sdiagnhost.exe

  • File Path: C:\Windows\SysWOW64\sdiagnhost.exe
  • Description: Scripted Diagnostics Native Host

Hashes

Type Hash
MD5 43353191117C9236DDCCE362A8E74BA7
SHA1 6A0B5CE7964379CE5019E46302EFDF6F5EC19A95
SHA256 3584436E99BD2D420E9066E3A237ED1BE41E964E92FB5E1C88E052E6C834B1DA
SHA384 401182DCA59A4CC3B3A28DDE61F52ADF67B28B70161EED5DE82AB34CA982F5C2742A00E520AA2F125C41E533DD3B9912
SHA512 94014C6EB596222A7E72E089518AA071F24C870DEDA3050B6EB4D9A9766A0291D31A009E94CF2874AB8FCEEAC8AFBA97465D38E295874025948573648A4E732F
SSDEEP 384:zHm8MXAvaHQ41cJluoPk8KWreBiyj7hZxaLelgWh7DWIH:wHElu4b8j75aLeN
IMP 1AC4615E680B9BC131EC1F2ADCF60B35
PESHA1 687EF5C2A6DA51ABC7EA3E15104034086017AC3E
PE256 E415F46A53DCE06C8995B85E54A40D8F8DE5E27067A96E1B4E9B2BFC749D7240

Runtime Data

Child Processes:

conhost.exe

Open Handles:

Path Type
(R-D) C:\Windows\System32\en-US\sdiagnhost.exe.mui File
(RW-) C:\Users\user File
(RW-) C:\Windows File
\BaseNamedObjects__ComCatalogCache__ Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\sdiagnhost.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: sdiagnhost.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/76
  • VirusTotal Link: https://www.virustotal.com/gui/file/3584436e99bd2d420e9066e3a237ed1be41e964e92fb5e1c88e052e6c834b1da/detection

File Similarity (ssdeep match)

File Score
C:\WINDOWS\SysWOW64\sdiagnhost.exe 36
C:\WINDOWS\SysWOW64\sdiagnhost.exe 80
C:\Windows\SysWOW64\sdiagnhost.exe 52
C:\windows\SysWOW64\sdiagnhost.exe 41

Possible Misuse

The following table contains possible examples of sdiagnhost.exe being misused. While sdiagnhost.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma image_load_in_memory_powershell.yml - '\WINDOWS\System32\sdiagnhost.exe' DRL 1.0
sigma image_load_wmi_module_load.yml - '\sdiagnhost.exe' DRL 1.0
sigma image_load_wsman_provider_image_load.yml - 'C:\Windows\System32\sdiagnhost.exe' DRL 1.0
sigma pipe_created_alternate_powershell_hosts_pipe.yml - '\WINDOWS\System32\sdiagnhost.exe' DRL 1.0
sigma proc_access_win_in_memory_assembly_execution.yml - '\Windows\System32\sdiagnhost.exe' DRL 1.0
sigma proc_creation_win_susp_csc_folder.yml - '\sdiagnhost.exe' # https://twitter.com/gN3mes1s/status/1206874118282448897 DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.