PESCAN.IO - Analysis Report

PESCAN.IO - Analysis Report

File Structure:
PE chart code: - The executable header is displayed in light blue. - The executable sections are pink. - Non-executable sections are black. - Code added to executables externally to a compiler appears in red. Chart code for other files: - Printable characters are blue. - Non-printable characters (Null Bytes) are black.

Information:

Icon:

Size: 1,89 MB
SHA-256 Hash: BB574434925E26514B0DAF56B45163E4C32B5FC52A1484854B315F40FD8FF8D2
SHA-1 Hash: E141562AAB9268FAA4ABA10F58052A16B471988A
MD5 Hash: D1D579306A4DDF79A2E7827F1625581C
Imphash: 573E7039B3BAFF95751BDED76795369E
MajorOSVersion: 5
CheckSum: 001F3DB9
EntryPoint (rva): 895A1A
SizeOfHeaders: 200
SizeOfImage: 8BD000
ImageBase: 0000000000400000
Architecture: x64
ExportTable: 895000
ImportTable: 89509C
Characteristics: 223
TimeDateStamp: 5805BD21
Date: 18/10/2016 6:11:45
File Type: EXE
Number Of Sections: 3
ASLR: Disabled
Section Names (Optional Header): .MPRESS1, .MPRESS2, .rsrc
Number Of Executable Sections: 2
Subsystem: Windows GUI
[Incomplete Binary or Compressor Packer - 6,84 MB Missing]

Sections Info:

Section Name	Flags	ROffset	RSize	VOffset	VSize
.MPRESS1	E00000E0 (Executable) (Writeable)	200	1B9E00	1000	894000
.MPRESS2	E00000E0 (Executable) (Writeable)	1BA000	1800	895000	1748
.rsrc	C0000040 (Writeable)	1BB800	25800	897000	256C4

Description:

CompanyName: SoftPerfect
LegalCopyright: 2003-2016 SoftPerfect
ProductName: SoftPerfect Network Scanner
FileVersion: 6.2.1.0

Entry Point:

The section number (2) have the Entry Point
Information -> EntryPoint (calculated) - 1BAA1A
Code -> 57565351524150488D05DE0A0000488B304803F0482BC0488BFE66ADC1E00C488BC850AD2BC84803F18BC857448BC1FFC98A
• PUSH RDI
• PUSH RSI
• PUSH RBX
• PUSH RCX
• PUSH RDX
• PUSH R8
• LEA RAX, [RIP + 0XADE]
• MOV RSI, QWORD PTR [RAX]
• ADD RSI, RAX
• SUB RAX, RAX
• MOV RDI, RSI
• LODSW AX, WORD PTR [RSI]
• SHL EAX, 0XC
• MOV RCX, RAX
• PUSH RAX
• LODSD EAX, DWORD PTR [RSI]
• SUB ECX, EAX
• ADD RSI, RCX
• MOV ECX, EAX
• PUSH RDI
• MOV R8D, ECX
• DEC ECX

Signatures:

Certificate - Digital Signature:
• The file is signed and the signature is correct

Packer/Compiler:

Packer: MPress v2.x
Detect It Easy (die)
• PE+(64): packer: EP:MPRESS(1.27-2.12)[-]
• PE+(64): packer: MPRESS(2.19)[-]
• PE+(64): compiler: Borland Delphi(-)[-]
• PE+(64): Sign tool: Windows Authenticode(2.0)[PKCS 7]
• Entropy: 7.9507

Suspicious Functions:

Library	Function	Description
KERNEL32.DLL	GetModuleHandleA	Retrieves a handle to the specified module.
KERNEL32.DLL	GetProcAddress	Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
SHELL32.DLL	ShellExecuteW	Performs a run operation on a specific file.

