1aeb1205-8b02-42b6-a563-b953ea337c19

Tmel.sys :inline

Description

Confirmed vulnerable driver from Microsoft Block List

  • UUID: 1aeb1205-8b02-42b6-a563-b953ea337c19
  • Created: 2023-07-22
  • Author: Michael Haag
  • Acknowledgement: |

DownloadBlock

Use CasePrivilegesOperating System
Elevate privilegeskernelWindows

Detections

YARA 🏹

Expand

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://gist.github.com/mgraeber-rc/1bde6a2a83237f17b463d051d32e802c

    • CVE

    • Known Vulnerable Samples

    PropertyValue
    Filename
    Creation Timestamp2015-05-08 00:06:46
    MD5d052dc4ac3c5bfe34f04abc62a153847
    SHA16eece018896c250f15f778f0ccae667f315b8bd1
    SHA256dd628061d6e53f3f0b44f409ad914b3494c5d7b5ff6ff0e8fc3161aacec93e96
    Authentihash MD59452955f95c4dde4370d5ea363a86400
    Authentihash SHA147d918b63158a297c44e3e8bbe1d2f99900e7fef
    Authentihash SHA2563de38ef40dbda07a537a7e48cb5d59dbd17bf27d5d399b32df737cd67c0cdb25
    RichPEHeaderHash MD55e73d8474cb1757ee6566d0416cc7aea
    RichPEHeaderHash SHA1631a45aea3207ad70ac96c80e6c1e28d87b7a982
    RichPEHeaderHash SHA2565e23e66bee07280a49103359030aa43aa4171df8887676fb7c75fa741496736d
    CompanyTrend Micro Inc.
    DescriptionTrendMicro ELAM Driver
    ProductTrend Micro Early Launch Anti-Malware Driver
    OriginalFilenameTmel.sys

    Download

    Certificates

    Expand
    Certificate 330000000a35c02110041db90300000000000a
    FieldValue
    ToBeSigned (TBS) MD53d599ae8f2823b242ef0b42a48eb116c
    ToBeSigned (TBS) SHA187d1616058dae44dd602ab9acd4ac4e736bbd451
    ToBeSigned (TBS) SHA256eda5653cc4fffbaeded2567b92aa03abb6c60ade2da823b8a07d826e0856c0af
    SubjectC=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=MOPR, CN=Microsoft Windows Early Launch Anti,malware Publisher
    ValidFrom2015-01-14 21:31:10
    ValidTo2016-04-14 21:31:10
    Signature18c72a193d7efedccdf640d0a9c0ff2e9fa9b7b1dc3ac28ea90d33df3ab44670eab692d7c90e5dfa97ea674905adf1578f2d14a6085d2904c8812991ccec229b9dd2f11516f894517e97c201eff48c998ccf6b5d7a0efd07190ab33927be386d62acaaf5b73f4f891af0ef8002648737e57e62e9798e097aacced862778b51cc92357e090203fe6cd2322b82c6bde16dfaf6e598d05b1a352263da413a766038e665108701d6ac7efbe7ec04785a4b4f99a46583d724a09440d4752fb3d40c3565b3d03d37234f1bed4e3ae0c59160650f38aef29d3cf6a920ab86040f09e9f8087e9a89d8c443b3916d87479c352fdb44982f4799753df5e754434759545b1624ebef4794fffc2e2c8957fa370cee7790da87b3dfec3750a9a4a3780454299766c8a77670511082c4765b75be6a94a43113f58e22dac6440a102faf25f10dcd021f2e25b311b641c635b3ae5d9f7f63b342feaa02159be5bb63f09327162a523029df7f44fa36f0665708523b63678748d09ddbe1298817549b9f600a42e2249b654b94276ac16a843f18d1531c0a8512ebdf0a8f8238529bfbf5587542d6cc038e7a5abc9d39d09f455f8f078ab1d26d57bf16eebfd1eb8ed9bf49da61ff138b362abb0a22718c322aada6bd26c1059ba8ebae619c15ddad5496d2a424c975bcc26cfded04ddb3d0f23342882b3bc97602329639df471c2541222b768127f8
    SignatureAlgorithmOID1.2.840.113549.1.1.11
    IsCertificateAuthorityFalse
    SerialNumber330000000a35c02110041db90300000000000a
    Version3
    Certificate 330000000d690d5d7893d076df00000000000d
    FieldValue
    ToBeSigned (TBS) MD583f69422963f11c3c340b81712eef319
    ToBeSigned (TBS) SHA10c5e5f24590b53bc291e28583acb78e5adc95601
    ToBeSigned (TBS) SHA256d8be9e4d9074088ef818bc6f6fb64955e90378b2754155126feebbbd969cf0ae
    SubjectC=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014
    ValidFrom2014-10-15 20:31:27
    ValidTo2029-10-15 20:41:27
    Signature96b5c33b31f27b6ba11f59dd742c3764b1bca093f9f33347e9f95df21d89f4579ee33f10a3595018053b142941b6a70e5b81a2ccbd8442c1c4bed184c2c4bd0c8c47bcbd8886fb5a0896ae2c2fdfbf9366a32b20ca848a6945273f732332936a23e9fffdd918edceffbd6b41738d579cf8b46d499805e6a335a9f07e6e86c06ba8086725afc0998cdba7064d4093188ba959e69914b912178144ac57c3ae8eae947bcb3b8edd7ab4715bba2bc3c7d085234b371277a54a2f7f1ab763b94459ed9230cce47c099212111f52f51e0291a4d7d7e58f8047ff189b7fd19c0671dcf376197790d52a0fbc6c12c4c50c2066f50e2f5093d8cafb7fe556ed09d8a753b1c72a6978dcf05fe74b20b6af63b5e1b15c804e9c7aa91d4df72846782106954d32dd6042e4b61ac4f24636de357302c1b5e55fb92b59457a9243d7c4e963dd368f76c728caa8441be8321a66cde5485c4a0a602b469206609698dcd933d721777f886dac4772daa2466eab64682bd24e98fb35cc7fec3f136d11e5db77edc1c37e1f6a4a14f8b4a721c671866770cdd819a35d1fa09b9a7cc55d4d728e74077fa74d00fcdd682412772a557527cda92c1d8e7c19ee692c9f7425338208db38cc7cc74f6c3a6bc237117872fe55596460333e2edfc42de72cd7fb0a82256fb8d70c84a5e1c4746e2a95329ea0fecdb4188fd33bad32b2b19ab86d0543fbff0d0f
    SignatureAlgorithmOID1.2.840.113549.1.1.11
    IsCertificateAuthorityTrue
    SerialNumber330000000d690d5d7893d076df00000000000d
    Version3

