SHA256: 344a83008f41aac3cdfc52efc4f2eff441971c58182597d2fbed315b3fc62137
File name: afd.sys
Detection ratio: 0 / 46
Analysis date: 2013-04-26 22:04:41 UTC ( 5 years, 8 months ago )
Trusted source! This file belongs to the Microsoft Corporation software catalogue.
Antivirus Result Update
AVG 20130426
Yandex 20130426
AhnLab-V3 20130426
AntiVir 20130426
Antiy-AVL 20130426
Avast 20130427
BitDefender 20130426
ByteHero 20130425
CAT-QuickHeal 20130426
ClamAV 20130426
Commtouch 20130426
Comodo 20130426
DrWeb 20130426
ESET-NOD32 20130426
Emsisoft 20130426
F-Prot 20130426
F-Secure 20130426
Fortinet 20130426
GData 20130426
Ikarus 20130426
Jiangmin 20130426
K7AntiVirus 20130426
K7GW 20130426
Kaspersky 20130426
Kingsoft 20130422
Malwarebytes 20130426
McAfee 20130427
McAfee-GW-Edition 20130426
eScan 20130426
Microsoft 20130426
NANO-Antivirus 20130426
Norman 20130426
PCTools 20130426
Panda 20130426
SUPERAntiSpyware 20130426
Sophos AV 20130426
Symantec 20130426
TheHacker 20130426
TotalDefense 20130426
TrendMicro 20130426
TrendMicro-HouseCall 20130426
VBA32 20130425
VIPRE 20130426
ViRobot 20130426
eSafe 20130423
nProtect 20130426
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Native subsystem.
FileVersionInfo properties
Copyright © Microsoft Corporation. All rights reserved.
Product Microsoft® Windows® Operating System
Original name afd.sys
Internal name afd.sys
File version 6.0.6001.18639 (vistasp1_gdr.110421-0338)
Description Ancillary Function Driver for WinSock
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2011-04-21 13:16:39
Entry Point 0x0003B504
Number of sections 9
PE sections
PE imports
KfReleaseSpinLock
KeReleaseInStackQueuedSpinLock
KfLowerIrql
KfAcquireSpinLock
KeAcquireQueuedSpinLock
KfRaiseIrql
KeReleaseQueuedSpinLock
KeAcquireInStackQueuedSpinLock
KeGetCurrentIrql
RtlCleanupTimerWheel
RtlIndicateTimerWheelEntryTimerStart
NmrClientDetachProviderComplete
NmrDeregisterClient
RtlReturnTimerWheelEntry
RtlCopyMdlToBuffer
NetioInsertWorkQueue
NsiRegisterChangeNotification
NsiFreeTable
NsiDeregisterChangeNotification
RtlGetNextExpiredTimerWheelEntry
RtlInitializeTimerWheelEntry
NmrRegisterClient
NmrWaitForProviderDeregisterComplete
NmrClientAttachProvider
NmrWaitForClientDeregisterComplete
RtlSuspendTimerWheel
NsiAllocateAndGetTable
NsiGetAllParameters
NetioInitializeWorkQueue
NmrDeregisterProvider
NmrRegisterProvider
RtlCleanupTimerWheelEntry
NetioShutdownWorkQueue
RtlCopyMdlToMdl
RtlInitializeTimerWheel
RtlUpdateCurrentTimerWheelTick
NmrProviderDetachClientComplete
TdiDeregisterPnPHandlers
TdiCopyBufferToMdl
TdiReturnChainedReceives
TdiCopyMdlToBuffer
TdiRegisterPnPHandlers
TdiMatchPdoWithChainedReceiveContext
KePulseEvent
ZwOpenKey
ExDeleteResourceLite
SeAccessCheck
SeQuerySecurityDescriptorInfo
_allmul
ExRaiseStatus
RtlCreateSecurityDescriptor
RtlInitUnicodeString
PsGetCurrentProcess
SeLockSubjectContext
MmProbeAndLockPages
KeInitializeApc
IoWriteErrorLogEntry
ObCloseHandle
KeFlushQueuedDpcs
SeExports
PsReturnPoolQuota
memcpy
KeTickCount
