PESCAN.IO - Analysis Report

PESCAN.IO - Analysis Report Basic

File Structure

PE Chart Code

Header PE (light blue)

Executable sections (pink)

Non-executable sections (black)

External injected code (red)

File Structure in red = malformed or corrupted header

Chart Code For Other Files

Printable characters (blue)

Non-printable characters (black)

Information

Icon:

Size: 676,00 KB
SHA-256 Hash: EAB69C7C5F9FAB7AB2ACA83312F281B1F7AAB7368F4D386EE2595B8E5CD5C624
SHA-1 Hash: 995F284C2893A5973F5CB1C83EAE28BB73B47309
MD5 Hash: A0D576569D4DC202F62C95C8EEDA3FF5
Imphash: A326283E2C773761ABA7F4BA722820D7
MajorOSVersion: 4
MinorOSVersion: 0
CheckSum: 000AC96D
EntryPoint (rva): 1248
SizeOfHeaders: 1000
SizeOfImage: AB000
ImageBase: 400000
Architecture: x86
ImportTable: 2BEE4
IAT: 1000
Characteristics: 10F
TimeDateStamp: 6A034541
Date: 12/05/2026 15:20:33
File Type: EXE
Number Of Sections: 3
ASLR: Disabled
Section Names: .text, .data, .rsrc
Number Of Executable Sections: 1
Subsystem: Windows GUI

Sections Info

Section Name	Flags	ROffset	RSize	VOffset	VSize	Entropy	Chi2
.text	0x60000020 Code Executable Readable	1000	2C000	1000	2B094	5.2658	5776073.39
.data	0xC0000040 Initialized Data Readable Writeable	0	0	2D000	1EF0	N/A	N/A
.rsrc	0x40000040 Initialized Data Readable	2D000	7C000	2F000	7B6D4	6.5374	3528218.83

Description

OriginalFilename: STUBP.exe
CompanyName: Microsoft
ProductName: Microsoft
FileVersion: 10.00.0208
ProductVersion: 10.00.0208
Language: Spanish (Spain, Modern Sort) (ID=0xC0A)
CodePage: Unicode (UTF-16 LE) (0x4B0)

Binder/Joiner/Crypter

2 Executable files found

Entry Point

The section number (1) - (.text) have the Entry Point
Information -> EntryPoint (calculated) - 1248
Code -> 685C154000E8EEFFFFFF0000000000003000000040000000000000003C112AB1E505BE488E5A4336D0B19EB5000000000000

Assembler

|PUSH 0X40155C

|CALL 0XFF8

|ADD BYTE PTR [EAX], AL

|XOR BYTE PTR [EAX], AL

|ADD BYTE PTR [EAX], AL

|INC EAX

|ADD BYTE PTR [EAX], AL

|ADD BYTE PTR [ECX + EDX], BH

|SUB DH, BYTE PTR [ECX + 0X48BE05E5]

|MOV DS, WORD PTR [EDX + 0X43]

|SAL BYTE PTR SS:[ECX + 0XB59E], 1

|ADD BYTE PTR [EAX], AL

Signatures

Rich Signature Analyzer:
Code -> B71207DBF3736988F3736988F37369881A6C6488F273698852696368F3736988
Footprint md5 Hash -> 5DA092A1CBBE6290D95AA739DE6C0E6F
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler

Compiler: Visual Basic 6 - (PCode)
Detect It Easy (die)
• PE: compiler: Microsoft Visual Basic(6.0)[P-Code]
• PE: linker: Microsoft Linker(6.0*)[-]
• Entropy: 6.33629

