DismHost.exe

  • File Path: C:\Windows\SysWOW64\Dism\DismHost.exe
  • Description: Dism Host Servicing Process

Hashes

Type Hash
MD5 F8C86D4F3CAF75138F7AC5112643033C
SHA1 3AC1B2F6AB48EA821635B366972F81213F814D70
SHA256 795483C8F2901DD399E545178DAB52B98A90A62B0ECD4EDFFD859E5261122CD9
SHA384 F01380AAF8566596722F421D22CE2F931EC5E95EC9B603793512881903021AA2BA940D6316EF8C47577A4ADC49BCA511
SHA512 D24BBF7B9FA8A5E3EFA34B6396C834D0691B648B8F279B016261E03AB68CE08BA161CD0907543B48FC7C5A2AC7A3355372747DE070D141903D1A71E6FD3B4AB5
SSDEEP 3072:jfGAMtK5mihNXycC5H8iXGHQsSFipik32KJYcV7qs:7l3NXO8iX2zIk32Ta
IMP 6D22B1E1FDE3D53E4DD80D9E83A0E1C1
PESHA1 75B255EF539DAD1D6D0A96A4C64A49B7CA43026E
PE256 6B78C96C9AEE6E5A4E9C6B323A9AD1C103650E711D06308ECB5305B93E915B46

Runtime Data

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\Dism\DismHost.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002EC6579AD1E670890130000000002EC
  • Thumbprint: F7C2F2C96A328C13CDA8CDB57B715BDEA2CBD1D9
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: DismHost.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.746 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.746
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/795483c8f2901dd399e545178dab52b98a90a62b0ecd4edffd859e5261122cd9/detection

Possible Misuse

The following table contains possible examples of DismHost.exe being misused. While DismHost.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma image_load_suspicious_vss_ps_load.yml - 'dismhost.exe' DRL 1.0
sigma proc_creation_win_dsim_remove.yml Image\|endswith: '\DismHost.exe' DRL 1.0
sigma proc_creation_win_uac_bypass_dismhost.yml title: UAC Bypass Using DismHost DRL 1.0
sigma proc_creation_win_uac_bypass_dismhost.yml description: Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63) DRL 1.0
sigma proc_creation_win_uac_bypass_dismhost.yml - '\DismHost.exe' DRL 1.0
sigma proc_creation_win_uac_bypass_ntfs_reparse_point.yml - '\dismhost.exe {' DRL 1.0
sigma proc_creation_win_uac_bypass_ntfs_reparse_point.yml Image\|endswith: '\DismHost.exe' DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.