PESCAN.IO - Analysis Report Basic

File Structure (analysis image, not reproduced here)
PE chart legend: PE header (light blue), executable sections (pink), non-executable sections (black), external injected code (red); a file structure drawn in red indicates a malformed or corrupted header.
Chart legend for other file types: printable characters (blue), non-printable characters (black).
Information
Size: 4,60 MB
SHA-256 Hash: 8B4D9240FCF414E8FBD9575ABFA00CF0B2F9F82A294F2B495243F682A9380C85
SHA-1 Hash: FF12486B1A15A07D50D46B8E8E719053EFBB4A13
MD5 Hash: B4638DBD70A5971E80812CA954DFAD39
Imphash: 6A1CC13E54D1F32DE46043FCDF341B9B
MajorOSVersion: 10
MinorOSVersion: 0
CheckSum: 004A0D88
EntryPoint (rva): 117E10
SizeOfHeaders: 1000
SizeOfImage: 48E000
ImageBase: 0000000140000000
Architecture: x64
ImportTable: 45B090
IAT: 3DE090
Characteristics: 22
TimeDateStamp: 279A83FA
Date: 21/01/1991 6:02:34
File Type: EXE
Number Of Sections: 11
ASLR: Disabled
Section Names (Optional Header): .text, ?g_Encry, ?g_Encry, ?g_Encry, ?g_Encry, fothk, .rdata, .data, .pdata, .rsrc, .reloc
Number Of Executable Sections: 6
Subsystem: Windows GUI

Sections Info
Section Name  Flags       Flag Attributes                          ROffset  RSize   VOffset  VSize   Entropy  Chi2
.text         0x60000020  Code, Executable, Readable               1000     3B4000  1000     3B3BFC  7.2066   12242487.73
?g_Encry      0x60000020  Code, Executable, Readable               3B5000   3000    3B5000   2DC4    3.843    766603.92
?g_Encry      0x60000020  Code, Executable, Readable               3B8000   3000    3B8000   2D7C    3.9282   735958.79
?g_Encry      0x60000020  Code, Executable, Readable               3BB000   3000    3BB000   2E9C    3.9508   732017.75
?g_Encry      0x60000020  Code, Executable, Readable               3BE000   3000    3BE000   2DAC    3.9126   753299.5
fothk         0x60000020  Code, Executable, Readable               3C1000   1000    3C1000   1000    0.0159   1041922
.rdata        0x40000040  Initialized Data, Readable               3C2000   9C000   3C2000   9B3A6   6.0552   17691622.58
.data         0xC0000040  Initialized Data, Readable, Writeable    45E000   C000    45E000   E000    6.3444   1045125.45
.pdata        0x40000040  Initialized Data, Readable               46A000   18000   46C000   17F40   6.0898   1838504.35
.rsrc         0x40000040  Initialized Data, Readable               482000   3000    484000   2FC0    3.0876   1337191.54
.reloc        0x42000040  Initialized Data, GP-Relative, Readable  485000   7000    487000   6F4C    5.4379   155957.52
Description
OriginalFilename: sppsvc.exe
CompanyName: Microsoft Corporation
LegalCopyright: Microsoft Corporation. All rights reserved.
ProductName: Microsoft Windows Operating System
FileVersion: 10.0.26100.8457 (WinBuild.160101.0800)
FileDescription: Microsoft Software Protection Platform Service
ProductVersion: 10.0.26100.8457
Language: English (United States) (ID=0x409)
CodePage: Unicode (UTF-16 LE) (0x4B0)

Binder/Joiner/Crypter
Dropper code detected (EOF) - 42,48 KB

Entry Point
Section number 1 (.text) holds the Entry Point.
Information -> EntryPoint (calculated) - 117E10
Code -> 40534883EC20E8E90000008BD885C078188B05E56E3400488D0DD281EEFF4803C1FF15616C2C008BD8E81E0000008BC34883
Assembler
  PUSH RBX
  SUB RSP, 0X20
  CALL 0X10F4
  MOV EBX, EAX
  TEST EAX, EAX
  JS 0X1029
  MOV EAX, DWORD PTR [RIP + 0X346EE5]
  LEA RCX, [RIP - 0X117E2E]
  ADD RAX, RCX
  CALL QWORD PTR [RIP + 0X2C6C61]
  MOV EBX, EAX
  CALL 0X104C
  MOV EAX, EBX
Signatures
Rich Signature Analyzer:
Code -> 1CA991447DC7C2447DC7C2447DC7C24D0554C2527DC7C2447DC7C2457DC7C23DFCC3C35F7DC7C23DFCC2C3467DC7C23DFCC6C3577DC7C2447DC6C27E7CC7C23DFCCFC3BA7DC7C23DFCC4C34F7DC7C23DFC38C2457DC7C23DFCC5C3457DC7C252696368447DC7C2
Footprint md5 Hash -> D47C4B0AEA709523AB3FE21C6A3F1179
• Unusual or modified Rich structure: (447DC7C2)
Certificate - Digital Signature:
• The file is signed and the signature is correct

Duplicate Sections
The section name ?g_Encry appears 4 times.

