SHA256: b4df1d2c56a593c6b54de57395e3b51d288f547842893b32b0f59228a0cf70b9
File name: atapi.sys
Detection ratio: 0 / 44
Analysis date: 2012-10-22 04:10:39 UTC ( 2 years, 6 months ago )
Trusted source! This file belongs to the Microsoft Corporation software catalogue.
Antivirus Result Update
AVG 20121022
Agnitum 20121021
AhnLab-V3 20121021
AntiVir 20121022
Antiy-AVL 20121022
Avast 20121021
BitDefender 20121021
ByteHero 20121019
CAT-QuickHeal 20121021
ClamAV 20121022
Commtouch 20121022
Comodo 20121022
DrWeb 20121022
ESET-NOD32 20121021
Emsisoft 20121022
F-Prot 20121022
F-Secure 20121022
Fortinet 20121022
GData 20121022
Ikarus 20121022
Jiangmin 20121022
K7AntiVirus 20121018
Kaspersky 20121022
Kingsoft 20121008
McAfee 20121022
McAfee-GW-Edition 20121022
MicroWorld-eScan 20121022
Microsoft 20121022
Norman 20121021
PCTools 20121022
Panda 20121021
Rising 20121022
SUPERAntiSpyware 20121021
Sophos 20121022
Symantec 20121022
TheHacker 20121021
TotalDefense 20121021
TrendMicro 20121022
TrendMicro-HouseCall 20121022
VBA32 20121019
VIPRE 20121021
ViRobot 20121021
eSafe 20121017
nProtect 20121021
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Native subsystem.
Developer metadata
Copyright © Microsoft Corporation. All rights reserved.
Publisher Microsoft Corporation
Product Microsoft® Windows® Operating System
Original name atapi.sys
Internal name atapi.sys
File version 5.1.2600.5512 (xpsp.080413-2108)
Description IDE/ATAPI Port Driver
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2008-04-13 18:40:29
Link date 7:40 PM 4/13/2008
Entry Point 0x000159F7
Number of sections 9
PE sections
PE imports
READ_PORT_USHORT
READ_PORT_UCHAR
KfReleaseSpinLock
WRITE_PORT_BUFFER_USHORT
KfLowerIrql
KfAcquireSpinLock
HalTranslateBusAddress
WRITE_PORT_UCHAR
HalGetInterruptVector
KeStallExecutionProcessor
KfRaiseIrql
READ_PORT_BUFFER_USHORT
KeGetCurrentIrql
WmiCompleteRequest
WmiSystemControl
ZwOpenKey
_allmul
RtlAppendUnicodeStringToString
PoCallDriver
RtlWriteRegistryValue
IoDisconnectInterrupt
IoWriteErrorLogEntry
_except_handler3
IoInvalidateDeviceState
KeTickCount
KeCancelTimer
sprintf
IoInitializeTimer
RtlIntegerToUnicodeString
IoDeleteSymbolicLink
KeSetEvent
RtlxAnsiStringToUnicodeSize
IoOpenDeviceRegistryKey
RtlFreeUnicodeString
KefReleaseSpinLockFromDpcLevel
KefAcquireSpinLockAtDpcLevel
KeInsertQueueDpc
strstr
RtlDeleteRegistryValue
memmove
IoAllocateErrorLogEntry
MmUnmapIoSpace
RtlInitAnsiString
KeSynchronizeExecution
IoBuildSynchronousFsdRequest
MmAllocateMappingAddress
MmLockPagableDataSection
IoCreateDevice
IoDeleteDevice
IoStartPacket
MmMapIoSpace
MmHighestUserAddress
MmMapLockedPagesWithReservedMapping
IoAttachDeviceToDeviceStack
PoRequestPowerIrp
IoAllocateMdl
IoFreeErrorLogEntry
MmUnlockPagableImageSection
ZwSetValueKey
IoWMIRegistrationControl
IoStartTimer
IoGetConfigurationInformation
RtlCompareMemory
IoQueueWorkItem
KeQuerySystemTime
RtlInitUnicodeString
IoDetachDevice
IoAllocateIrp
MmBuildMdlForNonPagedPool
KeInitializeEvent
PoRegisterDeviceForIdleDetection
MmMapLockedPagesSpecifyCache
NlsMbCodePageTag
IoInvalidateDeviceRelations
IoFreeWorkItem
IoGetDriverObjectExtension
KeRemoveByKeyDeviceQueue
ObReferenceObjectByPointer
MmProbeAndLockPages
IoBuildDeviceIoControlRequest
KeInsertByKeyDeviceQueue
ExAllocatePoolWithTag
IoFreeIrp
