SHA256: 3d97f49a4e92ed8e20d2fe2580c66d56cdd7779e3b5b4bcdd291b7b1de26eff8
File name: ntkrnlmp.exe
Detection ratio: 0 / 67
Analysis date: 2018-09-26 10:28:41 UTC ( 1 month, 2 weeks ago )
Antivirus Result Update
Ad-Aware 20180926
AegisLab 20180926
AhnLab-V3 20180925
Alibaba 20180921
ALYac 20180926
Antiy-AVL 20180926
Arcabit 20180926
Avast 20180926
Avast-Mobile 20180926
AVG 20180926
Avira (no cloud) 20180926
AVware 20180925
Babable 20180918
Baidu 20180926
BitDefender 20180926
Bkav 20180925
CAT-QuickHeal 20180923
ClamAV 20180926
CMC 20180926
Comodo 20180926
CrowdStrike Falcon (ML) 20180723
Cybereason 20180225
Cylance 20180926
Cyren 20180926
DrWeb 20180926
eGambit 20180926
Emsisoft 20180926
Endgame 20180730
ESET-NOD32 20180926
F-Prot 20180926
F-Secure 20180926
Fortinet 20180926
GData 20180926
Ikarus 20180926
Sophos ML 20180717
Jiangmin 20180926
K7AntiVirus 20180926
K7GW 20180926
Kaspersky 20180926
Kingsoft 20180926
Malwarebytes 20180926
MAX 20180926
McAfee 20180926
McAfee-GW-Edition 20180926
eScan 20180926
NANO-Antivirus 20180926
Palo Alto Networks (Known Signatures) 20180926
Panda 20180925
Qihoo-360 20180926
Rising 20180926
SentinelOne (Static ML) 20180926
Sophos AV 20180926
SUPERAntiSpyware 20180907
Symantec 20180925
Symantec Mobile Insight 20180924
TACHYON 20180926
Tencent 20180926
TheHacker 20180924
TrendMicro 20180926
TrendMicro-HouseCall 20180926
Trustlook 20180926
VBA32 20180926
VIPRE 20180926
ViRobot 20180925
Webroot 20180926
Yandex 20180925
Zillya 20180925
ZoneAlarm by Check Point 20180925
Zoner 20180926
The file under analysis is a Portable Executable (PE) file. More specifically, it is a Win32 EXE built for the Native subsystem and targeting a 64-bit architecture.
FileVersionInfo properties
Copyright © Microsoft Corporation. All rights reserved.
Product Microsoft® Windows® Operating System
Original name ntkrnlmp.exe
Internal name ntkrnlmp.exe
File version 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Description NT Kernel & System
Signature verification The digital signature of the object did not verify.
Signing date 11:28 AM 9/26/2018
PE header basic information
Target machine x64
Compilation timestamp 2010-11-20 09:30:02
Entry Point 0x002B66F0
Number of sections 24
PE sections
Overlays
MD5 96c02c3b3ef4e3caf6e9571c4bc4f047
File type data
Offset 5556736
Size 7040
Entropy 7.39
PE imports
CiInitialize
ClfsReadNextLogRecord
ClfsFlushToLsn
ClfsLsnDifference
ClfsTerminateReadLog
ClfsLsnContainer
ClfsReadRestartArea
ClfsAddLogContainer
ClfsReserveAndAppendLog
ClfsMgmtRegisterManagedClient
ClfsCreateLogFile
ClfsMgmtDeregisterManagedClient
ClfsPrivGetBaseLogFileFromFileObjectPointer
ClfsCloseLogFileObject
ClfsAdvanceLogBase
ClfsLsnGreater
ClfsLsnInvalid
ClfsLsnEqual
ClfsLsnLess
ClfsMgmtInstallPolicy
ClfsMgmtHandleLogFileFull
CLFS_LSN_NULL
ClfsMgmtTailAdvanceFailure
ClfsCreateMarshallingArea
ClfsReserveAndAppendLogAligned
ClfsGetLogFileInformation
ClfsDeleteMarshallingArea
CLFS_LSN_INVALID
ClfsDeleteLogByPointer
ClfsWriteRestartArea
ClfsReadLogRecord
ClfsMgmtSetLogFileSize
HalHandleMcheck
HalInitializeProcessor
HalSetProfileInterval
HalStopProfileInterrupt
HalQueryMaximumProcessorCount
HalIsHyperThreadingEnabled
HalInitSystem
KeQueryPerformanceCounter
HalEnableInterrupt
HalRequestSoftwareInterrupt
HalRegisterDynamicProcessor
HalRegisterErrataCallbacks
HalDisableInterrupt
HalInitializeOnResume
HalSetTimeIncrement
KeFlushWriteBuffer
HalRequestIpi
HalSendNMI
HalGetProcessorIdByNtNumber
HalEnumerateEnvironmentVariablesEx
HalPerformEndOfInterrupt
HalEnumerateProcessors
HalSetEnvironmentVariable
HalRequestDeferredRecoveryServiceInterrupt
