PREMIUM PESCAN.IO - Analysis Report
| File Structure |
| PE chart legend (the chart image itself is not included in this extract): executable header (light blue) • executable sections (pink) • non-executable sections (black) • external injected code (red) • file structure drawn in red = malformed or corrupted header. Legend for non-PE files: printable characters (blue) • non-printable characters (black). |
| Information |
| Field | Value |
|---|---|
| Size | 1,64 MB |
| SHA-256 Hash | 4DF58B7E964F595FBDD1A345EA8A42D7477A473527174EB07ABA7A236369933B |
| SHA-1 Hash | AAE17BE8F0910211D807AF40A98949E3743019AF |
| MD5 Hash | 49FB7A987544A4A99C743D22A46C78E7 |
| Imphash | CEAD280C29DB54DAB7E26816F98157B4 |
| MajorOSVersion | 6 |
| MinorOSVersion | 0 |
| CheckSum | 001A8212 |
| EntryPoint (rva) | 474D0 |
| SizeOfHeaders | 400 |
| SizeOfImage | 1A7000 |
| ImageBase | 10000000 |
| Architecture | x86 |
| ExportTable | 73934 |
| ImportTable | 739F8 |
| IAT | 73B00 |
| Characteristics | 2102 |
| TimeDateStamp | 683D2012 |
| Date | 02/06/2025 3:52:50 |
| File Type | DLL |
| Number Of Sections | 5 |
| ASLR | Enabled |
| Section Names | .text, .rdata, .data, .rsrc, .reloc |
| Number Of Executable Sections | 1 |
| Subsystem | Windows GUI |
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 60000020 (Code, Executable, Readable) | 400 | 47A00 | 1000 | 47998 | 6,2481 | 2050865,39 |
| .rdata | 40000040 (Initialized Data, Readable) | 47E00 | 2B000 | 49000 | 2AE0D | 7,4760 | 249039,11 |
| .data | C0000040 (Initialized Data, Readable, Writeable) | 72E00 | 200 | 74000 | A4 | 0,9018 | 100227,00 |
| .rsrc | 40000040 (Initialized Data, Readable) | 73000 | 12DA00 | 75000 | 12D808 | 6,1325 | 17616127,78 |
| .reloc | 42000040 (Initialized Data, GP-Relative, Readable) | 1A0A00 | 3600 | 1A3000 | 347C | 6,7189 | 57607,56 |
| Description |
| Field | Value |
|---|---|
| OriginalFilename | sppc.dll |
| CompanyName | Microsoft Corporation |
| LegalCopyright | Microsoft Corporation. All rights reserved. |
| ProductName | Microsoft Windows Operating System |
| FileVersion | 10.0.26100.4520 (WinBuild.160101.0800) |
| FileDescription | Software Licensing Client Dll |
| ProductVersion | 10.0.26100.4520 |
| Language | English (United States) (ID=0x409) |
| CodePage | Unicode (UTF-16 LE) (0x4B0) |
| Binder/Joiner/Crypter |
| 5 Executable files found |
| Entry Point |
| Section 1 (.text) contains the entry point. EntryPoint (calculated): 468D0. Code bytes at the entry point: 5589E553575683E4FC83EC0C837D0C01B8EF740410BE097504100F45C6FFE0FF7508FF15043B0710E83B13000085C0B91875. Disassembly: PUSH EBP • MOV EBP, ESP • PUSH EBX • PUSH EDI • PUSH ESI • AND ESP, 0XFFFFFFFC • SUB ESP, 0XC • CMP DWORD PTR [EBP + 0XC], 1 • MOV EAX, 0X100474EF • MOV ESI, 0X10047509 • CMOVNE EAX, ESI • JMP EAX • PUSH DWORD PTR [EBP + 8] • CALL DWORD PTR [0X10073B04] • CALL 0X2368 • TEST EAX, EAX. Note: EP changed to another address -> (Address Of EntryPoint > Base Of Data) |
| Signatures |
| Certificate - Digital Signature: • The file is not signed |
| Packer/Compiler |
| Compiler: Microsoft Visual Studio • Detect It Easy (die): PE: linker: Microsoft Linker(14.0)[-] • Entropy: 6.56253 |
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| Ws2_32.DLL | socket (Possible Call API By Name) | Create a communication endpoint for networking applications. |
| KERNEL32.DLL | CreateMutexW | Create a named or unnamed mutex object for controlling access to a shared resource. |
| KERNEL32.DLL | GetModuleFileNameA | Retrieve the fully qualified path for the executable file of a specified module. |
