fveapi[.]dll | Triage

Sharing

Copy URL Twitter E-mail

General

Target

fveapi.dll
Size

747KB
MD5

e926021242ca28a766e4a6c6c32c0164
SHA1

e09fba0476857fb01eef14dfb60ce58f0772f068
SHA256

52b1a8720d2ae9c763f969f0e6e63eb859031cc034d9dceedc2041fad6a0b03f
SHA512

31915ec3535b974480c1daac23387a0b30df1b9608e0e0409dfef508afe479892e88dceef9161e3cc9685cbc410ff07ad40b359f4b585e2082a982deee3ef2a0
SSDEEP

12288:0vuJ/MWiEjtMkxVnvWc7WZG+RRB6PIHG4YlawzlbH6lCFqqBeyTTeV7+YQk8dkLt:0WJMWrPVv2RnQORUbH3AvQk8dkLt

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
fveapi.dll

Files

fveapi.dll
.dll windows:10 windows x86 arch:x86

5370711b4073689b082b406154af5796

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

fveapi.pdb

Imports

msvcrt

sprintf_s
ceil
wcschr
time
_errno
??1type_info@@UAE@XZ
_wcsupr
_onexit
__dllonexit
malloc
memcmp
_vsnwprintf
_unlock
_lock
toupper
memcpy_s
memmove_s
_except_handler4_common
_wcsicmp
_initterm
free
iswdigit
??_V@YAXPAX@Z
_scwprintf
iswascii
wcstoul
_amsg_exit
_strnicmp
_wtempnam
_XcptFilter
memmove
memcpy
wcscpy_s
wcsncpy_s
wcsncat_s
__CxxFrameHandler3
_CxxThrowException
?what@exception@@UBEPBDXZ
_stricmp
??1exception@@UAE@XZ
??0exception@@QAE@ABV0@@Z
??0exception@@QAE@ABQBDH@Z
_ftol2
??0exception@@QAE@ABQBD@Z
??3@YAXPAX@Z
_purecall
_callnewh
memset

ntdll

RtlSystemTimeToLocalTime
RtlTimeToTimeFields
RtlUnicodeStringToCountedOemString
RtlGenerate8dot3Name
RtlCreateSystemVolumeInformationFolder
RtlDosPathNameToNtPathName_U_WithStatus
NtPowerInformation
RtlCheckPortableOperatingSystem
NtQuerySystemEnvironmentValueEx
RtlInitUnicodeString
RtlCompareMemory
RtlUnsubscribeWnfStateChangeNotification
NtOpenFile
WinSqmSetDWORD
WinSqmAddToStreamEx
RtlFreeUnicodeString
RtlStringFromGUID
NtClose
NtQueryValueKey
NtOpenKey
EtwEventWrite
EtwEventUnregister
EtwEventRegister
RtlPublishWnfStateData
NtQueryWnfStateData
NtQueryVolumeInformationFile
NtQuerySystemInformation
RtlSetThreadErrorMode
RtlNtStatusToDosError
RtlSubscribeWnfStateChangeNotification
RtlIsMultiSessionSku
RtlLengthSid
NtQueryInformationFile

api-ms-win-eventing-classicprovider-l1-1-0

GetTraceEnableFlags
GetTraceEnableLevel
RegisterTraceGuidsW
UnregisterTraceGuids
TraceMessage
GetTraceLoggerHandle

api-ms-win-eventing-provider-l1-1-0

EventSetInformation
EventProviderEnabled
EventUnregister
EventWriteTransfer
EventRegister

api-ms-win-core-libraryloader-l1-2-0

LoadLibraryExW
GetModuleFileNameA
FreeLibrary
GetModuleHandleW
GetModuleFileNameW
LoadStringW
GetProcAddress
GetModuleHandleExW

api-ms-win-security-base-l1-1-0

GetTokenInformation
AdjustTokenPrivileges
AllocateAndInitializeSid
GetLengthSid
CopySid
RevertToSelf
CheckTokenMembership
ImpersonateSelf
FreeSid
DuplicateTokenEx

