Manalyze report for ac9dee87b2860cec7ffe6533d90a0b16f50bfd2947ff540ef0b1ad8b8bc9cbef

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_NATIVE`
Compilation Date	2009-Sep-24 08:21:32
Detected languages	English - United States
Debug artifacts	afd.pdb
CompanyName	Microsoft Corporation
FileDescription	Ancillary Function Driver for WinSock
FileVersion	`10.0.26100.4202 (WinBuild.160101.0800)`
InternalName	afd.sys
LegalCopyright	Â© Microsoft Corporation. All rights reserved.
OriginalFilename	afd.sys
ProductName	MicrosoftÂ® WindowsÂ® Operating System
ProductVersion	`10.0.26100.4202`

Plugin Output

Suspicious	Strings found in the binary may indicate undesirable behavior:	`May have dropper capabilities: CurrentControlSet\Services`
Suspicious	The PE is possibly packed.	`Unusual section name found: fothk` `Unusual section name found: NONPAGE` `Unusual section name found: PAGE` `Unusual section name found: PAGEWPP` `Unusual section name found: PAGESAN` `Unusual section name found: PAGEWTDI` `Unusual section name found: PAGEDATA` `Unusual section name found: GFIDS`
Suspicious	The PE contains functions most legitimate programs don't use.	`Functions which can be used for anti-debugging purposes: ZwQuerySystemInformation` `Uses Windows's Native API: ZwClose ZwQueryValueKey ZwNotifyChangeKey ZwQuerySystemInformation ZwUpdateWnfStateData ZwCreateEvent`
Info	The PE is digitally signed.	`Signer: Microsoft Windows` `Issuer: Microsoft Windows Production PCA 2011`
Safe	VirusTotal score: 0/70 (Scanned on 2025-08-12 15:54:42)	`All the AVs think this file is safe.`

Hashes

MD5	`fd9a57f24b792af0b8b401879935df31`
SHA1	`4ed49e25f85f1413614791c221eefcf418180641`
SHA256	`ac9dee87b2860cec7ffe6533d90a0b16f50bfd2947ff540ef0b1ad8b8bc9cbef`
SHA3	`6b839e0d29410015f52b1e49f706cad93bca26d8e79ce8bfec93191a4035cc94`
SSDeep	`12288:kYzxBST4ZS91gI1ovxgaWj45dfFHWPKT5+qaj30E0ke:3zxMcS91grfNXkvir`
Imports Hash	`f9f5ec0711c9e4554b20057b8b41e709`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xe0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`16`
TimeDateStamp	2009-Sep-24 08:21:32
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x7d000`
SizeOfInitializedData	`0x38000`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000000000094010 (Section: INIT)`
BaseOfCode	`0x1000`
ImageBase	`0x1c0000000`
SectionAlignment	`0x1000`
FileAlignment	`0x1000`
OperatingSystemVersion	`A.0`
ImageVersion	`A.0`
SubsystemVersion	`A.0`
Win32VersionValue	`0`
SizeOfImage	`0xb6000`
SizeOfHeaders	`0x1000`
Checksum	`0xc12b0`
Subsystem	`IMAGE_SUBSYSTEM_NATIVE`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_GUARD_CF` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT`
SizeofStackReserve	`0x40000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`ee537438203d2c57ad8c381d5d65033d`
SHA1	`5231c896ec1be662e3c859db8bca4742cf57a52a`
SHA256	`62e8e962224f8d30b63caac5ee01589f1895cae4e3995632105dc2c0b2a7cd9d`
SHA3	`39dbc362a4344d4366b413e4ffac970154b13f8aaa1f91143300e8f4aaf25ebe`
VirtualSize	`0x56c57`
VirtualAddress	`0x1000`
SizeOfRawData	`0x57000`
PointerToRawData	`0x1000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`
Entropy	`6.27802`

fothk

MD5	`58f2ba798ec7998cfbb9ce5f5df6bd4e`
SHA1	`31950662b4a53e56dc97278fce9e499792237dc1`
SHA256	`ffa3d02e1de4ad2d04ff8f085c49b905b7df68cea1926bf991290d0212fb5daa`
SHA3	`131deb241a89c211a73a16835f1a39f5b62927a0c875569671f55ddd9108dee9`
VirtualSize	`0x1000`
VirtualAddress	`0x58000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x58000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`
Entropy	`0.0297008`

