d5e139be48e41657e9fa6f6d47fb191ac50a40573d8c767dab9cc0906f6fbd5b

Sharing

Copy URL Twitter E-mail

General

Target

d5e139be48e41657e9fa6f6d47fb191ac50a40573d8c767dab9cc0906f6fbd5b
Size

1.1MB
MD5

e17aa86977c6830c47000253fee4e6f6
SHA1

d2f12f0844a138024fec9a6b1f3735fc9df0c098
SHA256

d5e139be48e41657e9fa6f6d47fb191ac50a40573d8c767dab9cc0906f6fbd5b
SHA512

1420ef4125bf3146d608ccb34d170ea0845aa9c32bf63cd02ee66b4fe5e862ca8f023f3104cf5b0b31d63f99d5a326f39308390c57d7303c974affe84d795d1b
SSDEEP

24576:8UTatbACDzPC/rTxmj4EL24UmgtiL24UmgtmMgYt0/ZDV:8UWtcCDMlmj4EL24UnAL24UnLgbBDV

Score

3^/10

Malware Config

Signatures

Unsigned PE 6 IoCs

Checks for missing Authenticode signature.

resource
unpack001/sys/AntiRkX64_EV.sys
unpack001/sys/TAOAcceleratorEx64_ev.sys
unpack001/sys/TAOKernelEx64_ev.sys
unpack001/sys/TFsFltX64_ev.sys
unpack001/sys/nfwfp.sys
unpack001/sys/nvhda64v.sys

Files

d5e139be48e41657e9fa6f6d47fb191ac50a40573d8c767dab9cc0906f6fbd5b
.zip
sys/AntiRkX64_EV.sys
.sys windows x64

82911db998c2fa5c19cefc2f0d3a73b6

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

ExAllocatePoolWithTag
IoDeleteSymbolicLink
ExFreePoolWithTag
RtlInitUnicodeString
IoDeleteDevice
KeSetEvent
wcsncpy
IoCreateFile
KeInitializeEvent
RtlGetVersion
ObQueryNameString
IoFileObjectType
ZwQueryValueKey
IoGetCurrentProcess
InitSafeBootMode
ZwClose
IofCompleteRequest
ObReferenceObjectByHandle
KeWaitForSingleObject
IoCreateSymbolicLink
ObfDereferenceObject
IoCreateDevice
DbgPrint
ZwOpenKey
ExUnregisterCallback
PsProcessType
IoRegisterShutdownNotification
ZwQuerySystemInformation
RtlEqualUnicodeString
_wcslwr
wcsstr
IoRegisterBootDriverReinitialization
IoUnregisterShutdownNotification
_vsnwprintf
RtlPrefixUnicodeString
ExRegisterCallback
RtlCompareUnicodeString
ZwOpenProcess
ZwQueryInformationProcess
PsGetCurrentProcessId
ExCreateCallback
ZwEnumerateKey
IoGetStackLimits
ZwDeleteValueKey
ZwSetValueKey
ZwFlushKey
ZwDeleteKey
ZwDeleteFile
MmGetSystemRoutineAddress
IoGetDeviceObjectPointer
RtlCreateAcl
RtlSetDaclSecurityDescriptor
RtlAddAccessAllowedAce
ZwSetSecurityObject
SeExports
ObOpenObjectByPointer
RtlLengthSid
RtlCreateSecurityDescriptor
KeBugCheckEx
ZwReadFile
PsGetVersion
RtlCompareMemory
MmIsAddressValid
ZwQueryInformationFile
ObfReferenceObject
KeQueryTimeIncrement
__C_specific_handler

Sections

.text
Size: 28KB - Virtual size: 27KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1024B - Virtual size: 852B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 856B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 84B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
sys/TAOAcceleratorEx64_ev.sys
.sys windows x64

27c15652ab165e825304f96badc4375a

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

IoDeleteSymbolicLink
ExFreePoolWithTag
RtlInitUnicodeString
IoDeleteDevice
MmUserProbeAddress
wcsrchr
IoGetCurrentProcess
RtlPrefixUnicodeString
IofCompleteRequest
IoCreateSymbolicLink
PsGetCurrentProcessId
IoCreateDevice
DbgPrintEx
ExAllocatePoolWithTag
ExReleaseFastMutex
ExAcquireFastMutex
IoFileObjectType
ZwClose
RtlAppendUnicodeStringToString
ObReferenceObjectByHandle
MmPrefetchPages
ObfDereferenceObject
ZwCreateSection
ZwOpenFile
_wcsicmp
KeInitializeEvent
_vsnwprintf
KeReleaseInStackQueuedSpinLock
KeSetEvent
KeAcquireInStackQueuedSpinLock
KeDelayExecutionThread
PsCreateSystemThread
IoGetDeviceObjectPointer
PsTerminateSystemThread
InitSafeBootMode
_vsnprintf
PsThreadType
KeWaitForMultipleObjects
KeReleaseSpinLock
KeAcquireSpinLockRaiseToDpc
IoCsqInsertIrp
IoCsqInitialize
IoCsqRemoveNextIrp
ExGetPreviousMode
PsSetCreateProcessNotifyRoutine
KeWaitForSingleObject
ExQueueWorkItem
ZwCreateKey
PsLookupProcessByProcessId
_wcsnicmp
ZwMapViewOfSection
MmGetSystemRoutineAddress
IoCreateFile
ZwQueryObject
RtlGetVersion
ZwSetValueKey
ZwQuerySystemInformation
RtlImageDirectoryEntryToData
IoVolumeDeviceToDosName
ObQueryNameString
ZwQueryValueKey
ZwUnmapViewOfSection
PsGetVersion
ZwQueryInformationProcess
ObfReferenceObject
ZwTerminateProcess
ObOpenObjectByPointer
ZwOpenKey
KeBugCheckEx
RtlVolumeDeviceToDosName
IoGetRelatedDeviceObject
RtlCompareMemory
MmIsAddressValid
wcsstr
ZwQueryInformationFile
IoRegisterShutdownNotification
MmMapLockedPages
IoUnregisterShutdownNotification
PsGetCurrentThreadId
DbgPrint
_wcsupr
RtlCompareUnicodeString
CmRegisterCallback
CmUnRegisterCallback
SeSinglePrivilegeCheck
PsProcessType
ObOpenObjectByName
SeCreateAccessState
IoGetFileObjectGenericMapping
SeDeleteAccessState
PsLookupProcessThreadByCid
ZwDeleteValueKey
ZwDeleteKey
NtAllocateVirtualMemory
KeInitializeApc
KeInsertQueueApc
KeDetachProcess
ZwFreeVirtualMemory
ExEventObjectType
PsGetThreadProcess
KeAttachProcess
PsGetThreadProcessId
ExAllocatePoolWithQuotaTag
PsLookupThreadByThreadId
KeQueryTimeIncrement
__C_specific_handler

Sections

.text
Size: 67KB - Virtual size: 67KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGE
Size: 512B - Virtual size: 409B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 904B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 432B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
sys/TAOKernelEx64_ev.sys
.sys windows x64

738d5ef7ad73454452781bd89f203c2a

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

RtlInsertElementGenericTableAvl
KeReleaseSpinLock
RtlInitializeGenericTableAvl
RtlLookupElementGenericTableAvl
RtlEnumerateGenericTableWithoutSplayingAvl
KeAcquireSpinLockRaiseToDpc
PsGetCurrentProcessId
KeSetEvent
KeInitializeEvent
KeInitializeDpc
ZwQuerySystemInformation
IoFreeMdl
KeInitializeTimer
PsTerminateSystemThread
KeWaitForSingleObject
IoFreeIrp
KeSetTimer
ExInterlockedRemoveHeadList
KeCancelTimer
RtlCompareMemory
RtlNumberGenericTableElements
RtlDeleteElementGenericTable
RtlEnumerateGenericTableWithoutSplaying
RtlInitializeGenericTable
ExInterlockedInsertHeadList
ExInterlockedInsertTailList
MmIsAddressValid
ExAcquireResourceExclusiveLite
IoThreadToProcess
KeReadStateEvent
KeLeaveCriticalRegion
PsIsSystemThread
ProbeForWrite
PsSetCreateProcessNotifyRoutine
KeUnstackDetachProcess
KeEnterCriticalRegion
ExSemaphoreObjectType
MmUserProbeAddress
MmMapLockedPagesSpecifyCache
IoGetDeviceObjectPointer
ExAcquireResourceSharedLite
ExEventObjectType
ExReleaseResourceLite
MmProbeAndLockPages
KeReleaseSemaphore
MmUnlockPages
ExDeleteResourceLite
ExInitializeResourceLite
RtlDeleteElementGenericTableAvl
KeStackAttachProcess
IoAllocateMdl
PsGetProcessPeb
ProbeForRead
KeDelayExecutionThread
ObQueryNameString
IoFileObjectType
ZwCreateFile
ZwQueryValueKey
ZwQueryDirectoryFile
PsThreadType
ZwOpenProcess
ZwQueryInformationProcess
IoCreateSymbolicLink
ZwOpenFile
IoQueryFileDosDeviceName
ObOpenObjectByPointer
ZwOpenKey
PsProcessType
KeResetEvent
ZwReadFile
ZwMapViewOfSection
ZwUnmapViewOfSection
ExAllocatePool
RtlAppendUnicodeStringToString
MmPrefetchPages
ZwCreateSection
ZwCreateKey
_wcsnicmp
IoCreateFile
ZwSetValueKey
KeBugCheckEx
ObReferenceObjectByHandle
ZwClose
PsCreateSystemThread
IofCallDriver
ExDeleteNPagedLookasideList
PsGetVersion
IofCompleteRequest
IoGetCurrentProcess
MmGetSystemRoutineAddress
ExInitializeNPagedLookasideList
IoDeleteSymbolicLink
DbgPrint
DbgPrintEx
IoCreateDevice
ObfDereferenceObject
KeAcquireInStackQueuedSpinLock
IoDeleteDevice
RtlInitUnicodeString
PsLookupProcessByProcessId
PsGetProcessImageFileName
KeReleaseInStackQueuedSpinLock
ExFreePoolWithTag
PsGetProcessId
ExAllocatePoolWithTag
RtlVolumeDeviceToDosName
IoGetRelatedDeviceObject
ZwQueryInformationFile
KeQueryTimeIncrement
__C_specific_handler