Packer/Compiler
Detect It Easy (die)
PE+(64): linker: Microsoft Linker(14.38**)[-]
PE+(64): Sign tool: Windows Authenticode(2.0)[PKCS 7]
Entropy: 7.14171

Suspicious Functions
Library       Function            Description
KERNEL32.DLL  CreateMutexW        Creates a named or unnamed mutex object for controlling access to a shared resource.
KERNEL32.DLL  GetModuleFileNameA  Retrieves the fully qualified path of the executable file of a specified module.
KERNEL32.DLL  VirtualAlloc        Reserves, commits, or both, a region of memory within the virtual address space of a process.
KERNEL32.DLL  GetModuleHandleA    Retrieves a handle to the specified module.
KERNEL32.DLL  CopyFileW           Copies an existing file to a new file.
KERNEL32.DLL  WriteFile           Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL  GetProcAddress      Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL  IsDebuggerPresent   Determines whether the calling process is being debugged by a user-mode debugger.
KERNEL32.DLL  SleepEx             Pauses the execution of the current thread, optionally allowing the thread to be awakened by a kernel object or upon expiration of a timeout.
ADVAPI32.DLL  CryptEncrypt        Encrypts data in a data block.
ADVAPI32.DLL  CryptDecrypt        Decrypts data in a data block.
Windows REG (UNICODE)
SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform
SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PayloadOverride\
SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\ReferralData\
SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform
SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Policies
SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins
SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Reboot.
Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion\
SYSTEM\CurrentControlSet\Control\ProductOptions
SYSTEM\WPA

File Access
api-ms-win-eventing-classicprovider-l1-1-0.dll
pkeyhelper.dll
XmlLite.dll
OLEAUT32.dll
ole32.dll
ntdll.dll
CRYPTXML.dll
api-ms-win-core-sysinfo-l1-1-0.dll
api-ms-win-core-synch-l1-2-0.dll
api-ms-win-core-errorhandling-l1-1-0.dll
api-ms-win-core-rtlsupport-l1-1-0.dll
CRYPT32.dll
api-ms-win-core-com-l1-1-0.dll
bcrypt.dll
api-ms-win-core-version-l1-1-0.dll
RPCRT4.dll
msvcrt.dll
KERNEL32.dll
ADVAPI32.dll
.dat
@.dat
Temp

File Access (UNICODE)
sppsvc.exe
api-ms-win-core-winrt-l1-1-0.dll
api-ms-win-core-com-l1-1-1.dll
api-ms-win-core-localregistry-l1-1-0.dll
kernelBase.dll
kernel32.dll
kernelbase.dll
ntdll.dll
tokens.dat
data.dat
sppmig.dat
sppgenmig.dat
cache.dat
Temp
WinDir
UserProfile

Words of Interest
Encrypt
Decrypt
Encryption
exec
attrib
start
sdelete
shutdown
systeminfo
expand
getmac

Words of Interest (UNICODE)
Encrypt
Decrypt
Encryption
exec
attrib
start
cipher
shutdown
ping

URLs
http://www.microsoft.com/pkiops/crl/MicWinProPCA2011_2011-10-19.crl
http://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
http://www.microsoft.com/windows0
http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl
http://www.microsoft.com/pkiops/certs/Microsoft%20Time-Stamp%20PCA%202010(1).crt
http://www.microsoft.com/pkiops/Docs/Repository.htm

URLs (UNICODE)
http://www.microsoft.com/DRM/SPP/Plugin/Manifest/1.0
http://www.microsoft.com/DRM/SL/WGA/Parameters/1.0">
http://xml.org/sax/properties/lexical-handler
http://www.w3.org/1999/XSL/Transform'
http://www.microsoft.com/DRM/SPP/SppValidation/Manifest/1.0' xmlns:xsl='
http://www.microsoft.com/DRM/SL/WGA/Parameters/1.0
http://www.microsoft.com/DRM/XrML2/TM/v2
http://www.microsoft.com/DRM/XrML2/SL/v2
http://www.microsoft.com/DRM/SL/GenuineAuthorization/1.0">
http://www.w3.org/2001/04/xmldsig-morersa-sha256
http://www.w3.org/2000/09/xmldsigrsa-sha1
http://www.w3.org/2001/04/xmlencrsa-oaep-mgf1p
http://www.w3.org/2001/04/xmlencsha256
http://www.w3.org/2000/09/xmldsigsha1
http://www.w3.org/2000/09/xmldsig
http://www.w3.org/2001/04/xmlenc
http://www.w3.org/2002/03/xkms
http://www.microsoft.com/xrml/lwc14n
http://www.w3.org/2001/04/xmlencaes128-cbc
http://www.w3.org/2001/04/xmlencaes256-cbc
http://www.w3.org/2001/04/xmlencaes192-cbc
http://www.w3.org/2001/04/xmldsig-morersa-sha512
http://www.w3.org/2001/04/xmlencsha512

