wbengine.exe

  • File Path: C:\WINDOWS\system32\wbengine.exe
  • Description: Microsoft Block Level Backup Engine Service EXE

Hashes

Type Hash
MD5 0BE23D2BC7C5F54023FD3EEC52E1BBCA
SHA1 67D91146C47C688BFCAE0283928A6E848000017D
SHA256 A61C92E436C09BACB128C8558B20D94115275A55CA0485088121A265A1AC81DB
SHA384 6AFBB075D2B9EEA052891F01FC598E666F3450D9771C892D837E0A41DD8A26CC4653372A74F771B3FD0E2519AF26115B
SHA512 38A8E30F6BD357BA48BDFFD390B9C537FCCFBA1C43180F71872BF017E68ED648DF2F44177F908E4422F51057D9AED69BE8858E3E36B0792D3AEB64402F889564
SSDEEP 49152:+pJFwrPpGyqWo6cbT2TZ8maJO35NPHXogsS7Q78ZGAvL9vnF35LWAP:rpC7b4+80GTk
IMP B9CD794DA9D1F1BB25B339990D3C5D16
PESHA1 4D01DE88090F0C5AB375390299CA652F09FA938D
PE256 AEDA80E4BC3768D2D27AD4C11EF6C55344A3C57A1A36161781C83762E21A87F2

Runtime Data

Loaded Modules:

Path
C:\WINDOWS\System32\ADVAPI32.dll
C:\WINDOWS\System32\KERNEL32.DLL
C:\WINDOWS\System32\KERNELBASE.dll
C:\WINDOWS\System32\msvcrt.dll
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\sechost.dll
C:\WINDOWS\system32\wbengine.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: wbengine.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/a61c92e436c09bacb128c8558b20d94115275a55ca0485088121a265a1ac81db/detection

Possible Misuse

The following table contains possible examples of wbengine.exe being misused. While wbengine.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

  • Source: sigma
  • Source File: file_event_win_creation_system_file.yml
  • Example: Image: 'C:\Windows\system32\wbengine.exe'
  • License: DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.