DismHost.exe

  • File Path: C:\WINDOWS\system32\Dism\DismHost.exe
  • Description: Dism Host Servicing Process

Hashes

Type Hash
MD5 17275206102D1CF6F17346FD73300030
SHA1 BBEC93F6FB2AE56C705EFD6E58D6B3CC68BF1166
SHA256 DEAD0EBD5B5BF5D4B0E68BA975E9A70F98820E85D056B0A6B3775FC4DF4DA0F6
SHA384 1EFA75D7D7A7C518D2975086BDBA8A37E8DF918A4DA37997605135DD834EBAFB0F417BCA7145DE38F6832E59E6E2A8A6
SHA512 CE14A4F95328BB9CE437C5D79084E9D647CB89B66CDE86A540B200B1667EDC76AA27A36061B6E2CECCECB70B9A011B4BD54040E2A480B8546888BA5CC84A01B3
SSDEEP 3072:u6bLa/eoNP/VYbxYxVipvxx9hXD0L6/Dk6F62G0rrqw:u6q/eMYbxYxAVxr1DY6v62G0l
IMP ABD337557EE12F0D04A61A058D3FD18D
PESHA1 A77FE4A7FF205D3A12ED552BE9991E011D2546ED
PE256 5C8992330308790527FC2E0EB85C99C264BDBA663FCE9950D3699A184F56F1E4

Runtime Data

Loaded Modules:

Path
C:\WINDOWS\system32\Dism\DismHost.exe
C:\WINDOWS\System32\KERNEL32.DLL
C:\WINDOWS\System32\KERNELBASE.dll
C:\WINDOWS\System32\msvcrt.dll
C:\WINDOWS\SYSTEM32\ntdll.dll

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: DismHost.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/dead0ebd5b5bf5d4b0e68ba975e9a70f98820e85d056b0a6b3775fc4df4da0f6/detection

Possible Misuse

The following table contains possible examples of DismHost.exe being misused. While DismHost.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_suspicious_vss_ps_load.yml - 'dismhost.exe' DRL 1.0
sigma win_uac_bypass_dismhost.yml title: UAC Bypass Using DismHost DRL 1.0
sigma win_uac_bypass_dismhost.yml description: Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63) DRL 1.0
sigma win_uac_bypass_dismhost.yml - '\DismHost.exe' DRL 1.0
sigma win_uac_bypass_ntfs_reparse_point.yml - '\dismhost.exe {' DRL 1.0
sigma win_uac_bypass_ntfs_reparse_point.yml Image\|endswith: '\DismHost.exe' DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.