Strings/Hex Code Matched by the File Rules
Rule Type    Encoding     Rule Category (Matched Word)
Text         Unicode      WinAPI Sockets (bind)
Text         Ascii        Registry (RegCreateKeyEx)
Text         Ascii        Registry (RegOpenKeyEx)
Text         Ascii        Registry (RegSetValueEx)
Text         Ascii        Registry (RegGetValue)
Text         Ascii        File (CopyFile)
Text         Ascii        File (CreateFile)
Text         Ascii        File (WriteFile)
Text         Ascii        File (ReadFile)
Text         Ascii        Service (OpenSCManager)
Text         Ascii        Service (StartServiceCtrlDispatcher)
Text         Unicode      Encryption (Microsoft Enhanced RSA and AES Cryptographic Provider)
Text         Unicode      Encryption (Microsoft Strong Cryptographic Provider)
Text         Ascii        Encryption API (CryptAcquireContext)
Text         Ascii        Encryption API (CryptGenKey)
Text         Ascii        Encryption API (CryptDecrypt)
Text         Ascii        Encryption API (CryptReleaseContext)
Text         Ascii        Anti-Analysis VM (IsDebuggerPresent)
Text         Ascii        Anti-Analysis VM (GetSystemInfo)
Text         Ascii        Anti-Analysis VM (GetVersion)
Text         Ascii        Stealth (ReleaseSemaphore)
Text         Ascii        Stealth (CloseHandle)
Text         Ascii        Stealth (UnmapViewOfFile)
Text         Ascii        Stealth (VirtualAlloc)
Text         Ascii        Execution (CreateSemaphoreW)
Text         Ascii        Execution (CreateEventW)
Text         Ascii        Malicious code executed after exploiting a vulnerability (Payload)
Text         Unicode      Malicious code executed after exploiting a vulnerability (Payload)
Text         Ascii        Stealer malware focused on obtaining CVV codes to conduct unauthorized transactions (CVV)
Text         Ascii        Unauthorized movement of funds or data (Transfer)
Entry Point  Hex Pattern  Microsoft Visual C++ 8.0 (DLL)
Resources
Path                   DataRVA  Size  FileOffset  Code | Text
\MUI\1\1033            486ED0   F0    484ED0      CDFECDFEF0000000000001000000000011000000000000000200000052800891FA6DCAD0B5AC850BFCF14DFA336CF6173A38 | ............................R....m........M.3l..:8
\WEVT_TEMPLATE\1\1033  4847E8   26E2  4827E8      4352494DE02600000500010001000000B0333BE2C9C82C47A5F9F2BDFEA0F1562400000057455654BC260000010000900800 | CRIM.&...........3;...,G.......V$...WEVT.&........
\VERSION\1\1033        484420   3C4   482420      C00334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
\24\1\1033             484160   2BB   482160      3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E653D2279 | <?xml version="1.0" encoding="UTF-8" standalone="y
Intelligent String
• ntdll.dll
• kernelbase.dll
• Global\552FFA80-3393-423d-8671-7BA046BB5906
• kernel32.dll
• kernelBase.dll
• cache.dat
• sppgenmig.dat
• sppmig.dat
• api-ms-win-core-processthreads-l1-1-3.dll
• api-ms-win-core-localregistry-l1-1-0.dll
• api-ms-win-core-com-l1-1-1.dll
• api-ms-win-core-winrt-l1-1-0.dll
• api-ms-win-core-winrt-string-l1-1-0.dll
• http://www.microsoft.com/DRM/SPP/Plugin/Manifest/1.0
• data.dat
• <envelope xmlns="http://www.microsoft.com/DRM/SL/WGA/Parameters/1.0">
• http://xml.org/sax/properties/lexical-handler
• xmlns:xsl='http://www.w3.org/1999/XSL/Transform'
