I have recently been updating my Windows Forensics First Responder script and have noticed a number of servers reporting the following when using Sysinternals/Microsoft’s listdlls.exe.
*** Loaded C:\WINNT\system32\KERNEL32.dll differs from file image:
*** File timestamp: Wed Apr 18 12:25:36 2007
*** Loaded image timestamp: Wed Apr 18 12:25:37 2007
*** 0x77e40000 0x102000 5.02.3790.4062 C:\WINNT\system32\KERNEL32.dll
Now I can think of lots of malicious reasons why this would be. In fact I recently wrote on one of these reasons. But I can't think of any legitimate reasons.
I’m not one to jump to conclusions without having evaluated all possibilities but my research is turning up almost nothing.
Can anyone think of a legitimate reason why Windows would load kernel32.dll and then something alter it as it's going into memory?
Thanks guys.
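The listdlls output quoted in the post can be triaged mechanically rather than by eye. The Python below is an added example, not code from the original post or from Sysinternals: it parses a "differs from file image" block (the post's own four lines are embedded as constructed sample input), reports how far apart the two header stamps are, and reads TimeDateStamp directly from a DLL's IMAGE_FILE_HEADER so the file-side value can be confirmed independently of the tool. The PE bytes it checks are a constructed stub header, not a real KERNEL32.dll, and all function and class names here are my own.

```python
import re
import struct
import time
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: the listdlls.exe block quoted in the post.
SAMPLE_OUTPUT = """\
*** Loaded C:\\WINNT\\system32\\KERNEL32.dll differs from file image:
*** File timestamp: Wed Apr 18 12:25:36 2007
*** Loaded image timestamp: Wed Apr 18 12:25:37 2007
*** 0x77e40000 0x102000 5.02.3790.4062 C:\\WINNT\\system32\\KERNEL32.dll
"""

TS_FMT = "%a %b %d %H:%M:%S %Y"  # ctime-style stamp that listdlls prints
HEADER_RE = re.compile(r"^\*\*\* Loaded (.+?) differs from file image:$")
FILE_RE = re.compile(r"^\*\*\* File timestamp: (.+)$")
LOADED_RE = re.compile(r"^\*\*\* Loaded image timestamp: (.+)$")
MODULE_RE = re.compile(r"^\*\*\* (0x[0-9A-Fa-f]+) (0x[0-9A-Fa-f]+) (\S+) (.+)$")


@dataclass
class DllMismatch:
    path: str
    file_ts: datetime    # TimeDateStamp of the file on disk, as reported
    loaded_ts: datetime  # TimeDateStamp of the mapped image, as reported
    base: int
    size: int
    version: str

    @property
    def delta_seconds(self) -> int:
        """Signed distance of the in-memory header stamp from the on-disk one."""
        return int((self.loaded_ts - self.file_ts).total_seconds())


def parse_listdlls(text: str) -> list[DllMismatch]:
    """Collect every 'differs from file image' block from listdlls output."""
    found, cur = [], {}
    for line in text.splitlines():
        line = line.rstrip()
        if m := HEADER_RE.match(line):
            cur = {"path": m.group(1)}
        elif m := FILE_RE.match(line):
            cur["file_ts"] = datetime.strptime(m.group(1).strip(), TS_FMT)
        elif m := LOADED_RE.match(line):
            cur["loaded_ts"] = datetime.strptime(m.group(1).strip(), TS_FMT)
        elif (m := MODULE_RE.match(line)) and all(
            k in cur for k in ("path", "file_ts", "loaded_ts")
        ):
            cur.update(base=int(m.group(1), 16), size=int(m.group(2), 16),
                       version=m.group(3))
            found.append(DllMismatch(**cur))
            cur = {}
    return found


def pe_timestamp(data: bytes) -> int:
    """Read IMAGE_FILE_HEADER.TimeDateStamp (seconds since the Unix epoch)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def header_matches_report(disk_image: bytes, m: DllMismatch) -> bool:
    """Cross-check: does the on-disk header stamp agree with the 'File timestamp' line?"""
    return datetime.fromtimestamp(pe_timestamp(disk_image)) == m.file_ts


def disk_stamp_for(m: DllMismatch) -> int:
    """Epoch value a file header would carry to match the reported file timestamp."""
    return int(time.mktime(m.file_ts.timetuple()))


def build_stub_pe(timestamp: int) -> bytes:
    """Constructed minimal PE header (not a real DLL) carrying the given TimeDateStamp."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature at offset 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, timestamp, 0, 0, 0, 0)  # 20-byte COFF header
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    for m in parse_listdlls(SAMPLE_OUTPUT):
        print(f"{m.path} v{m.version} @ {m.base:#x} (+{m.size:#x}): "
              f"loaded image stamp is {m.delta_seconds:+d}s from the file stamp")
        stub = build_stub_pe(disk_stamp_for(m))  # stand-in for reading the file itself
        print("  on-disk header agrees with report:", header_matches_report(stub, m))
```

On a live system the bytes passed to header_matches_report would come from reading the file named in the report. The script only measures how the two headers disagree; it does not tell you which side changed, so the result is a starting point for the usual file-hash and patch-history checks, not a verdict.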