winrshost.exe

  • File Path: C:\WINDOWS\SysWOW64\winrshost.exe
  • Description: Host Process for WinRM’s Remote Shell plugin

Hashes

Type Hash
MD5 6052104B17F7344A9655A3EE30365D1A
SHA1 0F5605DFF843BA9F6AC693E059D3132FEBF4B0B8
SHA256 C544EA4A01F1BC674D6F1A47A8D2DE6E6F849C069373EF71084C8FDB13DE5C8C
SHA384 A27404355CD7040243BA3953C2788BC52FE554AB812F69ABBC964095FD5C4A3D97C83BBA92C371EE5C15E12F5C13C963
SHA512 A88B62881286D941459FA0DE6FBA362B635C5CEEA9AC0849DDB956104677DFB0CB7CF1B71960BFD46E274B98053DA2EE3C7ED455BCF3EEBD708153FFAC7875CD
SSDEEP 384:qhPCqQ2beFNVFsTVXMg2KOUBECQTTW3ap/RXVWstEW:8qqzbCNVFsRMg2CSaKp/BF

Runtime Data

Child Processes:

conhost.exe

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: winrshost.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.1 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\SysWOW64\winrshost.exe 43

Possible Misuse

The following table contains possible examples of winrshost.exe being misused. While winrshost.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

  • Source: sigma
  • Source File: image_load_in_memory_powershell.yml
  • Example: - '\winrshost.exe'
  • License: DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.