• xmlns:un='http://www.microsoft.com/DRM/SPP/SppValidation/Manifest/1.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform'
• msft://SLWGA/parametertype/engine/1.0
• msft://SLWGA/parametertype/sppstoresresult
• msft://SLWGA/parametertype/smbiosmodel
• msft://SLWGA/parametertype/smbiosmanufacturer
• msft://SLWGA/parametertype/oembioskey
• msft://SLWGA/parametertype/oemtableid
• msft://SLWGA/parametertype/oemid
• msft://SLWGA/parametertype/trusteduguid/sha256
• msft://SLWGA/parametertype/installdate
• msft://SLWGA/parametertype/processorarchitecture
• msft://SLWGA/parametertype/activationvalidationflag
• msft://SLWGA/parametertype/nongenuinegraceflag
• msft://SLWGA/parametertype/genuineresult
• msft://SLWGA/parametertype/brtcommit
• msft://SLWGA/parametertype/brtdata
• msft://SLWGA/parametertype/transactiondata
• msft://SLWGA/parametertype/ticketurl
• msft://SLWGA/parametertype/templateid
• msft://SLWGA/parametertype/skutype
• msft://SLWGA/parametertype/volumedata
• msft://SLWGA/parametertype/activedirectorydata
• msft://SLWGA/parametertype/tokendata
• msft://SLWGA/parametertype/kmsdata
• msft://SLWGA/parametertype/activationtype
• msft://SLWGA/parametertype/pkhash
• msft://SLWGA/parametertype/trustedtime
• msft://SLWGA/parametertype/license
• msft://SLWGA/parametertype/portableOsStatus
• msft://SLWGA/parametertype/error
• msft://SLWGA/parametertype/clienttime
• msft://SLWGA/parametertype/skuid
• msft://SLWGA/parametertype/appid
• msft://SLWGA/parametertype/languageid
• msft://SLWGA/parametertype/locale
• msft://SLWGA/parametertype/osqfe
• msft://SLWGA/parametertype/osversion
• msft://SLWGA/parametertype/slpinfo
• msft://SLWGA/parametertype/licensingstate
• msft://SLWGA/parametertype/genuinestate
• msft://SLWGA/parametertype/previousserverproperties
• msft://SLWGA/parametertype/rearmcount
• msft://SLWGA/parametertype/bitmask
• msft://SLWGA/parametertype/boolean
• msft://SLWGA/parametertype/diskserialnumber/sha256
• msft://SLWGA/parametertype/computersid/sha256
• msft://SLWGA/parametertype/uguid/sha256
• msft://SLWGA/parametertype/pkey
• msft://SLWGA/parametertype/pkeyalgorithm
• msft://SLWGA/parametertype/pkeytype
• msft://SLWGA/parametertype/pkeyconfigid
• msft://SLWGA/parametertype/pid2
• msft://SLWGA/parametertype/pidex
• msft://SLWGA/parametertype/hwid
• http://www.microsoft.com/DRM/SL/WGA/Parameters/1.0
• http://www.microsoft.com/DRM/XrML2/TM/v2
• http://www.microsoft.com/DRM/XrML2/SL/v2
• tokens.dat
• .bak
• <genuineAuthorization xmlns="http://www.microsoft.com/DRM/SL/GenuineAuthorization/1.0">
• http://www.w3.org/2001/04/xmldsig-morersa-sha256
• http://www.w3.org/2000/09/xmldsigrsa-sha1
• http://www.w3.org/2001/04/xmlencrsa-oaep-mgf1p
• http://www.w3.org/2001/04/xmlencsha256
• http://www.w3.org/2000/09/xmldsigsha1
• http://www.microsoft.com/xrml/lwc14n
• http://www.w3.org/2001/04/xmlencaes128-cbc
• http://www.w3.org/2001/04/xmlencaes256-cbc
• http://www.w3.org/2001/04/xmlencaes192-cbc
• http://www.w3.org/2001/04/xmldsig-morersa-sha512
• http://www.w3.org/2001/04/xmlencsha512
• sppsvc.pdb
• .tls
• .bss
• ADVAPI32.dll
• KERNEL32.dll
• msvcrt.dll
• RPCRT4.dll
• api-ms-win-core-version-l1-1-0.dll
• bcrypt.dll
• api-ms-win-core-com-l1-1-0.dll
• api-ms-win-core-synch-l1-2-0.dll
• api-ms-win-core-sysinfo-l1-1-0.dll
• CRYPTXML.dll
• api-ms-win-eventing-classicprovider-l1-1-0.dll
• sppsvc.exe

