Manalyze report for 8e75bf3121b3dcaffb1da3a5fbecce219422b260a8b63fbabd85081de13fcd97

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_NATIVE`
Compilation Date	2035-Aug-11 15:16:50
Detected languages	English - United States
Debug artifacts	qwavedrv.pdb
CompanyName	Microsoft Corporation
FileDescription	Microsoft Quality Windows Audio Video Experience (qWave) Support Driver
FileVersion	`10.0.26100.7705 (WinBuild.160101.0800)`
InternalName	qwavedrv.sys
LegalCopyright	Â© Microsoft Corporation. All rights reserved.
OriginalFilename	qwavedrv.sys
ProductName	MicrosoftÂ® WindowsÂ® Operating System
ProductVersion	`10.0.26100.7705`

Plugin Output

Suspicious	The PE is possibly packed.	`Unusual section name found: fothk` `Unusual section name found: PAGE` `Unusual section name found: GFIDS`
Suspicious	The PE contains functions most legitimate programs don't use.	`Uses Windows's Native API: NtSetSecurityObject ZwClose ZwSetSecurityObject ZwCreateKey ZwQueryValueKey ZwSetValueKey ZwOpenKey`
Safe	VirusTotal score: 0/67 (Scanned on 2026-03-09 07:37:04)	`All the AVs think this file is safe.`

Hashes

MD5	`b90683aa2bfca3bdd943055114b2306c`
SHA1	`4b96912e890a95fe437dab6a337226a9a15d5310`
SHA256	`8e75bf3121b3dcaffb1da3a5fbecce219422b260a8b63fbabd85081de13fcd97`
SHA3	`6d4d90861c32424576d6e08a5a1e996437a513efd86e93b610cbfd5b30108db4`
SSDeep	`768:edw4weV2VsVRr0U71QWC2IyoPQnVl1MzVuCXX4cTuBpSQPn0arCg9EYcrG+Aw3d:59eV2VsVRoJDHPrVu9Bph7Cg6rG+D3d`
Imports Hash	`3b5a0806bc6a152987a5ff8f1b42fad4`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xe8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`11`
TimeDateStamp	2035-Aug-11 15:16:50
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0xd000`
SizeOfInitializedData	`0x8000`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000000000012010 (Section: INIT)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x1000`
OperatingSystemVersion	`A.0`
ImageVersion	`A.0`
SubsystemVersion	`A.0`
Win32VersionValue	`0`
SizeOfImage	`0x16000`
SizeOfHeaders	`0x1000`
Checksum	`0x24506`
Subsystem	`IMAGE_SUBSYSTEM_NATIVE`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_GUARD_CF` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT`
SizeofStackReserve	`0x40000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`236b9cf34a40e1e41bb5943520976bf1`
SHA1	`70234ad94a790554cbd824635716a4a829910cf9`
SHA256	`212030480537896bccfde559e4ce0c68d98c0a78fe301ca70e3c57b823408ef2`
SHA3	`83451d53dda25b59916afe0eba9550f241e8a1c6e098886d6bc44b61c8a0db2e`
VirtualSize	`0x8722`
VirtualAddress	`0x1000`
SizeOfRawData	`0x9000`
PointerToRawData	`0x1000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`
Entropy	`5.75662`

fothk

MD5	`26c117817911e437a473390b8a854f04`
SHA1	`485ccd750f850aece4c9d9c0a0a4978c876ab543`
SHA256	`6fb2b5f9d97848b2d3e207edc242f32687f1ce71da67edf8eee72c0d932d8017`
SHA3	`03a32c3dbd13759fe5dbca512ed8dfe87a883326e96aa195adf41803c9196383`
VirtualSize	`0x1000`
VirtualAddress	`0xa000`
SizeOfRawData	`0x1000`
PointerToRawData	`0xa000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`
Entropy	`0.0456167`

