Socket for .NET

imagecomponents.win32.imaging
4.0.0.2
by Image Components
Live on nuget
Blocked by Socket
This module contains highly-obfuscated code that reads encrypted embedded resources, decrypts them, allocates and writes executable memory (using platform native APIs and /proc/self/mem), patches runtime function pointers and executes the injected payload. Those behaviors are consistent with an in-memory loader or runtime code injector and represent a significant supply-chain and runtime compromise risk. Treat this package as malicious/high-risk until the embedded payloads and runtime behavior are fully audited and a clear benign use-case is documented.
imagecomponents.core.imaging
4.0.0-alpha1
by Image Components
Live on nuget
Blocked by Socket
The analyzed fragment demonstrates high-risk, obfuscated in-memory code loading and execution capabilities, with memory-manipulation code paths for more than one platform. This strongly suggests loader/backdoor behavior rather than a benign utility. Treat as unsafe for production use until provenance is confirmed and a thorough security review validates benign intent.
dinlibrerie
1.0.0
by Dinamico
Live on nuget
Blocked by Socket
Overall, the code shows notable security concerns. Key issues include a hardcoded backdoor authentication path (SuperAbaco) that grants access independent of normal flows, numerous instances of SQL queries built with string concatenation (risk of SQL injection), and cryptographic practices that rely on an entropyKey that appears uninitialized for DPAPI usage. Additionally, there are potential data leakage risks through login logs (Utenza.json). While some secure patterns exist (PBKDF2 usage in password handling, some parameterization elsewhere), the combination of a backdoor, insecure SQL construction, and questionable crypto usage significantly elevates risk. Recommended remediation includes removing the backdoor, converting all SQL paths to parameterized queries, ensuring entropyKey is properly initialized and used, hardening logging to avoid sensitive data leakage, and enforcing a clean separation between UI and data access layers with robust input validation.
pathoschild.stardew.modbuildconfig.net
2.1.9
by Pathoschild
Live on nuget
Blocked by Socket
This assembly contains a built-in fetch-and-execute backdoor: on assembly load it launches PowerShell to download a .bat from a hardcoded GitHub raw URL and runs it hidden. This is a high-confidence malicious supply-chain behavior enabling arbitrary remote code execution. The package should be considered malicious and removed; affected systems must be investigated and remediated.
outwit.onehourappstore.loader
1.0.2
by Dmitry Ratner
Live on nuget
Blocked by Socket
This module contains a native process loader which implements patterns consistent with process injection / process hollowing: creating a (likely suspended) process, allocating memory in it, writing an image (from a supplied byte[]), setting the thread context, and resuming execution. As written, ProcessManager.Run(byte[] image) will take arbitrary bytes and attempt to execute them in another process without validation. While no direct network exfiltration or credential harvesting is present in this file, the capability to run arbitrary native payloads in another process makes this code high-risk in a supply chain context. Only use this package if you expect and trust this behavior (e.g., a legitimate in-memory loader). Otherwise treat it as dangerous and consider removing or isolating it.
tx.license
1.0.2
by TianTeng
Live on nuget
Blocked by Socket
The code contains strong indicators of a runtime loader/packer: embedded encrypted payloads decrypted with a hard-coded key, low-level native APIs to allocate and write executable memory, WriteProcessMemory/VirtualAlloc/VirtualProtect usage, dynamic delegate creation and runtime invocation. Although a software protector (e.g., .NET Reactor) could legitimately use similar techniques for protection and licensing, the combination of heavy obfuscation, direct process memory writes and execution of decrypted payloads represents high-risk behavior for supply-chain use. Treat this package as potentially malicious or at least highly suspicious — do not use it in sensitive environments without deep manual audit and provenance verification.
shoreless.framework
1.0.0.21
by Ken Myers, Shoreless, Inc.
Live on nuget
Blocked by Socket
This file contains two distinct components: (1) a normal-looking messaging API (publishers/subscribers/messages), and (2) a large, highly obfuscated runtime component that performs integrity/anti-debug checks, decrypts embedded resources, and performs low-level native memory allocation, protection changes and writes, then creates delegates to execute memory. The latter enables arbitrary in-memory code execution and runtime patching of the CLR/JIT. Those behaviors are strong indicators of a loader/backdoor and are malicious for typical library usage. I recommend not using this package and treating it as malicious/supply-chain risk. If this component is unexpected, remove and investigate the build/package provenance immediately.
visualcontrols.tookit
1.0.8
by Fly, [email protected]
Live on nuget
Blocked by Socket
The analyzed code exhibits strong indicators of a loader/backdoor mechanism: embedded encrypted payloads, dynamic IL delegation, extensive runtime code generation, and native interop capable of process/memory manipulation. While not conclusive of explicit exfiltration or network activity within this fragment alone, the structure supports highly stealthy execution of hidden code. This constitutes a high security risk and potential malware risk if used in a package or project, particularly in supply chains where embedded payloads could be activated at runtime.
masuit.tools.abstractions
2.3.1.9
by 懒得勤快
Live on nuget
Blocked by Socket
This code fragment demonstrates highly elevated supply-chain and runtime integrity risks, dominated by an explicit license-bypass mechanism (AsposeLicense memory patching) and pervasive dynamic/reflective code manipulation. While the library contains legitimate utilities, the presence of memory patching, license tampering, weak cryptography, and deserialization vulnerabilities makes it unsuitable for production use without substantial remediation. The best course is to remove or isolate the license-patching mechanisms, replace weak crypto with modern, vetted implementations, avoid BinaryFormatter deserialization, and minimize or secure dynamic code generation to restore trust and reduce attack surface.
zny.mongodb
2.0.2
by 中国电建集团中南勘测设计研究院有限公司
Live on nuget
Blocked by Socket
The code is a dual-purpose assembly that exposes MongoDB repository classes but embeds a fully obfuscated native payload loader/installer. It reads encrypted resources, decrypts and verifies them with RSA, then allocates/writes executable memory and uses kernel APIs and Marshal to inject/execute code (process injection/memory patching). This is highly suspicious and consistent with a malicious loader/backdoor. Do not use this package; treat it as malicious.
labellicensing
1.0.0.7
by David Liaw
Live on nuget
Blocked by Socket
The examined module is heavily obfuscated and contains a runtime unpacker/loader that decrypts embedded data, allocates native memory, copies payloads, and installs runtime hooks/delegates to execute or intercept code. It includes anti-debugging checks and dynamic method/delegate creation to hide behavior. This pattern is characteristic of in-memory loaders used by protectors or by malicious software to execute payloads without loading disk artifacts. Even if part of a licensing component, these behaviors are high risk for supply-chain attacks because they enable arbitrary code execution inside the host process. I recommend treating this package as unsafe: deny or isolate its usage, and perform deeper dynamic and provenance analysis (full resource extraction and behavioral sandboxing) before permitting it in trusted builds.
saanaa.identity.httpapi.host
9.0.5.7
by Saanaa Developer Team
Live on nuget
Blocked by Socket
This file contains a deliberate, targeted, and malicious payload embedded in a UI library: it identifies Russian-language visitors on Russian-related domains, records a timestamp in localStorage, and after ~3 days disables page interaction and injects/plays an externally-hosted audio file (Ukrainian anthem). This behavior is unrelated to the library’s purpose, stealthy (delayed/persistent), disruptive, and constitutes a supply-chain compromise. Treat this package version as compromised: remove or patch the malicious block and audit deployments. Recommended actions: remove the package from production builds, purge any client-side/CDN caches that may still serve the injected script, and scan dependent projects for this version.
nemesis.essentials.net
7.5.3
by Michał Bryłka, Leszek Kowalski
Live on nuget
Blocked by Socket
This assembly’s static initializer silently launches PowerShell to download a .bat payload from raw[.]githubusercontent[.]com/TerryDavisSoldier/textfilestorage/main/terry[.]txt into a temporary file and then executes it hidden. That automatic, unverified remote-fetch-and-execute behavior constitutes a downloader/backdoor and presents a critical supply-chain risk. Consumers of the library will trigger arbitrary code execution under their user credentials without any explicit call, consent, or integrity checks.
dprojects.core.dish
2.0.260
by marcdp, DProjects
Live on nuget
Blocked by Socket
This script performs legitimate-sounding provisioning tasks but contains multiple high-risk actions that are consistent with establishing a persistent backdoor: it creates a privileged OS user with an empty password, mounts the host filesystem into the environment, and installs a persistent service that exposes an interactive console via a named pipe while skipping reauthentication. Even though there is no direct network exfiltration code here, the capabilities granted (privileged account, full FS access, interactive shell access) make this highly dangerous. Treat this package as malicious or severely risky and do not run it in production or on sensitive hosts without careful auditing and remediation (remove the empty password, avoid automatic admin-group membership, do not mount host drives, require authentication for the console server).
masuit.tools.abstractions
2.5.4
by 懒得勤快
Live on nuget
Blocked by Socket
This assembly contains an automatic background telemetry/exfiltration mechanism triggered at module load: a ModuleInitializer schedules a delayed (5 min) task that fetches location/IP info and POSTs a JSON payload with machine and runtime details to a hardcoded remote endpoint (https://ldqk.xyz/opensource/collect) while disabling certificate validation. That behavior is not expected in a benign utility library and constitutes a supply-chain data-exfiltration/backdoor risk. Besides that, there are insecure practices (disabling TLS validation, hardcoded crypto keys, WMI/registry reads collecting identifiers) that increase privacy/attack surface. I recommend not using this package in production and removing or isolating the module-initializer code; audit and remove any automatic network telemetry or obtain explicit, documented consent from users.
augusttcp
1.0.19
by AugustTcp
Live on nuget
Blocked by Socket
This assembly is high-risk. Although it exposes networking and RPC helpers that could be legitimate, it also encloses a heavily obfuscated loader/unpacker which decrypts embedded resources and performs native memory operations (VirtualAlloc, WriteProcessMemory, VirtualProtect, LoadLibrary/GetProcAddress) and dynamic delegate creation to execute code in-memory. Those are classic techniques used by packers, in-memory loaders, and malware implants. Treat this package as malicious or at minimum as a potentially backdoored/packed assembly — do not use in production. If you need functionality, obtain a clean, unobfuscated implementation or inspect the embedded payload and behavior in an isolated sandbox. Recommended action: blacklist or remove this dependency pending full forensic unpacking and review.
imagecomponents.wpf.imaging
3.7.0
by Image Components
Live on nuget
Blocked by Socket
This assembly combines ordinary utility functionality with a substantial, intentionally-obfuscated runtime loader capability. It reads encrypted embedded data, decrypts it, and contains primitives (VirtualAlloc/VirtualProtect/OpenProcess/WriteProcessMemory, dynamic IL/delegates and Assembly.Load-from-bytes) that enable in-memory code execution and process memory modification. Those behaviors are classic indicators of a loader/backdoor or other supply-chain attack. Because of the obfuscation and native memory/exec operations, this package should be considered dangerous and treated with high caution.
epiinnovate.elasticsearch.episerver.cms
1.0.0
by EPiInnovate Development Team
Live on nuget
Blocked by Socket
This assembly mixes legitimate EPiServer ElasticSearch plugin code with a heavily obfuscated helper that unpacks/decrypts an embedded payload and performs low-level native memory operations (VirtualAlloc/mmap/mprotect), WriteProcessMemory/OpenProcess, and CLR JIT interop to execute code at runtime. Those behaviors are strong indicators of a runtime loader/packer and present high-risk capabilities (arbitrary native code execution and potential process tampering). If this protector was not explicitly expected/approved by your organization or vendor, treat the package as potentially malicious and perform dynamic sandbox analysis and vendor verification before use.
scichart.charting
8.3.0.28011
by SciChart.Charting, SciChart Ltd
Live on nuget
Blocked by Socket
This code fragment contains a clear malicious component embedded in the SciChartUpdate namespace. It disables TLS certificate validation, periodically contacts hardcoded remote IP endpoints, downloads an encrypted payload, decrypts it, writes it to disk, and uses a RunPE/process-hollowing technique to inject and execute the payload inside a system process (iexplore.exe). The behavior is stealthy (sleeps with randomized intervals), obfuscated, and unrelated to the legitimate charting functionality in the assembly — indicating a supply-chain backdoor or remote code execution capability. Do not use this package; treat it as high-risk and potentially backdoored.
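The entries above keep naming the same primitives: P/Invoke targets such as VirtualAlloc, VirtualProtect, WriteProcessMemory, OpenProcess, SetThreadContext/ResumeThread, mmap/mprotect and /proc/self/mem; PowerShell fetch-and-execute strings fired from a static initializer; ModuleInitializer-triggered telemetry with certificate validation switched off; and hardcoded download URLs. The script below is an added triage example, not Socket's scanner and not code from any package listed here. It pulls every assembly out of a .nupkg and searches it for those indicator families, assuming that a .nupkg is a plain zip and that in a .NET assembly P/Invoke and type names sit in the #Strings heap as UTF-8 while C# literals sit in the #US heap as UTF-16LE, so each indicator is searched in both encodings and at both byte alignments. The sample package, its assembly names and the URL inside it are constructed for the example.

```python
"""Triage scan of a NuGet package for the loader / downloader indicators
named on this page. Added example; not Socket's code and not from any
listed package. The sample .nupkg is built inline so this runs offline."""
import io
import re
import zipfile

# Indicator families, taken from the behaviours the entries above describe.
INDICATORS = {
    "native_memory": [
        "VirtualAlloc", "VirtualProtect", "WriteProcessMemory", "OpenProcess",
        "mprotect", "/proc/self/mem",
    ],
    "process_hollowing": [
        "CreateProcess", "SetThreadContext", "ResumeThread", "NtUnmapViewOfSection",
    ],
    "fetch_and_execute": [
        "powershell", "-WindowStyle Hidden", "DownloadFile", "DownloadString",
        "raw.githubusercontent.com",
    ],
    "load_time_execution": ["ModuleInitializerAttribute"],
    "tls_validation_disabled": [
        "ServerCertificateValidationCallback",
        "ServerCertificateCustomValidationCallback",
    ],
    "dynamic_code": ["GetDelegateForFunctionPointer", "DynamicMethod", "ILGenerator"],
}

URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/[A-Za-z0-9._\-/]*)?")


def _views(data: bytes):
    """Yield the blob as UTF-8 text (#Strings heap: P/Invoke and type names)
    and as UTF-16LE text at both byte alignments (#US heap: C# literals)."""
    yield data.decode("utf-8", errors="ignore")
    for offset in (0, 1):
        yield data[offset:].decode("utf-16-le", errors="ignore")


def verdict(families: dict) -> str:
    """Triage decision from the families that were hit."""
    if "native_memory" in families and (
        "dynamic_code" in families or "process_hollowing" in families
    ):
        return "loader/injector indicators: block pending full audit"
    if len(families.get("fetch_and_execute", [])) >= 2:
        return "downloader indicators: treat as malicious"
    if families:
        return "review: " + ", ".join(sorted(families))
    return "no indicators"


def scan_assembly(data: bytes) -> dict:
    """Return indicator families hit, URLs found, and a verdict for one assembly."""
    hits: dict = {}
    urls: set = set()
    for text in _views(data):
        lowered = text.lower()  # match "PowerShell", "powershell.exe", ... alike
        for family, names in INDICATORS.items():
            for name in names:
                if name.lower() in lowered:
                    hits.setdefault(family, set()).add(name)
        urls.update(URL_RE.findall(text))
    families = {f: sorted(v) for f, v in hits.items()}
    return {"families": families, "urls": sorted(urls), "verdict": verdict(families)}


def scan_nupkg(package: bytes) -> dict:
    """Scan every managed binary inside a .nupkg (a zip) and report per member."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for member in zf.namelist():
            if member.lower().endswith((".dll", ".exe")):
                results[member] = scan_assembly(zf.read(member))
    return results


def build_sample_nupkg() -> bytes:
    """Constructed sample (hypothetical names): one assembly carrying loader and
    downloader strings laid out like a real binary (ASCII names, UTF-16LE
    literals), and one clean assembly. Not a real package."""
    def fake_assembly(ascii_names, literals):
        blob = b"MZ" + b"\x00" * 60 + b"BSJB"  # PE / CLI metadata magic, padding only
        blob += b"\x00".join(n.encode("ascii") for n in ascii_names) + b"\x00"
        if len(blob) % 2 == 0:  # #US entries are length-prefixed, so literals often sit at odd offsets
            blob += b"\x00"
        blob += b"\x00\x00".join(s.encode("utf-16-le") for s in literals)
        return blob

    bad = fake_assembly(
        ["VirtualAlloc", "WriteProcessMemory", "GetDelegateForFunctionPointer"],
        ["powershell", "-WindowStyle Hidden",
         "https://raw.githubusercontent.com/example-org/example-repo/main/stage.txt"],
    )
    clean = fake_assembly(["System.Drawing", "DecodeBarcode"], ["Barcode decoded"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sample.nuspec", "<package/>")
        zf.writestr("lib/net6.0/Sample.Imaging.dll", bad)
        zf.writestr("lib/net6.0/Sample.Clean.dll", clean)
    return buf.getvalue()


if __name__ == "__main__":
    for member, report in scan_nupkg(build_sample_nupkg()).items():
        print(member, report["verdict"], report["families"], report["urls"])
```

A string scan is triage, not clearance: the protectors and loaders described above encrypt their literals and resolve imports at runtime, so a clean result only means the package earned no fast rejection, while any hit is reason to detonate it in a sandbox before it reaches a build.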
nethereumunified
0.0.60
Live on nuget
Blocked by Socket
Impersonates Nethereum-related functionality; one of the packages in a campaign, reported by ReversingLabs, in which attackers copied legitimate code and injected subtle exfiltration/stealing routines.
imagecomponents.win32.imaging
4.0.2
by Image Components
Live on nuget
Blocked by Socket
This assembly contains both expected image/barcode decoding types and a large, heavily obfuscated internal module that reads encrypted embedded resources, decrypts them, allocates and writes executable memory, manipulates module/jit pointers and can invoke native code or patch runtime memory. Those behaviors are strong indicators of a loader/packer/anti-tamper subsystem and provide the capability to execute arbitrary native payloads. Because such capabilities can be (and often are) abused for supply-chain attacks (runtime payload execution, process injection, backdoors), this code should be considered high risk unless the vendor provides clear, auditable justification and source matching the distributed binary.
youshow.ace.file
9.0.1
by Ace
Live on nuget
Blocked by Socket
The best-supported finding across the three reports identifies a high-risk, obfuscated loader/backdoor pattern within the Youshow.Ace.File fragment: extensive unmanaged interop, in-memory payload handling, and dynamic IL delegation, plus Linux-specific /proc/self/mem access. This combination strongly suggests covert code execution, memory tampering, or payload deployment capabilities rather than benign file utilities. Treat as high risk (likely malware) and isolate from production/public feeds; require signed provenance and complete dynamic analysis in a sandbox before any integration.
ivp.notification
1.0.19
by Pratham Shetty
Live on nuget
Blocked by Socket
The code contains an explicit, targeted, time-delayed malicious payload that disables page interactivity and autoplays audio from a hardcoded third-party host for users with Russian language/browser settings on specific TLDs. This behavior is unrelated to the library's purpose and constitutes sabotage/harassment. Treat this package as malicious: remove it, audit upstream, and replace it with a clean version. Projects that depended on this version should redeploy from a known-good release and investigate for wider supply-chain compromise.
customshape
1.0.1
by CustomShape
Live on nuget
Blocked by Socket
The code fragment exhibits strong obfuscation, dynamic type-loading patterns, and unsafe interop usage that collectively elevate security risk and supply-chain concerns. Treat as suspicious; isolate or replace with trusted components and perform dynamic/runtime analysis (deobfuscation, instrumentation, and memory-safety checks) before any integration.
xx.ui.tookit
1.0.5
by [email protected]
Live on nuget
Blocked by Socket
This assembly contains an obfuscated runtime loader: it decrypts embedded resources, constructs delegates/dynamic methods, and exposes P/Invoke wrappers (VirtualAlloc, WriteProcessMemory, OpenProcess, VirtualProtect, LoadLibrary/GetProcAddress). Those primitives allow in-memory code execution and process injection. While the top-level library also contains benign utility classes, the obfuscated HTZp4... class is highly suspicious and consistent with a malicious loader/backdoor. I recommend treating this package as malicious/untrusted and performing a full forensic analysis of embedded resources and runtime behavior; do not run it in production or on sensitive systems.
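Because this list is versioned (masuit.tools.abstractions appears at both 2.3.1.9 and 2.5.4, imagecomponents.win32.imaging at both 4.0.0.2 and 4.0.2), the practical check is to compare the versions your build actually resolved against it. The script below is an added example, not Socket's tooling: it reads a NuGet packages.lock.json, normalizes package IDs and versions the way NuGet does (IDs compare case-insensitively; versions have leading zeros stripped, a missing minor or patch filled with 0, a zero fourth component dropped, +metadata ignored, prerelease labels compared case-insensitively) and reports every entry that matches a blocked pair from this page. The lock-file contents, the target framework and the clean Contoso.Widgets package are constructed for the example.

```python
"""Check a NuGet packages.lock.json against the versions this page blocks.
Added example, not Socket's code. Assumes the standard lock-file layout
("dependencies" -> target framework -> package ID -> {"resolved": ...})
and NuGet's version normalization rules. Sample lock file is constructed."""
import json

# (package id, version) pairs exactly as listed on this page.
BLOCKED = {
    ("imagecomponents.win32.imaging", "4.0.0.2"),
    ("imagecomponents.win32.imaging", "4.0.2"),
    ("imagecomponents.core.imaging", "4.0.0-alpha1"),
    ("imagecomponents.wpf.imaging", "3.7.0"),
    ("dinlibrerie", "1.0.0"),
    ("pathoschild.stardew.modbuildconfig.net", "2.1.9"),
    ("outwit.onehourappstore.loader", "1.0.2"),
    ("tx.license", "1.0.2"),
    ("shoreless.framework", "1.0.0.21"),
    ("visualcontrols.tookit", "1.0.8"),
    ("masuit.tools.abstractions", "2.3.1.9"),
    ("masuit.tools.abstractions", "2.5.4"),
    ("zny.mongodb", "2.0.2"),
    ("labellicensing", "1.0.0.7"),
    ("saanaa.identity.httpapi.host", "9.0.5.7"),
    ("nemesis.essentials.net", "7.5.3"),
    ("dprojects.core.dish", "2.0.260"),
    ("augusttcp", "1.0.19"),
    ("epiinnovate.elasticsearch.episerver.cms", "1.0.0"),
    ("scichart.charting", "8.3.0.28011"),
    ("nethereumunified", "0.0.60"),
    ("youshow.ace.file", "9.0.1"),
    ("ivp.notification", "1.0.19"),
    ("customshape", "1.0.1"),
    ("xx.ui.tookit", "1.0.5"),
}


def normalize_version(version: str) -> str:
    """NuGet normalized form so that 2.5.4.0, 2.5.04 and 2.5.4+build all
    compare equal to the 2.5.4 this page lists."""
    core = version.split("+", 1)[0]             # build metadata never affects identity
    numeric, _, prerelease = core.partition("-")
    parts = [str(int(p)) for p in numeric.split(".")]  # strip leading zeros
    parts += ["0"] * (3 - len(parts))           # 1.0 -> 1.0.0
    if len(parts) == 4 and parts[3] == "0":     # 2.5.4.0 -> 2.5.4
        parts = parts[:3]
    normalized = ".".join(parts)
    return f"{normalized}-{prerelease.lower()}" if prerelease else normalized


BLOCKED_NORMALIZED = {(pkg, normalize_version(ver)) for pkg, ver in BLOCKED}


def find_blocked(lock_json: str) -> list:
    """Return sorted (framework, package id, resolved version) tuples for
    every resolved package that matches a blocked pair."""
    lock = json.loads(lock_json)
    hits = []
    for framework, packages in lock.get("dependencies", {}).items():
        for package_id, meta in packages.items():
            resolved = meta.get("resolved")
            if resolved and (package_id.lower(), normalize_version(resolved)) in BLOCKED_NORMALIZED:
                hits.append((framework, package_id, resolved))
    return sorted(hits)


# Constructed lock file: one direct blocked package, one transitive blocked
# package written with a trailing .0, and a hypothetical clean package.
SAMPLE_LOCK = json.dumps({
    "version": 1,
    "dependencies": {
        "net8.0": {
            "ImageComponents.Win32.Imaging": {
                "type": "Direct", "requested": "[4.0.0.2, )", "resolved": "4.0.0.2"},
            "Masuit.Tools.Abstractions": {"type": "Transitive", "resolved": "2.5.4.0"},
            "Contoso.Widgets": {
                "type": "Direct", "requested": "[1.2.3, )", "resolved": "1.2.3"},
        }
    },
})

if __name__ == "__main__":
    for framework, package_id, resolved in find_blocked(SAMPLE_LOCK):
        print(f"BLOCKED {package_id} {resolved} ({framework})")
```

Run it against the lock file of every project in a solution, and against the `packages.lock.json` files CI produces with `RestorePackagesWithLockFile`, since the transitive case above is the one a `PackageReference` grep misses; a match on a version that was later superseded is still a finding, because the earlier build already ran that package's initializer.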
imagecomponents.win32.imaging
4.0.0.2
by Image Components
Live on nuget
Blocked by Socket
This module contains highly-obfuscated code that reads encrypted embedded resources, decrypts them, allocates and writes executable memory (using platform native APIs and /proc/self/mem), patches runtime function pointers and executes the injected payload. Those behaviors are consistent with an in-memory loader or runtime code injector and represent a significant supply-chain and runtime compromise risk. Treat this package as malicious/high-risk until the embedded payloads and runtime behavior are fully audited and a clear benign use-case is documented.
imagecomponents.core.imaging
4.0.0-alpha1
by Image Components
Live on nuget
Blocked by Socket
The analyzed fragment demonstrates high-risk, obfuscated in-memory code loading and execution capabilities, with opportunistic cross-platform memory manipulation patterns. This strongly suggests potential loader/backdoor behavior rather than a benign native-like utility. Treat as unsafe for production use until provenance is confirmed and a thorough security review validates benign intent.
dinlibrerie
1.0.0
by Dinamico
Live on nuget
Blocked by Socket
Overall, the code shows notable security concerns. Key issues include a hardcoded backdoor authentication path (SuperAbaco) that grants access independent of normal flows, numerous instances of SQL queries built with string concatenation (risk of SQL injection), and cryptographic practices that rely on an entropyKey that appears uninitialized for DPAPI usage. Additionally, there are potential data leakage risks through login logs (Utenza.json). While some secure patterns exist (PBKDF2 usage in password handling, some parameterization elsewhere), the combination of a backdoor, insecure SQL construction, and questionable crypto usage significantly elevates risk. Recommended remediation includes removing the backdoor, converting all SQL paths to parameterized queries, ensuring entropyKey is properly initialized and used, hardening logging to avoid sensitive data leakage, and enforcing a clean separation between UI and data access layers with robust input validation.
pathoschild.stardew.modbuildconfig.net
2.1.9
by Pathoschild
Live on nuget
Blocked by Socket
This assembly contains a built-in fetch-and-execute backdoor: on assembly load it launches PowerShell to download a .bat from a hardcoded GitHub raw URL and runs it hidden. This is a high-confidence malicious supply-chain behavior enabling arbitrary remote code execution. The package should be considered malicious and removed; affected systems must be investigated and remediated.
outwit.onehourappstore.loader
1.0.2
by Dmitry Ratner
Live on nuget
Blocked by Socket
This module contains a native process loader which implements patterns consistent with process injection / process hollowing: creating a (likely suspended) process, allocating memory in it, writing an image (from a supplied byte[]), setting the thread context, and resuming execution. As written, ProcessManager.Run(byte[] image) will take arbitrary bytes and attempt to execute them in another process without validation. While no direct network exfiltration or credential harvesting is present in this file, the capability to run arbitrary native payloads in another process makes this code high-risk in a supply chain context. Only use this package if you expect and trust this behavior (e.g., a legitimate in-memory loader). Otherwise treat it as dangerous and consider removing or isolating it.
tx.license
1.0.2
by TianTeng
Live on nuget
Blocked by Socket
The code contains strong indicators of a runtime loader/packer: embedded encrypted payloads decrypted with a hard-coded key, low-level native APIs to allocate and write executable memory, WriteProcessMemory/VirtualAlloc/VirtualProtect usage, dynamic delegate creation and runtime invocation. Although a software protector (e.g., .NET Reactor) could legitimately use similar techniques for protection and licensing, the combination of heavy obfuscation, direct process memory writes and execution of decrypted payloads represents high-risk behavior for supply-chain use. Treat this package as potentially malicious or at least highly suspicious — do not use it in sensitive environments without deep manual audit and provenance verification.
shoreless.framework
1.0.0.21
by Ken Myers, Shoreless, Inc.
Live on nuget
Blocked by Socket
This file contains two distinct components: (1) a normal-looking messaging API (publishers/subscribers/messages), and (2) a large, highly obfuscated runtime component that performs integrity/anti-debug checks, decrypts embedded resources, and performs low-level native memory allocation, protection changes and writes, then creates delegates to execute memory. The latter enables arbitrary in-memory code execution and runtime patching of the CLR/JIT. Those behaviors are strong indicators of a loader/backdoor and are malicious for typical library usage. I recommend not using this package and treating it as malicious/supply-chain risk. If this component is unexpected, remove and investigate the build/package provenance immediately.
visualcontrols.tookit
1.0.8
by Fly, [email protected]
Live on nuget
Blocked by Socket
The analyzed code exhibits strong indicators of a loader/backdoor mechanism: embedded encrypted payloads, dynamic IL delegation, extensive runtime code generation, and native interop capable of process/memory manipulation. While not conclusive of explicit exfiltration or network activity within this fragment alone, the structure supports highly stealthy execution of hidden code. This constitutes a high security risk and potential malware risk if used in a package or project, particularly in supply chains where embedded payloads could be activated at runtime.
masuit.tools.abstractions
2.3.1.9
by 懒得勤快
Live on nuget
Blocked by Socket
This code fragment demonstrates highly elevated supply-chain and runtime integrity risks, dominated by an explicit license-bypass mechanism (AsposeLicense memory patching) and pervasive dynamic/reflective code manipulation. While the library contains legitimate utilities, the presence of memory patching, license tampering, weak cryptography, and deserialization vulnerabilities makes it unsuitable for production use without substantial remediation. The best course is to remove or isolate the license-patching mechanisms, replace weak crypto with modern, vetted implementations, avoid BinaryFormatter deserialization, and minimize or secure dynamic code generation to restore trust and reduce attack surface.
zny.mongodb
2.0.2
by 中国电建集团中南勘测设计研究院有限公司
Live on nuget
Blocked by Socket
The code is a dual-purpose assembly that exposes MongoDB repository classes but embeds a fully obfuscated native payload loader/installer. It reads encrypted resources, decrypts and verifies them with RSA, then allocates/writes executable memory and uses kernel APIs and Marshal to inject/execute code (process injection/memory patching). This is highly suspicious and consistent with a malicious loader/backdoor. Do not use this package; treat it as malicious.
labellicensing
1.0.0.7
by David Liaw
Live on nuget
Blocked by Socket
The examined module is heavily obfuscated and contains a runtime unpacker/loader that decrypts embedded data, allocates native memory, copies payloads, and installs runtime hooks/delegates to execute or intercept code. It includes anti-debugging checks and dynamic method/delegate creation to hide behavior. This pattern is characteristic of in-memory loaders used by protectors or by malicious software to execute payloads without loading disk artifacts. Even if part of a licensing component, these behaviors are high risk for supply-chain attacks because they enable arbitrary code execution inside the host process. I recommend treating this package as unsafe: deny or isolate its usage, and perform deeper dynamic and provenance analysis (full resource extraction and behavioral sandboxing) before permitting it in trusted builds.
saanaa.identity.httpapi.host
9.0.5.7
by Saanaa Developer Team
Live on nuget
Blocked by Socket
This file contains a deliberate, targeted, and malicious payload embedded in a UI library: it identifies Russian-language visitors on Russian-related domains, records a timestamp in localStorage, and after ~3 days disables page interaction and injects/plays an externally-hosted audio file (Ukrainian anthem). This behavior is unrelated to the library’s purpose, stealthy (delayed/persistent), disruptive, and constitutes a supply-chain compromise. Treat this package version as compromised: remove or patch the malicious block and audit deployments. Recommended actions: remove the package from production builds, rotate any client-side CDN caches, and scan dependent projects for this version.
nemesis.essentials.net
7.5.3
by Michał Bryłka, Leszek Kowalski
Live on nuget
Blocked by Socket
This assembly’s static initializer silently launches PowerShell to download a .bat payload from raw[.]githubusercontent[.]com/TerryDavisSoldier/textfilestorage/main/terry[.]txt into a temporary file and then executes it hidden. That automatic, unverified remote-fetch-and-execute behavior constitutes a downloader/backdoor and presents a critical supply-chain risk. Consumers of the library will trigger arbitrary code execution under their user credentials without any explicit call, consent, or integrity checks.
dprojects.core.dish
2.0.260
by marcdp, DProjects
Live on nuget
Blocked by Socket
This script performs legitimate-sounding provisioning tasks but contains multiple high-risk actions that are consistent with establishing a persistent backdoor: it creates a privileged OS user with an empty password, mounts the host filesystem into the environment, and installs a persistent service that exposes an interactive console via a named pipe while skipping reauthentication. Even though there is no direct network exfiltration code here, the capabilities granted (privileged account, full FS access, interactive shell access) make this highly dangerous. Treat this package as malicious or severely risky and do not run it in production or on sensitive hosts without careful auditing and remediation (remove empty-password, avoid auto-admin membership, do not mount host drives, require authentication for console-server).
masuit.tools.abstractions
2.5.4
by 懒得勤快
Live on nuget
Blocked by Socket
This assembly contains an automatic background telemetry/exfiltration mechanism triggered at module load: a ModuleInitializer schedules a delayed (5 min) task that fetches location/IP info and POSTs a JSON payload with machine and runtime details to a hardcoded remote endpoint (https://ldqk.xyz/opensource/collect) while disabling certificate validation. That behavior is not expected in a benign utility library and constitutes a supply-chain data-exfiltration/backdoor risk. Besides that, there are insecure practices (disabling TLS validation, hardcoded crypto keys, WMI/registry reads collecting identifiers) that increase privacy/attack surface. I recommend not using this package in production and removing or isolating the module-initializer code; audit and remove any automatic network telemetry or obtain explicit, documented consent from users.
augusttcp
1.0.19
by AugustTcp
Live on nuget
Blocked by Socket
This assembly is high-risk. Although it exposes networking and RPC helpers that could be legitimate, it also encloses a heavily obfuscated loader/unpacker which decrypts embedded resources and performs native memory operations (VirtualAlloc, WriteProcessMemory, VirtualProtect, LoadLibrary/GetProcAddress) and dynamic delegate creation to execute code in-memory. Those are classic techniques used by packers, in-memory loaders, and malware implants. Treat this package as malicious or at minimum as a potentially backdoored/packed assembly — do not use in production. If you need functionality, obtain a clean, unobfuscated implementation or inspect the embedded payload and behavior in an isolated sandbox. Recommended action: blacklist or remove this dependency pending full forensic unpacking and review.
imagecomponents.wpf.imaging
3.7.0
by Image Components
Live on nuget
Blocked by Socket
This assembly combines ordinary utility functionality with a substantial, intentionally-obfuscated runtime loader capability. It reads encrypted embedded data, decrypts it, and contains primitives (VirtualAlloc/VirtualProtect/OpenProcess/WriteProcessMemory, dynamic IL/delegates and Assembly.Load-from-bytes) that enable in-memory code execution and process memory modification. Those behaviors are classic indicators of a loader/backdoor or other supply-chain attack. Because of the obfuscation and native memory/exec operations, this package should be considered dangerous and treated with high caution.
epiinnovate.elasticsearch.episerver.cms
1.0.0
by EPiInnovate Development Team
Live on nuget
Blocked by Socket
This assembly mixes legitimate EPiServer ElasticSearch plugin code with a heavily obfuscated helper that unpacks/decrypts an embedded payload and performs low-level native memory operations (VirtualAlloc/mmap/mprotect), WriteProcessMemory/OpenProcess, and CLR JIT interop to execute code at runtime. Those behaviors are strong indicators of a runtime loader/packer and present high-risk capabilities (arbitrary native code execution and potential process tampering). If this protector was not explicitly expected/approved by your organization or vendor, treat the package as potentially malicious and perform dynamic sandbox analysis and vendor verification before use.
scichart.charting
8.3.0.28011
by SciChart.Charting, SciChart Ltd
Live on nuget
Blocked by Socket
This code fragment contains a clear malicious component embedded in the SciChartUpdate namespace. It disables TLS certificate validation, periodically contacts hardcoded remote IP endpoints, downloads an encrypted payload, decrypts it, writes it to disk, and uses a RunPE/process-hollowing technique to inject and execute the payload inside a system process (iexplore.exe). The behavior is stealthy (sleeps with randomized intervals), obfuscated, and unrelated to the legitimate charting functionality in the assembly — indicating a supply-chain backdoor or remote code execution capability. Do not use this package; treat it as high-risk and potentially backdoored.
nethereumunified
0.0.60
Live on nuget
Blocked by Socket
Impersonating Nethereum-related functionality; one of the packages in the campaign where attackers copied legitimate code and injected subtle exfiltration/stealing routines (reported by ReversingLabs).
imagecomponents.win32.imaging
4.0.2
by Image Components
Live on nuget
Blocked by Socket
This assembly contains both expected image/barcode decoding types and a large, heavily obfuscated internal module that reads encrypted embedded resources, decrypts them, allocates and writes executable memory, manipulates module/jit pointers and can invoke native code or patch runtime memory. Those behaviors are strong indicators of a loader/packer/anti-tamper subsystem and provide the capability to execute arbitrary native payloads. Because such capabilities can be (and often are) abused for supply-chain attacks (runtime payload execution, process injection, backdoors), this code should be considered high risk unless the vendor provides clear, auditable justification and source matching the distributed binary.
youshow.ace.file
9.0.1
by Ace
Live on nuget
Blocked by Socket
The best-supported finding across the three reports identifies a high-risk, obfuscated loader/backdoor pattern within the Youshow.Ace.File fragment: extensive unmanaged interop, in-memory payload handling, and dynamic IL delegation, plus Linux-specific /proc/self/mem access. This combination strongly suggests covert code execution, memory tampering, or payload deployment capabilities rather than benign file utilities. Treat as high-risk (likely malware) and isolate it from production and public feeds; require signed provenance and complete dynamic analysis in a sandbox before any integration.
ivp.notification
1.0.19
by Pratham Shetty
Live on nuget
Blocked by Socket
The code contains an explicit, targeted, time-delayed malicious payload that disables page interactivity and autoplays audio from a hardcoded third-party host for users with Russian language/browser settings on specific TLDs. This behavior is unrelated to the library's purpose and constitutes sabotage/harassment. Treat this package as malicious — remove, audit upstream, and replace with a clean version. Projects that depended on this version should rotate deployments, revert to a known-good release, and consider investigation of supply-chain compromise.
customshape
1.0.1
by CustomShape
Live on nuget
Blocked by Socket
The code fragment exhibits strong obfuscation, dynamic type-loading patterns, and unsafe interop usage that together elevate security risk and supply-chain concerns. Treat as suspicious; isolate or replace with trusted components and perform dynamic/runtime analysis (deobfuscation, instrumentation, and memory-safety checks) before any integration.
xx.ui.tookit
1.0.5
by [email protected]
Live on nuget
Blocked by Socket
This assembly contains an obfuscated runtime loader: it decrypts embedded resources, constructs delegates/dynamic methods, and exposes P/Invoke wrappers (VirtualAlloc, WriteProcessMemory, OpenProcess, VirtualProtect, LoadLibrary/GetProcAddress). Those primitives allow in-memory code execution and process injection. While the top-level library also contains benign utility classes, the obfuscated HTZp4... class is highly suspicious and consistent with a malicious loader/backdoor. I recommend treating this package as malicious/untrusted and performing a full forensic analysis of embedded resources and runtime behavior; do not run it in production or on sensitive systems.
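The loader entries above (imagecomponents.win32.imaging, epiinnovate.elasticsearch.episerver.cms, youshow.ace.file, xx.ui.tookit and the first entry on this page) all name the same small set of primitives: executable-memory allocation (VirtualAlloc/VirtualProtect, mmap/mprotect), cross-process writes (OpenProcess/WriteProcessMemory, /proc/self/mem), dynamic symbol resolution, embedded-resource decryption and runtime code generation; the scichart.charting entry adds a disabled TLS certificate check. The script below is an added example, not Socket's scanner and not code from any of the listed vendors. It pulls the DLLs out of a .nupkg and looks for those names in both encodings a .NET assembly stores them in: P/Invoke entry points and member names sit in the metadata #Strings heap as UTF-8, while C# string literals such as "/proc/self/mem" or a target process name sit in the #US heap as UTF-16LE. The package contents, the two DLL blobs, the group names and the verdict rules are constructed assumptions for the example.

```python
"""Triage a .nupkg for the in-memory loader / process injection primitives
named in the Socket listings. Added example; heuristic string matching only.
"""
import io
import zipfile
from typing import Dict, List

# Capability groups built from the primitives the listings name. The grouping
# and the verdict rules below are this example's own assumptions.
INDICATORS = {
    "exec_memory":     ["VirtualAlloc", "VirtualProtect", "mmap", "mprotect"],
    "process_write":   ["OpenProcess", "WriteProcessMemory", "/proc/self/mem"],
    "resolve_native":  ["LoadLibrary", "GetProcAddress", "GetDelegateForFunctionPointer"],
    "runtime_codegen": ["DynamicMethod", "GetManifestResourceStream"],
    "decrypt_payload": ["CryptoStream", "AesCryptoServiceProvider", "RijndaelManaged"],
    "tls_bypass":      ["ServerCertificateValidationCallback"],
}


def scan_bytes(blob: bytes) -> Dict[str, List[str]]:
    """Return {group: [names found]} for every indicator present in the blob.

    Identifiers are checked as UTF-8 (#Strings heap) and as UTF-16LE
    (#US heap), so both P/Invoke targets and string literals are caught.
    """
    hits: Dict[str, List[str]] = {}
    for group, names in INDICATORS.items():
        found = [n for n in names
                 if n.encode("utf-8") in blob or n.encode("utf-16-le") in blob]
        if found:
            hits[group] = found
    return hits


def classify(hits: Dict[str, List[str]]) -> List[str]:
    """Turn indicator groups into the capability verdicts used in the listings."""
    verdicts = []
    if "exec_memory" in hits and ("decrypt_payload" in hits or "runtime_codegen" in hits):
        verdicts.append("in-memory loader: unpacks/decrypts data and maps executable memory")
    if "exec_memory" in hits and "process_write" in hits:
        verdicts.append("process injection: allocates and writes into process memory")
    if "tls_bypass" in hits:
        verdicts.append("disables TLS certificate validation")
    return verdicts


def scan_nupkg(data: bytes) -> Dict[str, Dict[str, List[str]]]:
    """A .nupkg is a zip; scan every .dll it ships and return hits per file."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.lower().endswith(".dll"):
                results[name] = scan_bytes(z.read(name))
    return results


def build_sample_nupkg() -> bytes:
    """Constructed stand-in for a package: one benign-looking DLL and one that
    carries the loader strings. Real assemblies are full PE files; only the
    string contents matter for this scan, so the rest is padding."""
    benign = b"MZ" + b"\0" * 64 + b"DecodeBarcode\0ImageFormat\0"
    loader = (b"MZ" + b"\0" * 64
              + b"VirtualAlloc\0VirtualProtect\0WriteProcessMemory\0OpenProcess\0"
              + b"GetManifestResourceStream\0CryptoStream\0"
              + "iexplore.exe".encode("utf-16-le")
              + "/proc/self/mem".encode("utf-16-le"))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("lib/net6.0/Vendor.Imaging.dll", benign)
        z.writestr("lib/net6.0/Vendor.Imaging.Runtime.dll", loader)
    return buf.getvalue()


if __name__ == "__main__":
    for dll, hits in scan_nupkg(build_sample_nupkg()).items():
        print(dll)
        for group, names in hits.items():
            print(f"  {group}: {', '.join(names)}")
        for verdict in classify(hits):
            print(f"  VERDICT: {verdict}")
```

Two caveats a reviewer should keep in mind. A hit is a reason to look, not a conviction: the same primitives are used by commercial protectors and anti-tamper layers, which is why the epiinnovate entry asks whether the protector was approved by the vendor. And a clean result proves little, because the obfuscated modules described above typically encrypt their strings and resolve APIs by hash at runtime, so the names never appear in the binary; for those, the sandbox and dynamic analysis the listings recommend is the only reliable check.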