| KERNEL32.DLL | VirtualAlloc | Reserve, commit, or both, a region of memory within the virtual address space of a process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |
| Ws2_32.DLL | connect | Establish a connection to a specified socket. |
| ADVAPI32.DLL | CryptEncrypt | Performs a cryptographic operation on data in a data block. |
| ADVAPI32.DLL | CryptDecrypt | Performs a cryptographic operation on data in a data block. |
| ADVAPI32.DLL | RegDeleteKeyA | Used to delete a subkey and its values from the Windows registry. |
| SHELL32.DLL | ShellExecuteExA | Performs a run operation on a specific file. |
| ET Functions (carving) |
| Original Name -> ngcpopkeysrv.dll NgcGetPregenKey NgcPregenKey NgcTriggerTask s_NgcCreateTokenBindingAik s_NgcDecryptWithSymmetricGcmPopKey s_NgcDecryptWithSymmetricPopKey s_NgcDeleteSymmetricPopKeyTransportKey s_NgcDeleteTokenBindingAik s_NgcEncryptWithSymmetricGcmPopKey s_NgcEncryptWithSymmetricPopKey s_NgcGetKeyAttestationForContainerService s_NgcGetPregenKeyState s_NgcGetPregenUserKey s_NgcGetSymmetricPopKeyTransportKey s_NgcGetSymmetricPopKeyTransportKeyName s_NgcGetTokenBindingAikName s_NgcImportSymmetricPopKey s_NgcRenewKeyAttestation s_NgcSignWithSymmetricPopKey s_NgcVerifyWithSymmetricPopKey |
| Windows REG (UNICODE) |
| SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform • SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies • Software\Policies\Microsoft • SOFTWARE\Policies\Microsoft\SecondaryAuthenticationFactor • Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{48B4E58D-2791-456C-9091-D524C6C706F2} • SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE • SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch • SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2 • SYSTEM\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap • SYSTEM\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo • SYSTEM\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSIn • SYSTEM\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSOut • SYSTEM\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP • SYSTEM\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\PlayToDisc • SYSTEM\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\mDns • SYSTEM\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Cortana • SYSTEM\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\CDPSvcTcp • System\CurrentControlSet\Services • System\CurrentControlSet\Services\TPM\WMI • System\CurrentControlSet\Services\TPM • System\CurrentControlSet\Services\TPM\ProvisionInfo • System\CurrentControlSet\Services\TPM\ProvisionInfo\History • System\CurrentControlSet\Services\TPM\WMI\HealthCert • System\CurrentControlSet\Services\TPM\WMI\Endorsement • System\CurrentControlSet\Control\IntegrityServices • System\CurrentControlSet\Control\DeviceGuard\Scenarios\SecureBiometrics • SYSTEM\CurrentControlSet\Control\Cryptography\Ngc • SYSTEM\CurrentControlSet\Control\DeviceGuard |
| File Access |
| Microsoft.Build.Exe api-ms-win-core-apiquery-l1-1-0.dll api-ms-win-stateseparation-helpers-l1-1-0.dll api-ms-win-core-sysinfo-l1-2-0.dll api-ms-win-core-delayload-l1-1-0.dll api-ms-win-core-delayload-l1-1-1.dll api-ms-win-core-com-l1-1-0.dll api-ms-win-security-base-l1-1-0.dll api-ms-win-core-registry-l1-1-0.dll ntdll.dll api-ms-win-core-processthreads-l1-1-1.dll api-ms-win-core-rtlsupport-l1-1-0.dll api-ms-win-core-interlocked-l1-1-0.dll api-ms-win-core-sysinfo-l1-1-0.dll api-ms-win-core-profile-l1-1-0.dll api-ms-win-core-heap-l2-1-0.dll api-ms-win-core-string-l1-1-0.dll