fwpkclnt.sys

FwpsInjectionHandleDestroy0
FwpsInjectionHandleCreate0
FwpsDereferenceNetBufferList0
FwpsAllocateCloneNetBufferList0
FwpsReferenceNetBufferList0
FwpsInjectTransportSendAsync1
FwpmBfeStateSubscribeChanges0
FwpmBfeStateGet0
FwpsCalloutUnregisterById0
FwpmSubLayerAdd0
FwpsQueryPacketInjectionState0
FwpmCalloutDeleteById0
FwpmSubLayerDeleteByKey0
FwpmTransactionCommit0
FwpmCalloutAdd0
FwpmTransactionAbort0
FwpmEngineOpen0
FwpmFilterAdd0
FwpsCalloutRegister1
FwpmTransactionBegin0
FwpmEngineClose0
FwpmFilterDeleteById0
FwpsFreeCloneNetBufferList0

Sections

.text
Size: 65KB - Virtual size: 65KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 960B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 36B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
sys/TFsFltX64_ev.sys
.sys windows x64

0930eeaa7b3d7b8c0b5cd44e8ed912ec

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

RtlEqualUnicodeString
ZwOpenSymbolicLinkObject
IoVolumeDeviceToDosName
ObQueryNameString
ZwQueryVolumeInformationFile
ZwQueryInformationFile
IofCallDriver
MmGetSystemRoutineAddress
_strnicmp
RtlInitAnsiString
ZwQuerySystemInformation
RtlImageDirectoryEntryToData
RtlRandomEx
strrchr
ExInitializeNPagedLookasideList
ExpInterlockedPushEntrySList
KeReleaseSpinLock
ExpInterlockedPopEntrySList
ExQueryDepthSList
ExDeleteNPagedLookasideList
KeAcquireSpinLockRaiseToDpc
ZwCreateFile
KeQueryTimeIncrement
IofCompleteRequest
IoCreateSymbolicLink
IoCreateDevice
ExSystemTimeToLocalTime
_wcsnicmp
DbgPrint
PsLookupProcessByProcessId
PsSetCreateProcessNotifyRoutine
ZwQueryValueKey
RtlPrefixUnicodeString
RtlCompareUnicodeString
PsCreateSystemThread
PsTerminateSystemThread
PsThreadType
ZwWriteFile
ProbeForRead
KeRemoveQueue
KeRundownQueue
KeSetPriorityThread
KeSetBasePriorityThread
MmQuerySystemSize
KeBugCheckEx
KeInitializeQueue
MmIsThisAnNtAsSystem
KeWaitForMultipleObjects
KeInsertQueue
ZwReadFile
_vsnwprintf
KeSetTimer
ObfReferenceObject
PsGetCurrentThreadId
KeInitializeTimerEx
RtlUpcaseUnicodeString
FsRtlIsNameInExpression
IoGetStackLimits
ZwQuerySymbolicLinkObject
IoBuildDeviceIoControlRequest
KeInitializeEvent
ObOpenObjectByPointer
MmIsAddressValid
ZwQueryInformationProcess
IoCreateFile
IoGetRelatedDeviceObject
RtlVolumeDeviceToDosName
ZwOpenKey
FsRtlGetFileSize
PsGetProcessId
ExInitializeResourceLite
ObfDereferenceObject
RtlCopyUnicodeString
PsGetCurrentProcessId
IoGetTopLevelIrp
ExDeleteResourceLite
KeReadStateSemaphore
KeReleaseSemaphore
PsGetVersion
RtlFreeAnsiString
KeWaitForSingleObject
ObReferenceObjectByHandle
RtlAppendUnicodeStringToString
ZwClose
ExReleaseResourceLite
IoGetCurrentProcess
ExAcquireResourceSharedLite
IoGetDeviceObjectPointer
IoFileObjectType
KeEnterCriticalRegion
ZwSetValueKey
RtlUnicodeStringToAnsiString
RtlAppendUnicodeToString
ExGetPreviousMode
KeSetEvent
IoDeleteDevice
RtlInitUnicodeString
KeLeaveCriticalRegion
ExFreePoolWithTag
IoDeleteSymbolicLink
ZwCreateKey
ExAllocatePoolWithTag
IoThreadToProcess
RtlTimeToTimeFields
ExAcquireResourceExclusiveLite
RtlCompareMemory
PsGetProcessSectionBaseAddress
KeUnstackDetachProcess
KeStackAttachProcess
InitializeSListHead
ExAllocatePool
ExEventObjectType
__C_specific_handler

hal

KeQueryPerformanceCounter

fltmgr.sys

FltReleasePushLock
FltInitializePushLock
FltAcquirePushLockShared
FltDeletePushLock
FltSendMessage
FltReferenceFileNameInformation
FltAllocateCallbackData
FltPerformSynchronousIo
FltFreeCallbackData
FltGetStreamHandleContext
FltGetRoutineAddress
FltGetVolumeName
FltQueryInformationFile
FltQueryVolumeInformation
FltParseFileNameInformation
FltAllocateContext
FltSetStreamContext
FltClose
FltCreateFile
FltStartFiltering
FltReleaseFileNameInformation
FltRegisterFilter
FltBuildDefaultSecurityDescriptor
FltCloseCommunicationPort
FltUnregisterFilter
FltGetFileNameInformation
FltReleaseContext
FltIsDirectory
FltFreeSecurityDescriptor
FltGetDiskDeviceObject
FltSetInstanceContext
FltCreateCommunicationPort
FltCloseClientPort
FltCancelFileOpen
FltReferenceContext
FltGetRequestorProcessId
FltSetStreamHandleContext
FltGetStreamContext
FltGetInstanceContext
FltGetRequestorProcess
FltAcquirePushLockExclusive

Sections

.text
Size: 58KB - Virtual size: 58KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 105KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGE
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 864B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 324B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
sys/hrdevmon.sys
.sys windows x64

116c2c0d6ac9b0c66b43920339437207

Code Sign

33:00:00:00:c5:e5:31:36:c3:d5:21:5a:0d:00:00:00:00:00:c5
Certificate

Issuer

CN=Microsoft Windows Third Party Component CA 2012,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

17/06/2021, 17:55

Not After

16/06/2022, 17:55

Subject

CN=Microsoft Windows Hardware Compatibility Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0b:aa:c1:00:00:00:00:00:09
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

18/04/2012, 23:48

Not After

18/04/2027, 23:58

Subject

CN=Microsoft Windows Third Party Component CA 2012,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

84:21:6f:b8:3f:b6:22:5f:aa:7a:af:69:01:4c:0e:4a:aa:07:04:2d:00:a7:1e:04:54:b5:5c:bb:9e:c5:9a:b1
Signer

Actual PE Digest

84:21:6f:b8:3f:b6:22:5f:aa:7a:af:69:01:4c:0e:4a:aa:07:04:2d:00:a7:1e:04:54:b5:5c:bb:9e:c5:9a:b1

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

wcsrchr
_wcsicmp
RtlQueryRegistryValues
RtlInitUnicodeString
RtlCompareUnicodeString
RtlCompareMemory
KeInitializeEvent
KeWaitForSingleObject
ExAllocatePoolWithTag
ExFreePoolWithTag
MmMapLockedPagesSpecifyCache
IoGetBootDiskInformation
IoBuildSynchronousFsdRequest
IofCallDriver
IofCompleteRequest
IoCreateDevice
IoIsWdmVersionAvailable
IoDeleteDevice
IoDetachDevice
IoGetAttachedDeviceReference
IoGetCurrentProcess
IoInitializeRemoveLockEx
IoAcquireRemoveLockEx
IoReleaseRemoveLockEx
IoReleaseRemoveLockAndWaitEx
IoIs32bitProcess
IoGetDeviceProperty
PoCallDriver
PoStartNextPowerIrp
ObfDereferenceObject
RtlGetVersion
PsGetCurrentProcessId
PsGetCurrentThreadId
IoReadPartitionTableEx
IoAttachDeviceToDeviceStackSafe
IoGetRequestorProcessId
__C_specific_handler
MmUserProbeAddress