.rdata

MD5	`265ad1a4efcb7c470c8709a55720bd3d`
SHA1	`5c18482859b81f32d10068ed528f71e9b5b83cdc`
SHA256	`5de75f3a09b4bcf490858a47f7f94ef823d00767dfefdd7f1fe67d9a6a5785c2`
SHA3	`bfca1e8bc1e3630598cb20a9bb643294f64998c6b81a1a7129941a547a17cf63`
VirtualSize	`0xb468`
VirtualAddress	`0x59000`
SizeOfRawData	`0xc000`
PointerToRawData	`0x59000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`
Entropy	`4.93841`

.data

MD5	`3e4b59bc2203981e5952fa2572ab2ea1`
SHA1	`ccc2a61ec62b926326d523a3e10d061fb6757f34`
SHA256	`63529f38e5c553a25398a9333d054d369b638cb2a0efa4d64ccbbd275540226e`
SHA3	`b38c424fd2745e8b303e5500a3e5fd50b39a92e5de32e5bfe03ef4449aa55b63`
VirtualSize	`0xf28`
VirtualAddress	`0x65000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x65000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.51933`

.pdata

MD5	`f73bfae978e617a1f9895be29bebdc5d`
SHA1	`a8881a061a3383432a56335e693f0fb3cb3656d8`
SHA256	`6799920363c3e1f92c2530d9a8651d76f01601df424991d100fbaae46848ccae`
SHA3	`ab6fea7f6032c9214d438c26912f975e80623ad0990a00a0c27ce3e934f21fa2`
VirtualSize	`0x4140`
VirtualAddress	`0x66000`
SizeOfRawData	`0x5000`
PointerToRawData	`0x66000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`
Entropy	`5.08182`

.idata

MD5	`a193a062d659bebf41dbbcd4d89fea28`
SHA1	`724665cf314b9788069667f67e7679a2596d0a1e`
SHA256	`24c4dddfb5b9b34f974ae7aeede8f5316bbbefab35e2aad50833d75ea1673d46`
SHA3	`963bc649429952896bbd23c31a46df496b60dc5b77f11cc947650b913f548190`
VirtualSize	`0x3718`
VirtualAddress	`0x6b000`
SizeOfRawData	`0x4000`
PointerToRawData	`0x6b000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`
Entropy	`4.48627`

NONPAGE

MD5	`9b1e96468127ad0e4b9f27c11381b9b5`
SHA1	`436b8b689eaba3ee0964e4862c0f0057e9875def`
SHA256	`4bf1e9698177fd91c159d5660f0feb48aa7e283479b76c7780a83cea8d641f85`
SHA3	`dce4a0625d713ceddc0f6a6893989ca4ebd6ba0702841fd09f162f3cf77f7992`
VirtualSize	`0xb0`
VirtualAddress	`0x6f000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x6f000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.0445755`

PAGE

MD5	`8039e589b1d80a3b53691768c9195369`
SHA1	`7e02689cfef43a18ccbd2f3d3312a73904dbe2de`
SHA256	`636b6a3978b63624e02fb27c424319100d4748bfb9429287289302ed6e873043`
SHA3	`e0e08422da9261bcc1f93901917aba067c7d78e0d5e84a7c0bafdf7c0433638b`
VirtualSize	`0x1685b`
VirtualAddress	`0x70000`
SizeOfRawData	`0x17000`
PointerToRawData	`0x70000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.19929`

