PESCAN.IO - Analysis Report Basic
| File Structure |
PE chart legend (chart image not reproduced):
• Header PE (light blue)
• Executable sections (pink)
• Non-executable sections (black)
• External injected code (red)
• File Structure in red = malformed or corrupted header

Chart legend for other files:
• Printable characters (blue)
• Non-printable characters (black)
| Information |
| • Size: 1,06 MB • SHA-256 Hash: 5D69A932A077FEE044B193C28E84564143F5C7E51079AB48E88FEF74AB0B77B7 • SHA-1 Hash: 96BB030389AC938C5EBC6BD2E9FCC86A10E5F2FD • MD5 Hash: 80CDD5F19D704A001589976BAE277BAB • Imphash: 3614AFAB8D930EE31934510EDB015CDC • MajorOSVersion: 5 • MinorOSVersion: 2 • CheckSum: 00118D02 • EntryPoint (rva): 24750 • SizeOfHeaders: 400 • SizeOfImage: 114000 • ImageBase: 0000000140000000 • Architecture: x64 • ImportTable: EE870 • IAT: BC000 • Characteristics: 22 • TimeDateStamp: 68BD45AC • Date: 07/09/2025 8:43:24 • File Type: EXE • Number Of Sections: 7 • ASLR: Disabled • Section Names (Optional Header): .text, .rdata, .data, .pdata, .fptable, .rsrc, .reloc • Number Of Executable Sections: 1 • Subsystem: Windows GUI • UAC Execution Level Manifest: asInvoker |
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 0x60000020 Code Executable Readable | 400 | BA800 | 1000 | BA7D4 | | |
| .rdata | 0x40000040 Initialized Data Readable | BAC00 | 36000 | BC000 | 35F48 | | |
| .data | 0xC0000040 Initialized Data Readable Writeable | F0C00 | 5200 | F2000 | 9190 | | |
| .pdata | 0x40000040 Initialized Data Readable | F5E00 | 7400 | FC000 | 735C | | |
| .fptable | 0xC0000040 Initialized Data Readable Writeable | FD200 | 200 | 104000 | 100 | | |
| .rsrc | 0x40000040 Initialized Data Readable | FD400 | D800 | 105000 | D750 | | |
| .reloc | 0x42000040 Initialized Data GP-Relative Readable | 10AC00 | C00 | 113000 | AE0 | | |
| Description |
| • OriginalFilename: AutoIt3.exe • CompanyName: AutoIt Team • LegalCopyright: 1999-2025 Jonathan Bennett & AutoIt Team • ProductName: AutoIt v3 Script • FileDescription: AutoIt v3 Script • Comments: http://www.autoitscript.com/autoit3/ • Language: English (United Kingdom) (ID=0x809) • CodePage: Unicode (UTF-16 LE) (0x4B0) |
| Entry Point |
Section number 1 contains the entry point. EntryPoint (calculated): 23B50. Code: 4883EC28E8B30600004883C428E97AFEFFFFCCCC40534883EC20488BD9488BC2488D0D11C309000F57C048890B488D530848 Assembler: • SUB RSP, 0X28 • CALL 0X16BC • ADD RSP, 0X28 • JMP 0XE8C • INT3 • INT3 • PUSH RBX • SUB RSP, 0X20 • MOV RBX, RCX • MOV RAX, RDX • LEA RCX, [RIP + 0X9C311] • XORPS XMM0, XMM0 • MOV QWORD PTR [RBX], RCX • LEA RDX, [RBX + 8]
| Signatures |
| Rich Signature Analyzer: • Code: BBB94F34FFD82167FFD82167FFD821678B5924664ED821678B592266E9D821677851DC67FED8216778512266F6D8216778512566EED8216778512466CED821678B592566D5D821678B592766FED821678B592066DAD82167FFD82067CDDA216774512F66AED8216774512266FED821677451DE67FED82167FFD8B667FDD8216774512366FED8216752696368FFD82167 • Footprint MD5 hash: ED005016725898265E6DD3BF2BC584CD • The Rich header apparently has not been modified. Certificate - Digital Signature: • The file is signed and the signature is correct |
| Packer/Compiler |
| Detect It Easy (die) • PE+(64): compiler: Microsoft Visual C/C++(-)[-] • PE+(64): linker: Microsoft Linker(14.44**)[-] • PE+(64): Sign tool: Windows Authenticode(2.0)[PKCS 7] • Entropy: 6.43298 |
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | VirtualAlloc | Reserve, commit, or both, a region of memory within the virtual address space of a process. |
| KERNEL32.DLL | CopyFileW | Copies an existing file to a new file. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | LoadLibraryW | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | CreateToolhelp32Snapshot | Creates a snapshot of the specified processes, heaps, threads, and modules. |
