acb5da93-1dcc-4d16-8415-6b4b221cb4a1

360netmon_wfp.sys

Description

Qihoo 360netmon_wfp.sys is a signed kernel driver documented by ESET as the driver abused by the GentleKiller Network Blocker variant used in Gentlemen ransomware intrusions. The sample is associated with ESET detection Win64/VulnDriver.Qihoo360.A.

  • UUID: acb5da93-1dcc-4d16-8415-6b4b221cb4a1
  • Created: 2026-06-22
  • Author: Michael Haag
  • Acknowledgement: ESET Research, 0xd3vnull | [@ESETresearch](https://twitter.com/ESETresearch), [@0xd3vnull](https://twitter.com/0xd3vnull)

Commands

sc.exe create 360netmon_wfp binPath=C:\windows\temp\360netmon_wfp.sys type=kernel && sc.exe start 360netmon_wfp
Use Case: Impair defenses through a signed kernel driver abused by an EDR killer.
Privileges: kernel
Operating System: Windows 10, Windows 11

Detections

YARA 🏹

  • Exact Match: with header and size limitation
  • Threat Hunting: without header and size limitation
  • Renamed: for renamed driver files

Sigma 🛡️

  • Names: detects loading using name only
  • Hashes: detects loading using hashes only

Sysmon 🔎

  • Block: on hashes
  • Alert: on hashes

Resources


  • https://www.welivesecurity.com/en/eset-research/killing-me-gently-inside-gentlemens-edr-killer-framework/
  • https://www.eset.com/us/about/newsroom/research/eset-research-gentlemen-ransomware-gang-edr-killers/
  • https://github.com/magicsword-io/LOLDrivers/issues/377

  • Known Vulnerable Samples

    • Filename: 360netmon_wfp.sys
    • Creation Timestamp: 2024-09-08 21:16:29
    • MD5: 40f64b91348bed955acf8551853b72a8
    • SHA1: 9ad51ad97c01e97ab59214116740785e0f6320a8
    • SHA256: 3d769a5f1ad0d32fb4e06478d35401d9788bad1a477b813adbdf4fd93b2c2694
    • Authentihash MD5: cde694feb0bcdf6edbb714a759b0227d
    • Authentihash SHA1: b7487b99b29570010545f6538cfe90cccaa34d44
    • Authentihash SHA256: e4df5e185217887012b88164e0fba76d6869c541f6d64db20da505b9707ef370
    • RichPEHeaderHash MD5: 353020153a3fd127e4af7bb7c92a24d1
    • RichPEHeaderHash SHA1: 35230f3dd05e9e6872b7f21a4dbb72e3dcca7ccc
    • RichPEHeaderHash SHA256: ff71b69b08b01e0d9e3b2a6d4c32c01802643ae14665e4458f40c6b721608544
    • Company: 360.cn
    • Description: 360netmon
    • Product: 360netmon
    • OriginalFilename: 360netmon.sys

    Certificates

    Certificate 33000001112a0790aae5568529000000000111
    • ToBeSigned (TBS) MD5: 778c1775b427242a721643a7a90eae19
    • ToBeSigned (TBS) SHA1: 553ed9bf72af4fce0ef52a7f0a2396245fc3d348
    • ToBeSigned (TBS) SHA256: 6910d4ed97543604c6ad630041532ff89e630311916332b6fda7b211aa29fa78
    • Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher
    • ValidFrom: 2024-05-16 22:16:06
    • ValidTo: 2025-05-14 22:16:06
    • SignatureAlgorithmOID: 1.2.840.113549.1.1.11
    • IsCertificateAuthority: False
    • SerialNumber: 33000001112a0790aae5568529000000000111
    • Version: 3

    Certificate 610baac1000000000009
    • ToBeSigned (TBS) MD5: a569061297e8e824767dbc3184a69bea
    • ToBeSigned (TBS) SHA1: adbb26a587a8f44b4fccaecb306f980d1c55a150
    • ToBeSigned (TBS) SHA256: cec1afd0e310c55c1dcc601ab8e172917706aa32fb5eaf826813547fdf02dd46
    • Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012
    • ValidFrom: 2012-04-18 23:48:38
    • ValidTo: 2027-04-18 23:58:38
    • SignatureAlgorithmOID: 1.2.840.113549.1.1.11
    • IsCertificateAuthority: True
    • SerialNumber: 610baac1000000000009
    • Version: 3

