winrshost.exe

  • File Path: C:\WINDOWS\SysWOW64\winrshost.exe
  • Description: Host Process for WinRM’s Remote Shell plugin

Hashes

Type Hash
MD5 E26A929C67FD752AB052C500988BEC37
SHA1 70478404A0B0C61174BAFE3759D7A55E4DF4EDC5
SHA256 13C3DBDDB0652120D106D283B1E7B639BB4C43689887E4229E178C612197B4A8
SHA384 D602D85548EA7C98DC992E66F442755AEA86730A409661401A911ED72B48A885A6F3747D514F2E1C9A90E9B3DD8A9B88
SHA512 5BE7BCCB15C9F2FCDE4021F3829250898B53B26E808B8242DB4E072C3D3B3EFAA0131B8BB8F371002FD932CCC71D8F9F83839CF635DEA0DFA919BCEF44B9963C
SSDEEP 384:GnkKq8bo30yTBbEk0UHVUD01Q1EHQrrp/U7VWsDEWCmv:EY8bo30yTtEk3egQvp/U7Lwc
IMP 6A1B3D16EBA25EBCF51DE76BC95303E0
PESHA1 ABEE8CFC0A4148F462B850729445099169C8C6FC
PE256 1EFD0FBA21FE853AA15E95ECA2588AE43B81BC83D23D3201643CF39A2C1D9144

Runtime Data

Child Processes:

conhost.exe

Open Handles:

Path Type
(R-D) C:\Windows\SysWOW64\en-US\user32.dll.mui File
(RW-) C:\Windows File
(RW-) C:\Windows\SysWOW64 File
\BaseNamedObjects__ComCatalogCache__ Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\2\Windows\Theme1077709572 Section
\Windows\Theme3461253685 Section

Loaded Modules:

Path
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\wow64.dll
C:\WINDOWS\System32\wow64base.dll
C:\WINDOWS\System32\wow64con.dll
C:\WINDOWS\System32\wow64cpu.dll
C:\WINDOWS\System32\wow64win.dll
C:\WINDOWS\SysWOW64\winrshost.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: winrshost.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/13c3dbddb0652120d106d283b1e7b639bb4c43689887e4229e178c612197b4a8/detection

Possible Misuse

The following table contains possible examples of winrshost.exe being misused. While winrshost.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma image_load_in_memory_powershell.yml - '\winrshost.exe' DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.