65196f82f532a79dc9c294de42378e68fac0161a73735174a7c88437307647c9

Sharing

Copy URL Twitter E-mail

General

Target

65196f82f532a79dc9c294de42378e68fac0161a73735174a7c88437307647c9
Size

504KB
MD5

7d349ee5ab55f553575e2fcc008f7d0b
SHA1

d83fcdca38059eab7225eb32ac23da599f605492
SHA256

65196f82f532a79dc9c294de42378e68fac0161a73735174a7c88437307647c9
SHA512

4f83faa5cf228ecbee80075ab7f2d45d7bc0762233740c727934216798963094097e800994579695fba1dd090f0d78fe88abdc6f27753ef03998d0b599d94c89
SSDEEP

12288:bw0a5FIJagJQPkvohRll/sRgk10lDv56acAsV:80m2JN9vohtk10lT56atsV

Score

3^/10

Malware Config

Signatures

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack001/reg/CmdColor.exe
unpack001/reg/drv7/fancyrd.sys

Files

65196f82f532a79dc9c294de42378e68fac0161a73735174a7c88437307647c9
.rar
reg/CmdColor.exe
.exe windows:4 windows x86 arch:x86

7bf6ee7f997d9058a8fa5739c928c0b5

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

SetConsoleTextAttribute
GetConsoleScreenBufferInfo
GetStdHandle
SetErrorMode
RaiseException
RtlUnwind
ExitProcess
TerminateProcess
GetCurrentProcess
GetLastError
SetConsoleCtrlHandler
HeapFree
GetCommandLineA
GetVersion
HeapReAlloc
HeapAlloc
HeapSize
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetModuleHandleA
GetModuleFileNameA
GetEnvironmentVariableA
GetVersionExA
HeapDestroy
HeapCreate
VirtualFree
VirtualAlloc
IsBadWritePtr
FreeEnvironmentStringsA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStrings
GetEnvironmentStringsW
SetHandleCount
GetFileType
GetStartupInfoA
WriteFile
IsBadReadPtr
IsBadCodePtr
GetCPInfo
GetACP
GetOEMCP
GetProcAddress
LoadLibraryA
MultiByteToWideChar
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
SetFilePointer
FlushFileBuffers
CloseHandle
IsValidLocale
IsValidCodePage
GetLocaleInfoA
EnumSystemLocalesA
GetUserDefaultLCID
ReadFile
SetStdHandle
GetLocaleInfoW

Sections

.text
Size: 64KB - Virtual size: 63KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 16KB - Virtual size: 22KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
reg/PrDSrv56crk.reg
reg/TestCertificate.cer
reg/drv.bak/win10-11_srv2016-2022/fancyrd.cat
reg/drv.bak/win10-11_srv2016-2022/fancyrd.inf
reg/drv.bak/win10-11_srv2016-2022/fancyrd.sys
.sys windows:10 windows x64 arch:x64

6941dff5e013a237f1620c4cff1d8b89

Code Sign

33:00:00:00:4d:e5:97:a7:75:e3:15:7f:7b:00:00:00:00:00:4d
Certificate

Issuer

CN=Microsoft Windows Third Party Component CA 2014,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

09/09/2021, 19:15

Not After

01/09/2022, 19:15

Subject

CN=Microsoft Windows Hardware Compatibility Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

33:00:00:00:0d:69:0d:5d:78:93:d0:76:df:00:00:00:00:00:0d
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15/10/2014, 20:31

Not After

15/10/2029, 20:41

Subject

CN=Microsoft Windows Third Party Component CA 2014,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

77:df:b4:75:08:65:83:c3:41:3b:1a:a6:e3:16:bf:15:41:e5:55:2f:4e:6a:0b:c0:78:e8:36:8a:04:de:f6:d8
Signer

Actual PE Digest

77:df:b4:75:08:65:83:c3:41:3b:1a:a6:e3:16:bf:15:41:e5:55:2f:4e:6a:0b:c0:78:e8:36:8a:04:de:f6:d8

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

E:\PROJECT\FancyRamdisk\release\drv\win10\amd64\fancyrd_srv.pdb

Imports

rxbsknl.sys

RxbsCreateHyperDevice
RxbsCloseHyperDevice
RxbsConnectHyperSystem
RxbsDisconnectHyperSystem
RxbsStartHyperSystem
RxbsEnableDumpClient
RxbsSetParamHyperSystem
RxbsGetParamHyperSystem
RxbsGetHyperSystemState
RxbsDisableDumpClient
RxbsFreezeHyperClient
RxbsReviveHyperClient

ntoskrnl.exe

KeInitializeEvent
KeSetEvent
KeSetPriorityThread
KeWaitForSingleObject
ExInterlockedInsertTailList
ExInterlockedRemoveHeadList
MmUnmapLockedPages
PsTerminateSystemThread
ZwReadFile
ZwClose
RtlCompareMemory
KeInitializeGuardedMutex
KeAcquireGuardedMutex
KeReleaseGuardedMutex
ExAllocatePoolWithTag
ExFreePoolWithTag
ZwWriteFile
RtlInitUnicodeString
ExInitializeNPagedLookasideList
ExDeleteNPagedLookasideList
MmMapLockedPagesSpecifyCache
IoAllocateMdl
IoBuildPartialMdl
IoFreeMdl
IoGetTopLevelIrp
IoSetTopLevelIrp
ZwCreateFile
ZwOpenFile
ZwQueryInformationFile
ZwDeleteFile
ZwFsControlFile
RtlCopyUnicodeString
RtlFreeUnicodeString
RtlIsNtDdiVersionAvailable
KeDelayExecutionThread
KdDisableDebugger
KdEnableDebugger
IoAttachDeviceToDeviceStack
IofCallDriver
IofCompleteRequest
IoDeleteDevice
IoDetachDevice
IoRegisterShutdownNotification
IoInvalidateDeviceRelations
IoRegisterDeviceInterface
ObfDereferenceObject
ZwCreateDirectoryObject
ZwMakeTemporaryObject
IoGetConfigurationInformation
IoRegisterBootDriverReinitialization
IoRegisterDriverReinitialization
_vsnwprintf
KdDebuggerEnabled
InitSafeBootMode
PoSetPowerState
RtlIntegerToUnicodeString
RtlUnicodeStringToInteger
IoOpenDeviceRegistryKey
ZwOpenKey
ZwDeleteValueKey
ZwEnumerateValueKey
ZwQueryValueKey
ZwSetValueKey
RtlUnicodeStringToAnsiString
RtlCompareUnicodeString
RtlFreeAnsiString
RtlGenerate8dot3Name
RtlIsNameLegalDOS8Dot3
RtlTimeToTimeFields
ExSystemTimeToLocalTime
IoGetAttachedDeviceReference
IoRequestDeviceEject
KeGetCurrentIrql
IoBuildSynchronousFsdRequest
KeInsertQueue
_vsnprintf
IoGetAttachedDevice
RtlUnicodeStringToCountedOemString
RtlUpcaseUnicodeStringToCountedOemString
KeQueryActiveProcessorCountEx
IoCreateDevice
IoCreateSymbolicLink
IoDeleteSymbolicLink
ZwOpenSymbolicLinkObject
KeInitializeTimer
KeCancelTimer
KeSetTimer
KeWaitForMultipleObjects
IoUnregisterShutdownNotification
IoSetDeviceInterfaceState
ObfReferenceObject
KeEnterCriticalRegion
KeLeaveCriticalRegion
RtlCreateSecurityDescriptor
RtlSetDaclSecurityDescriptor
ObReferenceObjectByHandle
ZwCreateKey
ZwQueryKey
ZwOpenEvent
ZwQueryVolumeInformationFile
RtlRandomEx
RtlLengthSid
RtlCreateAcl
RtlAddAccessAllowedAce
RtlSetOwnerSecurityDescriptor
ZwCreateEvent
ZwSetSecurityObject
ObReferenceObjectByName
SeExports
IoDriverObjectType
KeAreAllApcsDisabled
IoGetStackLimits
RtlInitAnsiString
RtlAnsiStringToUnicodeString
IoGetDeviceInterfaces
ZwDeviceIoControlFile
ExQueryDepthSList
ExpInterlockedPopEntrySList
ExpInterlockedPushEntrySList
KeAcquireSpinLockRaiseToDpc
KeReleaseSpinLock
IoAllocateIrp
IoFreeIrp
IoCsqInitializeEx
IoCsqInsertIrpEx
IoCsqRemoveNextIrp
KeRemoveQueue
MmGetSystemRoutineAddress
KeSetSystemGroupAffinityThread
KeRevertToUserGroupAffinityThread
KeQueryNodeActiveAffinity
KeQueryHighestNodeNumber
MmAllocatePagesForMdlEx
MmFreePagesFromMdl
MmCreateMdl
ZwQuerySystemInformation
RtlEqualUnicodeString
KeClearEvent
IoAllocateErrorLogEntry
IoBuildDeviceIoControlRequest
IoGetDeviceObjectPointer
IoWriteErrorLogEntry
IoAllocateWorkItem
IoFreeWorkItem
IoQueueWorkItem
PsIsSystemThread
PsCreateSystemThread
KeInitializeQueue
KeRundownQueue
ZwSetInformationFile
LpcPortObjectType
RtlQueryRegistryValues
MmMapIoSpace
MmUnmapIoSpace
IoGetRelatedDeviceObject
IoFileObjectType
PsGetVersion
ExAllocatePoolWithQuotaTag

Sections

.text
Size: 86KB - Virtual size: 86KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

EXTRA
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

CPATA
Size: 512B - Virtual size: 401B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 28KB - Virtual size: 27KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1024B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGE
Size: 41KB - Virtual size: 40KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 11KB - Virtual size: 10KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 308B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
reg/drv.bak/win7-8.1_srv2008-2012/fancyrd.cat
reg/drv.bak/win7-8.1_srv2008-2012/fancyrd.inf
reg/drv.bak/win7-8.1_srv2008-2012/fancyrd.sys
.sys windows:10 windows x64 arch:x64

052e5c912ca7ada7ef76924673232acf

Code Sign

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

Issuer

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/01/2021, 00:00

Not After

06/01/2031, 00:00

Subject

CN=DigiCert Timestamp 2021,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

07/01/2016, 12:00

Not After

07/01/2031, 12:00

Subject

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:20:4d:b4:00:00:00:00:00:27
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15/04/2011, 19:45