Suspicious Functions

Library	Function	Description
MSVBVM60.DLL	DllFunctionCall	It enables calling routines from external DLLs in VB code, integrating external code into Visual Basic projects.
KERNEL32.DLL	VirtualAlloc	Reserve, commit, or both, a region of memory within the virtual address space of a process.
KERNEL32.DLL	RtlMoveMemory	Moves a block of memory to another location.
KERNEL32.DLL	WriteFile	Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL	LoadLibraryA	Loads the specified module into the address space of the calling process.
KERNEL32.DLL	LoadLibraryW	Loads the specified module into the address space of the calling process.
KERNEL32.DLL	GetProcAddress	Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL	CreateFileA	Creates or opens a file or I/O device.
KERNEL32.DLL	DeleteFileA	Deletes an existing file.
USER32.DLL	GetAsyncKeyState	Retrieves the status of a virtual key asynchronously.
USER32.DLL	CallWindowProcA	Invokes the window procedure for the specified window and messages.
URLMON.DLL	URLDownloadToFileA	Download a file from the internet and save it to a local file.
ADVAPI32.DLL	RegCreateKeyExA	Creates a new registry key or opens an existing one.
ADVAPI32.DLL	RegDeleteKeyA	Used to delete a subkey and its values from the Windows registry.
ADVAPI32.DLL	RegSetValueExA	Sets the data and type of a specified value under a registry key.
ADVAPI32.DLL	RegDeleteValueA	Removes a named value from the specified registry key. Note that value names are not case sensitive.
SHELL32.DLL	ShellExecuteA	Performs a run operation on a specific file.
WININET.DLL	InternetConnectA	Opens an File Transfer Protocol (FTP) or HTTP session for a given site.
WININET.DLL	FtpPutFileA	Opens an File Transfer Protocol (FTP) or HTTP session for a given site.

Windows REG (UNICODE)

Software\Microsoft\Windows\CurrentVersion\Internet Settings\

File Access

msvcrt.dll
KERNEL32.dll
sqlite3.dll
MSVBVM60.DLL
vaultcli.dll
crypt32.dll
winmm.dll
wsock32.dll
VBA6.DLL
wininet.dll
avicap32.dll
shell32.dll
advapi32.dll
shlwapi.dll
user32.dll
\WINDOWS\SysWow64\msvbvm60.dll
VB6ES.DLL
.dat
Temp

File Access (UNICODE)

STUBP.exe
taskkill /F /IM chrome.exe
powershell.exe
\WINVnc.exe
sqlite3.dll
\kll.bat
kll.bat
\Log_iApps.txt
\Log_Conex.txt
\Log_Regedit.txt
/Log_Files.txt
\Log_Files.txt
\Log_P.txt
\pshell.txt
\Log_C.txt
\Log_Wind.txt
\Log_Win.txt
\Log_Serv.txt
\Log_Proc.txt
Exec - powershell.exe -NoProfile -ExecutionPolicy Bypass -Command
Temp
ProgramFiles
AppData

SQL Queries

SELECT name, rootpage, sql FROM '%q'.%s WHERE %s
SELECT idx, stat FROM %Q.sqlite_stat1
SELECT name, rootpage, sql FROM '%q'.%s
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14)FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence'AND rootpage>0
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21)FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';'FROM sqlite_master WHERE type = 'table' AND name!='sqlite_sequence'AND rootpage>0
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
SELECT type, name, tbl_name, rootpage, sql FROM sqlite_masterWHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
select count(*), ifnull(max(level),0) from %_segdir
select start_block, leaves_end_block, root from %_segdir order by level desc, idx asc
select start_block, leaves_end_block, root from %_segdir where level = ? and idx = ?
select min(start_block), max(end_block) from %_segdir where level = ? and start_block <> 0
select start_block, leaves_end_block, root from %_segdir where level = ? order by idx
select max(idx) from %_segdir where level = ?
select block from %_segments where blockid = ?
select docid from %_content limit 1
select block from %_segments where blockid between ? and ? order by blockid
SELECT parentnode FROM '%q'.'%q_parent' WHERE nodeno = :1
SELECT nodeno FROM '%q'.'%q_rowid' WHERE rowid = :1
SELECT data FROM '%q'.'%q_node' WHERE nodeno = :1
INSERT INTO %Q.%s VALUES('index',%Q,%Q,%d,%Q);
INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')
INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';'FROM sqlite_master WHERE type = 'table' AND name!='sqlite_sequence'AND rootpage>0
INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
INSERT INTO vacuum_db.sqlite_masterSELECT type, name, tbl_name, rootpage, sql FROM sqlite_masterWHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
insert into %_segdir values (?, ?, ?, ?, ?, ?)
insert into %_segments (blockid, block) values (null, ?)
insert into %_content (docid,
INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
CREATE TABLE %Q.sqlite_stat1(tbl,idx,stat)
CREATE TABLE
CREATE TABLE %Q.sqlite_sequence(name,seq)
CREATE TABLE sqlite_master( type text, name text, tbl_name text, rootpage integer, sql text)
CREATE TABLE vacuum_db.' || substr(sql,14)FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence'AND rootpage>0
CREATE TABLE x
CREATE TABLE %_content(
create table %_segments( blockid INTEGER PRIMARY KEY, block blob);
create table %_segdir( level integer, idx integer, start_block integer, leaves_end_block integer, end_block integer, root blob, primary key(level, idx));
CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
CREATE TABLE x(%s
DROP TABLE to delete table %s
drop table if exists %_content;drop table if exists %_segments;drop table if exists %_segdir;
DROP TABLE '%q'.'%q_node';DROP TABLE '%q'.'%q_rowid';DROP TABLE '%q'.'%q_parent';
DELETE FROM %Q.sqlite_stat1 WHERE tbl=%Q
DELETE FROM %s.sqlite_sequence WHERE name=%Q
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
DELETE FROM %Q.%s WHERE name=%Q
DELETE FROM %Q.sqlite_stat1 WHERE idx=%Q
DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
delete from %_segdir
delete from %_segdir where level = ?
delete from %_segments
delete from %_segments where blockid between ? and ?
delete from %_content where docid = ?
DELETE FROM '%q'.'%q_parent' WHERE nodeno = :1
DELETE FROM '%q'.'%q_rowid' WHERE rowid = :1
DELETE FROM '%q'.'%q_node' WHERE nodeno = :1
SELECT * FROM logins
Select * from AntiVirusProduct
Select * from FirewallProduct
Select Name from Win32_Process Where Name = '

