sdiagnhost.exe

  • File Path: C:\Windows\SysWOW64\sdiagnhost.exe
  • Description: Scripted Diagnostics Native Host

Hashes

  • MD5: A42E590E384DBBAEA788F73C601DA963
  • SHA1: 778EA96431D9D86BC3B7C6AD055A9CB150EE1ABA
  • SHA256: 943BB9D1AC027133EE5CB1461B3359993EEEF0A799DC85F9E4AB9CD57DD8F281
  • SHA384: 4BD77431DAD0DC654C52449C75116ABEA66CA9B92CBEED3185D8E4A48F4ECFFFA224EF605B08E23E521ED5C178CF8BCB
  • SHA512: AC92A2944596B29DE817874C361B20EE3C8D4D71CBD82F0640CB63D97B53A33C5A991A95F7C3EC072F1CA86DCD222E0CA9B91ECA635E8F808EB7F0603F8A3DA8
  • SSDEEP: 384:4Hm8MXAxa0GJsu9JfeI1Hd0FVLxPXZPqLdMnBXLei1Wa7DWMZrF:/0GJD3DkVxVq5MBXLeibDx

Runtime Data

Child Processes:

conhost.exe

Signature

  • Status: Signature verified.
  • Serial: 33000000BCE120FDD27CC8EE930000000000BC
  • Thumbprint: E85459B23C232DB3CB94C7A56D47678F58E8E51E
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: sdiagnhost.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.0 (rs1_release.160715-1616)
  • Product Version: 10.0.14393.0
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following entries are possible examples of sdiagnhost.exe being misused. sdiagnhost.exe is not inherently malicious, but its legitimate functionality can be abused for malicious purposes; each entry lists the detection rule source, the rule file, the example string the rule matches on, and the rule's license.

  • Source: sigma; Source File: image_load_in_memory_powershell.yml; Example: '\WINDOWS\System32\sdiagnhost.exe'; License: DRL 1.0
  • Source: sigma; Source File: image_load_wmi_module_load.yml; Example: '\sdiagnhost.exe'; License: DRL 1.0
  • Source: sigma; Source File: image_load_wsman_provider_image_load.yml; Example: 'C:\Windows\System32\sdiagnhost.exe'; License: DRL 1.0
  • Source: sigma; Source File: pipe_created_alternate_powershell_hosts_pipe.yml; Example: '\WINDOWS\System32\sdiagnhost.exe'; License: DRL 1.0
  • Source: sigma; Source File: proc_access_win_in_memory_assembly_execution.yml; Example: '\Windows\System32\sdiagnhost.exe'; License: DRL 1.0
  • Source: sigma; Source File: proc_creation_win_susp_csc_folder.yml; Example: '\sdiagnhost.exe' # https://twitter.com/gN3mes1s/status/1206874118282448897; License: DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.