cb9f4425-66de-4371-a3df-3aeec1fda65c
Driver_win10.sys 
Description
Kernel driver family observed dropped by Black Basta tooling and adjacent intrusions during 2025. The 55 KB sample is signed by Microsoft Windows Hardware Compatibility Publisher (WHQL attestation), allowing it to load on systems with HVCI enabled. Two additional 44 KB unsigned variants share the same imphash and identical/near-identical authentihashes, indicating the same driver body redistributed without the embedded signature blob. Imports include FltEnumerateFilters and FltUnregisterFilter (minifilter enumeration and unregistration), MmCopyVirtualMemory (cross-process kernel-assisted memory copy), ZwTerminateProcess and ZwOpenProcess (process termination), and KeStackAttachProcess (process attach) — primitives suitable for tamper protection or evasion of endpoint security minifilters.
- UUID: cb9f4425-66de-4371-a3df-3aeec1fda65c
- Created: 2026-05-05
- Author: Michael Haag
- Acknowledgement: Florian Roth | @cyb3rops
This download link contains the vulnerable driver!
Block Driver_win10.sys across your endpoints
Add this driver to your block policy in minutes with MagicSword, threat-driven application control. Free for up to 100 endpoints.
Start Blocking for FreeCommands
sc.exe create Driver_win10 binPath=C:\windows\temp\Driver_win10.sys type=kernel && sc.exe start Driver_win10
| Use Case | Privileges | Operating System |
|---|---|---|
| Elevate privileges | kernel | Windows 10 |
Detections
YARA 🏹
Expand
with header and size limitation
without header and size limitation
for renamed driver files
Resources
Known Vulnerable Samples
| Property | Value |
|---|---|
| Filename | Driver_win10.sys |
| Creation Timestamp | 2025-06-18 19:29:55 |
| MD5 | cb1bec51ceb551bcd522ee61afe3964e |
| SHA1 | 61272df03b1d73a1de814b45d07590b502514828 |
| SHA256 | 70c9f9e8dcbba700e0fc20e6ae9b4c5df98326cf212ac8794fc8ee9a46e948c4 |
| Authentihash MD5 | a9cfee8b982ebb4d8365ec2b8cc84dcf |
| Authentihash SHA1 | 2e8789a0ddc7f03fdc504128e4cc18d4c6cdeda8 |
| Authentihash SHA256 | 76c226cbabd9c94c0cffe915097beb3e9f676b4ae317396206424c60fa209c41 |
| RichPEHeaderHash MD5 | c7e00b2314f85d6949eae89753f822d4 |
| RichPEHeaderHash SHA1 | 54dcf2e584e74c3ed61a10956447ef37cda83be8 |
| RichPEHeaderHash SHA256 | 2bb8bca7d1f1df0773026cfae9d6fc64a34201bb33b6a342edc04d6ff5263fa8 |
Certificates
Expand
Certificate 330000006e1229856f0ade6cfc00000000006e
| Field | Value |
|---|---|
| ToBeSigned (TBS) MD5 | 3066a9830894e57ce6e47f7a6b58b84f |
| ToBeSigned (TBS) SHA1 | ce441ecd2f11e400515a85d5a592da38f950f3dc |
| ToBeSigned (TBS) SHA256 | 3e30a731a3b620db0971ecd743ecd312bcdf14c82b9bdc9918102bacbf70520d |
| Subject | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher |
| ValidFrom | 2024-10-10 19:04:53 |
| ValidTo | 2025-10-08 19:04:53 |
