41b1dd279b09fb726343677660aec4c6

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2021-Jan-15 11:19:45
TLS Callbacks 1 callback(s) detected.
Debug artifacts C:\Users\PHoetger\source\repos\runtimelab\samples\HelloWorld\bin\release\net5.0\win-x64\native\HelloWorld.pdb
CompanyName HelloWorld
FileDescription HelloWorld
FileVersion 1.0.0.0
InternalName HelloWorld.dll
LegalCopyright
OriginalFilename HelloWorld.dll
ProductName HelloWorld
ProductVersion 1.0.0
Assembly Version 1.0.0.0

Plugin Output

Info Interesting strings found in the binary: Contains domain names:
  • github.com
  • go.microsoft.com
  • http://go.microsoft.com
  • http://go.microsoft.com/fwlink/?LinkID
  • http://go.microsoft.com/fwlink/?LinkId
  • http://manifests.microsoft.com
  • http://manifests.microsoft.com/win/2004/08/windows/events
  • http://schemas.microsoft.com
  • http://schemas.microsoft.com/win/2004/08/events
  • http://www.w3.org
  • http://www.w3.org/2001/XMLSchema
  • http://www.w3.org/2001/XMLSchema-instance
  • https://aka.ms
  • https://go.microsoft.com
  • https://go.microsoft.com/fwlink/?linkid
  • manifests.microsoft.com
  • microsoft.com
  • schemas.microsoft.com
  • www.w3.org
Info Cryptographic algorithms detected in the binary: Uses constants related to SHA1
Suspicious The PE is possibly packed. Unusual section name found: .managed
Malicious The PE contains functions mostly used by malware. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryExW
Functions which can be used for anti-debugging purposes:
  • SwitchToThread
Can access the registry:
  • RegCloseKey
  • RegEnumKeyExW
  • RegEnumValueW
  • RegOpenKeyExW
  • RegQueryValueExW
Memory manipulation functions often used by packers:
  • VirtualAlloc
  • VirtualProtect
Functions related to the privilege level:
  • OpenProcessToken
  • AdjustTokenPrivileges
Malicious VirusTotal score: 3/70 (Scanned on 2021-01-15 11:26:34) APEX: Malicious
Gridinsoft: Trojan.Heur!.02006023
Cynet: Malicious (score: 90)

Hashes

MD5 41b1dd279b09fb726343677660aec4c6
SHA1 ed9c096dc43e143f6becd8fa68d546322db5412c
SHA256 6d466e967448d1b5ad4d3d29f63bd8d80949abf99094a5647f2de34dd8d941a1
SHA3 fe4ae6a30e2df4e0e7bf8b361e3c11d452c5173a987878593fb6af50b5f1a1ce
SSDeep 49152:692j1WZJzlXSAbIkoTy1ThEdiyPcxIwRRi10E99yEdzBFxZu+cpJK5MX8CLlJ:9joSGhTKw8CLv
Imports Hash b881e2d3c542d0f0a5b53807a4401c29

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x118

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 8
TimeDateStamp 2021-Jan-15 11:19:45
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Image Optional Header

Magic PE32+
LinkerVersion 14.0
SizeOfCode 0x20fc00
SizeOfInitializedData 0x270c00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x000000000005DE9C (Section: .text)
BaseOfCode 0x1000
ImageBase 0x140000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.0
ImageVersion 0.0
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0x486000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 5a639191891c4ce806ee92490983abb9
SHA1 912453685833b13620f5955dcbb2b1d8bd68cf36
SHA256 7e89b900283b2fe0a2d73698eb9c0ce6e0262fcf64956253cbc14d8c8a0be811
SHA3 b50a468d4f7438ac91c81cd2991ea4dce8671d0b4593fd7805b7b92e02a2ea59
VirtualSize 0x747b8
VirtualAddress 0x1000
SizeOfRawData 0x74800
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.62703

.managed

MD5 9ec9205290cff2b22594ca479cb3a82f
SHA1 cce194c9e0f6147e45c429fdebfc30754b7ef3a0
SHA256 8e7f981dbd7b98d29db983b8851e5d84947a4638eda5e16ad363a7399b8320d8
SHA3 cc0303e22a24c65548e981e418293d1be2f51b210459358e97bc1e21fb6dc0bb
VirtualSize 0x19b208
VirtualAddress 0x76000
SizeOfRawData 0x19b400
PointerToRawData 0x74c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.42873

.rdata

MD5 c122a63995062bd2da35f2fbdd926de8
SHA1 963661661f74ce66f7617d163a0b5a9345027dc9
SHA256 5db593f84584318b8dd0e8458b53bc480af8e0703b4f9139b35f8bb366defd9c
SHA3 44d91ba8f4a169573c90966ff5b4bad671b5d0e15c225729f26a856153d12653
VirtualSize 0x203996
VirtualAddress 0x212000
SizeOfRawData 0x203a00
PointerToRawData 0x210000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 6.54389