api-ms-win-core-handle-l1-1-0.dll api-ms-win-core-debug-l1-1-0.dll api-ms-win-core-localization-l1-2-0.dll api-ms-win-core-processthreads-l1-1-0.dll api-ms-win-core-threadpool-l1-2-0.dll api-ms-win-eventing-provider-l1-1-0.dll api-ms-win-core-errorhandling-l1-1-0.dll api-ms-win-core-heap-l1-1-0.dll api-ms-win-core-synch-l1-1-0.dll api-ms-win-core-libraryloader-l1-2-0.dll api-ms-win-crt-string-l1-1-0.dll api-ms-win-crt-private-l1-1-0.dll api-ms-win-crt-runtime-l1-1-0.dll msvcp_win.dll ngcpopkeysrv.dll ext-ms-win-devmgmt-policy-l1-1-0.dll DEVOBJ.dll tbs.dll OLEAUT32.dll RPCRT4.dll profapi.dll CRYPT32.dll ncrypt.dll api-ms-win-security-sddl-l1-1-0.dll bcrypt.dll XmlLite.dll USER32.dll ole32.dll NTDSAPI.dll KERNEL32.dll GDI32.dll ADVAPI32.dll SHLWAPI.dll SHELL32.dll msvcrt.dll ACLUI.dll atlthunk.dll DUser.dll FDUI70.dll Secur32.dll samcli.dll netutils.dll logoncli.dll AUTHZ.dll DSPARSE.dll DSROLE.dll api-ms-win-security-sddlparsecond-l1-1-1.dll api-ms-win-security-sddlparsecond-l1-1-0.dll UxTheme.dll api-ms-win-core-file-l1-2-0.dll api-ms-win-core-file-l1-1-0.dll FLTLIB.DLL api-ms-win-core-string-obsolete-l1-1-0.dll api-ms-win-core-shlwapi-legacy-l1-1-0.dll api-ms-win-core-processenvironment-l1-1-0.dll api-ms-win-core-string-l2-1-1.dll api-ms-win-core-threadpool-private-l1-1-0.dll api-ms-win-core-threadpool-legacy-l1-1-0.dll api-ms-win-core-synch-l1-2-0.dll fwbase.dll .text$lp09fwbase.dll .text$lp08fwbase.dll .text$lp06fwbase.dll .text$lp01fwbase.dll hntdll.dll MPSSVC.dll ext-ms-win-shell-embeddedmode-l1-1-0.dll DNSAPI.dll WS2_32.dll api-ms-win-security-lsalookup-l1-1-0.dll api-ms-win-core-errorhandling-l1-1-2.dll api-ms-win-core-wow64-l1-1-0.dll api-ms-win-core-util-l1-1-0.dll api-ms-win-core-synch-l1-2-1.dll api-ms-win-service-management-l1-1-0.dll api-ms-win-core-psapi-l1-1-0.dll api-ms-win-core-memory-l1-1-0.dll api-ms-win-service-management-l2-1-0.dll sppc.dll .text$lp01sppc.dll ce55.dll MSBuild.dll hostfxr.dll aadCloudAP.dll api-ms-win-core-processthreads-l1-1-2.dll api-ms-win-core-localization-l1-2-1.dll wincorlib.DLL cryptui.dll api-ms-win-core-heap-l1-2-0.dll api-ms-win-eventing-classicprovider-l1-1-0.dll aadtb.dll api-ms-win-core-com-l1-1-1.dll api-ms-win-core-memory-l1-1-2.dll api-ms-win-security-credentials-l1-1-0.dll AadAuthHelper.dll SspiCli.dll Microsoft.Build.Framework.dll api-ms-win-core-rtlsupport-l1-2-0.dll dsreg.dll .dll Windows.Sys .dat @.dat XMake.Log msbuild.log Temp RootDir |
| File Access (UNICODE) |
| sppc.dll ntdll.dll @FirewallAPI.dll filterLib.dll kernelbase.dll aclui.dll ngcpopkeysrv.dll ce55.dll %SystemRoot%\System32\svchost.exe kernel32.dll api-ms-win-core-synch-l1-2-0.dll 0comctl32.dll imageres.dll fwbase.dll FwExpandEnvironmentStrings@FirewallAPI.dll %SystemRoot%\system32\FirewallAPI.dll FwRegCreateKeyRegCreateKeyExW@FirewallAPI.dll Temp |
| Words of Interest |
| Encrypt Decrypt PassWord exec attrib start hostname wmic shutdown systeminfo xcopy ping expand getmac replace setx |
| Words of Interest (UNICODE) |
| Encrypt attrib start ping expand route |
| URLs |
| http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl http://www.w3.org/2003/05/soap-envelope http://www.microsoft.com/pkiops/Docs/Repository.htm http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue http://www.microsoft.com/pkiops/crl/MicWinProPCA2011_2011-10-19.crl http://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt http://www.microsoft.com/windows0 http://www.microsoft.com/pkiops/certs/Microsoft%20Time-Stamp%20PCA%202010(1).crt https://github.com/dotnet/dotnet https://login.windows.net https://login.windows-ppe.net https://login.microsoftonline.com |