| Signature | 3870e583035a72db64856d80e17833cd3badd24f19abf9a3d7c7485743dd875f69102820df4992d74f8fba0529be4e16f4234910064a3a1863299a29b82d3fac869915a368ec0e5d0127282221bce84db444d2e9974dc2761a2080a7bc7508d7064f32b2d97b0263d0d937527a8af95f18bcb54ec21a453ba35e55869791416a2a8813fcf95e889e65158dbb5b4cba653c989179947d286051ef6b0d56f41da479db08c6b93c44fa5c8399e126594cc53dfa756180607a1dd29559061d828b0ce2c5a462245ed0995a196ad96223b6eb1a787b4d10b5a7d4e3a130750103bc9c713fc8f32015273bb238b15aae25e4765d7ab81c5d3df82ef6a7d3c2e7a61dab024ff02df6876a86ec7198aa6e28c8e69a015129a717b1036113911f0aeefa8d05081974d026196f24bc1e4ef942599fafbd1b2c316bda73237f1822296888df2344c92b08c363976beb7020242b3069e6691f19e715e1d1a19ddc03235263c9bb7b8390145af57603105ced358f394547e3be96718835917234eb7fd7134d9fb605656717ed6b15f0583068c84c6c01abf31cc1df1fe7c4d2935590e6017cf8cc5635e1cd7054240fd0059f168e90ec1a49f24e0f050034d99e4aa6599a64d280d00ea8af57d3125caddb342a0b2c160a2f95d97e6045e69dc1c1b3fa56dfd40380ce60536a59750edf0069dc7c27f8ccc8f073b46d169b8fed1fd40ac6f00c |
| SignatureAlgorithmOID | 1.2.840.113549.1.1.11 |
| IsCertificateAuthority | False |
| SerialNumber | 330000006e1229856f0ade6cfc00000000006e |
| Version | 3 |
Certificate 330000000d690d5d7893d076df00000000000d
| Field | Value |
|---|---|
| ToBeSigned (TBS) MD5 | 83f69422963f11c3c340b81712eef319 |
| ToBeSigned (TBS) SHA1 | 0c5e5f24590b53bc291e28583acb78e5adc95601 |
| ToBeSigned (TBS) SHA256 | d8be9e4d9074088ef818bc6f6fb64955e90378b2754155126feebbbd969cf0ae |
| Subject | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014 |
| ValidFrom | 2014-10-15 20:31:27 |
| ValidTo | 2029-10-15 20:41:27 |
| Signature | 96b5c33b31f27b6ba11f59dd742c3764b1bca093f9f33347e9f95df21d89f4579ee33f10a3595018053b142941b6a70e5b81a2ccbd8442c1c4bed184c2c4bd0c8c47bcbd8886fb5a0896ae2c2fdfbf9366a32b20ca848a6945273f732332936a23e9fffdd918edceffbd6b41738d579cf8b46d499805e6a335a9f07e6e86c06ba8086725afc0998cdba7064d4093188ba959e69914b912178144ac57c3ae8eae947bcb3b8edd7ab4715bba2bc3c7d085234b371277a54a2f7f1ab763b94459ed9230cce47c099212111f52f51e0291a4d7d7e58f8047ff189b7fd19c0671dcf376197790d52a0fbc6c12c4c50c2066f50e2f5093d8cafb7fe556ed09d8a753b1c72a6978dcf05fe74b20b6af63b5e1b15c804e9c7aa91d4df72846782106954d32dd6042e4b61ac4f24636de357302c1b5e55fb92b59457a9243d7c4e963dd368f76c728caa8441be8321a66cde5485c4a0a602b469206609698dcd933d721777f886dac4772daa2466eab64682bd24e98fb35cc7fec3f136d11e5db77edc1c37e1f6a4a14f8b4a721c671866770cdd819a35d1fa09b9a7cc55d4d728e74077fa74d00fcdd682412772a557527cda92c1d8e7c19ee692c9f7425338208db38cc7cc74f6c3a6bc237117872fe55596460333e2edfc42de72cd7fb0a82256fb8d70c84a5e1c4746e2a95329ea0fecdb4188fd33bad32b2b19ab86d0543fbff0d0f |
| SignatureAlgorithmOID | 1.2.840.113549.1.1.11 |
| IsCertificateAuthority | True |
| SerialNumber | 330000000d690d5d7893d076df00000000000d |
| Version | 3 |
Imports
Expand
- FLTMGR.SYS
- fwpkclnt.sys
- ntoskrnl.exe
- WDFLDR.SYS
Imported Functions
Expand
- FltEnumerateFilters
- FltObjectDereference
- FltUnregisterFilter
- FwpsApplyModifiedLayerData0
- FwpsRedirectHandleCreate0
- FwpsQueryConnectionRedirectState0
- FwpsAcquireClassifyHandle0
- FwpsReleaseClassifyHandle0
- FwpsCalloutRegister2
- FwpsAcquireWritableLayerDataPointer0
- MmProbeAndLockPages
- MmUnlockPages
- MmMapLockedPagesSpecifyCache
- IoAllocateMdl
- IoFreeMdl
- MmIsAddressValid
- __C_specific_handler
- MmHighestUserAddress
- RtlInitUnicodeString
- RtlAppendUnicodeToString