.data

MD5 9c5e0a319de90dd852885de9e738a1a5
SHA1 14043cae0e7e52519f31a9bd6e74cd4e1a38402e
SHA256 fa6eb7b256083396c735ef621a781b558612c736ec89e909a8d6cd139bd8cf26
SHA3 49710eacf5df123d2f92b3366f7b5dd6379a662bfb9d665f0df04b4f88729ca4
VirtualSize 0x327c0
VirtualAddress 0x416000
SizeOfRawData 0x23000
PointerToRawData 0x413a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 3.58825

.pdata

MD5 0931c77c4199c5d0fc20e3b54e1537ca
SHA1 827eea79d436e7f7a4bf2a39dc1f742785500249
SHA256 e3173ab9e36ffafa23956dc337c91094e6564a56821dd160b2c21ee8276ae035
SHA3 3a5f3169bb1cc8b41cd4ab64ad693721ef724d4a45597ef412fdf523a6acf568
VirtualSize 0x27a8c
VirtualAddress 0x449000
SizeOfRawData 0x27c00
PointerToRawData 0x436a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 6.32563

_RDATA

MD5 b9bd4f71c1a70c1e90c6c146bb0e5d1a
SHA1 30855b2e36e677ba4731c229165265c5e07100ea
SHA256 14ea68ac1b3cc9d24b8b75c1b6e467b7d9ff7d843ce83cc00131a972f94ce905
SHA3 8d73883d3e0e2b845b2823b26e299b4e5ec95df39ca2e83919fc2bf318808772
VirtualSize 0x94
VirtualAddress 0x471000
SizeOfRawData 0x200
PointerToRawData 0x45e600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 1.42886

.rsrc

MD5 8c9f1ba0c8d2b962d9c8bb3c9943e005
SHA1 2e17ed6e088fe4bfc76484fbd7d0f9730646e8cd
SHA256 b53885016f72844ef23be264716b19c12d460754d56fe240662ec0d62ac5b0d7
SHA3 9b3f516d87bc210c81ab5e66118580a101c427715b2aaa03a1b6c3537ade78ab
VirtualSize 0x568
VirtualAddress 0x472000
SizeOfRawData 0x600
PointerToRawData 0x45e800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 3.95014

.reloc

MD5 499be1dc371f11ce7ade223ae39d97d2
SHA1 874aae1b7bf2fe32f4402486406dd123c131459f
SHA256 bdaec8f4ed3d6113bb58039df4aa91913747548ecf5e28d655aea95aa670efbf
SHA3 c74dd64fef87aa3ebdc98506279f6a300c50e37a7826d032e77a464ec10081a2
VirtualSize 0x12504
VirtualAddress 0x473000
SizeOfRawData 0x12600
PointerToRawData 0x45ee00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 5.45416

Imports

ADVAPI32.dll EventSetInformation
EventUnregister
RegCloseKey
EventActivityIdControl
EventRegister
EnumerateTraceGuidsEx
EventWriteTransfer
RegEnumKeyExW
RegEnumValueW
RegOpenKeyExW
RegQueryValueExW
EventWrite
EventEnabled
OpenProcessToken
AdjustTokenPrivileges
LookupPrivilegeValueW
bcrypt.dll BCryptGenRandom
KERNEL32.dll CreateFileW
SetFilePointerEx
GetCPInfoExW
SetLastError
FormatMessageW
GetLastError
GetConsoleCP
GetConsoleMode
GetConsoleOutputCP
GetFileType
GetStdHandle
MultiByteToWideChar
ReadFile
ReadConsoleW
WideCharToMultiByte
WriteFile
WriteConsoleW
LocalFree
GetTickCount64
GetCurrentProcessId
FileTimeToSystemTime
GetSystemTime
TzSpecificLocalTimeToSystemTime
SystemTimeToFileTime
Sleep
GetCurrentProcessorNumber
GetCurrentProcess
GetCurrentThread
CreateThreadpoolWork
CloseThreadpoolWork
SubmitThreadpoolWork
CreateThreadpoolTimer
SetThreadpoolTimer
InitializeCriticalSection
InitializeConditionVariable
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
WakeConditionVariable
CompareStringEx
FindNLSStringEx
LCIDToLocaleName
GetUserPreferredUILanguages
FindStringOrdinal
GetProcAddress
GetCPInfo
LocalAlloc
RaiseFailFastException
WaitForMultipleObjectsEx
DuplicateHandle
GetThreadPriority
SetThreadPriority
LocaleNameToLCID
LCMapStringEx
CompareStringOrdinal
GetLocaleInfoEx
EnumTimeFormatsEx
GetCalendarInfoEx
EnumCalendarInfoExEx
ResolveLocaleName
SleepConditionVariableCS
ExpandEnvironmentStringsW
FreeLibrary
GetSystemDirectoryW
LoadLibraryExW
GetFileMUIPath
OutputDebugStringW
QueryUnbiasedInterruptTime
GetDynamicTimeZoneInformation
GetTimeZoneInformation
CloseHandle
SetEvent
ResetEvent
CreateEventExW
VerSetConditionMask
FlushProcessWriteBuffers
GetCurrentThreadId
WaitForSingleObjectEx
RaiseException
GetSystemInfo
VirtualQuery
AddVectoredExceptionHandler
FlsAlloc
FlsGetValue
FlsSetValue
CreateEventW
SwitchToThread
CreateThread
SuspendThread
ResumeThread
GetThreadContext
VirtualAlloc
VirtualProtect
VirtualFree
GetModuleHandleExW
QueryPerformanceCounter
QueryPerformanceFrequency
GetSystemTimeAsFileTime
InitializeCriticalSectionEx
GetEnvironmentVariableW
DebugBreak
WaitForSingleObject
SleepEx
GlobalMemoryStatusEx
GetTickCount
GetLogicalProcessorInformation
GetLogicalProcessorInformationEx
GetLargePageMinimum
VirtualUnlock
GetWriteWatch
ResetWriteWatch
VirtualAllocExNuma
IsProcessInJob
QueryInformationJobObject
GetNumaHighestNodeNumber
GetProcessAffinityMask
K32GetProcessMemoryInfo
FlushFileBuffers
HeapReAlloc
HeapSize
GetProcessHeap
LCMapStringW
CompareStringW
InitializeCriticalSectionAndSpinCount
GetModuleHandleW
InitializeSListHead
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
IsDebuggerPresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetStartupInfoW
IsProcessorFeaturePresent
TerminateProcess
RtlUnwindEx
RtlPcToFileHeader
EncodePointer
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetModuleFileNameW
ExitProcess
GetCommandLineA
GetCommandLineW
HeapAlloc
HeapFree
FindClose
FindFirstFileExW
FindNextFileW
IsValidCodePage
GetACP
GetOEMCP
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
SetStdHandle
GetStringTypeW
ole32.dll CoWaitForMultipleHandles
CoUninitialize
CoInitializeEx
CoTaskMemFree
CoGetApartmentType
CoCreateGuid
CoTaskMemAlloc
USER32.dll LoadStringW

