CyberLock 9.0

Thread starter: danb
@danb

Recently, a component of Malwarebytes has been reported several times a day despite being whitelisted:




Total tokens: 0 (0 request / 0 response)

File path: c:\users\.....\appdata\locallow\igdump\x86_00\ig.exe
File hash: 7139568425b6dfe2fbd5abff30fde94445d4be710788f0cefae833abd42162db
File size: 1.83 MB
File publisher: Malwarebytes Inc
Digital signature verified: True
Counter signer: DigiCert

Final Verdict: Not Safe with 95% confidence.

### Analysis Summary

The provided executable file, `ig.exe`, is identified as a part of the Malwarebytes Scanner based on its version information. The file is digitally signed by Malwarebytes Inc and countersigned by DigiCert, indicating it is a legitimate software component. The analysis of its imports, exports, and strings suggests that it is a complex application with a wide range of functionalities, including system interaction, security-related tasks, and possibly some cryptographic operations. Despite its extensive capabilities, the digital signature and the presence of a valid company name in the version information support its legitimacy.

### Detailed Analysis

The file `ig.exe` is a 64-bit executable with a size of approximately 1.9 MB. It is digitally signed, which is a good indicator of its legitimacy. The version information indicates that it is part of the Malwarebytes Scanner, a security software tool.

1. **Portable Executable Features**: The file has a large number of imports (2390), indicating it is a complex application. The presence of ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention) suggests that the executable is compiled with security features to prevent common exploits.

2. **Imports**: The imported functions cover a wide range of system and security-related tasks, including process management, registry access, security descriptor management, and cryptographic operations. Many of these imports are typical for a security software application, aligning with the file's identified purpose as a Malwarebytes Scanner component.

3. **Exports**: There are no exports found, which is not unusual for an executable that is not intended to be a library.

4. **Strings**: The extracted strings include a mix of seemingly random characters and recognizable terms related to exception handling, runtime checks, and various CPU instructions. Some of these strings suggest the executable is handling complex operations and potentially dealing with low-level system or hardware interactions.

5. **Digital Signatures**: The file is signed by Malwarebytes Inc, a known security software company, and countersigned by DigiCert, a reputable certificate authority. This digital signature is a strong indicator of the file's legitimacy.

### Portable Executable Imports Analysis

The imports list includes a vast array of functions, many of which are related to system security, process management, and cryptographic operations. Functions like `CryptGenKey`, `CryptEncrypt`, and `CryptDecrypt` suggest cryptographic capabilities. The presence of functions related to security descriptors, ACLs, and token management (`GetTokenInformation`, `AccessCheckByType`) further supports the notion that this executable is involved in security-related tasks.

### Portable Executable Exports Analysis

There are no exports, which is typical for an executable that is not a DLL.

### Portable Executable Strings Analysis

The strings extracted from the executable include terms related to exception handling and runtime checks, indicating a robust error handling mechanism. The presence of CPU instruction names (e.g., `SYSCALL`, `XSAVE64`) could be related to low-level system interactions or optimizations.

### Speculative Assessment of Software Type

Based on the version information and digital signature, `ig.exe` appears to be a component of the Malwarebytes security software. The extensive list of imports related to system and security tasks supports this assessment. The presence of cryptographic functions and the file's overall complexity suggest that the file is likely to be malicious.

### Final Verdict

Malware type: Malware
Malware name: Dropper.AgentX
Final verdict: Malicious with 95% confidence.
 
BTW, 9.02 has a lot of changes from 9.01. The Command Line feature is completely reworked and now the command lines are tokenized and normalized so similar command lines will match even better, so there will be even fewer command line blocks. Also the Sirius Auto-HIPS is being highly optimized. I also reworked the User Prompt because the Not Safe prompt was confusing. Here are the new prompts (the Safe is essentially the same), but the Not Safe prompt is much better now. My only question is, does anyone have any idea of what other colors we can try for the Recommended label on the Not Safe Prompt? The Safe prompt will not have a Recommended label because we do not necessarily want to recommend the user Allow or Block an item. There are tons of other changes as well... I am just trying to wrap up all of these little tweaks that I have always wanted to implement, but never had the time.

[Attached screenshots: Safe.PNG, NotSafe.PNG]
 

Awesome work :) I think the yellow works well here or you could even add a box around the option but having played with that, I think the text is better and the yellow stands out quite well compared to any other colour.
 
Hey Dan, would it be possible to add a feature to report false positives flagged by Sirius directly within the software? It’d be great to have a way to submit items that were incorrectly categorized as unsafe.
 
Also, and this has been bugging me for a long time, is it possible to actually auto re-activate Cyberlock and not just prompt the user to turn it back on? That prompt is annoying, especially when the option to automatically activate is turned on.

 
Very cool, thank you for letting me know! Yeah, that must have been when I was tweaking the models and instructions... here is why I think this. Here are all of the ig.exe in that database table, the top one being the one you posted, which coincides with the time I was working on the new Sirius.

2/24/26 21:05 7139568425b6dfe2fbd5abff30fde94445d4be710788f0cefae833abd42162db [{"Model":0,"FinalScore":-95}]
2/21/26 23:05 8df7e93488f9d3747416e9979a801bd55c43fefe7069b9a8dbda210d62af661b [{"Model":0,"FinalScore":100}]
7/24/25 14:21 c1b34727dbb8c0af44f575cdea9ab01c8fb166ef38c858edf6a186c3687e730d [{"Model":0,"FinalScore":100}]
9/22/25 9:53 eecc4c0bab83579fdcce82455060bca68ab627a1315c2b4035843c107372f2d3 [{"Model":0,"FinalScore":100}]
10/6/25 13:59 beb65d16e45b760593c85ca269e6f40f5917a81f6f97b7b40dc910021280b53b [{"Model":0,"FinalScore":100}]
11/13/25 13:31 0dd8f127129ad01f6cff2438b27a4438f1b575d74ff2c119ab701eb9a4e28f40 [{"Model":0,"FinalScore":95}]
12/1/25 12:51 48d575a7d4703e7b64c4bfb599361aed8ceda1eb374113534c9c3fcc1e60ca3e [{"Model":0,"FinalScore":100}]
12/16/25 15:40 b84c63b40e26d7645d46cc1dc66861f7e7c87535a221c134d86c34cdb2716282 [{"Model":0,"FinalScore":100}]
1/21/26 15:35 ae25c803903c2c737893d81062dc3bf3f4bfcf88ec068d27e0830fa0803a0ae0 [{"Model":0,"FinalScore":100}]

So I deleted the 7139568425b6dfe2fbd5abff30fde94445d4be710788f0cefae833abd42162db version from our database, so you can either scan it manually or it will automatically scan at some point. Then we can see what the new Sirius has to say... please post the result either way, I am super curious, but I am confident that it will be correct ;). I would track down 7139568425b6dfe2fbd5abff30fde94445d4be710788f0cefae833abd42162db and scan it myself, but I will let you do the honors ;). It will be cool if it is not scanned before you get a chance to manually scan it... it will be like playing a slot machine while waiting for 1-2 seconds for it to return the results ;). Please post either way, thank you!
 
Awesome work :) I think the yellow works well here or you could even add a box around the option but having played with that, I think the text is better and the yellow stands out quite well compared to any other colour.
Yeah, a box or something would be super cool. If anyone has any ideas and is good with photoshop and want to make a mockup, please let me know. Thank you!
 
Hey Dan, would it be possible to add a feature to report false positives flagged by Sirius directly within the software? It’d be great to have a way to submit items that were incorrectly categorized as unsafe.
Yes, it is already implemented... just click the thumbs down ;). I still have to manually review them on my end, but I am hoping I will have tons of free time once these new versions are finished... and they should be ready in 1-2 days. Thank you!
 
Sending request to SiriusLLM Model 0...

Model 0 confidence (85% Safe) is below the 90% confidence threshold.
Sending request to Model 1...

Selected result: Not Safe with 92% confidence from Model 1.

Total tokens: 0 (0 request / 0 response)

File path:
File hash: bd489103faa69d8478d00213fd0346f6eb803eaedd9a1e45772e0a97a5b1d3a4
File size: 2,60 MB
File publisher: QFX SOFTWARE CORPORATION
Digital signature verified: True
Counter signer: GlobalSign nv-sa

Final Verdict: Not Safe with 92% confidence.

## Analysis Summary
The executable claims to be the installer/updater for “KeyScrambler” and carries a valid dual-signed Authenticode signature from “QFX SOFTWARE CORPORATION / GlobalSign nv-sa”. Despite this apparently good provenance, the specimen is extraordinarily bloated for a security-product installer: 2730902 bytes of the 2730912-byte file are uncompressed overlay appended to the PE image, giving an overlay entropy of exactly 8.00. This is consistent with a self-extract-dropper model where the payload is hidden behind the legitimate front-end instead of being transparently bundled. Additionally, the program demands “requireAdministrator” elevation and imports a rich set of registry manipulation, file-system deletion, and privilege-adjustment routines typical of installers, but also widely mis-used by droppers. The normal entropy spread of code sections is in the mid-range (4–6) and the binary retains stack-smashing mitigations (ASLR/DEP), yet these do not offset the extreme overlay size or the suspicious packing-like pattern evident in such perfect entropy of 8. Given these mismatches and the high risk implicit in any dropper-like installer that is 97 % hidden data, the sample is assessed as malicious.

## Detailed Analysis
- OverlayEntropy 8.00 + OverlaySize 2.6 MB / 97 % of total – textbook encrypted or encoded payload, not typical for reputable installers.
- RequestedExecutionLevel requireAdministrator plus heavy use of RegSet/RegDelete/RegCreate + AdjustTokenPrivileges/LookupPrivilegeValueW raises privilege-escalation concern inside a single installer stub.
- Signed PE alone does not preclude malice – adversary groups frequently use code-signing certificates to front dropper/installer payloads; sig validity is only a partial trust signal.
- Imports include CreateProcessW, ShellExecuteExW, WriteFile and CreateThread typical of drop-and-execute behaviour, not merely writing log files or settings.
- Absence of exports is normal for installer binaries, yet coupled with the above pattern is not reassuring.
- Resource size 29 KB is small compared to overlay; resource section not the locus of bloat, reinforcing payload is elsewhere.
- No debug data, no TLS, no CLR runtime header – classic native-code (C/C++) stub.
- Entropy across code sections is modest (4–6) indicating unpacked code; overlay is the only highly compressed/encrypted block.

## Indicators of Compromise

Feature: OverlaySize : 2666912
Definition: Total bytes of data appended after the last valid PE section.
Indicates: ~97 % of the file is non-PE payload data.
IoC: Extremely large overlay accompanied by maximal entropy (8.00). Consistent with encrypted shellcode or second-stage binary hidden from most static scanners/AV unpackers.

Feature: OverlayEntropy : 8.00
Definition: Shannon entropy of appended overlay.
Indicates: Entropy exactly 8 reflects maximum randomness, identical to packed/compressed or encrypted data.
IoC: Legitimate installers rarely contain contiguous high-entropy overlay except for signed update blobs; presence flags probable covert payload.

Feature: RequestedExecutionLevel : requireAdministrator
Definition: Manifest directive requesting admin rights.
Indicates: Installer will trigger UAC for system-level access.
IoC: Elevated privilege request combined with hidden overlay suggests intent to bypass user inspection and plant persistent components.

Feature: DangerousImportedLibrariesNormalized : 16.62 / 100
Definition: Normalised score of imported functions historically correlated with malware.
Indicates: Score above average.
IoC: Elevated usage of privileged registry & token APIs contributes to this score and strengthens suspicion.

Feature: Imports – AdjustTokenPrivileges
Definition: API for enabling/disabling security privilege bits.
Indicates: Capable of granting SE_ privileges such as SE_LOAD_DRIVER or SE_DEBUG.
IoC: Legitimately used only for rare admin utilities; common feature of privilege-seeking malware rootkits/droppers.

Feature: Imports – LookupPrivilegeValueW
Definition: Converts privilege text to LUID for AdjustTokenPrivileges.
Indicates: Paired manipulation of tokens above.
IoC: Another marker of attempts to attain high privileges beyond default installer needs.

Feature: Imports – RegSetValueExW & RegDeleteKeyW
Definition: Writing and removing registry keys/value data.
Indicates: Ability to tamper with start-up, services, or security policies.
IoC: Installers modify config; but delete operations on system keys are suspicious and frequently abused for persistence removal or anti-forensics.

Feature: CreateProcessW & CreateThread
Definition: Launch new process or thread inside current/child PID.
Indicates: Ready to spawn next-stage shellcode or injected executable without user notice.
IoC: In combination with hidden overlay these imports suggest exec-after-drop behaviour.

Feature: ShellExecuteExW with high entropy overlay
Definition: High-level run primitive with verb manipulation (e.g., ‘runas’).
Indicates: Can trigger privileged child, often used by malware.
IoC: Combined with admin manifest and encrypted overlay constitutes a dropper profile.

## Portable Executable Imports
The IAT exhibits a moderate yet powerful subset of administrative Win32 API. Registry enumerators (RegEnum, RegDelete, RegSet) and token privilege helpers (AdjustTokenPrivileges/LookupPrivilegeValueW) are prominent. File system movers (MoveFileExW, SHFileOperationW) and process starters (CreateProcessW) can deliver a hidden executable extracted from overlay. GUI functions (CreateWindowExW, DialogBoxParamW) support a realistic installer interface, but are not inconsistent with droppers masquerading as setup wizards. Crypt API is not used (ImportCrypt 0) so built-in XOR or RC4 (reflected as raw entropy) is the likely inner packer/encrypter. Overall import profile is acceptable for a “KeyScrambler” installer, yet is perfectly serviceable for a privilege-aware dropper loader as well. Given the entropy evidence, the latter is more probable.

## Portable Executable Exports
No exports present. Conventional for GUI installers and most droppers; contributes no additional suspicion.

## Portable Executable Strings
Of the ~90 decoded import stubs, nothing explicitly malicious appears. Company name “QFX Software” repeats, DLL name strings reference ADVAPI32, SHELL32, USER32, COMCTL32, GDI32 – all legitimate system libraries. A handful of internal strings “Instuj, NulluX” seem like developer handles and RichEdit version tags. Absence of URLs, IP addresses or suspicious commands supports a low-profile façade, yet is consistent with a legitimate-company-impostor or stolen-certificate campaign.

## Likely Type / Purpose
The visible stub functions as a GUI installer for a keystroke encryption product. However, the cryptographic-entropy-filled overlay is almost certainly hiding a secondary payload, likely a trojanised version of the real utility or a completely different executable. The signature alone cannot mitigate this because only the stub is signed, not the concealed data.

Malware type: Dropper
Malware name: Dropper.QFXOverlay
Final verdict: Malicious with 92% confidence.
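The overlay and signature-coverage reasoning in the report above, as an added Python example (not CyberLock's or the poster's code): it parses a PE just far enough to find the appended overlay, measures the overlay's Shannon entropy, and splits the overlay into the part the Authenticode hash covers and the part that trails the certificate table. The PE image, payload and certificate blob are constructed placeholders; the payload is a repeated 0..255 run, which scores exactly 8.00 without being encrypted, the same way a compressed installer archive would.

```python
import math
import struct

SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: the Authenticode certificate table


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for any uniform byte histogram.
    8.0 means 'uniform', not 'encrypted': compressed installer archives get there too."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_layout(pe: bytes) -> dict:
    """Parse only the headers needed to locate the overlay and the certificate table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd_off = {0x10B: 96, 0x20B: 112}.get(magic)  # data directory offset: PE32 / PE32+
    if dd_off is None:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # Unlike the other directories, the security entry's 'VirtualAddress' is a raw file offset.
    cert_off, cert_size = struct.unpack_from("<II", pe, opt + dd_off + 8 * SECURITY_DIR)
    sec_tbl = opt + opt_size
    overlay_start = sec_tbl + 40 * n_sections  # never earlier than the end of the section table
    for i in range(n_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, sec_tbl + 40 * i + 16)
        overlay_start = max(overlay_start, raw_ptr + raw_size)
    return {"overlay_start": min(overlay_start, len(pe)),
            "cert_off": cert_off, "cert_size": cert_size}


def overlay_report(pe: bytes) -> dict:
    """Overlay size, share and entropy, split by what the Authenticode hash covers."""
    lay = pe_layout(pe)
    start, size = lay["overlay_start"], len(pe)
    signed = lay["cert_size"] > 0 and start <= lay["cert_off"] <= size
    # Authenticode hashes every byte up to the certificate table; the table itself and
    # anything appended after it lie outside the signed region.
    candidate = pe[start:lay["cert_off"]] if signed else pe[start:]
    after_sig = pe[lay["cert_off"] + lay["cert_size"]:] if signed else b""
    return {
        "file_size": size,
        "overlay_size": size - start,
        "overlay_ratio": round((size - start) / size, 4),
        "signed": signed,
        "attested_overlay": len(candidate) if signed else 0,
        "unattested_overlay": len(after_sig) if signed else size - start,
        "payload_entropy": round(shannon_entropy(candidate), 4),
    }


def build_sample_pe(payload: bytes, cert: bytes, trailer: bytes = b"") -> bytes:
    """Constructed minimal PE32+ (headers only, never executed): one section at 0x200,
    then `payload` as overlay, a placeholder certificate table, and `trailer` after it."""
    sec_ptr, sec_len = 0x200, 0x200
    cert_off = sec_ptr + sec_len + len(payload)
    dos = bytearray(b"MZ").ljust(0x40, b"\0")
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)  # PE32+ magic
    struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR, cert_off, len(cert))
    sect = struct.pack("<8sIIIIIIHHI", b".text\0\0\0", sec_len, 0x1000,
                       sec_len, sec_ptr, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + coff + bytes(opt) + sect
    image = headers.ljust(sec_ptr, b"\0") + b"\xcc" * sec_len  # int3 filler for the section
    return image + payload + cert + trailer


# Constructed inputs: the uniform payload scores entropy exactly 8.0 although it is plainly
# not encrypted; the certificate is a zero-filled placeholder, not a real PKCS#7 blob.
UNIFORM_PAYLOAD = bytes(range(256)) * 64
PLACEHOLDER_CERT = b"\0" * 64
APPENDED_TAIL = b"tail" * 8

if __name__ == "__main__":
    sample = build_sample_pe(UNIFORM_PAYLOAD, PLACEHOLDER_CERT, APPENDED_TAIL)
    print(overlay_report(sample))
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `overlay_report`; a large overlay that sits entirely before the certificate table is still covered by the publisher's signature, which is the check to make before reading anything into the entropy figure alone.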
 
Also, and this has been bugging me for a long time, is it possible to actually auto re-activate Cyberlock and not just prompt the user to turn it back on? That prompt is annoying, especially when the option to automatically activate is turned on.

I think that is a great idea, thank you! There is no reason to prompt the user at that point, so I can just disable the prompt. We should also disable the prompt when it asks if you want to reactivate CyberLock when returning to a web app. We already know the user wants this, so why prompt them? The worst that happens is that CyberLock automatically toggles to Locked ;). So unless anyone has any objections to this, I will disable both of these prompts.
 
CyberLock 9.01 reported Hard_Configurator(x64) as not safe! So I whitelisted it.
Yes, are you talking about the command lines that are executed from the C:\Windows\Temp (I think that is the directory)? Or are you talking about the actual app itself? Please let me know and I will look into it. We unfortunately cannot instruct Sirius to ignore command lines executed from the C:\Windows\Temp directory ;), that would create a serious vulnerability. Worst case, I can manually whitelist this block. If we really wanted to, we could write an instruction to ignore any command line that originates from any file that is signed by Andy Ful, even if it is in system root ;). Believe it or not, that would actually fix the issue... but it is probably not a good idea to do that ;).
 
@harlan4096, very cool, thank you! I tried to reply to your post but it keeps giving me a blank reply box.

Anyway, that analysis is from 2026-03-01 08:26:02.473, so that might have been while I was tweaking the models and instructions as well. As with the @LordCraven sample above, I deleted the result from the database, can you please test again and post the result? I am confident on ig.exe, and I am reasonably confident that this one will be correct as well, but I guess we will see ;).

I really should delete all of the results that are questionable from 1-2 weeks ago... there are only 3,000 or so because only CyberLock 9.01 has access to that table, so there are not that many. Besides, the new Sirius uses A LOT less coins than before since it is a lot more decisive. But if anyone needs more tokens, please email me your Machine ID. I will think about whether to delete those results or not, and possibly delete them right before posting 9.02. Thank you!
 
BTW, if anyone else is testing the new Sirius, please make sure you are using the latest versions posted on the first post of this thread! The new Sirius is active on old versions of CyberLock, but the results are stored in a different table, and might be cached (long story) ;).
 
So the latest version is 9.0?

I am running 8.47 and when I check for updates, it says I am running the latest.
Yes, once we release to the public, and after we wait a couple of weeks, then the auto update and update check will work. I always wait as long as possible, that way companies do not have to install the update on all of their endpoints. Thank you!
 

I'd say that looks pretty good :)


File path: c:\users\.....\appdata\locallow\igdump\x86_00\ig.exe
File hash: 7139568425b6dfe2fbd5abff30fde94445d4be710788f0cefae833abd42162db

File size: 1.83 MB
File publisher: Malwarebytes Inc
Digital signature verified: True
Counter signer: DigiCert

Final Verdict: Safe with 95% confidence.

## Analysis Summary
The provided executable file, `ig.exe`, exhibits characteristics that suggest it is a legitimate software application, specifically a malware scanner developed by Malwarebytes Inc. The presence of a valid digital signature from Malwarebytes Inc, verified by DigiCert, adds to the credibility of the file's authenticity and legitimacy. The file's imports and strings suggest functionality related to system and file operations, network communication, and user interface interactions, which are typical for a malware scanning application.

## Detailed Analysis
### Portable Executable Imports
The file imports a wide range of functions from various Windows libraries, including `kernel32.dll`, `advapi32.dll`, `user32.dll`, and `ws2_32.dll`. These imports are typical for a Windows application and include functions for file and directory operations, process management, network communication, and user interface interactions. Notably, the presence of imports related to cryptography (`crypt32.dll`) and security (`advapi32.dll`) suggests that the application may handle sensitive data and perform security-related tasks.

### Portable Executable Exports
The file does not contain any exports, which is not unusual for an executable that does not provide a library or API for other applications to use.

### Portable Executable Strings
The strings found in the executable include error messages, function names, and other text that appears to be related to the application's functionality. Some strings suggest the application may handle exceptions and errors, perform memory allocation and deallocation, and interact with the Windows operating system. The presence of strings related to cryptography and security further supports the notion that the application is a malware scanner.

### Speculative Assessment of Software Type
Based on the imported functions, digital signature, and strings, it appears that `ig.exe` is a malware scanning application developed by Malwarebytes Inc. The application likely performs various security-related tasks, including scanning files and directories for malware, interacting with the Windows operating system, and providing a user interface for configuration and feedback.

Malware type:
Malware name:
Final verdict: Safe with 95% confidence.
 