOV EDI, 0X94
• MOV EAX, EDI
• CALL 0X72F
• MOV DWORD PTR [EBP - 0X18], ESP
• MOV ESI, ESP
• MOV DWORD PTR [ESI], EDI
• PUSH ESI
• CALL DWORD PTR [0X4892D8]
• MOV ECX, DWORD PTR [ESI + 0X10]
• MOV DWORD PTR [0X4BBB5C], ECX
• MOV EAX, DWORD PTR [ESI + 4]
| Signatures |
Rich Signature Analyzer:

Code -> 799E751C3DFF1B4F3DFF1B4F3DFF1B4F2EF7724F31FF1B4FBEF7444F37FF1B4FC7DC024F3BFF1B4F2EF7464F3FFF1B4FBEF7464F2EFF1B4F3DFF1A4F7BFD1B4F38F3144F17FF1B4F38F3444FEFFF1B4F38F37B4FF6FF1B4FD1F4454F3CFF1B4F38F3414F3CFF1B4F526963683DFF1B4F

Footprint md5 Hash -> 227C3A4135CB4E857FA4FE68B29D1FE5

• The Rich header apparently has not been modified

Certificate - Digital Signature Not Found:

• The file is not signed
| Packer/Compiler |
Compiler: Microsoft Visual C++

Compiler: Microsoft Visual C++ 6-8

Compiler: Microsoft Visual C++ 6 DLL

Detect It Easy (die)

• PE: library: MFC(-)[static]
• PE: compiler: EP:Microsoft Visual C/C++(2003 v.7.1 (3052-9782))[EXE32]
• PE: compiler: Microsoft Visual C++(2003)[libcmt]
• PE: linker: Microsoft Linker(7.10)[-]
• Entropy: 7.33227
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | GetModuleFileNameA | Retrieve the fully qualified path for the executable file of a specified module. |
| KERNEL32.DLL | VirtualAlloc | Reserve, commit, or both, a region of memory within the virtual address space of a process. |
| KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | CreateFileA | Creates or opens a file or I/O device. |
| KERNEL32.DLL | DeleteFileA | Deletes an existing file. |
| USER32.DLL | CallWindowProcA | Invokes the window procedure for the specified window and messages. |
| ADVAPI32.DLL | RegCreateKeyExA | Creates a new registry key or opens an existing one. |
| ADVAPI32.DLL | RegDeleteKeyA | Used to delete a subkey and its values from the Windows registry. |
| ADVAPI32.DLL | RegSetValueExA | Sets the data and type of a specified value under a registry key. |
| Windows REG |
• Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
• Software\Microsoft\Windows\CurrentVersion\Policies\Network
• Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
• Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer - NoRun
| File Access |
| .exe qqdl.exe WINMM.dll OLEAUT32.dll ole32.dll oledlg.dll SHLWAPI.dll COMCTL32.dll SHELL32.dll ADVAPI32.dll comdlg32.dll GDI32.dll USER32.dll KERNEL32.dll OLEACC.dll mscoree.dll %s.dll ntdll.dll qqdlproxy.dll .bat @.dat /update/localfilelist.txt /update/newfile.txt update/dellist.txt /mb/etc/version.txt /cfg.txt cfg.txt .INI Temp |
| File Access (UNICODE) |
| UpdateSeed.exe Temp |
| Interest's Words |
| smtp Encrypt Decrypt Encryption PassWord exec attrib start cipher systeminfo replace |
| Interest's Words (UNICODE) |
| start |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | WinAPI Sockets (connect) |
| Text | Unicode | WinAPI Sockets (send) |
| Text | Ascii | Registry (RegCreateKeyEx) |
| Text | Ascii | Registry (RegOpenKeyEx) |
| Text | Ascii | Registry (RegSetValueEx) |
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | File (ReadFile) |
| Text | Ascii | Anti-Analysis VM (GetSystemInfo) |
| Text | Ascii | Anti-Analysis VM (GetVersion) |
| Text | Ascii | Reconnaissance (FindFirstFileA) |
| Text | Ascii | Reconnaissance (FindNextFileA) |
| Text | Ascii | Reconnaissance (FindClose) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Stealth (IsBadReadPtr) |
| Text | Ascii | Stealth (VirtualAlloc) |
| Text | Ascii | Stealth (VirtualProtect) |
| Text | Ascii | Stealer malware focused on obtaining CVV codes to conduct unauthorized transactions (CVV) |
| Entry Point | Hex Pattern | Armadillo v2.xx (CopyMem II) |
| Entry Point | Hex Pattern | Microsoft Visual C++ 7.0 |
| Entry Point | Hex Pattern | Microsoft Visual C++ v7.0 |
