Manalyze report for d3ead68f94a76ac3ef9ec23645f22051ca91bb54b17682e64156a2dc5a536988

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2018-Jan-03 23:26:54
Detected languages	English - United States
Debug artifacts	C:\dvs\p4\build\sw\rel\gpu_drv\r390\r390_63\drivers\Monterey\NvFBCPlugin\_out\wddm2_amd64_release\NvFBCPlugin64.pdb
CompanyName	NVIDIA Corporation
FileDescription	NVIDIA Frame Buffer Capture Library - Concurrency Manager Plugin, Version
FileVersion	`6.14.13.9065`
InternalName	NvFBCPlugin
LegalCopyright	(C) 2018 NVIDIA Corporation. All rights reserved.
OriginalFilename	NvFBCPlugin.dll
ProductName	NVIDIA Frame Buffer Capture Library
ProductVersion	`6.14.13.9065`

Plugin Output

Info	Matching compiler(s):	`MASM/TASM - sig1(h)`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: LoadLibraryExW GetProcAddress` `Can access the registry: RegGetValueA RegCloseKey RegOpenKeyExA RegQueryValueExW RegQueryValueExA` `Possibly launches other programs: CreateProcessW CreateProcessA` `Functions related to the privilege level: OpenProcessToken` `Manipulates other processes: OpenProcess` `Changes object ACLs: SetSecurityInfo`
Info	The PE is digitally signed.	`Signer: NVIDIA Corporation` `Issuer: VeriSign Class 3 Code Signing 2010 CA`
Safe	VirusTotal score: 0/71 (Scanned on 2024-04-22 12:08:21)	`All the AVs think this file is safe.`

Hashes

MD5	`fa559cdddd02c223d2bf3ef9c98da78c`
SHA1	`1cdbf6acfc93ab0ad9f451417279963d51e16783`
SHA256	`d3ead68f94a76ac3ef9ec23645f22051ca91bb54b17682e64156a2dc5a536988`
SHA3	`78345c7022c47d2854284af07b718ba10e8449d750ebbd9d7d50075f987b0844`
SSDeep	`12288:bAWlgfrz+Be5YSCkFHU1Z2WmzKwI6wLjPfCXjdRfMsCKIdNo/k/Htm07cCwQV:rlCrz+Be5NFHyrmXMs7k/Nm0vr`
Imports Hash	`c2428bb931c361482b08c2ab97458b94`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xf0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`6`
TimeDateStamp	2018-Jan-03 23:26:54
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_DLL` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`12.0`
SizeOfCode	`0x96200`
SizeOfInitializedData	`0x46200`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x000000000006BA9C (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x180000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0xe1000`
SizeOfHeaders	`0x400`
Checksum	`0xe2b99`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`c9d2ae084ba69988bd490da0b4313fa9`
SHA1	`c316aff76a0bb55d69b44500311dd03fb59f6cb6`
SHA256	`962b342cf2c0821da272327071582d9b77a0dd6a24c2085e249b0e3a92c89208`
SHA3	`dcc531b86aacc56857a263e7470215e637a8c6be680e564a44e01a0b0843b117`
VirtualSize	`0x960bf`
VirtualAddress	`0x1000`
SizeOfRawData	`0x96200`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.35097`

.rdata

MD5	`3bc529cd69327ff37699dee6a1aff0d1`
SHA1	`fd9be65bf9f8634c510ec11c3bc1b50ede64ea10`
SHA256	`5156feda44265d8dca410258bab12821d67dd805d2599cb1ab96653cd2b18b00`
SHA3	`516f11742a1960a2b99657ec3cf4d984475be689c61d75a04ed1ac3f26cf0376`
VirtualSize	`0x2909c`
VirtualAddress	`0x98000`
SizeOfRawData	`0x29200`
PointerToRawData	`0x96600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.14115`

.data

MD5	`9e888427c7dbb86a9bbec79cc821a12d`
SHA1	`d0eb75dd7146887af014b96b100d63ccc09d572f`
SHA256	`28b82ade3dc1102c5dd42b70c0cec1b637547ca4798850089e24f8faa66af600`
SHA3	`d039975e1e52a18660d5737a579c7a81aeeb1afa13277986f1eb3725b3077a34`
VirtualSize	`0x82c8`
VirtualAddress	`0xc2000`
SizeOfRawData	`0x2000`
PointerToRawData	`0xbf800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.20673`

