DismHost.exe

  • File Path: C:\Windows\system32\Dism\DismHost.exe
  • Description: Dism Host Servicing Process

Hashes

Type Hash
MD5 80E6C06C378BC7C382C23B1D643CD7D2
SHA1 F95ED0E286AA68B4DF779D7E782363EDB5B9FF04
SHA256 21BAEF2BB5AB2DF3AA4D95C8333AADADDA61DEE65E61AD2DBE5F3DBADDB163C7
SHA384 052D309828532E7F5996D22932D6E27CBADC90240E3C8D7D19FA800F03EFBB556D794F4EFC9CC81B4FCEDCA90C49D25D
SHA512 1993564E378A9AC9E66FEFC9E0AEB150B0BF5A88ABA6AB53A0811263823E902B1A2220C06D435CEB52F3151C5BAE5DB0EDC3D4BD23EC45190E6CBE1BE64B98F8
SSDEEP 1536:EasXwMMHIj1tlkHBoq18dCILuSVFX/U3NdDEIdfvDMY8SeacKMck/T8QgOJMMY8J:Ea5hItlvvJVYNdR1Qgkw2CLNEiYD
IMP CA3036FDC2F24315F9C2173721E21693
PESHA1 DB84D79A86D1A97B63A53B757CFAA5827B3D2987
PE256 01493BC4B1DD27B3879C52C037BDA22B1AA957C05DAFE1C992E58682294C9670

Runtime Data

Loaded Modules:

Path
C:\Windows\System32\ADVAPI32.dll
C:\Windows\System32\combase.dll
C:\Windows\system32\Dism\DismHost.exe
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\OLE32.dll
C:\Windows\System32\OLEAUT32.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\USER32.dll
C:\Windows\System32\win32u.dll

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: DismHost.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/76
  • VirusTotal Link: https://www.virustotal.com/gui/file/21baef2bb5ab2df3aa4d95c8333aadadda61dee65e61ad2dbe5f3dbaddb163c7/detection

Possible Misuse

The following table contains possible examples of DismHost.exe being misused. While DismHost.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma image_load_suspicious_vss_ps_load.yml - 'dismhost.exe' DRL 1.0
sigma proc_creation_win_dsim_remove.yml Image\|endswith: '\DismHost.exe' DRL 1.0
sigma proc_creation_win_uac_bypass_dismhost.yml title: UAC Bypass Using DismHost DRL 1.0
sigma proc_creation_win_uac_bypass_dismhost.yml description: Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63) DRL 1.0
sigma proc_creation_win_uac_bypass_dismhost.yml - '\DismHost.exe' DRL 1.0
sigma proc_creation_win_uac_bypass_ntfs_reparse_point.yml - '\dismhost.exe {' DRL 1.0
sigma proc_creation_win_uac_bypass_ntfs_reparse_point.yml Image\|endswith: '\DismHost.exe' DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.