PREMIUM PESCAN.IO - Analysis Report

Information
Size: 4,44 MB
SHA-256 Hash: E657B297CDD67488A7736B2A087731D3A5455258816DB21E88C453FF273F316C
SHA-1 Hash: 56D485FDEA875081CDA2654379A42D343A01CEBC
MD5 Hash: E484E5B26147F279D0ABA354E74C581D
Imphash: FA2D3F2C3658FC64307D42F5908E7B3B
MajorOSVersion: 5
MinorOSVersion: 0
CheckSum: 0047DF21
EntryPoint (rva): 11B00
SizeOfHeaders: 400
SizeOfImage: 478000
ImageBase: 10000000
Architecture: x86
ExportTable: 3D0A0
ImportTable: 3B9AC
IAT: 31000
Characteristics: 2102
TimeDateStamp: 4ADEC8D7
Date: 21/10/2009 8:39:51
File Type: DLL
Number Of Sections: 5
ASLR: Enabled
Section Names: .text, .rdata, .data, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker

Sections Info
Section Name  Flags                                                 ROffset  RSize   VOffset  VSize   Entropy  Chi2
.text         0x60000020 (Code, Executable, Readable)               400      2FC00   1000     2FA17   6.7215   878418.23
.rdata        0x40000040 (Initialized Data, Readable)               30000    C200    31000    C1C5    5.1563   1714032.16
.data         0xC0000040 (Initialized Data, Readable, Writeable)    3C200    2400    3E000    6ADC    3.9571   716419.5
.rsrc         0x40000040 (Initialized Data, Readable)               3E600    392C00  45000    392AF2  6.8865   29279179.23
.reloc        0x42000040 (Initialized Data, GP-Relative, Readable)  3D1200   9FE00   3D8000   9FE00   7.8479   266481.89
Description
OriginalFilename: qtvirtualkeyboard_openwnn.dll
CompanyName: The Qt Company Ltd.
LegalCopyright: Copyright (C) 2020 The Qt Company Ltd.
ProductName: Qt Virtual Keyboard OpenWNN (Qt 5.15.2)
FileVersion: 5.15.2.0
FileDescription: Virtual Keyboard Extension for Qt.
ProductVersion: 5.15.2.0
Comments: System.Private.DataContractSerialization
Language: Unknown (ID=0x0)
CodePage: Unicode (UTF-16 LE) (0x4B0)

Binder/Joiner/Crypter
3 Executable files found

Entry Point
Section number 1 (.text) contains the Entry Point
Information -> EntryPoint (calculated) - 10F00
Code -> 8BFF558BEC837D0C017505E894630000FF75088B4D108B550CE8ECFEFFFF595DC20C006A0C6800900310E8ED2A00008365E4
Assembler
|MOV EDI, EDI
|PUSH EBP
|MOV EBP, ESP
|CMP DWORD PTR [EBP + 0XC], 1
|JNE 0X1010
|CALL 0X73A4
|PUSH DWORD PTR [EBP + 8]
|MOV ECX, DWORD PTR [EBP + 0X10]
|MOV EDX, DWORD PTR [EBP + 0XC]
|CALL 0XF0A
|POP ECX
|POP EBP
|RET 0XC
|PUSH 0XC
|PUSH 0X10039000
|CALL 0X3B1C
Signatures
CheckSum Integrity Problem:
Header: 4710177
Calculated: 4691235
Rich Signature Analyzer:
Code -> F61FEC8DB27E82DEB27E82DEB27E82DE95B8EFDEB57E82DE95B8F9DEA77E82DEB27E83DE4C7F82DEBB0617DEAA7E82DEBB0601DE117E82DEBB0606DE327E82DEAC2C06DEB17E82DEBB0608DEB57E82DEBB0610DEB37E82DEAC2C16DEB37E82DEBB0613DEB37E82DE52696368B27E82DE
Footprint md5 Hash -> 4FFD961B3A89A8115F2217595E7FDC6D
• The Rich header apparently has not been modified
Certificate - Digital Signature:
• The file is not signed

