dllhost.exe

  • File Path: C:\Windows\SysWOW64\dllhost.exe
  • Description: COM Surrogate

Runtime Data

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\dllhost.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: dllhost.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/63
  • VirusTotal Link: https://www.virustotal.com/gui/file/a422fcb92ab03c9f34fe2296028e68911f87eeac4a79b37d3769730ca52a6bf8/detection/

Possible Misuse

The following table contains possible examples of dllhost.exe being misused. While dllhost.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma file_event_win_creation_system_file.yml - '\dllhost.exe' DRL 1.0
sigma file_event_win_susp_adsi_cache_usage.yml - 'C:\windows\system32\dllhost.exe' DRL 1.0
sigma file_event_win_uac_bypass_wmp.yml Image: 'C:\Windows\system32\DllHost.exe' DRL 1.0
sigma image_load_suspicious_vss_ps_load.yml - '\dllhost.exe' DRL 1.0
sigma net_connection_win_dllhost_net_connections.yml title: Dllhost Internet Connection DRL 1.0
sigma net_connection_win_dllhost_net_connections.yml description: Detects Dllhost that communicates with public IP addresses DRL 1.0
sigma net_connection_win_dllhost_net_connections.yml Image|endswith: '\dllhost.exe' DRL 1.0
sigma proc_creation_win_apt_unc2452_cmds.yml Image|endswith: '\dllhost.exe' DRL 1.0
sigma proc_creation_win_cmstp_com_object_access.yml ParentImage|endswith: '\DllHost.exe' DRL 1.0
sigma proc_creation_win_cobaltstrike_process_patterns.yml ParentImage|endswith: '\dllhost.exe' DRL 1.0
sigma proc_creation_win_mal_darkside_ransomware.yml ParentCommandLine|contains: 'DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' DRL 1.0
sigma proc_creation_win_script_event_consumer_spawn.yml - '\dllhost.exe' DRL 1.0
sigma proc_creation_win_system_exe_anomaly.yml - '\dllhost.exe' DRL 1.0
LOLBAS Dllhost.yml Name: Dllhost.exe
LOLBAS Dllhost.yml - Command: dllhost.exe /Processid:{CLSID}
LOLBAS Dllhost.yml Description: Use dllhost.exe to load a registered or hijacked COM Server payload.
LOLBAS Dllhost.yml - Path: C:\Windows\System32\dllhost.exe
LOLBAS Dllhost.yml - Path: C:\Windows\SysWOW64\dllhost.exe
LOLBAS Dllhost.yml - IOC: DotNet CLR libraries loaded into dllhost.exe
LOLBAS Dllhost.yml - IOC: DotNet CLR Usage Log - dllhost.exe.log
LOLBAS Dllhost.yml - IOC: Suspicious network connectings originating from dllhost.exe
LOLBAS Dllhost.yml - Link: https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08
signature-base crime_nopetya_jun17.yar $s7 = "dllhost.dat" fullword wide CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.