d24758b7b5607bda2ece5e7504a8f2bf6eef36e0b9745910db5da88a484bfc02
Source: Wild
Summary
WmiPrvSE.exe is part of the Windows Management Instrumentation (WMI) system. It serves as the provider host to service other processes (e.g. wmic.exe) requesting information about the state of the operating system.
EchoTrail Prevalence Score (EPS)
82.81
Rank Analysis
Host Prevalence
94.4%
Execution Rank
42,316th
Behavioral Analysis
Top Filenames
Top Paths
C:\Windows\System32\wbem
83.22 %
loading...
Top Network Ports
80
86.67 %
loading...
Ancestry Analysis
Top GrandParents
Top Parents
Top Children
Security Analysis
Intel
WMIC.exe, WMI’s command-line utility, has been seen on countless occasions being abused by attackers to acquire system level information or execute privileged actions on the local host it’s running on or on remote hosts. When WMIC performs actions on remote hosts, the remote host will show a corresponding process launch of WmiPrvSE.exe to handle the source host’s WMIC requests. As such, WmiPrvSE.exe can be seen in the process tree of reconnaissance and lateral movement actions, sometimes launching a shell and other times executing desired attacker commands directly (e.g. net.exe, netstat, ping, etc.).