PREMIUM PESCAN.IO - Analysis Report

Information
Size: 7,73 MB
SHA-256 Hash: D3862669B802042A4E21817F23C2123AF49BECCED253FCFB2A49898A02A794EC
SHA-1 Hash: 1D8ED876C76A433CACDA2813E03DFFD304C0BB68
MD5 Hash: 38EEE8555328E30D818B3C87B65A2FED
Imphash: 9957ED8BDCA75E22504102B60A0565F0
MajorOSVersion: 5
MinorOSVersion: 2
CheckSum: 00000000
EntryPoint (rva): 2F7080
SizeOfHeaders: 400
SizeOfImage: 8F6000
ImageBase: 0000000140000000
Architecture: x64
ExportTable: 510FB0
ImportTable: 50F43C
IAT: 38F000
Characteristics: 22
TimeDateStamp: 5A1BDFD1
Date: 27/11/2017 9:50:09
File Type: EXE
Number Of Sections: 7
ASLR: Disabled
Section Names (Optional Header): .text, .rdata, .data, .pdata, .tls, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows Console

Sections Info
Section Name Flags ROffset RSize VOffset VSize Entropy Chi2
.text 60000020 (Code, Executable, Readable) 400 38E000 1000 38DE25 5,991139081679,32
.rdata 40000040 (Initialized Data, Readable) 38E400 182000 38F000 181FF8 5,437929798642,08
.data C0000040 (Initialized Data, Readable, Writeable) 510400 4A200 511000 182A84 3,863321162101,23
.pdata 40000040 (Initialized Data, Readable) 55A600 2B800 694000 2B698 6,25763186848,19
.tls C0000040 (Initialized Data, Readable, Writeable) 585E00 22EA00 6C0000 22E8C9 0,0033583238173,99
.rsrc 40000040 (Initialized Data, Readable) 7B4800 600 8EF000 408 2,4028202902,33
.reloc 42000040 (Initialized Data, GP-Relative, Readable) 7B4E00 5200 8F0000 516C 1,54593731762,29
Description
CompanyName: Altitude Software
LegalCopyright: Altitude Software
LegalTrademarks: Altitude Software
ProductName: Patch 4070 Build 0 (27 Nov 2017 09:50)
FileDescription: Altitude uCI
Comments: Patch 4070 Build 0 (27 Nov 2017 09:50)
Language: English (United States) (ID=0x409)
CodePage: Western European (Windows 1252) (0x4E4)

Entry Point
Section number 1 contains the Entry Point
Information -> EntryPoint (calculated) - 2F6480
Code -> 4883EC28E897790200E8120000004883C428C3CCCCCCCCCCCCCCCCCCCCCCCCCC4883EC48C744242800000000E84F01000089
SUB RSP, 0X28
CALL 0X289A0
CALL 0X1020
ADD RSP, 0X28
RET
INT3
INT3
INT3
INT3
INT3
INT3
INT3
INT3
INT3
INT3
INT3
INT3
INT3
SUB RSP, 0X48
MOV DWORD PTR [RSP + 0X28], 0
CALL 0X1180

Signatures
Rich Signature Analyzer:
Code -> A70FEB5CE36E850FE36E850FE36E850FC4A8050FE26E850F5E21130FEF6E850FC4A8FE0FF66E850FE36E840FEF6F850FF8F32F0FEB6E850FEA16100FF36E850FEA16060F196E850FEA16010F156E850FEA16170FE26E850FFD3C110FE26E850FEA16140FE26E850F52696368E36E850F
Footprint md5 Hash -> 6DAD320B7D077D7050F6115EA1C6BB2F
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler
Compiler: Microsoft Visual Studio
Compiler: Microsoft Visual C++
Compiler: Pure Basic 4.x
Detect It Easy (die)
PE+(64): compiler: Microsoft Visual C/C++(2008)[-]
PE+(64): linker: Microsoft Linker(9.0)[-]
Entropy: 4.85236

