Manalyze report for 863642a087da6931856eb65c0723a5c8

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2021-Jul-21 08:39:39
TLS Callbacks	1 callback(s) detected.
Debug artifacts	C:\Users\chronicallyunfunny\xboxlive-auth\target\release\deps\xboxlive_auth.pdb

Plugin Output

Info	Matching compiler(s):	`MASM/TASM - sig1(h)`
Info	Interesting strings found in the binary:	Contains domain names: account.live.com api.minecraftservices.com auth.xboxlive.com github.com http://auth.xboxlive.comTokenTypeJWTapplication http://auth.xboxlive.comTokenTypeJWTapplication/jsonSomething https://account.live.com https://account.live.com/activity https://api.minecraftservices.com https://api.minecraftservices.com/authentication/login_with_xboxidentityTokenXBL3.0 https://github.com https://login.live.com https://login.live.com/oauth20_authorize.srf?client_id https://login.live.com/oauth20_desktop.srf&scope https://user.auth.xboxlive.com https://user.auth.xboxlive.com/user/authenticatePropertiesAuthMethodRPSsrc\minecraft.rsuser.auth.xboxlive.comRpsTicketRelyingPartyhttp https://xsts.auth.xboxlive.com https://xsts.auth.xboxlive.com/xsts/authorizeSandboxIdRETAILUserTokensrp login.live.com minecraft.net minecraftservices.com user.auth.xboxlive.com xboxlive.com xsts.auth.xboxlive.com
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA` `Functions which can be used for anti-debugging purposes: SwitchToThread` `Can access the registry: RegOpenKeyExW RegQueryValueExW RegCloseKey` `Uses Windows's Native API: NtCreateFile NtDeviceIoControlFile NtCancelIoFileEx` `Leverages the raw socket API to access the Internet: send WSASend getsockopt setsockopt WSAIoctl closesocket WSAGetLastError WSAStartup freeaddrinfo WSACleanup getaddrinfo recv shutdown getpeername ioctlsocket connect bind WSASocketW` `Interacts with the certificate store: CertAddCertificateContextToStore CertOpenStore`
Safe	VirusTotal score: 0/68 (Scanned on 2021-07-21 10:09:49)	`All the AVs think this file is safe.`

Hashes

MD5	`863642a087da6931856eb65c0723a5c8`
SHA1	`1eb9a427445046c234cf57f9af8ee807765c38be`
SHA256	`73f542bcbe22a657b8c6f6f12ee0a6560862b67b1ebe32480c6a33a88de67683`
SHA3	`bf7311d2c0b91e275b2f0ca04a1d4f2366ce13c63ce2bda17f847a6d1bc277a0`
SSDeep	`49152:OwAaJAt9baMJjIDAJ3f7n3FXAJYicuea2GTwXM28FQIUYrq8FL23CCPpzY:MxP3uMtaJwXMRwy2Sgp`
Imports Hash	`651e6d1161172a996680dfb440fba3f8`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xf8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`5`
TimeDateStamp	2021-Jul-21 08:39:39
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x2f3a00`
SizeOfInitializedData	`0x1ec000`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00000000002E8B60 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x4e3000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`4e0a01313ab3f65b67f7afeecb703020`
SHA1	`87e2a8d6f0d8ed2a86ba89495a03709bfd0fa0c5`
SHA256	`fec35a5c82a5f0df48c7115b034e09b4ee73c55e0e02f9d24707a6dc33701069`
SHA3	`99f4090b72546ec1faa73e3eddd74b5ad38be52ba726b7829a7e849aa39d1f95`
VirtualSize	`0x2f39fa`
VirtualAddress	`0x1000`
SizeOfRawData	`0x2f3a00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.24937`

.rdata

MD5	`3882b59e41a2e17d6faac688252924f7`
SHA1	`8eade8166c58cfb2ec6cbe308c26a0897fab33d2`
SHA256	`3e5a4b297563ad84490ca315f6b3fb9bbd38f531935f278fd7478ea86fe9d505`
SHA3	`ca3e9c947141fc9d0ede77fadd592312717e9fa42514dc0e4db47e28e2071199`
VirtualSize	`0x1b603c`
VirtualAddress	`0x2f5000`
SizeOfRawData	`0x1b6200`
PointerToRawData	`0x2f3e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.26565`

