PESCAN.IO - Analysis Report Basic

Information
Size: 3,45 MB
SHA-256 Hash: B78ED465E781E682C3A451076973DC57C84BEDB8074F351DD5BC9B428B040984
SHA-1 Hash: 1777485F8885172347DABB434359537CC969E146
MD5 Hash: 46924279013A00CFCDA6569A8926022B
Imphash: DA54107D6C55B0F87441D7D4FF5F1EDD
MajorOSVersion: 5
MinorOSVersion: 1
CheckSum: 0037C13B
EntryPoint (rva): E17BB
SizeOfHeaders: 400
SizeOfImage: 53D000
ImageBase: 10000000
Architecture: x86
ExportTable: 26C590
ImportTable: 26C75C
IAT: 1AE000
Characteristics: 2102
TimeDateStamp: 642113B2
Date: 27/03/2023 3:55:30
File Type: DLL
Number Of Sections: 6
ASLR: Enabled
Section Names: .text, .rdata, .data, .rsrc, .reloc, .vlizer
Number Of Executable Sections: 2
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker
[Incomplete Binary or Compressor Packer - 1,79 MB Missing]

Sections Info
Section Name Flags ROffset RSize VOffset VSize Entropy Chi2
.text 60000020 (Code, Executable, Readable) 400 1AC600 1000 1AC5FE 6,7341 7808725,89
.rdata 40000040 (Initialized Data, Readable) 1ACA00 C0600 1AE000 C05C8 6,1150 9091934,36
.data C0000040 (Initialized Data, Readable, Writeable) 26D000 36E00 26F000 3B658 7,2278 1206437,66
.rsrc 40000040 (Initialized Data, Readable) 2A3E00 1B200 2AB000 1B0A0 7,9869 3177,92
.reloc 42000040 (Initialized Data, GP-Relative, Readable) 2BF000 19800 2C7000 19680 6,5967 406082,44
.vlizer E0000060 (Code, Initialized Data, Executable, Readable, Writeable) 2D8800 95241 2E1000 25C000 7,9996 323,67
Description
SpecialBuild: open
Language: Korean (Korea) (ID=0x412)
CodePage: Unicode (UTF-16 LE) (0x4B0)

Entry Point
Section number 1 (.text) contains the Entry Point
Information -> EntryPoint (calculated) - E0BBB
Code -> E86CF81F001128D7E7E67AFB183F83BEB429666536D669D113ECE7CB07B5000D890305558BEC6A00FF15ACE31A10FF7508FF
CALL 0X200871
• ADC DWORD PTR [EAX], EBP
• XLATB
OUT 0XE6, EAX
JP 0X1007
SBB BYTE PTR [EDI], BH
CMP DWORD PTR [ESI + 0X656629B4], 0X36
• SALC
IMUL EDX, ECX, 0XCBE7EC13
POP ES
MOV CH, 0
OR EAX, 0X55050389
MOV EBP, ESP
PUSH 0
CALL DWORD PTR [0X101AE3AC]
PUSH DWORD PTR [EBP + 8]

Signatures
CheckSum Integrity Problem:
Header: 3653947
Calculated: 3646564
Rich Signature Analyzer:
Code -> 60D7816A24B6EF3924B6EF3924B6EF3981DFEC3825B6EF3981DFEB3899B6EF39902A1E390AB6EF39902A1C39E9B6EF39902A1D3900B6EF39BA1628392CB6EF3976DEEC383EB6EF3976DEEA381AB6EF3976DEEB3800B6EF392DCE6C3922B6EF392DCE7C393DB6EF3924B6EE395BB7EF3981DFE638EFB6EF3981DFEF3825B6EF3981DF103925B6EF3924B6783925B6EF3981DFED3825B6EF395269636824B6EF39
Footprint md5 Hash -> FA32FC9E714CCB3FB4F1EE3DB3DA2573
• The Rich header apparently has not been modified
Certificate - Digital Signature:
• The file is signed and the signature is correct

