23bbc02e3a925a4a7c02b99390b7d5a58f9ef708b0b6bc6c2d0d68a1e02aff7e

Sharing

Copy URL Twitter E-mail

General

Target

23bbc02e3a925a4a7c02b99390b7d5a58f9ef708b0b6bc6c2d0d68a1e02aff7e
Size

7.0MB
MD5

c3d7bebedfd8cb63dfe3acfd0ddbfc41
SHA1

c0148f16ea8a099e465d870b550d451282e19b41
SHA256

23bbc02e3a925a4a7c02b99390b7d5a58f9ef708b0b6bc6c2d0d68a1e02aff7e
SHA512

4c2c3380c039499cf9251b018a9737f5ffdf7cf94569fc52f3d05628bb504de9764839737987cc8c44024476c395cdc138e0f54502833870b38e995abdf45d55
SSDEEP

196608:4UaelZwTgMaMJ7RZPOehzMVNguPNZ7qqV80bPlZu0:4ZCWsMaMJ7XMlPNZ71V80BI0

Score

3^/10

Malware Config

Signatures

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack001/reg/CmdColor.exe
unpack001/reg/drv7/fancyrd.sys

Files

23bbc02e3a925a4a7c02b99390b7d5a58f9ef708b0b6bc6c2d0d68a1e02aff7e
.zip
PrimoRamdisk_Srv_Mui_Setup_6.6.0.exe
.exe windows:5 windows x86 arch:x86

20dd26497880c05caed9305b3c8b9109

Code Sign

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

Issuer

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/01/2021, 00:00

Not After

06/01/2031, 00:00

Subject

CN=DigiCert Timestamp 2021,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

07/01/2016, 12:00

Not After

07/01/2031, 12:00

Subject

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:20:4d:b4:00:00:00:00:00:27
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15/04/2011, 19:45

Not After

15/04/2021, 19:55

Subject

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

01:29:27:90:28:8b:00:e3:b5:3d:86:04:76:4d:ff:4b
Certificate

Issuer

CN=DigiCert EV Code Signing CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

30/08/2019, 00:00

Not After

01/09/2022, 12:00

Subject

SERIALNUMBER=913101105574930924,CN=Shanghai Romex Information Technology Co.\,Ltd.,O=Shanghai Romex Information Technology Co.\,Ltd.,L=Shanghai,ST=Shanghai,C=CN,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.2=#13085368616e67686169,1.3.6.1.4.1.311.60.2.1.3=#1302434e

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

0d:d0:e3:37:4a:c9:5b:db:fa:6b:43:4b:2a:48:ec:06
Certificate

Issuer

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

18/04/2012, 12:00

Not After

18/04/2027, 12:00

Subject

CN=DigiCert EV Code Signing CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:20:4d:b4:00:00:00:00:00:27
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15/04/2011, 19:45

Not After

15/04/2021, 19:55

Subject

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

05:af:de:7b:07:6f:79:b9:01:e3:5b:38:d6:7e:a6:27
Certificate

Issuer

CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

29/08/2019, 00:00

Not After

01/09/2022, 12:00

Subject

SERIALNUMBER=913101105574930924,CN=Shanghai Romex Information Technology Co.\,Ltd.,O=Shanghai Romex Information Technology Co.\,Ltd.,L=Shanghai,ST=Shanghai,C=CN,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.2=#13085368616e67686169,1.3.6.1.4.1.311.60.2.1.3=#1302434e

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5c
Certificate

Issuer

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

18/04/2012, 12:00

Not After

18/04/2027, 12:00

Subject

CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

Issuer

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/01/2021, 00:00

Not After

06/01/2031, 00:00

Subject

CN=DigiCert Timestamp 2021,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

07/01/2016, 12:00

Not After

07/01/2031, 12:00

Subject

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

6d:8c:f2:6a:f1:26:2c:51:98:77:2a:f5:be:26:80:e3:42:36:65:9a:5d:10:52:4f:8d:21:7d:00:0e:0a:23:fa
Signer

Actual PE Digest

6d:8c:f2:6a:f1:26:2c:51:98:77:2a:f5:be:26:80:e3:42:36:65:9a:5d:10:52:4f:8d:21:7d:00:0e:0a:23:fa

Digest Algorithm

sha256

PE Digest Matches

true

ca:ea:24:0a:04:51:5e:f3:9d:de:96:ea:96:f5:ac:33:a2:a3:61:71
Signer

Actual PE Digest

ca:ea:24:0a:04:51:5e:f3:9d:de:96:ea:96:f5:ac:33:a2:a3:61:71

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Imports

oleaut32

SysFreeString
SysReAllocStringLen
SysAllocStringLen

advapi32

RegQueryValueExW
RegOpenKeyExW
RegCloseKey
RegQueryValueExW
RegOpenKeyExW
RegCloseKey
OpenProcessToken
LookupPrivilegeValueW
AdjustTokenPrivileges

user32

GetKeyboardType
LoadStringW
MessageBoxA
CharNextW
CreateWindowExW
TranslateMessage
SetWindowLongW
PeekMessageW
MsgWaitForMultipleObjects
MessageBoxW
LoadStringW
GetSystemMetrics
ExitWindowsEx
DispatchMessageW
DestroyWindow
CharUpperBuffW
CallWindowProcW