PAGEWPP

MD5	`890732115c124c6fa08638108ba3d4bf`
SHA1	`45175e5edc9e4ca2ad9a4f565fd44a536d3ab0af`
SHA256	`1eedddfac7556d26dc49c8992d287d2ddd9c0c94d9b93065c1122d4f1c416045`
SHA3	`01d815104007d4f7ae482bcaea602bdc8925e6f850b45981b9213f11eabb8344`
VirtualSize	`0x176e`
VirtualAddress	`0x87000`
SizeOfRawData	`0x2000`
PointerToRawData	`0x87000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`4.7407`

PAGESAN

MD5	`9692776a3c832fc2b10384f6efac1846`
SHA1	`842a4ea340f28d1070bb5d64c18764bd0e5a98a5`
SHA256	`f8b2bf34448051f0dbf87546893790ebcdf9ee5ed7d3b998969e8a54fa5aa375`
SHA3	`f2d8c7bb904d3513b8543936445fe00a0b8584f3fb4a40358c48adde4b6c3deb`
VirtualSize	`0x4689`
VirtualAddress	`0x89000`
SizeOfRawData	`0x5000`
PointerToRawData	`0x89000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`5.79813`

PAGEWTDI

MD5	`d5516eeb17afc42ff7857880828068e4`
SHA1	`bdf6311ba118ebf07ad57a7cd765d0ccd471eb31`
SHA256	`7c6baa5e21280ad0fbaf92248cf79e4d354720c95b7503a729d540fb79417b05`
SHA3	`56aa39b31326b5b25e3e4efcb0cbb539cde04233732bae1a3baed3b2b3ffb2f5`
VirtualSize	`0x458f`
VirtualAddress	`0x8e000`
SizeOfRawData	`0x5000`
PointerToRawData	`0x8e000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`5.6853`

PAGEDATA

MD5	`fc96712f453740899c052e30c826e1f9`
SHA1	`15f1c443ccf794c3509da794d20fc4790c5d57eb`
SHA256	`9fcaf4fa8f9a96282fc44edf4620b9e536fd0234451475bea2e1f738883b6323`
SHA3	`26454428d0dbc90efc0b72e4d701e7963376d0b17f343757df5648e1f3a98a30`
VirtualSize	`0x160`
VirtualAddress	`0x93000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x93000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.508864`

INIT

MD5	`5239196e88d9f1b050a7ba168b34e35a`
SHA1	`29a910dd528b22bbd04b9094d4f87f2683813d32`
SHA256	`0623436a38540e38464cd14fb5e81ac43e2c7bbe070759234aafba7b7804aa30`
SHA3	`30fa73bcea59621d5ac566926a39213be7637f8c3ff4d703617d9636e8a03a42`
VirtualSize	`0x1e7b`
VirtualAddress	`0x94000`
SizeOfRawData	`0x2000`
PointerToRawData	`0x94000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.09589`

GFIDS

MD5	`5cb9bd147a3cd6283b87f8d93e341877`
SHA1	`522022834d6f6e69d03a4a4cf0a1a7dcc306d1c1`
SHA256	`d5e64a7c6024f1cc27e6e0670db92e0e534c9b00f1ecc85509de39de88e16e34`
SHA3	`9cfefc98520fd4fcfc58dc9257f2a13a9cb4b84fa30efab5528e3bc6b0c6484f`
VirtualSize	`0x6b0`
VirtualAddress	`0x96000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x96000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`2.74544`

.rsrc

MD5	`5302b20f6caf4ab18c3f733070e914ac`
SHA1	`9c27f94b232b3552757f63a63fc66481e1593327`
SHA256	`b59e912d274852634e411bc4ff8f2aa53e6d5b356d7bbff153fe47bfb17f12af`
SHA3	`85ea00a9156568a2af72048d8a00a23116518618c3d3035efb313a030e38b88f`
VirtualSize	`0x18d48`
VirtualAddress	`0x97000`
SizeOfRawData	`0x19000`
PointerToRawData	`0x97000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`3.90006`