Not After

15/04/2021, 19:55

Subject

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

01:29:27:90:28:8b:00:e3:b5:3d:86:04:76:4d:ff:4b
Certificate

Issuer

CN=DigiCert EV Code Signing CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

30/08/2019, 00:00

Not After

01/09/2022, 12:00

Subject

SERIALNUMBER=913101105574930924,CN=Shanghai Romex Information Technology Co.\,Ltd.,O=Shanghai Romex Information Technology Co.\,Ltd.,L=Shanghai,ST=Shanghai,C=CN,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.2=#13085368616e67686169,1.3.6.1.4.1.311.60.2.1.3=#1302434e

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

0d:d0:e3:37:4a:c9:5b:db:fa:6b:43:4b:2a:48:ec:06
Certificate

Issuer

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

18/04/2012, 12:00

Not After

18/04/2027, 12:00

Subject

CN=DigiCert EV Code Signing CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:20:4d:b4:00:00:00:00:00:27
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15/04/2011, 19:45

Not After

15/04/2021, 19:55

Subject

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

05:af:de:7b:07:6f:79:b9:01:e3:5b:38:d6:7e:a6:27
Certificate

Issuer

CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

29/08/2019, 00:00

Not After

01/09/2022, 12:00

Subject

SERIALNUMBER=913101105574930924,CN=Shanghai Romex Information Technology Co.\,Ltd.,O=Shanghai Romex Information Technology Co.\,Ltd.,L=Shanghai,ST=Shanghai,C=CN,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.2=#13085368616e67686169,1.3.6.1.4.1.311.60.2.1.3=#1302434e

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5c
Certificate

Issuer

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

18/04/2012, 12:00

Not After

18/04/2027, 12:00

Subject

CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

Issuer

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/01/2021, 00:00

Not After

06/01/2031, 00:00

Subject

CN=DigiCert Timestamp 2021,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

07/01/2016, 12:00

Not After

07/01/2031, 12:00

Subject

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

94:15:23:a9:28:57:31:4b:c1:c8:8d:91:35:11:04:89:fb:9c:e6:8d:ca:a9:b2:7a:f0:25:5e:a6:ce:bb:1c:11
Signer

Actual PE Digest

94:15:23:a9:28:57:31:4b:c1:c8:8d:91:35:11:04:89:fb:9c:e6:8d:ca:a9:b2:7a:f0:25:5e:a6:ce:bb:1c:11

Digest Algorithm

sha256

PE Digest Matches

true

d6:3e:ac:02:d1:94:e6:29:39:04:a6:f1:b2:81:1f:e5:97:5e:9a:3f
Signer

Actual PE Digest

d6:3e:ac:02:d1:94:e6:29:39:04:a6:f1:b2:81:1f:e5:97:5e:9a:3f

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

E:\PROJECT\FancyRamdisk\release\drv\win7\amd64\fancyrd_srv_raw.pdb

Imports

rxbsknl.sys

RxbsCreateHyperDevice
RxbsCloseHyperDevice
RxbsConnectHyperSystem
RxbsDisconnectHyperSystem
RxbsStartHyperSystem
RxbsEnableDumpClient
RxbsSetParamHyperSystem
RxbsGetParamHyperSystem
RxbsGetHyperSystemState
RxbsDisableDumpClient
RxbsFreezeHyperClient
RxbsReviveHyperClient