Sections

.text
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 156B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1024B - Virtual size: 540B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 1000B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
sys/hrdevmon_win10.sys
.sys windows x64

116c2c0d6ac9b0c66b43920339437207

Code Sign

0f:51:99:27:94:18:e8:e5:7e:86:59:dc:30:54:b8:30
Certificate

Issuer

CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

05/08/2019, 00:00

Not After

01/11/2022, 12:00

Subject

SERIALNUMBER=91110105MA005CH48R,CN=Beijing Huorong Network Technology Co.\, Ltd.,O=Beijing Huorong Network Technology Co.\, Ltd.,L=Beijing,ST=Beijing,C=CN,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.1=#13074265696a696e67,1.3.6.1.4.1.311.60.2.1.3=#1302434e

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5c
Certificate

Issuer

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

18/04/2012, 12:00

Not After

18/04/2027, 12:00

Subject

CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0a:7a:4a:88:9e:c9:99:42:90:06:63:38:4d:86:97:9d
Certificate

Issuer

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Not Before

29/03/2022, 00:00

Not After

14/03/2033, 23:59

Subject

CN=DigiCert Timestamp 2022 - 2,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

23/03/2022, 00:00

Not After

22/03/2037, 23:59

Subject

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:00:4e:59:56:10:83:2b:4e:0c:6c:00:00:00:00:00:4e
Certificate

Issuer

CN=Microsoft Windows Third Party Component CA 2014,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

09/09/2021, 19:16

Not After

01/09/2022, 19:16

Subject

CN=Microsoft Windows Hardware Compatibility Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

33:00:00:00:0d:69:0d:5d:78:93:d0:76:df:00:00:00:00:00:0d
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15/10/2014, 20:31

Not After

15/10/2029, 20:41

Subject

CN=Microsoft Windows Third Party Component CA 2014,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

84:21:6f:b8:3f:b6:22:5f:aa:7a:af:69:01:4c:0e:4a:aa:07:04:2d:00:a7:1e:04:54:b5:5c:bb:9e:c5:9a:b1
Signer

Actual PE Digest

84:21:6f:b8:3f:b6:22:5f:aa:7a:af:69:01:4c:0e:4a:aa:07:04:2d:00:a7:1e:04:54:b5:5c:bb:9e:c5:9a:b1

Digest Algorithm

sha256

PE Digest Matches

true

84:21:6f:b8:3f:b6:22:5f:aa:7a:af:69:01:4c:0e:4a:aa:07:04:2d:00:a7:1e:04:54:b5:5c:bb:9e:c5:9a:b1
Signer

Actual PE Digest

84:21:6f:b8:3f:b6:22:5f:aa:7a:af:69:01:4c:0e:4a:aa:07:04:2d:00:a7:1e:04:54:b5:5c:bb:9e:c5:9a:b1

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

wcsrchr
_wcsicmp
RtlQueryRegistryValues
RtlInitUnicodeString
RtlCompareUnicodeString
RtlCompareMemory
KeInitializeEvent
KeWaitForSingleObject
ExAllocatePoolWithTag
ExFreePoolWithTag
MmMapLockedPagesSpecifyCache
IoGetBootDiskInformation
IoBuildSynchronousFsdRequest
IofCallDriver
IofCompleteRequest
IoCreateDevice
IoIsWdmVersionAvailable
IoDeleteDevice
IoDetachDevice
IoGetAttachedDeviceReference
IoGetCurrentProcess
IoInitializeRemoveLockEx
IoAcquireRemoveLockEx
IoReleaseRemoveLockEx
IoReleaseRemoveLockAndWaitEx
IoIs32bitProcess
IoGetDeviceProperty
PoCallDriver
PoStartNextPowerIrp
ObfDereferenceObject
RtlGetVersion
PsGetCurrentProcessId
PsGetCurrentThreadId
IoReadPartitionTableEx
IoAttachDeviceToDeviceStackSafe
IoGetRequestorProcessId
__C_specific_handler
MmUserProbeAddress

Sections

.text
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 156B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1024B - Virtual size: 540B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 1000B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
sys/hrelam.sys
.sys windows x64

Code Sign

33:00:00:01:de:c6:82:15:09:5c:ff:17:c6:00:00:00:00:01:de
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

05/10/2017, 18:25

Not After

05/10/2018, 18:25

Subject

CN=Microsoft Windows Early Launch Anti-malware Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

c5:1b:54:8c:3b:f8:26:23:eb:b6:0a:3d:cf:ef:4b:fe:7d:8d:48:94:3b:1a:d9:cd:92:88:50:19:e0:7b:66:8f
Signer

Actual PE Digest

c5:1b:54:8c:3b:f8:26:23:eb:b6:0a:3d:cf:ef:4b:fe:7d:8d:48:94:3b:1a:d9:cd:92:88:50:19:e0:7b:66:8f

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

.text
Size: 512B - Virtual size: 225B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1024B - Virtual size: 680B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 512B - Virtual size: 72B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.gfids
Size: 512B - Virtual size: 4B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 512B - Virtual size: 89B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
sys/hrfwdrv.sys
.sys windows x64

fdeb08d8f6fc91ee71a61400610cc36f

Code Sign

33:00:00:00:f5:e8:77:3b:20:6b:1c:cd:61:00:00:00:00:00:f5
Certificate

Issuer

CN=Microsoft Windows Third Party Component CA 2012,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

12/01/2023, 19:14

Not After

15/12/2023, 19:14

Subject

CN=Microsoft Windows Hardware Compatibility Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0b:aa:c1:00:00:00:00:00:09
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

18/04/2012, 23:48

Not After

18/04/2027, 23:58

Subject

CN=Microsoft Windows Third Party Component CA 2012,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

7d:fb:cf:ba:18:b9:8f:81:16:dc:6d:18:04:26:49:83:26:c3:04:98:68:b8:2c:52:05:f1:03:c4:43:89:32:7c
Signer

Actual PE Digest

7d:fb:cf:ba:18:b9:8f:81:16:dc:6d:18:04:26:49:83:26:c3:04:98:68:b8:2c:52:05:f1:03:c4:43:89:32:7c

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

KeReleaseInStackQueuedSpinLock
_stricmp
_strnicmp
ExAllocatePoolWithTag
ExFreePoolWithTag
ExQueryDepthSList
ExpInterlockedPopEntrySList
ExpInterlockedPushEntrySList
ExInitializeNPagedLookasideList
RtlGetVersion
PsGetCurrentThreadId
RtlInitUnicodeString
RtlCompareUnicodeString
MmMapLockedPages
PsSetLoadImageNotifyRoutine
ZwQuerySystemInformation
MmProbeAndLockPages
MmUnlockPages
MmProtectMdlSystemAddress
MmMapLockedPagesSpecifyCache
MmUnmapLockedPages
IoAllocateMdl
KeAcquireInStackQueuedSpinLock
__C_specific_handler
IofCallDriver
IofCompleteRequest
IoCreateDevice
IoDeleteDevice
IoDetachDevice
IoGetDeviceObjectPointer
PoCallDriver
ObfDereferenceObject
IoAttachDeviceToDeviceStackSafe
KeInitializeEvent
KeSetEvent
KeDelayExecutionThread
KeWaitForSingleObject
PsCreateSystemThread
ObReferenceObjectByHandle
ZwClose
RtlCompareMemory
MmBuildMdlForNonPagedPool
IoBuildDeviceIoControlRequest
PsGetCurrentProcessId
NtBuildNumber
strstr
strncmp
strncpy
IoFreeMdl
strchr

tdi.sys

TdiMapUserRequest

ndis.sys

NdisGetVersion
NdisGetRoutineAddress

Sections

.text
Size: 95KB - Virtual size: 94KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 110KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 984B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 28B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
sys/hrwfpdrv.sys
.sys windows x64

75b756741d302d030ecb3afb6dfdbdd9

Code Sign

33:00:00:00:f3:15:8e:a5:7d:1c:55:9f:29:00:00:00:00:00:f3
Certificate

Issuer

CN=Microsoft Windows Third Party Component CA 2012,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

12/01/2023, 19:14

Not After

15/12/2023, 19:14

Subject

CN=Microsoft Windows Hardware Compatibility Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0b:aa:c1:00:00:00:00:00:09
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

18/04/2012, 23:48

Not After

18/04/2027, 23:58

Subject

CN=Microsoft Windows Third Party Component CA 2012,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

29/04/2021, 00:00

Not After

28/04/2036, 23:59

Subject

CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

04:01:96:51:84:2d:48:27:70:a0:7b:fb:2e:5d:12:a8
Certificate

Issuer

CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1,O=DigiCert\, Inc.,C=US

Not Before

24/08/2022, 00:00

Not After

01/11/2025, 23:59

Subject

SERIALNUMBER=91110105MA005CH48R,CN=Beijing Huorong Network Technology Co.\, Ltd.,O=Beijing Huorong Network Technology Co.\, Ltd.,ST=Beijing,C=CN,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.1=#13084368616f79616e67,1.3.6.1.4.1.311.60.2.1.2=#13074265696a696e67,1.3.6.1.4.1.311.60.2.1.3=#1302434e

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

0c:4d:69:72:4b:94:fa:3c:2a:4a:3d:29:07:80:3d:5a
Certificate

Issuer

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Not Before

21/09/2022, 00:00

Not After

21/11/2033, 23:59

Subject

CN=DigiCert Timestamp 2022 - 2,O=DigiCert,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

23/03/2022, 00:00

Not After

22/03/2037, 23:59

Subject

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/08/2022, 00:00

Not After

09/11/2031, 23:59

Subject

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

22:84:00:37:4e:44:41:64:4b:5c:7f:9f:18:a5:e1:57:ee:1b:ab:44:aa:a7:f7:43:5b:85:7e:dd:9c:e7:63:db
Signer

Actual PE Digest

22:84:00:37:4e:44:41:64:4b:5c:7f:9f:18:a5:e1:57:ee:1b:ab:44:aa:a7:f7:43:5b:85:7e:dd:9c:e7:63:db

Digest Algorithm

sha256

PE Digest Matches

true

22:84:00:37:4e:44:41:64:4b:5c:7f:9f:18:a5:e1:57:ee:1b:ab:44:aa:a7:f7:43:5b:85:7e:dd:9c:e7:63:db
Signer

Actual PE Digest

22:84:00:37:4e:44:41:64:4b:5c:7f:9f:18:a5:e1:57:ee:1b:ab:44:aa:a7:f7:43:5b:85:7e:dd:9c:e7:63:db

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

IofCompleteRequest
RtlInitUnicodeString
IoQueueWorkItem
IoAllocateWorkItem
IoFreeMdl
IoCreateDevice
IoAllocateMdl
MmMapLockedPagesSpecifyCache
MmBuildMdlForNonPagedPool
NtBuildNumber
ZwClose
ObReferenceObjectByHandle
PsCreateSystemThread
KeWaitForSingleObject
KeDelayExecutionThread
KeSetEvent
KeInitializeEvent
IoFreeWorkItem
ZwQuerySystemInformation
MmIsAddressValid
strrchr
PsGetCurrentThreadId
RtlGetVersion
ExInitializeNPagedLookasideList
ExpInterlockedPushEntrySList
ExpInterlockedPopEntrySList
ExQueryDepthSList
ExFreePoolWithTag
ExAllocatePoolWithTag
_strnicmp
_stricmp
KeReleaseInStackQueuedSpinLock
KeAcquireInStackQueuedSpinLock
strncmp
strstr
strncpy
strchr

ndis.sys

NdisAllocateGenericObject
NdisRetreatNetBufferDataStart
NdisAdvanceNetBufferDataStart
NdisGetDataBuffer
NdisAllocateNetBufferListPool

fwpkclnt.sys

FwpmTransactionBegin0
FwpmEngineClose0
FwpmEngineOpen0
FwpmBfeStateSubscribeChanges0
FwpsStreamContinue0
FwpsStreamInjectAsync0
FwpsQueryPacketInjectionState0
FwpsConstructIpHeaderForTransportPacket0
FwpsFreeNetBufferList0
FwpsAllocateNetBufferAndNetBufferList0
FwpsInjectionHandleCreate0
FwpmTransactionCommit0
FwpsAcquireWritableLayerDataPointer0
FwpsReleaseClassifyHandle0
FwpsAcquireClassifyHandle0
FwpsPendOperation0
FwpsGetPacketListSecurityInformation0
FwpsFlowAssociateContext0
FwpsCalloutRegister1
FwpsAllocateCloneNetBufferList0
FwpsInjectTransportReceiveAsync0
FwpsInjectTransportSendAsync0
FwpsFreeCloneNetBufferList0
FwpsCompleteOperation0
FwpmTransactionAbort0
FwpmProviderContextAdd0
FwpmSubLayerAdd0
FwpmCalloutAdd0
FwpsApplyModifiedLayerData0
FwpmFilterAdd0

Sections

.text
Size: 89KB - Virtual size: 88KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 106KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 992B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 232B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
sys/hrwfpdrv_win10.sys
.sys windows x64

75b756741d302d030ecb3afb6dfdbdd9

Code Sign

33:00:00:00:f3:15:8e:a5:7d:1c:55:9f:29:00:00:00:00:00:f3
Certificate

Issuer

CN=Microsoft Windows Third Party Component CA 2012,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

12/01/2023, 19:14

Not After

15/12/2023, 19:14

Subject

CN=Microsoft Windows Hardware Compatibility Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0b:aa:c1:00:00:00:00:00:09
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

18/04/2012, 23:48

Not After

18/04/2027, 23:58

Subject

CN=Microsoft Windows Third Party Component CA 2012,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

29/04/2021, 00:00

Not After

28/04/2036, 23:59

Subject

CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

04:01:96:51:84:2d:48:27:70:a0:7b:fb:2e:5d:12:a8
Certificate

Issuer

CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1,O=DigiCert\, Inc.,C=US

Not Before

24/08/2022, 00:00

Not After

01/11/2025, 23:59

Subject

SERIALNUMBER=91110105MA005CH48R,CN=Beijing Huorong Network Technology Co.\, Ltd.,O=Beijing Huorong Network Technology Co.\, Ltd.,ST=Beijing,C=CN,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.1=#13084368616f79616e67,1.3.6.1.4.1.311.60.2.1.2=#13074265696a696e67,1.3.6.1.4.1.311.60.2.1.3=#1302434e

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

0c:4d:69:72:4b:94:fa:3c:2a:4a:3d:29:07:80:3d:5a
Certificate

Issuer

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Not Before

21/09/2022, 00:00

Not After

21/11/2033, 23:59

Subject

CN=DigiCert Timestamp 2022 - 2,O=DigiCert,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

23/03/2022, 00:00

Not After

22/03/2037, 23:59

Subject

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/08/2022, 00:00

Not After

09/11/2031, 23:59

Subject

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

22:84:00:37:4e:44:41:64:4b:5c:7f:9f:18:a5:e1:57:ee:1b:ab:44:aa:a7:f7:43:5b:85:7e:dd:9c:e7:63:db
Signer

Actual PE Digest

22:84:00:37:4e:44:41:64:4b:5c:7f:9f:18:a5:e1:57:ee:1b:ab:44:aa:a7:f7:43:5b:85:7e:dd:9c:e7:63:db

Digest Algorithm

sha256

PE Digest Matches

true

22:84:00:37:4e:44:41:64:4b:5c:7f:9f:18:a5:e1:57:ee:1b:ab:44:aa:a7:f7:43:5b:85:7e:dd:9c:e7:63:db
Signer

Actual PE Digest

22:84:00:37:4e:44:41:64:4b:5c:7f:9f:18:a5:e1:57:ee:1b:ab:44:aa:a7:f7:43:5b:85:7e:dd:9c:e7:63:db

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

IofCompleteRequest
RtlInitUnicodeString
IoQueueWorkItem
IoAllocateWorkItem
IoFreeMdl
IoCreateDevice
IoAllocateMdl
MmMapLockedPagesSpecifyCache
MmBuildMdlForNonPagedPool
NtBuildNumber
ZwClose
ObReferenceObjectByHandle
PsCreateSystemThread
KeWaitForSingleObject
KeDelayExecutionThread
KeSetEvent
KeInitializeEvent
IoFreeWorkItem
ZwQuerySystemInformation
MmIsAddressValid
strrchr
PsGetCurrentThreadId
RtlGetVersion
ExInitializeNPagedLookasideList
ExpInterlockedPushEntrySList
ExpInterlockedPopEntrySList
ExQueryDepthSList
ExFreePoolWithTag
ExAllocatePoolWithTag
_strnicmp
_stricmp
KeReleaseInStackQueuedSpinLock
KeAcquireInStackQueuedSpinLock
strncmp
strstr
strncpy
strchr

ndis.sys

NdisAllocateGenericObject
NdisRetreatNetBufferDataStart
NdisAdvanceNetBufferDataStart
NdisGetDataBuffer
NdisAllocateNetBufferListPool

fwpkclnt.sys

FwpmTransactionBegin0
FwpmEngineClose0
FwpmEngineOpen0
FwpmBfeStateSubscribeChanges0
FwpsStreamContinue0
FwpsStreamInjectAsync0
FwpsQueryPacketInjectionState0
FwpsConstructIpHeaderForTransportPacket0
FwpsFreeNetBufferList0
FwpsAllocateNetBufferAndNetBufferList0
FwpsInjectionHandleCreate0
FwpmTransactionCommit0
FwpsAcquireWritableLayerDataPointer0
FwpsReleaseClassifyHandle0
FwpsAcquireClassifyHandle0
FwpsPendOperation0
FwpsGetPacketListSecurityInformation0
FwpsFlowAssociateContext0
FwpsCalloutRegister1
FwpsAllocateCloneNetBufferList0
FwpsInjectTransportReceiveAsync0
FwpsInjectTransportSendAsync0
FwpsFreeCloneNetBufferList0
FwpsCompleteOperation0
FwpmTransactionAbort0
FwpmProviderContextAdd0
FwpmSubLayerAdd0
FwpmCalloutAdd0
FwpsApplyModifiedLayerData0
FwpmFilterAdd0

Sections

.text
Size: 89KB - Virtual size: 88KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 106KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 992B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 232B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
sys/nfwfp.sys
.sys windows x64

a7a42f5d848a4c7b22557a75bdfb5f7d

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

ExpInterlockedPushEntrySList
ExInitializeNPagedLookasideList
ExDeleteNPagedLookasideList
MmBuildMdlForNonPagedPool
MmMapLockedPagesSpecifyCache
MmUnmapLockedPages
MmAllocatePagesForMdl
MmFreePagesFromMdl
PsCreateSystemThread
PsTerminateSystemThread
IoAllocateMdl
IofCompleteRequest
IoCreateDevice
IoCreateSymbolicLink
IoDeleteDevice
IoDeleteSymbolicLink
IoFreeMdl
IoReleaseCancelSpinLock
ObReferenceObjectByHandle
ObfDereferenceObject
ZwClose
ZwOpenKey
ExpInterlockedPopEntrySList
PsGetCurrentProcessId
ZwSetInformationThread
RtlLengthSid
RtlCreateAcl
RtlAddAccessAllowedAce
PsLookupProcessByProcessId
ObOpenObjectByPointer
ZwSetSecurityObject
__C_specific_handler
SeExports
RtlGetVersion
_stricmp
ZwQuerySystemInformation
RtlValidSid
KeWaitForSingleObject
ExFreePoolWithTag
ExQueryDepthSList
KeSetEvent
KeInitializeEvent
RtlSetDaclSecurityDescriptor
RtlCreateSecurityDescriptor
RtlAppendUnicodeToString
MmGetSystemRoutineAddress
RtlInitUnicodeString
swprintf_s
ExUuidCreate
ExAllocatePoolWithTag
RtlCopyUnicodeString
KeReleaseInStackQueuedSpinLock
KeAcquireInStackQueuedSpinLock
ZwQueryValueKey
RtlCompareMemory

fwpkclnt.sys

FwpsFreeNetBufferList0

ndis.sys

NdisInitializeEvent
NdisAdvanceNetBufferDataStart
NdisGetDataBuffer
NdisAllocateGenericObject
NdisFreeNetBufferListPool
NdisAllocateNetBufferListPool
NdisWaitEvent
NdisFreeGenericObject
NdisRetreatNetBufferDataStart

wdfldr.sys

WdfVersionUnbind
WdfVersionBind
WdfVersionBindClass
WdfVersionUnbindClass

Sections

.text
Size: 56KB - Virtual size: 56KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 132B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
sys/nvhda64v.sys
.sys windows x64

eac439bf1ed6e8be61857c92d14762bd

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

RtlInitUnicodeString
RtlCompareUnicodeString
ExFreePoolWithTag
IofCompleteRequest
EtwRegister
EtwUnregister
EtwWriteTransfer
ExAllocatePoolWithTag
IoAllocateIrp
IoFreeIrp
KeInitializeEvent
KeClearEvent
KeSetEvent
KeWaitForSingleObject
ExAcquireFastMutex
ExReleaseFastMutex
towupper
wcsstr
RtlFreeUnicodeString
RtlGetVersion
KeGetCurrentIrql
KeInitializeMutex
KeReleaseMutex
KeDelayExecutionThread
KeAcquireInStackQueuedSpinLock
KeReleaseInStackQueuedSpinLock
IoOpenDeviceRegistryKey
IoRegisterDeviceInterface
IoSetDeviceInterfaceState
PoRequestPowerIrp
ObReferenceObjectByHandle
ObfDereferenceObject
ZwClose
ObQueryNameString
RtlIsNtDdiVersionAvailable
_vsnwprintf
ZwCreateKey
ZwOpenKey
ZwQueryValueKey
ZwSetValueKey
KeSetPriorityThread
PsCreateSystemThread
PsTerminateSystemThread
KeBugCheckEx
ExFreePool

portcls.sys

PcDispatchIrp
PcAddAdapterDevice
PcRegisterAdapterPowerManagement
PcForwardIrpSynchronous
PcInitializeAdapterDriver
PcRegisterSubdevice
PcRegisterPhysicalConnection
PcNewPort
PcNewRegistryKey

Sections

.text
Size: 28KB - Virtual size: 27KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

CODE
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 708B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGE
Size: 42KB - Virtual size: 41KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 912B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 684B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
sys/processr.sys
.sys windows x64

f84a5fac422aefb9e416c02988e6681c

Code Sign

33:00:00:02:32:41:fb:59:99:6d:cc:4d:ff:00:00:00:00:02:32
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/05/2019, 21:24

Not After

02/05/2020, 21:24

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

38:88:94:80:42:be:f6:93:3a:49:d7:76:16:0e:fb:91:23:f3:82:b0:66:e6:1e:1f:18:88:80:69:71:93:5e:fa
Signer

Actual PE Digest

38:88:94:80:42:be:f6:93:3a:49:d7:76:16:0e:fb:91:23:f3:82:b0:66:e6:1e:1f:18:88:80:69:71:93:5e:fa

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

wpprecorder.sys

imp_WppRecorderReplay
WppAutoLogTrace
WppAutoLogStop
WppAutoLogStart

ntoskrnl.exe

_itoa_s
IoAllocateWorkItem
RtlAnsiStringToUnicodeString
ZwQuerySystemInformation
memcpy_s
RtlFreeUnicodeString
IoFreeWorkItem
ExAllocatePoolWithTag
ExFreePoolWithTag
IoQueueWorkItem
KeInitializeDpc
IoSizeofWorkItem
KeInitializeTimerEx
KeSetTimerEx
KeSetSystemGroupAffinityThread
IoSetDevicePropertyData
KeProcessorGroupAffinity
KeRevertToUserGroupAffinityThread
IoInitializeWorkItem
ZwPowerInformation
KeCancelTimer
IoUninitializeWorkItem
HalPrivateDispatchTable
PoEnergyEstimationEnabled
EmClientQueryRuleState
KeGetProcessorNumberFromIndex
EtwSetInformation
EtwEventEnabled
IoGetDevicePropertyData
EtwWriteTransfer
EtwUnregister
EtwWrite
MmGetSystemRoutineAddress
KeBugCheckEx
PoFxProcessorNotification
KeSetImportanceDpc
KeSetTargetProcessorDpcEx
KeAddProcessorAffinityEx
KeGetCurrentProcessorNumberEx
KeIsEqualAffinityEx
KeCheckProcessorAffinityEx
KeOrAffinityEx
NtQuerySystemInformationEx
KeAddGroupAffinityEx
KeInitializeEnumerationContext
KeEnumerateNextProcessor
KeRemoveProcessorAffinityEx
KeCopyAffinityEx
KeQueryActiveProcessorCountEx
RtlQueryRegistryValuesEx
_vsnwprintf
KeQueryLogicalProcessorRelationship
KeIsEmptyAffinityEx
KeAndAffinityEx
RtlCompareMemory
PoFxActivateComponent
PoFxRegisterDevice
PoFxStartDevicePowerManagement
KeCountSetBitsAffinityEx
HalDispatchTable
HvlQueryStartedProcessors
HvlQueryActiveHypervisorProcessorCount
HvlGetLpIndexFromApicId
HvlReadPerformanceStateCounters
HvlQueryProcessorTopology
IoWMIRegistrationControl
KeInitializeAffinityEx
IoGetDeviceObjectPointer
RtlInitUnicodeString
PoFxReportDevicePoweredOn
KeQueryActiveProcessorAffinity
RtlCopyUnicodeString
EtwRegister

hal

KeQueryPerformanceCounter
HalGetProcessorIdByNtNumber

wdfldr.sys

WdfVersionUnbind
WdfVersionBindClass
WdfVersionUnbindClass
WdfVersionBind

Sections

.text
Size: 50KB - Virtual size: 50KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 13KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGE
Size: 98KB - Virtual size: 97KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

GFIDS
Size: 1024B - Virtual size: 600B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.rsrc
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
sys/qmbsecx64.sys
.sys windows x64

3cebe7836df9cae5363bf60a6fc7da1a

Code Sign

33:00:00:04:9d:60:b5:b1:de:aa:33:af:87:00:00:00:00:04:9d
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

07/06/2022, 17:43

Not After

01/06/2023, 17:43

Subject

CN=Microsoft Windows Early Launch Anti-malware Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

64:46:63:bc:dd:d2:11:76:2f:9a:ab:2f:c4:43:3e:0e:84:75:1d:26:46:4a:16:09:6e:b9:c2:8d:c8:21:94:63
Signer