KeCancelTimer
ExInitializeResourceLite
KefAcquireSpinLockAtDpcLevel
RtlAppendUnicodeStringToString
RtlAddAccessAllowedAce
IoInitializeIrp
ProbeForWrite
KeSetEvent
KeReleaseInStackQueuedSpinLockFromDpcLevel
IoAcquireCancelSpinLock
ObOpenObjectByName
IoFileObjectType
PsGetProcessExitTime
MmSizeOfMdl
KefReleaseSpinLockFromDpcLevel
RtlAppendUnicodeToString
IoThreadToProcess
ObOpenObjectByPointer
IoGetRelatedDeviceObject
memmove
RtlLengthSecurityDescriptor
IoWMIWriteEvent
MmQuerySystemSize
EtwRegister
ExAcquireResourceSharedLite
IoGetRequestorProcess
IoAllocateIrp
KeReadStateEvent
IoCreateFile
IoSetTopLevelIrp
memset
SeFreePrivileges
_alldiv
ExReleaseResourceLite
MmLockPagableDataSection
IoCreateDevice
MmIsThisAnNtAsSystem
KeDetachProcess
IoDeleteDevice
IoReleaseCancelSpinLock
IoGetCurrentProcess
ExInterlockedFlushSList
KeInitializeTimerEx
FsRtlMdlRead
KeQueryActiveProcessorCount
FsRtlInsertExtraCreateParameter
ExDeleteNPagedLookasideList
ZwNotifyChangeKey
KeGetRecommendedSharedDataAlignment
RtlEqualString
KeResetEvent
ExReleaseResourceAndLeaveCriticalRegion
ExRaiseAccessViolation
SeUnlockSubjectContext
KeEnterCriticalRegion
KeInitializeTimer
IoAllocateMdl
IoGetDeviceAttachmentBaseRef
DbgBreakPoint
RtlSetDaclSecurityDescriptor
MmUnlockPagableImageSection
ObfReferenceObject
ExUnregisterCallback
RtlCompareMemory
ExEnterCriticalRegionAndAcquireResourceShared
IoQueueWorkItem
MmResetDriverPaging
FsRtlCopyRead
KeSetTimerEx
SeAppendPrivileges
IoBuildPartialMdl
FsRtlFreeExtraCreateParameterList
KeInitializeEvent
ExEnterCriticalRegionAndAcquireResourceExclusive
ObReferenceSecurityDescriptor
MmMapLockedPagesSpecifyCache
FsRtlAllocateExtraCreateParameter
ExCreateCallback
RtlUnwind
IoFreeWorkItem
ExEventObjectType
ExInitializeNPagedLookasideList
_aullrem
ObFindHandleForObject
SeCreateAccessState
IoBuildDeviceIoControlRequest
InterlockedPopEntrySList
ExGetPreviousMode
ExAllocatePoolWithTag
ObReleaseObjectSecurity
IoFreeIrp
KeGetCurrentThread
MmBuildMdlForNonPagedPool
ObLogSecurityDescriptor
KeSetTimer
RtlMapGenericMask
KeWaitForSingleObject
ExAcquireResourceExclusiveLite
KeInitializeDpc
ExQueueWorkItem
RtlLengthSid
RtlIntegerToUnicode
MmUserProbeAddress
KeAttachProcess
IoAllocateErrorLogEntry
KeRemoveQueueDpc
IoReuseIrp
SeSetSecurityDescriptorInfo
ObDereferenceSecurityDescriptor
IoAllocateWorkItem
RtlCreateAcl
ObfDereferenceObject
KeInsertQueueApc
MmUnlockPages
IoSetIoCompletion
InterlockedPushEntrySList
FsRtlMdlReadComplete
PsChargeProcessPoolQuota
RtlCopyUnicodeString
FsRtlAllocateExtraCreateParameterList
IoCancelIrp
ExRaiseDatatypeMisalignment
IoCreateFileEx
SeAssignSecurity
ZwCreateKey
ObGetObjectSecurity
IoGetFileObjectGenericMapping
IoGetTopLevelIrp
RtlPrefixUnicodeString
MmAdvanceMdl
ExAllocatePoolWithQuotaTag
MmUnmapLockedPages
IofCompleteRequest
RtlEqualUnicodeString
SeDeleteAccessState
_aulldiv
ExRegisterCallback
DbgPrint
KeLeaveCriticalRegion
ZwQueryValueKey
ExInitializeLookasideListEx
KeAcquireInStackQueuedSpinLockAtDpcLevel
ExFreePoolWithTag