ntoskrnl.exe

KeInitializeEvent
KeSetEvent
KeSetPriorityThread
KeWaitForSingleObject
ExInterlockedInsertTailList
ExInterlockedRemoveHeadList
MmUnmapLockedPages
PsTerminateSystemThread
ZwReadFile
ZwClose
RtlCompareMemory
KeInitializeGuardedMutex
KeAcquireGuardedMutex
KeReleaseGuardedMutex
ExAllocatePoolWithTag
ExFreePoolWithTag
ZwWriteFile
RtlInitUnicodeString
ExInitializeNPagedLookasideList
ExDeleteNPagedLookasideList
MmMapLockedPagesSpecifyCache
IoAllocateMdl
IoBuildPartialMdl
IoFreeMdl
IoGetTopLevelIrp
IoSetTopLevelIrp
ZwCreateFile
ZwOpenFile
ZwQueryInformationFile
ZwDeleteFile
ZwFsControlFile
RtlCopyUnicodeString
RtlFreeUnicodeString
RtlIsNtDdiVersionAvailable
KeDelayExecutionThread
IoAttachDeviceToDeviceStack
IofCallDriver
IofCompleteRequest
IoDeleteDevice
IoDetachDevice
IoRegisterShutdownNotification
IoInvalidateDeviceRelations
IoRegisterDeviceInterface
ObfDereferenceObject
ZwCreateDirectoryObject
ZwMakeTemporaryObject
IoGetConfigurationInformation
IoRegisterBootDriverReinitialization
IoRegisterDriverReinitialization
_vsnwprintf
InitSafeBootMode
PoSetPowerState
RtlIntegerToUnicodeString
RtlUnicodeStringToInteger
IoOpenDeviceRegistryKey
ZwOpenKey
ZwDeleteValueKey
ZwEnumerateValueKey
ZwQueryValueKey
ZwSetValueKey
RtlUnicodeStringToAnsiString
RtlCompareUnicodeString
RtlFreeAnsiString
RtlGenerate8dot3Name
RtlIsNameLegalDOS8Dot3
RtlTimeToTimeFields
ExSystemTimeToLocalTime
IoGetAttachedDeviceReference
IoRequestDeviceEject
KeGetCurrentIrql
IoBuildSynchronousFsdRequest
KeInsertQueue
_vsnprintf
IoGetAttachedDevice
RtlUnicodeStringToCountedOemString
RtlUpcaseUnicodeStringToCountedOemString
KeQueryActiveProcessorCountEx
IoCreateDevice
IoCreateSymbolicLink
IoDeleteSymbolicLink
ZwOpenSymbolicLinkObject
KeInitializeTimer
KeCancelTimer
KeSetTimer
KeWaitForMultipleObjects
IoUnregisterShutdownNotification
IoSetDeviceInterfaceState
ObfReferenceObject
KeEnterCriticalRegion
KeLeaveCriticalRegion
RtlAppendUnicodeStringToString
KdDisableDebugger
KdEnableDebugger
ZwCreateSection
ZwMapViewOfSection
ZwUnmapViewOfSection
KdDebuggerEnabled
RtlCreateSecurityDescriptor
RtlSetDaclSecurityDescriptor
ObReferenceObjectByHandle
ZwCreateKey
ZwQueryKey
ZwOpenEvent
ZwQueryVolumeInformationFile
RtlRandomEx
RtlLengthSid
RtlCreateAcl
RtlAddAccessAllowedAce
RtlSetOwnerSecurityDescriptor
ZwCreateEvent
ZwSetSecurityObject
ObReferenceObjectByName
SeExports
IoDriverObjectType
KeAreAllApcsDisabled
IoGetStackLimits
RtlInitAnsiString
RtlAnsiStringToUnicodeString
IoGetDeviceInterfaces
ZwDeviceIoControlFile
ExQueryDepthSList
ExpInterlockedPopEntrySList
ExpInterlockedPushEntrySList
KeAcquireSpinLockRaiseToDpc
KeReleaseSpinLock
IoAllocateIrp
IoFreeIrp
IoCsqInitializeEx
IoCsqInsertIrpEx
IoCsqRemoveNextIrp
KeRemoveQueue
KeBugCheckEx
MmGetSystemRoutineAddress
KeSetSystemGroupAffinityThread
KeRevertToUserGroupAffinityThread
KeQueryNodeActiveAffinity
KeQueryHighestNodeNumber
MmAllocatePagesForMdlEx
MmFreePagesFromMdl
MmCreateMdl
ZwQuerySystemInformation
RtlEqualUnicodeString
KeClearEvent
IoAllocateErrorLogEntry
IoBuildDeviceIoControlRequest
IoGetDeviceObjectPointer
IoWriteErrorLogEntry
IoAllocateWorkItem
IoFreeWorkItem
IoQueueWorkItem
PsIsSystemThread
PsCreateSystemThread
KeInitializeQueue
KeRundownQueue
ZwSetInformationFile
LpcPortObjectType
RtlQueryRegistryValues
MmMapIoSpace
MmUnmapIoSpace
IoGetRelatedDeviceObject
IoFileObjectType
PsGetVersion
ExAllocatePoolWithQuotaTag

Sections

.text
Size: 82KB - Virtual size: 82KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

EXTRA
Size: 11KB - Virtual size: 10KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

CPATA
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 30KB - Virtual size: 30KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1024B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGE
Size: 41KB - Virtual size: 40KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 17KB - Virtual size: 17KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 308B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
reg/drv10/fancyrd.cat
reg/drv10/fancyrd.inf
reg/drv10/fancyrd.sys
.sys windows:10 windows x64 arch:x64

6941dff5e013a237f1620c4cff1d8b89

Code Sign

19:3d:d9:e9:6e:2d:1d:84:47:5e:67:8b:47:a9:e7:9e
Certificate

Issuer

CN=TestCertificate

Not Before

31/12/1899, 16:00

Not After

31/12/3000, 16:00

Subject

CN=TestCertificate

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/08/2022, 00:00

Not After

09/11/2031, 23:59

Subject

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

23/03/2022, 00:00

Not After

22/03/2037, 23:59

Subject

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0a:7a:4a:88:9e:c9:99:42:90:06:63:38:4d:86:97:9d
Certificate

Issuer

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Not Before

29/03/2022, 00:00

Not After

14/03/2033, 23:59

Subject

CN=DigiCert Timestamp 2022 - 2,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

19:3d:d9:e9:6e:2d:1d:84:47:5e:67:8b:47:a9:e7:9e
Certificate

Issuer

CN=TestCertificate

Not Before

31/12/1899, 16:00

Not After

31/12/3000, 16:00

Subject

CN=TestCertificate

0a:7a:4a:88:9e:c9:99:42:90:06:63:38:4d:86:97:9d
Certificate

Issuer

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Not Before

29/03/2022, 00:00

Not After

14/03/2033, 23:59

Subject

CN=DigiCert Timestamp 2022 - 2,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