.reloc

MD5	`3b31c4bd4b366b5e60129004a4392537`
SHA1	`cf2782097016f510894671648f7beb61e807233f`
SHA256	`2e083c054dd03f04899877cc042a241a4a54fa11d73529663c7c7c7e91a08a27`
SHA3	`a6cdad5fa63e8e69ddb48324bf824290e8453b82af1dd52f92a502b6833dd46e`
VirtualSize	`0x5634`
VirtualAddress	`0xb0000`
SizeOfRawData	`0x6000`
PointerToRawData	`0xb0000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.6855`

Imports

ntoskrnl.exe	`IoSetTopLevelIrp` `IoCreateFileEx` `ObOpenObjectByPointer` `ZwClose` `ObDereferenceSecurityDescriptor` `RtlCompareMemory` `ExEnterCriticalRegionAndAcquireResourceShared` `KeInitializeEvent` `KeWaitForSingleObject` `KeResetEvent` `PsChargeProcessPoolQuota` `PsReturnPoolQuota` `IoCreateFile` `IoFreeIrp` `KeGetCurrentProcessorNumberEx` `EtwWriteTransfer` `EtwActivityIdControl` `ExInitializeRundownProtection` `KfRaiseIrql` `KeReleaseInStackQueuedSpinLockFromDpcLevel` `KeLowerIrql` `KeGetCurrentIrql` `RtlCompareUnicodeString` `ExReleaseResourceLite` `ExAcquireResourceExclusiveLite` `ExAllocatePool3` `RtlCopyUnicodeString` `ExAllocatePoolWithTagPriority` `MmSizeOfMdl` `ExRaiseStatus` `IoInitializeIrp` `MmBuildMdlForNonPagedPool` `IoAllocateErrorLogEntry` `_vsnwprintf` `PsGetProcessId` `IoWriteErrorLogEntry` `PsGetProcessExitTime` `KeEnterCriticalRegion` `ExWaitForRundownProtectionRelease` `KeLeaveCriticalRegion` `IoSetIoCompletion` `ExDeleteResourceLite` `RtlInitString` `RtlEqualString` `IoGetFileObjectGenericMapping` `RtlMapGenericMask` `SeLockSubjectContext` `SeAccessCheck` `SeAppendPrivileges` `SeFreePrivileges` `SeUnlockSubjectContext` `SeAssignSecurity` `ObLogSecurityDescriptor` `KeSetEvent` `IoBuildDeviceIoControlRequest` `IoAllocateIrp` `PsReferenceImpersonationToken` `PsDereferenceImpersonationToken` `PsGetCurrentProcess` `ExInitializeResourceLite` `PsReferenceSiloContext` `ExEventObjectType` `ProbeForWrite` `ExGetPreviousMode` `ExRaiseAccessViolation` `RtlRecordFeatureUsage` `RtlRegisterFeatureUsageProvider` `RtlArmFeatureUsageProviderFlushNotification` `RtlRegisterFeatureConfigurationChangeNotification` `RtlQueryFeatureConfigurationChangeStamp` `EtwSetInformation` `EtwRegister` `MmIsVerifierEnabled` `IoCreateDevice` `IoAllocateWorkItem` `ExInitializeNPagedLookasideList` `KeQueryMaximumProcessorCountEx` `ExDeleteNPagedLookasideList` `ExDeleteLookasideListEx` `IoFreeWorkItem` `IoDeleteDevice` `EtwUnregister` `RtlUnregisterFeatureUsageProvider` `RtlUnregisterFeatureConfigurationChangeNotification` `ExUnregisterCallback` `IoOpenDriverRegistryKey` `ExSubscribeWnfStateChange` `ZwQueryValueKey` `RtlLengthSid` `SeExports` `RtlCreateAcl` `RtlAddAccessAllowedAce` `ObGetObjectSecurity` `RtlSetDaclSecurityDescriptor` `RtlLengthSecurityDescriptor` `SeSetSecurityDescriptorInfo` `ObReleaseObjectSecurity` `ZwNotifyChangeKey` `IoQueueWorkItem` `ExQueryWnfStateData` `PsLookupProcessByProcessId