PESCAN.IO - Analysis Report Basic |
| Information |
| Field | Value |
|---|---|
| Size | 2,24 MB |
| SHA-256 Hash | 393A437231CE18E9D0D1216C92AD817897033F7B1FA6766BCD9A703CB139F416 |
| SHA-1 Hash | 1C64171C6A635C0A1871D8A4AAD2E20CCE1FD370 |
| MD5 Hash | FFDE85687A0C4524FD4E54201BC81059 |
| Imphash | 05581483C500A31F1DDC0B7BC1E31EC7 |
| MajorOSVersion | 6 |
| MinorOSVersion | 0 |
| CheckSum | 00000000 |
| EntryPoint (rva) | 1330 |
| SizeOfHeaders | 400 |
| SizeOfImage | 246000 |
| ImageBase | 0000000180000000 |
| Architecture | x64 |
| ExportTable | 210B20 |
| ImportTable | 213DF8 |
| IAT | 189000 |
| Characteristics | 2022 |
| TimeDateStamp | 67630E30 |
| Date | 18/12/2024 18:02:24 |
| File Type | DLL |
| Number Of Sections | 7 |
| ASLR | Disabled |
| Section Names (Optional Header) | .text, .rdata, .data, .pdata, _RDATA, .rsrc, .reloc |
| Number Of Executable Sections | 1 |
| Subsystem | Windows GUI |
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 60000020 (Code, Executable, Readable) | 400 | 187600 | 1000 | 18741E | 6,3314 | 11517746,17 |
| .rdata | 40000040 (Initialized Data, Readable) | 187A00 | 8C600 | 189000 | 8C432 | 5,0613 | 25906462,99 |
| .data | C0000040 (Initialized Data, Readable, Writeable) | 214000 | D400 | 216000 | 10A28 | 4,9262 | 1489342,96 |
| .pdata | 40000040 (Initialized Data, Readable) | 221400 | 15200 | 227000 | 15174 | 6,0571 | 1681833,85 |
| _RDATA | 40000040 (Initialized Data, Readable) | 236600 | 200 | 23D000 | FC | 1,9968 | 77055,00 |
| .rsrc | 40000040 (Initialized Data, Readable) | 236800 | 400 | 23E000 | 2B0 | 2,3415 | 139760,50 |
| .reloc | 42000040 (Initialized Data, GP-Relative, Readable) | 236C00 | 6E00 | 23F000 | 6D90 | 5,4358 | 157472,11 |
| Description |
| Field | Value |
|---|---|
| CompanyName | Reprise Software Inc. |
| LegalCopyright | Copyright 2006-2024 |
| ProductName | RLM |
| Language | English (United States) (ID=0x409) |
| CodePage | Unicode (UTF-16 LE) (0x4B0) |
| Entry Point |
| Section number (1) contains the entry point. EntryPoint (calculated): 730. Code: 48895C24084889742410574883EC20498BF88BDA488BF183FA017505E81F0000004C8BC78BD3488BCE488B5C2430488B7424. Disassembly: • MOV QWORD PTR [RSP + 8], RBX • MOV QWORD PTR [RSP + 0X10], RSI • PUSH RDI • SUB RSP, 0X20 • MOV RDI, R8 • MOV EBX, EDX • MOV RSI, RCX • CMP EDX, 1 • JNE 0X1021 • CALL 0X1040 • MOV R8, RDI • MOV EDX, EBX • MOV RCX, RSI • MOV RBX, QWORD PTR [RSP + 0X30] |
| Signatures |
| Rich Signature Analyzer: Code -> 2EF6239B6A974DC86A974DC86A974DC821EF4EC960974DC821EF48C9BB974DC838E249C97B974DC838E24EC960974DC838E248C943974DC80CF8B0C860974DC821EF49C964974DC8AEE249C968974DC8211248C96B974DC8211249C92F974DC821EF4CC97D974DC86A974CC884974DC8ABEB49C93F954DC8AEE24DC96B974DC8AEE2B2C86B974DC8AEE24FC96B974DC8526963686A974DC8 Footprint md5 Hash -> 7B34CEAB21025A4DE98C2AC4DD0E7787 • The Rich header apparently has not been modified Certificate - Digital Signature Not Found: • The file is not signed |
| Packer/Compiler |