.data

MD5	`4549527d248a33580869d992bded1710`
SHA1	`58fab3f5382d26ee7af4311aad82dddbb3fba217`
SHA256	`8a8bd620d1dbfb95ecbd6ea84426f7b6911907132285cd525190af910be15de6`
SHA3	`dd31365b77f347ad4d2d7bd453f88f47fa37d9aa83137b162605768c4145e667`
VirtualSize	`0x3108`
VirtualAddress	`0x4ac000`
SizeOfRawData	`0x2e00`
PointerToRawData	`0x4aa000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.17124`

.pdata

MD5	`6a2ee5c84d0c41bb7d803027bb7bccd4`
SHA1	`7fb5a85dbb4c5aff8adc3f0cdf1bc9b2671766b5`
SHA256	`30f8d9c8a96810d5f9ec0f5a4c98e018288a0f6c7e92eefb18c9e31cc98226df`
SHA3	`4f8b86151bc7332a48955f9aa61c88ac16981eccdb15b7e6a3eadf5732c2621f`
VirtualSize	`0x27a08`
VirtualAddress	`0x4b0000`
SizeOfRawData	`0x27c00`
PointerToRawData	`0x4ace00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.36419`

.reloc

MD5	`6e23c42c8b17742ee7ccc94df989fefa`
SHA1	`1bfb10880c5d65d766a30224ca4edf1deadd1927`
SHA256	`31cec18b4f5be3125dfef1f4f913d25d99bb186d03949939107a615d770d2860`
SHA3	`d703a4690a35b06eb8fcf9dcb58209e1508814f00367890b336b97ab4e96bbbc`
VirtualSize	`0xaff4`
VirtualAddress	`0x4d8000`
SizeOfRawData	`0xb000`
PointerToRawData	`0x4d4a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.46638`

Imports

ntdll.dll	`RtlVirtualUnwind` `RtlNtStatusToDosError` `RtlLookupFunctionEntry` `RtlCaptureContext` `NtCreateFile` `NtDeviceIoControlFile` `NtCancelIoFileEx`
ADVAPI32.dll	`SystemFunction036` `RegOpenKeyExW` `RegQueryValueExW` `RegCloseKey`
CRYPT32.dll	`CertDuplicateCertificateChain` `CertFreeCertificateChain` `CertEnumCertificatesInStore` `CertGetCertificateChain` `CertVerifyCertificateChainPolicy` `CertFreeCertificateContext` `CertDuplicateCertificateContext` `CertAddCertificateContextToStore` `CertDuplicateStore` `CertCloseStore` `CertOpenStore`
KERNEL32.dll	`InitializeSListHead` `IsDebuggerPresent` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `GetCurrentThreadId` `ReleaseSRWLockExclusive` `AcquireSRWLockExclusive` `TryAcquireSRWLockExclusive` `ReleaseSRWLockShared` `AcquireSRWLockShared` `GetCurrentProcessId` `SleepConditionVariableSRW` `GetSystemInfo` `SetFileCompletionNotificationModes` `WriteFile` `ReadFile` `CloseHandle` `CreateIoCompletionPort` `GetQueuedCompletionStatusEx` `PostQueuedCompletionStatus` `GetStdHandle` `GetConsoleMode` `GetFileInformationByHandleEx` `InitializeCriticalSection` `LeaveCriticalSection` `ReleaseMutex` `GetLastError` `SwitchToThread` `GetCurrentProcess` `GetCurrentThread` `GetProcAddress` `SetLastError` `GetCurrentDirectoryW` `GetEnvironmentVariableW` `GetCommandLineW` `EnterCriticalSection` `WaitForSingleObject` `WakeAllConditionVariable` `WakeConditionVariable` `TryEnterCriticalSection` `QueryPerformanceCounter` `GetSystemTimeAsFileTime` `TlsGetValue` `TlsSetValue` `TlsAlloc` `HeapAlloc` `GetProcessHeap` `HeapFree` `HeapReAlloc` `AddVectoredExceptionHandler` `SetThreadStackGuarantee` `WaitForSingleObjectEx` `LoadLibraryA` `CreateMutexA` `IsProcessorFeaturePresent` `GetFinalPathNameByHandleW` `SetHandleInformation` `GetModuleHandleW` `FormatMessageW` `GetModuleFileNameW` `ExitProcess` `CreateThread` `QueryPerformanceFrequency` `GetModuleHandleA` `WriteConsoleW` `ReadConsoleW`
Secur32.dll	`FreeCredentialsHandle` `AcquireCredentialsHandleA` `EncryptMessage` `InitializeSecurityContextW` `AcceptSecurityContext` `FreeContextBuffer` `DecryptMessage` `ApplyControlToken` `DeleteSecurityContext` `QueryContextAttributesW`
WS2_32.dll	`send` `WSASend` `getsockopt` `setsockopt` `WSAIoctl` `closesocket` `WSAGetLastError` `WSAStartup` `freeaddrinfo` `WSACleanup` `getaddrinfo` `recv` `shutdown` `getpeername` `ioctlsocket` `connect` `bind` `WSASocketW`
VCRUNTIME140.dll	`__C_specific_handler` `_CxxThrowException` `__current_exception_context` `memcmp` `memcpy` `memmove` `__CxxFrameHandler3` `memset` `__current_exception`
api-ms-win-crt-math-l1-1-0.dll	`__setusermatherr`
api-ms-win-crt-runtime-l1-1-0.dll	`_get_initial_narrow_environment` `_initterm` `_initterm_e` `exit` `_exit` `_initialize_narrow_environment` `_configure_narrow_argv` `__p___argc` `__p___argv` `_cexit` `_c_exit` `_register_thread_local_exe_atexit_callback` `_set_app_type` `_seh_filter_exe` `terminate` `_initialize_onexit_table` `_register_onexit_function` `_crt_atexit`
api-ms-win-crt-stdio-l1-1-0.dll	`_set_fmode` `__p__commode`
api-ms-win-crt-locale-l1-1-0.dll	`_configthreadlocale`
api-ms-win-crt-heap-l1-1-0.dll	`free` `_set_new_mode`

