PESCAN.IO - Analysis Report Basic

Information
Size: 5,76 MB
SHA-256 Hash: 990C9BAFD9A51573F252514B7874854E11F612721F6FBD21957B3DFB370493BD
SHA-1 Hash: DE114B32E47C8AD46DF32307D8B59732615BE97F
MD5 Hash: 44E34648B75684F8CC30272089CE0F63
Imphash: E5A68BC2C1DAD193D19657B013300B62
MajorOSVersion: 6
MinorOSVersion: 0
CheckSum: 005CB4FE
EntryPoint (rva): 46845C
SizeOfHeaders: 400
SizeOfImage: 5C7000
ImageBase: 400000
Architecture: x86
ImportTable: 5C5C22
IAT: 4A7000
Characteristics: 102
TimeDateStamp: 67ECD822
Date: 02/04/2025 6:24:34
File Type: EXE
Number Of Sections: 6
ASLR: Enabled
Section Names: .text, .rdata, .data, .rsrc, .reloc, .merged
Number Of Executable Sections: 2
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker

Sections Info
Section Name Flags ROffset RSize VOffset VSize Entropy Chi2
.text 60000020 (Code, Executable, Readable) 400 1C00 1000 1B0B 7,8990 2306,71
.rdata 40000040 (Initialized Data, Readable) 2000 1400 3000 137E 7,7842 5039,40
.data C0000040 (Initialized Data, Readable, Writeable) 3400 200 5000 3D0 7,5767 262,00
.rsrc 40000040 (Initialized Data, Readable) 3600 1000 6000 E98 4,8713 115380,63
.reloc 42000040 (Initialized Data, GP-Relative, Readable) 4600 400 7000 2E8 6,4711 19552,50
.merged E0000020 (Code, Executable, Readable, Writeable) 4A00 5BEC00 8000 5BF000 7,0137 37039152,87

Description
OriginalFilename: cttt.exe
ProductName: cttt
FileVersion: 2025.9.0.0
FileDescription: CT Testing Tool
ProductVersion: 2025.9
Language: English (United States) (ID=0x409)
CodePage: Western European (Windows 1252) (0x4E4)

Entry Point
Section number 6 (.merged) contains the Entry Point
Information -> EntryPoint (calculated) - 464E5C
Code -> 608925A0A79000892DA4A79000E91250BBFFCCCC8B25A0A790008B2DA4A7900061FF2504208D00CCCCCCCCCCCCCCCCCCCCCC
PUSHAD
MOV DWORD PTR [0X90A7A0], ESP
MOV DWORD PTR [0X90A7A4], EBP
JMP 0XFFBB6024
INT3
INT3
MOV ESP, DWORD PTR [0X90A7A0]
MOV EBP, DWORD PTR [0X90A7A4]
POPAL
JMP DWORD PTR [0X8D2004]
INT3
INT3
INT3
INT3
INT3
INT3
INT3
INT3
INT3
INT3
INT3
EP changed to another address -> (Address Of EntryPoint > Base Of Data)

Signatures
Rich Signature Analyzer:
Code -> 837816D2C7197881C7197881C7197881CE61EB81CD197881D69F7980C5197881D69F7B80C5197881D69F7C80CB197881D69F7D80D4197881439F7980C5197881B3987980C2197881C7197981901978813F9E7080C61978813F9E8781C61978813F9E7A80C619788152696368C7197881
Footprint md5 Hash -> 3A475B7DEDA72AD253E461015EF4CE56
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler
Detect It Easy (die)
PE: protection: Hardlock dongle reference(-)[-]
PE: protection: NetHASP dongle reference(-)[-]
PE: linker: Microsoft Linker(14.43**)[-]
Entropy: 7.0157

