Manalyze report for accabdc4ce7d6a67dd9946fffd4c4ca0ca6621e366b62ce93d94781e93fad8ac

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2026-May-10 20:06:55
TLS Callbacks	1 callback(s) detected.
Debug artifacts	rustynnel.pdb

Plugin Output

Suspicious	Strings found in the binary may indicate undesirable behavior:	`Miscellaneous malware strings: cmd.exe exploit` Contains domain names: 20ca2.playfabapi.com GoDaddy.com account.microsoft.com auth.xboxlive.com authorization.franchise.minecraft-services.net b980a380.minecraft.playfabapi.com device.auth.xboxlive.com franchise.minecraft-services.net github.com http://auth.xboxlive.comProofOfPossession https://20ca2.playfabapi.com https://20ca2.playfabapi.com/Client/LoginWithXbox https://account.microsoft.com https://account.microsoft.com/family/ https://authorization.franchise.minecraft-services.net https://b980a380.minecraft.playfabapi.com https://b980a380.minecraft.playfabapi.com/raknetraknet https://device.auth.xboxlive.com https://device.auth.xboxlive.com/device/authenticate https://docs.rs https://github.com https://login.live.com https://login.live.com/login.srf https://login.live.com/oauth20_connect.srfresponse_type https://login.live.com/oauth20_token.srfclient_idscopeservice https://multiplayer.minecraft.net https://multiplayer.minecraft.net/ https://multiplayer.minecraft.net/authenticationMCPE/AndroidClient-Version https://multiplayer.minecraft.net/chainextraDatahttps https://signup.live.com https://signup.live.com/signupYour https://sisu.xboxlive.com https://sisu.xboxlive.com/authorizeContent-Typeapplication/jsonx-xbl-contract-version1SignatureDatex-err login.live.com microsoft.com minecraft-services.net minecraft.net minecraft.playfabapi.com multiplayer.minecraft.net openssl.org playfabapi.com services.net signup.live.com sisu.xboxlive.com user.auth.xboxlive.com xboxlive.com
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32` `Uses constants related to SHA1` `Uses constants related to SHA256` `Uses constants related to SHA512` `Uses constants related to RC5 or RC6`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA` `Functions which can be used for anti-debugging purposes: SwitchToThread` `Can access the registry: RegCreateKeyExW RegCreateKeyTransactedW RegOpenKeyTransactedW RegCloseKey RegQueryValueExW RegOpenKeyExW` `Possibly launches other programs: CreateProcessW` `Uses Windows's Native API: NtWriteFile NtCancelIoFileEx NtOpenFile NtReadFile NtCreateNamedPipeFile NtDeviceIoControlFile NtCreateFile` `Leverages the raw socket API to access the Internet: connect ioctlsocket WSASend recv recvfrom getsockname getpeername WSAGetLastError sendto WSASocketW bind shutdown setsockopt WSAIoctl closesocket getaddrinfo getsockopt socket WSAStartup freeaddrinfo send WSACleanup` `Interacts with the certificate store: CertOpenStore CertAddCertificateContextToStore`
Safe	VirusTotal score: 0/71 (Scanned on 2026-05-10 20:07:56)	`All the AVs think this file is safe.`

Hashes

MD5	`ebb09e8fb7771d939581012cd6e31adc`
SHA1	`186d4bbb65449bf975dae0c0d82615e1fd50ea2f`
SHA256	`accabdc4ce7d6a67dd9946fffd4c4ca0ca6621e366b62ce93d94781e93fad8ac`
SHA3	`92e7573020883a8d4e6ada23862dce05a618ba695ad332648e21d9b25e925450`
SSDeep	`49152:JYC1gRmsFmwKaUfiS4yyam2XSA5DnJYwR0u84q38+grad+nt8JtRSlejyJVrrf0:G/R4gp8oDr2SYXx6n+mN//bs+DwO`
Imports Hash	`77163f8ac11a231d3d2ddc07ae0e89d6`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xe8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`5`
TimeDateStamp	2026-May-10 20:06:55
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x5ab400`
SizeOfInitializedData	`0x2cbc00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x000000000058DE50 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x87a000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`83d662aba5cf1e40f7af1ff0247a91dc`
SHA1	`03009739715b1fdefe5cabe556b2b16c8513a076`
SHA256	`6571a596de9b936242dc85215112f5ec173b83baecce207a7bfc4ba2dfa37e5c`
SHA3	`cf8f13a2a77bf39858139e602661cfff67038c1641da2eb9111239e8efdd8cac`
VirtualSize	`0x5ab329`
VirtualAddress	`0x1000`
SizeOfRawData	`0x5ab400`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.31972`