File Access:

netscan.exe
!Win64 .EXE
wsock32.dll
pdh.dll
mgmtapi.dll
snmpapi.dll
winmm.dll
oleacc.dll
dnsapi.dll
shlwapi.dll
iphlpapi.dll
comdlg32.dll
URLMON.DLL
wininet.dll
shell32.dll
ws2_32.dll
msvcrt.dll
comctl32.dll
ole32.dll
netapi32.dll
SHFolder.dll
mpr.dll
version.dll
gdi32.dll
user32.dll
advapi32.dll
oleaut32.dll
.wSF

Interest's Words:

exec

Interest's Words (UNICODE):

exec
powershell
shutdown

URLs:

http://schemas.microsoft.com/SMI/2005/WindowsSettings
http://crl3.digicert.com/assured-cs-g1.crl
http://crl4.digicert.com/assured-cs-g1.crl
http://ocsp.digicert.com
http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt
http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl
http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl
http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt
http://www.digicert.com/ssl-cps-repository.htm
http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl
http://crl3.digicert.com/sha2-assured-cs-g1.crl
http://crl4.digicert.com/sha2-assured-cs-g1.crl
http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt
https://www.digicert.com/CPS0
https://www.digicert.com/CPS0
https://www.digicert.com/CPS0

Strings/Hex Code Found With The File Rules:

• Rule Text (Unicode): WinAPI Sockets (accept)
• Rule Text (Ascii): WinAPI Sockets (send)
• Rule Text (Ascii): Execution (ShellExecute)
• Rule Text (Ascii): Technique used to capture communications between systems (Intercept)
• EP Rules: Microsoft Visual C++ 8.0 (DLL)

Resources:

Path	DataRVA	Size	FileOffset	Code	Text
\CURSOR\1\1033	80B3A4	134	80A5A4
\CURSOR\2\1033	80B4D8	134	80A6D8
\CURSOR\3\1033	80B60C	134	80A80C
\CURSOR\4\1033	80B740	134	80A940
\CURSOR\5\1033	80B874	134	80AA74
\CURSOR\6\1033	80B9A8	134	80ABA8
\CURSOR\7\1033	80BADC	134	80ACDC
\CURSOR\8\1031	80BC10	2EC	80AE10
\CURSOR\9\1031	80BEFC	2EC	80B0FC
\CURSOR\10\1031	80C1E8	2EC	80B3E8
\CURSOR\11\1031	80C4D4	2EC	80B6D4
\CURSOR\12\1031	80C7C0	134	80B9C0
\CURSOR\13\0	80C8F4	134	80BAF4
\CURSOR\14\1031	80CA28	134	80BC28
\CURSOR\15\1031	80CB5C	2EC	80BD5C
\CURSOR\16\1031	80CE48	2EC	80C048
\CURSOR\17\1031	80D134	2EC	80C334
\CURSOR\18\1031	80D420	2EC	80C620
\CURSOR\19\1031	80D70C	2EC	80C90C
\CURSOR\20\1031	80D9F8	2EC	80CBF8
\BITMAP\BBABORT\1033	80DCE4	1D0	80CEE4
\BITMAP\BBALL\1033	80DEB4	1E4	80D0B4
\BITMAP\BBCANCEL\1033	80E098	1D0	80D298
\BITMAP\BBCLOSE\1033	80E268	1D0	80D468
\BITMAP\BBHELP\1033	80E438	1D0	80D638
\BITMAP\BBIGNORE\1033	80E608	1D0	80D808
\BITMAP\BBNO\1033	80E7D8	1D0	80D9D8
\BITMAP\BBOK\1033	80E9A8	1D0	80DBA8
\BITMAP\BBRETRY\1033	80EB78	1D0	80DD78
\BITMAP\BBYES\1033	80ED48	1D0	80DF48
\BITMAP\CDROM\1033	80EF18	C0	80E118
\BITMAP\CLOSEDFOLDER\1033	80EFD8	E0	80E1D8
\BITMAP\CURRENTFOLDER\1033	80F0B8	E0	80E2B8
\BITMAP\EXECUTABLE\1033	80F198	E0	80E398
\BITMAP\FLOPPY\1033	80F278	C0	80E478
\BITMAP\HARD\1033	80F338	C0	80E538
\BITMAP\KNOWNFILE\1033	80F3F8	E0	80E5F8
\BITMAP\NETWORK\1033	80F4D8	C0	80E6D8
\BITMAP\OPENFOLDER\1033	80F598	E0	80E798
\BITMAP\RAM\1033	80F678	C0	80E878
\BITMAP\UNKNOWNFILE\1033	80F738	E0	80E938
\BITMAP\VT_MOVEALL\0	80F818	268	80EA18
\BITMAP\VT_MOVEEW\0	80FA80	268	80EC80
\BITMAP\VT_MOVENS\0	80FCE8	268	80EEE8
\BITMAP\VT_NODEIMAGES\0	80FF50	268	80F150
\BITMAP\VT_UTILITIES\0	8101B8	D28	80F3B8
\BITMAP\VT_XPBUTTONMINUS\0	810EE0	124	8100E0
\BITMAP\VT_XPBUTTONPLUS\0	811004	124	810204
\ICON\1\3081	897C30	EA8	1BC430	2800000030000000600000000100080000000000000000000000000000000000000000000000000000000000FFFFFF008080	(...0............................................
\ICON\2\3081	898B00	8A8	1BD300	2800000020000000400000000100080000000000000000000000000000000000000000000000000000000000FFFFFF008080	(... ...@.........................................
\ICON\3\3081	8993D0	6C8	1BDBD0	2800000018000000300000000100080000000000000000000000000000000000000000000000000000000000FFFFFF007F7F	(.......0.........................................
\ICON\4\3081	899AC0	568	1BE2C0	2800000010000000200000000100080000000000000000000000000000000000000000000000000000000000FFFFFF007E7E	(....... .......................................~~
\ICON\5\3081	89A050	69B7	1BE850	89504E470D0A1A0A0000000D49484452000001000000010008060000005C72A8660000697E4944415478DAEC9D0760D4D41F	.PNG........IHDR.............\r.f..i~IDATx.......
\ICON\6\3081	8A0A30	10828	1C5230	2800000080000000000100000100200000000000000000000000000000000000000000000000000000000000000000000000	(............. ...................................
\ICON\7\3081	8B1280	4228	1D5A80	2800000040000000800000000100200000000000000000000000000000000000000000000000000000000000000000000000	(...@......... ...................................
\ICON\8\3081	8B54D0	25A8	1D9CD0	2800000030000000600000000100200000000000000000000000000000000000000000000000000000000000000000000000	(...0........ ...................................
\ICON\9\3081	8B7AA0	10A8	1DC2A0	2800000020000000400000000100200000000000000000000000000000000000000000000000000000000000000000000000	(... ...@..... ...................................
\ICON\10\3081	8B8B70	988	1DD370	2800000018000000300000000100200000000000000000000000000000000000000000000000000000000000000000000000	(.......0..... ...................................
\ICON\11\3081	8B9520	468	1DDD20	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\STRING\4048\0	832CF0	3A0	831EF0	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\STRING\4049\0	833090	59C	832290	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\STRING\4050\0	83362C	5E4	83282C	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\STRING\4051\0	833C10	370	832E10	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\STRING\4052\0	833F80	404	833180	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\STRING\4053\0	834384	5FC	833584	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\STRING\4054\0	834980	61C	833B80	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\STRING\4055\0	834F9C	4F0	83419C	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\STRING\4056\0	83548C	378	83468C	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\STRING\4057\0	835804	3F8	834A04	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\STRING\4058\0	835BFC	504	834DFC	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\STRING\4059\0	836100	42C	835300	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\STRING\4060\0	83652C	378	83572C	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\STRING\4061\0	8368A4	1B8	835AA4	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\STRING\4062\0	836A5C	1B8	835C5C	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\STRING\4063\0	836C14	398	835E14	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\STRING\4064\0	836FAC	B98	8361AC	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\STRING\4065\0	837B44	680	836D44	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\STRING\4066\0	8381C4	428	8373C4	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\STRING\4067\0	8385EC	494	8377EC	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\STRING\4068\0	838A80	3A8	837C80	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\STRING\4069\0	838E28	1EC	838028	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\STRING\4070\0	839014	178	838214	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\STRING\4071\0	83918C	160	83838C	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\STRING\4072\0	8392EC	240	8384EC	