MRT.exe
- File Path:
C:\WINDOWS\system32\MRT.exe - Description: Microsoft Windows Malicious Software Removal Tool
Screenshot
Hashes
| Type | Hash |
|---|---|
| MD5 | 68E0F8F82B7EFFC1081B3FBED8FB0F39 |
| SHA1 | 729398C5CE1CC00E94C5C0D105B66428FCBB54B9 |
| SHA256 | 27CB2F21EB3F4EF1CC44E58CBECABA81ADB91CBE6E39B86C3C6599F05DB3C659 |
| SHA384 | C282EC48BAABB92EA31D4A38F82BE924868297498C65B5C47FB50D56483C9B3BC9695D17E4FED32DA13986F60428AE3B |
| SHA512 | 001508A829320E507336C4C512E1B28C3AFE51C0211531C5B9726BF7551B673D01A9DB3AF4FE2677CD050582CF9E26617D0E06AD9CFEBFAE1A966FF184FB61E8 |
| SSDEEP | `` |
| IMP | 05D7D27EC48BB0EEDC2DFD4AB9610950 |
| PESHA1 | 7A573A5CD9CAE76FA65F1A911FAE7BDB1B04D292 |
| PE256 | 181E69B982C498AF406A70F4EAB7C9F71E4AA0A1609E45F7ABE1F5DF15687228 |
Runtime Data
Window Title:
Malicious Software Removal Tool
Open Handles:
| Path | Type |
|---|---|
| (R-D) C:\Windows\Fonts\StaticCache.dat | File |
| (R-D) C:\Windows\SystemResources\imageres.dll.mun | File |
| (RW-) C:\Windows\System32 | File |
| (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.22000.120_none_9d947278b86cc467 | File |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro | Section |
| \Sessions\2\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 | Section |
| \Sessions\2\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 | Section |
| \Sessions\2\Windows\Theme1077709572 | Section |
| \Windows\Theme3461253685 | Section |
Loaded Modules:
| Path |
|---|
| C:\WINDOWS\System32\ADVAPI32.dll |
| C:\WINDOWS\System32\GDI32.dll |
| C:\WINDOWS\System32\KERNEL32.DLL |
| C:\WINDOWS\System32\KERNELBASE.dll |
| C:\WINDOWS\system32\MRT.exe |
| C:\WINDOWS\System32\msvcrt.dll |
| C:\WINDOWS\SYSTEM32\ntdll.dll |
| C:\WINDOWS\System32\RPCRT4.dll |
| C:\WINDOWS\System32\sechost.dll |
| C:\WINDOWS\System32\USER32.dll |
| C:\WINDOWS\System32\win32u.dll |
Signature
- Status: Signature verified.
- Serial:
33000002DD8770F52ABEFDE3430000000002DD - Thumbprint:
03BA55C2D33043729461269EB3A9B5D3AC83DECD - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: mrt.exe
- Product Name: Microsoft Windows Malicious Software Removal Tool
- Company Name: Microsoft Corporation
- File Version: 5.94.18626.1
- Product Version: 5.94.18626.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/73
- VirusTotal Link: https://www.virustotal.com/gui/file/27cb2f21eb3f4ef1cc44e58cbecaba81adb91cbe6e39b86c3c6599f05db3c659/detection
Possible Misuse
The following table contains possible examples of MRT.exe being misused. While MRT.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | proc_access_win_cred_dump_lsass_access.yml | SourceImage: 'C:\Windows\system32\MRT.exe' # Windows Malicious Software Removal Tool |
DRL 1.0 |
| sigma | proc_access_win_susp_proc_access_lsass.yml | SourceImage: 'C:\WINDOWS\system32\MRT.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_svchost.yml | - '\Mrt.exe' |
DRL 1.0 |
| signature-base | crime_fireball.yar | $x1 = “SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe” fullword wide | CC BY-NC 4.0 |
MIT License. Copyright (c) 2020-2021 Strontic.