156d8c39cdec405cc1d7ea55f41271d0

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2019-Sep-13 15:09:25
Detected languages English - United States
Debug artifacts F:\workspace\_work\1\s\artifacts\obj\win-x86.Release\corehost\cli\fxr\Release\hostfxr.pdb
CompanyName Microsoft Corporation
FileDescription .NET Core Host Resolver - 3.0.0
FileVersion 3,0,19,46305 @Commit: 7d57652f33493fa022125b7f63aad0d70c52d810
InternalName .NET Core Host Resolver - 3.0.0
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename .NET Core Host Resolver - 3.0.0
ProductName Microsoft® .NET Framework
ProductVersion 3,0,19,46305 @Commit: 7d57652f33493fa022125b7f63aad0d70c52d810

Plugin Output

Info Matching compiler(s):
  • Microsoft Visual C++ v6.0 DLL
  • Microsoft Visual C++ 6.0 - 8.0
Info Interesting strings found in the binary:
Contains domain names:
  • https://aka.ms
Suspicious The PE contains functions most legitimate programs don't use.
[!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryExW
  • LoadLibraryW
Functions which can be used for anti-debugging purposes:
  • SwitchToThread
Can access the registry:
  • RegOpenKeyExW
  • RegCloseKey
  • RegGetValueW
Memory manipulation functions often used by packers:
  • VirtualProtect
  • VirtualAlloc
Info The PE is digitally signed.
Signer: Microsoft Corporation
Issuer: Microsoft Code Signing PCA 2011
Safe VirusTotal score: 0/67 (Scanned on 2019-12-21 04:36:57)
All the AVs think this file is safe.

Hashes

MD5 156d8c39cdec405cc1d7ea55f41271d0
SHA1 9f5ebd2691a7e1be2b5556453ff4fec0bc071e4a
SHA256 0f780d9f0459f4b865c1515b01def227476f4d6611cc9e59a49fb9ae3f19a808
SHA3 da84d3856b8f6880c91db0a865a78f1678f1b0c4c6b7f0104ef02dc7fc3634f5
SSDeep 12288:uQ29Pt5EPei0a0JQrXDCvQcyKMVDzn3oLwldnFP1cO:uQJQmDC2KMVDb3Bldnt1cO
Imports Hash 0183e6ea18b6e1aaad8c6ba9883d0526

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xf8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 5
TimeDateStamp 2019-Sep-13 15:09:25
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Image Optional Header

Magic PE32
LinkerVersion 14.0
SizeOfCode 0x52400
SizeOfInitializedData 0x1de00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00035000 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x54000
ImageBase 0x10000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.0
ImageVersion 0.0
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0x74000
SizeOfHeaders 0x400
Checksum 0x73dfe
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 f4b1cbd01969969dd1bfa68fee7560ad
SHA1 55bebab3eada09130fb38202190731674a3fd4e3
SHA256 52234034f99ee9e6364f5c7370651cc5608cabc026208073c6eeaa0560459285
SHA3 cca3f1ddd7ea5bc0ac8127f15e8ea6ab3c4700082033fcdc0d1f6c83d52448bb
VirtualSize 0x5231a
VirtualAddress 0x1000
SizeOfRawData 0x52400
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.57992

.rdata

MD5 d0d955923f97c0b16d81d06fc62852bc
SHA1 66df5356e4103b1aff5774245be23716e382b364
SHA256 dae88ff2ac3cee78cd85e06aa0e62b77a7479eaa60a6a5161c149ee7561d8078
SHA3 a1f219671126f8ff2497506d62bd74aa1de371df38ce7f3422eb593a9e19a386
VirtualSize 0x161a8
VirtualAddress 0x54000
SizeOfRawData 0x16200
PointerToRawData 0x52800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.47918

.data

MD5 d15dbd3949b01df9d3006c09074e39ac
SHA1 b477ab58976396ac2b98ed46edbeaf9524fc9169
SHA256 ba08a1079599cc64114a251f65c90307c96a4693fdfd3db46dfec423b13b64a4
SHA3 399bfe9971d0d418e139a7672fd69c96c4b8f9208d13a20488566f2154dbdd6b
VirtualSize 0x29c4
VirtualAddress 0x6b000
SizeOfRawData 0x2000
PointerToRawData 0x68a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 4.72791

.rsrc

MD5 556684e1ae49135bac20290dfb9b9ed0
SHA1 1c952a295d0cbd599ab7667dea8b43d745fa21d4
SHA256 578975253056c2b57199bc0bb486d40941f5dc879acaf3a57a5889a71cfcf01e
SHA3 9d353c68976876c7deba678af2aacff3804d4a3fc76072b67271d8e93dd16bb0
VirtualSize 0x690
VirtualAddress 0x6e000
SizeOfRawData 0x800
PointerToRawData 0x6aa00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 3.61833

