WmiPrvSE.exe

  • File Path: C:\WINDOWS\SysWOW64\wbem\WmiPrvSE.exe
  • Description: WMI Provider Host

Hashes

Type Hash
MD5 80FE0B5D1CE31925FA06CEE3BC4677B2
SHA1 6B2845DAF5F8F755D901C7B03B75E4F053DE69EB
SHA256 492657ECE8183337FF324F69C6B2ACCE51DC80EE035D45CC566255F8E6C08381
SHA384 3CF7CF6341406726ECEB249C9F3EB282938D77FB2A5F9B5321319A6A0B1438C3D036F88F5455BF4A407D93B23371025F
SHA512 5EFBF9951544FA49A9BC99DC1838315D41CB1EE9E26E5929B9A779A9C44C058393532647DD1CC50E43D0B19F22479FD60591076BF9B5EAD9A8CE6F57F14DB59B
SSDEEP 6144:IfjzzBiriDTF03SDQAF37rh/YxFnHvJr3AVynBDePWmS3T:IfjzzBiriN03ST37rhQ7HCYp8VY

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: Wmiprvse.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.1 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of WmiPrvSE.exe being misused. While WmiPrvSE.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_susp_lsass_dump_generic.yml - '\wmiprvse.exe' DRL 1.0
sigma win_susp_wmi_login.yml ProcessName: "*\\WmiPrvSE.exe" DRL 1.0
sigma sysmon_wmi_module_load.yml description: Detects non wmiprvse loading WMI modules DRL 1.0
sigma sysmon_wmi_module_load.yml - '\WmiPrvSe.exe' DRL 1.0
sigma sysmon_wmi_persistence_commandline_event_consumer.yml Image: 'C:\Windows\System32\wbem\WmiPrvSE.exe' DRL 1.0
sigma win_defender_psexec_wmi_asr.yml - '\wmiprvse.exe' DRL 1.0
sigma sysmon_cred_dump_lsass_access.yml - '\wmiprvse.exe' DRL 1.0
sigma win_apt_ta505_dropper.yml description: Detects mshta loaded by wmiprvse as parent as used by TA505 malicious documents DRL 1.0
sigma win_apt_ta505_dropper.yml ParentImage\|endswith: '\wmiprvse.exe' DRL 1.0
sigma win_impacket_lateralization.yml # parent is wmiprvse.exe DRL 1.0
sigma win_impacket_lateralization.yml - '*\wmiprvse.exe' # wmiexec DRL 1.0
sigma win_shell_spawn_susp_program.yml - '*\wmiprvse.exe' DRL 1.0
sigma win_susp_powershell_parent_process.yml - '\wmiprvse.exe' DRL 1.0
sigma win_wmiprvse_spawning_process.yml title: Wmiprvse Spawning Process DRL 1.0
sigma win_wmiprvse_spawning_process.yml description: Detects wmiprvse spawning processes DRL 1.0
sigma win_wmiprvse_spawning_process.yml ParentImage\|endswith: '\WmiPrvSe.exe' DRL 1.0
sigma win_wmiprvse_spawning_process.yml - '\WmiPrvSE.exe' DRL 1.0
sigma win_wmi_spwns_powershell.yml - '*\wmiprvse.exe' DRL 1.0
sigma sysmon_raw_disk_access_using_illegitimate_tools.yml - '\wmiprvse.exe' DRL 1.0
malware-ioc nukesped_lazarus .WmiPrvse.exe``{:.highlight .language-cmhg} © ESET 2014-2018
malware-ioc nukesped_lazarus .Wmiprvse.exe``{:.highlight .language-cmhg} © ESET 2014-2018
atomic-red-team hta.md ## MSHTA - Wmiprvse Spawning CMD MIT License. © 2018 Red Canary
atomic-red-team hta.md Using COM objects, mshta runs with no child processes. Wmiprvse spawns and executes cmd -> calc. MIT License. © 2018 Red Canary
atomic-red-team hta.md // Child of wmiprvse MIT License. © 2018 Red Canary
atomic-red-team Office_Macro_COM.md Wmiprvse.exe->cmd->powershell. MIT License. © 2018 Red Canary
atomic-red-team T1546.003.md WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges.</blockquote> MIT License. © 2018 Red Canary
signature-base crime_cn_campaign_njrat.yar $s4 = “WmiPrvSE.exe” fullword wide CC BY-NC 4.0
signature-base crime_cn_campaign_njrat.yar $a1 = “WmiPrvSE.exe” fullword wide CC BY-NC 4.0
signature-base crime_cn_campaign_njrat.yar $s2 = “Temporary Projects\WmiPrvSE\” ascii CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s8 = “wmiprvse.exe” fullword ascii CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s10 = “wmiprvse.exe” fullword ascii CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s8 = “wmiprvse.exe” ascii CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s5 = “wmiprvse.exe” fullword ascii CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s3 = “wmiprvse.exe” fullword ascii CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s6 = “wmiprvse.exe” fullword ascii CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.