93c84c08-4683-493d-abf7-22dc2d1cb567

PanIOx64.sys

We were not able to verify the hash of this driver successfully, it has not been confirmed.

Description

PanIOx64.sys is a vulnerable driver and more information will be added as found.

  • UUID: 93c84c08-4683-493d-abf7-22dc2d1cb567
  • Created: 2023-01-09
  • Author: Michael Haag
  • Acknowledgement: |

Download

This download link contains the vulnerable driver!

Commands

sc.exe create PanIOx64.sys binPath=C:\windows\temp\PanIOx64.sys type=kernel && sc.exe start PanIOx64.sys
Use CasePrivilegesOperating System
Elevate privilegeskernelWindows 10

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Renamed

for renamed driver files

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules
  • https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules

    • Known Vulnerable Samples

    PropertyValue
    FilenamePanIOx64.sys
    Creation Timestamp2014-04-17 03:14:26
    MD50d6fef14f8e1ce5753424bd22c46b1ce
    SHA1814200191551faec65b21f5f6819b46c8fc227a3
    SHA2566b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74
    Authentihash MD57bd56fcd55d1fd188e5200b7db5cd7be
    Authentihash SHA1519926b0b385e27141d88c5576aa9f86d8d3bb0d
    Authentihash SHA25613aa698c09a31d642d3e2a9dd03be2363b11b4024689fb6c97234719446dbbd7
    RichPEHeaderHash MD541ddd08b440611823bc5d8cb732c563d
    RichPEHeaderHash SHA18acdfc9ac988c6250e2a031640f6e169b5fddb73
    RichPEHeaderHash SHA256189683b4db2e68d2f0b3f91f1141907b3887f23991867a68a22389d40ad3634e
    CompanyPan Yazilim Bilisim Teknolojileri Tic. Ltd. Sti.
    DescriptionTemperature and system information driver
    ProductPanIO Library
    OriginalFilenamePanIOx64.sys

    Download

    Certificates

    Expand
    Certificate 0400000000012f4ee152d7
    FieldValue
    ToBeSigned (TBS) MD5e140543fe3256027cfa79fc3c19c1776
    ToBeSigned (TBS) SHA1c655f94eb1ecc93de319fc0c9a2dc6c5ec063728
    ToBeSigned (TBS) SHA2563ca71e85908ff67368e4dc00253f5691b9e6d50c966e7784143d75fb92aa3448
    SubjectC=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2
    ValidFrom2011-04-13 10:00:00
    ValidTo2028-01-28 12:00:00
    Signature4e5e56901e46b4d94931f3bb1739281bc216ddfd41dc0905049b6fb2a29ad6992e40990055b5ea3fa52076d38634d417cc553ac782eeefa8babcd8069f1550dfcd167b523a02d7191afdaff0785ce04bc518df3a241edaacb8a95804020730dbb0125efe31bef00448f4f070f83a5e5683cf3dfb0dbcf4c5ed979db9d4dba52784e3389b8ba735864420a43b6da46a0ba183fd28ebdaef28f6cc885dfb0a3b00abe021ebe22f356c0f8e344597eba2f79933357ecb9a8abb454de73f9fc2d98afa65b26ec77e65ffe892e12c31a2f7b02736488f266f3bee4d761f79c3e57f9635bc2d0ecc01b08e7fff518080a792d4b34446648c874f166307314b63b0dff3
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber0400000000012f4ee152d7
    Version3
    Certificate 0400000000012f4ee1355c
    FieldValue
    ToBeSigned (TBS) MD5f6a9e8eb8784f3f694b4e353c08a0ff5
    ToBeSigned (TBS) SHA1589a7d4df869395601ba7538a65afae8c4616385
    ToBeSigned (TBS) SHA256cbdc9a0ad785d0c2013211746b42234e18bdc7d54a7a260647badc1c9e712ed4
    SubjectC=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2
    ValidFrom2011-04-13 10:00:00
    ValidTo2019-04-13 10:00:00
    Signature225cc5dd3df40b70d8e3f5e7c58e0901bbb196365c5a07adc7a8444951257aae0da4193b929ccfb94226bb3b6c97e7c7ce116d6891da8d6df1534d54388c61f3c8827669be81320b31c36cc99e200a582ff048fe7e4807aad743589473540431a9780d3b8cb070c13d7ed7bd2f2ac3e2f58f0c90dc6ba5c8be685e5d6df878d2be49951e15780891fb34c8be84adbce0c6dd18dbf3caf07bc2143c18b803ba953e211e3f60697a7f6a039e8d4af9f0282c30845eec267242b16dcb64c3128cd6844b67417cb103177809e3ada8b6962da47e80034f88f7c16b5a4615cd2c198bd8709ce52d49886072a8a4195270435edad64603b0680e24ef4af60b2524ef24
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber0400000000012f4ee1355c
    Version3
    Certificate 1121405c1f0ed258882be54d8686ba11ea45
    FieldValue
    ToBeSigned (TBS) MD5b95cbc184d388718612d5933f7b36770
    ToBeSigned (TBS) SHA1ff124c5d160710720108616ffee99bbe090ed363
    ToBeSigned (TBS) SHA25613027620255363f07bbf85ae7d0dc06c07d8b0f4368b12f983ee3f4fce605733
    SubjectC=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G1
    ValidFrom2013-08-23 00:00:00
    ValidTo2024-09-23 00:00:00
    Signature0231142e5857644185e8af12753c881cc35eec2ce9a13cf5baaa531db9d12963dc436786d439dadec6c9ffbe4585f4a4d7c151ea18ee40585ee67bcca241291338c8ea21169cce90a62efba6cad994df401df902182bbef65d4f9fff9a48dbc50509ca80cea0f9dc4bc323e6038fb4b4af5b71296191181a6b7af2fd0dd1cd7d5e98ebba705ee5f4ea43de353dc514818adb3e105ebb72faa1a093ab031cc1653c91138b045d2bc4b9161bcc55c50ce8abe743c9b28328a5531347ab3964b91cea3430b176009521f1d43da8fda00032d76e983ca69c3b0b83becbb8bb2a268c59b8b9aeaf26ace234a2dc210d810b3813f745a3e3dbc4aca16d1bb7e5615cd7
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityFalse
    SerialNumber1121405c1f0ed258882be54d8686ba11ea45
    Version3
    Certificate 1121506480253469e07e54ee8612041fbb92
    FieldValue
    ToBeSigned (TBS) MD5f56d9ee0c69c7569e5c15b486bca6e2e
    ToBeSigned (TBS) SHA1819ca6276ed76625e86bb6def0d45f61d37c8975
    ToBeSigned (TBS) SHA256b3b13c549110379d1141116de140cad748fb8345208cd31eb2443850a529b53b
    SubjectC=TR, ST=ISTANBUL, O=PAN YAZILIM BILISIM TEKNOLOJILERI TICARET LTD. STI., CN=PAN YAZILIM BILISIM TEKNOLOJILERI TICARET LTD. STI.
    ValidFrom2014-04-15 15:12:40
    ValidTo2015-04-15 10:41:35
    Signature80c106b241d9ce3836aa7f9cace1ff4019c000e7010613722cb52e25e706045117d0fc96252e9dcea3fbc685222c39fca608d772e3f15cb43d550686265d301bbdc1e45ce75db149dff45be1adb71ee24385407afac778ede4e047359e64e06d29b5bdab18517dd5751cd255bd05600be47f4774be0c97666d5afe6aa64ee53ee9083e0587fd5a2b3767733fd5c1eb58364c4e8823db789da3d0157eb468805f3a0032103e65265ee45cd7181abfb3583d8d3b20d4f6f0a010c0bf01a2d82df1c3a22220e712d83b067aec59990117b623cda1a344a7584fb74145df822b2a709b3ca47a45fd4822d3bcd1691b18ddbb64b7daa42dd63664d796fbf2fc7474ba
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityFalse
    SerialNumber1121506480253469e07e54ee8612041fbb92
    Version3
    Certificate 610b7f6b000000000019
    FieldValue
    ToBeSigned (TBS) MD54798d55be7663a75649cda4dedc686ef
    ToBeSigned (TBS) SHA10f1ab2937b245d9466ea6f9bf056a5942e3989cf
    ToBeSigned (TBS) SHA256ef14ea05bb066ee9f4188196dd69cd769b283ac4d7555db52f5e76922d3456e1
    SubjectC=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA
    ValidFrom2006-05-23 17:00:51
    ValidTo2016-05-23 17:10:51
    Signature13c56c5e077f3c57ff9b315f3fbd955425c679f92c31034d64694b56d95b976f7cf3f0d024657538639813701613f7a701f1c623e085866c0bf080945a75e87ce41e92b473bfc1b3a7b00bd31884cbcc09a35c9c4f3eb03a9c2d1bc404ef9737966fe5ecbaac6ab3d4e23cdf8b25e7acbc624531dda40a72e41bf8784301ccba3914de5d90aed85acf5eca46815133d5a60e5867d3d8665888169beeb11acaad91138421da9a6e20efda007428bac95ff34d5dc3da25692554ea44bcc39b29331cd63c961f8781c553d72a2733d42e197c08586ddb4e1999a9ea5ff39a9d8c513a5a5cbd2fa908359b54a7db351a521633343aa380046afdb4838cad90cf0c3a6596ec334e1826b849bbeb8192ff134d324b23c733e7b6716b15f69c80e6bcb76cbe41d5033a7133150050743b0e5df996aaed903eab134c809926bc38a5eb0236891db620be83ab10f8199ed76379d4aeb12f6136f94a4ba833c70e7241f9f1b1907eae46efde397b75a0411459041d42bc4788b8130e05fa1df0808dff70c677d84bdc460e231a72d5bfdefeaaae69583cfc5c46e4d5819a8b6e6559771a32a590a6b6649364fd0753c9a0de28ad2a6cc638d181ce98f54019e92c1743a4265fd3443053e41d02baa40a2f16dd7a60275242bbad98372897e4b8d27911e3108c48d5305d0a0c52def588ea8d1a2d67c9f4801484b7850cd16628a5c66f2461
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber610b7f6b000000000019
    Version3

    Imports

    Expand
    • ntoskrnl.exe
    • HAL.dll

    Imported Functions

    Expand
    • MmUnmapIoSpace
    • MmMapIoSpace
    • IofCompleteRequest
    • IoDeleteDevice
    • IoCreateDevice
    • KeBugCheckEx
    • RtlInitUnicodeString
    • IoCreateSymbolicLink
    • IoDeleteSymbolicLink
    • __C_specific_handler
    • HalSetBusDataByOffset
    • HalGetBusDataByOffset

    Exported Functions

    Expand

    Sections

    Expand
    • .text
    • .rdata
    • .data
    • .pdata
    • INIT
    • .rsrc

    Signature

    Expand
    {
  "Certificates": [
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "0400000000012f4ee152d7",
      "Signature": "4e5e56901e46b4d94931f3bb1739281bc216ddfd41dc0905049b6fb2a29ad6992e40990055b5ea3fa52076d38634d417cc553ac782eeefa8babcd8069f1550dfcd167b523a02d7191afdaff0785ce04bc518df3a241edaacb8a95804020730dbb0125efe31bef00448f4f070f83a5e5683cf3dfb0dbcf4c5ed979db9d4dba52784e3389b8ba735864420a43b6da46a0ba183fd28ebdaef28f6cc885dfb0a3b00abe021ebe22f356c0f8e344597eba2f79933357ecb9a8abb454de73f9fc2d98afa65b26ec77e65ffe892e12c31a2f7b02736488f266f3bee4d761f79c3e57f9635bc2d0ecc01b08e7fff518080a792d4b34446648c874f166307314b63b0dff3",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2",
      "TBS": {
        "MD5": "e140543fe3256027cfa79fc3c19c1776",
        "SHA1": "c655f94eb1ecc93de319fc0c9a2dc6c5ec063728",
        "SHA256": "3ca71e85908ff67368e4dc00253f5691b9e6d50c966e7784143d75fb92aa3448",
        "SHA384": "d9d366f9328f2b55ee19a32cc5fd5148b81d764282fe5dc196c872ae249caa51d2c212ef39f33945dfe0cda81925e326"
      },
      "ValidFrom": "2011-04-13 10:00:00",
      "ValidTo": "2028-01-28 12:00:00",
      "Version": 3
    },
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "0400000000012f4ee1355c",
      "Signature": "225cc5dd3df40b70d8e3f5e7c58e0901bbb196365c5a07adc7a8444951257aae0da4193b929ccfb94226bb3b6c97e7c7ce116d6891da8d6df1534d54388c61f3c8827669be81320b31c36cc99e200a582ff048fe7e4807aad743589473540431a9780d3b8cb070c13d7ed7bd2f2ac3e2f58f0c90dc6ba5c8be685e5d6df878d2be49951e15780891fb34c8be84adbce0c6dd18dbf3caf07bc2143c18b803ba953e211e3f60697a7f6a039e8d4af9f0282c30845eec267242b16dcb64c3128cd6844b67417cb103177809e3ada8b6962da47e80034f88f7c16b5a4615cd2c198bd8709ce52d49886072a8a4195270435edad64603b0680e24ef4af60b2524ef24",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2",
      "TBS": {
        "MD5": "f6a9e8eb8784f3f694b4e353c08a0ff5",
        "SHA1": "589a7d4df869395601ba7538a65afae8c4616385",
        "SHA256": "cbdc9a0ad785d0c2013211746b42234e18bdc7d54a7a260647badc1c9e712ed4",
        "SHA384": "dcec542f242317863d0b3d23947e17d6982e381003831777b07ed75b46fb18bd0392a89c9beb6862981cd05f3f2fb77b"
      },
      "ValidFrom": "2011-04-13 10:00:00",
      "ValidTo": "2019-04-13 10:00:00",
      "Version": 3
    },
    {
      "IsCertificateAuthority": false,
      "SerialNumber": "1121405c1f0ed258882be54d8686ba11ea45",
      "Signature": "0231142e5857644185e8af12753c881cc35eec2ce9a13cf5baaa531db9d12963dc436786d439dadec6c9ffbe4585f4a4d7c151ea18ee40585ee67bcca241291338c8ea21169cce90a62efba6cad994df401df902182bbef65d4f9fff9a48dbc50509ca80cea0f9dc4bc323e6038fb4b4af5b71296191181a6b7af2fd0dd1cd7d5e98ebba705ee5f4ea43de353dc514818adb3e105ebb72faa1a093ab031cc1653c91138b045d2bc4b9161bcc55c50ce8abe743c9b28328a5531347ab3964b91cea3430b176009521f1d43da8fda00032d76e983ca69c3b0b83becbb8bb2a268c59b8b9aeaf26ace234a2dc210d810b3813f745a3e3dbc4aca16d1bb7e5615cd7",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G1",
      "TBS": {
        "MD5": "b95cbc184d388718612d5933f7b36770",
        "SHA1": "ff124c5d160710720108616ffee99bbe090ed363",
        "SHA256": "13027620255363f07bbf85ae7d0dc06c07d8b0f4368b12f983ee3f4fce605733",
        "SHA384": "f42ed00f615f2822dcd3d33794477428afb52ddab932ebcde3586f92a27e18f9faba6b3334ca4e59e0cb24bdbf8395a6"
      },
      "ValidFrom": "2013-08-23 00:00:00",
      "ValidTo": "2024-09-23 00:00:00",
      "Version": 3
    },
    {
      "IsCertificateAuthority": false,
      "SerialNumber": "1121506480253469e07e54ee8612041fbb92",
      "Signature": "80c106b241d9ce3836aa7f9cace1ff4019c000e7010613722cb52e25e706045117d0fc96252e9dcea3fbc685222c39fca608d772e3f15cb43d550686265d301bbdc1e45ce75db149dff45be1adb71ee24385407afac778ede4e047359e64e06d29b5bdab18517dd5751cd255bd05600be47f4774be0c97666d5afe6aa64ee53ee9083e0587fd5a2b3767733fd5c1eb58364c4e8823db789da3d0157eb468805f3a0032103e65265ee45cd7181abfb3583d8d3b20d4f6f0a010c0bf01a2d82df1c3a22220e712d83b067aec59990117b623cda1a344a7584fb74145df822b2a709b3ca47a45fd4822d3bcd1691b18ddbb64b7daa42dd63664d796fbf2fc7474ba",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=TR, ST=ISTANBUL, O=PAN YAZILIM BILISIM TEKNOLOJILERI TICARET LTD. STI., CN=PAN YAZILIM BILISIM TEKNOLOJILERI TICARET LTD. STI.",
      "TBS": {
        "MD5": "f56d9ee0c69c7569e5c15b486bca6e2e",
        "SHA1": "819ca6276ed76625e86bb6def0d45f61d37c8975",
        "SHA256": "b3b13c549110379d1141116de140cad748fb8345208cd31eb2443850a529b53b",
        "SHA384": "2f15812fb4c9bba4d8ae7916fa4ffc9ad0a69724d77dc564c89b1e5df3e98b8797b63fcafe68eef9acf1d8817e9988cf"
      },
      "ValidFrom": "2014-04-15 15:12:40",
      "ValidTo": "2015-04-15 10:41:35",
      "Version": 3
    },
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "610b7f6b000000000019",
      "Signature": "13c56c5e077f3c57ff9b315f3fbd955425c679f92c31034d64694b56d95b976f7cf3f0d024657538639813701613f7a701f1c623e085866c0bf080945a75e87ce41e92b473bfc1b3a7b00bd31884cbcc09a35c9c4f3eb03a9c2d1bc404ef9737966fe5ecbaac6ab3d4e23cdf8b25e7acbc624531dda40a72e41bf8784301ccba3914de5d90aed85acf5eca46815133d5a60e5867d3d8665888169beeb11acaad91138421da9a6e20efda007428bac95ff34d5dc3da25692554ea44bcc39b29331cd63c961f8781c553d72a2733d42e197c08586ddb4e1999a9ea5ff39a9d8c513a5a5cbd2fa908359b54a7db351a521633343aa380046afdb4838cad90cf0c3a6596ec334e1826b849bbeb8192ff134d324b23c733e7b6716b15f69c80e6bcb76cbe41d5033a7133150050743b0e5df996aaed903eab134c809926bc38a5eb0236891db620be83ab10f8199ed76379d4aeb12f6136f94a4ba833c70e7241f9f1b1907eae46efde397b75a0411459041d42bc4788b8130e05fa1df0808dff70c677d84bdc460e231a72d5bfdefeaaae69583cfc5c46e4d5819a8b6e6559771a32a590a6b6649364fd0753c9a0de28ad2a6cc638d181ce98f54019e92c1743a4265fd3443053e41d02baa40a2f16dd7a60275242bbad98372897e4b8d27911e3108c48d5305d0a0c52def588ea8d1a2d67c9f4801484b7850cd16628a5c66f2461",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA",
      "TBS": {
        "MD5": "4798d55be7663a75649cda4dedc686ef",
        "SHA1": "0f1ab2937b245d9466ea6f9bf056a5942e3989cf",
        "SHA256": "ef14ea05bb066ee9f4188196dd69cd769b283ac4d7555db52f5e76922d3456e1",
        "SHA384": "6e7450a139856aeda6fa6284ff89b3752a9b646e096b4d33dd7e8e727742a2111481531581c0aa2cda0338e22cfdbad3"
      },
      "ValidFrom": "2006-05-23 17:00:51",
      "ValidTo": "2016-05-23 17:10:51",
      "Version": 3
    }
  ],
  "CertificatesInfo": "",
  "Signer": [
    {
      "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2",
      "SerialNumber": "1121506480253469e07e54ee8612041fbb92",
      "Version": 1
    }
  ],
  "SignerInfo": ""
}

    source

    last_updated: 2024-04-09