EQoSTestHook
Static task
static1
General
Target: 0ab9305c5e4f876c48662eaf7048b599
Size: 1.1MB
MD5: 0ab9305c5e4f876c48662eaf7048b599
SHA1: 192d130a37a68be4f02a52f3089574dcbcfcd0d9
SHA256: e3288f63b7165a004db86bb2cfa6d992b26e8a9c8d10e11ad182dd205a8f5054
SHA512: 8b0630c51cb8c8623d36a4153baed4edd70b9ca82e84a3e65f6ab93036e48a7674fe37516987f7f450e52dda0cae4cd91e8eb0f998d921006616ba3f7663c9a7
SSDEEP: 12288:RFB9TM8mj5nI7+256M6CyGOP0KxPrbZsLb2rD0cSbCQ0hmNDw0npMs:RFjDmFDE6xCROPHxPrbZserJSWAb
Malware Config
Signatures
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
resource 0ab9305c5e4f876c48662eaf7048b599
Files
0ab9305c5e4f876c48662eaf7048b599.sys windows:6 windows x64 arch:x64
7b1a207a9ff4c25238771bf5987bf71e
Headers
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
Imports
ntoskrnl.exe
PsGetCurrentProcessId
ExAcquireResourceExclusiveLite
KeLeaveCriticalRegion
KeEnterCriticalRegion
ExReleaseResourceLite
ExDeleteResourceLite
ExInitializeResourceLite
RtlAnsiCharToUnicodeChar
MmProbeAndLockPages
RtlSetBits
RtlInitializeBitMap
RtlSetBit
SeExports
ExInitializeLookasideListEx
ExDeleteLookasideListEx
KeQueryActiveProcessorCount
DbgPrint
RtlSubAuthorityCountSid
SeQueryInformationToken
ObOpenObjectByPointer
ZwQueryInformationToken
PsIsSystemProcess
RtlEqualSid
PsDereferenceImpersonationToken
PsDereferencePrimaryToken
PsReferencePrimaryToken
PsReferenceImpersonationToken
RtlDowncaseUnicodeString
PsReferenceProcessFilePointer
ObCloseHandle
KeQueryTimeIncrement
ExUuidCreate
ExGetPreviousMode
KeBugCheck
SeReportSecurityEventWithSubCategory
SeSetAuditParameter
DbgBreakPoint
MmSizeOfMdl
MmUnmapLockedPages
ZwQueryValueKey
ZwClose
ZwNotifyChangeKey
ZwOpenKey
KeFlushQueuedDpcs
KeCancelTimer
KeInitializeTimerEx
KeSetTimerEx
ExGetCurrentProcessorCounts
MmUserProbeAddress
ExCreateCallback
IoFreeWorkItem
IoAllocateWorkItem
IoQueueWorkItem
ExReleaseFastMutex
ExAcquireFastMutex
KeInsertQueueDpc
KeSetTargetProcessorDpc
KeInitializeDpc
ExAllocatePoolWithTagPriority
KeReleaseInStackQueuedSpinLock
KeAcquireInStackQueuedSpinLock
MmBuildMdlForNonPagedPool
ExNotifyCallback
RtlGetVersion
RtlInitializeGenericTableAvl
PsGetProcessSessionId
ExQueryDepthSList
ExpInterlockedPushEntrySList
RtlLookupElementGenericTableFullAvl
IoWriteErrorLogEntry
IoAllocateErrorLogEntry
KeIsExecutingDpc
ExpInterlockedPopEntrySList
ObDereferenceSecurityDescriptor
KeReleaseSpinLock
PsGetProcessId
KeAcquireSpinLockRaiseToDpc
KeAcquireSpinLockAtDpcLevel
IoFreeMdl
MmMapLockedPagesSpecifyCache
IoBuildPartialMdl
IoAllocateMdl
KeReleaseSpinLockFromDpcLevel
KeTestSpinLock
KeAcquireInStackQueuedSpinLockAtDpcLevel
KeReleaseInStackQueuedSpinLockFromDpcLevel
KeReleaseSemaphore
ObReferenceSecurityDescriptor
KeNumberProcessors
ZwQuerySystemInformation
IoBuildDeviceIoControlRequest
ObfDereferenceObject
ObfReferenceObject
IoGetDeviceObjectPointer
IoIs32bitProcess
PsGetThreadProcess
PsIsSystemThread
PsGetCurrentThread
PsGetCurrentProcess
KeInitializeEvent
