24cc4f8d-a88d-4b2d-a912-bc773d12a524
Mnemosyne.sys 
Description
Mnemosyne.sys is a vulnerable kernel driver from the KeServiceDescriptorTable/vulnerable-drivers repository. The driver exposes dangerous kernel primitives to usermode.
- UUID: 24cc4f8d-a88d-4b2d-a912-bc773d12a524
- Created: 2026-04-17
- Author: Michael Haag
- Acknowledgement: | [@rainbowdynamix, @DbgPrint](https://twitter.com/@rainbowdynamix, @DbgPrint)
This download link contains the vulnerable driver!
Block Mnemosyne.sys across your endpoints
Add this driver to your block policy in minutes with MagicSword, threat-driven application control. Free for up to 100 endpoints.
Start Blocking for FreeCommands
sc.exe create Mnemosyne binPath=C:\windows\temp\Mnemosyne.sys type=kernel && sc.exe start Mnemosyne
| Use Case | Privileges | Operating System |
|---|---|---|
| Elevate privileges | kernel | Windows 10 |
Detections
YARA 🏹
Expand
with header and size limitation
without header and size limitation
for renamed driver files
Resources
Known Vulnerable Samples
| Property | Value |
|---|---|
| Filename | Mnemosyne.sys |
| Creation Timestamp | 2014-03-11 08:45:53 |
| MD5 | 955dc6b491f3270f49a2b2e24970b30d |
| SHA1 | fdb8e429f44e85d9d7a52fc459780d72c29305cb |
| SHA256 | 2ccd04383dc2f1f777b7712c6f8ee6d05afac98d22cad8e96f5172ba9c5c53b0 |
| Authentihash MD5 | a86a1cf00d095a051490883b048f4223 |
| Authentihash SHA1 | c303af96e3af0e9e70b0f863437859860280c5e0 |
| Authentihash SHA256 | 79eac4cc015efad603e984f94067f76408bc929716f1b8dd68106d1066badac9 |
| RichPEHeaderHash MD5 | 7f3d32954aa0985af0f8d85373022bb5 |
| RichPEHeaderHash SHA1 | a1ac32585ce515938e1e5efe1495664b39509d81 |
| RichPEHeaderHash SHA256 | 0888a4e600ccb3ce39880fdbe172d7d141694273d1b02f5dd356f70e5df93ae1 |
Certificates
Expand
Certificate 0400000000012f4ee152d7
| Field | Value |
|---|---|
| ToBeSigned (TBS) MD5 | e140543fe3256027cfa79fc3c19c1776 |
| ToBeSigned (TBS) SHA1 | c655f94eb1ecc93de319fc0c9a2dc6c5ec063728 |
| ToBeSigned (TBS) SHA256 | 3ca71e85908ff67368e4dc00253f5691b9e6d50c966e7784143d75fb92aa3448 |
| Subject | C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2 |
| ValidFrom | 2011-04-13 10:00:00 |
| ValidTo | 2028-01-28 12:00:00 |
| Signature | 4e5e56901e46b4d94931f3bb1739281bc216ddfd41dc0905049b6fb2a29ad6992e40990055b5ea3fa52076d38634d417cc553ac782eeefa8babcd8069f1550dfcd167b523a02d7191afdaff0785ce04bc518df3a241edaacb8a95804020730dbb0125efe31bef00448f4f070f83a5e5683cf3dfb0dbcf4c5ed979db9d4dba52784e3389b8ba735864420a43b6da46a0ba183fd28ebdaef28f6cc885dfb0a3b00abe021ebe22f356c0f8e344597eba2f79933357ecb9a8abb454de73f9fc2d98afa65b26ec77e65ffe892e12c31a2f7b02736488f266f3bee4d761f79c3e57f9635bc2d0ecc01b08e7fff518080a792d4b34446648c874f166307314b63b0dff3 |