Packer/Compiler
Compiler: Microsoft Visual C ++ 6 DLL
Detect It Easy (die)
PE: linker: Microsoft Linker(14.16, Visual Studio 2017 15.9*)[-]
Entropy: 7.29575

Suspicious Functions
Library Function Description
KERNEL32.DLL CreateMutexW Create a named or unnamed mutex object for controlling access to a shared resource.
KERNEL32.DLL GetModuleFileNameA Retrieve the fully qualified path for the executable file of a specified module.
KERNEL32.DLL VirtualAlloc Reserve, commit, or both, a region of memory within the virtual address space of a process.
KERNEL32.DLL GetModuleHandleA Retrieves a handle to the specified module.
KERNEL32.DLL WriteFile Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL LoadLibraryA Loads the specified module into the address space of the calling process.
KERNEL32.DLL LoadLibraryW Loads the specified module into the address space of the calling process.
KERNEL32.DLL CreateToolhelp32Snapshot Creates a snapshot of the specified processes, heaps, threads, and modules.
KERNEL32.DLL CreateRemoteThread Creates a thread in the address space of another process.
KERNEL32.DLL WriteProcessMemory Writes data to an area of memory in a specified process.
KERNEL32.DLL ReadProcessMemory Reads data from an area of memory in a specified process.
KERNEL32.DLL GetProcAddress Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL CreateFileA Creates or opens a file or I/O device.
KERNEL32.DLL IsDebuggerPresent Determines if the calling process is being debugged by a user-mode debugger.
KERNEL32.DLL SleepEx Pauses the execution of the current thread, optionally allowing the thread to be awakened by a kernel object or upon expiration of a timeout.
Ws2_32.DLL socket Create a communication endpoint for networking applications.
Ws2_32.DLL connect Establish a connection to a specified socket.
SHELL32.DLL ShellExecuteExW Performs a run operation on a specific file.
NtosKrnl.exe ZwClose Closes a handle to an object.
NtosKrnl.exe ZwOpenDirectoryObject Opens a directory object that can be used for managing other objects.
Windows REG
Software\Policies\Microsoft\System\DNSClient
System\CurrentControlSet\Services\VxD\MSTCP
System\CurrentControlSet\Services\Tcpip\Parameters
System\DNSClient
System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
Rebuilt string - SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces

Windows REG (UNICODE)
Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\%ls\Count
SYSTEM\CurrentControlSet\Services\

File Access
.exe
cmd.exe
IND)ind)cmd.exe
WLDAP32.dll
OLEAUT32.dll
ole32.dll
SHELL32.dll
ADVAPI32.dll
GDI32.dll
USER32.dll
SETUPAPI.dll
RPCRT4.dll
IPHLPAPI.DLL
WS2_32.dll
KERNEL32.dll
x3_barrier_Win32.dll
!\?.dll
.bat
.dat
@.dat
\xigncode-system.log
.txt
.pdf
Temp
Exec - arp corporation
Exec - arp takaya electronics industry co., ltd.
Exec - arp imaging technology corp.
Exec - arp korea corporation
Exec - arp corporation

File Access (UNICODE)
advapi32.dll
kernelbase.dll
kernel32.dll
mscoree.dll

Interest's Words
rcpt to:
smtp
Encrypt
Decrypt
Encryption
PassWord
exec
attrib
start
pause
comspec
cipher
hostname
systeminfo
ping
expand
replace
route