| Detect It Easy (die) • PE+(64): library: Reprise License Manager (RLM)(16.1)[-] • PE+(64): compiler: Microsoft Visual C/C++(-)[-] • PE+(64): linker: Microsoft Linker(14.29**)[-] • Entropy: 6.30078 |
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | GetModuleFileNameA | Retrieve the fully qualified path for the executable file of a specified module. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | CreateFileA | Creates or opens a file or I/O device. |
| KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |
| Ws2_32.DLL | socket | Create a communication endpoint for networking applications. |
| Ws2_32.DLL | connect | Establish a connection to a specified socket. |
| ADVAPI32.DLL | CryptDecrypt | Performs a cryptographic operation on data in a data block. |
| ET Functions (carving) |
| Original Name -> rlm1611.dll Java_com_reprisesoftware_rlm_RlmActHandle_rlmActDestroyHandle Java_com_reprisesoftware_rlm_RlmActHandle_rlmActNewHandle Java_com_reprisesoftware_rlm_RlmActHandle_rlmActSetHandle Java_com_reprisesoftware_rlm_RlmActHandle_rlmActSetHandleInt Java_com_reprisesoftware_rlm_RlmActInfo_rlmActInfo Java_com_reprisesoftware_rlm_RlmException_rlmErrstring Java_com_reprisesoftware_rlm_RlmHandle_rlmActKeyvalid Java_com_reprisesoftware_rlm_RlmHandle_rlmActKeyvalidLicense Java_com_reprisesoftware_rlm_RlmHandle_rlmActRequest Java_com_reprisesoftware_rlm_RlmHandle_rlmActRevoke Java_com_reprisesoftware_rlm_RlmHandle_rlmActRevokeDisconn Java_com_reprisesoftware_rlm_RlmHandle_rlmActRevokeReference Java_com_reprisesoftware_rlm_RlmHandle_rlmActRevokeRehost Java_com_reprisesoftware_rlm_RlmHandle_rlmActivate Java_com_reprisesoftware_rlm_RlmHandle_rlmAllHostIDs Java_com_reprisesoftware_rlm_RlmHandle_rlmClientCache Java_com_reprisesoftware_rlm_RlmHandle_rlmClose Java_com_reprisesoftware_rlm_RlmHandle_rlmCurrentRoam Java_com_reprisesoftware_rlm_RlmHandle_rlmDetachedDemo Java_com_reprisesoftware_rlm_RlmHandle_rlmDetachedDemoX Java_com_reprisesoftware_rlm_RlmHandle_rlmDiagnostics Java_com_reprisesoftware_rlm_RlmHandle_rlmDlog Java_com_reprisesoftware_rlm_RlmHandle_rlmEnableLogging Java_com_reprisesoftware_rlm_RlmHandle_rlmErrstringNum Java_com_reprisesoftware_rlm_RlmHandle_rlmForgetIsvDown Java_com_reprisesoftware_rlm_RlmHandle_rlmGetRehost Java_com_reprisesoftware_rlm_RlmHandle_rlmHostID Java_com_reprisesoftware_rlm_RlmHandle_rlmInit Java_com_reprisesoftware_rlm_RlmHandle_rlmInitDisconn Java_com_reprisesoftware_rlm_RlmHandle_rlmIsTokenBased Java_com_reprisesoftware_rlm_RlmHandle_rlmKeepConn Java_com_reprisesoftware_rlm_RlmHandle_rlmMaxRoam Java_com_reprisesoftware_rlm_RlmHandle_rlmMaxRoamCount Java_com_reprisesoftware_rlm_RlmHandle_rlmMaxShare Java_com_reprisesoftware_rlm_RlmHandle_rlmMeterCurCount Java_com_reprisesoftware_rlm_RlmHandle_rlmMinCheckout 
