DismHost.exe

  • File Path: C:\WINDOWS\SysWOW64\Dism\DismHost.exe
  • Description: Dism Host Servicing Process

Hashes

Type Hash
MD5 5C03E96B1D6BF156F67BA119843B3A09
SHA1 C7770E868485FA5C52CC653F7142C296E90207FB
SHA256 CE16713C1A1B97D1E8AD632391531511D2788950A43443FFC776AE25DB6F9AA2
SHA384 EE7F56E6C0089BCAE0949CECDEF4D4081EB89539C6A3AA421B70E77CC5F68EFF96F96D40D84C133C5376118F84C91731
SHA512 E84DD0003FCD8ED5722980A210642967F2B6ECB2325D2342B7234816F526EC4EB046D66E0C4D2B6D40D1DAFA1C03F5A57A75EAB6B8761AC71E09025F6E9B59F6
SSDEEP 1536:fB8PziSvy9mKtADr+bL01nzkBifwG/oov+szRTG/Y5HX/LRsLRY32/groXmpPc:fBovy2dxwUfJrmszZG/Y5z+O32IroWk

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: DismHost.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.1 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of DismHost.exe being misused. While DismHost.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma image_load_suspicious_vss_ps_load.yml - 'dismhost.exe' DRL 1.0
sigma proc_creation_win_dsim_remove.yml Image\|endswith: '\DismHost.exe' DRL 1.0
sigma proc_creation_win_uac_bypass_dismhost.yml title: UAC Bypass Using DismHost DRL 1.0
sigma proc_creation_win_uac_bypass_dismhost.yml description: Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63) DRL 1.0
sigma proc_creation_win_uac_bypass_dismhost.yml - '\DismHost.exe' DRL 1.0
sigma proc_creation_win_uac_bypass_ntfs_reparse_point.yml - '\dismhost.exe {' DRL 1.0
sigma proc_creation_win_uac_bypass_ntfs_reparse_point.yml Image\|endswith: '\DismHost.exe' DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.