Delayed Imports

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2021-Jul-21 08:39:39
Version	`0.0`
SizeofData	`104`
AddressOfRawData	`0x42479c`
PointerToRawData	`0x42359c`
Referenced File	C:\Users\chronicallyunfunny\xboxlive-auth\target\release\deps\xboxlive_auth.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics	`0`
TimeDateStamp	2021-Jul-21 08:39:39
Version	`0.0`
SizeofData	`20`
AddressOfRawData	`0x424804`
PointerToRawData	`0x423604`

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2021-Jul-21 08:39:39
Version	`0.0`
SizeofData	`812`
AddressOfRawData	`0x424818`
PointerToRawData	`0x423618`

TLS Callbacks

StartAddressOfRawData	`0x140424b70`
EndAddressOfRawData	`0x140424ce8`
AddressOfIndex	`0x1404af070`
AddressOfCallbacks	`0x1402f55a8`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_ALIGN_16BYTES`
Callbacks	`0x00000001402D0240`

Load Configuration

Size	`0x138`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x1404aece8`

RICH Header

XOR Key	`0xe3481d6f`
Unmarked objects	`0`
Imports (VS2008 SP1 build 30729)	`12`
Imports (VS2019 Update 9 (16.9.2-3) compiler 29913)	`2`
C++ objects (VS2019 Update 9 (16.9.2-3) compiler 29913)	`22`
C objects (VS2019 Update 9 (16.9.2-3) compiler 29913)	`9`
ASM objects (VS2019 Update 9 (16.9.2-3) compiler 29913)	`3`
Imports (27412)	`17`
Total imports	`241`
Unmarked objects (#2)	`524`
Linker (VS2019 Update 9 (16.9.5) compiler 29915)	`1`

863642a087da6931856eb65c0723a5c8

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.pdata

.reloc

Imports

Delayed Imports

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

IMAGE_DEBUG_TYPE_VC_FEATURE

IMAGE_DEBUG_TYPE_POGO

TLS Callbacks

Load Configuration

RICH Header

Errors