| URLs (UNICODE) |
| http://schemas.microsoft.com/2010/08/ActiveDirectory/PossibleValues |
| IP Addresses |
| 6.0.222.1 |
| PE Carving |
| Start Offset (Header) | End Offset | Size (Bytes) |
|---|---|---|
| 0 | 73160 | 73160 |
| 73160 | 8E960 | 1B800 |
| 8E960 | C1D60 | 33400 |
| C1D60 | D0510 | E7B0 |
| D0510 | 15C510 | 8C000 |
| 15C510 | 1A4000 | 47AF0 |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | WinAPI Sockets (bind) |
| Text | Ascii | WinAPI Sockets (accept) |
| Text | Ascii | WinAPI Sockets (connect) |
| Text | Ascii | WinAPI Sockets (send) |
| Text | Ascii | Registry (RegCreateKeyEx) |
| Text | Ascii | Registry (RegOpenKeyEx) |
| Text | Ascii | Registry (RegSetValueEx) |
| Text | Ascii | Registry (RegDeleteKeyEx) |
| Text | Ascii | Registry (RegGetValue) |
| Text | Ascii | File (CreateFile) |
| Text | Ascii | Service (OpenSCManager) |
| Text | Ascii | Service (CreateService) |
| Text | Ascii | Encryption API (CryptAcquireContext) |
| Text | Ascii | Encryption API (CryptDecrypt) |
| Text | Ascii | Encryption API (CryptReleaseContext) |
| Text | Ascii | Anti-Analysis VM (IsDebuggerPresent) |
| Text | Ascii | Anti-Analysis VM (GetSystemInfo) |
| Text | Ascii | Anti-Analysis VM (GetVersion) |
| Text | Ascii | Reconnaissance (FindFirstFileW) |
| Text | Ascii | Reconnaissance (FindClose) |
| Text | Ascii | Stealth (ExitThread) |
| Text | Ascii | Stealth (ReleaseSemaphore) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Stealth (VirtualAlloc) |
| Text | Ascii | Execution (ShellExecute) |
| Text | Ascii | Execution (CreateSemaphoreW) |
| Text | Ascii | Execution (OpenEventW) |
| Text | Ascii | Execution (CreateEventW) |
| Text | Ascii | Keyboard Key (Scroll) |
| Text | Unicode | Keyboard Key (Scroll) |
| Text | Ascii | Malicious code executed after exploiting a vulnerability (Payload) |
| Text | Ascii | Information used to authenticate a user's identity (Credential) |
| Text | Unicode | Information used to authenticate a user's identity (Credential) |
| Text | Ascii | Process of gathering information about network resources (Enumeration) |
| Text | Ascii | Software that records user activity (Logger) |
| Text | Unicode | Software that records user activity (Logger) |
| Text | Ascii | Information used for user authentication (Credential) |
| Text | Unicode | Information used for user authentication (Credential) |
| Text | Ascii | Unauthorized movement of funds or data (Transfer) |
| Text | Ascii | Malicious rerouting of traffic to an attacker-controlled site (Redirect) |
| Text | Unicode | Malicious rerouting of traffic to an attacker-controlled site (Redirect) |
| Text | Ascii | Technique used to circumvent security measures (Bypass) |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text | PE/Payload |
|---|---|---|---|---|---|---|
| \RCDATA\120\1033 | 75160 | 1B800 | 73160 | 4D5A90000300000004000000FFFF0000B8000000000000004000000000000000000000000000000000000000000000000000 | MZ......................@......................... | (Executable found) |
| \RCDATA\224\1033 | 90960 | 33400 | 8E960 | 4D5A90000300000004000000FFFF0000B8000000000000004000000000000000000000000000000000000000000000000000 | MZ......................@......................... | (Executable found) |
| \RCDATA\561\1033 | C3D60 | E7B0 | C1D60 | 4D5A90000300000004000000FFFF0000B8000000000000004000000000000000000000000000000000000000000000000000 | MZ......................@......................... | (Executable found) |