| Entry Point | Hex Pattern | PE-Exe Executable Image |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \CURSOR\2\2052 | E1A50 | 134 | DCA50 | 020002002800000020000000400000000100010000000000000100000000000000000000000000000000000000000000FFFF | ....(... ...@..................................... |
| \CURSOR\3\2052 | E1B88 | B4 | DCB88 | 010001002800000010000000200000000100010000000000800000000000000000000000000000000000000000000000FFFF | ....(....... ..................................... |
| \CURSOR\4\2052 | E1C68 | 134 | DCC68 | 0F0014002800000020000000400000000100010000000000000100000000000000000000000000000000000000000000FFFF | ....(... ...@..................................... |
| \CURSOR\5\2052 | E1DB8 | 134 | DCDB8 | 100008002800000020000000400000000100010000000000000100000000000000000000000000000000000000000000FFFF | ....(... ...@..................................... |
| \CURSOR\6\2052 | E1F08 | 134 | DCF08 | 0A000E002800000020000000400000000100010000000000000100000000000000000000000000000000000000000000FFFF | ....(... ...@..................................... |
| \CURSOR\7\2052 | E2058 | 134 | DD058 | 15000E002800000020000000400000000100010000000000000100000000000000000000000000000000000000000000FFFF | ....(... ...@..................................... |
| \CURSOR\8\2052 | E21A8 | 134 | DD1A8 | 0C0012002800000020000000400000000100010000000000000100000000000000000000000000000000000000000000FFFF | ....(... ...@..................................... |
| \CURSOR\9\2052 | E22F8 | 134 | DD2F8 | 140012002800000020000000400000000100010000000000000100000000000000000000000000000000000000000000FFFF | ....(... ...@..................................... |
| \CURSOR\10\2052 | E2448 | 134 | DD448 | 0C000B002800000020000000400000000100010000000000000100000000000000000000000000000000000000000000FFFF | ....(... ...@..................................... |
| \CURSOR\11\2052 | E2598 | 134 | DD598 | 13000A002800000020000000400000000100010000000000000100000000000000000000000000000000000000000000FFFF | ....(... ...@..................................... |
| \CURSOR\12\2052 | E26E8 | 134 | DD6E8 | 10000F002800000020000000400000000100010000000000800000000000000000000000000000000000000000000000FFFF | ....(... ...@..................................... |
| \CURSOR\13\2052 | E2838 | 134 | DD838 | 10000F002800000020000000400000000100010000000000000100000000000000000000000000000000000000000000FFFF | ....(... ...@..................................... |
| \CURSOR\14\2052 | E2988 | 134 | DD988 | 0F000F002800000020000000400000000100010000000000000100000000000000000000000000000000000000000000FFFF | ....(... ...@..................................... |
| \CURSOR\15\2052 | E2AD8 | 134 | DDAD8 | 10000F002800000020000000400000000100010000000000000100000000000000000000000000000000000000000000FFFF | ....(... ...@..................................... |
| \CURSOR\16\2052 | E2C28 | 134 | DDC28 | 10000F002800000020000000400000000100010000000000000100000000000000000000000000000000000000000000FFFF | ....(... ...@..................................... |
| \CURSOR\17\2052 | E2D78 | 134 | DDD78 | 10000F002800000020000000400000000100010000000000000100000000000000000000000000000000000000000000FFFF | ....(... ...@..................................... |
| \BITMAP\129\2052 | C1A28 | 20028 | BCA28 | 280000008000000000010000010020000000000000000000C40E0000C40E00000000000000000000100606FF100402FF1308 | (............. ................................... |
| \BITMAP\30994\2052 | E2FB0 | B8 | DDFB0 | 280000000C0000000A0000000100040000000000500000000000000000000000000000000000000000000000000080000080 | (...................P............................. |
