PESCAN.IO - Analysis Report

PESCAN.IO - Analysis Report Basic

File Structure

PE Chart Code

Header PE (light blue)

Executable sections (pink)

Non-executable sections (black)

External injected code (red)

File Structure in red = malformed or corrupted header

Chart Code For Other Files

Printable characters (blue)

Non-printable characters (black)

Information

Size: 676,00 KB
SHA-256 Hash: B0512BEBD0AFE2739C9BA4286C053268A92BBF9CDC456A2DE5AEACED9AD0422F
SHA-1 Hash: 7721C3A316C01726603D1AC9E909E84E78C305BE
MD5 Hash: 1ED6EF6C570842F18D77D8440B5DB7CA
Imphash: A326283E2C773761ABA7F4BA722820D7
MajorOSVersion: 4
MinorOSVersion: 0
CheckSum: 000B2601
EntryPoint (rva): 1248
SizeOfHeaders: 1000
SizeOfImage: AB000
ImageBase: 400000
Architecture: x86
ImportTable: 2C714
IAT: 1000
Characteristics: 10F
TimeDateStamp: 69E0402F
Date: 16/04/2026 1:49:35
File Type: EXE
Number Of Sections: 3
ASLR: Disabled
Section Names: .text, .data, .rsrc
Number Of Executable Sections: 1
Subsystem: Windows GUI

Sections Info

Section Name	Flags	ROffset	RSize	VOffset	VSize	Entropy	Chi2
.text	0x60000020 Code Executable Readable	1000	2C000	1000	2B8C4	5.2947	5659327.04
.data	0xC0000040 Initialized Data Readable Writeable	0	0	2D000	1F98	N/A	N/A
.rsrc	0x40000040 Initialized Data Readable	2D000	7C000	2F000	7B10C	6.5755	3301533.88

Description

OriginalFilename: STUBP.exe
CompanyName: Microsoft
ProductName: Microsoft
FileVersion: 10.00.0200
ProductVersion: 10.00.0200
Language: Spanish (Spain, Modern Sort) (ID=0xC0A)
CodePage: Unicode (UTF-16 LE) (0x4B0)

Binder/Joiner/Crypter

2 Executable files found

Entry Point

The section number (1) - (.text) have the Entry Point
Information -> EntryPoint (calculated) - 1248
Code -> 685C154000E8EEFFFFFF000000000000300000004000000000000000E1C0ACCF4A4C0543AFEEE9953AD2438C000000000000

Assembler

|PUSH 0X40155C

|CALL 0XFF8

|ADD BYTE PTR [EAX], AL

|XOR BYTE PTR [EAX], AL

|ADD BYTE PTR [EAX], AL

|INC EAX

|ADD BYTE PTR [EAX], AL

|ADD CL, AH

|SHR BYTE PTR [EDI + ECX*8 + 0X43054C4A], 0XAF

|OUT DX, AL

|JMP 0X43D24AC0

|MOV WORD PTR [EAX], ES

|ADD BYTE PTR [EAX], AL

Signatures

CheckSum Integrity Problem:
• Header: 730625
• Calculated: 703348
Rich Signature Analyzer:
Code -> B71207DBF3736988F3736988F37369881A6C6488F273698852696368F3736988
Footprint md5 Hash -> 5DA092A1CBBE6290D95AA739DE6C0E6F
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler

Compiler: Visual Basic 6 - (PCode)
Detect It Easy (die)
• PE: compiler: Microsoft Visual Basic(6.0)[P-Code]
• PE: linker: Microsoft Linker(6.0*)[-]
• Entropy: 6.37333

