MsMpEng.exe

  • File Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2005.5-0\MsMpEng.exe
  • Description: Antimalware Service Executable

Hashes

  • MD5: 1666B24A81512DF8B6F7635C858C044E
  • SHA1: 096C2403A028D60EBAECF15F7C472F66E4AC3CAC
  • SHA256: AA23BBCABA315E1035FD397A512551C6573B1BAD3B72665DA4F7D6D6537012C8
  • SHA384: B2359351DA119F256B2B595C5FCD493A7CA8A0034C92DB3CCD8ACBC2AF31361A4F8383A7312419722F6D7A9C303629D9
  • SHA512: 4FB719067BFB2727F3588A6DF791FAB771B367D85EBC0BE0769118D3649A0D304871F7CD153D551A4953336AFABF9EC020680618F589B43A1C22308526C09F1C
  • SSDEEP: 3072:ZF1UoonTD+XE/UMNNKTe1TTfTsc0DfLfyFl:z12TDTMMN7Ic0DfmFl

Signature

  • Status: Signature verified.
  • Serial: 330000024A0E8AFDF15C662D2B00000000024A
  • Thumbprint: 96384A7F5F1C438F32E2454697DC6D312A74517B
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows Publisher, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: MsMpEng.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 4.18.2005.5 (WinBuild.160101.0800)
  • Product Version: 4.18.2005.5
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following list contains possible examples of MsMpEng.exe being misused. While MsMpEng.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes. Each entry gives the source, the source file, the matching example, and the license.

  • sigma, win_susp_msmpeng_crash.yml: - '*MsMpEng.exe*' (DRL 1.0)
  • sigma, win_susp_msmpeng_crash.yml: - MsMpEng.exe can crash when C:\ is full (DRL 1.0)
  • sigma, win_plugx_susp_exe_locations.yml: Image: '*\MsMpEng.exe' (DRL 1.0)
  • sigma, win_proc_wrong_parent.yml: - '*\Windows Defender\\*\MsMpEng.exe' (DRL 1.0)
  • sigma, win_susp_svchost.yml: - '*\MsMpEng.exe' (DRL 1.0)
  • signature-base, apt_op_cloudhopper.yar: $s1 = "MsMpEng.exe" fullword ascii (CC BY-NC 4.0)
  • stockpile, 1258b063-27d6-489b-a677-4807faacf868.yml: "msmpeng", (Apache-2.0)

MIT License. Copyright (c) 2020-2021 Strontic.