PESCAN.IO - Analysis Report Basic

File Structure
Analysis Image
PE Chart Code
Header PE (light blue)
Executable sections (pink)
Non-executable sections (black)
External injected code (red)
File Structure in red = malformed or corrupted header

Chart Code For Other Files
Printable characters (blue)
Non-printable characters (black)
Information
Size: 4.63 MB
SHA-256 Hash: 9EE05D69B5D6ACF1232F3032FB0E106C2C3BA71897F20EFEAEAD10D378B22070
SHA-1 Hash: 97C5D64446669FCBBC79BD12A69583909BED8D81
MD5 Hash: 2C1D8577D79CAA5EFD92DF063B0B35E0
Imphash: 9AB8FED514C5737845783ADA4A943160
MajorOSVersion: 6
MinorOSVersion: 0
CheckSum: 004AE21D
EntryPoint (rva): 1184
SizeOfHeaders: 600
SizeOfImage: 507000
ImageBase: 0000000140000000
Architecture: x64
ImportTable: 4F8000
IAT: BA000
Characteristics: 22
TimeDateStamp: 69A6F457
Date: 03/03/2026 14:46:47
File Type: EXE
Number Of Sections: 16
ASLR: Disabled
Section Names (Optional Header): .text, .rdata, .data, .pdata, PAGE, .edata, INIT, .rsrc, .reloc, *unnamed*, *unnamed*, *unnamed*, *unnamed*, .rdata, .pdata, .reloc
Number Of Executable Sections: 4
Subsystem: Native

Sections Info
Section Name | Flags (attributes) | ROffset RSize VOffset VSize | Entropy | Chi2
.text | 0x68000020 (Code, Shared, Executable, Readable) | 600 B8C00 1000 B9000 | 6.7811 | 3843368.86
.rdata | 0x48000040 (Initialized Data, Shared, Readable) | B9200 3C400 BA000 3D000 | 7.2594 | 1050314.63
.data | 0xC8000040 (Initialized Data, Shared, Readable, Writeable) | F5600 600 F7000 55000 | 2.881 | 146995
.pdata | 0x48000040 (Initialized Data, Shared, Readable) | F5C00 200 14C000 9000 | 0 | 130560
PAGE | 0x60000020 (Code, Executable, Readable) | F5E00 600 155000 1000 | 4.804 | 61994
.edata | 0x40000040 (Initialized Data, Readable) | F6400 200 156000 1000 | 0 | 130560
INIT | 0x62000020 (Code, GP-Relative, Executable, Readable) | F6600 1400 157000 2000 | 5.2101 | 97674
.rsrc | 0x42000040 (Initialized Data, GP-Relative, Readable) | F7A00 600 159000 1000 | 2.9875 | 163416
.reloc | 0x42000040 (Initialized Data, GP-Relative, Readable) | F8000 2600 15A000 3000 | 5.3911 | 63113.89
*unnamed* | 0x68000020 (Code, Shared, Executable, Readable) | FA600 393800 15D000 393718 | 6.7361 | 15891686.16
*unnamed* | 0x48000020 (Code, Shared, Readable) | 48DE00 1800 4F1000 16A8 | 5.3611 | 123321.58
*unnamed* | 0xC8000020 (Code, Shared, Readable, Writeable) | 48F600 4800 4F3000 47F8 | 5.5869 | 563779.33
*unnamed* | 0x48000020 (Code, Shared, Readable) | 493E00 200 4F8000 8C | 1.5055 | 90811
.rdata | 0x48000040 (Initialized Data, Shared, Readable) | 494000 200 4F9000 F4 | 1.8934 | 84040
.pdata | 0x48000040 (Initialized Data, Shared, Readable) | 494200 8C00 4FA000 8AB4 | 6.0978 | 697583.87
.reloc | 0x42000040 (Initialized Data, GP-Relative, Readable) | 49CE00 3200 503000 3164 | 5.4772 | 70361.4
Description
OriginalFilename: denuvo-anti-cheat.sys
CompanyName: Denuvo GmbH
LegalCopyright: Denuvo GmbH. All rights reserved.
ProductName: Denuvo Anti-Cheat Driver
FileVersion: 6.13.2.9798
FileDescription: Denuvo Anti-Cheat Driver
ProductVersion: 6.13.2.9798
Comments: Denuvo Anti-Cheat Driver v6.13
Language: English (United States) (ID=0x409)
CodePage: Unicode (UTF-16 LE) (0x4B0)