| SignatureAlgorithmOID | 1.2.840.113549.1.1.5 |
| IsCertificateAuthority | True |
| SerialNumber | 0400000000012f4ee152d7 |
| Version | 3 |
Certificate 0400000000012f4ee1355c
| Field | Value |
|---|---|
| ToBeSigned (TBS) MD5 | f6a9e8eb8784f3f694b4e353c08a0ff5 |
| ToBeSigned (TBS) SHA1 | 589a7d4df869395601ba7538a65afae8c4616385 |
| ToBeSigned (TBS) SHA256 | cbdc9a0ad785d0c2013211746b42234e18bdc7d54a7a260647badc1c9e712ed4 |
| Subject | C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2 |
| ValidFrom | 2011-04-13 10:00:00 |
| ValidTo | 2019-04-13 10:00:00 |
| Signature | 225cc5dd3df40b70d8e3f5e7c58e0901bbb196365c5a07adc7a8444951257aae0da4193b929ccfb94226bb3b6c97e7c7ce116d6891da8d6df1534d54388c61f3c8827669be81320b31c36cc99e200a582ff048fe7e4807aad743589473540431a9780d3b8cb070c13d7ed7bd2f2ac3e2f58f0c90dc6ba5c8be685e5d6df878d2be49951e15780891fb34c8be84adbce0c6dd18dbf3caf07bc2143c18b803ba953e211e3f60697a7f6a039e8d4af9f0282c30845eec267242b16dcb64c3128cd6844b67417cb103177809e3ada8b6962da47e80034f88f7c16b5a4615cd2c198bd8709ce52d49886072a8a4195270435edad64603b0680e24ef4af60b2524ef24 |
| SignatureAlgorithmOID | 1.2.840.113549.1.1.5 |
| IsCertificateAuthority | True |
| SerialNumber | 0400000000012f4ee1355c |
| Version | 3 |
Certificate 1121405c1f0ed258882be54d8686ba11ea45
| Field | Value |
|---|---|
| ToBeSigned (TBS) MD5 | b95cbc184d388718612d5933f7b36770 |
| ToBeSigned (TBS) SHA1 | ff124c5d160710720108616ffee99bbe090ed363 |
| ToBeSigned (TBS) SHA256 | 13027620255363f07bbf85ae7d0dc06c07d8b0f4368b12f983ee3f4fce605733 |
| Subject | C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G1 |
| ValidFrom | 2013-08-23 00:00:00 |
| ValidTo | 2024-09-23 00:00:00 |
| Signature | 0231142e5857644185e8af12753c881cc35eec2ce9a13cf5baaa531db9d12963dc436786d439dadec6c9ffbe4585f4a4d7c151ea18ee40585ee67bcca241291338c8ea21169cce90a62efba6cad994df401df902182bbef65d4f9fff9a48dbc50509ca80cea0f9dc4bc323e6038fb4b4af5b71296191181a6b7af2fd0dd1cd7d5e98ebba705ee5f4ea43de353dc514818adb3e105ebb72faa1a093ab031cc1653c91138b045d2bc4b9161bcc55c50ce8abe743c9b28328a5531347ab3964b91cea3430b176009521f1d43da8fda00032d76e983ca69c3b0b83becbb8bb2a268c59b8b9aeaf26ace234a2dc210d810b3813f745a3e3dbc4aca16d1bb7e5615cd7 |
| SignatureAlgorithmOID | 1.2.840.113549.1.1.5 |
| IsCertificateAuthority | False |
| SerialNumber | 1121405c1f0ed258882be54d8686ba11ea45 |
| Version | 3 |
Certificate 1121a31c92f8dcc52d1c4a45ef579b2e823e
| Field | Value |
|---|---|
| ToBeSigned (TBS) MD5 | 33b328331a13e81d899243b9efbc79ca |
