PESCAN.IO - Analysis Report

PESCAN.IO - Analysis Report Basic

File Structure

PE Chart Code

Header PE (light blue)

Executable sections (pink)

Non-executable sections (black)

External injected code (red)

File Structure in red = malformed or corrupted header

Chart Code For Other Files

Printable characters (blue)

Non-printable characters (black)

Information

Icon:

Size: 676,00 KB
SHA-256 Hash: B31E24E8237B509D0FBF7EDB5848C1ADC967DC733DF9FCA83324CC423B608FA7
SHA-1 Hash: 6AD32AACF0C96CCFD170F0C312117EDE8F383578
MD5 Hash: 811F39E6CB4453C5313059F4553695CF
Imphash: A326283E2C773761ABA7F4BA722820D7
MajorOSVersion: 4
MinorOSVersion: 0
CheckSum: 000AF6F5
EntryPoint (rva): 1248
SizeOfHeaders: 1000
SizeOfImage: AB000
ImageBase: 400000
Architecture: x86
ImportTable: 2C3E4
IAT: 1000
Characteristics: 10F
TimeDateStamp: 6A035632
Date: 12/05/2026 16:32:50
File Type: EXE
Number Of Sections: 3
ASLR: Disabled
Section Names: .text, .data, .rsrc
Number Of Executable Sections: 1
Subsystem: Windows GUI

Sections Info

Section Name	Flags	ROffset	RSize	VOffset	VSize	Entropy	Chi2
.text	0x60000020 Code Executable Readable	1000	2C000	1000	2B594	5.2886	5647584.16
.data	0xC0000040 Initialized Data Readable Writeable	0	0	2D000	1EF0	N/A	N/A
.rsrc	0x40000040 Initialized Data Readable	2D000	7C000	2F000	7B6E4	6.5376	3527702.77

Description

OriginalFilename: servid0r.exe
CompanyName: Microsoft
ProductName: Microsoft
FileVersion: 10.00.0208
ProductVersion: 10.00.0208
Language: Spanish (Spain, Modern Sort) (ID=0xC0A)
CodePage: Unicode (UTF-16 LE) (0x4B0)

Binder/Joiner/Crypter

2 Executable files found

Entry Point

The section number (1) - (.text) have the Entry Point
Information -> EntryPoint (calculated) - 1248
Code -> 685C154000E8EEFFFFFF000000000000300000004000000000000000F63E9174AAFD3E4190428B546BABBFFE000000000000

Assembler

|PUSH 0X40155C

|CALL 0XFF8

|ADD BYTE PTR [EAX], AL

|XOR BYTE PTR [EAX], AL

|ADD BYTE PTR [EAX], AL

|INC EAX

|ADD BYTE PTR [EAX], AL

|ADD DH, DH

|XCHG EAX, ECX

|JE 0XFCB

|STD

|INC ECX

|NOP

|INC EDX

|MOV EDX, DWORD PTR [EBX + EBP*2 - 0X55]

|MOV EDI, 0XFE

|ADD BYTE PTR [EAX], AL

Signatures

Rich Signature Analyzer:
Code -> B71207DBF3736988F3736988F37369881A6C6488F273698852696368F3736988
Footprint md5 Hash -> 5DA092A1CBBE6290D95AA739DE6C0E6F
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler

Compiler: Visual Basic 6 - (PCode)
Detect It Easy (die)
• PE: compiler: Microsoft Visual Basic(6.0)[P-Code]
• PE: linker: Microsoft Linker(6.0*)[-]
• Entropy: 6.34163