    Imports

    Expand
    • ntoskrnl.exe
    • tbs.sys

    Imported Functions

    Expand
    • ExAllocatePoolWithTag
    • ExFreePoolWithTag
    • _purecall
    • strncpy
    • wcsncpy
    • RtlInitUnicodeString
    • RtlEqualUnicodeString
    • DbgPrint
    • KeQuerySystemTime
    • ZwClose
    • ZwOpenKey
    • ZwQueryValueKey
    • ZwSetValueKey
    • memcpy
    • memset
    • KeInitializeEvent
    • KeWaitForSingleObject
    • IoBuildDeviceIoControlRequest
    • IofCallDriver
    • IofCompleteRequest
    • IoGetDeviceObjectPointer
    • ObfDereferenceObject
    • IoRegisterBootDriverCallback
    • IoUnregisterBootDriverCallback
    • _stricmp
    • MmIsAddressValid
    • RtlImageNtHeader
    • ZwQuerySystemInformation
    • wcsncmp
    • memcmp
    • RtlUnwind
    • Tbsi_Revoke_Attestation

    Exported Functions

    Expand

    Sections

    Expand
    • .text
    • .rdata
    • .data
    • INIT
    • .rsrc
    • .reloc

    Signature

    Expand
    {
  "Certificates": [
    {
      "IsCertificateAuthority": false,
      "SerialNumber": "330000000a35c02110041db90300000000000a",
      "Signature": "18c72a193d7efedccdf640d0a9c0ff2e9fa9b7b1dc3ac28ea90d33df3ab44670eab692d7c90e5dfa97ea674905adf1578f2d14a6085d2904c8812991ccec229b9dd2f11516f894517e97c201eff48c998ccf6b5d7a0efd07190ab33927be386d62acaaf5b73f4f891af0ef8002648737e57e62e9798e097aacced862778b51cc92357e090203fe6cd2322b82c6bde16dfaf6e598d05b1a352263da413a766038e665108701d6ac7efbe7ec04785a4b4f99a46583d724a09440d4752fb3d40c3565b3d03d37234f1bed4e3ae0c59160650f38aef29d3cf6a920ab86040f09e9f8087e9a89d8c443b3916d87479c352fdb44982f4799753df5e754434759545b1624ebef4794fffc2e2c8957fa370cee7790da87b3dfec3750a9a4a3780454299766c8a77670511082c4765b75be6a94a43113f58e22dac6440a102faf25f10dcd021f2e25b311b641c635b3ae5d9f7f63b342feaa02159be5bb63f09327162a523029df7f44fa36f0665708523b63678748d09ddbe1298817549b9f600a42e2249b654b94276ac16a843f18d1531c0a8512ebdf0a8f8238529bfbf5587542d6cc038e7a5abc9d39d09f455f8f078ab1d26d57bf16eebfd1eb8ed9bf49da61ff138b362abb0a22718c322aada6bd26c1059ba8ebae619c15ddad5496d2a424c975bcc26cfded04ddb3d0f23342882b3bc97602329639df471c2541222b768127f8",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
      "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=MOPR, CN=Microsoft Windows Early Launch Anti,malware Publisher",
      "TBS": {
        "MD5": "3d599ae8f2823b242ef0b42a48eb116c",
        "SHA1": "87d1616058dae44dd602ab9acd4ac4e736bbd451",
        "SHA256": "eda5653cc4fffbaeded2567b92aa03abb6c60ade2da823b8a07d826e0856c0af",
        "SHA384": "f3d5d7e6a53e96d5c44b92c6bd81d71c6ffaf0ed77c13229adb301bc10ba7c2d5afde3d6a5eb553244666b0ce9ec68af"
      },
      "ValidFrom": "2015-01-14 21:31:10",
      "ValidTo": "2016-04-14 21:31:10",
      "Version": 3
