ntoskrnl.exe
- File Path: C:\Windows\system32\ntoskrnl.exe
- Description: NT Kernel & System
 
Hashes
| Type | Hash |
|---|---|
| MD5 | A32DB100C2BBE8BBFE9DA364C0AAE41D |
| SHA1 | 4073E329383ED666431726FDCD5ABF7511FC7A38 |
| SHA256 | A577850D67D1B4DF94E64B3309169E20F3850D4BFA54C40DC9F4F09722E2F5EA |
| SHA384 | 79F61C609846B1AB3CA3073CE8C87C0631A92D6524DA852D949D02672E095A06858CE92B866FABC3A23CE24A81BD8784 |
| SHA512 | 3CFC26F0B1A8A68868607F01E11813D1AA7282EFC3A50647E1CC16DACD91606DC2A9108EC05F2CE472F70232C25804C232CA8FCB66E161A6A51F060CC2AC36BF |
| SSDEEP | 196608:KHq2YSl+2ug2OwzXtFXpED6QQ+ZsLDZ+t:AqNy+2ukwz9FXpE2FusLa |
| IMP | E0E869BBD92F59B58E146BA81EEE3F6D |
| PESHA1 | 051243562FA11642D1ADAE7A935CE52E06F43C6B |
| PE256 | 1AB904E10548F212E6625EDD5ECF0DB60FEBFC71A57F901E739DEAEEBF649B27 |
    
Signature
- Status: Signature verified.
- Serial: 3300000266BD1580EFA75CD6D3000000000266
- Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
- Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
 
File Metadata
- Original Filename: ntkrnlmp.exe
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.19041.508 (WinBuild.160101.0800)
- Product Version: 10.0.19041.508
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
 
File Scan
- VirusTotal Detections: 0/66
- VirusTotal Link: https://www.virustotal.com/gui/file/a577850d67d1b4df94e64b3309169e20f3850d4bfa54c40dc9f4f09722e2f5ea/detection/
 
Possible Misuse
The following table contains possible examples of ntoskrnl.exe being misused. While ntoskrnl.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| signature-base | apt_hackingteam_rules.yar | $x4 = "C:\\Windows\\Sysnative\\ntoskrnl.exe" fullword ascii /* PEStudio Blacklist: strings */ | CC BY-NC 4.0 |
| signature-base | apt_winnti.yar | $s17 = "NTOSKRNL.EXE" fullword wide /* Goodware String - occured 4 times */ | CC BY-NC 4.0 |
| signature-base | apt_winnti.yar | $a5 = "ntoskrnl.exe" ascii fullword | CC BY-NC 4.0 |
| signature-base | apt_winnti.yar | $a3 = "%SystemRoot%\System32\ntoskrnl.exe" ascii | CC BY-NC 4.0 |
| signature-base | apt_winnti_hdroot.yar | $s1 = "\system32\ntoskrnl.exe" fullword ascii | CC BY-NC 4.0 |
| signature-base | spy_querty_fiveeyes.yar | $s3 = "ntoskrnl.exe" fullword ascii | CC BY-NC 4.0 |
| signature-base | spy_regin_fiveeyes.yar | $s4 = "ntoskrnl.exe" fullword ascii | CC BY-NC 4.0 |
MIT License. Copyright (c) 2020-2021 Strontic.