SHA256: b4df1d2c56a593c6b54de57395e3b51d288f547842893b32b0f59228a0cf70b9
File name: atapi.sys
Detection ratio: 0 / 44
Analysis date: 2012-10-22 04:10:39 UTC ( 1 year, 5 months ago )
Probably harmless! VirusTotal's own summary verdict: there are strong indicators suggesting that this file is safe to use. It is a reputation statement about this hash, not a substitute for comparing the hashes below against a known-good copy of the driver.
Antivirus Result Update (the Result column is blank for every engine, i.e. no detection; the number is the engine's signature-database date, YYYYMMDD)
AVG 20121022
Agnitum 20121021
AhnLab-V3 20121021
AntiVir 20121022
Antiy-AVL 20121022
Avast 20121021
BitDefender 20121021
ByteHero 20121019
CAT-QuickHeal 20121021
ClamAV 20121022
Commtouch 20121022
Comodo 20121022
DrWeb 20121022
ESET-NOD32 20121021
Emsisoft 20121022
F-Prot 20121022
F-Secure 20121022
Fortinet 20121022
GData 20121022
Ikarus 20121022
Jiangmin 20121022
K7AntiVirus 20121018
Kaspersky 20121022
Kingsoft 20121008
McAfee 20121022
McAfee-GW-Edition 20121022
MicroWorld-eScan 20121022
Microsoft 20121022
Norman 20121021
PCTools 20121022
Panda 20121021
Rising 20121022
SUPERAntiSpyware 20121021
Sophos 20121022
Symantec 20121022
TheHacker 20121021
TotalDefense 20121021
TrendMicro 20121022
TrendMicro-HouseCall 20121022
VBA32 20121019
VIPRE 20121021
ViRobot 20121021
eSafe 20121017
nProtect 20121021
The file being studied is a Portable Executable file! More specifically, it is a PE32 image for the Native subsystem: a kernel-mode driver (.sys) that is loaded by the kernel rather than a user-mode Win32 EXE.
Authenticode signature block (no signature verification result is reported on this page; the fields below come from the file's version resource, the single RT_VERSION entry listed under PE resources)
Copyright
© Microsoft Corporation. All rights reserved.

Publisher Microsoft Corporation
Product Microsoft® Windows® Operating System
Original name atapi.sys
Internal name atapi.sys
File version 5.1.2600.5512 (xpsp.080413-2108)
Description IDE/ATAPI Port Driver
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2008-04-13 18:40:29 (UTC, from the COFF header TimeDateStamp)
Link date 7:40 PM 4/13/2008 (the same instant rendered in the analysis host's local time, UTC+1, as in the ExifTool TimeStamp field below)
Entry Point 0x000159F7
Number of sections 9
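The header fields above can be checked without pefile. The following script is an added example, not part of the VirusTotal report: it walks MZ → e_lfanew → PE signature → COFF header → optional header with only the standard library, returns the fields this page reports (machine, section count, compile timestamp, linker version, entry point, subsystem), hashes the bytes for comparison with the File identification section, and flags any field that differs from the values on this page. Because the real driver is not embedded here, `build_sample_header()` constructs a stand-in header carrying the reported values; run it against a real file with `python pe_triage.py atapi.sys` (the script name is an assumption).

```python
"""PE header triage with only the Python standard library (no pefile needed).

Added example: parses the COFF/optional header fields VirusTotal reports
(machine, section count, compile timestamp, linker version, entry point,
subsystem) and checks them against the values on this page. The sample
header built below is CONSTRUCTED for the test and is not the real atapi.sys.
"""
import hashlib
import struct
import sys
from datetime import datetime, timezone

MACHINE_NAMES = {0x14C: "i386", 0x8664: "x64", 0x1C4: "ARM Thumb-2", 0xAA64: "ARM64"}
SUBSYSTEM_NAMES = {1: "Native", 2: "Windows GUI", 3: "Windows CUI", 9: "Windows CE GUI",
                   10: "EFI application", 12: "EFI runtime driver"}

# Values this page reports for atapi.sys 5.1.2600.5512 (UTC timestamp, PE32, Native).
REPORT_VALUES = {
    "machine_name": "i386",
    "number_of_sections": 9,
    "compile_time_utc": "2008-04-13 18:40:29",
    "linker_version": "7.1",
    "entry_point": 0x159F7,
    "subsystem_name": "Native",
    "size_of_code": 84864,
    "size_of_initialized_data": 10752,
}


def parse_pe_header(data: bytes) -> dict:
    """Walk MZ -> e_lfanew -> 'PE\\0\\0' -> COFF header -> optional header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, _chars) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                      # optional header follows the 20-byte COFF header
    if opt_size < 70:
        raise ValueError("optional header too short to hold Subsystem")
    magic, linker_major, linker_minor = struct.unpack_from("<HBB", data, opt)
    if magic not in (0x10B, 0x20B):      # PE32 / PE32+
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    size_of_code, size_of_init, _size_of_uninit, entry_point = struct.unpack_from("<IIII", data, opt + 4)
    # Subsystem sits at +68 in both PE32 and PE32+ (PE32+ drops BaseOfData but widens ImageBase).
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    return {
        "machine": machine,
        "machine_name": MACHINE_NAMES.get(machine, f"unknown({machine:#x})"),
        "number_of_sections": nsections,
        "timestamp": timestamp,
        "compile_time_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "linker_version": f"{linker_major}.{linker_minor}",
        "pe_type": "PE32" if magic == 0x10B else "PE32+",
        "entry_point": entry_point,
        "subsystem": subsystem,
        "subsystem_name": SUBSYSTEM_NAMES.get(subsystem, f"unknown({subsystem})"),
        "size_of_code": size_of_code,
        "size_of_initialized_data": size_of_init,
    }


def file_hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 as shown under 'File identification' (compare against the page)."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def compare_with_report(fields: dict, report: dict = REPORT_VALUES) -> list:
    """Return the names of reported fields whose parsed value differs."""
    return [key for key, expected in report.items() if fields.get(key) != expected]


def build_sample_header() -> bytes:
    """CONSTRUCTED stand-in (not the real driver): DOS header, PE signature, COFF header and a
    PE32 optional header carrying the values the report shows, with no sections or code."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 9, 0x4802539D, 0, 0, 224, 0x0102)  # 0x4802539D = 2008-04-13 18:40:29 UTC
    opt = bytearray(224)
    struct.pack_into("<HBB", opt, 0, 0x10B, 7, 1)              # PE32, linker 7.1
    struct.pack_into("<IIII", opt, 4, 84864, 10752, 0, 0x159F7)  # code / init data / uninit data / entry point
    struct.pack_into("<HHHHHH", opt, 40, 5, 1, 5, 1, 5, 1)     # OS, image and subsystem versions 5.1
    struct.pack_into("<H", opt, 68, 1)                         # IMAGE_SUBSYSTEM_NATIVE
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_header()
    fields = parse_pe_header(data)
    for key, value in fields.items():
        print(f"{key:26} {value:#x}" if isinstance(value, int) else f"{key:26} {value}")
    for name, digest in file_hashes(data).items():
        print(f"{name:26} {digest}")
    print("mismatches vs report:", compare_with_report(fields) or "none")
```

On a real copy of the driver, a clean `compare_with_report()` plus matching MD5/SHA-1/SHA-256 is the check that matters; a file that carries the same version resource but a different compile timestamp, entry point or hash is not this file, whatever its name on disk.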
PE sections
PE imports
READ_PORT_USHORT
READ_PORT_UCHAR
KfReleaseSpinLock
WRITE_PORT_BUFFER_USHORT
KfLowerIrql
KfAcquireSpinLock
HalTranslateBusAddress
WRITE_PORT_UCHAR
HalGetInterruptVector
KeStallExecutionProcessor
KfRaiseIrql
READ_PORT_BUFFER_USHORT
KeGetCurrentIrql
WmiCompleteRequest
WmiSystemControl
ZwOpenKey
_allmul
RtlAppendUnicodeStringToString
PoCallDriver
RtlWriteRegistryValue
IoDisconnectInterrupt
IoWriteErrorLogEntry
_except_handler3
IoInvalidateDeviceState
KeTickCount
KeCancelTimer
sprintf
IoInitializeTimer
RtlIntegerToUnicodeString
IoDeleteSymbolicLink
KeSetEvent
RtlxAnsiStringToUnicodeSize
IoOpenDeviceRegistryKey
RtlFreeUnicodeString
KefReleaseSpinLockFromDpcLevel
KefAcquireSpinLockAtDpcLevel
KeInsertQueueDpc
strstr
RtlDeleteRegistryValue
memmove
IoAllocateErrorLogEntry
MmUnmapIoSpace
RtlInitAnsiString
KeSynchronizeExecution
IoBuildSynchronousFsdRequest
MmAllocateMappingAddress
MmLockPagableDataSection
IoCreateDevice
IoDeleteDevice
IoStartPacket
MmMapIoSpace
MmHighestUserAddress
MmMapLockedPagesWithReservedMapping
IoAttachDeviceToDeviceStack
PoRequestPowerIrp
IoAllocateMdl
IoFreeErrorLogEntry
MmUnlockPagableImageSection
ZwSetValueKey
IoWMIRegistrationControl
IoStartTimer
IoGetConfigurationInformation
RtlCompareMemory
IoQueueWorkItem
KeQuerySystemTime
RtlInitUnicodeString
IoDetachDevice
IoAllocateIrp
MmBuildMdlForNonPagedPool
KeInitializeEvent
PoRegisterDeviceForIdleDetection
MmMapLockedPagesSpecifyCache
NlsMbCodePageTag
IoInvalidateDeviceRelations
IoFreeWorkItem
IoGetDriverObjectExtension
KeRemoveByKeyDeviceQueue
ObReferenceObjectByPointer
MmProbeAndLockPages
IoBuildDeviceIoControlRequest
KeInsertByKeyDeviceQueue
ExAllocatePoolWithTag
IoFreeIrp
RtlAnsiStringToUnicodeString
KeSetTimer
KeInitializeSpinLock
KeWaitForSingleObject
IoFreeMdl
KeInitializeDpc
IoCreateSymbolicLink
PoStartNextPowerIrp
PoSetPowerState
IoAllocateWorkItem
MmUnlockPages
IoReportResourceForDetection
IoReportDetectedDevice
IoAllocateDriverObjectExtension
swprintf
IoBuildAsynchronousFsdRequest
RtlCopyUnicodeString
RtlQueryRegistryValues
IoInitializeIrp
ZwCreateKey
InitSafeBootMode
IoConnectInterrupt
MmUnmapReservedMapping
MmFreeMappingAddress
IofCompleteRequest
_aulldiv
KeInitializeTimer
IofCallDriver
ExFreePoolWithTag
_strupr
RtlCompareUnicodeString
IoGetAttachedDeviceReference
ZwClose
ObReferenceObjectByHandle
KeBugCheckEx
KeRemoveDeviceQueue
ObfDereferenceObject
ZwCreateDirectoryObject
IoStartNextPacket
Number of PE resources by type
RT_VERSION 1
Number of PE resources by language
ENGLISH US 1
ExifTool file metadata
SubsystemVersion 5.1
InitializedDataSize 10752
ImageVersion 5.1
ProductName Microsoft Windows Operating System
FileVersionNumber 5.1.2600.5512
UninitializedDataSize 0
LanguageCode English (U.S.)
FileFlagsMask 0x003f
CharacterSet Unicode
LinkerVersion 7.1
OriginalFilename atapi.sys
MIMEType application/octet-stream
Subsystem Native
FileVersion 5.1.2600.5512 (xpsp.080413-2108)
TimeStamp 2008:04:13 19:40:29+01:00
FileType Win32 EXE
PEType PE32
InternalName atapi.sys
FileAccessDate 2014:04:18 05:00:09+01:00
ProductVersion 5.1.2600.5512
FileDescription IDE/ATAPI Port Driver
OSVersion 5.1
FileCreateDate 2014:04:18 05:00:09+01:00
FileOS Windows NT 32-bit
LegalCopyright Microsoft Corporation. All rights reserved.
MachineType Intel 386 or later, and compatibles
CompanyName Microsoft Corporation
CodeSize 84864
FileSubtype 7
ProductVersionNumber 5.1.2600.5512
EntryPoint 0x159f7
ObjectFileType Driver

File identification
MD5 9f3a2f5aa6875c72bf062c712cfa2674
SHA1 a719156e8ad67456556a02c34e762944234e7a44
SHA256 b4df1d2c56a593c6b54de57395e3b51d288f547842893b32b0f59228a0cf70b9
ssdeep 1536:MwXpkfV74F1D7yNEZIHRRJMohmus27G1j/XBoDQi7oaRMJfYHFktprll1KbDD0u:MQ+N74vkEZIxMohjsimBoDTRMBwFktZ

imphash ff354505fc6f3724c0ec7707078c64b2
File size 94.3 KB ( 96512 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (native) Intel 80386 32-bit

TrID Win32 Dynamic Link Library (generic) (43.5%)
Win32 Executable (generic) (29.8%)
Generic Win/DOS Executable (13.2%)
DOS Executable Generic (13.2%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
Tags
peexe mz native
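The imphash under File identification is derived from the PE imports listed above, not from the file bytes as a whole, which is why it survives rebuilds that change timestamps or resources but not the import table. The script below is an added example, not part of the VirusTotal report: it reproduces the canonicalisation used by the common pefile implementation (module name lower-cased with only a .dll/.ocx/.sys suffix stripped, function names lower-cased, ordinals written as ordN, the `module.function` pairs joined with commas in import-table order, then MD5). The import list it uses is constructed from a few names on this page; the page does not say which module (hal.dll or ntoskrnl.exe) each name is imported from, so that attribution is an assumption and the script does not reproduce the page's value ff354505fc6f3724c0ec7707078c64b2.

```python
"""Import hash (imphash) canonicalisation with the standard library only.

Added example: reproduces the normalisation behind the 'imphash' line under
File identification (lower-cased 'module.function' pairs in import-table
order, MD5 of the comma-joined string), following the rules used by pefile.
The import list below is CONSTRUCTED from a few names on this page; which
module (hal.dll vs ntoskrnl.exe) each name really comes from is an assumption,
so this does not reproduce the page's value ff354505fc6f3724c0ec7707078c64b2.
"""
import hashlib
from typing import Iterable, List, Tuple, Union

Import = Tuple[str, Union[str, int]]   # (module name, function name or ordinal)


def _normalise_module(name: str) -> str:
    """Lower-case and strip only .dll/.ocx/.sys; any other suffix (e.g. .exe) is kept."""
    name = name.lower()
    for ext in (".dll", ".ocx", ".sys"):
        if name.endswith(ext):
            return name[: -len(ext)]
    return name


def imphash_string(imports: Iterable[Import]) -> str:
    """The exact string that gets hashed; order is the import-table order, so it matters."""
    parts: List[str] = []
    for module, func in imports:
        if isinstance(func, int):
            # Ordinal import. pefile additionally maps known ws2_32/oleaut32 ordinals
            # back to names; that table is omitted here, so those DLLs would differ.
            func_name = f"ord{func}"
        else:
            func_name = func.lower()
        parts.append(f"{_normalise_module(module)}.{func_name}")
    return ",".join(parts)


def imphash(imports: Iterable[Import]) -> str:
    """MD5 of the canonical import string, as a 32-character hex digest."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


# CONSTRUCTED: a handful of this page's imports with assumed source modules.
SAMPLE_IMPORTS: List[Import] = [
    ("HAL.dll", "READ_PORT_USHORT"),
    ("HAL.dll", "KfAcquireSpinLock"),
    ("ntoskrnl.exe", "IoCreateDevice"),
    ("ntoskrnl.exe", "ExAllocatePoolWithTag"),
    ("ntoskrnl.exe", "KeBugCheckEx"),
]

if __name__ == "__main__":
    print(imphash_string(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS))
    # The same functions in a different order hash differently; re-casing a
    # module or function name does not.
    print(imphash(list(reversed(SAMPLE_IMPORTS))))
```

Two consequences worth keeping in mind when pivoting on an imphash: it is order-sensitive, so two builds with identical imports in a different table order do not match, and it is case-insensitive but suffix-sensitive, so `ntoskrnl.exe` keeps its extension while `hal.dll` becomes `hal`.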

VirusTotal metadata
First submission 2009-01-14 22:53:16 UTC ( 5 years, 3 months ago )
Last submission 2014-04-17 17:49:38 UTC ( 1 day, 1 hour ago )
File names (names under which this hash was submitted; a file name is not part of the hashed content, and several of these look like temporary, backup or quarantine names rather than the driver's installed name)
a8ojejkj.SYS
vs6q1ede.0lv
inf.vir
tmp00000a74c3f172670085c63d
oldatapi.old
DPYTARXYFB-503.pms.sys.SVD
av6rvfbf.sys
tmp00000029ffe7dfa75fd6f6fc
tmp0000001b36c0afd7f8e09fbf
vseq1ucq.lhg
vsb7hq9r.unc
vslo0uds.o1s
ahnjw5cg.SYS
vsg20ue4.gq8
a5oejes4.sys
123
ata.sys.vir
9f3a2f5aa6875c72bf062c712cfa2674
vsdfgvk0.oph
1111.txt
atapi.sys.001
set103e.tmp
a3mmljw2.sys
DPYGWMNASB-497.pms.sys.SVD
aoadzf32.sys
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight (a reputation-based verdict for files with low prevalence or little reputation data, not a signature match; it is reported separately from the 0 / 44 engine results above)