stordiag.exe
- File Path:
C:\Windows\system32\stordiag.exe
- Description:
Hashes
Type | Hash |
---|---|
MD5 | 09595FAB75F9764D8BB8D77A02602E9B |
SHA1 | 2035188F2858DEC97D9B9CA8587FB2C109425C2F |
SHA256 | 75CBE3CC080A0C681E925E8A7FA20577524E04E0D7E713DD0E73355ED02AF960 |
SHA384 | 98F90AFFCF3D4A6FC77AAA8CCBADCCB39DD5A3F13437664F2DD5705255FDB2E41D928067C7AB56E7F49382F38D232C25 |
SHA512 | 2D780DA4B52038526737AEC828417E26A77184938F2C3D9EF08160CED4F381E591E5443449CB8DBB1EEF1D5050E86C23FE8728DF162D9CC6D39F21559D3FE34B |
SSDEEP | 384:En4/E+AWVUClB0a9ETJnbMYI1UzscQN0UNUQAzmynEYfP0Kqhihnhacd4SZqxJ4/:En6rUClB19ilbTYcQlxKhs0N+E |
Runtime Data
Usage (stdout):
Collects storage and filesystem diagnostic logs and outputs them to a folder.
StorDiag [-collectEtw] [-out <PATH>]
-collectEtw Collect a 30-second long ETW trace if run from an elevated session
-checkFSConsistency Checks for the consistency of the NTFS file system
-out <PATH> Specify the output path. If not specified, logs are saved to %TEMP%\StorDiag
Child Processes:
conhost.exe systeminfo.exe
Signature
- Status: Signature verified.
- Serial:
33000000BCE120FDD27CC8EE930000000000BC
- Thumbprint:
E85459B23C232DB3CB94C7A56D47678F58E8E51E
- Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: stordiag.exe
- Product Name: Microsoft (R) Windows (R) Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.14393.0
- Product Version: 10.0.14393.0
- Language: Language Neutral
- Legal Copyright: Copyright (c) Microsoft Corporation. All rights reserved.
Possible Misuse
The following table contains possible examples of stordiag.exe being misused. While stordiag.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes: once run, it launches schtasks.exe, systeminfo.exe and fltmc.exe, and if the binary is copied to another folder in which an arbitrary executable has been renamed to one of those names, stordiag.exe executes that file instead. This is why the Sigma rule below alerts on these child processes whenever the parent stordiag.exe is not running from System32 or SysWOW64, and why a parent path outside those directories is the practical indicator to check.
Source | Source File | Example | License |
---|---|---|---|
sigma | proc_creation_win_stordiag_execution.yml | title: Execution via stordiag.exe | DRL 1.0 |
sigma | proc_creation_win_stordiag_execution.yml | description: Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe | DRL 1.0 |
sigma | proc_creation_win_stordiag_execution.yml | - https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html | DRL 1.0 |
sigma | proc_creation_win_stordiag_execution.yml | ParentImage\|endswith: '\stordiag.exe' | DRL 1.0 |
sigma | proc_creation_win_stordiag_execution.yml | ParentImage\|startswith: # as first is "Copy c:\windows\system32\stordiag.exe to a folder" | DRL 1.0 |
sigma | proc_creation_win_stordiag_execution.yml | - Legitimate usage of stordiag.exe. | DRL 1.0 |
LOLBAS | Stordiag.yml | Name: Stordiag.exe | |
LOLBAS | Stordiag.yml | - Command: stordiag.exe | |
LOLBAS | Stordiag.yml | Description: Once executed, Stordiag.exe will execute schtasks.exe systeminfo.exe and fltmc.exe - if stordiag.exe is copied to a folder and an arbitrary executable is renamed to one of these names, stordiag.exe will execute it. | |
LOLBAS | Stordiag.yml | - Path: c:\windows\system32\stordiag.exe | |
LOLBAS | Stordiag.yml | - Path: c:\windows\syswow64\stordiag.exe | |
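The detection logic of the Sigma rule above, reconstructed in Python and run over constructed Sysmon-style process-creation events. This is an added example, not code from the Sigma or LOLBAS projects: the ParentImage endswith/startswith fields are taken from the rule excerpts in the table, while the restriction of the child Image to schtasks.exe, systeminfo.exe and fltmc.exe is inferred from the rule description and is an assumption about the exact YAML. Sigma string modifiers match case-insensitively, so paths are lower-cased before comparison; the sample events are constructed, not real telemetry.

```python
"""Reconstruction of the proc_creation_win_stordiag_execution logic over
constructed process-creation events.  Added example; the child-Image
selection is inferred from the rule description (assumption)."""

# Children stordiag.exe is known to spawn (from the LOLBAS description).
SUSPECT_CHILDREN = ("\\schtasks.exe", "\\systeminfo.exe", "\\fltmc.exe")
# Legitimate parent locations excluded by the rule's filter.
TRUSTED_PARENT_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def is_stordiag_abuse(event: dict) -> bool:
    """True when stordiag.exe spawns one of its known children from a parent
    path outside the Windows system directories, i.e. the copied-binary
    hijack described on this page.  Comparisons are case-insensitive to
    mirror Sigma's default string matching."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    selection = parent.endswith("\\stordiag.exe") and image.endswith(SUSPECT_CHILDREN)
    legitimate = parent.startswith(TRUSTED_PARENT_DIRS)
    return selection and not legitimate


def scan(events):
    """Return the events that would fire the rule."""
    return [e for e in events if is_stordiag_abuse(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Legitimate run from System32: matched by the filter, no alert.
    {"ParentImage": r"C:\Windows\System32\stordiag.exe",
     "Image": r"C:\Windows\System32\systeminfo.exe"},
    # Copy in a user-writable folder launching a planted systeminfo.exe: alert.
    {"ParentImage": r"C:\Users\Public\tools\stordiag.exe",
     "Image": r"C:\Users\Public\tools\systeminfo.exe"},
    # Copied binary, but the child is not one of the three names: no alert.
    {"ParentImage": r"C:\Users\Public\tools\stordiag.exe",
     "Image": r"C:\Windows\System32\conhost.exe"},
    # Legitimate SysWOW64 run: filtered.
    {"ParentImage": r"C:\Windows\SysWOW64\stordiag.exe",
     "Image": r"C:\Windows\SysWOW64\fltmc.exe"},
    # Copied binary that happens to resolve the real schtasks.exe: still an
    # alert, because the rule keys on the parent's location, not the child's.
    {"ParentImage": r"D:\staging\StorDiag.exe",
     "Image": r"C:\Windows\System32\schtasks.exe"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT:", hit["ParentImage"], "->", hit["Image"])
```

The last sample event shows the rule's design choice: it alerts on any stordiag.exe running outside the system directories regardless of which copy of the child it ends up launching, so a relocated binary is treated as suspicious even when no planted executable is present. Triage should therefore confirm whether a same-named schtasks.exe, systeminfo.exe or fltmc.exe sits next to the relocated stordiag.exe.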
MIT License. Copyright (c) 2020-2021 Strontic.