Interest's Words

Encrypt
Decrypt
PassWord
exec
attrib
start
hostname
sdelete
shutdown
defrag
ping
expand
replace

Interest's Words (UNICODE)

Virus
taskkill
wscript
exec
powershell
taskkill
attrib
start
comspec
regedit
shutdown
ping
expand

Anti-VM/Sandbox/Debug Tricks (UNICODE)

LabTools - regedit

URLs (UNICODE)

https://ifconfig.me/

IP Addresses

192.168.0.28
255.255.255.255

PE Carving

Start Offset Header	End Offset	Size (Bytes)
0	2D930	2D930
2D930	A9000	7B6D0

Strings/Hex Code Found With The File Rules

Rule Type	Encoding	Matched (Word)
Text	Ascii	WinAPI Sockets (WSACleanup)
Text	Ascii	WinAPI Sockets (bind)
Text	Unicode	WinAPI Sockets (bind)
Text	Ascii	WinAPI Sockets (listen)
Text	Ascii	WinAPI Sockets (accept)
Text	Ascii	WinAPI Sockets (connect)
Text	Unicode	WinAPI Sockets (connect)
Text	Ascii	WinAPI Sockets (recv)
Text	Ascii	WinAPI Sockets (send)
Text	Ascii	Registry (RegCreateKeyEx)
Text	Ascii	Registry (RegOpenKeyEx)
Text	Ascii	Registry (RegSetValueEx)
Text	Ascii	File (GetTempPath)
Text	Ascii	File (CopyFile)
Text	Ascii	File (CreateFile)
Text	Ascii	File (WriteFile)
Text	Ascii	File (ReadFile)
Text	Ascii	Anti-Analysis VM (GetVersion)
Text	Ascii	Reconnaissance (FindFirstFileA)
Text	Ascii	Reconnaissance (FindNextFileA)
Text	Ascii	Reconnaissance (FindClose)
Text	Ascii	Stealth (CloseHandle)
Text	Ascii	Stealth (VirtualAlloc)
Text	Ascii	Execution (CreateProcessA)
Text	Ascii	Execution (ShellExecute)
Text	Unicode	Privileges (SeBackupPrivilege)
Text	Unicode	Privileges (SeRestorePrivilege)
Text	Ascii	Malicious code executed after exploiting a vulnerability (Payload)
Text	Ascii	Unauthorized movement of funds or data (Transfer)
Text	Ascii	Technique used to circumvent security measures (Bypass)
Text	Unicode	Technique used to circumvent security measures (Bypass)
Text	Ascii	Abuse of power for personal gain or unethical purposes (Corruption)
Entry Point	Hex Pattern	Microsoft Visual Basic 5.0
Entry Point	Hex Pattern	Microsoft Visual Basic v5.0
Entry Point	Hex Pattern	Microsoft Visual Basic v5.0 - v6.0
Entry Point	Hex Pattern	Microsoft Visual Basic v5.0

