sdiagnhost.exe

  • File Path: C:\WINDOWS\SysWOW64\sdiagnhost.exe
  • Description: Scripted Diagnostics Native Host

Hashes

Type | Hash
--- | ---
MD5 | 05A10B350BD6058DDDBFB937DB68A3DB
SHA1 | 9B9568395D8E4679BF4093E2657990B3667D2FFF
SHA256 | EFC329587CA237257B39778942357B7185D0FFE970E4EF549E05C097BB9DDE21
SHA384 | BB79FF1C52314ACA73E7F97CA9F110B24C444383D18809B082BBF77D2590865E4ACCE48B083127C881A95F99AC825B07
SHA512 | AD87EA4B52C1A27F17AB52DF02969C5D876557101AA97D89CF2F21A53F5775623DE1E9B038F66671750AE859C1745909568405C4BE13E238B51909BCB6B33C69
SSDEEP | 384:VKll53sKmxaHm8MXAvaXlDGwZL2U2Ikr+cZj25MbBvPq/9IO4bNmKZTRmxaLelgL:VM9lUvXlDZCvZj256EKbZToaLe+BAW
IMP | EA5DA80829D9880E7FF73CD62726D7CE
PESHA1 | A49AFBFFB369AE3664D11EA70D6ECCBF67E9CCAD
PE256 | 5B30257526F30DD0FE8A8388CB2B2BF0491B07E130BA22B6B0148290B6BD5CEF

Runtime Data

Child Processes:

conhost.exe

Open Handles:

Path | Type
--- | ---
(R-D) C:\Windows\System32\en-US\sdiagnhost.exe.mui | File
(RW-) C:\Windows | File
(RW-) C:\Windows\SysWOW64 | File
\BaseNamedObjects__ComCatalogCache__ | Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db | Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db | Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro | Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 | Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 | Section

Loaded Modules:

Path
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\wow64.dll
C:\WINDOWS\System32\wow64base.dll
C:\WINDOWS\System32\wow64con.dll
C:\WINDOWS\System32\wow64cpu.dll
C:\WINDOWS\System32\wow64win.dll
C:\WINDOWS\SysWOW64\sdiagnhost.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: sdiagnhost.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/efc329587ca237257b39778942357b7185d0ffe970e4ef549e05c097bb9dde21/detection

File Similarity (ssdeep match)

File | Score
--- | ---
C:\WINDOWS\SysWOW64\sdiagnhost.exe | 35
C:\Windows\SysWOW64\sdiagnhost.exe | 36
C:\Windows\SysWOW64\sdiagnhost.exe | 36
C:\windows\SysWOW64\sdiagnhost.exe | 29

Possible Misuse

The following table contains possible examples of sdiagnhost.exe being misused. While sdiagnhost.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source | Source File | Example | License
--- | --- | --- | ---
sigma | image_load_in_memory_powershell.yml | - '\WINDOWS\System32\sdiagnhost.exe' | DRL 1.0
sigma | image_load_wmi_module_load.yml | - '\sdiagnhost.exe' | DRL 1.0
sigma | image_load_wsman_provider_image_load.yml | - 'C:\Windows\System32\sdiagnhost.exe' | DRL 1.0
sigma | pipe_created_alternate_powershell_hosts_pipe.yml | - '\WINDOWS\System32\sdiagnhost.exe' | DRL 1.0
sigma | proc_access_win_in_memory_assembly_execution.yml | - '\Windows\System32\sdiagnhost.exe' | DRL 1.0
sigma | proc_creation_win_susp_csc_folder.yml | - '\sdiagnhost.exe' # https://twitter.com/gN3mes1s/status/1206874118282448897 | DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.