c1143cd9-a709-4323-9678-2117285d1b47
NSecKrnl.sys 
Description
Driver used by ValleyRAT malware to terminate security processes via IOCTL 0x2248E0
- UUID: c1143cd9-a709-4323-9678-2117285d1b47
- Created: 2025-09-18
- Author: Michael Haag
This download link contains the vulnerable driver!
Commands
sc.exe create NSecKrnl binPath=C:\windows\temp\NSecKrnl.sys type=kernel && sc.exe start NSecKrnl
| Use Case | Privileges | Operating System |
|---|---|---|
| Terminate security processes | kernel | Windows 10 |
Detections
YARA 🏹
Expand
with header and size limitation
without header and size limitation
for renamed driver files
Resources
Known Vulnerable Samples
| Property | Value |
|---|---|
| Filename | 206f27ae820783b7755bca89f83a0fe096dbb510018dd65b63fc80bd20c03261 |
| Creation Timestamp | 2020-04-27 02:13:11 |
| MD5 | 80961850786d6531f075b8a6f9a756ad |
| SHA1 | b0b912a3fd1c05d72080848ec4c92880004021a1 |
| SHA256 | 206f27ae820783b7755bca89f83a0fe096dbb510018dd65b63fc80bd20c03261 |
| Authentihash MD5 | 0cd31f752c2fc1164a3c7b9486c1cd8d |
| Authentihash SHA1 | 383ceae579aa77bd7076eb03615e0469e425fd4f |
| Authentihash SHA256 | cf24c69123d4a72445547f7b5ad6738fb47f2d3fab06e3d628b7278113a63ae0 |
| RichPEHeaderHash MD5 | 5b262c81b9b7b87cd3cdfa35f0bb75da |
| RichPEHeaderHash SHA1 | efdb56cd9ff773a6560045049e471bcb98b7237f |
| RichPEHeaderHash SHA256 | afbf064767a0e97971f5957d718a6592d3dc7605ed787e852e9d7b0d9256c789 |
| Company | NSEC Co.,Ltd |
| Description | NSecKrnl |
| Product | NSEC |
| OriginalFilename | NSecKrnl |
Certificates
Expand
Certificate 61204db4000000000027
| Field | Value |
|---|---|
| ToBeSigned (TBS) MD5 | 8e3ffc222fbcebdbb8b23115ab259be7 |
| ToBeSigned (TBS) SHA1 | ee20bff28ffe13be731c294c90d6ded5aae0ec0e |
| ToBeSigned (TBS) SHA256 | 59826b69bc8c28118c96323b627da59aaca0b142cc5d8bad25a8fcfd399aa821 |
| Subject | CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US |
| ValidFrom | 2011-04-15 19:45:33 |
| ValidTo | 2021-04-15 19:55:33 |
| Signature | 208cc159ed6f9c6b2dc14a3e751d454c41501cbd80ead9b0928b062a133f53169e56396a8a63b6782479f57db8b947a10a96c2f6cbbda2669f06e1acd279090efd3cdcac020c70af3f1bec787ed4eb4b056026d973619121edb06863e09712ab6fa012edd99fd2da273cb3e456f9d1d4810f71bd427ca689dccdd5bd95a2abf193117de8ac3129a85d6670419dfc75c9d5b31a392ad08505508bac91cac493cb71a59da4946f580cfa6e20c40831b5859d7e81f9d23dca5b18856c0a86ec22091ba574344f7f28bc954aab1db698b05d09a477767eefa78e5d84f61824cbd16da6c3a19cc2107580ff9d32fde6cf433a82f7ce8fe1722a9b62b75fed951a395c2f946d48b7015f332fbbdc2d73348904420a1c8b79f9a3fa17effaa11a10dfe0b2c195eb5c0c05973b353e18884ddb6cbf24898dc8bdd89f7b393a24a0d5dfd1f34a1a97f6a66f7a1fb090a9b3ac013991d361b764f13e573803afce7ad2b590f5aedc3999d5b63c97eda6cb16c77d6b2a4c9094e64c54fd1ecd20ecce689c8758e96160beeb0ec9d5197d9fe978bd0eac2175078fa96ee08c6a2a6b9ce3e765bcbc2d3c6ddc04dc67453632af0481bca8006e614c95c55cd48e8e9f2fc13274bdbd11650307cdefb75e0257da86d41a2834af8849b2cfa5dd82566f68aa14e25954feffeaeeefea9270226081e32523c09fcc0f49b235aa58c33ac3d9169410 |