| \BITMAP\30996\2052 | E3068 | 144 | DE068 | 28000000210000000B0000000100040000000000DC0000000000000000000000000000000000000000000000000080000080 | (...!............................................. |
| \ICON\1\2052 | BEB40 | 25A8 | B9B40 | 280000003000000060000000010020000000000080250000130B0000130B0000000000000000000000000000000000000000 | (...0........ ......%............................ |
| \DIALOG\100\2052 | C1100 | 140 | BC100 | 0100FFFF0000000000000000C800C880040000000000EB00370000000000410062006F007500740020005500700064006100 | ........................7.....A.b.o.u.t. .U.p.d.a. |
| \DIALOG\102\2052 | C1240 | 1E0 | BC240 | 0100FFFF0000000000000400C800C8900900000000001C01AC00000000005500700064006100740065005300650065006400 | ..............................U.p.d.a.t.e.S.e.e.d. |
| \DIALOG\30721\2052 | E2EC8 | E8 | DDEC8 | C400C88000000000050009001A00B7004600000000004E0065007700000008004D00530020005300680065006C006C002000 | ................F.....N.e.w.....M.S. .S.h.e.l.l. . |
| \STRING\7\2052 | E31B0 | 48 | DE1B0 | 0000000000000000000014002600410062006F0075007400200055007000640061007400650053006500650064002E002E002E000000000000000000000000000000000000000000 | ............&.A.b.o.u.t. .U.p.d.a.t.e.S.e.e.d........................... |
| \STRING\3841\2052 | E31F8 | 82 | DE1F8 | 04004F00700065006E00070053006100760065002000410073000F0041006C006C002000460069006C006500730020002800 | ..O.p.e.n...S.a.v.e. .A.s...A.l.l. .F.i.l.e.s. .(. |
| \STRING\3842\2052 | E3280 | 2A | DE280 | 000005002600480069006400650000000000000000000000000000000000000000000000000000000000 | ....&.H.i.d.e............................. |
| \STRING\3843\2052 | E32B0 | 192 | DE2B0 | 1E004E006F0020006500720072006F00720020006D0065007300730061006700650020006900730020006100760061006900 | ..N.o. .e.r.r.o.r. .m.e.s.s.a.g.e. .i.s. .a.v.a.i. |
| \STRING\3857\2052 | E3448 | 4E2 | DE448 | 110049006E00760061006C00690064002000660069006C0065006E0061006D0065002E0018004600610069006C0065006400 | ..I.n.v.a.l.i.d. .f.i.l.e.n.a.m.e.....F.a.i.l.e.d. |
| \STRING\3858\2052 | E3CC0 | 31A | DECC0 | 180050006C006500610073006500200065006E00740065007200200061006E00200069006E00740065006700650072002E00 | ..P.l.e.a.s.e. .e.n.t.e.r. .a.n. .i.n.t.e.g.e.r... |
| \STRING\3859\2052 | E39E0 | 2DC | DE9E0 | 170055006E00650078007000650063007400650064002000660069006C006500200066006F0072006D00610074002E005600 | ..U.n.e.x.p.e.c.t.e.d. .f.i.l.e. .f.o.r.m.a.t...V. |
| \STRING\3860\2052 | E4820 | 8A | DF820 | 1F00250031003A002000250032000A0043006F006E00740069006E00750065002000720075006E006E0069006E0067002000 | ..%.1.:. .%.2...C.o.n.t.i.n.u.e. .r.u.n.n.i.n.g. . |
| \STRING\3865\2052 | E3930 | AC | DE930 | 000000000000000000000000000000000000000000000000230055006E00610062006C006500200074006F00200072006500 | .........................U.n.a.b.l.e. .t.o. .r.e. |
| \STRING\3866\2052 | E4710 | DE | DF710 | 230055006E00610062006C006500200074006F0020006C006F006100640020006D00610069006C0020007300790073007400 | .U.n.a.b.l.e. .t.o. .l.o.a.d. .m.a.i.l. .s.y.s.t. |
| \STRING\3867\2052 | E3FE0 | 4C4 | DEFE0 | 12004E006F0020006500720072006F00720020006F0063006300750072007200650064002E002D0041006E00200075006E00 | ..N.o. .e.r.r.o.r. .o.c.c.u.r.r.e.d...-.A.n. .u.n. |
| \STRING\3868\2052 | E44A8 | 264 | DF4A8 | 12004E006F0020006500720072006F00720020006F0063006300750072007200650064002E002D0041006E00200075006E00 | ..N.o. .e.r.r.o.r. .o.c.c.u.r.r.e.d...-.A.n. .u.n. |
| \STRING\3869\2052 | E47F0 | 2C | DF7F0 | 060070006900780065006C007300000000000000000000000000000000000000000000000000000000000000 | ..p.i.x.e.l.s............................... |
| \STRING\3887\2052 | E48B0 | 42 | DF8B0 | 0000070055006E0063006800650063006B00050043006800650063006B0005004D006900780065006400000000000000000000000000000000000000000000000000 | ....U.n.c.h.e.c.k...C.h.e.c.k...M.i.x.e.d......................... |