.rdata

MD5	`16da9dcec5cef66f9deed3e7c109669c`
SHA1	`e26bcd4e98385469afca6049e496cd96876497e2`
SHA256	`163673983178dbe6dfa3842cca9e53c5b28e59929b37a820a5be3c5092efdeee`
SHA3	`54adf2c3970fd8119daf708e10fc214f938a9fc8f7284065c9c1bc8b0a03a5fd`
VirtualSize	`0x1688`
VirtualAddress	`0xb000`
SizeOfRawData	`0x2000`
PointerToRawData	`0xb000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`
Entropy	`3.46643`

.data

MD5	`e44e3bf3a5401d103e74100697efe540`
SHA1	`8aa6803656c473f649374d1781120751d48db849`
SHA256	`1b0952a361aa119420098cecb735df52d7d0c611f6de593b0020bf7915413a80`
SHA3	`1ab419e1f17cf723b94dc50503dacd4d4f95538d34ef12c29e82e065be511459`
VirtualSize	`0x480`
VirtualAddress	`0xd000`
SizeOfRawData	`0x1000`
PointerToRawData	`0xd000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.38756`

.pdata

MD5	`923d21feb9e0404725a5234b40c8ef1f`
SHA1	`9de6ce955f97639893ad6b1638aa4ff60495ec27`
SHA256	`a991711c049be4202d4173bcb1efaf7036545691fe9a70741a8e6083a3f3efb3`
SHA3	`2118afb5f903423f6b7fdfdacdf7362aa6002b03b11756851081a96ed8ed4a81`
VirtualSize	`0x648`
VirtualAddress	`0xe000`
SizeOfRawData	`0x1000`
PointerToRawData	`0xe000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`
Entropy	`2.16091`

.idata

MD5	`5ee3629adae79252c7c5bed32ecdff59`
SHA1	`5b0fca8e2040f5d6f9725d8bf86ca68daca8ad8d`
SHA256	`fd845d2fe194283238059ab28d37ef1d4a3cb132444406a74b7c6565b9dd27dc`
SHA3	`f300da0b52e7b1a5cf28f174a18fe0b5ab3a14fc52f1fac7453c13cfe1c6bcdf`
VirtualSize	`0xe6a`
VirtualAddress	`0xf000`
SizeOfRawData	`0x1000`
PointerToRawData	`0xf000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`
Entropy	`4.12674`

PAGE

MD5	`20579afb574c97f1edd2ed7597f6ace3`
SHA1	`5b4930ebc0b1a668d961f7eb42e7409273149070`
SHA256	`43a57d7e1f3a49a06cdbf1ff46923cce0c9487d8a3484864dc22401ddc756b28`
SHA3	`4cbdf52473b91d59e0ab94ea38f3cac3fb33a6a3925eef7ccd2a9a758322dda2`
VirtualSize	`0x1da8`
VirtualAddress	`0x10000`
SizeOfRawData	`0x2000`
PointerToRawData	`0x10000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.06587`

INIT

MD5	`8532f661ce1b09161731291b8bc6b104`
SHA1	`431ac6e9e5541c8cf757b0164d19cb970200cd26`
SHA256	`98e05631ee8ac7312ad478931a80e502de8ed37fcba00eb7b8c2e437222b94dd`
SHA3	`c679e7787747f8c1abb1fff601d40643777c845f61d978bec2625a574ecf8891`
VirtualSize	`0x2ff`
VirtualAddress	`0x12000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x12000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`1.67273`

GFIDS

MD5	`215e882d0d5a3033236a15c043ccf984`
SHA1	`150caff0902284a8c107660cc7ec41313c28a281`
SHA256	`35761060a87407b0011e723ac063b8b2f591fec3b63f51f7a1b9a85e6e7f0d78`
SHA3	`3a0676d14c54f2b417c7e83b96703d27fdf700068ed6f9dddb66d00f32ce7590`
VirtualSize	`0x5c`
VirtualAddress	`0x13000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x13000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`0.143607`