    },
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "330000000d690d5d7893d076df00000000000d",
      "Signature": "96b5c33b31f27b6ba11f59dd742c3764b1bca093f9f33347e9f95df21d89f4579ee33f10a3595018053b142941b6a70e5b81a2ccbd8442c1c4bed184c2c4bd0c8c47bcbd8886fb5a0896ae2c2fdfbf9366a32b20ca848a6945273f732332936a23e9fffdd918edceffbd6b41738d579cf8b46d499805e6a335a9f07e6e86c06ba8086725afc0998cdba7064d4093188ba959e69914b912178144ac57c3ae8eae947bcb3b8edd7ab4715bba2bc3c7d085234b371277a54a2f7f1ab763b94459ed9230cce47c099212111f52f51e0291a4d7d7e58f8047ff189b7fd19c0671dcf376197790d52a0fbc6c12c4c50c2066f50e2f5093d8cafb7fe556ed09d8a753b1c72a6978dcf05fe74b20b6af63b5e1b15c804e9c7aa91d4df72846782106954d32dd6042e4b61ac4f24636de357302c1b5e55fb92b59457a9243d7c4e963dd368f76c728caa8441be8321a66cde5485c4a0a602b469206609698dcd933d721777f886dac4772daa2466eab64682bd24e98fb35cc7fec3f136d11e5db77edc1c37e1f6a4a14f8b4a721c671866770cdd819a35d1fa09b9a7cc55d4d728e74077fa74d00fcdd682412772a557527cda92c1d8e7c19ee692c9f7425338208db38cc7cc74f6c3a6bc237117872fe55596460333e2edfc42de72cd7fb0a82256fb8d70c84a5e1c4746e2a95329ea0fecdb4188fd33bad32b2b19ab86d0543fbff0d0f",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
      "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014",
      "TBS": {
        "MD5": "83f69422963f11c3c340b81712eef319",
        "SHA1": "0c5e5f24590b53bc291e28583acb78e5adc95601",
        "SHA256": "d8be9e4d9074088ef818bc6f6fb64955e90378b2754155126feebbbd969cf0ae",
        "SHA384": "260ad59ba706420f68ba212931153bd89f760c464b21be55fba9d014fff322407859d4ebfb78ea9a3330f60dc9821a63"
      },
      "ValidFrom": "2014-10-15 20:31:27",
      "ValidTo": "2029-10-15 20:41:27",
      "Version": 3
    }
  ],
  "CertificatesInfo": "",
  "Signer": [
    {
      "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014",
      "SerialNumber": "330000000a35c02110041db90300000000000a",
      "Version": 1
    }
  ],
  "SignerInfo": ""
}
    PropertyValue
    Filename
    Creation Timestamp2015-11-18 03:14:15
    MD54064a81b6339992cbb4171b43b9a69dc
    SHA16cf7db611a351dbbf4e8cfde5b9912ddc329e43d
    SHA256e505569892551b2ba79d8792badff0a41faea033e8d8f85c3afea33463c70bd9
    Authentihash MD593de89630be80425a0f5571498b89048
    Authentihash SHA16f39048e31f8e835f7537998bbd3b6ac5cff2c04
    Authentihash SHA2564bef5f5160c6a981562597dda319f9a235c28d5beba5268a454f734500ec1f4f
    RichPEHeaderHash MD52b90445ddec8a8d927ff6eed42b21531
    RichPEHeaderHash SHA1f49c75459256c711d9fc43aa63094e9059a9f60a
    RichPEHeaderHash SHA25676890383bfcdb892dff16275a90fe117eef2e9733d56439f6580288b2148a10d
    CompanyTrend Micro Inc.
    DescriptionTrendMicro ELAM Driver (64-Bit)
    ProductTrend Micro Early Launch Anti-Malware Driver
    OriginalFilenameTmel.sys