` `ObCloseHandle` `SeCreateAccessState` `SeDeleteAccessState` `FsRtlInsertExtraCreateParameter` `KeReadStateEvent` `KeEnterGuardedRegion` `KeLeaveGuardedRegion` `KePulseEvent` `KeAcquireQueuedSpinLock` `KeReleaseQueuedSpinLock` `MmAdvanceMdl` `KeBugCheckEx` `ExpInterlockedFlushSList` `ExSystemTimeToLocalTime` `RtlTimeToTimeFields` `KeInitializeDpc` `KeInitializeTimer` `KeSetCoalescableTimer` `strrchr` `KeAcquireSpinLockAtDpcLevel` `KeReleaseSpinLockFromDpcLevel` `KeInitializeTimerEx` `KeFlushQueuedDpcs` `RtlLookupEntryHashTable` `RtlGetNextEntryHashTable` `ZwQuerySystemInformation` `RtlCreateHashTableEx` `RtlInsertEntryHashTable` `RtlDeleteHashTable` `IoCompletionObjectType` `ExAcquireRundownProtection` `IoInitializeMiniCompletionPacket` `ExReleaseRundownProtection` `IoRemoveIoCompletion` `IoCancelMiniCompletionPacket` `IoSetIoCompletionEx3` `ExAcquireResourceSharedLite` `ZwUpdateWnfStateData` `PsRegisterSiloMonitor` `PsStartSiloMonitor` `PsUnregisterSiloMonitor` `ExRundownCompleted` `PsGetSiloIdentifier` `PsCreateSiloContext` `PsInsertPermanentSiloContext` `PsGetSiloMonitorContextSlot` `PsDereferenceSiloContext` `PsGetPermanentSiloContext` `PsAttachSiloToCurrentThread` `PsDetachSiloFromCurrentThread` `PsGetCurrentServerSilo` `KeSetTimer` `KeCancelTimer` `IoQueryFileInformation` `IoGetRequestorProcess` `KeAttachProcess` `FsRtlMdlRead` `KeDetachProcess` `FsRtlMdlReadComplete` `IoCancelIrp` `ExAllocateFromNPagedLookasideList` `ExFreeToNPagedLookasideList` `FsRtlCopyRead` `MmLockPagableDataSection` `IoThreadToProcess` `MmSystemRangeStart` `ObFindHandleForObject` `KeTestSpinLock` `RtlCaptureStackBackTrace` `RtlIntegerToUnicode` `RtlAppendUnicodeStringToString` `ObReferenceSecurityDescriptor` `KeDelayExecutionThread` `IoReuseIrp` `IoWMIWriteEvent` `IoGetDeviceAttachmentBaseRef` `IoFreeErrorLogEntry` `ZwCreateEvent` `KeWaitForMultipleObjects` `ExReleaseResourceForThreadLite` `ObfDereferenceObjectWithTag` `ObfReferenceObjectWithTag` `PsGetProcessImageFileName` `IoSizeofWorkItem` `IoInitializeWorkItem` `IoSetIoCompletionEx` `MmGetSystemRoutineAddress` `IoWMIRegistrationControl` `MmLockPagableSectionByHandle` `MmUnlockPagableImageSection` `WmiTraceMessageVa` `FsRtlFreeExtraCreateParameterList` `FsRtlAllocateExtraCreateParameter` `FsRtlAllocateExtraCreateParameterList` `RtlAppendUnicodeToString` `RtlPrefixUnicodeString` `RtlEqualUnicodeString` `FsRtlFindExtraCreateParameter` `IoGetTopLevelIrp` `ExReleaseResourceAndLeaveCriticalRegion` `ExRegisterCallback` `ExEnterCriticalRegionAndAcquireResourceExclusive` `ExCreateCallback` `RtlInitUnicodeString` `RtlCreateSecurityDescriptor` `MmIsThisAnNtAsSystem` `RtlGetVersion` `KeGetRecommendedSharedDataAlignment` `InitializeSListHead` `KeInitializeSpinLock` `ExpInterlockedPopEntrySList` `MmMapLockedPages` `MmMapLockedPagesSpecifyCache` `ExQueueWorkItem` `KeInsertQueueApc` `KeInitializeApc` `IoGetRelatedDeviceObject` `IoBuildPartialMdl` `IoFreeMdl` `MmUnlockPages` `ExpInterlockedPushEntrySList` `ExQueryDepthSList` `ObfReferenceObject` `MmProbeAndLockPages` `IoAllocateMdl` `ExRaiseDatatypeMisalignment` `MmUserProbeAddress` `IoReleaseCancelSpinLock` `KeAcquireInStackQueuedSpinLockAtDpcLevel` `IofCompleteRequest` `ObfDereferenceObject` `IofCallDriver` `IoAcquireCancelSpinLock` `KeAcquireSpinLockRaiseToDpc` `ExInitializeLookasideListEx` `ExAllocateFromLookasideListEx` `KeReleaseSpinLock` `ExFreeToLookasideListEx` `KeReleaseInStackQueuedSpinLock` `KeAcquireInStackQueuedSpinLock` `IoFileObjectType` `ObReferenceObjectByHandle` `PsGetCurrentProcessId` `ExFreePoolWithTag` `ExAllocatePool2` `IoGetCurrentProcess` `EtwWrite` `PsRevertToSelf` `SeImpersonateClientEx` `SeCaptureSubjectContextEx` `SeReleaseSubjectContext` `SeDeleteClientSecurity` `SeCreateClientSecurityFromSubjectContext` `ExReleaseSpinLockShared` `ExAcquireSpinLockShared` `DbgkWerCaptureLiveKernelDump` `KeQueryTimeIncrement` `IoIs32bitProcess` `RtlNotifyFeatureUsage` `RtlQueryFeatureConfiguration` `__C_specific_handler` `PcwUnregister` `PcwAddInstance` `SeQuerySecurityDescriptorInfo` `PcwRegister`
NDIS.SYS	`NdisFreeRWLock` `NdisAcquireRWLockWrite` `NdisReleaseRWLock` `NdisAcquireRWLockRead` `NdisAllocateRWLock`
TDI.SYS	`TdiCopyMdlToBuffer` `TdiCopyBufferToMdl` `TdiReturnChainedReceives` `TdiRegisterPnPHandlers` `TdiMatchPdoWithChainedReceiveContext` `TdiDeregisterPnPHandlers`
NETIO.SYS	`NetioNrtIsTrackerDevice` `NetioNrtDispatch` `NmrRegisterProvider` `NmrDeregisterProvider` `NetioInsertWorkQueue` `NetioShutdownWorkQueue` `NetioInitializeWorkQueue` `NmrProviderDetachClientComplete` `NmrClientAttachProvider` `NmrClientDetachProviderComplete` `NmrWaitForClientDeregisterComplete` `NmrDeregisterClient` `NmrRegisterClient` `GetDefaultCompartmentId` `NsiFreeTable` `NsiAllocateAndGetTable` `NsiRegisterChangeNotificationEx` `NsiDeregisterChangeNotification` `NsiRegisterChangeNotification` `NsiGetAllParameters` `NetioIsCompartmentAccessibleByThread` `NetioGetCompartmentNamespace` `NetioGetThreadCompartmentInfo` `RtlCleanupTimerWheelEntry` `RtlIndicateTimerWheelEntryTimerStart` `RtlInitializeTimerWheelEntry` `RtlCleanupTimerWheel` `RtlSuspendTimerWheel` `RtlInitializeTimerWheel` `RtlReturnTimerWheelEntry` `RtlGetNextExpiredTimerWheelEntry` `RtlUpdateCurrentTimerWheelTick` `RtlCopyMdlToMdl` `RtlCopyMdlToBuffer` `NetioNrtStop` `NetioTimerWorkItemShutdown` `NetioTimerWorkItemStart` `NetioTimerWorkItemInitialize` `NetioNrtStart` `NetioSetTriageBlock` `NmrWaitForProviderDeregisterComplete`
msrpc.sys	`RpcBindingSetOption` `RpcAsyncInitializeHandle` `RpcBindingCreateW` `RpcBindingBind` `RpcExceptionFilter` `RpcAsyncCompleteCall` `RpcAsyncCancelCall` `RpcBindingFree` `RpcBindingUnbind` `Ndr64AsyncClientCall`