| SignatureAlgorithmOID | 1.2.840.113549.1.1.5 |
| IsCertificateAuthority | True |
| SerialNumber | 61204db4000000000027 |
| Version | 3 |
Certificate 0f5b2784032c07b5e63dbba7be59710d
| Field | Value |
|---|---|
| ToBeSigned (TBS) MD5 | 7e06eb9487b8718d228134b603f8a59a |
| ToBeSigned (TBS) SHA1 | 799d0d1de4e3fd810394cd65a17840827824c95b |
| ToBeSigned (TBS) SHA256 | 3c98cac97e5d563a906d7166c3939a991c0d3e30242732567ba6df6befede90c |
| Subject | CN=Shandong Anzai Information Technology CO.,Ltd.,OU=Development,O=Shandong Anzai Information Technology CO.,Ltd.,L=Jinan,ST=Shandong,C=CN,2.5.4.17=250101,STREET=高新区新泺大街2008号银荷大厦C座606,2.5.4.5=91370100306819342R,2.5.4.15=Private Organization,1.3.6.1.4.1.311.60.2.1.1=Jinan,1.3.6.1.4.1.311.60.2.1.2=Shandong,1.3.6.1.4.1.311.60.2.1.3=CN |
| ValidFrom | 2020-04-28 00:00:00 |
| ValidTo | 2021-03-22 12:00:00 |
| Signature | 3839475cba2451802a28f2519d44d484d24a2df89f1c7d38151696702e07ae2af536023585eaed2d7e20824612716b203e0d89af3a92f24ce6c1dcd647fd0130e03305e4da24fd2b98c806cf6514bd22b4b201e98ac64f62bea4efa353a7ab16ae2c59be2acb81565237ff3b2b93ddfc6c6c5844f6b7427ad69c18e4d74da0dc27cde8966c187b823649b3ba707c6f4af1ce03ae630913289bb78e91411f7c16c5a8a16bf027ece6172218cf42232ac6fc1234eae81fca8703721005ce93a0e4768ab33f3030bb0dbf57f2296406b54c19e4f6e262aeb4eba7015698bddf8e60f1e13c0bd4348b1562f160db7e17e6024fc731a9cf022a916a25e9f52f682626 |
| SignatureAlgorithmOID | 1.2.840.113549.1.1.11 |
| IsCertificateAuthority | False |
| SerialNumber | 0f5b2784032c07b5e63dbba7be59710d |
| Version | 3 |
Certificate 03f1b4e15f3a82f1149678b3d7d8475c
| Field | Value |
|---|---|
| ToBeSigned (TBS) MD5 | 83f5de89f641d0fbf60248e10a7b9534 |
| ToBeSigned (TBS) SHA1 | 382a73a059a08698d6eb98c87e1b36fc750933a4 |
| ToBeSigned (TBS) SHA256 | eec58131dc11cd7f512501b15fdbc6074c603b68ca91f7162d5a042054edb0cf |
| Subject | CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US |
| ValidFrom | 2012-04-18 12:00:00 |
| ValidTo | 2027-04-18 12:00:00 |
| Signature | 19334a0c813337dbad36c9e4c93abbb51b2e7aa2e2f44342179ebf4ea14de1b1dbe981dd9f01f2e488d5e9fe09fd21c1ec5d80d2f0d6c143c2fe772bdbf9d79133ce6cd5b2193be62ed6c9934f88408ecde1f57ef10fc6595672e8eb6a41bd1cd546d57c49ca663815c1bfe091707787dcc98d31c90c29a233ed8de287cd898d3f1bffd5e01a978b7cda6dfba8c6b23a666b7b01b3cdd8a634ec1201ab9558a5c45357a860e6e70212a0b92364a24dbb7c81256421becfee42184397bba53706af4dff26a54d614bec4641b865ceb8799e08960b818c8a3b8fc7998ca32a6e986d5e61c696b78ab9612d93b8eb0e0443d7f5fea6f062d4996aa5c1c1f0649480 |