Java_com_reprisesoftware_rlm_RlmHandle_rlmMinRemove Java_com_reprisesoftware_rlm_RlmHandle_rlmMinTimeout Java_com_reprisesoftware_rlm_RlmHandle_rlmNRes Java_com_reprisesoftware_rlm_RlmHandle_rlmNRoamAllowed Java_com_reprisesoftware_rlm_RlmHandle_rlmOptions Java_com_reprisesoftware_rlm_RlmHandle_rlmProductActKey Java_com_reprisesoftware_rlm_RlmHandle_rlmProductContract Java_com_reprisesoftware_rlm_RlmHandle_rlmProductCount Java_com_reprisesoftware_rlm_RlmHandle_rlmProductCurrentInUse Java_com_reprisesoftware_rlm_RlmHandle_rlmProductCurrentResUse Java_com_reprisesoftware_rlm_RlmHandle_rlmProductCustomer Java_com_reprisesoftware_rlm_RlmHandle_rlmProductExpDays Java_com_reprisesoftware_rlm_RlmHandle_rlmProductExpTime Java_com_reprisesoftware_rlm_RlmHandle_rlmProductExpiration Java_com_reprisesoftware_rlm_RlmHandle_rlmProductFirst Java_com_reprisesoftware_rlm_RlmHandle_rlmProductFree Java_com_reprisesoftware_rlm_RlmHandle_rlmProductHold Java_com_reprisesoftware_rlm_RlmHandle_rlmProductHostBased Java_com_reprisesoftware_rlm_RlmHandle_rlmProductHostId Java_com_reprisesoftware_rlm_RlmHandle_rlmProductIsAlias Java_com_reprisesoftware_rlm_RlmHandle_rlmProductIsFloating Java_com_reprisesoftware_rlm_RlmHandle_rlmProductIsMetered Java_com_reprisesoftware_rlm_RlmHandle_rlmProductIsNodelocked Java_com_reprisesoftware_rlm_RlmHandle_rlmProductIsRoaming Java_com_reprisesoftware_rlm_RlmHandle_rlmProductIsSingle Java_com_reprisesoftware_rlm_RlmHandle_rlmProductIssuer Java_com_reprisesoftware_rlm_RlmHandle_rlmProductMeterCounter Java_com_reprisesoftware_rlm_RlmHandle_rlmProductName Java_com_reprisesoftware_rlm_RlmHandle_rlmProductNamedUserCount Java_com_reprisesoftware_rlm_RlmHandle_rlmProductNext Java_com_reprisesoftware_rlm_RlmHandle_rlmProductStart Java_com_reprisesoftware_rlm_RlmHandle_rlmProductVersion Java_com_reprisesoftware_rlm_RlmHandle_rlmProducts Java_com_reprisesoftware_rlm_RlmHandle_rlmPutenv Java_com_reprisesoftware_rlm_RlmHandle_rlmRlog 
Java_com_reprisesoftware_rlm_RlmHandle_rlmServer Java_com_reprisesoftware_rlm_RlmHandle_rlmSetHost Java_com_reprisesoftware_rlm_RlmHandle_rlmSetIsvData Java_com_reprisesoftware_rlm_RlmHandle_rlmSetPassword Java_com_reprisesoftware_rlm_RlmHandle_rlmSetReferenceHostid Java_com_reprisesoftware_rlm_RlmHandle_rlmSetRequiredOption Java_com_reprisesoftware_rlm_RlmHandle_rlmSetUser Java_com_reprisesoftware_rlm_RlmHandle_rlmShare Java_com_reprisesoftware_rlm_RlmHandle_rlmSkipIsvDown Java_com_reprisesoftware_rlm_RlmHandle_rlmSoftLimit Java_com_reprisesoftware_rlm_RlmHandle_rlmStat Java_com_reprisesoftware_rlm_RlmHandle_rlmTimeout Java_com_reprisesoftware_rlm_RlmHandle_rlmTimezone Java_com_reprisesoftware_rlm_RlmHandle_rlmType Java_com_reprisesoftware_rlm_RlmHandle_rlmUserBased Java_com_reprisesoftware_rlm_RlmLicense_rlmAuthCheck Java_com_reprisesoftware_rlm_RlmLicense_rlmCheckin Java_com_reprisesoftware_rlm_RlmLicense_rlmCheckout Java_com_reprisesoftware_rlm_RlmLicense_rlmCheckoutProduct Java_com_reprisesoftware_rlm_RlmLicense_rlmGetAttrHealth Java_com_reprisesoftware_rlm_RlmLicense_rlmGoodOnce Java_com_reprisesoftware_rlm_RlmLicense_rlmLicenseAkey Java_com_reprisesoftware_rlm_RlmLicense_rlmLicenseContract Java_com_reprisesoftware_rlm_RlmLicense_rlmLicenseCount