Register-CimProvider.exe

  • File Path: C:\WINDOWS\SysWOW64\Register-CimProvider.exe
  • Description: WMI

Hashes

Type Hash
MD5 0042B2C7A176D23ACBAD0AE1F43AEF7C
SHA1 DECFBD2FE5AA5F163AED1D428C8FDD0F4BA012E3
SHA256 8B76F4C4E0D1D3A87B0C749A995E3A31CFCA2BA88C180C18BA7F169E14C06B60
SHA384 EC4E4F5EA12C3A36554D84F188A4FB1551BD1DE942E2DF1902F938ED0B95F95D84FB9B99DC088C5FFC756AAA3AA29C54
SHA512 B82921B999976B6BE7BD78F3F4822492B79F33CE0A2DE73F53BB829A1DD065C2543337FA163CC91A1E578DE5E6C8EC15295428256833DD4639C7B44FA72B0A62
SSDEEP 384:xsR1sKmxpfQ6bRsOGoEajBBpszlfWaHm1ZPTKtoQw5EDcYkf+N2OB4KQ+xgWB1Ww:2R1lUuYsv8ps1WaHAVKXDcYkG2OB4sxl
IMP E38114F7B41F83A6809D0A3C49C82EEE
PESHA1 70A7C6E11C89734A9B62A881618E772251A5D3C4
PE256 FD86430B837FCB95D1D7E16AA53DE8A5714FE3B414AAE753709269E9915106F3

Runtime Data

Usage (stdout):


Registers CIM Provider into system

Usage:  Register-CimProvider.exe
		-Namespace <NamespaceName>
		-ProviderName <ProviderName>
		-Path <ProviderDllPath>
		[-ClassList <Space delimited list of white-listed classes>]
		[-Impersonation <True or False>]
		[-Decoupled <SDDL>]
		[-HostingModel <HostingModel>]
		[-Localize <locale>]
		[-NoAutorecover]
		[-SupportWQL]
		[-GenerateUnregistration]
		[-ForceUpdate]
		[-Verbose]

-Namespace <NamespaceName>
	Specifies the target namespace of the provider.

-ProviderName <ProviderName>
	Specifies the provider name.

-Path <ProviderDllPath>
	Specifies the provider binary path.

-Impersonation <True or False>
	Specifies foldidentity of decoupled provider, by default is True.

-Decoupled <SDDL>
	Registers provider as decoupled and specifies the security descriptor
	that determines the set of users that can successfully register
	the provider.

-HostingModel <HostingModel>
	Specifies the HostingModel of coupled provider.

-Localize <locale>
	Localizes the provider with resource of specified locale.

-NoAutorecover
	Doesn't autorecover the provider.

-SupportWQL
	Passes the query expression to the filter.

-GenerateUnregistration
	Generate the uninstall mof for the registration,
	which is disabled by default.

-ForceUpdate
	Force update the class if it exists in the system.

-ClassList <ProviderDllPath>
	Specifies space delimited list of white-listed classes that
	will be generated in the mof.

-Verbose
	Outputs registration log.


Loaded Modules:

Path
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\wow64.dll
C:\WINDOWS\System32\wow64base.dll
C:\WINDOWS\System32\wow64con.dll
C:\WINDOWS\System32\wow64cpu.dll
C:\WINDOWS\System32\wow64win.dll
C:\WINDOWS\SysWOW64\Register-CimProvider.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: Register-CimProvider2.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/8b76f4c4e0d1d3a87b0c749a995e3a31cfca2ba88c180c18ba7f169e14c06b60/detection

Possible Misuse

The following table contains possible examples of Register-CimProvider.exe being misused. While Register-CimProvider.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_susp_register_cimprovider.yml title: DLL Execution Via Register-cimprovider.exe DRL 1.0
sigma win_susp_register_cimprovider.yml description: Detects using register-cimprovider.exe to execute arbitrary dll file. DRL 1.0
sigma win_susp_register_cimprovider.yml - https://github.com/api0cradle/LOLBAS/blob/master/OSBinaries/Register-cimprovider.md DRL 1.0
sigma win_susp_register_cimprovider.yml Image\|endswith: '\register-cimprovider.exe' DRL 1.0
LOLBAS Register-cimprovider.yml Name: Register-cimprovider.exe  
LOLBAS Register-cimprovider.yml - Command: Register-cimprovider -path "C:\folder\evil.dll"  
LOLBAS Register-cimprovider.yml - Path: C:\Windows\System32\Register-cimprovider.exe  
LOLBAS Register-cimprovider.yml - Path: C:\Windows\SysWOW64\Register-cimprovider.exe  
atomic-red-team index.md - Atomic Test #3: Register-CimProvider - Execute evil dll [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #3: Register-CimProvider - Execute evil dll [windows] MIT License. © 2018 Red Canary
atomic-red-team T1218.md - Atomic Test #3 - Register-CimProvider - Execute evil dll MIT License. © 2018 Red Canary
atomic-red-team T1218.md ## Atomic Test #3 - Register-CimProvider - Execute evil dll MIT License. © 2018 Red Canary
atomic-red-team T1218.md C:\Windows\SysWow64\Register-CimProvider.exe -Path #{dll_payload} MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.