kernel32

GetACP
Sleep
VirtualFree
VirtualAlloc
GetSystemInfo
GetTickCount
QueryPerformanceCounter
GetVersion
GetCurrentThreadId
VirtualQuery
WideCharToMultiByte
MultiByteToWideChar
lstrlenW
lstrcpynW
LoadLibraryExW
GetThreadLocale
GetStartupInfoA
GetProcAddress
GetModuleHandleW
GetModuleFileNameW
GetLocaleInfoW
GetCommandLineW
FreeLibrary
FindFirstFileW
FindClose
ExitProcess
WriteFile
UnhandledExceptionFilter
RtlUnwind
RaiseException
GetStdHandle
CloseHandle
TlsSetValue
TlsGetValue
LocalAlloc
GetModuleHandleW
WriteFile
WideCharToMultiByte
WaitForSingleObject
VirtualQuery
VirtualProtect
VirtualFree
VirtualAlloc
SizeofResource
SignalObjectAndWait
SetLastError
SetFilePointer
SetEvent
SetErrorMode
SetEndOfFile
ResetEvent
RemoveDirectoryW
ReadFile
MultiByteToWideChar
LockResource
LoadResource
LoadLibraryW
GetWindowsDirectoryW
GetVersionExW
GetVersion
GetUserDefaultLangID
GetThreadLocale
GetSystemInfo
GetSystemDirectoryW
GetStdHandle
GetProcAddress
GetModuleHandleW
GetModuleFileNameW
GetLocaleInfoW
GetLastError
GetFullPathNameW
GetFileSize
GetFileAttributesW
GetExitCodeProcess
GetEnvironmentVariableW
GetDiskFreeSpaceW
GetCurrentProcess
GetCommandLineW
GetCPInfo
InterlockedExchange
InterlockedCompareExchange
FreeLibrary
FormatMessageW
FindResourceW
EnumCalendarInfoW
DeleteFileW
CreateProcessW
CreateFileW
CreateEventW
CreateDirectoryW
CloseHandle
Sleep

comctl32

InitCommonControls

Sections

.text
Size: 61KB - Virtual size: 60KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.itext
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 21KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: - Virtual size: 8B

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 512B - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 333KB - Virtual size: 333KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
readme.txt
reg/CmdColor.exe
.exe windows:4 windows x86 arch:x86

7bf6ee7f997d9058a8fa5739c928c0b5

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

SetConsoleTextAttribute
GetConsoleScreenBufferInfo
GetStdHandle
SetErrorMode
RaiseException
RtlUnwind
ExitProcess
TerminateProcess
GetCurrentProcess
GetLastError
SetConsoleCtrlHandler
HeapFree
GetCommandLineA
GetVersion
HeapReAlloc
HeapAlloc
HeapSize
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetModuleHandleA
GetModuleFileNameA
GetEnvironmentVariableA
GetVersionExA
HeapDestroy
HeapCreate
VirtualFree
VirtualAlloc
IsBadWritePtr
FreeEnvironmentStringsA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStrings
GetEnvironmentStringsW
SetHandleCount
GetFileType
GetStartupInfoA
WriteFile
IsBadReadPtr
IsBadCodePtr
GetCPInfo
GetACP
GetOEMCP
GetProcAddress
LoadLibraryA
MultiByteToWideChar
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
SetFilePointer
FlushFileBuffers
CloseHandle
IsValidLocale
IsValidCodePage
GetLocaleInfoA
EnumSystemLocalesA
GetUserDefaultLCID
ReadFile
SetStdHandle
GetLocaleInfoW

Sections

.text
Size: 64KB - Virtual size: 63KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 16KB - Virtual size: 22KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
reg/PrDSrv56crk.reg
reg/TestCertificate.cer
reg/drv.bak/win10-11_srv2016-2022/fancyrd.cat
reg/drv.bak/win10-11_srv2016-2022/fancyrd.inf
reg/drv.bak/win10-11_srv2016-2022/fancyrd.sys
.sys windows:10 windows x64 arch:x64

6941dff5e013a237f1620c4cff1d8b89

Code Sign

33:00:00:00:4d:e5:97:a7:75:e3:15:7f:7b:00:00:00:00:00:4d
Certificate

Issuer

CN=Microsoft Windows Third Party Component CA 2014,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

09/09/2021, 19:15

Not After

01/09/2022, 19:15

Subject

CN=Microsoft Windows Hardware Compatibility Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

33:00:00:00:0d:69:0d:5d:78:93:d0:76:df:00:00:00:00:00:0d
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15/10/2014, 20:31

Not After

15/10/2029, 20:41

Subject

CN=Microsoft Windows Third Party Component CA 2014,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

77:df:b4:75:08:65:83:c3:41:3b:1a:a6:e3:16:bf:15:41:e5:55:2f:4e:6a:0b:c0:78:e8:36:8a:04:de:f6:d8
Signer

Actual PE Digest

77:df:b4:75:08:65:83:c3:41:3b:1a:a6:e3:16:bf:15:41:e5:55:2f:4e:6a:0b:c0:78:e8:36:8a:04:de:f6:d8

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

rxbsknl.sys

RxbsCreateHyperDevice
RxbsCloseHyperDevice
RxbsConnectHyperSystem
RxbsDisconnectHyperSystem
RxbsStartHyperSystem
RxbsEnableDumpClient
RxbsSetParamHyperSystem
RxbsGetParamHyperSystem
RxbsGetHyperSystemState
RxbsDisableDumpClient
RxbsFreezeHyperClient
RxbsReviveHyperClient