Delayed Imports

1

Type	`MUI`
Language	English - United States
Codepage	UNKNOWN
Size	`0xf8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.74579`
MD5	`33d35ded63d807aada1f692d95d61278`
SHA1	`e06345c7846847295fab9f241cd59a15fa199659`
SHA256	`236c6eb13ad7dd38c791688e1aeb1d136a4fcbc0f1ecb91702f45e1fb43d513e`
SHA3	`8627f254d1d2b72431fe0b95e066c84cf38606d54a406514b6bbba538fab5f0f`

1 (#2)

Type	`WEVT_TEMPLATE`
Language	English - United States
Codepage	UNKNOWN
Size	`0x1361a`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.88607`
MD5	`92cf73b23e186322e4167d4519703f10`
SHA1	`68a32daccac2c0f48cd7f1ad4967c68380149f7b`
SHA256	`5761ad4b92f207ec7eafca68394e617b89a718d3522bcd0b9f7e13d1884f9e88`
SHA3	`c6a3d4ab9bf08d38085916bc9c22eb5973017f185554e3cf4caea6c30277c412`

1 (#3)

Type	`RT_STRING`
Language	English - United States
Codepage	UNKNOWN
Size	`0x3a4`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.25546`
MD5	`3c1f44f7cb7b0f12dac3bbf7c91f8fb0`
SHA1	`00e43a5dcf391a53e6a6cbcafb7580227bdc1f16`
SHA256	`3f430cfb684edd4581a3e5f9b905957b1d319a021ec7d47fb653b899aa34098a`
SHA3	`ebecd21c126d1fee7b90694b95f068bd9e157bdbe8e86932d50085fb7fa0cd69`

2

Type	`RT_STRING`
Language	English - United States
Codepage	UNKNOWN
Size	`0xfa`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.80311`
MD5	`0e6fc6880d07db4c10d0a9df15fb19d9`
SHA1	`93d1d3676558ddcae508aaee2db026c44c0e69d4`
SHA256	`2cd033125336deec576968627698c52bebd3851a4fb05f9b06280620c2caecdc`
SHA3	`6ab3804feb846aebc45ef0c95d5907d5add83c307837e8f189a1b7b6d7a4ba51`

63

Type	`RT_STRING`
Language	English - United States
Codepage	UNKNOWN
Size	`0x6a`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.41229`
MD5	`76cf431cc99888f245ce689783f91f65`
SHA1	`6da7d6521d0303bbeda1e6766cf10a4212dad74d`
SHA256	`f2b396cb2dd2401c807e870ed11ae2cbcc0765de7b409d4b80d226ddc1080fdf`
SHA3	`783317b87925d7044e2268edf34d4917a5bac66794f3402ebd18763d77949da7`

1 (#4)

Type	`RT_MESSAGETABLE`
Language	English - United States
Codepage	UNKNOWN
Size	`0x4b6c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.61431`
MD5	`c42178c0def74be8d92359b2cfe33ee2`
SHA1	`97e8e7af48d691a72b5e59f6a2aba0f42a67d888`
SHA256	`65a5d0291962679018ae7719ae66750b3543a059286f27d94303efad1a498599`
SHA3	`a1f385123e55bd0e17d78bd380936156537d5b4f4ef439d1a1c9378465649fb6`

