PESCAN.IO - Analysis Report Basic
| Information |
| Field | Value |
|---|---|
| Size | 3,03 MB |
| SHA-256 Hash | 1E0F688D073BC087315DA70C4A8B61F9E7B25BA26FB5FDCBD3DC17166CF10540 |
| SHA-1 Hash | 65ED8922DC8DD479C152FE07A14DCE4CB6FDCAFF |
| MD5 Hash | AB557B538296F527DE68AA820AFD8F4A |
| Imphash | 14C06894A37B2888D36FCA7A856B1A8E |
| MajorOSVersion | 5 |
| MinorOSVersion | 1 |
| CheckSum | 00000000 |
| EntryPoint (rva) | 1AB169 |
| SizeOfHeaders | 400 |
| SizeOfImage | 363000 |
| ImageBase | 400000 |
| Architecture | x86 |
| ExportTable | 25A630 |
| ImportTable | 25AB40 |
| IAT | 1EF000 |
| Characteristics | 102 |
| TimeDateStamp | 59E6D266 |
| Date | 18/10/2017 4:02:46 |
| File Type | EXE |
| Number Of Sections | 8 |
| ASLR | Enabled |
| Section Names | .text, .rdata, .data, .gfids, .giats, .tls, .rsrc, .reloc |
| Number Of Executable Sections | 1 |
| Subsystem | Windows GUI |
| UAC Execution Level Manifest | asInvoker |
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 60000020 (Code, Executable, Readable) | 400 | 1EDE00 | 1000 | 1EDC0C | 6,5621 | 12427749,03 |
| .rdata | 40000040 (Initialized Data, Readable) | 1EE200 | 6F200 | 1EF000 | 6F1DA | 5,1954 | 21619944,73 |
| .data | C0000040 (Initialized Data, Readable, Writeable) | 25D400 | 9000 | 25F000 | 60AB0 | 4,8912 | 836449,17 |
| .gfids | 40000040 (Initialized Data, Readable) | 266400 | 1AE00 | 2C0000 | 1ACD8 | 4,2282 | 7398729,30 |
| .giats | 40000040 (Initialized Data, Readable) | 281200 | 200 | 2DB000 | 10 | 0,1552 | 126502,00 |
| .tls | C0000040 (Initialized Data, Readable, Writeable) | 281400 | 200 | 2DC000 | 9 | 0,0204 | 130049,00 |
| .rsrc | 40000040 (Initialized Data, Readable) | 281600 | 61400 | 2DD000 | 61380 | 6,9004 | 2520236,27 |
| .reloc | 42000040 (Initialized Data, GP-Relative, Readable) | 2E2A00 | 24000 | 33F000 | 23E40 | 6,4965 | 583753,35 |
| Description |
| Field | Value |
|---|---|
| OriginalFilename | Odin.exe |
| CompanyName | Samsung Electronics Co., Ltd. |
| LegalCopyright | (c) Samsung Electronics. All rights reserved. |
| ProductName | Odin Downloader |
| FileVersion | 2017.10.18.1 |
| FileDescription | Odin Downloader |
| ProductVersion | 3.13.1.3B |
| Language | Korean (Korea) (ID=0x412) |
| CodePage | Unknown (0x3B5) (0x3B5) |
| Entry Point |
| Field | Value |
|---|---|
| Section containing the entry point | Section number 1 (.text) |
| EntryPoint (calculated) | 1AA569 |
| Code | E8660C0000E98EFEFFFF3B0DF4FF6500F27502F2C3F2E94B000000558BECF6450801568BF1C706F4C76100740A6A0C56E808 |
| Disassembly | • CALL 0X1C6B • JMP 0XE98 • CMP ECX, DWORD PTR [0X65FFF4] • BND JNE 0X1015 • BND RET • BND JMP 0X1066 • PUSH EBP • MOV EBP, ESP • TEST BYTE PTR [EBP + 8], 1 • PUSH ESI • MOV ESI, ECX • MOV DWORD PTR [ESI], 0X61C7F4 • JE 0X1037 • PUSH 0XC • PUSH ESI |
| Signatures |
| Check | Result |
|---|---|
| Rich Signature Analyzer: Code | 11DD738255BC1DD155BC1DD155BC1DD1E120ECD14FBC1DD1E120EED191BC1DD1E120EFD174BC1DD1CB1CDAD153BC1DD1B0E518D057BC1DD15CC499D154BC1DD15CC49ED15ABC1DD15CC48ED176BC1DD155BC1CD149BF1DD16EE21ED04FBC1DD16EE219D071BC1DD16EE218D02FBD1DD1C2E214D06ABC1DD1C2E21DD054BC1DD1C7E2E2D154BC1DD155BC8AD154BC1DD1C2E21FD054BC1DD15269636855BC1DD1 |
| Footprint md5 Hash | 4A89007C8DDE8AA209CC74FFA663FBA0 |
| Rich header | The Rich header apparently has not been modified |
| Certificate - Digital Signature | Not Found: the file is not signed |
| Packer/Compiler |
| Source | Result |
|---|---|
| Compiler | Microsoft Visual C ++ 6 DLL |
| Detect It Easy (die) | PE: compiler: EP:Microsoft Visual C/C++(2013-2017)[EXE32] |
| Detect It Easy (die) | PE: compiler: Microsoft Visual C/C++(2015 v.14.0)[-] |
| Detect It Easy (die) | PE: linker: Microsoft Linker(14.0, Visual Studio 2015 14.0*)[-] |
| Detect It Easy (die) | Entropy: 6.69954 |
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | VirtualAlloc | Reserve, commit, or both, a region of memory within the virtual address space of a process. |
| KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module. |
| KERNEL32.DLL | CopyFileW | Copies an existing file to a new file. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | LoadLibraryW | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |
| USER32.DLL | GetAsyncKeyState | Retrieves the status of a virtual key asynchronously. |
| SHELL32.DLL | ShellExecuteW | Performs a run operation on a specific file. |
| Windows REG (UNICODE) |
| • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer • Software\Microsoft\Windows\CurrentVersion\Policies\Network • Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32 • Software\Classes\ • Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer - NoRun |
