DismHost.exe

  • File Path: C:\Windows\system32\Dism\DismHost.exe
  • Description: Dism Host Servicing Process

Hashes

Type Hash
MD5 E5D5E9C1F65B8EC7AA5B7F1B1ACDD731
SHA1 DBB14DCDA6502AB1D23A7C77D405DAFBCBEB439E
SHA256 E30508E2088BC16B2A84233CED64995F738DEAEF2366AC6C86B35C93BBCD9D80
SHA384 B7FF22AC2140FC78B0ED457D1D3D37E5DD9338322A2A18F6AECFA998A63AA8AE5B72A0455F6BCB6B3B0219E431CB31FE
SHA512 7CF80D4A16C5DBBF61FCB22EBE30CF78CA42A030B7D7B4AD017F28FBA2C9B111E8CF5B3064621453A44869BBAED124D6FB1E8D2C8FE8202F1E47579D874FA4BC
SSDEEP 1536:16iNEP0SZpv0aVyo0rbRmiUwhjgPp9X6E79KfmeCUhNs4+Au0ceacoM1f/TnbsnG:1rEME0FgH6ERKf3/lb/Rw2siUuaqR
IMP D204EB506D6ABBEB4C51A54E8F6C1789
PESHA1 110701EAE27C0BEB7D895EC6CDC98D7F9BB07E14
PE256 7624FF3D791AD22D1D3F8A48496B1DB11DD837C76486E152B64604C002AE3F24

Runtime Data

Loaded Modules:

Path
C:\Windows\System32\ADVAPI32.dll
C:\Windows\system32\Dism\DismHost.exe
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll

Signature

  • Status: Signature verified.
  • Serial: 33000002EC6579AD1E670890130000000002EC
  • Thumbprint: F7C2F2C96A328C13CDA8CDB57B715BDEA2CBD1D9
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: DismHost.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.746 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.746
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80/detection

Possible Misuse

The following table contains possible examples of DismHost.exe being misused. While DismHost.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_suspicious_vss_ps_load.yml - 'dismhost.exe' DRL 1.0
sigma win_uac_bypass_dismhost.yml title: UAC Bypass Using DismHost DRL 1.0
sigma win_uac_bypass_dismhost.yml description: Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63) DRL 1.0
sigma win_uac_bypass_dismhost.yml - '\DismHost.exe' DRL 1.0
sigma win_uac_bypass_ntfs_reparse_point.yml - '\dismhost.exe {' DRL 1.0
sigma win_uac_bypass_ntfs_reparse_point.yml Image\|endswith: '\DismHost.exe' DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.