ntoskrnl.exe

  • File Path: C:\Windows\system32\ntoskrnl.exe
  • Description: NT Kernel & System

Hashes

  • MD5: 3A5D7AB12339C4DD4A6DCDD85970C155
  • SHA1: 3410EBFBC41E4FE50FAD26D350608247715BB83C
  • SHA256: 1878B3AEF56DB720FDA0307FE88D4283849B08AF6A7A97D42F3CC8B10081F61B
  • SHA384: 88C16D8C2A8B2076C9A997AC8EB3CFD5CA7FADC073EC1B524ECC89BC340B0E8D1B65254431A1F97899BB19DEB6C02006
  • SHA512: 1743CC068BFA5B08082026BDBA088A9420D6C933FD1DCB912C0F1F45883C4E49BB1B790DE2F40FFF7E05F1317B13C581BB3B3CA724301F9FAC32A3D0A1B88F76
  • SSDEEP: 196608:r7OFWTLewHZldmZNIh2DHEfaO4LVbvYO2cOrqJOj9o:ryF1uZldmZuh2DHECO4LJRxkqJ1

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: ntkrnlmp.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.450 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.450
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following list contains examples of YARA rules that reference ntoskrnl.exe as an indicator. ntoskrnl.exe itself is not malicious; the entries show malware families that reference or impersonate the kernel image, so the string alone is not evidence of compromise. Each entry gives the source repository, the rule file, the matching rule string, and the license under which the rule is published.

  • Source: signature-base; Source File: apt_hackingteam_rules.yar; Example: $x4 = "C:\\Windows\\Sysnative\\ntoskrnl.exe" fullword ascii /* PEStudio Blacklist: strings */; License: CC BY-NC 4.0
  • Source: signature-base; Source File: apt_winnti.yar; Example: $s17 = "NTOSKRNL.EXE" fullword wide /* Goodware String - occured 4 times */; License: CC BY-NC 4.0
  • Source: signature-base; Source File: apt_winnti.yar; Example: $a5 = "ntoskrnl.exe" ascii fullword; License: CC BY-NC 4.0
  • Source: signature-base; Source File: apt_winnti.yar; Example: $a3 = "%SystemRoot%\System32\ntoskrnl.exe" ascii; License: CC BY-NC 4.0
  • Source: signature-base; Source File: apt_winnti_hdroot.yar; Example: $s1 = "\system32\ntoskrnl.exe" fullword ascii; License: CC BY-NC 4.0
  • Source: signature-base; Source File: spy_querty_fiveeyes.yar; Example: $s3 = "ntoskrnl.exe" fullword ascii; License: CC BY-NC 4.0
  • Source: signature-base; Source File: spy_regin_fiveeyes.yar; Example: $s4 = "ntoskrnl.exe" fullword ascii; License: CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.