PREMIUM PESCAN.IO - Analysis Report |
| Information |
| Field | Value |
|---|---|
| Size | 2,26 MB |
| SHA-256 Hash | 5E6DBABCC9CDDD4CDA2160EEF9EB1423632F5125B362777118CA15C2D23F343F |
| SHA-1 Hash | C08915D99AA5AE3B4B82404D6E96E930835FBF13 |
| MD5 Hash | EFBC98E66C55F4D6C1CF73DA1984C827 |
| Imphash | 7334A944649B1E48472BE81F4C6882CC |
| MajorOSVersion | 10 |
| MinorOSVersion | 0 |
| CheckSum | 00244A93 |
| EntryPoint (rva) | C7BC0 |
| SizeOfHeaders | 400 |
| SizeOfImage | 268000 |
| ImageBase | 0000000140000000 |
| Architecture | x64 |
| ExportTable | 200796 |
| ImportTable | 2007EC |
| IAT | 200F20 |
| Characteristics | 22 |
| TimeDateStamp | 69D80AE1 |
| Date | 09/04/2026 20:24:01 |
| File Type | EXE |
| File Type | DLL |
| Number Of Sections | 10 |
| ASLR | Disabled |
| Section Names (Optional Header) | .text, .rdata, .data, .pdata, .fptable, .tls, _RDATA, malloc_h, .rsrc, .reloc |
| Number Of Executable Sections | 2 |
| Subsystem | Windows GUI |
| UAC Execution Level Manifest | asInvoker |
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 0x60000020 Code Executable Readable | 400 | 1CCC00 | 1000 | 1CCA2C | | |
| .rdata | 0x40000040 Initialized Data Readable | 1CD000 | 45800 | 1CE000 | 457B0 | | |
| .data | 0xC0000040 Initialized Data Readable Writeable | 212800 | 11A00 | 214000 | 33178 | | |
| .pdata | 0x40000040 Initialized Data Readable | 224200 | 17400 | 248000 | 172A4 | | |
| .fptable | 0xC0000040 Initialized Data Readable Writeable | 23B600 | 200 | 260000 | 100 | | |
| .tls | 0xC0000040 Initialized Data Readable Writeable | 23B800 | 400 | 261000 | 279 | | |
| _RDATA | 0x40000040 Initialized Data Readable | 23BC00 | 200 | 262000 | 1F4 | | |
| malloc_h | 0x60000020 Code Executable Readable | 23BE00 | 200 | 263000 | C1 | | |
| .rsrc | 0x40000040 Initialized Data Readable | 23C000 | C00 | 264000 | A28 | | |
| .reloc | 0x42000040 Initialized Data GP-Relative Readable | 23CC00 | 2600 | 265000 | 249C | | |
| Description |
| Field | Value |
|---|---|
| OriginalFilename | msedge_proxy.exe |
| CompanyName | Microsoft Corporation |
| LegalCopyright | Copyright Microsoft Corporation. All rights reserved. |
| ProductName | Microsoft Edge |
| FileVersion | 147.0.3912.60 |
| FileDescription | Microsoft Edge |
| ProductVersion | 147.0.3912.60 |
| Language | English (United States) (ID=0x409) |
| CodePage | Unicode (UTF-16 LE) (0x4B0) |
| Entry Point |
| Section number 1 has the Entry Point information. EntryPoint (calculated): C6FC0. Code: 4883EC28E80B0000004883C428E97AFEFFFFCCCC48895C241855488BEC4883EC30488B0558C4140048BB32A2DF2D992B0000. Assembler: SUB RSP, 0X28; CALL 0X1014; ADD RSP, 0X28; JMP 0XE8C; INT3; INT3; MOV QWORD PTR [RSP + 0X18], RBX; PUSH RBP; MOV RBP, RSP; SUB RSP, 0X30; MOV RAX, QWORD PTR [RIP + 0X14C458]; MOVABS RBX, 0X2B992DDFA232 |
| Signatures |
| Certificate - Digital Signature: • The file is signed and the signature is correct |
| Packer/Compiler |
| Compiler: Microsoft Visual Studio; Compiler: Pure Basic 4.x. Detect It Easy (die): • PE+(64): compiler: Microsoft Visual C/C++(2015 v.14.0)[-] • PE+(64): linker: Microsoft Linker(14.0)[-] • PE+(64): Sign tool: Windows Authenticode(2.0)[PKCS 7] • Entropy: 6.52419 |