Suspicious Functions
Library Function Description
KERNEL32.DLL CreateMutexA Create a named or unnamed mutex object for controlling access to a shared resource.
KERNEL32.DLL GetModuleFileNameA Retrieve the fully qualified path for the executable file of a specified module.
KERNEL32.DLL VirtualAlloc Reserve, commit, or both, a region of memory within the virtual address space of a process.
KERNEL32.DLL GetModuleHandleA Retrieves a handle to the specified module.
KERNEL32.DLL WriteFile Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL LoadLibraryA Loads the specified module into the address space of the calling process.
KERNEL32.DLL CreateToolhelp32Snapshot Creates a snapshot of the specified processes, heaps, threads, and modules.
KERNEL32.DLL WriteProcessMemory Writes data to an area of memory in a specified process.
KERNEL32.DLL ReadProcessMemory Reads data from an area of memory in a specified process.
KERNEL32.DLL GetProcAddress Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL CreateFileA Creates or opens a file or I/O device.
KERNEL32.DLL IsDebuggerPresent Determines if the calling process is being debugged by a user-mode debugger.
Ws2_32.DLL socket Create a communication endpoint for networking applications.
Ws2_32.DLL connect Establish a connection to a specified socket.
ADVAPI32.DLL RegCreateKeyExA Creates a new registry key or opens an existing one.
ADVAPI32.DLL RegSetValueExA Sets the data and type of a specified value under a registry key.
ADVAPI32.DLL RegDeleteValueA Removes a named value from the specified registry key. Note that value names are not case sensitive.

Windows REG
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards
SOFTWARE\Microsoft\Cryptography
Software\Wine\Wine\Config
Software\Aladdin\winehasp
Software\Wine
SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters
SYSTEM\CurrentControlSet\Services\hasplms\Parameters
SYSTEM\CurrentControlSet\Control\Terminal Server\
SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
System\CentralProcessor\0
System\CurrentControlSet\Control\ProductOptions

File Access
api-ms-win-crt-heap-l1-1-0.dll
api-ms-win-crt-locale-l1-1-0.dll
api-ms-win-crt-math-l1-1-0.dll
api-ms-win-crt-runtime-l1-1-0.dll
api-ms-win-crt-stdio-l1-1-0.dll
VCRUNTIME140.dll
KERNEL32.dll
python312.dll
USER32.dll
ADVAPI32.DLL
PSAPI.DLL
DHCPCSVC.DLL
IPHLPAPI.DLL
CFGMGR32.DLL
SETUPAPI.DLL
HID.DLL
WSOCK32.DLL
RPCRT4.DLL
WFAPI.DLL
WTSAPI32.DLL
API_1LNM.DLL
WINBRAND.DLL
NTDLL.DLL
WS2_32.DLL
VERSION.DLL
SHELL32.DLL
v3patch_d.dll
ucrtbase.dll
msvcrt.dll
kernelbase.dll
.dll
@.dat
%s%s.log
nethasp.ini
Fridge is disabled in the API .ini
hasp_%d.ini
hasp_demo.ini
hasp.ini
Temp
AppData

File Access (UNICODE)
cttt.exe
hasp_rt.exe
mscoree.dll
$@kernel32.dll

Words of Interest
PADDINGX
Encrypt
Decrypt
Encryption
PassWord
<table
exec
attrib
start
hostname
shutdown
systeminfo
ping

URLs
http://schemas.microsoft.com/SMI/2016/WindowsSettings
http://www.winimage.com/zLibDll
http://%s:%d/api
http://localhost:8080
http://127.0.0.1:8080