Interest's Words (UNICODE)
start

URLs

IP Addresses
127.0.0.1

Strings/Hex Code Found With The File Rules
Rule Type Encoding Matched (Word)
Text Ascii WinAPI Sockets (bind)
Text Ascii WinAPI Sockets (listen)
Text Ascii WinAPI Sockets (accept)
Text Unicode WinAPI Sockets (accept)
Text Ascii WinAPI Sockets (connect)
Text Ascii WinAPI Sockets (recv)
Text Ascii WinAPI Sockets (send)
Text Ascii Registry (RegOpenKeyEx)
Text Ascii Registry (RegSetValueEx)
Text Ascii File (GetTempPath)
Text Ascii File (CreateFile)
Text Ascii File (WriteFile)
Text Ascii File (ReadFile)
Text Ascii Service (OpenSCManager)
Text Ascii Service (CreateService)
Text Ascii Encryption (Blowfish)
Text Ascii Encryption API (CryptAcquireContext)
Text Ascii Encryption API (CryptReleaseContext)
Hex Hex Pattern PEB AntiDebug (Flag BeingDebugged)
Text Ascii Anti-Analysis VM (IsDebuggerPresent)
Text Ascii Anti-Analysis VM (GetSystemInfo)
Text Ascii Anti-Analysis VM (GetVersion)
Text Ascii Anti-Analysis VM (CreateToolhelp32Snapshot)
Text Ascii Reconnaissance (FindNextFileA)
Text Ascii Reconnaissance (FindFirstFileW)
Text Ascii Reconnaissance (FindNextFileW)
Text Ascii Reconnaissance (FindClose)
Text Ascii Stealth (GetThreadContext)
Text Ascii Stealth (SetThreadContext)
Text Ascii Stealth (ExitThread)
Text Ascii Stealth (CloseHandle)
Text Ascii Stealth (IsBadReadPtr)
Text Ascii Stealth (UnmapViewOfFile)
Text Ascii Stealth (MapViewOfFile)
Text Ascii Stealth (CreateFileMappingW)
Text Ascii Stealth (VirtualAlloc)
Text Ascii Stealth (VirtualProtect)
Text Ascii Stealth (ReadProcessMemory)
Text Ascii Stealth (NtWriteVirtualMemory)
Text Ascii Stealth (CreateRemoteThread)
Text Ascii Stealth (QueueUserAPC)
Text Ascii Execution (CreateProcessA)
Text Ascii Execution (CreateProcessW)
Text Ascii Execution (ShellExecute)
Text Ascii Execution (ResumeThread)
Text Ascii Execution (CreateSemaphoreW)
Text Ascii Execution (OpenEventW)
Text Ascii Execution (CreateEventW)
Text Ascii Antivirus Software (etrust)
Text Ascii Antivirus Software (Panda Antivirus/Firewall)
Text Ascii Signal sent from infected system to a command and control server (Beacon)
Text Ascii Information used to authenticate a user's identity (Credential)
Text Ascii Malware disguised as legitimate software (Trojan)
Text Ascii Malware that monitors and collects user data (Spy)
Text Ascii Information used for user authentication (Credential)
Text Ascii Unauthorized movement of funds or data (Transfer)
Text Ascii Technique used to insert malicious code into legitimate processes (Inject)
Text Ascii Information gathering related to national security (Intelligence)
Text Ascii Related to a particular nation or its government (National)
Resources
Path DataRVA Size FileOffset Code Text
\BINS\2031\1042 2AB488 104B1 2A4288 4C6F6D78ED010000F82E0200000000008404010025FFFFFF0000000000000000BD1CED2A721A2B1F5D00000001ED28BC51F5 Lomx................%..............*r.+.].....(.Q.
\BINS\2032\1042 2BB940 A5DE 2B4740 4C6F6D78ED010000F86E010000000000B1A5000025FFFFFF00000000000000007B1F4F1CCA1F71135D000000011054D81A76 Lomx.....n..........%...........{.O...q.].....T..v
\VERSION\1\1042 2AB130 354 2A3F30 540334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000300 T.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
\24\2\1033 2C5F20 17D 2BED20 3C3F786D6C2076657273696F6E3D27312E302720656E636F64696E673D275554462D3827207374616E64616C6F6E653D2779 <?xml version='1.0' encoding='UTF-8' standalone='y
Intelligent String
• :060U00Uq]dL.g?O0U0E1-Q!m0U0y+m0k0$+0http://ocsp.digicert.com0C+07http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0EU>0<0:864http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0U
• x3.xem
• iphlpapi.dll
• mscoree.dll
• IND)ind)cmd.exe /c
• COMSPECcmd.exe/c
• .com.exe.bat.cmd
• D:\repo\rel\xigncode-neo\third_party\mbedtls\library\ssl_tls.c
• D:\repo\rel\xigncode-neo\third_party\mbedtls\library\ssl_msg.c
• D:\repo\rel\xigncode-neo\third_party\mbedtls\library\ssl_cli.c
• D:\repo\rel\xigncode-neo\third_party\mbedtls\library\ssl_srv.c
• dumping '%s' (%u bytes)
• file://%s%s%s
• %s://%sSwitched from HTTP to HTTPS due to HSTS => %s
• 127.0.0.1
• %s%s.%s.tmp
• https://curl.se/docs/http-cookies.html
• .gif
• .jpg
• .png
• .svg
• .txt
• .htm
• .pdf
• application/pdf.xml
• Your alt-svc cache. https://curl.se/docs/alt-svc.html
• Your HSTS cache. https://curl.se/docs/hsts.html
• LOGIN %s %sAUTHENTICATE %s %s
• Got unexpected imap-server responseLOGINDISABLED
• Can't get the size of file.failed to resume file:// transfer
• machinelogin
• Couldn't read a file:// file
• Login denied
• Dumping cert info: %s
• Unable to dump certificate information
• LOGIN
• IND)ind).exe
• .cmd
• .bat
• .com
• unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
• kernel32.dll
• \xigncode-system.log
• kernelbase.dll
• advapi32.dll
• user32.dll
• %ls\x3.xem
• runas
• unable to dump given function
• dump
• !\lua\?.lua;!\lua\?\init.lua;!\?.lua;!\?\init.lua;!\..\share\lua\5.3\?.lua;!\..\share\lua\5.3\?\init.lua;.\?.lua;.\?\init.lua
• !\?.dll
• ;!\..\lib\lua\5.3\?.dll
• ;!\loadall.dll
• ;.\?.dll
• CryptCATAdminReleaseContextCryptCATAdminAcquireContextCryptCATAdminCalcHashFromFileHandleCryptCATCatalogInfoFromContext
• .lnk
• Planet Portal.com
• Amer.com
• Orga BVSTEREOLINK.COM
• ICHIRO.ORG
• @pos.com
• Vendor ID not listed with USB.org
• SOTEC CO., LTD.CMD AG
• MED Associates Inc. , sue@med-associates.com
• TonerHead.com
• Opti-Sciences, Inc.3M CMD (Communication Markets Division)KRONIK ELEKTRONIK SANAYI VETICARET LIMITED SIRKETI
• Logina
• Stamps.com
• CMD Technology
• Correlator.com
• C:\actions-runner\_work\xigncode-build\xigncode-build\vsproject\bin\Win32\Release\x3_barrier_Win32.pdb
• .bss
• *x3_barrier_Win32.dll
• KERNEL32.dll
• WS2_32.dll
• IPHLPAPI.DLL
• RPCRT4.dll
• USER32.dll
• ADVAPI32.dll
• .PAX

Flow Anomalies
Offset RVA Section Description
106A1B-106A3F N/A .text Unusual BP Cave, count: 37
151071-15108F N/A .text Unusual BP Cave, count: 31
2D8800-36DA40 2E1000 .vlizer Executable section anomaly, first bytes: 0100000000000000
36DA41 N/A *Overlay* 0000000000000028540000000202003082541A06 | .......(T......0.T..)
Extra Analysis
Metric Value Percentage
Ascii Code 2349615 64,9717%
Null Byte Code 339776 9,3955%
NOP Cave Found 0x9090909090 Block Count: 6 | Total: 0,0004%