- IofCompleteRequest
- IoCreateDevice
- IoCreateSymbolicLink
- IoDeleteDevice
- RtlCompareMemory
- ExFreePoolWithTag
- ProbeForWrite
- PsCreateSystemThread
- IoGetCurrentProcess
- ObfDereferenceObject
- ZwCreateFile
- ZwQueryInformationFile
- ZwClose
- ZwTerminateProcess
- ZwOpenProcess
- KeStackAttachProcess
- KeUnstackDetachProcess
- PsLookupProcessByProcessId
- ZwWaitForSingleObject
- PsGetProcessWow64Process
- ZwQuerySystemInformation
- PsGetProcessPeb
- PsReferenceProcessFilePointer
- MmCopyVirtualMemory
- PsSetLoadImageNotifyRoutine
- KeInitializeSpinLock
- KeAcquireInStackQueuedSpinLock
- ExAllocatePool
- RtlIpv4AddressToStringA
- PsGetProcessId
- PsProcessType
- _wcslwr
- PsGetProcessImageFileName
- RtlInitAnsiString
- RtlAnsiStringToUnicodeString
- RtlUnicodeStringToAnsiString
- RtlFreeUnicodeString
- RtlFreeAnsiString
- _vsnprintf
- _vsnwprintf
- KeEnterCriticalRegion
- KeLeaveCriticalRegion
- ExInitializeResourceLite
- ExAcquireResourceSharedLite
- ExAcquireResourceExclusiveLite
- ExReleaseResourceLite
- ExAllocatePoolWithTag
- ObReferenceObjectByHandle
- ZwSetInformationFile
- ZwReadFile
- ZwWriteFile
- ZwDeleteFile
- IoFileObjectType
- RtlAppendUnicodeStringToString
- RtlGetVersion
- ZwOpenSymbolicLinkObject
- ZwQuerySymbolicLinkObject
- KeInitializeEvent
- KeWaitForSingleObject
- KeQueryTimeIncrement
- RtlRandomEx
- RtlCopyUnicodeString
- MmGetSystemRoutineAddress
- KeBugCheckEx
- wcsstr
- ExSystemTimeToLocalTime
- RtlTimeToTimeFields
- PsSetCreateProcessNotifyRoutine
- KeReleaseInStackQueuedSpinLock
- WdfVersionUnbindClass
- WdfVersionBindClass
- WdfVersionUnbind
- WdfVersionBind
Exported Functions
Expand
Sections
Expand
- .text
- .rdata
- .data
- .pdata
- .gfids
- INIT
- .reloc
Signature
Expand
{
"Certificates": [
{
"CertificateType": "Leaf (Code Signing)",
"IsCA": false,
"IsCertificateAuthority": false,
"IsCodeSigning": true,
"SerialNumber": "330000006e1229856f0ade6cfc00000000006e",
"Signature": "3870e583035a72db64856d80e17833cd3badd24f19abf9a3d7c7485743dd875f69102820df4992d74f8fba0529be4e16f4234910064a3a1863299a29b82d3fac869915a368ec0e5d0127282221bce84db444d2e9974dc2761a2080a7bc7508d7064f32b2d97b0263d0d937527a8af95f18bcb54ec21a453ba35e55869791416a2a8813fcf95e889e65158dbb5b4cba653c989179947d286051ef6b0d56f41da479db08c6b93c44fa5c8399e126594cc53dfa756180607a1dd29559061d828b0ce2c5a462245ed0995a196ad96223b6eb1a787b4d10b5a7d4e3a130750103bc9c713fc8f32015273bb238b15aae25e4765d7ab81c5d3df82ef6a7d3c2e7a61dab024ff02df6876a86ec7198aa6e28c8e69a015129a717b1036113911f0aeefa8d05081974d026196f24bc1e4ef942599fafbd1b2c316bda73237f1822296888df2344c92b08c363976beb7020242b3069e6691f19e715e1d1a19ddc03235263c9bb7b8390145af57603105ced358f394547e3be96718835917234eb7fd7134d9fb605656717ed6b15f0583068c84c6c01abf31cc1df1fe7c4d2935590e6017cf8cc5635e1cd7054240fd0059f168e90ec1a49f24e0f050034d99e4aa6599a64d280d00ea8af57d3125caddb342a0b2c160a2f95d97e6045e69dc1c1b3fa56dfd40380ce60536a59750edf0069dc7c27f8ccc8f073b46d169b8fed1fd40ac6f00c",
"SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
"Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher",
"TBS": {