Flow Anomalies
Offset RVA Section Description
133F N/A .text JMP QWORD PTR [RIP+0xE857C712]
15B7F N/A .text CALL QWORD PTR [RIP+0x79E1E544]
2833F N/A .text CALL QWORD PTR [RIP+0x4340D591]
2E4BF N/A .text JMP QWORD PTR [RIP+0x2AE4222E]
4B25C N/A .text CALL QWORD PTR [RIP+0x392EAE]
4B86A N/A .text CALL QWORD PTR [RIP+0x392920]
4B893 N/A .text CALL QWORD PTR [RIP+0x3928FF]
4B9DB N/A .text CALL QWORD PTR [RIP+0x392BEF]
4B9FE N/A .text CALL QWORD PTR [RIP+0x392C2C]
4BA17 N/A .text CALL QWORD PTR [RIP+0x392C13]
4BA30 N/A .text CALL QWORD PTR [RIP+0x392BFA]
4BA49 N/A .text CALL QWORD PTR [RIP+0x392BE1]
4BAE0 N/A .text CALL QWORD PTR [RIP+0x392AFA]
4BB10 N/A .text CALL QWORD PTR [RIP+0x392ACA]
4BD27 N/A .text CALL QWORD PTR [RIP+0x3925E3]
4BD3B N/A .text CALL QWORD PTR [RIP+0x3925CF]
4BD87 N/A .text CALL QWORD PTR [RIP+0x392583]
4BD9B N/A .text CALL QWORD PTR [RIP+0x39256F]
4BDE7 N/A .text CALL QWORD PTR [RIP+0x392523]
4BDFB N/A .text CALL QWORD PTR [RIP+0x39250F]
4BE47 N/A .text CALL QWORD PTR [RIP+0x3924C3]
4BE5B N/A .text CALL QWORD PTR [RIP+0x3924AF]
4BEAB N/A .text CALL QWORD PTR [RIP+0x39245F]
4BEDB N/A .text CALL QWORD PTR [RIP+0x39242F]
4BF47 N/A .text CALL QWORD PTR [RIP+0x3923C3]
4BF5B N/A .text CALL QWORD PTR [RIP+0x3923AF]
4C007 N/A .text CALL QWORD PTR [RIP+0x392303]
4C01B N/A .text CALL QWORD PTR [RIP+0x3922EF]
4C04B N/A .text CALL QWORD PTR [RIP+0x3922BF]
4C0D7 N/A .text CALL QWORD PTR [RIP+0x392233]
4C0EB N/A .text CALL QWORD PTR [RIP+0x39221F]
4C137 N/A .text CALL QWORD PTR [RIP+0x3921D3]
4C14B N/A .text CALL QWORD PTR [RIP+0x3921BF]
4C19B N/A .text CALL QWORD PTR [RIP+0x39216F]
4C1CB N/A .text CALL QWORD PTR [RIP+0x39213F]
4C1FB N/A .text CALL QWORD PTR [RIP+0x39210F]
4C20F N/A .text CALL QWORD PTR [RIP+0x3920FB]
4C223 N/A .text CALL QWORD PTR [RIP+0x3920E7]
4C237 N/A .text CALL QWORD PTR [RIP+0x3920D3]
4C24B N/A .text CALL QWORD PTR [RIP+0x3920BF]
4C25F N/A .text CALL QWORD PTR [RIP+0x3920AB]
4C273 N/A .text CALL QWORD PTR [RIP+0x392097]
4C287 N/A .text CALL QWORD PTR [RIP+0x392083]
4C29B N/A .text CALL QWORD PTR [RIP+0x39206F]
4C2AF N/A .text CALL QWORD PTR [RIP+0x39205B]
4C2C3 N/A .text CALL QWORD PTR [RIP+0x392047]
4C2D7 N/A .text CALL QWORD PTR [RIP+0x392033]
4C2EB N/A .text CALL QWORD PTR [RIP+0x39201F]
4C2FF N/A .text CALL QWORD PTR [RIP+0x39200B]
4C313 N/A .text CALL QWORD PTR [RIP+0x391FF7]
4C327 N/A .text CALL QWORD PTR [RIP+0x391FE3]
4C33B N/A .text CALL QWORD PTR [RIP+0x391FCF]
4C34F N/A .text CALL QWORD PTR [RIP+0x391FBB]
4C363 N/A .text CALL QWORD PTR [RIP+0x391FA7]
4C377 N/A .text CALL QWORD PTR [RIP+0x391F93]
4C38B N/A .text CALL QWORD PTR [RIP+0x391F7F]
4C39F N/A .text CALL QWORD PTR [RIP+0x391F6B]
4C3B3 N/A .text CALL QWORD PTR [RIP+0x391F57]
4C3C7 N/A .text CALL QWORD PTR [RIP+0x391F43]
4C3DB N/A .text CALL QWORD PTR [RIP+0x391F2F]
4C3EF N/A .text CALL QWORD PTR [RIP+0x391F1B]
4C403 N/A .text CALL QWORD PTR [RIP+0x391F07]
4C417 N/A .text CALL QWORD PTR [RIP+0x391EF3]
4C42B N/A .text CALL QWORD PTR [RIP+0x391EDF]
4C43F N/A .text CALL QWORD PTR [RIP+0x391ECB]
4C453 N/A .text CALL QWORD PTR [RIP+0x391EB7]
4C467 N/A .text CALL QWORD PTR [RIP+0x391EA3]
4C47B N/A .text CALL QWORD PTR [RIP+0x391E8F]
4C48F N/A .text CALL QWORD PTR [RIP+0x391E7B]
4C4A3 N/A .text CALL QWORD PTR [RIP+0x391E67]
4C4B7 N/A .text CALL QWORD PTR [RIP+0x391E53]
4C4CB N/A .text CALL QWORD PTR [RIP+0x391E3F]
4C4DF N/A .text CALL QWORD PTR [RIP+0x391E2B]
4C4F3 N/A .text CALL QWORD PTR [RIP+0x391E17]
4C507 N/A .text CALL QWORD PTR [RIP+0x391E03]
4C51B N/A .text CALL QWORD PTR [RIP+0x391DEF]
4C52F N/A .text CALL QWORD PTR [RIP+0x391DDB]
4C543 N/A .text CALL QWORD PTR [RIP+0x391DC7]
4C557 N/A .text CALL QWORD PTR [RIP+0x391DB3]
4C56B N/A .text CALL QWORD PTR [RIP+0x391D9F]
4C57F N/A .text CALL QWORD PTR [RIP+0x391D8B]
4C593 N/A .text CALL QWORD PTR [RIP+0x391D77]
4C5A7 N/A .text CALL QWORD PTR [RIP+0x391D63]
4C5BB N/A .text CALL QWORD PTR [RIP+0x391D4F]
4C5CF N/A .text CALL QWORD PTR [RIP+0x391D3B]
4C5E3 N/A .text CALL QWORD PTR [RIP+0x391D27]
4C5F7 N/A .text CALL QWORD PTR [RIP+0x391D13]
4C60B N/A .text CALL QWORD PTR [RIP+0x391CFF]
4C61F N/A .text CALL QWORD PTR [RIP+0x391CEB]
4C633 N/A .text CALL QWORD PTR [RIP+0x391CD7]
4C837 N/A .text CALL QWORD PTR [RIP+0x391AD3]
4C84B N/A .text CALL QWORD PTR [RIP+0x391ABF]
4C897 N/A .text CALL QWORD PTR [RIP+0x391A73]
4C8AB N/A .text CALL QWORD PTR [RIP+0x391A5F]
4C8F7 N/A .text CALL QWORD PTR [RIP+0x391A13]
4C90B N/A .text CALL QWORD PTR [RIP+0x3919FF]
4C957 N/A .text CALL QWORD PTR [RIP+0x3919B3]
4C96B N/A .text CALL QWORD PTR [RIP+0x39199F]
4CDB7 N/A .text CALL QWORD PTR [RIP+0x391553]
4CDCB N/A .text CALL QWORD PTR [RIP+0x39153F]
3C1015-3C1FFF N/A fothk Unusual BP Cave, count: 4075
46A000 4ABC8 .pdata ExceptionHook | Pointer to 4ABC8 - 0x4ABC8 .text + UnwindInfo: .rdata
46A00C 4ACDC .pdata ExceptionHook | Pointer to 4ACDC - 0x4ACDC .text + UnwindInfo: .rdata
46A018 4ADA4 .pdata ExceptionHook | Pointer to 4ADA4 - 0x4ADA4 .text + UnwindInfo: .rdata
46A024 4AE7C .pdata ExceptionHook | Pointer to 4AE7C - 0x4AE7C .text + UnwindInfo: .rdata
46A030 4AF44 .pdata ExceptionHook | Pointer to 4AF44 - 0x4AF44 .text + UnwindInfo: .rdata
46A03C 4AFF8 .pdata ExceptionHook | Pointer to 4AFF8 - 0x4AFF8 .text + UnwindInfo: .rdata
46A048 4B098 .pdata ExceptionHook | Pointer to 4B098 - 0x4B098 .text + UnwindInfo: .rdata
46A054 4B134 .pdata ExceptionHook | Pointer to 4B134 - 0x4B134 .text + UnwindInfo: .rdata
46A060 4B1D0 .pdata ExceptionHook | Pointer to 4B1D0 - 0x4B1D0 .text + UnwindInfo: .rdata
46A06C 4B270 .pdata ExceptionHook | Pointer to 4B270 - 0x4B270 .text + UnwindInfo: .rdata
46A078 4B318 .pdata ExceptionHook | Pointer to 4B318 - 0x4B318 .text + UnwindInfo: .rdata
46A084 4B3D4 .pdata ExceptionHook | Pointer to 4B3D4 - 0x4B3D4 .text + UnwindInfo: .rdata
46A090 4B810 .pdata ExceptionHook | Pointer to 4B810 - 0x4B810 .text + UnwindInfo: .rdata
46A09C 4B8C0 .pdata ExceptionHook | Pointer to 4B8C0 - 0x4B8C0 .text + UnwindInfo: .rdata
46A0A8 4B990 .pdata ExceptionHook | Pointer to 4B990 - 0x4B990 .text + UnwindInfo: .rdata
46A0B4 4B9C0 .pdata ExceptionHook | Pointer to 4B9C0 - 0x4B9C0 .text + UnwindInfo: .rdata
46A0C0 4BAD0 .pdata ExceptionHook | Pointer to 4BAD0 - 0x4BAD0 .text + UnwindInfo: .rdata
46A0CC 4BD00 .pdata ExceptionHook | Pointer to 4BD00 - 0x4BD00 .text + UnwindInfo: .rdata
46A0D8 4BD60 .pdata ExceptionHook | Pointer to 4BD60 - 0x4BD60 .text + UnwindInfo: .rdata
46A0E4 4BDC0 .pdata ExceptionHook | Pointer to 4BDC0 - 0x4BDC0 .text + UnwindInfo: .rdata
46A0F0 4BE20 .pdata ExceptionHook | Pointer to 4BE20 - 0x4BE20 .text + UnwindInfo: .rdata
46A0FC 4BEA0 .pdata ExceptionHook | Pointer to 4BEA0 - 0x4BEA0 .text + UnwindInfo: .rdata
46A108 4BED0 .pdata ExceptionHook | Pointer to 4BED0 - 0x4BED0 .text + UnwindInfo: .rdata
46A114 4BF20 .pdata ExceptionHook | Pointer to 4BF20 - 0x4BF20 .text + UnwindInfo: .rdata
46A120 4BFE0 .pdata ExceptionHook | Pointer to 4BFE0 - 0x4BFE0 .text + UnwindInfo: .rdata
46A12C 4C040 .pdata ExceptionHook | Pointer to 4C040 - 0x4C040 .text + UnwindInfo: .rdata