Suspicious Functions

Library	Function	Description
MSVBVM60.DLL	DllFunctionCall	It enables calling routines from external DLLs in VB code, integrating external code into Visual Basic projects.
KERNEL32.DLL	VirtualAlloc	Reserve, commit, or both, a region of memory within the virtual address space of a process.
KERNEL32.DLL	RtlMoveMemory	Moves a block of memory to another location.
KERNEL32.DLL	WriteFile	Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL	LoadLibraryA	Loads the specified module into the address space of the calling process.
KERNEL32.DLL	LoadLibraryW	Loads the specified module into the address space of the calling process.
KERNEL32.DLL	GetProcAddress	Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL	CreateFileA	Creates or opens a file or I/O device.
KERNEL32.DLL	DeleteFileA	Deletes an existing file.
USER32.DLL	GetAsyncKeyState	Retrieves the status of a virtual key asynchronously.
USER32.DLL	CallWindowProcA	Invokes the window procedure for the specified window and messages.
URLMON.DLL	URLDownloadToFileA	Download a file from the internet and save it to a local file.
ADVAPI32.DLL	RegCreateKeyExA	Creates a new registry key or opens an existing one.
ADVAPI32.DLL	RegDeleteKeyA	Used to delete a subkey and its values from the Windows registry.
ADVAPI32.DLL	RegSetValueExA	Sets the data and type of a specified value under a registry key.
ADVAPI32.DLL	RegDeleteValueA	Removes a named value from the specified registry key. Note that value names are not case sensitive.
SHELL32.DLL	ShellExecuteA	Performs a run operation on a specific file.
WININET.DLL	InternetConnectA	Opens an File Transfer Protocol (FTP) or HTTP session for a given site.
WININET.DLL	FtpPutFileA	Opens an File Transfer Protocol (FTP) or HTTP session for a given site.

Windows REG (UNICODE)

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Productname
software\microsoft\windows\currentversion\uninstall
software\microsoft\windows\currentversion\uninstall\
Software\Microsoft\Windows\CurrentVersion\Internet Settings\

File Access

msvcrt.dll
KERNEL32.dll
sqlite3.dll
MSVBVM60.DLL
vaultcli.dll
crypt32.dll
winmm.dll
VBA6.DLL
wsock32.dll
wininet.dll
avicap32.dll
shell32.dll
advapi32.dll
shlwapi.dll
user32.dll
\WINDOWS\SysWow64\msvbvm60.dll
VB6ES.DLL
.dat
Temp

File Access (UNICODE)

\nbminer.exe
\winvnc.exe
\ffmpeg.exe
STUBP.exe
taskkill /F /IM chrome.exe
powershell.exe
\WINVnc.exe
\Teamviewer\Teamviewer.exe
\VNCHooks.dll
\sqlite3.dll
sqlite3.dll
\kll.bat
kll.bat
\Log_iApps.txt
\Log_Conex.txt
\Log_Regedit.txt
/Log_Files.txt
\Log_Files.txt
\Log_P.txt
\pshell.txt
\Log_C.txt
\Log_Wind.txt
\Log_Win.txt
\Log_Serv.txt
\Log_Proc.txt
Exec - powershell.exe -NoProfile -ExecutionPolicy Bypass -Command
Temp
ProgramFiles
AppData

SQL Queries

SELECT name, rootpage, sql FROM '%q'.%s WHERE %s
SELECT idx, stat FROM %Q.sqlite_stat1
SELECT name, rootpage, sql FROM '%q'.%s
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14)FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence'AND rootpage>0
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21)FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';'FROM sqlite_master WHERE type = 'table' AND name!='sqlite_sequence'AND rootpage>0
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
SELECT type, name, tbl_name, rootpage, sql FROM sqlite_masterWHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
select count(*), ifnull(max(level),0) from %_segdir
select start_block, leaves_end_block, root from %_segdir order by level desc, idx asc
select start_block, leaves_end_block, root from %_segdir where level = ? and idx = ?
select min(start_block), max(end_block) from %_segdir where level = ? and start_block <> 0
select start_block, leaves_end_block, root from %_segdir where level = ? order by idx
select max(idx) from %_segdir where level = ?
select block from %_segments where blockid = ?
select docid from %_content limit 1
select block from %_segments where blockid between ? and ? order by blockid
SELECT parentnode FROM '%q'.'%q_parent' WHERE nodeno = :1
SELECT nodeno FROM '%q'.'%q_rowid' WHERE rowid = :1
SELECT data FROM '%q'.'%q_node' WHERE nodeno = :1
INSERT INTO %Q.%s VALUES('index',%Q,%Q,%d,%Q);
INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')
INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';'FROM sqlite_master WHERE type = 'table' AND name!='sqlite_sequence'AND rootpage>0
INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
INSERT INTO vacuum_db.sqlite_masterSELECT type, name, tbl_name, rootpage, sql FROM sqlite_masterWHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
insert into %_segdir values (?, ?, ?, ?, ?, ?)
insert into %_segments (blockid, block) values (null, ?)
insert into %_content (docid,
INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
CREATE TABLE %Q.sqlite_stat1(tbl,idx,stat)
CREATE TABLE
CREATE TABLE %Q.sqlite_sequence(name,seq)
CREATE TABLE sqlite_master( type text, name text, tbl_name text, rootpage integer, sql text)
CREATE TABLE vacuum_db.' || substr(sql,14)FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence'AND rootpage>0
CREATE TABLE x
CREATE TABLE %_content(
create table %_segments( blockid INTEGER PRIMARY KEY, block blob);
create table %_segdir( level integer, idx integer, start_block integer, leaves_end_block integer, end_block integer, root blob, primary key(level, idx));
CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
CREATE TABLE x(%s
DROP TABLE to delete table %s
drop table if exists %_content;drop table if exists %_segments;drop table if exists %_segdir;
DROP TABLE '%q'.'%q_node';DROP TABLE '%q'.'%q_rowid';DROP TABLE '%q'.'%q_parent';
DELETE FROM %Q.sqlite_stat1 WHERE tbl=%Q
DELETE FROM %s.sqlite_sequence WHERE name=%Q
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
DELETE FROM %Q.%s WHERE name=%Q
DELETE FROM %Q.sqlite_stat1 WHERE idx=%Q
DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
delete from %_segdir
delete from %_segdir where level = ?
delete from %_segments
delete from %_segments where blockid between ? and ?
delete from %_content where docid = ?
DELETE FROM '%q'.'%q_parent' WHERE nodeno = :1
DELETE FROM '%q'.'%q_rowid' WHERE rowid = :1
DELETE FROM '%q'.'%q_node' WHERE nodeno = :1
SELECT * FROM logins
Select * from AntiVirusProduct
Select * from FirewallProduct
Select Name from Win32_Process Where Name = '

Interest's Words

PADDINGX
Encrypt
Decrypt
PassWord
exec
attrib
start
hostname
sdelete
shutdown
defrag
ping
expand
replace

Interest's Words (UNICODE)

Virus
taskkill
wscript
exec
powershell
taskkill
attrib
start
comspec
regedit
shutdown
ping
expand

Anti-VM/Sandbox/Debug Tricks (UNICODE)

LabTools - regedit

URLs (UNICODE)

https://ifconfig.me/

IP Addresses

255.255.255.255

PE Carving

Start Offset Header	End Offset	Size (Bytes)
0	2D148	2D148
2D148	A9000	7BEB8

Strings/Hex Code Found With The File Rules

Rule Type	Encoding	Matched (Word)
Text	Ascii	WinAPI Sockets (WSACleanup)
Text	Ascii	WinAPI Sockets (bind)
Text	Unicode	WinAPI Sockets (bind)
Text	Ascii	WinAPI Sockets (listen)
Text	Ascii	WinAPI Sockets (accept)
Text	Ascii	WinAPI Sockets (connect)
Text	Unicode	WinAPI Sockets (connect)
Text	Ascii	WinAPI Sockets (recv)
Text	Ascii	WinAPI Sockets (send)
Text	Ascii	Registry (RegCreateKeyEx)
Text	Ascii	Registry (RegOpenKeyEx)
Text	Ascii	Registry (RegSetValueEx)
Text	Ascii	File (GetTempPath)
Text	Ascii	File (CopyFile)
Text	Ascii	File (CreateFile)
Text	Ascii	File (WriteFile)
Text	Ascii	File (ReadFile)
Text	Ascii	Anti-Analysis VM (GetVersion)
Text	Ascii	Reconnaissance (FindFirstFileA)
Text	Ascii	Reconnaissance (FindNextFileA)
Text	Ascii	Reconnaissance (FindClose)
Text	Ascii	Stealth (CloseHandle)
Text	Ascii	Stealth (VirtualAlloc)
Text	Ascii	Execution (CreateProcessA)
Text	Ascii	Execution (ShellExecute)
Text	Unicode	Privileges (SeBackupPrivilege)
Text	Unicode	Privileges (SeRestorePrivilege)
Text	Unicode	Keyboard Key (Scroll)
Text	Ascii	Malicious code executed after exploiting a vulnerability (Payload)
Text	Ascii	Unauthorized movement of funds or data (Transfer)
Text	Ascii	Technique used to circumvent security measures (Bypass)
Text	Unicode	Technique used to circumvent security measures (Bypass)
Text	Ascii	Abuse of power for personal gain or unethical purposes (Corruption)
Entry Point	Hex Pattern	Microsoft Visual Basic 5.0
Entry Point	Hex Pattern	Microsoft Visual Basic v5.0
Entry Point	Hex Pattern	Microsoft Visual Basic v5.0 - v6.0
Entry Point	Hex Pattern	Microsoft Visual Basic v5.0