"MD5": "3066a9830894e57ce6e47f7a6b58b84f",
"SHA1": "ce441ecd2f11e400515a85d5a592da38f950f3dc",
"SHA256": "3e30a731a3b620db0971ecd743ecd312bcdf14c82b9bdc9918102bacbf70520d",
"SHA384": "68c6537d64e3a4f02a2c1d04257c13ab1def23c9c54bafc434176be50a411a75c118c9f8edc81f97b8a1db2dc1d009e3"
},
"ValidFrom": "2024-10-10 19:04:53",
"ValidTo": "2025-10-08 19:04:53",
"Version": 3
},
{
"CertificateType": "CA",
"IsCA": true,
"IsCertificateAuthority": true,
"IsCodeSigning": false,
"SerialNumber": "330000000d690d5d7893d076df00000000000d",
"Signature": "96b5c33b31f27b6ba11f59dd742c3764b1bca093f9f33347e9f95df21d89f4579ee33f10a3595018053b142941b6a70e5b81a2ccbd8442c1c4bed184c2c4bd0c8c47bcbd8886fb5a0896ae2c2fdfbf9366a32b20ca848a6945273f732332936a23e9fffdd918edceffbd6b41738d579cf8b46d499805e6a335a9f07e6e86c06ba8086725afc0998cdba7064d4093188ba959e69914b912178144ac57c3ae8eae947bcb3b8edd7ab4715bba2bc3c7d085234b371277a54a2f7f1ab763b94459ed9230cce47c099212111f52f51e0291a4d7d7e58f8047ff189b7fd19c0671dcf376197790d52a0fbc6c12c4c50c2066f50e2f5093d8cafb7fe556ed09d8a753b1c72a6978dcf05fe74b20b6af63b5e1b15c804e9c7aa91d4df72846782106954d32dd6042e4b61ac4f24636de357302c1b5e55fb92b59457a9243d7c4e963dd368f76c728caa8441be8321a66cde5485c4a0a602b469206609698dcd933d721777f886dac4772daa2466eab64682bd24e98fb35cc7fec3f136d11e5db77edc1c37e1f6a4a14f8b4a721c671866770cdd819a35d1fa09b9a7cc55d4d728e74077fa74d00fcdd682412772a557527cda92c1d8e7c19ee692c9f7425338208db38cc7cc74f6c3a6bc237117872fe55596460333e2edfc42de72cd7fb0a82256fb8d70c84a5e1c4746e2a95329ea0fecdb4188fd33bad32b2b19ab86d0543fbff0d0f",
"SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
"Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014",
"TBS": {
"MD5": "83f69422963f11c3c340b81712eef319",
"SHA1": "0c5e5f24590b53bc291e28583acb78e5adc95601",
"SHA256": "d8be9e4d9074088ef818bc6f6fb64955e90378b2754155126feebbbd969cf0ae",
"SHA384": "260ad59ba706420f68ba212931153bd89f760c464b21be55fba9d014fff322407859d4ebfb78ea9a3330f60dc9821a63"
},
"ValidFrom": "2014-10-15 20:31:27",
"ValidTo": "2029-10-15 20:41:27",
"Version": 3
}
],
"CertificatesInfo": "",
"Signer": [
{
"Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014",
"SerialNumber": "330000006e1229856f0ade6cfc00000000006e",
"Version": 1
}
],
"SignerInfo": ""
}
| Property | Value |
|---|---|
| Filename | Driver_win10.sys |
| Creation Timestamp | 2025-06-18 19:29:55 |
| MD5 | f05ed5805c259c3c770db028188b1e75 |
| SHA1 | 02fbacd721a7da543f73257ee1b6668dd10aec9a |
| SHA256 | c4179ed787aab61dc99879e87e1155003c5438cf683455b1230959f55296579d |
| Authentihash MD5 | a9cfee8b982ebb4d8365ec2b8cc84dcf |
| Authentihash SHA1 | 2e8789a0ddc7f03fdc504128e4cc18d4c6cdeda8 |
| Authentihash SHA256 | 76c226cbabd9c94c0cffe915097beb3e9f676b4ae317396206424c60fa209c41 |
| RichPEHeaderHash MD5 | c7e00b2314f85d6949eae89753f822d4 |
| RichPEHeaderHash SHA1 | 54dcf2e584e74c3ed61a10956447ef37cda83be8 |
| RichPEHeaderHash SHA256 | 2bb8bca7d1f1df0773026cfae9d6fc64a34201bb33b6a342edc04d6ff5263fa8 |
Imports
Expand
- FLTMGR.SYS
- fwpkclnt.sys
- ntoskrnl.exe
- WDFLDR.SYS
Imported Functions
Expand
- FltEnumerateFilters
- FltObjectDereference
- FltUnregisterFilter
