dllhost.exe

  • File Path: C:\WINDOWS\SysWOW64\dllhost.exe
  • Description: COM Surrogate

Hashes

| Type | Hash |
|---|---|
| MD5 | 60D0B50CFF3A0722ADC274F49FB16F14 |
| SHA1 | E04E8DEB73F29F336A68FA62CEC8AE863EEFAB90 |
| SHA256 | 4B878483EB200C8731F95096EEF036F285BD36AB916FE550DD484B872E60D037 |
| SHA384 | 6E9BC7DC5C3C9FFBC3F81144668399BD60E4C28D127B5CB8679513CB04F7AAED79ADBE48183987ABDEC9D0FEB5E20056 |
| SHA512 | 934A1D0CE45FB6EDBF0FF25325CBA44A8A99202FAF3B5B1024DECF41E46DE0F3C6FDFBF300CAB1E2FDFD592A6EABFE786FA7E9602C308C6E71A6C26F8403D034 |
| SSDEEP | 384:TnrG6z40eYJnRB/cCWx5WzbnmXjDBRJPraLbBlwA4BN:nR5eYRRB/cF6bmXj1P0b4 |

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: dllhost.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.1 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

| File | Score |
|---|---|
| C:\Program Files (x86)\Common Files\microsoft shared\Ink\TabTip32.exe | 30 |
| C:\Windows\system32\backgroundTaskHost.exe | 33 |
| C:\WINDOWS\system32\backgroundTaskHost.exe | 30 |
| C:\Windows\system32\browser_broker.exe | 29 |
| C:\WINDOWS\system32\dllhost.exe | 43 |
| C:\Windows\system32\dllhost.exe | 38 |
| C:\Windows\system32\oobe\FirstLogonAnim.exe | 38 |
| C:\WINDOWS\system32\oobe\FirstLogonAnim.exe | 35 |
| C:\Windows\system32\prproc.exe | 35 |
| C:\WINDOWS\system32\prproc.exe | 38 |
| C:\Windows\system32\ScriptRunner.exe | 33 |
| C:\Windows\system32\SlideToShutDown.exe | 32 |
| C:\WINDOWS\system32\SlideToShutDown.exe | 33 |
| C:\WINDOWS\SysWOW64\backgroundTaskHost.exe | 35 |
| C:\Windows\SysWOW64\backgroundTaskHost.exe | 36 |
| C:\Windows\SysWOW64\CameraSettingsUIHost.exe | 27 |
| C:\WINDOWS\SysWOW64\CameraSettingsUIHost.exe | 25 |
| C:\Windows\SysWOW64\dllhost.exe | 36 |
| C:\WINDOWS\SysWOW64\dllhst3g.exe | 47 |

Possible Misuse

The following table contains possible examples of dllhost.exe being misused. While dllhost.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|---|---|---|---|
| sigma | file_event_win_creation_system_file.yml | - '\dllhost.exe' | DRL 1.0 |
| sigma | file_event_win_susp_adsi_cache_usage.yml | - 'C:\windows\system32\dllhost.exe' | DRL 1.0 |
| sigma | file_event_win_uac_bypass_wmp.yml | Image: 'C:\Windows\system32\DllHost.exe' | DRL 1.0 |
| sigma | image_load_suspicious_vss_ps_load.yml | - '\dllhost.exe' | DRL 1.0 |
| sigma | net_connection_win_dllhost_net_connections.yml | title: Dllhost Internet Connection | DRL 1.0 |
| sigma | net_connection_win_dllhost_net_connections.yml | description: Detects Dllhost that communicates with public IP addresses | DRL 1.0 |
| sigma | net_connection_win_dllhost_net_connections.yml | Image\|endswith: '\dllhost.exe' | DRL 1.0 |
| sigma | proc_creation_win_apt_unc2452_cmds.yml | Image\|endswith: '\dllhost.exe' | DRL 1.0 |
| sigma | proc_creation_win_cmstp_com_object_access.yml | ParentImage\|endswith: '\DllHost.exe' | DRL 1.0 |
| sigma | proc_creation_win_cobaltstrike_process_patterns.yml | ParentImage\|endswith: '\dllhost.exe' | DRL 1.0 |
| sigma | proc_creation_win_mal_darkside_ransomware.yml | ParentCommandLine\|contains: 'DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' | DRL 1.0 |
| sigma | proc_creation_win_script_event_consumer_spawn.yml | - '\dllhost.exe' | DRL 1.0 |
| sigma | proc_creation_win_system_exe_anomaly.yml | - '\dllhost.exe' | DRL 1.0 |
| LOLBAS | Dllhost.yml | Name: Dllhost.exe | |
| LOLBAS | Dllhost.yml | - Command: dllhost.exe /Processid:{CLSID} | |
| LOLBAS | Dllhost.yml | Description: Use dllhost.exe to load a registered or hijacked COM Server payload. | |
| LOLBAS | Dllhost.yml | - Path: C:\Windows\System32\dllhost.exe | |
| LOLBAS | Dllhost.yml | - Path: C:\Windows\SysWOW64\dllhost.exe | |
| LOLBAS | Dllhost.yml | - IOC: DotNet CLR libraries loaded into dllhost.exe | |
| LOLBAS | Dllhost.yml | - IOC: DotNet CLR Usage Log - dllhost.exe.log | |
| LOLBAS | Dllhost.yml | - IOC: Suspicious network connections originating from dllhost.exe | |
| LOLBAS | Dllhost.yml | - Link: https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08 | |
| signature-base | crime_nopetya_jun17.yar | $s7 = "dllhost.dat" fullword wide | CC BY-NC 4.0 |

MIT License. Copyright (c) 2020-2021 Strontic.