Entry Point
Section number (1) contains the Entry Point
Information -> EntryPoint (calculated) - 784
Code -> 48895C2408574883EC20488BDA488BF9E8675E1500488BD3488BCF488B5C24304883C4205FE9B2FEFFFFCCCC48895C240857
Assembler
|MOV QWORD PTR [RSP + 8], RBX
|PUSH RDI
|SUB RSP, 0X20
|MOV RBX, RDX
|MOV RDI, RCX
|CALL 0X156E7C
|MOV RDX, RBX
|MOV RCX, RDI
|MOV RBX, QWORD PTR [RSP + 0X30]
|ADD RSP, 0X20
|POP RDI
|JMP 0XEDC
|INT3
|INT3
|MOV QWORD PTR [RSP + 8], RBX
|PUSH RDI
Signatures
Certificate - Digital Signature:
• The file is signed and the signature is correct

Duplicate Sections
Section .rdata appears 2 times
Section .pdata appears 2 times
Section .reloc appears 2 times
Section *unnamed* appears 4 times

Packer/Compiler
Compiler: Microsoft Visual Studio
Detect It Easy (die)
PE+(64): linker: Microsoft Linker(14.29)[-]
PE+(64): Sign tool: Windows Authenticode(2.0)[PKCS 7]
Entropy: 6.89788

Suspicious Functions
Library Function Description
KERNEL32.DLL WriteFile Writes data to a specified file or input/output (I/O) device.
NtosKrnl.exe ZwClose Closes a handle to an object.
NtosKrnl.exe ZwCreateFile Creates or opens a file or I/O device.
NtosKrnl.exe ZwDeviceIoControlFile Sends a control code to a device driver to perform an operation.
NtosKrnl.exe ZwFlushBuffersFile Flushes all data associated with a file to disk.
NtosKrnl.exe ZwOpenFile Opens a file or I/O device.
NtosKrnl.exe ZwOpenProcess Opens a process object.
NtosKrnl.exe ZwOpenProcessTokenEx Opens an access token associated with a process.
NtosKrnl.exe ZwQueryVirtualMemory Queries the virtual memory information for a specified process.
NtosKrnl.exe ZwReadFile Reads data from a file or device.
NtosKrnl.exe ZwWriteFile Writes data to a file or device.
Windows REG (UNICODE)
Software\Microsoft\Windows NT\CurrentVersion
SOFTWARE\DenuvoAntiCheat\telemetry\%llu-%llu\%llu
SOFTWARE\Microsoft\Windows\CurrentVersion
System\CurrentControlSet\Hardware Profiles\UnitedVideo\CONTROL\VIDEO\%s\%04llu

File Access
ntoskrnl.exe
HAL.dll
FLTMGR.SYS
cng.sys
NETIO.SYS
WDFLDR.SYS
.bAT
.dat
H.dat

File Access (UNICODE)
%llu.log
denuvo-anti-cheat.sys
ProgramFiles

Words of Interest
exec
start
systeminfo
ping

Words of Interest (UNICODE)
hostname
systeminfo

URLs
http://www.microsoft.com/pkiops/crl/Microsoft%20Windows%20Third%20Party%20Component%20CA%202014.crl
http://www.microsoft.com/pkiops/certs/Microsoft%20Windows%20Third%20Party%20Component%20CA%202014.crt
http://www.microsoft.com/pkiops/Docs/Repository.htm
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl
http://www.microsoft.com/pkiops/certs/Microsoft%20Time-Stamp%20PCA%202010(1).crt
https://www.microsoft.com/en-us/windows

