PREMIUM PESCAN.IO - Analysis Report
| File Structure |
| [File structure chart: image not preserved] |
| Information |
| Field | Value |
|---|---|
| Size | 734,00 KB |
| SHA-256 Hash | 96C1E27805E08957209D004FE48EC0643C12FF2CFAB6FA0E944F5AAAD67BB291 |
| SHA-1 Hash | E0BE34B951E974292247F44959EB1AFC38AF9C57 |
| MD5 Hash | D5BD6AE35D9E8F0AADD8A23860F378F4 |
| Imphash | 92A14F5F423E96C4D043BD342582B6B7 |
| MajorOSVersion | 6 |
| MinorOSVersion | 0 |
| CheckSum | 000C6B32 |
| EntryPoint (rva) | 33B10 |
| SizeOfHeaders | 400 |
| SizeOfImage | BA000 |
| ImageBase | 10000000 |
| Architecture | x86 |
| ExportTable | 5C778 |
| ImportTable | 5C858 |
| IAT | 5C968 |
| Characteristics | 2102 |
| TimeDateStamp | 68424F66 |
| Date | 06/06/2025 2:16:06 |
| File Type | DLL |
| Number Of Sections | 5 |
| ASLR | Enabled |
| Section Names | .text, .rdata, .data, .rsrc, .reloc |
| Number Of Executable Sections | 1 |
| Subsystem | Windows GUI |
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 60000020 (Code, Executable, Readable) | 400 | 33E00 | 1000 | 33C23 | 6,2665 | 1416870,26 |
| .rdata | 40000040 (Initialized Data, Readable) | 34200 | 27E00 | 35000 | 27CA9 | 7,5752 | 179369,38 |
| .data | C0000040 (Initialized Data, Readable, Writeable) | 5C000 | 200 | 5D000 | B4 | 1,1164 | 93315,00 |
| .rsrc | 40000040 (Initialized Data, Readable) | 5C200 | 57C00 | 5E000 | 57A20 | 4,8641 | 16839709,82 |
| .reloc | 42000040 (Initialized Data, GP-Relative, Readable) | B3E00 | 3A00 | B6000 | 3818 | 6,7224 | 60613,90 |
| Description |
| Field | Value |
|---|---|
| OriginalFilename | "coreaudiopolicymanagerext.DYNLINK" |
| CompanyName | Microsoft Corporation |
| LegalCopyright | Microsoft Corporation. All rights reserved. |
| ProductName | Microsoft Windows Operating System |
| FileVersion | 10.0.26100.1150 (WinBuild.160101.0800) |
| FileDescription | "coreaudiopolicymanagerext.DYNLINK" |
| ProductVersion | 10.0.26100.1150 |
| Language | English (United States) (ID=0x409) |
| CodePage | Unicode (UTF-16 LE) (0x4B0) |
| Binder/Joiner/Crypter |
| 4 Executable files found |
| Entry Point |
| The section number (1) - (.text) has the Entry Point Information -> EntryPoint (calculated) - 32F10 |
| Code -> 5589E553575683E4FC83EC0C837D0C01B82F3B0310BE493B03100F45C6FFE0FF7508FF156CC90510E86F0F000085C0B9583B |
| • PUSH EBP |
| • MOV EBP, ESP |
| • PUSH EBX |
| • PUSH EDI |
| • PUSH ESI |
| • AND ESP, 0XFFFFFFFC |
| • SUB ESP, 0XC |
| • CMP DWORD PTR [EBP + 0XC], 1 |
| • MOV EAX, 0X10033B2F |
| • MOV ESI, 0X10033B49 |
| • CMOVNE EAX, ESI |
| • JMP EAX |
| • PUSH DWORD PTR [EBP + 8] |
| • CALL DWORD PTR [0X1005C96C] |
| • CALL 0X1F9C |
| • TEST EAX, EAX |
| EP changed to another address -> (Address Of EntryPoint > Base Of Data) |
| Signatures |
| Certificate - Digital Signature: • The file is not signed |
| Packer/Compiler |
| Compiler: Microsoft Visual Studio |
| Detect It Easy (die) • PE: linker: Microsoft Linker(14.0)[-] • Entropy: 6.38847 |
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | GetModuleFileNameA | Retrieve the fully qualified path for the executable file of a specified module. |
| KERNEL32.DLL | VirtualAlloc | Reserve, commit, or both, a region of memory within the virtual address space of a process. |
| KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |
| ADVAPI32.DLL | RegDeleteKeyA | Used to delete a subkey and its values from the Windows registry. |
| ADVAPI32.DLL | RegSetValueExA | Sets the data and type of a specified value under a registry key. |