RtlAnsiStringToUnicodeString
KeSetTimer
KeInitializeSpinLock
KeWaitForSingleObject
IoFreeMdl
KeInitializeDpc
IoCreateSymbolicLink
PoStartNextPowerIrp
PoSetPowerState
IoAllocateWorkItem
MmUnlockPages
IoReportResourceForDetection
IoReportDetectedDevice
IoAllocateDriverObjectExtension
swprintf
IoBuildAsynchronousFsdRequest
RtlCopyUnicodeString
RtlQueryRegistryValues
IoInitializeIrp
ZwCreateKey
InitSafeBootMode
IoConnectInterrupt
MmUnmapReservedMapping
MmFreeMappingAddress
IofCompleteRequest
_aulldiv
KeInitializeTimer
IofCallDriver
ExFreePoolWithTag
_strupr
RtlCompareUnicodeString
IoGetAttachedDeviceReference
ZwClose
ObReferenceObjectByHandle
KeBugCheckEx
KeRemoveDeviceQueue
ObfDereferenceObject
ZwCreateDirectoryObject
IoStartNextPacket
Number of PE resources by type
RT_VERSION 1
Number of PE resources by language
ENGLISH US 1
ExifTool file metadata
SubsystemVersion 5.1
InitializedDataSize 10752
ImageVersion 5.1
ProductName Microsoft Windows Operating System
FileVersionNumber 5.1.2600.5512
UninitializedDataSize 0
LanguageCode English (U.S.)
FileFlagsMask 0x003f
CharacterSet Unicode
LinkerVersion 7.1
FileOS Windows NT 32-bit
MIMEType application/octet-stream
Subsystem Native
FileVersion 5.1.2600.5512 (xpsp.080413-2108)
TimeStamp 2008:04:13 19:40:29+01:00
FileType Win32 EXE
PEType PE32
InternalName atapi.sys
ProductVersion 5.1.2600.5512
FileDescription IDE/ATAPI Port Driver
OSVersion 5.1
OriginalFilename atapi.sys
LegalCopyright Microsoft Corporation. All rights reserved.
MachineType Intel 386 or later, and compatibles
CodeSize 84864
FileSubtype 7
ProductVersionNumber 5.1.2600.5512
EntryPoint 0x159f7
ObjectFileType Driver

CarbonBlack CarbonBlack acts as a surveillance camera for computers
While monitoring an end-user machine in-the-wild, CarbonBlack noticed the following files in execution wrote this sample to disk.
Execution parents
Compressed bundles
File identification
MD5 9f3a2f5aa6875c72bf062c712cfa2674
SHA1 a719156e8ad67456556a02c34e762944234e7a44
SHA256 b4df1d2c56a593c6b54de57395e3b51d288f547842893b32b0f59228a0cf70b9
ssdeep 1536:MwXpkfV74F1D7yNEZIHRRJMohmus27G1j/XBoDQi7oaRMJfYHFktprll1KbDD0uu:MQ+N74vkEZIxMohjsimBoDTRMBwFktZu
authentihash 5b0377b694dbcd7fa5a1b6f4e45f8672c10a0d9c96cd6ba3dce775d27b313d79
imphash ff354505fc6f3724c0ec7707078c64b2
File size 94.3 KB ( 96512 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (native) Intel 80386 32-bit
TrID Win32 Dynamic Link Library (generic) (43.5%)
Win32 Executable (generic) (29.8%)
Generic Win/DOS Executable (13.2%)
DOS Executable Generic (13.2%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
Tags peexe trusted native
Trusted verdicts
This file belongs to the Microsoft Corporation software catalogue. The file is often found with atapi.sys as its name.
VirusTotal metadata
First submission 2009-01-14 22:53:16 UTC ( 6 years, 3 months ago )
Last submission 2015-04-17 00:24:49 UTC ( 1 week, 2 days ago )
File names vskr0860.1c9
vsubg4cu.h01
vs91hi5e.h5j
vs990urg.h4g
vs0s0qej.knd
vs3l17ia.glr
vsse055g.l80
vs4i1fo6.vel
vs861pug.cl2
vsbq06q9.94t
vs860htq.8qn
vso61h2d.gm7
vsbp1svk.1iq
vs821781.08p
vs5l1n55.o1d
vs3qgnpv.of7
vsrf18m8.95f
vsroh3l7.ae4
vstl0qag.isd
vsqogf39.ofm
vsap1eha.gm6
vso602s6.2qf
vs3u1fhp.2e5
vsll1m43.334
hfxd9.tmp
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight