LECOMAx64.sys

Description

LECOMAx64.sys is a signed LECO LECOMA device driver referenced by public PPLShade supported-driver research.

  • UUID: 47d4b71f-eebd-4775-9e7c-b031135e8f1b
  • Created: 2026-06-16
  • Author: Michael Haag
  • Acknowledgement: Arnim Rupp | ruppde

Commands

sc.exe create LECOMAx64 binPath=C:\windows\temp\LECOMAx64.sys type=kernel && sc.exe start LECOMAx64

  • Use Case: Load a vulnerable signed kernel driver
  • Privileges: kernel
  • Operating System: Windows 10

Detections

YARA 🏹

  • Exact Match: with header and size limitation
  • Threat Hunting: without header and size limitation
  • Renamed: for renamed driver files

Sigma 🛡️

  • Names: detects loading using name only
  • Hashes: detects loading using hashes only

Sysmon 🔎

  • Block: on hashes
  • Alert: on hashes

Resources


  • https://github.com/redteamfortress/PPLShade#supported-drivers
  • https://github.com/magicsword-io/LOLDrivers/issues/354

  • Known Vulnerable Samples

    Property            Value
    Filename            LECOMAx64.sys
    Creation Timestamp
    MD5                 8ac99a014b36c4cf1eeee98f99410cca
    SHA1                eb817e8af016f6a3ece2b7cf421ec6d96970e285
    SHA256              0f2dff4116a84241d8cafe534b63454fb4ea26272da8977be03670701ec6631c
    Publisher           LECO Corporation
    Date                07:30 PM 05/09/2007
    Company             LECO Corporation
    Description         LECO LECOMA Device Driver
    OriginalFilename    LECOMAx.SYS

    last_updated: 2026-06-16