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\STRING\4073\0	83952C	484	83872C	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\STRING\4074\0	8399B0	360	838BB0	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\STRING\4075\0	839D10	27C	838F10	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\STRING\4076\0	839F8C	BC	83918C	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\STRING\4077\0	83A048	1F8	839248	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\STRING\4078\0	83A240	198	839440	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\STRING\4079\0	83A3D8	378	8395D8	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\STRING\4080\0	83A750	400	839950	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\STRING\4081\0	83AB50	3EC	839D50	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\STRING\4082\0	83AF3C	654	83A13C	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\STRING\4083\0	83B590	370	83A790	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\STRING\4084\0	83B900	3C8	83AB00	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\STRING\4085\0	83BCC8	49C	83AEC8	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\STRING\4086\0	83C164	438	83B364	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\STRING\4087\0	83C59C	37C	83B79C	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\STRING\4088\0	83C918	384	83BB18	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\STRING\4089\0	83CC9C	458	83BE9C	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\STRING\4090\0	83D0F4	10C	83C2F4	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\STRING\4091\0	83D200	CC	83C400	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\STRING\4092\0	83D2CC	244	83C4CC	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\STRING\4093\0	83D510	414	83C710	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\STRING\4094\0	83D924	37C	83CB24	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\STRING\4095\0	83DCA0	2EC	83CEA0	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\STRING\4096\0	83DF8C	34C	83D18C	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\DVCLAL\0	83E2D8	10	83D4D8	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\PACKAGEINFO\0	83E2E8	16EC	83D4E8	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\POWEROFF_SERVICE\1033	83F9D4	8200	83EBD4	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TDEFAULTDATAMODULE\0	847BD4	7599	846DD4	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMABOUT\0	84F170	1A83	84E370	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMAPPVARS\0	850BF4	377	84FDF4	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMAUTHINFO\0	850F6C	273	85016C	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMBASEDIALOG\0	8511E0	2E0	8503E0	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMBASEDIALOGREMOTEEDIT\0	8514C0	2FD	8506C0	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMBASEDIALOGSHUTDOWN\0	8517C0	34C	8509C0	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMBOOKMARKEDIT\0	851B0C	570	850D0C	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMBOOKMARKLIST\0	85207C	B04	85127C	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMCOLUMNDISPLAYOPTIONS\0	852B80	856	851D80	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMCOMPARE\0	8533D8	F5D	8525D8	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMCREATEBATCH\0	854338	AA1	853538	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMCREDEDIT\0	854DDC	2A4	853FDC	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMCREDMANAGER\0	855080	383	854280	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMDETECTIP\0	855404	600	854604	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMDHCPVIEW\0	855A04	4D9	854C04	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMDUPLICATEIP\0	855EE0	583	8550E0	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMEDITAPP\0	856464	6B5	855664	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMEMAILSETTINGS\0	856B1C	8D1	855D1C	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMFRIENDLYNAMEEDIT\0	8573F0	415	8565F0	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMFRIENDLYNAMELIST\0	857808	B40	856A08	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMHOSTPROPS\0	858348	32C	857548	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMIGNOREADDRESS\0	858674	1019	857874	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMIMPORTDATA\0	859690	621	858890	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMIPINPUT\0	859CB4	469	858EB4	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMKEYVALEDITOR\0	85A120	62A	859320	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMLEGEND\0	85A74C	446	85994C	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMLIVEDISPLAYLOG\0	85AB94	55D	859D94	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMLIVEDISPLAYNOTIFYSETTINGS\0	85B0F4	AEC	85A2F4	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMLOADOPTIONS\0	85BBE0	474	85ADE0	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMMAINVIEW\0	85C054	16050	85B254	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMMAPSHORTCUT\0	8720A4	2DB	8712A4	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMOFFLINEDIALOG\0	872380	D21	871580	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMOPTIONS\0	8730A4	7EB6	8722A4	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMPASTEIP\0	87AF5C	47F	87A15C	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMPORTLISTEDITOR\0	87B3DC	2FC	87A5DC	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMPOWEROFFPARAMS\0	87B6D8	635	87A8D8	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMPUBLICIP\0	87BD10	5A2	87AF10	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMREARRANGE\0	87C2B4	348	87B4B4	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMREMOTEFILE\0	87C5FC	C94	87B7FC	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMREMOTEFILEEDIT\0	87D290	608	87C490	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMREMOTEGROUPS\0	87D898	1688	87CA98	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMREMOTEGROUPSEDIT\0	87EF20	7BD	87E120	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMREMOTEPERFEDIT\0	87F6E0	43E	87E8E0	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMREMOTEPERFORMANCE\0	87FB20	DB8	87ED20	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMREMOTEPOWERSHELL\0	8808D8	ED7	87FAD8	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMREMOTEPOWERSHELLEDIT\0	8817B0	393	8809B0	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMREMOTEREGISTRY\0	881B44	CAE	880D44	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMREMOTEREGISTRYEDIT\0	8827F4	7B7	8819F4	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMREMOTESERVICEEDIT\0	882FAC	5A4	8821AC	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMREMOTESERVICES\0	883550	15BE	882750	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMREMOTESNMP\0	884B10	143C	883D10	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMREMOTESNMPEDIT\0	885F4C	1008	88514C	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMREMOTESSH\0	886F54	102E	886154	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMREMOTESSHEDIT\0	887F84	F3	887184	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMREMOTEWMI\0	888078	1095	887278	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMREMOTEWMIEDIT\0	889110	916	888310	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMREMOTEXML\0	889A28	131A	888C28	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMSHUTDOWNPARAMS\0	88AD44	598	889F44	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMSSDPVIEW\0	88B2DC	27F1	88A4DC	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMSTOPSCANDIALOG\0	88DAD0	D06	88CCD0	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMSUBMITMESSAGE\0	88E7D8	F69	88D9D8	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMVISIBLECOLUMNS\0	88F744	23A	88E944	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMWOLADD\0	88F980	584	88EB80	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMWOLMANAGER\0	88FF04	EEB	88F104	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TFMWOLSETTINGS\0	890DF0	685	88FFF0	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TMODALCONTROL\0	891478	114	890678	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TREMOTECOMMONFORM\0	89158C	A99	89078C	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TREMOTEXMLEDITFORM\0	892028	8FE	891228	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TUSERPROMPTFORM\0	892928	35B	891B28	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\RCDATA\TWAITFORM\0	892C84	BCF	891E84	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\GROUP_CURSOR\VT_HEADERSPLIT\0	893854	14	892A54	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\GROUP_CURSOR\VT_MOVEALL\0	893868	14	892A68	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\GROUP_CURSOR\VT_MOVEE\0	89387C	14	892A7C	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\GROUP_CURSOR\VT_MOVEEW\0	893890	14	892A90	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\GROUP_CURSOR\VT_MOVEN\0	8938A4	14	892AA4	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\GROUP_CURSOR\VT_MOVENE\0	8938B8	14	892AB8	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\GROUP_CURSOR\VT_MOVENS\0	8938CC	14	892ACC	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\GROUP_CURSOR\VT_MOVENW\0	8938E0	14	892AE0	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\GROUP_CURSOR\VT_MOVES\0	8938F4	14	892AF4	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\GROUP_CURSOR\VT_MOVESE\0	893908	14	892B08	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\GROUP_CURSOR\VT_MOVESW\0	89391C	14	892B1C	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\GROUP_CURSOR\VT_MOVEW\0	893930	14	892B30	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\GROUP_CURSOR\VT_VERTSPLIT\0	893944	14	892B44	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\GROUP_CURSOR\32761\1033	893958	14	892B58	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\GROUP_CURSOR\32762\1033	89396C	14	892B6C	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\GROUP_CURSOR\32763\1033	893980	14	892B80	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\GROUP_CURSOR\32764\1033	893994	14	892B94	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\GROUP_CURSOR\32765\1033	8939A8	14	892BA8	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\GROUP_CURSOR\32766\1033	8939BC	14	892BBC	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\GROUP_CURSOR\32767\1033	8939D0	14	892BD0	2800000010000000200000000100200000000000000000000000000000000000000000000000000000000000000000000000	(....... ..... ...................................
\GROUP_ICON\MAINICON\3081	8BBF54	A0	1E0754	000001000B003030000001000800A80E000001002020000001000800A808000002001818000001000800C806000003001010	......00............ ............................
\VERSION\1\3081	8BC034	298	1E0834	980234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000200	..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
\24\1\3081	8BC30C	3B8	1E0B0C	3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E653D2279	<?xml version="1.0" encoding="UTF-8" standalone="y

Intelligent String:

• 6.2.1.0
• SysFreeStringadvapi32.dll
• RegCloseKeyuser32.dll
• CharNextWgdi32.dll
• Pieversion.dll
• DoDragDropcomctl32.dll
• ImageList_Addmsvcrt.dll
• strchrws2_32.dll
• sendshell32.dll
• ShellExecuteWwininet.dll
• ChooseFontWwinspool.drv
• OpenPrinterWiphlpapi.dll
• DnsQuery_Woleacc.dll
• LresultFromObjectwinmm.dll
• timeGetTimesnmpapi.dll
• SnmpMgrOpenpdh.dll
• PdhCloseLogwsock32.dll
• <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
• H0F08
• https://www.digicert.com/CPS0

Extra 4n4lysis:

Metric	Value	Percentage
Ascii Code	1323690	66,6728%
Null Byte Code	50601	2,5487%