smartscreen.exe

  • File Path: C:\Windows\system32\smartscreen.exe
  • Description: Windows Defender SmartScreen

Hashes

Type Hash
MD5 B75FA41284409A6134BF824BEAE59B4E
SHA1 75BDDAB181B87DF4C60751A787AA5FD35783ADEB
SHA256 B790B17EA61FC4EDC3D385FF83D0BC565A41594BB86920DEEF990A83B8862097
SHA384 7300F3624A08A2A5BB6E2C6CEAB281FDFC6D5232AE482F728DA56EF9743A288FCF93C03B425A4FA38F67C19A837DAFDE
SHA512 9F67BF42243EC3E27C160269C23ED9DCE4194E9693CC0194D872E56CD7E005ECEBAA2210D988F2F0A13C1368A5B10C8858288E7607D45385F11A7B42D7E49FD6
SSDEEP 49152:+CYVj023iHrPnXdzsXOVCQ1TRfOqI/TYh/Y6PInI/A8r37UnxNDi:lrgSr37eN
IMP 6DFBF12753AF176E3C203C407493A5B9
PESHA1 3124E1ED44FC5076F800D2D1FFE6A78726314926
PE256 841572012FC4573E73EED3EE568C6C3CB216DEA7BA1D42A4502228953B2BB0C1

Runtime Data

Loaded Modules:

Path
C:\Windows\System32\advapi32.dll
C:\Windows\System32\bcrypt.dll
C:\Windows\System32\bcryptPrimitives.dll
C:\Windows\System32\combase.dll
C:\Windows\System32\CRYPT32.dll
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\SYSTEM32\kernel.appcore.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\System32\shcore.dll
C:\Windows\system32\smartscreen.exe
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\user32.dll
C:\Windows\System32\win32u.dll
C:\Windows\System32\WINTRUST.dll
C:\Windows\SYSTEM32\wintypes.dll
C:\Windows\System32\WS2_32.dll

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: smartscreen.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/68
  • VirusTotal Link: https://www.virustotal.com/gui/file/b790b17ea61fc4edc3d385ff83d0bc565a41594bb86920deef990a83b8862097/detection/

File Similarity (ssdeep match)

File Score
C:\Windows\system32\smartscreen.exe 50
C:\Windows\system32\smartscreen.exe 44
C:\WINDOWS\system32\smartscreen.exe 30

Possible Misuse

The following table contains possible examples of smartscreen.exe being misused. While smartscreen.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma sysmon_suspicious_remote_thread.yml - '\smartscreen.exe' DRL 1.0
sigma file_event_win_creation_system_file.yml - '\smartscreen.exe' DRL 1.0
sigma proc_creation_win_system_exe_anomaly.yml - '\smartscreen.exe' DRL 1.0
atomic-red-team T1553.005.md <blockquote>Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows, when files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.(Citation: Microsoft Zone.Identifier 2020) Files that are tagged with MOTW are protected and cannot perform certain actions. For example, starting in MS Office 10, if a MS Office file has the MOTW, it will open in Protected View. Executables tagged with the MOTW will be processed by Windows Defender SmartScreen that compares files with an allowlist of well-known executables. If the file in not known/trusted, SmartScreen will prevent the execution and warn the user not to run it.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020)(Citation: Intezer Russian APT Dec 2020) MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.