.rsrc

MD5	`6086822ed3412c7fae5741e6004945d4`
SHA1	`a44dd82ff2375f01ef356b7f52582bf8b2b44e12`
SHA256	`b03cf45f2fe29f11b676ad21dd45f2fdfeae44e402494f9f608e41bcd8670230`
SHA3	`56a23171e5f98b2d69c4dd72df8c4cd3a6627dc2edce3df7227629d1a9a59154`
VirtualSize	`0x668`
VirtualAddress	`0x14000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x14000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`1.59988`

.reloc

MD5	`4f2a596bb04555ca07b7733a8329a755`
SHA1	`2b39057a8417fc2fb03a00f3d00a06ae64e62f2a`
SHA256	`c681908631733e087e9a6d673b3e1ad732159d4948b80315e6495e7ae0e25811`
SHA3	`06085323fb1cef79658385f0460fad2dca9b82b7c9f1403207fa762fc0cf2b4d`
VirtualSize	`0x934`
VirtualAddress	`0x15000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x15000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`3.62401`

Imports

ntoskrnl.exe	`RtlRecordFeatureUsage` `RtlArmFeatureUsageProviderFlushNotification` `RtlQueryFeatureConfigurationChangeStamp` `RtlQueryFeatureConfiguration` `RtlRegisterFeatureConfigurationChangeNotification` `RtlUnregisterFeatureConfigurationChangeNotification` `RtlRegisterFeatureUsageProvider` `RtlUnregisterFeatureUsageProvider` `RtlInitUnicodeString` `IoDeleteDevice` `KeInitializeSpinLock` `IofCompleteRequest` `KeAcquireInStackQueuedSpinLock` `KeReleaseInStackQueuedSpinLock` `ExFreePoolWithTag` `RtlGetDaclSecurityDescriptor` `RtlMapGenericMask` `IoGetFileObjectGenericMapping` `SeCaptureSubjectContext` `SeLockSubjectContext` `SeAccessCheck` `SeUnlockSubjectContext` `SeReleaseSubjectContext` `__C_specific_handler` `RtlNotifyFeatureUsage` `ObfDereferenceObject` `MmUnlockPages` `IoFreeMdl` `KeAcquireInStackQueuedSpinLockAtDpcLevel` `KeReleaseInStackQueuedSpinLockFromDpcLevel` `IoReleaseCancelSpinLock` `IoIs32bitProcess` `ExAllocatePool2` `PsGetCurrentProcessId` `PsGetCurrentThreadId` `ProbeForWrite` `IoAllocateMdl` `MmProbeAndLockPages` `MmMapLockedPagesSpecifyCache` `ObReferenceObjectByHandle` `IoFileObjectType` `RtlCompareUnicodeString` `IoAcquireCancelSpinLock` `IoGetCurrentProcess` `KeAttachProcess` `ObOpenObjectByPointer` `KeDetachProcess` `PsGetCurrentProcess` `RtlLengthRequiredSid` `RtlLengthSid` `SeExports` `RtlCreateAcl` `RtlAddAccessAllowedAce` `RtlCreateSecurityDescriptor` `RtlSetDaclSecurityDescriptor` `RtlSetOwnerSecurityDescriptor` `NtSetSecurityObject` `ZwClose` `MmGetSystemRoutineAddress` `IoCreateDevice` `IoDeviceObjectType` `ZwSetSecurityObject` `IoIsWdmVersionAvailable` `RtlAbsoluteToSelfRelativeSD` `wcschr` `ExAllocatePoolWithTag` `_wcsnicmp` `RtlLengthSecurityDescriptor` `_snwprintf` `SeCaptureSecurityDescriptor` `RtlGetSaclSecurityDescriptor` `RtlGetOwnerSecurityDescriptor` `RtlGetGroupSecurityDescriptor` `RtlFreeUnicodeString` `ZwCreateKey` `ZwQueryValueKey` `ZwSetValueKey` `ZwOpenKey` `ProbeForRead`

