Verdict | Malicious |
Classifications | Spyware |
Threat Names | Trojan.GenericKDZ.75562 |
Dynamic Analysis Report
Created on 2021-09-28T10:36:00
ff3aa75e4d4637599d3e97fb8b42ce8a1254425f856671ae56377df2676b1033.exe.dll
Windows DLL (x86-64)
Remarks (2/2)
(0x02000009): DLL files normally need to be submitted with an appropriate loader. Analysis result may be incomplete if an appropriate loader was not submitted.
(0x0200000E): The overall sleep time of all monitored processes was truncated from "1 minute, 23 seconds" to "86.0 milliseconds" to reveal dormant functionality.
This is a filtered view: the list contains only the embedded, downloaded, and dropped files.
File Name | Category | Type | Verdict |
---|---|---|---|
C:\Users\RDhJ0CNFevzX\Desktop\ff3aa75e4d4637599d3e97fb8b42ce8a1254425f856671ae56377df2676b1033.exe.dll | Sample File | Binary | malicious |
AV Matches (1)
Threat Name | Verdict |
---|---|
Trojan.GenericKDZ.75562 | malicious |
PE Information
Image Base | 0x140000000 |
Entry Point | 0x140078760 |
Size Of Code | 0x7c000 |
Size Of Initialized Data | 0x92000 |
File Type | FileType.dll |
Subsystem | Subsystem.windows_gui |
Machine Type | MachineType.amd64 |
Compile Timestamp | 2021-05-26 06:36:52+00:00 |
Version Information (8)
CompanyName | NirSoft |
FileDescription | ProduKey |
FileVersion | 9.74 |
InternalName | TeltwFoo |
LegalCopyright | Copyright © 2005 - 2009 Nir Sofer |
OriginalFilename | TeltwFoo.exe |
ProductName | TeltwFoo |
ProductVersion | 9.74 |
Sections (28)
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text | 0x140001000 | 0x7bb10 | 0x7c000 | 0x1000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.85 |
.rdata | 0x14007d000 | 0xc210 | 0xd000 | 0x7d000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.62 |
.data | 0x14008a000 | 0xd218 | 0xe000 | 0x8a000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.89 |
.pdata | 0x140098000 | 0x138 | 0x1000 | 0x98000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.59 |
.rsrc | 0x140099000 | 0x2f98 | 0x3000 | 0x99000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.74 |
.reloc | 0x14009c000 | 0x244 | 0x1000 | 0x9c000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 1.24 |
- | 0x14009d000 | 0x6cd0 | 0x7000 | 0x9d000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x1400a4000 | 0x1f2a | 0x2000 | 0xa4000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x1400a6000 | 0x13e | 0x1000 | 0xa6000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x1400a7000 | 0x6cd0 | 0x7000 | 0xa7000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x1400ae000 | 0x7fd | 0x1000 | 0xae000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x1400af000 | 0x13e | 0x1000 | 0xaf000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x1400b0000 | 0x1f7 | 0x1000 | 0xb0000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x1400b1000 | 0x23b | 0x1000 | 0xb1000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x1400b2000 | 0x1278 | 0x2000 | 0xb2000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x1400b4000 | 0x13e | 0x1000 | 0xb4000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x1400b5000 | 0x9cd | 0x1000 | 0xb5000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x1400b6000 | 0x1124 | 0x2000 | 0xb6000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x1400b8000 | 0x23b | 0x1000 | 0xb8000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x1400b9000 | 0x896 | 0x1000 | 0xb9000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x1400ba000 | 0x6cd0 | 0x7000 | 0xba000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x1400c1000 | 0x13e | 0x1000 | 0xc1000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x1400c2000 | 0x1af | 0x1000 | 0xc2000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x1400c3000 | 0x45174 | 0x46000 | 0xc3000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x140109000 | 0x197d | 0x2000 | 0x109000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x14010b000 | 0x197d | 0x2000 | 0x10b000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x14010d000 | 0x1ee | 0x1000 | 0x10d000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x14010e000 | 0x36d | 0x1000 | 0x10e000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 1.67 |
Imports (1)
CRYPT32.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
CryptImportPublicKeyInfo | - | 0x14007d000 | 0x891d8 | 0x891d8 | 0xa1 |
Exports (24)
Api name | EAT Address | Ordinal |
---|---|---|
CheckDriverSoftwareDependenciesSatisfied | 0x296ac | 0x1 |
DeviceInternetSettingUiW | 0x4a758 | 0x2 |
DiInstallDevice | 0x6f114 | 0x3 |
DiInstallDriverA | 0x97c8 | 0x4 |
DiInstallDriverW | 0x430c8 | 0x5 |
DiRollbackDriver | 0x46938 | 0x6 |
DiShowUpdateDevice | 0xd420 | 0x7 |
DiShowUpdateDriver | 0x43b6c | 0x8 |
DiUninstallDevice | 0x2b514 | 0x9 |
DiUninstallDriverA | 0x1b7c0 | 0xa |
DiUninstallDriverW | 0x59c8c | 0xb |
GetInternetPolicies | 0x4b8a4 | 0xc |
InstallNewDevice | 0x38e68 | 0xd |
InstallSelectedDriver | 0x45cac | 0xe |
InstallWindowsUpdateDriver | 0x2e854 | 0xf |
InstallWindowsUpdateDriverEx | 0x5c290 | 0x10 |
InstallWindowsUpdateDrivers | 0x116a8 | 0x11 |
QueryWindowsUpdateDriverStatus | 0x782d0 | 0x12 |
SetInternetPolicies | 0x2bb64 | 0x13 |
UpdateDriverForPlugAndPlayDevicesA | 0x5c30 | 0x14 |
UpdateDriverForPlugAndPlayDevicesW | 0x558a0 | 0x15 |
pDiDoDeviceInstallAsAdmin | 0x4f77c | 0x16 |
pDiDoNullDriverInstall | 0x52f18 | 0x17 |
pDiRunFinishInstallOperations | 0x669bc | 0x18 |
C:\Users\RDhJ0CNFevzX\AppData\Local\YFh\VERSION.dll | Dropped File | Binary | malicious |
AV Matches (1)
Threat Name | Verdict |
---|---|
Trojan.GenericKDZ.75562 | malicious |
PE Information
Image Base | 0x140000000 |
Entry Point | 0x140078760 |
Size Of Code | 0x7c000 |
Size Of Initialized Data | 0x93000 |
File Type | FileType.dll |
Subsystem | Subsystem.windows_gui |
Machine Type | MachineType.amd64 |
Compile Timestamp | 2021-05-26 06:36:52+00:00 |
Version Information (8)
CompanyName | NirSoft |
FileDescription | ProduKey |
FileVersion | 9.74 |
InternalName | TeltwFoo |
LegalCopyright | Copyright © 2005 - 2009 Nir Sofer |
OriginalFilename | TeltwFoo.exe |
ProductName | TeltwFoo |
ProductVersion | 9.74 |
Sections (29)
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text | 0x140001000 | 0x7bb10 | 0x7c000 | 0x1000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.85 |
.rdata | 0x14007d000 | 0xc210 | 0xd000 | 0x7d000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.62 |
.data | 0x14008a000 | 0xd218 | 0xe000 | 0x8a000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.89 |
.pdata | 0x140098000 | 0x138 | 0x1000 | 0x98000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.59 |
.rsrc | 0x140099000 | 0x2f98 | 0x3000 | 0x99000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.74 |
.reloc | 0x14009c000 | 0x244 | 0x1000 | 0x9c000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 1.24 |
- | 0x14009d000 | 0x6cd0 | 0x7000 | 0x9d000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x1400a4000 | 0x1f2a | 0x2000 | 0xa4000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x1400a6000 | 0x13e | 0x1000 | 0xa6000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x1400a7000 | 0x6cd0 | 0x7000 | 0xa7000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x1400ae000 | 0x7fd | 0x1000 | 0xae000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x1400af000 | 0x13e | 0x1000 | 0xaf000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x1400b0000 | 0x1f7 | 0x1000 | 0xb0000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x1400b1000 | 0x23b | 0x1000 | 0xb1000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x1400b2000 | 0x1278 | 0x2000 | 0xb2000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x1400b4000 | 0x13e | 0x1000 | 0xb4000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x1400b5000 | 0x9cd | 0x1000 | 0xb5000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x1400b6000 | 0x1124 | 0x2000 | 0xb6000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x1400b8000 | 0x23b | 0x1000 | 0xb8000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x1400b9000 | 0x896 | 0x1000 | 0xb9000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x1400ba000 | 0x6cd0 | 0x7000 | 0xba000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x1400c1000 | 0x13e | 0x1000 | 0xc1000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x1400c2000 | 0x1af | 0x1000 | 0xc2000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x1400c3000 | 0x45174 | 0x46000 | 0xc3000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x140109000 | 0x197d | 0x2000 | 0x109000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x14010b000 | 0x197d | 0x2000 | 0x10b000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x14010d000 | 0x1ee | 0x1000 | 0x10d000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x14010e000 | 0x36d | 0x1000 | 0x10e000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x14010f000 | 0x23b | 0x1000 | 0x10f000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 1.12 |
Imports (1)
CRYPT32.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
CryptImportPublicKeyInfo | - | 0x14007d000 | 0x891d8 | 0x891d8 | 0xa1 |
Exports (17)
Api name | EAT Address | Ordinal |
---|---|---|
GetFileVersionInfoA | 0x1dc8c | 0x1 |
GetFileVersionInfoByHandle | 0x28d9c | 0x2 |
GetFileVersionInfoExA | 0x259d4 | 0x3 |
GetFileVersionInfoExW | 0x41fdc | 0x4 |
GetFileVersionInfoSizeA | 0x3fe80 | 0x5 |
GetFileVersionInfoSizeExA | 0xfe64 | 0x6 |
GetFileVersionInfoSizeExW | 0x64a9c | 0x7 |
GetFileVersionInfoSizeW | 0x3d290 | 0x8 |
GetFileVersionInfoW | 0x2357c | 0x9 |
VerFindFileA | 0x767d4 | 0xa |
VerFindFileW | 0x6eb4 | 0xb |
VerInstallFileA | 0xd0d8 | 0xc |
VerInstallFileW | 0x2f428 | 0xd |
VerLanguageNameA | 0x7021c | 0xe |
VerLanguageNameW | 0x23f30 | 0xf |
VerQueryValueA | 0x4634c | 0x10 |
VerQueryValueW | 0x7a508 | 0x11 |
C:\Users\RDhJ0CNFevzX\AppData\Local\cVf9G\FVEWIZ.dll | Dropped File | Binary | malicious |
AV Matches (1)
Threat Name | Verdict |
---|---|
Trojan.GenericKDZ.75562 | malicious |
PE Information
Image Base | 0x140000000 |
Entry Point | 0x140078760 |
Size Of Code | 0x7c000 |
Size Of Initialized Data | 0x93000 |
File Type | FileType.dll |
Subsystem | Subsystem.windows_gui |
Machine Type | MachineType.amd64 |
Compile Timestamp | 2021-05-26 06:36:52+00:00 |
Version Information (8)
CompanyName | NirSoft |
FileDescription | ProduKey |
FileVersion | 9.74 |
InternalName | TeltwFoo |
LegalCopyright | Copyright © 2005 - 2009 Nir Sofer |
OriginalFilename | TeltwFoo.exe |
ProductName | TeltwFoo |
ProductVersion | 9.74 |
Sections (29)
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text | 0x140001000 | 0x7bb10 | 0x7c000 | 0x1000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.85 |
.rdata | 0x14007d000 | 0xc210 | 0xd000 | 0x7d000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.62 |
.data | 0x14008a000 | 0xd218 | 0xe000 | 0x8a000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.89 |
.pdata | 0x140098000 | 0x138 | 0x1000 | 0x98000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.59 |
.rsrc | 0x140099000 | 0x2f98 | 0x3000 | 0x99000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.74 |
.reloc | 0x14009c000 | 0x244 | 0x1000 | 0x9c000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 1.24 |
- | 0x14009d000 | 0x6cd0 | 0x7000 | 0x9d000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x1400a4000 | 0x1f2a | 0x2000 | 0xa4000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x1400a6000 | 0x13e | 0x1000 | 0xa6000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x1400a7000 | 0x6cd0 | 0x7000 | 0xa7000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x1400ae000 | 0x7fd | 0x1000 | 0xae000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x1400af000 | 0x13e | 0x1000 | 0xaf000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x1400b0000 | 0x1f7 | 0x1000 | 0xb0000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x1400b1000 | 0x23b | 0x1000 | 0xb1000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x1400b2000 | 0x1278 | 0x2000 | 0xb2000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x1400b4000 | 0x13e | 0x1000 | 0xb4000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x1400b5000 | 0x9cd | 0x1000 | 0xb5000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x1400b6000 | 0x1124 | 0x2000 | 0xb6000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x1400b8000 | 0x23b | 0x1000 | 0xb8000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x1400b9000 | 0x896 | 0x1000 | 0xb9000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x1400ba000 | 0x6cd0 | 0x7000 | 0xba000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x1400c1000 | 0x13e | 0x1000 | 0xc1000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x1400c2000 | 0x1af | 0x1000 | 0xc2000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x1400c3000 | 0x45174 | 0x46000 | 0xc3000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x140109000 | 0x197d | 0x2000 | 0x109000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x14010b000 | 0x197d | 0x2000 | 0x10b000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x14010d000 | 0x1ee | 0x1000 | 0x10d000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x14010e000 | 0x36d | 0x1000 | 0x10e000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
- | 0x14010f000 | 0x82b | 0x1000 | 0x10f000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.61 |
Imports (1)
CRYPT32.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
CryptImportPublicKeyInfo | - | 0x14007d000 | 0x891d8 | 0x891d8 | 0xa1 |
Exports (40)
Api name | EAT Address | Ordinal |
---|---|---|
??0VolumeFveStatus@@IEAA@XZ | 0x60920 | 0x1 |
??0VolumeFveStatus@@QEAA@K_KJW4_FVE_WIPING_STATE@@@Z | 0xdca8 | 0x2 |
??4BuiVolume@@QEAAAEAV0@AEBV0@@Z | 0x78078 | 0x3 |
??4VolumeFveStatus@@QEAAAEAV0@AEBV0@@Z | 0xf394 | 0x4 |
?FailedDryRun@VolumeFveStatus@@QEBA_NXZ | 0x74a94 | 0x5 |
?GetExtendedFlags@VolumeFveStatus@@QEBA_KXZ | 0x4b79c | 0x6 |
?GetLastConvertStatus@VolumeFveStatus@@QEBAJXZ | 0x3341c | 0x7 |
?GetStatusFlags@VolumeFveStatus@@QEBAKXZ | 0x6b3f8 | 0x8 |
?HasExternalKey@VolumeFveStatus@@QEBA_NXZ | 0x77050 | 0x9 |
?HasPBKDF2RecoveryPassword@VolumeFveStatus@@QEBA_NXZ | 0xcc14 | 0xa |
?HasPassphraseProtector@VolumeFveStatus@@QEBA_NXZ | 0x749e4 | 0xb |
?HasPinProtector@VolumeFveStatus@@QEBA_NXZ | 0x2120 | 0xc |
?HasRecoveryData@VolumeFveStatus@@QEBA_NXZ | 0x43764 | 0xd |
?HasRecoveryPassword@VolumeFveStatus@@QEBA_NXZ | 0x3c1f4 | 0xe |
?HasSmartCardProtector@VolumeFveStatus@@QEBA_NXZ | 0x2421c | 0xf |
?HasStartupKeyProtector@VolumeFveStatus@@QEBA_NXZ | 0x46ec0 | 0x10 |
?HasTpmProtector@VolumeFveStatus@@QEBA_NXZ | 0x15e38 | 0x11 |
?IsConverting@VolumeFveStatus@@QEBA_NXZ | 0x7246c | 0x12 |
?IsCsvMetadataVolume@VolumeFveStatus@@QEBA_NXZ | 0x5daf4 | 0x13 |
?IsDEAutoProvisioned@VolumeFveStatus@@QEBA_NXZ | 0x56bec | 0x14 |
?IsDecrypted@VolumeFveStatus@@QEBA_NXZ | 0x6270 | 0x15 |
?IsDecrypting@VolumeFveStatus@@QEBA_NXZ | 0x699e8 | 0x16 |
?IsDisabled@VolumeFveStatus@@QEBA_NXZ | 0x1c174 | 0x17 |
?IsEDriveVolume@VolumeFveStatus@@QEBA_NXZ | 0x4c88c | 0x18 |
?IsEncrypted@VolumeFveStatus@@QEBA_NXZ | 0x6e6bc | 0x19 |
?IsEncrypting@VolumeFveStatus@@QEBA_NXZ | 0xf6e4 | 0x1a |
?IsLocked@VolumeFveStatus@@QEBA_NXZ | 0x663d0 | 0x1b |
?IsOn@VolumeFveStatus@@QEBA_NXZ | 0x140bc | 0x1c |
?IsOsVolume@VolumeFveStatus@@QEBA_NXZ | 0x100d0 | 0x1d |
?IsPartiallyConverted@VolumeFveStatus@@QEBA_NXZ | 0x5de70 | 0x1e |
?IsPaused@VolumeFveStatus@@QEBA_NXZ | 0x24e4 | 0x1f |
?IsPreProvisioned@VolumeFveStatus@@QEBA_NXZ | 0x3aa98 | 0x20 |
?IsRoamingDevice@VolumeFveStatus@@QEBA_NXZ | 0x31cfc | 0x21 |
?IsSecure@VolumeFveStatus@@QEBA_NXZ | 0x6fcc0 | 0x22 |
?IsUnknownFveVersion@VolumeFveStatus@@QEBA_NXZ | 0x5cf4c | 0x23 |
?IsWiping@VolumeFveStatus@@QEBA_NXZ | 0x25c80 | 0x24 |
?NO_DRIVE_LETTER@BuiVolume@@2IB | 0x2be5c | 0x25 |
?NeedsRestart@VolumeFveStatus@@QEBA_NXZ | 0x4eb0 | 0x26 |
FveuiWizard | 0x3a864 | 0x27 |
FveuipClearFveWizOnStartup | 0x57d58 | 0x28 |
C:\Users\RDhJ0CNFevzX\AppData\Local\YFh\dvdupgrd.exe | Dropped File | Binary | suspicious |
PE Information
Image Base | 0x140000000 |
Entry Point | 0x140003cf0 |
Size Of Code | 0x3800 |
Size Of Initialized Data | 0x3600 |
File Type | FileType.executable |
Subsystem | Subsystem.windows_gui |
Machine Type | MachineType.amd64 |
Compile Timestamp | 2015-10-30 02:37:00+00:00 |
Version Information (8)
CompanyName | Microsoft Corporation |
FileDescription | DVDUpgrd |
FileVersion | 10.0.10586.0 (th2_release.151029-1700) |
InternalName | DVDUpgrd |
LegalCopyright | © Microsoft Corporation. All rights reserved. |
OriginalFilename | DVDUpgrd.EXE |
ProductName | Microsoft® Windows® Operating System |
ProductVersion | 10.0.10586.0 |
Sections (6)
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text | 0x140001000 | 0x3660 | 0x3800 | 0x400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.01 |
.rdata | 0x140005000 | 0x2082 | 0x2200 | 0x3c00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.18 |
.data | 0x140008000 | 0x600 | 0x200 | 0x5e00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.3 |
.pdata | 0x140009000 | 0x2a0 | 0x400 | 0x6000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.03 |
.rsrc | 0x14000a000 | 0x7e8 | 0x800 | 0x6400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.33 |
.reloc | 0x14000b000 | 0x20 | 0x200 | 0x6c00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.43 |
Imports (15)
ADVAPI32.dll (8)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
AllocateAndInitializeSid | - | 0x140005000 | 0x66c8 | 0x52c8 | 0x20 |
CheckTokenMembership | - | 0x140005008 | 0x66d0 | 0x52d0 | 0x5f |
RegSetValueExA | - | 0x140005010 | 0x66d8 | 0x52d8 | 0x2a5 |
RegQueryValueExA | - | 0x140005018 | 0x66e0 | 0x52e0 | 0x295 |
RegOpenKeyExA | - | 0x140005020 | 0x66e8 | 0x52e8 | 0x288 |
RegDeleteValueA | - | 0x140005028 | 0x66f0 | 0x52f0 | 0x26f |
RegOpenKeyA | - | 0x140005030 | 0x66f8 | 0x52f8 | 0x287 |
RegCloseKey | - | 0x140005038 | 0x6700 | 0x5300 | 0x258 |
KERNEL32.dll (21)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
GetLastError | - | 0x140005048 | 0x6710 | 0x5310 | 0x257 |
lstrcmpiA | - | 0x140005050 | 0x6718 | 0x5318 | 0x627 |
GlobalFree | - | 0x140005058 | 0x6720 | 0x5320 | 0x32b |
HeapSetInformation | - | 0x140005060 | 0x6728 | 0x5328 | 0x344 |
CloseHandle | - | 0x140005068 | 0x6730 | 0x5330 | 0x7c |
GetUserDefaultLCID | - | 0x140005070 | 0x6738 | 0x5338 | 0x309 |
GetSystemDefaultLCID | - | 0x140005078 | 0x6740 | 0x5340 | 0x2d2 |
GetSystemDirectoryW | - | 0x140005080 | 0x6748 | 0x5348 | 0x2d7 |
Sleep | - | 0x140005088 | 0x6750 | 0x5350 | 0x570 |
GetPrivateProfileStringA | - | 0x140005090 | 0x6758 | 0x5358 | 0x2a1 |
FindClose | - | 0x140005098 | 0x6760 | 0x5360 | 0x16e |
FindFirstFileA | - | 0x1400050a0 | 0x6768 | 0x5368 | 0x172 |
GetSystemDirectoryA | - | 0x1400050a8 | 0x6770 | 0x5370 | 0x2d6 |
ReadFile | - | 0x1400050b0 | 0x6778 | 0x5378 | 0x45f |
WideCharToMultiByte | - | 0x1400050b8 | 0x6780 | 0x5380 | 0x5ef |
GetWindowsDirectoryA | - | 0x1400050c0 | 0x6788 | 0x5388 | 0x31c |
lstrlenA | - | 0x1400050c8 | 0x6790 | 0x5390 | 0x630 |
lstrcmpA | - | 0x1400050d0 | 0x6798 | 0x5398 | 0x624 |
CreateFileA | - | 0x1400050d8 | 0x67a0 | 0x53a0 | 0xb8 |
lstrlenW | - | 0x1400050e0 | 0x67a8 | 0x53a8 | 0x631 |
CreateProcessW | - | 0x1400050e8 | 0x67b0 | 0x53b0 | 0xda |
USER32.dll (3)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
LoadStringW | - | 0x140005138 | 0x6800 | 0x5400 | 0x243 |
CharUpperW | - | 0x140005140 | 0x6808 | 0x5408 | 0x3c |
MessageBoxW | - | 0x140005148 | 0x6810 | 0x5410 | 0x260 |
msvcrt.dll (22)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
_callnewh | - | 0x140005230 | 0x68f8 | 0x54f8 | 0xbf |
memcpy | - | 0x140005238 | 0x6900 | 0x5500 | 0x492 |
_acmdln | - | 0x140005240 | 0x6908 | 0x5508 | 0xa2 |
malloc | - | 0x140005248 | 0x6910 | 0x5510 | 0x486 |
?terminate@@YAXXZ | - | 0x140005250 | 0x6918 | 0x5518 | 0x2f |
_commode | - | 0x140005258 | 0x6920 | 0x5520 | 0xd2 |
_fmode | - | 0x140005260 | 0x6928 | 0x5528 | 0x127 |
memset | - | 0x140005268 | 0x6930 | 0x5530 | 0x496 |
__C_specific_handler | - | 0x140005270 | 0x6938 | 0x5538 | 0x57 |
_initterm | - | 0x140005278 | 0x6940 | 0x5540 | 0x17d |
__setusermatherr | - | 0x140005280 | 0x6948 | 0x5548 | 0x90 |
_ismbblead | - | 0x140005288 | 0x6950 | 0x5550 | 0x199 |
_cexit | - | 0x140005290 | 0x6958 | 0x5558 | 0xc1 |
_exit | - | 0x140005298 | 0x6960 | 0x5560 | 0x10e |
exit | - | 0x1400052a0 | 0x6968 | 0x5568 | 0x432 |
__set_app_type | - | 0x1400052a8 | 0x6970 | 0x5570 | 0x8e |
__getmainargs | - | 0x1400052b0 | 0x6978 | 0x5578 | 0x7f |
_amsg_exit | - | 0x1400052b8 | 0x6980 | 0x5580 | 0xae |
_XcptFilter | - | 0x1400052c0 | 0x6988 | 0x5588 | 0x55 |
_vsnwprintf | - | 0x1400052c8 | 0x6990 | 0x5590 | 0x369 |
_vsnprintf | - | 0x1400052d0 | 0x6998 | 0x5598 | 0x363 |
free | - | 0x1400052d8 | 0x69a0 | 0x55a0 | 0x44c |
api-ms-win-core-com-l1-1-1.dll (2)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
CoCreateInstance | - | 0x140005178 | 0x6840 | 0x5440 | 0x8 |
CoUninitialize | - | 0x140005180 | 0x6848 | 0x5448 | 0x42 |
api-ms-win-core-processthreads-l1-1-2.dll (5)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
GetCurrentThreadId | - | 0x1400051b8 | 0x6880 | 0x5480 | 0x11 |
GetCurrentProcessId | - | 0x1400051c0 | 0x6888 | 0x5488 | 0xd |
GetCurrentProcess | - | 0x1400051c8 | 0x6890 | 0x5490 | 0xc |
TerminateProcess | - | 0x1400051d0 | 0x6898 | 0x5498 | 0x4b |
GetStartupInfoW | - | 0x1400051d8 | 0x68a0 | 0x54a0 | 0x20 |
api-ms-win-core-rtlsupport-l1-2-0.dll (3)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
RtlLookupFunctionEntry | - | 0x1400051f8 | 0x68c0 | 0x54c0 | 0x9 |
RtlVirtualUnwind | - | 0x140005200 | 0x68c8 | 0x54c8 | 0xf |
RtlCaptureContext | - | 0x140005208 | 0x68d0 | 0x54d0 | 0x2 |
api-ms-win-core-errorhandling-l1-1-1.dll (2)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
UnhandledExceptionFilter | - | 0x140005190 | 0x6858 | 0x5458 | 0x11 |
SetUnhandledExceptionFilter | - | 0x140005198 | 0x6860 | 0x5460 | 0xf |
api-ms-win-core-libraryloader-l1-2-0.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
GetModuleHandleW | - | 0x1400051a8 | 0x6870 | 0x5470 | 0x13 |
api-ms-win-core-profile-l1-1-0.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
QueryPerformanceCounter | - | 0x1400051e8 | 0x68b0 | 0x54b0 | 0x0 |
api-ms-win-core-sysinfo-l1-2-1.dll (2)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
GetSystemTimeAsFileTime | - | 0x140005218 | 0x68e0 | 0x54e0 | 0x14 |
GetTickCount | - | 0x140005220 | 0x68e8 | 0x54e8 | 0x18 |
ole32.dll (3)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
CoTaskMemFree | - | 0x1400052e8 | 0x69b0 | 0x55b0 | 0x8c |
CLSIDFromString | - | 0x1400052f0 | 0x69b8 | 0x55b8 | 0x10 |
CoInitialize | - | 0x1400052f8 | 0x69c0 | 0x55c0 | 0x60 |
OLEAUT32.dll (4)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
SafeArrayUnaccessData | 0x18 | 0x1400050f8 | 0x67c0 | 0x53c0 | - |
SafeArrayAccessData | 0x17 | 0x140005100 | 0x67c8 | 0x53c8 | - |
SysFreeString | 0x6 | 0x140005108 | 0x67d0 | 0x53d0 | - |
VariantClear | 0x9 | 0x140005110 | 0x67d8 | 0x53d8 | - |
SHELL32.dll (2)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
SHGetFolderPathW | - | 0x140005120 | 0x67e8 | 0x53e8 | 0x157 |
ShellExecuteW | - | 0x140005128 | 0x67f0 | 0x53f0 | 0x1b6 |
VERSION.dll (3)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
GetFileVersionInfoSizeA | - | 0x140005158 | 0x6820 | 0x5420 | 0x4 |
VerQueryValueA | - | 0x140005160 | 0x6828 | 0x5428 | 0xf |
GetFileVersionInfoA | - | 0x140005168 | 0x6830 | 0x5430 | 0x0 |
c:\users\rdhj0cnfevzx\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1560258661-3990802383-1811730007-1000\3d3578a85286f88c6cd9d151e4412949_03845cb8-7441-4a2f-8c0f-c90408af5778 | Dropped File | Stream | clean |
C:\Users\RDhJ0CNFevzX\AppData\Local\cVf9G\BitLockerWizard.exe | Dropped File | Binary | clean (known to be clean) |
PE Information
Image Base | 0x140000000 |
Entry Point | 0x140001600 |
Size Of Code | 0x1000 |
Size Of Initialized Data | 0x18000 |
File Type | FileType.executable |
Subsystem | Subsystem.windows_gui |
Machine Type | MachineType.amd64 |
Compile Timestamp | 2015-10-30 02:39:33+00:00 |
Version Information (9)
CompanyName | Microsoft Corporation |
FileDescription | BitLocker Drive Encryption Wizard |
FileVersion | 10.0.10586.0 (th2_release.151029-1700) |
InternalName | BitLocker Drive Encryption Wizard |
LegalCopyright | © Microsoft Corporation. All rights reserved. |
OriginalFilename | BitLockerWizard.exe |
ProductName | Microsoft® Windows® Operating System |
ProductVersion | 10.0.10586.0 |
OleSelfRegister | - |
Sections (6)
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text | 0x140001000 | 0xed0 | 0x1000 | 0x400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.8 |
.rdata | 0x140002000 | 0x112e | 0x1200 | 0x1400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.97 |
.data | 0x140004000 | 0x5f8 | 0x200 | 0x2600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.3 |
.pdata | 0x140005000 | 0xf0 | 0x200 | 0x2800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 1.94 |
.rsrc | 0x140006000 | 0x16348 | 0x16400 | 0x2a00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.13 |
.reloc | 0x14001d000 | 0x20 | 0x200 | 0x18e00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.42 |
Imports (5)
KERNEL32.dll (19)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
HeapSetInformation | - | 0x140002018 | 0x2c80 | 0x2080 | 0x344 |
RtlVirtualUnwind | - | 0x140002020 | 0x2c88 | 0x2088 | 0x4c8 |
RtlLookupFunctionEntry | - | 0x140002028 | 0x2c90 | 0x2090 | 0x4c1 |
RtlCaptureContext | - | 0x140002030 | 0x2c98 | 0x2098 | 0x4ba |
GetTickCount | - | 0x140002038 | 0x2ca0 | 0x20a0 | 0x2fd |
GetSystemTimeAsFileTime | - | 0x140002040 | 0x2ca8 | 0x20a8 | 0x2e0 |
GetLastError | - | 0x140002048 | 0x2cb0 | 0x20b0 | 0x257 |
GetCurrentProcessId | - | 0x140002050 | 0x2cb8 | 0x20b8 | 0x211 |
QueryPerformanceCounter | - | 0x140002058 | 0x2cc0 | 0x20c0 | 0x439 |
GetModuleHandleW | - | 0x140002060 | 0x2cc8 | 0x20c8 | 0x26e |
SetUnhandledExceptionFilter | - | 0x140002068 | 0x2cd0 | 0x20d0 | 0x561 |
GetStartupInfoW | - | 0x140002070 | 0x2cd8 | 0x20d8 | 0x2c7 |
Sleep | - | 0x140002078 | 0x2ce0 | 0x20e0 | 0x570 |
GetCurrentProcess | - | 0x140002080 | 0x2ce8 | 0x20e8 | 0x210 |
TerminateProcess | - | 0x140002088 | 0x2cf0 | 0x20f0 | 0x57f |
GetProcessHeap | - | 0x140002090 | 0x2cf8 | 0x20f8 | 0x2ab |
GetCurrentThreadId | - | 0x140002098 | 0x2d00 | 0x2100 | 0x215 |
GetCommandLineW | - | 0x1400020a0 | 0x2d08 | 0x2108 | 0x1d0 |
UnhandledExceptionFilter | - | 0x1400020a8 | 0x2d10 | 0x2110 | 0x5a1 |
msvcrt.dll (19)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
?terminate@@YAXXZ | - | 0x1400020d0 | 0x2d38 | 0x2138 | 0x2f |
_commode | - | 0x1400020d8 | 0x2d40 | 0x2140 | 0xd2 |
__iob_func | - | 0x1400020e0 | 0x2d48 | 0x2148 | 0x81 |
_acmdln | - | 0x1400020e8 | 0x2d50 | 0x2150 | 0xa2 |
__C_specific_handler | - | 0x1400020f0 | 0x2d58 | 0x2158 | 0x57 |
_fmode | - | 0x1400020f8 | 0x2d60 | 0x2160 | 0x127 |
_initterm | - | 0x140002100 | 0x2d68 | 0x2168 | 0x17d |
__setusermatherr | - | 0x140002108 | 0x2d70 | 0x2170 | 0x90 |
_ismbblead | - | 0x140002110 | 0x2d78 | 0x2178 | 0x199 |
_cexit | - | 0x140002118 | 0x2d80 | 0x2180 | 0xc1 |
_exit | - | 0x140002120 | 0x2d88 | 0x2188 | 0x10e |
exit | - | 0x140002128 | 0x2d90 | 0x2190 | 0x432 |
__set_app_type | - | 0x140002130 | 0x2d98 | 0x2198 | 0x8e |
__getmainargs | - | 0x140002138 | 0x2da0 | 0x21a0 | 0x7f |
_amsg_exit | - | 0x140002140 | 0x2da8 | 0x21a8 | 0xae |
_XcptFilter | - | 0x140002148 | 0x2db0 | 0x21b0 | 0x55 |
towupper | - | 0x140002150 | 0x2db8 | 0x21b8 | 0x4ec |
fwprintf | - | 0x140002158 | 0x2dc0 | 0x21c0 | 0x455 |
memset | - | 0x140002160 | 0x2dc8 | 0x21c8 | 0x496 |
FVEWIZ.dll (2)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
FveuiWizard | - | 0x140002000 | 0x2c68 | 0x2068 | 0x26 |
FveuipClearFveWizOnStartup | - | 0x140002008 | 0x2c70 | 0x2070 | 0x27 |
ole32.dll (2)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
CoUninitialize | - | 0x140002170 | 0x2dd8 | 0x21d8 | 0x90 |
CoInitialize | - | 0x140002178 | 0x2de0 | 0x21e0 | 0x60 |
SHELL32.dll (2)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
ShellExecuteW | - | 0x1400020b8 | 0x2d20 | 0x2120 | 0x1b6 |
CommandLineToArgvW | - | 0x1400020c0 | 0x2d28 | 0x2128 | 0x7 |
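Read together, the tables above describe a DLL side-loading layout rather than three unrelated files. The sample's version resource claims to be NirSoft ProduKey (OriginalFilename TeltwFoo.exe), yet its 24 exports reproduce the API surface of newdev.dll, it imports a single function (CRYPT32!CryptImportPublicKeyInfo), its .text section has entropy 7.85 and it carries 22 nameless sections. The two dropped copies, VERSION.dll and FVEWIZ.dll, share the sample's entry point (0x140078760) and link time (2021-05-26 06:36:52) but export exactly the names that the Microsoft-branded executable dropped beside each of them imports under that DLL name: dvdupgrd.exe imports GetFileVersionInfoSizeA, VerQueryValueA and GetFileVersionInfoA from VERSION.dll, and BitLockerWizard.exe imports FveuiWizard and FveuipClearFveWizOnStartup from FVEWIZ.dll. Those executables are the "appropriate loader" the first remark says was missing from the submission. The script below is an added example by the editor, not part of the sandbox report or of any vendor tooling: it encodes the triage checks an analyst would run on these tables (packing hints, name-versus-export masquerade, and whether each dropped DLL satisfies the imports of the host in its directory). All values are transcribed from the report; the `PeSummary` shape, the thresholds (.text entropy at least 7.0, at most 2 imports, 80 % export overlap) and the map of "known system export sets" are the editor's assumptions, and on real files the same summaries would be built from the binaries with a PE parser rather than typed in.

```python
"""Side-loading triage over the PE tables in this report. Added by the editor; not part
of the sandbox report or any vendor tool. Values are transcribed from the tables above;
the thresholds and the map of known system export sets are the editor's assumptions."""
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

@dataclass
class PeSummary:
    path: str
    original_filename: str   # VersionInfo.OriginalFilename
    entry_point: int
    compile_ts: str
    sections: list           # [(name, entropy), ...]; "" marks an unnamed section
    import_count: int        # total imported APIs across all DLLs
    imports: dict = field(default_factory=dict)   # dll -> {api}; only DLLs of interest
    exports: set = field(default_factory=set)

# Export surfaces the dropped files reproduce, assumed to equal those of the genuine
# newdev.dll / version.dll / fvewiz.dll (fvewiz: the mangled C++ exports are omitted).
NEWDEV_EXPORTS = set("""CheckDriverSoftwareDependenciesSatisfied DeviceInternetSettingUiW
DiInstallDevice DiInstallDriverA DiInstallDriverW DiRollbackDriver DiShowUpdateDevice
DiShowUpdateDriver DiUninstallDevice DiUninstallDriverA DiUninstallDriverW GetInternetPolicies
InstallNewDevice InstallSelectedDriver InstallWindowsUpdateDriver InstallWindowsUpdateDriverEx
InstallWindowsUpdateDrivers QueryWindowsUpdateDriverStatus SetInternetPolicies
UpdateDriverForPlugAndPlayDevicesA UpdateDriverForPlugAndPlayDevicesW pDiDoDeviceInstallAsAdmin
pDiDoNullDriverInstall pDiRunFinishInstallOperations""".split())
VERSION_EXPORTS = set("""GetFileVersionInfoA GetFileVersionInfoByHandle GetFileVersionInfoExA
GetFileVersionInfoExW GetFileVersionInfoSizeA GetFileVersionInfoSizeExA GetFileVersionInfoSizeExW
GetFileVersionInfoSizeW GetFileVersionInfoW VerFindFileA VerFindFileW VerInstallFileA
VerInstallFileW VerLanguageNameA VerLanguageNameW VerQueryValueA VerQueryValueW""".split())
FVEWIZ_EXPORTS = {"FveuiWizard", "FveuipClearFveWizOnStartup"}
KNOWN_SYSTEM_EXPORTS = {"newdev.dll": NEWDEV_EXPORTS, "version.dll": VERSION_EXPORTS,
                        "fvewiz.dll": FVEWIZ_EXPORTS}
# Six named sections plus 21 unnamed zero-entropy ones, common to all three DLLs.
PACKED = [(".text", 7.85), (".rdata", 7.62), (".data", 1.89), (".pdata", 0.59),
          (".rsrc", 3.74), (".reloc", 1.24)] + [("", 0.0)] * 21
PAYLOAD_IMPORTS = {"CRYPT32.dll": {"CryptImportPublicKeyInfo"}}
TS, EP, BASE = "2021-05-26 06:36:52", 0x140078760, r"C:\Users\RDhJ0CNFevzX"
SAMPLE = PeSummary(BASE + r"\Desktop\ff3aa75e4d4637599d3e97fb8b42ce8a1254425f856671ae56377df2676b1033.exe.dll",
                   "TeltwFoo.exe", EP, TS, PACKED + [("", 1.67)], 1, PAYLOAD_IMPORTS, NEWDEV_EXPORTS)
VERSION_DLL = PeSummary(BASE + r"\AppData\Local\YFh\VERSION.dll", "TeltwFoo.exe", EP, TS,
                        PACKED + [("", 0.0), ("", 1.12)], 1, PAYLOAD_IMPORTS, VERSION_EXPORTS)
FVEWIZ_DLL = PeSummary(BASE + r"\AppData\Local\cVf9G\FVEWIZ.dll", "TeltwFoo.exe", EP, TS,
                       PACKED + [("", 0.0), ("", 3.61)], 1, PAYLOAD_IMPORTS, FVEWIZ_EXPORTS)
DVDUPGRD = PeSummary(BASE + r"\AppData\Local\YFh\dvdupgrd.exe", "DVDUpgrd.EXE", 0x140003CF0,
                     "2015-10-30 02:37:00", [(".text", 6.01), (".rdata", 5.18), (".data", 0.3),
                     (".pdata", 3.03), (".rsrc", 4.33), (".reloc", 0.43)], 82,
                     {"VERSION.dll": {"GetFileVersionInfoSizeA", "VerQueryValueA", "GetFileVersionInfoA"}})
BITLOCKERWIZARD = PeSummary(BASE + r"\AppData\Local\cVf9G\BitLockerWizard.exe", "BitLockerWizard.exe",
                            0x140001600, "2015-10-30 02:39:33", [(".text", 5.8), (".rdata", 3.97),
                            (".data", 0.3), (".pdata", 1.94), (".rsrc", 7.13), (".reloc", 0.42)], 44,
                            {"FVEWIZ.dll": {"FveuiWizard", "FveuipClearFveWizOnStartup"}})

def packing_indicators(pe):
    """Static hints that the code is packed and resolves its real imports at run time."""
    flags = set()
    if dict(pe.sections).get(".text", 0.0) >= 7.0:
        flags.add("HIGH_ENTROPY_TEXT")
    if any(not name for name, _ in pe.sections):
        flags.add("UNNAMED_SECTIONS")
    if pe.import_count <= 2:
        flags.add("SPARSE_IMPORTS")
    return flags

def impersonated_dll(pe, threshold=0.8):
    """System DLL whose export set this file reproduces (>= threshold of its names), else None."""
    best, best_ratio = None, 0.0
    for dll, known in KNOWN_SYSTEM_EXPORTS.items():
        ratio = len(pe.exports & known) / len(known)
        if ratio >= threshold and ratio > best_ratio:
            best, best_ratio = dll, ratio
    return best

def masquerade_indicators(pe):
    """Does the name the file claims disagree with its on-disk name and its export surface?"""
    flags, claimed = set(), pe.original_filename.lower()
    if PureWindowsPath(pe.path).name.lower() != claimed:
        flags.add("NAME_MISMATCH")
    if impersonated_dll(pe) not in (None, claimed):
        flags.add("FOREIGN_EXPORT_SET")
    return flags

def sideload_pairs(hosts, dlls):
    """(host, dll, missing exports) for each dropped DLL a host imports from its own directory."""
    pairs = []
    for host in hosts:
        wanted = {name.lower(): apis for name, apis in host.imports.items()}
        for dll in dlls:
            hp, dp = PureWindowsPath(host.path), PureWindowsPath(dll.path)
            if hp.parent == dp.parent and dp.name.lower() in wanted:
                pairs.append((hp.name, dp.name, sorted(wanted[dp.name.lower()] - dll.exports)))
    return pairs

def same_payload(a, b):
    """Same entry point, link time and .text entropy: one binary re-exported under new names."""
    def key(pe): return (pe.entry_point, pe.compile_ts, dict(pe.sections).get(".text"))
    return key(a) == key(b)

if __name__ == "__main__":
    for pe in (SAMPLE, VERSION_DLL, FVEWIZ_DLL, DVDUPGRD, BITLOCKERWIZARD):
        print(PureWindowsPath(pe.path).name, sorted(packing_indicators(pe) | masquerade_indicators(pe)))
    print(sideload_pairs([DVDUPGRD, BITLOCKERWIZARD], [VERSION_DLL, FVEWIZ_DLL]))
    print("same build:", same_payload(SAMPLE, VERSION_DLL) and same_payload(SAMPLE, FVEWIZ_DLL))
```

The two host executables come out with no findings, which is the point of the technique: the loader is a legitimate, benign-looking binary, and the detection has to come from the DLL beside it and from the pairing, not from the EXE alone. The checks deliberately look only at .text entropy, so the 7.13-entropy .rsrc of BitLockerWizard.exe (ordinary compressed resources) does not trip the packing heuristic. On an endpoint, the equivalent hunt is a DLL in a user-writable directory whose exports match a system DLL's name while its version resource names something else.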