Suspicious Functions
Library Function Description
Ws2_32.DLL socket | Possible Call API By Name Create a communication endpoint for networking applications.
KERNEL32.DLL CreateMutexA Create a named or unnamed mutex object for controlling access to a shared resource.
KERNEL32.DLL GetModuleFileNameA Retrieve the fully qualified path for the executable file of a specified module.
KERNEL32.DLL GetModuleHandleA Retrieves a handle to the specified module.
KERNEL32.DLL WriteFile Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL LoadLibraryA Loads the specified module into the address space of the calling process.
KERNEL32.DLL LoadLibraryW Loads the specified module into the address space of the calling process.
KERNEL32.DLL CreateToolhelp32Snapshot Creates a snapshot of the specified processes, heaps, threads, and modules.
KERNEL32.DLL GetProcAddress Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL CreateFileA Creates or opens a file or I/O device.
KERNEL32.DLL DeleteFileA Deletes an existing file.
KERNEL32.DLL IsDebuggerPresent Determines if the calling process is being debugged by a user-mode debugger.
Ws2_32.DLL socket Create a communication endpoint for networking applications.
Ws2_32.DLL connect Establish a connection to a specified socket.
Windows REG
SOFTWARE\Microsoft\VisualStudio\9.0\Setup\VS
SOFTWARE\VMware, Inc.\VMware Tools
System\CurrentControlSet\Control\ProductOptions

File Access
easy.exe
.exe
%s%s.exe
proxy_init.exe
gw_init.exe
lms.exe
easy_log.exe
%svmGuestLib.dll
vmGuestLib.dll
mscoree.dll
OLEAUT32.dll
IPHLPAPI.DLL
PSAPI.DLL
WS2_32.dll
icuin40.dll
icuuc40.dll
ole32.dll
ADVAPI32.dll
KERNEL32.dll
MSPDB80.DLL
USER32.DLL
dbghelp.dll
.bat
@.dat
Dump stats to easy.log
.core.log
%s\%s.mem.%d.log
easy_sync.log
performance.log
Number of errors reported to easy.log
System] Easy.log
.log
%s\easy.log
lock.%d.txt
comms.protobuf.ini
comms.protobuf.init.INI
F (shmemLockContainerDB.Ini
Temp

File Access (UNICODE)
USER32.DLL
CorExitProcessmscoree.dll
Temp

SQL Queries
create table %s
drop table %s

Interesting Words
zombie
tskill
Encrypt
Encryption
PassWord
exec
attrib
start
pause
hostname
sdelete
shutdown
defrag
systeminfo
ping
replace
route

Interesting Words (UNICODE)
pause
shutdown
systeminfo
expand

Anti-VM/Sandbox/Debug Tricks
VMWare - vmGuestLib.dll
OllyDbg Library - dbghelp.dll

