Manalyze report for 79cffe3da0b5b46d423b4b4b21b94b81d1c40fccba7c1ab9d357c4e372f10ec8

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2026-May-10 19:52:24
TLS Callbacks	1 callback(s) detected.
Debug artifacts	rustynnel.pdb

Plugin Output

Suspicious	Strings found in the binary may indicate undesirable behavior:	`Miscellaneous malware strings: cmd.exe exploit` Contains domain names: 20ca2.playfabapi.com GoDaddy.com account.microsoft.com api.github.com auth.xboxlive.com b980a380.minecraft.playfabapi.com device.auth.xboxlive.com github.com http://auth.xboxlive.comProofOfPossession https://20ca2.playfabapi.com https://20ca2.playfabapi.com/Client/LoginWithXbox https://account.microsoft.com https://account.microsoft.com/family/ https://api.github.com https://api.github.com/repos/cmgcpf/rustynnel/releases/latest https://authorization.franchise.minecraft-services.netb https://b980a380.minecraft.playfabapi.com https://b980a380.minecraft.playfabapi.com/raknetraknet https://device.auth.xboxlive.com https://device.auth.xboxlive.com/device/authenticate https://docs.rs https://github.com https://login.live.com https://login.live.com/login.srf https://login.live.com/oauth20_connect.srfresponse_type https://login.live.com/oauth20_token.srfclient_idscopeservice https://multiplayer.minecraft.net https://multiplayer.minecraft.net/ https://multiplayer.minecraft.net/authenticationMCPE/AndroidClient-Version https://multiplayer.minecraft.net/chainextraDatahttps https://rustynnel.silent-protect https://signup.live.com https://signup.live.com/signupYour https://sisu.xboxlive.com https://sisu.xboxlive.com/authorizeContent-Typeapplication/jsonx-xbl-contract-version1SignatureDatex-err login.live.com microsoft.com minecraft.net minecraft.playfabapi.com multiplayer.minecraft.net openssl.org playfabapi.com signup.live.com sisu.xboxlive.com user.auth.xboxlive.com xboxlive.com
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32` `Uses constants related to SHA1` `Uses constants related to SHA256` `Uses constants related to SHA512` `Uses constants related to RC5 or RC6`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA` `Functions which can be used for anti-debugging purposes: SwitchToThread` `Can access the registry: RegCreateKeyTransactedW RegCreateKeyExW RegCloseKey RegQueryValueExW RegOpenKeyExW RegOpenKeyTransactedW` `Possibly launches other programs: CreateProcessW` `Uses Windows's Native API: NtWriteFile NtCancelIoFileEx NtOpenFile NtReadFile NtCreateNamedPipeFile NtDeviceIoControlFile NtCreateFile` `Leverages the raw socket API to access the Internet: connect ioctlsocket WSASend recv recvfrom getsockname getpeername WSAGetLastError sendto WSASocketW bind shutdown setsockopt WSAIoctl closesocket getaddrinfo getsockopt socket WSAStartup freeaddrinfo send WSACleanup` `Interacts with the certificate store: CertOpenStore CertAddCertificateContextToStore`
Suspicious	No VirusTotal score.	`This file has never been scanned on VirusTotal.`

Hashes

MD5	`6eb71f7b1e79a7fd14f461fb28afe2fd`
SHA1	`d6dd9d7c503c3e9a84c0c23fc2d2351e98440626`
SHA256	`79cffe3da0b5b46d423b4b4b21b94b81d1c40fccba7c1ab9d357c4e372f10ec8`
SHA3	`37caf7ba7ddfa0886a751d18641a157fb95a6fd56a68d9a57ed1dc45b6290aac`
SSDeep	`98304:HGlAan+QnLjLSFrm54sz9Q3/QZV+mLUUeNA:mzDnLC+pKIDcUeN`
Imports Hash	`22d4fdea53ee2fcca88983178b5bb83f`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xe8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`5`
TimeDateStamp	2026-May-10 19:52:24
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x5aee00`
SizeOfInitializedData	`0x2cc400`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000000000591D10 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x87d000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`c0c37cb7f478d4f0d09cd889cafe1294`
SHA1	`0b62e85998584e56daf265575981bfa8e54b396c`
SHA256	`de023ccc4a45bc0ddbb19571bce8dfbc11f5a0056cad88f0dc5c6f910d684fcc`
SHA3	`7ed3454b02b32b094cbd8f4edaa9b9c7291f05a0a9ea8a23c9cfcf2cec472766`
VirtualSize	`0x5aedd9`
VirtualAddress	`0x1000`
SizeOfRawData	`0x5aee00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.31958`

