SHA256: 7a68f8c22255496d6153fde0b31b6f5917fb373a1afdffa0aa7b5105db375174
File name: ntkrnlpa.exe
Detection ratio: 0 / 51
Analysis date: 2014-04-28 19:15:40 UTC (4 years, 10 months ago)
Trusted source! This file belongs to the Microsoft Corporation software catalogue.
Antivirus Result Update
AVG 20140428
Ad-Aware 20140428
AegisLab 20140428
Yandex 20140428
AhnLab-V3 20140428
AntiVir 20140428
Antiy-AVL 20140428
Avast 20140428
Baidu-International 20140428
BitDefender 20140428
Bkav 20140428
ByteHero 20140428
CAT-QuickHeal 20140428
CMC 20140424
ClamAV 20140428
Commtouch 20140428
Comodo 20140428
DrWeb 20140428
ESET-NOD32 20140428
Emsisoft 20140428
F-Prot 20140427
F-Secure 20140428
Fortinet 20140428
GData 20140428
Ikarus 20140428
Jiangmin 20140428
K7AntiVirus 20140428
K7GW 20140428
Kaspersky 20140428
Kingsoft 20140428
Malwarebytes 20140428
McAfee 20140428
McAfee-GW-Edition 20140428
eScan 20140428
Microsoft 20140428
NANO-Antivirus 20140428
Norman 20140428
Panda 20140427
Qihoo-360 20140428
Rising 20140428
SUPERAntiSpyware 20140428
Sophos AV 20140428
Symantec 20140428
TheHacker 20140426
TotalDefense 20140428
TrendMicro 20140428
TrendMicro-HouseCall 20140428
VBA32 20140428
VIPRE 20140428
ViRobot 20140428
nProtect 20140427
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Native subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright © Microsoft Corporation. All rights reserved.
Product Microsoft® Windows® Operating System
Original name ntkrpamp.exe
Internal name ntkrpamp.exe
File version 6.1.7601.18247 (win7sp1_gdr.130828-1532)
Description NT Kernel & System
Signature verification Signed file, verified signature
Signing date 2:52 AM 8/29/2013
Signers
[+] Microsoft Windows
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Microsoft Windows Verification PCA
Valid from 06:20 PM 05/16/2013
Valid to 06:20 PM 08/16/2014
Valid usage Code Signing, NT5 Crypto
Algorithm sha1RSA
Thumbprint 454749259D5E32ADCA8BEADF737950A73B3E7653
Serial number 33 00 00 00 20 C8 E9 89 17 4A AD FC E6 00 00 00 00 00 20
[+] Microsoft Windows Verification PCA
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Microsoft Root Certificate Authority
Valid from 09:55 PM 09/15/2005
Valid to 10:05 PM 03/15/2016
Valid usage Code Signing, NT5 Crypto
Algorithm sha1RSA
Thumbprint 5DF0D7571B0780783960C68B78571FFD7EDAF021
Serial number 61 07 02 DC 00 00 00 00 00 0B
[+] Microsoft Root Certificate Authority
Status Valid
Issuer Microsoft Root Certificate Authority
Valid from 11:19 PM 05/09/2001
Valid to 11:28 PM 05/09/2021
Valid usage All
Algorithm sha1RSA
Thumbprint CDD4EEAE6000AC7F40C3802C171E30148030C072
Serial number 79 AD 16 A1 4A A0 A5 AD 4C 73 58 F4 07 13 2E 65
Counter signers
[+] Microsoft Time-Stamp Service
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Microsoft Time-Stamp PCA
Valid from 09:12 PM 09/04/2012
Valid to 09:12 PM 12/04/2013
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 2F497C556F94E32731CF86ADD8629C9867C35A24
Serial number 33 00 00 00 2B 39 32 48 C1 B2 C9 48 F3 00 00 00 00 00 2B
[+] Microsoft Time-Stamp PCA
Status Valid
Issuer Microsoft Root Certificate Authority
Valid from 12:53 PM 04/03/2007
Valid to 01:03 PM 04/03/2021
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 375FCB825C3DC3752A02E34EB70993B4997191EF
