WmiPrvSE.exe

File Path: C:\WINDOWS\SysWOW64\wbem\WmiPrvSE.exe
Description: WMI Provider Host

Hashes

Type	Hash
MD5	`2C1E4FECCEF57399B8F277BB0072BBD8`
SHA1	`32CF0BC2E551DBB8041D5111C0AA2587A83EC7BC`
SHA256	`47494C8A5807C500487ACED9D786726EC3554C32D8429D6269237FA47DC0EA22`
SHA384	`8FD1C832034226EB20DD990375BE3195C540CD1878692C8D57D1D7663B09F8A1A75E404611C33F366C10AC8F30EF33EE`
SHA512	`7094DB12B98C7F77D4D6ACA7534F8AE8F79C98D60FD1CC4F3A0089B5F65EB0FD8269AC3BB4B9900F8D781F82E910A11EF5995760A51B717EBB218AADB41C6900`
SSDEEP	`6144:VFDpZRoMokA8pGk86wYMjCrAN+cvpAnot5lSWYPSgpziGV1a0tttKyDeP1a:TGk86w4AY0pAnu5QWuVoOBg688`
IMP	`ADE155B8FF5A8EE339CD222A3C1C146E`
PESHA1	`A74CBC57645A59C87C67112DC35738C658979CB9`
PE256	`2C139DECAF6C8780E347729B9CBC99FE860F1154F3978EAB5417462427A01FDD`

Runtime Data

Open Handles:

Path	Type
(R-D) C:\Windows\SysWOW64\en-US\user32.dll.mui	File
(RW-) C:\Windows	File
(RW-) C:\Windows\SysWOW64	File
\BaseNamedObjects__ComCatalogCache__	Section
\BaseNamedObjects\C:ProgramDataMicrosoftWindowsCaches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db	Section
\BaseNamedObjects\C:ProgramDataMicrosoftWindowsCaches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db	Section
\BaseNamedObjects\C:ProgramDataMicrosoftWindowsCaches*cversions.2.ro	Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0	Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_437_3_2_0_0	Section
\Sessions\2\Windows\Theme1077709572	Section
\Windows\Theme3461253685	Section

Loaded Modules:

Path
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\wow64.dll
C:\WINDOWS\System32\wow64base.dll
C:\WINDOWS\System32\wow64con.dll
C:\WINDOWS\System32\wow64cpu.dll
C:\WINDOWS\System32\wow64win.dll
C:\WINDOWS\SysWOW64\wbem\WmiPrvSE.exe

Signature

Status: Signature verified.
Serial: 33000002ED2C45E4C145CF48440000000002ED
Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

Original Filename: Wmiprvse.exe
Product Name: Microsoft Windows Operating System
Company Name: Microsoft Corporation
File Version: 10.0.22000.1 (WinBuild.160101.0800)
Product Version: 10.0.22000.1
Language: English (United States)
Machine Type: 32-bit

File Scan

VirusTotal Detections: 0/73
VirusTotal Link: https://www.virustotal.com/gui/file/47494c8a5807c500487aced9d786726ec3554c32d8429d6269237fa47dc0ea22/detection