| \RCDATA\818\1033 | D2510 | 8C000 | D0510 | 4D5A90000300000004000000FFFF0000B8000000000000004000000000000000000000000000000000000000000000000000 | MZ......................@......................... | (Executable found) |
| \RCDATA\921\1033 | 15E510 | 44000 | 15C510 | 4D5A90000300000004000000FFFF0000B8000000000000004000000000000000000000000000000000000000000000000000 | MZ......................@......................... | (Executable found) |
| \VERSION\1\1033 | 1A2510 | 2F8 | 1A0510 | F80234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... | N/A |
| Intelligent String |
| • ce55.dll • 6.0.222.1 • ngcpopkeysrv.dll • api-ms-win-core-profile-l1-1-0.dll • api-ms-win-core-processthreads-l1-1-1.dll • api-ms-win-core-processthreads-l1-1-0.dll • api-ms-win-core-handle-l1-1-0.dll • api-ms-win-crt-string-l1-1-0.dll • api-ms-win-crt-private-l1-1-0.dll • api-ms-win-core-heap-l2-1-0.dll • api-ms-win-core-debug-l1-1-0.dll • api-ms-win-core-localization-l1-2-0.dll • api-ms-win-core-threadpool-l1-2-0.dll • api-ms-win-core-heap-l1-1-0.dll • api-ms-win-core-string-l1-1-0.dll • api-ms-win-security-base-l1-1-0.dll • api-ms-win-core-registry-l1-1-0.dll • ntdll.dll • api-ms-win-eventing-provider-l1-1-0.dll • api-ms-win-core-synch-l1-1-0.dll • api-ms-win-core-errorhandling-l1-1-0.dll • api-ms-win-core-libraryloader-l1-2-0.dll • api-ms-win-core-sysinfo-l1-1-0.dll • api-ms-win-core-delayload-l1-1-1.dll • api-ms-win-core-apiquery-l1-1-0.dll • api-ms-win-core-string-obsolete-l1-1-0.dll • api-ms-win-core-shlwapi-legacy-l1-1-0.dll • api-ms-win-core-processenvironment-l1-1-0.dll • api-ms-win-core-string-l2-1-1.dll • api-ms-win-core-file-l1-1-0.dll • api-ms-win-core-threadpool-private-l1-1-0.dll • api-ms-win-core-wow64-l1-1-0.dll • api-ms-win-core-util-l1-1-0.dll • api-ms-win-service-management-l1-1-0.dll • api-ms-win-core-psapi-l1-1-0.dll • api-ms-win-core-memory-l1-1-0.dll • api-ms-win-security-sddl-l1-1-0.dll • api-ms-win-core-synch-l1-2-0.dll • aclui.dll • .bss • .tls • kernelbase.dll • filterLib.dll • api-ms-win-core-interlocked-l1-1-0.dll • api-ms-win-core-delayload-l1-1-0.dll • CRYPT32.dll • RPCRT4.dll • api-ms-win-core-com-l1-1-0.dll • sppc.dll • Global\552FFA80-3393-423d-8671-7BA046BB5906 • sppc.pdb • _onexitmsvcrt.dll • api-ms-win-service-management-l2-1-0.dll • api-ms-win-core-synch-l1-2-1.dll • api-ms-win-core-errorhandling-l1-1-2.dll • KERNEL32.dll • api-ms-win-security-lsalookup-l1-1-0.dll • WS2_32.dll • DNSAPI.dll • ext-ms-win-shell-embeddedmode-l1-1-0.dll • %SystemRoot%\system32\FirewallAPI.dll • O:SYG:SYD:(XA;;CC;;;WD;(WIN://SYSAPPID Contains " • MPSSVC.dll • hntdll.dll • %SystemRoot%\System32\svchost.exe • fwbase.pdb • wcspbrk8_initterm9_initterm_eapi-ms-win-crt-string-l1-1-0.dll • api-ms-win-core-threadpool-legacy-l1-1-0.dll • fwbase.dll • fltLib.pdb • imageres.dll • UxTheme.dll • api-ms-win-security-sddlparsecond-l1-1-0.dll • api-ms-win-security-sddlparsecond-l1-1-1.dll • DSROLE.dll • DSPARSE.dll • AUTHZ.dll • logoncli.dll • netutils.dll • samcli.dll • Secur32.dll • FDUI70.dll • DUser.dll • atlthunk.dll • http://schemas.microsoft.com/2010/08/ActiveDirectory/PossibleValues • 0comctl32.dll • TaskDialogIndirect • aclui.pdb • _inittermmsvcrt.dll • ADVAPI32.dll • USER32.dll • ncrypt.dll • profapi.dll • OLEAUT32.dll • tbs.dll • kernel32.dll • DEVOBJ.dll • ext-ms-win-devmgmt-policy-l1-1-0.dll • Aonecore\ds\security\ngc\ngcpopkey\lib\ngcpopkeyrpc.cpp • onecore\ds\security\ngc\ngcpopkey\lib\keytransportkey.cpp • onecore\ds\security\ngc\ngcpopkey\lib\symmetricpopkey.cpp • onecore\ds\security\ngc\utils\common\lib\tpmutils.cpp • onecore\ds\security\ngc\utils\common\lib\stringutils.cpp • onecore\ds\security\ngc\ngcpopkey\common\aik.cpp • onecore\ds\security\ngc\ngcpopkey\common\reg.cpp • onecore\ds\security\ngc\ngcpopkey\keytranskey\tpmkeytranskey.cpp • onecore\ds\security\ngc\ngcpopkey\keytranskey\plutonkeytranskey.cpp • onecore\ds\security\ngc\ngcpopkey\keytranskey\softwarekeytranskey.cpp • onecore\ds\security\ngc\ngcpopkey\keytranskey\keytranskeybase.cpp • Global\NgcKeyStaging • onecore\ds\security\ngc\ngcpopkey\pregenkey\pregenkey.cpp • onecore\ds\security\ngc\ngcpopkey\pregenkey\utilities.cpp • login.live.com • onecore\ds\security\ngc\ngcpopkey\symmetricpopkey\tpmsymmetricpopkey.cpp • onecore\ds\security\ngc\ngcpopkey\symmetricpopkey\plutonsymmetricpopkey.cpp • onecore\ds\security\ngc\ngcpopkey\symmetricpopkey\symmetricpopkeybase.cpp • onecore\ds\security\ngc\ngcpopkey\symmetricpopkey\softwaresymmetricpopkey.cpp • onecore\ds\security\ngc\utils\bio\lib\securebioutils.cpp • onecore\ds\security\ngc\utils\common\lib\registryutils.cpp • onecore\ds\security\ngc\utils\common\lib\velocityutils.cpp • ngcpopkeysrv.pdb • api-ms-win-core-rtlsupport-l1-1-0.dll • api-ms-win-core-sysinfo-l1-2-0.dll • api-ms-win-stateseparation-helpers-l1-1-0.dll |
| Flow Anomalies |
| Offset | RVA | Section | Type | Description |
|---|---|---|---|---|
| 3E42 | 10073B20 | .text | CALL [static] | Indirect call to absolute memory address |
| CDE0 | 10073B0C | .text | CALL [static] | Indirect call to absolute memory address |
| CDE9 | 10073B08 | .text | CALL [static] | Indirect call to absolute memory address |
| F822 | 10073B0C | .text | CALL [static] | Indirect call to absolute memory address |
| F82B | 10073B08 | .text | CALL [static] | Indirect call to absolute memory address |
| F9D2 | 10073B0C | .text | CALL [static] | Indirect call to absolute memory address |
| F9DB | 10073B08 | .text | CALL [static] | Indirect call to absolute memory address |
| 11695 | 10073B20 | .text | CALL [static] | Indirect call to absolute memory address |
| 1217A | 10074094 | .text | CALL [static] | Indirect call to absolute memory address |
| 12352 | 10074098 | .text | CALL [static] | Indirect call to absolute memory address |
| 129C3 | 10073B14 | .text | CALL [static] | Indirect call to absolute memory address |
| 129DB | 10073B20 | .text | CALL [static] | Indirect call to absolute memory address |
| 12ACA | 10073B24 | .text | CALL [static] | Indirect call to absolute memory address |
| 12AEC | 1007409C | .text | CALL [static] | Indirect call to absolute memory address |
| 1439E | 10073B10 | .text | CALL [static] | Indirect call to absolute memory address |
| 19545 | 10073B20 | .text | CALL [static] | Indirect call to absolute memory address |
| 1A145 | 10073B30 | .text | CALL [static] | Indirect call to absolute memory address |
| 1A3E8 | 10073B30 | .text | CALL [static] | Indirect call to absolute memory address |
| 1A512 | 10073B20 | .text | CALL [static] | Indirect call to absolute memory address |
| 1EC7A | 10073B30 | .text | CALL [static] | Indirect call to absolute memory address |
| 2069A | 10073B30 | .text | CALL [static] | Indirect call to absolute memory address |
| 20FF0 | 10073B0C | .text | CALL [static] | Indirect call to absolute memory address |
| 20FF9 | 10073B08 | .text | CALL [static] | Indirect call to absolute memory address |
| 21132 | 10073B0C | .text | CALL [static] | Indirect call to absolute memory address |
| 2113B | 10073B08 | .text | CALL [static] | Indirect call to absolute memory address |
| 220C2 | 10073B0C | .text | CALL [static] | Indirect call to absolute memory address |