IP Addresses
127.0.0.1
255.255.255.255

Strings/Hex Code Found With The File Rules
Rule Type Encoding Matched (Word)
Text Ascii WinAPI Sockets (WSACleanup)
Text Ascii WinAPI Sockets (bind)
Text Ascii WinAPI Sockets (listen)
Text Ascii WinAPI Sockets (accept)
Text Ascii WinAPI Sockets (connect)
Text Ascii WinAPI Sockets (recv)
Text Ascii WinAPI Sockets (send)
Text Ascii Registry (RegCreateKeyEx)
Text Ascii Registry (RegOpenKeyEx)
Text Ascii Registry (RegSetValueEx)
Text Ascii File (CopyFile)
Text Ascii File (CreateFile)
Text Ascii File (WriteFile)
Text Ascii File (ReadFile)
Text Ascii Anti-Analysis VM (IsDebuggerPresent)
Text Ascii Anti-Analysis VM (GetSystemInfo)
Text Ascii Anti-Analysis VM (GetVersion)
Text Ascii Anti-Analysis VM (CreateToolhelp32Snapshot)
Text Ascii Reconnaissance (FindFirstFileA)
Text Ascii Reconnaissance (FindNextFileA)
Text Ascii Reconnaissance (FindFirstFileW)
Text Ascii Reconnaissance (FindNextFileW)
Text Ascii Reconnaissance (FindClose)
Text Ascii Stealth (GetThreadContext)
Text Ascii Stealth (ExitThread)
Text Ascii Stealth (ReleaseSemaphore)
Text Ascii Stealth (CloseHandle)
Text Ascii Stealth (UnmapViewOfFile)
Text Ascii Stealth (MapViewOfFile)
Text Ascii Stealth (CreateFileMappingA)
Text Ascii Stealth (VirtualAlloc)
Text Ascii Stealth (VirtualProtect)
Text Ascii Stealth (ReadProcessMemory)
Text Ascii Stealth (NtUnmapViewOfSection)
Text Ascii Execution (CreateProcessA)
Text Ascii Execution (CreateProcessW)
Text Ascii Execution (ResumeThread)
Text Ascii Execution (CreateSemaphoreA)
Text Ascii Execution (CreateSemaphoreW)
Text Ascii Execution (CreateEventA)

Resources
Path DataRVA Size FileOffset Code Text
\ICON\1\0 6178 468 3778 280000001000000020000000010020000000000000040000130B0000130B0000000000000000000000000000000000000000 (....... ..... ...................................
\STRING\1\1033 65E0 9C 3BE0 00003E004A00750073007400200074006F00200065006E007300750072006500200074006800610074002000620075006700 ..>.J.u.s.t. .t.o. .e.n.s.u.r.e. .t.h.a.t. .b.u.g.
\GROUP_ICON\1\0 667C 14 3C7C 0000010001001010000001002000680400000100 ............ .h.....
\VERSION\1\0 6690 2C0 3C90 C00234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000900 ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
\24\1\1033 6950 545 3F50 3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E653D2279 <?xml version="1.0" encoding="UTF-8" standalone="y

