30d089ff9bc3fe34bf08c4ce577e48f5

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2022-Nov-16 05:24:36
Debug artifacts D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\cli\apphost\Release\apphost.pdb
Comments Sunshine allrihts
CompanyName Sunshine
FileDescription ConsoleApp1
FileVersion 1.0.0.0
InternalName ConsoleApp1.dll
LegalCopyright Sunshine
OriginalFilename ConsoleApp1.dll
ProductName ConsoleApp1
ProductVersion 1.0.0
Assembly Version 1.0.0.0

Plugin Output

Info Interesting strings found in the binary: Contains domain names:
  • go.microsoft.com
  • https://aka.ms
  • https://go.microsoft.com
  • https://go.microsoft.com/fwlink/?linkid
  • microsoft.com
Info The PE contains common functions which appear in legitimate applications. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryExW
  • LoadLibraryA
Can access the registry:
  • RegOpenKeyExW
  • RegCloseKey
  • RegGetValueW
Possibly launches other programs:
  • ShellExecuteW
Suspicious No VirusTotal score. This file has never been scanned on VirusTotal.

Hashes

MD5 30d089ff9bc3fe34bf08c4ce577e48f5
SHA1 513c8759a14d808fd890da2f77d7cffefeaf5bc1
SHA256 67237a28ae563faab4bf434a052e1ceccdd0b6bb77a65055dfdc42e1effb3a7a
SHA3 d12c46532cb04419ca41690e52bd18ac5e7ec2c919e621757fe434e651c9d8a7
SSDeep 3072:ntL04G/O4BDom5hWkNX2xlkHmJRqAnoqOAcRRwo4wUYrXq:2xX5URji7MYrX
Imports Hash 8541289ad805913417662883d15a837d

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xf0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 7
TimeDateStamp 2022-Nov-16 05:24:36
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Image Optional Header

Magic PE32+
LinkerVersion 14.0
SizeOfCode 0x18e00
SizeOfInitializedData 0xd800
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00000000000149F0 (Section: .text)
BaseOfCode 0x1000
ImageBase 0x140000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.0
ImageVersion 0.0
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0x2c000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x180000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 96de83a454916d6a6f7553a502c37d50
SHA1 48340c06d1c6bccdb6a9c583bb345d4cdfe68432
SHA256 62afd7f1d7006755dd11e3f6df089cf0fb5f37d46154c45fe7660d7e74c54783
SHA3 5288b16e0bcc3952282fe88fae4f282aba55a9ef9b7ec15e8dc879ec66d35c52
VirtualSize 0x18cbc
VirtualAddress 0x1000
SizeOfRawData 0x18e00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.31274

.rdata

MD5 a37c19668292332362e91a0cb9d9289d
SHA1 58c6da5532579fd29d5f98ed7230bdc2f7325da6
SHA256 1ea7755f8fc794abf8827407a107a5434b93063696c7a976bac47b546e31f172
SHA3 f28008383064338a4a4eae52e0bafd38c4a692f02d9aec21f4d73e3fc0d8b12d
VirtualSize 0xa6f0
VirtualAddress 0x1a000
SizeOfRawData 0xa800
PointerToRawData 0x19200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.43226

.data

MD5 ba8bff9183a209d11fb1957f384b5874
SHA1 2e27042b7926a0b93138c57bbd1e8bcb2d861c69
SHA256 175fb914a04ddfa0daabcff6910693d4d07685d7c9ff9a39b020eb2c644e4cfa
SHA3 800807048884707eb4d54e33f009a8b28cda97d5b0fd5c1ae5f5951470989bd7
VirtualSize 0x1838
VirtualAddress 0x25000
SizeOfRawData 0xe00
PointerToRawData 0x23a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 2.83742

.pdata

MD5 5a0a0bf11cee45051c653781a69a4e7f
SHA1 55ffc7ee8b1fe8027dd510034f142f1d9b5494e3
SHA256 3002b6ae6045406d9ef6cfc7e4414d5ad4ae792456147e936c61cd3c7b2e4052
SHA3 335d09d118bcb4930ae1373a2b742abe2afb3a1cabc7da183624cc077456459d
VirtualSize 0x15cc
VirtualAddress 0x27000
SizeOfRawData 0x1600
PointerToRawData 0x24800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.18314

_RDATA

MD5 c14eadbec0cf9ddcb76853ca889d4b7b
SHA1 ddd44609d1b017e73e2f480c7750a64ffe36b69c
SHA256 1b9f8e94efca91f9ad95bae82cc4760f2a2ec3eac5e4690556dbdc2c0905a73c
SHA3 1ee70bd5be9e44a691ef724bf1ea85274c51c146b16a7fe5af6b9523fdd7f349
VirtualSize 0xac
VirtualAddress 0x29000
SizeOfRawData 0x200
PointerToRawData 0x25e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 1.84285

.rsrc

MD5 ba2096aafb3dafedd7cfcb3f786930d8
SHA1 80a8f77606376d9f561ef0d415aaf6a74a4301a9
SHA256 362b4b2e43cfaca3af23c1319fabfbac0cd2df53acb32df51d11a666e9030565
SHA3 08c03b912fae21cadbbefe4e904932a866f74f04a5f000d8e5bae310c01ed6df
VirtualSize 0x5a8
VirtualAddress 0x2a000
SizeOfRawData 0x600
PointerToRawData 0x26000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.48211

.reloc

MD5 6b3443378a91d2575a15d071a4874e56
SHA1 41b459822687fa7de1d86494b10e1819ac98d457
SHA256 3ce53254bba6e3ac3aa8215fd877dfa8fdbe9a5b54d920306ed6196de9e036ec
SHA3 6705fd324bb532589104c4b8eee994aa868e6a8cb80cb19c7fe0c77f97d9967b
VirtualSize 0x34c
VirtualAddress 0x2b000
SizeOfRawData 0x400
PointerToRawData 0x26600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 4.69604

Imports

KERNEL32.dll
  • FindClose
  • FindFirstFileExW
  • FindNextFileW
  • GetFileAttributesExW
  • GetFullPathNameW
  • GetTempPathW
  • GetLastError
  • InitializeCriticalSection
  • EnterCriticalSection
  • LeaveCriticalSection
  • GetEnvironmentVariableW
  • GetCurrentProcess
  • IsWow64Process
  • GetModuleFileNameW
  • GetModuleHandleExW
  • GetProcAddress
  • LoadLibraryExW
  • LoadLibraryA
  • MultiByteToWideChar
  • WideCharToMultiByte
  • FreeLibrary
  • TlsFree
  • TlsSetValue
  • TlsGetValue
  • TlsAlloc
  • OutputDebugStringW
  • GetModuleHandleW
  • GetCurrentProcessId
  • Sleep
  • RemoveDirectoryW
  • DeleteCriticalSection
  • CreateDirectoryW
  • InitializeCriticalSectionAndSpinCount
  • SetLastError
  • RtlUnwindEx
  • RaiseException
  • RtlPcToFileHeader
  • InitializeSListHead
  • GetSystemTimeAsFileTime
  • GetCurrentThreadId
  • QueryPerformanceCounter
  • IsDebuggerPresent
  • IsProcessorFeaturePresent
  • TerminateProcess
  • SetUnhandledExceptionFilter
  • UnhandledExceptionFilter
  • RtlVirtualUnwind
  • RtlLookupFunctionEntry
  • RtlCaptureContext
  • LCMapStringEx
  • DecodePointer
  • EncodePointer
  • InitializeCriticalSectionEx
  • GetStringTypeW
USER32.dll
  • MessageBoxW
SHELL32.dll
  • ShellExecuteW
ADVAPI32.dll
  • RegOpenKeyExW
  • RegCloseKey
  • ReportEventW
  • RegisterEventSourceW
  • DeregisterEventSource
  • RegGetValueW
api-ms-win-crt-runtime-l1-1-0.dll
  • _initialize_wide_environment
  • _invalid_parameter_noinfo_noreturn
  • _set_app_type
  • _seh_filter_exe
  • _cexit
  • _crt_atexit
  • _get_initial_wide_environment
  • _initialize_onexit_table
  • _exit
  • __p___argc
  • __p___wargv
  • _c_exit
  • _register_thread_local_exe_atexit_callback
  • _initterm
  • _configure_wide_argv
  • terminate
  • _initterm_e
  • _register_onexit_function
  • _errno
  • abort
  • exit
api-ms-win-crt-stdio-l1-1-0.dll
  • fclose
  • __p__commode
  • __stdio_common_vsprintf_s
  • fread
  • fseek
  • fwrite
  • _set_fmode
  • __acrt_iob_func
  • fputwc
  • fputws
  • __stdio_common_vfwprintf
  • _wfopen
  • fflush
  • __stdio_common_vswprintf
api-ms-win-crt-string-l1-1-0.dll
  • wcsncmp
  • _wcsnicmp
  • _wcsdup
  • strcspn
  • strcpy_s
  • _wcsicmp
  • wcsnlen
  • memset
api-ms-win-crt-math-l1-1-0.dll
  • __setusermatherr
  • frexp
api-ms-win-crt-heap-l1-1-0.dll
  • calloc
  • free
  • _callnewh
  • malloc
  • _set_new_mode
api-ms-win-crt-locale-l1-1-0.dll
  • ___mb_cur_max_func
  • setlocale
  • __pctype_func
  • ___lc_codepage_func
  • _unlock_locales
  • _lock_locales
  • _configthreadlocale
  • ___lc_locale_name_func
  • localeconv
api-ms-win-crt-filesystem-l1-1-0.dll
  • _wrename
  • _wremove
api-ms-win-crt-convert-l1-1-0.dll
  • wcstoul
  • _wtoi
api-ms-win-crt-time-l1-1-0.dll
  • wcsftime
  • _gmtime64
  • _time64

Delayed Imports

1

Type RT_VERSION
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x31c
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.26918
MD5 2ee01d8ccf2688aaa6ab96eeab789403
SHA1 d9705a867426a01df96b67db58f8c906c8149e71
SHA256 cc48c3eae8595721a01f7cf5670a5f29a9b3adb8c670170ae5b5dea0ee37f389
SHA3 bb4c6f6450bc51d528587bbe9237ab8ae4ceed429c63e746e9ebeb739d6439fb

1 (#2)

Type RT_MANIFEST
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x1ea
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.00112
MD5 b7db84991f23a680df8e95af8946f9c9
SHA1 cac699787884fb993ced8d7dc47b7c522c7bc734
SHA256 539dc26a14b6277e87348594ab7d6e932d16aabb18612d77f29fe421a9f1d46a
SHA3 4f72877413d13a67b52b292a8524e2c43a15253c26aaf6b5d0166a65bc615cff

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 1.0.0.0
ProductVersion 1.0.0.0
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT_WINDOWS32
VOS__WINDOWS32
FileType VFT_APP
Language UNKNOWN
Comments Sunshine allrihts
CompanyName Sunshine
FileDescription ConsoleApp1
FileVersion (#2) 1.0.0.0
InternalName ConsoleApp1.dll
LegalCopyright Sunshine
OriginalFilename ConsoleApp1.dll
ProductName ConsoleApp1
ProductVersion (#2) 1.0.0
Assembly Version 1.0.0.0
Resource LangID UNKNOWN

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2022-Nov-16 05:24:36
Version 0.0
SizeofData 110
AddressOfRawData 0x20a4c
PointerToRawData 0x1fc4c
Referenced File D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\cli\apphost\Release\apphost.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics 0
TimeDateStamp 2022-Nov-16 05:24:36
Version 0.0
SizeofData 20
AddressOfRawData 0x20abc
PointerToRawData 0x1fcbc

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 2022-Nov-16 05:24:36
Version 0.0
SizeofData 924
AddressOfRawData 0x20ad0
PointerToRawData 0x1fcd0

TLS Callbacks

StartAddressOfRawData 0x140020e90
EndAddressOfRawData 0x140020ea0
AddressOfIndex 0x140026110
AddressOfCallbacks 0x14001a530
SizeOfZeroFill 0
Characteristics IMAGE_SCN_ALIGN_8BYTES
Callbacks (EMPTY)

Load Configuration

Size 0x138
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x140025528
GuardCFCheckFunctionPointer 5368816744
GuardCFDispatchFunctionPointer 0
GuardCFFunctionTable 0
GuardCFFunctionCount 0
GuardFlags (EMPTY)
CodeIntegrity.Flags 0
CodeIntegrity.Catalog 0
CodeIntegrity.CatalogOffset 0
CodeIntegrity.Reserved 0
GuardAddressTakenIatEntryTable 0
GuardAddressTakenIatEntryCount 0
GuardLongJumpTargetTable 0
GuardLongJumpTargetCount 0

RICH Header

XOR Key 0x1966703a
Unmarked objects 0
C objects (30034) 12
ASM objects (30034) 9
C++ objects (30034) 77
Imports (VS2008 SP1 build 30729) 18
Imports (26213) 9
Total imports 167
C++ objects (VS2019 Update 11 (16.11.10) compiler 30140) 13
Linker (VS2019 Update 11 (16.11.10) compiler 30140) 1

Errors