1 (#5)

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x3a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.50329`
MD5	`71db151eee6b70c3451c9581afda9ddf`
SHA1	`6744b492ff164f9ac29fce878c1bd2ddf94e800e`
SHA256	`4461fb9838a1b58bc141df99507993c957f6b478d612ad20db3e55719cc9c28d`
SHA3	`be30df1c2eee3e04fc7bd117ac3b20c6befa3f5259285f0d7002ec6935be8f5b`

String Table contents

Microsoft Winsock BSP
Microsoft Winsock BSP
Global performance counters for Microsoft Winsock Base Service Provider
Dropped Datagrams/sec
Dropped Datagrams/sec
Dropped Datagrams/sec due to receive buffer limit on any datagram socket
Dropped Datagrams
Dropped Datagrams
Dropped Datagrams due to receive buffer limit on any datagram socket
Rejected Connections/sec
Rejected Connections/sec
Rejected Connections/sec due to backlog limit on any TCP listening socket
Rejected Connections
Rejected Connections
Rejected Connections due to backlog limit on any TCP listening socket
Ancillary Function Driver for Winsock

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	10.0.26100.4202
ProductVersion	10.0.26100.4202
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_DRV`
FileSubtype	VFT2_DRV_SYSTEM
Language	English - United States
CompanyName	Microsoft Corporation
FileDescription	Ancillary Function Driver for WinSock
FileVersion (#2)	10.0.26100.4202 (WinBuild.160101.0800)
InternalName	afd.sys
LegalCopyright	Â© Microsoft Corporation. All rights reserved.
OriginalFilename	afd.sys
ProductName	MicrosoftÂ® WindowsÂ® Operating System
ProductVersion (#2)	10.0.26100.4202

Resource LangID	English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2009-Sep-24 08:21:32
Version	`0.0`
SizeofData	`32`
AddressOfRawData	`0x5e0ec`
PointerToRawData	`0x5e0ec`
Referenced File	afd.pdb

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2009-Sep-24 08:21:32
Version	`0.0`
SizeofData	`976`
AddressOfRawData	`0x5e10c`
PointerToRawData	`0x5e10c`

UNKNOWN

Characteristics	`0`
TimeDateStamp	2009-Sep-24 08:21:32
Version	`0.0`
SizeofData	`36`
AddressOfRawData	`0x5e55c`
PointerToRawData	`0x5e55c`

UNKNOWN (#2)

Characteristics	`0`
TimeDateStamp	2009-Sep-24 08:21:32
Version	`0.0`
SizeofData	`4`
AddressOfRawData	`0x5e580`
PointerToRawData	`0x5e580`

TLS Callbacks

Load Configuration

Size	`0x148`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x1c0065240`
GuardCFCheckFunctionPointer	`7516633712`
GuardCFDispatchFunctionPointer	`0`
GuardCFFunctionTable	`0`
GuardCFFunctionCount	`0`
GuardFlags	`(EMPTY)`
CodeIntegrity.Flags	`0`
CodeIntegrity.Catalog	`0`
CodeIntegrity.CatalogOffset	`0`
CodeIntegrity.Reserved	`0`
GuardAddressTakenIatEntryTable	`0`
GuardAddressTakenIatEntryCount	`0`
GuardLongJumpTargetTable	`0`
GuardLongJumpTargetCount	`0`

RICH Header

XOR Key	`0xc8d2ad28`
Unmarked objects	`0`
Total imports	`337`
Imports (33140)	`11`
Unmarked objects (#2)	`2`
C objects (33140)	`14`
ASM objects (33140)	`10`
C objects (LTCG) (33140)	`65`
Resource objects (33140)	`1`
Linker (33140)	`1`

Errors

Leave a comment

No comments yet.