Register-CimProvider.exe

  • File Path: C:\windows\system32\Register-CimProvider.exe
  • Description: WMI

Hashes

Type Hash
MD5 99F2485F0AA3BC7CFD417A63786CA234
SHA1 00DEB3C56DB95B5EDD8CD3A6466B5CF25638798C
SHA256 31F86C733174CF69AF7430CC4E09D833BA531B87AC9FED6B9CDB0736C68483FF
SHA384 E0EA9A19CDB3E0E4B1B61171DC523DE95ED03A66DC479FA66AC8CBB7D1B9E22AB4C6A55C21126320A438A87A53635BAF
SHA512 EE45B7A320CFCD21E6AD27B5BC3DAC8E89A8774898B2886E1B5C777130780031AC4A4F88C5C39BE829BDBCFD1F9294995F4A6A334BEC750F1DAD342A4AAFE719
SSDEEP 384:JnT3JsHVzYJsVVwJ6GtMIrWdi8FteoWABWfiilhxfW81Wu:PAzYJsXAMIrRmtexAEfiilhxHZ

Signature

  • Status: The file C:\windows\system32\Register-CimProvider.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
  • Serial: ``
  • Thumbprint: ``
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: Register-CimProvider2.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 6.3.9600.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of Register-CimProvider.exe being misused. While Register-CimProvider.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
LOLBAS Register-cimprovider.yml Name: Register-cimprovider.exe  
LOLBAS Register-cimprovider.yml - Command: Register-cimprovider -path "C:\folder\evil.dll"  
LOLBAS Register-cimprovider.yml - Path: C:\Windows\System32\Register-cimprovider.exe  
LOLBAS Register-cimprovider.yml - Path: C:\Windows\SysWOW64\Register-cimprovider.exe  
atomic-red-team index.md - Atomic Test #3: Register-CimProvider - Execute evil dll [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #3: Register-CimProvider - Execute evil dll [windows] MIT License. © 2018 Red Canary
atomic-red-team T1218.md - Atomic Test #3 - Register-CimProvider - Execute evil dll MIT License. © 2018 Red Canary
atomic-red-team T1218.md ## Atomic Test #3 - Register-CimProvider - Execute evil dll MIT License. © 2018 Red Canary
atomic-red-team T1218.md C:\Windows\SysWow64\Register-CimProvider.exe -Path #{dll_payload} MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.