Java_com_reprisesoftware_rlm_RlmLicense_rlmLicenseCustomer Java_com_reprisesoftware_rlm_RlmLicense_rlmLicenseDetachedDemo Java_com_reprisesoftware_rlm_RlmLicense_rlmLicenseExp Java_com_reprisesoftware_rlm_RlmLicense_rlmLicenseExpDays Java_com_reprisesoftware_rlm_RlmLicense_rlmLicenseExpTime Java_com_reprisesoftware_rlm_RlmLicense_rlmLicenseGetLFPath Java_com_reprisesoftware_rlm_RlmLicense_rlmLicenseHold Java_com_reprisesoftware_rlm_RlmLicense_rlmLicenseHostBased Java_com_reprisesoftware_rlm_RlmLicense_rlmLicenseHostid Java_com_reprisesoftware_rlm_RlmLicense_rlmLicenseIsCached Java_com_reprisesoftware_rlm_RlmLicense_rlmLicenseIsMetered Java_com_reprisesoftware_rlm_RlmLicense_rlmLicenseIssued 
Java_com_reprisesoftware_rlm_RlmLicense_rlmLicenseIssuer Java_com_reprisesoftware_rlm_RlmLicense_rlmLicenseMaxRoam Java_com_reprisesoftware_rlm_RlmLicense_rlmLicenseMaxRoamCount Java_com_reprisesoftware_rlm_RlmLicense_rlmLicenseMaxShare Java_com_reprisesoftware_rlm_RlmLicense_rlmLicenseMeterCounter Java_com_reprisesoftware_rlm_RlmLicense_rlmLicenseMinCheckout Java_com_reprisesoftware_rlm_RlmLicense_rlmLicenseMinRemove Java_com_reprisesoftware_rlm_RlmLicense_rlmLicenseMinTimeout Java_com_reprisesoftware_rlm_RlmLicense_rlmLicenseNamedUserCount Java_com_reprisesoftware_rlm_RlmLicense_rlmLicenseNamedUserMinHours Java_com_reprisesoftware_rlm_RlmLicense_rlmLicenseOptions Java_com_reprisesoftware_rlm_RlmLicense_rlmLicensePlatforms Java_com_reprisesoftware_rlm_RlmLicense_rlmLicenseProduct Java_com_reprisesoftware_rlm_RlmLicense_rlmLicenseRoaming Java_com_reprisesoftware_rlm_RlmLicense_rlmLicenseServer Java_com_reprisesoftware_rlm_RlmLicense_rlmLicenseShare Java_com_reprisesoftware_rlm_RlmLicense_rlmLicenseSingle Java_com_reprisesoftware_rlm_RlmLicense_rlmLicenseSoftLimit Java_com_reprisesoftware_rlm_RlmLicense_rlmLicenseStart Java_com_reprisesoftware_rlm_RlmLicense_rlmLicenseStat Java_com_reprisesoftware_rlm_RlmLicense_rlmLicenseTimezone Java_com_reprisesoftware_rlm_RlmLicense_rlmLicenseType Java_com_reprisesoftware_rlm_RlmLicense_rlmLicenseUncounted Java_com_reprisesoftware_rlm_RlmLicense_rlmLicenseUserBased Java_com_reprisesoftware_rlm_RlmLicense_rlmLicenseVersion rlm_act_destroy_handle rlm_act_errstring rlm_act_fulfill_info rlm_act_info rlm_act_keyinfo rlm_act_keyinfo2 rlm_act_keyvalid rlm_act_keyvalid_license rlm_act_new_handle rlm_act_refresh rlm_act_rehost_revoke rlm_act_request rlm_act_revoke rlm_act_revoke_disconn rlm_act_revoke_reference rlm_act_set_handle rlm_activate rlm_add_isv_hostid rlm_add_meter_count rlm_all_hostids rlm_all_hostids_free rlm_auth_check rlm_auto_hb rlm_checkin rlm_checkout rlm_checkout_product rlm_close rlm_detached_demo rlm_detached_demox 