Packer/Compiler
Compiler: Microsoft Visual Studio
Compiler: Microsoft Visual C++
Detect It Easy (die)
PE: library: MFC(-)[static]
PE: compiler: EP:Microsoft Visual C/C++(2008-2010)[DLL32]
PE: compiler: Microsoft Visual C++(2008)[msvcrt]
PE: linker: Microsoft Linker(9.0)[-]
Entropy: 7.11212

Suspicious Functions
Library Function Description
KERNEL32.DLL GetModuleFileNameA Retrieve the fully qualified path for the executable file of a specified module.
KERNEL32.DLL VirtualAlloc Reserve, commit, or both, a region of memory within the virtual address space of a process.
KERNEL32.DLL GetModuleHandleA Retrieves a handle to the specified module.
KERNEL32.DLL WriteFile Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL LoadLibraryA Loads the specified module into the address space of the calling process.
KERNEL32.DLL LoadLibraryW Loads the specified module into the address space of the calling process.
KERNEL32.DLL GetProcAddress Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL CreateFileA Creates or opens a file or I/O device.
KERNEL32.DLL IsDebuggerPresent Determines if the calling process is being debugged by a user-mode debugger.
ET Functions (carving)
Original Name -> LcMgr.dll
??4CLcMgr@@QAEAAV0@ABV0@@Z
?CreateLocalizeManager@@YAPAXPB_W0@Z
?DestroyLocalizeManager@@YAXPAX@Z
?GetCountry@@YAXPAXPA_WH@Z
?GetLanguage@@YAXPAXPA_WH@Z
?GetString@@YAHPAXPB_WPA_WH@Z

Windows REG (UNICODE)
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Policies\Network
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
Software\Classes\
Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer - NoRun

File Access
System.Private.DataContractSerialization.dll
api-ms-win-crt-runtime-l1-1-0.dll
api-ms-win-crt-string-l1-1-0.dll
api-ms-win-crt-heap-l1-1-0.dll
VCRUNTIME140.dll
KERNEL32.dll
Qt5Core.dll
Qt5Qml.dll
Qt5Gui.dll
Qt5VirtualKeyboard.dll
qtvirtualkeyboard_openwnn.dll
LcMgr.dll
OLEAUT32.dll
SHLWAPI.dll
ADVAPI32.dll
COMDLG32.dll
GDI32.dll
USER32.dll
OLEACC.dll
FxResources.Sys
//schemas.dat
(System.Private.Dat
System.Runtime.Serialization.Dat
System.Runtime.Serialization.DataContracts.Dat
FxResources.System.Private.Dat
System.Private.Dat
/_/artifacts/obj/System.Private.Dat
.dat
@.dat
Temp

File Access (UNICODE)
Private.Dat
//schemas.dat
kernel32.dll
DataContractSerialization.dll
Update.exe
qtvirtualkeyboard_openwnn.dll
api-ms-win-core-synch-l1-2-0.dll
KERNEL32.DLL
CorExitProcessmscoree.dll
ole32.dll
4Xshell32.dll
4Xcomdlg32.dll
4Xcomctl32.dll
NotifyWinEventuser32.dll
%s%s.dll
ntdll.dll
{ns}_S_PSwitch.Sys
Serialization.Dat
PRIVATE.DAT

Interest's Words
<link
exec
createobject
unescape
attrib
start
ping
expand
replace

Interest's Words (UNICODE)
attrib
start
ping
replace

URLs

URLs (UNICODE)