| ToBeSigned (TBS) SHA1 | 39a095244961da1e543f43deb38c94c0428e073e |
| ToBeSigned (TBS) SHA256 | 941ee081b4ead65cc1d79f29b3641fabaad082d449fdc4f0c51abcaf67013f18 |
| Subject | C=US, ST=FL, L=Tampa, O=Agile Risk Management LLC, CN=Agile Risk Management LLC, emailAddress=support@f,response.com |
| ValidFrom | 2011-11-22 18:54:31 |
| ValidTo | 2015-02-22 18:54:31 |
| Signature | 8e17d46ad557f0a1fa0270538c46e1c91d42852e8dfa8f352f5c62060581711d786189f5353458020e70fe4218f523cc8485baa354c3ce875896e4011ba4e82f292beb33670dfe1475e5c60f2ca7c6a2cde186eab18ad125e42ffe78fee81260fdf288ebf559dfd2a73e6a7812ebf2ebaa00ababe60b061101478c2900aadc237b6dc568a91d25d07224cbc857682e3a6f604e735b7d8f9e2a6a929d8c7aec40d44b477e173bd87a44a678a5be7f0a51b569540cfa0a0e428035a0031333eb98aaa3e7c47e2d7877583ffcac20bf9d0022778f25b3ba06815ad64e17ff96c8d950c48bcf4bbdfec5b4af75590549e07ba824e3d6141286cb6688f1c439eafa6c |
| SignatureAlgorithmOID | 1.2.840.113549.1.1.5 |
| IsCertificateAuthority | False |
| SerialNumber | 1121a31c92f8dcc52d1c4a45ef579b2e823e |
| Version | 3 |
Certificate 610b7f6b000000000019
| Field | Value |
|---|---|
| ToBeSigned (TBS) MD5 | 4798d55be7663a75649cda4dedc686ef |
| ToBeSigned (TBS) SHA1 | 0f1ab2937b245d9466ea6f9bf056a5942e3989cf |
| ToBeSigned (TBS) SHA256 | ef14ea05bb066ee9f4188196dd69cd769b283ac4d7555db52f5e76922d3456e1 |
| Subject | C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA |
| ValidFrom | 2006-05-23 17:00:51 |
| ValidTo | 2016-05-23 17:10:51 |
| Signature | 13c56c5e077f3c57ff9b315f3fbd955425c679f92c31034d64694b56d95b976f7cf3f0d024657538639813701613f7a701f1c623e085866c0bf080945a75e87ce41e92b473bfc1b3a7b00bd31884cbcc09a35c9c4f3eb03a9c2d1bc404ef9737966fe5ecbaac6ab3d4e23cdf8b25e7acbc624531dda40a72e41bf8784301ccba3914de5d90aed85acf5eca46815133d5a60e5867d3d8665888169beeb11acaad91138421da9a6e20efda007428bac95ff34d5dc3da25692554ea44bcc39b29331cd63c961f8781c553d72a2733d42e197c08586ddb4e1999a9ea5ff39a9d8c513a5a5cbd2fa908359b54a7db351a521633343aa380046afdb4838cad90cf0c3a6596ec334e1826b849bbeb8192ff134d324b23c733e7b6716b15f69c80e6bcb76cbe41d5033a7133150050743b0e5df996aaed903eab134c809926bc38a5eb0236891db620be83ab10f8199ed76379d4aeb12f6136f94a4ba833c70e7241f9f1b1907eae46efde397b75a0411459041d42bc4788b8130e05fa1df0808dff70c677d84bdc460e231a72d5bfdefeaaae69583cfc5c46e4d5819a8b6e6559771a32a590a6b6649364fd0753c9a0de28ad2a6cc638d181ce98f54019e92c1743a4265fd3443053e41d02baa40a2f16dd7a60275242bbad98372897e4b8d27911e3108c48d5305d0a0c52def588ea8d1a2d67c9f4801484b7850cd16628a5c66f2461 |
| SignatureAlgorithmOID | 1.2.840.113549.1.1.5 |
| IsCertificateAuthority | True |