Resources

Path	DataRVA	Size	FileOffset	Code	Text	PE/Payload
\SQL\1\3082	2F930	7ADA4	2D930	4D5A90000300000004000000FFFF0000B8000000000000004000000000000000000000000000000000000000000000000000	MZ......................@.........................	(Executable found)
\ICON\30001\0	2F800	130	2D800	2800000020000000400000000100010000000000000100000000000000000000000000000000000000000000FFFFFF00FFFF	(... ...@.........................................	N/A
\ICON\30002\0	2F518	2E8	2D518	2800000020000000400000000100040000000000800200000000000000000000000000000000000000000000000080000080	(... ...@.........................................	N/A
\ICON\30003\0	2F3F0	128	2D3F0	2800000010000000200000000100040000000000C00000000000000000000000000000000000000000000000000080000080	(....... .........................................	N/A
\GROUP_ICON\1\0	2F3C0	30	2D3C0	00000100030020200200010001003001000031752020100001000400E802000032751010100001000400280100003375	...... ......0...1u ..........2u........(...3u	N/A
\VERSION\1\3082	2F1A0	220	2D1A0	200234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000	.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............	N/A

Intelligent String

• .bss
• MSVBVM60.DLL
• VB6ES.DLL
• C:\Users\shark\Desktop\Prodigy Bot 3 [ Source ]\Server XOR\Bot.vbp
• SELECT * FROM logins
• sqlite3.dll
• C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLBVB
• c:\windows\syswow64\msvbvm60.dll
• kernel32.dll
• user32.dll
• advapi32.dll
• avicap32.dll
• VBA6.DLL
• 192.168.0.28
• winmm.dll
• \vscreen.jpg
• \vwebcam.jpg
• runas
• .exe
• \Log_Proc.txt
• C:\Program Files (x86)\Microsoft Visual Studio\VB98\VBA6.dll
• .txt
• \Log_Serv.txt
• \Log_Win.txt
• \Log_Wind.txt
• kll.bat
• \kll.bat
• attrib -h -s -r %1
• \WINVnc.exe
• \Log_C.txt
• \pshell.txt
• powershell.exe -NoProfile -ExecutionPolicy Bypass -Command
• \Mic.wav
• .wav
• cmd /c move
• shutdown /f /r /t 0
• shutdown /f /s /t 0
• taskkill /F /IM chrome.exe
• \Local\Google\Chrome\User Data\Default\Login Data
• vaultcli.dll
• \Log_P.txt
• .jpg
• .bmp
• \Log_Files.txt
• /Log_Files.txt
• \Log_Regedit.txt
• \Log_Conex.txt
• s:\\.\root\default:StdRegProv
• \Log_iApps.txt
• 255.255.255.255
• COMSPEC
• STUBP.exe
• @KERNEL32.dll