| KERNEL32.DLL | WriteProcessMemory | Writes data to an area of memory in a specified process. |
| KERNEL32.DLL | ReadProcessMemory | Reads data from an area of memory in a specified process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |
| USER32.DLL | GetAsyncKeyState | Retrieves the status of a virtual key asynchronously. |
| SHELL32.DLL | ShellExecuteW | Performs a run operation on a specific file. |
| SHELL32.DLL | ShellExecuteExW | Performs a run operation on a specific file. |
| Windows REG (UNICODE) |
| • Software\AutoIt v3\AutoIt • SOFTWARE\Classes\ • SYSTEM\CurrentControlSet\Control\Nls\Language |
| File Access |
| OLEAUT32.dll ole32.dll SHELL32.dll ADVAPI32.dll COMDLG32.dll GDI32.dll USER32.dll KERNEL32.dll UxTheme.dll USERENV.dll IPHLPAPI.DLL PSAPI.DLL WININET.dll MPR.dll COMCTL32.dll WINMM.dll VERSION.dll WSOCK32.dll .dat @.dat Temp UserProfile |
| File Access (UNICODE) |
| AutoIt3.exe mscoree.dll Temp ProgramFiles AppData UserProfile |
| Words of Interest |
| exec attrib start shutdown systeminfo ping replace |
| Words of Interest (UNICODE) |
| exec attrib start pause comspec shutdown ping expand replace |
| URLs |
| http://ocsp.globalsign.com/rootr30; http://secure.globalsign.com/cacert/root-r3.crt http://crl.globalsign.com/root-r3.crl http://ocsp.globalsign.com/codesigningrootr450F http://secure.globalsign.com/cacert/codesigningrootr45.crt http://crl.globalsign.com/codesigningrootr45.crl http://secure.globalsign.com/cacert/gsgccr45codesignca2020.crt http://ocsp.globalsign.com/gsgccr45codesignca20200V http://crl.globalsign.com/gsgccr45codesignca2020.crl http://ocsp.globalsign.com/ca/gstsacasha384g40C http://secure.globalsign.com/cacert/gstsacasha384g4.crt http://crl.globalsign.com/ca/gstsacasha384g4.crl http://ocsp2.globalsign.com/rootr606 http://crl.globalsign.com/root-r6.crl https://www.globalsign.com/repository/ https://www.autoitscript.com/autoit3/ https://www.globalsign.com/repository/0 |
| URLs (UNICODE) |
| http://www.autoitscript.com/autoit3/ |
| IP Addresses |
| 255.255.255.255 |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | Registry (RegCreateKeyEx) |
| Text | Ascii | Registry (RegOpenKeyEx) |
| Text | Ascii | Registry (RegSetValueEx) |
| Text | Ascii | Registry (RegDeleteKeyEx) |
| Text | Ascii | File (GetTempPath) |
| Text | Ascii | File (CopyFile) |
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | File (ReadFile) |
| Text | Ascii | Anti-Analysis VM (IsDebuggerPresent) |
| Text | Ascii | Anti-Analysis VM (GetSystemInfo) |
| Text | Ascii | Anti-Analysis VM (GlobalMemoryStatusEx) |
| Text | Ascii | Anti-Analysis VM (GetVersion) |
| Text | Ascii | Anti-Analysis VM (CreateToolhelp32Snapshot) |
| Text | Ascii | Reconnaissance (FindFirstFileW) |
| Text | Ascii | Reconnaissance (FindNextFileW) |
| Text | Ascii | Reconnaissance (FindClose) |
| Text | Ascii | Stealth (ExitThread) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Stealth (VirtualAlloc) |
| Text | Ascii | Stealth (VirtualProtect) |
| Text | Ascii | Stealth (ReadProcessMemory) |
| Text | Ascii | Execution (CreateProcessA) |
| Text | Ascii | Execution (CreateProcessW) |
| Text | Ascii | Execution (ShellExecute) |
| Text | Ascii | Execution (ResumeThread) |
| Text | Ascii | Execution (CreateEventW) |
| Text | Unicode | Privileges (SeAssignPrimaryTokenPrivilege) |
| Text | Unicode | Privileges (SeBackupPrivilege) |
| Text | Unicode | Privileges (SeDebugPrivilege) |
| Text | Unicode | Privileges (SeIncreaseQuotaPrivilege) |
| Text | Unicode | Privileges (SeRestorePrivilege) |
| Text | Unicode | Privileges (SeShutdownPrivilege) |
