Static task
static1

General
Target: ce4a8e17a55e1f3009cbad4ee3f8d8195c015d2b2ab102b685cce9707939d28aN
Size: 617KB
MD5: de575da1f1b34990865cecc96b78c670
SHA1: bc8bffe11d70fd7c5a228926d423f1039c5c5364
SHA256: ce4a8e17a55e1f3009cbad4ee3f8d8195c015d2b2ab102b685cce9707939d28a
SHA512: 42c73a6aff8f4319edff854851d651f05de052d763d621fc67e465daa201c10474d828c7eebf9e4d02250e74816dcf8bafb8773961150d5a08038409fc358933
SSDEEP: 12288:ALnkiOUSaAdig9Rsthu7NN1VhvrDT6Cv8PVH1YRaC:Arkid9AdZR0hcHmk8PVH1k

Malware Config

Signatures
Unsigned PE (1 IoCs)
Checks for missing Authenticode signature.
resource ce4a8e17a55e1f3009cbad4ee3f8d8195c015d2b2ab102b685cce9707939d28aN

Files
ce4a8e17a55e1f3009cbad4ee3f8d8195c015d2b2ab102b685cce9707939d28aN.sys windows:6 windows x64 arch:x64
5d043a17e196cd707859139fb9bd49c2

Headers
DLL Characteristics: IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
File Characteristics: IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LARGE_ADDRESS_AWARE
PDB Paths: e:\project\safe\secdoc\pend-driver\fsectl\objfre_wlh_amd64\amd64\FseCtl.pdb
Imports
ntoskrnl.exe
ZwCreateFile
ZwClose
ZwQueryInformationFile
_stricmp
KeInitializeEvent
SeQueryInformationToken
KeWaitForSingleObject
wcschr
ZwCreateEvent
RtlAnsiStringToUnicodeString
RtlCreateAcl
PsLookupProcessByProcessId
RtlSetDaclSecurityDescriptor
MmUnmapViewOfSection
RtlInitAnsiString
RtlUnicodeStringToAnsiString
ZwQuerySystemInformation
RtlEqualUnicodeString
RtlAddAccessAllowedAce
KeDetachProcess
RtlFreeUnicodeString
PsCreateSystemThread
ZwQueryValueKey
ExInterlockedInsertTailList
PsTerminateSystemThread
_vsnprintf
KeQueryTimeIncrement
RtlFreeAnsiString
KeAttachProcess
ExInterlockedRemoveHeadList
SeExports
strrchr
PsGetCurrentProcessId
ZwTerminateProcess
ObOpenObjectByPointer
RtlLengthSid
RtlCreateSecurityDescriptor
ZwOpenKey
_strnicmp
PsProcessType
strncmp
PsSetLoadImageNotifyRoutine
strstr
ZwMapViewOfSection
MmGetSystemRoutineAddress
PsSetCreateProcessNotifyRoutine
KeUnstackDetachProcess
strncpy
ZwUnmapViewOfSection
PsRemoveLoadImageNotifyRoutine
ZwReadFile
ZwOpenFile
KeStackAttachProcess
ExGetSharedWaiterCount
ExAcquireSharedWaitForExclusive
FsRtlTeardownPerStreamContexts
ExGetExclusiveWaiterCount
FsRtlUninitializeFileLock
FsRtlUninitializeOplock
SeSinglePrivilegeCheck
IoUpdateShareAccess
IoRemoveShareAccess
MmDoesFileHaveUserWritableReferences
IoCheckShareAccess
IoSetShareAccess
CcMdlRead
FsRtlMdlReadCompleteDev
CcCopyRead
FsRtlNormalizeNtstatus
CcMdlWriteComplete
CcMdlReadComplete
CcPrepareMdlWrite
CcDeferWrite
CcCopyWrite
FsRtlCopyWrite
CcCanIWrite
CcUninitializeCacheMap
FsRtlFastUnlockAll
ExReleaseFastMutexUnsafe
ExAcquireFastMutexUnsafe
IoQueueWorkItem
FsRtlValidateReparsePointBuffer
IoDeleteSymbolicLink
ExReleaseFastMutex
ExAcquireFastMutex
IoDeleteDevice
IoFreeWorkItem
ZwSetValueKey
IoGetTransactionParameterBlock
ExDeletePagedLookasideList
MmQuerySystemSize
ZwQueryDirectoryFile
IoAllocateWorkItem
IofCompleteRequest
PsGetVersion
IoCreateSymbolicLink
ExInitializePagedLookasideList
IoCreateDevice
IoQueryFileDosDeviceName
ObRegisterCallbacks
ObUnRegisterCallbacks
ObGetFilterVersion
PsThreadType
CmRegisterCallbackEx
CmCallbackGetKeyObjectID
CmUnRegisterCallback
DbgPrintEx
ObfReferenceObject
MmFlushImageSection
IoAllocateMdl
IoIsSystemThread
FsRtlIsNtstatusExpected
CcInitializeCacheMap
RtlUnicodeStringToInteger
MmUnlockPages
RtlEqualString
MmProbeAndLockPages
KeBugCheckEx
CcGetFileObjectFromSectionPtrs
CcSetReadAheadGranularity
IoGetDeviceToVerify
MmMapLockedPagesSpecifyCache
wcsstr
ObQueryNameString
IoVolumeDeviceToDosName
IoFreeMdl
MmBuildMdlForNonPagedPool
IoRaiseInformationalHardError
