MsMpEng.exe

  • File Path: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2004.6-0\MsMpEng.exe
  • Description: Antimalware Service Executable

Hashes

Type Hash
MD5 A5B18DBC79586D1D338D67B025EC8610
SHA1 33DC627D74F3AA94E7973D905C382D81961C52E8
SHA256 91917728E8019E77E7AFAC60D86174E0A61F1CE7BA0EA6078E648853BE998800
SHA384 183C831572E297907E497E6F1E897269E6F359428E4DAEDBF7340CA58ED4DC9DCA65E98DAEC528A470F340E12E34FE77
SHA512 4D80CEACE2E61944B3C065759DDA5E71BBA3C1467CADC07E05456A4E58EA960C6D0B9A9732E95F7671925341DD27B8BC8D8A1B867471E6F4D2D1B9FEF4C6C0AA
SSDEEP 3072:fdI8TdDVcmoEVF5+KTeviKDmD/6u89VVE:fiMdDgYF5ADmT65BE

Signature

  • Status: Signature verified.
  • Serial: 330000024A0E8AFDF15C662D2B00000000024A
  • Thumbprint: 96384A7F5F1C438F32E2454697DC6D312A74517B
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows Publisher, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: MsMpEng.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 4.18.2004.6 (WinBuild.160101.0800)
  • Product Version: 4.18.2004.6
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of MsMpEng.exe being misused. While MsMpEng.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_susp_msmpeng_crash.yml - 'MsMpEng.exe' DRL 1.0
sigma win_susp_msmpeng_crash.yml - MsMpEng.exe can crash when C:\ is full DRL 1.0
sigma win_firewall_as_add_rule.yml - 'C:\Program Files\Windows Defender\MsMpEng.exe' DRL 1.0
sigma win_susp_lsass_dump_generic.yml - '\MsMpEng.exe' # Defender DRL 1.0
sigma image_load_wmi_module_load.yml - '\MsMpEng.exe' DRL 1.0
sigma proc_access_win_cred_dump_lsass_access.yml SourceImage\|endswith: '\MsMpEng.exe' DRL 1.0
sigma proc_access_win_cred_dump_lsass_access.yml # - '\MsMpEng.exe' DRL 1.0
sigma proc_access_win_in_memory_assembly_execution.yml SourceImage\|endswith: '\MsMpEng.exe' DRL 1.0
sigma proc_access_win_susp_proc_access_lsass.yml - 'C:\Program Files\Windows Defender\MsMpEng.exe' DRL 1.0
sigma proc_access_win_susp_proc_access_lsass.yml SourceImage\|endswith: '\MsMpEng.exe' DRL 1.0
sigma proc_creation_win_apt_revil_kaseya.yml - '\AppData\Local\Temp\MsMpEng.exe' DRL 1.0
sigma proc_creation_win_apt_revil_kaseya.yml - 'C:\Windows\MsMpEng.exe' DRL 1.0
sigma proc_creation_win_plugx_susp_exe_locations.yml Image\|endswith: '\MsMpEng.exe' DRL 1.0
sigma proc_creation_win_proc_wrong_parent.yml ParentImage\|endswith: '\MsMpEng.exe' DRL 1.0
sigma proc_creation_win_susp_svchost.yml - '\MsMpEng.exe' DRL 1.0
sigma sysmon_raw_disk_access_using_illegitimate_tools.yml Image\|endswith: '\MsMpEng.exe' DRL 1.0
sigma registry_event_asep_reg_keys_modification_currentversion.yml Image: 'C:\Program Files\Windows Defender\MsMpEng.exe' DRL 1.0
sigma registry_event_persistence_search_order.yml Image\|endswith: '\MsMpEng.exe' DRL 1.0
signature-base apt_apt27_hyperbro.yar $s3 = “msmpeng.exe” fullword wide CC BY-NC 4.0
signature-base apt_op_cloudhopper.yar $s1 = “MsMpEng.exe” fullword ascii CC BY-NC 4.0
stockpile 1258b063-27d6-489b-a677-4807faacf868.yml "msmpeng", Apache-2.0

MIT License. Copyright (c) 2020-2021 Strontic.