46A138 4C0B0 .pdata ExceptionHook | Pointer to 4C0B0 - 0x4C0B0 .text + UnwindInfo: .rdata
46A144 4C110 .pdata ExceptionHook | Pointer to 4C110 - 0x4C110 .text + UnwindInfo: .rdata
46A150 4C190 .pdata ExceptionHook | Pointer to 4C190 - 0x4C190 .text + UnwindInfo: .rdata
46A15C 4C1C0 .pdata ExceptionHook | Pointer to 4C1C0 - 0x4C1C0 .text + UnwindInfo: .rdata
46A168 4C1F0 .pdata ExceptionHook | Pointer to 4C1F0 - 0x4C1F0 .text + UnwindInfo: .rdata
46A174 4C790 .pdata ExceptionHook | Pointer to 4C790 - 0x4C790 .text + UnwindInfo: .rdata
46A180 4C7D0 .pdata ExceptionHook | Pointer to 4C7D0 - 0x4C7D0 .text + UnwindInfo: .rdata
46A18C 4C810 .pdata ExceptionHook | Pointer to 4C810 - 0x4C810 .text + UnwindInfo: .rdata
46A198 4C870 .pdata ExceptionHook | Pointer to 4C870 - 0x4C870 .text + UnwindInfo: .rdata
46A1A4 4C8D0 .pdata ExceptionHook | Pointer to 4C8D0 - 0x4C8D0 .text + UnwindInfo: .rdata
46A1B0 4C930 .pdata ExceptionHook | Pointer to 4C930 - 0x4C930 .text + UnwindInfo: .rdata
46A1BC 4CD90 .pdata ExceptionHook | Pointer to 4CD90 - 0x4CD90 .text + UnwindInfo: .rdata
46A1C8 4CDF0 .pdata ExceptionHook | Pointer to 4CDF0 - 0x4CDF0 .text + UnwindInfo: .rdata
46A1D4 4CE50 .pdata ExceptionHook | Pointer to 4CE50 - 0x4CE50 .text + UnwindInfo: .rdata
46A1E0 4CEB0 .pdata ExceptionHook | Pointer to 4CEB0 - 0x4CEB0 .text + UnwindInfo: .rdata
46A1EC 4CF10 .pdata ExceptionHook | Pointer to 4CF10 - 0x4CF10 .text + UnwindInfo: .rdata
46A1F8 4CF70 .pdata ExceptionHook | Pointer to 4CF70 - 0x4CF70 .text + UnwindInfo: .rdata
46A204 4CFB0 .pdata ExceptionHook | Pointer to 4CFB0 - 0x4CFB0 .text + UnwindInfo: .rdata
46A210 4CFF0 .pdata ExceptionHook | Pointer to 4CFF0 - 0x4CFF0 .text + UnwindInfo: .rdata
46A21C 4D0C2 .pdata ExceptionHook | Pointer to 4D0C2 - 0x4D0C2 .text + UnwindInfo: .rdata
46A228 4D130 .pdata ExceptionHook | Pointer to 4D130 - 0x4D130 .text + UnwindInfo: .rdata
46A234 4D210 .pdata ExceptionHook | Pointer to 4D210 - 0x4D210 .text + UnwindInfo: .rdata
46A240 4D260 .pdata ExceptionHook | Pointer to 4D260 - 0x4D260 .text + UnwindInfo: .rdata
46A24C 4D420 .pdata ExceptionHook | Pointer to 4D420 - 0x4D420 .text + UnwindInfo: .rdata
46A258 4D448 .pdata ExceptionHook | Pointer to 4D448 - 0x4D448 .text + UnwindInfo: .rdata
46A264 4D4E0 .pdata ExceptionHook | Pointer to 4D4E0 - 0x4D4E0 .text + UnwindInfo: .rdata
46A270 4D518 .pdata ExceptionHook | Pointer to 4D518 - 0x4D518 .text + UnwindInfo: .rdata
46A27C 4D560 .pdata ExceptionHook | Pointer to 4D560 - 0x4D560 .text + UnwindInfo: .rdata
46A288 4D704 .pdata ExceptionHook | Pointer to 4D704 - 0x4D704 .text + UnwindInfo: .rdata
46A294 4D83C .pdata ExceptionHook | Pointer to 4D83C - 0x4D83C .text + UnwindInfo: .rdata
46A2A0 4D8AC .pdata ExceptionHook | Pointer to 4D8AC - 0x4D8AC .text + UnwindInfo: .rdata
46A2AC 4D930 .pdata ExceptionHook | Pointer to 4D930 - 0x4D930 .text + UnwindInfo: .rdata
46A2B8 4D970 .pdata ExceptionHook | Pointer to 4D970 - 0x4D970 .text + UnwindInfo: .rdata
46A2C4 4D99C .pdata ExceptionHook | Pointer to 4D99C - 0x4D99C .text + UnwindInfo: .rdata
46A2D0 4D9F8 .pdata ExceptionHook | Pointer to 4D9F8 - 0x4D9F8 .text + UnwindInfo: .rdata
46A2DC 4DAB0 .pdata ExceptionHook | Pointer to 4DAB0 - 0x4DAB0 .text + UnwindInfo: .rdata
46A2E8 4DB44 .pdata ExceptionHook | Pointer to 4DB44 - 0x4DB44 .text + UnwindInfo: .rdata
46A2F4 4DCC0 .pdata ExceptionHook | Pointer to 4DCC0 - 0x4DCC0 .text + UnwindInfo: .rdata
46A300 50040 .pdata ExceptionHook | Pointer to 50040 - 0x50040 .text + UnwindInfo: .rdata
