[EchoLink_Install.NT.HW]
AddReg = EchoLink_HW_AddReg

[EchoLink_HW_AddReg]
HKR,, "KernelCallback", 0x00000000, "EchoCallbackRoutine"
HKR,, "PayloadAddress", 0x00000001, 0x7FFE0000
She shut the lid and went to bed in the dark.
[EchoLink_Install.NT]
CopyFiles = EchoLink_CopyFiles
AddReg = EchoLink_AddReg

[EchoLink_Install
Not a rootkit. Not ransomware. Something weirder.
She opened a hex editor and scanned the referenced driver binary—echolink.sys, which the INF would copy to System32\drivers. The SYS file was tiny. Too tiny. It contained only a single export: EchoCallbackRoutine. The rest was encrypted data masquerading as padding.
Device: EchoLink
Type: INF-based kernel hook + USB side-channel receiver
Status: Not malware. A ghost’s goodbye.
[ArisDevices.NTamd64]
%EchoLink.DeviceDesc% = EchoLink_Install, USB\VID_045E&PID_07CD