Resources

Path	DataRVA	Size	FileOffset	Code	Text	PE/Payload
\DATA\1\0	2F0FC	49	2D0FC	5309667E43065C475757025AA9A9A954066267A9A9A94174263115000AA9A9A926720EA9A9A931583522391C23592C2CA9A9A9114637381D4310A9A9A9477104003671302842A9A9A9	S.f~C.\GWW.Z...T.bg...At&1......&r....1X5"9.Y,,....F78.C....Gq..6q0(B...	N/A
\SQL\1\3082	2F148	7ADA4	2D148	4D5A90000300000004000000FFFF0000B8000000000000004000000000000000000000000000000000000000000000000000	MZ......................@.........................	(Executable found)
\VERSION\1\3082	A9EEC	220	A7EEC	200234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000	.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............	N/A

Intelligent String

• .bss
• MSVBVM60.DLL
• VB6ES.DLL
• C:\Users\shark\Desktop\Prodigy Bot 3 [ Source ]\Server\Bot.vbp
• SELECT * FROM logins
• sqlite3.dll
• C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLBVB
• c:\windows\syswow64\msvbvm60.dll
• kernel32.dll
• user32.dll
• advapi32.dll
• avicap32.dll
• \nbminer.exe
• \nbminer.exe -a octopus -o
• \sqlite3.dll
• .exe
• VBA6.DLL
• winmm.dll
• \vscreen.jpg
• \vwebcam.jpg
• runas
• \ffmpeg.exe
• \Log_Proc.txt
• C:\Program Files (x86)\Microsoft Visual Studio\VB98\VBA6.dll
• .txt
• \Log_Serv.txt
• \Log_Win.txt
• \Log_Wind.txt
• kll.bat
• \kll.bat
• attrib -h -s -r %1
• \Teamviewer\Teamviewer.exe
• \WINVnc.exe
• \winvnc.exe -service
• \winvnc.exe -run
• \winvnc.exe -connect
• \VNCHooks.dll
• \Log_C.txt
• \pshell.txt
• powershell.exe -NoProfile -ExecutionPolicy Bypass -Command
• \ffmpeg.exe -f gdigrab -i desktop -vcodec libx264
• \Mic.wav
• .wav
• cmd /c move
• shutdown /f /r /t 0
• shutdown /f /s /t 0
• taskkill /F /IM chrome.exe
• \Local\Google\Chrome\User Data\Default\Login Data
• vaultcli.dll
• \Log_P.txt
• .jpg
• .bmp
• \Log_Files.txt
• /Log_Files.txt
• \ffmpeg.exe -list_devices true -f dshow -i dummy
• \Log_Regedit.txt
• \Log_Conex.txt
• s:\\.\root\default:StdRegProv
• \Log_iApps.txt
• 255.255.255.255
• COMSPEC
• @KERNEL32.dll
• STUBP.exe

