WmiPrvSE.exe

  • File Path: C:\Windows\system32\wbem\WmiPrvSE.exe
  • Description: WMI Provider Host

Hashes

Type Hash
MD5 60FF40CFD7FB8FE41EE4FE9AE5FE1C51
SHA1 3EA7CC066317AC45F963C2227C4C7C50AA16EB7C
SHA256 2198A7B58BCCB758036B969DDAE6CC2ECE07565E2659A7C541A313A0492231A3
SHA384 2C35968B61058B913E26F050AF04C9DFB05E319C0D081F2A3F9D940D2DF855C915FF351BDC2B04C10496814A0E534659
SHA512 991E38E2B480FFC58EC5ADE9DCC8747A57B29FBC9B12397A8010E73143C4DFB420E5248A0C3ACF0832812C0E804080ED5A83952B9C05419D93763372ECE775C3
SSDEEP 12288:ahBzXzR4mnIu0CWQjONc3XmvzjnyBEIl/t8:qumnGDjnyBll/
IMP B71CB3AC5C352BEC857C940CBC95F0F3
PESHA1 27488A4F4D0FB889F5BCDF2D70CB02CA7CF9FA07
PE256 415006C376C01C74875D9CFA1ECA0D365A67E186399CDFFA1E7C05A6B2080BDF

Runtime Data

Open Handles:

Path Type
(R-D) C:\Windows\System32\en-US\user32.dll.mui File
(RW-) C:\Users\user File
\BaseNamedObjects__ComCatalogCache__ Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\1\Windows\Theme1175649999 Section
\Windows\Theme601709542 Section

Loaded Modules:

Path
C:\Windows\System32\combase.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\NCObjAPI.DLL
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\system32\wbem\FastProx.dll
C:\Windows\system32\wbem\WmiPrvSE.exe
C:\Windows\SYSTEM32\wbemcomn.dll

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: Wmiprvse.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.546 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.546
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/76
  • VirusTotal Link: https://www.virustotal.com/gui/file/2198a7b58bccb758036b969ddae6cc2ece07565e2659a7c541a313a0492231a3/detection