.pdata

MD5	`f85008a977d6ce2dc99c01da42ed940b`
SHA1	`2bc0f7d0103576838f31c456a3392364d2e5d55c`
SHA256	`6dcaa3a0fc6df4cd5c04407013b79dd98343045aadc7ad470213c2b6fc96382f`
SHA3	`f1b1ec695f8fc6a7b5461dd80133eb86876ce7c0370e5780fd9d4863c9985a65`
VirtualSize	`0x13938`
VirtualAddress	`0xcb000`
SizeOfRawData	`0x13a00`
PointerToRawData	`0xc1800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.08196`

.rsrc

MD5	`37b52a8a8ac9442f31c3c55843470631`
SHA1	`77e758d221800c528176ea7bf1d55c2bccf67ef8`
SHA256	`115d52881956e3e0849e652abe6d7b3494909f3389ee6bc401c1bc4d53743510`
SHA3	`5c69a5c756c22f11ad88b6423546c1b369c2fe0670326f09fc89362d9d2fd662`
VirtualSize	`0x430`
VirtualAddress	`0xdf000`
SizeOfRawData	`0x600`
PointerToRawData	`0xd5200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`2.57978`

.reloc

MD5	`454767e5d1df400e8125c27d9b73bd49`
SHA1	`65cf696f5b8bbce0aa28e239279795ad4da66777`
SHA256	`d235c18e24d620c72e8acac6a464f3c3fb0d07938fe08225b9ca2c55441efdaa`
SHA3	`1d1ea6b7fd605a49c17d99c175bfaec19ed174e0501af42dd1bd1530af8c97d0`
VirtualSize	`0xa84`
VirtualAddress	`0xe0000`
SizeOfRawData	`0xc00`
PointerToRawData	`0xd5800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.15536`

Imports

KERNEL32.dll	`LocalAlloc` `CreateMutexA` `DeleteCriticalSection` `ReleaseMutex` `GetCurrentProcessId` `LocalFree` `SetEvent` `CreateEventA` `WaitForMultipleObjects` `OpenEventA` `GetFullPathNameW` `lstrcmpA` `FreeLibrary` `CreateProcessW` `LoadLibraryExW` `VerSetConditionMask` `OutputDebugStringW` `EnterCriticalSection` `InitializeCriticalSection` `GetFileAttributesW` `CreateProcessA` `CreateFileW` `VerifyVersionInfoW` `SetLastError` `GetProcAddress` `Sleep` `GetStringTypeW` `EnumSystemLocalesW` `GetUserDefaultLCID` `IsValidLocale` `GetLocaleInfoW` `LCMapStringW` `CompareStringW` `GetTimeFormatW` `GetDateFormatW` `GetModuleHandleW` `LeaveCriticalSection` `HeapReAlloc` `FlushFileBuffers` `GetModuleHandleA` `GetEnvironmentVariableA` `FileTimeToSystemTime` `GetSystemTimeAsFileTime` `OpenFileMappingA` `CloseHandle` `OutputDebugStringA` `QueryPerformanceFrequency` `QueryFullProcessImageNameA` `CreateFileMappingA` `GetLastError` `OpenProcess` `WaitForSingleObject` `QueryPerformanceCounter` `UnmapViewOfFile` `GetSystemDirectoryW` `MapViewOfFile` `SetEndOfFile` `WriteConsoleW` `SetStdHandle` `SetConsoleCtrlHandler` `HeapFree` `HeapAlloc` `IsDebuggerPresent` `IsProcessorFeaturePresent` `AreFileApisANSI` `MultiByteToWideChar` `ReadFile` `EncodePointer` `DecodePointer` `CreateThread` `ExitThread` `ResumeThread` `GetCommandLineA` `GetCurrentThreadId` `GetProcessHeap` `ExitProcess` `GetModuleHandleExW` `WideCharToMultiByte` `GetStdHandle` `WriteFile` `GetModuleFileNameW` `RtlUnwindEx` `RtlCaptureContext` `RtlLookupFunctionEntry` `RtlVirtualUnwind` `UnhandledExceptionFilter` `SetUnhandledExceptionFilter` `InitializeCriticalSectionAndSpinCount` `CreateEventW` `GetCurrentProcess` `TerminateProcess` `TlsAlloc` `TlsGetValue` `TlsSetValue` `TlsFree` `GetStartupInfoW` `GetTickCount` `CreateSemaphoreW` `GetConsoleCP` `GetConsoleMode` `MoveFileExW` `GetCurrentThread` `DeleteFileW` `CreateDirectoryW` `GetFileType` `SetFilePointerEx` `ReadConsoleW` `HeapSize` `RtlPcToFileHeader` `RaiseException` `IsValidCodePage` `GetACP` `GetOEMCP` `GetCPInfo` `GetModuleFileNameA` `GetEnvironmentStringsW` `FreeEnvironmentStringsW` `FatalAppExitA`
USER32.dll	`DefWindowProcA` `GetDesktopWindow` `EnumDisplayDevicesA` `CreateWindowExA` `DestroyWindow` `UnregisterDeviceNotification` `RegisterDeviceNotificationA` `RegisterClassA`
GDI32.dll	`CreateDCA`
d3d9.dll	`Direct3DCreate9Ex`
ADVAPI32.dll	`BuildExplicitAccessWithNameA` `SetSecurityInfo` `GetSecurityInfo` `LookupAccountSidA` `SetEntriesInAclA` `OpenProcessToken` `EventUnregister` `EventRegister` `EventWrite` `RegGetValueA` `RegCloseKey` `ConvertStringSecurityDescriptorToSecurityDescriptorA` `RegOpenKeyExA` `RegQueryValueExW` `RegQueryValueExA` `CreateWellKnownSid`
SHELL32.dll	`SHGetFolderPathW`
SHLWAPI.dll	`PathFileExistsW`

