

Windows Analysis Report
tcpip.sys

Overview

General Information

Sample name:tcpip.sys
Analysis ID:1432029
MD5:383a0ff58bb4835a540c6304a0779b7f
SHA1:b0bdda9f75085e8011c2527cbaeae03b502793e8
SHA256:bb66260d219843cfa2ef7f92b839ad16bf47413429c883cfea0b441f4a02d1f0
Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: driver entrypoint not found

Detection

Score:22
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

NDIS Filter Driver detected (likely used to intercept and sniff network traffic)
Binary contains a suspicious time stamp
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names

Classification

No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


Source: tcpip.sys; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, FORCE_INTEGRITY, NX_COMPAT, GUARD_CF
Source: tcpip.sys; Binary string: tcpip.pdbUGP
Source: tcpip.sys; Binary string: tcpip.pdb

Networking

Source: tcpip.sys; Static PE information: Found NDIS imports: IPsecDriverInitiateAcquire, IPsecDriverExpire, IPsecDriverSaOffloaded, IPsecDriverProcessClearTextResponse, FwppBfeStateGetResetCount0, FwppDispatchDevCtl0, FwpsRequestEndpointDeleteNotification0, FwpsCancelEndpointDeleteNotification0, FwpsForceReclassifyLayer0, FwpsFreeNetBufferList0, FwpsReassembleForwardFragmentGroup0, FwppvSwitchFreeVmSwitchNblInfo, FwpsFreeCloneNetBufferList0, FwpsReleaseClassifyHandle0, FwpsApplyModifiedLayerData0, FwpsAcquireWritableLayerDataPointer0, FwpsAcquireClassifyHandle0, FwpsClassifyOptionSet0, FwpmBfeStateUnsubscribeChanges0, FwpmBfeStateSubscribeChangesWithoutDevice0, FwpsFlowAssociateContext0, FwpmEngineClose0, FwpmEngineOpen0, FwppVpnTriggerEventFire0, FwpmSecureSocketDeleteByKeyAsync0, FwpmSecureSocketAddAsync0, FwppvSwitchGetDestinationInterface, FwppvSwitchGetDestinationArray, FwppvSwitchCopyVmSwitchNblInfo, FwppDereferencevSwitchNblContext, FwppReferencevSwitchNblContext, FwpsInjectNetworkReceiveAsync0, FwppAllocateNetioCloneNetBufferList, FwpsNetBufferListRetrieveContext0, FwppGetvSwitchNblContext, FwppProcessorAddHandler, FwpsIPSecGetPacketListSecurityInformation, FwppNetBufferListAssociateContext, FwpsQueryPacketInjectionState0, FwpsInjectionHandleDestroy0, FwpsInjectionHandleCreate0, FwpsInjectTransportSendAsync1, FwpsConstructIpHeaderForTransportPacket0, FwpsAllocateCloneNetBufferList0, FwpsTcpIpDispatchTableAndGlobalsSet0, FwpsTcpIpDispatchTableClear0, FwppNetBufferListEventNotify, FwpsCalloutUnregisterByKey0, FwpsCalloutRegisterWithoutDevice0, FwpsProxiedEndpointUnRegisterForExitingEndpoint, FwpsProxiedEndpointClassifiableFieldGet, FwpsProxiedEndpointMetadataValueGet, FwpsProxiedEndpointRegisterForExitingEndpoint, FwpsProxiedEndpointWasRedirectedToProxy
Source: tcpip.sys; Static PE information: invalid certificate
Source: tcpip.sys; Static PE information: Number of sections : 17 > 10
Source: tcpip.sys; Binary string: Lsite prefix entry (IPNG)IPv6 router advertisement packet (IPNG)IPv6 router solicitation packet (IPNG)IPv6 potential router (IPNG)IPv6 echo data MDL (IPNG)IPv6 echo reply MDL (IPNG)IPv6 echo options MDL (IPNG)IPv6 echo ancillary data (IPNG)IPv6 echo request (IPNG)IPv6 send fragment (IPNG)IPv6 reassembly structure (IPNG)IPv6 reassembly unfragmentable data (IPNG)shim for IPv6 reassembly (IPNG)IPv6 fragment packet (IPNG)IPv6 new header (IPNG)MLD report packet (IPNG)MLD source list (IPNG)MLD NBL (IPNG)MLD report packet retreat (IPNG)NS packet (IPNG)NA packet (IPNG)IPv6 echo reply packet (IPNG)WOL pattern (FLNG)failed when queueing a REMOVE_OID request (FLNG)TL requested hardware slot but address is not offloadedTL requested hardware slot but FL interface no longer capableinterface (FLNG)Interface AOAC capability was revokedIPv4client interface (FLNG)%luIPv6interface work item (FLNG)interface locks (FLNG)client interface remove lock (FLNG)client interface set (FLNG)Failed to plumb down L2 Unicast Wake\DEVICE\{93123211-9629-4E04-82F0-EA2E4F221468}0x%08lxL2 Unicast TCP WakeTCP V4 PacketTCP V6 PacketUDP PortCoalescedPatternLocalPortPatternTCP PortCoalescedPatternL2 Unicast UDP WakeDL address allocation helper (FLNG)isolation interface info (FLNG)Microsoft Hyper-V Network Adapterisolation interface (FLNG)%s (%d)compartment rw (FLNG)NDIS luid index (FLNG)isolation parameters (FLNG)\
Source: tcpip.sys; Binary string: \Device\TcpAllocHooks\Device\eQoS\Callback\PowerState\KernelObjects\LowMemoryCondition\KernelObjects\HighMemoryCondition\KernelObjects\LowPagedPoolCondition\KernelObjects\HighPagedPoolCondition\KernelObjects\LowNonPagedPoolCondition\KernelObjects\HighNonPagedPoolConditionMD5UdpExemptPortRangePsGetVersionEtwUnregisterWmiTraceMessageWmiQueryTraceInformationEtwRegisterClassicProviderWfpAleReauthorizeConnectionAleEdgeIFsLookupCachedAction
Source: tcpip.sys; Binary string: MTUIPAddressDefaultGatewayTcpDelAckTicksInterfaceMetricTypeOfInterfaceTcpAckFrequencyUseZeroBroadcastPerformRouterDiscoverySolicitationAddressBcastIPAutoconfigurationEnabledTCPIP6TCPIPRDMANDKhost/\DosDevices\WFPDev\Device\WFP
Source: tcpip.sys; Binary string: \Device\IPSECDOSP\DosDevices\IPSECDOSPDeviceWfpAleInitializeSecurityTrackingGRv
Source: tcpip.sys; Binary string: q\Device\NXTIPSEC\DosDevices\NXTIPSECDevice\Device\WfpAle\DosDevices\WfpAleAleDebugEnabledCacheProfileCrossingSetNameOnSecureSocketAleAuthTelemetryThresholdLocalAddrRedirect\Registry\Machine\System\CurrentControlSet\Services\BFE\Parameters\Registry\Machine\System\CurrentControlSet\Services\BFE\Parameters\Policy\OptionsSystemY
Source: classification engine; Classification label: sus22.troj.winSYS@0/0@0/0
Source: tcpip.sys; Static PE information: Virtual size of .text is bigger than: 0x100000
Source: tcpip.sys; Static PE information: Image base 0x1c0000000 > 0x60000000
Source: tcpip.sys; Static file information: File size 3298784 > 1048576
Source: tcpip.sys; Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1da000
Source: tcpip.sys; Static PE information: More than 200 imports for ntoskrnl.exe
Source: tcpip.sys; Static PE information: More than 200 imports for NETIO.SYS
Source: tcpip.sys; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: tcpip.sys; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: tcpip.sys; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: tcpip.sys; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: tcpip.sys; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: tcpip.sys; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: tcpip.sys; Static PE information: 0xBD850684 [Sat Oct 4 01:29:40 2070 UTC]
Source: tcpip.sys; Static PE information: real checksum: 0x33468a should be: 0x334692
Source: tcpip.sys; Static PE information: section name: NONPAGE
Source: tcpip.sys; Static PE information: section name: PAGEIPSE
Source: tcpip.sys; Static PE information: section name: PAGEIDP
Source: tcpip.sys; Static PE information: section name: PAGERSS
Source: tcpip.sys; Static PE information: section name: fothk
Source: tcpip.sys; Static PE information: section name: PAGECONS
Source: tcpip.sys; Static PE information: section name: GFIDS
MITRE ATT&CK Matrix (techniques the signatures map to; hit count in brackets)

  • Defense Evasion: Timestomp (1)
  • Credential Access: Network Sniffing (1)
  • Discovery: Security Software Discovery (1), Network Sniffing (1)
Source | Detection | Scanner
tcpip.sys | 0% | ReversingLabs
tcpip.sys | 1% | Virustotal
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1432029
Start date and time:2024-04-26 10:13:59 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 1m 32s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:0
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:tcpip.sys
Detection:SUS
Classification:sus22.troj.winSYS@0/0@0/0
Cookbook Comments:
  • Found application associated with file extension: .sys
  • Unable to launch sample, stop analysis
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: driver entrypoint not found
No simulations
No context
No created / dropped files found
File type:PE32+ executable (native) x86-64, for MS Windows
Entropy (8bit):6.1117062920405
TrID:
  • Win64 Device Driver (generic) (12004/3) 74.95%
  • Generic Win/DOS Executable (2004/3) 12.51%
  • DOS Executable Generic (2002/1) 12.50%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:tcpip.sys
File size:3'298'784 bytes
MD5:383a0ff58bb4835a540c6304a0779b7f
SHA1:b0bdda9f75085e8011c2527cbaeae03b502793e8
SHA256:bb66260d219843cfa2ef7f92b839ad16bf47413429c883cfea0b441f4a02d1f0
SHA512:ab9420cf007c4fd0d04aaa3f7a6d7d69e9ac15835f06e73a6783357ec086797853e30cfaa1e984365b591e4f427a35d2c07da7fd8b27e6daccc1f254948bb752
SSDEEP:49152:ofTIBZjPRpsZ9zuwLGHKN5GMyKk8ugrlD/Zu/o:HTPRpwLIit/B
TLSH:68E53B1AA2EC1068F0BBD6749A768126EA717C351B30D5DF2150C27D6E73FD09E39B22
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........G6..&X..&X..&X..&Y..%X..^Y..&X..&X..&X..^\..&X..^[..&X..^X..&X..^U..'X..^...&X..^Z..&X.Rich.&X.........PE..d................."
Icon Hash:7ae282899bbab082
Entrypoint:0x1c027c010
Entrypoint Section:INIT
Digitally signed:true
Imagebase:0x1c0000000
Subsystem:native
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, FORCE_INTEGRITY, NX_COMPAT, GUARD_CF
Time Stamp:0xBD850684 [Sat Oct 4 01:29:40 2070 UTC] (not a build date: since Windows 10 Microsoft fills TimeDateStamp with a reproducible-build hash, which is what the "suspicious time stamp" signature reacts to)
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:10
OS Version Minor:0
File Version Major:10
File Version Minor:0
Subsystem Version Major:10
Subsystem Version Minor:0
Import Hash:d22682b2bac965e625724d19609ab955
Signature Valid:false
Signature Issuer:CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:The digital signature of the object did not verify
Error Number:-2146869232 (0x80096010, TRUST_E_BAD_DIGEST: the signer chain parsed, but the file's Authenticode digest does not match the digest that was signed)
Not Before:16/11/2023 19:20:09
Not After:14/11/2024 19:20:09
Subject Chain
  • CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:3
Thumbprint MD5:9B7554FFA2D97FE692CB10D7B2E315A7
Thumbprint SHA-1:D8FB0CC66A08061B42D46D03546F0D42CBC49B7C
Thumbprint SHA-256:2D7FFCE2C256016291B67285456AA8DA779D711BBF8E6B85C212A157DDFBE77E
Serial:3300000460CF42A912315F6FB3000000000460
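The checksum mismatch reported above (stored 0x33468a, recomputed 0x334692) and the signature failure (error -2146869232 = 0x80096010, TRUST_E_BAD_DIGEST) are two measurements of one fact: the bytes in this copy of tcpip.sys are not the bytes that were signed. Both values are computed over the whole file minus the CheckSum field and the certificate table, and the table is exactly where the IMAGE_DIRECTORY_ENTRY_SECURITY entry says: file offset 0x323000 plus 0x25e0 bytes equals the 3,298,784-byte (0x3255e0) file size, so it is the last thing in the file as Authenticode requires. The SHA-256 digest catches any change; the checksum is only a 16-bit sum that a careful patcher can keep constant, so a checksum that is also off points at a sloppy modification or a damaged copy. A static report cannot tell those apart, and the sandbox never loaded the driver ("driver entrypoint not found"), so no behaviour exists to settle it; the practical next step is to fetch a clean copy of the same build (Microsoft's symbol server indexes PE files by TimeDateStamp and SizeOfImage) and diff. The following added example, which is not part of the report or of Microsoft's code, recomputes both values the way imagehlp and Authenticode define them and sanity-checks the WIN_CERTIFICATE table. It runs against a constructed minimal PE32+ image so it works offline; `pe_checksum`, `authenticode_digest` and `certificate_table_check` take the raw bytes of any PE file.

```python
"""Recompute the two integrity values the report flags for this copy of tcpip.sys.
Added example, not part of the Joe Sandbox report or of the sample: it reads only
the PE fields it needs and ships with a constructed PE32+ image so it runs offline."""
import hashlib
import struct

SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY


def parse_headers(data: bytes) -> dict:
    """Offsets of the fields that checksum and Authenticode hashing skip or walk."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    opt = coff + 20
    # Data directories start 96 bytes into a PE32 optional header, 112 into PE32+;
    # SizeOfHeaders (+60) and CheckSum (+64) sit at the same offsets in both layouts.
    dirs = opt + (112 if struct.unpack_from("<H", data, opt)[0] == 0x20B else 96)
    nrva = struct.unpack_from("<I", data, dirs - 4)[0]
    return {"checksum_ofs": opt + 64,
            "size_of_headers": struct.unpack_from("<I", data, opt + 60)[0],
            "security_dir_ofs": dirs + 8 * SECURITY_DIR if nrva > SECURITY_DIR else None,
            "section_table": opt + struct.unpack_from("<H", data, coff + 16)[0],
            "nsections": struct.unpack_from("<H", data, coff + 2)[0]}


def pe_checksum(data: bytes, checksum_ofs: int) -> int:
    """IMAGE_OPTIONAL_HEADER.CheckSum as imagehlp computes it: a 16-bit end-around-carry
    sum over every word except the CheckSum field itself, plus the file length."""
    total = 0
    for ofs in range(0, len(data) - 1, 2):
        if ofs in (checksum_ofs, checksum_ofs + 2):
            continue
        total += data[ofs] | (data[ofs + 1] << 8)
        total = (total & 0xFFFF) + (total >> 16)
    if len(data) & 1:  # a trailing odd byte is summed as a word of its own
        total += data[-1]
        total = (total & 0xFFFF) + (total >> 16)
    return (((total >> 16) + total) & 0xFFFF) + len(data)


def verify_checksum(data: bytes) -> bool:
    ofs = parse_headers(data)["checksum_ofs"]
    return struct.unpack_from("<I", data, ofs)[0] == pe_checksum(data, ofs)


def stamp_checksum(data: bytes) -> bytes:
    """Copy of the image with a correct CheckSum (what the linker or MapFileAndCheckSum writes)."""
    ofs, out = parse_headers(data)["checksum_ofs"], bytearray(data)
    struct.pack_into("<I", out, ofs, pe_checksum(data, ofs))
    return bytes(out)


def authenticode_digest(data: bytes, algo: str = "sha256"):
    """Hash the image the way Authenticode does: everything except the CheckSum field,
    the SECURITY directory entry and the certificate table. Returns (hexdigest, cert bytes)."""
    h = parse_headers(data)
    cs, sd, hdr_end = h["checksum_ofs"], h["security_dir_ofs"], h["size_of_headers"]
    cert_ofs, cert_len = struct.unpack_from("<II", data, sd) if sd else (0, 0)
    hasher = hashlib.new(algo)
    hasher.update(data[:cs])  # headers up to CheckSum
    hasher.update(data[cs + 4:sd] + data[sd + 8:hdr_end] if sd else data[cs + 4:hdr_end])
    sections = []
    for i in range(h["nsections"]):
        raw_size, raw_ptr = struct.unpack_from("<II", data, h["section_table"] + 40 * i + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    hashed = hdr_end
    for ptr, size in sorted(sections):  # raw section data, in file order
        hasher.update(data[ptr:ptr + size])
        hashed += size
    hasher.update(data[hashed:len(data) - cert_len])  # overlay data, if any; never the cert table
    return hasher.hexdigest(), data[cert_ofs:cert_ofs + cert_len] if cert_len else None


def certificate_table_check(data: bytes) -> dict:
    """The SECURITY entry holds a file offset, not an RVA; the table must be the last bytes of
    the file, 8-byte aligned, and a WIN_CERTIFICATE of revision 0x0200 and type 0x0002 (PKCS#7)."""
    sd = parse_headers(data)["security_dir_ofs"]
    cert_ofs, cert_len = struct.unpack_from("<II", data, sd) if sd else (0, 0)
    if not cert_len:
        return {"present": False}
    dw_length, revision, cert_type = struct.unpack_from("<IHH", data, cert_ofs)
    return {"present": True, "at_end": cert_ofs + cert_len == len(data),
            "aligned": cert_ofs % 8 == 0 and cert_len % 8 == 0,
            "length_ok": dw_length == cert_len, "revision": revision, "type": cert_type}


def build_sample(cert: bytes) -> bytes:
    """Constructed PE32+ native image (made up for this example; header values borrowed from
    the report where they fit): one 0x200-byte section at 0x200, certificate table appended."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0xBD850684, 0, 0, 112 + 16 * 8, 0x0022)
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII", 0x20B, 14, 0, 0x200, 0, 0, 0x1000, 0x1000,
                      0x1C0000000, 0x1000, 0x200, 10, 0, 10, 0, 10, 0, 0, 0x2000, 0x200,
                      0,          # CheckSum, filled in by stamp_checksum()
                      1, 0x41E0,  # native; HIGH_ENTROPY_VA|DYNAMIC_BASE|FORCE_INTEGRITY|NX_COMPAT|GUARD_CF
                      0x40000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[SECURITY_DIR] = (0x400, len(cert))
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + opt + b"".join(struct.pack("<II", *d) for d in dirs) + section
    return headers + bytes(0x200 - len(headers)) + b"\xCC" * 0x200 + cert


# Constructed WIN_CERTIFICATE: 8-byte header plus 24 filler bytes standing in for PKCS#7 SignedData.
CERT_PAYLOAD = b"\x30\x82" + bytes(21) + b"\xAA"
CERT = struct.pack("<IHH", 8 + len(CERT_PAYLOAD), 0x0200, 0x0002) + CERT_PAYLOAD
SAMPLE = stamp_checksum(build_sample(CERT))

if __name__ == "__main__":
    print(verify_checksum(SAMPLE), authenticode_digest(SAMPLE)[0], certificate_table_check(SAMPLE))
```

On the real file the expected outcome is exactly what the report shows: `verify_checksum` is False and `authenticode_digest` returns a hash that does not match the one inside the PKCS#7 blob the function hands back. Flipping a single bit in the constructed sample's section data changes the digest and the checksum, while flipping a bit inside the certificate table changes neither, which is why the certificate details (issuer, validity, thumbprints) can still be parsed and displayed for a file whose signature no longer verifies.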
Instruction (entry point 0x1c027c010 in INIT, re-decoded as x86-64: the report disassembled these bytes in 32-bit mode, so every 0x48/0x4C REX prefix appeared as "dec eax"/"dec esp" and the RIP-relative operands and the 64-bit immediate were split across bogus instructions; branch targets are kept as the report printed them)
mov qword ptr [rsp+08h], rbx
push rdi
sub rsp, 20h
mov rbx, rdx                          ; RegistryPath
mov rdi, rcx                          ; DriverObject
call 00007F2E4927BB04h                ; __security_init_cookie
mov rdx, rbx
mov rcx, rdi
call 00007F2E4927C711h                ; DriverEntry(DriverObject, RegistryPath)
mov rbx, qword ptr [rsp+30h]
add rsp, 20h
pop rdi
ret
int3 (9 times, padding)
; the GsDriverEntry stub above calls this kernel-mode __security_init_cookie: the loader has already
; set the cookie, so a value that is still zero or still the compiler default is treated as fatal
mov rax, qword ptr [rip-5F88Bh]       ; __security_cookie
test rax, rax
je 00007F2E4927BAFDh                  ; taken when the cookie is zero
mov rcx, 2B992DDFA232h                ; default x64 GS cookie value
cmp rax, rcx
je short +0Ch                         ; taken when the cookie is still the default: the int 29h stub below
not rax
mov qword ptr [rip-5F8A1h], rax       ; __security_cookie_complement
ret
int3
mov ecx, 00000006h                    ; FAST_FAIL_GS_COOKIE_INIT
int 29h                               ; __fastfail
int3 (14 times, padding)
mov qword ptr [rsp+10h], rbx
mov qword ptr [rsp+18h], rbp
mov qword ptr [rsp+20h], rsi
push rdi
sub rsp, 20h
lea r9, [rip-5FF3Bh]
lea r8, [rip-5FF42h]
lea rcx, [rip-9A299h]
call 00007F2E490BD6CFh
call 00007F2E4927BD2Eh
mov ebx, eax                          ; NTSTATUS
test eax, eax
js 00007F2E4927D731h                  ; failure: negative NTSTATUS
call 00007F2E4927BC4Bh
mov ebx, eax
test eax, eax
js 00007F2E4927D76Dh
call 00007F2E4927BBA4h
mov ebx, eax
test eax, eax
js 00007F2E4927BBA9h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x27a000 | 0x32 | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x23e928 | 0xc8 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x281000 | 0x9b090 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x227000 | 0x155f4 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x323000 | 0x25e0 | none: this entry is a file offset, not an RVA; the certificate table is the last 0x25e0 bytes of the 0x3255e0-byte file, past every section (the report's ".reloc" attribution comes from treating the offset as an RVA)
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x31d000 | 0xef0 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1e5b20 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1dc5c0 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x23d000 | 0x18f8 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x1d9ebc | 0x1da000 | f5bf2307a61e68354c446b0c1a38b3d8 | False | 0.5654 | data | 6.4602 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x1db000 | 0x32a00 | 0x33000 | 9c6d6ea379b1443232eb13664f23229b | False | 0.3363 | data | 5.2160 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ
.data | 0x20e000 | 0x187ac | 0xf000 | 4bad58ecbf6c29a9cca0f90ef5f91302 | False | 0.0425 | data | 0.5963 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x227000 | 0x155f4 | 0x16000 | 35ca3ae8d1f5b9d95eaa3af7d803e20e | False | 0.5105 | data | 6.1359 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ
.idata | 0x23d000 | 0x8854 | 0x9000 | 011b85fa95e0534bd0d18ed27829510c | False | 0.2774 | data | 4.9204 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ
NONPAGE | 0x246000 | 0xb0 | 0x1000 | 2920f2e1dcfd1a2b2abd4e00409e0a29 | False | 0.0120 | data | 0.0452 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
PAGE | 0x247000 | 0xd98a | 0xe000 | 414f8e53d3b44a6b024cedcab7193552 | False | 0.5682 | data | 6.3530 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
PAGEIPSE | 0x255000 | 0x1c299 | 0x1d000 | 47b3802959abb42ec56d28e79da071a5 | False | 0.5319 | data | 6.3272 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
PAGEIDP | 0x272000 | 0x2d69 | 0x3000 | 4b93b4cca54ada456a1af0a4fea9d57e | False | 0.5391 | data | 6.1859 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
PAGERSS | 0x275000 | 0x35fb | 0x4000 | ad55b6e2e76025103a5a40efcca3b38c | False | 0.5294 | data | 5.9073 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
fothk | 0x279000 | 0x1000 | 0x1000 | aabeedf0ce969966fe1e27f6b5bad52d | False | 0.0095 | ISO-8859 text, with very long lines (4096), with no line terminators | 0.0164 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.edata | 0x27a000 | 0x32 | 0x1000 | 5c3830d3cfe2170665887db32b643d39 | False | 0.0149 | data | 0.0548 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
PAGECONS | 0x27b000 | 0x138 | 0x1000 | cd57ceebdb6c3230c63f0500870880c3 | False | 0.0405 | data | 0.3628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
INIT | 0x27c000 | 0x2910 | 0x3000 | 0dd03b41ecf14aa06e8b45f955f5a500 | False | 0.4928 | data | 5.8277 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
GFIDS | 0x27f000 | 0x1550 | 0x2000 | e49b40ee95203c9c5e83b4f8f1983397 | False | 0.3857 | data | 4.2703 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x281000 | 0x9b090 | 0x9c000 | a76930c7ed0a4a282082d124732b2190 | False | 0.1676 | data | 3.9890 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.reloc | 0x31d000 | 0xfca4 | 0x10000 | 527087332444abd64339ae72ec700f08 | False | 0.7171 | data | 6.1182 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
MUI | 0x31bf98 | 0xf8 | data | English | United States | 0.5363
WEVT_TEMPLATE | 0x2aef98 | 0x66e46 | data | English | United States | 0.1693
RT_STRING | 0x315de0 | 0x12e | data | English | United States | 0.4437
RT_STRING | 0x315f10 | 0x4d6 | data | English | United States | 0.1688
RT_STRING | 0x3163e8 | 0x656 | data | English | United States | 0.1560
RT_STRING | 0x316a40 | 0x67a | data | English | United States | 0.1689
RT_STRING | 0x3170c0 | 0x63a | data | English | United States | 0.1870
RT_STRING | 0x317700 | 0x61c | data | English | United States | 0.2078
RT_STRING | 0x317d20 | 0x4d0 | data | English | United States | 0.2987
RT_STRING | 0x3181f0 | 0x246 | Matlab v4 mat-file (little endian) T, numeric, rows 0, columns 0 | English | United States | 0.3729
RT_STRING | 0x318438 | 0x54a | data | English | United States | 0.1344
RT_STRING | 0x318988 | 0x1ea | data | English | United States | 0.2980
RT_STRING | 0x318b78 | 0x3bc | data | English | United States | 0.2113
RT_STRING | 0x318f38 | 0x4ae | data | English | United States | 0.1962
RT_STRING | 0x3193e8 | 0x372 | data | English | United States | 0.2630
RT_STRING | 0x319760 | 0x92 | data | English | United States | 0.6370
RT_STRING | 0x3197f8 | 0x128 | data | English | United States | 0.4595
RT_STRING | 0x319920 | 0x1ac | data | English | United States | 0.3131
RT_STRING | 0x319ad0 | 0x34c | data | English | United States | 0.2287
RT_STRING | 0x319e20 | 0x2fc | data | English | United States | 0.2291
RT_STRING | 0x31a120 | 0x3bc | data | English | United States | 0.2228
RT_STRING | 0x31a4e0 | 0x302 | data | English | United States | 0.3013
RT_STRING | 0x31a7e8 | 0x320 | data | English | United States | 0.2013
RT_STRING | 0x31ab08 | 0x284 | data | English | United States | 0.2531
RT_STRING | 0x31ad90 | 0x38e | data | English | United States | 0.1912
RT_STRING | 0x31b120 | 0x234 | data | English | United States | 0.2695
RT_STRING | 0x31b358 | 0x364 | data | English | United States | 0.2673
RT_STRING | 0x31b6c0 | 0x292 | data | English | United States | 0.2629
RT_STRING | 0x31b958 | 0xf6 | data | English | United States | 0.5691
RT_STRING | 0x31ba50 | 0x544 | data | English | United States | 0.3153
RT_MESSAGETABLE | 0x281a30 | 0x2d564 | data | English | United States | 0.1704
RT_VERSION | 0x2816b0 | 0x380 | data | English | United States | 0.4699
DLL | Imports
ntoskrnl.exe | ExReInitializeRundownProtection, ExUnregisterExtension, RtlUnicodeStringToInteger, RtlIpv6AddressToStringW, RtlIpv4AddressToStringW, RtlQueryRegistryValuesEx, ZwEnumerateKey, RtlNtStatusToDosError, KeSetCoalescableTimer, ZwNotifyChangeKey, RtlEnumerateGenericTableLikeADirectory, RtlCreateHashTableEx, RtlIpv4AddressToStringExW, RtlIpv6AddressToStringExW, qsort, ExAcquireRundownProtectionCacheAwareEx, ExReleaseRundownProtectionCacheAwareEx, PsIsThreadTerminating, KeFreeCalloutStack, KeAllocateCalloutStack, MmUserProbeAddress, MmUnlockPages, DbgPrintEx, MmLockPagableDataSection, MmProbeAndLockPages, strnlen, strcpy_s, _stricmp, RtlInitializeBitMap, wcsncmp, RtlWriteRegistryValue, ExAcquireRundownProtectionEx, ExReleaseRundownProtectionEx, RtlUnicodeStringToAnsiString, RtlInitAnsiString, KeQueryMaximumGroupCount, RtlCopyBitMap, RtlIntersectBitMaps, RtlNumberOfSetBits, KeQueryLogicalProcessorRelationship, MmUnlockPagableImageSection, RtlFindMostSignificantBit, KeGetProcessorIndexFromNumber, RtlSetGroupSecurityDescriptor, RtlCopyUnicodeString, ZwQuerySecurityAttributesToken, SeQuerySecurityAttributesTokenAccessInformation, SeCaptureSubjectContext, ExReleaseSpinLockExclusive, ExReleaseSpinLockShared, ExAcquireSpinLockShared, ExAcquireSpinLockExclusive, ExUnsubscribeWnfStateChange, ExSubscribeWnfStateChange, ExSetTimer, ExDeleteTimer, ExAllocateTimer, ExTryAcquirePushLockExclusiveEx, ExReleaseSpinLockSharedFromDpcLevel, ExQueueWorkItem, ExAcquireSpinLockSharedAtDpcLevel, ExReleasePushLockSharedEx, ExAcquirePushLockSharedEx, RtlAppendUnicodeStringToString, RtlAppendUnicodeToString, IoQueryFullDriverPath, RtlFreeAnsiString, DbgkWerCaptureLiveKernelDump, IoReuseIrp, ExpInterlockedFlushSList, ExpInterlockedPushEntrySList, InitializeSListHead, ExAcquireSpinLockExclusiveAtDpcLevel, ExReleaseSpinLockExclusiveFromDpcLevel, IoFreeIrp, IoAllocateIrp, PcwRegister, RtlCompareMemory, RtlStringFromGUID, ExRegisterExtension, RtlInt64ToUnicodeString, 
ExFreeToNPagedLookasideList, ExAllocateFromNPagedLookasideList, ExReleasePushLockExclusiveEx, ExAcquirePushLockExclusiveEx, ExDeleteNPagedLookasideList, ExInitializeNPagedLookasideList, RtlGetPersistedStateLocation, RtlFreeUnicodeString, RtlConvertSidToUnicodeString, PsGetCurrentProcessId, RtlValidSid, PsGetEffectiveContainerId, CmUnregisterMachineHiveLoadedNotification, CmRegisterMachineHiveLoadedNotification, RtlGetDaclSecurityDescriptor, RtlSetOwnerSecurityDescriptor, RtlMapGenericMask, ObSetSecurityObjectByPointer, PsSetCreateProcessNotifyRoutineEx2, ZwCreateFile, SeLocateProcessImageName, RtlDowncaseUnicodeString, InitSafeBootMode, KeUnstackDetachProcess, ZwDuplicateToken, KeStackAttachProcess, ZwOpenProcess, IofCompleteRequest, IoDeleteSymbolicLink, IoCreateSymbolicLink, wcsnlen, RtlQueryPackageIdentity, PsQueryProcessAttributesByToken, RtlCompareUnicodeString, SeQuerySecurityAttributesToken, SeSecurityAttributePresent, RtlSubAuthorityCountSid, SeQueryInformationToken, SeTokenFromAccessInformation, PsCreateSystemThread, _vsnwprintf, ZwCreateEvent, ZwWaitForSingleObject, PsDereferencePrimaryToken, ObCloseHandle, ZwQueryInformationToken, ObOpenObjectByPointer, PsReferencePrimaryToken, RtlCopySid, SeSrpAccessCheck, RtlLengthSecurityDescriptor, KeSetTimer, KeInitializeTimer, RtlAddAccessAllowedAce, RtlSubAuthoritySid, RtlInitializeSid, RtlLengthRequiredSid, SeAccessCheckFromState, ExAllocatePoolWithQuotaTag, ExUuidCreate, _wcsicmp, wcschr, RtlIpv6StringToAddressW, RtlIpv4StringToAddressW, ExGetPreviousMode, KeQueryInterruptTimePrecise, PsGetProcessSessionId, KeDelayExecutionThread, MmIsVerifierEnabled, KeInsertQueueDpc, IoUninitializeWorkItem, IoInitializeWorkItem, IoSizeofWorkItem, SeReportSecurityEventWithSubCategory, SeSetAuditParameter, KeGetCurrentNodeNumber, KeQueryHighestNodeNumber, RtlEqualSid, KeQueryTimeIncrement, MmBadPointer, MmSizeOfMdl, MmUnmapLockedPages, RtlVerifyVersionInfo, VerSetConditionMask, RtlNotifyFeatureUsage, RtlRbInsertNodeEx, 
RtlRbRemoveNode, ObLogSecurityDescriptor, RtlSetDaclSecurityDescriptor, RtlAddAccessAllowedAceEx, RtlCreateAcl, RtlLengthSid, SeExports, RtlCreateSecurityDescriptor, RtlContractHashTable, RtlExpandHashTable, KeInitializeSemaphore, ExSetTimerResolution, KeFlushQueuedDpcs, ExGetCurrentProcessorCounts, KeCancelTimer, KeSetTimerEx, KeQueryUnbiasedInterruptTime, KeInitializeTimerEx, KeSetTargetProcessorDpcEx, KeGetProcessorNumberFromIndex, KeInitializeDpc, KeExpandKernelStackAndCalloutEx, ExRundownCompleted, ExWaitForRundownProtectionRelease, ExInitializeRundownProtection, MmBuildMdlForNonPagedPool, ExAllocatePoolWithTag, RtlEndEnumerationHashTable, RtlEnumerateEntryHashTable, RtlInitEnumerationHashTable, RtlInitializeGenericTableAvl, PsGetProcessImageFileName, IoFileObjectType, PsGetThreadId, RtlLookupElementGenericTableFullAvl, KeIsExecutingDpc, ExReleaseRundownProtection, ExAcquireRundownProtection, ExNotifyCallback, ObfReferenceObject, EtwWrite, KeShouldYieldProcessor, IoBuildPartialMdl, IoAllocateMdl, MmMapLockedPagesSpecifyCache, IoFreeMdl, KeBugCheckEx, KeReleaseSemaphore, ObReferenceSecurityDescriptor, ExReleaseFastMutex, ExAcquireFastMutex, ExReleaseRundownProtectionCacheAware, ExAcquireRundownProtectionCacheAware, ExFreeCacheAwareRundownProtection, ExAllocateCacheAwareRundownProtection, ExWaitForRundownProtectionReleaseCacheAware, ExReInitializeRundownProtectionCacheAware, RtlValidSecurityDescriptor, ZwQuerySystemInformation, KeQuerySystemTimePrecise, RtlTimeToTimeFields, ExSystemTimeToLocalTime, RtlEndWeakEnumerationHashTable, RtlWeaklyEnumerateEntryHashTable, RtlInitWeakEnumerationHashTable, KeAcquireSpinLockAtDpcLevel, RtlEndStrongEnumerationHashTable, RtlStronglyEnumerateEntryHashTable, RtlInitStrongEnumerationHashTable, KeReleaseSpinLockFromDpcLevel, KeGetRecommendedSharedDataAlignment, KeBugCheck, RtlClearBits, RtlAreBitsClear, RtlFindSetBits, IoQueueWorkItem, IoAllocateWorkItem, IoFreeWorkItem, RtlClearBit, RtlTestBit, RtlFindClearBits, 
IoWriteErrorLogEntry, IoAllocateErrorLogEntry, ExAcquireResourceSharedLite, RtlSetBits, ExDeleteResourceLite, RtlSetBit, RtlClearAllBits, ExInitializeResourceLite, PsGetProcessStartKey, PsGetProcessSequenceNumber, KeLeaveCriticalRegion, ExReleaseResourceLite, ExAcquireResourceExclusiveLite, KeReleaseInStackQueuedSpinLockFromDpcLevel, KeAcquireInStackQueuedSpinLock, KeAcquireInStackQueuedSpinLockAtDpcLevel, KeTestSpinLock, KfRaiseIrql, ExFreePoolWithTag, KeLowerIrql, ExAllocatePool2, RtlPrefixUnicodeString, KeInitializeSpinLock, PsQueryProcessCommandLine, PsGetProcessId, KeReleaseInStackQueuedSpinLock, ZwOpenKey, KeQueryActiveProcessorCountEx, ZwClose, KeWaitForSingleObject, KeInitializeEvent, IoWMIRegistrationControl, ZwQueryValueKey, IofCallDriver, IoCreateDevice, EtwRegister, MmGetSystemRoutineAddress, PsGetCurrentProcess, EtwUnregister, RtlUnregisterFeatureConfigurationChangeNotification, RtlGetVersion, ObReferenceObjectByHandle, EtwWriteTransfer, RtlQueryFeatureConfigurationChangeStamp, KeReleaseMutex, IoGetDeviceObjectPointer, IoBuildDeviceIoControlRequest, IoDeleteDevice, RtlInitUnicodeString, ObfDereferenceObject, KeInitializeMutex, KeEnterCriticalRegion, ObDereferenceSecurityDescriptor, SeReleaseSubjectContext, SeUnlockSubjectContext, SeOpenObjectAuditAlarmForNonObObject, IoGetFileObjectGenericMapping, SeAccessCheck, SeLockSubjectContext, SeCaptureSubjectContextEx, RtlDeleteHashTable, RtlCreateHashTable, RtlRemoveEntryHashTable, RtlInsertEntryHashTable, RtlGetNextEntryHashTable, RtlLookupEntryHashTable, KeAcquireSpinLockRaiseToDpc, ExFreeToLookasideListEx, KeReleaseSpinLock, ExAllocateFromLookasideListEx, ExDeleteLookasideListEx, ExAllocatePool3, ExInitializeLookasideListEx, KeGetCurrentProcessorNumberEx, KeQueryDpcWatchdogInformation, IoIs32bitProcess, PsGetThreadProcess, PsGetThreadTeb, KeGetCurrentIrql, __C_specific_handler, KeSetEvent, KeQueryMaximumProcessorCountEx, PcwAddInstance, PcwUnregister, PoRegisterPowerSettingCallback, ExRegisterCallback, 
ExCreateCallback, PoUnregisterPowerSettingCallback, ExUnregisterCallback, KeIsAttachedProcess, __chkstk, EtwSetInformation, RtlQueryFeatureConfiguration, RtlRegisterFeatureConfigurationChangeNotification, ZwQueryLicenseValue, KeReadStateEvent, IoQueueWorkItemEx, ZwOpenEvent, wcscmp
NETIO.SYS | NetioUnInitializeNetBufferListLibrary, NetioSetTriageBlock, NetioRegisterProcessorAddCallback, NetioUnRegisterProcessorAddCallback, NetioInitializeNetBufferListLibrary, RtlInvokeStartRoutines, RtlInvokeStopRoutines, NetioAllocateAndInitializeStackBlock, NetioFreeStackBlock, NetioStackBlockProcessorAddHandler, WfpNblInfoGet, WfpStartStreamShim, WfpStopStreamShim, NetioAllocateMdl, NetioDereferenceNetBufferList, KfdIsLayerEmpty, WfpStreamEndpointCleanupBegin, WfpStreamInspectSend, WfpStreamInspectDisconnect, WfpStreamInspectReceive, WfpStreamInspectRemoteDisconnect, NetioInsertWorkQueue, KfdRegisterRscIncompatCalloutNotify, KfdRegisterUsoIncompatCalloutNotify, KfdRegisterUroIncompatCalloutNotify, NetioInitializeWorkQueue, NetioNcmSignalNcContextWorkQueueRoutine, NetioNcmInitializeState, NetioNcmCleanupState, NetioShutdownWorkQueue, RtlCompute37Hash, NsiAllocateAndGetTable, NsiFreeTable, NetioNcmFastCheckIsAoAcCapable, NetioNcmQueryRtcPortRange, NetioNcmIsOwningProcessRtcApp, NetioNcmQueryRtcPortHint, NetioNcmStoreRtcPortHint, NsiReferenceDefaultObjectSecurity, NmrRegisterProvider, NmrDeregisterProvider, NmrWaitForProviderDeregisterComplete, NsiGetAllParameters, NmrRegisterClient, NmrDeregisterClient, NmrWaitForClientDeregisterComplete, NmrClientDetachProviderComplete, NmrClientAttachProvider, NmrProviderDetachClientComplete, NetioNcmGetAllNotificationChannelContextParameters, NetioNcmNotificationChannelContextRequest, NetioOpenKey, NetioQueryValueKey, NetioCloseKey, NetioRegSyncDefaultChangeHandler, NetioRegSyncInterface, NetioNcmHandlePatternEviction, NetioNcmStoreRtcPortRange, RtlInitializeToeplitzHash, RtlCleanupToeplitzHash, NetioAllocateNetBufferMdlAndDataPool, NetioAllocateNetBufferListNetBufferMdlAndDataPool, NetioFreeNetBufferMdlAndDataPool, NetioFreeNetBufferListNetBufferMdlAndDataPool, NetioNcmFastActiveReferenceRequest, RtlIndicateTimerWheelEntryTimerStart, RtlResumeTimerWheel, RtlIsTimerWheelSuspended, NetioFreeMdl, NetioFreeNetBufferList, 
NetioExtendNetBuffer, NetioNrtIsPktTaggingEnabled, NetioAllocateAndReferenceNetBufferListNetBufferMdlAndData, NetioAllocateNetBufferMdlAndData, NetioDereferenceNetBufferListChain, NetioFreeNetBuffer, NetioNcmTlObjectRequest, NetioNrtDisassociateContext, RtlComputeToeplitzHash, NetioNcmPatternCoalescingRequired, NetioNcmNotifyRedirectOnInterface, KfdIsTfoIncompatibleFilterPresent, NetioNrtAssociateContext, RtlInsertElementGenericTableBasicAvl, RtlDeleteElementGenericTableBasicAvl, RtlInitializeTimerWheelEntry, NetioNrtIsTrackerDevice, RtlSuspendTimerWheel, RtlGetNextExpirationTimerWheelTick, RtlCleanupTimerWheelEntry, RtlUpdateCurrentTimerWheelTick, RtlGetNextExpiredTimerWheelEntry, RtlReturnTimerWheelEntry, RtlCopyMdlToMdlIndirect, NetioAdvanceToLocationInNetBuffer, TlDefaultRequestQueryDispatch, TlDefaultRequestMessage, TlDefaultRequestQueryDispatchEndpoint, NetioAllocateOpaquePerProcessorContext, NetioFreeOpaquePerProcessorContext, RtlCleanupTimerWheel, RtlInitializeTimerWheel, RtlInitializeTimerWheelEnumeration, RtlEnumerateNextTimerWheelEntry, RtlEndTimerWheelEnumeration, RtlCopyMdlToBuffer, NetioFreeNetBufferAndNetBufferList, RtlCopyBufferToMdl, NetioAllocateAndReferenceNetBufferAndNetBufferList, NetioCopyNetBufferListInformation, NetioCompleteCopyNetBufferListChain, NetioAllocateAndReferenceCopyNetBufferListEx, TlDefaultRequestListen, TlDefaultRequestConnect, TlDefaultRequestCancel, NetioReferenceNetBufferList, TlDefaultRequestIoControl, NetioAdvanceNetBufferList, NetioPhIsIcmpErrorForIcmpMessage, FeGetWfpGlobalPtr, FwppStreamInject, FwppStreamContinue, FwppCopyStreamDataToBuffer, FwppAdvanceStreamDataPastOffset, FwppTruncateStreamDataAfterOffset, FwppDiscardClonedStreamData, WfpNblInfoDispatchTableSet, NsiGetParameterEx, KfdRegisterLayerEventNotify, WfpNblInfoDispatchTableClear, KfdSetWfpPerProcContextPtr, IPsecGwDispatchTableInit, KfdDeregisterLayerEventNotify, KfdAleAcquireFlowHandleForFlow, KfdClassify, KfdAleReleaseFlowHandleForFlow, 
KfdCheckClassifyNeededAndUpdateEpoch, NetioRetreatNetBufferList, KfdReleaseCachedFilters, KfdClassify2, NetioFreeCloneNetBufferList, NetioAllocateAndReferenceCloneNetBufferListEx, KfdReleaseTerminatingFilters, KfdIsV4OutTransportFastEmpty, KfdIsV6OutTransportFastEmpty, KfdIsV4InTransportFastEmpty, KfdIsV6InTransportFastEmpty, FeCopyIncomingValues, KfdDirectClassify, KfdIsLsoOffloadPossibleV4, KfdIsLsoOffloadPossibleV6, KfdGetOffloadEpoch, KfdCheckOffloadFastLayers, KfdDiagnoseEvent, KfdAuditEvent, NetioLookupvSwitchForwardFlow, NetioRefreshFlow, NetioCreatevSwitchForwardFlow, NetioReleaseFlow, NetioLookupForwardFlow, NetioCreateForwardFlow, WfpNblInfoClearFlags, WfpNblInfoSetFlags, NetioFlowAssociateContext, NetioFlowRetrieveContext, NetioFlowRemoveContext, NetioInitializeFlowsManager, NetioUnInitializeFlowsManager, KfdAleInitializeFlowHandles, KfdAleUninitializeFlowHandles, KfdAleNotifyFlowDeletion, FwppStreamDeleteDpcQueue, NetioNrtDereferenceRecord, WfpCalloutDiagTraceConnectRedirectClassify, FeReleaseCalloutContextList, NsiSetAllParameters, KfdAleAcquireEndpointContextFromFlow, WfpCalloutDiagTraceQueryConnectionRedirectState, KfdBfeEngineAccessCheck, NetioNrtReferenceRecord, WfpStreamIsFilterPresent, NetioNrtIsProxyInRecord, NetioNrtIsIpInRecord, NetioNrtWppLogRecord, WfpCalloutDiagTraceSetRedirectRecords, KfdToggleFilterActivation, KfdEnumLayer, KfdGetNextFilter, KfdDerefFilterContext, KfdFreeEnumHandle, MatchCondition, KfdAleRemoveFlowContextTable, KfdAleInitializeFlowTable, WfpCalloutDiagTraceRedirectedAuthConnect, KfdGetLayerCountWithIndexType, FwppLogVpnEvent, WfpInitializeLeastRecentlyUsedList, WfpLruEntryDeferredCleanupRoutine, KfdGetLayerCacheEpoch, WfpUninitializeLeastRecentlyUsedList, WfpProcessLruEntryCleanup, WfpLruQueueLruCleanupWorkItemForContext, WfpRemoveEntryLru, WfpInsertEntryLru, KfdFindFilterById, KfdReleaseFilterContext, KfdGetLayerActionFromEnumTemplate, KfdCheckAndCacheConnectBypass, KfdQueueLruCleanupWorkItem, KfdCheckConnectBypass, 
KfdCheckAndCacheAcceptBypass, KfdCheckAcceptBypass, KfdIsDiagnoseEventEnabled, NetioParseIpFieldsFromNetBuffer, NsiRegisterChangeNotificationEx, WskDeregister, WskRegister, WskReleaseProviderNPI, WskCaptureProviderNPI, NsiDeregisterChangeNotification, NsiRegisterChangeNotification, NetioPhCreateArpPacket, NetioInitializeNetBufferListContext, NetioInitializeNetBufferListAndFirstNetBufferContext, NetioNcmTrackIsLegitimateWake, NetioNcmStoreBaseSupportedSlots, NetioPhAllocatePacket, NetioPhCreateNaPacket, NetioPhGetNdLinkLayerOptionAddress, NetioPhParseIpv6TlvNdOption, NetioCompleteNetBufferListChain, WfpTransferReassemblyContextForFragments, WfpTransferReassemblyContextUponCompletion, NetioAllocateAndReferenceFragmentNetBufferList, WfpSetConfigureParametersDecodeHelper, WfpNrptTriggerDecodeHelper, WfpSetDisconnectDecodeHelper, WfpSetVpnTriggerSecurityDescriptorDecodeHelper, WfpSetVpnTriggerFilePathsDecodeHelper, WfpDecodedBufferFreeHelper, WfpSetVpnTriggerSidsDecodeHelper, IoctlKfdSetBfeEngineSd, IoctlKfdResetState, IoctlKfdQueryLayerStatistics, IoctlKfdAbortTransaction, IoctlKfdCommitTransaction, IoctlKfdDeleteCache, IoctlKfdAddCache, IoctlKfdBatchUpdate, IoctlKfdDeleteIndex, IoctlKfdAddIndex, SetWfpDeviceObject, NetioGetStatsForQoSFlow, NetioDeleteQoSFlow, NetioCreateQoSFlow, NetioAssociateQoSFlowWithNbl, NetioPdcActivateNetwork, FwpmEventProviderFireNetEvent0, FwpmEventProviderIsNetEventTypeEnabled0, FwpmEventProviderDestroy0, FwpmEventProviderCreate0, KfdIsActiveCallout, WfpNblInfoCleanup, KfdAleUpdateEndpointContextStatus, WfpNblInfoAlloc, WfpPacketTagCountIncrement, WfpNblInfoDestroyIfUnused, NetioAllocateAndReferenceNetBufferList, NetioAllocateNetBuffer, WfpFreeReassemblyContext, WfpCreateReassemblyContext, NetioNcmActiveReferenceRequest, NetioInitializeNetBufferListContextPrimitive, NetioCompleteNetBufferAndNetBufferListChain, NetioPhClampMssOnIpPkt, NsiSetParameter, PtGetNumNodes, PtCreateTable, PtDestroyTable, NetioNrtGetIfIndex, 
NetioQueryNetBufferListTrafficClass, RtlCopyMdlToMdl, NetioPhChecksumIpDatagramWithInitialChecksum, NetioPhComputePseudoHeaderChecksum, NetioAllocateAndReferenceVacantNetBufferListEx, WfpNblInfoSet, NetioExpandNetBuffer, NetioUpdateNetBufferListContext, NetioCompleteCloneNetBufferListChain, NetioAllocateAndReferenceVacantNetBufferList, NetioAllocateAndReferenceCloneNetBufferList, PtGetNextShorterMatch, PtGetLongestMatch, PtGetKey, PtDeleteEntry, PtInsertEntry, PtGetExactMatch, PtSetData, PtGetData, PtEnumOverTable, NsiSetObjectSecurity, NsiResetPersistentSetting, NsiGetParameter
NDIS.SYS: NdisCloseNDKAdapter, NdisOpenNDKAdapter, NdisCancelDirectOidRequest, NdisDirectOidRequest, NdisOidRequest, NdisIfDeregisterInterface, NdisIfRegisterInterface, NdisIfAllocateNetLuidIndex, NdisIfDeregisterProvider, NdisIfFreeNetLuidIndex, NdisIfRegisterProvider, NdisSetThreadObjectCompartmentId, NdisSendNetBufferLists, NdisReturnNetBufferLists, NdisCancelSendNetBufferLists, NdisConvertNdisStatusToNtStatus, NdisIfQueryBindingIfIndex, NdisGetRssProcessorInformation, NdisAllocateFragmentNetBufferList, NdisCloseAdapterEx, NdisCompleteNetPnPEvent, NdisRegisterProtocolDriver, NdisDeregisterProtocolDriver, NdisAllocateNetBufferListContext, NdisAllocateCloneNetBufferList, NdisFreeCloneNetBufferList, NdisFreeNetBufferListPool, NdisAllocateNetBufferListPool, NdisGetThreadObjectCompartmentScope, NdisFreeRWLock, NdisAllocateRWLock, NdisFreeGenericObject, NdisAllocateGenericObject, NdisGetSessionToCompartmentMappingEpochAndZero, NdisAcquireRWLockRead, NdisAcquireRWLockWrite, NdisReleaseRWLock, NdisFreeFragmentNetBufferList, NdisCopyReceiveNetBufferListInfo, NdisCopySendNetBufferListInfo, NdisAdvanceNetBufferListDataStart, NdisOpenAdapterEx, NdisFreeNetBufferListContext, NdisGetDataBuffer, NdisFreeNetBufferList, NdisGetProcessObjectCompartmentId, NdisAdjustNetBufferCurrentMdl, NdisGetThreadObjectCompartmentId, NdisAdvanceNetBufferDataStart, NdisRetreatNetBufferDataStart
cng.sys: BCryptHashData, BCryptFinishHash, BCryptDestroyHash, BCryptDecrypt, BCryptGetProperty, BCryptCreateHash, BCryptHash, SystemPrng, BCryptDestroyKey, BCryptGenRandom, BCryptGenerateSymmetricKey, BCryptEncrypt, BCryptOpenAlgorithmProvider, BCryptCloseAlgorithmProvider, BCryptSetProperty
FLTMGR.SYS: FltGetFileNameInformationUnsafe, FltReleaseFileNameInformation
fwpkclnt.sys: IPsecDriverInitiateAcquire, IPsecDriverExpire, IPsecDriverSaOffloaded, IPsecDriverProcessClearTextResponse, FwppBfeStateGetResetCount0, FwppDispatchDevCtl0, FwpsRequestEndpointDeleteNotification0, FwpsCancelEndpointDeleteNotification0, FwpsForceReclassifyLayer0, FwpsFreeNetBufferList0, FwpsReassembleForwardFragmentGroup0, FwppvSwitchFreeVmSwitchNblInfo, FwpsFreeCloneNetBufferList0, FwpsReleaseClassifyHandle0, FwpsApplyModifiedLayerData0, FwpsAcquireWritableLayerDataPointer0, FwpsAcquireClassifyHandle0, FwpsClassifyOptionSet0, FwpmBfeStateUnsubscribeChanges0, FwpmBfeStateSubscribeChangesWithoutDevice0, FwpsFlowAssociateContext0, FwpmEngineClose0, FwpmEngineOpen0, FwppVpnTriggerEventFire0, FwpmSecureSocketDeleteByKeyAsync0, FwpmSecureSocketAddAsync0, FwppvSwitchGetDestinationInterface, FwppvSwitchGetDestinationArray, FwppvSwitchCopyVmSwitchNblInfo, FwppDereferencevSwitchNblContext, FwppReferencevSwitchNblContext, FwpsInjectNetworkReceiveAsync0, FwppAllocateNetioCloneNetBufferList, FwpsNetBufferListRetrieveContext0, FwppGetvSwitchNblContext, FwppProcessorAddHandler, FwpsIPSecGetPacketListSecurityInformation, FwppNetBufferListAssociateContext, FwpsQueryPacketInjectionState0, FwpsInjectionHandleDestroy0, FwpsInjectionHandleCreate0, FwpsInjectTransportSendAsync1, FwpsConstructIpHeaderForTransportPacket0, FwpsAllocateCloneNetBufferList0, FwpsTcpIpDispatchTableAndGlobalsSet0, FwpsTcpIpDispatchTableClear0, FwppNetBufferListEventNotify, FwpsCalloutUnregisterByKey0, FwpsCalloutRegisterWithoutDevice0, FwpsProxiedEndpointUnRegisterForExitingEndpoint, FwpsProxiedEndpointClassifiableFieldGet, FwpsProxiedEndpointMetadataValueGet, FwpsProxiedEndpointRegisterForExitingEndpoint, FwpsProxiedEndpointWasRedirectedToProxy
HAL.dll: KeQueryPerformanceCounter
ksecdd.sys: AcquireCredentialsHandleW, FreeContextBuffer, InitializeSecurityContextW, AcceptSecurityContext, QuerySecurityContextToken, DeleteSecurityContext, FreeCredentialsHandle
msrpc.sys: NdrMesTypeEncode3, NdrMesTypeDecode3, RpcBindingUnbind, RpcBindingCreateW, RpcBindingFree, RpcBindingBind, I_RpcExceptionFilter, NdrClientCall3, MesDecodeBufferHandleCreate, MesHandleFree, MesEncodeDynBufferHandleCreate
Language of compilation system: English
Country where language is spoken: United States
No network behavior found
No statistics
No system behavior
No disassembly