PREMIUM PESCAN.IO - Analysis Report

| File Structure |
| File structure chart (image not included). Legend for PE charts: executable header (light blue), executable sections (pink), non-executable sections (black), external injected code (red); a File Structure bar in red means a malformed or corrupted header. Legend for other file types: printable characters (blue), non-printable characters (black). |
| Information |
| Field | Value |
|---|---|
| Size | 1013,50 KB |
| SHA-256 | CBCFB02DC557D641001F04EDC4EDCDDE905C795701C319CA07E78A361DF94EED |
| SHA-1 | 7770970A9855110393BB2CF2C54BE1D2918DC52F |
| MD5 | 9B3BD203E8DC88CB2963600D82FF941C |
| Imphash | 9B78355EDC7F960CE94E019225BE2405 |
| MajorOSVersion / MinorOSVersion | 6 / 0 |
| CheckSum | 00103855 |
| EntryPoint (RVA) | 369B0 |
| SizeOfHeaders | 400 |
| SizeOfImage | 101000 |
| ImageBase | 10000000 |
| Architecture | x86 |
| ExportTable (RVA) | 5ADC4 |
| ImportTable (RVA) | 5AEF4 |
| IAT (RVA) | 5B054 |
| Characteristics | 2102 (EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL) |
| TimeDateStamp | 67408FE5 (22/11/2024 14:06:29 UTC) |
| File Type | DLL |
| Number Of Sections | 5 |
| ASLR | Enabled |
| Section Names | .text, .rdata, .data, .rsrc, .reloc |
| Number Of Executable Sections | 1 |
| Subsystem | Windows GUI |
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 60000020 (Code, Executable, Readable) | 400 | 37800 | 1000 | 37671 | 6,2816 | 1475272,75 |
| .rdata | 40000040 (Initialized Data, Readable) | 37C00 | 22600 | 39000 | 224A9 | 7,7182 | 99021,08 |
| .data | C0000040 (Initialized Data, Readable, Writeable) | 5A200 | 200 | 5C000 | D8 | 1,4252 | 82026,00 |
| .rsrc | 40000040 (Initialized Data, Readable) | 5A400 | 9EE00 | 5D000 | 9EDD8 | 5,8530 | 14104548,02 |
| .reloc | 42000040 (Initialized Data, Discardable, Readable) | F9200 | 4400 | FC000 | 4350 | 6,7521 | 65766,26 |
| Description |
| Field | Value |
|---|---|
| OriginalFilename | EapTeapConfig.dll |
| CompanyName | Microsoft Corporation |
| LegalCopyright | Microsoft Corporation. All rights reserved. |
| ProductName | Microsoft Windows Operating System |
| FileVersion | 10.0.26100.4230 (WinBuild.160101.0800) |
| FileDescription | EAP Teap Config DLL |
| ProductVersion | 10.0.26100.4230 |
| Language | English (United States) (ID=0x409) |
| CodePage | Unicode (UTF-16 LE) (0x4B0) |
| Binder/Joiner/Crypter |
| 6 Executable files found |
| Entry Point |
| Section 1 (.text) holds the entry point. EntryPoint (calculated file offset): 35DB0, i.e. RVA 369B0 - .text VOffset 1000 + .text ROffset 400. |
| Code: 5589E553575683E4FC837D0C010F85F0000000FF7508FF1558B00510E8D71A000085C00F84DA0000008B400C8B480C89C8EB |
| • PUSH EBP • MOV EBP, ESP • PUSH EBX • PUSH EDI • PUSH ESI • AND ESP, 0XFFFFFFFC • CMP DWORD PTR [EBP + 0XC], 1 • JNE 0X1103 • PUSH DWORD PTR [EBP + 8] • CALL DWORD PTR [0X1005B058] • CALL 0X2AF8 • TEST EAX, EAX • JE 0X1103 • MOV EAX, DWORD PTR [EAX + 0XC] • MOV ECX, DWORD PTR [EAX + 0XC] • MOV EAX, ECX |
| The CMP DWORD PTR [EBP + 0XC], 1 compares the second argument (fdwReason) with DLL_PROCESS_ATTACH, and PUSH DWORD PTR [EBP + 8] hands the first argument (hinstDLL) to an import called through the IAT slot at 1005B058; this is a DllMain-style entry that does its work on process attach and skips everything otherwise. |
| Tool flag: EP changed to another address -> (Address Of EntryPoint > Base Of Data). Check this against the numbers above before acting on it: RVA 369B0 lies inside .text (VOffset 1000, VSize 37671) and below the first data section (.rdata at 39000). |
| Signatures |
| Certificate - Digital Signature: • The file is not signed |
| The version resource claims Microsoft Corporation, but no embedded Authenticode signature is present. Shipped Microsoft binaries are signed either in the file or through a security catalog, and a static scan only sees the former, so confirm with a catalog-aware check (sigcheck, or Get-AuthenticodeSignature in PowerShell) and compare the hashes above against a known-good copy before treating the version information as evidence of origin either way. |
| Packer/Compiler |
| • Compiler: Microsoft Visual Studio • Detect It Easy (die): PE: linker: Microsoft Linker(14.0)[-] • Entropy: 6.54644 |
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | CreateMutexW | Create a named or unnamed mutex object for controlling access to a shared resource. |
| KERNEL32.DLL | GetModuleFileNameA | Retrieves the fully qualified path for the executable file of a specified module. |
| KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | LoadLibraryW | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |
| ADVAPI32.DLL | RegSetValueExA | Sets the data and type of a specified value under a registry key. |
| SHELL32.DLL | ShellExecuteA | Performs a run operation on a specific file. |
| SHELL32.DLL | ShellExecuteExA | Performs a run operation on a specific file. |
| Export Table (ET) Functions (carving) |
| Original Name -> JoinUtil.dll NetpAvoidNetlogonSpnSet NetpClearFullJoinState NetpCompatibilityMode NetpControlServices NetpDNSNameResolutionRequired NetpDoDomainJoinLicensingCheck NetpFreeJoinStateContents NetpGenerateDefaultPassword NetpGetLsaHandle NetpGetLsaMachineAccountInfo NetpGetLsaPrimaryDomain NetpHandleJoinedStateInfo NetpLoadFullJoinState NetpLoadParameters NetpLsaOpenSecret NetpManageLocalGroups NetpManageMachineSecret NetpManageMachineSecret2 NetpMarkLastFullJoinAttempt NetpQueryService NetpRemoveInitialDcRecord NetpSaveFullJoinStateInternal NetpSetLsaHandle NetpSetLsaMachineAccountInfo NetpSetLsaPrimaryDomain NetpSetWinlogonCAD NetpStopService NetpStoreInitialDcRecord NetpStoreInitialDcRecordEx NetpUpdateW32timeConfig |
| Windows REG (UNICODE) |
| SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment Software\Policies\Microsoft\Cryptography\PolicyServers Software\Microsoft\Cryptography\PolicyServers SOFTWARE\Microsoft\Cryptography\AutoEnrollment SOFTWARE\Microsoft\Cryptography\AutoEnrollment\AEDirectoryCache SOFTWARE\Microsoft\Volatile-AutoEnroll-EXCLUSIVE SOFTWARE\Microsoft\Cryptography\AutoEnrollment\AEDisable SOFTWARE\Microsoft\Cryptography\CertificateTemplateCache SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ System\CurrentControlSet\Services\Eaphost\Methods\311\55 System\CurrentControlSet\Services\lanmanworkstation\Parameters SYSTEM\CurrentControlSet\Services\Netlogon System\CurrentControlSet |
| File Access |
| api-ms-win-core-delayload-l1-1-0.dll api-ms-win-core-delayload-l1-1-1.dll api-ms-win-core-string-l1-1-0.dll api-ms-win-core-file-l2-1-0.dll api-ms-win-core-file-l1-1-0.dll ntdll.dll api-ms-win-core-handle-l1-1-0.dll api-ms-win-core-processthreads-l1-1-1.dll api-ms-win-core-rtlsupport-l1-1-0.dll api-ms-win-core-processthreads-l1-1-0.dll api-ms-win-core-profile-l1-1-0.dll api-ms-win-core-util-l1-1-0.dll api-ms-win-core-heap-l1-1-0.dll api-ms-win-core-string-l2-1-0.dll api-ms-win-core-sysinfo-l1-1-0.dll api-ms-win-security-base-l1-1-0.dll api-ms-win-core-errorhandling-l1-1-0.dll api-ms-win-core-synch-l1-2-0.dll api-ms-win-core-heap-l2-1-0.dll api-ms-win-core-registry-l1-1-0.dll api-ms-win-core-libraryloader-l1-2-0.dll api-ms-win-core-synch-l1-1-0.dll api-ms-win-core-crt-l2-1-0.dll api-ms-win-core-crt-l1-1-0.dll JoinUtil.dll profapi.dll api-ms-win-security-lsapolicy-l1-1-1.dll api-ms-win-security-lsapolicy-l1-1-0.dll api-ms-win-security-lsalookup-l1-1-0.dll api-ms-win-service-winsvc-l1-1-0.dll api-ms-win-service-core-l1-1-1.dll samcli.dll netutils.dll api-ms-win-security-sddl-l1-1-0.dll api-ms-win-service-management-l2-1-0.dll api-ms-win-service-management-l1-1-0.dll CertEnroll.dll api-ms-win-core-shlwapi-obsolete-l1-1-0.dll api-ms-win-core-sidebyside-l1-1-0.dll api-ms-win-core-localization-l1-2-0.dll api-ms-win-core-debug-l1-1-0.dll api-ms-win-core-libraryloader-l1-2-1.dll msvcrt.dll PAUTOENR.dll USER32.dll certca.dll api-ms-win-eventlog-legacy-l1-1-0.dll SspiCli.dll DSROLE.dll CRYPTNET.dll RPCRT4.dll WLDAP32.dll CRYPT32.dll api-ms-win-core-com-l1-1-0.dll api-ms-win-core-errorhandling-l1-1-2.dll bcrypt.dll api-ms-win-core-io-l1-1-0.dll api-ms-win-core-namespace-l1-1-0.dll api-ms-win-core-memory-l1-1-0.dll msvcp_win.dll api-ms-win-eventing-provider-l1-1-0.dll api-ms-win-core-realtime-l1-1-0.dll api-ms-win-core-processtopology-obsolete-l1-1-0.dll api-ms-win-core-threadpool-l1-2-0.dll api-ms-win-core-interlocked-l1-1-0.dll api-ms-win-crt-string-l1-1-0.dll 
api-ms-win-crt-private-l1-1-0.dll api-ms-win-crt-runtime-l1-1-0.dll LampArray.dll CoreMessaging.dll api-ms-win-mm-misc-l1-1-0.dll api-ms-win-mm-mme-l1-1-0.dll api-ms-win-core-heap-obsolete-l1-1-0.dll WINMMBASE.dll MIDIMAP.dll .text$lp00midimap.dll api-ms-win-security-accesshlpr-l1-1-0.dll api-ms-win-service-private-l1-1-0.dll dsclient.dll .text$lp00dsclient.dll api-ms-win-core-winrt-error-l1-1-1.dll api-ms-win-core-apiquery-l1-1-0.dll api-ms-win-core-string-obsolete-l1-1-0.dll api-ms-win-core-processenvironment-l1-1-0.dll OLEAUT32.dll api-ms-win-core-winrt-error-l1-1-0.dll eappcfg.dll eapputil.dll EapTeapConfig.dll ext-ms-win-ttlsext-eap-l1-1-0.dll ext-ms-win-teapext-eap-l1-1-0.dll SHELL32.dll ole32.dll GDI32.dll ADVAPI32.dll KERNEL32.dll film58.dll .dll .dat @.dat Temp |
| File Access (UNICODE) |
| EapTeapConfig.dll ntdll.dll kernelbase.dll LampArray.dll JOINUTIL.DLL film58.dll w32Time.dll Comctl32.dll cryptui.dll midimap.dll dsclient.dll api-ms-win-core-winrt-error-l1-1-1.dll \DsOIDInfo.dat %s\%s.LOG Temp WinDir |
| Words of Interest |
| PassWord exec attrib start pause shutdown systeminfo ping expand replace |
| Words of Interest (UNICODE) |
| PassWord start hostname |
| URLs |
| http://www.microsoft.com/pkiops/crl/MicWinProPCA2011_2011-10-19.crl http://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt http://www.microsoft.com/windows0 http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl http://www.microsoft.com/pkiops/certs/Microsoft%20Time-Stamp%20PCA%202010(1).crt http://www.microsoft.com/pkiops/Docs/Repository.htm |
| URLs (UNICODE) |
| http://www.microsoft.com/provisioning/BaseEapUserPropertiesV1 http://www.microsoft.com/provisioning/EapTeapUserPropertiesV1 http://www.microsoft.com/provisioning/EapHostUserCredentials' xmlns:BaseEapUserPropertiesV1=' http://www.microsoft.com/provisioning/BaseEapUserPropertiesV1' xmlns:EapTeapUserPropertiesV1=' http://www.microsoft.com/provisioning/EapTeapUserPropertiesV1' http://www.microsoft.com/provisioning/EapHostConfig http://www.microsoft.com/provisioning/EapTeapConnectionPropertiesV1 http://www.microsoft.com/provisioning/EapHostConfig' xmlns:EapTeapConnectionPropertiesV1=' http://www.microsoft.com/provisioning/EapTeapConnectionPropertiesV1' http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1 |
| IP Addresses |
| 7.9.130.3 (dotted-quad pattern match; nothing else in this report, such as a hostname or a URL pointing at it, corroborates it as a network indicator) |
| PE Carving |
| Start Offset Header | End Offset | Size (Bytes) |
|---|---|---|
| 0 | 5A590 | 5A590 |
| 5A590 | 88590 | 2E000 |
| 88590 | 92CD8 | A748 |
| 92CD8 | 980D8 | 5400 |
| 980D8 | B4ED8 | 1CE00 |
| B4ED8 | CBED8 | 17000 |
| CBED8 | FD600 | 31728 |
| Note: each End Offset is simply the next MZ header found, or end of file for the last entry, and the first row is the carrier DLL itself up to the first embedded image. For the last entry this overshoots: resource \RCDATA\988\1033 is 2D000 bytes, while the carved span to FD600 (end of .reloc, ROffset F9200 + RSize 4400) is 31728 bytes. Take the size of each embedded image from its own section table rather than from this column. |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | WinAPI Sockets (connect) |
| Text | Ascii | Registry (RegCreateKeyEx) |
| Text | Ascii | Registry (RegOpenKeyEx) |
| Text | Ascii | Registry (RegSetValueEx) |
| Text | Ascii | Registry (RegDeleteKeyEx) |
| Text | Ascii | Registry (RegGetValue) |
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | File (ReadFile) |
| Text | Ascii | Service (OpenSCManager) |
| Text | Unicode | Service (OpenSCManager) |
| Text | Ascii | Anti-Analysis VM (IsDebuggerPresent) |
| Text | Ascii | Anti-Analysis VM (GetSystemInfo) |
| Text | Ascii | Anti-Analysis VM (GetVersion) |
| Text | Ascii | Stealth (ReleaseSemaphore) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Stealth (VirtualProtect) |
| Text | Ascii | Stealth (QueueUserAPC) |
| Text | Ascii | Execution (ShellExecute) |
| Text | Ascii | Execution (OpenEventW) |
| Text | Ascii | Execution (CreateEventW) |
| Text | Ascii | Information used to authenticate a user's identity (Credential) |
| Text | Unicode | Information used to authenticate a user's identity (Credential) |
| Text | Ascii | Information used for user authentication (Credential) |
| Text | Unicode | Information used for user authentication (Credential) |
| Text | Ascii | Unauthorized movement of funds or data (Transfer) |
| Text | Unicode | Technique used to insert malicious code into legitimate processes (Inject) |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text | PE/Payload |
|---|---|---|---|---|---|---|
| \RCDATA\263\1033 | 5D190 | 2E000 | 5A590 | 4D5A90000300000004000000FFFF0000B8000000000000004000000000000000000000000000000000000000000000000000 | MZ......................@......................... | (Executable found) |
| \RCDATA\571\1033 | 8B190 | A748 | 88590 | 4D5A90000300000004000000FFFF0000B8000000000000004000000000000000000000000000000000000000000000000000 | MZ......................@......................... | (Executable found) |
| \RCDATA\594\1033 | 958D8 | 5400 | 92CD8 | 4D5A90000300000004000000FFFF0000B8000000000000004000000000000000000000000000000000000000000000000000 | MZ......................@......................... | (Executable found) |
| \RCDATA\699\1033 | 9ACD8 | 1CE00 | 980D8 | 4D5A90000300000004000000FFFF0000B8000000000000004000000000000000000000000000000000000000000000000000 | MZ......................@......................... | (Executable found) |
| \RCDATA\803\1033 | B7AD8 | 17000 | B4ED8 | 4D5A90000300000004000000FFFF0000B8000000000000004000000000000000000000000000000000000000000000000000 | MZ......................@......................... | (Executable found) |
| \RCDATA\988\1033 | CEAD8 | 2D000 | CBED8 | 4D5A90000300000004000000FFFF0000B8000000000000004000000000000000000000000000000000000000000000000000 | MZ......................@......................... | (Executable found) |
| \VERSION\1\1033 | FBAD8 | 2FC | F8ED8 | FC0234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000900 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... | N/A |
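The PE Carving and Resources sections above both come down to the same procedure: find every "MZ" in the file, confirm that e_lfanew points at a "PE\0\0" signature, and record where the image starts. The carver below, an added example and not PESCAN.IO's own code, does that and additionally takes each image's size from its own section table (the furthest raw byte any section claims on disk) instead of from the distance to the next header, which is what inflates the last row of the carving table. It handles PE32 only, matching the x86 carrier, and runs on a container constructed inline; it is not the analysed file.

```python
"""Carve embedded PE32 images out of a container file (added example)."""
import struct

PE32_MAGIC = 0x10B
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data, base):
    """Size on disk of the PE32 whose MZ header sits at `base`, or None if invalid."""
    if data[base:base + 2] != b"MZ" or base + 0x40 > len(data):
        return None
    e_lfanew, = struct.unpack_from("<I", data, base + 0x3C)
    nt = base + e_lfanew
    # Reject absurd e_lfanew values and anything without the PE signature.
    if e_lfanew > 0x1000 or data[nt:nt + 4] != b"PE\0\0" or nt + 26 > len(data):
        return None
    nsec, = struct.unpack_from("<H", data, nt + 6)        # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, nt + 20)   # SizeOfOptionalHeader
    magic, = struct.unpack_from("<H", data, nt + 24)      # optional header Magic
    if magic != PE32_MAGIC or nsec == 0:
        return None
    end, sec = 0, nt + 24 + opt_size
    for _ in range(nsec):
        if sec + SECTION_HDR.size > len(data):
            return None
        _name, _vsize, _va, rsize, roff, *_rest = SECTION_HDR.unpack_from(data, sec)
        end = max(end, roff + rsize)   # last raw byte the image claims on disk
        sec += SECTION_HDR.size
    return end


def carve(data):
    """Every valid PE32 in `data` with offset, size and bytes (nested images included)."""
    found, pos = [], 0
    while (pos := data.find(b"MZ", pos)) >= 0:
        size = parse_pe(data, pos)
        if size:
            found.append({"offset": pos, "size": size,
                          "truncated": pos + size > len(data),
                          "image": data[pos:pos + size]})
        # Advance by one, not by `size`: the analysed DLL keeps its six payloads
        # inside its own .rsrc, so skipping the carrier would skip them too.
        pos += 1
    return found


def build_sample_pe(code):
    """Construct a minimal, well-formed PE32 with one .text section holding `code`."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)  # i386, 1 section, DLL
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, 0x1000)        # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x10000000)    # ImageBase
    raw = code.ljust(0x200, b"\0")
    sec = SECTION_HDR.pack(b".text", len(code), 0x1000, len(raw), 0x200,
                           0, 0, 0, 0, 0x60000020)
    return (dos + b"PE\0\0" + coff + bytes(opt) + sec).ljust(0x200, b"\0") + raw


# Constructed container (not the analysed file): filler, a stray "MZ" that is
# not a header, two embedded images, trailing bytes after the last one.
SAMPLE = (b"\x90" * 0x123 + b"MZ is not a header"
          + build_sample_pe(b"\x31\xC0\xC3")                   # xor eax,eax ; ret
          + b"\xCC" * 0x77
          + build_sample_pe(b"\xB8\x01\x00\x00\x00\xC3")       # mov eax,1 ; ret
          + b"\x00" * 0x50)

if __name__ == "__main__":
    for hit in carve(SAMPLE):
        print(f"offset {hit['offset']:#x} size {hit['size']:#x} truncated={hit['truncated']}")
```

The stray "MZ" text is rejected because its e_lfanew does not lead to a PE signature, and the trailing 0x50 bytes after the second image are not absorbed into it, which is exactly the difference between the 2D000-byte resource and the 31728-byte carve in the table above. A `truncated` hit means the section table promises more bytes than the container has left, which is worth flagging rather than silently cutting.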
| Intelligent Strings |
| • film58.dll • 7.9.130.3 • JOINUTIL.DLL • api-ms-win-core-profile-l1-1-0.dll • api-ms-win-security-base-l1-1-0.dll • api-ms-win-core-heap-l2-1-0.dll • api-ms-win-core-sysinfo-l1-1-0.dll • api-ms-win-core-file-l1-1-0.dll • api-ms-win-core-registry-l1-1-0.dll • api-ms-win-core-synch-l1-2-0.dll • api-ms-win-core-string-l1-1-0.dll • api-ms-win-core-handle-l1-1-0.dll • api-ms-win-core-localization-l1-2-0.dll • api-ms-win-core-processthreads-l1-1-0.dll • api-ms-win-core-heap-l1-1-0.dll • api-ms-win-crt-string-l1-1-0.dll • 2_except_handler4_commonapi-ms-win-crt-private-l1-1-0.dll • api-ms-win-core-debug-l1-1-0.dll • api-ms-win-core-delayload-l1-1-1.dll • api-ms-win-core-processthreads-l1-1-1.dll • api-ms-win-core-rtlsupport-l1-1-0.dll • api-ms-win-core-errorhandling-l1-1-0.dll • ntdll.dll • api-ms-win-core-util-l1-1-0.dll • api-ms-win-core-string-l2-1-0.dll • bcrypt.dll • api-ms-win-core-com-l1-1-0.dll • api-ms-win-core-io-l1-1-0.dll • api-ms-win-security-sddl-l1-1-0.dll • api-ms-win-core-namespace-l1-1-0.dll • api-ms-win-core-memory-l1-1-0.dll • api-ms-win-core-realtime-l1-1-0.dll • api-ms-win-core-processtopology-obsolete-l1-1-0.dll • api-ms-win-core-threadpool-l1-2-0.dll • api-ms-win-core-heap-obsolete-l1-1-0.dll • api-ms-win-security-accesshlpr-l1-1-0.dll • api-ms-win-core-synch-l1-1-0.dll • isdebuggerpresentapi-ms-win-eventing-provider-l1-1-0.dll • api-ms-win-service-private-l1-1-0.dll • api-ms-win-core-apiquery-l1-1-0.dll • api-ms-win-core-string-obsolete-l1-1-0.dll • api-ms-win-core-processenvironment-l1-1-0.dll • api-ms-win-core-winrt-error-l1-1-0.dll • api-ms-win-eventing-provider-l1-1-0.dll • api-ms-win-crt-private-l1-1-0.dll • api-ms-win-core-delayload-l1-1-0.dll • api-ms-win-core-libraryloader-l1-2-0.dll • .bss • profapi.dll • LampArray.dll • api-ms-win-core-libraryloader-l1-2-1.dll • api-ms-win-core-interlocked-l1-1-0.dll • RPCRT4.dll • api-ms-win-service-management-l1-1-0.dll • _inittermmsvcrt.dll • kernelbase.dll • EapTeapConfig.dll • 
api-ms-win-core-winrt-error-l1-1-1.dll • ext-ms-win-teapext-eap-l1-1-0.dll • ext-ms-win-ttlsext-eap-l1-1-0.dll • onecoreuap\net\eaphost\methods\teap\eapteapcfg\lib\teappeergetmethodproperties.cpp • onecoreuap\net\eaphost\methods\teap\eapteapcfg\lib\teappeergetnextpageguid.cpp • onecoreuap\net\eaphost\methods\teap\eapteapcfg\lib\teappeercredentialsxml2blob.cpp • onecoreuap\net\eaphost\methods\teap\eapteapcfg\lib\teappeerconfigblob2xml.cpp • onecoreuap\net\eaphost\methods\teap\eapteapcfg\lib\teappeerinvokeinteractiveui.cpp • onecoreuap\net\eaphost\methods\teap\eapteapcfg\lib\teappeerconfigxml2blob.cpp • onecoreuap\net\eaphost\methods\teap\eapteapcfg\lib\teapuserproperty.cpp • http://www.microsoft.com/provisioning/BaseEapUserPropertiesV1 • http://www.microsoft.com/provisioning/EapTeapUserPropertiesV1 • %windir%\schemas\EAPHost\BaseEapUserPropertiesV1.xsd • %windir%\schemas\EAPMethods\EapTeapUserPropertiesV1.xsd • xmlns:EapHostUserCredentials='http://www.microsoft.com/provisioning/EapHostUserCredentials' xmlns:BaseEapUserPropertiesV1='http://www.microsoft.com/provisioning/BaseEapUserPropertiesV1' xmlns:EapTeapUserPropertiesV1='http://www.microsoft.com/provisioning/EapTeapUserPropertiesV1' • http://www.microsoft.com/provisioning/EapHostConfig • http://www.microsoft.com/provisioning/EapTeapConnectionPropertiesV1 • xmlns:EapHostConfig='http://www.microsoft.com/provisioning/EapHostConfig' xmlns:EapTeapConnectionPropertiesV1='http://www.microsoft.com/provisioning/EapTeapConnectionPropertiesV1' • onecoreuap\net\eaphost\methods\teap\eapteapcfg\lib\teapconnectionproperty.cpp • http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1 • %windir%\schemas\EAPHost\BaseEapConnectionPropertiesV1.xsd • %windir%\schemas\EAPMethods\EapTeapConnectionPropertiesV1.xsd • onecoreuap\net\eaphost\methods\teap\utils\teapconfigbyteserializer\teapconnectionpropertyserializer.cpp • onecoreuap\net\eaphost\methods\teap\utils\teapconfigbyteserializer\teapuserpropertyserializer.cpp • 
EapTeapConfig.pdb • eapputil.dll • OLEAUT32.dll • dsclient.pdb • dsclient.dll • midimap.pdb • +midiStreamOutapi-ms-win-mm-mme-l1-1-0.dll • midimap.dll • CoreMessaging.dll • onecoreuap\drivers\lights\cpp\lib\platforminfo.cpp • onecoreuap\drivers\lights\cpp\lib\lamparraymanager.cpp • d:\os\tools\BamoCodegen\Inc\BamoAsyncOperationCoordinator.inl • d:\os\tools\BamoCodegen\Inc\BamoBufferingMessageCallHost.inl • d:\os\tools\BamoCodegen\Inc\BamoConnection.h • d:\os\tools\BamoCodegen\Inc\BamoProxy.inl • d:\os\tools\BamoCodegen\Inc\BamoPrincipal.inl • d:\os\tools\BamoCodegen\Inc\BamoPeer.inl • d:\os\tools\BamoCodegen\Inc\BamoStub.inl • d:\os\tools\BamoCodegen\Inc\BamoConnection.inl • d:\os\tools\BamoCodegen\Inc\BamoImplObject.inl • onecoreuap\drivers\lights\cpp\lib\lamparraybuffer.cpp • onecoreuap\drivers\lights\cpp\lib\lamparraybufferptr.cpp • LampArray.pdb • InitializeCriticalSectionapi-ms-win-core-libraryloader-l1-2-0.dll • api-ms-win-core-errorhandling-l1-1-2.dll • CRYPT32.dll • WLDAP32.dll • CRYPTNET.dll • DSROLE.dll • SspiCli.dll • api-ms-win-eventlog-legacy-l1-1-0.dll • certca.dll • certenroll.dll • USER32.dll • ldap:///CN=Certification Authorities,CN=Public Key Services,CN=Services,%s?cACertificate?one?objectCategory=certificationAuthority • ldap:///CN=Public Key Services,CN=Services,%s?cACertificate?one?cn=NTAuthCertificates • ldap:///CN=AIA,CN=Public Key Services,CN=Services,%s?crossCertificatePair,cACertificate?one?objectCategory=certificationAuthority • cryptui.dll • Comctl32.dll • \DsOIDInfo.dat • pautoenr.pdb • api-ms-win-core-shlwapi-obsolete-l1-1-0.dll • api-ms-win-service-management-l2-1-0.dll • netutils.dll • samcli.dll • api-ms-win-service-core-l1-1-1.dll • api-ms-win-service-winsvc-l1-1-0.dll • api-ms-win-security-lsalookup-l1-1-0.dll • api-ms-win-security-lsapolicy-l1-1-0.dll • api-ms-win-security-lsapolicy-l1-1-1.dll • $MACHINE.ACC • $MACHINE.ACC.IUM • w32Time.dll • %s\%s.BAK • %s\%s.LOG • NetpDebugDumpRoutine: WideCharToMultiByte failed • joinutil.pdb 
• _vsnwprintf_sapi-ms-win-core-crt-l1-1-0.dll • _initterm_e_inittermapi-ms-win-core-crt-l2-1-0.dll • HeapAllocapi-ms-win-core-synch-l1-1-0.dll • api-ms-win-core-file-l2-1-0.dll |
| Flow Anomalies |
| Offset | Target (VA) | Section | Type | Description |
|---|---|---|---|---|
| 1474 | 1005B078 | .text | CALL [static] | Indirect call to absolute memory address |
| 14A3 | 1005B0F4 | .text | CALL [static] | Indirect call to absolute memory address |
| 14B0 | 1005B114 | .text | CALL [static] | Indirect call to absolute memory address |
| 14BB | 1005B118 | .text | CALL [static] | Indirect call to absolute memory address |
| 14D9 | 1005B104 | .text | CALL [static] | Indirect call to absolute memory address |
| 14ED | 1005B110 | .text | CALL [static] | Indirect call to absolute memory address |
| 18A4 | 1005B100 | .text | CALL [static] | Indirect call to absolute memory address |
| 18B6 | 1005B0FC | .text | CALL [static] | Indirect call to absolute memory address |
| 18C5 | 1005B11C | .text | CALL [static] | Indirect call to absolute memory address |
| 214D | 1005B080 | .text | CALL [static] | Indirect call to absolute memory address |
| 2157 | 1005B05C | .text | CALL [static] | Indirect call to absolute memory address |
| 2160 | 1005B060 | .text | CALL [static] | Indirect call to absolute memory address |
| 2AA7 | 1005B070 | .text | CALL [static] | Indirect call to absolute memory address |
| 2AB8 | 1005B088 | .text | CALL [static] | Indirect call to absolute memory address |
| 2AD9 | 1005B08C | .text | CALL [static] | Indirect call to absolute memory address |
| 2B14 | 1005B100 | .text | CALL [static] | Indirect call to absolute memory address |
| 2B29 | 1005B0FC | .text | CALL [static] | Indirect call to absolute memory address |
| 2B38 | 1005B11C | .text | CALL [static] | Indirect call to absolute memory address |
| 2F66 | 1005B070 | .text | CALL [static] | Indirect call to absolute memory address |
| 2F77 | 1005B088 | .text | CALL [static] | Indirect call to absolute memory address |
| 2F98 | 1005B08C | .text | CALL [static] | Indirect call to absolute memory address |
| 2F9E | 1005B060 | .text | CALL [static] | Indirect call to absolute memory address |
| 2FB9 | 1005B070 | .text | CALL [static] | Indirect call to absolute memory address |
| 2FCA | 1005B088 | .text | CALL [static] | Indirect call to absolute memory address |
| 2FEB | 1005B08C | .text | CALL [static] | Indirect call to absolute memory address |
| 30B1 | 1005B104 | .text | CALL [static] | Indirect call to absolute memory address |
| 30C9 | 1005B110 | .text | CALL [static] | Indirect call to absolute memory address |
| 30DF | 1005B05C | .text | CALL [static] | Indirect call to absolute memory address |
| 30E9 | 1005B080 | .text | CALL [static] | Indirect call to absolute memory address |
| 30F4 | 1005B10C | .text | CALL [static] | Indirect call to absolute memory address |
| 31F8 | 1005B0F8 | .text | CALL [static] | Indirect call to absolute memory address |
| 3221 | 1005B084 | .text | CALL [static] | Indirect call to absolute memory address |
| 322B | 1005B06C | .text | CALL [static] | Indirect call to absolute memory address |
| 329D | 1005B070 | .text | CALL [static] | Indirect call to absolute memory address |
| 32AE | 1005B088 | .text | CALL [static] | Indirect call to absolute memory address |
| 32CF | 1005B08C | .text | CALL [static] | Indirect call to absolute memory address |
| 382E | 1005B100 | .text | CALL [static] | Indirect call to absolute memory address |
| 3840 | 1005B0FC | .text | CALL [static] | Indirect call to absolute memory address |
| 384F | 1005B11C | .text | CALL [static] | Indirect call to absolute memory address |
| 39E5 | 1005B10C | .text | CALL [static] | Indirect call to absolute memory address |
| 3FD1 | 1005B05C | .text | CALL [static] | Indirect call to absolute memory address |
| 3FEB | 1005B068 | .text | CALL [static] | Indirect call to absolute memory address |
| 4178 | 1005B0F4 | .text | CALL [static] | Indirect call to absolute memory address |
| 4185 | 1005B114 | .text | CALL [static] | Indirect call to absolute memory address |
| 418F | 1005B118 | .text | CALL [static] | Indirect call to absolute memory address |
| 41C3 | 1005B080 | .text | CALL [static] | Indirect call to absolute memory address |
| 41CC | 1005B05C | .text | CALL [static] | Indirect call to absolute memory address |
| 4240 | 1005B068 | .text | CALL [static] | Indirect call to absolute memory address |
| 434D | 1005B100 | .text | CALL [static] | Indirect call to absolute memory address |
| 435C | 1005B104 | .text | CALL [static] | Indirect call to absolute memory address |
| 4369 | 1005B118 | .text | CALL [static] | Indirect call to absolute memory address |
| 4CF8 | 1005B080 | .text | CALL [static] | Indirect call to absolute memory address |
| 4D01 | 1005B05C | .text | CALL [static] | Indirect call to absolute memory address |
| 4D0B | 1005B060 | .text | CALL [static] | Indirect call to absolute memory address |
| 4D3A | 1005B100 | .text | CALL [static] | Indirect call to absolute memory address |
| 4D4C | 1005B0FC | .text | CALL [static] | Indirect call to absolute memory address |
| 4D5B | 1005B11C | .text | CALL [static] | Indirect call to absolute memory address |
| 4D63 | 1005B05C | .text | CALL [static] | Indirect call to absolute memory address |
| 4D7B | 1005B070 | .text | CALL [static] | Indirect call to absolute memory address |
| 4D8C | 1005B088 | .text | CALL [static] | Indirect call to absolute memory address |
| 4DAD | 1005B08C | .text | CALL [static] | Indirect call to absolute memory address |
| 5595 | 1005B0F8 | .text | CALL [static] | Indirect call to absolute memory address |
| 576C | 1005B084 | .text | CALL [static] | Indirect call to absolute memory address |
| 5776 | 1005B06C | .text | CALL [static] | Indirect call to absolute memory address |
| 5C31 | 1005B080 | .text | CALL [static] | Indirect call to absolute memory address |
| 5C3A | 1005B05C | .text | CALL [static] | Indirect call to absolute memory address |
| 5C44 | 1005B060 | .text | CALL [static] | Indirect call to absolute memory address |
| 5E58 | 1005B0F4 | .text | CALL [static] | Indirect call to absolute memory address |
| 5E65 | 1005B114 | .text | CALL [static] | Indirect call to absolute memory address |
| 5E6F | 1005B118 | .text | CALL [static] | Indirect call to absolute memory address |
| 5F0B | 1005B070 | .text | CALL [static] | Indirect call to absolute memory address |
| 5F1C | 1005B088 | .text | CALL [static] | Indirect call to absolute memory address |
| 5F3D | 1005B08C | .text | CALL [static] | Indirect call to absolute memory address |
| 5F85 | 1005B080 | .text | CALL [static] | Indirect call to absolute memory address |
| 605F | 1005B070 | .text | CALL [static] | Indirect call to absolute memory address |
| 6070 | 1005B088 | .text | CALL [static] | Indirect call to absolute memory address |
| 6091 | 1005B08C | .text | CALL [static] | Indirect call to absolute memory address |
| 611F | 1005B084 | .text | CALL [static] | Indirect call to absolute memory address |
| 613A | 1005B080 | .text | CALL [static] | Indirect call to absolute memory address |
| 6143 | 1005B05C | .text | CALL [static] | Indirect call to absolute memory address |
| 614D | 1005B060 | .text | CALL [static] | Indirect call to absolute memory address |
| 6189 | 1005B064 | .text | CALL [static] | Indirect call to absolute memory address |
| 619C | 1005B0F8 | .text | CALL [static] | Indirect call to absolute memory address |
| 63B8 | 1005B064 | .text | CALL [static] | Indirect call to absolute memory address |
| 6501 | 1005B05C | .text | CALL [static] | Indirect call to absolute memory address |
| 650B | 1005B080 | .text | CALL [static] | Indirect call to absolute memory address |
| 6516 | 1005B10C | .text | CALL [static] | Indirect call to absolute memory address |
| 6652 | 1005B070 | .text | CALL [static] | Indirect call to absolute memory address |
| 6663 | 1005B088 | .text | CALL [static] | Indirect call to absolute memory address |
| 6684 | 1005B08C | .text | CALL [static] | Indirect call to absolute memory address |
| 68BE | 1005B05C | .text | CALL [static] | Indirect call to absolute memory address |
| 68C8 | 1005B080 | .text | CALL [static] | Indirect call to absolute memory address |
| 68D3 | 1005B10C | .text | CALL [static] | Indirect call to absolute memory address |
| 7020 | 1005B080 | .text | CALL [static] | Indirect call to absolute memory address |
| 702A | 1005B05C | .text | CALL [static] | Indirect call to absolute memory address |
| 7033 | 1005B060 | .text | CALL [static] | Indirect call to absolute memory address |
| 7185 | 1005B078 | .text | CALL [static] | Indirect call to absolute memory address |
| 80A1 | 1005B0F8 | .text | CALL [static] | Indirect call to absolute memory address |
| 80BB | 1005B0F4 | .text | CALL [static] | Indirect call to absolute memory address |
| 80C8 | 1005B114 | .text | CALL [static] | Indirect call to absolute memory address |
| 37A71-37BFF | N/A | .text | Unusual BP Cave | count: 399 |
| 775A5-7858F | N/A | .rsrc | Unusual BP Cave | count: 4075 |
| BDEED-BEED7 | N/A | .rsrc | Unusual BP Cave | count: 4075 |
| E8EED-E9ED7 | N/A | .rsrc | Unusual BP Cave | count: 4075 |
| Note: the Target column holds absolute addresses (ImageBase 10000000 + RVA), not RVAs. 1005B058 to 1005B11C resolve to RVA 5B058 to 5B11C in .rdata, immediately after the IAT at 5B054, so these CALL [static] entries are calls through import thunks, which is normal for MSVC-linked code. The .text cave 37A71-37BFF is the slack between the end of the section's used bytes (ROffset 400 + VSize 37671 = 37A71) and the end of its raw data (400 + 37800 = 37C00), 18F = 399 bytes of section padding; the three 4075-byte .rsrc caves fall inside the embedded images listed under Resources. |
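Both the Entry Point section (RVA 369B0 reported as file offset 35DB0) and the Flow Anomalies table (call targets written as 1005B0xx) rest on the same section-table arithmetic. The block below is an added example, not PESCAN.IO's code: ImageBase, the IAT RVA and the section rows are copied from the Information and Sections Info tables above, and the rest is generic PE32 address mapping. It reproduces the two checks a reviewer would otherwise do by hand: where the entry point lands on disk and whether that section is executable, and what an indirect CALL target resolves to once ImageBase is subtracted. The report gives no IAT size, so the slot index returned for IAT targets is relative to the IAT start only; that is an assumption of the example, not a parsed bound.

```python
"""Map the addresses quoted in this report back onto its section table (added example)."""
IMAGE_BASE = 0x10000000          # from the Information table
IAT_RVA = 0x5B054                # IAT RVA from the Information table
IMAGE_SCN_MEM_EXECUTE = 0x20000000

# name, VOffset, VSize, ROffset, RSize, Flags, as listed under Sections Info.
SECTIONS = [
    (".text",  0x1000,  0x37671, 0x400,   0x37800, 0x60000020),
    (".rdata", 0x39000, 0x224A9, 0x37C00, 0x22600, 0x40000040),
    (".data",  0x5C000, 0xD8,    0x5A200, 0x200,   0xC0000040),
    (".rsrc",  0x5D000, 0x9EDD8, 0x5A400, 0x9EE00, 0x40000040),
    (".reloc", 0xFC000, 0x4350,  0xF9200, 0x4400,  0x42000040),
]


def find_section(rva):
    """Section tuple whose virtual span covers `rva`, or None (headers / unmapped)."""
    for sec in SECTIONS:
        name, va, vsize, roff, rsize, flags = sec
        if va <= rva < va + max(vsize, rsize):
            return sec
    return None


def rva_to_offset(rva):
    """RVA -> file offset through the section that maps it; None if not on disk."""
    if rva < SECTIONS[0][1]:          # inside the headers: RVA equals file offset
        return rva
    sec = find_section(rva)
    if sec is None:
        return None
    _name, va, _vsize, roff, rsize, _flags = sec
    delta = rva - va
    # Past SizeOfRawData the section is zero-filled in memory but absent on disk.
    return roff + delta if delta < rsize else None


def check_entry_point(ep_rva):
    """Where the entry point lives on disk and whether that section is executable."""
    sec = find_section(ep_rva)
    return {
        "offset": rva_to_offset(ep_rva),
        "section": None if sec is None else sec[0],
        "executable": bool(sec and sec[5] & IMAGE_SCN_MEM_EXECUTE),
    }


def classify_call_target(va):
    """Classify an indirect CALL [addr] target as written in the Flow Anomalies table."""
    rva = va - IMAGE_BASE
    sec = find_section(rva)
    if sec is None:
        return ("outside image", None)
    if sec[0] == ".rdata" and rva >= IAT_RVA:
        # Slot index relative to the IAT start (assumed: the report gives no IAT size).
        return ("IAT thunk", (rva - IAT_RVA) // 4)
    return (sec[0], None)


if __name__ == "__main__":
    print("entry point:", check_entry_point(0x369B0))
    for target in (0x1005B058, 0x1005B078, 0x1005B11C):
        print(f"{target:#x} ->", classify_call_target(target))
```

A CALL whose target resolves to a .text or .rsrc address, or to somewhere outside the image entirely, is the case that deserves attention; an IAT thunk is just an import. The same `rva_to_offset` is what turns the ExportTable and ImportTable RVAs from the Information table into file offsets for a hex editor.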
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 628260 | 60,5363% |
| Null Byte Code | 197156 | 18,9971% |
© 2026 All rights reserved.