- FwpsApplyModifiedLayerData0
- FwpsRedirectHandleCreate0
- FwpsQueryConnectionRedirectState0
- FwpsAcquireClassifyHandle0
- FwpsReleaseClassifyHandle0
- FwpsCalloutRegister2
- FwpsAcquireWritableLayerDataPointer0
- MmProbeAndLockPages
- MmUnlockPages
- MmMapLockedPagesSpecifyCache
- IoAllocateMdl
- IoFreeMdl
- MmIsAddressValid
- __C_specific_handler
- MmHighestUserAddress
- RtlInitUnicodeString
- RtlAppendUnicodeToString
- IofCompleteRequest
- IoCreateDevice
- IoCreateSymbolicLink
- IoDeleteDevice
- RtlCompareMemory
- ExFreePoolWithTag
- ProbeForWrite
- PsCreateSystemThread
- IoGetCurrentProcess
- ObfDereferenceObject
- ZwCreateFile
- ZwQueryInformationFile
- ZwClose
- ZwTerminateProcess
- ZwOpenProcess
- KeStackAttachProcess
- KeUnstackDetachProcess
- PsLookupProcessByProcessId
- ZwWaitForSingleObject
- PsGetProcessWow64Process
- ZwQuerySystemInformation
- PsGetProcessPeb
- PsReferenceProcessFilePointer
- MmCopyVirtualMemory
- PsSetLoadImageNotifyRoutine
- KeInitializeSpinLock
- KeAcquireInStackQueuedSpinLock
- ExAllocatePool
- RtlIpv4AddressToStringA
- PsGetProcessId
- PsProcessType
- _wcslwr
- PsGetProcessImageFileName
- RtlInitAnsiString
- RtlAnsiStringToUnicodeString
- RtlUnicodeStringToAnsiString
- RtlFreeUnicodeString
- RtlFreeAnsiString
- _vsnprintf
- _vsnwprintf
- KeEnterCriticalRegion
- KeLeaveCriticalRegion
- ExInitializeResourceLite
- ExAcquireResourceSharedLite
- ExAcquireResourceExclusiveLite
- ExReleaseResourceLite
- ExAllocatePoolWithTag
- ObReferenceObjectByHandle
- ZwSetInformationFile
- ZwReadFile
- ZwWriteFile
- ZwDeleteFile
- IoFileObjectType
- RtlAppendUnicodeStringToString
- RtlGetVersion
- ZwOpenSymbolicLinkObject
- ZwQuerySymbolicLinkObject
- KeInitializeEvent
- KeWaitForSingleObject
- KeQueryTimeIncrement
- RtlRandomEx
- RtlCopyUnicodeString
- MmGetSystemRoutineAddress
- KeBugCheckEx
- wcsstr
- ExSystemTimeToLocalTime
- RtlTimeToTimeFields
- PsSetCreateProcessNotifyRoutine
- KeReleaseInStackQueuedSpinLock
- WdfVersionUnbindClass
- WdfVersionBindClass
- WdfVersionUnbind
- WdfVersionBind
Exported Functions
Expand
Sections
Expand
- .text
- .rdata
- .data
- .pdata
- .gfids
- INIT
- .reloc
Signature
Expand
{
"Certificates": [
{
"CertificateType": "Leaf (Code Signing)",
"IsCA": false,
"IsCertificateAuthority": false,
"IsCodeSigning": true,
"SerialNumber": "330000006e1229856f0ade6cfc00000000006e",
"Signature": "3870e583035a72db64856d80e17833cd3badd24f19abf9a3d7c7485743dd875f69102820df4992d74f8fba0529be4e16f4234910064a3a1863299a29b82d3fac869915a368ec0e5d0127282221bce84db444d2e9974dc2761a2080a7bc7508d7064f32b2d97b0263d0d937527a8af95f18bcb54ec21a453ba35e55869791416a2a8813fcf95e889e65158dbb5b4cba653c989179947d286051ef6b0d56f41da479db08c6b93c44fa5c8399e126594cc53dfa756180607a1dd29559061d828b0ce2c5a462245ed0995a196ad96223b6eb1a787b4d10b5a7d4e3a130750103bc9c713fc8f32015273bb238b15aae25e4765d7ab81c5d3df82ef6a7d3c2e7a61dab024ff02df6876a86ec7198aa6e28c8e69a015129a717b1036113911f0aeefa8d05081974d026196f24bc1e4ef942599fafbd1b2c316bda73237f1822296888df2344c92b08c363976beb7020242b3069e6691f19e715e1d1a19ddc03235263c9bb7b8390145af57603105ced358f394547e3be96718835917234eb7fd7134d9fb605656717ed6b15f0583068c84c6c01abf31cc1df1fe7c4d2935590e6017cf8cc5635e1cd7054240fd0059f168e90ec1a49f24e0f050034d99e4aa6599a64d280d00ea8af57d3125caddb342a0b2c160a2f95d97e6045e69dc1c1b3fa56dfd40380ce60536a59750edf0069dc7c27f8ccc8f073b46d169b8fed1fd40ac6f00c",
"SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
"Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher",
"TBS": {
"MD5": "3066a9830894e57ce6e47f7a6b58b84f",
"SHA1": "ce441ecd2f11e400515a85d5a592da38f950f3dc",
"SHA256": "3e30a731a3b620db0971ecd743ecd312bcdf14c82b9bdc9918102bacbf70520d",
"SHA384": "68c6537d64e3a4f02a2c1d04257c13ab1def23c9c54bafc434176be50a411a75c118c9f8edc81f97b8a1db2dc1d009e3"
},
"ValidFrom": "2024-10-10 19:04:53",
"ValidTo": "2025-10-08 19:04:53",
"Version": 3
},
{
"CertificateType": "CA",
"IsCA": true,
"IsCertificateAuthority": true,
"IsCodeSigning": false,
"SerialNumber": "330000000d690d5d7893d076df00000000000d",
"Signature": "96b5c33b31f27b6ba11f59dd742c3764b1bca093f9f33347e9f95df21d89f4579ee33f10a3595018053b142941b6a70e5b81a2ccbd8442c1c4bed184c2c4bd0c8c47bcbd8886fb5a0896ae2c2fdfbf9366a32b20ca848a6945273f732332936a23e9fffdd918edceffbd6b41738d579cf8b46d499805e6a335a9f07e6e86c06ba8086725afc0998cdba7064d4093188ba959e69914b912178144ac57c3ae8eae947bcb3b8edd7ab4715bba2bc3c7d085234b371277a54a2f7f1ab763b94459ed9230cce47c099212111f52f51e0291a4d7d7e58f8047ff189b7fd19c0671dcf376197790d52a0fbc6c12c4c50c2066f50e2f5093d8cafb7fe556ed09d8a753b1c72a6978dcf05fe74b20b6af63b5e1b15c804e9c7aa91d4df72846782106954d32dd6042e4b61ac4f24636de357302c1b5e55fb92b59457a9243d7c4e963dd368f76c728caa8441be8321a66cde5485c4a0a602b469206609698dcd933d721777f886dac4772daa2466eab64682bd24e98fb35cc7fec3f136d11e5db77edc1c37e1f6a4a14f8b4a721c671866770cdd819a35d1fa09b9a7cc55d4d728e74077fa74d00fcdd682412772a557527cda92c1d8e7c19ee692c9f7425338208db38cc7cc74f6c3a6bc237117872fe55596460333e2edfc42de72cd7fb0a82256fb8d70c84a5e1c4746e2a95329ea0fecdb4188fd33bad32b2b19ab86d0543fbff0d0f",
"SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
"Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014",
"TBS": {
"MD5": "83f69422963f11c3c340b81712eef319",
"SHA1": "0c5e5f24590b53bc291e28583acb78e5adc95601",
"SHA256": "d8be9e4d9074088ef818bc6f6fb64955e90378b2754155126feebbbd969cf0ae",
"SHA384": "260ad59ba706420f68ba212931153bd89f760c464b21be55fba9d014fff322407859d4ebfb78ea9a3330f60dc9821a63"
},
"ValidFrom": "2014-10-15 20:31:27",
"ValidTo": "2029-10-15 20:41:27",
"Version": 3
}
],
"CertificatesInfo": "",
"Signer": [
{
"Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014",
"SerialNumber": "330000006e1229856f0ade6cfc00000000006e",
"Version": 1
}
],
"SignerInfo": ""
}
| Property | Value |
|---|---|
| Filename | Filter.sys |
| Creation Timestamp | 2025-06-09 21:27:35 |
| MD5 | 16371565c1ee97f68ba76fb78e6620e7 |
| SHA1 | 1a55b45735ce928ce2df94d4cc2a536da1ee55c7 |
| SHA256 | 97550af2414d6c9b70d67b2142b6711e98289483cec3f788192096638c2dda51 |
| Authentihash MD5 | 7c5bc42ef26e05034b8b4a3fd8db68c7 |
| Authentihash SHA1 | 11d884eb05c317b2f655a2d9240f1b331fbf9637 |
| Authentihash SHA256 | 3daf472b3315397d8494994288b36b14f4eceac012356d3b2032e1fbc9c6a3cc |