Delayed Imports

1

Type RT_VERSION
Language UNKNOWN
Codepage UNKNOWN
Size 0x2d4
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.19287
MD5 515e09a28163e0d183babac80d544132
SHA1 5548146e3e39d8714d923dabb99832cf5328bdcd
SHA256 0fd7270e46517887804ebd811e85ab375e9f8e3c73b32efa1c4227942cdd9d92
SHA3 f901b87f116f5762d67e96500c204402996c593d58dbc1df964eb1792ef4590a

1 (#2)

Type RT_MANIFEST
Language UNKNOWN
Codepage UNKNOWN
Size 0x1ea
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.00112
MD5 b7db84991f23a680df8e95af8946f9c9
SHA1 cac699787884fb993ced8d7dc47b7c522c7bc734
SHA256 539dc26a14b6277e87348594ab7d6e932d16aabb18612d77f29fe421a9f1d46a
SHA3 4f72877413d13a67b52b292a8524e2c43a15253c26aaf6b5d0166a65bc615cff

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 1.0.0.0
ProductVersion 1.0.0.0
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT_WINDOWS32
VOS__WINDOWS32
FileType VFT_APP
Language UNKNOWN
CompanyName HelloWorld
FileDescription HelloWorld
FileVersion (#2) 1.0.0.0
InternalName HelloWorld.dll
LegalCopyright
OriginalFilename HelloWorld.dll
ProductName HelloWorld
ProductVersion (#2) 1.0.0
Assembly Version 1.0.0.0
Resource LangID UNKNOWN

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2021-Jan-15 11:19:45
Version 0.0
SizeofData 134
AddressOfRawData 0x3b6d1c
PointerToRawData 0x3b4d1c
Referenced File C:\Users\PHoetger\source\repos\runtimelab\samples\HelloWorld\bin\release\net5.0\win-x64\native\HelloWorld.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics 0
TimeDateStamp 2021-Jan-15 11:19:45
Version 0.0
SizeofData 20
AddressOfRawData 0x3b6da4
PointerToRawData 0x3b4da4

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 2021-Jan-15 11:19:45
Version 0.0
SizeofData 1172
AddressOfRawData 0x3b6db8
PointerToRawData 0x3b4db8

TLS Callbacks

StartAddressOfRawData 0x1403b7280
EndAddressOfRawData 0x1403b7390
AddressOfIndex 0x140447490
AddressOfCallbacks 0x140212700
SizeOfZeroFill 0
Characteristics IMAGE_SCN_ALIGN_16BYTES
Callbacks 0x000000014005DEB8

Load Configuration

Size 0x138
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x140438518

RICH Header

XOR Key 0x1dddfba1
Unmarked objects 0
C objects (26715) 21
ASM objects (26715) 17
C++ objects (26715) 139
C objects (VS 2015/2017/2019 runtime 29118) 16
ASM objects (VS 2015/2017/2019 runtime 29118) 9
C++ objects (VS 2015/2017/2019 runtime 29118) 51
Imports (26715) 11
Total imports 203
ASM objects (VS2019 Update 8 (16.8.2) compiler 29334) 13
C++ objects (VS2019 Update 8 (16.8.2) compiler 29334) 65
Unmarked objects (#2) 1
Resource objects (29336) 1
Linker (29336) 1

Errors
