WdFilter.sys : Windows Defender antimalware minifilter
WdNisDrv.sys : Windows Defender Network Inspection System driver

cyvrfsfd.sys : Palo Alto Networks
cyvrlpc.sys : Palo Alto Networks
tedrdrv.sys : Palo Alto Networks
cyvrmtgn.sys : Palo Alto Networks
cyverak.sys : cyvera, Palo Alto Networks
tedrpers-7.???.sys : Palo Alto Networks

cyinjct.dll : Palo Alto Networks  
ntnativeapi.dll  : Palo Alto Networks
cyvera.dll : Palo Alto Networks
cyvrtrap.dll : Palo Alto Networks

amsi.dll : Antimalware Scan Interface (consumed by Windows Defender, among others)

The minifilter altitudes of the two Cortex XDR filter drivers are 380430 and 321234 (nice number 🙂).

328010 is the altitude of Windows Defender's WdFilter.

The DLL injected into processes by this version is cyinjct.dll (SHA-256: 0fed3ea714f128a1db3be30bd7b4c905ff3e50592f1381dae235200311f88af6).

cyvera.dll and cyvrtrap.dll are also loaded into processes.
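As an added example (not from the original post), the parser below reads the output of `fltmc filters` and flags the altitudes named above. Which of the two Cortex XDR drivers owns which altitude is not stated on this page, so the sample output is constructed and the driver/altitude pairing in it is an assumption; the altitude ranges come from Microsoft's documented minifilter load-order groups.

```python
"""Identify security minifilters from `fltmc filters` output.

Added example: parses the fltmc table format and maps each filter's altitude
to Microsoft's load-order groups and to the altitudes named on this page.
"""
import re

# Microsoft's documented load-order groups that security products register in.
LOAD_ORDER_GROUPS = [
    (320000, 329999, "FSFilter Anti-Virus"),
    (360000, 389999, "FSFilter Activity Monitor"),
]

# Altitudes named on this page.
KNOWN_ALTITUDES = {
    380430: "Cortex XDR",
    321234: "Cortex XDR",
    328010: "Windows Defender (WdFilter)",
}

# Constructed sample output. The assignment of 380430/321234 to cyvrfsfd and
# cyverak is an ASSUMPTION for illustration; the page does not state the pairing.
SAMPLE_FLTMC = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
cyvrfsfd                                4         380430         0
cyverak                                 4         321234         0
WdFilter                                4         328010         0
FileInfo                                4          45000         0
"""

# One data row: name, instance count, altitude, frame (whitespace separated).
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_fltmc(text):
    """Return a list of {name, instances, altitude, frame} dicts from fltmc text."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:  # header and separator lines do not match the row pattern
            name, inst, alt, frame = m.groups()
            rows.append({"name": name, "instances": int(inst),
                         "altitude": int(alt), "frame": int(frame)})
    return rows


def load_order_group(altitude):
    """Name of the security-relevant load-order group an altitude falls in, or None."""
    for low, high, group in LOAD_ORDER_GROUPS:
        if low <= altitude <= high:
            return group
    return None


def classify_filters(text):
    """Annotate each parsed filter with its group and any known product."""
    out = []
    for row in parse_fltmc(text):
        row["group"] = load_order_group(row["altitude"])
        row["product"] = KNOWN_ALTITUDES.get(row["altitude"])
        out.append(row)
    return out


def security_filters(text):
    """Only the filters that sit in an AV or activity-monitor altitude range."""
    return [r for r in classify_filters(text) if r["group"] is not None]


if __name__ == "__main__":
    for r in classify_filters(SAMPLE_FLTMC):
        print(f"{r['name']:<12} {r['altitude']:>7}  {r['group'] or '-':<28} {r['product'] or '-'}")
```

`fltmc filters` needs an elevated prompt on a real host; the parser is the same on live output.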

Hooked functions

KernelBase

CreateFileA
LoadLibraryExW
LoadLibraryA
LoadLibraryExA
VirtualAlloc
VirtualProtect
HeapCreate
VirtualAllocEx
VirtualProtectEx
LoadLibraryW

NTDLL

NtSetInformationThread
NtOpenThreadToken
NtOpenProcess
NtSetInformationFile
NtMapViewOfSection
NtUnmapViewOfSection
NtOpenThreadTokenEx
NtOpenProcessTokenEx
NtOpenFile
NtQueryAttributesFile

The full list of hooked functions has been gathered by Mr-Un1k0d3r here: https://raw.githubusercontent.com/Mr-Un1k0d3r/EDRs/main/cortex.txt
