DismHost.exe

  • File Path: C:\Windows\SysWOW64\Dism\DismHost.exe
  • Description: Dism Host Servicing Process

Hashes

| Type | Hash |
|------|------|
| MD5 | A886F2E74D13F11601D66666DBCF4A3B |
| SHA1 | 4F05298F4512B0EDFF690998B88EE5DBF5CFDE30 |
| SHA256 | 077C85278D414473EB9807C0F1093BFFA8C9EC8DEA4F40BD585E4C4C822262B9 |
| SHA384 | A13464892C9FD335BE27A7EB58777AE46EED1A66341B02340FC33D57F1EC8BF1A42F50FEFBC5B0511E23F3653595CCF4 |
| SHA512 | A370A9666479964CC9DC7F79B0C137A2AB16826F3ECEA0CA79A7071822BA7EE49244A7C344EE6830EA735070C780186B5641A1A23CDF6B4497801D67DC8DE2D1 |
| SSDEEP | 3072:m2oBecUwyUBE/CheGktN8DFJV6LDPofc4i:m2k2ZChelT8DFJV6Lz4cR |

Runtime Data

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\SysWOW64\Dism\DismHost.exe

Signature

  • Status: Signature verified.
  • Serial: 330000026551AE1BBD005CBFBD000000000265
  • Thumbprint: E168609353F30FF2373157B4EB8CD519D07A2BFF
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: DismHost.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.771 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.771
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of DismHost.exe being misused. While DismHost.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|--------|-------------|---------|---------|
| sigma | image_load_suspicious_vss_ps_load.yml | - 'dismhost.exe' | DRL 1.0 |
| sigma | proc_creation_win_dsim_remove.yml | Image\|endswith: '\DismHost.exe' | DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_dismhost.yml | title: UAC Bypass Using DismHost | DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_dismhost.yml | description: Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63) | DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_dismhost.yml | - '\DismHost.exe' | DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_ntfs_reparse_point.yml | - '\dismhost.exe {' | DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_ntfs_reparse_point.yml | Image\|endswith: '\DismHost.exe' | DRL 1.0 |

MIT License. Copyright (c) 2020-2021 Strontic.