api-ms-win-core-synch-l1-2-0

InitOnceExecuteOnce
Sleep

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-processthreads-l1-1-0

GetCurrentThread
GetCurrentThreadId
TlsGetValue
TlsSetValue
SetThreadToken
OpenProcessToken
TlsFree
OpenThreadToken
TlsAlloc
GetCurrentProcess
TerminateProcess
GetCurrentProcessId

api-ms-win-core-sysinfo-l1-1-0

GetLocalTime
GetSystemTimeAsFileTime
GetTickCount64
GetVersionExW
GetTickCount
GetSystemWindowsDirectoryW
GetComputerNameExW
GetSystemTime

api-ms-win-core-errorhandling-l1-1-0

UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetLastError
SetLastError

bcrypt

BCryptSetProperty
BCryptGenerateSymmetricKey
BCryptDecrypt
BCryptDestroyHash
BCryptFinishHash
BCryptHashData
BCryptCreateHash
BCryptGenRandom
BCryptCloseAlgorithmProvider
BCryptGetFipsAlgorithmMode
BCryptEncrypt
BCryptImportKeyPair
BCryptDestroySecret
BCryptDeriveKey
BCryptSecretAgreement
BCryptFinalizeKeyPair
BCryptGenerateKeyPair
BCryptDestroyKey
BCryptGetProperty
BCryptDeriveKeyPBKDF2
BCryptExportKey
BCryptOpenAlgorithmProvider

api-ms-win-core-registry-l1-1-0

RegDeleteKeyExW
RegEnumValueW
RegLoadKeyW
RegFlushKey
RegEnumKeyExW
RegDeleteValueW
RegGetValueA
RegQueryInfoKeyW
RegUnLoadKeyW
RegGetValueW
RegQueryValueExW
RegSetValueExW
RegCreateKeyExW
RegCloseKey
RegOpenKeyExW

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-file-l1-1-0

FileTimeToLocalFileTime
GetVolumePathNameW
FindNextFileW
FindFirstFileW
CreateDirectoryW
GetFileSizeEx
SetFileAttributesW
FindClose
DeleteFileW
SetEndOfFile
WriteFile
SetFilePointer
GetFileSize
SetFilePointerEx
GetFileInformationByHandle
FlushFileBuffers
GetLogicalDrives
GetDriveTypeW
CreateFileW
FindVolumeClose
GetVolumeInformationW
RemoveDirectoryW
GetDiskFreeSpaceW
ReadFile
FindNextVolumeW
FindFirstVolumeW
GetFileAttributesW

api-ms-win-core-io-l1-1-0

DeviceIoControl

api-ms-win-core-string-l1-1-0

WideCharToMultiByte
MultiByteToWideChar
CompareStringOrdinal
CompareStringW

api-ms-win-core-localization-l1-2-0

IsDBCSLeadByte
FormatMessageW

api-ms-win-core-heap-l1-1-0

HeapAlloc
HeapSize
GetProcessHeap
HeapFree

api-ms-win-core-debug-l1-1-0

DebugBreak
OutputDebugStringW
IsDebuggerPresent

api-ms-win-core-synch-l1-1-0

DeleteCriticalSection
WaitForSingleObject
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection
ReleaseMutex
ReleaseSemaphore
CreateEventW
ReleaseSRWLockShared
AcquireSRWLockShared
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
OpenSemaphoreW
SetEvent
InitializeCriticalSectionEx
CreateMutexExW
InitializeSRWLock
CreateSemaphoreExW
WaitForSingleObjectEx

api-ms-win-core-threadpool-l1-2-0

WaitForThreadpoolTimerCallbacks
CloseThreadpoolTimer
CreateThreadpoolTimer
SetThreadpoolTimer