Intelligent String
• cttt.exe
• <longPathAware xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">true</longPathAware>
• kernel32.dll
• kernelbase.dll
• msvcrt.dll
• ucrtbase.dll
• unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
• zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
• $@kernel32.dll
• mscoree.dll
• KERNEL32.dll
• ADVAPI32.dll
• </hasp_info>HASP API DLL dynamically unloaded with alive logins.
• Global\SafeNet-SentinelLMFailed to initialize wallereq (syserr %d/%s)
• accesserroraccess_demoerror_demoaccess_%derror_%dhasp.inihasp_demo.inihasp_%d.ini%s%s%s%s/%sGlobal\SafeNet-SentinelLMSYSTEM\CurrentControlSet\Services\hasplms\ParametersVersionCannot init sockets (syserr %d/%s)
• \\.\pipe\SafeNet-SentinelPIPE-%u-%u<haspformat format="host_fingerprint"<haspformat root="hasp_info"><host_fingerprint </haspformat>
• <maxlogins>unlimited</maxlogins>
• <maxlogins>%u</maxlogins>
• <currentlogins>%u</currentlogins>
• hasp_rt.exe
• apiuid_reqapiuid_replylogin_reqlogin_replylogin_ex_reqlogin_ex_replylogout_reqlogout_replyget_size_reqget_size_replyget_rtc_reqget_rtc_replysetup_schan_reqsetup_schan_replywrite_reqwrite_replyread_reqread_replyencrypt_reqdecrypt_reqencrypt_replydecrypt_replyv2c_reqv2c_replyc2v_reqc2v_replyget_info_xml_reqget_info_xml_replyparse_scope_reqparse_scope_replyset_idletime_reqset_idletime_replyali_h2r_reqali_h2r_replyapi_c2v_innervli_setup_schan_yke0vli_setup_schan_yke1vli_setup_schan_yke2yke_stage0yke_stage1yke_stage2vli_datainvli_dataouttsd_fp_containercommuter_infocert_commuter_infocert_c2v_friendly_infocert_rehosted_liclistali_vlib_reqali_vlib_replyali_vm_dyn_execute_reqali_vm_dyn_execute_replyvli_cert_container_info_replytsd_identity_containerupdate_session_requpdate_session_reply
• %s[%s:%d]%s:%dPOST http://%s:%d/api HTTP/1.1
• %s, %02d %s %d %02d:%02d:%02d GMT/%s %s %d, %04d %02d:%02d:%02d%s %s %d, %02d:%02d:%02d://-------ABCDEFGHIJKLMNOPQRSTUVWXYZ234567SunMonTueWedThuFriSatJanFebMarAprMayJunJulAugSepOctNovDecKERNEL32.DLLADVAPI32.DLLUSER32.DLLWSOCK32.DLLIPHLPAPI.DLLRegOpenKeyExARegQueryValueExARegCloseKeyRegSetValueExARegDeleteValueARegCreateKeyExARegEnumKeyExASetSecurityInfoGetSecurityInfoSetEntriesInAclWInitializeSecurityDescriptorSetSecurityDescriptorDaclGetUserNameAGetUserNameWIsValidSidGetSidSubAuthorityGetSidSubAuthorityCountGetTokenInformationOpenProcessTokenAllocateAndInitializeSidCheckTokenMembershipFreeSidMessageBoxAGetSystemMetricsWSAStartupsocketgetsocknameselectclosesocketconnectsetsockoptsendrecvWSAGetLastErrorgethostnamehtonlhtonsntohs__WSAFDIsSetProcessIdToSessionIdGlobal\SafeNet-SentinelSCID-%u
• %sLogin timeout cannot be changed anymore %s
• C:\SOFTWARE\Microsoft\CryptographyMachineGuidSYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParametersBootIdBaseTimeFailed to lock lm (syserr %d/%s)