Possible Misuse

The following table contains possible examples of WmiPrvSE.exe being misused. While WmiPrvSE.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source	Source File	Example	License
sigma	win_susp_lsass_dump_generic.yml	`- '\wmiprvse.exe'`	DRL 1.0
sigma	win_susp_wmi_login.yml	`ProcessName\\|endswith: '\WmiPrvSE.exe'`	DRL 1.0
sigma	win_wmiprvse_wbemcomn_dll_hijack.yml	`title: T1047 Wmiprvse Wbemcomn DLL Hijack`	DRL 1.0
sigma	win_alert_lsass_access.yml	`- 'C:\Windows\System32\wbem\WmiPrvSE.exe'`	DRL 1.0
sigma	win_defender_psexec_wmi_asr.yml	`- '\wmiprvse.exe'`	DRL 1.0
sigma	file_event_win_susp_adsi_cache_usage.yml	`- 'C:\Windows\System32\wbem\WmiPrvSE.exe'`	DRL 1.0
sigma	file_event_win_wmiprvse_wbemcomn_dll_hijack.yml	`title: Wmiprvse Wbemcomn DLL Hijack`	DRL 1.0
sigma	image_load_wmiprvse_wbemcomn_dll_hijack.yml	`title: Wmiprvse Wbemcomn DLL Hijack`	DRL 1.0
sigma	image_load_wmiprvse_wbemcomn_dll_hijack.yml	`Image\\|endswith: '\wmiprvse.exe'`	DRL 1.0
sigma	image_load_wmi_module_load.yml	`description: Detects non wmiprvse loading WMI modules`	DRL 1.0
sigma	image_load_wmi_module_load.yml	`- '\WmiPrvSE.exe'`	DRL 1.0
sigma	image_load_wmi_persistence_commandline_event_consumer.yml	`Image: 'C:\Windows\System32\wbem\WmiPrvSE.exe'`	DRL 1.0
sigma	pipe_created_alternate_powershell_hosts_pipe.yml	`- '\Windows\system32\wbem\wmiprvse.exe'`	DRL 1.0
sigma	proc_access_win_cred_dump_lsass_access.yml	`- 'C:\WINDOWS\system32\wbem\wmiprvse.exe'`	DRL 1.0
sigma	proc_access_win_cred_dump_lsass_access.yml	`# - '\wmiprvse.exe'`	DRL 1.0
sigma	proc_access_win_susp_proc_access_lsass.yml	`SourceImage: 'C:\WINDOWS\system32\wbem\wmiprvse.exe'`	DRL 1.0
sigma	proc_access_win_susp_proc_access_lsass.yml	`SourceImage: 'C:\Windows\sysWOW64\wbem\wmiprvse.exe'`	DRL 1.0
sigma	proc_creation_win_apt_lazarus_activity_apr21.yml	`- 'C:\Windows\System32\wbem\wmiprvse.exe'`	DRL 1.0
sigma	proc_creation_win_apt_ta505_dropper.yml	`description: Detects mshta loaded by wmiprvse as parent as used by TA505 malicious documents`	DRL 1.0
sigma	proc_creation_win_apt_ta505_dropper.yml	`ParentImage\\|endswith: '\wmiprvse.exe'`	DRL 1.0
sigma	proc_creation_win_impacket_lateralization.yml	`# parent is wmiprvse.exe`	DRL 1.0
sigma	proc_creation_win_impacket_lateralization.yml	`- '\wmiprvse.exe' # wmiexec`	DRL 1.0
sigma	proc_creation_win_lolbins_with_wmiprvse_parent_process.yml	`title: Lolbins Process Creation with WmiPrvse`	DRL 1.0
sigma	proc_creation_win_lolbins_with_wmiprvse_parent_process.yml	`description: This rule will monitor LOLBin process creations by wmiprvse. Add more LOLBins to rule logic if needed.`	DRL 1.0
sigma	proc_creation_win_lolbins_with_wmiprvse_parent_process.yml	`ParentImage\\|endswith: \wbem\WmiPrvSE.exe`	DRL 1.0
sigma	proc_creation_win_shell_spawn_susp_program.yml	`- '\wmiprvse.exe'`	DRL 1.0
sigma	proc_creation_win_susp_powershell_parent_process.yml	`- '\wmiprvse.exe'`	DRL 1.0
sigma	proc_creation_win_wmiprvse_spawning_process.yml	`title: Wmiprvse Spawning Process`	DRL 1.0
sigma	proc_creation_win_wmiprvse_spawning_process.yml	`description: Detects wmiprvse spawning processes`	DRL 1.0
sigma	proc_creation_win_wmiprvse_spawning_process.yml	`ParentImage\\|endswith: '\WmiPrvSe.exe'`	DRL 1.0
sigma	proc_creation_win_wmiprvse_spawning_process.yml	`- '\WmiPrvSE.exe'`	DRL 1.0
sigma	proc_creation_win_wmi_spwns_powershell.yml	`- '\wmiprvse.exe'`	DRL 1.0
malware-ioc	nukesped_lazarus	`.`WmiPrvse.exe``{:.highlight .language-cmhg}	© ESET 2014-2018
malware-ioc	nukesped_lazarus	`.`Wmiprvse.exe``{:.highlight .language-cmhg}	© ESET 2014-2018
atomic-red-team	T1546.003.md	WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges.</blockquote>	MIT License. © 2018 Red Canary
signature-base	crime_cn_campaign_njrat.yar	$s4 = “WmiPrvSE.exe” fullword wide	CC BY-NC 4.0
signature-base	crime_cn_campaign_njrat.yar	$a1 = “WmiPrvSE.exe” fullword wide	CC BY-NC 4.0
signature-base	crime_cn_campaign_njrat.yar	$s2 = “Temporary Projects\WmiPrvSE\” ascii	CC BY-NC 4.0
signature-base	gen_cn_hacktools.yar	$s8 = “wmiprvse.exe” fullword ascii	CC BY-NC 4.0
signature-base	gen_cn_hacktools.yar	$s10 = “wmiprvse.exe” fullword ascii	CC BY-NC 4.0
signature-base	gen_cn_hacktools.yar	$s8 = “wmiprvse.exe” ascii	CC BY-NC 4.0
signature-base	gen_cn_hacktools.yar	$s5 = “wmiprvse.exe” fullword ascii	CC BY-NC 4.0
signature-base	gen_cn_hacktools.yar	$s3 = “wmiprvse.exe” fullword ascii	CC BY-NC 4.0
signature-base	gen_cn_hacktools.yar	$s6 = “wmiprvse.exe” fullword ascii	CC BY-NC 4.0