.reloc

MD5 38b9f6c85a19052a976697f80b5db0c1
SHA1 e25e520d71aa1a4ef85b290a5a783cd478c971cb
SHA256 717fd31675540f43d3a240c4ba3ee813545beab9872aea3ee3c8b9cd0510b1a1
SHA3 719441e32576bd4784956fb3d50ec347d9a2d84d9bc3177c76ac3dc9164eb06a
VirtualSize 0x48d4
VirtualAddress 0x6f000
SizeOfRawData 0x4a00
PointerToRawData 0x6b200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 6.56199

Imports

KERNEL32.dll GetCurrentDirectoryW
FindClose
FindFirstFileExW
FindNextFileW
GetFileAttributesExW
GetFullPathNameW
CloseHandle
GetLastError
InitializeCriticalSection
EnterCriticalSection
GetEnvironmentVariableW
DeleteCriticalSection
GetCurrentProcess
IsWow64Process
GetModuleFileNameW
GetModuleHandleW
GetModuleHandleExW
GetProcAddress
LoadLibraryExW
MultiByteToWideChar
WideCharToMultiByte
RtlUnwind
OutputDebugStringW
FormatMessageW
LeaveCriticalSection
GetModuleHandleA
LoadLibraryW
UnregisterWaitEx
QueryDepthSList
InterlockedFlushSList
InterlockedPushEntrySList
InterlockedPopEntrySList
ReleaseSemaphore
DuplicateHandle
VirtualFree
VirtualProtect
VirtualAlloc
GetVersionExW
FreeLibraryAndExitThread
FreeLibrary
GetThreadTimes
GetCurrentThread
UnregisterWait
RegisterWaitForSingleObject
SetThreadAffinityMask
GetProcessAffinityMask
GetNumaHighestNodeNumber
DeleteTimerQueueTimer
ChangeTimerQueueTimer
CreateTimerQueueTimer
GetLogicalProcessorInformation
GetThreadPriority
SetThreadPriority
CreateThread
SignalObjectAndWait
Sleep
CreateTimerQueue
InitializeSListHead
GetCurrentProcessId
IsDebuggerPresent
IsProcessorFeaturePresent
TerminateProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
WaitForSingleObjectEx
ResetEvent
SetEvent
LCMapStringW
QueryPerformanceCounter
GetTickCount
GetSystemTimeAsFileTime
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
SwitchToThread
CreateEventW
InitializeCriticalSectionAndSpinCount
SetLastError
GetCurrentThreadId
TryEnterCriticalSection
RaiseException
DecodePointer
EncodePointer
GetStringTypeW
ADVAPI32.dll RegOpenKeyExW
RegCloseKey
RegGetValueW
api-ms-win-crt-runtime-l1-1-0.dll _initterm
_initialize_onexit_table
_initialize_narrow_environment
_cexit
_configure_narrow_argv
_register_onexit_function
terminate
_execute_onexit_table
_initterm_e
_errno
abort
_invalid_parameter_noinfo_noreturn
_crt_atexit
_seh_filter_dll
api-ms-win-crt-heap-l1-1-0.dll free
calloc
_callnewh
malloc
api-ms-win-crt-stdio-l1-1-0.dll fputc
fgetpos
fgetc
fsetpos
fclose
_get_stream_buffer_pointers
_fseeki64
fwrite
__acrt_iob_func
fputwc
fputws
_wfopen
setvbuf
__stdio_common_vfwprintf
__stdio_common_vswprintf
ungetc
__stdio_common_vswprintf_s
_wfsopen
fseek
fread
__stdio_common_vsnprintf_s
__stdio_common_vsprintf_s
fflush
api-ms-win-crt-filesystem-l1-1-0.dll _lock_file
_unlock_file
api-ms-win-crt-string-l1-1-0.dll _wcsdup
strcpy_s
islower
__strncnt
towlower
_wcsnicmp
wcsncmp
isupper
_wcsicmp
memset
strcspn
iswspace
_isctype_l
wcsnlen
strnlen
api-ms-win-crt-locale-l1-1-0.dll _unlock_locales
_free_locale
_create_locale
___mb_cur_max_func
___lc_locale_name_func
__pctype_func
___lc_codepage_func
_lock_locales
localeconv
setlocale
api-ms-win-crt-convert-l1-1-0.dll _strtod_l
_i64tow_s
_ui64tow_s
_i64toa_s
_ui64toa_s
wcstoul
_wtoi
api-ms-win-crt-math-l1-1-0.dll _CIexp
_CIsqrt
_except1
frexp
api-ms-win-crt-time-l1-1-0.dll wcsftime
_gmtime64
_time64