api-ms-win-eventing-controller-l1-1-0

StartTraceW
ControlTraceW
EnableTraceEx2

api-ms-win-core-timezone-l1-1-0

SystemTimeToFileTime
FileTimeToSystemTime
GetTimeZoneInformation

api-ms-win-core-sysinfo-l1-2-0

GetProductInfo

api-ms-win-core-file-l1-2-0

GetVolumePathNamesForVolumeNameW
GetVolumeNameForVolumeMountPointW
GetTempPathW

api-ms-win-security-sddl-l1-1-0

ConvertSidToStringSidW
ConvertStringSidToSidW

api-ms-win-core-heap-l2-1-0

LocalFree
LocalAlloc

api-ms-win-core-memory-l1-1-0

VirtualFree
VirtualAlloc
UnmapViewOfFile
MapViewOfFile
CreateFileMappingW

api-ms-win-devices-config-l1-1-1

CM_Unregister_Notification
CM_Register_Notification

api-ms-win-core-datetime-l1-1-0

GetTimeFormatW
GetDateFormatW

api-ms-win-core-com-l1-1-0

CLSIDFromString
CoCreateGuid
CoInitializeEx
CoUninitialize
StringFromGUID2
CoGetCallContext

api-ms-win-core-path-l1-1-0

PathCchCombine

api-ms-win-core-registry-l1-1-1

RegSetKeyValueW

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

api-ms-win-service-private-l1-1-0

I_QueryTagInformation

api-ms-win-security-lsapolicy-l1-1-0

LsaClose
LsaQueryInformationPolicy
LsaFreeMemory
LsaOpenPolicy

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

Exports

Exports

FveAddAuthMethodInformation
FveAddAuthMethodSid
FveAddPredictiveTpmProtector
FveApplyGroupPolicy
FveApplyNkpCertChanges
FveAttemptAutoUnlock
FveAuthElementFromPassPhraseW
FveAuthElementFromPinW
FveAuthElementFromRecoveryPasswordW
FveAuthElementGetKeyFileNameW
FveAuthElementReadExternalKeyW
FveAuthElementToRecoveryPasswordW
FveAuthElementWriteExternalKeyW
FveBackupRecoveryInformationToAD
FveBackupRecoveryInformationToADEx
FveBindDataVolume
FveCanPinExceptionPolicyBeApplied
FveCanStandardUsersChangePassphraseByProxy
FveCanStandardUsersChangePin
FveCheckADRecoveryInfoBackupPolicy
FveCheckADRecoveryInfoBackupPolicyEx
FveCheckPassphrasePolicy
FveCheckTpmCapability
FveClearUserFlags
FveCloseHandle
FveCloseVolume
FveCommitChanges
FveCommitChangesEx
FveConversionDecrypt
FveConversionDecryptEx
FveConversionEncrypt
FveConversionEncryptEx
FveConversionEncryptPendingReboot
FveConversionEncryptPendingRebootEx
FveConversionPause
FveConversionResume
FveConversionStop
FveConversionStopEx
FveDecrementClearKeyCounter
FveDeleteAuthMethod
FveDeleteDeviceEncryptionOptOutForVolumeW
FveDisableDeviceLockoutState
FveDiscardChanges
FveDraCertPresentInRegistry
FveEnableRawAccess
FveEnableRawAccessEx
FveEnableRawAccessW
FveEraseDrive
FveEscrowEncryptedRecoveryKeyForRetailUnlock
FveFindFirstVolume
FveFindNextVolume
FveFlagsToProtectorType
FveGenerateNbp
FveGenerateNkpSessionKeys
FveGetAllowKeyExport
FveGetAuthMethodGuids
FveGetAuthMethodInformation
FveGetAuthMethodSid
FveGetAuthMethodSidInformation
FveGetClearKeyCounter
FveGetDataSet
FveGetDescriptionW
FveGetDeviceLockoutData
FveGetExternalKeyBlob
FveGetFipsAllowDisabled
FveGetFveMethod
FveGetFveMethodEDrv
FveGetFveMethodEx
FveGetIdentificationFieldW
FveGetIdentity
FveGetKeyPackage
FveGetRecoveryPasswordBackupInformation
FveGetSecureBootBindingState
FveGetStatus
FveGetStatusW
FveGetUserFlags
FveGetVolumeNameW
FveInitVolume
FveInitVolumeEx
FveInitializeDeviceEncryption
FveInitializeDeviceEncryption2
FveIsAnyDataVolumeBoundToOSVolume
FveIsBoundDataVolume
FveIsBoundDataVolumeToOSVolume
FveIsDeviceLockable
FveIsDeviceLockedOut
FveIsHardwareReadyForConversion
FveIsHybridVolume
FveIsHybridVolumeW
FveIsPassphraseCompatibleW
FveIsRecoveryPasswordGroupValidW
FveIsRecoveryPasswordValidW
FveIsSchemaExtInstalled
FveIsVolumeEncryptable
FveKeyManagement
FveLockDevice
FveLockVolume
FveLogRecoveryReason
FveNeedsDiscoveryVolumeUpdate
FveNotifyVolumeAfterFormat
FveOpenVolumeByHandle
FveOpenVolumeExW
FveOpenVolumeW
FveProtectorTypeToFlags
FveQuery
FveQueryDeviceEncryptionSupport
FveRecalculateOffsetsAndMoveMetadata
FveRegenerateNbpSessionKey
FveResetTpmDictionaryAttackParameters
FveRevertVolume
FveSaveRecoveryPasswordBackupFlag
FveSelectBestRecoveryPasswordByBackupInformation
FveServiceDiscoveryVolume
FveSetAllowKeyExport
FveSetDescriptionW
FveSetFipsAllowDisabled
FveSetFveMethod
FveSetIdentificationFieldW
FveSetRecoveryPasswordBackupInformation
FveSetUserFlags
FveSetupTpmCallback
FveSysClearUserFlags
FveSysCloseVolume
FveSysGetUserFlags
FveSysOpenVolumeW
FveSysSetUserFlags
FveUnbindAllDataVolumeFromOSVolume
FveUnbindDataVolume
FveUnlockVolume
FveUnlockVolumeAuthMethodSid
FveUnlockVolumeWithAccessMode
FveUpdateBandIdBcd
FveUpdateDeviceLockoutState
FveUpdateDeviceLockoutStateEx
FveUpdatePinW
FveUpgradeVolume
FveValidateDeviceLockoutState
FveValidateExistingPassphraseW
FveValidateExistingPinW
InternalFveIsVolumeEncrypted
NgscbCheckDmaSecurity
NgscbCheckDmaSecurityEx
NgscbCheckHSTIPrerequisitesVerified
NgscbCheckIsAOACDevice
NgscbCheckIsHSTIVerified
NgscbCheckPreventDeviceEncryption
NgscbCheckPreventDeviceEncryptionForAad
NgscbGetWinReConfiguration
NgscbIsHostOsOnRoamableDrive