IP Addresses
127.0.0.1

Strings/Hex Code Found With The File Rules
Rule Type Encoding Matched (Word)
Text Ascii WinAPI Sockets (bind)
Text Ascii WinAPI Sockets (accept)
Text Ascii WinAPI Sockets (connect)
Text Ascii File (CreateFile)
Text Ascii File (WriteFile)
Text Ascii File (ReadFile)
Text Ascii Anti-Analysis VM (GetVersion)
Resources
Path DataRVA Size FileOffset CodeText
\MESSAGETABLE\1\1033 159448 B8 F7E48 0300000001002A6002002A602800000004002A6004002A607000000003002AE003002AE0940000002400010049006E006600......*..*(.....*..*p.....*...*.....$...I.n.f.
\VERSION\1\1033 1590A0 3A4 F7AA0 A40334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000D00..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
Intelligent String
• 127.0.0.1
• \DosDevices\%s\Denuvo Anti-Cheat\Logs\denuvo-anti-cheat-driver-%llu-%02llu-%02llu-%02llu.%02llu.%02llu.%llu.log
• C:\Logs\denuvo-anti-cheat-driver-%llu-%02llu-%02llu-%02llu.%02llu.%02llu.%llu.log
• \DosDevices\%s\Logs\acd-%llu-%llu-%llu-%llu-%llu.%llu.%llu.%llu.log
• C:\Logs\acd-%llu-%llu-%llu-%llu.%llu.%llu.%llu.log
• KeInitializeTriageDumpDataArray
• KeAddTriageDumpDataBlock
• ntkrnlmp.pdb
• \??\%.*ls\global.ac.cfg
• \??\%.*ls\%ls\game.ac.cfg
• %.*ls\debug.ac.cfg
• -gameassembly.dll
• .kmdftypeinit$ctXG.bss
• WdfVersionUnbindClassWDFLDR.SYS
• ntoskrnl.exe
• FltReadFileFLTMGR.SYS
• denuvo-anti-cheat.sys
• denuvo-anti-cheat.pdb

