WmiPrvSE.exe

  • File Path: C:\windows\system32\wbem\WmiPrvSE.exe
  • Description: WMI Provider Host

Hashes

Type Hash
MD5 DCC48F1BDC0E239776BA05A7239991F7
SHA1 58E054F1B9A6EE0663DDAD6F74E2786D7584DAA7
SHA256 25DFB8168246E5D04DD6F124C95E4C4C4E8273503569ACD5452205558D099871
SHA384 2DAF313829C6D35ED4E62FF4ED33BEC44C478641978BE995A692AAA0800FF1DA81AC544D51D9CEDED4C5D306BE79E78A
SHA512 4289626B7BDD6A56A8FAC6502A2FB72C0E1FEBF41CF86A78319778A4FD2AC90BD5F2248E25B38A27CE82132CBEBC723B19427F88B423CDE07F3299260C8FA668
SSDEEP 6144:o3pIP1ExRFuR+Uf/TUXdPVqzDOmiKrOSJQECeIn5Fd3t06Z3gTUL0s/AQDeP:w5A3TXz8Kr4qGvZwTCzT8

Signature

  • Status: The file C:\windows\system32\wbem\WmiPrvSE.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
  • Serial: ``
  • Thumbprint: ``
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: Wmiprvse.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.18946 (winblue_ltsb_escrow.180302-1800)
  • Product Version: 6.3.9600.18946
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of WmiPrvSE.exe being misused. While WmiPrvSE.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_susp_lsass_dump_generic.yml - '\wmiprvse.exe' DRL 1.0
sigma win_susp_wmi_login.yml ProcessName: "*\\WmiPrvSE.exe" DRL 1.0
sigma sysmon_wmi_module_load.yml description: Detects non wmiprvse loading WMI modules DRL 1.0
sigma sysmon_wmi_module_load.yml - '\WmiPrvSe.exe' DRL 1.0
sigma sysmon_wmi_persistence_commandline_event_consumer.yml Image: 'C:\Windows\System32\wbem\WmiPrvSE.exe' DRL 1.0
sigma win_defender_psexec_wmi_asr.yml - '\wmiprvse.exe' DRL 1.0
sigma sysmon_cred_dump_lsass_access.yml - '\wmiprvse.exe' DRL 1.0
sigma win_apt_ta505_dropper.yml description: Detects mshta loaded by wmiprvse as parent as used by TA505 malicious documents DRL 1.0
sigma win_apt_ta505_dropper.yml ParentImage\|endswith: '\wmiprvse.exe' DRL 1.0
sigma win_impacket_lateralization.yml # parent is wmiprvse.exe DRL 1.0
sigma win_impacket_lateralization.yml - '*\wmiprvse.exe' # wmiexec DRL 1.0
sigma win_shell_spawn_susp_program.yml - '*\wmiprvse.exe' DRL 1.0
sigma win_susp_powershell_parent_process.yml - '\wmiprvse.exe' DRL 1.0
sigma win_wmiprvse_spawning_process.yml title: Wmiprvse Spawning Process DRL 1.0
sigma win_wmiprvse_spawning_process.yml description: Detects wmiprvse spawning processes DRL 1.0
sigma win_wmiprvse_spawning_process.yml ParentImage\|endswith: '\WmiPrvSe.exe' DRL 1.0
sigma win_wmiprvse_spawning_process.yml - '\WmiPrvSE.exe' DRL 1.0
sigma win_wmi_spwns_powershell.yml - '*\wmiprvse.exe' DRL 1.0
sigma sysmon_raw_disk_access_using_illegitimate_tools.yml - '\wmiprvse.exe' DRL 1.0
malware-ioc nukesped_lazarus .WmiPrvse.exe``{:.highlight .language-cmhg} © ESET 2014-2018
malware-ioc nukesped_lazarus .Wmiprvse.exe``{:.highlight .language-cmhg} © ESET 2014-2018
atomic-red-team hta.md ## MSHTA - Wmiprvse Spawning CMD MIT License. © 2018 Red Canary
atomic-red-team hta.md Using COM objects, mshta runs with no child processes. Wmiprvse spawns and executes cmd -> calc. MIT License. © 2018 Red Canary
atomic-red-team hta.md // Child of wmiprvse MIT License. © 2018 Red Canary
atomic-red-team Office_Macro_COM.md Wmiprvse.exe->cmd->powershell. MIT License. © 2018 Red Canary
atomic-red-team T1546.003.md WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges.</blockquote> MIT License. © 2018 Red Canary
signature-base crime_cn_campaign_njrat.yar $s4 = “WmiPrvSE.exe” fullword wide CC BY-NC 4.0
signature-base crime_cn_campaign_njrat.yar $a1 = “WmiPrvSE.exe” fullword wide CC BY-NC 4.0
signature-base crime_cn_campaign_njrat.yar $s2 = “Temporary Projects\WmiPrvSE\” ascii CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s8 = “wmiprvse.exe” fullword ascii CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s10 = “wmiprvse.exe” fullword ascii CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s8 = “wmiprvse.exe” ascii CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s5 = “wmiprvse.exe” fullword ascii CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s3 = “wmiprvse.exe” fullword ascii CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s6 = “wmiprvse.exe” fullword ascii CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.