ntoskrnl.exe

KeInitializeEvent
KeSetEvent
KeSetPriorityThread
KeWaitForSingleObject
ExInterlockedInsertTailList
ExInterlockedRemoveHeadList
MmUnmapLockedPages
PsTerminateSystemThread
ZwReadFile
ZwClose
RtlCompareMemory
KeInitializeGuardedMutex
KeAcquireGuardedMutex
KeReleaseGuardedMutex
ExAllocatePoolWithTag
ExFreePoolWithTag
ZwWriteFile
RtlInitUnicodeString
ExInitializeNPagedLookasideList
ExDeleteNPagedLookasideList
MmMapLockedPagesSpecifyCache
IoAllocateMdl
IoBuildPartialMdl
IoFreeMdl
IoGetTopLevelIrp
IoSetTopLevelIrp
ZwCreateFile
ZwOpenFile
ZwQueryInformationFile
ZwDeleteFile
ZwFsControlFile
RtlCopyUnicodeString
RtlFreeUnicodeString
RtlIsNtDdiVersionAvailable
KeDelayExecutionThread
KdDisableDebugger
KdEnableDebugger
IoAttachDeviceToDeviceStack
IofCallDriver
IofCompleteRequest
IoDeleteDevice
IoDetachDevice
IoRegisterShutdownNotification
IoInvalidateDeviceRelations
IoRegisterDeviceInterface
ObfDereferenceObject
ZwCreateDirectoryObject
ZwMakeTemporaryObject
IoGetConfigurationInformation
IoRegisterBootDriverReinitialization
IoRegisterDriverReinitialization
_vsnwprintf
KdDebuggerEnabled
InitSafeBootMode
PoSetPowerState
RtlIntegerToUnicodeString
RtlUnicodeStringToInteger
IoOpenDeviceRegistryKey
ZwOpenKey
ZwDeleteValueKey
ZwEnumerateValueKey
ZwQueryValueKey
ZwSetValueKey
RtlUnicodeStringToAnsiString
RtlCompareUnicodeString
RtlFreeAnsiString
RtlGenerate8dot3Name
RtlIsNameLegalDOS8Dot3
RtlTimeToTimeFields
ExSystemTimeToLocalTime
IoGetAttachedDeviceReference
IoRequestDeviceEject
KeGetCurrentIrql
IoBuildSynchronousFsdRequest
KeInsertQueue
_vsnprintf
IoGetAttachedDevice
RtlUnicodeStringToCountedOemString
RtlUpcaseUnicodeStringToCountedOemString
KeQueryActiveProcessorCountEx
IoCreateDevice
IoCreateSymbolicLink
IoDeleteSymbolicLink
ZwOpenSymbolicLinkObject
KeInitializeTimer
KeCancelTimer
KeSetTimer
KeWaitForMultipleObjects
IoUnregisterShutdownNotification
IoSetDeviceInterfaceState
ObfReferenceObject
KeEnterCriticalRegion
KeLeaveCriticalRegion
RtlCreateSecurityDescriptor
RtlSetDaclSecurityDescriptor
ObReferenceObjectByHandle
ZwCreateKey
ZwQueryKey
ZwOpenEvent
ZwQueryVolumeInformationFile
RtlRandomEx
RtlLengthSid
RtlCreateAcl
RtlAddAccessAllowedAce
RtlSetOwnerSecurityDescriptor
ZwCreateEvent
ZwSetSecurityObject
ObReferenceObjectByName
SeExports
IoDriverObjectType
KeAreAllApcsDisabled
IoGetStackLimits
RtlInitAnsiString
RtlAnsiStringToUnicodeString
IoGetDeviceInterfaces
ZwDeviceIoControlFile
ExQueryDepthSList
ExpInterlockedPopEntrySList
ExpInterlockedPushEntrySList
KeAcquireSpinLockRaiseToDpc
KeReleaseSpinLock
IoAllocateIrp
IoFreeIrp
IoCsqInitializeEx
IoCsqInsertIrpEx
IoCsqRemoveNextIrp
KeRemoveQueue
MmGetSystemRoutineAddress
KeSetSystemGroupAffinityThread
KeRevertToUserGroupAffinityThread
KeQueryNodeActiveAffinity
KeQueryHighestNodeNumber
MmAllocatePagesForMdlEx
MmFreePagesFromMdl
MmCreateMdl
ZwQuerySystemInformation
RtlEqualUnicodeString
KeClearEvent
IoAllocateErrorLogEntry
IoBuildDeviceIoControlRequest
IoGetDeviceObjectPointer
IoWriteErrorLogEntry
IoAllocateWorkItem
IoFreeWorkItem
IoQueueWorkItem
PsIsSystemThread
PsCreateSystemThread
KeInitializeQueue
KeRundownQueue
ZwSetInformationFile
LpcPortObjectType
RtlQueryRegistryValues
MmMapIoSpace
MmUnmapIoSpace
IoGetRelatedDeviceObject
IoFileObjectType
PsGetVersion
ExAllocatePoolWithQuotaTag

Sections

.text
Size: 86KB - Virtual size: 86KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

EXTRA
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

CPATA
Size: 512B - Virtual size: 401B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 28KB - Virtual size: 27KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1024B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGE
Size: 41KB - Virtual size: 40KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 11KB - Virtual size: 10KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 308B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
reg/drv.bak/win7-8.1_srv2008-2012/fancyrd.cat
reg/drv.bak/win7-8.1_srv2008-2012/fancyrd.inf
reg/drv.bak/win7-8.1_srv2008-2012/fancyrd.sys
.sys windows:10 windows x64 arch:x64

052e5c912ca7ada7ef76924673232acf

Code Sign

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

Issuer

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/01/2021, 00:00

Not After

06/01/2031, 00:00

Subject

CN=DigiCert Timestamp 2021,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

07/01/2016, 12:00

Not After

07/01/2031, 12:00

Subject

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:20:4d:b4:00:00:00:00:00:27
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15/04/2011, 19:45

Not After

15/04/2021, 19:55

Subject

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

01:29:27:90:28:8b:00:e3:b5:3d:86:04:76:4d:ff:4b
Certificate

Issuer

CN=DigiCert EV Code Signing CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

30/08/2019, 00:00

Not After

01/09/2022, 12:00

Subject

SERIALNUMBER=913101105574930924,CN=Shanghai Romex Information Technology Co.\,Ltd.,O=Shanghai Romex Information Technology Co.\,Ltd.,L=Shanghai,ST=Shanghai,C=CN,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.2=#13085368616e67686169,1.3.6.1.4.1.311.60.2.1.3=#1302434e

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

0d:d0:e3:37:4a:c9:5b:db:fa:6b:43:4b:2a:48:ec:06
Certificate

Issuer

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

18/04/2012, 12:00

Not After

18/04/2027, 12:00

Subject

CN=DigiCert EV Code Signing CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:20:4d:b4:00:00:00:00:00:27
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15/04/2011, 19:45