Possible Misuse

The following table contains possible examples of WmiPrvSE.exe being misused. While WmiPrvSE.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_susp_lsass_dump_generic.yml - '\wmiprvse.exe' DRL 1.0
sigma win_susp_wmi_login.yml ProcessName\|endswith: '\WmiPrvSE.exe' DRL 1.0
sigma win_wmiprvse_wbemcomn_dll_hijack.yml title: T1047 Wmiprvse Wbemcomn DLL Hijack DRL 1.0
sigma win_alert_lsass_access.yml - 'C:\Windows\System32\wbem\WmiPrvSE.exe' DRL 1.0
sigma win_defender_psexec_wmi_asr.yml - '\wmiprvse.exe' DRL 1.0
sigma file_event_win_susp_adsi_cache_usage.yml - 'C:\Windows\System32\wbem\WmiPrvSE.exe' DRL 1.0
sigma file_event_win_wmiprvse_wbemcomn_dll_hijack.yml title: Wmiprvse Wbemcomn DLL Hijack DRL 1.0
sigma image_load_wmiprvse_wbemcomn_dll_hijack.yml title: Wmiprvse Wbemcomn DLL Hijack DRL 1.0
sigma image_load_wmiprvse_wbemcomn_dll_hijack.yml Image\|endswith: '\wmiprvse.exe' DRL 1.0
sigma image_load_wmi_module_load.yml description: Detects non wmiprvse loading WMI modules DRL 1.0
sigma image_load_wmi_module_load.yml - '\WmiPrvSE.exe' DRL 1.0
sigma image_load_wmi_persistence_commandline_event_consumer.yml Image: 'C:\Windows\System32\wbem\WmiPrvSE.exe' DRL 1.0
sigma pipe_created_alternate_powershell_hosts_pipe.yml - '\Windows\system32\wbem\wmiprvse.exe' DRL 1.0
sigma proc_access_win_cred_dump_lsass_access.yml - 'C:\WINDOWS\system32\wbem\wmiprvse.exe' DRL 1.0
sigma proc_access_win_cred_dump_lsass_access.yml # - '\wmiprvse.exe' DRL 1.0
sigma proc_access_win_susp_proc_access_lsass.yml SourceImage: 'C:\WINDOWS\system32\wbem\wmiprvse.exe' DRL 1.0
sigma proc_access_win_susp_proc_access_lsass.yml SourceImage: 'C:\Windows\sysWOW64\wbem\wmiprvse.exe' DRL 1.0
sigma proc_creation_win_apt_lazarus_activity_apr21.yml - 'C:\Windows\System32\wbem\wmiprvse.exe' DRL 1.0
sigma proc_creation_win_apt_ta505_dropper.yml description: Detects mshta loaded by wmiprvse as parent as used by TA505 malicious documents DRL 1.0
sigma proc_creation_win_apt_ta505_dropper.yml ParentImage\|endswith: '\wmiprvse.exe' DRL 1.0
sigma proc_creation_win_impacket_lateralization.yml # parent is wmiprvse.exe DRL 1.0
sigma proc_creation_win_impacket_lateralization.yml - '\wmiprvse.exe' # wmiexec DRL 1.0
sigma proc_creation_win_lolbins_with_wmiprvse_parent_process.yml title: Lolbins Process Creation with WmiPrvse DRL 1.0
sigma proc_creation_win_lolbins_with_wmiprvse_parent_process.yml description: This rule will monitor LOLBin process creations by wmiprvse. Add more LOLBins to rule logic if needed. DRL 1.0
sigma proc_creation_win_lolbins_with_wmiprvse_parent_process.yml ParentImage\|endswith: \wbem\WmiPrvSE.exe DRL 1.0
sigma proc_creation_win_shell_spawn_susp_program.yml - '\wmiprvse.exe' DRL 1.0
sigma proc_creation_win_susp_powershell_parent_process.yml - '\wmiprvse.exe' DRL 1.0
sigma proc_creation_win_wmiprvse_spawning_process.yml title: Wmiprvse Spawning Process DRL 1.0
sigma proc_creation_win_wmiprvse_spawning_process.yml description: Detects wmiprvse spawning processes DRL 1.0
sigma proc_creation_win_wmiprvse_spawning_process.yml ParentImage\|endswith: '\WmiPrvSe.exe' DRL 1.0
sigma proc_creation_win_wmiprvse_spawning_process.yml - '\WmiPrvSE.exe' DRL 1.0
sigma proc_creation_win_wmi_spwns_powershell.yml - '\wmiprvse.exe' DRL 1.0
malware-ioc nukesped_lazarus .WmiPrvse.exe``{:.highlight .language-cmhg} © ESET 2014-2018
malware-ioc nukesped_lazarus .Wmiprvse.exe``{:.highlight .language-cmhg} © ESET 2014-2018
atomic-red-team T1546.003.md WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges.</blockquote> MIT License. © 2018 Red Canary
signature-base crime_cn_campaign_njrat.yar $s4 = “WmiPrvSE.exe” fullword wide CC BY-NC 4.0
signature-base crime_cn_campaign_njrat.yar $a1 = “WmiPrvSE.exe” fullword wide CC BY-NC 4.0
signature-base crime_cn_campaign_njrat.yar $s2 = “Temporary Projects\WmiPrvSE\” ascii CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s8 = “wmiprvse.exe” fullword ascii CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s10 = “wmiprvse.exe” fullword ascii CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s8 = “wmiprvse.exe” ascii CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s5 = “wmiprvse.exe” fullword ascii CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s3 = “wmiprvse.exe” fullword ascii CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s6 = “wmiprvse.exe” fullword ascii CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.