23/03/2022, 00:00

Not After

22/03/2037, 23:59

Subject

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/08/2022, 00:00

Not After

09/11/2031, 23:59

Subject

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

44:93:7a:17:7e:39:1a:06:76:44:0d:ea:2f:8f:9e:91:94:74:24:d4:0b:a4:11:5e:c5:f2:eb:dd:9c:a4:7a:63
Signer

Actual PE Digest

44:93:7a:17:7e:39:1a:06:76:44:0d:ea:2f:8f:9e:91:94:74:24:d4:0b:a4:11:5e:c5:f2:eb:dd:9c:a4:7a:63

Digest Algorithm

sha256

PE Digest Matches

true

85:50:78:7b:86:47:63:2f:9c:d7:54:05:9a:49:83:06:7a:bc:7c:fb
Signer

Actual PE Digest

85:50:78:7b:86:47:63:2f:9c:d7:54:05:9a:49:83:06:7a:bc:7c:fb

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

E:\PROJECT\FancyRamdisk\release\drv\win10\amd64\fancyrd_srv.pdb

Imports

rxbsknl.sys

RxbsCreateHyperDevice
RxbsCloseHyperDevice
RxbsConnectHyperSystem
RxbsDisconnectHyperSystem
RxbsStartHyperSystem
RxbsEnableDumpClient
RxbsSetParamHyperSystem
RxbsGetParamHyperSystem
RxbsGetHyperSystemState
RxbsDisableDumpClient
RxbsFreezeHyperClient
RxbsReviveHyperClient

ntoskrnl.exe

KeInitializeEvent
KeSetEvent
KeSetPriorityThread
KeWaitForSingleObject
ExInterlockedInsertTailList
ExInterlockedRemoveHeadList
MmUnmapLockedPages
PsTerminateSystemThread
ZwReadFile
ZwClose
RtlCompareMemory
KeInitializeGuardedMutex
KeAcquireGuardedMutex
KeReleaseGuardedMutex
ExAllocatePoolWithTag
ExFreePoolWithTag
ZwWriteFile
RtlInitUnicodeString
ExInitializeNPagedLookasideList
ExDeleteNPagedLookasideList
MmMapLockedPagesSpecifyCache
IoAllocateMdl
IoBuildPartialMdl
IoFreeMdl
IoGetTopLevelIrp
IoSetTopLevelIrp
ZwCreateFile
ZwOpenFile
ZwQueryInformationFile
ZwDeleteFile
ZwFsControlFile
RtlCopyUnicodeString
RtlFreeUnicodeString
RtlIsNtDdiVersionAvailable
KeDelayExecutionThread
KdDisableDebugger
KdEnableDebugger
IoAttachDeviceToDeviceStack
IofCallDriver
IofCompleteRequest
IoDeleteDevice
IoDetachDevice
IoRegisterShutdownNotification
IoInvalidateDeviceRelations
IoRegisterDeviceInterface
ObfDereferenceObject
ZwCreateDirectoryObject
ZwMakeTemporaryObject
IoGetConfigurationInformation
IoRegisterBootDriverReinitialization
IoRegisterDriverReinitialization
_vsnwprintf
KdDebuggerEnabled
InitSafeBootMode
PoSetPowerState
RtlIntegerToUnicodeString
RtlUnicodeStringToInteger
IoOpenDeviceRegistryKey
ZwOpenKey
ZwDeleteValueKey
ZwEnumerateValueKey
ZwQueryValueKey
ZwSetValueKey
RtlUnicodeStringToAnsiString
RtlCompareUnicodeString
RtlFreeAnsiString
RtlGenerate8dot3Name
RtlIsNameLegalDOS8Dot3
RtlTimeToTimeFields
ExSystemTimeToLocalTime
IoGetAttachedDeviceReference
IoRequestDeviceEject
KeGetCurrentIrql
IoBuildSynchronousFsdRequest
KeInsertQueue
_vsnprintf
IoGetAttachedDevice
RtlUnicodeStringToCountedOemString
RtlUpcaseUnicodeStringToCountedOemString
KeQueryActiveProcessorCountEx
IoCreateDevice
IoCreateSymbolicLink
IoDeleteSymbolicLink
ZwOpenSymbolicLinkObject
KeInitializeTimer
KeCancelTimer
KeSetTimer
KeWaitForMultipleObjects
IoUnregisterShutdownNotification
IoSetDeviceInterfaceState
ObfReferenceObject
KeEnterCriticalRegion
KeLeaveCriticalRegion
RtlCreateSecurityDescriptor
RtlSetDaclSecurityDescriptor
ObReferenceObjectByHandle
ZwCreateKey
ZwQueryKey
ZwOpenEvent
ZwQueryVolumeInformationFile
RtlRandomEx
RtlLengthSid
RtlCreateAcl
RtlAddAccessAllowedAce
RtlSetOwnerSecurityDescriptor
ZwCreateEvent
ZwSetSecurityObject
ObReferenceObjectByName
SeExports
IoDriverObjectType
KeAreAllApcsDisabled
IoGetStackLimits
RtlInitAnsiString
RtlAnsiStringToUnicodeString
IoGetDeviceInterfaces
ZwDeviceIoControlFile
ExQueryDepthSList
ExpInterlockedPopEntrySList
ExpInterlockedPushEntrySList
KeAcquireSpinLockRaiseToDpc
KeReleaseSpinLock
IoAllocateIrp
IoFreeIrp
IoCsqInitializeEx
IoCsqInsertIrpEx
IoCsqRemoveNextIrp
KeRemoveQueue
MmGetSystemRoutineAddress
KeSetSystemGroupAffinityThread
KeRevertToUserGroupAffinityThread
KeQueryNodeActiveAffinity
KeQueryHighestNodeNumber
MmAllocatePagesForMdlEx
MmFreePagesFromMdl
MmCreateMdl
ZwQuerySystemInformation
RtlEqualUnicodeString
KeClearEvent
IoAllocateErrorLogEntry
IoBuildDeviceIoControlRequest
IoGetDeviceObjectPointer
IoWriteErrorLogEntry
IoAllocateWorkItem
IoFreeWorkItem
IoQueueWorkItem
PsIsSystemThread
PsCreateSystemThread
KeInitializeQueue
KeRundownQueue
ZwSetInformationFile
LpcPortObjectType
RtlQueryRegistryValues
MmMapIoSpace
MmUnmapIoSpace
IoGetRelatedDeviceObject
IoFileObjectType
PsGetVersion
ExAllocatePoolWithQuotaTag