| RichPEHeaderHash MD5 | c7e00b2314f85d6949eae89753f822d4 |
| RichPEHeaderHash SHA1 | 54dcf2e584e74c3ed61a10956447ef37cda83be8 |
| RichPEHeaderHash SHA256 | 2bb8bca7d1f1df0773026cfae9d6fc64a34201bb33b6a342edc04d6ff5263fa8 |
Imports
Expand
- FLTMGR.SYS
- fwpkclnt.sys
- ntoskrnl.exe
- WDFLDR.SYS
Imported Functions
Expand
- FltEnumerateFilters
- FltObjectDereference
- FltUnregisterFilter
- FwpsApplyModifiedLayerData0
- FwpsRedirectHandleCreate0
- FwpsQueryConnectionRedirectState0
- FwpsAcquireClassifyHandle0
- FwpsReleaseClassifyHandle0
- FwpsCalloutRegister2
- FwpsAcquireWritableLayerDataPointer0
- MmProbeAndLockPages
- MmUnlockPages
- MmMapLockedPagesSpecifyCache
- IoAllocateMdl
- IoFreeMdl
- MmIsAddressValid
- __C_specific_handler
- MmHighestUserAddress
- RtlInitUnicodeString
- RtlAppendUnicodeToString
- IofCompleteRequest
- IoCreateDevice
- IoCreateSymbolicLink
- IoDeleteDevice
- RtlCompareMemory
- ExFreePoolWithTag
- ProbeForWrite
- PsCreateSystemThread
- IoGetCurrentProcess
- ObfDereferenceObject
- ZwCreateFile
- ZwQueryInformationFile
- ZwClose
- ZwTerminateProcess
- ZwOpenProcess
- KeStackAttachProcess
- KeUnstackDetachProcess
- PsLookupProcessByProcessId
- ZwWaitForSingleObject
- PsGetProcessWow64Process
- ZwQuerySystemInformation
- PsGetProcessPeb
- PsReferenceProcessFilePointer
- MmCopyVirtualMemory
- PsSetLoadImageNotifyRoutine
- KeInitializeSpinLock
- KeAcquireInStackQueuedSpinLock
- ExAllocatePool
- RtlIpv4AddressToStringA
- PsGetProcessId
- PsProcessType
- _wcslwr
- PsGetProcessImageFileName
- RtlInitAnsiString
- RtlAnsiStringToUnicodeString
- RtlUnicodeStringToAnsiString
- RtlFreeUnicodeString
- RtlFreeAnsiString
- _vsnprintf
- _vsnwprintf
- KeEnterCriticalRegion
- KeLeaveCriticalRegion
- ExInitializeResourceLite
- ExAcquireResourceSharedLite
- ExAcquireResourceExclusiveLite
- ExReleaseResourceLite
- ExAllocatePoolWithTag
- ObReferenceObjectByHandle
- ZwSetInformationFile
- ZwReadFile
- ZwWriteFile
- ZwDeleteFile
- IoFileObjectType
- RtlAppendUnicodeStringToString
- RtlGetVersion
- ZwOpenSymbolicLinkObject
- ZwQuerySymbolicLinkObject
- KeInitializeEvent
- KeWaitForSingleObject
- KeQueryTimeIncrement
- RtlRandomEx
- RtlCopyUnicodeString
- MmGetSystemRoutineAddress
- KeBugCheckEx
- wcsstr
- ExSystemTimeToLocalTime
- RtlTimeToTimeFields
- PsSetCreateProcessNotifyRoutine
- KeReleaseInStackQueuedSpinLock
- WdfVersionUnbindClass
- WdfVersionBindClass
- WdfVersionUnbind
- WdfVersionBind
Exported Functions
Expand
Sections
Expand
- .text
- .rdata
- .data
- .pdata
- .gfids
- INIT
- .reloc
Signature
Expand
{
"Certificates": [
{
"CertificateType": "Leaf (Code Signing)",
"IsCA": false,
"IsCertificateAuthority": false,
"IsCodeSigning": true,
"SerialNumber": "330000006e1229856f0ade6cfc00000000006e",
