dllhost.exe

  • File Path: C:\Windows\SysWOW64\dllhost.exe
  • Description: COM Surrogate

Hashes

Type Hash
MD5 6046950FC9CA5B7A7E084C189658DACB
SHA1 A39CE2EABF6C9493EFFD3FEC1226061CB1B086E6
SHA256 5137C324038AB2E8EAB4F98A20BEE9F121346D62E4D907CA1E4A860F4C54EAE8
SHA384 EAE31B942ACF53AB13E8D6930822A649774CAEB50A5A5FEE9846F79402C54811C8DD36652EA572C5D8B7FE8B84DC8858
SHA512 FF2F0BB296B4C142358CC6ACA9D530D7CC6CE0409C738F8B5BFA9C71B4CF6FFFFADF2E1BABE744546A6BA8B8E58628BEBA4987F19E8DC7E6829BD8A1E7728AA3
SSDEEP 384:q8ZKHtffwK/8LCsSW/5WyqolRDBRJ73lJQfy:lYXwK0LCs7Jqk1PT9

Signature

  • Status: Signature verified.
  • Serial: 33000000BCE120FDD27CC8EE930000000000BC
  • Thumbprint: E85459B23C232DB3CB94C7A56D47678F58E8E51E
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: dllhost.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.0 (rs1_release.160715-1616)
  • Product Version: 10.0.14393.0
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of dllhost.exe being misused. While dllhost.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma file_event_win_creation_system_file.yml - '\dllhost.exe' DRL 1.0
sigma file_event_win_susp_adsi_cache_usage.yml - 'C:\windows\system32\dllhost.exe' DRL 1.0
sigma file_event_win_uac_bypass_wmp.yml Image: 'C:\Windows\system32\DllHost.exe' DRL 1.0
sigma image_load_suspicious_vss_ps_load.yml - '\dllhost.exe' DRL 1.0
sigma net_connection_win_dllhost_net_connections.yml title: Dllhost Internet Connection DRL 1.0
sigma net_connection_win_dllhost_net_connections.yml description: Detects Dllhost that communicates with public IP addresses DRL 1.0
sigma net_connection_win_dllhost_net_connections.yml Image\|endswith: '\dllhost.exe' DRL 1.0
sigma proc_creation_win_apt_unc2452_cmds.yml Image\|endswith: '\dllhost.exe' DRL 1.0
sigma proc_creation_win_cmstp_com_object_access.yml ParentImage\|endswith: '\DllHost.exe' DRL 1.0
sigma proc_creation_win_cobaltstrike_process_patterns.yml ParentImage\|endswith: '\dllhost.exe' DRL 1.0
sigma proc_creation_win_mal_darkside_ransomware.yml ParentCommandLine\|contains: 'DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' DRL 1.0
sigma proc_creation_win_script_event_consumer_spawn.yml - '\dllhost.exe' DRL 1.0
sigma proc_creation_win_system_exe_anomaly.yml - '\dllhost.exe' DRL 1.0
LOLBAS Dllhost.yml Name: Dllhost.exe  
LOLBAS Dllhost.yml - Command: dllhost.exe /Processid:{CLSID}  
LOLBAS Dllhost.yml Description: Use dllhost.exe to load a registered or hijacked COM Server payload.  
LOLBAS Dllhost.yml - Path: C:\Windows\System32\dllhost.exe  
LOLBAS Dllhost.yml - Path: C:\Windows\SysWOW64\dllhost.exe  
LOLBAS Dllhost.yml - IOC: DotNet CLR libraries loaded into dllhost.exe  
LOLBAS Dllhost.yml - IOC: DotNet CLR Usage Log - dllhost.exe.log  
LOLBAS Dllhost.yml - IOC: Suspicious network connectings originating from dllhost.exe  
LOLBAS Dllhost.yml - Link: https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08  
signature-base crime_nopetya_jun17.yar $s7 = “dllhost.dat” fullword wide CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.