WmiPrvSE.exe

  • File Path: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
  • Description: WMI Provider Host

Hashes

Type Hash
MD5 64ACA4F48771A5BA50CD50F2410632AD
SHA1 F43BB99194F75A0FC535700D688E45750C4FF14D
SHA256 960056479DC34A7DE757813E9EB6ECC72C58EE5D5BA36151BAA86201BAE82F9F
SHA384 D969E2D9C3B185ADB0D223559D6AD0284F9114A1F5CA3BA56C0F09EA7F145084DCD7F9A494076A3ED884DB2E5E10E0B1
SHA512 2997F2B640816EAD0441B7C9B27B7CCCFB329D3647DAF6A77E34881F6FE6BABEA97A701AEAEA5FBA252C1ECFEB76011A96A1A1DC07E969C2B3D1619FFA83596E
SSDEEP 12288:vJT6x/4ScXEnFvznaqwIJyBdqa2gzhlE88IoJw:Ex2GFvTaqwIJyBdqaDzhlOI
IMP 0CA53E98401212233F08B3C410DCDA01
PESHA1 7A513989548DC05029F1BCDB22E087C9046DFC68
PE256 68BBB7B160BB1E9E532803B131942A75CD75A396C06A8A266626A9A5CDD84120

Runtime Data

Open Handles:

Path Type
(R-D) C:\Windows\SysWOW64\en-US\user32.dll.mui File
(RW-) C:\Users\user File
(RW-) C:\Windows File
\BaseNamedObjects__ComCatalogCache__ Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\1\Windows\Theme1175649999 Section
\Windows\Theme601709542 Section

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\wbem\WmiPrvSE.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: Wmiprvse.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.546 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.546
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/75
  • VirusTotal Link: https://www.virustotal.com/gui/file/960056479dc34a7de757813e9eb6ecc72c58ee5d5ba36151baa86201bae82f9f/detection

File Similarity (ssdeep match)

File Score
C:\Windows\SysWOW64\wbem\WmiPrvSE.exe 88

Possible Misuse

The following table contains possible examples of WmiPrvSE.exe being misused. While WmiPrvSE.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_susp_lsass_dump_generic.yml - '\wmiprvse.exe' DRL 1.0
sigma win_susp_wmi_login.yml ProcessName: "*\\WmiPrvSE.exe" DRL 1.0
sigma sysmon_wmi_module_load.yml description: Detects non wmiprvse loading WMI modules DRL 1.0
sigma sysmon_wmi_module_load.yml - '\WmiPrvSe.exe' DRL 1.0
sigma sysmon_wmi_persistence_commandline_event_consumer.yml Image: 'C:\Windows\System32\wbem\WmiPrvSE.exe' DRL 1.0
sigma win_defender_psexec_wmi_asr.yml - '\wmiprvse.exe' DRL 1.0
sigma sysmon_cred_dump_lsass_access.yml - '\wmiprvse.exe' DRL 1.0
sigma win_apt_ta505_dropper.yml description: Detects mshta loaded by wmiprvse as parent as used by TA505 malicious documents DRL 1.0
sigma win_apt_ta505_dropper.yml ParentImage\|endswith: '\wmiprvse.exe' DRL 1.0
sigma win_impacket_lateralization.yml # parent is wmiprvse.exe DRL 1.0
sigma win_impacket_lateralization.yml - '*\wmiprvse.exe' # wmiexec DRL 1.0
sigma win_shell_spawn_susp_program.yml - '*\wmiprvse.exe' DRL 1.0
sigma win_susp_powershell_parent_process.yml - '\wmiprvse.exe' DRL 1.0
sigma win_wmiprvse_spawning_process.yml title: Wmiprvse Spawning Process DRL 1.0
sigma win_wmiprvse_spawning_process.yml description: Detects wmiprvse spawning processes DRL 1.0
sigma win_wmiprvse_spawning_process.yml ParentImage\|endswith: '\WmiPrvSe.exe' DRL 1.0
sigma win_wmiprvse_spawning_process.yml - '\WmiPrvSE.exe' DRL 1.0
sigma win_wmi_spwns_powershell.yml - '*\wmiprvse.exe' DRL 1.0
sigma sysmon_raw_disk_access_using_illegitimate_tools.yml - '\wmiprvse.exe' DRL 1.0
malware-ioc nukesped_lazarus .WmiPrvse.exe``{:.highlight .language-cmhg} © ESET 2014-2018
malware-ioc nukesped_lazarus .Wmiprvse.exe``{:.highlight .language-cmhg} © ESET 2014-2018
atomic-red-team hta.md ## MSHTA - Wmiprvse Spawning CMD MIT License. © 2018 Red Canary
atomic-red-team hta.md Using COM objects, mshta runs with no child processes. Wmiprvse spawns and executes cmd -> calc. MIT License. © 2018 Red Canary
atomic-red-team hta.md // Child of wmiprvse MIT License. © 2018 Red Canary
atomic-red-team Office_Macro_COM.md Wmiprvse.exe->cmd->powershell. MIT License. © 2018 Red Canary
atomic-red-team T1546.003.md WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges.</blockquote> MIT License. © 2018 Red Canary
signature-base crime_cn_campaign_njrat.yar $s4 = “WmiPrvSE.exe” fullword wide CC BY-NC 4.0
signature-base crime_cn_campaign_njrat.yar $a1 = “WmiPrvSE.exe” fullword wide CC BY-NC 4.0
signature-base crime_cn_campaign_njrat.yar $s2 = “Temporary Projects\WmiPrvSE\” ascii CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s8 = “wmiprvse.exe” fullword ascii CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s10 = “wmiprvse.exe” fullword ascii CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s8 = “wmiprvse.exe” ascii CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s5 = “wmiprvse.exe” fullword ascii CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s3 = “wmiprvse.exe” fullword ascii CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s6 = “wmiprvse.exe” fullword ascii CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.