Manalyze report for a2d9bfbcab3b9e716c21b430e083fa32

This file seems to be a .NET executable.
Sadly, Manalyzer's analysis techniques were designed for native code, so it's likely that this report won't tell you much.
Sorry!

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2020-Apr-27 09:22:49
Debug artifacts	E:\BuildAgent\work\c18c4ff348e4097\win\src\Tools\Agent\XdrAgentCleaner\obj\Release\XdrAgentCleaner.pdb
Comments
CompanyName	Palo Alto Networks, Inc.
FileDescription	Cortex XDR Cleaner
FileVersion	`7.1.1.46465`
InternalName	XdrAgentCleaner.exe
LegalCopyright	Palo Alto Networks 2019 © All rights reserved.
LegalTrademarks
OriginalFilename	XdrAgentCleaner.exe
ProductName	Cortex XDR
ProductVersion	`7.1.1.46465`
Assembly Version	7.1.1.46465

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 8.0` `.NET executable -> Microsoft`
Suspicious	Strings found in the binary may indicate undesirable behavior:	`Contains references to system / monitoring tools: regsvr32.exe sc.exe` `Contains references to security software: Cleaner.exe` `May have dropper capabilities: CurrentControlSet\Services CurrentVersion\Run`
Suspicious	The PE is possibly a dropper.	`Resources amount for 75.905% of the executable.`
Info	The PE is digitally signed.	`Signer: Palo Alto Networks (Netherlands) B.V.` `Issuer: DigiCert EV Code Signing CA`
Safe	VirusTotal score: 0/71 (Scanned on 2020-09-25 02:48:30)	`All the AVs think this file is safe.`

Hashes

MD5	`a2d9bfbcab3b9e716c21b430e083fa32`
SHA1	`0f27b3eb3dc50220f697983576db733173954471`
SHA256	`4a026ee716b5a1702cf5913a30b834aacecf8c570bf4fea353357f9e49b83faf`
SHA3	`ffb7a09d23f7b894cdcdd742434a31d63db908c7b3adb5f47ec2c37a9a5d8ea6`
SSDeep	`1536:q8WV88LJ9qx799AtI/p9m0tlFUN3OkeWcZPalcbRHyUfF:q8WVtsxp9Atq60tlFUN3OkeWcMlSd`
Imports Hash	`f34d5f2d4577ed6d9ceec516c1f5a744`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x80`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`3`
TimeDateStamp	2020-Apr-27 09:22:49
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`48.0`
SizeOfCode	`0x10800`
SizeOfInitializedData	`0x48600`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00012736 (Section: .text)`
BaseOfCode	`0x2000`
BaseOfData	`0x14000`
ImageBase	`0x400000`
SectionAlignment	`0x2000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x60000`
SizeOfHeaders	`0x200`
Checksum	`0x67c22`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NO_SEH` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`160bf3eb9741d196d2c6f1ab9a6999cd`
SHA1	`3a53f5e945f93ac476a8873a8e1a9ee6dead8dcc`
SHA256	`99e2f4ac656c0d4e92a46dab0f9de4290e1f029edaad2cfab9b4a6dada063e89`
SHA3	`fe2c1eb693a9b6d727666e39f1894fba29c195ebba2ff1f7fe1c1ab72299701a`
VirtualSize	`0x1076c`
VirtualAddress	`0x2000`
SizeOfRawData	`0x10800`
PointerToRawData	`0x200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`5.38382`

.rsrc

MD5	`d22709b935acb97c2d2f7d692fda91dc`
SHA1	`915651070790a790c0589265a9a08a67c3b53609`
SHA256	`009182abba1ba83bae8f372dd32f3b13803786baa84f75fb6c0d5efc777f0fef`
SHA3	`6693bf9da0484c5b602555b36b93027a745f0d695529826810f15fc5fa3670ff`
VirtualSize	`0x482c4`
VirtualAddress	`0x14000`
SizeOfRawData	`0x48400`
PointerToRawData	`0x10a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`1.93861`

.reloc

MD5	`2cf51782407dbe279cf5da1a220bce5a`
SHA1	`e458cdafc12e8e1f474658dda472068987801cc4`
SHA256	`15e5c1fd15cb21e82d54edf9d0a75df726ab7a9c12556ea4a197a2d3d0fab623`
SHA3	`6c6d30881025bab16025f5a379f33bb53a8abb8911ed09994dcf5ebe90df446a`
VirtualSize	`0xc`
VirtualAddress	`0x5e000`
SizeOfRawData	`0x200`
PointerToRawData	`0x58e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`0.10191`

Imports

mscoree.dll	`_CorExeMain`

Delayed Imports

1

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x25228`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.65648`
MD5	`629a29897b50ef12c6474775e601e89f`
SHA1	`6132ec93721226c6341cea8f9d7ef999f6453fbc`
SHA256	`afc0d6fbba98f10dd1db7dc79583a7a6f7d823abd234347e4cc7b2d705f2e28a`
SHA3	`d187c3696fa40147e16158b4028e16bdb01b7261b9e939e4c0ccfb22def3b014`

2

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x10828`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.79524`
MD5	`0d703ebb43bcbeeb63e9a253785b2bb3`
SHA1	`e1f7222c03590623de9151278a7ef8d48cf89178`
SHA256	`b4f1479874afdbd23951e72bcd1445e59122c3e8987fa1550ed6bbb9732d44c5`
SHA3	`d41f0a235ca8bc89efa6076f9dd64c69e1280f0b5bd26cfc7d4303e25380f683`