Suspicious Functions

Library	Function	Description
MSVBVM60.DLL	DllFunctionCall	It enables calling routines from external DLLs in VB code, integrating external code into Visual Basic projects.
KERNEL32.DLL	VirtualAlloc	Reserve, commit, or both, a region of memory within the virtual address space of a process.
KERNEL32.DLL	RtlMoveMemory	Moves a block of memory to another location.
KERNEL32.DLL	WriteFile	Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL	LoadLibraryA	Loads the specified module into the address space of the calling process.
KERNEL32.DLL	LoadLibraryW	Loads the specified module into the address space of the calling process.
KERNEL32.DLL	GetProcAddress	Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL	CreateFileA	Creates or opens a file or I/O device.
KERNEL32.DLL	DeleteFileA	Deletes an existing file.
USER32.DLL	GetAsyncKeyState	Retrieves the status of a virtual key asynchronously.
USER32.DLL	CallWindowProcA	Invokes the window procedure for the specified window and messages.
URLMON.DLL	URLDownloadToFileA	Download a file from the internet and save it to a local file.
ADVAPI32.DLL	RegCreateKeyExA	Creates a new registry key or opens an existing one.
ADVAPI32.DLL	RegDeleteKeyA	Used to delete a subkey and its values from the Windows registry.
ADVAPI32.DLL	RegSetValueExA	Sets the data and type of a specified value under a registry key.
ADVAPI32.DLL	RegDeleteValueA	Removes a named value from the specified registry key. Note that value names are not case sensitive.
SHELL32.DLL	ShellExecuteA	Performs a run operation on a specific file.
WININET.DLL	InternetConnectA	Opens an File Transfer Protocol (FTP) or HTTP session for a given site.
WININET.DLL	FtpPutFileA	Opens an File Transfer Protocol (FTP) or HTTP session for a given site.

Windows REG (UNICODE)

Software\Microsoft\Windows\CurrentVersion\Internet Settings\

File Access

msvcrt.dll
KERNEL32.dll
sqlite3.dll
MSVBVM60.DLL
vaultcli.dll
crypt32.dll
winmm.dll
wsock32.dll
wininet.dll
avicap32.dll
shell32.dll
advapi32.dll
shlwapi.dll
user32.dll
\WINDOWS\SysWow64\msvbvm60.dll
+3qVBA6.DLL
VB6ES.DLL
.dat
Temp

File Access (UNICODE)

servid0r.exe
ApiViewer2004.exe
sqlite3.dll
\kll.bat
kll.bat
\Log_P.txt
\pshell.txt
\Log_C.txt
Temp
ProgramFiles
AppData

SQL Queries

SELECT name, rootpage, sql FROM '%q'.%s WHERE %s
SELECT idx, stat FROM %Q.sqlite_stat1
SELECT name, rootpage, sql FROM '%q'.%s
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14)FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence'AND rootpage>0
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21)FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';'FROM sqlite_master WHERE type = 'table' AND name!='sqlite_sequence'AND rootpage>0
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
SELECT type, name, tbl_name, rootpage, sql FROM sqlite_masterWHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
select count(*), ifnull(max(level),0) from %_segdir
select start_block, leaves_end_block, root from %_segdir order by level desc, idx asc
select start_block, leaves_end_block, root from %_segdir where level = ? and idx = ?
select min(start_block), max(end_block) from %_segdir where level = ? and start_block <> 0
select start_block, leaves_end_block, root from %_segdir where level = ? order by idx
select max(idx) from %_segdir where level = ?
select block from %_segments where blockid = ?
select docid from %_content limit 1
select block from %_segments where blockid between ? and ? order by blockid
SELECT parentnode FROM '%q'.'%q_parent' WHERE nodeno = :1
SELECT nodeno FROM '%q'.'%q_rowid' WHERE rowid = :1
SELECT data FROM '%q'.'%q_node' WHERE nodeno = :1
INSERT INTO %Q.%s VALUES('index',%Q,%Q,%d,%Q);
INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')
INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';'FROM sqlite_master WHERE type = 'table' AND name!='sqlite_sequence'AND rootpage>0
INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
INSERT INTO vacuum_db.sqlite_masterSELECT type, name, tbl_name, rootpage, sql FROM sqlite_masterWHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
insert into %_segdir values (?, ?, ?, ?, ?, ?)
insert into %_segments (blockid, block) values (null, ?)
insert into %_content (docid,
INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
CREATE TABLE %Q.sqlite_stat1(tbl,idx,stat)
CREATE TABLE
CREATE TABLE %Q.sqlite_sequence(name,seq)
CREATE TABLE sqlite_master( type text, name text, tbl_name text, rootpage integer, sql text)
CREATE TABLE vacuum_db.' || substr(sql,14)FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence'AND rootpage>0
CREATE TABLE x
CREATE TABLE %_content(
create table %_segments( blockid INTEGER PRIMARY KEY, block blob);
create table %_segdir( level integer, idx integer, start_block integer, leaves_end_block integer, end_block integer, root blob, primary key(level, idx));
CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
CREATE TABLE x(%s
DROP TABLE to delete table %s
drop table if exists %_content;drop table if exists %_segments;drop table if exists %_segdir;
DROP TABLE '%q'.'%q_node';DROP TABLE '%q'.'%q_rowid';DROP TABLE '%q'.'%q_parent';
DELETE FROM %Q.sqlite_stat1 WHERE tbl=%Q
DELETE FROM %s.sqlite_sequence WHERE name=%Q
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
DELETE FROM %Q.%s WHERE name=%Q
DELETE FROM %Q.sqlite_stat1 WHERE idx=%Q
DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
delete from %_segdir
delete from %_segdir where level = ?
delete from %_segments
delete from %_segments where blockid between ? and ?
delete from %_content where docid = ?
DELETE FROM '%q'.'%q_parent' WHERE nodeno = :1
DELETE FROM '%q'.'%q_rowid' WHERE rowid = :1
DELETE FROM '%q'.'%q_node' WHERE nodeno = :1
SELECT * FROM logins
Select * from AntiVirusProduct
Select * from FirewallProduct
Select Name from Win32_Process Where Name = '

