ba24bc0d388fc18039389b97cfc257baa0c29c282508c2750bf2d4687449ecd8

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2022-Apr-18 19:35:57
Debug artifacts D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\cli\apphost\Release\apphost.pdb
CompanyName SampleScanner
FileDescription SampleScanner
FileVersion 1.0.0.0
InternalName SampleScanner.dll
LegalCopyright
OriginalFilename SampleScanner.dll
ProductName SampleScanner
ProductVersion 1.0.0
Assembly Version 1.0.0.0

Plugin Output

Info Interesting strings found in the binary: Contains domain names:
  • go.microsoft.com
  • https://aka.ms
  • https://go.microsoft.com
  • https://go.microsoft.com/fwlink/?linkid
  • microsoft.com
Suspicious The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryExW
  • LoadLibraryA
Functions which can be used for anti-debugging purposes:
  • SwitchToThread
Can access the registry:
  • RegOpenKeyExW
  • RegCloseKey
  • RegGetValueW
Possibly launches other programs:
  • ShellExecuteW
Safe VirusTotal score: 0/72 (Scanned on 2025-10-28 14:01:08) All the AVs think this file is safe.

Hashes

MD5 8fca36f6586cbc68c2b994d2025167bf
SHA1 8741f91866c92a79a59d8022474a70ac219db3c6
SHA256 ba24bc0d388fc18039389b97cfc257baa0c29c282508c2750bf2d4687449ecd8
SHA3 62f5608a2c79880d0b89c2ef761e16dc28c2e5bd7af5e5f0a07bdadde5dba1c7
SSDeep 3072:06eSqsywT/IiODn5Ikt8pKO9WpheWyutIRwrc52uF0g:0LDn5I7p8henav
Imports Hash 7d19699275e08b389d5869dc7132efbc

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xe0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 6
TimeDateStamp 2022-Apr-18 19:35:57
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LARGE_ADDRESS_AWARE

Image Optional Header

Magic PE32+
LinkerVersion 14.0
SizeOfCode 0x17e00
SizeOfInitializedData 0x12800
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0000000000014670 (Section: .text)
BaseOfCode 0x1000
ImageBase 0x140000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.0
ImageVersion 0.0
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0x2f000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, IMAGE_DLLCHARACTERISTICS_GUARD_CF, IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA, IMAGE_DLLCHARACTERISTICS_NX_COMPAT, IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x180000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 216dd7a2817df50e9e6b272acb93fb34
SHA1 4ebcd30eab736ad4ca836be6c3d7b96112e76dd4
SHA256 e9673bff7ef7b9faefb68c9d61243f589609da1a2c424f39439f0916b92cc21a
SHA3 7bdeea2f619cf9fbcbb52992959dc42e9e7d138ceac37b2a6232ee247b0f9e50
VirtualSize 0x17d2c
VirtualAddress 0x1000
SizeOfRawData 0x17e00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Entropy 6.28876

.rdata

MD5 4da6301b79f961ab490c0aabcb85b664
SHA1 82ba713b346ad63fb1d0eb9735b9a180c0295d41
SHA256 e28eecff2249364579145c585cb5f9e932057e16df3b241f5543f4df985706e7
SHA3 3fa339b44007b70c7c81b08307b817f8ea64df6dd7aa0b9c19a2a748411eff0c
VirtualSize 0xf224
VirtualAddress 0x19000
SizeOfRawData 0xf400
PointerToRawData 0x18200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Entropy 4.07878

.data

MD5 3d167ebf15d21289797eaaaa3475e38c
SHA1 af446a7f01c8f240dc4fa83a2e9511bd4ebfdd47
SHA256 f5ff17f12a6047ce90a71ab4b0cc841a71a47bedcfdfa76a3c60cf5c8a2340eb
SHA3 f582e4c9050067a3ccb1efde74ed8cbf4352ecfa9e5d36c016ba87aeec40289a
VirtualSize 0x19e8
VirtualAddress 0x29000
SizeOfRawData 0xe00
PointerToRawData 0x27600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Entropy 3.0477

.pdata

MD5 ad3aa24ead057028f8a736848e12226d
SHA1 634c73ff32cf0ba0e5fd45f211238f5a410503a9
SHA256 ac79d68bfec5de29db71b3c60bf36e98a660968f208c069799821d30e85c5910
SHA3 65da589958d52d0f2cd73f137ee62ec2d8c1792a684f35713534b253b4336d4d
VirtualSize 0x162c
VirtualAddress 0x2b000
SizeOfRawData 0x1800
PointerToRawData 0x28400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Entropy 4.93756