PE Carving
Start Offset Header  End Offset  Size (Bytes)
0                    5F4C0       5F4C0
5F4C0                1D4238      174D78
1D4238               471000      29CDC8
Strings/Hex Code Found With The File Rules
Rule Type Encoding Matched (Word)
Text Unicode Unicode escape - \u00 - (Common Unicode escape sequences)
Text Ascii WinAPI Sockets (connect)
Text Unicode WinAPI Sockets (connect)
Text Ascii Registry (RegCreateKeyEx)
Text Ascii Registry (RegOpenKeyEx)
Text Ascii Registry (RegSetValueEx)
Text Ascii File (CreateFile)
Text Ascii File (WriteFile)
Text Ascii File (ReadFile)
Text Ascii Encryption (FromBase64String)
Text Ascii Encryption (ToBase64String)
Text Ascii Anti-Analysis VM (IsDebuggerPresent)
Text Ascii Anti-Analysis VM (GetVersion)
Text Ascii Reconnaissance (FindFirstFileW)
Text Ascii Reconnaissance (FindNextFileW)
Text Ascii Reconnaissance (FindClose)
Text Ascii Stealth (CloseHandle)
Text Ascii Stealth (VirtualAlloc)
Text Ascii Execution (CreateEventW)
Text Ascii Antivirus Software (panda)
Text Ascii Process of gathering information about network resources (Enumeration)
Text Unicode Process of gathering information about network resources (Enumeration)
Text Ascii Stealer malware focused on obtaining CVV codes to conduct unauthorized transactions (CVV)
Entry Point Hex Pattern Microsoft Visual C++ v7.0
Resources
Path                                             DataRVA  Size    FileOffset  PE/Payload
\AFX_DIALOG_LAYOUT\118\2057                      455F8    2       3EBF8       N/A
\ICON\1\1033                                     455FC    468     3EBFC       N/A
\ICON\2\1033                                     45A64    10A8    3F064       N/A
\ICON\3\1033                                     46B0C    25A8    4010C       N/A
\ICON\4\1033                                     490B4    4228    426B4       N/A
\ICON\5\1033                                     4D2DC    10828   468DC       N/A
\ICON\6\1033                                     5DB04    18D7    57104       N/A
\ICON\7\0                                        5F3DC    468     589DC       N/A
\ICON\8\0                                        5F844    10A8    58E44       N/A
\ICON\9\0                                        608EC    25A8    59EEC       N/A
\ICON\10\0                                       62E94    2780    5C494       N/A
\DIALOG\101\2057                                 65614    7C      5EC14       N/A
\DIALOG\106\2057                                 65690    D8      5EC90       N/A
\DIALOG\107\2057                                 65768    6E      5ED68       N/A
\DIALOG\108\2057                                 657D8    40      5EDD8       N/A
\DIALOG\109\2057                                 65818    6E      5EE18       N/A
\DIALOG\117\2057                                 65888    1C4     5EE88       N/A
\DIALOG\118\2057                                 65A4C    472     5F04C       N/A
\RCDATA\QTVIRTUALKEYBOARD\0                      65EC0    174D78  5F4C0       (Executable found)
\RCDATA\SYSTEM.PRIVATE.DATACONTRACTSERIALIZAT\0  1DAC38   1FC728  1D4238      (Executable found)
\GROUP_ICON\MAINICON\0                           3D7360   3E      3D0960      N/A
\GROUP_ICON\32512\1033                           3D73A0   5A      3D09A0      N/A
\VERSION\1\0                                     3D73FC   33C     3D09FC      N/A
\VERSION\1\1033                                  3D7738   260     3D0D38      N/A
\24\2\1033                                       3D7998   15A     3D0F98      N/A
Intelligent String
• 1.9.1.0
• Update.exe
• <xs:schema elementFormDefault='qualified' attributeFormDefault='qualified' xmlns:tns='http://schemas.microsoft.com/2003/10/Serialization/' targetNamespace='http://schemas.microsoft.com/2003/10/Serialization/' xmlns:xs='http://www.w3.org/2001/XMLSchema'>
• http://www.w3.org/XML/1998/namespace
• 5.15.2.0
• kernel32.dll
• ntdll.dll
• %s%s.dll
• f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp
• .INI
• .HLP
• .CHM
• user32.dll
• 4Xcomctl32.dll
• 4Xcomdlg32.dll
• 4Xshell32.dll
• f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
• f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin1.inl
• hhctrl.ocx
• f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
• ole32.dll
• f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp
• mscoree.dll
• KERNEL32.DLL
• OLEACC.dll
• file://CMapStringToString
• f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filetxt.cpp
• .def
• .ACP
• .log
• c:\Documents and Settings\5002269\My Documents\ProjectWorkspace\Event Manager\2.4\LcMgr\Release\LcMgr.pdb
• GDI32.dll
• WINSPOOL.DRV
• ADVAPI32.dll
• .PAX
• Z\main.qml
• api-ms-win-core-synch-l1-2-0.dll
• Q:\build\qt\qtvirtualkeyboard\plugins\virtualkeyboard\qtvirtualkeyboard_openwnn.pdb
• .tls
• .bss
• Qt5Gui.dll
• Qt5Qml.dll
• VCRUNTIME140.dll
• 6_initterm7_initterm_eapi-ms-win-crt-heap-l1-1-0.dll
• api-ms-win-crt-string-l1-1-0.dll
• api-ms-win-crt-runtime-l1-1-0.dll
• .GSe
• qtvirtualkeyboard_openwnn.dll
• Microsoft .NET
• 8.0.0.0
• System.Private.DataContractSerialization.ni.pdb
• http://www.w3.org/2001/XMLSchema-instance
• http://www.w3.org/2001/XMLSchema
• http://schemas.datacontract.org/2004/07/System.Xml.Linq
• http://schemas.microsoft.com/2003/10/Serialization/Arrays
• http://schemas.datacontract.org/2004/07/System.Xml
• true
• http://schemas.microsoft.com/2003/10/Serialization/Arrays$GeneratedNamespaceGeneratedTypeGeneratedMember
• .NET
• https://github.com/dotnet/runtime
• http://schemas.microsoft.com/2003/10/Serialization/ArraysU
• http://schemas.datacontract.org/2004/07/SystemY
• http://schemas.datacontract.org/2004/07/SystemV
• http://schemas.datacontract.org/2004/07/System.IO