"Signature": "3870e583035a72db64856d80e17833cd3badd24f19abf9a3d7c7485743dd875f69102820df4992d74f8fba0529be4e16f4234910064a3a1863299a29b82d3fac869915a368ec0e5d0127282221bce84db444d2e9974dc2761a2080a7bc7508d7064f32b2d97b0263d0d937527a8af95f18bcb54ec21a453ba35e55869791416a2a8813fcf95e889e65158dbb5b4cba653c989179947d286051ef6b0d56f41da479db08c6b93c44fa5c8399e126594cc53dfa756180607a1dd29559061d828b0ce2c5a462245ed0995a196ad96223b6eb1a787b4d10b5a7d4e3a130750103bc9c713fc8f32015273bb238b15aae25e4765d7ab81c5d3df82ef6a7d3c2e7a61dab024ff02df6876a86ec7198aa6e28c8e69a015129a717b1036113911f0aeefa8d05081974d026196f24bc1e4ef942599fafbd1b2c316bda73237f1822296888df2344c92b08c363976beb7020242b3069e6691f19e715e1d1a19ddc03235263c9bb7b8390145af57603105ced358f394547e3be96718835917234eb7fd7134d9fb605656717ed6b15f0583068c84c6c01abf31cc1df1fe7c4d2935590e6017cf8cc5635e1cd7054240fd0059f168e90ec1a49f24e0f050034d99e4aa6599a64d280d00ea8af57d3125caddb342a0b2c160a2f95d97e6045e69dc1c1b3fa56dfd40380ce60536a59750edf0069dc7c27f8ccc8f073b46d169b8fed1fd40ac6f00c",
"SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
"Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher",
"TBS": {
"MD5": "3066a9830894e57ce6e47f7a6b58b84f",
"SHA1": "ce441ecd2f11e400515a85d5a592da38f950f3dc",
"SHA256": "3e30a731a3b620db0971ecd743ecd312bcdf14c82b9bdc9918102bacbf70520d",
"SHA384": "68c6537d64e3a4f02a2c1d04257c13ab1def23c9c54bafc434176be50a411a75c118c9f8edc81f97b8a1db2dc1d009e3"
},
"ValidFrom": "2024-10-10 19:04:53",
"ValidTo": "2025-10-08 19:04:53",
"Version": 3
},
{
"CertificateType": "CA",
"IsCA": true,
"IsCertificateAuthority": true,
"IsCodeSigning": false,
"SerialNumber": "330000000d690d5d7893d076df00000000000d",
"Signature": "96b5c33b31f27b6ba11f59dd742c3764b1bca093f9f33347e9f95df21d89f4579ee33f10a3595018053b142941b6a70e5b81a2ccbd8442c1c4bed184c2c4bd0c8c47bcbd8886fb5a0896ae2c2fdfbf9366a32b20ca848a6945273f732332936a23e9fffdd918edceffbd6b41738d579cf8b46d499805e6a335a9f07e6e86c06ba8086725afc0998cdba7064d4093188ba959e69914b912178144ac57c3ae8eae947bcb3b8edd7ab4715bba2bc3c7d085234b371277a54a2f7f1ab763b94459ed9230cce47c099212111f52f51e0291a4d7d7e58f8047ff189b7fd19c0671dcf376197790d52a0fbc6c12c4c50c2066f50e2f5093d8cafb7fe556ed09d8a753b1c72a6978dcf05fe74b20b6af63b5e1b15c804e9c7aa91d4df72846782106954d32dd6042e4b61ac4f24636de357302c1b5e55fb92b59457a9243d7c4e963dd368f76c728caa8441be8321a66cde5485c4a0a602b469206609698dcd933d721777f886dac4772daa2466eab64682bd24e98fb35cc7fec3f136d11e5db77edc1c37e1f6a4a14f8b4a721c671866770cdd819a35d1fa09b9a7cc55d4d728e74077fa74d00fcdd682412772a557527cda92c1d8e7c19ee692c9f7425338208db38cc7cc74f6c3a6bc237117872fe55596460333e2edfc42de72cd7fb0a82256fb8d70c84a5e1c4746e2a95329ea0fecdb4188fd33bad32b2b19ab86d0543fbff0d0f",
"SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
"Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014",
"TBS": {
"MD5": "83f69422963f11c3c340b81712eef319",
"SHA1": "0c5e5f24590b53bc291e28583acb78e5adc95601",
"SHA256": "d8be9e4d9074088ef818bc6f6fb64955e90378b2754155126feebbbd969cf0ae",
"SHA384": "260ad59ba706420f68ba212931153bd89f760c464b21be55fba9d014fff322407859d4ebfb78ea9a3330f60dc9821a63"
},
"ValidFrom": "2014-10-15 20:31:27",
"ValidTo": "2029-10-15 20:41:27",
"Version": 3
}
],
"CertificatesInfo": "",
"Signer": [
{
"Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014",
"SerialNumber": "330000006e1229856f0ade6cfc00000000006e",
"Version": 1
}
],
"SignerInfo": ""
}
last_updated: 2026-06-16