Why does Defender create service "MpKslfa1a362a" as a driver started at system start?

  • Question

  • Just refreshed my PC with Win 10.

    Got Process Hacker running in the background, popping up a notification each time a service is created or deleted.

    And I saw this monstrosity:
    MpKslfa1a362a.sys 

    binary path \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{686BE312-53BF-42D7-BD22-F978B5019D6D}\MpKslfa1a362a.sys

    Virustotal hash: https://www.virustotal.com/en/file/aade8c93bfe0830ae43ad649f62d7d7e25fc14107b172815ef9f4069c19adfcc/analysis/

    It appears to have a randomly generated name, but the .sys is the same.
    What purpose does it serve? Why is it obfuscated to such a degree that it screams malware every time you look at it?

    Saturday, July 22, 2017 4:09 PM
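The check a practitioner would run before deciding whether a transient driver service like this one is cause for concern, as an added example that is not part of the original post: enumerate every kernel driver service whose name starts with MpKsl, confirm its binary lives under the Defender "Definition Updates" directory shown in the post, read its Authenticode signature and signer, and compare its SHA-256 with the hash from the VirusTotal link above. The hash constant is the one from the post; the script otherwise assumes an elevated PowerShell session on Windows 10 with Windows Defender installed, and it will simply report nothing if the service has already been deleted again, since the post describes it as created and removed on the fly.

```powershell
# Added example, not code from the original post. Assumes an elevated
# PowerShell on Windows 10 with Windows Defender present.

# SHA-256 taken from the VirusTotal URL in the post above.
$postedSha256 = 'aade8c93bfe0830ae43ad649f62d7d7e25fc14107b172815ef9f4069c19adfcc'

# Directory the post shows as the driver's home (a GUID subfolder sits below it).
$defenderUpdateDir = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Definition Updates'

function Get-MpKslDriverReport {
    # Kernel driver services are exposed through Win32_SystemDriver; the post's
    # service name pattern is "MpKsl" followed by random hex characters.
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.Name -like 'MpKsl*' }

    if (-not $drivers) {
        Write-Verbose 'No MpKsl* driver service is registered right now; it is created transiently.'
        return
    }

    foreach ($drv in $drivers) {
        # PathName is in NT object-manager form, e.g. \??\C:\ProgramData\...\MpKslXXXX.sys;
        # strip the \??\ prefix to get a normal Win32 path.
        $path = $drv.PathName -replace '^\\\?\?\\', ''

        $inDefenderDir = $path.StartsWith($defenderUpdateDir,
                                          [System.StringComparison]::OrdinalIgnoreCase)

        $report = [ordered]@{
            Service         = $drv.Name
            State           = $drv.State       # e.g. Running / Stopped
            StartMode       = $drv.StartMode   # "System" would match the post's "started at system start"
            Path            = $path
            InDefenderDir   = $inDefenderDir
            FileStillExists = Test-Path -LiteralPath $path
            SignatureStatus = $null
            Signer          = $null
            SHA256          = $null
            MatchesPosted   = $null
        }

        if ($report.FileStillExists) {
            # Authenticode check: a legitimate Microsoft driver is expected to show
            # Status "Valid" with a Microsoft signer subject. Anything else deserves a look.
            $sig = Get-AuthenticodeSignature -FilePath $path
            $report.SignatureStatus = $sig.Status
            $report.Signer          = $sig.SignerCertificate.Subject

            $report.SHA256        = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
            $report.MatchesPosted = ($report.SHA256 -eq $postedSha256)
        }

        [pscustomobject]$report
    }
}

# Run it and print one record per MpKsl* driver service.
Get-MpKslDriverReport | Format-List
```

Because the service is short-lived, run the report in a loop or trigger it right after a definition update to catch the driver while the file is still on disk; an "Unknown" or "NotSigned" signature status, a signer that is not Microsoft, or a path outside the Definition Updates directory would be the signals worth chasing, while a random service name on its own is not.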