| SignatureAlgorithmOID | 1.2.840.113549.1.1.11 |
| IsCertificateAuthority | True |
| SerialNumber | 03f1b4e15f3a82f1149678b3d7d8475c |
| Version | 3 |
Imports
Expand
- ntoskrnl.exe
Imported Functions
Expand
- RtlInitUnicodeString
- IofCompleteRequest
- IoCreateDevice
- IoCreateSymbolicLink
- IoDeleteDevice
- IoDeleteSymbolicLink
- PsSetCreateProcessNotifyRoutine
- PsSetLoadImageNotifyRoutine
- PsRemoveLoadImageNotifyRoutine
- KeAcquireInStackQueuedSpinLock
- KeReleaseInStackQueuedSpinLock
- IoGetCurrentProcess
- ObfDereferenceObject
- ObRegisterCallbacks
- ObUnRegisterCallbacks
- ZwClose
- PsGetCurrentProcessId
- PsGetProcessId
- ZwTerminateProcess
- PsLookupProcessByProcessId
- ObOpenObjectByPointer
- PsProcessType
Exported Functions
Expand
Sections
Expand
- .text
- .rdata
- .data
- .pdata
- INIT
- .rsrc
- .reloc
Signature
Expand
{
"Certificates": [
{
"CertificateType": "CA",
"IsCA": true,
"IsCertificateAuthority": true,
"IsCodeSigning": false,
"SerialNumber": "61204db4000000000027",
"Signature": "208cc159ed6f9c6b2dc14a3e751d454c41501cbd80ead9b0928b062a133f53169e56396a8a63b6782479f57db8b947a10a96c2f6cbbda2669f06e1acd279090efd3cdcac020c70af3f1bec787ed4eb4b056026d973619121edb06863e09712ab6fa012edd99fd2da273cb3e456f9d1d4810f71bd427ca689dccdd5bd95a2abf193117de8ac3129a85d6670419dfc75c9d5b31a392ad08505508bac91cac493cb71a59da4946f580cfa6e20c40831b5859d7e81f9d23dca5b18856c0a86ec22091ba574344f7f28bc954aab1db698b05d09a477767eefa78e5d84f61824cbd16da6c3a19cc2107580ff9d32fde6cf433a82f7ce8fe1722a9b62b75fed951a395c2f946d48b7015f332fbbdc2d73348904420a1c8b79f9a3fa17effaa11a10dfe0b2c195eb5c0c05973b353e18884ddb6cbf24898dc8bdd89f7b393a24a0d5dfd1f34a1a97f6a66f7a1fb090a9b3ac013991d361b764f13e573803afce7ad2b590f5aedc3999d5b63c97eda6cb16c77d6b2a4c9094e64c54fd1ecd20ecce689c8758e96160beeb0ec9d5197d9fe978bd0eac2175078fa96ee08c6a2a6b9ce3e765bcbc2d3c6ddc04dc67453632af0481bca8006e614c95c55cd48e8e9f2fc13274bdbd11650307cdefb75e0257da86d41a2834af8849b2cfa5dd82566f68aa14e25954feffeaeeefea9270226081e32523c09fcc0f49b235aa58c33ac3d9169410",
"SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
"Subject": "CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US",
"TBS": {
"MD5": "8e3ffc222fbcebdbb8b23115ab259be7",
"SHA1": "ee20bff28ffe13be731c294c90d6ded5aae0ec0e",
"SHA256": "59826b69bc8c28118c96323b627da59aaca0b142cc5d8bad25a8fcfd399aa821",
"SHA384": "f2dab7e56a33298654924501499487f6ba72c7d9477476a186e1ed7a9be031fade0e35ac09eff5e56bbbab95ae5374e7"
},
"ValidFrom": "2011-04-15 19:45:33",
"ValidTo": "2021-04-15 19:55:33",
"Version": 3
},
{
"CertificateType": "Leaf (Code Signing)",
"IsCA": false,
"IsCertificateAuthority": false,
"IsCodeSigning": true,
"SerialNumber": "0f5b2784032c07b5e63dbba7be59710d",