• RtlGetNtVersionNumbersBuild %dHARDWARE\DESCRIPTION\System\CentralProcessor\0IdentifierSYSTEM\CurrentControlSet\Services\hasplms\ParametersPortinstalledresethttp://localhost:8080http://127.0.0.1:808000100000040960000000200disk0nonolocalundefined0172030anyone1008080000Error writing configuration file '%s'
• %smailto%sadminusernameadminadminusername%sadminpassword%s:%s:%dadminpassword%s:%sadminpassword%ddisable_commuting%dcut_and_paste_v2c%drequestlog%derrorlogheaders%ssocketlogfull%ssocketlog%dsyslog%dsyslog_facility%dsyslog_rfc3164%ssyslog_client_addr%dno_auto_fwup%dno_disk_write%dgetinfo_uncached0%sload_balancingserver%sload_balancingcontainer%sload_balancingsticky%sload_balancing%sdefaulthostname%sforcehostname%uconn_priority_timeout%uconn_empty_timeout%uconn_wan_empty_timeout%uconn_req_empty_timeout%uconn_total_timeout%uconn_login_cache_timeout%uconn_info_cache_timeout%dconn_wait_for_all1ignore_unknown_options%ddisable_integrated_hl%ddisable_integrated_sl%ddisable_integrated_net%dproxy%sproxy_host%dproxy_port%sproxy_username%sproxy_password%dbroadcastsearchError reading configuration file '%s'
• Global\hasp-fridge-user-vendor-lockFailed to create the fridge global vendor lock (error 0x%x) (syserr %d/%s)
• 127.0.0.1::1255.255.255.255.255127.0.0.1localhost127.0.0.10.0.0.0::::ffff:Failed to create ipaddr lock (syserr %d/%s)
• ,(xlm_api_login_ex_reply
• HASP-SL-AdminModeHASP-SL-UserModeKilledExpirednetwork,display,local,process,station,login,display,user-id,virtual-machine,user-supplied,hasphl,sentinelhl,driverless,superpro,dog,haspsl-legacy,haspsl-adminmode,haspsl-usermode,0x%02XMidiMiniMaxiExpressCardMicroChipBoardMidiDisablePMType1FQDNPMType2PMType3PMType4CL:%sCLCP:%dDisableVMType1FQDNVMType2VMType3CL:%sCLVMType4CP:%dv2cLicense is corrupt/invalid (error 0x%x)
• WALLE driver failed to execute LOGIN command (error 0x%x)
• Sentinel HL %llu failed to execute LOGIN command (error 0x%x)
• \\.\PhysicalDrive%u\\.\PhysicalDrive%uUSB\VID_0529&USB\VID_13FE&USB\VID_05E3&USB\VID_0424&%x
• Global\hasp-fridge-user-lock
• fFailed to create the LM shared memory mutex
• 127.0.0.1
• nethasp.ini
• \\.\VmGenerationCounterloginLicense use requires a more recent %d.%d License Manager than %d.%d
• localfeature idloginexLicense use requires a more recent %d.%d License Manager than %d.%d
• %d%d%d%d0x%08XProcessStationLoginDisplayUserIDVMsupp.Loc Net Disp <nobr>Time Period (0 Seconds) (%u Days %u Hrs %u Min %u Sec)</nobr><br>Not started<br><nobr>Start: </nobr><br><nobr>End: </nobr>Expiration Date<br><nobr></nobr>Expiration Date (Range)<br><nobr>Start: </nobr><br><nobr>End: </nobr>Executions<br>None left<br>%d leftUnknownInvalidNoneBad license type:<br> %d<br><nobr></nobr><br><nobr>Disabled in VM</nobr>
• Login denied due to user restrictions
• Login denied because this machine is disabled
• Login denied because the fingerprint cannot be fetched from this machine or the fingerprint fetched from this machine is not in correct format

