Register-CimProvider.exe

  • File Path: C:\windows\SysWOW64\Register-CimProvider.exe
  • Description: WMI

Hashes

Type Hash
MD5 7659706ABE8CC14824F572234606A8D9
SHA1 B2F019D7AD40E5E2F6208F14F399CDFF033CC98C
SHA256 3530A30A2D62F158CCBB9F2AF51722F658BBCC179E559ECC06A0CBDF3007871F
SHA384 8DE64A81D00C1ADCD111B52798B091CB648475F61134472722CF5D2664EFDDF682B719763DD4483CE3C473A283F08304
SHA512 3D6B09613840BBD336EC92AD6B3797FCF59FF969C60C2E3184B6EE7ABEBAD25E114A916873D092C50C68977BCB1267333C8531A426E1B6455C5298A35507B0A0
SSDEEP 192:6StRIbahjZqHwGbyo3X8WTB13+tBDs9pziSdlj4OfI4HW81WI4C0:6StvLqLbywX8YPLll/xHW81WM

Signature

  • Status: The file C:\windows\SysWOW64\Register-CimProvider.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
  • Serial: ``
  • Thumbprint: ``
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: Register-CimProvider2.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 6.3.9600.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of Register-CimProvider.exe being misused. While Register-CimProvider.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
LOLBAS Register-cimprovider.yml Name: Register-cimprovider.exe  
LOLBAS Register-cimprovider.yml - Command: Register-cimprovider -path "C:\folder\evil.dll"  
LOLBAS Register-cimprovider.yml - Path: C:\Windows\System32\Register-cimprovider.exe  
LOLBAS Register-cimprovider.yml - Path: C:\Windows\SysWOW64\Register-cimprovider.exe  
atomic-red-team index.md - Atomic Test #3: Register-CimProvider - Execute evil dll [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #3: Register-CimProvider - Execute evil dll [windows] MIT License. © 2018 Red Canary
atomic-red-team T1218.md - Atomic Test #3 - Register-CimProvider - Execute evil dll MIT License. © 2018 Red Canary
atomic-red-team T1218.md ## Atomic Test #3 - Register-CimProvider - Execute evil dll MIT License. © 2018 Red Canary
atomic-red-team T1218.md C:\Windows\SysWow64\Register-CimProvider.exe -Path #{dll_payload} MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.