KeStallExecutionProcessor
HalStartProfileInterrupt
HalAllProcessorsStarted
HalQueryEnvironmentVariableInfoEx
HalSetRealTimeClock
HalAllocateCrashDumpRegisters
HalGetEnvironmentVariableEx
HalTranslateBusAddress
HalRequestClockInterrupt
HalSendSoftwareInterrupt
HalGetMessageRoutingInfo
HalGetVectorInput
HalStartDynamicProcessor
HalReturnToFirmware
HalHandleNMI
HalGetInterruptTargetInformation
HalSetEnvironmentVariableEx
HalQueryRealTimeClock
HalInitializeBios
HalSetBusDataByOffset
HalStartNextProcessor
HalReportResourceUsage
HalCalibratePerformanceCounter
HalProcessorIdle
HalGetEnvironmentVariable
HalGetBusDataByOffset
KdD3Transition
KdReceivePacket
KdDebuggerInitialize0
KdRestore
KdSave
KdD0Transition
KdSendPacket
KdDebuggerInitialize1
PshedFinalizeErrorRecord
PshedClearErrorRecord
PshedDisableErrorSource
PshedAttemptErrorRecovery
PshedFreeMemory
PshedGetInjectionCapabilities
PshedReadErrorRecord
PshedInjectError
PshedIsSystemWheaEnabled
PshedGetAllErrorSources
PshedAllocateMemory
PshedInitialize
PshedBugCheckSystem
PshedSetErrorSourceInfo
PshedGetBootErrorPacket
PshedWriteErrorRecord
PshedEnableErrorSource
PE exports
Number of PE resources by type
RT_BITMAP 7
RT_VERSION 1
RT_RCDATA 1
RT_MESSAGETABLE 1
Number of PE resources by language
ENGLISH US 9
NEUTRAL 1
PE resources
Debug information
ExifTool file metadata
UninitializedDataSize 13312
LinkerVersion 9.0
ImageVersion 6.1
FileSubtype 0
FileVersionNumber 6.1.7601.17514
LanguageCode English (U.S.)
FileFlagsMask 0x003f
FileDescription NT Kernel & System
ImageFileCharacteristics Executable, Large address aware
CharacterSet Unicode
InitializedDataSize 852480
EntryPoint 0x2b66f0
OriginalFileName ntkrnlmp.exe
MIMEType application/octet-stream
LegalCopyright Microsoft Corporation. All rights reserved.
FileVersion 6.1.7601.17514 (win7sp1_rtm.101119-1850)
TimeStamp 2010:11:20 10:30:02+01:00
FileType Win64 EXE
PEType PE32+
InternalName ntkrnlmp.exe
ProductVersion 6.1.7601.17514
SubsystemVersion 6.1
OSVersion 6.1
FileOS Windows NT 32-bit
Subsystem Native
MachineType AMD AMD64
CompanyName Microsoft Corporation
CodeSize 4706816
ProductName Microsoft Windows Operating System
ProductVersionNumber 6.1.7601.17514
FileTypeExtension exe
ObjectFileType Executable application
File identification
MD5 aecdab08fdd74d6a9fafb4743188e721
SHA1 d4148d6aae1d35ba38f7f9f768a853ab1aeb545f
SHA256 3d97f49a4e92ed8e20d2fe2580c66d56cdd7779e3b5b4bcdd291b7b1de26eff8
ssdeep 49152:DmQiN93Ttt4wQyw8oFVbu+mG2FodxuI8IwLGFf2GThaVGH/9A7bnw1Yz/9oN37Rp:DmnPjgLPg0d1cOAHnIsI37Rv5lPF
authentihash 5d9f0d2b80f902627e41e75cea3c298f5a170639c2d82f96169a5b2456e3ea52
imphash c765bff6b07c2a7309ca95366bf9ba62
File size 5.3 MB ( 5563776 bytes )
File type Win32 EXE
Magic literal PE32+ executable for MS Windows (native) Mono/.Net assembly
TrID OS/2 Executable (generic) (33.6%)
Generic Win/DOS Executable (33.1%)
DOS Executable Generic (33.1%)
Tags 64bits peexe native assembly overlay
VirusTotal metadata
First submission 2011-03-13 21:25:38 UTC ( 7 years, 8 months ago )
Last submission 2018-08-21 16:03:26 UTC ( 2 months, 3 weeks ago )
File names smona131731974210121090941
smona131731925741313475234
1.exe
xNtKrnl.exe
avz00001.dta
xNtKrnl.exe
xNTkrnl.exe_
smona131732006633531282415
xNtKrnl - копия.exe
1111
xntkrn.exe
xxx.xxx
smona131731907024167571329
XNTKRNL.EXE
file-3103062_exe
xNtKrnl.exe_
xNtKrnl.exe
ntkrnlmp.exe
avz00005.dta
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which, depending on the user policies and environment, may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua.
Symantec reputation Suspicious.Insight