{"report_id":"dbc872ff-ebf3-438a-9513-864a48172225","version":6,"status":"done","tags":[],"date":"2025-05-12T20:29:24Z","url":{"schema":"http","addr":"sk-data.special-k.info/redist/WinRing0_32.7z","fqdn":"sk-data.special-k.info","domain":"special-k.info","tld":"info"},"ip":{"addr":"104.18.42.227","port":0,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"final":{"url":{"schema":"about","addr":"about:privatebrowsing","fqdn":"","domain":"","tld":""},"title":"about:privatebrowsing"},"submit":{"url":{"schema":"","addr":"","fqdn":"","domain":"","tld":""},"ip":{"addr":"","port":0,"asn":0,"as":"","country":"","country_code":""},"tags":null,"meta":null},"settings":{"access":"public","device_type":"desktop","expires_at":"2027-07-21T20:29:24Z","useragent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0","referer":"","cookies":null,"exit_node":"z0yflva4pidy47h"},"stats":{"alert_count":{"ids":0,"urlquery":0,"analyzer":0}},"detection":{"ids":null,"analyzer":null,"urlquery":null},"summary":[{"fqdn":"sk-data.special-k.info","ip":{"addr":"172.64.145.29","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"domain_registered":"2020-07-28","domain_rank":0,"first_seen":"2020-08-03T23:31:01Z","last_seen":"2025-05-09T09:27:28.891983Z","alert_count":1,"request_count":1,"received_data":34356,"sent_data":512,"comment":"","tags":null,"fingerprints":null}],"files":[{"md5":"f7d441d534b37441b08bdd1a6c4642b5","sha1":"94921471ec82ad1222a2524030b8f6c00b8844ee","sha256":"d3d8fa22d876ebdf2996b581a7834c68c3d983516733333a225596aefab98af1","sha512":"3e4221fecc71be8e8331322071c6743a7e03418e7e377cb23a267749a13dd15267cc5aa0c35420f07a55c29c7f912557bfa0a69f56cda2ecc033580b33e6fa9e","magic":"7-zip archive data, version 0.4","size":33430,"url":{"schema":"https","addr":"sk-data.special-k.info/redist/WinRing0_32.7z","fqdn":"sk-data.special-k.info","domain":"special-k.info","tld":"info"},"ip":{"addr":"172.64.145.29","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"archive":[{"path":"WinRing0.dll","filename":"WinRing0.dll","modified":"2019-02-14T12:33:56Z","Modified":"","magic":"PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, 5 sections","size":20480,"md5":"ee9de580406199f0f6789e90c68e2fc5","sha1":"2769ef60b46cd7308bed52135ce682df4bf3fb03","sha256":"5c9cf063260ae45f783a16ed9b72232dd9535b5bf6915cd56138de887095d6d3","sha512":"544e37914382f5bb989de4f47201b8d5d2c4e25f6c5e7a4bc503150ab27a2f3ca58cda4b929baaaac2d8fef0806be0b485db46ec3f2bba701a94613f07b52151","alerts":{"urlquery":null,"analyzer":null}},{"path":"WinRing0.sys","filename":"WinRing0.sys","modified":"2018-07-30T16:34:06Z","Modified":"","magic":"PE32 executable (native) Intel 80386, for MS Windows, 6 sections","size":14416,"md5":"845af1ba23c8d5e64def61bcc441604c","sha1":"8ac34eb21b9b38f67cd29684c45696c20ab2e75a","sha256":"206ee7a7c3f4d9496f742ccb84718f556ecb4ba2a95fe7e0cdf3a003ffbe4597","sha512":"0c2d625bbe5b1902cd371f4e1a3dceee6401aa9fa0b25f4720277eaaac3576c2029d7db3ae9983382e4ca8f0415ccd4b0e6c1eea864e7886276f93047258475f","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2025-05-12","alert":"Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinRing0x64.sys","trigger":"WinRing0.sys","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2023-06-13","description":"Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinRing0x64.sys","hash":"a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062","reference":"https://github.com/magicsword-io/LOLDrivers","rule":"PUA_VULN_Driver_Openlibsysorg_Winringsys_Winring_11BD","score":"40"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2025-05-12","alert":"signed_sys_with_vulnerablity","trigger":"WinRing0.sys","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"wonderkun","date":"2023-07-21","description":"signed_sys_with_vulnerablity","rule":"signed_sys_with_vulnerablity","tlp":"WHITE","yarahub_license":"CC0 1.0","yarahub_reference_md5":"3b25a34bb08f4759792c24b121109513","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"615591f5-2e81-4c01-8ebf-ab8aade6efcf"}},{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2025-05-12","alert":"Scan result 