| File Access |
| Odin3 v3.07.exe WINMM.dll IMM32.dll gdiplus.dll OLEACC.dll oledlg.dll OLEAUT32.dll ole32.dll UxTheme.dll SHLWAPI.dll COMCTL32.dll SHELL32.dll ADVAPI32.dll MSIMG32.dll GDI32.dll USER32.dll KERNEL32.dll Comdlg32.dll .dat @.dat Temp |
| File Access (UNICODE) |
| \Odin3.ini download-list.txt Odin.exe Odin3_v310.exe mscoree.dll ole32.dll dwmapi.dll uxtheme.dll shell32.dll DWrite.dll HD2D1.dll Hmfcm140u.dll comctl32.dll F4_Comdlg32.dll Advapi32.dll MSFTEDIT.DLL RICHED20.DLL cqgGtoGTc9tGRICHED32.DLL %Ts%Ts.dll user32.dll kernel32.dll Kernel32.dll GetModuleHandleExWComctl32.dll Odin3.ini Temp |
| Interest's Words |
| lockbit outlook ToolBar Encrypt Decrypt Encryption exec attrib start cipher shutdown systeminfo replace |
| Interest's Words (UNICODE) |
| outlook ToolBar exec start pause ping replace route |
| URLs |
| http://schemas.microsoft.com/SMI/2005/WindowsSettings |
| URLs (UNICODE) |
| https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=FGRATK56NKW7W"> DONATE TO 3B EFFORT</a> |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | WinAPI Sockets (connect) |
| Text | Unicode | WinAPI Sockets (connect) |
| Text | Unicode | WinAPI Sockets (send) |
| Text | Ascii | Registry (RegCreateKeyEx) |
| Text | Ascii | Registry (RegOpenKeyEx) |
| Text | Ascii | Registry (RegSetValueEx) |
| Text | Ascii | Registry (RegDeleteKeyEx) |
| Text | Ascii | File (GetTempPath) |
| Text | Ascii | File (CopyFile) |
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | File (ReadFile) |
| Text | Ascii | Encryption (Base64Decode) |
| Text | Ascii | Encryption (CipherMode) |
| Text | Ascii | Encryption (Rijndael) |
| Text | Ascii | Anti-Analysis VM (IsDebuggerPresent) |
| Text | Ascii | Anti-Analysis VM (GetSystemInfo) |
| Text | Ascii | Anti-Analysis VM (GetVersion) |
| Text | Ascii | Reconnaissance (FindFirstFileW) |
| Text | Ascii | Reconnaissance (FindNextFileW) |
| Text | Ascii | Reconnaissance (FindClose) |
| Text | Ascii | Stealth (ExitThread) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Stealth (VirtualAlloc) |
| Text | Ascii | Stealth (VirtualProtect) |
| Text | Ascii | Execution (ShellExecute) |
| Text | Ascii | Execution (ResumeThread) |
| Text | Ascii | Execution (CreateSemaphoreW) |
| Text | Ascii | Execution (CreateEventW) |
| Text | Unicode | Antivirus Software (rising) |
| Text | Ascii | Keyboard Key (Scroll) |
| Text | Unicode | Keyboard Key (Scroll) |
| Text | Unicode | Keyboard Key (RightArrow) |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | VC8 - Microsoft Corporation |
| Intelligent String |
| • download-list.txt • Ignore UFS_Header.bin • UFS_Header.bin • .\Odin3.ini • Kernel32.dll • Comctl32.dll • @.tls • f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp • kernel32.dll • f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl • user32.dll • hhctrl.ocx • %Ts%Ts.dll • f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp • RICHED20.DLL • MSFTEDIT.DLL • Advapi32.dll • F4_Comdlg32.dll • Comdlg32.dll • f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp • comctl32.dll • Hmfcm140u.dll • HD2D1.dll • DWrite.dll • z?TaskDialogIndirect • shell32.dll • uxtheme.dll • dwmapi.dll • f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp • .CHM • .HLP • .INI • ole32.dll • f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewcore.cpp • f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winfrm.cpp • f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledrop2.cpp • f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_s.cpp • f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olestrm.cpp • .exe • .cmd • .bat • .com • mscoree.dll • jloup@gzip.orgmadler@alumni.caltech.edu • .tgz • .tar • C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\atlmfc\include\afxwin1.inl • D:\tool\odin\Odin3\Odin3Downloader\Release\Odin3 v3.07.pdb • .data$r~&0|.bss • .tls • DestroyWindowaCreateDialogIndirectParamW • GDI32.dll • WINSPOOL.DRV • COMCTL32.dll • oledlg.dll • .PAX • .PBH • .PBE • Odin 3B Patched<a href="https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=FGRATK56NKW7W"> DONATE TO 3B EFFORT</a> • Odin3_v310.exe • Odin.exe • <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" 
uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware></windowsSettings></application></assembly> |
| Flow Anomalies |
| Offset | RVA | Section | Description |
|---|---|---|---|
| 183B2-183CF | N/A | .text | Unusual BP Cave, count: 30 |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 1764313 | 55,6063% |
| Null Byte Code | 513547 | 16,1856% |
| NOP Cave Found | 0x9090909090, Block Count: 1 | Total: 0,0001% |