RtlInitString
DbgBreakPointWithStatus
KeSetEvent
IoSetDeviceToVerify
ExRaiseStatus
CcSetFileSizes
ExDeleteNPagedLookasideList
RtlSplay
DbgPrint
KeQueryPriorityThread
ObfDereferenceObject
MmIsAddressValid
IoGetTopLevelIrp
RtlCompareMemory
RtlCompareUnicodeString
ZwDeleteFile
MmCanFileBeTruncated
ObReferenceObjectByHandle
IoSetTopLevelIrp
ExQueryDepthSList
RtlAppendUnicodeStringToString
_vsnwprintf
ExAcquireResourceSharedLite
ExAllocatePool
ZwSetEvent
ExSystemTimeToLocalTime
DbgBreakPoint
wcsrchr
ZwWaitForSingleObject
IoFileObjectType
KeDelayExecutionThread
CcFlushCache
FsRtlIsNameInExpression
CcPurgeCacheSection
ExpInterlockedPopEntrySList
RtlAppendUnicodeToString
ExpInterlockedPushEntrySList
RtlInitUnicodeString
KeSetPriorityThread
ExInitializeNPagedLookasideList
RtlUpcaseUnicodeString
IoThreadToProcess
RtlDelete
_wcsicmp
ExInitializeResourceLite
ExDeleteResourceLite
ExReleaseResourceLite
IoGetCurrentProcess
KeEnterCriticalRegion
ExIsResourceAcquiredExclusiveLite
ExIsResourceAcquiredSharedLite
KeLeaveCriticalRegion
ExAcquireResourceExclusiveLite
RtlCopyUnicodeString
ExFreePoolWithTag
ZwCreateSection
ExAllocatePoolWithTag
__C_specific_handler
_local_unwind
__chkstk
fltmgr.sys
FltGetFilterFromName
FltSetVolumeContext
FltStartFiltering
FltRegisterFilter
FltBuildDefaultSecurityDescriptor
FltCloseCommunicationPort
FltUnregisterFilter
FltCreateFileEx2
FltFreeSecurityDescriptor
FltCbdqDisable
FltGetVolumeProperties
FltSetInstanceContext
FltCreateCommunicationPort
FltGetFileNameInformationUnsafe
FltCheckAndGrowNameControl
FltCloseClientPort
FltQueueGenericWorkItem
FltAllocateGenericWorkItem
FltCbdqInitialize
FltCbdqRemoveNextIo
FltFreeGenericWorkItem
FltOplockFsctrl
FltFlushBuffers
FltProcessFileLock
FltDeviceIoControlFile
FltGetDestinationFileNameInformation
FltOplockIsFastIoPossible
FltCheckLockForWriteAccess
FltDoCompletionProcessingWhenSafe
FltCheckLockForReadAccess
FltLockUserBuffer
FltCheckOplock
FltSetCallbackDataDirty
FltCancelFileOpen
FltCurrentBatchOplock
FltUninitializeFileLock
FltUninitializeOplock
FltInitializeOplock
FltInitializeFileLock
FltSetSecurityObject
FltQueryDirectoryFile
FltSendMessage
FltAllocateCallbackData
FltPerformSynchronousIo
FltIsOperationSynchronous
FltCompletePendedPreOperation
FltGetDiskDeviceObject
FltQueryVolumeInformationFile
FltFreeCallbackData
FltCbdqInsertIo
FltGetInstanceContext
FltFreePoolAlignedWithTag
FltParseFileNameInformation
FltReleaseFileNameInformation
FltGetVolumeName
FltGetBottomInstance
FltGetFileNameInformation
FltClose
FltQueryInformationFile
FltCreateFile
FltIsDirectory
FltReadFile
FltSetInformationFile
FltAllocatePoolAlignedWithTag
FltWriteFile
FltGetRequestorProcessId
FltGetVolumeFromName
FltGetVolumeContext
FltObjectDereference
FltGetRequestorProcess
FltAllocateContext
FltReleaseContext
FltSupportsStreamContexts
FltSetStreamContext
FltSetStreamHandleContext
FltGetStreamContext
FltGetStreamHandleContext
Sections
.text Size: 377KB - Virtual size: 376KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 58KB - Virtual size: 58KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 9KB - Virtual size: 29KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 12KB - Virtual size: 12KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
PAGE Size: 87KB - Virtual size: 87KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
INIT Size: 16KB - Virtual size: 15KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 1024B - Virtual size: 976B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
.reloc Size: 3KB - Virtual size: 3KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