| \GROUP_CURSOR\30977\2052 | E1C40 | 22 | DCC40 | 00000200020020004000010001003401000002001000200001000100B40000000300 | ...... .@.....4....... ........... |
| \GROUP_CURSOR\30998\2052 | E2430 | 14 | DD430 | 0000020001002000400001000100340100000900 | ...... .@.....4..... |
| \GROUP_CURSOR\30999\2052 | E1DA0 | 14 | DCDA0 | 0000020001002000400001000100340100000400 | ...... .@.....4..... |
| \GROUP_CURSOR\31000\2052 | E22E0 | 14 | DD2E0 | 0000020001002000400001000100340100000800 | ...... .@.....4..... |
| \GROUP_CURSOR\31001\2052 | E2190 | 14 | DD190 | 0000020001002000400001000100340100000700 | ...... .@.....4..... |
| \GROUP_CURSOR\31002\2052 | E2AC0 | 14 | DDAC0 | 0000020001002000400001000100340100000E00 | ...... .@.....4..... |
| \GROUP_CURSOR\31003\2052 | E2040 | 14 | DD040 | 0000020001002000400001000100340100000600 | ...... .@.....4..... |
| \GROUP_CURSOR\31004\2052 | E26D0 | 14 | DD6D0 | 0000020001002000400001000100340100000B00 | ...... .@.....4..... |
| \GROUP_CURSOR\31005\2052 | E1EF0 | 14 | DCEF0 | 0000020001002000400001000100340100000500 | ...... .@.....4..... |
| \GROUP_CURSOR\31006\2052 | E2580 | 14 | DD580 | 0000020001002000400001000100340100000A00 | ...... .@.....4..... |
| \GROUP_CURSOR\31007\2052 | E2820 | 14 | DD820 | 0000020001002000400001000100340100000C00 | ...... .@.....4..... |
| \GROUP_CURSOR\31008\2052 | E2970 | 14 | DD970 | 0000020001002000400001000100340100000D00 | ...... .@.....4..... |
| \GROUP_CURSOR\31009\2052 | E2C10 | 14 | DDC10 | 0000020001002000400001000100340100000F00 | ...... .@.....4..... |
| \GROUP_CURSOR\31010\2052 | E2D60 | 14 | DDD60 | 0000020001002000400001000100340100001000 | ...... .@.....4..... |
| \GROUP_CURSOR\31011\2052 | E2EB0 | 14 | DDEB0 | 0000020001002000400001000100340100001100 | ...... .@.....4..... |
| \GROUP_ICON\128\2052 | C10E8 | 14 | BC0E8 | 0000010001003030000001002000A82500000100 | ......00.... ..%.... |
| \VERSION\1\2052 | C1420 | 344 | BC420 | 440334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000 | D.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \24\1\2052 | C1768 | 2BB | BC768 | 3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E653D2279 | <?xml version="1.0" encoding="UTF-8" standalone="y |
| Intelligent String |
| • UpdateSeed.exe • 1.0.0.1 • .dpk • /cfg.txt • /mb/etc/version.txtqqdlproxy.dll • qqdl.exe • fGupdate/dellist.txt • /update/newfile.txt/update/localfilelist.txt • .exe • whsmppasswd::DATA_INI_INFO_T • COMCTL32.DLL • hhctrl.ocx • LOCntdll.dll • kernel32.dll • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer%s.dll • GMSWHEEL_ROLLMSG.INI • .HLP • .CHM • user32.dll • CLSID\%1\InprocHandler32ole32.dll • OLEACC.dll • (NG.com • .bat • .cmd • E:\work\PRJ\Tools\UpdateSeed\Release\UpdateSeed.pdbgK • KERNEL32.dll • GetNextDlgTabItemRCreateDialogIndirectParamA • USER32.dll • WINSPOOL.DRV • ADVAPI32.dll • .PBH • .PAX • .PBD |
| Flow Anomalies |
| Offset | RVA | Section | Type | Description |
|---|---|---|---|---|
| 3526 | 48942C | .text | CALL [static] | Indirect call to absolute memory address |
| 42CF | 4892DC | .text | CALL [static] | Indirect call to absolute memory address |
| 42E2 | 4892E0 | .text | CALL [static] | Indirect call to absolute memory address |
| 430D | 4892E4 | .text | CALL [static] | Indirect call to absolute memory address |
| 436E | 4892D8 | .text | CALL [static] | Indirect call to absolute memory address |
| 4392 | 4892E8 | .text | CALL [static] | Indirect call to absolute memory address |
| 4398 | 4B1228 | .text | CALL [static] | Indirect call to absolute memory address |
| 43E6 | 4892D4 | .text | CALL [static] | Indirect call to absolute memory address |
| 442C | 4892AC | .text | CALL [static] | Indirect call to absolute memory address |
| 443B | 4892B0 | .text | CALL [static] | Indirect call to absolute memory address |
| 444F | 4892B4 | .text | CALL [static] | Indirect call to absolute memory address |
| 4497 | 4892A8 | .text | CALL [static] | Indirect call to absolute memory address |
| 45EA | 4B1228 | .text | CALL [static] | Indirect call to absolute memory address |
| 45F1 | 4892D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 482A | 4892A8 | .text | CALL [static] | Indirect call to absolute memory address |
| 4860 | 4B1228 | .text | CALL [static] | Indirect call to absolute memory address |
| 4867 | 4892D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 489E | 4B1228 | .text | CALL [static] | Indirect call to absolute memory address |
| 48A5 | 4892D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 50FA | 489028 | .text | CALL [static] | Indirect call to absolute memory address |
| 5256 | 4894B0 | .text | CALL [static] | Indirect call to absolute memory address |
| 5266 | 4894B0 | .text | CALL [static] | Indirect call to absolute memory address |
| 5373 | 489448 | .text | CALL [static] | Indirect call to absolute memory address |
| 539A | 48942C | .text | CALL [static] | Indirect call to absolute memory address |
| 53BB | 4894AC | .text | CALL [static] | Indirect call to absolute memory address |
| 53F3 | 489444 | .text | CALL [static] | Indirect call to absolute memory address |
| 7597 | 4894B4 | .text | CALL [static] | Indirect call to absolute memory address |
| 8460 | 4892A4 | .text | CALL [static] | Indirect call to absolute memory address |
| 8560 | 489298 | .text | CALL [static] | Indirect call to absolute memory address |
| 857B | 48929C | .text | CALL [static] | Indirect call to absolute memory address |
| 8587 | 4892CC | .text | CALL [static] | Indirect call to absolute memory address |
| 85DF | 4892A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 8735 | 4892A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 875F | 4892A0 | .text | CALL [static] | Indirect call to absolute memory address |
| D59F | 4B9B28 | .text | CALL [static] | Indirect call to absolute memory address |
| DB6F | 4B9B28 | .text | CALL [static] | Indirect call to absolute memory address |
| DC7F | 4B9B28 | .text | CALL [static] | Indirect call to absolute memory address |
| EFBF | 4B9B28 | .text | CALL [static] | Indirect call to absolute memory address |
| 1DC92 | 4892D4 | .text | CALL [static] | Indirect call to absolute memory address |
| 1E218 | 4892D4 | .text | CALL [static] | Indirect call to absolute memory address |
| 21050 | 489538 | .text | JMP [static] | Indirect jump to absolute memory address |
| 30158 | 4B61D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 30191 | 4B61D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 301E8 | 4B61CC | .text | CALL [static] | Indirect call to absolute memory address |
| 301FB | 4B61CC | .text | CALL [static] | Indirect call to absolute memory address |
| 30212 | 4B61CC | .text | CALL [static] | Indirect call to absolute memory address |
| 3022D | 4B61D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 30238 | 4B61CC | .text | CALL [static] | Indirect call to absolute memory address |
| 302E1 | 4B61CC | .text | CALL [static] | Indirect call to absolute memory address |
| 302F3 | 4B61CC | .text | CALL [static] | Indirect call to absolute memory address |
| 3037A | 4B61CC | .text | CALL [static] | Indirect call to absolute memory address |
| 3039D | 4B61CC | .text | CALL [static] | Indirect call to absolute memory address |
| 3041A | 4B61D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 30459 | 4B61D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 30497 | 4B61D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 304B0 | 4B61CC | .text | CALL [static] | Indirect call to absolute memory address |
| 304D9 | 4B61D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 304E5 | 4B61D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 3050E | 4B61CC | .text | CALL [static] | Indirect call to absolute memory address |
| 30547 | 4B61CC | .text | CALL [static] | Indirect call to absolute memory address |
| 305A1 | 4B9A8C | .text | CALL [static] | Indirect call to absolute memory address |
| 305BC | 4B9A8C | .text | CALL [static] | Indirect call to absolute memory address |
| 30628 | 4B61CC | .text | CALL [static] | Indirect call to absolute memory address |
| 30685 | 4B61D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 30696 | 4B61CC | .text | CALL [static] | Indirect call to absolute memory address |
| 30712 | 4B61CC | .text | CALL [static] | Indirect call to absolute memory address |
| 30781 | 4B61D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 30C37 | 4B61CC | .text | CALL [static] | Indirect call to absolute memory address |
| 30DD0 | 4B61D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 30DDE | 4B61CC | .text | CALL [static] | Indirect call to absolute memory address |
| 30E35 | 4B61D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 30F88 | 4B61D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 30F9F | 4B61D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 30FC1 | 4B61D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 31012 | 4B61D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 313D6 | FF | .text | JMP [static] | Indirect jump to absolute memory address |
| 315E1 | 4B61D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 316B4 | 4B61D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 316D9 | 4B61D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 317CB | 4B61D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 3205B | 4B9B28 | .text | CALL [static] | Indirect call to absolute memory address |
| 32943 | 4B61CC | .text | CALL [static] | Indirect call to absolute memory address |
| 32960 | 4B61CC | .text | CALL [static] | Indirect call to absolute memory address |
| 3299C | 4B61CC | .text | CALL [static] | Indirect call to absolute memory address |
| 32BF0 | 4B61CC | .text | CALL [static] | Indirect call to absolute memory address |
| 32C17 | 4B61D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 32C69 | 4B61D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 32C7D | 4B61CC | .text | CALL [static] | Indirect call to absolute memory address |
| 333CC | 4B9B28 | .text | CALL [static] | Indirect call to absolute memory address |
| 339BB | 4B61CC | .text | CALL [static] | Indirect call to absolute memory address |
| 339E3 | 4B61D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 33A79 | 4B61D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 33A8E | 4B61CC | .text | CALL [static] | Indirect call to absolute memory address |
| 35B8E | FF | .text | JMP [static] | Indirect jump to absolute memory address |
| 36E63 | 4B9B28 | .text | CALL [static] | Indirect call to absolute memory address |
| 43705 | 4B9B28 | .text | CALL [static] | Indirect call to absolute memory address |
| 4C1A8 | 489288 | .text | CALL [static] | Indirect call to absolute memory address |
| 4C1B4 | 4892CC | .text | CALL [static] | Indirect call to absolute memory address |
| 4C228 | 489284 | .text | CALL [static] | Indirect call to absolute memory address |
| 4C234 | 4892CC | .text | CALL [static] | Indirect call to absolute memory address |
| E0000 | N/A | *Overlay* | 77687061636B616765312E300000000002000000 | whpackage1.0........ |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 3537365 | 58,2042% |
| Null Byte Code | 958439 | 15,7703% |