winrshost.exe

  • File Path: C:\WINDOWS\system32\winrshost.exe
  • Description: Host Process for WinRM’s Remote Shell plugin

Hashes

Type Hash
MD5 EC8716D90D5ADD5B9C2638080EB2FBAE
SHA1 C01C340B9506B80A5BB0F11549A378ABB38B9B9A
SHA256 EDA7DCCEFB6620F2B0F104B29889D23733B7A2B8E4BC6B228E02E74DB126B005
SHA384 F19AFF878D5727266D7F908CAAC040D19A56B816CA864336C0AEAA3C044AB4B4ECD4330AED24676BB47D999AB3D4948B
SHA512 A88497F18AFAAF9C8D4101AE326D83A580063CAF199F5FF982918DFA7B09271141830F624AC2AFC938675D292E7FC0CE4C96DBEB150634016DC7B58ACD4EB329
SSDEEP 768:m1TxNy60RU6W4usjYikNTqXy3l1Mm5jY/g5b:6TxNx0tW4yik4Xy3/TY/g5b
IMP F4493EAE4A8FB993B9A0B1F77FB558E2
PESHA1 2462D463537F677ACE44B2EC2E1331FBA2681CA6
PE256 C3A51B11CE761DDE7124C370198217397B6F64E93275D7EE940E8601B985F2EC

Runtime Data

Child Processes:

conhost.exe

Open Handles:

Path Type
(R-D) C:\Windows\System32\en-US\user32.dll.mui File
(RW-) C:\Windows\System32 File
\BaseNamedObjects__ComCatalogCache__ Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\2\Windows\Theme1077709572 Section
\Windows\Theme3461253685 Section

Loaded Modules:

Path
C:\WINDOWS\System32\KERNEL32.DLL
C:\WINDOWS\System32\KERNELBASE.dll
C:\WINDOWS\System32\msvcrt.dll
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\system32\winrshost.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: winrshost.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/72
  • VirusTotal Link: https://www.virustotal.com/gui/file/eda7dccefb6620f2b0f104b29889d23733b7a2b8e4bc6b228e02e74db126b005/detection

Possible Misuse

The following entries list possible examples of winrshost.exe being misused. While winrshost.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

  • Source: sigma
  • Source File: image_load_in_memory_powershell.yml
  • Example: - '\winrshost.exe'
  • License: DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.