sdiagnhost.exe

  • File Path: C:\WINDOWS\system32\sdiagnhost.exe
  • Description: Scripted Diagnostics Native Host

Hashes

Type Hash
MD5 A4FFA6F266F3E1F3911B4B2D6BF2A0C3
SHA1 EA8C3D4730F40AB6CDC966DF9238F9058F83506C
SHA256 3C3CEB6E016B1B938912D4F341A2FD7799F7A38B81A68981A77C5A01F75D4109
SHA384 2CD86C5E9A01062EECE02BA7C524BE1C9F1E3F077AE7E1466A6C83C8B6E0C1016321DF07E6765F5BCE609C8D73FF58AA
SHA512 6E8CB0B676E049B4B84B63EA87C467D7A257E779A1D7CE9B49306903D53165950CA13AF5826538847677215429D966C507F5203C014AB702143E616CE3D6FF08
SSDEEP 768:SSlMePrzGU5dzfDjRb9nEwbajl0/sA31DKi6:SLeP7TtWj+dFmi6
IMP 5BBF147ECEABB7D6F8E55D3F9C50A9D0
PESHA1 AF2CD02DBBC20C55ABEBBAE7F3C0B037BCA42967
PE256 924C166908F054B71B9D11AF5F6544EBFB5F2CC19E139B4D57BBBC1FB283CE54

Runtime Data

Child Processes:

conhost.exe

Open Handles:

Path Type
(R-D) C:\Windows\System32\en-US\sdiagnhost.exe.mui File
(RW-) C:\Windows\System32 File
\BaseNamedObjects__ComCatalogCache__ Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section

Loaded Modules:

Path
C:\WINDOWS\System32\KERNEL32.DLL
C:\WINDOWS\System32\KERNELBASE.dll
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\system32\sdiagnhost.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: sdiagnhost.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/71
  • VirusTotal Link: https://www.virustotal.com/gui/file/3c3ceb6e016b1b938912d4f341a2fd7799f7a38b81a68981a77c5a01f75d4109/detection

Possible Misuse

The following table contains possible examples of sdiagnhost.exe being misused. While sdiagnhost.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma image_load_in_memory_powershell.yml - '\WINDOWS\System32\sdiagnhost.exe' DRL 1.0
sigma image_load_wmi_module_load.yml - '\sdiagnhost.exe' DRL 1.0
sigma image_load_wsman_provider_image_load.yml - 'C:\Windows\System32\sdiagnhost.exe' DRL 1.0
sigma pipe_created_alternate_powershell_hosts_pipe.yml - '\WINDOWS\System32\sdiagnhost.exe' DRL 1.0
sigma proc_access_win_in_memory_assembly_execution.yml - '\Windows\System32\sdiagnhost.exe' DRL 1.0
sigma proc_creation_win_susp_csc_folder.yml - '\sdiagnhost.exe' # https://twitter.com/gN3mes1s/status/1206874118282448897 DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.