DismHost.exe

  • File Path: C:\WINDOWS\SysWOW64\Dism\DismHost.exe
  • Description: Dism Host Servicing Process

Hashes

Type Hash
MD5 F9DA47C0C0B645C2DC4D645146615726
SHA1 AE33D32F396080C0E8E3BAF755A86FA7A1D107DC
SHA256 91A681D017C797CD57BA9245912B71DC84EBD051D6B9645E359A25AE772FF42E
SHA384 E292F0968E1DE9AFE13D92911434CF4AD739986261C9B3EBF7237B4B874FDD894E86779FA67015D6B1CD277D0C13AA67
SHA512 7DB11B46D02848F8351A024779135F107A38F593B7D4C515D541925FA10D7DA45B0EE2B5BE1137CC9990DD4CBC52F8A89C20CC2DDA27A777D63D54A838FA7C3C
SSDEEP 3072:btv1sOgfGr7O3s62UCXCYGbSp6jWEX8Li:btiOg+rq3FGXCY+O6jSi
IMP C6950379594E8299B49479D0AE2C7E31
PESHA1 A665E6094D489E184A0EF3BC8DC3A6D05CC01C7F
PE256 DC81DD114CC515B63005DEEC1A24E6C2ECBB84BAAADCC873599E8C9191249CEA

Runtime Data

Loaded Modules:

Path
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\wow64.dll
C:\WINDOWS\System32\wow64base.dll
C:\WINDOWS\System32\wow64con.dll
C:\WINDOWS\System32\wow64cpu.dll
C:\WINDOWS\System32\wow64win.dll
C:\WINDOWS\SysWOW64\Dism\DismHost.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: DismHost.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/91a681d017c797cd57ba9245912b71dc84ebd051d6b9645e359a25ae772ff42e/detection

Possible Misuse

The following table contains possible examples of DismHost.exe being misused. While DismHost.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma image_load_suspicious_vss_ps_load.yml - 'dismhost.exe' DRL 1.0
sigma proc_creation_win_dsim_remove.yml Image\|endswith: '\DismHost.exe' DRL 1.0
sigma proc_creation_win_uac_bypass_dismhost.yml title: UAC Bypass Using DismHost DRL 1.0
sigma proc_creation_win_uac_bypass_dismhost.yml description: Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63) DRL 1.0
sigma proc_creation_win_uac_bypass_dismhost.yml - '\DismHost.exe' DRL 1.0
sigma proc_creation_win_uac_bypass_ntfs_reparse_point.yml - '\dismhost.exe {' DRL 1.0
sigma proc_creation_win_uac_bypass_ntfs_reparse_point.yml Image\|endswith: '\DismHost.exe' DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.