Flow Anomalies
Offset RVA Section Description
4A56 8A732C .merged CALL [static] | Indirect call to absolute memory address
4AD9 8A732C .merged CALL [static] | Indirect call to absolute memory address
4B2A 8A732C .merged CALL [static] | Indirect call to absolute memory address
4C4A 8A732C .merged CALL [static] | Indirect call to absolute memory address
4FD0 8A732C .merged CALL [static] | Indirect call to absolute memory address
508F 8A732C .merged CALL [static] | Indirect call to absolute memory address
5136 8A732C .merged CALL [static] | Indirect call to absolute memory address
5228 8A732C .merged CALL [static] | Indirect call to absolute memory address
5319 8A732C .merged CALL [static] | Indirect call to absolute memory address
5338 8A700C .merged CALL [static] | Indirect call to absolute memory address
5626 8A732C .merged CALL [static] | Indirect call to absolute memory address
56DC 8A732C .merged CALL [static] | Indirect call to absolute memory address
5705 8A732C .merged CALL [static] | Indirect call to absolute memory address
5853 8A732C .merged CALL [static] | Indirect call to absolute memory address
58F3 8A732C .merged CALL [static] | Indirect call to absolute memory address
59D2 8A732C .merged CALL [static] | Indirect call to absolute memory address
5AA1 8A7018 .merged CALL [static] | Indirect call to absolute memory address
5B82 8A732C .merged CALL [static] | Indirect call to absolute memory address
5D2E 8A732C .merged CALL [static] | Indirect call to absolute memory address
5EAE 8A732C .merged CALL [static] | Indirect call to absolute memory address
5F5F 8A732C .merged CALL [static] | Indirect call to absolute memory address
5F7B 8A732C .merged CALL [static] | Indirect call to absolute memory address
6084 8A732C .merged CALL [static] | Indirect call to absolute memory address
6139 8A732C .merged CALL [static] | Indirect call to absolute memory address
61D6 8A732C .merged CALL [static] | Indirect call to absolute memory address
6234 8A732C .merged CALL [static] | Indirect call to absolute memory address
6293 8A732C .merged CALL [static] | Indirect call to absolute memory address
63B1 8A732C .merged CALL [static] | Indirect call to absolute memory address
63D5 8A732C .merged CALL [static] | Indirect call to absolute memory address
6457 8A732C .merged CALL [static] | Indirect call to absolute memory address
66BD 8A732C .merged CALL [static] | Indirect call to absolute memory address
67BA 8A732C .merged CALL [static] | Indirect call to absolute memory address
683F 8A732C .merged CALL [static] | Indirect call to absolute memory address
6903 8A732C .merged CALL [static] | Indirect call to absolute memory address
696D 8A732C .merged CALL [static] | Indirect call to absolute memory address
6A03 8A732C .merged CALL [static] | Indirect call to absolute memory address
6C7B 8A732C .merged CALL [static] | Indirect call to absolute memory address
6C9A 8A732C .merged CALL [static] | Indirect call to absolute memory address
6CE8 8A732C .merged CALL [static] | Indirect call to absolute memory address
6D88 8A732C .merged CALL [static] | Indirect call to absolute memory address
6E26 8A732C .merged CALL [static] | Indirect call to absolute memory address
6E7E 8A732C .merged CALL [static] | Indirect call to absolute memory address
6EA9 8A732C .merged CALL [static] | Indirect call to absolute memory address
6EF3 8A732C .merged CALL [static] | Indirect call to absolute memory address
705C 8A732C .merged CALL [static] | Indirect call to absolute memory address
70A9 8A732C .merged CALL [static] | Indirect call to absolute memory address
737D 8A732C .merged CALL [static] | Indirect call to absolute memory address
7B3E 338D3D3F .merged JMP [static] | Indirect jump to absolute memory address
7C3D 8A732C .merged CALL [static] | Indirect call to absolute memory address
7EDD 8A732C .merged CALL [static] | Indirect call to absolute memory address
7FAF 8A732C .merged CALL [static] | Indirect call to absolute memory address
80CD 8A732C .merged CALL [static] | Indirect call to absolute memory address
818B 8A732C .merged CALL [static] | Indirect call to absolute memory address
829F 8A732C .merged CALL [static] | Indirect call to absolute memory address
832B 8A732C .merged CALL [static] | Indirect call to absolute memory address
838A 8A732C .merged CALL [static] | Indirect call to absolute memory address
862D 8A732C .merged CALL [static] | Indirect call to absolute memory address
878F 8A732C .merged CALL [static] | Indirect call to absolute memory address
8881 8A732C .merged CALL [static] | Indirect call to absolute memory address
