winrshost.exe

  • File Path: C:\WINDOWS\system32\winrshost.exe
  • Description: Host Process for WinRM’s Remote Shell plugin

Hashes

| Type | Hash |
|------|------|
| MD5 | 61E79D03CFECF26C0DA9FF008A966C6B |
| SHA1 | 4FB2EF4DDF9BAAA9067EB52D2A7A0B323A4AD1AF |
| SHA256 | C9A3A8C9B90FC0418473AF62A19423BB726E1AF0CFAAA1D9DF132DC6605DE178 |
| SHA384 | E455D85F3322BDB7AFA7CE4B1A505CF8A5C2867312622A7106E67BEF1DF3E348271808079827C5C1FBB62CFAE1C217B8 |
| SHA512 | D0B76DBF9DA0605C7275EC43AC94DFCD8A3E3AD6D67833CFA89249F5D5BD8CA754266813BB0EEE4C053EBF8D0184932A3F36A00184FF89E88833BEB2E41A64DB |
| SSDEEP | 768:JLBVakpHhEnoxfkBiGWSbgmht+Fx8/UmV:lLaWHqiftGrbgGE8/RV |

Runtime Data

Child Processes:

conhost.exe

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: winrshost.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.1 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of winrshost.exe being misused. While winrshost.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|--------|-------------|---------|---------|
| sigma | image_load_in_memory_powershell.yml | `- '\winrshost.exe'` | DRL 1.0 |

MIT License. Copyright (c) 2020-2021 Strontic.