    Download

    Certificates

    Expand
    Certificate 330000000a35c02110041db90300000000000a
    FieldValue
    ToBeSigned (TBS) MD53d599ae8f2823b242ef0b42a48eb116c
    ToBeSigned (TBS) SHA187d1616058dae44dd602ab9acd4ac4e736bbd451
    ToBeSigned (TBS) SHA256eda5653cc4fffbaeded2567b92aa03abb6c60ade2da823b8a07d826e0856c0af
    SubjectC=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=MOPR, CN=Microsoft Windows Early Launch Anti,malware Publisher
    ValidFrom2015-01-14 21:31:10
    ValidTo2016-04-14 21:31:10
    Signature18c72a193d7efedccdf640d0a9c0ff2e9fa9b7b1dc3ac28ea90d33df3ab44670eab692d7c90e5dfa97ea674905adf1578f2d14a6085d2904c8812991ccec229b9dd2f11516f894517e97c201eff48c998ccf6b5d7a0efd07190ab33927be386d62acaaf5b73f4f891af0ef8002648737e57e62e9798e097aacced862778b51cc92357e090203fe6cd2322b82c6bde16dfaf6e598d05b1a352263da413a766038e665108701d6ac7efbe7ec04785a4b4f99a46583d724a09440d4752fb3d40c3565b3d03d37234f1bed4e3ae0c59160650f38aef29d3cf6a920ab86040f09e9f8087e9a89d8c443b3916d87479c352fdb44982f4799753df5e754434759545b1624ebef4794fffc2e2c8957fa370cee7790da87b3dfec3750a9a4a3780454299766c8a77670511082c4765b75be6a94a43113f58e22dac6440a102faf25f10dcd021f2e25b311b641c635b3ae5d9f7f63b342feaa02159be5bb63f09327162a523029df7f44fa36f0665708523b63678748d09ddbe1298817549b9f600a42e2249b654b94276ac16a843f18d1531c0a8512ebdf0a8f8238529bfbf5587542d6cc038e7a5abc9d39d09f455f8f078ab1d26d57bf16eebfd1eb8ed9bf49da61ff138b362abb0a22718c322aada6bd26c1059ba8ebae619c15ddad5496d2a424c975bcc26cfded04ddb3d0f23342882b3bc97602329639df471c2541222b768127f8
    SignatureAlgorithmOID1.2.840.113549.1.1.11
    IsCertificateAuthorityFalse
    SerialNumber330000000a35c02110041db90300000000000a
    Version3
    Certificate 330000000d690d5d7893d076df00000000000d
    FieldValue
    ToBeSigned (TBS) MD583f69422963f11c3c340b81712eef319
    ToBeSigned (TBS) SHA10c5e5f24590b53bc291e28583acb78e5adc95601
    ToBeSigned (TBS) SHA256d8be9e4d9074088ef818bc6f6fb64955e90378b2754155126feebbbd969cf0ae
    SubjectC=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014
    ValidFrom2014-10-15 20:31:27
    ValidTo2029-10-15 20:41:27
    Signature96b5c33b31f27b6ba11f59dd742c3764b1bca093f9f33347e9f95df21d89f4579ee33f10a3595018053b142941b6a70e5b81a2ccbd8442c1c4bed184c2c4bd0c8c47bcbd8886fb5a0896ae2c2fdfbf9366a32b20ca848a6945273f732332936a23e9fffdd918edceffbd6b41738d579cf8b46d499805e6a335a9f07e6e86c06ba8086725afc0998cdba7064d4093188ba959e69914b912178144ac57c3ae8eae947bcb3b8edd7ab4715bba2bc3c7d085234b371277a54a2f7f1ab763b94459ed9230cce47c099212111f52f51e0291a4d7d7e58f8047ff189b7fd19c0671dcf376197790d52a0fbc6c12c4c50c2066f50e2f5093d8cafb7fe556ed09d8a753b1c72a6978dcf05fe74b20b6af63b5e1b15c804e9c7aa91d4df72846782106954d32dd6042e4b61ac4f24636de357302c1b5e55fb92b59457a9243d7c4e963dd368f76c728caa8441be8321a66cde5485c4a0a602b469206609698dcd933d721777f886dac4772daa2466eab64682bd24e98fb35cc7fec3f136d11e5db77edc1c37e1f6a4a14f8b4a721c671866770cdd819a35d1fa09b9a7cc55d4d728e74077fa74d00fcdd682412772a557527cda92c1d8e7c19ee692c9f7425338208db38cc7cc74f6c3a6bc237117872fe55596460333e2edfc42de72cd7fb0a82256fb8d70c84a5e1c4746e2a95329ea0fecdb4188fd33bad32b2b19ab86d0543fbff0d0f
    SignatureAlgorithmOID1.2.840.113549.1.1.11
    IsCertificateAuthorityTrue
    SerialNumber330000000d690d5d7893d076df00000000000d
    Version3