Not After

15/04/2021, 19:55

Subject

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

05:af:de:7b:07:6f:79:b9:01:e3:5b:38:d6:7e:a6:27
Certificate

Issuer

CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

29/08/2019, 00:00

Not After

01/09/2022, 12:00

Subject

SERIALNUMBER=913101105574930924,CN=Shanghai Romex Information Technology Co.\,Ltd.,O=Shanghai Romex Information Technology Co.\,Ltd.,L=Shanghai,ST=Shanghai,C=CN,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.2=#13085368616e67686169,1.3.6.1.4.1.311.60.2.1.3=#1302434e

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5c
Certificate

Issuer

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

18/04/2012, 12:00

Not After

18/04/2027, 12:00

Subject

CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

Issuer

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/01/2021, 00:00

Not After

06/01/2031, 00:00

Subject

CN=DigiCert Timestamp 2021,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

07/01/2016, 12:00

Not After

07/01/2031, 12:00

Subject

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

94:15:23:a9:28:57:31:4b:c1:c8:8d:91:35:11:04:89:fb:9c:e6:8d:ca:a9:b2:7a:f0:25:5e:a6:ce:bb:1c:11
Signer

Actual PE Digest

94:15:23:a9:28:57:31:4b:c1:c8:8d:91:35:11:04:89:fb:9c:e6:8d:ca:a9:b2:7a:f0:25:5e:a6:ce:bb:1c:11

Digest Algorithm

sha256

PE Digest Matches

true

d6:3e:ac:02:d1:94:e6:29:39:04:a6:f1:b2:81:1f:e5:97:5e:9a:3f
Signer

Actual PE Digest

d6:3e:ac:02:d1:94:e6:29:39:04:a6:f1:b2:81:1f:e5:97:5e:9a:3f

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

rxbsknl.sys

RxbsCreateHyperDevice
RxbsCloseHyperDevice
RxbsConnectHyperSystem
RxbsDisconnectHyperSystem
RxbsStartHyperSystem
RxbsEnableDumpClient
RxbsSetParamHyperSystem
RxbsGetParamHyperSystem
RxbsGetHyperSystemState
RxbsDisableDumpClient
RxbsFreezeHyperClient
RxbsReviveHyperClient

ntoskrnl.exe

KeInitializeEvent
KeSetEvent
KeSetPriorityThread
KeWaitForSingleObject
ExInterlockedInsertTailList
ExInterlockedRemoveHeadList
MmUnmapLockedPages
PsTerminateSystemThread
ZwReadFile
ZwClose
RtlCompareMemory
KeInitializeGuardedMutex
KeAcquireGuardedMutex
KeReleaseGuardedMutex
ExAllocatePoolWithTag
ExFreePoolWithTag
ZwWriteFile
RtlInitUnicodeString
ExInitializeNPagedLookasideList
ExDeleteNPagedLookasideList
MmMapLockedPagesSpecifyCache
IoAllocateMdl
IoBuildPartialMdl
IoFreeMdl
IoGetTopLevelIrp
IoSetTopLevelIrp
ZwCreateFile
ZwOpenFile
ZwQueryInformationFile
ZwDeleteFile
ZwFsControlFile
RtlCopyUnicodeString
RtlFreeUnicodeString
RtlIsNtDdiVersionAvailable
KeDelayExecutionThread
IoAttachDeviceToDeviceStack
IofCallDriver
IofCompleteRequest
IoDeleteDevice
IoDetachDevice
IoRegisterShutdownNotification
IoInvalidateDeviceRelations
IoRegisterDeviceInterface
ObfDereferenceObject
ZwCreateDirectoryObject
ZwMakeTemporaryObject
IoGetConfigurationInformation
IoRegisterBootDriverReinitialization
IoRegisterDriverReinitialization
_vsnwprintf
InitSafeBootMode
PoSetPowerState
RtlIntegerToUnicodeString
RtlUnicodeStringToInteger
IoOpenDeviceRegistryKey
ZwOpenKey
ZwDeleteValueKey
ZwEnumerateValueKey
ZwQueryValueKey
ZwSetValueKey
RtlUnicodeStringToAnsiString
RtlCompareUnicodeString
RtlFreeAnsiString
RtlGenerate8dot3Name
RtlIsNameLegalDOS8Dot3
RtlTimeToTimeFields
ExSystemTimeToLocalTime
IoGetAttachedDeviceReference
IoRequestDeviceEject
KeGetCurrentIrql
IoBuildSynchronousFsdRequest
KeInsertQueue
_vsnprintf
IoGetAttachedDevice
RtlUnicodeStringToCountedOemString
RtlUpcaseUnicodeStringToCountedOemString
KeQueryActiveProcessorCountEx
IoCreateDevice
IoCreateSymbolicLink
IoDeleteSymbolicLink
ZwOpenSymbolicLinkObject
KeInitializeTimer
KeCancelTimer
KeSetTimer
KeWaitForMultipleObjects
IoUnregisterShutdownNotification
IoSetDeviceInterfaceState
ObfReferenceObject
KeEnterCriticalRegion
KeLeaveCriticalRegion
RtlAppendUnicodeStringToString
KdDisableDebugger
KdEnableDebugger
ZwCreateSection
ZwMapViewOfSection
ZwUnmapViewOfSection
KdDebuggerEnabled
RtlCreateSecurityDescriptor
RtlSetDaclSecurityDescriptor
ObReferenceObjectByHandle
ZwCreateKey
ZwQueryKey
ZwOpenEvent
ZwQueryVolumeInformationFile
RtlRandomEx
RtlLengthSid
RtlCreateAcl
RtlAddAccessAllowedAce
RtlSetOwnerSecurityDescriptor
ZwCreateEvent
ZwSetSecurityObject
ObReferenceObjectByName
SeExports
IoDriverObjectType
KeAreAllApcsDisabled
IoGetStackLimits
RtlInitAnsiString
RtlAnsiStringToUnicodeString
IoGetDeviceInterfaces
ZwDeviceIoControlFile
ExQueryDepthSList
ExpInterlockedPopEntrySList
ExpInterlockedPushEntrySList
KeAcquireSpinLockRaiseToDpc
KeReleaseSpinLock
IoAllocateIrp
IoFreeIrp
IoCsqInitializeEx
IoCsqInsertIrpEx
IoCsqRemoveNextIrp
KeRemoveQueue
KeBugCheckEx
MmGetSystemRoutineAddress
KeSetSystemGroupAffinityThread
KeRevertToUserGroupAffinityThread
KeQueryNodeActiveAffinity
KeQueryHighestNodeNumber
MmAllocatePagesForMdlEx
MmFreePagesFromMdl
MmCreateMdl
ZwQuerySystemInformation
RtlEqualUnicodeString
KeClearEvent
IoAllocateErrorLogEntry
IoBuildDeviceIoControlRequest
IoGetDeviceObjectPointer
IoWriteErrorLogEntry
IoAllocateWorkItem
IoFreeWorkItem
IoQueueWorkItem
PsIsSystemThread
PsCreateSystemThread
KeInitializeQueue
KeRundownQueue
ZwSetInformationFile
LpcPortObjectType
RtlQueryRegistryValues
MmMapIoSpace
MmUnmapIoSpace
IoGetRelatedDeviceObject
IoFileObjectType
PsGetVersion
ExAllocatePoolWithQuotaTag

