ScreenShot
| Created | 2021.11.07 06:53 | Machine | s1_win7_x6401 |
| Filename | bthpan.sys | ||
| Type | PE32+ executable (native) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | |||
| md5 | 5a8951d195afef979c4ab02a129ebc37 | ||
| sha256 | 48fd4a921e51b6dd306a1248eb9a1a6aec5f59e49528423bf2f40600b3af1d08 | ||
| ssdeep | 3072:O42TEXnmv8tf6bCg8X5hIBRhSv+fWLNPZNcsBi:YCmEtECgoSR4v+fWRAsc | ||
| imphash | dfa790d8cf26fad6098be1e0a726129e | ||
| impfuzzy | 24:wt54cMi1zVC8z4S2oBtrKKM8S3z8omGznwzQ242nTph7M5oQ9UJ2dfwmiVBuq2J1:0XZM8SvJwQncujsHl7LLg4ryD7APUF | ||
Network IP location
Signature (3cnts)
| Level | Description |
|---|---|
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
| info | This executable has a PDB path |
Rules (2cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
ntoskrnl.exe
0x280f0 ZwSetValueKey
0x280f8 MmBuildMdlForNonPagedPool
0x28100 IoBuildPartialMdl
0x28108 ZwQueryValueKey
0x28110 IoFreeMdl
0x28118 KeBugCheckEx
0x28120 ZwClose
0x28128 IoOpenDeviceRegistryKey
0x28130 ExQueryDepthSList
0x28138 ExpInterlockedPushEntrySList
0x28140 ExpInterlockedPopEntrySList
0x28148 ExDeleteNPagedLookasideList
0x28150 ExInitializeNPagedLookasideList
0x28158 IoCancelIrp
0x28160 KeWaitForSingleObject
0x28168 KeInitializeEvent
0x28170 KeSetEvent
0x28178 RtlUnicodeToUTF8N
0x28180 IoAllocateIrp
0x28188 IoFreeIrp
0x28190 MmMapLockedPagesSpecifyCache
0x28198 RtlUnicodeStringToAnsiString
0x281a0 RtlAnsiStringToUnicodeString
0x281a8 RtlInitString
0x281b0 KeReleaseSpinLock
0x281b8 KeAcquireSpinLockRaiseToDpc
0x281c0 IofCallDriver
0x281c8 IofCompleteRequest
0x281d0 IoWMIRegistrationControl
0x281d8 RtlCompareMemory
0x281e0 MmGetSystemRoutineAddress
0x281e8 ExFreePoolWithTag
0x281f0 IoWMIWriteEvent
0x281f8 ExAllocatePoolWithTag
0x28200 IoAllocateMdl
0x28208 RtlInitUnicodeString
0x28210 ExFreePool
NDIS.SYS
0x28000 NdisAllocatePacket
0x28008 NdisAllocateBuffer
0x28010 NdisFreePacketPool
0x28018 NdisFreeBufferPool
0x28020 NdisAllocateBufferPool
0x28028 NdisAllocatePacketPool
0x28030 NdisMDeregisterDevice
0x28038 NdisMRegisterDevice
0x28040 NdisSetTimer
0x28048 NdisCancelTimer
0x28050 NdisInitializeTimer
0x28058 NdisWaitEvent
0x28060 NdisInitializeEvent
0x28068 NdisSetEvent
0x28070 NdisScheduleWorkItem
0x28078 NdisFreeMemory
0x28080 NdisAllocateMemoryWithTag
0x28088 NdisMIndicateStatus
0x28090 NdisCloseConfiguration
0x28098 NdisReadConfiguration
0x280a0 NdisOpenConfiguration
0x280a8 NdisMGetDeviceProperty
0x280b0 NdisMSetAttributesEx
0x280b8 NdisMSleep
0x280c0 NdisTerminateWrapper
0x280c8 NdisMRegisterUnloadHandler
0x280d0 NdisMRegisterMiniport
0x280d8 NdisInitializeWrapper
0x280e0 NdisFreePacket
EAT(Export Address Table) is none
ntoskrnl.exe
0x280f0 ZwSetValueKey
0x280f8 MmBuildMdlForNonPagedPool
0x28100 IoBuildPartialMdl
0x28108 ZwQueryValueKey
0x28110 IoFreeMdl
0x28118 KeBugCheckEx
0x28120 ZwClose
0x28128 IoOpenDeviceRegistryKey
0x28130 ExQueryDepthSList
0x28138 ExpInterlockedPushEntrySList
0x28140 ExpInterlockedPopEntrySList
0x28148 ExDeleteNPagedLookasideList
0x28150 ExInitializeNPagedLookasideList
0x28158 IoCancelIrp
0x28160 KeWaitForSingleObject
0x28168 KeInitializeEvent
0x28170 KeSetEvent
0x28178 RtlUnicodeToUTF8N
0x28180 IoAllocateIrp
0x28188 IoFreeIrp
0x28190 MmMapLockedPagesSpecifyCache
0x28198 RtlUnicodeStringToAnsiString
0x281a0 RtlAnsiStringToUnicodeString
0x281a8 RtlInitString
0x281b0 KeReleaseSpinLock
0x281b8 KeAcquireSpinLockRaiseToDpc
0x281c0 IofCallDriver
0x281c8 IofCompleteRequest
0x281d0 IoWMIRegistrationControl
0x281d8 RtlCompareMemory
0x281e0 MmGetSystemRoutineAddress
0x281e8 ExFreePoolWithTag
0x281f0 IoWMIWriteEvent
0x281f8 ExAllocatePoolWithTag
0x28200 IoAllocateMdl
0x28208 RtlInitUnicodeString
0x28210 ExFreePool
NDIS.SYS
0x28000 NdisAllocatePacket
0x28008 NdisAllocateBuffer
0x28010 NdisFreePacketPool
0x28018 NdisFreeBufferPool
0x28020 NdisAllocateBufferPool
0x28028 NdisAllocatePacketPool
0x28030 NdisMDeregisterDevice
0x28038 NdisMRegisterDevice
0x28040 NdisSetTimer
0x28048 NdisCancelTimer
0x28050 NdisInitializeTimer
0x28058 NdisWaitEvent
0x28060 NdisInitializeEvent
0x28068 NdisSetEvent
0x28070 NdisScheduleWorkItem
0x28078 NdisFreeMemory
0x28080 NdisAllocateMemoryWithTag
0x28088 NdisMIndicateStatus
0x28090 NdisCloseConfiguration
0x28098 NdisReadConfiguration
0x280a0 NdisOpenConfiguration
0x280a8 NdisMGetDeviceProperty
0x280b0 NdisMSetAttributesEx
0x280b8 NdisMSleep
0x280c0 NdisTerminateWrapper
0x280c8 NdisMRegisterUnloadHandler
0x280d0 NdisMRegisterMiniport
0x280d8 NdisInitializeWrapper
0x280e0 NdisFreePacket
EAT(Export Address Table) is none