Well vgk.sys (the vanguard driver), according to the PE header, does import (which means the code calls at some point) KeBugCheck, which is the function Windows or a driver can call to cause the BSOD when shit is FUBAR (or the driver is misbehaving, in case of Windows calling it), so the hyperbole is not entirely unbelievable.
Other suspicious (no, I don't call it spyware since there are legitimate uses for drivers to call these APIs, such as logging, but crypto stuff is a bit more suspicious) stuff I can see is ZwReadFile and ZwWriteFile, which are the file reading/writing APIs, and BCryptDestroyHash + BCryptCloseAlgorithmProvider, which are used to free encrypted data from memory and close the handle to the encryption engine, but those don't make much sense since the counterpart open functions are missing from the import table. But again, Windows programs and drivers can load DLLs and import functions at runtime, so maybe they're used (or functions for malicious stuff that I can't see through the PE import/export table), just not obviously.
Though to see when and how, I would need to fully reverse engineer the driver, which I totally won't do because of the layers of obfuscation. Maybe someone autistic enough will do the reverse engineering for us to see how much of a spyware it is (or isn't).
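The kind of import-table check the post above is talking about can be reproduced with nothing but the Python standard library. The following is an added example, not the poster's work and not anything from Riot's driver: it builds a constructed, minimal PE32+ image in memory whose only content is an import directory, walks IMAGE_DIRECTORY_ENTRY_IMPORT the same way dumpbin /imports or pefile would, then flags teardown calls (BCryptDestroyHash, BCryptCloseAlgorithmProvider) whose setup counterparts are not statically imported, and notes whether MmGetSystemRoutineAddress is present, since a driver that imports that can resolve further kernel exports by name at run time and the static table stops being conclusive. The DLL names ntoskrnl.exe and cng.sys and the function list are constructed sample data chosen to resemble what the post lists; they are not vgk.sys's real import table.

```python
"""Stdlib-only PE import-table walker, driven by a constructed PE32+ sample.
Added example; the sample image and its import list are made up, not vgk.sys."""
import struct


def build_sample_pe(imports):
    """Build a minimal PE32+ image: headers, then one .rdata section holding only an
    import directory. File offsets are made equal to RVAs to keep the layout simple."""
    base = 0x200                                          # section RVA == raw file offset
    blob = bytearray(20 * (len(imports) + 1))             # IMAGE_IMPORT_DESCRIPTOR table + null entry
    hint_rva, name_rva, ilt_rva, iat_rva = {}, {}, {}, {}
    for dll, funcs in imports.items():
        for f in funcs:                                   # IMAGE_IMPORT_BY_NAME: hint + ASCIIZ name
            hint_rva[(dll, f)] = base + len(blob)
            blob += struct.pack("<H", 0) + f.encode() + b"\0"
            blob += b"\0" * (len(blob) % 2)               # keep entries 2-byte aligned
        name_rva[dll] = base + len(blob)
        blob += dll.encode() + b"\0"
    blob += b"\0" * (-len(blob) % 8)                      # thunk tables are 8-byte entries in PE32+
    for dll, funcs in imports.items():
        thunks = b"".join(struct.pack("<Q", hint_rva[(dll, f)]) for f in funcs) + b"\0" * 8
        ilt_rva[dll] = base + len(blob); blob += thunks   # import lookup table
        iat_rva[dll] = base + len(blob); blob += thunks   # IAT (identical until the loader binds it)
    for i, dll in enumerate(imports):
        struct.pack_into("<IIIII", blob, i * 20, ilt_rva[dll], 0, 0, name_rva[dll], iat_rva[dll])
    sec_size = len(blob) + (-len(blob) % 0x200)
    blob += b"\0" * (sec_size - len(blob))

    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)      # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    dirs = [(0, 0)] * 16
    dirs[1] = (base, 20 * (len(imports) + 1))             # IMAGE_DIRECTORY_ENTRY_IMPORT
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
                      0x20B, 14, 0, 0, sec_size, 0, 0, 0, 0x140000000, 0x200, 0x200,
                      10, 0, 0, 0, 10, 0, 0, base + sec_size, base, 0, 1, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sect = struct.pack("<8sIIIIIIHHI", b".rdata", len(blob), base, len(blob), base,
                       0, 0, 0, 0, 0x40000040)            # INITIALIZED_DATA | MEM_READ
    hdr = dos + coff + opt + sect
    return bytes(hdr + b"\0" * (base - len(hdr)) + blob)


def read_cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def list_imports(data):
    """Walk the import directory of a PE32 or PE32+ image and return {dll: [names]}.
    Ordinal-only imports are reported as '#<ordinal>'."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    # data directories start at +112 (PE32+) or +96 (PE32); import table is entry 1
    imp_rva, _ = struct.unpack_from("<II", data, opt + (112 if pe32plus else 96) + 8)
    sections = [struct.unpack_from("<8sIIII", data, opt + opt_size + i * 40)[1:]
                for i in range(nsec)]                     # (vsize, va, rawsize, rawptr)

    def rva2off(rva):
        for vsize, va, rawsize, rawptr in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rawptr + rva - va
        raise ValueError(f"RVA {rva:#x} maps to no section")

    thunk_fmt, ord_flag = ("<Q", 1 << 63) if pe32plus else ("<I", 1 << 31)
    result, off = {}, rva2off(imp_rva)
    while True:
        ilt, _, _, name_rva, iat = struct.unpack_from("<IIIII", data, off)
        if not (ilt or name_rva or iat):                  # all-zero descriptor ends the table
            break
        funcs, toff = [], rva2off(ilt or iat)             # fall back to IAT if ILT RVA is 0
        while (t := struct.unpack_from(thunk_fmt, data, toff)[0]):
            funcs.append(f"#{t & 0xFFFF}" if t & ord_flag else read_cstr(data, rva2off(t) + 2))
            toff += struct.calcsize(thunk_fmt)
        result[read_cstr(data, rva2off(name_rva))] = funcs
        off += 20
    return result


# Setup calls that normally precede these teardown calls; a lone teardown import is the oddity the post notes.
COUNTERPARTS = {"BCryptDestroyHash": "BCryptCreateHash",
                "BCryptCloseAlgorithmProvider": "BCryptOpenAlgorithmProvider"}


def lopsided_pairs(imports):
    """(dll, teardown, missing_setup) for teardown imports whose setup counterpart is absent."""
    everything = {f for funcs in imports.values() for f in funcs}
    return [(dll, f, COUNTERPARTS[f]) for dll, funcs in imports.items()
            for f in funcs if f in COUNTERPARTS and COUNTERPARTS[f] not in everything]


def resolves_at_runtime(imports):
    """MmGetSystemRoutineAddress lets kernel code look up exports by name at run time,
    so if it is imported, functions missing from the static table may still be called."""
    return any("MmGetSystemRoutineAddress" in funcs for funcs in imports.values())


# Constructed sample, loosely modelled on what the post lists; NOT vgk.sys's real table.
SAMPLE_IMPORTS = {
    "ntoskrnl.exe": ["KeBugCheck", "ZwReadFile", "ZwWriteFile", "MmGetSystemRoutineAddress"],
    "cng.sys": ["BCryptDestroyHash", "BCryptCloseAlgorithmProvider"],
}

if __name__ == "__main__":
    found = list_imports(build_sample_pe(SAMPLE_IMPORTS))
    for dll, funcs in found.items():
        print(dll, *funcs, sep="\n    ")
    for dll, f, missing in lopsided_pairs(found):
        print(f"{dll}!{f} is imported but {missing} is not")
    if resolves_at_runtime(found):
        print("MmGetSystemRoutineAddress imported: further kernel calls may be resolved by name at run time")
```

To run the same walk over a real file, replace the constructed image with open("vgk.sys", "rb").read(); the parser reads section headers, so it does not depend on the file-offset-equals-RVA shortcut the sample builder uses. The two helper checks encode the post's reasoning as rules: a destroy/close import with no matching create/open in the table is worth a second look, and a MmGetSystemRoutineAddress import means the static table is a lower bound on what the driver calls, not the full list.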