Sections

.text
Size: 82KB - Virtual size: 82KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

EXTRA
Size: 11KB - Virtual size: 10KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

CPATA
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 30KB - Virtual size: 30KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1024B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGE
Size: 41KB - Virtual size: 40KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 17KB - Virtual size: 17KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 308B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
reg/drv10/fancyrd.cat
reg/drv10/fancyrd.inf
reg/drv10/fancyrd.sys
.sys windows:10 windows x64 arch:x64

6941dff5e013a237f1620c4cff1d8b89

Code Sign

19:3d:d9:e9:6e:2d:1d:84:47:5e:67:8b:47:a9:e7:9e
Certificate

Issuer

CN=TestCertificate

Not Before

31/12/1899, 16:00

Not After

31/12/3000, 16:00

Subject

CN=TestCertificate

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/08/2022, 00:00

Not After

09/11/2031, 23:59

Subject

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

23/03/2022, 00:00

Not After

22/03/2037, 23:59

Subject

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0a:7a:4a:88:9e:c9:99:42:90:06:63:38:4d:86:97:9d
Certificate

Issuer

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Not Before

29/03/2022, 00:00

Not After

14/03/2033, 23:59

Subject

CN=DigiCert Timestamp 2022 - 2,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

19:3d:d9:e9:6e:2d:1d:84:47:5e:67:8b:47:a9:e7:9e
Certificate

Issuer

CN=TestCertificate

Not Before

31/12/1899, 16:00

Not After

31/12/3000, 16:00

Subject

CN=TestCertificate

0a:7a:4a:88:9e:c9:99:42:90:06:63:38:4d:86:97:9d
Certificate

Issuer

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Not Before

29/03/2022, 00:00

Not After

14/03/2033, 23:59

Subject

CN=DigiCert Timestamp 2022 - 2,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

23/03/2022, 00:00

Not After

22/03/2037, 23:59

Subject

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/08/2022, 00:00

Not After

09/11/2031, 23:59

Subject

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

44:93:7a:17:7e:39:1a:06:76:44:0d:ea:2f:8f:9e:91:94:74:24:d4:0b:a4:11:5e:c5:f2:eb:dd:9c:a4:7a:63
Signer

Actual PE Digest

44:93:7a:17:7e:39:1a:06:76:44:0d:ea:2f:8f:9e:91:94:74:24:d4:0b:a4:11:5e:c5:f2:eb:dd:9c:a4:7a:63

Digest Algorithm

sha256

PE Digest Matches

true

85:50:78:7b:86:47:63:2f:9c:d7:54:05:9a:49:83:06:7a:bc:7c:fb
Signer

Actual PE Digest

85:50:78:7b:86:47:63:2f:9c:d7:54:05:9a:49:83:06:7a:bc:7c:fb

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

rxbsknl.sys

RxbsCreateHyperDevice
RxbsCloseHyperDevice
RxbsConnectHyperSystem
RxbsDisconnectHyperSystem
RxbsStartHyperSystem
RxbsEnableDumpClient
RxbsSetParamHyperSystem
RxbsGetParamHyperSystem
RxbsGetHyperSystemState
RxbsDisableDumpClient
RxbsFreezeHyperClient
RxbsReviveHyperClient

ntoskrnl.exe

KeInitializeEvent
KeSetEvent
KeSetPriorityThread
KeWaitForSingleObject
ExInterlockedInsertTailList
ExInterlockedRemoveHeadList
MmUnmapLockedPages
PsTerminateSystemThread
ZwReadFile
ZwClose
RtlCompareMemory
KeInitializeGuardedMutex
KeAcquireGuardedMutex
KeReleaseGuardedMutex
ExAllocatePoolWithTag
ExFreePoolWithTag
ZwWriteFile
RtlInitUnicodeString
ExInitializeNPagedLookasideList
ExDeleteNPagedLookasideList
MmMapLockedPagesSpecifyCache
IoAllocateMdl
IoBuildPartialMdl
IoFreeMdl
IoGetTopLevelIrp
IoSetTopLevelIrp
ZwCreateFile
ZwOpenFile
ZwQueryInformationFile
ZwDeleteFile
ZwFsControlFile
RtlCopyUnicodeString
RtlFreeUnicodeString
RtlIsNtDdiVersionAvailable
KeDelayExecutionThread
KdDisableDebugger
KdEnableDebugger
IoAttachDeviceToDeviceStack
IofCallDriver
IofCompleteRequest
IoDeleteDevice
IoDetachDevice
IoRegisterShutdownNotification
IoInvalidateDeviceRelations
IoRegisterDeviceInterface
ObfDereferenceObject
ZwCreateDirectoryObject
ZwMakeTemporaryObject
IoGetConfigurationInformation
IoRegisterBootDriverReinitialization
IoRegisterDriverReinitialization
_vsnwprintf
KdDebuggerEnabled
InitSafeBootMode
PoSetPowerState
RtlIntegerToUnicodeString
RtlUnicodeStringToInteger
IoOpenDeviceRegistryKey
ZwOpenKey
ZwDeleteValueKey
ZwEnumerateValueKey
ZwQueryValueKey
ZwSetValueKey
RtlUnicodeStringToAnsiString
RtlCompareUnicodeString
RtlFreeAnsiString
RtlGenerate8dot3Name
RtlIsNameLegalDOS8Dot3
RtlTimeToTimeFields
ExSystemTimeToLocalTime
IoGetAttachedDeviceReference
IoRequestDeviceEject
KeGetCurrentIrql
IoBuildSynchronousFsdRequest
KeInsertQueue
_vsnprintf
IoGetAttachedDevice
RtlUnicodeStringToCountedOemString
RtlUpcaseUnicodeStringToCountedOemString
KeQueryActiveProcessorCountEx
IoCreateDevice
IoCreateSymbolicLink
IoDeleteSymbolicLink
ZwOpenSymbolicLinkObject
KeInitializeTimer
KeCancelTimer
KeSetTimer
KeWaitForMultipleObjects
IoUnregisterShutdownNotification
IoSetDeviceInterfaceState
ObfReferenceObject
KeEnterCriticalRegion
KeLeaveCriticalRegion
RtlCreateSecurityDescriptor
RtlSetDaclSecurityDescriptor
ObReferenceObjectByHandle
ZwCreateKey
ZwQueryKey
ZwOpenEvent
ZwQueryVolumeInformationFile
RtlRandomEx
RtlLengthSid
RtlCreateAcl
RtlAddAccessAllowedAce
RtlSetOwnerSecurityDescriptor
ZwCreateEvent
ZwSetSecurityObject
ObReferenceObjectByName
SeExports
IoDriverObjectType
KeAreAllApcsDisabled
IoGetStackLimits
RtlInitAnsiString
RtlAnsiStringToUnicodeString
IoGetDeviceInterfaces
ZwDeviceIoControlFile
ExQueryDepthSList
ExpInterlockedPopEntrySList
ExpInterlockedPushEntrySList
KeAcquireSpinLockRaiseToDpc
KeReleaseSpinLock
IoAllocateIrp
IoFreeIrp
IoCsqInitializeEx
IoCsqInsertIrpEx
IoCsqRemoveNextIrp
KeRemoveQueue
MmGetSystemRoutineAddress
KeSetSystemGroupAffinityThread
KeRevertToUserGroupAffinityThread
KeQueryNodeActiveAffinity
KeQueryHighestNodeNumber
MmAllocatePagesForMdlEx
MmFreePagesFromMdl
MmCreateMdl
ZwQuerySystemInformation
RtlEqualUnicodeString
KeClearEvent
IoAllocateErrorLogEntry
IoBuildDeviceIoControlRequest
IoGetDeviceObjectPointer
IoWriteErrorLogEntry
IoAllocateWorkItem
IoFreeWorkItem
IoQueueWorkItem
PsIsSystemThread
PsCreateSystemThread
KeInitializeQueue
KeRundownQueue
ZwSetInformationFile
LpcPortObjectType
RtlQueryRegistryValues
MmMapIoSpace
MmUnmapIoSpace
IoGetRelatedDeviceObject
IoFileObjectType
PsGetVersion
ExAllocatePoolWithQuotaTag

Sections

.text
Size: 86KB - Virtual size: 86KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

EXTRA
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

CPATA
Size: 512B - Virtual size: 401B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 28KB - Virtual size: 27KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1024B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGE
Size: 41KB - Virtual size: 40KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 11KB - Virtual size: 10KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 308B - Virtual size: 308B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
reg/drv7/fancyrd.cat
reg/drv7/fancyrd.inf
reg/drv7/fancyrd.sys
.sys windows:10 windows x64 arch:x64

052e5c912ca7ada7ef76924673232acf

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

rxbsknl.sys

RxbsCreateHyperDevice
RxbsCloseHyperDevice
RxbsConnectHyperSystem
RxbsDisconnectHyperSystem
RxbsStartHyperSystem
RxbsEnableDumpClient
RxbsSetParamHyperSystem
RxbsGetParamHyperSystem
RxbsGetHyperSystemState
RxbsDisableDumpClient
RxbsFreezeHyperClient
RxbsReviveHyperClient

