DismHost.exe

  • File Path: C:\Windows\system32\Dism\DismHost.exe
  • Description: Dism Host Servicing Process

Hashes

Type Hash
MD5 5867DC628A444F2393F7EFF007BD4417
SHA1 A8A65B6A45A988F06E17EBD04E5462CA730D2337
SHA256 B94317B7C665F1CEC965E3322E0AA26C8BE29EAF5830FB7FCD7E14AE88A8CF22
SHA384 D17B0ECEFCFEDB93E9E4B7EEE584AF65A9C7DBA7938534D8A2F095C6C9F7F97D185A3E57D145449772780DE3CC6884F5
SHA512 6B5CEC2057188201241C7DC029289325273554C75D6CD07B91C8CE2197F02FEFD2494C6EA01C411E693BD039786599CFC92E9E32E45039FF76A2278F099F34B7
SSDEEP 1536:WygO2NzE67onb8p/M3bPA0pEzdwymj8QF8UDbivjXa/DS+L25LZMELMP/l:Wyd2NzL7e80viQLCO65LZzgnl

Runtime Data

Loaded Modules:

Path
C:\Windows\system32\Dism\DismHost.exe
C:\Windows\SYSTEM32\ntdll.dll

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: DismHost.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.771 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.771
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of DismHost.exe being misused. While DismHost.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma image_load_suspicious_vss_ps_load.yml - 'dismhost.exe' DRL 1.0
sigma proc_creation_win_dsim_remove.yml Image\|endswith: '\DismHost.exe' DRL 1.0
sigma proc_creation_win_uac_bypass_dismhost.yml title: UAC Bypass Using DismHost DRL 1.0
sigma proc_creation_win_uac_bypass_dismhost.yml description: Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63) DRL 1.0
sigma proc_creation_win_uac_bypass_dismhost.yml - '\DismHost.exe' DRL 1.0
sigma proc_creation_win_uac_bypass_ntfs_reparse_point.yml - '\dismhost.exe {' DRL 1.0
sigma proc_creation_win_uac_bypass_ntfs_reparse_point.yml Image\|endswith: '\DismHost.exe' DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.