stordiag.exe
- File Path:
C:\WINDOWS\system32\stordiag.exe - Description:
Hashes
| Type | Hash |
|---|---|
| MD5 | 90A922FDB190D75111DBE5A741EE0510 |
| SHA1 | 728132E27C24796A7C29A927FF56414E4D66C547 |
| SHA256 | 3BC839B933D9C40A8B8D25B415C1037BA4A47009BF3C4E3A3D4C26554B7D4898 |
| SHA384 | 56C87BF0397F07D106F8CDEAFBA7BE0584E04909598C9C656F69249A23A548BE935276CB17F022BD6012E4BDBF85DDC0 |
| SHA512 | 5F4A9DD8A99F197793FBBB00D6AA32AF93BFF90F2E52381FCF9C2FCA4F00AEDB44ADF3F627FB3D14D9960FDD31CB863F3BE7B6C051C129969C7D8B792D6F3D8B |
| SSDEEP | 1536:D6dFZKXt4SeKT/DSsdj9hf5+VIsWzbJWE4KAhUfb3M:mFZpSeK6MkWpzbJWE4nQb3M |
Runtime Data
Usage (stdout):
Collects storage and filesystem diagnostic logs and outputs them to a folder.
StorDiag [-collectEtw] [-out <PATH>]
-collectEtw Collect a 30-second long ETW trace if run from an elevated session
-collectPerf Collect disk performance counters
-checkFSConsistency Checks for the consistency of the NTFS file system
-diagnostic outputs a storage diagnostic report
-bootdiag output boot sectors of the disk
-driverdiag output avaliable storport and storahci logs
-out <PATH> Specify the output path. If not specified, logs are saved to %TEMP%\StorDiag
Child Processes:
conhost.exe
Signature
- Status: Signature verified.
- Serial:
330000023241FB59996DCC4DFF000000000232 - Thumbprint:
FF82BC38E1DA5E596DF374C53E3617F7EDA36B06 - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: stordiag.exe
- Product Name: Microsoft (R) Windows (R) Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.18362.1
- Product Version: 10.0.18362.1
- Language: Language Neutral
- Legal Copyright: Copyright (c) Microsoft Corporation. All rights reserved.
File Similarity (ssdeep match)
| File | Score |
|---|---|
| C:\WINDOWS\SysWOW64\stordiag.exe | 91 |
Possible Misuse
The following table contains possible examples of stordiag.exe being misused. While stordiag.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | proc_creation_win_stordiag_execution.yml | title: Execution via stordiag.exe |
DRL 1.0 |
| sigma | proc_creation_win_stordiag_execution.yml | description: Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe |
DRL 1.0 |
| sigma | proc_creation_win_stordiag_execution.yml | - https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html |
DRL 1.0 |
| sigma | proc_creation_win_stordiag_execution.yml | ParentImage\|endswith: '\stordiag.exe' |
DRL 1.0 |
| sigma | proc_creation_win_stordiag_execution.yml | ParentImage\|startswith: # as first is "Copy c:\windows\system32\stordiag.exe to a folder" |
DRL 1.0 |
| sigma | proc_creation_win_stordiag_execution.yml | - Legitimate usage of stordiag.exe. |
DRL 1.0 |
| LOLBAS | Stordiag.yml | Name: Stordiag.exe |
|
| LOLBAS | Stordiag.yml | - Command: stordiag.exe |
|
| LOLBAS | Stordiag.yml | Description: Once executed, Stordiag.exe will execute schtasks.exe systeminfo.exe and fltmc.exe - if stordiag.exe is copied to a folder and an arbitrary executable is renamed to one of these names, stordiag.exe will execute it. |
|
| LOLBAS | Stordiag.yml | - Path: c:\windows\system32\stordiag.exe |
|
| LOLBAS | Stordiag.yml | - Path: c:\windows\syswow64\stordiag.exe |
MIT License. Copyright (c) 2020-2021 Strontic.