Serial number 61 16 68 34 00 00 00 00 00 1C
[+] Microsoft Root Certificate Authority
Status Valid
Issuer Microsoft Root Certificate Authority
Valid from 11:19 PM 05/09/2001
Valid to 11:28 PM 05/09/2021
Valid usage All
Algorithm sha1RSA
Thumbprint CDD4EEAE6000AC7F40C3802C171E30148030C072
Serial number 79 AD 16 A1 4A A0 A5 AD 4C 73 58 F4 07 13 2E 65
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2013-08-29 00:58:30
Entry Point 0x0011E4F0
Number of sections 22
PE sections
Overlays
MD5 474d64773feb56226cd8514e2de25678
File type data
Offset 3962368
Size 7104
Entropy 7.40
PE imports
VidSetScrollRegion
VidScreenToBufferBlt
VidSolidColorFill
VidCleanUp
VidInitialize
VidResetDisplay
VidBufferToScreenBlt
VidBitBlt
VidSetTextColor
VidDisplayString
CiInitialize
ClfsReadNextLogRecord
ClfsFlushToLsn
ClfsLsnDifference
ClfsTerminateReadLog
ClfsLsnContainer
ClfsReadRestartArea
ClfsAddLogContainer
ClfsReserveAndAppendLog
ClfsMgmtRegisterManagedClient
ClfsCreateLogFile
ClfsMgmtDeregisterManagedClient
ClfsPrivGetBaseLogFileFromFileObjectPointer
ClfsCloseLogFileObject
ClfsAdvanceLogBase
ClfsLsnGreater
ClfsLsnInvalid
ClfsLsnEqual
ClfsLsnLess
ClfsMgmtInstallPolicy
ClfsMgmtHandleLogFileFull
CLFS_LSN_NULL
ClfsMgmtTailAdvanceFailure
ClfsCreateMarshallingArea
ClfsReserveAndAppendLogAligned
ClfsGetLogFileInformation
ClfsDeleteMarshallingArea
CLFS_LSN_INVALID
ClfsDeleteLogByPointer
ClfsWriteRestartArea
ClfsReadLogRecord
ClfsMgmtSetLogFileSize
READ_PORT_USHORT
KfReleaseSpinLock
KeRaiseIrqlToDpcLevel
KeRaiseIrqlToSynchLevel
WRITE_PORT_USHORT
HalInitializeProcessor
HalSetProfileInterval
HalStopProfileInterrupt
KfRaiseIrql
HalAllocateCrashDumpRegisters
HalQueryMaximumProcessorCount
HalInitSystem
KeAcquireQueuedSpinLockRaiseToSynch
HalEnableInterrupt
HalRegisterDynamicProcessor
KeAcquireInStackQueuedSpinLock
HalDisableInterrupt
HalInitializeOnResume
KeRaiseIrql
IoFlushAdapterBuffers
KeLowerIrql
KeFlushWriteBuffer
HalReadDmaCounter
KeReleaseQueuedSpinLock
HalRequestIpi
HalClearSoftwareInterrupt
HalTranslateBusAddress
HalGetProcessorIdByNtNumber
HalEnumerateEnvironmentVariablesEx
KeGetCurrentIrql
HalRegisterErrataCallbacks
HalAllocateAdapterChannel
KfAcquireSpinLock
HalSetEnvironmentVariable
HalGetInterruptVector
KeStallExecutionProcessor
HalStartProfileInterrupt
KeReleaseSpinLock
KeAcquireQueuedSpinLock
HalRequestSoftwareInterrupt
HalQueryEnvironmentVariableInfoEx
READ_PORT_ULONG
WRITE_PORT_UCHAR
HalSetRealTimeClock
KeTryToAcquireQueuedSpinLockRaiseToSynch
READ_PORT_UCHAR
HalGetEnvironmentVariableEx
HalReportResourceUsage
HalGetAdapter
KeAcquireSpinLock
HalRequestClockInterrupt
HalEndSystemInterrupt
KeAcquireInStackQueuedSpinLockRaiseToSynch
KeTryToAcquireQueuedSpinLock
HalStartNextProcessor
HalGetMessageRoutingInfo
HalGetEnvironmentVariable
HalStartDynamicProcessor
HalBeginSystemInterrupt
HalReturnToFirmware
HalHandleNMI
IoFreeAdapterChannel
HalGetInterruptTargetInformation
IoMapTransfer
HalSetEnvironmentVariableEx
HalGetVectorInput
HalQueryRealTimeClock
KeReleaseInStackQueuedSpinLock
WRITE_PORT_ULONG
HalInitializeBios
KfLowerIrql
HalSetBusDataByOffset
KeQueryPerformanceCounter
IoFreeMapRegisters
HalAllProcessorsStarted
HalCalibratePerformanceCounter
HalProcessorIdle
HalSystemVectorDispatchEntry
HalGetBusDataByOffset
HalSetTimeIncrement