Interest's Words

Encrypt
Decrypt
PassWord
exec
attrib
start
hostname
sdelete
shutdown
defrag
ping
expand
replace

Interest's Words (UNICODE)

Virus
wscript
exec
powershell
attrib
start
comspec
regedit
shutdown
ping
expand

Anti-VM/Sandbox/Debug Tricks (UNICODE)

LabTools - regedit

URLs (UNICODE)

https://ifconfig.me/

IP Addresses

255.255.255.255

PE Carving

Start Offset Header	End Offset	Size (Bytes)
0	2D940	2D940
2D940	A9000	7B6C0

Strings/Hex Code Found With The File Rules

Rule Type	Encoding	Matched (Word)
Text	Ascii	WinAPI Sockets (WSACleanup)
Text	Ascii	WinAPI Sockets (bind)
Text	Unicode	WinAPI Sockets (bind)
Text	Ascii	WinAPI Sockets (listen)
Text	Ascii	WinAPI Sockets (accept)
Text	Ascii	WinAPI Sockets (connect)
Text	Unicode	WinAPI Sockets (connect)
Text	Ascii	WinAPI Sockets (recv)
Text	Ascii	WinAPI Sockets (send)
Text	Ascii	Registry (RegCreateKeyEx)
Text	Ascii	Registry (RegOpenKeyEx)
Text	Ascii	Registry (RegSetValueEx)
Text	Ascii	File (GetTempPath)
Text	Ascii	File (CopyFile)
Text	Ascii	File (CreateFile)
Text	Ascii	File (WriteFile)
Text	Ascii	File (ReadFile)
Text	Ascii	Anti-Analysis VM (GetVersion)
Text	Ascii	Reconnaissance (FindFirstFileA)
Text	Ascii	Reconnaissance (FindNextFileA)
Text	Ascii	Reconnaissance (FindClose)
Text	Ascii	Stealth (CloseHandle)
Text	Ascii	Stealth (VirtualAlloc)
Text	Ascii	Execution (CreateProcessA)
Text	Ascii	Execution (ShellExecute)
Text	Unicode	Privileges (SeBackupPrivilege)
Text	Unicode	Privileges (SeRestorePrivilege)
Text	Ascii	Malicious code executed after exploiting a vulnerability (Payload)
Text	Ascii	Unauthorized movement of funds or data (Transfer)
Text	Ascii	Technique used to circumvent security measures (Bypass)
Text	Ascii	Abuse of power for personal gain or unethical purposes (Corruption)
Entry Point	Hex Pattern	Microsoft Visual Basic 5.0
Entry Point	Hex Pattern	Microsoft Visual Basic v5.0
Entry Point	Hex Pattern	Microsoft Visual Basic v5.0 - v6.0
Entry Point	Hex Pattern	Microsoft Visual Basic v5.0