EtwUnregister
MmSystemRangeStart
FsRtlFindExtraCreateParameter
RtlCompareUnicodeString
IoQueryFileInformation
MmMapLockedPages
EtwWrite
PsGetCurrentProcessId
KeQueryInterruptTime
ObReferenceObjectByHandle
KeBugCheckEx
KeDelayExecutionThread
IofCallDriver
RtlInitString
ZwClose
ExAllocatePoolWithTagPriority
IoFreeMdl
ExDeleteLookasideListEx
Number of PE resources by type
WEVT_TEMPLATE 1
MUI 1
RT_MESSAGETABLE 1
RT_VERSION 1
Number of PE resources by language
ENGLISH US 4
PE resources
Debug information
ExifTool file metadata
SubsystemVersion 6.0
InitializedDataSize 49664
ImageVersion 6.0
ProductName Microsoft Windows Operating System
FileVersionNumber 6.0.6001.18639
UninitializedDataSize 0
LanguageCode English (U.S.)
FileFlagsMask 0x003f
ImageFileCharacteristics Executable, 32-bit
CharacterSet Unicode
LinkerVersion 8.0
FileTypeExtension exe
OriginalFileName afd.sys
MIMEType application/octet-stream
Subsystem Native
FileVersion 6.0.6001.18639 (vistasp1_gdr.110421-0338)
TimeStamp 2011:04:21 14:16:39+01:00
FileType Win32 EXE
PEType PE32
InternalName afd.sys
ProductVersion 6.0.6001.18639
FileDescription Ancillary Function Driver for WinSock
OSVersion 6.0
FileOS Windows NT 32-bit
LegalCopyright Microsoft Corporation. All rights reserved.
MachineType Intel 386 or later, and compatibles
CompanyName Microsoft Corporation
CodeSize 225792
FileSubtype 7
ProductVersionNumber 6.0.6001.18639
EntryPoint 0x3b504
ObjectFileType Driver
CarbonBlack
While monitoring an end-user machine in-the-wild, CarbonBlack noticed the following files in execution wrote this sample to disk.
File identification
MD5 48eb99503533c27ac6135648e5474457
SHA1 dbb3495d5caf0059efc616458c7b4f0e48285dc8
SHA256 344a83008f41aac3cdfc52efc4f2eff441971c58182597d2fbed315b3fc62137
ssdeep 6144:nPElLNfsAFS5wLcpTDuvzOaTiASLk/Nj1h5ci:nclWAcpyXSG5c
authentihash e501aa2658b4c9fec3aa58f6bb1b39d866cb4b30c75c1d4bb03c903820597c82
imphash ea64994466f6c078428594208c16f187
File size 267.0 KB ( 273408 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (native) Intel 80386 32-bit
TrID Win64 Executable (generic) (61.7%)
Win32 Dynamic Link Library (generic) (14.7%)
Win32 Executable (generic) (10.0%)
OS/2 Executable (generic) (4.5%)
Generic Win/DOS Executable (4.4%)
Tags peexe trusted native
Trusted verdicts
This file belongs to the Microsoft Corporation software catalogue. The file is often found with afd.sys as its name.
VirusTotal metadata
First submission 2011-07-14 23:36:00 UTC ( 7 years, 6 months ago )
Last submission 2017-06-14 11:05:08 UTC ( 1 year, 7 months ago )
File names
file-2879570_sys
2d73a0368c4efc468b25d92f0d87f155.tmp
afd.sys
afd.sys
file-3333346_sys
afd.sys
afd.sys
9298d20ff1f55b4880bfad048bcd0aed.tmp
afd.sys
1CA6891200315D552C8704EAA62C5F004725EC00.sys
afd.sys
x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.18639_none_d7d0e0cc5e7d461c_afd.sys_084af4a8
afd.sys
9322052c46bd3b4a82945912e7644342.tmp
afd.sys
afd.sys
afd.sys
afdACTsys
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight