DismHost.exe

  • File Path: C:\Windows\system32\Dism\DismHost.exe
  • Description: Dism Host Servicing Process

Hashes

| Type | Hash |
|------|------|
| MD5 | E8007EB8977E83D29F30A122771C09AA |
| SHA1 | B01D428264A51AE803814644EA5EA43E7D7781D5 |
| SHA256 | 33069F383011494299AD95C20D45929D5FC64C0E4E8441C6425F324B02744A20 |
| SHA384 | 2BF05263073B15DA1EFE87CE5B4C5E58D460B2065E60202EFF06456AE40A0DE0A8598037062FD3EC4363F6E328D6CB0B |
| SHA512 | 581C50DD92B9CC8DC2D4169319D057922301779820270532DFEFCFF7F8E825CB0DACF9B4FEDD40512E215B13DCDE97AF8272F046CD235452D639820C828CD72B |
| SSDEEP | 3072:1AJbGkxmT0RlUtiFg/hKhiU1fgDkr3yz8:6JSkxmGUtcf1IDkr3N |

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: DismHost.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.3241 (rs1_release_inmarket.190910-1801)
  • Product Version: 10.0.14393.3241
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of DismHost.exe being misused. While DismHost.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|--------|-------------|---------|---------|
| sigma | image_load_suspicious_vss_ps_load.yml | - 'dismhost.exe' | DRL 1.0 |
| sigma | proc_creation_win_dsim_remove.yml | Image\|endswith: '\DismHost.exe' | DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_dismhost.yml | title: UAC Bypass Using DismHost | DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_dismhost.yml | description: Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63) | DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_dismhost.yml | - '\DismHost.exe' | DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_ntfs_reparse_point.yml | - '\dismhost.exe {' | DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_ntfs_reparse_point.yml | Image\|endswith: '\DismHost.exe' | DRL 1.0 |

MIT License. Copyright (c) 2020-2021 Strontic.