.rdata

MD5	`5895e292c984caac08639af8c695a94f`
SHA1	`5cb939a553e077aae54134e257a68ec133f70207`
SHA256	`436cb5a94cd54f4626cd939ca6127b447dd8447487e014eee20c02577a20f63b`
SHA3	`f32e7de69e806006cab2b03e46d044672d881be0155d303a4afb7e2581f185ed`
VirtualSize	`0x280b56`
VirtualAddress	`0x5b0000`
SizeOfRawData	`0x280c00`
PointerToRawData	`0x5af200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.16214`

.data

MD5	`d42b5367d951d47d62c700a7bc7b625f`
SHA1	`7582716fb6bff72d5eb81d2cc23e4c65c6671077`
SHA256	`1570805de1b73f3d1dd3b544f6be2b64690f5e1f41ffd641d9d7d3d29ac83872`
SHA3	`6640e6b0a39cd487fa3d5d0014403feb84dfadfdfd4467aa2c50e6498ccf2c98`
VirtualSize	`0x3e68`
VirtualAddress	`0x831000`
SizeOfRawData	`0x3800`
PointerToRawData	`0x82fe00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.14913`

.pdata

MD5	`e5acf5cceb2f41355318ad1557fe87d6`
SHA1	`28d81af346cfc47396f267370cb68c10c230e7a0`
SHA256	`94ed70e2b288a3d2d6659a623e94cc6859c2b225fc7e9a85ff3f63aabb69f959`
SHA3	`acd5eb5b78a7dd760d8d222701021a9b60c065b3893376a6eb95793b523b6620`
VirtualSize	`0x40c44`
VirtualAddress	`0x835000`
SizeOfRawData	`0x40e00`
PointerToRawData	`0x833600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.48623`

.reloc

MD5	`956d0ac66c5542893d0240426652aee1`
SHA1	`f5e049ac4e1e258f72d59bc6430758307111d7b6`
SHA256	`823583d471b3e764b1385fb0ca2fab26ed9b106f8c48cb811459cf33e16e8fe2`
SHA3	`d59c81c2d4b8566ae0a75cad60987e9233c3b25e8051efdbf8090d8ac7e67f31`
VirtualSize	`0x68c4`
VirtualAddress	`0x876000`
SizeOfRawData	`0x6a00`
PointerToRawData	`0x874400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.45536`