Delayed Imports

Exports

hostfxr_close

Ordinal 1
Address 0x18640

hostfxr_get_available_sdks

Ordinal 2
Address 0x18680

hostfxr_get_native_search_directories

Ordinal 3
Address 0x18990

hostfxr_get_runtime_delegate

Ordinal 4
Address 0x18ab0

hostfxr_get_runtime_properties

Ordinal 5
Address 0x18bb0

hostfxr_get_runtime_property_value

Ordinal 6
Address 0x18ca0

hostfxr_initialize_for_dotnet_command_line

Ordinal 7
Address 0x18e60

hostfxr_initialize_for_runtime_config

Ordinal 8
Address 0x18fc0

hostfxr_main

Ordinal 9
Address 0x19090

hostfxr_main_startupinfo

Ordinal 10
Address 0x19150

hostfxr_resolve_sdk

Ordinal 11
Address 0x191f0

hostfxr_resolve_sdk2

Ordinal 12
Address 0x19390

hostfxr_run_app

Ordinal 13
Address 0x195e0

hostfxr_set_error_writer

Ordinal 14
Address 0x19620

hostfxr_set_runtime_property_value

Ordinal 15
Address 0x19630

Resources

1

Type RT_VERSION
Language English - United States
Codepage UNKNOWN
Size 0x470
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.5914
MD5 4456eef6df84358222cdce8649dfbee5
SHA1 6b9b8627a9784296b159b8df9844dcbc9e18476a
SHA256 c987b3e8430270fc850ac253d324ffa5607853ed895155777b8f17dd7c4731c2
SHA3 513c5377ce715bd841a6858394f0a085eff18c14f74068826b262b0cd886d8c0

2

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x17d
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.91161
MD5 1e4a89b11eae0fcf8bb5fdd5ec3b6f61
SHA1 4260284ce14278c397aaf6f389c1609b0ab0ce51
SHA256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df
SHA3 4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 3.0.19.46305
ProductVersion 3.0.19.46305
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT_WINDOWS32
VOS__WINDOWS32
FileType VFT_DLL
Language English - United States
CompanyName Microsoft Corporation
FileDescription .NET Core Host Resolver - 3.0.0
FileVersion (#2) 3,0,19,46305 @Commit: 7d57652f33493fa022125b7f63aad0d70c52d810
InternalName .NET Core Host Resolver - 3.0.0
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename .NET Core Host Resolver - 3.0.0
ProductName Microsoft® .NET Framework
ProductVersion (#2) 3,0,19,46305 @Commit: 7d57652f33493fa022125b7f63aad0d70c52d810
Resource LangID English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2019-Sep-13 15:09:25
Version 0.0
SizeofData 114
AddressOfRawData 0x63760
PointerToRawData 0x61f60
Referenced File F:\workspace\_work\1\s\artifacts\obj\win-x86.Release\corehost\cli\fxr\Release\hostfxr.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics 0
TimeDateStamp 2019-Sep-13 15:09:25
Version 0.0
SizeofData 20
AddressOfRawData 0x637d4
PointerToRawData 0x61fd4

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 2019-Sep-13 15:09:25
Version 0.0
SizeofData 872
AddressOfRawData 0x637e8
PointerToRawData 0x61fe8

TLS Callbacks

StartAddressOfRawData 0x10063b60
EndAddressOfRawData 0x10063b6c
AddressOfIndex 0x1006d4ac
AddressOfCallbacks 0x1005434c
SizeOfZeroFill 0
Characteristics IMAGE_SCN_ALIGN_4BYTES
Callbacks (EMPTY)

Load Configuration

Size 0xa0
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x1006b3bc
SEHandlerTable 0x100632e0
SEHandlerCount 288
GuardCFCheckFunctionPointer 268780244
GuardCFDispatchFunctionPointer 0
GuardCFFunctionTable 0
GuardCFFunctionCount 0
GuardFlags (EMPTY)
CodeIntegrity.Flags 0
CodeIntegrity.Catalog 0
CodeIntegrity.CatalogOffset 0
CodeIntegrity.Reserved 0
GuardAddressTakenIatEntryTable 0
GuardAddressTakenIatEntryCount 0
GuardLongJumpTargetTable 0
GuardLongJumpTargetCount 0

RICH Header

XOR Key 0x3b572869
Unmarked objects 0
ASM objects (VS 2015/2017 runtime 26706) 16
C++ objects (VS 2015/2017 runtime 26706) 115
C objects (VS 2015/2017 runtime 26706) 31
Imports (VS2008 SP1 build 30729) 18
Imports (VS2015/2017 runtime 25711) 5
Total imports 208
C++ objects (VS2017 v15.9.14-15 compiler 27032) 29
Exports (VS2017 v15.9.14-15 compiler 27032) 1
Resource objects (VS2017 v15.9.14-15 compiler 27032) 1
151 1
Linker (VS2017 v15.9.14-15 compiler 27032) 1

Errors