8BAF 8A732C .merged CALL [static] | Indirect call to absolute memory address
8C34 8A732C .merged CALL [static] | Indirect call to absolute memory address
8C55 8A732C .merged CALL [static] | Indirect call to absolute memory address
8CAE 8A732C .merged CALL [static] | Indirect call to absolute memory address
8DFB 8A732C .merged CALL [static] | Indirect call to absolute memory address
8F3D 8A732C .merged CALL [static] | Indirect call to absolute memory address
90BA 8A732C .merged CALL [static] | Indirect call to absolute memory address
90FE 8A732C .merged CALL [static] | Indirect call to absolute memory address
9160 8A7028 .merged CALL [static] | Indirect call to absolute memory address
91F6 8A7020 .merged CALL [static] | Indirect call to absolute memory address
941D 8A732C .merged CALL [static] | Indirect call to absolute memory address
943A 8A732C .merged CALL [static] | Indirect call to absolute memory address
9464 8A732C .merged CALL [static] | Indirect call to absolute memory address
9490 8A732C .merged CALL [static] | Indirect call to absolute memory address
956D 8A732C .merged CALL [static] | Indirect call to absolute memory address
968D 8A732C .merged CALL [static] | Indirect call to absolute memory address
96C1 8A732C .merged CALL [static] | Indirect call to absolute memory address
980C 8A732C .merged CALL [static] | Indirect call to absolute memory address
9A30 8A732C .merged CALL [static] | Indirect call to absolute memory address
9C0F 8A732C .merged CALL [static] | Indirect call to absolute memory address
A036 8A732C .merged CALL [static] | Indirect call to absolute memory address
A111 8A732C .merged CALL [static] | Indirect call to absolute memory address
A165 8A732C .merged CALL [static] | Indirect call to absolute memory address
A39C 8A732C .merged CALL [static] | Indirect call to absolute memory address
A437 8A732C .merged CALL [static] | Indirect call to absolute memory address
A4ED 8A7024 .merged CALL [static] | Indirect call to absolute memory address
A589 8A732C .merged CALL [static] | Indirect call to absolute memory address
A5A7 8A732C .merged CALL [static] | Indirect call to absolute memory address
A874 8A7028 .merged CALL [static] | Indirect call to absolute memory address
AA37 8A732C .merged CALL [static] | Indirect call to absolute memory address
ACA8 8A732C .merged CALL [static] | Indirect call to absolute memory address
B22D 8A732C .merged CALL [static] | Indirect call to absolute memory address
B24B 8A732C .merged CALL [static] | Indirect call to absolute memory address
B554 8A732C .merged CALL [static] | Indirect call to absolute memory address
B8E9 8A732C .merged CALL [static] | Indirect call to absolute memory address
BAAE 8A732C .merged CALL [static] | Indirect call to absolute memory address
BAD3 8A732C .merged CALL [static] | Indirect call to absolute memory address
BFAE 8A732C .merged CALL [static] | Indirect call to absolute memory address
C319 8A732C .merged CALL [static] | Indirect call to absolute memory address
C504 8A732C .merged CALL [static] | Indirect call to absolute memory address
C598 8A732C .merged CALL [static] | Indirect call to absolute memory address
45D93-45DCF N/A .merged Unusual BP Cave, count: 61
89624-8964F N/A .merged Unusual BP Cave, count: 44
C2121-C213F N/A .merged Unusual BP Cave, count: 31
E002F-E004F N/A .merged Unusual BP Cave, count: 33
F4122-F413F N/A .merged Unusual BP Cave, count: 30
147195-1471BF N/A .merged Unusual BP Cave, count: 43
1DE991-1DE9AF N/A .merged Unusual BP Cave, count: 31
287A5F-28825E N/A .merged Unusual NOPS Space, count: 2048
2882F2-288AF1 N/A .merged Unusual NOPS Space, count: 2048
288B42-289341 N/A .merged Unusual NOPS Space, count: 2048
289392-289B91 N/A .merged Unusual NOPS Space, count: 2048
289BEF-28BBEE N/A .merged Unusual NOPS Space, count: 8192
28BC7F-28DC7E N/A .merged Unusual NOPS Space, count: 8192
28DD0F-28FD0E N/A .merged Unusual NOPS Space, count: 8192
28FD92-290591 N/A .merged Unusual NOPS Space, count: 2048
290612-292611 N/A .merged Unusual NOPS Space, count: 8192
2CF7C1-2CF7DF N/A .merged Unusual BP Cave, count: 31
327A51-327A6F N/A .merged Unusual BP Cave, count: 31
329FE1-32A00F N/A .merged Unusual BP Cave, count: 47
341F82-341F9F N/A .merged Unusual BP Cave, count: 30
3A1881-3A189F N/A .merged Unusual BP Cave, count: 31
459CA6-459CDF N/A .merged Unusual BP Cave, count: 58
46B883-46B8AF N/A .merged Unusual BP Cave, count: 45
4A00-5C35FF 8000 .merged Executable section anomaly, first bytes: 568B442408BA30E2

Extra Analysis
Metric Value Percentage
Ascii Code 3666215 60,6674%
Null Byte Code 889406 14,7176%
NOP Cave Found 0x9090909090 Block Count: 8597 | Total: 0,3557%