Actual PE Digest

64:46:63:bc:dd:d2:11:76:2f:9a:ab:2f:c4:43:3e:0e:84:75:1d:26:46:4a:16:09:6e:b9:c2:8d:c8:21:94:63

Digest Algorithm

sha256

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

KeBugCheckEx

Sections

.text
Size: 512B - Virtual size: 111B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 512B - Virtual size: 180B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 272B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 512B - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 512B - Virtual size: 222B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
sys/sysdiag.sys
.sys windows x64

b0b74d765455a5bdc4644546995abe7c

Code Sign

33:00:00:00:f3:15:8e:a5:7d:1c:55:9f:29:00:00:00:00:00:f3
Certificate

Issuer

CN=Microsoft Windows Third Party Component CA 2012,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

12/01/2023, 19:14

Not After

15/12/2023, 19:14

Subject

CN=Microsoft Windows Hardware Compatibility Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0b:aa:c1:00:00:00:00:00:09
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

18/04/2012, 23:48

Not After

18/04/2027, 23:58

Subject

CN=Microsoft Windows Third Party Component CA 2012,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

29/04/2021, 00:00

Not After

28/04/2036, 23:59

Subject

CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

04:01:96:51:84:2d:48:27:70:a0:7b:fb:2e:5d:12:a8
Certificate

Issuer

CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1,O=DigiCert\, Inc.,C=US

Not Before

24/08/2022, 00:00

Not After

01/11/2025, 23:59

Subject

SERIALNUMBER=91110105MA005CH48R,CN=Beijing Huorong Network Technology Co.\, Ltd.,O=Beijing Huorong Network Technology Co.\, Ltd.,ST=Beijing,C=CN,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.1=#13084368616f79616e67,1.3.6.1.4.1.311.60.2.1.2=#13074265696a696e67,1.3.6.1.4.1.311.60.2.1.3=#1302434e

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

0c:4d:69:72:4b:94:fa:3c:2a:4a:3d:29:07:80:3d:5a
Certificate

Issuer

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Not Before

21/09/2022, 00:00

Not After

21/11/2033, 23:59

Subject

CN=DigiCert Timestamp 2022 - 2,O=DigiCert,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

23/03/2022, 00:00

Not After

22/03/2037, 23:59

Subject

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/08/2022, 00:00

Not After

09/11/2031, 23:59

Subject

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

05:c0:44:ca:13:ad:c6:59:2e:9d:3f:38:cd:e2:30:62:e2:91:0e:48:6d:da:f5:ba:1f:e3:60:ac:3d:b9:b7:5d
Signer

Actual PE Digest

05:c0:44:ca:13:ad:c6:59:2e:9d:3f:38:cd:e2:30:62:e2:91:0e:48:6d:da:f5:ba:1f:e3:60:ac:3d:b9:b7:5d

Digest Algorithm

sha256

PE Digest Matches

true

05:c0:44:ca:13:ad:c6:59:2e:9d:3f:38:cd:e2:30:62:e2:91:0e:48:6d:da:f5:ba:1f:e3:60:ac:3d:b9:b7:5d
Signer

Actual PE Digest

05:c0:44:ca:13:ad:c6:59:2e:9d:3f:38:cd:e2:30:62:e2:91:0e:48:6d:da:f5:ba:1f:e3:60:ac:3d:b9:b7:5d

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

ExReleaseRundownProtection
ExWaitForRundownProtectionRelease
MmProbeAndLockPages
MmUnlockPages
MmGetSystemRoutineAddress
MmMapLockedPagesSpecifyCache
PsCreateSystemThread
PsTerminateSystemThread
IoAllocateMdl
IoFreeMdl
IoGetCurrentProcess
IoCsqInitialize
IoCsqInsertIrp
IoCsqRemoveNextIrp
ObReferenceObjectByHandle
ObfDereferenceObject
ZwClose
KeStackAttachProcess
KeUnstackDetachProcess
IoGetRequestorProcess
__C_specific_handler
PsThreadType
RtlGetVersion
IoRegisterBootDriverReinitialization
IoRegisterDriverReinitialization
NtBuildNumber
ExAllocatePoolWithTag
ExFreePoolWithTag
ExInitializePagedLookasideList
ExDeletePagedLookasideList
KeResetEvent
MmBuildMdlForNonPagedPool
MmUnmapLockedPages
ExEventObjectType
wcschr
wcsncmp
ProbeForWrite
ExGetPreviousMode
IofCompleteRequest
IoCreateDevice
IoCreateSymbolicLink
IoDeleteDevice
IoDeleteSymbolicLink
ZwOpenSymbolicLinkObject
ZwQuerySymbolicLinkObject
ExRaiseAccessViolation
MmIsAddressValid
PsGetProcessId
ZwOpenProcess
PsLookupProcessByProcessId
ObOpenObjectByPointer
ObQueryNameString
PsGetProcessPeb
ZwQueryInformationProcess
IoFileObjectType
PsProcessType
MmUserProbeAddress
PsSetCreateProcessNotifyRoutine
PsSetCreateThreadNotifyRoutine
PsSetLoadImageNotifyRoutine
ZwOpenKey
ZwSetValueKey
PsGetCurrentProcessId
RtlCompareUnicodeString
ZwOpenFile
PsGetCurrentThreadId
_snprintf
qsort
wcsncpy
wcsrchr
_wcsicmp
_wcsnicmp
_wcslwr
RtlCopyUnicodeString
KeDelayExecutionThread
ExQueueWorkItem
ExAcquireRundownProtection
IoAllocateWorkItem
IoFreeWorkItem
IoQueueWorkItem
ObfReferenceObject
ZwCreateFile
ZwQueryValueKey
ZwTerminateProcess
PsIsThreadTerminating
FsRtlIsNameInExpression
ZwQueryDirectoryFile
KeInitializeApc
KeInsertQueueApc
ZwQuerySystemInformation
RtlPrefixUnicodeString
strchr
_strnicmp
strrchr
_vsnprintf
ZwAllocateVirtualMemory
ZwFreeVirtualMemory
strncpy
RtlWalkFrameChain
strncmp
IoGetDeviceObjectPointer
_vsnwprintf
RtlUpcaseUnicodeChar
ZwQueryInformationFile
RtlUnicodeStringToAnsiString
RtlFreeAnsiString
RtlCompareMemory
ZwReadFile
ZwWaitForSingleObject
KeAcquireInStackQueuedSpinLock
KeReleaseInStackQueuedSpinLock
KeAreApcsDisabled
IoBuildDeviceIoControlRequest
IofCallDriver
IoCreateFile
IoGetTopLevelIrp
IoQueryFileInformation
FsRtlInsertPerStreamContext
FsRtlLookupPerStreamContextInternal
RtlQueryRegistryValues
CmRegisterCallback
ZwDeleteKey
ObReferenceObjectByName
IoDriverObjectType
KeClearEvent
IoAllocateIrp
IoQueueThreadIrp
IoFreeIrp
MmAllocatePagesForMdl
MmFreePagesFromMdl
MmSystemRangeStart
IoGetFileObjectGenericMapping
ObInsertObject
SeCreateAccessState
ObCreateObject
PsLookupThreadByThreadId
ZwDuplicateObject
ZwQueryInformationThread
IoDeviceObjectType
ExInitializeRundownProtection
ExDeleteResourceLite
ExReleaseResourceLite
ExAcquireResourceExclusiveLite
ExAcquireResourceSharedLite
ExInitializeResourceLite
ExDeleteNPagedLookasideList
ExInitializeNPagedLookasideList
ExpInterlockedPushEntrySList
ExpInterlockedPopEntrySList
ExQueryDepthSList
ExReleaseFastMutex
ExAcquireFastMutex
KeReleaseSpinLock
KeAcquireSpinLockRaiseToDpc
KeWaitForSingleObject
KeWaitForMultipleObjects
KeLeaveCriticalRegion
KeEnterCriticalRegion
KeSetPriorityThread
KeSetEvent
KeInitializeEvent
ZwSetSecurityObject
_snwprintf
RtlLengthSecurityDescriptor
SeCaptureSecurityDescriptor
RtlCreateSecurityDescriptor
RtlSetDaclSecurityDescriptor
RtlAbsoluteToSelfRelativeSD
IoIsWdmVersionAvailable
SeExports
RtlLengthSid
RtlAddAccessAllowedAce
RtlGetSaclSecurityDescriptor
RtlGetDaclSecurityDescriptor
RtlGetGroupSecurityDescriptor
RtlGetOwnerSecurityDescriptor
ZwCreateKey
RtlFreeUnicodeString
RtlInitUnicodeString
towlower
MmProtectMdlSystemAddress
KeBugCheckEx
ExFreePool
MmMapIoSpace
MmUnmapIoSpace
MmGetPhysicalAddress

hal

KeQueryPerformanceCounter

fltmgr.sys

FltQueryInformationFile
FltStartFiltering
FltRegisterFilter
FltGetRequestorProcessId
FltQueueDeferredIoWorkItem
FltFreeDeferredIoWorkItem
FltAllocateDeferredIoWorkItem
FltGetDiskDeviceObject
FltCancelFileOpen
FltClose
FltSetInformationFile
FltCompletePendedPreOperation
FltCreateFile
FltGetDestinationFileNameInformation
FltGetVolumeName
FltReleaseFileNameInformation
FltGetFileNameInformation
FltCompletePendedPostOperation
FltUnregisterFilter

ndis.sys

NdisReleaseReadWriteLock
NdisAcquireReadWriteLock
NdisInitializeReadWriteLock

Sections

.text
Size: 275KB - Virtual size: 274KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 39KB - Virtual size: 38KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 29KB - Virtual size: 225KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.asmstub
Size: 512B - Virtual size: 49B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

PAGE
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 976B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 524B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
sys/sysdiag_win10.sys
.sys windows x64

b0b74d765455a5bdc4644546995abe7c

Code Sign

33:00:00:00:f3:15:8e:a5:7d:1c:55:9f:29:00:00:00:00:00:f3
Certificate

Issuer

CN=Microsoft Windows Third Party Component CA 2012,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

12/01/2023, 19:14

Not After

15/12/2023, 19:14

Subject

CN=Microsoft Windows Hardware Compatibility Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0b:aa:c1:00:00:00:00:00:09
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

18/04/2012, 23:48

Not After

18/04/2027, 23:58

Subject

CN=Microsoft Windows Third Party Component CA 2012,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

29/04/2021, 00:00

Not After

28/04/2036, 23:59

Subject

CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

04:01:96:51:84:2d:48:27:70:a0:7b:fb:2e:5d:12:a8
Certificate

Issuer

CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1,O=DigiCert\, Inc.,C=US

Not Before

24/08/2022, 00:00

Not After

01/11/2025, 23:59

Subject

SERIALNUMBER=91110105MA005CH48R,CN=Beijing Huorong Network Technology Co.\, Ltd.,O=Beijing Huorong Network Technology Co.\, Ltd.,ST=Beijing,C=CN,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.1=#13084368616f79616e67,1.3.6.1.4.1.311.60.2.1.2=#13074265696a696e67,1.3.6.1.4.1.311.60.2.1.3=#1302434e

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

0c:4d:69:72:4b:94:fa:3c:2a:4a:3d:29:07:80:3d:5a
Certificate

Issuer

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Not Before

21/09/2022, 00:00

Not After

21/11/2033, 23:59

Subject

CN=DigiCert Timestamp 2022 - 2,O=DigiCert,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

23/03/2022, 00:00

Not After

22/03/2037, 23:59

Subject

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/08/2022, 00:00

Not After

09/11/2031, 23:59

Subject

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

05:c0:44:ca:13:ad:c6:59:2e:9d:3f:38:cd:e2:30:62:e2:91:0e:48:6d:da:f5:ba:1f:e3:60:ac:3d:b9:b7:5d
Signer

Actual PE Digest

05:c0:44:ca:13:ad:c6:59:2e:9d:3f:38:cd:e2:30:62:e2:91:0e:48:6d:da:f5:ba:1f:e3:60:ac:3d:b9:b7:5d

Digest Algorithm

sha256

PE Digest Matches

true

05:c0:44:ca:13:ad:c6:59:2e:9d:3f:38:cd:e2:30:62:e2:91:0e:48:6d:da:f5:ba:1f:e3:60:ac:3d:b9:b7:5d
Signer

Actual PE Digest

05:c0:44:ca:13:ad:c6:59:2e:9d:3f:38:cd:e2:30:62:e2:91:0e:48:6d:da:f5:ba:1f:e3:60:ac:3d:b9:b7:5d

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

ExReleaseRundownProtection
ExWaitForRundownProtectionRelease
MmProbeAndLockPages
MmUnlockPages
MmGetSystemRoutineAddress
MmMapLockedPagesSpecifyCache
PsCreateSystemThread
PsTerminateSystemThread
IoAllocateMdl
IoFreeMdl
IoGetCurrentProcess
IoCsqInitialize
IoCsqInsertIrp
IoCsqRemoveNextIrp
ObReferenceObjectByHandle
ObfDereferenceObject
ZwClose
KeStackAttachProcess
KeUnstackDetachProcess
IoGetRequestorProcess
__C_specific_handler
PsThreadType
RtlGetVersion
IoRegisterBootDriverReinitialization
IoRegisterDriverReinitialization
NtBuildNumber
ExAllocatePoolWithTag
ExFreePoolWithTag
ExInitializePagedLookasideList
ExDeletePagedLookasideList
KeResetEvent
MmBuildMdlForNonPagedPool
MmUnmapLockedPages
ExEventObjectType
wcschr
wcsncmp
ProbeForWrite
ExGetPreviousMode
IofCompleteRequest
IoCreateDevice
IoCreateSymbolicLink
IoDeleteDevice
IoDeleteSymbolicLink
ZwOpenSymbolicLinkObject
ZwQuerySymbolicLinkObject
ExRaiseAccessViolation
MmIsAddressValid
PsGetProcessId
ZwOpenProcess
PsLookupProcessByProcessId
ObOpenObjectByPointer
ObQueryNameString
PsGetProcessPeb
ZwQueryInformationProcess
IoFileObjectType
PsProcessType
MmUserProbeAddress
PsSetCreateProcessNotifyRoutine
PsSetCreateThreadNotifyRoutine
PsSetLoadImageNotifyRoutine
ZwOpenKey
ZwSetValueKey
PsGetCurrentProcessId
RtlCompareUnicodeString
ZwOpenFile
PsGetCurrentThreadId
_snprintf
qsort
wcsncpy
wcsrchr
_wcsicmp
_wcsnicmp
_wcslwr
RtlCopyUnicodeString
KeDelayExecutionThread
ExQueueWorkItem
ExAcquireRundownProtection
IoAllocateWorkItem
IoFreeWorkItem
IoQueueWorkItem
ObfReferenceObject
ZwCreateFile
ZwQueryValueKey
ZwTerminateProcess
PsIsThreadTerminating
FsRtlIsNameInExpression
ZwQueryDirectoryFile
KeInitializeApc
KeInsertQueueApc
ZwQuerySystemInformation
RtlPrefixUnicodeString
strchr
_strnicmp
strrchr
_vsnprintf
ZwAllocateVirtualMemory
ZwFreeVirtualMemory
strncpy
RtlWalkFrameChain
strncmp
IoGetDeviceObjectPointer
_vsnwprintf
RtlUpcaseUnicodeChar
ZwQueryInformationFile
RtlUnicodeStringToAnsiString
RtlFreeAnsiString
RtlCompareMemory
ZwReadFile
ZwWaitForSingleObject
KeAcquireInStackQueuedSpinLock
KeReleaseInStackQueuedSpinLock
KeAreApcsDisabled
IoBuildDeviceIoControlRequest
IofCallDriver
IoCreateFile
IoGetTopLevelIrp
IoQueryFileInformation
FsRtlInsertPerStreamContext
FsRtlLookupPerStreamContextInternal
RtlQueryRegistryValues
CmRegisterCallback
ZwDeleteKey
ObReferenceObjectByName
IoDriverObjectType
KeClearEvent
IoAllocateIrp
IoQueueThreadIrp
IoFreeIrp
MmAllocatePagesForMdl
MmFreePagesFromMdl
MmSystemRangeStart
IoGetFileObjectGenericMapping
ObInsertObject
SeCreateAccessState
ObCreateObject
PsLookupThreadByThreadId
ZwDuplicateObject
ZwQueryInformationThread
IoDeviceObjectType
ExInitializeRundownProtection
ExDeleteResourceLite
ExReleaseResourceLite
ExAcquireResourceExclusiveLite
ExAcquireResourceSharedLite
ExInitializeResourceLite
ExDeleteNPagedLookasideList
ExInitializeNPagedLookasideList
ExpInterlockedPushEntrySList
ExpInterlockedPopEntrySList
ExQueryDepthSList
ExReleaseFastMutex
ExAcquireFastMutex
KeReleaseSpinLock
KeAcquireSpinLockRaiseToDpc
KeWaitForSingleObject
KeWaitForMultipleObjects
KeLeaveCriticalRegion
KeEnterCriticalRegion
KeSetPriorityThread
KeSetEvent
KeInitializeEvent
ZwSetSecurityObject
_snwprintf
RtlLengthSecurityDescriptor
SeCaptureSecurityDescriptor
RtlCreateSecurityDescriptor
RtlSetDaclSecurityDescriptor
RtlAbsoluteToSelfRelativeSD
IoIsWdmVersionAvailable
SeExports
RtlLengthSid
RtlAddAccessAllowedAce
RtlGetSaclSecurityDescriptor
RtlGetDaclSecurityDescriptor
RtlGetGroupSecurityDescriptor
RtlGetOwnerSecurityDescriptor
ZwCreateKey
RtlFreeUnicodeString
RtlInitUnicodeString
towlower
MmProtectMdlSystemAddress
KeBugCheckEx
ExFreePool
MmMapIoSpace
MmUnmapIoSpace
MmGetPhysicalAddress

hal

KeQueryPerformanceCounter

fltmgr.sys

FltQueryInformationFile
FltStartFiltering
FltRegisterFilter
FltGetRequestorProcessId
FltQueueDeferredIoWorkItem
FltFreeDeferredIoWorkItem
FltAllocateDeferredIoWorkItem
FltGetDiskDeviceObject
FltCancelFileOpen
FltClose
FltSetInformationFile
FltCompletePendedPreOperation
FltCreateFile
FltGetDestinationFileNameInformation
FltGetVolumeName
FltReleaseFileNameInformation
FltGetFileNameInformation
FltCompletePendedPostOperation
FltUnregisterFilter

ndis.sys

NdisReleaseReadWriteLock
NdisAcquireReadWriteLock
NdisInitializeReadWriteLock

Sections

.text
Size: 275KB - Virtual size: 274KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 39KB - Virtual size: 38KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 29KB - Virtual size: 225KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.asmstub
Size: 512B - Virtual size: 49B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