| Text | Unicode | Keyboard Key (ALTDOWN) |
| Text | Unicode | Keyboard Key (ALTUP) |
| Text | Unicode | Keyboard Key (SHIFTDOWN) |
| Text | Unicode | Keyboard Key (SHIFTUP) |
| Text | Unicode | Keyboard Key (CTRLDOWN) |
| Text | Unicode | Keyboard Key (CTRLUP) |
| Text | Unicode | Keyboard Key (LWINDOWN) |
| Text | Unicode | Keyboard Key (LWINUP) |
| Text | Unicode | Keyboard Key (RWINDOWN) |
| Text | Unicode | Keyboard Key (RWINUP) |
| Text | Unicode | Keyboard Key (LBUTTON) |
| Text | Unicode | Keyboard Key (MBUTTON) |
| Text | Unicode | Keyboard Key (RBUTTON) |
| Text | Unicode | Keyboard Key (NUMPAD0) |
| Text | Unicode | Keyboard Key (NUMPAD1) |
| Text | Unicode | Keyboard Key (NUMPAD2) |
| Text | Unicode | Keyboard Key (NUMPAD3) |
| Text | Unicode | Keyboard Key (NUMPAD4) |
| Text | Unicode | Keyboard Key (NUMPAD5) |
| Text | Unicode | Keyboard Key (NUMPAD6) |
| Text | Unicode | Keyboard Key (NUMPAD7) |
| Text | Unicode | Keyboard Key (NUMPAD8) |
| Text | Unicode | Keyboard Key (NUMPAD9) |
| Text | Unicode | Keyboard Key (CapsLock) |
| Text | Ascii | Malicious rerouting of traffic to an attacker-controlled site (Redirect) |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8.0 (DLL) |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \ICON\1\2057 | 107AF0 | 668 | FFEF0 | 2800000030000000600000000100040000000000000000000000000000000000000000000000000000000000FFFFFF00C0C0 | (...0............................................ |
| \ICON\2\2057 | 108158 | 2E8 | 100558 | 2800000020000000400000000100040000000000000000000000000000000000000000000000000000000000FFFFFF00C0C0 | (... ...@......................................... |
| \ICON\3\2057 | 108440 | 128 | 100840 | 2800000010000000200000000100040000000000000000000000000000000000000000000000000000000000FFFFFF00C0C0 | (....... ......................................... |
| \ICON\4\2057 | 108568 | EA8 | 100968 | 2800000030000000600000000100080000000000000000000000000000000000000000000000000000000000F0F0F000F0EF | (...0............................................ |
| \ICON\5\2057 | 109410 | 8A8 | 101810 | 2800000020000000400000000100080000000000000000000000000000000000000000000000000000000000F0F0F000EDEC | (... ...@......................................... |
| \ICON\6\2057 | 109CB8 | 568 | 1020B8 | 2800000010000000200000000100080000000000000000000000000000000000000000000000000000000000F0F0F000EFEF | (....... ......................................... |
| \ICON\7\2057 | 10A220 | 3F41 | 102620 | 89504E470D0A1A0A0000000D49484452000001000000010008060000005C72A866000020004944415478DAEDBD79905CF775 | .PNG........IHDR.............\r.f.. .IDATx...y.\.u |
| \ICON\8\2057 | 10E168 | 25A8 | 106568 | 2800000030000000600000000100200000000000000000000000000000000000000000000000000000000000000000000000 | (...0........ ................................... |
| \ICON\9\2057 | 110710 | 10A8 | 108B10 | 2800000020000000400000000100200000000000000000000000000000000000000000000000000000000000000000000000 | (... ...@..... ................................... |
| \ICON\10\2057 | 1117B8 | 468 | 109BB8 | 2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000 | (....... ..... ................................... |
| \ICON\11\2057 | 111CB8 | 128 | 10A0B8 | 2800000010000000200000000100040000000000C000000000000000000000000000000000000000000000007A60EB00795F | (....... ...................................z..y_ |
| \ICON\12\2057 | 111DF8 | 128 | 10A1F8 | 28000000100000002000000001000400000000008000000000000000000000001000000010000000000000007A60EB00795F | (....... ...................................z..y_ |
| \ICON\13\2057 | 111F38 | 128 | 10A338 | 2800000010000000200000000100040000000000C000000000000000000000000000000000000000000000007A60EB00795F | (....... ...................................z..y_ |