Flow Anomalies

Offset	RVA	Section	Description
10F0	40104C	.text	JMP [static] \| Indirect jump to absolute memory address
10F6	4010AC	.text	JMP [static] \| Indirect jump to absolute memory address
10FC	40101C	.text	JMP [static] \| Indirect jump to absolute memory address
1102	40106C	.text	JMP [static] \| Indirect jump to absolute memory address
1108	401058	.text	JMP [static] \| Indirect jump to absolute memory address
110E	401028	.text	JMP [static] \| Indirect jump to absolute memory address
1114	401068	.text	JMP [static] \| Indirect jump to absolute memory address
111A	4010DC	.text	JMP [static] \| Indirect jump to absolute memory address
1120	401048	.text	JMP [static] \| Indirect jump to absolute memory address
1126	40107C	.text	JMP [static] \| Indirect jump to absolute memory address
112C	4010B8	.text	JMP [static] \| Indirect jump to absolute memory address
1132	401078	.text	JMP [static] \| Indirect jump to absolute memory address
1138	4010CC	.text	JMP [static] \| Indirect jump to absolute memory address
113E	4010D0	.text	JMP [static] \| Indirect jump to absolute memory address
1144	401074	.text	JMP [static] \| Indirect jump to absolute memory address
114A	4010A0	.text	JMP [static] \| Indirect jump to absolute memory address
1150	4010A8	.text	JMP [static] \| Indirect jump to absolute memory address
1156	4010A4	.text	JMP [static] \| Indirect jump to absolute memory address
115C	401044	.text	JMP [static] \| Indirect jump to absolute memory address
1162	401014	.text	JMP [static] \| Indirect jump to absolute memory address
1168	4010E0	.text	JMP [static] \| Indirect jump to absolute memory address
116E	401008	.text	JMP [static] \| Indirect jump to absolute memory address
1174	401084	.text	JMP [static] \| Indirect jump to absolute memory address
117A	401010	.text	JMP [static] \| Indirect jump to absolute memory address
1180	401030	.text	JMP [static] \| Indirect jump to absolute memory address
1186	401018	.text	JMP [static] \| Indirect jump to absolute memory address
118C	401040	.text	JMP [static] \| Indirect jump to absolute memory address
1192	40102C	.text	JMP [static] \| Indirect jump to absolute memory address
1198	4010D4	.text	JMP [static] \| Indirect jump to absolute memory address
119E	401004	.text	JMP [static] \| Indirect jump to absolute memory address
11A4	401080	.text	JMP [static] \| Indirect jump to absolute memory address
11AA	40109C	.text	JMP [static] \| Indirect jump to absolute memory address
11B0	4010C4	.text	JMP [static] \| Indirect jump to absolute memory address
11B6	40108C	.text	JMP [static] \| Indirect jump to absolute memory address
11BC	401094	.text	JMP [static] \| Indirect jump to absolute memory address
11C2	4010BC	.text	JMP [static] \| Indirect jump to absolute memory address
11C8	401038	.text	JMP [static] \| Indirect jump to absolute memory address
11CE	4010D8	.text	JMP [static] \| Indirect jump to absolute memory address
11D4	40100C	.text	JMP [static] \| Indirect jump to absolute memory address
11DA	401088	.text	JMP [static] \| Indirect jump to absolute memory address
11E0	401034	.text	JMP [static] \| Indirect jump to absolute memory address
11E6	4010B0	.text	JMP [static] \| Indirect jump to absolute memory address
11EC	401024	.text	JMP [static] \| Indirect jump to absolute memory address
11F2	401020	.text	JMP [static] \| Indirect jump to absolute memory address
11F8	401050	.text	JMP [static] \| Indirect jump to absolute memory address
11FE	4010C0	.text	JMP [static] \| Indirect jump to absolute memory address
1204	401098	.text	JMP [static] \| Indirect jump to absolute memory address
120A	4010B4	.text	JMP [static] \| Indirect jump to absolute memory address
1210	401070	.text	JMP [static] \| Indirect jump to absolute memory address
1216	401064	.text	JMP [static] \| Indirect jump to absolute memory address
121C	401060	.text	JMP [static] \| Indirect jump to absolute memory address
1222	401090	.text	JMP [static] \| Indirect jump to absolute memory address
1228	40105C	.text	JMP [static] \| Indirect jump to absolute memory address
122E	40103C	.text	JMP [static] \| Indirect jump to absolute memory address
1234	401054	.text	JMP [static] \| Indirect jump to absolute memory address
123A	401000	.text	JMP [static] \| Indirect jump to absolute memory address
