drop malfind or procdump pe region · analyze pe header for in-memory anomalies · header stomping unpacked sections hollowing indicators · export csv · runs locally
pe region binary
drop pe region or memory dump
or click
malfind carve · procdump · volatility pe region — first 64 MB per file
drop malfind region · procdump pe · raw mz binary