| \MENU\166\2057 | 112178 | 50 | 10A578 | 00000000900043006F006E007400650078007400310000000000A7005300630072006900700074002000260050006100750073006500640000000000000000008000A800450026007800690074000000 | ......C.o.n.t.e.x.t.1.......S.c.r.i.p.t. .&.P.a.u.s.e.d.............E.&.x.i.t... |
| \DIALOG\1000\2057 | 112078 | FC | 10A478 | 0100FFFF00000000000004004C0ACC80040000000000A2005F00000000004100750074006F0049007400200049006E007000 | ............L..........._.....A.u.t.o.I.t. .I.n.p. |
| \STRING\7\2057 | 105970 | 594 | FDD70 | 0000000000000000000009002800500061007500730065006400290020000C004100750074006F0049007400200045007200 | ............(.P.a.u.s.e.d.). ...A.u.t.o.I.t. .E.r. |
| \STRING\8\2057 | 106FF8 | 68A | FF3F8 | 300049006E0063006F007200720065006300740020006E0075006D0062006500720020006F00660020007000610072006100 | 0.I.n.c.o.r.r.e.c.t. .n.u.m.b.e.r. .o.f. .p.a.r.a. |
| \STRING\9\2057 | 106B68 | 490 | FEF68 | 30004500780070006500630074006500640020006100200022003D00220020006F00700065007200610074006F0072002000 | 0.E.x.p.e.c.t.e.d. .a. .".=.". .o.p.e.r.a.t.o.r. . |
| \STRING\10\2057 | 106568 | 5FC | FE968 | 1A0049006E00760061006C00690064002000660069006C0065002000660069006C0074006500720020006700690076006500 | ..I.n.v.a.l.i.d. .f.i.l.e. .f.i.l.t.e.r. .g.i.v.e. |
| \STRING\11\2057 | 105F08 | 65C | FE308 | 3E002200530065006C0065006300740022002000730074006100740065006D0065006E00740020006900730020006D006900 | >.".S.e.l.e.c.t.". .s.t.a.t.e.m.e.n.t. .i.s. .m.i. |
| \STRING\12\2057 | 107688 | 466 | FFA88 | 4800430061006E0020007000610073007300200063006F006E007300740061006E0074007300200062007900200072006500 | H.C.a.n. .p.a.s.s. .c.o.n.s.t.a.n.t.s. .b.y. .r.e. |
| \STRING\313\2057 | 1121C8 | 158 | 10A5C8 | 00000000000000000000000000000000150055006E00610062006C006500200074006F002000700061007200730065002000 | ..................U.n.a.b.l.e. .t.o. .p.a.r.s.e. . |
| \GROUP_ICON\99\2057 | 111C20 | 92 | 10A020 | 000001000A0030301000010004006806000001002020100001000400E8020000020010101000010004002801000003003030 | ......00......h..... ....................(.....00 |
| \GROUP_ICON\162\2057 | 111F20 | 14 | 10A320 | 0000010001001010100001000400280100000C00 | ..............(..... |
| \GROUP_ICON\164\2057 | 112060 | 14 | 10A460 | 0000010001001010100001000400280100000D00 | ..............(..... |
| \GROUP_ICON\169\2057 | 111DE0 | 14 | 10A1E0 | 0000010001001010100001000400280100000B00 | ..............(..... |
| \VERSION\1\2057 | 105600 | 370 | FDA00 | 700334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000300 | p.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \24\1\1033 | 112320 | 42C | 10A720 | EFBBBF3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E65 | ...<?xml version="1.0" encoding="UTF-8" standalone |
| Intelligent String |
| • AutoIt3.exe • kernel32.dll • RUNASWAIT • RUNAS • mscoree.dll • COMSPEC • runas • 0.0.0.0 • .lnk • 255.255.255.255 • .icl • .exe • .dll • .tls • .bss • COMCTL32.dll • KERNEL32.dll • USER32.dll • COMDLG32.dll |
| Flow Anomalies |
| Offset | RVA | Section | Description |
|---|---|---|---|
| 566 | N/A | .text | CALL QWORD PTR [RIP+0xBBDCC] |
| 5A7 | N/A | .text | CALL QWORD PTR [RIP+0xBBA7B] |
| 5E0 | N/A | .text | CALL QWORD PTR [RIP+0xBBA42] |
| 600 | N/A | .text | CALL QWORD PTR [RIP+0xBBA22] |
| 6FE | N/A | .text | CALL QWORD PTR [RIP+0xBB6DC] |
| 75B | N/A | .text | CALL QWORD PTR [RIP+0xBBB6F] |
| 77E | N/A | .text | CALL QWORD PTR [RIP+0xBBB34] |
| 78E | N/A | .text | CALL QWORD PTR [RIP+0xBBB1C] |
| 7A3 | N/A | .text | CALL QWORD PTR [RIP+0xBBAFF] |
| 7BC | N/A | .text | CALL QWORD PTR [RIP+0xBBAE6] |
| 7D5 | N/A | .text | CALL QWORD PTR [RIP+0xBBACD] |
| 804 | N/A | .text | CALL QWORD PTR [RIP+0xBB77E] |
| 86B | N/A | .text | CALL QWORD PTR [RIP+0xBBA2F] |
| 8F9 | N/A | .text | CALL QWORD PTR [RIP+0xBB9E1] |
| 95B | N/A | .text | CALL QWORD PTR [RIP+0xBB97F] |
| 971 | N/A | .text | CALL QWORD PTR [RIP+0xBB921] |
| 985 | N/A | .text | JMP QWORD PTR [RIP+0xBB90D] |
| 1163 | N/A | .text | CALL QWORD PTR [RIP+0xBA2BF] |
| 13B0 | N/A | .text | CALL QWORD PTR [RIP+0xBAA2A] |
| 156F | N/A | .text | CALL QWORD PTR [RIP+0xBA2D3] |
| 15EF | N/A | .text | CALL QWORD PTR [RIP+0xBA14B] |
| 1666 | N/A | .text | CALL QWORD PTR [RIP+0xBA3D4] |
| 167B | N/A | .text | CALL QWORD PTR [RIP+0xBA3B7] |
| 16F5 | N/A | .text | CALL QWORD PTR [RIP+0xBA14D] |
| 178C | N/A | .text | CALL QWORD PTR [RIP+0xBA29E] |
| 1814 | N/A | .text | CALL QWORD PTR [RIP+0xBA02E] |
| 2748 | N/A | .text | CALL QWORD PTR [RIP+0xB90BA] |
| 2843 | N/A | .text | CALL QWORD PTR [RIP+0xB8FFF] |
| 2929 | N/A | .text | CALL QWORD PTR [RIP+0xB8AF9] |
| 2957 | N/A | .text | CALL QWORD PTR [RIP+0xB8ADB] |
| 297A | N/A | .text | CALL QWORD PTR [RIP+0xB8AB0] |
| 2A2A | N/A | .text | CALL QWORD PTR [RIP+0xB9828] |
| 2A65 | N/A | .text | CALL QWORD PTR [RIP+0xB980D] |
| 2A94 | N/A | .text | CALL QWORD PTR [RIP+0xB97F6] |
| 2AA1 | N/A | .text | CALL QWORD PTR [RIP+0xB97E1] |
| 2AB7 | N/A | .text | CALL QWORD PTR [RIP+0xB97C3] |
| 2AC8 | N/A | .text | CALL QWORD PTR [RIP+0xB97A2] |
| 2B2B | N/A | .text | CALL QWORD PTR [RIP+0xB9787] |
| 2B5F | N/A | .text | CALL QWORD PTR [RIP+0xB973B] |
| 2B73 | N/A | .text | CALL QWORD PTR [RIP+0xB970F] |
| 2B91 | N/A | .text | CALL QWORD PTR [RIP+0xB89C1] |
| 2BAC | N/A | .text | CALL QWORD PTR [RIP+0xB89AE] |
| 2BC5 | N/A | .text | CALL QWORD PTR [RIP+0xB96DD] |
| 2BD8 | N/A | .text | CALL QWORD PTR [RIP+0xB8932] |
| 304D | N/A | .text | CALL QWORD PTR [RIP+0xB939D] |
| 314D | N/A | .text | CALL QWORD PTR [RIP+0xB93D5] |
| 32D1 | N/A | .text | CALL QWORD PTR [RIP+0xB8C91] |
| 33DE | N/A | .text | CALL QWORD PTR [RIP+0xB81A4] |
| 3460 | N/A | .text | CALL QWORD PTR [RIP+0xB8C72] |
| 350E | N/A | .text | CALL QWORD PTR [RIP+0xB88CC] |
| 3715 | N/A | .text | CALL QWORD PTR [RIP+0xB8005] |
| 373B | N/A | .text | CALL QWORD PTR [RIP+0xB7FE7] |
| 3753 | N/A | .text | CALL QWORD PTR [RIP+0xB7FD7] |
| 3783 | N/A | .text | CALL QWORD PTR [RIP+0xB7F9F] |
| 379B | N/A | .text | CALL QWORD PTR [RIP+0xB7F8F] |
| 38E3 | N/A | .text | CALL QWORD PTR [RIP+0xB7E37] |
| 390D | N/A | .text | CALL QWORD PTR [RIP+0xB7FBD] |
| 4168 | N/A | .text | CALL QWORD PTR [RIP+0xB811A] |
| 4450 | N/A | .text | CALL QWORD PTR [RIP+0xB7342] |
| 4778 | N/A | .text | CALL QWORD PTR [RIP+0xB7022] |
| 4790 | N/A | .text | CALL QWORD PTR [RIP+0xB700A] |
| 4962 | N/A | .text | CALL QWORD PTR [RIP+0xB6E48] |
| 499C | N/A | .text | CALL QWORD PTR [RIP+0xB6DFE] |
| 4B49 | N/A | .text | CALL QWORD PTR [RIP+0xB70D9] |
| 4DAD | N/A | .text | CALL QWORD PTR [RIP+0xB7315] |
| 4DEE | N/A | .text | CALL QWORD PTR [RIP+0xB740C] |
| 4E14 | N/A | .text | CALL QWORD PTR [RIP+0xB731E] |
| 4F80 | N/A | .text | CALL QWORD PTR [RIP+0xB7142] |
| 4FA7 | N/A | .text | CALL QWORD PTR [RIP+0xB7253] |
| 51D0 | N/A | .text | CALL QWORD PTR [RIP+0xB710A] |
| 51ED | N/A | .text | CALL QWORD PTR [RIP+0xB6465] |
| 5200 | N/A | .text | CALL QWORD PTR [RIP+0xB70E2] |
| 5295 | N/A | .text | CALL QWORD PTR [RIP+0x82B9840F] |
| 5766 | N/A | .text | CALL QWORD PTR [RIP+0xB6B6C] |
| 65DA | N/A | .text | CALL QWORD PTR [RIP+0xB51D0] |
| 6D84 | N/A | .text | CALL QWORD PTR [RIP+0xB53C6] |
| 7189 | N/A | .text | CALL QWORD PTR [RIP+0xB4FC1] |
| 9E8C | N/A | .text | CALL QWORD PTR [RIP+0xB1866] |
| 9ED2 | N/A | .text | CALL QWORD PTR [RIP+0xB1820] |
| 9F50 | N/A | .text | CALL QWORD PTR [RIP+0xB17A2] |