    Imports

    Expand
    • ntoskrnl.exe
    • tbs.sys

    Imported Functions

    Expand
    • ExAllocatePoolWithTag
    • ExFreePoolWithTag
    • _purecall
    • strncpy
    • wcsncpy
    • RtlInitUnicodeString
    • RtlEqualUnicodeString
    • DbgPrint
    • ZwClose
    • ZwOpenKey
    • ZwQueryValueKey
    • ZwSetValueKey
    • KeInitializeEvent
    • KeWaitForSingleObject
    • PsGetVersion
    • IoBuildDeviceIoControlRequest
    • IofCallDriver
    • IofCompleteRequest
    • IoGetDeviceObjectPointer
    • ObfDereferenceObject
    • IoRegisterBootDriverCallback
    • IoUnregisterBootDriverCallback
    • _stricmp
    • MmIsAddressValid
    • RtlImageNtHeader
    • ZwQuerySystemInformation
    • wcsncmp
    • Tbsi_Revoke_Attestation

    Exported Functions

    Expand

    Sections

    Expand
    • .text
    • .rdata
    • .data
    • .pdata
    • INIT
    • .rsrc
    • .reloc

    Signature

    Expand
    {
  "Certificates": [
    {
      "IsCertificateAuthority": false,
      "SerialNumber": "330000000a35c02110041db90300000000000a",
      "Signature": "18c72a193d7efedccdf640d0a9c0ff2e9fa9b7b1dc3ac28ea90d33df3ab44670eab692d7c90e5dfa97ea674905adf1578f2d14a6085d2904c8812991ccec229b9dd2f11516f894517e97c201eff48c998ccf6b5d7a0efd07190ab33927be386d62acaaf5b73f4f891af0ef8002648737e57e62e9798e097aacced862778b51cc92357e090203fe6cd2322b82c6bde16dfaf6e598d05b1a352263da413a766038e665108701d6ac7efbe7ec04785a4b4f99a46583d724a09440d4752fb3d40c3565b3d03d37234f1bed4e3ae0c59160650f38aef29d3cf6a920ab86040f09e9f8087e9a89d8c443b3916d87479c352fdb44982f4799753df5e754434759545b1624ebef4794fffc2e2c8957fa370cee7790da87b3dfec3750a9a4a3780454299766c8a77670511082c4765b75be6a94a43113f58e22dac6440a102faf25f10dcd021f2e25b311b641c635b3ae5d9f7f63b342feaa02159be5bb63f09327162a523029df7f44fa36f0665708523b63678748d09ddbe1298817549b9f600a42e2249b654b94276ac16a843f18d1531c0a8512ebdf0a8f8238529bfbf5587542d6cc038e7a5abc9d39d09f455f8f078ab1d26d57bf16eebfd1eb8ed9bf49da61ff138b362abb0a22718c322aada6bd26c1059ba8ebae619c15ddad5496d2a424c975bcc26cfded04ddb3d0f23342882b3bc97602329639df471c2541222b768127f8",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
      "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=MOPR, CN=Microsoft Windows Early Launch Anti,malware Publisher",
      "TBS": {
        "MD5": "3d599ae8f2823b242ef0b42a48eb116c",
        "SHA1": "87d1616058dae44dd602ab9acd4ac4e736bbd451",
        "SHA256": "eda5653cc4fffbaeded2567b92aa03abb6c60ade2da823b8a07d826e0856c0af",
        "SHA384": "f3d5d7e6a53e96d5c44b92c6bd81d71c6ffaf0ed77c13229adb301bc10ba7c2d5afde3d6a5eb553244666b0ce9ec68af"
      },
      "ValidFrom": "2015-01-14 21:31:10",
      "ValidTo": "2016-04-14 21:31:10",
      "Version": 3
    },