1/72","trigger":"206ee7a7c3f4d9496f742ccb84718f556ecb4ba2a95fe7e0cdf3a003ffbe4597","verdict":"suspicious","severity":"","comment":"suspicious - 1/72","link":"https://www.virustotal.com/gui/file/206ee7a7c3f4d9496f742ccb84718f556ecb4ba2a95fe7e0cdf3a003ffbe4597","meta":null}]}},{"path":"WinRing0x64.dll","filename":"WinRing0x64.dll","modified":"2019-02-14T12:45:20Z","Modified":"","magic":"PE32+ executable (DLL) (GUI) x86-64, for MS Windows, 6 sections","size":24064,"md5":"168625537e17442935de4ab929f4e7e3","sha1":"b7edf29af2d87adff20c6e885ab13bd556c40ac4","sha256":"523547f304c04ecf092f5487139bd75533209278effef1554850ff646b94ade0","sha512":"9fbce55e5942eff02e05c4469cc1ce417da87155644664ea46e64d58e2e1c8a74d07c3849ac1f644abdd2cf3e15f0b53e29f1b95ad5ff783b497c6fa91f8010c","alerts":{"urlquery":null,"analyzer":null}},{"path":"WinRing0x64.sys","filename":"WinRing0x64.sys","modified":"2018-07-30T16:33:43Z","Modified":"","magic":"PE32+ executable (native) x86-64, for MS Windows, 6 sections","size":14544,"md5":"0c0195c48b6b8582fa6f6373032118da","sha1":"d25340ae8e92a6d29f599fef426a2bc1b5217299","sha256":"11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5","sha512":"ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2025-05-12","alert":"Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinRing0x64.sys","trigger":"WinRing0x64.sys","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2023-06-13","description":"Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinRing0x64.sys","hash":"a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062","reference":"https://github.com/magicsword-io/LOLDrivers","rule":"PUA_VULN_Driver_Openlibsysorg_Winringsys_Winring_11BD","score":"40"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2025-05-12","alert":"signed_sys_with_vulnerablity","trigger":"WinRing0x64.sys","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"wonderkun","date":"2023-07-21","description":"signed_sys_with_vulnerablity","rule":"signed_sys_with_vulnerablity","tlp":"WHITE","yarahub_license":"CC0 1.0","yarahub_reference_md5":"3b25a34bb08f4759792c24b121109513","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"615591f5-2e81-4c01-8ebf-ab8aade6efcf"}},{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2025-05-12","alert":"Scan result 2/72","trigger":"11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5","verdict":"suspicious","severity":"","comment":"suspicious - 2/72","link":"https://www.virustotal.com/gui/file/11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5","meta":null}]}}],"alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2025-05-12","alert":"Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinRing0x64.sys","trigger":"WinRing0.sys","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2023-06-13","description":"Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinRing0x64.sys","hash":"a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062","reference":"https://github.com/magicsword-io/LOLDrivers","rule":"PUA_VULN_Driver_Openlibsysorg_Winringsys_Winring_11BD","score":"40"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2025-05-12","alert":"signed_sys_with_vulnerablity","trigger":"WinRing0.sys","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"wonderkun","date":"2023-07-21","description":"signed_sys_with_vulnerablity","rule":"signed_sys_with_vulnerablity","tlp":"WHITE","yarahub_license":"CC0 1.0","yarahub_reference_md5":"3b25a34bb08f4759792c24b121109513","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"615591f5-2e81-4c01-8ebf-ab8aade6efcf"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2025-05-12","alert":"Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinRing0x64.sys","trigger":"WinRing0x64.sys","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2023-06-13","description":"Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinRing0x64.sys","hash":"a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062","reference":"https://github.com/magicsword-io/LOLDrivers","rule":"PUA_VULN_Driver_Openlibsysorg_Winringsys_Winring_11BD","score":"40"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2025-05-12","alert":"signed_sys_with_vulnerablity","trigger":"WinRing0x64.sys","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"wonderkun","date":"2023-07-21","description":"signed_sys_with_vulnerablity","rule":"signed_sys_with_vulnerablity","tlp":"WHITE","yarahub_license":"CC0 1.0","yarahub_reference_md5":"3b25a34bb08f4759792c24b121109513","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"615591f5-2e81-4c01-8ebf-ab8aade6efcf"}},{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2023-05-29","alert":"Scan result 1/60","trigger":"d3d8fa22d876ebdf2996b581a7834c68c3d983516733333a225596aefab98af1","verdict":"suspicious","severity":"","comment":"suspicious - 1/60","link":"https://www.virustotal.com/gui/file/d3d8fa22d876ebdf2996b581a7834c68c3d983516733333a225596aefab98af1","meta":null}]}}],"artifacts":{"windows_shortcuts":null,"files":[{"md5":"f7d441d534b37441b08bdd1a6c4642b5","sha1":"94921471ec82ad1222a2524030b8f6c00b8844ee","sha256":"d3d8fa22d876ebdf2996b581a7834c68c3d983516733333a225596aefab98af1","sha512":"3e4221fecc71be8e8331322071c6743a7e03418e7e377cb23a267749a13dd15267cc5aa0c35420f07a55c29c7f912557bfa0a69f56cda2ecc033580b33e6fa9e","magic":"7-zip archive data, version 0.4","size":33430,"url":{"schema":"https","addr":"sk-data.special-k.info/redist/WinRing0_32.7z","fqdn":"sk-data.special-k.info","domain":"special-k.info","tld":"info"},"ip":{"addr":"172.64.145.29","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"archive":[{"path":"WinRing0.dll","filename":"WinRing0.dll","modified":"2019-02-14T12:33:56Z","Modified":"","magic":"PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, 5 sections","size":20480,"md5":"ee9de580406199f0f6789e90c68e2fc5","sha1":"2769ef60b46cd7308bed52135ce682df4bf3fb03","sha256":"5c9cf063260ae45f783a16ed9b72232dd9535b5bf6915cd56138de887095d6d3","sha512":"544e37914382f5bb989de4f47201b8d5d2c4e25f6c5e7a4bc503150ab27a2f3ca58cda4b929baaaac2d8fef0806be0b485db46ec3f2bba701a94613f07b52151","alerts":{"urlquery":null,"analyzer":null}},{"path":"WinRing0.sys","filename":"WinRing0.sys","modified":"2018-07-30T16:34:06Z","Modified":"","magic":"PE32 executable (native) Intel 80386, for MS Windows, 6 sections","size":14416,"md5":"845af1ba23c8d5e64def61bcc441604c","sha1":"8ac34eb21b9b38f67cd29684c45696c20ab2e75a","sha256":"206ee7a7c3f4d9496f742ccb84718f556ecb4ba2a95fe7e0cdf3a003ffbe4597","sha512":"0c2d625bbe5b1902cd371f4e1a3dceee6401aa9fa0b25f4720277eaaac3576c2029d7db3ae9983382e4ca8f0415ccd4b0e6c1eea864e7886276f93047258475f","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2025-05-12","alert":"Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinRing0x64.sys","trigger":"WinRing0.sys","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2023-06-13","description":"Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinRing0x64.sys","hash":"a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062","reference":"https://github.com/magicsword-io/LOLDrivers","rule":"PUA_VULN_Driver_Openlibsysorg_Winringsys_Winring_11BD","score":"40"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2025-05-12","alert":"signed_sys_with_vulnerablity","trigger":"WinRing0.sys","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"wonderkun","date":"2023-07-21","description":"signed_sys_with_vulnerablity","rule":"signed_sys_with_vulnerablity","tlp":"WHITE","yarahub_license":"CC0 1.0","yarahub_reference_md5":"3b25a34bb08f4759792c24b121109513","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"615591f5-2e81-4c01-8ebf-ab8aade6efcf"}},{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2025-05-12","alert":"Scan result 1/72","trigger":"206ee7a7c3f4d9496f742ccb84718f556ecb4ba2a95fe7e0cdf3a003ffbe4597","verdict":"suspicious","severity":"","comment":"suspicious - 1/72","link":"https://www.virustotal.com/gui/file/206ee7a7c3f4d9496f742ccb84718f556ecb4ba2a95fe7e0cdf3a003ffbe4597","meta":null}]}},{"path":"WinRing0x64.dll","filename":"WinRing0x64.dll","modified":"2019-02-14T12:45:20Z","Modified":"","magic":"PE32+ executable (DLL) (GUI) x86-64, for MS Windows, 6 