Flow Anomalies

Offset	RVA	Section	Description
10F0	40104C	.text	JMP [static] \| Indirect jump to absolute memory address
10F6	4010AC	.text	JMP [static] \| Indirect jump to absolute memory address
10FC	40101C	.text	JMP [static] \| Indirect jump to absolute memory address
1102	401058	.text	JMP [static] \| Indirect jump to absolute memory address
1108	401028	.text	JMP [static] \| Indirect jump to absolute memory address
110E	401068	.text	JMP [static] \| Indirect jump to absolute memory address
1114	4010DC	.text	JMP [static] \| Indirect jump to absolute memory address
111A	401048	.text	JMP [static] \| Indirect jump to absolute memory address
1120	40106C	.text	JMP [static] \| Indirect jump to absolute memory address
1126	40107C	.text	JMP [static] \| Indirect jump to absolute memory address
112C	4010B8	.text	JMP [static] \| Indirect jump to absolute memory address
1132	401078	.text	JMP [static] \| Indirect jump to absolute memory address
1138	4010CC	.text	JMP [static] \| Indirect jump to absolute memory address
113E	4010D0	.text	JMP [static] \| Indirect jump to absolute memory address
1144	401074	.text	JMP [static] \| Indirect jump to absolute memory address
114A	4010A0	.text	JMP [static] \| Indirect jump to absolute memory address
1150	4010A8	.text	JMP [static] \| Indirect jump to absolute memory address
1156	4010A4	.text	JMP [static] \| Indirect jump to absolute memory address
115C	401044	.text	JMP [static] \| Indirect jump to absolute memory address
1162	401014	.text	JMP [static] \| Indirect jump to absolute memory address
1168	4010E0	.text	JMP [static] \| Indirect jump to absolute memory address
116E	401008	.text	JMP [static] \| Indirect jump to absolute memory address
1174	401084	.text	JMP [static] \| Indirect jump to absolute memory address
117A	401010	.text	JMP [static] \| Indirect jump to absolute memory address
1180	401030	.text	JMP [static] \| Indirect jump to absolute memory address
1186	401018	.text	JMP [static] \| Indirect jump to absolute memory address
118C	401040	.text	JMP [static] \| Indirect jump to absolute memory address
1192	40102C	.text	JMP [static] \| Indirect jump to absolute memory address
1198	4010D4	.text	JMP [static] \| Indirect jump to absolute memory address
119E	401004	.text	JMP [static] \| Indirect jump to absolute memory address
11A4	401080	.text	JMP [static] \| Indirect jump to absolute memory address
11AA	40109C	.text	JMP [static] \| Indirect jump to absolute memory address
11B0	4010C4	.text	JMP [static] \| Indirect jump to absolute memory address
11B6	40108C	.text	JMP [static] \| Indirect jump to absolute memory address
11BC	401094	.text	JMP [static] \| Indirect jump to absolute memory address
11C2	4010BC	.text	JMP [static] \| Indirect jump to absolute memory address
11C8	401038	.text	JMP [static] \| Indirect jump to absolute memory address
11CE	4010D8	.text	JMP [static] \| Indirect jump to absolute memory address
11D4	40100C	.text	JMP [static] \| Indirect jump to absolute memory address
11DA	401088	.text	JMP [static] \| Indirect jump to absolute memory address
11E0	401034	.text	JMP [static] \| Indirect jump to absolute memory address
11E6	4010B0	.text	JMP [static] \| Indirect jump to absolute memory address
11EC	401024	.text	JMP [static] \| Indirect jump to absolute memory address
11F2	401020	.text	JMP [static] \| Indirect jump to absolute memory address
11F8	401050	.text	JMP [static] \| Indirect jump to absolute memory address
11FE	4010C0	.text	JMP [static] \| Indirect jump to absolute memory address
1204	401098	.text	JMP [static] \| Indirect jump to absolute memory address
120A	4010B4	.text	JMP [static] \| Indirect jump to absolute memory address
1210	401070	.text	JMP [static] \| Indirect jump to absolute memory address
1216	401064	.text	JMP [static] \| Indirect jump to absolute memory address
121C	401060	.text	JMP [static] \| Indirect jump to absolute memory address
1222	401090	.text	JMP [static] \| Indirect jump to absolute memory address
1228	40105C	.text	JMP [static] \| Indirect jump to absolute memory address
122E	40103C	.text	JMP [static] \| Indirect jump to absolute memory address
1234	401054	.text	JMP [static] \| Indirect jump to absolute memory address
123A	401000	.text	JMP [static] \| Indirect jump to absolute memory address