| 9F96 | N/A | .text | CALL QWORD PTR [RIP+0xB175C] |
| A9EF | N/A | .text | CALL QWORD PTR [RIP+0xB0EC3] |
| AA75 | N/A | .text | CALL QWORD PTR [RIP+0xB1AA5] |
| B425 | N/A | .text | JMP QWORD PTR [RIP+0xB0ED5] |
| B537 | N/A | .text | CALL QWORD PTR [RIP+0xB0B9B] |
| B59B | N/A | .text | CALL QWORD PTR [RIP+0xAFFE7] |
| B5A3 | N/A | .text | CALL QWORD PTR [RIP+0xAFFDF] |
| B5AB | N/A | .text | CALL QWORD PTR [RIP+0xB0D1F] |
| B5B3 | N/A | .text | CALL QWORD PTR [RIP+0xB0B1F] |
| C64A | N/A | .text | CALL QWORD PTR [RIP+0xAF3E0] |
| C796 | N/A | .text | CALL QWORD PTR [RIP+0xAF294] |
| D364 | N/A | .text | CALL QWORD PTR [RIP+0xAEDE6] |
| 105D6 | N/A | .text | CALL QWORD PTR [RIP+0xAB984] |
| 107CB | N/A | .text | CALL QWORD PTR [RIP+0xABC0F] |
| 108F8 | N/A | .text | CALL QWORD PTR [RIP+0xAB65A] |
| 1094B | N/A | .text | CALL QWORD PTR [RIP+0xAB607] |
| 10960 | N/A | .text | CALL QWORD PTR [RIP+0xAAD82] |
| 1099D | N/A | .text | CALL QWORD PTR [RIP+0xAB5AD] |
| 109A8 | N/A | .text | CALL QWORD PTR [RIP+0xAB59A] |
| 109E8 | N/A | .text | CALL QWORD PTR [RIP+0xAB552] |
| CF138-CF145 | N/A | .rdata | Potential obfuscated jump sequence detected, count: 7 |
| CF1C2-CF1F1 | N/A | .rdata | Potential obfuscated jump sequence detected, count: 24 |
| D4240-D4357 | N/A | .rdata | Potential obfuscated jump sequence detected, count: 140 |
| D4394-D43BF | N/A | .rdata | Potential obfuscated jump sequence detected, count: 22 |
| F5E00 | 1000 | .pdata | ExceptionHook: Pointer to 1000 - 0x400 .text + UnwindInfo: .rdata |
| F5E0C | 102C | .pdata | ExceptionHook: Pointer to 102C - 0x42C .text + UnwindInfo: .rdata |
| F5E18 | 1048 | .pdata | ExceptionHook: Pointer to 1048 - 0x448 .text + UnwindInfo: .rdata |
| F5E24 | 1064 | .pdata | ExceptionHook: Pointer to 1064 - 0x464 .text + UnwindInfo: .rdata |
| F5E30 | 1080 | .pdata | ExceptionHook: Pointer to 1080 - 0x480 .text + UnwindInfo: .rdata |
| F5E3C | 10B0 | .pdata | ExceptionHook: Pointer to 10B0 - 0x4B0 .text + UnwindInfo: .rdata |
| F5E48 | 10CC | .pdata | ExceptionHook: Pointer to 10CC - 0x4CC .text + UnwindInfo: .rdata |
| F5E54 | 10E8 | .pdata | ExceptionHook: Pointer to 10E8 - 0x4E8 .text + UnwindInfo: .rdata |
| F5E60 | 1104 | .pdata | ExceptionHook: Pointer to 1104 - 0x504 .text + UnwindInfo: .rdata |
| F5E6C | 1120 | .pdata | ExceptionHook: Pointer to 1120 - 0x520 .text + UnwindInfo: .rdata |
| F5E78 | 1140 | .pdata | ExceptionHook: Pointer to 1140 - 0x540 .text + UnwindInfo: .rdata |
| F5E84 | 11C0 | .pdata | ExceptionHook: Pointer to 11C0 - 0x5C0 .text + UnwindInfo: .rdata |
| F5E90 | 120C | .pdata | ExceptionHook: Pointer to 120C - 0x60C .text + UnwindInfo: .rdata |
| F5E9C | 1328 | .pdata | ExceptionHook: Pointer to 1328 - 0x728 .text + UnwindInfo: .rdata |
| F5EA8 | 1364 | .pdata | ExceptionHook: Pointer to 1364 - 0x764 .text + UnwindInfo: .rdata |
| F5EB4 | 14A0 | .pdata | ExceptionHook: Pointer to 14A0 - 0x8A0 .text + UnwindInfo: .rdata |
| F5EC0 | 158C | .pdata | ExceptionHook: Pointer to 158C - 0x98C .text + UnwindInfo: .rdata |
| F5ECC | 1674 | .pdata | ExceptionHook: Pointer to 1674 - 0xA74 .text + UnwindInfo: .rdata |
| F5ED8 | 1750 | .pdata | ExceptionHook: Pointer to 1750 - 0xB50 .text + UnwindInfo: .rdata |
| F5EE4 | 178C | .pdata | ExceptionHook: Pointer to 178C - 0xB8C .text + UnwindInfo: .rdata |
| F5EF0 | 1A18 | .pdata | ExceptionHook: Pointer to 1A18 - 0xE18 .text + UnwindInfo: .rdata |
| F5EFC | 1A5C | .pdata | ExceptionHook: Pointer to 1A5C - 0xE5C .text + UnwindInfo: .rdata |
| F5F08 | 1B30 | .pdata | ExceptionHook: Pointer to 1B30 - 0xF30 .text + UnwindInfo: .rdata |
| F5F14 | 1B5C | .pdata | ExceptionHook: Pointer to 1B5C - 0xF5C .text + UnwindInfo: .rdata |