"Signature": "3839475cba2451802a28f2519d44d484d24a2df89f1c7d38151696702e07ae2af536023585eaed2d7e20824612716b203e0d89af3a92f24ce6c1dcd647fd0130e03305e4da24fd2b98c806cf6514bd22b4b201e98ac64f62bea4efa353a7ab16ae2c59be2acb81565237ff3b2b93ddfc6c6c5844f6b7427ad69c18e4d74da0dc27cde8966c187b823649b3ba707c6f4af1ce03ae630913289bb78e91411f7c16c5a8a16bf027ece6172218cf42232ac6fc1234eae81fca8703721005ce93a0e4768ab33f3030bb0dbf57f2296406b54c19e4f6e262aeb4eba7015698bddf8e60f1e13c0bd4348b1562f160db7e17e6024fc731a9cf022a916a25e9f52f682626",
"SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
"Subject": "CN=Shandong Anzai Information Technology CO.,Ltd.,OU=Development,O=Shandong Anzai Information Technology CO.,Ltd.,L=Jinan,ST=Shandong,C=CN,2.5.4.17=250101,STREET=\u9ad8\u65b0\u533a\u65b0\u6cfa\u5927\u88572008\u53f7\u94f6\u8377\u5927\u53a6C\u5ea7606,2.5.4.5=91370100306819342R,2.5.4.15=Private Organization,1.3.6.1.4.1.311.60.2.1.1=Jinan,1.3.6.1.4.1.311.60.2.1.2=Shandong,1.3.6.1.4.1.311.60.2.1.3=CN",
"TBS": {
"MD5": "7e06eb9487b8718d228134b603f8a59a",
"SHA1": "799d0d1de4e3fd810394cd65a17840827824c95b",
"SHA256": "3c98cac97e5d563a906d7166c3939a991c0d3e30242732567ba6df6befede90c",
"SHA384": "480916146947ecb7567b657d140afb826098880d2415a6d4cbc895c9571ddb85cc5327f5cbfe3f1c8a7f2ae6ed9a3333"
},
"ValidFrom": "2020-04-28 00:00:00",
"ValidTo": "2021-03-22 12:00:00",
"Version": 3
},
{
"CertificateType": "CA",
"IsCA": true,
"IsCertificateAuthority": true,
"IsCodeSigning": true,
"SerialNumber": "03f1b4e15f3a82f1149678b3d7d8475c",
"Signature": "19334a0c813337dbad36c9e4c93abbb51b2e7aa2e2f44342179ebf4ea14de1b1dbe981dd9f01f2e488d5e9fe09fd21c1ec5d80d2f0d6c143c2fe772bdbf9d79133ce6cd5b2193be62ed6c9934f88408ecde1f57ef10fc6595672e8eb6a41bd1cd546d57c49ca663815c1bfe091707787dcc98d31c90c29a233ed8de287cd898d3f1bffd5e01a978b7cda6dfba8c6b23a666b7b01b3cdd8a634ec1201ab9558a5c45357a860e6e70212a0b92364a24dbb7c81256421becfee42184397bba53706af4dff26a54d614bec4641b865ceb8799e08960b818c8a3b8fc7998ca32a6e986d5e61c696b78ab9612d93b8eb0e0443d7f5fea6f062d4996aa5c1c1f0649480",
"SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
"Subject": "CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US",
"TBS": {
"MD5": "83f5de89f641d0fbf60248e10a7b9534",
"SHA1": "382a73a059a08698d6eb98c87e1b36fc750933a4",
"SHA256": "eec58131dc11cd7f512501b15fdbc6074c603b68ca91f7162d5a042054edb0cf",
"SHA384": "4a25018683cabfb8ec2cad136334f37f33c89aa8540326322991d997c8adfb7faf06ab602ebd46630fe75fe3d2edc6b1"
},
"ValidFrom": "2012-04-18 12:00:00",
"ValidTo": "2027-04-18 12:00:00",
"Version": 3
}
],
"CertificatesInfo": "",
"Signer": [
{
"Issuer": "CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US",
"SerialNumber": "0f5b2784032c07b5e63dbba7be59710d",
"Version": 1
}
],
"SignerInfo": ""
}
last_updated: 2026-01-07