46A30C 50680 .pdata ExceptionHook | Pointer to 50680 - 0x50680 .text + UnwindInfo: .rdata
46A318 51130 .pdata ExceptionHook | Pointer to 51130 - 0x51130 .text + UnwindInfo: .rdata
46A324 51E30 .pdata ExceptionHook | Pointer to 51E30 - 0x51E30 .text + UnwindInfo: .rdata
46A330 52040 .pdata ExceptionHook | Pointer to 52040 - 0x52040 .text + UnwindInfo: .rdata
46A33C 520E0 .pdata ExceptionHook | Pointer to 520E0 - 0x520E0 .text + UnwindInfo: .rdata
46A348 52430 .pdata ExceptionHook | Pointer to 52430 - 0x52430 .text + UnwindInfo: .rdata
46A354 52460 .pdata ExceptionHook | Pointer to 52460 - 0x52460 .text + UnwindInfo: .rdata
46A360 52550 .pdata ExceptionHook | Pointer to 52550 - 0x52550 .text + UnwindInfo: .rdata
46A36C 52AD0 .pdata ExceptionHook | Pointer to 52AD0 - 0x52AD0 .text + UnwindInfo: .rdata
46A378 52B10 .pdata ExceptionHook | Pointer to 52B10 - 0x52B10 .text + UnwindInfo: .rdata
46A384 541B0 .pdata ExceptionHook | Pointer to 541B0 - 0x541B0 .text + UnwindInfo: .rdata
46A390 55050 .pdata ExceptionHook | Pointer to 55050 - 0x55050 .text + UnwindInfo: .rdata
46A39C 55E80 .pdata ExceptionHook | Pointer to 55E80 - 0x55E80 .text + UnwindInfo: .rdata
46A3A8 55EE0 .pdata ExceptionHook | Pointer to 55EE0 - 0x55EE0 .text + UnwindInfo: .rdata
46A3B4 55F40 .pdata ExceptionHook | Pointer to 55F40 - 0x55F40 .text + UnwindInfo: .rdata
46A3C0 55FA0 .pdata ExceptionHook | Pointer to 55FA0 - 0x55FA0 .text + UnwindInfo: .rdata
46A3CC 561D0 .pdata ExceptionHook | Pointer to 561D0 - 0x561D0 .text + UnwindInfo: .rdata
46A3D8 56590 .pdata ExceptionHook | Pointer to 56590 - 0x56590 .text + UnwindInfo: .rdata
46A3E4 56850 .pdata ExceptionHook | Pointer to 56850 - 0x56850 .text + UnwindInfo: .rdata
46A3F0 568D0 .pdata ExceptionHook | Pointer to 568D0 - 0x568D0 .text + UnwindInfo: .rdata
46A3FC 56990 .pdata ExceptionHook | Pointer to 56990 - 0x56990 .text + UnwindInfo: .rdata
46A408 56CE0 .pdata ExceptionHook | Pointer to 56CE0 - 0x56CE0 .text + UnwindInfo: .rdata
46A414 56D50 .pdata ExceptionHook | Pointer to 56D50 - 0x56D50 .text + UnwindInfo: .rdata
46A420 56E70 .pdata ExceptionHook | Pointer to 56E70 - 0x56E70 .text + UnwindInfo: .rdata
46A42C 56EC0 .pdata ExceptionHook | Pointer to 56EC0 - 0x56EC0 .text + UnwindInfo: .rdata
46A438 56F10 .pdata ExceptionHook | Pointer to 56F10 - 0x56F10 .text + UnwindInfo: .rdata
46A444 56F70 .pdata ExceptionHook | Pointer to 56F70 - 0x56F70 .text + UnwindInfo: .rdata
46A450 57090 .pdata ExceptionHook | Pointer to 57090 - 0x57090 .text + UnwindInfo: .rdata
46A45C 57220 .pdata ExceptionHook | Pointer to 57220 - 0x57220 .text + UnwindInfo: .rdata
46A468 57250 .pdata ExceptionHook | Pointer to 57250 - 0x57250 .text + UnwindInfo: .rdata
46A474 57280 .pdata ExceptionHook | Pointer to 57280 - 0x57280 .text + UnwindInfo: .rdata
46A480 572F0 .pdata ExceptionHook | Pointer to 572F0 - 0x572F0 .text + UnwindInfo: .rdata
46A48C 57390 .pdata ExceptionHook | Pointer to 57390 - 0x57390 .text + UnwindInfo: .rdata
46A498 57424 .pdata ExceptionHook | Pointer to 57424 - 0x57424 .text + UnwindInfo: .rdata
46A4A4 57468 .pdata ExceptionHook | Pointer to 57468 - 0x57468 .text + UnwindInfo: .rdata
3B5000-3B7FFF 3B5000 ?g_Encry Executable section anomaly, first bytes: 2FA24C1F8B42FB2A
3C1000-3C1FFF 3C1000 fothk Executable section anomaly, first bytes: CCCCCCCCCCCCCCCC
48C000 N/A *Overlay* E8C90000000202003082C9D806092A864886F70D | ........0.....*.H...
Extra Analysis
Metric          Value    Percentage
Ascii Code      2891035  59,987%
Null Byte Code  487576   10,1169%