KeWaitForSingleObject
KeSetEvent
MmUnlockPages
RtlAddAccessAllowedAceEx
RtlIpv6AddressToStringExW
RtlIpv4AddressToStringExW
KeDelayExecutionThread
KeReleaseMutex
InitializeSListHead
KeInitializeMutex
RtlEnumerateGenericTableLikeADirectory
RtlTimeToTimeFields
ExDeleteNPagedLookasideList
KeBugCheckEx
RtlCompareMemory
IoDeleteDevice
RtlInitUnicodeString
IofCompleteRequest
IoGetCurrentProcess
IofCallDriver
IoWMIWriteEvent
ExInitializeNPagedLookasideList
RtlSubAuthoritySid
RtlSetDaclSecurityDescriptor
RtlCreateSecurityDescriptor
RtlAddAccessAllowedAce
RtlCreateAcl
RtlInitializeSid
RtlLengthRequiredSid
RtlFreeUnicodeString
RtlConvertSidToUnicodeString
RtlCopySid
ZwEnumerateKey
RtlLengthSid
RtlValidSid
RtlQueryRegistryValues
RtlCompareUnicodeString
RtlIpv6StringToAddressW
RtlIpv4StringToAddressW
RtlUnicodeStringToInteger
IoCreateSymbolicLink
KeUnstackDetachProcess
ZwDuplicateToken
KeStackAttachProcess
ObReferenceObjectByHandle
ZwOpenProcess
KeInitializeSemaphore
SeCaptureSubjectContextEx
SeLockSubjectContext
SeAccessCheck
IoGetFileObjectGenericMapping
SeOpenObjectAuditAlarmForNonObObject
SeUnlockSubjectContext
SeReleaseSubjectContext
RtlFindClearBits
RtlAreBitsClear
RtlFindSetBits
RtlClearBits
RtlClearAllBits
ExAcquireResourceSharedLite
RtlClearBit
IoDeleteSymbolicLink
ObSetSecurityObjectByPointer
ExFreePoolWithTag
IoWMIRegistrationControl
ExAllocatePoolWithTag
IoCreateDevice
RtlIntegerToUnicodeString
MmGetSystemRoutineAddress
__C_specific_handler
netio.sys
NetioFreeNetBufferList
NetioDereferenceNetBufferListChain
NetioExtendNetBuffer
FsbAllocateAtDpcLevel
RtlCleanupTimerWheelEntry
FsbAllocate
RtlLookupEntryHashTable
RtlInsertElementGenericTableBasicAvl
RtlComputeToeplitzHash
RtlGetNextExpiredTimerWheelEntry
RtlGetNextEntryHashTable
RtlDeleteElementGenericTableBasicAvl
RtlRemoveEntryHashTable
RtlReturnTimerWheelEntry
NetioInitializeWorkQueue
NetioShutdownWorkQueue
RtlInitializeTimerWheelEntry
RtlInsertEntryHashTable
RtlCopyMdlToMdlIndirect
NetioAdvanceToLocationInNetBuffer
TlDefaultRequestQueryDispatch
TlDefaultRequestMessage
TlDefaultRequestQueryDispatchEndpoint
RtlCopyMdlToBuffer
NetioFreeNetBufferAndNetBufferList
RtlCopyBufferToMdl
NetioAllocateAndReferenceNetBufferAndNetBufferList
RtlDeleteHashTable
RtlCleanupTimerWheel
RtlInitializeTimerWheel
RtlCreateHashTable
RtlExpandHashTable
RtlContractHashTable
NetioCompleteCopyNetBufferListChain
NetioInitializeNetBufferListContext
NetioFreeCopyNetBufferList
NetioAllocateAndReferenceCopyNetBufferListEx
RtlUpdateCurrentTimerWheelTick
NetioRetreatNetBufferList
NetioAllocateMdl
NmrProviderDetachClientComplete
NmrRegisterProvider
NmrDeregisterProvider
NmrWaitForProviderDeregisterComplete
NmrClientDetachProviderComplete
NmrClientAttachProvider
NmrRegisterClient
NmrDeregisterClient
NmrWaitForClientDeregisterComplete
RtlInitWeakEnumerationHashTable
RtlWeaklyEnumerateEntryHashTable
RtlEndWeakEnumerationHashTable
NetioReferenceNetBufferList
TlDefaultRequestListen