Sections

.text
Size: 86KB - Virtual size: 86KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

EXTRA
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

CPATA
Size: 512B - Virtual size: 401B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 28KB - Virtual size: 27KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1024B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGE
Size: 41KB - Virtual size: 40KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 11KB - Virtual size: 10KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 308B - Virtual size: 308B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
reg/drv7/fancyrd.cat
reg/drv7/fancyrd.inf
reg/drv7/fancyrd.sys
.sys windows:10 windows x64 arch:x64

052e5c912ca7ada7ef76924673232acf

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

E:\PROJECT\FancyRamdisk\release\drv\win7\amd64\fancyrd_srv_raw.pdb

Imports

rxbsknl.sys

RxbsCreateHyperDevice
RxbsCloseHyperDevice
RxbsConnectHyperSystem
RxbsDisconnectHyperSystem
RxbsStartHyperSystem
RxbsEnableDumpClient
RxbsSetParamHyperSystem
RxbsGetParamHyperSystem
RxbsGetHyperSystemState
RxbsDisableDumpClient
RxbsFreezeHyperClient
RxbsReviveHyperClient

ntoskrnl.exe

KeInitializeEvent
KeSetEvent
KeSetPriorityThread
KeWaitForSingleObject
ExInterlockedInsertTailList
ExInterlockedRemoveHeadList
MmUnmapLockedPages
PsTerminateSystemThread
ZwReadFile
ZwClose
RtlCompareMemory
KeInitializeGuardedMutex
KeAcquireGuardedMutex
KeReleaseGuardedMutex
ExAllocatePoolWithTag
ExFreePoolWithTag
ZwWriteFile
RtlInitUnicodeString
ExInitializeNPagedLookasideList
ExDeleteNPagedLookasideList
MmMapLockedPagesSpecifyCache
IoAllocateMdl
IoBuildPartialMdl
IoFreeMdl
IoGetTopLevelIrp
IoSetTopLevelIrp
ZwCreateFile
ZwOpenFile
ZwQueryInformationFile
ZwDeleteFile
ZwFsControlFile
RtlCopyUnicodeString
RtlFreeUnicodeString
RtlIsNtDdiVersionAvailable
KeDelayExecutionThread
IoAttachDeviceToDeviceStack
IofCallDriver
IofCompleteRequest
IoDeleteDevice
IoDetachDevice
IoRegisterShutdownNotification
IoInvalidateDeviceRelations
IoRegisterDeviceInterface
ObfDereferenceObject
ZwCreateDirectoryObject
ZwMakeTemporaryObject
IoGetConfigurationInformation
IoRegisterBootDriverReinitialization
IoRegisterDriverReinitialization
_vsnwprintf
InitSafeBootMode
PoSetPowerState
RtlIntegerToUnicodeString
RtlUnicodeStringToInteger
IoOpenDeviceRegistryKey
ZwOpenKey
ZwDeleteValueKey
ZwEnumerateValueKey
ZwQueryValueKey
ZwSetValueKey
RtlUnicodeStringToAnsiString
RtlCompareUnicodeString
RtlFreeAnsiString
RtlGenerate8dot3Name
RtlIsNameLegalDOS8Dot3
RtlTimeToTimeFields
ExSystemTimeToLocalTime
IoGetAttachedDeviceReference
IoRequestDeviceEject
KeGetCurrentIrql
IoBuildSynchronousFsdRequest
KeInsertQueue
_vsnprintf
IoGetAttachedDevice
RtlUnicodeStringToCountedOemString
RtlUpcaseUnicodeStringToCountedOemString
KeQueryActiveProcessorCountEx
IoCreateDevice
IoCreateSymbolicLink
IoDeleteSymbolicLink
ZwOpenSymbolicLinkObject
KeInitializeTimer
KeCancelTimer
KeSetTimer
KeWaitForMultipleObjects
IoUnregisterShutdownNotification
IoSetDeviceInterfaceState
ObfReferenceObject
KeEnterCriticalRegion
KeLeaveCriticalRegion
RtlAppendUnicodeStringToString
KdDisableDebugger
KdEnableDebugger
ZwCreateSection
ZwMapViewOfSection
ZwUnmapViewOfSection
KdDebuggerEnabled
RtlCreateSecurityDescriptor
RtlSetDaclSecurityDescriptor
ObReferenceObjectByHandle
ZwCreateKey
ZwQueryKey
ZwOpenEvent
ZwQueryVolumeInformationFile
RtlRandomEx
RtlLengthSid
RtlCreateAcl
RtlAddAccessAllowedAce
RtlSetOwnerSecurityDescriptor
ZwCreateEvent
ZwSetSecurityObject
ObReferenceObjectByName
SeExports
IoDriverObjectType
KeAreAllApcsDisabled
IoGetStackLimits
RtlInitAnsiString
RtlAnsiStringToUnicodeString
IoGetDeviceInterfaces
ZwDeviceIoControlFile
ExQueryDepthSList
ExpInterlockedPopEntrySList
ExpInterlockedPushEntrySList
KeAcquireSpinLockRaiseToDpc
KeReleaseSpinLock
IoAllocateIrp
IoFreeIrp
IoCsqInitializeEx
IoCsqInsertIrpEx
IoCsqRemoveNextIrp
KeRemoveQueue
KeBugCheckEx
MmGetSystemRoutineAddress
KeSetSystemGroupAffinityThread
KeRevertToUserGroupAffinityThread
KeQueryNodeActiveAffinity
KeQueryHighestNodeNumber
MmAllocatePagesForMdlEx
MmFreePagesFromMdl
MmCreateMdl
ZwQuerySystemInformation
RtlEqualUnicodeString
KeClearEvent
IoAllocateErrorLogEntry
IoBuildDeviceIoControlRequest
IoGetDeviceObjectPointer
IoWriteErrorLogEntry
IoAllocateWorkItem
IoFreeWorkItem
IoQueueWorkItem
PsIsSystemThread
PsCreateSystemThread
KeInitializeQueue
KeRundownQueue
ZwSetInformationFile
LpcPortObjectType
RtlQueryRegistryValues
MmMapIoSpace
MmUnmapIoSpace
IoGetRelatedDeviceObject
IoFileObjectType
PsGetVersion
ExAllocatePoolWithQuotaTag

