Inf File
Not a rootkit. Not ransomware. Something weirder.
She copied it to a sandbox VM and opened it in Notepad. The file was pristine—comments intact, sections clearly marked. It looked like a standard driver INF for a fictional device called "EchoLink."
[EchoLink_Install.NT.HW]
AddReg = EchoLink_HW_AddReg

[EchoLink_HW_AddReg]
HKR,, "KernelCallback", 0x00000000, "EchoCallbackRoutine"
HKR,, "PayloadAddress", 0x00000001, 0x7FFE0000
PayloadAddress. KernelCallback. Those weren't standard INF keys. Those were hooks.
She opened a hex editor and scanned the referenced driver binary—echolink.sys, which the INF would copy to System32\drivers. The SYS file was tiny. Too tiny. It contained only a single export: EchoCallbackRoutine. The rest was encrypted data masquerading as padding.