URLs
https://github.com/alanxz/rabbitmq-c

IP Addresses
224.0.0.114

Strings/Hex Code Found With The File Rules
Rule Type Encoding Matched (Word)
Text Ascii Unicode escape - \u00 - (Common Unicode escape sequences)
Text Ascii WinAPI Sockets (bind)
Text Ascii WinAPI Sockets (listen)
Text Ascii WinAPI Sockets (accept)
Text Ascii WinAPI Sockets (connect)
Text Ascii WinAPI Sockets (recv)
Text Unicode WinAPI Sockets (recv)
Text Ascii WinAPI Sockets (send)
Text Unicode WinAPI Sockets (send)
Text Ascii Registry (RegOpenKeyEx)
Text Ascii File (GetTempPath)
Text Ascii File (CreateFile)
Text Ascii File (WriteFile)
Text Ascii File (ReadFile)
Text Ascii Anti-Analysis VM (IsDebuggerPresent)
Text Ascii Anti-Analysis VM (GetSystemInfo)
Text Ascii Anti-Analysis VM (GlobalMemoryStatusEx)
Text Ascii Anti-Analysis VM (GetVersion)
Text Ascii Anti-Analysis VM (CreateToolhelp32Snapshot)
Text Ascii Reconnaissance (FindFirstFileA)
Text Ascii Reconnaissance (FindNextFileA)
Text Ascii Reconnaissance (FindClose)
Text Ascii Stealth (ExitThread)
Text Ascii Stealth (ReleaseSemaphore)
Text Ascii Stealth (CloseHandle)
Text Ascii Stealth (IsBadReadPtr)
Text Ascii Stealth (UnmapViewOfFile)
Text Ascii Stealth (MapViewOfFile)
Text Ascii Stealth (CreateFileMappingA)
Text Ascii Execution (CreateSemaphoreA)
Text Ascii Execution (CreateEventA)
Text Ascii Unauthorized movement of funds or data (Transfer)
Text Ascii Malicious rerouting of traffic to an attacker-controlled site (Redirect)
Text Ascii Related to a particular nation or its government (National)
Entry Point Hex Pattern Microsoft Visual C++ 8.0 (DLL)
Entry Point Hex Pattern PE-Exe Executable Image
Resources
Path DataRVA Size FileOffset CodeText
\VERSION\1\1033 8EF060 3A4 7B4860 A40334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000300..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
Intelligent String
• %spasswd
• %sSS_AM_AGENT_LOGIN_EVENT
• LOGIN_IN
• LOGIN_OUT
• SS_GET_REMOTE_LOGIN_DATA_IN
• SS_GET_REMOTE_LOGIN_DATA_OUT
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\setenv.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\asctime.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\initmon.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\initnum.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\setvbuf.c
• USER32.DLL
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\chdir.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\putenv.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\osfinfo.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\threadex.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\winsig.c
• mscoree.dll
• dumpRpcStatsForAllProcesses
• MULTI_INSTANCE_CONFIG_EVENTintSS_GET_REMOTE_LOGIN_DATA_OUT
• SS_PRED_MODE_WITH_MANY_TELGW_ALLOW_AGENT_LOGIN
• SS_CP_HAS_OPEN_WORKS_CANT_UPD_LOGIN
• AM_ALREADY_IN_FORCED_LOGIN
• PBX_Switch_UnableToModifyUserLogin
• PBX_Campaign_InvalidLoginGroup
• SOPHO_LOGIN
• LOAD_BAD_STATUSLOAD_CANT_LOGINLOAD_CP_NOT_FOUND
• CORE_DUMP_PRIVATE
• CORE_DUMP_SMALLCORE_DUMP_FULL
• LPTS_TASK_DUMP_STATS
• Unable to modify user login. The gateway is already online.
• Invalid login group
• EL_Error_Switch_ExtensionAgentUsingOtherLoginGroup
• EL_Error_Switch_UnableToModifyUserLoginEL_Error_Switch_UnableToModifyUserPassword
• EL_Error_Extension_AgentLoginGroupNotInUse
• EL_Error_Extension_AgentUsingOtherLoginGroup
• EL_Error_Campaign_InvalidNativePredictiveDeviceEL_Error_Campaign_LoginGroupInUse
• EL_Error_Campaign_InvalidLoginGroup
• MonitorModeIsNotPresentUserLoginIsNotPresent
• N_EL_LOGIN_GROUP_IN_USE_STATUS
• On login
• MM_AT_LOGIN_TIME
• D:/GIT/Server8_Patch_8.3.4000/git_source/../port_release_8.3.4000/nt64/target/sprojs/unix2win/ci/SystemInformation.cpp
• D:/GIT/Server8_Patch_8.3.4000/git_source/../port_release_8.3.4000/nt64/target/sprojs/unix2win/ci/CallStackWalker.cpp
• .exe
• D:/GIT/Server8_Patch_8.3.4000/git_source/../port_release_8.3.4000/nt64/target/sprojs/utils/ci/shmem_avl.cpp
• D:/GIT/Server8_Patch_8.3.4000/git_source/../port_release_8.3.4000/nt64/target/sprojs/utils/ci/avl.cpp
• D:/GIT/Server8_Patch_8.3.4000/git_source/src/sprojs/comms/lib/c/http_parser.cpp
• D:\Snapshots\patch_Master_Server8_snap\3ppsw\nt\develop\msdev2008\include\xlocnum
• D:\Snapshots\patch_Master_Server8_snap\3ppsw\nt\develop\msdev2008\include\xlocale
• D:\Snapshots\patch_Master_Server8_snap\3ppsw\nt\develop\msdev2008\include\streambuf
• ssGetRemoteLoginData
• @.tls
• D:\Snapshots\patch_Master_Server8_snap\3ppsw\nt\develop\msdev2008\include\xdebug
• 224.0.0.114
• ssLoginLOGIN_IN
• ssValidateAgentPasswordVALIDATE_INintLOGIN_OUT
• XRF_ssLogin
