PREMIUM PESCAN.IO - Analysis Report
| File Structure |
Chart legend (the chart image itself is not part of this page):
- PE chart: PE header (light blue), executable sections (pink), non-executable sections (black), external injected code (red). A file structure drawn in red marks a malformed or corrupted header.
- Chart for non-PE files: printable characters (blue), non-printable characters (black).
| Information |
- Size: 6.42 MB (6,731,068 bytes = 0x66B53C, the end offset of the last carved image)
- SHA-256: B7E18D6227ED641061B9E7A24DDFE3002F4C449B6107A5FF8A3976EF4E20C05A
- SHA-1: F829203051E703D069C9D15D5CD8E341A16CD137
- MD5: 015887045FACCA4A7CC4713A5479F5C7
- Imphash: FAD4CFE684646D5A98919BDC92BD72BC
- File type: DLL, x86 (PE32), ImageBase 0x10000000, 5 sections (.text, .rdata, .data, .reloc, .rsrc), 1 executable section
- Subsystem: Windows GUI; MajorOSVersion/MinorOSVersion: 6.0; Characteristics: 0x2102 (executable image, 32-bit machine, DLL); ASLR: enabled; UAC execution level (manifest): asInvoker
- EntryPoint (RVA): 0x519F; SizeOfHeaders: 0x400; SizeOfImage: 0x396000; CheckSum (header): 0x006723B7
- Data directories (RVA): ExportTable 0x9C70, ImportTable 0xF200, IAT 0x6000
- TimeDateStamp: 0x69EE6365 = 26/04/2026 19:11:33 UTC
| Sections Info |
| Section | Flags | Raw Offset | Raw Size | Virtual Offset | Virtual Size | Raw End |
|---|---|---|---|---|---|---|
| .text | 0x60000020 Code, Executable, Readable | 400 | 4C00 | 1000 | 4A60 | 5000 |
| .rdata | 0x40000040 Initialized Data, Readable | 5000 | 9800 | 6000 | 965C | E800 |
| .data | 0xC0000040 Initialized Data, Readable, Writeable | E800 | E00 | 10000 | 18F8 | F600 |
| .reloc | 0x42000040 Initialized Data, Discardable, Readable | F600 | 800 | 12000 | 78C | FE00 |
| .rsrc | 0x40000040 Initialized Data, Readable | FE00 | 382A00 | 13000 | 382A00 | 392800 |

All values are hex; Raw End (Raw Offset + Raw Size) is derived from the two preceding columns. Per-section entropy and chi² were not reported. Flag 0x02000000 in .reloc is IMAGE_SCN_MEM_DISCARDABLE (the raw report labelled it "GP-Relative", which is 0x00008000). Section data ends at 0x392800 while the file is 0x66B53C bytes long, so roughly 2.8 MB of overlay follow the last section. Note the proportions: .rsrc is 0x382A00 bytes (about 3.5 MB) while the four other sections together are under 0x10000 bytes, and the Flow Anomalies table below reports executable code patterns inside .rsrc.
| Description (version resource) |
- OriginalFilename: avutil-56.dll
- CompanyName: FFmpeg Project
- LegalCopyright: Copyright (C) 2000-2020 FFmpeg Project
- ProductName: FFmpeg
- FileVersion: 56.51.100
- FileDescription: FFmpeg utility library
- ProductVersion: 4.3

These fields are self-declared metadata. They describe FFmpeg 4.3's libavutil (2020), while the link timestamp is April 2026, the Authenticode signature no longer verifies, and the export names carved below are libvlccore's rather than the av_* functions of a real avutil, so do not rely on this resource to identify the file.
| Binder/Joiner/Crypter |
| 3 PE headers found inside the file (see PE Carving below); the data appended after the last section (EOF overlay) is flagged as dropper code: 2.83 MB |
| Entry Point |
The entry point RVA 0x519F lies in section 1 (.text, virtual offset 0x1000, raw offset 0x400), so its file offset is 0x519F - 0x1000 + 0x400 = 0x459F.

Bytes at the entry point: 558BEC837D0C017505E862000000FF7510FF750CFF7508E8ABFEFFFF83C40C5DC20C00558BEC83EC148D45F40F57C050660F

Disassembly (the tool's addresses start at 0x1000 rather than at the entry RVA; add 0x419F to get real RVAs):

```
push ebp
mov ebp, esp
cmp dword ptr [ebp+0xC], 1      ; fdwReason == DLL_PROCESS_ATTACH (1) ?
jne 0x100E                      ; otherwise skip the one-time init
call 0x1070                     ; init routine, process attach only
push dword ptr [ebp+0x10]       ; lpReserved
push dword ptr [ebp+0xC]        ; fdwReason
push dword ptr [ebp+8]          ; hinstDLL
call 0xEC7                      ; the real DllMain
add esp, 0xC
pop ebp
ret 0xC                         ; stdcall: callee pops the three arguments
push ebp                        ; next function begins here
mov ebp, esp
sub esp, 0x14
lea eax, [ebp-0xC]
xorps xmm0, xmm0
push eax
```

This is the ordinary CRT DllMain thunk shape: nothing at the entry point itself is packed or obfuscated, which agrees with the low whole-file entropy reported under Packer/Compiler.
| Signatures |
- CheckSum integrity problem: header 0x006723B7 (6,759,351) vs. calculated 0x0067932D (6,787,885). A wrong checksum is not by itself proof of tampering (the loader only enforces it for drivers and certain system images), but it shows the header was not refreshed after the last change to the file.
- Rich header (raw, XOR-encoded): EF219684AB40F8D7AB40F8D7AB40F8D7A2386BD7AF40F8D7E0CAF9D6A940F8D7E0CAFBD6AA40F8D7E0CAFCD6A140F8D7E0CAFDD6A140F8D7D2C1F9D6A040F8D7AB40F9D78040F8D7AB40F8D7A840F8D721CBF8D6AA40F8D721CBFAD6AA40F8D752696368AB40F8D7. The first dword XORed with the trailing key AB40F8D7 gives "DanS" and the block ends with "Rich" followed by the key, so the structure is intact; footprint MD5 3E0A3CF68A5B5E531EE45BFCC58479E1; the tool reports it as apparently unmodified.
- Certificate / digital signature: the file carries an Authenticode signature, but the signature does not verify against the current file contents, i.e. the bytes were modified after signing. Treat the version-resource identity (FFmpeg avutil-56.dll) as unverified.
| Packer/Compiler |
- Compiler: Microsoft Visual Studio; heuristic match "Microsoft Visual C++ 6 DLL"
- Detect It Easy (DIE): PE linker Microsoft Linker(14.50**)[-]
- Entropy: 4.47537 (whole file)

The "Visual C++ 6" tag conflicts with DIE's linker version 14.50 and with the compiler build numbers encoded in the Rich header above (30729, 33145, 35403 and 35722, all from much newer MSVC toolsets); the latter two sources agree, so treat the VC++ 6 match as a false positive. No packer signature is reported, and the low whole-file entropy follows from the null-byte share shown under Extra Analysis; the notable feature of this file is the embedded images and the overlay, not packing.
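Decoding the Rich header printed under Signatures settles the compiler question without trusting either heuristic: every (prodid, build, count) entry comes out in clear once the trailing key is XORed back. The following is an added example, not PESCAN.IO's code. RICH_HEX is the hex string from the report; the prodid-to-product mapping is left to a Rich header product table and is not attempted here; the image built by make_image_with_rich() is constructed for the round-trip demo and is not the analysed file.

```python
"""Decode the XOR-encoded Rich header printed under "Rich Signature Analyzer".
Added example, not PESCAN.IO's code. RICH_HEX is the report's hex string;
the image built by make_image_with_rich() is constructed, not the sample."""
import struct

RICH_HEX = (
    "EF219684AB40F8D7AB40F8D7AB40F8D7A2386BD7AF40F8D7E0CAF9D6A940F8D7"
    "E0CAFBD6AA40F8D7E0CAFCD6A140F8D7E0CAFDD6A140F8D7D2C1F9D6A040F8D7"
    "AB40F9D78040F8D7AB40F8D7A840F8D721CBF8D6AA40F8D721CBFAD6AA40F8D7"
    "52696368AB40F8D7"
)
DANS = 0x536E6144  # b"DanS" read as a little-endian dword


def decode_rich(blob):
    """Return (key, [(prodid, build, count), ...]) from a raw Rich block.
    Layout: 'DanS'^key, three key-only padding dwords, N (compid^key, count^key)
    pairs, the literal 'Rich', then the key in clear."""
    rich_at = blob.rfind(b"Rich")
    if rich_at == -1 or rich_at + 8 > len(blob) or rich_at % 4:
        raise ValueError("no well-formed 'Rich' marker")
    key = struct.unpack_from("<I", blob, rich_at + 4)[0]
    words = [w ^ key for (w,) in struct.iter_unpack("<I", blob[:rich_at])]
    if len(words) < 6 or words[0] != DANS or any(words[1:4]):
        raise ValueError("'DanS' or padding does not decode: wrong key or truncated block")
    pairs = zip(words[4::2], words[5::2])
    return key, [(compid >> 16, compid & 0xFFFF, count) for compid, count in pairs]


def toolset_builds(entries):
    """Distinct non-zero build numbers: a quick tell for the real MSVC toolset."""
    return sorted({build for _, build, _ in entries if build})


def extract_rich_blob(image):
    """Cut the Rich block out of a whole PE image: it lives between the DOS
    stub and e_lfanew, and its start is found by XORing the key back onto 'DanS'."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    rich_at = image.rfind(b"Rich", 0x40, e_lfanew)
    if rich_at == -1:
        return None
    key = struct.unpack_from("<I", image, rich_at + 4)[0]
    start = image.rfind(struct.pack("<I", DANS ^ key), 0x40, rich_at)
    return None if start == -1 else image[start:rich_at + 8]


def make_image_with_rich(rich_blob, e_lfanew=0x100):
    """Constructed minimal image (demo only) carrying rich_blob at 0x80."""
    img = bytearray(e_lfanew + 4)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[0x80:0x80 + len(rich_blob)] = rich_blob
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    return bytes(img)


if __name__ == "__main__":
    key, entries = decode_rich(bytes.fromhex(RICH_HEX))
    print("key 0x%08X" % key)
    for prodid, build, count in entries:
        print("prodid 0x%04X  build %5d  count %3d" % (prodid, build, count))
    print("toolset builds:", toolset_builds(entries))  # [30729, 33145, 35403, 35722]
    demo = make_image_with_rich(bytes.fromhex(RICH_HEX))
    print("round trip:", extract_rich_blob(demo) == bytes.fromhex(RICH_HEX))
```

The first entry decodes to prodid 0x93, build 30729 (the VS2008 SP1 toolset) and the last to prodid 0x102, build 35722, with 35403 and 33145 in between; nothing in the block points at a 12.x (Visual C++ 6) toolset. Verifying the key itself needs the raw DOS header bytes (the key is a checksum over them plus the rotated compids), which the report does not print, so only the structural check is possible from the page.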
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | CreateMutexA | Create a named or unnamed mutex object for controlling access to a shared resource. |
| KERNEL32.DLL | VirtualAlloc | Reserve, commit, or both, a region of memory within the virtual address space of a process. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | LoadLibraryW | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |
| KERNEL32.DLL | SleepEx | Pauses the execution of the current thread, optionally allowing the thread to be awakened by a kernel object or upon expiration of a timeout. |
| Ws2_32.DLL | socket | Create a communication endpoint for networking applications. |
| Ws2_32.DLL | connect | Establish a connection to a specified socket. |
| Export Functions (carved) |
More than 400 export names were recovered. They belong to the libvlccore API (libvlc_Internal*, playlist_*, input_item_*, VLC_CompileBy, ...), which matches the libvlccore.dll reference under File Access and not the av_* exports a genuine avutil-56.dll would carry:
| AddMD5 EndMD5 FromCharset GetLang_1 GetLang_2B GetLang_2T InitMD5 NTPtime64 ToCharset VLC_CompileBy VLC_CompileHost VLC_Compiler access_vaDirectoryControlHelper addon_entry_Hold addon_entry_New addon_entry_Release addons_manager_Delete addons_manager_Gather addons_manager_Install addons_manager_LoadCatalog addons_manager_New addons_manager_Remove aout_BitsPerSample aout_ChannelExtract aout_ChannelReorder aout_CheckChannelExtraction aout_CheckChannelReorder aout_Deinterleave aout_DeviceGet aout_DeviceSet aout_DevicesList aout_FiltersAdjustResampling aout_FiltersChangeViewpoint aout_FiltersDelete aout_FiltersDrain aout_FiltersFlush aout_FiltersNew aout_FiltersPlay aout_FormatPrepare aout_FormatPrint aout_FormatPrintChannels aout_Interleave aout_MuteGet aout_MuteSet aout_VolumeGet aout_VolumeSet aout_VolumeUpdate aout_filter_RequestVout block_Alloc block_FifoCount block_FifoEmpty block_FifoGet block_FifoNew block_FifoPut block_FifoRelease block_FifoShow block_File block_FilePath block_Init block_Realloc block_TryRealloc block_heap_Alloc block_mmap_Alloc block_shm_Alloc config_AddIntf config_ChainCreate config_ChainDestroy config_ChainDuplicate config_ChainParse config_ChainParseOptions config_ExistIntf config_FindConfig config_GetDataDir config_GetFloat config_GetInt config_GetIntChoices config_GetLibDir config_GetPsz config_GetPszChoices config_GetType config_GetUserDir config_PutFloat config_PutInt config_PutPsz config_RemoveIntf config_ResetAll config_SaveConfigFile config_StringEscape config_StringUnescape core_143ae542 date_Change date_Decrement date_Get date_Increment date_Init date_Move date_Set decoder_AbortPictures decoder_GetDisplayDate decoder_GetDisplayRate decoder_GetInputAttachments decoder_NewAudioBuffer decoder_NewSubpicture demux_Delete demux_New demux_PacketizerDestroy demux_PacketizerNew demux_vaControl demux_vaControlHelper es_format_Clean es_format_Copy es_format_Init es_format_InitFromVideo es_format_IsSimilar filter_AddProxyCallbacks 
filter_Blend filter_ConfigureBlend filter_DelProxyCallbacks filter_DeleteBlend filter_NewBlend filter_chain_AppendConverter filter_chain_AppendFilter filter_chain_AppendFromString filter_chain_Delete filter_chain_DeleteFilter filter_chain_GetFmtOut filter_chain_IsEmpty filter_chain_MouseEvent filter_chain_MouseFilter filter_chain_NewVideo filter_chain_Reset filter_chain_SubFilter filter_chain_VideoFilter filter_chain_VideoFlush fingerprinter_Create fingerprinter_Destroy httpd_ClientIP httpd_FileDelete httpd_FileNew httpd_HandlerDelete httpd_HandlerNew httpd_HostDelete httpd_MsgAdd httpd_MsgGet httpd_RedirectDelete httpd_RedirectNew httpd_ServerIP httpd_StreamDelete httpd_StreamHeader httpd_StreamNew httpd_StreamSend httpd_StreamSetHTTPHeaders httpd_UrlCatch httpd_UrlDelete httpd_UrlNew image_Ext2Fourcc image_HandlerCreate image_HandlerDelete image_Mime2Fourcc image_Type2Fourcc input_Close input_Control input_Create input_CreateFilename input_DecoderCreate input_DecoderDecode input_DecoderDelete input_DecoderDrain input_DecoderFlush input_GetItem input_Read input_Start input_Stop input_item_AddInfo input_item_AddOpaque input_item_AddOption input_item_AddOptions input_item_AddSlave input_item_Copy input_item_CopyOptions input_item_DelInfo input_item_GetDuration input_item_GetInfo input_item_GetMeta input_item_GetName input_item_GetNowPlayingFb input_item_GetTitleFbName input_item_GetURI input_item_HasErrorWhenReading input_item_Hold input_item_IsArtFetched input_item_IsPreparsed input_item_MergeInfos input_item_MetaMatch input_item_NewExt input_item_Release input_item_ReplaceInfos input_item_SetDuration input_item_SetMeta input_item_SetName input_item_SetURI input_item_WriteMeta input_item_node_AppendItem input_item_node_AppendNode input_item_node_Create input_item_node_Delete input_item_slave_GetType input_item_slave_New input_resource_GetAout input_resource_HoldAout input_resource_New input_resource_PutAout input_resource_Release input_resource_ResetAout 
input_resource_Terminate input_resource_TerminateVout input_vaControl intf_Create libvlc_ArtRequest libvlc_InternalAddIntf libvlc_InternalCleanup libvlc_InternalCreate libvlc_InternalDestroy libvlc_InternalDialogClean libvlc_InternalDialogInit libvlc_InternalInit libvlc_InternalKeystoreClean libvlc_InternalKeystoreInit libvlc_InternalPlay libvlc_MetadataCancel libvlc_MetadataRequest libvlc_Quit libvlc_SetExitHandler mdate module_config_free module_config_get module_exists module_find module_get_capability module_get_help module_get_name module_get_object module_get_score module_gettext module_list_free module_list_get module_need module_provides module_unneed msleep mwait net_Accept net_AcceptSingle net_Connect net_ConnectDgram net_Gets net_Listen net_ListenClose net_OpenDgram net_Printf net_Read net_SetCSCov net_Write net_vaPrintf picture_BlendSubpicture picture_Clone picture_Copy picture_CopyPixels picture_CopyProperties picture_Export picture_Hold picture_New picture_NewFromFormat picture_NewFromResource picture_Release picture_Reset picture_Setup picture_fifo_Delete picture_fifo_Flush picture_fifo_New picture_fifo_OffsetDate picture_fifo_Peek picture_fifo_Pop picture_fifo_Push picture_pool_Enum picture_pool_Get picture_pool_GetSize picture_pool_New picture_pool_NewExtended picture_pool_NewFromFormat picture_pool_Release picture_pool_Reserve picture_pool_Wait plane_CopyPixels playlist_Add playlist_AddExt playlist_AddInput playlist_AssertLocked playlist_ChildSearchName playlist_Clear playlist_Control playlist_CurrentInput playlist_CurrentInputLocked playlist_CurrentPlayingItem playlist_Deactivate playlist_EnableAudioFilter playlist_Export playlist_GetAout playlist_GetNodeDuration playlist_Import playlist_IsServicesDiscoveryLoaded playlist_ItemGetById playlist_ItemGetByInput playlist_LiveSearchUpdate playlist_Lock playlist_MuteGet playlist_MuteSet playlist_NodeAddCopy playlist_NodeAddInput playlist_NodeCreate playlist_NodeDelete playlist_RecursiveNodeSort 
playlist_ServicesDiscoveryAdd playlist_ServicesDiscoveryControl playlist_ServicesDiscoveryRemove playlist_SetRenderer playlist_Status playlist_TreeMove playlist_TreeMoveMany playlist_Unlock playlist_VolumeGet playlist_VolumeSet playlist_VolumeUp sdp_AddAttribute sdp_AddMedia secstotimestr sout_AccessOutControl sout_AccessOutDelete sout_AccessOutNew sout_AccessOutRead sout_AccessOutSeek sout_AccessOutWrite sout_AnnounceRegisterSDP sout_AnnounceUnRegister sout_EncoderCreate sout_MuxAddStream sout_MuxDelete sout_MuxDeleteStream sout_MuxFlush sout_MuxGetStream sout_MuxNew sout_MuxSendBuffer sout_StreamChainDelete sout_StreamChainNew spu_ChangeFilters spu_ChangeSources spu_ClearChannel spu_Create spu_Destroy spu_PutSubpicture spu_RegisterChannel spu_Render subpicture_Delete subpicture_New subpicture_NewFromPicture subpicture_Update subpicture_region_ChainDelete subpicture_region_Copy subpicture_region_Delete subpicture_region_New text_segment_ChainDelete text_segment_Copy text_segment_Delete text_segment_New text_segment_NewInheritStyle text_style_Copy text_style_Create text_style_Delete text_style_Duplicate text_style_Merge text_style_New update_Check update_Delete update_Download update_GetRelease update_NeedUpgrade update_New us_asprintf us_atof us_strtod us_strtof us_vasprintf utf8_fprintf utf8_vfprintf var_AddCallback var_AddListCallback var_Change var_Create var_DelCallback var_DelListCallback var_Destroy • EXPORT FUNCTIONS > 400 |
| Windows REG (UNICODE) |
| Software\Intel\MediaSDK\Dispatch Software\Intel\MediaSDK\Plugin Software\Microsoft\Symbol Server SOFTWARE\Microsoft\Windows NT\CurrentVersion |
| File Access |
| WS2_32.dll ADVAPI32.dll KERNEL32.dll SHLWAPI.dll ntdll.dll bcrypt.dll JetBrains.Dpa.CollectorApi.dll USER32.dll msvcrt.dll avutil-56.dll \QUSEREX.DLL dxva2.dll d3d9.dll dxgi.dll d3d11.dll d3d11_1sdklayers.dll nvcuda.dll api-ms-win-crt-runtime-l1-1-0.dll api-ms-win-crt-convert-l1-1-0.dll VCRUNTIME140.dll SHELL32.dll libvlccore.dll .dat Microsoft.EntityFrameworkCore/Microsoft.EntityFrameworkCore.Dat SqlClientDiagnosticListener/System.Dat SqlClientDiagnosticListener/Microsoft.Dat JetBrains.DPA.SQL/Database.Command.Dat Microsoft.EntityFrameworkCore.Dat Database.Command.Dat Microsoft.Dat System.Dat Microsoft.EntityFrameworkCore.Database.Command.Dat @.dat Temp |
| File Access (UNICODE) |
| EntityFrameworkCore.Dat System.Dat Microsoft.Dat Command.Dat libmfxhw32.dll msvcrt.dll kernel32.dll Collector.exe CollectorApi.dll Kernel32.dll mscoree.dll api-ms-win-core-synch-l1-2-0.dll avutil-56.dll Direct3DCreate9 Direct3DCreate9Ex dxgi.dll d3d9.dll mfxplugin32_sw.dll mfxplugin32_hw.dll libmfxaudiosw32.dll libmfxsw32.dll Microsoft.Data.SqlClient.WriteConnectionCloseError Microsoft.Data.SqlClient.WriteCommandBefore Microsoft.Data.SqlClient.WriteConnectionCloseBefore Microsoft.Dat %3%.log |
(Adjacent UTF-16 strings that the extractor ran together, such as Direct3DCreate9/Direct3DCreate9Ex/dxgi.dll, have been separated; stray prefix bytes before mfxplugin32_hw.dll and libmfxaudiosw32.dll were dropped.)
| Words of Interest |
| Encrypt Encryption exec unescape attrib start sdelete shutdown systeminfo ping dism expand replace route |
| Words of Interest (UNICODE) |
| exec |
| URLs |
Almost all of these are certificate-chain pointers (AIA, CRL, OCSP and CPS URLs) from the embedded Authenticode and timestamp certificates. Trailing "0" or "0a" characters on several entries in the raw report are ASN.1 length bytes that follow the URL inside the certificate, not part of the URL, and have been removed. Two unrelated CA hierarchies (DigiCert and Sectigo/Comodo/USERTrust) in one file suggest more than one signed image inside it, consistent with the carved PE headers.
- DigiCert: http://ocsp.digicert.com, http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt, http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl, http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl, http://crl3.digicert.com/sha2-assured-cs-g1.crl, http://crl4.digicert.com/sha2-assured-cs-g1.crl, http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt, http://cacerts.digicert.com/DigiCertTrustedRootG4.crt, http://crl3.digicert.com/DigiCertTrustedRootG4.crl, http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl, http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt, http://www.digicert.com/CPS, https://www.digicert.com/CPS, http://crl.digicert.eu/DigiCertTrustedG4CodeSigningEuropeRSA4096SHA3842023CA1.crl, http://ocsp.digicert.eu, http://cacerts.digicert.eu/DigiCertTrustedG4CodeSigningEuropeRSA4096SHA3842023CA1.crt, http://cacerts.digicert.com/DigiCertTrustedG4TimeStampingRSA4096SHA2562025CA1.crt, http://crl3.digicert.com/DigiCertTrustedG4TimeStampingRSA4096SHA2562025CA1.crl
- Sectigo / Comodo / USERTrust: http://crl.comodoca.com/AAACertificateServices.crl, http://ocsp.comodoca.com, http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl, http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c, http://ocsp.sectigo.com, http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl, http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt, http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl, http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt, http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl, http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c, http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl, http://ocsp.usertrust.com, https://sectigo.com/CPS
- Other: http://www.videoconverterfactory.com/, https://streams.videolan.org/upload/ (from FFmpeg's standard "upload a sample" diagnostic message, see Intelligent String)
| PE Carving |
Three MZ/PE headers were found. The first is the outer DLL; the second and third start at 0x69750 and 0x164078, both inside the raw range of .rsrc (0xFE00 to 0x392800), and the third runs to the end of the file at 0x66B53C (6,731,068 bytes), i.e. it spans the remainder of .rsrc and the whole overlay. Offsets and sizes are hex.
| Start Offset (header) | End Offset | Size (bytes) |
|---|---|---|
| 0 | 69750 | 69750 |
| 69750 | 164078 | FA928 |
| 164078 | 66B53C | 5074C4 |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | WinAPI Sockets (bind) |
| Text | Ascii | WinAPI Sockets (accept) |
| Text | Ascii | WinAPI Sockets (connect) |
| Text | Ascii | WinAPI Sockets (recv) |
| Text | Ascii | WinAPI Sockets (send) |
| Text | Ascii | Registry (RegCreateKeyEx) |
| Text | Ascii | Registry (RegOpenKeyEx) |
| Text | Ascii | Registry (RegSetValueEx) |
| Text | Ascii | File (GetTempPath) |
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | File (ReadFile) |
| Text | Ascii | Anti-Analysis VM (IsDebuggerPresent) |
| Text | Ascii | Anti-Analysis VM (GetSystemInfo) |
| Text | Ascii | Reconnaissance (FindFirstFileW) |
| Text | Ascii | Reconnaissance (FindNextFileW) |
| Text | Ascii | Reconnaissance (FindClose) |
| Text | Ascii | Stealth (GetThreadContext) |
| Text | Ascii | Stealth (SetThreadContext) |
| Text | Ascii | Stealth (ExitThread) |
| Text | Ascii | Stealth (ReleaseSemaphore) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Stealth (UnmapViewOfFile) |
| Text | Ascii | Stealth (MapViewOfFile) |
| Text | Ascii | Stealth (CreateFileMappingA) |
| Text | Ascii | Stealth (CreateFileMappingW) |
| Text | Ascii | Stealth (VirtualAlloc) |
| Text | Ascii | Stealth (VirtualProtect) |
| Text | Ascii | Stealth (QueueUserAPC) |
| Text | Ascii | Execution (ResumeThread) |
| Text | Ascii | Execution (CreateSemaphoreA) |
| Text | Ascii | Execution (CreateSemaphoreW) |
| Text | Ascii | Execution (OpenEventA) |
| Text | Ascii | Execution (CreateEventA) |
| Text | Ascii | Execution (CreateEventW) |
| Text | Ascii | Antivirus Software (comodo) |
| Text | Unicode | Privileges (SeDebugPrivilege) |
| Text | Ascii | Malicious code executed after exploiting a vulnerability (Payload) |
| Text | Ascii | Malicious rerouting of traffic to an attacker-controlled site (Redirect) |
| Entry Point | Hex Pattern | DrHalo or DrGenius Image Graphics format |
| Intelligent String |
The build paths, the PDB path and the collector executable names below identify the JetBrains DPA (.NET profiling) collector API library built against Boost 1.80 (JetBrains.Dpa.CollectorApi.dll also appears under File Access), and \\.\pipe\dotnet-diagnostic-%d is the .NET runtime's diagnostics IPC pipe name. None of this belongs to FFmpeg's avutil; given the outer .text is only 0x4C00 bytes, these strings most plausibly come from the embedded images. Runs of repeated junk characters that the string extractor produced have been removed, and a few run-together strings split.
• https://www.digicert.com/CPS
• msvcrt.dll
• kernel32.dll
• .tls
• ADVAPI32.dll
• .bss
• KERNEL32.dll
• USER32.dll
• .CRT
• d3d11_1sdklayers.dll
• If you want to help, upload a sample of this file to https://streams.videolan.org/upload/ and contact the ffmpeg-devel mailing list. (ffmpeg-devel@ffmpeg.org)
• libmfxhw32.dll
• libmfxsw32.dll
• libmfxaudiosw32.dll
• mfxplugin32_sw.dll
• plugin.cfg
• d3d9.dll
• bcrypt.dll
• avutil-56.dll
• api-ms-win-core-synch-l1-2-0.dll
• mscoree.dll
• Z:\BuildAgent\work\67f056ab55b2b697\dotnet\dotCommon\Native\Shared\include\jb/utility/io_ostream.hpp
• Z:\BuildAgent\work\67f056ab55b2b697\dotnet\dotCommon\Native\Shared\include\jb/system/windows/registry/registry.hpp
• Z:\BuildAgent\work\67f056ab55b2b697\dotnet\dotCommon\Native\Shared\include\jb/system/windows/format_file_path.hpp
• Z:\BuildAgent\work\67f056ab55b2b697\dotnet\dotCommon\Native\Shared\include\jb/system/windows/detail_proc_utils.hpp
• Z:\BuildAgent\work\67f056ab55b2b697\dotnet\dotCommon\Native\Shared\include\jb/system/proc_utils.hpp
• %1%.%2%.%3%.log
• Z:\BuildAgent\work\67f056ab55b2b697\dotnet\Obj\Packages.Native\JetBrains.boost.include.1.80.0.12\build\native\include\boost/uuid/string_generator.hpp
• Z:\BuildAgent\work\67f056ab55b2b697\dotnet\dotCommon\Native\Shared\include\jb/mms/detail/layout/directory_header.hpp
• Z:\BuildAgent\work\67f056ab55b2b697\dotnet\Obj\Packages.Native\JetBrains.boost.include.1.80.0.12\build\native\include\boost/uuid/detail/random_provider_bcrypt.ipp
• JetBrains.ETW.Collector.exe
• JetBrains.DPA.Collector.exe
• Kernel32.dll
• Z:\BuildAgent\work\67f056ab55b2b697\dotnet\Obj\Packages.Native\JetBrains.boost.include.1.80.0.12\build\native\include\boost/asio/detail/impl/win_tss_ptr.ipp
• Z:\BuildAgent\work\67f056ab55b2b697\dotnet\Obj\Packages.Native\JetBrains.boost.include.1.80.0.12\build\native\include\boost/asio/detail/impl/win_mutex.ipp
• Z:\BuildAgent\work\67f056ab55b2b697\dotnet\Obj\Packages.Native\JetBrains.boost.include.1.80.0.12\build\native\include\boost/asio/detail/impl/win_thread.ipp
• thread.entry_event
• Z:\BuildAgent\work\67f056ab55b2b697\dotnet\Obj\Packages.Native\JetBrains.boost.include.1.80.0.12\build\native\include\boost/asio/detail/impl/winsock_init.ipp
• Z:\BuildAgent\work\67f056ab55b2b697\dotnet\Obj\Packages.Native\JetBrains.boost.include.1.80.0.12\build\native\include\boost/asio/detail/impl/win_iocp_io_context.ipp
• Z:\BuildAgent\work\67f056ab55b2b697\dotnet\Obj\Packages.Native\JetBrains.boost.include.1.80.0.12\build\native\include\boost/asio/impl/io_context.ipp
• Z:\BuildAgent\work\67f056ab55b2b697\dotnet\EtwService\Native\Solution\dpa_collector\../dpa_collector/src/event_pipe/event_pipe_collector_client.hpp
• Z:\BuildAgent\work\67f056ab55b2b697\dotnet\Obj\Packages.Native\JetBrains.boost.include.1.80.0.12\build\native\include\boost/asio/basic_socket.hpp
• Z:\BuildAgent\work\67f056ab55b2b697\dotnet\Obj\Packages.Native\JetBrains.boost.include.1.80.0.12\build\native\include\boost/exception/detail/exception_ptr.hpp
• Z:\BuildAgent\work\67f056ab55b2b697\dotnet\EtwService\Native\Solution\dpa_collector\src\event_processors\../../../collector/src/collector/callstacks/call_stack_resolver.hpp
• Z:\BuildAgent\work\67f056ab55b2b697\dotnet\Obj\Packages.Native\JetBrains.boost.include.1.80.0.12\build\native\include\boost/asio/detail/impl/win_iocp_handle_service.ipp
• Z:\BuildAgent\work\67f056ab55b2b697\dotnet\EtwService\Native\Solution\event_pipe_api\src\nettrace/parse_stream.hpp
• Z:\BuildAgent\work\67f056ab55b2b697\dotnet\Obj\Packages.Native\JetBrains.boost.include.1.80.0.12\build\native\include\boost/asio/impl/read.hpp
• dumping_reader internal buffer overflow
• Start checking nettrace header
• Z:\BuildAgent\work\67f056ab55b2b697\dotnet\EtwService\Native\Solution\event_pipe_api\src\session.cpp
• \\.\pipe\dotnet-diagnostic-%d
• Z:\BuildAgent\work\67f056ab55b2b697\dotnet\Obj\Packages.Native\JetBrains.boost.include.1.80.0.12\build\native\include\boost/asio/windows/basic_overlapped_handle.hpp
• Z:\BuildAgent\work\67f056ab55b2b697\dotnet\dotCommon\Native\Shared\include\jetbrains\diagnostics_ipc\ipc_message.hpp
• Z:\BuildAgent\work\67f056ab55b2b697\dotnet\Obj\Packages.Native\JetBrains.boost.include.1.80.0.12\build\native\include\boost/asio/impl/write.hpp
• Z:\BuildAgent\work\4b6d7edf58d7c8b4\dotnet\dotCommon\Native\Solution\memory_mapped_storage\src\detail\directory_allocator.cpp
• Z:\BuildAgent\work\4b6d7edf58d7c8b4\dotnet\dotCommon\Native\Solution\memory_mapped_storage\src\detail\section_data_mapper.cpp
• Z:\BuildAgent\work\4b6d7edf58d7c8b4\dotnet\dotCommon\Native\Shared\include\jb/mms/common/file_mapping.hpp
• Z:\BuildAgent\work\4b6d7edf58d7c8b4\dotnet\dotCommon\Native\Solution\memory_mapped_storage\src\common\mapping_manager.cpp
• Z:\BuildAgent\temp\buildTmp\JetBrains\CompileNative.Bin\Hybylup\windows-x86\JetBrains.Dpa.CollectorApi.pdb
• bcrypt.dll
• fragments of the DigiCert certificate chain carrying http://ocsp.digicert.com, http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt and http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl (DER bytes around the URLs removed)
| Flow Anomalies |
The .text entries target 0x10006000 to 0x100060A4, i.e. RVAs 0x6000 to 0x60A4 at the start of .rdata, which is exactly where the header places the IAT (IAT: 6000): these are ordinary `call [imp]` and `jmp [imp]` import thunks, not anomalies. The .rsrc entries are code belonging to the embedded PE images (see PE Carving) disassembled against the outer DLL's image base, so their target addresses say nothing about this image; the raw file offsets are what matter. The column the raw report labelled "RVA" holds absolute target addresses (image base 0x10000000 plus RVA).
| Offset | Target Address | Section | Type | Description |
|---|---|---|---|---|
| B65 | 10006034 | .text | CALL [static] | Indirect call to absolute memory address |
| 1148 | 10006020 | .text | CALL [static] | Indirect call to absolute memory address |
| 11ED | 10006030 | .text | CALL [static] | Indirect call to absolute memory address |
| 1271 | 10006028 | .text | CALL [static] | Indirect call to absolute memory address |
| 4240 | 1000602C | .text | JMP [static] | Indirect jump to absolute memory address |
| 4246 | 1000605C | .text | JMP [static] | Indirect jump to absolute memory address |
| 424C | 10006000 | .text | JMP [static] | Indirect jump to absolute memory address |
| 4375 | 100060A4 | .text | CALL [static] | Indirect call to absolute memory address |
| 4592 | 100060A4 | .text | CALL [static] | Indirect call to absolute memory address |
| 45D4 | 1000603C | .text | CALL [static] | Indirect call to absolute memory address |
| 45E3 | 10006040 | .text | CALL [static] | Indirect call to absolute memory address |
| 45EC | 10006044 | .text | CALL [static] | Indirect call to absolute memory address |
| 45F9 | 10006048 | .text | CALL [static] | Indirect call to absolute memory address |
| 465F | 10006038 | .text | CALL [static] | Indirect call to absolute memory address |
| 4790 | 100060A4 | .text | CALL [static] | Indirect call to absolute memory address |
| 499D | 100060A4 | .text | CALL [static] | Indirect call to absolute memory address |
| 49C9 | 100060A4 | .text | CALL [static] | Indirect call to absolute memory address |
| 4A70 | 1000604C | .text | CALL [static] | Indirect call to absolute memory address |
| 4D95 | 10006054 | .text | JMP [static] | Indirect jump to absolute memory address |
| 4D9B | 10006070 | .text | JMP [static] | Indirect jump to absolute memory address |
| 4DA1 | 10006064 | .text | JMP [static] | Indirect jump to absolute memory address |
| 4DA7 | 10006068 | .text | JMP [static] | Indirect jump to absolute memory address |
| 4DAD | 10006078 | .text | JMP [static] | Indirect jump to absolute memory address |
| 4DB3 | 10006098 | .text | JMP [static] | Indirect jump to absolute memory address |
| 4DB9 | 10006094 | .text | JMP [static] | Indirect jump to absolute memory address |
| 4DBF | 10006090 | .text | JMP [static] | Indirect jump to absolute memory address |
| 4DC5 | 10006088 | .text | JMP [static] | Indirect jump to absolute memory address |
| 4DCB | 10006084 | .text | JMP [static] | Indirect jump to absolute memory address |
| 4DD1 | 1000609C | .text | JMP [static] | Indirect jump to absolute memory address |
| 4DD7 | 1000608C | .text | JMP [static] | Indirect jump to absolute memory address |
| 4DDD | 10006080 | .text | JMP [static] | Indirect jump to absolute memory address |
| 69BA7 | 10300464 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 6C11D | 103004D4 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 6C638 | 103004D4 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 6CC23 | 103004D4 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 6D3A8 | 103004D4 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 6DB7D | 103004D4 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 6DD57 | 103004D4 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 6E0F1 | 103004D4 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 6E675 | 103004D4 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 73A8A | 103004D4 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 748E3 | 103003BC | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 748FC | 103003E4 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 76A79 | 100CD37C | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 87B9F | 103004DC | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 87BEB | 103004E0 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 87C1C | 10300388 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 87C50 | 10300420 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 87C60 | 10300380 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 87C80 | 103004D4 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 87CD8 | 103004D4 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 87DB6 | 10300488 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 87E43 | 100 | .rsrc | JMP [static] | Indirect jump to absolute memory address |
| 87EDC | 10300514 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 87F1B | 10300500 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 87F3A | 103004D4 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 87FE8 | 103004D4 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 88085 | 103004D4 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 8CFBE | 103003B0 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 8CFFA | 103003DC | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 8D038 | 10300418 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 8E114 | 103003B0 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 8E204 | 103003D4 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 8E25B | 103004D4 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 8E37B | 103003F0 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 8EAFF | 103003B0 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 900D6 | 10300380 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 9011A | 1030049C | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 901F7 | 1030038C | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 9025A | 10300430 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 902C3 | 10300414 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 903A6 | 100FA280 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 90CBB | 103003B0 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 90CCE | 103003B0 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 91087 | 10300418 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 910D9 | 10300418 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 911F4 | 10300628 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 91398 | 10300628 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 914C5 | 103003D4 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 915CB | 103003D4 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 91620 | 103004D4 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 9164D | 103004D4 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 917CA | 103003F0 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 91843 | 103003F0 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 977E8 | 103004A4 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 9790D | 103003E8 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 9792B | 103003B4 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 97951 | 103003B8 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 979E4 | 100CD378 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 97A6B | 100CD378 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 97A96 | 100CD378 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 97ADF | 100CD378 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 97EF3 | 100CD378 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 982A6 | 100CD378 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 9AC7D | 103004BC | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 9ACD6 | 103004BC | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 9ACFD | 103004B4 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 9AD39 | 103004BC | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 9AD57 | 103004B4 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 9AD79 | 103004B4 | .rsrc | CALL [static] | Indirect call to absolute memory address |
| 171446-171467 | N/A | .rsrc | BP cave | Unusual BP cave, count: 34 (0x22 bytes) |
| 392800 | N/A | Overlay | Overlay data | First 20 bytes at the overlay boundary are all 0x00 (0000000000000000000000000000000000000000) |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| ASCII bytes | 2,232,852 | 33.1723% |
| Null bytes | 3,436,443 | 51.0535% |
| NOP caves (0x9090909090) | 369 blocks | 0.0137% |

Percentages are of the whole 6,731,068-byte file; over half of it is null bytes, which is why the whole-file entropy under Packer/Compiler is as low as 4.48.