Imports

kernel32.dll	`DuplicateHandle` `GetCurrentProcess` `WaitForSingleObject` `SetNamedPipeHandleState` `CreateFileW` `GetNumberOfConsoleInputEvents` `SetConsoleMode` `ReadConsoleInputW` `GetFileInformationByHandleEx` `SetHandleInformation` `GetConsoleMode` `SetConsoleCursorInfo` `GetConsoleCursorInfo` `SetConsoleCursorPosition` `FillConsoleOutputAttribute` `FillConsoleOutputCharacterA` `GetConsoleScreenBufferInfo` `GetStdHandle` `MoveFileExW` `PostQueuedCompletionStatus` `ReadFile` `GetOverlappedResult` `WriteFile` `CreateIoCompletionPort` `CancelIoEx` `GetQueuedCompletionStatusEx` `GetProcAddress` `GetModuleHandleW` `SetFileCompletionNotificationModes` `FormatMessageW` `GetLastError` `IsProcessorFeaturePresent` `GetSystemTimeAsFileTime` `Sleep` `GetModuleHandleA` `UnhandledExceptionFilter` `RtlVirtualUnwind` `HeapAlloc` `SetUnhandledExceptionFilter` `CompareStringOrdinal` `FreeEnvironmentStringsW` `InitializeSListHead` `WriteFileEx` `SleepEx` `SetLastError` `GetFullPathNameW` `HeapFree` `GetCurrentThreadId` `SetFileInformationByHandle` `SetFileTime` `HeapReAlloc` `QueryPerformanceFrequency` `QueryPerformanceCounter` `CreateThread` `GetProcessHeap` `GetCurrentProcessId` `ReadFileEx` `RtlCaptureContext` `RtlLookupFunctionEntry` `GetSystemTimePreciseAsFileTime` `GetFileInformationByHandle` `GetEnvironmentStringsW` `GetSystemDirectoryW` `GetWindowsDirectoryW` `CreateProcessW` `TerminateProcess` `AddVectoredExceptionHandler` `SetThreadStackGuarantee` `GetCurrentThread` `GetCurrentDirectoryW` `GetEnvironmentVariableW` `CloseHandle` `lstrlenW` `FindFirstFileExW` `FindClose` `ExitProcess` `GetSystemInfo` `SwitchToThread` `WideCharToMultiByte` `WaitForSingleObjectEx` `LoadLibraryA` `CreateMutexA` `ReleaseMutex` `GetFinalPathNameByHandleW` `DeleteFileW` `GetModuleFileNameW` `MultiByteToWideChar` `WriteConsoleW` `GetConsoleOutputCP` `CreateWaitableTimerExW` `SetWaitableTimer` `GetFileAttributesW` `IsDebuggerPresent`
advapi32.dll	`RegCreateKeyTransactedW` `SystemFunction036` `RegCreateKeyExW` `RegCloseKey` `RegQueryValueExW` `RegOpenKeyExW` `RegOpenKeyTransactedW`
bcryptprimitives.dll	`ProcessPrng`
api-ms-win-core-synch-l1-2-0.dll	`WakeByAddressSingle` `WaitOnAddress` `WakeByAddressAll`
ws2_32.dll	`connect` `ioctlsocket` `WSASend` `recv` `recvfrom` `getsockname` `getpeername` `WSAGetLastError` `sendto` `WSASocketW` `bind` `shutdown` `setsockopt` `WSAIoctl` `closesocket` `getaddrinfo` `getsockopt` `socket` `WSAStartup` `freeaddrinfo` `send` `WSACleanup`
secur32.dll	`EncryptMessage` `AcceptSecurityContext` `InitializeSecurityContextW` `FreeContextBuffer` `ApplyControlToken` `FreeCredentialsHandle` `DecryptMessage` `QueryContextAttributesW` `DeleteSecurityContext` `AcquireCredentialsHandleA`
crypt32.dll	`CertOpenStore` `CertAddCertificateContextToStore` `CertDuplicateCertificateContext` `CertCloseStore` `CertEnumCertificatesInStore` `CertDuplicateCertificateChain` `CertFreeCertificateChain` `CertFreeCertificateContext` `CertGetCertificateChain` `CertVerifyCertificateChainPolicy` `CertDuplicateStore`
ntdll.dll	`NtWriteFile` `NtCancelIoFileEx` `NtOpenFile` `NtReadFile` `RtlNtStatusToDosError` `NtCreateNamedPipeFile` `NtDeviceIoControlFile` `NtCreateFile`
bcrypt.dll	`BCryptGenRandom`
VCRUNTIME140.dll	`__CxxFrameHandler3` `__C_specific_handler` `__current_exception_context` `_CxxThrowException` `memset` `memcmp` `memmove` `memcpy` `__current_exception`
api-ms-win-crt-math-l1-1-0.dll	`__setusermatherr` `pow` `fmod` `ceil`
api-ms-win-crt-string-l1-1-0.dll	`strlen`
api-ms-win-crt-heap-l1-1-0.dll	`_set_new_mode` `malloc` `free` `calloc`
api-ms-win-crt-runtime-l1-1-0.dll	`_set_app_type` `_configure_narrow_argv` `_seh_filter_exe` `_initialize_onexit_table` `_wassert` `_initialize_narrow_environment` `_get_initial_narrow_environment` `_crt_atexit` `_register_onexit_function` `_initterm_e` `exit` `_exit` `terminate` `__p___argc` `__p___argv` `_cexit` `_c_exit` `_register_thread_local_exe_atexit_callback` `_initterm`
api-ms-win-crt-stdio-l1-1-0.dll	`_set_fmode` `__p__commode`
api-ms-win-crt-locale-l1-1-0.dll	`_configthreadlocale`

Delayed Imports

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2026-May-10 19:52:24
Version	`0.0`
SizeofData	`38`
AddressOfRawData	`0x74f808`
PointerToRawData	`0x74ea08`
Referenced File	rustynnel.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics	`0`
TimeDateStamp	2026-May-10 19:52:24
Version	`0.0`
SizeofData	`20`
AddressOfRawData	`0x74f830`
PointerToRawData	`0x74ea30`

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2026-May-10 19:52:24
Version	`0.0`
SizeofData	`816`
AddressOfRawData	`0x74f844`
PointerToRawData	`0x74ea44`

TLS Callbacks

StartAddressOfRawData	`0x14074fb98`
EndAddressOfRawData	`0x14074fe28`
AddressOfIndex	`0x140834860`
AddressOfCallbacks	`0x1405b0718`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_ALIGN_8BYTES`
Callbacks	`0x0000000140503280`

Load Configuration

Size	`0x140`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x140834640`

RICH Header

XOR Key	`0x70bf40fc`
Unmarked objects	`0`
Imports (VS2008 SP1 build 30729)	`12`
Imports (35207)	`2`
ASM objects (35207)	`4`
C objects (35207)	`10`
C++ objects (35207)	`24`
Total imports	`295`
C objects (35219)	`96`
Unmarked objects (#2)	`612`
Linker (35219)	`1`

Errors

Leave a comment

No comments yet.