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "330000000d690d5d7893d076df00000000000d",
      "Signature": "96b5c33b31f27b6ba11f59dd742c3764b1bca093f9f33347e9f95df21d89f4579ee33f10a3595018053b142941b6a70e5b81a2ccbd8442c1c4bed184c2c4bd0c8c47bcbd8886fb5a0896ae2c2fdfbf9366a32b20ca848a6945273f732332936a23e9fffdd918edceffbd6b41738d579cf8b46d499805e6a335a9f07e6e86c06ba8086725afc0998cdba7064d4093188ba959e69914b912178144ac57c3ae8eae947bcb3b8edd7ab4715bba2bc3c7d085234b371277a54a2f7f1ab763b94459ed9230cce47c099212111f52f51e0291a4d7d7e58f8047ff189b7fd19c0671dcf376197790d52a0fbc6c12c4c50c2066f50e2f5093d8cafb7fe556ed09d8a753b1c72a6978dcf05fe74b20b6af63b5e1b15c804e9c7aa91d4df72846782106954d32dd6042e4b61ac4f24636de357302c1b5e55fb92b59457a9243d7c4e963dd368f76c728caa8441be8321a66cde5485c4a0a602b469206609698dcd933d721777f886dac4772daa2466eab64682bd24e98fb35cc7fec3f136d11e5db77edc1c37e1f6a4a14f8b4a721c671866770cdd819a35d1fa09b9a7cc55d4d728e74077fa74d00fcdd682412772a557527cda92c1d8e7c19ee692c9f7425338208db38cc7cc74f6c3a6bc237117872fe55596460333e2edfc42de72cd7fb0a82256fb8d70c84a5e1c4746e2a95329ea0fecdb4188fd33bad32b2b19ab86d0543fbff0d0f",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
      "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014",
      "TBS": {
        "MD5": "83f69422963f11c3c340b81712eef319",
        "SHA1": "0c5e5f24590b53bc291e28583acb78e5adc95601",
        "SHA256": "d8be9e4d9074088ef818bc6f6fb64955e90378b2754155126feebbbd969cf0ae",
        "SHA384": "260ad59ba706420f68ba212931153bd89f760c464b21be55fba9d014fff322407859d4ebfb78ea9a3330f60dc9821a63"
      },
      "ValidFrom": "2014-10-15 20:31:27",
      "ValidTo": "2029-10-15 20:41:27",
      "Version": 3
    }
  ],
  "CertificatesInfo": "",
  "Signer": [
    {
      "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014",
      "SerialNumber": "330000000a35c02110041db90300000000000a",
      "Version": 1
    }
  ],
  "SignerInfo": ""
}
    PropertyValue
    Filename
    Creation Timestamp2015-05-08 01:13:56
    MD5e58491b5aec097f17e310f83e82ae0c8
    SHA1b667f48f5518632f3159f51e5e1f6332627c4fd8
    SHA256d0eb3ba0aff471d19260192784bf9f056d669b779b6eaff84e732b7124ce1d11
    Authentihash MD5517db4899b3d996cb6f902b0611d233f
    Authentihash SHA1a9c9cb2548322748208199a7702d8056ad9a24fd
    Authentihash SHA2560e121d80264c51df9a6fca2f2201d75ccd4dc29d9566bbf0975bb05759e9c6c7
    RichPEHeaderHash MD5fed8b3a0eacb12baa3271fc6856838a1
    RichPEHeaderHash SHA1173b7cc38568ee8dabd25b695d2ab5a03febc21a
    RichPEHeaderHash SHA25691598130b4705df160c726ff59dee5a2e460cc731ad6ef0b0b062ed06c7cec38
    CompanyTrend Micro Inc.
    DescriptionTrendMicro ELAM Driver (64-Bit)
    ProductTrend Micro Early Launch Anti-Malware Driver
    OriginalFilenameTmel.sys

    Download

    Certificates

    Expand
    Certificate 330000000a35c02110041db90300000000000a
    FieldValue
    ToBeSigned (TBS) MD53d599ae8f2823b242ef0b42a48eb116c
    ToBeSigned (TBS) SHA187d1616058dae44dd602ab9acd4ac4e736bbd451
    ToBeSigned (TBS) SHA256eda5653cc4fffbaeded2567b92aa03abb6c60ade2da823b8a07d826e0856c0af
    SubjectC=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=MOPR, CN=Microsoft Windows Early Launch Anti,malware Publisher
    ValidFrom2015-01-14 21:31:10
    ValidTo2016-04-14 21:31:10
    Signature18c72a193d7efedccdf640d0a9c0ff2e9fa9b7b1dc3ac28ea90d33df3ab44670eab692d7c90e5dfa97ea674905adf1578f2d14a6085d2904c8812991ccec229b9dd2f11516f894517e97c201eff48c998ccf6b5d7a0efd07190ab33927be386d62acaaf5b73f4f891af0ef8002648737e57e62e9798e097aacced862778b51cc92357e090203fe6cd2322b82c6bde16dfaf6e598d05b1a352263da413a766038e665108701d6ac7efbe7ec04785a4b4f99a46583d724a09440d4752fb3d40c3565b3d03d37234f1bed4e3ae0c59160650f38aef29d3cf6a920ab86040f09e9f8087e9a89d8c443b3916d87479c352fdb44982f4799753df5e754434759545b1624ebef4794fffc2e2c8957fa370cee7790da87b3dfec3750a9a4a3780454299766c8a77670511082c4765b75be6a94a43113f58e22dac6440a102faf25f10dcd021f2e25b311b641c635b3ae5d9f7f63b342feaa02159be5bb63f09327162a523029df7f44fa36f0665708523b63678748d09ddbe1298817549b9f600a42e2249b654b94276ac16a843f18d1531c0a8512ebdf0a8f8238529bfbf5587542d6cc038e7a5abc9d39d09f455f8f078ab1d26d57bf16eebfd1eb8ed9bf49da61ff138b362abb0a22718c322aada6bd26c1059ba8ebae619c15ddad5496d2a424c975bcc26cfded04ddb3d0f23342882b3bc97602329639df471c2541222b768127f8
    SignatureAlgorithmOID1.2.840.113549.1.1.11
    IsCertificateAuthorityFalse
    SerialNumber330000000a35c02110041db90300000000000a
    Version3
    Certificate 330000000d690d5d7893d076df00000000000d
    FieldValue
    ToBeSigned (TBS) MD583f69422963f11c3c340b81712eef319
    ToBeSigned (TBS) SHA10c5e5f24590b53bc291e28583acb78e5adc95601
    ToBeSigned (TBS) SHA256d8be9e4d9074088ef818bc6f6fb64955e90378b2754155126feebbbd969cf0ae
    SubjectC=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014
    ValidFrom2014-10-15 20:31:27
    ValidTo2029-10-15 20:41:27
    Signature96b5c33b31f27b6ba11f59dd742c3764b1bca093f9f33347e9f95df21d89f4579ee33f10a3595018053b142941b6a70e5b81a2ccbd8442c1c4bed184c2c4bd0c8c47bcbd8886fb5a0896ae2c2fdfbf9366a32b20ca848a6945273f732332936a23e9fffdd918edceffbd6b41738d579cf8b46d499805e6a335a9f07e6e86c06ba8086725afc0998cdba7064d4093188ba959e69914b912178144ac57c3ae8eae947bcb3b8edd7ab4715bba2bc3c7d085234b371277a54a2f7f1ab763b94459ed9230cce47c099212111f52f51e0291a4d7d7e58f8047ff189b7fd19c0671dcf376197790d52a0fbc6c12c4c50c2066f50e2f5093d8cafb7fe556ed09d8a753b1c72a6978dcf05fe74b20b6af63b5e1b15c804e9c7aa91d4df72846782106954d32dd6042e4b61ac4f24636de357302c1b5e55fb92b59457a9243d7c4e963dd368f76c728caa8441be8321a66cde5485c4a0a602b469206609698dcd933d721777f886dac4772daa2466eab64682bd24e98fb35cc7fec3f136d11e5db77edc1c37e1f6a4a14f8b4a721c671866770cdd819a35d1fa09b9a7cc55d4d728e74077fa74d00fcdd682412772a557527cda92c1d8e7c19ee692c9f7425338208db38cc7cc74f6c3a6bc237117872fe55596460333e2edfc42de72cd7fb0a82256fb8d70c84a5e1c4746e2a95329ea0fecdb4188fd33bad32b2b19ab86d0543fbff0d0f
    SignatureAlgorithmOID1.2.840.113549.1.1.11
    IsCertificateAuthorityTrue
    SerialNumber330000000d690d5d7893d076df00000000000d
    Version3

    Imports

    Expand
    • ntoskrnl.exe
    • tbs.sys

    Imported Functions

    Expand
    • ExAllocatePoolWithTag
    • ExFreePoolWithTag
    • _purecall
    • strncpy
    • wcsncpy
    • RtlInitUnicodeString
    • RtlEqualUnicodeString
    • DbgPrint
    • ZwClose
    • ZwOpenKey
    • ZwQueryValueKey
    • ZwSetValueKey
    • KeInitializeEvent
    • KeWaitForSingleObject
    • IoBuildDeviceIoControlRequest
    • IofCallDriver
    • IofCompleteRequest
    • IoGetDeviceObjectPointer
    • ObfDereferenceObject
    • IoRegisterBootDriverCallback
    • IoUnregisterBootDriverCallback
    • _stricmp
    • MmIsAddressValid
    • RtlImageNtHeader
    • ZwQuerySystemInformation
    • wcsncmp
    • Tbsi_Revoke_Attestation

    Exported Functions

    Expand

    Sections

    Expand
    • .text
    • .rdata
    • .data
    • .pdata
    • INIT
    • .rsrc
    • .reloc

    Signature

    Expand
    {
  "Certificates": [
    {
      "IsCertificateAuthority": false,
      "SerialNumber": "330000000a35c02110041db90300000000000a",
      "Signature": "18c72a193d7efedccdf640d0a9c0ff2e9fa9b7b1dc3ac28ea90d33df3ab44670eab692d7c90e5dfa97ea674905adf1578f2d14a6085d2904c8812991ccec229b9dd2f11516f894517e97c201eff48c998ccf6b5d7a0efd07190ab33927be386d62acaaf5b73f4f891af0ef8002648737e57e62e9798e097aacced862778b51cc92357e090203fe6cd2322b82c6bde16dfaf6e598d05b1a352263da413a766038e665108701d6ac7efbe7ec04785a4b4f99a46583d724a09440d4752fb3d40c3565b3d03d37234f1bed4e3ae0c59160650f38aef29d3cf6a920ab86040f09e9f8087e9a89d8c443b3916d87479c352fdb44982f4799753df5e754434759545b1624ebef4794fffc2e2c8957fa370cee7790da87b3dfec3750a9a4a3780454299766c8a77670511082c4765b75be6a94a43113f58e22dac6440a102faf25f10dcd021f2e25b311b641c635b3ae5d9f7f63b342feaa02159be5bb63f09327162a523029df7f44fa36f0665708523b63678748d09ddbe1298817549b9f600a42e2249b654b94276ac16a843f18d1531c0a8512ebdf0a8f8238529bfbf5587542d6cc038e7a5abc9d39d09f455f8f078ab1d26d57bf16eebfd1eb8ed9bf49da61ff138b362abb0a22718c322aada6bd26c1059ba8ebae619c15ddad5496d2a424c975bcc26cfded04ddb3d0f23342882b3bc97602329639df471c2541222b768127f8",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
      "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=MOPR, CN=Microsoft Windows Early Launch Anti,malware Publisher",
      "TBS": {
        "MD5": "3d599ae8f2823b242ef0b42a48eb116c",
        "SHA1": "87d1616058dae44dd602ab9acd4ac4e736bbd451",
        "SHA256": "eda5653cc4fffbaeded2567b92aa03abb6c60ade2da823b8a07d826e0856c0af",
        "SHA384": "f3d5d7e6a53e96d5c44b92c6bd81d71c6ffaf0ed77c13229adb301bc10ba7c2d5afde3d6a5eb553244666b0ce9ec68af"
      },
      "ValidFrom": "2015-01-14 21:31:10",
      "ValidTo": "2016-04-14 21:31:10",
      "Version": 3
    },
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "330000000d690d5d7893d076df00000000000d",
      "Signature": "96b5c33b31f27b6ba11f59dd742c3764b1bca093f9f33347e9f95df21d89f4579ee33f10a3595018053b142941b6a70e5b81a2ccbd8442c1c4bed184c2c4bd0c8c47bcbd8886fb5a0896ae2c2fdfbf9366a32b20ca848a6945273f732332936a23e9fffdd918edceffbd6b41738d579cf8b46d499805e6a335a9f07e6e86c06ba8086725afc0998cdba7064d4093188ba959e69914b912178144ac57c3ae8eae947bcb3b8edd7ab4715bba2bc3c7d085234b371277a54a2f7f1ab763b94459ed9230cce47c099212111f52f51e0291a4d7d7e58f8047ff189b7fd19c0671dcf376197790d52a0fbc6c12c4c50c2066f50e2f5093d8cafb7fe556ed09d8a753b1c72a6978dcf05fe74b20b6af63b5e1b15c804e9c7aa91d4df72846782106954d32dd6042e4b61ac4f24636de357302c1b5e55fb92b59457a9243d7c4e963dd368f76c728caa8441be8321a66cde5485c4a0a602b469206609698dcd933d721777f886dac4772daa2466eab64682bd24e98fb35cc7fec3f136d11e5db77edc1c37e1f6a4a14f8b4a721c671866770cdd819a35d1fa09b9a7cc55d4d728e74077fa74d00fcdd682412772a557527cda92c1d8e7c19ee692c9f7425338208db38cc7cc74f6c3a6bc237117872fe55596460333e2edfc42de72cd7fb0a82256fb8d70c84a5e1c4746e2a95329ea0fecdb4188fd33bad32b2b19ab86d0543fbff0d0f",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
      "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014",
      "TBS": {
        "MD5": "83f69422963f11c3c340b81712eef319",
        "SHA1": "0c5e5f24590b53bc291e28583acb78e5adc95601",
        "SHA256": "d8be9e4d9074088ef818bc6f6fb64955e90378b2754155126feebbbd969cf0ae",
        "SHA384": "260ad59ba706420f68ba212931153bd89f760c464b21be55fba9d014fff322407859d4ebfb78ea9a3330f60dc9821a63"
      },
      "ValidFrom": "2014-10-15 20:31:27",
      "ValidTo": "2029-10-15 20:41:27",
      "Version": 3
    }
  ],
  "CertificatesInfo": "",
  "Signer": [
    {
      "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014",
      "SerialNumber": "330000000a35c02110041db90300000000000a",
      "Version": 1
    }
  ],
  "SignerInfo": ""
}

    source

    last_updated: 2024-09-26