| ET Functions (carving) |
| Original Name -> coreaudiopolicymanagerext.dll DllMain IsApmDuckingGainForIdSupported IsApmLayoutGainForIdSupported IsApmRegisterProxyAudioProcessSupported IsDataRangeForEndpointSupported IsHHostEdappManagerContextRundownSupported IsHdAudioProtocolNotifyRundownSupported IsPbmAllowMediaPlaybackForAppSupported IsPbmCastingAppStateChangedSupported IsPbmLaunchBackgroundTaskSupported IsPbmPlayToStreamStateChangedSupported IsPbmPlayingSupported IsPbmRegisterAppClosureNotificationSupported IsPbmRegisterAppManagerNotificationSupported IsPbmRegisterPlaybackManagerNotificationsSupported IsPbmReportAppClosingSupported IsPbmReportAppInteractivityChangeSupported IsPbmReportApplicationStateSupported IsPbmReportHostedAppStateChangeSupported IsPbmSessionPlayingSupported IsPbmSmtcSubscriptionStateSupported IsPbmSoundLevelSupported IsPbmSwitchSoftNonToHardNonInteractiveSupported IsPbmUnregisterAppClosureNotificationSupported IsPbmUnregisterAppManagerNotificationSupported IsPbmUnregisterPlaybackManagerNotificationsSupported IsScreenReaderStateSupported IsTSRegisterAudioProtocolNotificationSupported IsTSServiceSessionChangeSupported IsTSSessionGetAudioProtocolSupported IsTSSessionIdAudioProtocolSupported IsTSSessionIdRegisterVolumeTrackerForSessionSupported IsTSSessionIdStreamStartedSupported IsTSSessionIdStreamStoppedSupported IsTSUnregisterAudioProtocolNotificationSupported |
| Windows REG (UNICODE) |
| SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} SYSTEM\CurrentControlSet\Control\NetworkSetup2\Parameters SYSTEM\CurrentControlSet |
| File Access |
| MSBuild.exe KBDCZ2.dll api-ms-win-core-delayload-l1-1-0.dll api-ms-win-core-delayload-l1-1-1.dll api-ms-win-core-file-l1-1-0.dll api-ms-win-core-threadpool-l1-2-0.dll api-ms-win-core-debug-l1-1-0.dll api-ms-win-core-sysinfo-l1-1-0.dll api-ms-win-core-profile-l1-1-0.dll api-ms-win-core-processthreads-l1-1-0.dll api-ms-win-core-synch-l1-2-0.dll api-ms-win-core-registry-l1-1-0.dll api-ms-win-core-libraryloader-l1-2-0.dll api-ms-win-core-string-l2-1-0.dll api-ms-win-core-localization-l1-2-0.dll api-ms-win-core-handle-l1-1-0.dll api-ms-win-core-io-l1-1-1.dll api-ms-win-core-errorhandling-l1-1-0.dll api-ms-win-core-io-l1-1-0.dll api-ms-win-core-synch-l1-1-0.dll ntdll.dll msvcrt.dll NfcRadioManager.dll api-ms-win-devices-query-l1-1-0.dll api-ms-win-devices-config-l1-1-1.dll api-ms-win-core-com-l1-1-0.dll OLEAUT32.dll RPCRT4.dll api-ms-win-devices-config-l1-1-0.dll api-ms-win-core-registry-l2-1-0.dll api-ms-win-eventing-provider-l1-1-0.dll api-ms-win-core-string-l1-1-0.dll api-ms-win-core-heap-l1-1-0.dll api-ms-win-core-libraryloader-l1-1-0.dll NetSetupApi.dll api-ms-win-core-processthreads-l1-1-1.dll api-ms-win-core-rtlsupport-l1-1-0.dll api-ms-win-core-interlocked-l1-1-0.dll api-ms-win-crt-string-l1-1-0.dll api-ms-win-crt-private-l1-1-0.dll api-ms-win-crt-runtime-l1-1-0.dll coreaudiopolicymanagerext.dll USER32.dll SHELL32.dll GDI32.dll ADVAPI32.dll KERNEL32.dll taylor64.dll cryptngc.dll dsreg.dll api-ms-win-security-sddl-l1-1-0.dll CRYPT32.dll api-ms-win-core-rtlsupport-l1-2-0.dll api-ms-win-security-base-l1-2-0.dll api-ms-win-core-heap-l1-2-0.dll aadCloudAP.dll AadAuthHelper.dll api-ms-win-core-heap-l2-1-0.dll MSBuild.dll api-ms-win-core-util-l1-1-0.dll .dll Windows.Sys .dat @.dat Windows.Foundation.Dat MSBuild_NodeShutdown_{0}.txt Temp RootDir |
| File Access (UNICODE) |
