Archive for October, 2009

DDoS Driver 1/2 (2009-10-29)

And finally we can analyze the real kernel driver (nups.sys – 36312A4D9ED66377CDEF09B0A247F8AF); it turns out to be a DDoS/backdoor agent. This driver comes with no obfuscation or protection whatsoever, and as a bonus the author was kind enough to leave in the DbgPrint calls and debug strings such as this one: U:\MyProg\WORK\10428\!!BOTSRC!!!\objfre\i386\bot.pdb When the driver starts it gets the agent ID from [...]