TlDefaultRequestConnect
TlDefaultRequestCancel
TlDefaultRequestIoControl
FsbFree
NetioFreeNetBuffer
NetioFreeMdl
NetioAllocateNetBufferMdlAndData
NetioFreeNetBufferListNetBufferMdlAndDataPool
NetioFreeNetBufferMdlAndDataPool
NetioAllocateNetBufferListNetBufferMdlAndDataPool
NetioAllocateNetBufferMdlAndDataPool
NetioDereferenceNetBufferList
NetioAllocateAndReferenceNetBufferListNetBufferMdlAndData
RtlIndicateTimerWheelEntryTimerStart
RtlCleanupToeplitzHash
RtlInitializeToeplitzHash
FsbDestroyPool
FsbCreatePool
WfpStreamEndpointCleanupBegin
WfpStopStreamShim
WfpStartStreamShim
NetioInitializeNetBufferListAndFirstNetBufferContext
NetioUnInitializeNetBufferListLibrary
NetioInitializeNetBufferListLibrary
RtlInvokeStopRoutines
RtlInvokeStartRoutines
WfpStreamInspectSend
WfpStreamInspectDisconnect
NsiEnumerateObjectsAllParameters
NsiReferenceDefaultObjectSecurity
NsiRegisterChangeNotification
NsiDeregisterChangeNotification
NetioCompleteNetBufferListChain
NetioAllocateAndReferenceFragmentNetBufferList
RtlCopyMdlToMdl
IoctlKfdResetState
IoctlKfdQueryLayerStatistics
IoctlKfdAbortTransaction
IoctlKfdCommitTransaction
IoctlKfdDeleteCache
IoctlKfdAddCache
IoctlKfdBatchUpdate
IoctlKfdDeleteIndex
IoctlKfdAddIndex
SetWfpDeviceObject
HfDestroyFactory
HfCreateFactory
NetioAllocateAndReferenceNetBufferList
NetioAllocateNetBuffer
NsiSetObjectSecurity
PtGetNumNodes
PtCreateTable
PtDestroyTable
NsiSetParameter
NsiFreeTable
NsiAllocateAndGetTable
PtInsertEntry
PtGetExactMatch
PtSetData
PtGetData
PtGetLongestMatch
PtEnumOverTable
PtGetKey
PtDeleteEntry
PtGetNextShorterMatch
NetioQueryNetBufferListTrafficClass
NetioExpandNetBuffer
NetioUpdateNetBufferListContext
NetioAllocateAndReferenceCloneNetBufferListEx
NetioAllocateAndReferenceCloneNetBufferList
NetioFreeCloneNetBufferList
NetioAllocateAndReferenceVacantNetBufferList
NetioCompleteNetBufferAndNetBufferListChain
NsiGetParameter
NsiGetAllParameters
RtlEndEnumerationHashTable
RtlEnumerateEntryHashTable
RtlInitEnumerationHashTable
KfdCheckAndCacheAcceptBypass
KfdCheckAcceptBypass
KfdCheckAndCacheConnectBypass
KfdCheckConnectBypass
KfdGetLayerActionFromEnumTemplate
KfdFreeEnumHandle
KfdDerefFilterContext
KfdGetNextFilter
KfdEnumLayer
WfpExpireEntryLru
WfpSetBucketsToEmptyLru
KfdAleInitializeFlowTable
WfpScavangeLeastRecentlyUsedList
NsiSetAllParameters
WfpStreamIsFilterPresent
WfpRefreshEntryLru
WfpDeleteEntryLru
WfpUninitializeLeastRecentlyUsedList
KfdToggleFilterActivation
KfdAleUninitializeFlowHandles
KfdAleInitializeFlowHandles
WfpInitializeLeastRecentlyUsedList
FwppStreamDeleteDpcQueue
KfdAleNotifyFlowDeletion
WfpInsertEntryLru
KfdGetOffloadEpoch
KfdIsLsoOffloadPossibleV6
KfdIsLsoOffloadPossibleV4
KfdIsV6InTransportFastEmpty
KfdIsV4InTransportFastEmpty
KfdIsV6OutTransportFastEmpty
KfdIsV4OutTransportFastEmpty
NetioAdvanceNetBufferList
KfdAleReleaseFlowHandleForFlow
KfdClassify
KfdAleAcquireFlowHandleForFlow
KfdIsLayerEmpty
KfdGetLayerCacheEpoch
FwppTruncateStreamDataAfterOffset
FwppAdvanceStreamDataPastOffset
FwppCopyStreamDataToBuffer
FwppStreamContinue
FwppStreamInject
WfpStreamInspectReceive
WfpStreamInspectRemoteDisconnect
NsiGetParameterEx
NetioInsertWorkQueue
ndis.sys
NdisCompleteNetPnPEvent
NdisCloseAdapterEx
NdisOpenAdapterEx
NdisOidRequest
NdisInitiateOffload
NdisUpdateOffload
NdisInvalidateOffload
NdisInitializeTimer
NdisTerminateOffload
NdisRegisterProtocolDriver
NdisDeregisterProtocolDriver
NdisReleaseReadWriteLock
NdisAcquireReadWriteLock
NdisInitializeReadWriteLock
NdisGetSessionToCompartmentMappingEpochAndZero
NdisCancelTimer
NdisSetTimer
NdisReturnNetBufferLists
NdisSendNetBufferLists
NdisQueryOffloadState
NdisCancelSendNetBufferLists
NdisRetreatNetBufferDataStart
NdisGetDataBuffer
NdisGetProcessorInformation
NdisOffloadTcpReceive
NdisOffloadTcpSend
NdisOffloadTcpReceiveReturn
NdisSetOptionalHandlers
NdisOffloadTcpForward
NdisOffloadTcpDisconnect
NdisAdvanceNetBufferDataStart
NdisFreeNetBufferList
NdisGetSessionCompartmentId
NdisGetThreadObjectCompartmentId
NdisAdjustNetBufferCurrentMdl
fltmgr.sys
FltGetFileNameInformationUnsafe
FltReleaseFileNameInformation
fwpkclnt.sys
FwpsCalloutRegisterWithoutDevice0
FwpmBfeStateUnsubscribeChanges0
FwpmBfeStateSubscribeChangesWithoutDevice0
FwpmEngineOpen0
FwpmEngineClose0
FwpsClassifyOptionSet0
FwpmSecureSocketDeleteByKeyAsync0
FwpmSecureSocketAddAsync0
FwpsQueryOutstandingNbls0
FwpsRequestEndpointDeleteNotification0
FwppDispatchDevCtl0
IPsecDriverExpire
IPsecDriverInitiateAcquire
FwpmEventProviderFireNetEvent0
FwpmEventProviderIsNetEventTypeEnabled0
FwpmEventProviderDestroy0
FwpsTcpIpDispatchTableClear0
FwpsTcpIpDispatchTableSet0
FwpmEventProviderCreate0
FwpsCalloutUnregisterByKey0
hal
KeQueryPerformanceCounter
ksecdd.sys
BCryptGenRandom
BCryptGenerateSymmetricKey
BCryptDestroyHash
BCryptFinishHash
BCryptHashData
BCryptCreateHash
BCryptOpenAlgorithmProvider
BCryptCloseAlgorithmProvider
BCryptSetProperty
BCryptGetProperty
BCryptEncrypt
BCryptDecrypt
BCryptDestroyKey
msrpc.sys
NdrMesTypeDecode3
MesHandleFree
I_RpcExceptionFilter
MesDecodeBufferHandleCreate
Exports
Sections
.text Size: 942KB - Virtual size: 941KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 94KB - Virtual size: 94KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 49KB - Virtual size: 106KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 54KB - Virtual size: 53KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
PAGE Size: 3KB - Virtual size: 2KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.edata Size: 512B - Virtual size: 73B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
PAGECONS Size: 512B - Virtual size: 240B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
INIT Size: 17KB - Virtual size: 16KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 1024B - Virtual size: 992B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
.reloc Size: 2KB - Virtual size: 2KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