sections","size":24064,"md5":"168625537e17442935de4ab929f4e7e3","sha1":"b7edf29af2d87adff20c6e885ab13bd556c40ac4","sha256":"523547f304c04ecf092f5487139bd75533209278effef1554850ff646b94ade0","sha512":"9fbce55e5942eff02e05c4469cc1ce417da87155644664ea46e64d58e2e1c8a74d07c3849ac1f644abdd2cf3e15f0b53e29f1b95ad5ff783b497c6fa91f8010c","alerts":{"urlquery":null,"analyzer":null}},{"path":"WinRing0x64.sys","filename":"WinRing0x64.sys","modified":"2018-07-30T16:33:43Z","Modified":"","magic":"PE32+ executable (native) x86-64, for MS Windows, 6 sections","size":14544,"md5":"0c0195c48b6b8582fa6f6373032118da","sha1":"d25340ae8e92a6d29f599fef426a2bc1b5217299","sha256":"11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5","sha512":"ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2025-05-12","alert":"Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinRing0x64.sys","trigger":"WinRing0x64.sys","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2023-06-13","description":"Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinRing0x64.sys","hash":"a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062","reference":"https://github.com/magicsword-io/LOLDrivers","rule":"PUA_VULN_Driver_Openlibsysorg_Winringsys_Winring_11BD","score":"40"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2025-05-12","alert":"signed_sys_with_vulnerablity","trigger":"WinRing0x64.sys","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"wonderkun","date":"2023-07-21","description":"signed_sys_with_vulnerablity","rule":"signed_sys_with_vulnerablity","tlp":"WHITE","yarahub_license":"CC0 1.0","yarahub_reference_md5":"3b25a34bb08f4759792c24b121109513","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"615591f5-2e81-4c01-8ebf-ab8aade6efcf"}},{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2025-05-12","alert":"Scan result 2/72","trigger":"11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5","verdict":"suspicious","severity":"","comment":"suspicious - 2/72","link":"https://www.virustotal.com/gui/file/11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5","meta":null}]}}],"alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2025-05-12","alert":"Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinRing0x64.sys","trigger":"WinRing0.sys","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2023-06-13","description":"Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinRing0x64.sys","hash":"a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062","reference":"https://github.com/magicsword-io/LOLDrivers","rule":"PUA_VULN_Driver_Openlibsysorg_Winringsys_Winring_11BD","score":"40"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2025-05-12","alert":"signed_sys_with_vulnerablity","trigger":"WinRing0.sys","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"wonderkun","date":"2023-07-21","description":"signed_sys_with_vulnerablity","rule":"signed_sys_with_vulnerablity","tlp":"WHITE","yarahub_license":"CC0 1.0","yarahub_reference_md5":"3b25a34bb08f4759792c24b121109513","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"615591f5-2e81-4c01-8ebf-ab8aade6efcf"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2025-05-12","alert":"Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinRing0x64.sys","trigger":"WinRing0x64.sys","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth","date":"2023-06-13","description":"Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinRing0x64.sys","hash":"a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062","reference":"https://github.com/magicsword-io/LOLDrivers","rule":"PUA_VULN_Driver_Openlibsysorg_Winringsys_Winring_11BD","score":"40"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2025-05-12","alert":"signed_sys_with_vulnerablity","trigger":"WinRing0x64.sys","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"wonderkun","date":"2023-07-21","description":"signed_sys_with_vulnerablity","rule":"signed_sys_with_vulnerablity","tlp":"WHITE","yarahub_license":"CC0 1.0","yarahub_reference_md5":"3b25a34bb08f4759792c24b121109513","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"615591f5-2e81-4c01-8ebf-ab8aade6efcf"}},{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2023-05-29","alert":"Scan result 1/60","trigger":"d3d8fa22d876ebdf2996b581a7834c68c3d983516733333a225596aefab98af1","verdict":"suspicious","severity":"","comment":"suspicious - 1/60","link":"https://www.virustotal.com/gui/file/d3d8fa22d876ebdf2996b581a7834c68c3d983516733333a225596aefab98af1","meta":null}]}}],"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":[{"sensor_name":"suricata","description":"Suricata /w Emerging Threats Pro","alerts":null}],"analyzer":[{"sensor_name":"infosec_yara","type":"yara","description":"Public InfoSec YARA rules","link":"","alerts":null},{"sensor_name":"openphish","type":"url","description":"OpenPhish","link":"","alerts":null},{"sensor_name":"phishtank","type":"url","description":"PhishTank","link":"","alerts":null},{"sensor_name":"quad9","type":"domain","description":"Quad9 DNS","link":"","alerts":null},{"sensor_name":"threatfox","type":"url","description":"ThreatFox","link":"","alerts":null}],"urlquery":null},"javascript":{"script":null,"eval":null,"write":null},"http":[{"url":{"schema":"https","addr":"sk-data.special-k.info/redist/WinRing0_32.7z","fqdn":"sk-data.special-k.info","domain":"special-k.info","tld":"info"},"ip":{"addr":"172.64.145.29","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"is_navigation_request":true,"resource_type":"","requested_by":"","date":"2025-05-12T20:28:51.734Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"ECDSA-P256-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"special-k.info","organization":""},"issuer":{"commonName":"E5","organization":"Let's Encrypt"},"validity":{"start":"Mon, 28 Apr 2025 15:08:08 GMT","end":"Sun, 27 Jul 2025 15:08:07 GMT"},"fingerprint":{"sha1":"C7:86:60:A5:25:3B:1F:F8:86:27:FF:15:CB:90:65:0E:F0:3F:61:02","sha256":"CD:85:0C:60:F7:8D:B8:7B:C0:3A:C5:74:51:17:37:CB:00:D6:09:42:E4:65:B4:5D:E0:1B:F7:63:4F:C6:2E:7F"}}},"request":{"raw":"GET /redist/WinRing0_32.7z HTTP/1.1\r\nHost: sk-data.special-k.info\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nUpgrade-Insecure-Requests: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/2 200 OK\r\ndate: Mon, 12 May 2025 20:28:52 GMT\r\ncontent-length: 33430\r\nlast-modified: Mon, 21 Feb 2022 06:19:24 GMT\r\nx-rgw-object-type: Normal\r\netag: \"f7d441d534b37441b08bdd1a6c4642b5\"\r\nx-amz-request-id: tx000001b048862a11a72fb-00681d9108-52766bbc-nyc3b\r\nvary: Origin, Access-Control-Request-Headers, Access-Control-Request-Method, Accept-Encoding\r\nstrict-transport-security: max-age=15552000; includeSubDomains; preload\r\nx-do-cdn-uuid: 1f6e7126-9eca-4f49-ba8a-6c7941681748\r\ncache-control: max-age=3600\r\ncf-cache-status: HIT\r\naccept-ranges: bytes\r\nset-cookie: __cf_bm=jIeFbjqI4vdcN4BxWFfPTV.jcCwaMN0J9GvGLCkG__E-1747081732-1.0.1.1-fiMpt69cZLv3aapGHqf.Zb3mcyr1jxAY7C4cUrjqGWtRBmOWb.S2qrGcjt.NH8vWJLXlFkalQpLHjdCyMszOpWd9a5my15c.PsRBSccWPVI; path=/; expires=Mon, 12-May-25 20:58:52 GMT; domain=.sk-data.special-k.info; HttpOnly; Secure; SameSite=None\r\nserver: cloudflare\r\ncf-ray: 93ecaa37ad620b55-OSL\r\nX-Firefox-Spdy: h2\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":33430,"size_decoded":0,"mime_type":"application/x-7z-compressed","magic":"7-zip archive data, version 0.4","md5":"f7d441d534b37441b08bdd1a6c4642b5","sha1":"94921471ec82ad1222a2524030b8f6c00b8844ee","sha256":"d3d8fa22d876ebdf2996b581a7834c68c3d983516733333a225596aefab98af1","sha512":"3e4221fecc71be8e8331322071c6743a7e03418e7e377cb23a267749a13dd15267cc5aa0c35420f07a55c29c7f912557bfa0a69f56cda2ecc033580b33e6fa9e","ssdeep":"768:XzWIbEZCLU+TXZaXN+Jro6y8BLCGx9Uy9EoTY:jWIbE4U8XZa9irol8BLbAoTY","tlshash":"d1e2e1215b22cdec33c9457d71778368b7e2ca70238e96ff48063399a6e76275a3841d","first_seen":"2023-06-18T08:51:17Z","last_seen":"2025-06-25T05:27:43.795598Z","times_seen":372,"resource_available":false,"data":null}},"time_used":539,"timings":{"blocked":50,"dns":11,"connect":1,"send":0,"wait":439,"receive":3,"ssl":25},"alerts":{"ids":null,"analyzer":[{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2023-05-29","alert":"Scan result 1/60","trigger":"d3d8fa22d876ebdf2996b581a7834c68c3d983516733333a225596aefab98af1","verdict":"suspicious","severity":"","comment":"suspicious - 1/60","link":"https://www.virustotal.com/gui/file/d3d8fa22d876ebdf2996b581a7834c68c3d983516733333a225596aefab98af1","meta":null}],"urlquery":null}}]}