| NETSETUPAPI.DLL taylor64.dll kbdcz2.dll NFCRADIOMEDIA.dll RegDeleteKeyExWadvapi32.dll API-MS-Win-Core-LocalRegistry-L1-1-0.dll cfgmgr32.dll api-ms-win-devices-config-l1.dll kernelbase.dll ntdll.dll api-ms-win-eventing-provider-l1-1-0.dll advapi32.dll NetSetupEngine.dll |
| Interest's Words |
| Encrypt Decrypt PassWord exec createobject attrib start hostname shutdown systeminfo replace |
| Interest's Words (UNICODE) |
| pause netcfg |
| URLs |
| http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702 http://schemas.microsoft.com/windows/pki/2009/01/enrollmentPKCS10 http://www.microsoft.com/pkiops/certs/MicCodSigPCA2011_2011-07-08.crt http://www.microsoft.com http://www.w3.org/2003/05/soap-envelope http://docs.oasis-open.org/ws-sx/ws-trust/200512 http://schemas.xmlsoap.org/wsdl/soap12/ http://schemas.xmlsoap.org/wsdl/ http://www.microsoft.com/pkiops/crl/MicWinProPCA2011_2011-10-19.crl http://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt http://www.microsoft.com/windows0 http://www.microsoft.com/pkiops/certs/Microsoft%20Time-Stamp%20PCA%202010(1).crt http://www.microsoft.com/pkiops/Docs/Repository.htm https://github.com/dotnet/dotnet https://login.microsoftonline.com https://%s%s |
| IP Addresses |
| 4.2.130.7 |
| PE Carving |
| Start Offset Header | End Offset | Size (Bytes) |
|---|---|---|
| 0 | 5C330 | 5C330 |
| 5C330 | 66330 | A000 |
| 66330 | 998D0 | 335A0 |
| 998D0 | AD8D0 | 14000 |
| AD8D0 | B7800 | 9F30 |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | WinAPI Sockets (bind) |
| Text | Ascii | WinAPI Sockets (accept) |
| Text | Ascii | WinAPI Sockets (connect) |
| Text | Ascii | Registry (RegCreateKeyEx) |
| Text | Ascii | Registry (RegOpenKeyEx) |
| Text | Ascii | Registry (RegSetValueEx) |
| Text | Ascii | Registry (RegDeleteKeyEx) |
| Text | Ascii | Registry (RegGetValue) |
| Text | Ascii | File (CopyFile) |
| Text | Ascii | File (CreateFile) |
| Text | Ascii | Encryption (ToBase64String) |
| Text | Ascii | Encryption API (CryptAcquireContext) |
| Text | Ascii | Encryption API (CryptReleaseContext) |
| Text | Ascii | Anti-Analysis VM (IsDebuggerPresent) |
| Text | Ascii | Anti-Analysis VM (GetSystemInfo) |
| Text | Ascii | Anti-Analysis VM (GetVersion) |
| Text | Ascii | Stealth (ReleaseSemaphore) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Stealth (VirtualAlloc) |
| Text | Ascii | Execution (ShellExecute) |
| Text | Ascii | Execution (CreateEventW) |
| Text | Unicode | Keyboard Key (Left Windows) |
| Text | Unicode | Keyboard Key (Right Windows) |
| Text | Unicode | Keyboard Key (Num 0) |
| Text | Unicode | Keyboard Key (Num 1) |
| Text | Unicode | Keyboard Key (Num 2) |
| Text | Unicode | Keyboard Key (Num 3) |
| Text | Unicode | Keyboard Key (Num 4) |
| Text | Unicode | Keyboard Key (Num 5) |
| Text | Unicode | Keyboard Key (Num 6) |
| Text | Unicode | Keyboard Key (Num 7) |
| Text | Unicode | Keyboard Key (Num 8) |
| Text | Unicode | Keyboard Key (Num 9) |
| Text | Unicode | Keyboard Key (Num -) |
| Text | Unicode | Keyboard Key (Num +) |
| Text | Unicode | Keyboard Key (Num Del) |
| Text | Unicode | Keyboard Key (Right Shift) |
| Text | Unicode | Keyboard Key (Num *) |
| Text | Unicode | Keyboard Key (Page Down) |
| Text | Unicode | Keyboard Key (Scroll) |
| Text | Unicode | Keyboard Key (Num Lock) |
| Text | Unicode | Keyboard Key (Backspace) |
| Text | Ascii | Process of gathering information about network resources (Enumeration) |
| Text | Ascii | Software that records user activity (Logger) |