| F5F20 | 1BB0 | .pdata | ExceptionHook: Pointer to 1BB0 - 0xFB0 .text + UnwindInfo: .rdata |
| F5F2C | 1BFC | .pdata | ExceptionHook: Pointer to 1BFC - 0xFFC .text + UnwindInfo: .rdata |
| F5F38 | 1D9C | .pdata | ExceptionHook: Pointer to 1D9C - 0x119C .text + UnwindInfo: .rdata |
| F5F44 | 1DD0 | .pdata | ExceptionHook: Pointer to 1DD0 - 0x11D0 .text + UnwindInfo: .rdata |
| F5F50 | 1DEC | .pdata | ExceptionHook: Pointer to 1DEC - 0x11EC .text + UnwindInfo: .rdata |
| F5F5C | 1E33 | .pdata | ExceptionHook: Pointer to 1E33 - 0x1233 .text + UnwindInfo: .rdata |
| F5F68 | 1E49 | .pdata | ExceptionHook: Pointer to 1E49 - 0x1249 .text + UnwindInfo: .rdata |
| F5F74 | 1E64 | .pdata | ExceptionHook: Pointer to 1E64 - 0x1264 .text + UnwindInfo: .rdata |
| F5F80 | 1E8C | .pdata | ExceptionHook: Pointer to 1E8C - 0x128C .text + UnwindInfo: .rdata |
| F5F8C | 1EB4 | .pdata | ExceptionHook: Pointer to 1EB4 - 0x12B4 .text + UnwindInfo: .rdata |
| F5F98 | 1FD8 | .pdata | ExceptionHook: Pointer to 1FD8 - 0x13D8 .text + UnwindInfo: .rdata |
| F5FA4 | 2018 | .pdata | ExceptionHook: Pointer to 2018 - 0x1418 .text + UnwindInfo: .rdata |
| F5FB0 | 20A8 | .pdata | ExceptionHook: Pointer to 20A8 - 0x14A8 .text + UnwindInfo: .rdata |
| F5FBC | 210C | .pdata | ExceptionHook: Pointer to 210C - 0x150C .text + UnwindInfo: .rdata |
| F5FC8 | 2148 | .pdata | ExceptionHook: Pointer to 2148 - 0x1548 .text + UnwindInfo: .rdata |
| F5FD4 | 21A8 | .pdata | ExceptionHook: Pointer to 21A8 - 0x15A8 .text + UnwindInfo: .rdata |
| F5FE0 | 21D0 | .pdata | ExceptionHook: Pointer to 21D0 - 0x15D0 .text + UnwindInfo: .rdata |
| F5FEC | 2224 | .pdata | ExceptionHook: Pointer to 2224 - 0x1624 .text + UnwindInfo: .rdata |
| F5FF8 | 23AC | .pdata | ExceptionHook: Pointer to 23AC - 0x17AC .text + UnwindInfo: .rdata |
| F6004 | 248C | .pdata | ExceptionHook: Pointer to 248C - 0x188C .text + UnwindInfo: .rdata |
| F6010 | 25B8 | .pdata | ExceptionHook: Pointer to 25B8 - 0x19B8 .text + UnwindInfo: .rdata |
| F601C | 25E4 | .pdata | ExceptionHook: Pointer to 25E4 - 0x19E4 .text + UnwindInfo: .rdata |
| F6028 | 2610 | .pdata | ExceptionHook: Pointer to 2610 - 0x1A10 .text + UnwindInfo: .rdata |
| F6034 | 2680 | .pdata | ExceptionHook: Pointer to 2680 - 0x1A80 .text + UnwindInfo: .rdata |
| F6040 | 26FC | .pdata | ExceptionHook: Pointer to 26FC - 0x1AFC .text + UnwindInfo: .rdata |
| F604C | 27AC | .pdata | ExceptionHook: Pointer to 27AC - 0x1BAC .text + UnwindInfo: .rdata |
| F6058 | 28FC | .pdata | ExceptionHook: Pointer to 28FC - 0x1CFC .text + UnwindInfo: .rdata |
| F6064 | 29D8 | .pdata | ExceptionHook: Pointer to 29D8 - 0x1DD8 .text + UnwindInfo: .rdata |
| F6070 | 2FD4 | .pdata | ExceptionHook: Pointer to 2FD4 - 0x23D4 .text + UnwindInfo: .rdata |
| F607C | 3018 | .pdata | ExceptionHook: Pointer to 3018 - 0x2418 .text + UnwindInfo: .rdata |
| F6088 | 3080 | .pdata | ExceptionHook: Pointer to 3080 - 0x2480 .text + UnwindInfo: .rdata |
| F6094 | 30D8 | .pdata | ExceptionHook: Pointer to 30D8 - 0x24D8 .text + UnwindInfo: .rdata |
| F60A0 | 3138 | .pdata | ExceptionHook: Pointer to 3138 - 0x2538 .text + UnwindInfo: .rdata |
| F60AC | 31C0 | .pdata | ExceptionHook: Pointer to 31C0 - 0x25C0 .text + UnwindInfo: .rdata |
| F60B8 | 3218 | .pdata | ExceptionHook: Pointer to 3218 - 0x2618 .text + UnwindInfo: .rdata |
| F60C4 | 32B0 | .pdata | ExceptionHook: Pointer to 32B0 - 0x26B0 .text + UnwindInfo: .rdata |
| F60D0 | 3324 | .pdata | ExceptionHook: Pointer to 3324 - 0x2724 .text + UnwindInfo: .rdata |
| F60DC | 3374 | .pdata | ExceptionHook: Pointer to 3374 - 0x2774 .text + UnwindInfo: .rdata |
| F60E8 | 3418 | .pdata | ExceptionHook: Pointer to 3418 - 0x2818 .text + UnwindInfo: .rdata |