PAGE
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 976B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 524B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

82911db998c2fa5c19cefc2f0d3a73b6

Headers

File Characteristics

Imports

ntoskrnl.exe

Sections

.text Size: 28KB - Virtual size: 27KB

.rdata Size: 2KB - Virtual size: 2KB

.data Size: 1024B - Virtual size: 5KB

.pdata Size: 1024B - Virtual size: 852B

INIT Size: 2KB - Virtual size: 2KB

.rsrc Size: 1024B - Virtual size: 856B

.reloc Size: 512B - Virtual size: 84B

27c15652ab165e825304f96badc4375a

Headers

DLL Characteristics

File Characteristics

Imports

ntoskrnl.exe

Sections

.text Size: 67KB - Virtual size: 67KB

.rdata Size: 9KB - Virtual size: 8KB

.data Size: 1KB - Virtual size: 10KB

.pdata Size: 4KB - Virtual size: 3KB

PAGE Size: 512B - Virtual size: 409B

INIT Size: 3KB - Virtual size: 3KB

.rsrc Size: 1024B - Virtual size: 904B

.reloc Size: 512B - Virtual size: 432B

738d5ef7ad73454452781bd89f203c2a

Headers

DLL Characteristics

File Characteristics

Imports

ntoskrnl.exe

fwpkclnt.sys

Sections

.text Size: 65KB - Virtual size: 65KB

.rdata Size: 4KB - Virtual size: 4KB

.data Size: 1024B - Virtual size: 8KB

.pdata Size: 2KB - Virtual size: 1KB

INIT Size: 4KB - Virtual size: 4KB

.rsrc Size: 1024B - Virtual size: 960B

.reloc Size: 512B - Virtual size: 36B

0930eeaa7b3d7b8c0b5cd44e8ed912ec

Headers

File Characteristics

Imports

ntoskrnl.exe

hal

fltmgr.sys

Sections

.text Size: 58KB - Virtual size: 58KB

.rdata Size: 5KB - Virtual size: 5KB

.data Size: 1024B - Virtual size: 105KB

.pdata Size: 2KB - Virtual size: 2KB

PAGE Size: 3KB - Virtual size: 3KB

INIT Size: 8KB - Virtual size: 7KB

.rsrc Size: 1024B - Virtual size: 864B

.reloc Size: 512B - Virtual size: 324B

116c2c0d6ac9b0c66b43920339437207

Code Sign

33:00:00:00:c5:e5:31:36:c3:d5:21:5a:0d:00:00:00:00:00:c5Certificate

Extended Key Usages

61:0b:aa:c1:00:00:00:00:00:09Certificate

Key Usages

84:21:6f:b8:3f:b6:22:5f:aa:7a:af:69:01:4c:0e:4a:aa:07:04:2d:00:a7:1e:04:54:b5:5c:bb:9e:c5:9a:b1Signer

Headers

DLL Characteristics

File Characteristics

Imports

ntoskrnl.exe

Sections

.text Size: 9KB - Virtual size: 9KB

.rdata Size: 2KB - Virtual size: 1KB

.data Size: 512B - Virtual size: 156B

.text
Size: 28KB - Virtual size: 27KB

.rdata
Size: 2KB - Virtual size: 2KB

.data
Size: 1024B - Virtual size: 5KB

.pdata
Size: 1024B - Virtual size: 852B

INIT
Size: 2KB - Virtual size: 2KB

.rsrc
Size: 1024B - Virtual size: 856B

.reloc
Size: 512B - Virtual size: 84B

.text
Size: 67KB - Virtual size: 67KB

.rdata
Size: 9KB - Virtual size: 8KB

.data
Size: 1KB - Virtual size: 10KB

.pdata
Size: 4KB - Virtual size: 3KB

PAGE
Size: 512B - Virtual size: 409B

INIT
Size: 3KB - Virtual size: 3KB

.rsrc
Size: 1024B - Virtual size: 904B

.reloc
Size: 512B - Virtual size: 432B

.text
Size: 65KB - Virtual size: 65KB

.rdata
Size: 4KB - Virtual size: 4KB

.data
Size: 1024B - Virtual size: 8KB

.pdata
Size: 2KB - Virtual size: 1KB

INIT
Size: 4KB - Virtual size: 4KB

.rsrc
Size: 1024B - Virtual size: 960B

.reloc
Size: 512B - Virtual size: 36B

.text
Size: 58KB - Virtual size: 58KB

.rdata
Size: 5KB - Virtual size: 5KB

.data
Size: 1024B - Virtual size: 105KB

.pdata
Size: 2KB - Virtual size: 2KB

PAGE
Size: 3KB - Virtual size: 3KB

INIT
Size: 8KB - Virtual size: 7KB

.rsrc
Size: 1024B - Virtual size: 864B

.reloc
Size: 512B - Virtual size: 324B

33:00:00:00:c5:e5:31:36:c3:d5:21:5a:0d:00:00:00:00:00:c5
Certificate

61:0b:aa:c1:00:00:00:00:00:09
Certificate

84:21:6f:b8:3f:b6:22:5f:aa:7a:af:69:01:4c:0e:4a:aa:07:04:2d:00:a7:1e:04:54:b5:5c:bb:9e:c5:9a:b1
Signer

.text
Size: 9KB - Virtual size: 9KB

.rdata
Size: 2KB - Virtual size: 1KB

.data
Size: 512B - Virtual size: 156B

.pdata
Size: 1024B - Virtual size: 540B

INIT
Size: 1KB - Virtual size: 1KB

.rsrc
Size: 1024B - Virtual size: 1000B

0f:51:99:27:94:18:e8:e5:7e:86:59:dc:30:54:b8:30
Certificate

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5c
Certificate

0a:7a:4a:88:9e:c9:99:42:90:06:63:38:4d:86:97:9d
Certificate

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

33:00:00:00:4e:59:56:10:83:2b:4e:0c:6c:00:00:00:00:00:4e
Certificate

33:00:00:00:0d:69:0d:5d:78:93:d0:76:df:00:00:00:00:00:0d
Certificate

84:21:6f:b8:3f:b6:22:5f:aa:7a:af:69:01:4c:0e:4a:aa:07:04:2d:00:a7:1e:04:54:b5:5c:bb:9e:c5:9a:b1
Signer

84:21:6f:b8:3f:b6:22:5f:aa:7a:af:69:01:4c:0e:4a:aa:07:04:2d:00:a7:1e:04:54:b5:5c:bb:9e:c5:9a:b1
Signer

.text
Size: 9KB - Virtual size: 9KB

.rdata
Size: 2KB - Virtual size: 1KB

.data
Size: 512B - Virtual size: 156B

.pdata
Size: 1024B - Virtual size: 540B

INIT
Size: 1KB - Virtual size: 1KB

.rsrc
Size: 1024B - Virtual size: 1000B

33:00:00:01:de:c6:82:15:09:5c:ff:17:c6:00:00:00:00:01:de
Certificate

61:0c:52:4c:00:00:00:00:00:03
Certificate

c5:1b:54:8c:3b:f8:26:23:eb:b6:0a:3d:cf:ef:4b:fe:7d:8d:48:94:3b:1a:d9:cd:92:88:50:19:e0:7b:66:8f
Signer

.text
Size: 512B - Virtual size: 225B

.rdata
Size: 1024B - Virtual size: 680B

.data
Size: 512B - Virtual size: 16B

.pdata
Size: 512B - Virtual size: 72B

.gfids
Size: 512B - Virtual size: 4B

INIT
Size: 512B - Virtual size: 89B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 24B

33:00:00:00:f5:e8:77:3b:20:6b:1c:cd:61:00:00:00:00:00:f5
Certificate

61:0b:aa:c1:00:00:00:00:00:09
Certificate

7d:fb:cf:ba:18:b9:8f:81:16:dc:6d:18:04:26:49:83:26:c3:04:98:68:b8:2c:52:05:f1:03:c4:43:89:32:7c
Signer

.text
Size: 95KB - Virtual size: 94KB