Resources

Path	DataRVA	Size	FileOffset	Code	Text	PE/Payload
\SQL\1\3082	2F940	7ADA4	2D940	4D5A90000300000004000000FFFF0000B8000000000000004000000000000000000000000000000000000000000000000000	MZ......................@.........................	(Executable found)
\ICON\30001\0	2F810	130	2D810	2800000020000000400000000100010000000000000100000000000000000000000000000000000000000000FFFFFF00FFFF	(... ...@.........................................	N/A
\ICON\30002\0	2F528	2E8	2D528	2800000020000000400000000100040000000000800200000000000000000000000000000000000000000000000080000080	(... ...@.........................................	N/A
\ICON\30003\0	2F400	128	2D400	2800000010000000200000000100040000000000C00000000000000000000000000000000000000000000000000080000080	(....... .........................................	N/A
\GROUP_ICON\1\0	2F3D0	30	2D3D0	00000100030020200200010001003001000031752020100001000400E802000032751010100001000400280100003375	...... ......0...1u ..........2u........(...3u	N/A
\VERSION\1\3082	2F1A0	230	2D1A0	300234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000	0.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............	N/A

Intelligent String

• .bss
• MSVBVM60.DLL
• VB6ES.DLL
• C:\Users\shark\Desktop\Prodigy Bot 3 [ Source ]\Server XOR\Bot.vbp
• ApiViewer2004.exe
• SELECT * FROM logins
• sqlite3.dll
• +3qVBA6.DLL
• C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLBVB
• c:\windows\syswow64\msvbvm60.dll
• kernel32.dll
• user32.dll
• advapi32.dll
• avicap32.dll
• winmm.dll
• \vscreen.jpg
• \vwebcam.jpg
• runas
• .exe
• C:\Program Files (x86)\Microsoft Visual Studio\VB98\VBA6.dll
• .txt
• kll.bat
• \kll.bat
• attrib -h -s -r %1
• \Log_C.txt
• \pshell.txt
• \Mic.wav
• .wav
• shutdown /f /r /t 0
• shutdown /f /s /t 0
• vaultcli.dll
• \Log_P.txt
• .jpg
• .bmp
• s:\\.\root\default:StdRegProv
• 255.255.255.255
• COMSPEC
• servid0r.exe
• @KERNEL32.dll