Sections

.text
Size: 679KB - Virtual size: 678KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 464B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 23KB - Virtual size: 22KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 31KB - Virtual size: 30KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

5370711b4073689b082b406154af5796

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

ntdll

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

bcrypt

api-ms-win-core-registry-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-io-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-eventing-controller-l1-1-0

api-ms-win-core-timezone-l1-1-0

api-ms-win-core-sysinfo-l1-2-0

api-ms-win-core-file-l1-2-0

api-ms-win-security-sddl-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-memory-l1-1-0

api-ms-win-devices-config-l1-1-1

api-ms-win-core-datetime-l1-1-0

api-ms-win-core-com-l1-1-0

api-ms-win-core-path-l1-1-0

api-ms-win-core-registry-l1-1-1

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

api-ms-win-service-private-l1-1-0

api-ms-win-security-lsapolicy-l1-1-0

api-ms-win-core-apiquery-l1-1-0

Exports

Exports

Sections

.text Size: 679KB - Virtual size: 678KB

.data Size: 3KB - Virtual size: 4KB

.idata Size: 10KB - Virtual size: 9KB

.didat Size: 512B - Virtual size: 464B

.rsrc Size: 23KB - Virtual size: 22KB

.reloc Size: 31KB - Virtual size: 30KB

.text
Size: 679KB - Virtual size: 678KB

.data
Size: 3KB - Virtual size: 4KB

.idata
Size: 10KB - Virtual size: 9KB

.didat
Size: 512B - Virtual size: 464B

.rsrc
Size: 23KB - Virtual size: 22KB

.reloc
Size: 31KB - Virtual size: 30KB