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | VirtualAlloc | Reserve, commit, or both, a region of memory within the virtual address space of a process. |
| KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | LoadLibraryW | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |
| KERNEL32.DLL | SleepEx | Pauses the execution of the current thread, optionally allowing the thread to be awakened by a kernel object or upon expiration of a timeout. |
| SHELL32.DLL | ShellExecuteExW | Performs a run operation on a specific file. |
| Windows REG (UNICODE) |
| SOFTWARE\Microsoft\Windows NT\CurrentVersion; Software\Microsoft\Edge; Software\Microsoft\EdgeUpdate\Clients\; Software\Microsoft\EdgeUpdate\ClientState\; SOFTWARE\Classes; SOFTWARE\Microsoft\Shared Tools\MSInfo |
| File Access |
| msedge_proxy.exe v8.exe api-ms-win-core-winrt-l1-1-0.dll api-ms-win-core-winrt-string-l1-1-0.dll api-ms-win-core-winrt-error-l1-1-0.dll ntdll.dll KERNEL32.dll SHLWAPI.dll OLEAUT32.dll dbghelp.dll USERENV.dll ole32.dll WINMM.dll USER32.dll SHELL32.dll ADVAPI32.dll viz,input.scr viz,benchmark,input.scr renderer,benchmark,rail,input.scr interactions,input.scr input,input.scr cc,benchmark,input,input.scr benchmark,latencyInfo,rail,input.scr disabled-by-default-devtools.scr input.scr .dat PERFETTO_CHECK(blob.dat @.dat Temp |
| File Access (UNICODE) |
| RtlGetDeviceFamilyInfoEnumntdll.dll mscopilot.exe msedge.exe msedge_proxy.exe msedgewebview2.exe source-shortcutmsedge.exe copilot_app_browser_tests.exe Fmsedge_proxy.exe mscopilot_proxy.exe \usp10.dll api-ms-win-downlevel-shell32-l1-1-0.dll dbghelp.dll onecore.dll .\..\base\win\object_watcher.ccStopWatchingUnregisterWaitExKernel32.dll user32.dll mscoree.dll ApplicationModel.Dat vmoduledebug.log Temp ProgramFiles |
| Interest's Words |
| PassWord exec attrib start hostname sdelete shutdown systeminfo ping expand replace route |
| Interest's Words (UNICODE) |
| exec |
| Anti-VM/Sandbox/Debug Tricks |
| OllyDbg Library - dbghelp.dll |
| Anti-VM/Sandbox/Debug Tricks (UNICODE) |
| OllyDbg Library - dbghelp.dll |
| URLs |
| http://schemas.microsoft.com/SMI/2020/WindowsSettings http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl http://www.microsoft.com/pkiops/certs/MicCodSigPCA2011_2011-07-08.crt http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt http://www.microsoft.com/pkiops/docs/primarycps.htm http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl http://www.microsoft.com/pkiops/certs/Microsoft%20Time-Stamp%20PCA%202010(1).crt http://www.microsoft.com/pkiops/Docs/Repository.htm http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt https://perfetto.dev/docs/contributing/getting-startedcommunity). https://www.microsoft.com |
| Emails |
| appro@openssl.org |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | Unicode escape - \u00 - (Common Unicode escape sequences) |
| Text | Ascii | WinAPI Sockets (bind) |
| Text | Ascii | WinAPI Sockets (connect) |
| Text | Ascii | WinAPI Sockets (send) |
| Text | Ascii | Registry (RegOpenKeyEx) |
| Text | Ascii | Registry (RegGetValue) |
| Text | Ascii | File (GetTempPath) |
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | File (ReadFile) |
| Text | Ascii | Anti-Analysis VM (IsDebuggerPresent) |
| Text | Ascii | Anti-Analysis VM (GetSystemInfo) |
| Text | Ascii | Anti-Analysis VM (GlobalMemoryStatusEx) |
| Text | Ascii | Anti-Analysis VM (GetVersion) |
| Text | Ascii | Reconnaissance (FindNextFileW) |
| Text | Ascii | Reconnaissance (FindClose) |
| Text | Ascii | Stealth (GetThreadContext) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Stealth (UnmapViewOfFile) |
| Text | Ascii | Stealth (VirtualAlloc) |
| Text | Ascii | Stealth (VirtualProtect) |
| Text | Ascii | Execution (CreateProcessA) |
| Text | Ascii | Execution (CreateProcessW) |
| Text | Ascii | Execution (ShellExecute) |
| Text | Ascii | Execution (ResumeThread) |
| Text | Ascii | Execution (CreateEventW) |
| Text | Ascii | Malware that monitors and collects user data (Spy) |
| Text | Ascii | Information used for user authentication (Credential) |
| Text | Unicode | Unauthorized movement of funds or data (Transfer) |
| Text | Ascii | Technique used to capture communications between systems (Intercept) |
| Text | Ascii | Abuse of power for personal gain or unethical purposes (Corruption) |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8.0 (DLL) |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \VERSION\1\1033 | 2640A0 | 44C | 23C0A0 | 4C0434000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000 | L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \24\1\1033 | 2644F0 | 531 | 23C4F0 | 3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D38223F3E0A3C617373656D626C792078 | <?xml version="1.0" encoding="UTF-8"?>.<assembly x |
| Intelligent String |
| • mscopilot.exe • msedge.exe • .tls • 9KERNEL32.DLL • mscoree.dll • mscopilot_proxy.exe • Fmsedge_proxy.exe • test_interceptoretwexportInterceptors are experimental. If you want to use them, please get in touch with the project maintainers (https://perfetto.dev/docs/contributing/getting-startedcommunity).PS@ • kernel32.dll • ntdll.dll • user32.dll • Kernel32.dll • bcryptprimitives.dll • runas • %lu..\..\base\native_library_win.ccPinSystemLibraryLoadNativeLibraryHelperLoadSystemLibraryHelperGetFileAttributesExFromAppWFindFirstFileExFromAppWwindows.storage.onecore.dll • api-ms-win-downlevel-shlwapi-l1-1-0.dll • dbghelp.dll • Histogram.MismatchedConstructionArguments..\..\base\metrics\sparse_histogram.ccFactoryGetSparseHistogram-histogramN/A..\..\base\metrics\persistent_memory_allocator.ccCorruption detected in shared-memory segment.DumpWithoutCrashingEdgeLogPMA-DBG-file_namePMA-DBG-namePMA-DBG-memory_sizePMA-DBG-page_sizePMA-DBG-is_fullPMA-DBG-is_corruptedPMA-DBG-freeptrPMA-DBG-global_cookiePMA-DBG-refPMA-DBG-expected_typePMA-DBG-expected_sizePMA-DBG-block_sizePMA-DBG-block_cookiePMA-DBG-block_type_idPMA-DBG-block_nextPMA-DBG-ref_value_beforePMA-DBG-ref_value_afterPMA-DBG-ref_foundPMA-DBG-race_detectedMicrosoft.Metrics.PersistentMetrics.NotReached • DevTools.ActionTols.IssueCreatedDevTools.IssueCrDevTools.ExperimentEnabledAtLaunch..\..\base\metrics\histogram.ccBuildHistogram.TooManyBuckets.1000Blink.UseCounterMicrosoft.ENP.Framework.Microsoft.Nurturing.Framework.DialogInViewFCForceCloseFNForceClosingAnFCNonMainThreadProfile.KeepAliveLeakAtShutdownNewGroupDetectedNewGroupAddedInSnoozedStateHistory.ClearBrowsingData.FailedTasksChromeWebapp.InstallHistogram.BadConstructionArgumentsFactoryGetInternalminmaxbucket_countBadHistogramArgs-nameRangeSwappedTooManyBucketsBucketsInvalidBadHistogramArgs-validity • vmoduledebug.log • @pc:%p\u%04X\u003C\u2028\u2029 • copilot_app_browser_tests.exe • 
Microsoft.Variations.FirstRun.FeatureStateCheckedMicrosoft.FRE.FeatureStateCheckedBeforeServerOverridesFeatureList-feature-accessed-too-earlyFeatureList-early-access-allow-listMicrosoft.DumpWithoutCrashingStatusDumpWithoutCrashing-fileDumpWithoutCrashing-line • api-ms-win-downlevel-shell32-l1-1-0.dll • . Check failed: false. Logging-FATAL_MILESTONELogging-DUMP_WILL_BE_CHECK_MESSAGELogging-NOTREACHED_MESSAGE • source-shortcutmsedge.exe • msedgewebview2.exe • \usp10.dll • msedge_proxy.exe.pdb • .bss • msedge_proxy.exe |
| Flow Anomalies |
| Offset | RVA | Section | Description |
|---|---|---|---|
| E19-E3F | N/A | .text | Unusual BP Cave, count: 39 |
| 64D2-64FF | N/A | .text | Unusual BP Cave, count: 46 |
| 7711-773F | N/A | .text | Unusual NOPS Space, count: 47 |
| 8A9A-8ABF | N/A | .text | Unusual BP Cave, count: 38 |
| A011-A03F | N/A | .text | Unusual NOPS Space, count: 47 |
| AF62-AF7F | N/A | .text | Unusual NOPS Space, count: 30 |
| 10BC5-10BFF | N/A | .text | Unusual BP Cave, count: 59 |
| 11854-1187F | N/A | .text | Unusual NOPS Space, count: 44 |
| 12C02-12C3F | N/A | .text | Unusual BP Cave, count: 62 |
| 130E1-130FF | N/A | .text | Unusual NOPS Space, count: 31 |
| 143DD-143FF | N/A | .text | Unusual BP Cave, count: 35 |
| 17E22-17E3F | N/A | .text | Unusual NOPS Space, count: 30 |
| 18D97-18DBF | N/A | .text | Unusual BP Cave, count: 41 |
| 1CCE2C-1CCFFF | N/A | .text | Unusual BP Cave, count: 468 |
| 1CD40C-1CD43F | N/A | .rdata | Unusual NOPS Space, count: 52 |
| 1CDFC8-1CDFFF | N/A | .rdata | Unusual NOPS Space, count: 56 |
| 1CE090-1CE0BF | N/A | .rdata | Unusual NOPS Space, count: 48 |
| 23BEC1-23BFFF | N/A | malloc_h | Unusual BP Cave, count: 319 |
| 1FF070 | 8ED00 | .rdata | TLS Callback: Pointer to 14008ED00 - 0x8E100 .text |
| 1FF078 | C6F60 | .rdata | TLS Callback: Pointer to 1400C6F60 - 0xC6360 .text |
| 1FF080 | BA4B0 | .rdata | TLS Callback: Pointer to 1400BA4B0 - 0xB98B0 .text |
| 1FF088 | C6FE0 | .rdata | TLS Callback: Pointer to 1400C6FE0 - 0xC63E0 .text |
| 1FF090 | 75D50 | .rdata | TLS Callback: Pointer to 140075D50 - 0x75150 .text |
| 1FF098 | B6690 | .rdata | TLS Callback: Pointer to 1400B6690 - 0xB5A90 .text |
| 23BE00-23BFFF | 263000 | malloc_h | Executable section anomaly, first bytes: 56574883EC384885 |
| 23F200 | N/A | *Overlay* | 50280000000202003082284106092A864886F70D | P(......0.(A..*.H...) |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 1497211 | 63,2794% |
| Null Byte Code | 330508 | 13,9689% |
| NOP Cave Found | 0x9090909090 (Block Count: 463) | 0,0489% |