wbemcore.exe

Windows Management Instrumentation

Although the file's properties claim it was developed by 'Microsoft Corporation', it was not; the metadata is forged so that the file resembles a legitimate Microsoft system file. The executable wbemcore.exe, described as "Windows Management Instrumentation", has been detected as malware by 24 anti-virus scanners. While running, it connects to the Internet address 85-159-66-62.cizgi.net.tr on port 80 using the HTTP protocol.
Publisher:
Microsoft Corporation (invalid match)

Product:
Microsoft® Windows® Operating System

Description:
Windows Management Instrumentation

Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)

MD5:
46a90f707b0d60a603cb6e4b1fe86ef6

SHA-1:
91b8fae1cb85616aae5a9a308fd237d0396f8fa7

SHA-256:
4023544478b0e685465de7d4b0e17dad092403287c75740c8517cf8b374134b7

Scanner detections:
24 / 68

Status:
Malware

Analysis date:
4/25/2024 10:30:08 AM UTC

Scan engine              Detection                     Engine version
Lavasoft Ad-Aware        Trojan.Generic.9402652        225
AhnLab V3 Security       Trojan/Win32.Agent            2015.05.02
avast!                   Win32:Malware-gen             2014.9-160623
AVG                      Agent4                        2017.0.2703
Baidu Antivirus          Trojan.MSIL.Agent             4.0.3.16623
Bitdefender              Trojan.Generic.9402652        1.0.20.875
Comodo Security          UnclassifiedMalware           21962
Emsisoft Anti-Malware    Trojan.Generic.9402652        8.16.06.23.09
ESET NOD32               MSIL/Agent.OGC                10.11562
Fortinet FortiGate       W32/Agent.OGC!tr              6/23/2016
F-Secure                 Trojan.Generic.9402652        11.2016-23-06_5
G Data                   Trojan.Generic.9402652        16.6.25
IKARUS anti.virus        Trojan.Agent4                 t3scan.1.8.9.0
Kaspersky                HEUR:Trojan.Win32.Generic     14.0.0.11
McAfee                   Artemis!46A90F707B0D          5600.6359
MicroWorld eScan         Trojan.Generic.9402652        17.0.0.525
NANO AntiVirus           Trojan.Win32.Agent.czimdf     0.30.24.1357
Norman                   Suspicious_Gen2.VRLRE         11.20160623
nProtect                 Trojan.Generic.9402652        15.04.30.01
Panda Antivirus          Generic Malware               16.06.23.09
Qihoo 360 Security       Win32/Trojan.d32              1.0.0.1015
Quick Heal               Trojan.Agen.r3                6.16.14.00
Sophos                   Mal/Generic-S                 4.98
VIPRE Antivirus          Trojan.Win32.Generic          39854

File size:
10 KB (10,240 bytes)

Product version:
6.1.7601.17514

Copyright:
© Microsoft Corporation. All rights reserved.

Original file name:
wbemcore.dll

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\microsoft\windows\wbemcore.exe

File PE Metadata
Compilation timestamp:
7/18/2013 7:09:05 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
192:5oSzK/aLbSe77ibGrSNPSD/UEqangIrWTdmW7:5NR0GOgUEXgIrWTdmW

Entry address:
0x3BAE

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 02, 00, 10, 00, 00, 00, 20, 00, 00, 80, 18, 00, 00, 00, 38, 00, 00, 80, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
7 KB (7,168 bytes)

Startup File (User Run Once)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Name:
Windows Management Instrumentation

Command:
C:\users\{user}\appdata\roaming\microsoft\windows\wbemcore.exe

The executing file has been observed making the following network communication in live environments.

TCP (HTTP):
Connects to 85-159-66-62.cizgi.net.tr  (85.159.66.62:80)

Remove wbemcore.exe - Powered by Reason Core Security