Register-CimProvider.exe
- File Path:
C:\windows\SysWOW64\Register-CimProvider.exe
- Description: WMI
Hashes
Type | Hash |
---|---|
MD5 | 7659706ABE8CC14824F572234606A8D9 |
SHA1 | B2F019D7AD40E5E2F6208F14F399CDFF033CC98C |
SHA256 | 3530A30A2D62F158CCBB9F2AF51722F658BBCC179E559ECC06A0CBDF3007871F |
SHA384 | 8DE64A81D00C1ADCD111B52798B091CB648475F61134472722CF5D2664EFDDF682B719763DD4483CE3C473A283F08304 |
SHA512 | 3D6B09613840BBD336EC92AD6B3797FCF59FF969C60C2E3184B6EE7ABEBAD25E114A916873D092C50C68977BCB1267333C8531A426E1B6455C5298A35507B0A0 |
SSDEEP | 192:6StRIbahjZqHwGbyo3X8WTB13+tBDs9pziSdlj4OfI4HW81WI4C0:6StvLqLbywX8YPLll/xHW81WM |
Signature
- Status: The file C:\windows\SysWOW64\Register-CimProvider.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
- Serial: ``
- Thumbprint: ``
- Issuer:
- Subject:
File Metadata
- Original Filename: Register-CimProvider2.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
- Product Version: 6.3.9600.16384
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
Possible Misuse
The following table contains possible examples of Register-CimProvider.exe being misused. While Register-CimProvider.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
Source | Source File | Example | License |
---|---|---|---|
sigma | proc_creation_win_susp_register_cimprovider.yml | title: DLL Execution Via Register-cimprovider.exe | DRL 1.0 |
sigma | proc_creation_win_susp_register_cimprovider.yml | description: Detects using register-cimprovider.exe to execute arbitrary dll file. | DRL 1.0 |
sigma | proc_creation_win_susp_register_cimprovider.yml | - https://github.com/api0cradle/LOLBAS/blob/master/OSBinaries/Register-cimprovider.md | DRL 1.0 |
sigma | proc_creation_win_susp_register_cimprovider.yml | Image\|endswith: '\register-cimprovider.exe' | DRL 1.0 |
LOLBAS | Register-cimprovider.yml | Name: Register-cimprovider.exe | |
LOLBAS | Register-cimprovider.yml | - Command: Register-cimprovider -path "C:\folder\evil.dll" | |
LOLBAS | Register-cimprovider.yml | - Path: C:\Windows\System32\Register-cimprovider.exe | |
LOLBAS | Register-cimprovider.yml | - Path: C:\Windows\SysWOW64\Register-cimprovider.exe | |
LOLBAS | Register-cimprovider.yml | - IOC: Register-cimprovider.exe execution and cmdline DLL load may be supsicious | |
atomic-red-team | index.md | - Atomic Test #3: Register-CimProvider - Execute evil dll [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #3: Register-CimProvider - Execute evil dll [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.md | - Atomic Test #3 - Register-CimProvider - Execute evil dll | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.md | ## Atomic Test #3 - Register-CimProvider - Execute evil dll | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.md | C:\Windows\SysWow64\Register-CimProvider.exe -Path #{dll_payload} | MIT License. © 2018 Red Canary |
MIT License. Copyright (c) 2020-2021 Strontic.