.rdata

MD5	`3a50b7869668ea938280a50214bde3de`
SHA1	`ce01749a02b5e40a37d1d93f9ecf59d7167036b1`
SHA256	`170a64f3b9dffd0863ee1ebbf20a075fde7770ce1c21ea239ba392f6affbf68a`
SHA3	`7b8df138321c13dcb21d131c6d663c660ea644ca210c89edaa20614af0c136f9`
VirtualSize	`0x28042e`
VirtualAddress	`0x5ad000`
SizeOfRawData	`0x280600`
PointerToRawData	`0x5ab800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.16694`

.data

MD5	`8be16b82de76632f1f5202f20dfdab46`
SHA1	`77c461e08ac135e8637296d3e406d7aa8e871e3e`
SHA256	`fb1485e83dabe0da1eea3d68404a2e4d110b455d72f9fa5f293d734c23deb281`
SHA3	`7a0eca5156298eb6aa1c9af754b21098b40900b3a8a9a00882dbb9bad61cfd2f`
VirtualSize	`0x3e68`
VirtualAddress	`0x82e000`
SizeOfRawData	`0x3800`
PointerToRawData	`0x82be00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.15294`

.pdata

MD5	`7fb4d337c13a9ec7aa7c1faab1894007`
SHA1	`0b2e6a6770452fa13c042f045501470e56712d64`
SHA256	`ccdfa40f4679459da6ddee12d06d19bd11844b8e8442719abc5cc44f6af4020b`
SHA3	`6a7e524d10a81a59a8f9e7254942fe15a50e1fe756e1c2d86f254a89a55d37b3`
VirtualSize	`0x40b48`
VirtualAddress	`0x832000`
SizeOfRawData	`0x40c00`
PointerToRawData	`0x82f600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.49233`

.reloc

MD5	`50852522827b183d71641d56fe8c7531`
SHA1	`7cc73812a6e7a849d41be837daf9da1563b47b90`
SHA256	`8d2ad87a2163001f771d990024c1c696305fac9461820fa6c11c8505d6197571`
SHA3	`8a02d423fdac6a64ad5bad0ea585fc3d5b85a9c48b53bf3a631b7f72c27dd3fa`
VirtualSize	`0x68b0`
VirtualAddress	`0x873000`
SizeOfRawData	`0x6a00`
PointerToRawData	`0x870200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.45731`