Delayed Imports

NvFBCPluginGetDiagnostics

Ordinal	`1`
Address	`0x6160`

NvFBCPluginReleaseDiagnostics

Ordinal	`2`
Address	`0x6240`

NvPluginGetInfo

Ordinal	`3`
Address	`0x6150`

1

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x3d0`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.53117`
MD5	`12ea508232428b8b9ef0828cf4d749fd`
SHA1	`ae5dade193a9db94f245e65e4f2c69b0ece66db3`
SHA256	`add6e0ea1043189e4572da5b07a2bc9667f341bb94f890845fa0d414bfcb36d7`
SHA3	`fceac849a5bb325dbae5f6e9a6c93aa3fc3d2064ea6652aa6fe9c3aad7bcc8c0`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	6.14.13.9065
ProductVersion	6.14.13.9065
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT_WINDOWS32` `VOS__WINDOWS32`
FileType	`VFT_DLL`
Language	English - United States
CompanyName	NVIDIA Corporation
FileDescription	NVIDIA Frame Buffer Capture Library - Concurrency Manager Plugin, Version
FileVersion (#2)	6.14.13.9065
InternalName	NvFBCPlugin
LegalCopyright	(C) 2018 NVIDIA Corporation. All rights reserved.
OriginalFilename	NvFBCPlugin.dll
ProductName	NVIDIA Frame Buffer Capture Library
ProductVersion (#2)	6.14.13.9065

Resource LangID	English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2018-Jan-03 23:26:54
Version	`0.0`
SizeofData	`140`
AddressOfRawData	`0xa2f40`
PointerToRawData	`0xa1540`
Referenced File	C:\dvs\p4\build\sw\rel\gpu_drv\r390\r390_63\drivers\Monterey\NvFBCPlugin\_out\wddm2_amd64_release\NvFBCPlugin64.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics	`0`
TimeDateStamp	2018-Jan-03 23:26:54
Version	`0.0`
SizeofData	`20`
AddressOfRawData	`0xa2fcc`
PointerToRawData	`0xa15cc`

TLS Callbacks

Load Configuration

Size	`0x70`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x1800c2170`

RICH Header

XOR Key	`0x5127913f`
Unmarked objects	`0`
199 (41118)	`1`
C++ objects (20806)	`50`
C objects (20806)	`147`
ASM objects (20806)	`13`
Imports (VS2017 v15.?.? build 25203)	`15`
Total imports	`146`
229 (VS2013 UPD2 build 30501)	`12`
Exports (VS2013 UPD2 build 30501)	`1`
Resource objects (VS2013 build 21005)	`1`
Linker (VS2013 UPD2 build 30501)	`1`

Errors

Leave a comment

No comments yet.