| F60F4 | 34E4 | .pdata | ExceptionHook: Pointer to 34E4 - 0x28E4 .text + UnwindInfo: .rdata |
| F6100 | 35A8 | .pdata | ExceptionHook: Pointer to 35A8 - 0x29A8 .text + UnwindInfo: .rdata |
| F610C | 36D0 | .pdata | ExceptionHook: Pointer to 36D0 - 0x2AD0 .text + UnwindInfo: .rdata |
| F6118 | 3800 | .pdata | ExceptionHook: Pointer to 3800 - 0x2C00 .text + UnwindInfo: .rdata |
| F6124 | 3864 | .pdata | ExceptionHook: Pointer to 3864 - 0x2C64 .text + UnwindInfo: .rdata |
| F6130 | 3894 | .pdata | ExceptionHook: Pointer to 3894 - 0x2C94 .text + UnwindInfo: .rdata |
| F613C | 3904 | .pdata | ExceptionHook: Pointer to 3904 - 0x2D04 .text + UnwindInfo: .rdata |
| F6148 | 3964 | .pdata | ExceptionHook: Pointer to 3964 - 0x2D64 .text + UnwindInfo: .rdata |
| F6154 | 3980 | .pdata | ExceptionHook: Pointer to 3980 - 0x2D80 .text + UnwindInfo: .rdata |
| F6160 | 39B4 | .pdata | ExceptionHook: Pointer to 39B4 - 0x2DB4 .text + UnwindInfo: .rdata |
| F616C | 3A08 | .pdata | ExceptionHook: Pointer to 3A08 - 0x2E08 .text + UnwindInfo: .rdata |
| F6178 | 3A58 | .pdata | ExceptionHook: Pointer to 3A58 - 0x2E58 .text + UnwindInfo: .rdata |
| F6184 | 3AA4 | .pdata | ExceptionHook: Pointer to 3AA4 - 0x2EA4 .text + UnwindInfo: .rdata |
| F6190 | 3AE0 | .pdata | ExceptionHook: Pointer to 3AE0 - 0x2EE0 .text + UnwindInfo: .rdata |
| F619C | 3B40 | .pdata | ExceptionHook: Pointer to 3B40 - 0x2F40 .text + UnwindInfo: .rdata |
| F61A8 | 3BBC | .pdata | ExceptionHook: Pointer to 3BBC - 0x2FBC .text + UnwindInfo: .rdata |
| F61B4 | 3BD8 | .pdata | ExceptionHook: Pointer to 3BD8 - 0x2FD8 .text + UnwindInfo: .rdata |
| F61C0 | 3F18 | .pdata | ExceptionHook: Pointer to 3F18 - 0x3318 .text + UnwindInfo: .rdata |
| F61CC | 3F34 | .pdata | ExceptionHook: Pointer to 3F34 - 0x3334 .text + UnwindInfo: .rdata |
| F61D8 | 3F50 | .pdata | ExceptionHook: Pointer to 3F50 - 0x3350 .text + UnwindInfo: .rdata |
| F61E4 | 3F6C | .pdata | ExceptionHook: Pointer to 3F6C - 0x336C .text + UnwindInfo: .rdata |
| F61F0 | 3F98 | .pdata | ExceptionHook: Pointer to 3F98 - 0x3398 .text + UnwindInfo: .rdata |
| F61FC | 4084 | .pdata | ExceptionHook: Pointer to 4084 - 0x3484 .text + UnwindInfo: .rdata |
| F6208 | 40B0 | .pdata | ExceptionHook: Pointer to 40B0 - 0x34B0 .text + UnwindInfo: .rdata |
| F6214 | 4118 | .pdata | ExceptionHook: Pointer to 4118 - 0x3518 .text + UnwindInfo: .rdata |
| F6220 | 4144 | .pdata | ExceptionHook: Pointer to 4144 - 0x3544 .text + UnwindInfo: .rdata |
| F622C | 4178 | .pdata | ExceptionHook: Pointer to 4178 - 0x3578 .text + UnwindInfo: .rdata |
| F6238 | 4198 | .pdata | ExceptionHook: Pointer to 4198 - 0x3598 .text + UnwindInfo: .rdata |
| F6244 | 4214 | .pdata | ExceptionHook: Pointer to 4214 - 0x3614 .text + UnwindInfo: .rdata |
| F6250 | 4280 | .pdata | ExceptionHook: Pointer to 4280 - 0x3680 .text + UnwindInfo: .rdata |
| F625C | 42C4 | .pdata | ExceptionHook: Pointer to 42C4 - 0x36C4 .text + UnwindInfo: .rdata |
| F6268 | 4324 | .pdata | ExceptionHook: Pointer to 4324 - 0x3724 .text + UnwindInfo: .rdata |
| F6274 | 436C | .pdata | ExceptionHook: Pointer to 436C - 0x376C .text + UnwindInfo: .rdata |
| F6280 | 43B4 | .pdata | ExceptionHook: Pointer to 43B4 - 0x37B4 .text + UnwindInfo: .rdata |
| F628C | 4480 | .pdata | ExceptionHook: Pointer to 4480 - 0x3880 .text + UnwindInfo: .rdata |
| F6298 | 4554 | .pdata | ExceptionHook: Pointer to 4554 - 0x3954 .text + UnwindInfo: .rdata |
| F62A4 | 4580 | .pdata | ExceptionHook: Pointer to 4580 - 0x3980 .text + UnwindInfo: .rdata |
| 10B800 | N/A | *Overlay* | 602E00000002020030822E4D06092A864886F70D | .......0..M..*.H... |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 633953 | 57,2391% |
| Null Byte Code | 204009 | 18,4198% |