1240	4010C8	.text	JMP [static] \| Indirect jump to absolute memory address
F0CF	BFF283A	.text	JMP [static] \| Indirect jump to absolute memory address
10A7E	400921B	.text	JMP [static] \| Indirect jump to absolute memory address
11DCF	4FF283A	.text	JMP [static] \| Indirect jump to absolute memory address
11DF4	8FF283A	.text	JMP [static] \| Indirect jump to absolute memory address
11E19	8FF283A	.text	JMP [static] \| Indirect jump to absolute memory address
13ED0	1A5CFF54	.text	CALL [static] \| Indirect call to absolute memory address
16A5F	7A7000F4	.text	CALL [static] \| Indirect call to absolute memory address
16A65	402CD800	.text	CALL [static] \| Indirect call to absolute memory address
16BD3	7A7000F4	.text	CALL [static] \| Indirect call to absolute memory address
16BD9	402A9000	.text	CALL [static] \| Indirect call to absolute memory address
16D47	7A7000F4	.text	CALL [static] \| Indirect call to absolute memory address
16D4D	4023B800	.text	CALL [static] \| Indirect call to absolute memory address
16EBB	7A7000F4	.text	CALL [static] \| Indirect call to absolute memory address
16EC1	402848FF	.text	CALL [static] \| Indirect call to absolute memory address
1702F	7A7000F4	.text	CALL [static] \| Indirect call to absolute memory address
17035	40260000	.text	CALL [static] \| Indirect call to absolute memory address
17C4E	402600	.text	CALL [static] \| Indirect call to absolute memory address
17F76	402A90	.text	CALL [static] \| Indirect call to absolute memory address
1810A	402CD8	.text	CALL [static] \| Indirect call to absolute memory address
1829E	402848	.text	CALL [static] \| Indirect call to absolute memory address
18432	4023B8	.text	CALL [static] \| Indirect call to absolute memory address
1A597	4023B8	.text	CALL [static] \| Indirect call to absolute memory address
1A783	4023B8	.text	CALL [static] \| Indirect call to absolute memory address
1A96F	48000000	.text	CALL [static] \| Indirect call to absolute memory address
1AB5B	240003	.text	CALL [static] \| Indirect call to absolute memory address
1AD47	240003	.text	CALL [static] \| Indirect call to absolute memory address
1BBF4	240003	.text	JMP [static] \| Indirect jump to absolute memory address
1D3BB	5FF7004	.text	JMP [static] \| Indirect jump to absolute memory address
1D3F4	25FF1027	.text	JMP [static] \| Indirect jump to absolute memory address
1D3F8	25FF3027	.text	JMP [static] \| Indirect jump to absolute memory address
1D3FC	25FF5027	.text	JMP [static] \| Indirect jump to absolute memory address
1D400	46FF786C	.text	JMP [static] \| Indirect jump to absolute memory address
1D407	24007A05	.text	JMP [static] \| Indirect jump to absolute memory address
1D506	25FF1027	.text	JMP [static] \| Indirect jump to absolute memory address
1D50A	25FF3027	.text	JMP [static] \| Indirect jump to absolute memory address
1D50E	6EEB64F4	.text	JMP [static] \| Indirect jump to absolute memory address
1D51A	6EEB64F4	.text	JMP [static] \| Indirect jump to absolute memory address
1D526	37EB00F4	.text	JMP [static] \| Indirect jump to absolute memory address
1D565	5FF7004	.text	JMP [static] \| Indirect jump to absolute memory address
1E79F	5FF7004	.text	JMP [static] \| Indirect jump to absolute memory address
20575	6B110001	.text	JMP [static] \| Indirect jump to absolute memory address
2163D	30FEEC28	.text	JMP [static] \| Indirect jump to absolute memory address
21665	30FEEC28	.text	JMP [static] \| Indirect jump to absolute memory address
432C2-432DF	N/A	.rsrc	Unusual NOPS Space, count: 30
56421-5643F	N/A	.rsrc	Unusual NOPS Space, count: 31
59321-5933F	N/A	.rsrc	Unusual NOPS Space, count: 31
5A6C1-5A6DF	N/A	.rsrc	Unusual NOPS Space, count: 31
5AC62-5AC7F	N/A	.rsrc	Unusual NOPS Space, count: 30
5B702-5B71F	N/A	.rsrc	Unusual NOPS Space, count: 30
5EF41-5EF5F	N/A	.rsrc	Unusual NOPS Space, count: 31
605A1-605BF	N/A	.rsrc	Unusual NOPS Space, count: 31
668E1-668FF	N/A	.rsrc	Unusual NOPS Space, count: 31
67181-6719F	N/A	.rsrc	Unusual NOPS Space, count: 31
6A8E2-6A8FF	N/A	.rsrc	Unusual NOPS Space, count: 30
7A662-7A67F	N/A	.rsrc	Unusual NOPS Space, count: 30
7E7C1-7E7DF	N/A	.rsrc	Unusual NOPS Space, count: 31

Extra Analysis

Metric	Value	Percentage
Ascii Code	390200	56,369%
Null Byte Code	137012	19,793%
NOP Cave Found	0x9090909090	Block Count: 461 \| Total: 0,1665%

PESCAN.IO - Analysis Report Basic