sdiagnhost.exe

  • File Path: C:\windows\SysWOW64\sdiagnhost.exe
  • Description: Scripted Diagnostics Native Host

Hashes

  Type     Hash
  MD5      BD954F1A95B1C1B0D68AC4AF5E427807
  SHA1     B917E3FDC09AF0B50E5A46044731139A4F6D3FD7
  SHA256   BBF6D9ED2664F6BFCCE40348A0CBD73C55BA364CEC8649B2BF332E3301ED7A19
  SHA384   10ADEDE125E448A651651F76C20002D036241EAD5416812450B05BCB1B218E9CD60DD1283DA4842C0308DCA6570DE522
  SHA512   5CE8E35948616680EAB7F18B66EBE05A73A0CE34D2459078767FE31D0D661183CAC915269A9D664F326704E7C51FFF84FCEE978C004BEA27BD8375220E26F9B3
  SSDEEP   384:FHm8MXAvartizJWNBtoUX34d4UXiqwcI1KEac/sG/XLeitWj7DWf:irtzdnw4uw6tc/sMXLei6U

Signature

  • Status: The file C:\windows\SysWOW64\sdiagnhost.exe is not digitally signed. (The recorded status output also contains a PowerShell execution-policy error: "You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170". The signature check therefore did not complete cleanly, and no certificate details were recorded.)
  • Serial: (empty)
  • Thumbprint: (empty)
  • Issuer: (empty)
  • Subject: (empty)

File Metadata

  • Original Filename: sdiagnhost.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 6.3.9600.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

  File                                  Score
  C:\WINDOWS\SysWOW64\sdiagnhost.exe    29
  C:\WINDOWS\SysWOW64\sdiagnhost.exe    41
  C:\Windows\SysWOW64\sdiagnhost.exe    41
  C:\Windows\SysWOW64\sdiagnhost.exe    35

Possible Misuse

The following table lists detection rules that reference sdiagnhost.exe as a possible indicator of misuse. sdiagnhost.exe is not inherently malicious, but its legitimate functionality (hosting scripted diagnostics, which can load PowerShell and WMI components in-process) can be abused, so the rules below match on it as a process image or loaded module.

  Source   Source File                                     Example                                                                                              License
  sigma    image_load_in_memory_powershell.yml             - '\WINDOWS\System32\sdiagnhost.exe'                                                                 DRL 1.0
  sigma    image_load_wmi_module_load.yml                  - '\sdiagnhost.exe'                                                                                  DRL 1.0
  sigma    image_load_wsman_provider_image_load.yml        - 'C:\Windows\System32\sdiagnhost.exe'                                                               DRL 1.0
  sigma    pipe_created_alternate_powershell_hosts_pipe.yml - '\WINDOWS\System32\sdiagnhost.exe'                                                                DRL 1.0
  sigma    proc_access_win_in_memory_assembly_execution.yml - '\Windows\System32\sdiagnhost.exe'                                                                DRL 1.0
  sigma    proc_creation_win_susp_csc_folder.yml           - '\sdiagnhost.exe' # https://twitter.com/gN3mes1s/status/1206874118282448897                        DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.