ntoskrnl.exe

KeInitializeEvent
KeSetEvent
KeSetPriorityThread
KeWaitForSingleObject
ExInterlockedInsertTailList
ExInterlockedRemoveHeadList
MmUnmapLockedPages
PsTerminateSystemThread
ZwReadFile
ZwClose
RtlCompareMemory
KeInitializeGuardedMutex
KeAcquireGuardedMutex
KeReleaseGuardedMutex
ExAllocatePoolWithTag
ExFreePoolWithTag
ZwWriteFile
RtlInitUnicodeString
ExInitializeNPagedLookasideList
ExDeleteNPagedLookasideList
MmMapLockedPagesSpecifyCache
IoAllocateMdl
IoBuildPartialMdl
IoFreeMdl
IoGetTopLevelIrp
IoSetTopLevelIrp
ZwCreateFile
ZwOpenFile
ZwQueryInformationFile
ZwDeleteFile
ZwFsControlFile
RtlCopyUnicodeString
RtlFreeUnicodeString
RtlIsNtDdiVersionAvailable
KeDelayExecutionThread
IoAttachDeviceToDeviceStack
IofCallDriver
IofCompleteRequest
IoDeleteDevice
IoDetachDevice
IoRegisterShutdownNotification
IoInvalidateDeviceRelations
IoRegisterDeviceInterface
ObfDereferenceObject
ZwCreateDirectoryObject
ZwMakeTemporaryObject
IoGetConfigurationInformation
IoRegisterBootDriverReinitialization
IoRegisterDriverReinitialization
_vsnwprintf
InitSafeBootMode
PoSetPowerState
RtlIntegerToUnicodeString
RtlUnicodeStringToInteger
IoOpenDeviceRegistryKey
ZwOpenKey
ZwDeleteValueKey
ZwEnumerateValueKey
ZwQueryValueKey
ZwSetValueKey
RtlUnicodeStringToAnsiString
RtlCompareUnicodeString
RtlFreeAnsiString
RtlGenerate8dot3Name
RtlIsNameLegalDOS8Dot3
RtlTimeToTimeFields
ExSystemTimeToLocalTime
IoGetAttachedDeviceReference
IoRequestDeviceEject
KeGetCurrentIrql
IoBuildSynchronousFsdRequest
KeInsertQueue
_vsnprintf
IoGetAttachedDevice
RtlUnicodeStringToCountedOemString
RtlUpcaseUnicodeStringToCountedOemString
KeQueryActiveProcessorCountEx
IoCreateDevice
IoCreateSymbolicLink
IoDeleteSymbolicLink
ZwOpenSymbolicLinkObject
KeInitializeTimer
KeCancelTimer
KeSetTimer
KeWaitForMultipleObjects
IoUnregisterShutdownNotification
IoSetDeviceInterfaceState
ObfReferenceObject
KeEnterCriticalRegion
KeLeaveCriticalRegion
RtlAppendUnicodeStringToString
KdDisableDebugger
KdEnableDebugger
ZwCreateSection
ZwMapViewOfSection
ZwUnmapViewOfSection
KdDebuggerEnabled
RtlCreateSecurityDescriptor
RtlSetDaclSecurityDescriptor
ObReferenceObjectByHandle
ZwCreateKey
ZwQueryKey
ZwOpenEvent
ZwQueryVolumeInformationFile
RtlRandomEx
RtlLengthSid
RtlCreateAcl
RtlAddAccessAllowedAce
RtlSetOwnerSecurityDescriptor
ZwCreateEvent
ZwSetSecurityObject
ObReferenceObjectByName
SeExports
IoDriverObjectType
KeAreAllApcsDisabled
IoGetStackLimits
RtlInitAnsiString
RtlAnsiStringToUnicodeString
IoGetDeviceInterfaces
ZwDeviceIoControlFile
ExQueryDepthSList
ExpInterlockedPopEntrySList
ExpInterlockedPushEntrySList
KeAcquireSpinLockRaiseToDpc
KeReleaseSpinLock
IoAllocateIrp
IoFreeIrp
IoCsqInitializeEx
IoCsqInsertIrpEx
IoCsqRemoveNextIrp
KeRemoveQueue
KeBugCheckEx
MmGetSystemRoutineAddress
KeSetSystemGroupAffinityThread
KeRevertToUserGroupAffinityThread
KeQueryNodeActiveAffinity
KeQueryHighestNodeNumber
MmAllocatePagesForMdlEx
MmFreePagesFromMdl
MmCreateMdl
ZwQuerySystemInformation
RtlEqualUnicodeString
KeClearEvent
IoAllocateErrorLogEntry
IoBuildDeviceIoControlRequest
IoGetDeviceObjectPointer
IoWriteErrorLogEntry
IoAllocateWorkItem
IoFreeWorkItem
IoQueueWorkItem
PsIsSystemThread
PsCreateSystemThread
KeInitializeQueue
KeRundownQueue
ZwSetInformationFile
LpcPortObjectType
RtlQueryRegistryValues
MmMapIoSpace
MmUnmapIoSpace
IoGetRelatedDeviceObject
IoFileObjectType
PsGetVersion
ExAllocatePoolWithQuotaTag

Sections

.text
Size: 82KB - Virtual size: 82KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

EXTRA
Size: 11KB - Virtual size: 10KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

CPATA
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 30KB - Virtual size: 30KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1024B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGE
Size: 41KB - Virtual size: 40KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 17KB - Virtual size: 17KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 308B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
reg/install.bat
.bat .vbs
下载说明.txt
沃下载-www.wodown.com.url
.url

Sharing

General

Malware Config

Signatures

Files

20dd26497880c05caed9305b3c8b9109

Code Sign

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:ddCertificate

Extended Key Usages

Key Usages

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15Certificate

Extended Key Usages

Key Usages

61:20:4d:b4:00:00:00:00:00:27Certificate

Key Usages

01:29:27:90:28:8b:00:e3:b5:3d:86:04:76:4d:ff:4bCertificate

Extended Key Usages

Key Usages

0d:d0:e3:37:4a:c9:5b:db:fa:6b:43:4b:2a:48:ec:06Certificate

Extended Key Usages

Key Usages

61:20:4d:b4:00:00:00:00:00:27Certificate

Key Usages

05:af:de:7b:07:6f:79:b9:01:e3:5b:38:d6:7e:a6:27Certificate

Extended Key Usages

Key Usages

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5cCertificate

Extended Key Usages

Key Usages

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:ddCertificate

Extended Key Usages

Key Usages

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15Certificate

Extended Key Usages

Key Usages

6d:8c:f2:6a:f1:26:2c:51:98:77:2a:f5:be:26:80:e3:42:36:65:9a:5d:10:52:4f:8d:21:7d:00:0e:0a:23:faSigner