    Imports

    • ntoskrnl.exe
    • fwpkclnt.sys
    • TDI.SYS
    • NDIS.SYS

    Imported Functions

    • IoFileObjectType
    • ZwCreateFile
    • ZwQueryDirectoryFile
    • IoGetCurrentProcess
    • ZwEnumerateValueKey
    • IoAttachDevice
    • ZwQueryInformationProcess
    • ZwOpenFile
    • IoQueryFileDosDeviceName
    • ObOpenObjectByPointer
    • KeStackAttachProcess
    • ZwQueryKey
    • IoFreeMdl
    • KeWaitForSingleObject
    • MmProbeAndLockPages
    • MmUnlockPages
    • IoAllocateMdl
    • KeUnstackDetachProcess
    • KeLeaveCriticalRegion
    • KeEnterCriticalRegion
    • ExReleaseResourceLite
    • _wcsicmp
    • IoBuildPartialMdl
    • IoMakeAssociatedIrp
    • ZwQuerySystemInformation
    • wcsstr
    • ExInterlockedInsertHeadList
    • IoFreeIrp
    • ExInterlockedRemoveHeadList
    • _wcsupr
    • _wcsnicmp
    • _stricmp
    • DbgPrint
    • KeBugCheckEx
    • ZwSetValueKey
    • ZwDeleteValueKey
    • RtlIntegerToUnicodeString
    • PsLookupProcessByProcessId
    • ZwCreateKey
    • IoBuildDeviceIoControlRequest
    • PsGetProcessPeb
    • KeAcquireSpinLockRaiseToDpc
    • ZwOpenKey
    • IofCallDriver
    • RtlUpcaseUnicodeChar
    • ExCreateCallback
    • ExInitializeResourceLite
    • IoCreateDevice
    • ObfDereferenceObject
    • MmIsAddressValid
    • PsGetCurrentProcessId
    • PsGetCurrentThreadId
    • IoCreateSymbolicLink
    • RtlCompareMemory
    • CmRegisterCallback
    • ExRegisterCallback
    • RtlTimeToTimeFields
    • ObReferenceObjectByHandle
    • ExQueryDepthSList
    • IofCompleteRequest
    • ZwClose
    • InitSafeBootMode
    • PsTerminateSystemThread
    • ExInterlockedInsertTailList
    • ExAllocatePool
    • ZwQueryValueKey
    • IoGetDeviceObjectPointer
    • PsCreateSystemThread
    • wcsrchr
    • ObQueryNameString
    • KeDelayExecutionThread
    • MmUserProbeAddress
    • IoCreateSynchronizationEvent
    • RtlTimeFieldsToTime
    • RtlEqualUnicodeString
    • PsSetCreateProcessNotifyRoutine
    • ExpInterlockedPopEntrySList
    • KeAcquireInStackQueuedSpinLock
    • KeReleaseSpinLock
    • RtlGetVersion
    • IoIsOperationSynchronous
    • KeInitializeEvent
    • ExpInterlockedPushEntrySList
    • MmGetSystemRoutineAddress
    • KeSetEvent
    • ProbeForWrite
    • IoDeleteDevice
    • RtlInitUnicodeString
    • IoRegisterDriverReinitialization
    • KeReleaseInStackQueuedSpinLock
    • ExInitializeNPagedLookasideList
    • ExFreePoolWithTag
    • IoDeleteSymbolicLink
    • ProbeForRead
    • ExAllocatePoolWithTag
    • ExAcquireResourceExclusiveLite
    • ExUnregisterCallback
    • __C_specific_handler
    • FwpmCalloutEnum0
    • FwpsFlowAssociateContext0
    • FwpsAcquireWritableLayerDataPointer0
    • FwpsCalloutUnregisterById0
    • FwpmProviderDestroyEnumHandle0
    • FwpmSubLayerAdd0
    • FwpsApplyModifiedLayerData0
    • FwpsFreeCloneNetBufferList0
    • FwpsFlowRemoveContext0
    • FwpmCalloutDeleteByKey0
    • FwpsQueryPacketInjectionState0
    • FwpmCalloutDeleteById0
    • FwpmProviderEnum0
    • FwpmSubLayerDeleteByKey0
    • FwpmProviderCreateEnumHandle0
    • FwpsCloneStreamData0
    • FwpsConstructIpHeaderForTransportPacket0
    • FwpmSubLayerEnum0
    • FwpsAllocateNetBufferAndNetBufferList0
    • FwpsInjectionHandleCreate0
    • FwpmTransactionCommit0
    • FwpmSubLayerCreateEnumHandle0
    • FwpmSubLayerDestroyEnumHandle0
    • FwpmCalloutAdd0
    • FwpmCalloutDestroyEnumHandle0
    • FwpmFilterDeleteByKey0
    • FwpsAllocateCloneNetBufferList0
    • FwpmBfeStateSubscribeChanges0
    • FwpmFilterEnum0
    • FwpmProviderAdd0
    • FwpsCalloutRegister0
    • FwpmTransactionAbort0
    • FwpmEngineOpen0
    • FwpsAcquireClassifyHandle0
    • FwpmFilterDestroyEnumHandle0
    • FwpmProviderDeleteByKey0
    • FwpmCalloutCreateEnumHandle0
    • FwpmFilterAdd0
    • FwpsCalloutRegister1
    • FwpsInjectTransportSendAsync0
    • FwpmTransactionBegin0
    • FwpsReleaseClassifyHandle0
    • FwpmEngineClose0
    • FwpsDiscardClonedStreamData0
    • FwpmFreeMemory0
    • FwpmFilterDeleteById0
    • FwpsFreeNetBufferList0
    • FwpmFilterCreateEnumHandle0
    • TdiMapUserRequest
    • NdisAdvanceNetBufferListDataStart
    • NdisGetDataBuffer
    • NdisAllocateNetBufferListPool
    • NdisRetreatNetBufferListDataStart
    • NdisCopyFromNetBufferToNetBuffer
    • NdisAllocateMdl
    • NdisFreeGenericObject
    • NdisSetTimer
    • NdisInitializeTimer
    • NdisCancelTimer
    • NdisAllocateGenericObject

