DismHost.exe

  • File Path: C:\WINDOWS\system32\Dism\DismHost.exe
  • Description: Dism Host Servicing Process

Hashes

| Type | Hash |
|---|---|
| MD5 | B5E80BA4CE0781E4B9129AB4D86AB4A9 |
| SHA1 | 6D2BB75F77FA1FA5071D88EB147F7EE30A006510 |
| SHA256 | 5108587A0713975BBD79A0E1A56B0DD0D0E63D89D7B681D1E0BF7979E21080B0 |
| SHA384 | 106AF13C3811B96B75D19087D38AB9CBB081987B337265BCD3DA6B7453AEC470D7F2506534F44129B66AE2D1132C03D5 |
| SHA512 | 0D67EEA2DBB9A7CC6E319D4A9BB28440B0970B9C3048E0F7298A042E8C30BEF49E554A084F4DE588DB4A590F5E1297B5B0297224195C10AA093DB8BB4DE015FF |
| SSDEEP | 1536:YybeFjuY89lfyRE5C8/OeCdE3pKB6DZ27b1pCXp9C9d/DEsPkcMDeADq9Hw2pOPP:YyiFjuYifyr8xq6wlaMNsfxoHw2ExJ |

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: DismHost.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.1 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of DismHost.exe being misused. While DismHost.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|---|---|---|---|
| sigma | image_load_suspicious_vss_ps_load.yml | - 'dismhost.exe' | DRL 1.0 |
| sigma | proc_creation_win_dsim_remove.yml | Image\|endswith: '\DismHost.exe' | DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_dismhost.yml | title: UAC Bypass Using DismHost | DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_dismhost.yml | description: Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63) | DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_dismhost.yml | - '\DismHost.exe' | DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_ntfs_reparse_point.yml | - '\dismhost.exe {' | DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_ntfs_reparse_point.yml | Image\|endswith: '\DismHost.exe' | DRL 1.0 |

MIT License. Copyright (c) 2020-2021 Strontic.