1240	4010C8	.text	JMP [static] \| Indirect jump to absolute memory address
F887	BFF283A	.text	JMP [static] \| Indirect jump to absolute memory address
112D2	4008F1B	.text	JMP [static] \| Indirect jump to absolute memory address
12827	4FF283A	.text	JMP [static] \| Indirect jump to absolute memory address
1284C	8FF283A	.text	JMP [static] \| Indirect jump to absolute memory address
12871	8FF283A	.text	JMP [static] \| Indirect jump to absolute memory address
1474C	1A5C0000	.text	CALL [static] \| Indirect call to absolute memory address
173EF	7A7000F4	.text	CALL [static] \| Indirect call to absolute memory address
173F5	40277000	.text	CALL [static] \| Indirect call to absolute memory address
17563	7A7000F4	.text	CALL [static] \| Indirect call to absolute memory address
17569	402E48FE	.text	CALL [static] \| Indirect call to absolute memory address
176D7	7A7000F4	.text	CALL [static] \| Indirect call to absolute memory address
176DD	4029B8FF	.text	CALL [static] \| Indirect call to absolute memory address
179BF	7A7000F4	.text	CALL [static] \| Indirect call to absolute memory address
179C5	402C0000	.text	CALL [static] \| Indirect call to absolute memory address
17B33	7A7000F4	.text	CALL [static] \| Indirect call to absolute memory address
17B39	40252800	.text	CALL [static] \| Indirect call to absolute memory address
188E2	402770	.text	CALL [static] \| Indirect call to absolute memory address
18A76	402528	.text	CALL [static] \| Indirect call to absolute memory address
18C0A	402E48	.text	CALL [static] \| Indirect call to absolute memory address
18D9E	402C00	.text	CALL [static] \| Indirect call to absolute memory address
18F32	4029B8	.text	CALL [static] \| Indirect call to absolute memory address
1AF0B	3FE	.text	CALL [static] \| Indirect call to absolute memory address
1B0F7	28FF546C	.text	CALL [static] \| Indirect call to absolute memory address
1B2E3	48000000	.text	CALL [static] \| Indirect call to absolute memory address
1B4CF	48000000	.text	CALL [static] \| Indirect call to absolute memory address
1B6BB	700A04FE	.text	CALL [static] \| Indirect call to absolute memory address
1C760	700A04FE	.text	JMP [static] \| Indirect jump to absolute memory address
1DCD3	5FF7004	.text	JMP [static] \| Indirect jump to absolute memory address
1DD0C	25FF1027	.text	JMP [static] \| Indirect jump to absolute memory address
1DD10	25FF3027	.text	JMP [static] \| Indirect jump to absolute memory address
1DD14	25FF5027	.text	JMP [static] \| Indirect jump to absolute memory address
1DD18	46FF786C	.text	JMP [static] \| Indirect jump to absolute memory address
1DD1F	24007705	.text	JMP [static] \| Indirect jump to absolute memory address
1DE1E	25FF1027	.text	JMP [static] \| Indirect jump to absolute memory address
1DE22	25FF3027	.text	JMP [static] \| Indirect jump to absolute memory address
1DE26	6EEB64F4	.text	JMP [static] \| Indirect jump to absolute memory address
1DE32	6EEB64F4	.text	JMP [static] \| Indirect jump to absolute memory address
1DE3E	37EB00F4	.text	JMP [static] \| Indirect jump to absolute memory address
1DE7D	5FF7004	.text	JMP [static] \| Indirect jump to absolute memory address
1EDDB	5FF7004	.text	JMP [static] \| Indirect jump to absolute memory address
20EA5	6B110001	.text	JMP [static] \| Indirect jump to absolute memory address
21F5D	30FEEC28	.text	JMP [static] \| Indirect jump to absolute memory address
21F85	30FEEC28	.text	JMP [static] \| Indirect jump to absolute memory address
42ADA-42AF7	N/A	.rsrc	Unusual NOPS Space, count: 30
55C39-55C57	N/A	.rsrc	Unusual NOPS Space, count: 31
58B39-58B57	N/A	.rsrc	Unusual NOPS Space, count: 31
59ED9-59EF7	N/A	.rsrc	Unusual NOPS Space, count: 31
5A47A-5A497	N/A	.rsrc	Unusual NOPS Space, count: 30
5AF1A-5AF37	N/A	.rsrc	Unusual NOPS Space, count: 30
5E759-5E777	N/A	.rsrc	Unusual NOPS Space, count: 31
5FDB9-5FDD7	N/A	.rsrc	Unusual NOPS Space, count: 31
660F9-66117	N/A	.rsrc	Unusual NOPS Space, count: 31
66999-669B7	N/A	.rsrc	Unusual NOPS Space, count: 31
6A0FA-6A117	N/A	.rsrc	Unusual NOPS Space, count: 30
79E7A-79E97	N/A	.rsrc	Unusual NOPS Space, count: 30
7DFD9-7DFF7	N/A	.rsrc	Unusual NOPS Space, count: 31

Extra Analysis

Metric	Value	Percentage
Ascii Code	394273	56,9574%
Null Byte Code	133186	19,2403%
NOP Cave Found	0x9090909090	Block Count: 461 \| Total: 0,1665%

PESCAN.IO - Analysis Report Basic