Flow Anomalies
Offset RVA Section Description
6BC N/A .text CALL QWORD PTR [RIP+0xB9326]
33CF3 N/A .text JMP QWORD PTR [RIP+0xF3ADC07]
34425 N/A .text JMP QWORD PTR [RIP+0x6A7810F]
38A48 N/A .text JMP QWORD PTR [RIP+0x3B9BE95A]
38B28 N/A .text CALL QWORD PTR [RIP+0xE9460463]
38F3D N/A .text JMP QWORD PTR [RIP+0xEB8C0F1F]
3B560 N/A .text CALL QWORD PTR [RIP+0xDA820F3C]
3C45D N/A .text CALL QWORD PTR [RIP+0x1ECCC7CE]
3D4A4 N/A .text CALL QWORD PTR [RIP+0x7C60E]
3D50E N/A .text CALL QWORD PTR [RIP+0x7C58C]
3D557 N/A .text JMP QWORD PTR [RIP+0x7C53B]
3D5A3 N/A .text CALL QWORD PTR [RIP+0x7C4E7]
3D87C N/A .text CALL QWORD PTR [RIP+0x7C23E]
3D9E0 N/A .text CALL QWORD PTR [RIP+0x7C0DA]
3DC43 N/A .text CALL QWORD PTR [RIP+0x7BDD7]
3DC77 N/A .text CALL QWORD PTR [RIP+0x7BD93]
3DC95 N/A .text JMP QWORD PTR [RIP+0x7BD8D]
3DCA5 N/A .text JMP QWORD PTR [RIP+0x7BD6D]
3DCB6 N/A .text CALL QWORD PTR [RIP+0x7BD4C]
3DCD9 N/A .text CALL QWORD PTR [RIP+0x7B971]
3DD09 N/A .text CALL QWORD PTR [RIP+0x7BDC1]
3DD24 N/A .text CALL QWORD PTR [RIP+0x7BB46]
3DD32 N/A .text CALL QWORD PTR [RIP+0x7BCC0]
3DD8C N/A .text CALL QWORD PTR [RIP+0x7BC6E]
3F477 N/A .text JMP QWORD PTR [RIP+0x7A603]
3F48F N/A .text JMP QWORD PTR [RIP+0x7A5E3]
3F4B0 N/A .text JMP QWORD PTR [RIP+0x7A5A2]
3F55A N/A .text CALL QWORD PTR [RIP+0x7A508]
3F564 N/A .text CALL QWORD PTR [RIP+0x7A48E]
3F658 N/A .text CALL QWORD PTR [RIP+0x7A412]
3F810 N/A .text CALL QWORD PTR [RIP+0x7A24A]
3F844 N/A .text CALL QWORD PTR [RIP+0x7A206]
3F84F N/A .text CALL QWORD PTR [RIP+0x7A1F3]
3F87B N/A .text CALL QWORD PTR [RIP+0x7A1BF]
3F899 N/A .text CALL QWORD PTR [RIP+0x7A199]
3F8C5 N/A .text CALL QWORD PTR [RIP+0x7A19D]
3F912 N/A .text CALL QWORD PTR [RIP+0x7A150]
3F994 N/A .text CALL QWORD PTR [RIP+0x7A11E]
3FF34 N/A .text CALL QWORD PTR [RIP+0x797DE]
40563 N/A .text CALL QWORD PTR [RIP+0x791B7]
4059D N/A .text CALL QWORD PTR [RIP+0x7918D]
405F4 N/A .text CALL QWORD PTR [RIP+0x7913E]
40621 N/A .text CALL QWORD PTR [RIP+0x79101]
4064A N/A .text CALL QWORD PTR [RIP+0x793F8]
4065B N/A .text CALL QWORD PTR [RIP+0x793E7]
409EF N/A .text CALL QWORD PTR [RIP+0x78EA3]
40A0D N/A .text CALL QWORD PTR [RIP+0x78FFD]
40A2F N/A .text CALL QWORD PTR [RIP+0x78FE3]
40A48 N/A .text CALL QWORD PTR [RIP+0x78FCA]
40A86 N/A .text JMP QWORD PTR [RIP+0x78E0C]
40B43 N/A .text CALL QWORD PTR [RIP+0x78EE7]
417A6 N/A .text CALL QWORD PTR [RIP+0x78294]
417E3 N/A .text CALL QWORD PTR [RIP+0x77F5F]
41815 N/A .text JMP QWORD PTR [RIP+0x77F4D]
41839 N/A .text CALL QWORD PTR [RIP+0x78229]
41855 N/A .text JMP QWORD PTR [RIP+0x77EFD]
41865 N/A .text JMP QWORD PTR [RIP+0x77F05]
41877 N/A .text JMP QWORD PTR [RIP+0x77ED3]
41885 N/A .text JMP QWORD PTR [RIP+0x77ED5]
43357 N/A .text CALL QWORD PTR [RIP+0x76423]
436C4 N/A .text CALL QWORD PTR [RIP+0x760B6]