rlm_diagnostics rlm_dlog rlm_errstring rlm_errstring_num rlm_forget_isv_down rlm_get_attr_health rlm_get_attr_lfpath rlm_get_rehost rlm_hostid rlm_init rlm_init_disconn rlm_isv_cfg_disable_broadcast rlm_license_akey rlm_license_cached rlm_license_client_cache rlm_license_contract rlm_license_count rlm_license_customer rlm_license_detached_demo rlm_license_exp rlm_license_exp_days rlm_license_exptime rlm_license_goodonce rlm_license_hold rlm_license_host_based rlm_license_hostid rlm_license_ismetered rlm_license_issued rlm_license_issuer rlm_license_line_item rlm_license_max_roam rlm_license_max_roam_count rlm_license_max_share rlm_license_meter_counter rlm_license_min_checkout rlm_license_min_remove rlm_license_min_timeout rlm_license_named_user_count rlm_license_named_user_min_hours rlm_license_options rlm_license_platforms rlm_license_product rlm_license_roaming rlm_license_server rlm_license_share rlm_license_single rlm_license_soft_limit rlm_license_start rlm_license_stat rlm_license_teams rlm_license_type rlm_license_tz rlm_license_uncounted rlm_license_user_based rlm_license_ver rlm_log rlm_product_akey rlm_product_client_cache rlm_product_contract rlm_product_count rlm_product_current_inuse rlm_product_current_resuse rlm_product_customer rlm_product_exp rlm_product_exp_days rlm_product_exptime rlm_product_first rlm_product_hbased rlm_product_hold rlm_product_hostid rlm_product_isalias rlm_product_isfloating rlm_product_ismetered rlm_product_isnodelocked rlm_product_issingle rlm_product_issuer rlm_product_max_roam rlm_product_max_roam_count rlm_product_max_share rlm_product_meter_counter rlm_product_meter_cur_count rlm_product_min_checkout rlm_product_min_remove rlm_product_min_timeout rlm_product_name rlm_product_named_user_count rlm_product_next rlm_product_nres rlm_product_num_roam_allowed rlm_product_options rlm_product_roaming rlm_product_server rlm_product_share rlm_product_soft_limit rlm_product_start rlm_product_thisroam rlm_product_timeout 
rlm_product_tokens rlm_product_type rlm_product_tz rlm_product_ubased rlm_product_ver rlm_products rlm_products_dynres rlm_products_free rlm_putenv rlm_set_active rlm_set_attr_keep_conn rlm_set_attr_logging rlm_set_attr_password rlm_set_attr_reference_hostid rlm_set_attr_req_opt rlm_set_environ rlm_skip_isv_down rlm_stat |
| File Access |
| _mklic.exe _teamlic.exe .exe cmd.exe WINHTTP.dll OLEAUT32.dll ole32.dll CRYPT32.dll SHELL32.dll USER32.dll ADVAPI32.dll WS2_32.dll bcrypt.dll IPHLPAPI.DLL KERNEL32.dll rlm1611.dll .bat .dat \*.dat bootstat.dat d.dat @.dat Temp |
| File Access (UNICODE) |
| Not enough memory to complete call to strerror..exe mscoree.dll |
| SQL Queries |
| SELECT * FROM Win32_ComputerSystemProduct |
| Interesting Words |
| smtp Encrypt Decrypt Encryption PassWord exec attrib start comspec cipher hostname cacls icacls certreq ping expand replace route |
| URLs |
| IP Addresses |
| 255.255.255.255 |
| Known IP/Domains |
| Cloudflare DNS - 1.1.1.1 |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | WinAPI Sockets (bind) |
| Text | Ascii | WinAPI Sockets (listen) |
| Text | Ascii | WinAPI Sockets (accept) |
| Text | Ascii | WinAPI Sockets (connect) |
| Text | Ascii | WinAPI Sockets (send) |
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | File (ReadFile) |
| Text | Unicode | Encryption (Microsoft Enhanced Cryptographic Provider v1.0) |
