winrshost.exe

  • File Path: C:\Windows\SysWOW64\winrshost.exe
  • Description: Host Process for WinRM’s Remote Shell plugin

Hashes

Type Hash
MD5 63BDB2B3BDBD4AC4AF6F3C78ED366175
SHA1 C771AD8DD2B00E9D88AC62209521006A1A693F5C
SHA256 D3163D97DAE33CCF4B845416C13DF6FEA0650A4D1CEA1334EA212ACCDF7732FB
SHA384 E581E7DB22C19D6FFB80F1252E91C68A9AB8482D955B0F34DA54D1913F2685994C3F625E880ADDAC1DB525C1C3746644
SHA512 17BC53EE375ACEE0BF263DA81F5DDD7C1B5E1BFC3B81C10B3857BFEFD531F2D74A4CE19BFB6A9C5B3BFBA9CC80283E49B23254F4D8C7C3141A1064841264C018
SSDEEP 384:ohbmbbU5Kclb5Bc4XXGxai0+n/6ocJ/qWsjEWc6:CbmX8Kch5Bc4YD0YSocJ/6q

Runtime Data

Child Processes:

conhost.exe

Signature

  • Status: Signature verified.
  • Serial: 33000000BCE120FDD27CC8EE930000000000BC
  • Thumbprint: E85459B23C232DB3CB94C7A56D47678F58E8E51E
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: winrshost.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.0 (rs1_release.160715-1616)
  • Product Version: 10.0.14393.0
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of winrshost.exe being misused. While winrshost.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

  • Source: sigma
  • Source File: image_load_in_memory_powershell.yml
  • Example: - '\winrshost.exe'
  • License: DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.