Flow Anomalies

Offset	RVA	Section	Description
10F0	40104C	.text	JMP [static] \| Indirect jump to absolute memory address
10F6	4010AC	.text	JMP [static] \| Indirect jump to absolute memory address
10FC	40101C	.text	JMP [static] \| Indirect jump to absolute memory address
1102	40106C	.text	JMP [static] \| Indirect jump to absolute memory address
1108	401058	.text	JMP [static] \| Indirect jump to absolute memory address
110E	401028	.text	JMP [static] \| Indirect jump to absolute memory address
1114	401068	.text	JMP [static] \| Indirect jump to absolute memory address
111A	4010DC	.text	JMP [static] \| Indirect jump to absolute memory address
1120	401048	.text	JMP [static] \| Indirect jump to absolute memory address
1126	40107C	.text	JMP [static] \| Indirect jump to absolute memory address
112C	4010B8	.text	JMP [static] \| Indirect jump to absolute memory address
1132	401078	.text	JMP [static] \| Indirect jump to absolute memory address
1138	4010CC	.text	JMP [static] \| Indirect jump to absolute memory address
113E	4010D0	.text	JMP [static] \| Indirect jump to absolute memory address
1144	401074	.text	JMP [static] \| Indirect jump to absolute memory address
114A	4010A0	.text	JMP [static] \| Indirect jump to absolute memory address
1150	4010A8	.text	JMP [static] \| Indirect jump to absolute memory address
1156	4010A4	.text	JMP [static] \| Indirect jump to absolute memory address
115C	401044	.text	JMP [static] \| Indirect jump to absolute memory address
1162	401014	.text	JMP [static] \| Indirect jump to absolute memory address
1168	4010E0	.text	JMP [static] \| Indirect jump to absolute memory address
116E	401008	.text	JMP [static] \| Indirect jump to absolute memory address
1174	401084	.text	JMP [static] \| Indirect jump to absolute memory address
117A	401010	.text	JMP [static] \| Indirect jump to absolute memory address
1180	401030	.text	JMP [static] \| Indirect jump to absolute memory address
1186	401018	.text	JMP [static] \| Indirect jump to absolute memory address
118C	401040	.text	JMP [static] \| Indirect jump to absolute memory address
1192	40102C	.text	JMP [static] \| Indirect jump to absolute memory address
1198	4010D4	.text	JMP [static] \| Indirect jump to absolute memory address
119E	401004	.text	JMP [static] \| Indirect jump to absolute memory address
11A4	401080	.text	JMP [static] \| Indirect jump to absolute memory address
11AA	40109C	.text	JMP [static] \| Indirect jump to absolute memory address
11B0	4010C4	.text	JMP [static] \| Indirect jump to absolute memory address
11B6	40108C	.text	JMP [static] \| Indirect jump to absolute memory address
11BC	401094	.text	JMP [static] \| Indirect jump to absolute memory address
11C2	4010BC	.text	JMP [static] \| Indirect jump to absolute memory address
11C8	401038	.text	JMP [static] \| Indirect jump to absolute memory address
11CE	4010D8	.text	JMP [static] \| Indirect jump to absolute memory address
11D4	40100C	.text	JMP [static] \| Indirect jump to absolute memory address
11DA	401088	.text	JMP [static] \| Indirect jump to absolute memory address
11E0	401034	.text	JMP [static] \| Indirect jump to absolute memory address
11E6	4010B0	.text	JMP [static] \| Indirect jump to absolute memory address
11EC	401024	.text	JMP [static] \| Indirect jump to absolute memory address
11F2	401020	.text	JMP [static] \| Indirect jump to absolute memory address
11F8	401050	.text	JMP [static] \| Indirect jump to absolute memory address
11FE	4010C0	.text	JMP [static] \| Indirect jump to absolute memory address
1204	401098	.text	JMP [static] \| Indirect jump to absolute memory address
120A	4010B4	.text	JMP [static] \| Indirect jump to absolute memory address
1210	401070	.text	JMP [static] \| Indirect jump to absolute memory address
1216	401064	.text	JMP [static] \| Indirect jump to absolute memory address
121C	401060	.text	JMP [static] \| Indirect jump to absolute memory address
1222	401090	.text	JMP [static] \| Indirect jump to absolute memory address
1228	40105C	.text	JMP [static] \| Indirect jump to absolute memory address
122E	40103C	.text	JMP [static] \| Indirect jump to absolute memory address
1234	401054	.text	JMP [static] \| Indirect jump to absolute memory address
123A	401000	.text	JMP [static] \| Indirect jump to absolute memory address