Flow Anomalies
Offset RVA Section Description
3B549A-3B5697 N/A .rsrc Potential obfuscated jump sequence detected, count: 127
3B63CA-3B63E7 N/A .rsrc Potential obfuscated jump sequence detected, count: 7
3B64BA-3B655F N/A .rsrc Potential obfuscated jump sequence detected, count: 41
3B67C2-3B680F N/A .rsrc Potential obfuscated jump sequence detected, count: 19
3B6812-3B6847 N/A .rsrc Potential obfuscated jump sequence detected, count: 13
3B68E2-3B68FF N/A .rsrc Potential obfuscated jump sequence detected, count: 7
3B69EA-3B6A07 N/A .rsrc Potential obfuscated jump sequence detected, count: 7
3B6CCA-3B6D1F N/A .rsrc Potential obfuscated jump sequence detected, count: 21
3B6D32-3B6D4F N/A .rsrc Potential obfuscated jump sequence detected, count: 7
3B6D82-3B6D9F N/A .rsrc Potential obfuscated jump sequence detected, count: 7
3B6DCA-3B6E1F N/A .rsrc Potential obfuscated jump sequence detected, count: 21
3B6F32-3B6F5F N/A .rsrc Potential obfuscated jump sequence detected, count: 11
3B717A-3B71AF N/A .rsrc Potential obfuscated jump sequence detected, count: 13
3B71C2-3B7207 N/A .rsrc Potential obfuscated jump sequence detected, count: 17
3B755A-3B757F N/A .rsrc Potential obfuscated jump sequence detected, count: 9
3B75BA-3B75E7 N/A .rsrc Potential obfuscated jump sequence detected, count: 11
3B780A-3B7837 N/A .rsrc Potential obfuscated jump sequence detected, count: 11
3B82F2-3B8317 N/A .rsrc Potential obfuscated jump sequence detected, count: 9
3B87B2-3B87DF N/A .rsrc Potential obfuscated jump sequence detected, count: 11
3B8ECA-3B8EE7 N/A .rsrc Potential obfuscated jump sequence detected, count: 7
3B956A-3B9587 N/A .rsrc Potential obfuscated jump sequence detected, count: 7
3B9FF2-3BA00F N/A .rsrc Potential obfuscated jump sequence detected, count: 7
2FAEB-2FBEA N/A .text Unusual NOPS Space, count: 256
2FD1E-2FE16 N/A .text Unusual NOPS Space, count: 249
Extra Analysis
Metric Value Percentage
Ascii Code 2851562 61,2297%
Null Byte Code 697296 14,9726%
NOP Cave Found 0x9090909090 Block Count: 100 | Total: 0,0054%