Delayed Imports

1

Type	`MUI`
Language	English - United States
Codepage	UNKNOWN
Size	`0xc8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.71323`
MD5	`8bca83cadca82565c4bc47b6f800f4d7`
SHA1	`c50b6a71f8b79add42023e6222046036db890981`
SHA256	`740a9cd9254df7f8b8b07f3486be56daac947fc72ee58223e82d9532c30b778d`
SHA3	`4439c639d2685325a9442682526efd6e770c68bd6312814934efa5d8c3bd19e9`

1 (#2)

Type	`RT_STRING`
Language	English - United States
Codepage	UNKNOWN
Size	`0xa6`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.80978`
MD5	`2d6a1b9972f0093211fba3874e31aeab`
SHA1	`8df4f444d2185732850e928aa6731c3c9f441c71`
SHA256	`5261598805e67d7d9c7ed3b3af2841206820e15ca28157e0cbbb2db6ee91f668`
SHA3	`429b8076d49d00e2d8e1de2034587824c19ceeec9b5ad341a456273d23ccba5b`

1 (#3)

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x404`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.54404`
MD5	`b369a75293119acd6d1215bf36d4b892`
SHA1	`0c58fca06d6bbad46f398d9165ce80a5271a8369`
SHA256	`515fd3ed1fa9c5ba7544d1a3bebf298c71c0aaa7fc287d3dacd84f1d13b4aac4`
SHA3	`97e723a8374c75eebfc18c103e6d9515270f3d00544310ecf3cd8e410b86ab46`

String Table contents

QWAVE driver
Quality Windows Audio/Video Experience component driver

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	10.0.26100.7705
ProductVersion	10.0.26100.7705
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_DRV`
FileSubtype	VFT2_DRV_SYSTEM
Language	English - United States
CompanyName	Microsoft Corporation
FileDescription	Microsoft Quality Windows Audio Video Experience (qWave) Support Driver
FileVersion (#2)	10.0.26100.7705 (WinBuild.160101.0800)
InternalName	qwavedrv.sys
LegalCopyright	Â© Microsoft Corporation. All rights reserved.
OriginalFilename	qwavedrv.sys
ProductName	MicrosoftÂ® WindowsÂ® Operating System
ProductVersion (#2)	10.0.26100.7705

Resource LangID	English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2035-Aug-11 15:16:50
Version	`0.0`
SizeofData	`37`
AddressOfRawData	`0xb700`
PointerToRawData	`0xb700`
Referenced File	qwavedrv.pdb

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2035-Aug-11 15:16:50
Version	`0.0`
SizeofData	`544`
AddressOfRawData	`0xb728`
PointerToRawData	`0xb728`

UNKNOWN

Characteristics	`0`
TimeDateStamp	2035-Aug-11 15:16:50
Version	`0.0`
SizeofData	`36`
AddressOfRawData	`0xb9c8`
PointerToRawData	`0xb9c8`

UNKNOWN (#2)

Characteristics	`0`
TimeDateStamp	2035-Aug-11 15:16:50
Version	`0.0`
SizeofData	`4`
AddressOfRawData	`0xb9ec`
PointerToRawData	`0xb9ec`

TLS Callbacks

Load Configuration

Size	`0x148`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x14000d080`
GuardCFCheckFunctionPointer	`5368771536`
GuardCFDispatchFunctionPointer	`0`
GuardCFFunctionTable	`0`
GuardCFFunctionCount	`0`
GuardFlags	`(EMPTY)`
CodeIntegrity.Flags	`0`
CodeIntegrity.Catalog	`0`
CodeIntegrity.CatalogOffset	`0`
CodeIntegrity.Reserved	`0`
GuardAddressTakenIatEntryTable	`0`
GuardAddressTakenIatEntryCount	`0`
GuardLongJumpTargetTable	`0`
GuardLongJumpTargetCount	`0`

RICH Header

XOR Key	`0x357fabe4`
Unmarked objects	`0`
Total imports	`80`
Imports (33145)	`3`
Unmarked objects (#2)	`3`
C objects (33145)	`10`
ASM objects (33145)	`9`
C objects (LTCG) (33145)	`12`
Resource objects (33145)	`1`
Linker (33145)	`1`

Errors

Leave a comment

No comments yet.