1240	4010C8	.text	JMP [static] \| Indirect jump to absolute memory address
F093	BFF283A	.text	JMP [static] \| Indirect jump to absolute memory address
109A2	400931B	.text	JMP [static] \| Indirect jump to absolute memory address
11DC7	4FF283A	.text	JMP [static] \| Indirect jump to absolute memory address
11DEC	8FF283A	.text	JMP [static] \| Indirect jump to absolute memory address
11E11	8FF283A	.text	JMP [static] \| Indirect jump to absolute memory address
13EC8	1A600BC5	.text	CALL [static] \| Indirect call to absolute memory address
16A57	7A7000F4	.text	CALL [static] \| Indirect call to absolute memory address
16A5D	402CDC4E	.text	CALL [static] \| Indirect call to absolute memory address
16BCB	7A7000F4	.text	CALL [static] \| Indirect call to absolute memory address
16BD1	402A9400	.text	CALL [static] \| Indirect call to absolute memory address
16D3F	7A7000F4	.text	CALL [static] \| Indirect call to absolute memory address
16D45	4023BC00	.text	CALL [static] \| Indirect call to absolute memory address
16EB3	7A7000F4	.text	CALL [static] \| Indirect call to absolute memory address
16EB9	40284C00	.text	CALL [static] \| Indirect call to absolute memory address
17027	7A7000F4	.text	CALL [static] \| Indirect call to absolute memory address
1702D	4026041E	.text	CALL [static] \| Indirect call to absolute memory address
17A0C	4026041E	.text	CALL [static] \| Indirect call to absolute memory address
17C46	402604	.text	CALL [static] \| Indirect call to absolute memory address
17F6E	402A94	.text	CALL [static] \| Indirect call to absolute memory address
18102	402CDC	.text	CALL [static] \| Indirect call to absolute memory address
18296	40284C	.text	CALL [static] \| Indirect call to absolute memory address
1842A	4023BC	.text	CALL [static] \| Indirect call to absolute memory address
18C8A	4023BC	.text	JMP [static] \| Indirect jump to absolute memory address
18C96	64F4	.text	JMP [static] \| Indirect jump to absolute memory address
1953F	5C000000	.text	CALL [static] \| Indirect call to absolute memory address
1A58F	5C000000	.text	CALL [static] \| Indirect call to absolute memory address
1A77B	5C000000	.text	CALL [static] \| Indirect call to absolute memory address
1A967	4C0003FE	.text	CALL [static] \| Indirect call to absolute memory address
1AB53	4000000	.text	CALL [static] \| Indirect call to absolute memory address
1AD3F	4000000	.text	CALL [static] \| Indirect call to absolute memory address
1BBEC	4000000	.text	JMP [static] \| Indirect jump to absolute memory address
1D167	5FF7004	.text	JMP [static] \| Indirect jump to absolute memory address
1D1A0	25FF1027	.text	JMP [static] \| Indirect jump to absolute memory address
1D1A4	25FF3027	.text	JMP [static] \| Indirect jump to absolute memory address
1D1A8	25FF5027	.text	JMP [static] \| Indirect jump to absolute memory address
1D1AC	46FF786C	.text	JMP [static] \| Indirect jump to absolute memory address
1D1B3	24007B05	.text	JMP [static] \| Indirect jump to absolute memory address
1D2B2	25FF1027	.text	JMP [static] \| Indirect jump to absolute memory address
1D2B6	25FF3027	.text	JMP [static] \| Indirect jump to absolute memory address
1D2BA	6EEB64F4	.text	JMP [static] \| Indirect jump to absolute memory address
1D2C6	6EEB64F4	.text	JMP [static] \| Indirect jump to absolute memory address
1D2D2	37EB00F4	.text	JMP [static] \| Indirect jump to absolute memory address
1D311	5FF7004	.text	JMP [static] \| Indirect jump to absolute memory address
432D2-432EF	N/A	.rsrc	Unusual NOPS Space, count: 30
56431-5644F	N/A	.rsrc	Unusual NOPS Space, count: 31
59331-5934F	N/A	.rsrc	Unusual NOPS Space, count: 31
5A6D1-5A6EF	N/A	.rsrc	Unusual NOPS Space, count: 31
5AC72-5AC8F	N/A	.rsrc	Unusual NOPS Space, count: 30
5B712-5B72F	N/A	.rsrc	Unusual NOPS Space, count: 30
5EF51-5EF6F	N/A	.rsrc	Unusual NOPS Space, count: 31
605B1-605CF	N/A	.rsrc	Unusual NOPS Space, count: 31
668F1-6690F	N/A	.rsrc	Unusual NOPS Space, count: 31
67191-671AF	N/A	.rsrc	Unusual NOPS Space, count: 31
6A8F2-6A90F	N/A	.rsrc	Unusual NOPS Space, count: 30
7A672-7A68F	N/A	.rsrc	Unusual NOPS Space, count: 30
7E7D1-7E7EF	N/A	.rsrc	Unusual NOPS Space, count: 31

Extra Analysis

Metric	Value	Percentage
Ascii Code	390697	56,4408%
Null Byte Code	136245	19,6822%
NOP Cave Found	0x9090909090	Block Count: 461 \| Total: 0,1665%

PESCAN.IO - Analysis Report Basic