| 220CB | 10073B08 | .text | CALL [static] | Indirect call to absolute memory address |
| 2546A | 10073B30 | .text | CALL [static] | Indirect call to absolute memory address |
| 2572A | 10073B30 | .text | CALL [static] | Indirect call to absolute memory address |
| 297C8 | 10073B30 | .text | CALL [static] | Indirect call to absolute memory address |
| 2ADB2 | 10073B0C | .text | CALL [static] | Indirect call to absolute memory address |
| 2ADBB | 10073B08 | .text | CALL [static] | Indirect call to absolute memory address |
| 2E7BB | 10073B20 | .text | CALL [static] | Indirect call to absolute memory address |
| 2F0B5 | 10073B10 | .text | CALL [static] | Indirect call to absolute memory address |
| 2F6D1 | 10074064 | .text | CALL [static] | Indirect call to absolute memory address |
| 2F78D | 10073B6C | .text | CALL [static] | Indirect call to absolute memory address |
| 2F925 | 10073B14 | .text | CALL [static] | Indirect call to absolute memory address |
| 2FB29 | 10073B80 | .text | CALL [static] | Indirect call to absolute memory address |
| 30DFE | 10073B70 | .text | CALL [static] | Indirect call to absolute memory address |
| 3103E | 1007405C | .text | CALL [static] | Indirect call to absolute memory address |
| 3106A | 10074060 | .text | CALL [static] | Indirect call to absolute memory address |
| 311A5 | 10074070 | .text | CALL [static] | Indirect call to absolute memory address |
| 31235 | 10074064 | .text | CALL [static] | Indirect call to absolute memory address |
| 31272 | 10074068 | .text | CALL [static] | Indirect call to absolute memory address |
| 312C8 | 1007406C | .text | CALL [static] | Indirect call to absolute memory address |
| 31306 | 10074074 | .text | CALL [static] | Indirect call to absolute memory address |
| 31312 | 10074070 | .text | CALL [static] | Indirect call to absolute memory address |
| 31339 | 1007405C | .text | CALL [static] | Indirect call to absolute memory address |
| 3134A | 10074060 | .text | CALL [static] | Indirect call to absolute memory address |
| 31405 | 1007407C | .text | CALL [static] | Indirect call to absolute memory address |
| 3142E | 10074070 | .text | CALL [static] | Indirect call to absolute memory address |
| 3148B | 10074080 | .text | CALL [static] | Indirect call to absolute memory address |
| 314DB | 10074084 | .text | CALL [static] | Indirect call to absolute memory address |
| 35BC2 | 10073B0C | .text | CALL [static] | Indirect call to absolute memory address |
| 35BCB | 10073B08 | .text | CALL [static] | Indirect call to absolute memory address |
| 35FD2 | 10073B20 | .text | CALL [static] | Indirect call to absolute memory address |
| 37235 | 10073B20 | .text | CALL [static] | Indirect call to absolute memory address |
| 37F82 | 10073B0C | .text | CALL [static] | Indirect call to absolute memory address |
| 37F8B | 10073B08 | .text | CALL [static] | Indirect call to absolute memory address |
| 39D18 | 10073B30 | .text | CALL [static] | Indirect call to absolute memory address |
| 3A612 | 10073B20 | .text | CALL [static] | Indirect call to absolute memory address |
| 3B038 | 10073B30 | .text | CALL [static] | Indirect call to absolute memory address |
| 3B332 | 10073B20 | .text | CALL [static] | Indirect call to absolute memory address |
| 3C700 | 10073B0C | .text | CALL [static] | Indirect call to absolute memory address |
| 3C709 | 10073B08 | .text | CALL [static] | Indirect call to absolute memory address |
| 3DCA5 | 10073B0C | .text | CALL [static] | Indirect call to absolute memory address |
| 3DCAF | 10073B08 | .text | CALL [static] | Indirect call to absolute memory address |