| SerialNumber | 610b7f6b000000000019 |
| Version | 3 |
Imports
Expand
- ntoskrnl.exe
Imported Functions
Expand
- IoDeleteSymbolicLink
- ExFreePoolWithTag
- ZwMapViewOfSection
- RtlInitUnicodeString
- IoDeleteDevice
- ZwQuerySystemInformation
- ZwUnmapViewOfSection
- ZwClose
- IofCompleteRequest
- ObReferenceObjectByHandle
- IoCreateSymbolicLink
- MmGetPhysicalMemoryRanges
- ZwOpenSection
- DbgPrint
- KeBugCheckEx
- MmGetSystemRoutineAddress
- IoCreateDevice
- ObOpenObjectByPointer
- ZwSetSecurityObject
- IoDeviceObjectType
- _snwprintf
- RtlLengthSecurityDescriptor
- SeCaptureSecurityDescriptor
- RtlCreateSecurityDescriptor
- RtlSetDaclSecurityDescriptor
- RtlAbsoluteToSelfRelativeSD
- IoIsWdmVersionAvailable
- SeExports
- wcschr
- _wcsnicmp
- ExAllocatePoolWithTag
- RtlLengthSid
- RtlAddAccessAllowedAce
- RtlGetSaclSecurityDescriptor
- RtlGetDaclSecurityDescriptor
- RtlGetGroupSecurityDescriptor
- RtlGetOwnerSecurityDescriptor
- ZwOpenKey
- ZwCreateKey
- ZwQueryValueKey
- ZwSetValueKey
- RtlFreeUnicodeString
- __C_specific_handler
Exported Functions
Expand
Sections
Expand
- .text
- .rdata
- .data
- .pdata
- PAGE
- INIT
- .reloc
Signature
Expand
{
"Certificates": [
{
"CertificateType": "CA",
"IsCA": true,
"IsCertificateAuthority": true,
"IsCodeSigning": false,
"SerialNumber": "0400000000012f4ee152d7",
"Signature": "4e5e56901e46b4d94931f3bb1739281bc216ddfd41dc0905049b6fb2a29ad6992e40990055b5ea3fa52076d38634d417cc553ac782eeefa8babcd8069f1550dfcd167b523a02d7191afdaff0785ce04bc518df3a241edaacb8a95804020730dbb0125efe31bef00448f4f070f83a5e5683cf3dfb0dbcf4c5ed979db9d4dba52784e3389b8ba735864420a43b6da46a0ba183fd28ebdaef28f6cc885dfb0a3b00abe021ebe22f356c0f8e344597eba2f79933357ecb9a8abb454de73f9fc2d98afa65b26ec77e65ffe892e12c31a2f7b02736488f266f3bee4d761f79c3e57f9635bc2d0ecc01b08e7fff518080a792d4b34446648c874f166307314b63b0dff3",
"SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
"Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2",
"TBS": {
"MD5": "e140543fe3256027cfa79fc3c19c1776",
"SHA1": "c655f94eb1ecc93de319fc0c9a2dc6c5ec063728",
"SHA256": "3ca71e85908ff67368e4dc00253f5691b9e6d50c966e7784143d75fb92aa3448",
"SHA384": "d9d366f9328f2b55ee19a32cc5fd5148b81d764282fe5dc196c872ae249caa51d2c212ef39f33945dfe0cda81925e326"
},
"ValidFrom": "2011-04-13 10:00:00",
"ValidTo": "2028-01-28 12:00:00",
"Version": 3
},
{
"CertificateType": "CA",
"IsCA": true,
"IsCertificateAuthority": true,
"IsCodeSigning": true,
"SerialNumber": "0400000000012f4ee1355c",
"Signature": "225cc5dd3df40b70d8e3f5e7c58e0901bbb196365c5a07adc7a8444951257aae0da4193b929ccfb94226bb3b6c97e7c7ce116d6891da8d6df1534d54388c61f3c8827669be81320b31c36cc99e200a582ff048fe7e4807aad743589473540431a9780d3b8cb070c13d7ed7bd2f2ac3e2f58f0c90dc6ba5c8be685e5d6df878d2be49951e15780891fb34c8be84adbce0c6dd18dbf3caf07bc2143c18b803ba953e211e3f60697a7f6a039e8d4af9f0282c30845eec267242b16dcb64c3128cd6844b67417cb103177809e3ada8b6962da47e80034f88f7c16b5a4615cd2c198bd8709ce52d49886072a8a4195270435edad64603b0680e24ef4af60b2524ef24",
"SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
"Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2",
"TBS": {
"MD5": "f6a9e8eb8784f3f694b4e353c08a0ff5",
"SHA1": "589a7d4df869395601ba7538a65afae8c4616385",
"SHA256": "cbdc9a0ad785d0c2013211746b42234e18bdc7d54a7a260647badc1c9e712ed4",
"SHA384": "dcec542f242317863d0b3d23947e17d6982e381003831777b07ed75b46fb18bd0392a89c9beb6862981cd05f3f2fb77b"
},
"ValidFrom": "2011-04-13 10:00:00",
"ValidTo": "2019-04-13 10:00:00",
"Version": 3
},
{
"CertificateType": "Intermediate",
"IsCA": false,
"IsCertificateAuthority": false,
"IsCodeSigning": false,
"SerialNumber": "1121405c1f0ed258882be54d8686ba11ea45",
"Signature": "0231142e5857644185e8af12753c881cc35eec2ce9a13cf5baaa531db9d12963dc436786d439dadec6c9ffbe4585f4a4d7c151ea18ee40585ee67bcca241291338c8ea21169cce90a62efba6cad994df401df902182bbef65d4f9fff9a48dbc50509ca80cea0f9dc4bc323e6038fb4b4af5b71296191181a6b7af2fd0dd1cd7d5e98ebba705ee5f4ea43de353dc514818adb3e105ebb72faa1a093ab031cc1653c91138b045d2bc4b9161bcc55c50ce8abe743c9b28328a5531347ab3964b91cea3430b176009521f1d43da8fda00032d76e983ca69c3b0b83becbb8bb2a268c59b8b9aeaf26ace234a2dc210d810b3813f745a3e3dbc4aca16d1bb7e5615cd7",
"SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
"Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G1",
"TBS": {
"MD5": "b95cbc184d388718612d5933f7b36770",
"SHA1": "ff124c5d160710720108616ffee99bbe090ed363",
"SHA256": "13027620255363f07bbf85ae7d0dc06c07d8b0f4368b12f983ee3f4fce605733",
"SHA384": "f42ed00f615f2822dcd3d33794477428afb52ddab932ebcde3586f92a27e18f9faba6b3334ca4e59e0cb24bdbf8395a6"
},
"ValidFrom": "2013-08-23 00:00:00",
"ValidTo": "2024-09-23 00:00:00",
"Version": 3
},
{
"CertificateType": "Leaf (Code Signing)",
"IsCA": false,
"IsCertificateAuthority": false,
"IsCodeSigning": true,
"SerialNumber": "1121a31c92f8dcc52d1c4a45ef579b2e823e",
"Signature": "8e17d46ad557f0a1fa0270538c46e1c91d42852e8dfa8f352f5c62060581711d786189f5353458020e70fe4218f523cc8485baa354c3ce875896e4011ba4e82f292beb33670dfe1475e5c60f2ca7c6a2cde186eab18ad125e42ffe78fee81260fdf288ebf559dfd2a73e6a7812ebf2ebaa00ababe60b061101478c2900aadc237b6dc568a91d25d07224cbc857682e3a6f604e735b7d8f9e2a6a929d8c7aec40d44b477e173bd87a44a678a5be7f0a51b569540cfa0a0e428035a0031333eb98aaa3e7c47e2d7877583ffcac20bf9d0022778f25b3ba06815ad64e17ff96c8d950c48bcf4bbdfec5b4af75590549e07ba824e3d6141286cb6688f1c439eafa6c",
"SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
"Subject": "C=US, ST=FL, L=Tampa, O=Agile Risk Management LLC, CN=Agile Risk Management LLC, emailAddress=support@f,response.com",
"TBS": {
"MD5": "33b328331a13e81d899243b9efbc79ca",
"SHA1": "39a095244961da1e543f43deb38c94c0428e073e",
"SHA256": "941ee081b4ead65cc1d79f29b3641fabaad082d449fdc4f0c51abcaf67013f18",
"SHA384": "86b04932e1c20aaa6da0dc87667a716857be4ee5c1aa2d7f9190487bab5317647d1a92a96a211e43277d83f33f7163d2"
},
"ValidFrom": "2011-11-22 18:54:31",
"ValidTo": "2015-02-22 18:54:31",
"Version": 3
},
{
"CertificateType": "CA",
"IsCA": true,
"IsCertificateAuthority": true,
"IsCodeSigning": false,
"SerialNumber": "610b7f6b000000000019",
"Signature": "13c56c5e077f3c57ff9b315f3fbd955425c679f92c31034d64694b56d95b976f7cf3f0d024657538639813701613f7a701f1c623e085866c0bf080945a75e87ce41e92b473bfc1b3a7b00bd31884cbcc09a35c9c4f3eb03a9c2d1bc404ef9737966fe5ecbaac6ab3d4e23cdf8b25e7acbc624531dda40a72e41bf8784301ccba3914de5d90aed85acf5eca46815133d5a60e5867d3d8665888169beeb11acaad91138421da9a6e20efda007428bac95ff34d5dc3da25692554ea44bcc39b29331cd63c961f8781c553d72a2733d42e197c08586ddb4e1999a9ea5ff39a9d8c513a5a5cbd2fa908359b54a7db351a521633343aa380046afdb4838cad90cf0c3a6596ec334e1826b849bbeb8192ff134d324b23c733e7b6716b15f69c80e6bcb76cbe41d5033a7133150050743b0e5df996aaed903eab134c809926bc38a5eb0236891db620be83ab10f8199ed76379d4aeb12f6136f94a4ba833c70e7241f9f1b1907eae46efde397b75a0411459041d42bc4788b8130e05fa1df0808dff70c677d84bdc460e231a72d5bfdefeaaae69583cfc5c46e4d5819a8b6e6559771a32a590a6b6649364fd0753c9a0de28ad2a6cc638d181ce98f54019e92c1743a4265fd3443053e41d02baa40a2f16dd7a60275242bbad98372897e4b8d27911e3108c48d5305d0a0c52def588ea8d1a2d67c9f4801484b7850cd16628a5c66f2461",
"SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
"Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA",
"TBS": {
"MD5": "4798d55be7663a75649cda4dedc686ef",
"SHA1": "0f1ab2937b245d9466ea6f9bf056a5942e3989cf",
"SHA256": "ef14ea05bb066ee9f4188196dd69cd769b283ac4d7555db52f5e76922d3456e1",
"SHA384": "6e7450a139856aeda6fa6284ff89b3752a9b646e096b4d33dd7e8e727742a2111481531581c0aa2cda0338e22cfdbad3"
},
"ValidFrom": "2006-05-23 17:00:51",
"ValidTo": "2016-05-23 17:10:51",
"Version": 3
}
],
"CertificatesInfo": "",
"Signer": [
{
"Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2",
"SerialNumber": "1121a31c92f8dcc52d1c4a45ef579b2e823e",
"Version": 1
}
],
"SignerInfo": ""
}
last_updated: 2026-04-20