.rsrc

MD5 e94af6f916a1c953b0bfe82cf325ac17
SHA1 9933e41e70ddf86c1c06887ed348233caf8963c6
SHA256 40c745a73c596c016ae4505a26757b443d6552562a7cd58154dfc17a4c975437
SHA3 825887faca597c628485a50ff4bccb5f6ac4ca18a18a4512c603cb9b6465a72d
VirtualSize 0x574
VirtualAddress 0x2d000
SizeOfRawData 0x600
PointerToRawData 0x29c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Entropy 4.55115

.reloc

MD5 05be7ed921d5c0fae5a104480b388060
SHA1 0c01dc75ba0b625f29edaaded71ae19700b4f7bf
SHA256 c8464272e4953013b1294b7c87fc252d2cd405bdb41b0f3196c08f3fdf753c0f
SHA3 30cebbb94fb1349a202174f80843dbcc0c851ba0e216346a2d21a1f47d13bc2b
VirtualSize 0x6dc
VirtualAddress 0x2e000
SizeOfRawData 0x800
PointerToRawData 0x2a200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Entropy 5.0707

Imports

KERNEL32.dll:
  • FindClose
  • FindFirstFileExW
  • FindNextFileW
  • GetFileAttributesExW
  • GetFullPathNameW
  • GetTempPathW
  • GetLastError
  • InitializeCriticalSection
  • EnterCriticalSection
  • LeaveCriticalSection
  • GetEnvironmentVariableW
  • GetCurrentProcess
  • IsWow64Process
  • GetModuleFileNameW
  • GetModuleHandleExW
  • GetProcAddress
  • LoadLibraryExW
  • LoadLibraryA
  • MultiByteToWideChar
  • WideCharToMultiByte
  • FreeLibrary
  • RtlUnwindEx
  • RaiseException
  • OutputDebugStringW
  • GetModuleHandleW
  • GetCurrentProcessId
  • Sleep
  • RemoveDirectoryW
  • DeleteCriticalSection
  • CreateDirectoryW
  • RtlPcToFileHeader
  • InitializeSListHead
  • GetCurrentThreadId
  • QueryPerformanceCounter
  • IsDebuggerPresent
  • IsProcessorFeaturePresent
  • TerminateProcess
  • SetUnhandledExceptionFilter
  • UnhandledExceptionFilter
  • RtlVirtualUnwind
  • RtlLookupFunctionEntry
  • RtlCaptureContext
  • LCMapStringW
  • GetSystemTimeAsFileTime
  • TlsFree
  • TlsSetValue
  • TlsGetValue
  • TlsAlloc
  • SwitchToThread
  • InitializeCriticalSectionAndSpinCount
  • SetLastError
  • DecodePointer
  • EncodePointer
  • GetStringTypeW
USER32.dll:
  • MessageBoxW
SHELL32.dll:
  • ShellExecuteW
ADVAPI32.dll:
  • RegOpenKeyExW
  • RegCloseKey
  • ReportEventW
  • RegisterEventSourceW
  • DeregisterEventSource
  • RegGetValueW
api-ms-win-crt-runtime-l1-1-0.dll:
  • _initialize_wide_environment
  • _set_app_type
  • _invalid_parameter_noinfo_noreturn
  • _seh_filter_exe
  • _cexit
  • _crt_atexit
  • _register_onexit_function
  • terminate
  • _configure_wide_argv
  • exit
  • _exit
  • __p___argc
  • __p___wargv
  • _c_exit
  • _register_thread_local_exe_atexit_callback
  • abort
  • _get_initial_wide_environment
  • _errno
  • _initterm
  • _initialize_onexit_table
  • _initterm_e
api-ms-win-crt-heap-l1-1-0.dll:
  • malloc
  • calloc
  • free
  • _callnewh
  • _set_new_mode
api-ms-win-crt-math-l1-1-0.dll:
  • __setusermatherr
  • frexp
api-ms-win-crt-stdio-l1-1-0.dll:
  • _wfopen
  • __stdio_common_vswprintf
  • fclose
  • fread
  • fseek
  • fwrite
  • __acrt_iob_func
  • _set_fmode
  • fputwc
  • fputws
  • __stdio_common_vfwprintf
  • fflush
  • __p__commode
  • __stdio_common_vsprintf_s
api-ms-win-crt-string-l1-1-0.dll:
  • _wcsicmp
  • _wcsdup
  • _wcsnicmp
  • wcsncmp
  • strcspn
  • wcsnlen
  • memset
  • strcpy_s
api-ms-win-crt-locale-l1-1-0.dll:
  • _unlock_locales
  • __pctype_func
  • ___lc_locale_name_func
  • ___mb_cur_max_func
  • setlocale
  • _configthreadlocale
  • _lock_locales
  • localeconv
  • ___lc_codepage_func
api-ms-win-crt-filesystem-l1-1-0.dll:
  • _wremove
  • _wrename
api-ms-win-crt-convert-l1-1-0.dll:
  • _wtoi
  • wcstoul
api-ms-win-crt-time-l1-1-0.dll:
  • wcsftime
  • _gmtime64
  • _time64