436D3 N/A .text CALL QWORD PTR [RIP+0x760A7]
436E2 N/A .text CALL QWORD PTR [RIP+0x76098]
4373F N/A .text CALL QWORD PTR [RIP+0x75F0B]
4374D N/A .text CALL QWORD PTR [RIP+0x76025]
4376D N/A .text CALL QWORD PTR [RIP+0x76005]
43775 N/A .text CALL QWORD PTR [RIP+0x75ED5]
44059 N/A .text CALL QWORD PTR [RIP+0x75741]
44079 N/A .text CALL QWORD PTR [RIP+0x75721]
44144 N/A .text CALL QWORD PTR [RIP+0x7563E]
4414F N/A .text CALL QWORD PTR [RIP+0x7596B]
4421E N/A .text CALL QWORD PTR [RIP+0x75564]
44229 N/A .text CALL QWORD PTR [RIP+0x75891]
44345 N/A .text CALL QWORD PTR [RIP+0x7543D]
44350 N/A .text CALL QWORD PTR [RIP+0x7576A]
443D1 N/A .text CALL QWORD PTR [RIP+0x753C1]
44409 N/A .text CALL QWORD PTR [RIP+0x75389]
45F04 N/A .text JMP QWORD PTR [RIP+0x73B3E]
45F32 N/A .text CALL QWORD PTR [RIP+0x73B10]
45F7E N/A .text CALL QWORD PTR [RIP+0x73834]
4600E N/A .text CALL QWORD PTR [RIP+0x73A34]
4601F N/A .text CALL QWORD PTR [RIP+0x73763]
4609F N/A .text CALL QWORD PTR [RIP+0x73703]
460B1 N/A .text CALL QWORD PTR [RIP+0x73991]
4612D N/A .text CALL QWORD PTR [RIP+0x7367D]
46B02 N/A .text CALL QWORD PTR [RIP+0x72C80]
46B10 N/A .text CALL QWORD PTR [RIP+0x72CB2]
476B4 N/A .text CALL QWORD PTR [RIP+0x720CE]
4772F N/A .text CALL QWORD PTR [RIP+0x72053]
47764 N/A .text CALL QWORD PTR [RIP+0x7206E]
4777C N/A .text CALL QWORD PTR [RIP+0x7205E]
477B2 N/A .text CALL QWORD PTR [RIP+0x72030]
477FA N/A .text CALL QWORD PTR [RIP+0x71FF0]
4780D N/A .text JMP QWORD PTR [RIP+0x71FD5]
47835 N/A .text CALL QWORD PTR [RIP+0x71F95]
478FF N/A .text CALL QWORD PTR [RIP+0x71EF3]
47977 N/A .text CALL QWORD PTR [RIP+0x71E53]
47A20 N/A .text CALL QWORD PTR [RIP+0x71D62]
47A2B N/A .text CALL QWORD PTR [RIP+0x7208F]
48042 N/A .text JMP QWORD PTR [RIP+0x71A10]
3A21D-3A23C N/A .text Potential obfuscated jump sequence detected, count: 7
53C4F-53C69 N/A .text Potential obfuscated jump sequence detected, count: 7
782DB-782FD N/A .text Potential obfuscated jump sequence detected, count: 7
9020E-90233 N/A .text Potential obfuscated jump sequence detected, count: 7
6BFA2-6BFBF N/A .text Unusual BP Cave, count: 30
6C3E2-6C3FF N/A .text Unusual BP Cave, count: 30
787B2-787CF N/A .text Unusual BP Cave, count: 30
86BF2-86C0F N/A .text Unusual BP Cave, count: 30
86C92-86CAF N/A .text Unusual BP Cave, count: 30
8EED2-8EEEF N/A .text Unusual BP Cave, count: 30
B8D12-B8D3F N/A .text Unusual BP Cave, count: 46
F5E00-F63FF 155000 PAGE Executable section anomaly, first bytes: 488BC44889580848
FA600-48DDFF 15D000 *unnamed* Executable section anomaly, first bytes: 4C8B3C24488DA424
4A0000 N/A *Overlay* C028000000020200308228B006092A864886F70D | .(......0.(...*.H...)
Extra Analysis
Metric Value Percentage
Ascii Code 3250709 66.8857%
Null Byte Code 355642 7.3176%
© 2026 All rights reserved.