3

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x94a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.91739`
MD5	`8b1c82c3ac1612157fac8f62e8fd96da`
SHA1	`48310fcea29e3e56a0c195fb7025a32cf5802273`
SHA256	`e72025da28cec368d8142b97be5ae7d855ff7696d7d662521004e7b14284e598`
SHA3	`321551d997a9ac6ad45ca86afd29b6bb708c74e27c64f005063daa7033e83b8a`

4

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x4228`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.21896`
MD5	`66b598999cf700b32ac1fcb5a42c2dca`
SHA1	`f2c87990df1a8cd7f849bcf9d8e52d8290717cbe`
SHA256	`fb4b188da06e2a935583e9c5307d3171e82bc7d1280b194b99930c6471551db4`
SHA3	`964a85ca8f73977d282a8129999031c2c8e917a9ec63fe10051ed6753ac1ef8c`

5

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.42702`
MD5	`f0366ba78ec6ee3bd5b381f7f3ce64f9`
SHA1	`f29ac4d0a5fdf2a52f5f666cd37daa4c2135e617`
SHA256	`718af5ed0376943b6522b5edd565cc1d3ef2ba923243b6b189fefd77651585e4`
SHA3	`3e6693bfc2e565df1eeec5d52108387eea50ca698946d9a99b49b59d702c3b99`

6

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.90849`
MD5	`8796c5618c0af154930f2477e6ccb016`
SHA1	`140aa08445b11b30ff468487a7822775ed896eae`
SHA256	`63b4f4de9aecce20b0725757b43c401636c86ee8601fd503243096ad756b68c1`
SHA3	`3fad4d62355a99caadcd6bc74303f68b99f22b32e83f6f10775ade7dc7b3d8b6`

7

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x988`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.29383`
MD5	`a5c7cd05375508eba4aa8e9cad284e60`
SHA1	`89952e9e045e628a9c34319a3f8e7f3a759b2ed9`
SHA256	`8001599db426f43ae8d774ab913aa658137e232dd6ab62fe516ff7150ed0a647`
SHA3	`9099aaa9898efc3408d44a60692dbe642aec01bc513819e20ab7c15ad13e18b2`

8

Type	`RT_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.01924`
MD5	`2e06c9ab203acc4856e263825d1b1990`
SHA1	`1d0d19f1fcdbce5dbad71b85e960a88425f153bd`
SHA256	`48b9efbe9d2c072f818816e1a383b98f032c55d058c6f137283e440286acba90`
SHA3	`268bd493def45f97b5bb2f5b5c770091c27e87fa0ae0c7967b7c304a1745da24`

32512

Type	`RT_GROUP_ICON`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x76`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.10251`
Detected Filetype	Icon file
MD5	`ce78330266dbcc5a0316cf590f056543`
SHA1	`1ac42515ede5514f520ffbb055b1869f71a40bb6`
SHA256	`cfb9ffbbda209fd1334a770cb72f46a8b25aa6a214b92bdf3371af4d65fe6b4e`
SHA3	`8f0ed78ff268a69955f328e009e235619f9304cb615c4a38290bf88346f78148`

1 (#2)

Type	`RT_VERSION`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x3d0`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.44041`
MD5	`106c2f777d5875dcb885b1ca02a8cbd8`
SHA1	`90dc2f2553e9952bb6516948feea2c3c29aa1b23`
SHA256	`d0ad7dd750ad2869e7bad517ac7a0a05890cbbc55dd6054a3f80559c0937e167`
SHA3	`727700e647f2df93d149b4b206e7be0cb683c668adf642d9b7bba62abbf9a990`

1 (#3)

Type	`RT_MANIFEST`
Language	UNKNOWN
Codepage	UNKNOWN
Size	`0x697`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.2038`
MD5	`1138512c4651f57b12836e779c5186ad`
SHA1	`5dddaa80af54b49bba4f50f02c648223968f17db`
SHA256	`1c9371c27f2b80343118c5de3a960838f8c9742aa1d3b82291fa8ea4c90c120c`
SHA3	`12e5750962e1a9200799d1a46e78139f5936064f7498d2b98f0d18ffc050ba37`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	7.1.1.46465
ProductVersion	7.1.1.46465
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT_WINDOWS32` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	UNKNOWN
Comments
CompanyName	Palo Alto Networks, Inc.
FileDescription	Cortex XDR Cleaner
FileVersion (#2)	7.1.1.46465
InternalName	XdrAgentCleaner.exe
LegalCopyright	Palo Alto Networks 2019 © All rights reserved.
LegalTrademarks
OriginalFilename	XdrAgentCleaner.exe
ProductName	Cortex XDR
ProductVersion (#2)	7.1.1.46465
Assembly Version	7.1.1.46465

Resource LangID	UNKNOWN

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2020-Apr-27 09:22:49
Version	`0.0`
SizeofData	`284`
AddressOfRawData	`0x125c8`
PointerToRawData	`0x107c8`
Referenced File	E:\BuildAgent\work\c18c4ff348e4097\win\src\Tools\Agent\XdrAgentCleaner\obj\Release\XdrAgentCleaner.pdb

TLS Callbacks

Load Configuration

RICH Header

a2d9bfbcab3b9e716c21b430e083fa32

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rsrc

.reloc

Imports

Delayed Imports

1

2

3

4

5

6

7

8

32512

1 (#2)

1 (#3)

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

TLS Callbacks

Load Configuration

RICH Header

Errors