wsmprovhost.exe

  • File Path: C:\Windows\SysWOW64\wsmprovhost.exe
  • Description: Host process for WinRM plug-ins

Hashes

Type Hash
MD5 6F2C7C4E86114D939A96EEB098E3A27C
SHA1 6F8F7E24F24BF1D911EBFB6C276CE5871A836FF4
SHA256 36A36855BED0F40D193F8DE0035C13C636C6CBD52E4F88759C4858FD0CDE08E3
SHA384 14B2DA8B70D43AB4D37846F9D9B535C153A8594647B290FFD7B6126216CF6925FB01CA2C992FF2FEE1ED1DB0C36489E3
SHA512 9D5CB891BFA21EA058F5021B98E4DDB4BA72AAA7562558815453014093D0111716523F2DDFF1EC09F90A5D89513720673996353157E5B2AE695466E39B4756F4
SSDEEP 384:RvbTjuromh33UjeUObqoqb4V7J5KDdPecvnSLXJMs2Fwmf2CSdZ9tn5TiGOaW7yT:pbTY5o4prgPecvSbE2CSdxnJi16Vr
IMP 0D771E3E9A15035B93E08ED3F8386DC4
PESHA1 98E96F9EA1685A7F361FBC1E4C66AD12E7215029
PE256 DB4BB9923F3F722553AD14DA968134500F93CC87749DD6D02A3A631FD56743BC

Runtime Data

Open Handles:

Path Type
(R-D) C:\Windows\SysWOW64\en-US\user32.dll.mui File
(RW-) C:\Users\user File
(RW-) C:\Windows File
\BaseNamedObjects__ComCatalogCache__ Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000004.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000004.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\RPC Control\DSECF94 Section
\Sessions\2\Windows\Theme2131664586 Section
\Windows\Theme966197582 Section

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\wsmprovhost.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: wsmprovhost.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/70
  • VirusTotal Link: https://www.virustotal.com/gui/file/36a36855bed0f40d193f8de0035c13c636c6cbd52e4f88759c4858fd0cde08e3/detection/

Possible Misuse

The following table contains possible examples of wsmprovhost.exe being misused. While wsmprovhost.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma image_load_in_memory_powershell.yml - '\wsmprovhost.exe' DRL 1.0
sigma pipe_created_alternate_powershell_hosts_pipe.yml - '\WINDOWS\System32\wsmprovhost.exe' DRL 1.0
sigma pipe_created_susp_adfs_namedpipe_connection.yml - '\wsmprovhost.exe' DRL 1.0
sigma posh_pc_remote_powershell_session.yml HostApplication\|contains: 'wsmprovhost.exe' DRL 1.0
sigma posh_pm_remote_powershell_session.yml - 'wsmprovhost.exe' # HostApplication\|contains: 'wsmprovhost.exe' french Application hôte = DRL 1.0
sigma proc_access_win_mimikatz_trough_winrm.yml description: Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe. DRL 1.0
sigma proc_access_win_mimikatz_trough_winrm.yml SourceImage: 'C:\Windows\system32\wsmprovhost.exe' DRL 1.0
sigma proc_creation_win_remote_powershell_session_process.yml description: Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session). DRL 1.0
sigma proc_creation_win_remote_powershell_session_process.yml - Image\|endswith: '\wsmprovhost.exe' DRL 1.0
sigma proc_creation_win_remote_powershell_session_process.yml - ParentImage\|endswith: '\wsmprovhost.exe' DRL 1.0
sigma proc_creation_win_susp_shell_spawn_from_winrm.yml ParentImage: '*\wsmprovhost.exe' DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.