HalAllocateCommonBuffer
HalFreeCommonBuffer
KdD3Transition
KdReceivePacket
KdDebuggerInitialize0
KdRestore
KdSave
KdD0Transition
KdSendPacket
KdDebuggerInitialize1
PshedFinalizeErrorRecord
PshedClearErrorRecord
PshedDisableErrorSource
PshedAttemptErrorRecovery
PshedFreeMemory
PshedGetInjectionCapabilities
PshedReadErrorRecord
PshedInjectError
PshedIsSystemWheaEnabled
PshedGetAllErrorSources
PshedAllocateMemory
PshedInitialize
PshedBugCheckSystem
PshedSetErrorSourceInfo
PshedGetBootErrorPacket
PshedWriteErrorRecord
PshedEnableErrorSource
PE exports
Number of PE resources by type
RT_BITMAP 7
RT_MESSAGETABLE 1
RT_VERSION 1
Number of PE resources by language
ENGLISH US 9
PE resources
Debug information
ExifTool file metadata
UninitializedDataSize 10240
LinkerVersion 9.0
ImageVersion 6.1
FileSubtype 0
FileVersionNumber 6.1.7601.18247
LanguageCode English (U.S.)
FileFlagsMask 0x003f
FileDescription NT Kernel & System
ImageFileCharacteristics Executable, Large address aware, 32-bit
CharacterSet Unicode
InitializedDataSize 787456
EntryPoint 0x11e4f0
OriginalFileName ntkrpamp.exe
MIMEType application/octet-stream
LegalCopyright Microsoft Corporation. All rights reserved.
FileVersion 6.1.7601.18247 (win7sp1_gdr.130828-1532)
TimeStamp 2013:08:29 01:58:30+01:00
FileType Win32 EXE
PEType PE32
InternalName ntkrpamp.exe
ProductVersion 6.1.7601.18247
SubsystemVersion 6.1
OSVersion 6.1
FileOS Windows NT 32-bit
Subsystem Native
MachineType Intel 386 or later, and compatibles
CompanyName Microsoft Corporation
CodeSize 3433472
ProductName Microsoft Windows Operating System
ProductVersionNumber 6.1.7601.18247
FileTypeExtension exe
ObjectFileType Executable application
CarbonBlack
CarbonBlack acts as a surveillance camera for computers.
While monitoring an end-user machine in-the-wild, CarbonBlack noticed the following files in execution wrote this sample to disk.
While monitoring an end-user machine in-the-wild, CarbonBlack noticed this sample wrote the following files to disk.
Execution parents
Compressed bundles
File identification
MD5 482c8cd985c727c7c78a5e9b320947f0
SHA1 d482cc5bef7d5c55facce425a1eccda2ba9bf312
SHA256 7a68f8c22255496d6153fde0b31b6f5917fb373a1afdffa0aa7b5105db375174
ssdeep 98304:ZZvMS2J9ln8EQp5vC4RZZDesZb+fqQUSAuK1Bo:Xv6J/nJM5K4RZRea+jWuK1Bo
authentihash 1b3ef25b9fdfb2306ec8d6504a2873a53fc7d05f536ef4193b83bee1f1f884b4
imphash b39dcbd05360a7bf840c22c4dc39cad0
File size 3.8 MB ( 3969472 bytes )
File type Win32 EXE
Description PE32 executable for MS Windows (native) Intel 80386 32-bit
TrID Win64 Executable (generic) (44.5%)
Windows screen saver (21.1%)
Win32 Dynamic Link Library (generic) (10.6%)
Win32 Executable (generic) (7.2%)
Win16/32 Executable Delphi generic (3.3%)
Tags
peexe overlay signed trusted native

Trusted verdicts
This file belongs to the Microsoft Corporation software catalogue. The file is often found with ntkrnlpa.exe as its name.
VirusTotal metadata
First submission 2013-10-09 22:49:38 UTC (5 years, 5 months ago)
Last submission 2019-03-21 22:13:15 UTC (1 hour, 41 minutes ago)
File names
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which, depending on the user policies and environment, may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua

Symantec reputation Suspicious.Insight