• ssLoginXRF_ssLogin_TO
• ssLoginXRF_ssLogin_async_call
• ssLoginXRF_ssLogin_async_recv
• ssLoginAMQPX_ssLogin
• ssLoginXRF_ssLogin_authenticated
• ssLoginXRF_ssLogin_authenticated_TO
• ssLoginXRF_ssLogin_authenticated_async_call
• ssLoginXRF_ssLogin_authenticated_async_recv
• ssLoginssLogin_FREE
• ssLoginssLoginXRF_ssLogout
• ssMultiInstancessMultiInstanceXRF_ssGetRemoteLoginData
• XRF_ssGetRemoteLoginData_TO
• XRF_ssGetRemoteLoginData_async_call
• XRF_ssGetRemoteLoginData_async_recv
• AMQPX_ssGetRemoteLoginData
• XRF_ssGetRemoteLoginData_authenticated
• XRF_ssGetRemoteLoginData_authenticated_TO
• XRF_ssGetRemoteLoginData_authenticated_async_call
• XRF_ssGetRemoteLoginData_authenticated_async_recv
• ssGetRemoteLoginData_FREE
• d:\git\server8_patch_8.3.4000\port_release_8.3.4000\nt64\target\sprojs\comms\ci\builtin.librpc.pb.h
• D:\Snapshots\patch_Master_Server8_snap\3ppsw\nt\develop\msdev2008\include\xstring
• D:\Snapshots\patch_Master_Server8_snap\3ppsw\nt\develop\msdev2008\include\xutility
• D:\Snapshots\patch_Master_Server8_snap\3ppsw\nt\develop\msdev2008\include\xiosbase
• D:\Snapshots\patch_Master_Server8_snap\3ppsw\nt\misc\protobuf-2.5.0\include\google/protobuf/stubs/common.h
• D:\Snapshots\patch_Master_Server8_snap\3ppsw\nt\develop\msdev2008\include\xtree
• D:\Snapshots\patch_Master_Server8_snap\3ppsw\nt\develop\msdev2008\include\algorithm
• D:\Snapshots\patch_Master_Server8_snap\3ppsw\nt\develop\msdev2008\include\vector
• D:\Snapshots\patch_Master_Server8_snap\3ppsw\nt\develop\msdev2008\include\memory
• upgradeD:/GIT/Server8_Patch_8.3.4000/git_source/src/sprojs/comms/lib/c/http_parser.cpp
• chunkedD:/GIT/Server8_Patch_8.3.4000/git_source/src/sprojs/comms/lib/c/http_parser.cpp
• Login
• %s.tty
• CORE_DUMP_DEBUG_CALL_STACK_FILE=%s
• pmon_core.tty
• Database login failed due wrong username/password.
• Login to license manager failedLicense not valid
• Free space in the crash dumps drive has gone below %.0f MB. Core dump level full will be overriden to private.
• Free space in the crash dumps drive has gone above %.0f MB. Core dump level override to private is disabled.
• Free space in the crash dumps drive has gone below %.0f MB. Core dump levels full and private will be overriden to small.
• Free space in the crash dumps drive has gone above %.0f MB. Core dump level override to small is disabled.
• PBX login failed!. Campaign must be closed.
• %s\easy.log
• .ttz
• .tty
• .log
• yes, shared memory still present and control sync still presentShMemDumpGLStats
• Global\%s
• Number of errors reported to easy.log
• shmem_dumpStatefailed to connect to control area
• D:\Snapshots\patch_Master_Server8_snap\3ppsw\nt\develop\msdev2008\include\deque
• AgentResetForLogin
• AgId(%d) has interactions from previous login, current nWithItr = %d
• found with allow_agent_login
• didn't find any telgw with allow_agent_login (predictive cps), will return one of them
• AgentInfoList::GetLoginGroupAgents
• easy_sync.log
• CORE_DUMP_OVERRIDE_LEVEL=%d
• SHMEM_LOCK_MANAGER_DUMP_ON_ERROR
• SHMEM_LOCK_MANAGER_DUMP_IS_ACTIVE = FALSE
• SHMEM_LOCK_MANAGER_DUMP_ON_ERROR_IS_ON [%s] SHMEM_LOCK_MANAGER_PROCESS_ID [%d]
• ShmemLockManager::SetLockManagerDumpOnErrorT
• shmemLockDumpOnErrorIsOn_ [%d]
• F (Dump timer has not expired)T
• %s%s (isLocalThreadDump [%d])
• %s\%s.mem.%d.log
• Global\shm.%s.%s
• Global\shm.%s.no_instance
• parametro cmd nao suportado
• dbghelp.dll
• MiniDumpWriteDump
• pfnCrashDump
• hLibrary && pfnCrashDump
• .core.log
• D:/GIT/Server8_Patch_8.3.4000/git_source/../port_release_8.3.4000/nt64/target/sprojs/unix2win/ci/DebugUtils.cpp
• CORE_DUMP_LEVELCORE_DUMP_OVERRIDE_LEVEL
• core.dmp
• User login is not present
• Campaign login group in use
• Extension already using another login group
• Extension agent login group not in use
• Extension already using another login group - {0}
• Error: A non loadable field named {0} was found in the .typ
• Dump stats to easy.log
• The 'switch agent state control' or 'login group' cannot be changed because the campaign has agents working.
• TstringTstringdumpRpcStatsForAllProcessesvoid
• XRF_dumpRpcStatsForAllProcessesdumpRpcStatsForAllProcesses
• XRF_dumpRpcStatsForAllProcesses_TO
• XRF_dumpRpcStatsForAllProcesses_async_call
• XRF_dumpRpcStatsForAllProcesses_async_recv
• AMQPX_dumpRpcStatsForAllProcesses
• dumpRpcStatsForAllProcesses_FREE
• d:\git\server8_patch_8.3.4000\port_release_8.3.4000\nt64\target\sprojs\comms\ci\init.librpcinit.pb.h
• D:\Snapshots\patch_Master_Server8_snap\3ppsw\nt\misc\protobuf-2.5.0\include\google/protobuf/repeated_field.h
• C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\include\xutility
• C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\include\vector
• C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\include\memory
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\_file.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\printf.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\sprintf.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\fprintf.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\gets.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\dbgdel.cpp
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\sscanf.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\getenv.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\assert.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\dbgrpt.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\memcpy_s.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\memmove_s.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\onexit.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\strtol.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\fgets.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\fclose.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\fopen.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\vsprintf.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\vfprintf.c
• 9:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]_abcdefghijklmnopqrstuvwxyz{|}~f:\dd\vctools\crt_bld\self_64_amd64\crt\src\setlocal.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\setlocal.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\strerror.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\atof.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\strtod.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\wcscoll.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\mbstowcs.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\strftime.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\malloc.h
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\loctim64.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\gmtime64.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\mktime64.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\fstat64.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\fileno.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\ctime64.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\stat64.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\fread.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\ftell.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\fseek.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\fwrite.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\fgetpos.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\fsetpos.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\feoferr.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\dbgrptt.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\strnicmp.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\vprintf.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\qsort.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\strdup.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\read.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\close.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\open.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\write.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\commit.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\mlock.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\ioinit.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\dbgheap.c
• Object dump complete.
• Dumping objects ->
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\_sftbuf.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\tidtable.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\crt0msg.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\mbctype.c
• ADVAPI32.DLL
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\inithelp.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\_flsbuf.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\_filbuf.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\prebuild\eh\typname.cpp
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\tcscpy_s.inl
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\stdenvp.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\stdargv.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\a_env.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\input.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\mbsnbico.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\wtombenv.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\isctype.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\prebuild\conv\cvt.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\xtoa.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\tcsncat_s.inl
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\tcsncpy_s.inl
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\tcscat_s.inl
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\fwprintf.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\errmode.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\vswprint.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\_freebuf.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\_open.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\stream.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\inittime.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\initctyp.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\getqloc.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\prebuild\include\strgtold12.inl
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\timeset.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\tzset.cTZ
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\tzset.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\stricmp.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\gmtime.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\fgetc.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\dtoxtm64.c
• .com
• .bat
• .cmd
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\drive.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\mbscspn.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\fullpath.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\lseek.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\ftelli64.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\fseeki64.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\wcstombs.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\mbschr.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\lseeki64.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\setmode.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\mbtowc.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\isatty.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\expand.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\wctomb.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\_getbuf.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\ungetc_nolock.inl
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\a_cmp.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\strnicol.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\_fptostr.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\prebuild\conv\cfout.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\convrtcp.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\mbsnbicm.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\mbsnbcmp.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\mbsicmp.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\mbsrchr.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\getcwd.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\mbtowenv.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\w_env.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\wcsnicol.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\prebuild\conv\x10fout.c
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\xmutex.cpp
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\xstring
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\_tolower.c
• error in amqp_login (most likely a timeout): %serror in amqp_login, reply: %s
• f:\dd\vctools\crt_bld\self_64_amd64\crt\src\fputc.c
• D:\GIT\Server8_Patch_8.3.4000\port_release_8.3.4000\nt64\target\bin\easy.pdb
• KERNEL32.dll
• WS2_32.dll
• OLEAUT32.dll
• %sevent%sdummy|| <- {MULTI_INSTANCE_CONFIG_EVENT}%sy|| -> {SS_GET_REMOTE_LOGIN_DATA_OUT}
• || <- {SS_GET_REMOTE_LOGIN_DATA_OUT}
• || -> {SS_GET_REMOTE_LOGIN_DATA_IN}%sh%sinstanceCode
• || <- {SS_GET_REMOTE_LOGIN_DATA_IN}%sm|| -> {SS_MULTI_INSTANCE_OUT}
• %slogin_information
• || -> {SS_AM_AGENT_LOGIN_EVENT_INFO}
• || <- {SS_AM_AGENT_LOGIN_EVENT_INFO}
• %soldPasswd
• %snewPasswd
• %saName%saType|| <- {LOGIN_OUT}
• %sPBX_Campaign_InvalidLoginGroup
• %sPBX_Switch_UnableToModifyUserLogin
• %sSS_TEAM_HAS_CAMPAIGNS%sSS_CP_HAS_OPEN_WORKS_CANT_UPD_LOGIN
• %sSS_PRED_MODE_WITH_MANY_TELGW_ALLOW_AGENT_LOGIN
• vmGuestLib.dll
• %svmGuestLib.dll
• \u00%c%c
• See https://github.com/alanxz/rabbitmq-c

Flow Anomalies
Offset RVA Section Description
EA1D9-EA22F N/A .text Potential obfuscated jump sequence detected, count: 42
32723D-32724A N/A .text Potential obfuscated jump sequence detected, count: 7
34C7F6-34C80C N/A .text Potential obfuscated jump sequence detected, count: 7
38EDD0 309CD0 .rdata TLS Callback | Pointer to 140309CD0 - 0x3090D0 .text
55A93C 6260 .pdata ExceptionHook | Pointer to 6260 - 0x5660 .text + UnwindInfo: .rdata
55A948 64B0 .pdata ExceptionHook | Pointer to 64B0 - 0x58B0 .text + UnwindInfo: .rdata
55A954 64F0 .pdata ExceptionHook | Pointer to 64F0 - 0x58F0 .text + UnwindInfo: .rdata
55A960 6880 .pdata ExceptionHook | Pointer to 6880 - 0x5C80 .text + UnwindInfo: .rdata
55A96C 68C0 .pdata ExceptionHook | Pointer to 68C0 - 0x5CC0 .text + UnwindInfo: .rdata
55A978 6990 .pdata ExceptionHook | Pointer to 6990 - 0x5D90 .text + UnwindInfo: .rdata
55A984 6AD0 .pdata ExceptionHook | Pointer to 6AD0 - 0x5ED0 .text + UnwindInfo: .rdata
55A990 6BA0 .pdata ExceptionHook | Pointer to 6BA0 - 0x5FA0 .text + UnwindInfo: .rdata
55A99C 6CE0 .pdata ExceptionHook | Pointer to 6CE0 - 0x60E0 .text + UnwindInfo: .rdata
55A9A8 6DD0 .pdata ExceptionHook | Pointer to 6DD0 - 0x61D0 .text + UnwindInfo: .rdata
55A9B4 6EF0 .pdata ExceptionHook | Pointer to 6EF0 - 0x62F0 .text + UnwindInfo: .rdata
55A9C0 6FA0 .pdata ExceptionHook | Pointer to 6FA0 - 0x63A0 .text + UnwindInfo: .rdata
55A9CC 70B0 .pdata ExceptionHook | Pointer to 70B0 - 0x64B0 .text + UnwindInfo: .rdata
55A9D8 7280 .pdata ExceptionHook | Pointer to 7280 - 0x6680 .text + UnwindInfo: .rdata
55A9E4 73E0 .pdata ExceptionHook | Pointer to 73E0 - 0x67E0 .text + UnwindInfo: .rdata
55A9F0 7530 .pdata ExceptionHook | Pointer to 7530 - 0x6930 .text + UnwindInfo: .rdata
55A9FC 76C0 .pdata ExceptionHook | Pointer to 76C0 - 0x6AC0 .text + UnwindInfo: .rdata
55AA08 77F0 .pdata ExceptionHook | Pointer to 77F0 - 0x6BF0 .text + UnwindInfo: .rdata
55AA14 79A0 .pdata ExceptionHook | Pointer to 79A0 - 0x6DA0 .text + UnwindInfo: .rdata
55AA20 7AE0 .pdata ExceptionHook | Pointer to 7AE0 - 0x6EE0 .text + UnwindInfo: .rdata
55AA2C 7BD0 .pdata ExceptionHook | Pointer to 7BD0 - 0x6FD0 .text + UnwindInfo: .rdata
55AA38 7D60 .pdata ExceptionHook | Pointer to 7D60 - 0x7160 .text + UnwindInfo: .rdata
55AA44 7EC0 .pdata ExceptionHook | Pointer to 7EC0 - 0x72C0 .text + UnwindInfo: .rdata
55AA50 7FE0 .pdata ExceptionHook | Pointer to 7FE0 - 0x73E0 .text + UnwindInfo: .rdata
55AA5C 8250 .pdata ExceptionHook | Pointer to 8250 - 0x7650 .text + UnwindInfo: .rdata
55AA68 8530 .pdata ExceptionHook | Pointer to 8530 - 0x7930 .text + UnwindInfo: .rdata
55AA74 86A0 .pdata ExceptionHook | Pointer to 86A0 - 0x7AA0 .text + UnwindInfo: .rdata
55AA80 87D0 .pdata ExceptionHook | Pointer to 87D0 - 0x7BD0 .text + UnwindInfo: .rdata
55AA8C 8A50 .pdata ExceptionHook | Pointer to 8A50 - 0x7E50 .text + UnwindInfo: .rdata
55AA98 8B40 .pdata ExceptionHook | Pointer to 8B40 - 0x7F40 .text + UnwindInfo: .rdata
55AAA4 8B80 .pdata ExceptionHook | Pointer to 8B80 - 0x7F80 .text + UnwindInfo: .rdata
Extra Analysis
Metric Value Percentage
Ascii Code 3618836 44,6666%
Null Byte Code 3493253 43,1165%