DismHost.exe

  • File Path: C:\Windows\SysWOW64\Dism\DismHost.exe
  • Description: Dism Host Servicing Process

Runtime Data

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\Dism\DismHost.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: DismHost.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.572 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.572
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/74
  • VirusTotal Link: https://www.virustotal.com/gui/file/4d3b036a78298e64e8fef0010ce98ce8b41e37621b613b4f35ee64765c724393/detection

Possible Misuse

The following table contains possible examples of DismHost.exe being misused. While DismHost.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
| --- | --- | --- | --- |
| sigma | image_load_suspicious_vss_ps_load.yml | - 'dismhost.exe' | DRL 1.0 |
| sigma | proc_creation_win_dsim_remove.yml | Image\|endswith: '\DismHost.exe' | DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_dismhost.yml | title: UAC Bypass Using DismHost | DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_dismhost.yml | description: Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63) | DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_dismhost.yml | - '\DismHost.exe' | DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_ntfs_reparse_point.yml | - '\dismhost.exe {' | DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_ntfs_reparse_point.yml | Image\|endswith: '\DismHost.exe' | DRL 1.0 |

MIT License. Copyright (c) 2020-2021 Strontic.