| Text | Ascii | Unauthorized movement of funds or data (Transfer) |
| Text | Ascii | Malicious rerouting of traffic to an attacker-controlled site (Redirect) |
| Entry Point | Hex Pattern | NeoLite v2.0 |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text | PE/Payload |
|---|---|---|---|---|---|---|
| \RCDATA\119\1033 | 5E130 | A000 | 5C330 | 4D5A90000300000004000000FFFF0000B8000000000000004000000000000000000000000000000000000000000000000000 | MZ......................@......................... | (Executable found) |
| \RCDATA\293\1033 | 68130 | 335A0 | 66330 | 4D5A90000300000004000000FFFF0000B8000000000000004000000000000000000000000000000000000000000000000000 | MZ......................@......................... | (Executable found) |
| \RCDATA\815\1033 | 9B6D0 | 14000 | 998D0 | 4D5A90000300000004000000FFFF0000B8000000000000004000000000000000000000000000000000000000000000000000 | MZ......................@......................... | (Executable found) |
| \RCDATA\919\1033 | AF6D0 | 6000 | AD8D0 | 4D5A90000300000004000000FFFF0000B8000000000000004000000000000000000000000000000000000000000000000000 | MZ......................@......................... | (Executable found) |
| \VERSION\1\1033 | B56D0 | 34C | B38D0 | 4C0334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000200 | L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... | N/A |
| Intelligent String |
| • taylor64.dll • 4.2.130.7 • api-ms-win-core-synch-l1-2-0.dll • api-ms-win-core-registry-l1-1-0.dll • api-ms-win-core-handle-l1-1-0.dll • api-ms-win-core-localization-l1-2-0.dll • api-ms-win-core-processthreads-l1-1-0.dll • api-ms-win-core-errorhandling-l1-1-0.dll • api-ms-win-core-debug-l1-1-0.dll • api-ms-win-core-sysinfo-l1-1-0.dll • api-ms-win-core-profile-l1-1-0.dll • api-ms-win-core-libraryloader-l1-2-0.dll • api-ms-win-core-string-l2-1-0.dll • api-ms-win-core-io-l1-1-1.dll • api-ms-win-core-io-l1-1-0.dll • api-ms-win-devices-config-l1-1-0.dll • api-ms-win-core-registry-l2-1-0.dll • api-ms-win-eventing-provider-l1-1-0.dll • api-ms-win-core-threadpool-l1-2-0.dll • api-ms-win-core-string-l1-1-0.dll • api-ms-win-core-heap-l1-1-0.dll • api-ms-win-core-rtlsupport-l1-1-0.dll • api-ms-win-crt-string-l1-1-0.dll • api-ms-win-crt-private-l1-1-0.dll • .bss • NETSETUPAPI.DLL • api-ms-win-core-synch-l1-1-0.dll • _inittermmsvcrt.dll • coreaudiopolicymanagerext.pdb • api-ms-win-core-interlocked-l1-1-0.dll • api-ms-win-core-processthreads-l1-1-1.dll • NetSetupEngine.dll • advapi32.dll • ntdll.dll • kernelbase.dll • api-ms-win-devices-config-l1.dll • cfgmgr32.dll • api-ms-win-core-libraryloader-l1-1-0.dll • RPCRT4.dll • OLEAUT32.dll • api-ms-win-core-com-l1-1-0.dll • api-ms-win-devices-config-l1-1-1.dll • api-ms-win-devices-query-l1-1-0.dll • .tlb • NfcRadioMedia.pdb • .tls • /sleepconditionvariablesrwapi-ms-win-core-threadpool-l1-2-0.dll • api-ms-win-core-file-l1-1-0.dll • api-ms-win-core-delayload-l1-1-1.dll • api-ms-win-core-delayload-l1-1-0.dll • NFCRADIOMEDIA.dll • kbdcz2.pdb • kbdcz2.dll |
| Flow Anomalies |
| Offset | RVA | Section | Description |
|---|---|---|---|
| 34023-341FF | N/A | .text | Unusual BP Cave, count: 477 |
| 5F345-6032F | N/A | .rsrc | Unusual BP Cave, count: 4075 |
| 81345-8232F | N/A | .rsrc | Unusual BP Cave, count: 4075 |
| A38E5-A48CF | N/A | .rsrc | Unusual BP Cave, count: 4075 |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 441803 | 58,7804% |
| Null Byte Code | 167897 | 22,3381% |