WMIADAP.exe

  • File Path: C:\Windows\SysWOW64\wbem\WMIADAP.exe
  • Description: WMI Reverse Performance Adapter Maintenance Utility

Hashes

Type    Hash
MD5     83CFA0ACAA299FD5B1B5A255CBD4602B
SHA1    63305D366610DC2AFF85C0CBFF508231B1AC3A05
SHA256  2D484A551751F118EA7609EBA1400F29A98206551959ABECD464828F72CFA28A
SHA384  AC92227AB27C80B09E66D3524FA85CCA68E94840FFD16B849D26AB11E9AFF719996B7875C8C111DD6B93EF3A61581D8E
SHA512  49F7B62DE1E1EF19485E8F9EF42FD9408B6DF84101A0E6A8CE602D75311828BDFDDF972FDE57D81CB976D8111A20FA4287D5722EBBF19130BB109AEC359CB32C
SSDEEP  3072:6i+66+4VOWQZPOu2qgXRm6kMxmZO7kvg6/W:6ip4kWQ9x2qotkmmZO7kosW
IMP     8CFB5725B2F97204F3268EDACE605269
PESHA1  92F3132ED12A7C9AA869E057634E606DDBEE17B2
PE256   62FB0C96B58BAD4D73A6A977EEDA949C7F4C2743BF88655FE25CC5938957A7BA

Runtime Data

Child Processes:

explorer.exe

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\wbem\WMIADAP.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: wmicookr.dll
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.610 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.610
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/76
  • VirusTotal Link: https://www.virustotal.com/gui/file/2d484a551751f118ea7609eba1400f29a98206551959abecd464828f72cfa28a/detection

File Similarity (ssdeep match)

File                                    Score
C:\Windows\SysWOW64\wbem\WMIADAP.exe    82
C:\Windows\SysWOW64\wbem\WMIADAP.exe    85

Possible Misuse

The following table contains possible examples of WMIADAP.exe being misused. While WMIADAP.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source   Source File                      Example                                                                                  License
sigma    image_load_wmi_module_load.yml   - '\windows\system32\wbem\WMIADAP.exe' # https://github.com/SigmaHQ/sigma/issues/1871   DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.