| Text | Unicode | Encryption (Microsoft Enhanced RSA and AES Cryptographic Provider) |
| Text | Ascii | Encryption API (CryptAcquireContext) |
| Text | Ascii | Encryption API (CryptDecrypt) |
| Text | Ascii | Encryption API (CryptReleaseContext) |
| Text | Ascii | Anti-Analysis VM (IsDebuggerPresent) |
| Text | Ascii | Anti-Analysis VM (GetVersion) |
| Text | Ascii | Reconnaissance (FindFirstFileA) |
| Text | Ascii | Reconnaissance (FindNextFileA) |
| Text | Ascii | Reconnaissance (FindFirstFileW) |
| Text | Ascii | Reconnaissance (FindNextFileW) |
| Text | Ascii | Reconnaissance (FindClose) |
| Text | Ascii | Stealth (ExitThread) |
| Text | Ascii | Stealth (ReleaseSemaphore) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Execution (CreateProcessA) |
| Text | Ascii | Execution (CreateProcessW) |
| Text | Ascii | Execution (ResumeThread) |
| Text | Ascii | Execution (CreateSemaphoreA) |
| Text | Ascii | Execution (CreateEventA) |
| Text | Ascii | Antivirus Software (gdata) |
| Text | Unicode | WMI execution (ROOT\CIMV2) |
| Text | Ascii | Information used to authenticate a user's identity (Credential) |
| Text | Ascii | Information used for user authentication (Credential) |
| Text | Ascii | Malicious rerouting of traffic to an attacker-controlled site (Redirect) |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8.0 (DLL) |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \VERSION\1\1033 | 23E060 | 24C | 236860 | 4C0234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000100 | L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| Intelligent String |
| • mscoree.dll • C:\Users\j.owens\repos\openssl\crypto\err\err_local.h • crypto\initthread.crb • C:\Program Files (x86)\OpenSSL\lib\engines-3 • C:\Users\j.owens\repos\openssl\engines\e_capi_err.c • msSmartcardLogin • Microsoft Smartcard Login • C:\Program Files (x86)\OpenSSL\lib\ossl-modulesname=%sOSSL_provider_init • .cnf • C:\Program Files (x86)\Common Files\SSL_OPENSSL_isservice • do_dump" • cmd not executable • invalid cmd name • invalid cmd number • [HEX DUMP]:00 • C:\Users\j.owens\repos\openssl\providers\implementations\ciphers\cipher_aes_cts.inc • C:\Users\j.owens\repos\openssl\providers\implementations\ciphers\cipher_camellia_cts.inc • C:\Users\j.owens\repos\openssl\providers\implementations\macs\blake2_mac_impl.cblake2_setkey • value.bag • IND)ind)Visual C++ CRT: Not enough memory to complete call to strerror..exe • .cmd • .bat • .com • COMSPECcmd.exe/c • .bss • IPHLPAPI.DLL • ADVAPI32.dll • _teamlic.exe • _mklic.exe • Bad or missing login credentials • hostedactivation.com • icacls "%s/%s" /reset /t /c /q > NUL • %s%s%s.lic • ls%d.rlmcloud.com • .rlmcloud.com • http://http://GetDefaultProxyConfiguration worked. • RLM_DUMP_INTERNAL_ERRORS • 255.255.255.255 • bootstat.dat • c:\windows • c:\winnt • \*.dat • \*.lic • .dat • .lic |
| Flow Anomalies |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 1375440 | 58,5401% |
| Null Byte Code | 471501 | 20,0676% |