    Exported Functions


    Sections

    • .text
    • .rdata
    • .data
    • .pdata
    • INIT
    • .rsrc
    • .reloc

    Signature

    {
      "Certificates": [
        {
          "CertificateType": "Leaf (Code Signing)",
          "IsCA": false,
          "IsCertificateAuthority": false,
          "IsCodeSigning": true,
          "SerialNumber": "33000001112a0790aae5568529000000000111",
          "Signature": "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",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
          "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher",
          "TBS": {
            "MD5": "778c1775b427242a721643a7a90eae19",
            "SHA1": "553ed9bf72af4fce0ef52a7f0a2396245fc3d348",
            "SHA256": "6910d4ed97543604c6ad630041532ff89e630311916332b6fda7b211aa29fa78",
            "SHA384": "dccc0fe272475403fc9e0c1db6c456428798dfbe00fb20c962f57858256565a2cf361acb4eba8c771ec7611f2aa06bc1"
          },
          "ValidFrom": "2024-05-16 22:16:06",
          "ValidTo": "2025-05-14 22:16:06",
          "Version": 3
        },
        {
          "CertificateType": "CA",
          "IsCA": true,
          "IsCertificateAuthority": true,
          "IsCodeSigning": false,
          "SerialNumber": "610baac1000000000009",
          "Signature": "5a8a67daccd5fd0d264177bf0a4678b4b3de12692b7723c2652f015fd203f461ba509d2e8c3972f36c3e6ab11e766decb7f382dcccbbc56970287366173f54ebee011648c446d91b80ae813a8d0f796d68b09eea2d3f39d3ca387ebd5e7c086e19dcc6c2f438336861e2524783e1000156d2bacb878205310a418b4ee77f5f5fed5fd3392d45eba213bffd1ec298417161165fc80a70257c59693124e471e70abb0417f79f721ec9d2bb1abe3d02fe090cb243b4591a99539396215fe0d6b72601429536ac27fdbef48577683d18bdf4be98882211865216f345ec0397107087a37043713cdbc98603170cf5735bc67de15c64edd7c548d7ed32e2d1aad3cfa7f6574e61f977eb67f288b3de00da038fd08a34373e1dd862b8d2b1f3e12f8b723b81967c6ffcec667672601b24f2a0896d5b6d002eef28dd868705c2b4b9e5be64c22af24a155c98e2c42785ff52e3627e0fb2020bd766c70ab2d33d200414503259830a7d9bed5a38120152ba2f5e20728e4af1fde771028c3be107bec973f4dd47d8b4efb4a4b330b9893e76cab90098567eabea8ab8a5d038ab6977130b142fe9aa411ff7babd3a2b348aee0aab63e663f788248e200d2b3b9de3c24952ac9f1f0e393b5dd46e506ae67d523aaa7c3315290d265e0158a74ea93d7a846f743f609fe4324f3600af6d71d33ea646655f8174f1fec171da4ca0415a82ddf11f",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
          "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012",
          "TBS": {
            "MD5": "a569061297e8e824767dbc3184a69bea",
            "SHA1": "adbb26a587a8f44b4fccaecb306f980d1c55a150",
            "SHA256": "cec1afd0e310c55c1dcc601ab8e172917706aa32fb5eaf826813547fdf02dd46",
            "SHA384": "e947cac936803f5683196e4ff1b259096073395d0b908522ddce90d57597c9f7b57f7ddcdbe021ba863d843c340da8ba"
          },
          "ValidFrom": "2012-04-18 23:48:38",
          "ValidTo": "2027-04-18 23:58:38",
          "Version": 3
        }
      ],
      "CertificatesInfo": "",
      "Signer": [
        {
          "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012",
          "SerialNumber": "33000001112a0790aae5568529000000000111",
          "Version": 1
        }
      ],
      "SignerInfo": ""
    }
    

    last_updated: 2026-06-23