dllhost.exe is the process for running DLL surrogate COM objects on Windows. The dllhost process executes what are known as “DLL surrogates”, which are DLLs hosting COM objects that run inside processes. The command-line argument of the dllhost process is /Processid:{CLSID}. Malware authors or threat actors can abuse this by registering or hijacking COM objects and running them via the following command line: dllhost.exe /Processid:{Hijacked CLSID}.

Image Path

Executable’s image path.

Parent Process

The process that spawned the analyzed process.

Number of Instances

Expected number of instances of the process that may normally run on Windows.

User Account

Windows account with which the process was launched. This defines what privileges the process has.

Start Time

Expected time at which the process is launched.
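
Each dllhost.exe process-creation record can be checked against the /Processid:{CLSID} command line and the image path described above. The Python below is an added example, not part of the original page; the expected System32/SysWOW64 paths, the record field names, the baseline set and the sample GUIDs are assumptions or constructed placeholders.

```python
import re
from ntpath import normcase, normpath  # Windows path rules on any OS

# Assumption: default install locations of the genuine binary (64-bit and WOW64).
EXPECTED_IMAGES = {
    normcase(r"C:\Windows\System32\dllhost.exe"),
    normcase(r"C:\Windows\SysWOW64\dllhost.exe"),
}
# Matches /Processid:{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}, case-insensitively.
PROCESSID_RE = re.compile(
    r"/processid:\s*(\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\})", re.I)

def extract_clsid(command_line):
    """Return the upper-cased {CLSID} from a dllhost command line, or None."""
    m = PROCESSID_RE.search(command_line or "")
    return m.group(1).upper() if m else None

def triage(event, baseline):
    """Return a list of findings for one process-creation record.

    baseline: upper-cased {CLSID} strings already reviewed for this host
    (hypothetical allowlist built by the analyst).
    """
    findings = []
    if normcase(normpath(event["image"])) not in EXPECTED_IMAGES:
        findings.append("unexpected image path")
    clsid = extract_clsid(event["command_line"])
    if clsid is None:
        findings.append("no /Processid:{CLSID} argument")
    elif clsid not in baseline:
        findings.append("CLSID not in baseline: " + clsid)
    return findings

# Constructed sample data; the GUIDs are placeholders, not real registrations.
BASELINE = {"{11111111-2222-3333-4444-555555555555}"}
EVENTS = [
    {"image": r"C:\Windows\System32\dllhost.exe",
     "command_line": r"C:\Windows\system32\DllHost.exe "
                     r"/Processid:{11111111-2222-3333-4444-555555555555}"},
    {"image": r"C:\Windows\System32\dllhost.exe",
     "command_line": r"dllhost.exe /Processid:{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}"},
    {"image": r"C:\Users\Public\dllhost.exe", "command_line": "dllhost.exe"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["image"], "->", triage(ev, BASELINE) or "ok")
```

A CLSID that is not in the baseline is a lead for review (resolve it to the registered DLL and check that file), not a verdict on its own.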