| 3FFFF | 10073B20 | .text | CALL [static] | Indirect call to absolute memory address |
| 40372 | 10073B10 | .text | CALL [static] | Indirect call to absolute memory address |
| 40C83 | 10073B20 | .text | CALL [static] | Indirect call to absolute memory address |
| 417C3 | 10073B0C | .text | CALL [static] | Indirect call to absolute memory address |
| 417D8 | 10073B34 | .text | CALL [static] | Indirect call to absolute memory address |
| 417E6 | 10073B30 | .text | CALL [static] | Indirect call to absolute memory address |
| 417F4 | 10073B18 | .text | CALL [static] | Indirect call to absolute memory address |
| 41802 | 10073B1C | .text | CALL [static] | Indirect call to absolute memory address |
| 41810 | 10073B28 | .text | CALL [static] | Indirect call to absolute memory address |
| 41817 | 10073B00 | .text | CALL [static] | Indirect call to absolute memory address |
| 41856 | 1007405C | .text | CALL [static] | Indirect call to absolute memory address |
| 424DE | 10074064 | .text | CALL [static] | Indirect call to absolute memory address |
| 4290E | 10073B80 | .text | CALL [static] | Indirect call to absolute memory address |
| 4293E | 10073B6C | .text | CALL [static] | Indirect call to absolute memory address |
| 42D0B | 10073B78 | .text | CALL [static] | Indirect call to absolute memory address |
| 42D26 | 10073B24 | .text | CALL [static] | Indirect call to absolute memory address |
| 432BC | 10074068 | .text | CALL [static] | Indirect call to absolute memory address |
| 437E4 | 10073B2C | .text | CALL [static] | Indirect call to absolute memory address |
| 438DA | 10073B24 | .text | CALL [static] | Indirect call to absolute memory address |
| 43D7D | 100740A0 | .text | CALL [static] | Indirect call to absolute memory address |
| 43D8A | 1007407C | .text | CALL [static] | Indirect call to absolute memory address |
| 442AA | 10074060 | .text | CALL [static] | Indirect call to absolute memory address |
| 44BE9 | 10073B0C | .text | CALL [static] | Indirect call to absolute memory address |
| 451A3 | 10073B30 | .text | CALL [static] | Indirect call to absolute memory address |
| 45418 | 1007406C | .text | CALL [static] | Indirect call to absolute memory address |
| 4542C | 10074070 | .text | CALL [static] | Indirect call to absolute memory address |
| 4554F | 10073B2C | .text | CALL [static] | Indirect call to absolute memory address |
| 46311 | 10073B70 | .text | CALL [static] | Indirect call to absolute memory address |
| 46543 | 10073B30 | .text | CALL [static] | Indirect call to absolute memory address |
| 46676 | 10073B68 | .text | CALL [static] | Indirect call to absolute memory address |
| 468F2 | 10073B04 | .text | CALL [static] | Indirect call to absolute memory address |
| 46C31 | 10073B74 | .text | CALL [static] | Indirect call to absolute memory address |
| 46C56 | 10073B7C | .text | CALL [static] | Indirect call to absolute memory address |
| 47D98-47DFF | N/A | .text | Unusual BP Cave | count: 104 |
| 7929E-792BF | N/A | .rsrc | Unusual BP Cave | count: 34 |
| 9AC1D-9AC3F | N/A | .rsrc | Unusual BP Cave | count: 35 |
| 9DD00-9DD1F | N/A | .rsrc | Unusual BP Cave | count: 32 |
| ADD3F-ADD5F | N/A | .rsrc | Unusual BP Cave | count: 33 |
| C6D75-C7D5F | N/A | .rsrc | Unusual BP Cave | count: 4075 |
| 132525-13350F | N/A | .rsrc | Unusual BP Cave | count: 4075 |
| 189525-18A50F | N/A | .rsrc | Unusual BP Cave | count: 4075 |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 1054618 | 61,3036% |
| Null Byte Code | 290458 | 16,884% |
© 2026 All rights reserved.