Delayed Imports

1

Type RT_VERSION
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x2e8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.21488
MD5 c7ebfb45e4eebe36ff9ee868176c46c6
SHA1 bec99a28df0eceb85a79399220edfdfac139bec5
SHA256 58043f55d58b9c4e31663af31cb96d0e756c743bedc386d41cabc9ffa2a0f4f1
SHA3 ecd7c67f45f94d07ee191df62bb81e82ef6197b9c975ec7de4cce8996667b571

1 (#2)

Type RT_MANIFEST
Language UNKNOWN
Codepage Latin 1 / Western European
Size 0x1ea
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.00112
MD5 b7db84991f23a680df8e95af8946f9c9
SHA1 cac699787884fb993ced8d7dc47b7c522c7bc734
SHA256 539dc26a14b6277e87348594ab7d6e932d16aabb18612d77f29fe421a9f1d46a
SHA3 4f72877413d13a67b52b292a8524e2c43a15253c26aaf6b5d0166a65bc615cff

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 1.0.0.0
ProductVersion 1.0.0.0
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32, VOS_NT_WINDOWS32, VOS__WINDOWS32
FileType VFT_APP
Language UNKNOWN
CompanyName SampleScanner
FileDescription SampleScanner
FileVersion (#2) 1.0.0.0
InternalName SampleScanner.dll
LegalCopyright
OriginalFilename SampleScanner.dll
ProductName SampleScanner
ProductVersion (#2) 1.0.0
Assembly Version 1.0.0.0
Resource LangID UNKNOWN

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2022-Apr-18 19:35:57
Version 0.0
SizeofData 110
AddressOfRawData 0x23aa4
PointerToRawData 0x22ca4
Referenced File D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\cli\apphost\Release\apphost.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics 0
TimeDateStamp 2022-Apr-18 19:35:57
Version 0.0
SizeofData 20
AddressOfRawData 0x23b14
PointerToRawData 0x22d14

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 2022-Apr-18 19:35:57
Version 0.0
SizeofData 884
AddressOfRawData 0x23b28
PointerToRawData 0x22d28

TLS Callbacks

StartAddressOfRawData 0x140023ec0
EndAddressOfRawData 0x140023ed0
AddressOfIndex 0x14002a2b8
AddressOfCallbacks 0x140019520
SizeOfZeroFill 0
Characteristics IMAGE_SCN_ALIGN_8BYTES
Callbacks (EMPTY)

Load Configuration

Size 0x100
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x140029568
GuardCFCheckFunctionPointer 5368812648
GuardCFDispatchFunctionPointer 0
GuardCFFunctionTable 0
GuardCFFunctionCount 0
GuardFlags (EMPTY)
CodeIntegrity.Flags 0
CodeIntegrity.Catalog 0
CodeIntegrity.CatalogOffset 0
CodeIntegrity.Reserved 0
GuardAddressTakenIatEntryTable 0
GuardAddressTakenIatEntryCount 0
GuardLongJumpTargetTable 0
GuardLongJumpTargetCount 0

RICH Header

XOR Key 0x4070d489
Unmarked objects 0
ASM objects (VS 2015/2017 runtime 26706) 8
C++ objects (VS 2015/2017 runtime 26706) 63
C objects (VS 2015/2017 runtime 26706) 28
Imports (VS2008 SP1 build 30729) 18
Imports (VS2015/2017 runtime 25711) 9
Total imports 169
C++ objects (27045) 13
Linker (27045) 1

Errors