ca:ea:24:0a:04:51:5e:f3:9d:de:96:ea:96:f5:ac:33:a2:a3:61:71Signer

Headers

DLL Characteristics

File Characteristics

Imports

oleaut32

advapi32

user32

kernel32

comctl32

Sections

.text Size: 61KB - Virtual size: 60KB

.itext Size: 4KB - Virtual size: 3KB

.data Size: 3KB - Virtual size: 3KB

.bss Size: - Virtual size: 21KB

.idata Size: 4KB - Virtual size: 3KB

.tls Size: - Virtual size: 8B

.rdata Size: 512B - Virtual size: 24B

.rsrc Size: 333KB - Virtual size: 333KB

7bf6ee7f997d9058a8fa5739c928c0b5

Headers

File Characteristics

Imports

kernel32

Sections

.text Size: 64KB - Virtual size: 63KB

.rdata Size: 12KB - Virtual size: 10KB

.data Size: 16KB - Virtual size: 22KB

6941dff5e013a237f1620c4cff1d8b89

Code Sign

33:00:00:00:4d:e5:97:a7:75:e3:15:7f:7b:00:00:00:00:00:4dCertificate

Extended Key Usages

33:00:00:00:0d:69:0d:5d:78:93:d0:76:df:00:00:00:00:00:0dCertificate

Key Usages

77:df:b4:75:08:65:83:c3:41:3b:1a:a6:e3:16:bf:15:41:e5:55:2f:4e:6a:0b:c0:78:e8:36:8a:04:de:f6:d8Signer

Headers

DLL Characteristics

File Characteristics

Imports

rxbsknl.sys

ntoskrnl.exe

Sections

.text Size: 86KB - Virtual size: 86KB

EXTRA Size: 8KB - Virtual size: 8KB

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

61:20:4d:b4:00:00:00:00:00:27
Certificate

01:29:27:90:28:8b:00:e3:b5:3d:86:04:76:4d:ff:4b
Certificate

0d:d0:e3:37:4a:c9:5b:db:fa:6b:43:4b:2a:48:ec:06
Certificate

61:20:4d:b4:00:00:00:00:00:27
Certificate

05:af:de:7b:07:6f:79:b9:01:e3:5b:38:d6:7e:a6:27
Certificate

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5c
Certificate

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

6d:8c:f2:6a:f1:26:2c:51:98:77:2a:f5:be:26:80:e3:42:36:65:9a:5d:10:52:4f:8d:21:7d:00:0e:0a:23:fa
Signer

ca:ea:24:0a:04:51:5e:f3:9d:de:96:ea:96:f5:ac:33:a2:a3:61:71
Signer

.text
Size: 61KB - Virtual size: 60KB

.itext
Size: 4KB - Virtual size: 3KB

.data
Size: 3KB - Virtual size: 3KB

.bss
Size: - Virtual size: 21KB

.idata
Size: 4KB - Virtual size: 3KB

.tls
Size: - Virtual size: 8B

.rdata
Size: 512B - Virtual size: 24B

.rsrc
Size: 333KB - Virtual size: 333KB

.text
Size: 64KB - Virtual size: 63KB

.rdata
Size: 12KB - Virtual size: 10KB

.data
Size: 16KB - Virtual size: 22KB

33:00:00:00:4d:e5:97:a7:75:e3:15:7f:7b:00:00:00:00:00:4d
Certificate

33:00:00:00:0d:69:0d:5d:78:93:d0:76:df:00:00:00:00:00:0d
Certificate

77:df:b4:75:08:65:83:c3:41:3b:1a:a6:e3:16:bf:15:41:e5:55:2f:4e:6a:0b:c0:78:e8:36:8a:04:de:f6:d8
Signer

.text
Size: 86KB - Virtual size: 86KB

EXTRA
Size: 8KB - Virtual size: 8KB

CPATA
Size: 512B - Virtual size: 401B

.rdata
Size: 28KB - Virtual size: 27KB

.data
Size: 512B - Virtual size: 1024B

.pdata
Size: 5KB - Virtual size: 5KB

PAGE
Size: 41KB - Virtual size: 40KB

INIT
Size: 11KB - Virtual size: 10KB

.rsrc
Size: 2KB - Virtual size: 2KB

.reloc
Size: 512B - Virtual size: 308B

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

61:20:4d:b4:00:00:00:00:00:27
Certificate

01:29:27:90:28:8b:00:e3:b5:3d:86:04:76:4d:ff:4b
Certificate

0d:d0:e3:37:4a:c9:5b:db:fa:6b:43:4b:2a:48:ec:06
Certificate

61:20:4d:b4:00:00:00:00:00:27
Certificate

05:af:de:7b:07:6f:79:b9:01:e3:5b:38:d6:7e:a6:27
Certificate

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5c
Certificate

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

94:15:23:a9:28:57:31:4b:c1:c8:8d:91:35:11:04:89:fb:9c:e6:8d:ca:a9:b2:7a:f0:25:5e:a6:ce:bb:1c:11
Signer

d6:3e:ac:02:d1:94:e6:29:39:04:a6:f1:b2:81:1f:e5:97:5e:9a:3f
Signer

.text
Size: 82KB - Virtual size: 82KB

EXTRA
Size: 11KB - Virtual size: 10KB

CPATA
Size: 6KB - Virtual size: 5KB

.rdata
Size: 30KB - Virtual size: 30KB

.data
Size: 512B - Virtual size: 1024B

.pdata
Size: 6KB - Virtual size: 5KB

PAGE
Size: 41KB - Virtual size: 40KB

INIT
Size: 17KB - Virtual size: 17KB

.rsrc
Size: 2KB - Virtual size: 2KB

.reloc
Size: 512B - Virtual size: 308B

19:3d:d9:e9:6e:2d:1d:84:47:5e:67:8b:47:a9:e7:9e
Certificate

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

0a:7a:4a:88:9e:c9:99:42:90:06:63:38:4d:86:97:9d
Certificate

19:3d:d9:e9:6e:2d:1d:84:47:5e:67:8b:47:a9:e7:9e
Certificate

0a:7a:4a:88:9e:c9:99:42:90:06:63:38:4d:86:97:9d
Certificate