Imports

advapi32.dll	`RegCreateKeyExW` `RegCreateKeyTransactedW` `SystemFunction036` `RegOpenKeyTransactedW` `RegCloseKey` `RegQueryValueExW` `RegOpenKeyExW`
kernel32.dll	`DuplicateHandle` `GetCurrentProcess` `WaitForSingleObject` `SetNamedPipeHandleState` `CreateFileW` `GetNumberOfConsoleInputEvents` `SetConsoleMode` `ReadConsoleInputW` `GetFileInformationByHandleEx` `SetHandleInformation` `GetConsoleMode` `SetConsoleCursorInfo` `GetConsoleCursorInfo` `SetConsoleCursorPosition` `FillConsoleOutputAttribute` `FillConsoleOutputCharacterA` `GetConsoleScreenBufferInfo` `GetStdHandle` `MoveFileExW` `PostQueuedCompletionStatus` `ReadFile` `GetOverlappedResult` `WriteFile` `CreateIoCompletionPort` `CancelIoEx` `GetQueuedCompletionStatusEx` `GetProcAddress` `GetModuleHandleW` `SetFileCompletionNotificationModes` `FormatMessageW` `GetLastError` `IsProcessorFeaturePresent` `GetSystemTimeAsFileTime` `Sleep` `GetModuleHandleA` `UnhandledExceptionFilter` `RtlVirtualUnwind` `HeapAlloc` `SetUnhandledExceptionFilter` `CompareStringOrdinal` `FreeEnvironmentStringsW` `InitializeSListHead` `WriteFileEx` `SleepEx` `SetLastError` `GetFullPathNameW` `HeapFree` `GetCurrentThreadId` `SetFileInformationByHandle` `SetFileTime` `HeapReAlloc` `QueryPerformanceFrequency` `QueryPerformanceCounter` `CreateThread` `GetProcessHeap` `GetCurrentProcessId` `ReadFileEx` `RtlCaptureContext` `RtlLookupFunctionEntry` `GetSystemTimePreciseAsFileTime` `CloseHandle` `GetFileInformationByHandle` `GetEnvironmentStringsW` `GetSystemDirectoryW` `GetWindowsDirectoryW` `CreateProcessW` `TerminateProcess` `AddVectoredExceptionHandler` `SetThreadStackGuarantee` `GetCurrentThread` `GetCurrentDirectoryW` `GetEnvironmentVariableW` `lstrlenW` `FindFirstFileExW` `FindClose` `ExitProcess` `GetSystemInfo` `SwitchToThread` `WideCharToMultiByte` `WaitForSingleObjectEx` `LoadLibraryA` `CreateMutexA` `ReleaseMutex` `GetFinalPathNameByHandleW` `DeleteFileW` `GetModuleFileNameW` `MultiByteToWideChar` `WriteConsoleW` `GetConsoleOutputCP` `CreateWaitableTimerExW` `SetWaitableTimer` `GetFileAttributesW` `IsDebuggerPresent`
bcryptprimitives.dll	`ProcessPrng`
api-ms-win-core-synch-l1-2-0.dll	`WakeByAddressSingle` `WaitOnAddress` `WakeByAddressAll`
ws2_32.dll	`connect` `ioctlsocket` `WSASend` `recv` `recvfrom` `getsockname` `getpeername` `WSAGetLastError` `sendto` `WSASocketW` `bind` `shutdown` `setsockopt` `WSAIoctl` `closesocket` `getaddrinfo` `getsockopt` `socket` `WSAStartup` `freeaddrinfo` `send` `WSACleanup`
secur32.dll	`EncryptMessage` `ApplyControlToken` `AcceptSecurityContext` `InitializeSecurityContextW` `FreeContextBuffer` `FreeCredentialsHandle` `DecryptMessage` `QueryContextAttributesW` `DeleteSecurityContext` `AcquireCredentialsHandleA`
crypt32.dll	`CertOpenStore` `CertAddCertificateContextToStore` `CertDuplicateCertificateContext` `CertCloseStore` `CertEnumCertificatesInStore` `CertDuplicateCertificateChain` `CertFreeCertificateChain` `CertFreeCertificateContext` `CertGetCertificateChain` `CertVerifyCertificateChainPolicy` `CertDuplicateStore`
ntdll.dll	`NtWriteFile` `NtCancelIoFileEx` `NtOpenFile` `NtReadFile` `RtlNtStatusToDosError` `NtCreateNamedPipeFile` `NtDeviceIoControlFile` `NtCreateFile`
bcrypt.dll	`BCryptGenRandom`
VCRUNTIME140.dll	`memmove` `memcpy` `__C_specific_handler` `__current_exception_context` `_CxxThrowException` `memset` `__current_exception` `memcmp` `__CxxFrameHandler3`
api-ms-win-crt-math-l1-1-0.dll	`__setusermatherr` `pow` `fmod` `ceil`
api-ms-win-crt-string-l1-1-0.dll	`strlen`
api-ms-win-crt-heap-l1-1-0.dll	`_set_new_mode` `malloc` `free` `calloc`
api-ms-win-crt-runtime-l1-1-0.dll	`_set_app_type` `_configure_narrow_argv` `_seh_filter_exe` `_initialize_onexit_table` `_wassert` `terminate` `_crt_atexit` `_initterm` `_initterm_e` `_get_initial_narrow_environment` `_register_onexit_function` `exit` `_exit` `_initialize_narrow_environment` `__p___argc` `__p___argv` `_cexit` `_c_exit` `_register_thread_local_exe_atexit_callback`
api-ms-win-crt-stdio-l1-1-0.dll	`_set_fmode` `__p__commode`
api-ms-win-crt-locale-l1-1-0.dll	`_configthreadlocale`

Delayed Imports

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2026-May-10 20:06:55
Version	`0.0`
SizeofData	`38`
AddressOfRawData	`0x74c808`
PointerToRawData	`0x74b008`
Referenced File	rustynnel.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics	`0`
TimeDateStamp	2026-May-10 20:06:55
Version	`0.0`
SizeofData	`20`
AddressOfRawData	`0x74c830`
PointerToRawData	`0x74b030`

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2026-May-10 20:06:55
Version	`0.0`
SizeofData	`816`
AddressOfRawData	`0x74c844`
PointerToRawData	`0x74b044`

TLS Callbacks

StartAddressOfRawData	`0x14074cb98`
EndAddressOfRawData	`0x14074ce28`
AddressOfIndex	`0x140831860`
AddressOfCallbacks	`0x1405ad718`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_ALIGN_8BYTES`
Callbacks	`0x00000001404FF3C0`

Load Configuration

Size	`0x140`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x140831640`

RICH Header

XOR Key	`0x70bf40fc`
Unmarked objects	`0`
Imports (VS2008 SP1 build 30729)	`12`
Imports (35207)	`2`
ASM objects (35207)	`4`
C objects (35207)	`10`
C++ objects (35207)	`24`
Total imports	`295`
C objects (35219)	`96`
Unmarked objects (#2)	`612`
Linker (35219)	`1`

Errors

Leave a comment

No comments yet.