Sections

.text
Size: 82KB - Virtual size: 82KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

EXTRA
Size: 11KB - Virtual size: 10KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

CPATA
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 30KB - Virtual size: 30KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1024B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGE
Size: 41KB - Virtual size: 40KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 17KB - Virtual size: 17KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 308B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
reg/install.bat
.bat .vbs

Sharing

General

Malware Config

Signatures

Files

7bf6ee7f997d9058a8fa5739c928c0b5

Headers

File Characteristics

Imports

kernel32

Sections

.text Size: 64KB - Virtual size: 63KB

.rdata Size: 12KB - Virtual size: 10KB

.data Size: 16KB - Virtual size: 22KB

6941dff5e013a237f1620c4cff1d8b89

Code Sign

33:00:00:00:4d:e5:97:a7:75:e3:15:7f:7b:00:00:00:00:00:4dCertificate

Extended Key Usages

33:00:00:00:0d:69:0d:5d:78:93:d0:76:df:00:00:00:00:00:0dCertificate

Key Usages

77:df:b4:75:08:65:83:c3:41:3b:1a:a6:e3:16:bf:15:41:e5:55:2f:4e:6a:0b:c0:78:e8:36:8a:04:de:f6:d8Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

rxbsknl.sys

ntoskrnl.exe

Sections

.text Size: 86KB - Virtual size: 86KB

EXTRA Size: 8KB - Virtual size: 8KB

CPATA Size: 512B - Virtual size: 401B

.rdata Size: 28KB - Virtual size: 27KB

.data Size: 512B - Virtual size: 1024B

.pdata Size: 5KB - Virtual size: 5KB

PAGE Size: 41KB - Virtual size: 40KB

INIT Size: 11KB - Virtual size: 10KB

.rsrc Size: 2KB - Virtual size: 2KB

.reloc Size: 512B - Virtual size: 308B

052e5c912ca7ada7ef76924673232acf

Code Sign

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:ddCertificate

Extended Key Usages

Key Usages

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15Certificate

Extended Key Usages

Key Usages

61:20:4d:b4:00:00:00:00:00:27Certificate

Key Usages

01:29:27:90:28:8b:00:e3:b5:3d:86:04:76:4d:ff:4bCertificate

Extended Key Usages

Key Usages

0d:d0:e3:37:4a:c9:5b:db:fa:6b:43:4b:2a:48:ec:06Certificate

Extended Key Usages

Key Usages

61:20:4d:b4:00:00:00:00:00:27Certificate

Key Usages

05:af:de:7b:07:6f:79:b9:01:e3:5b:38:d6:7e:a6:27Certificate

Extended Key Usages

Key Usages

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5cCertificate

Extended Key Usages

Key Usages

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:ddCertificate

Extended Key Usages

Key Usages

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15Certificate

Extended Key Usages

Key Usages

94:15:23:a9:28:57:31:4b:c1:c8:8d:91:35:11:04:89:fb:9c:e6:8d:ca:a9:b2:7a:f0:25:5e:a6:ce:bb:1c:11Signer

d6:3e:ac:02:d1:94:e6:29:39:04:a6:f1:b2:81:1f:e5:97:5e:9a:3fSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

rxbsknl.sys

ntoskrnl.exe

Sections

.text Size: 82KB - Virtual size: 82KB

.text
Size: 64KB - Virtual size: 63KB

.rdata
Size: 12KB - Virtual size: 10KB

.data
Size: 16KB - Virtual size: 22KB

33:00:00:00:4d:e5:97:a7:75:e3:15:7f:7b:00:00:00:00:00:4d
Certificate

33:00:00:00:0d:69:0d:5d:78:93:d0:76:df:00:00:00:00:00:0d
Certificate

77:df:b4:75:08:65:83:c3:41:3b:1a:a6:e3:16:bf:15:41:e5:55:2f:4e:6a:0b:c0:78:e8:36:8a:04:de:f6:d8
Signer

.text
Size: 86KB - Virtual size: 86KB

EXTRA
Size: 8KB - Virtual size: 8KB

CPATA
Size: 512B - Virtual size: 401B

.rdata
Size: 28KB - Virtual size: 27KB

.data
Size: 512B - Virtual size: 1024B

.pdata
Size: 5KB - Virtual size: 5KB

PAGE
Size: 41KB - Virtual size: 40KB

INIT
Size: 11KB - Virtual size: 10KB

.rsrc
Size: 2KB - Virtual size: 2KB

.reloc
Size: 512B - Virtual size: 308B

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

61:20:4d:b4:00:00:00:00:00:27
Certificate

01:29:27:90:28:8b:00:e3:b5:3d:86:04:76:4d:ff:4b
Certificate

0d:d0:e3:37:4a:c9:5b:db:fa:6b:43:4b:2a:48:ec:06
Certificate

61:20:4d:b4:00:00:00:00:00:27
Certificate

05:af:de:7b:07:6f:79:b9:01:e3:5b:38:d6:7e:a6:27
Certificate

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5c
Certificate

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

94:15:23:a9:28:57:31:4b:c1:c8:8d:91:35:11:04:89:fb:9c:e6:8d:ca:a9:b2:7a:f0:25:5e:a6:ce:bb:1c:11
Signer

d6:3e:ac:02:d1:94:e6:29:39:04:a6:f1:b2:81:1f:e5:97:5e:9a:3f
Signer

.text
Size: 82KB - Virtual size: 82KB

EXTRA
Size: 11KB - Virtual size: 10KB

CPATA
Size: 6KB - Virtual size: 5KB

.rdata
Size: 30KB - Virtual size: 30KB

.data
Size: 512B - Virtual size: 1024B

.pdata
Size: 6KB - Virtual size: 5KB

PAGE
Size: 41KB - Virtual size: 40KB

INIT
Size: 17KB - Virtual size: 17KB

.rsrc
Size: 2KB - Virtual size: 2KB

.reloc
Size: 512B - Virtual size: 308B

19:3d:d9:e9:6e:2d:1d:84:47:5e:67:8b:47:a9:e7:9e
Certificate

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

0a:7a:4a:88:9e:c9:99:42:90:06:63:38:4d:86:97:9d
Certificate

19:3d:d9:e9:6e:2d:1d:84:47:5e:67:8b:47:a9:e7:9e
Certificate

0a:7a:4a:88:9e:c9:99:42:90:06:63:38:4d:86:97:9d
Certificate

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

44:93:7a:17:7e:39:1a:06:76:44:0d:ea:2f:8f:9e:91:94:74:24:d4:0b:a4:11:5e:c5:f2:eb:dd:9c:a4:7a:63
Signer

85:50:78:7b:86:47:63:2f:9c:d7:54:05:9a:49:83:06:7a:bc:7c:fb
Signer

.text
Size: 86KB - Virtual size: 86KB

EXTRA
Size: 8KB - Virtual size: 8KB

CPATA
Size: 512B - Virtual size: 401B

.rdata
Size: 28KB - Virtual size: 27KB

.data
Size: 512B - Virtual size: 1024B

.pdata
Size: 5KB - Virtual size: 5KB

PAGE
Size: 41KB - Virtual size: 40KB

INIT
Size: 11KB - Virtual size: 10KB

.rsrc
Size: 2KB - Virtual size: 2KB

.reloc
Size: 308B - Virtual size: 308B

.text
Size: 82KB - Virtual size: 82KB

EXTRA
Size: 11KB - Virtual size: 10KB

CPATA
Size: 6KB - Virtual size: 5KB

.rdata
Size: 30KB - Virtual size: 30KB

.data
Size: 512B - Virtual size: 1024B

.pdata
Size: 6KB - Virtual size: 5KB

PAGE
Size: 41KB - Virtual size: 40KB

INIT
Size: 17KB - Virtual size: 17KB

.rsrc
Size: 2KB - Virtual size: 2KB

.reloc
Size: 512B - Virtual size: 308B