sdbinst.exe

  • File Path: C:\WINDOWS\SysWOW64\sdbinst.exe
  • Description: Application Compatibility Database Installer

Hashes

  Type    Hash
  MD5     90B941232094F8C281AE47F8C9C8C0CF
  SHA1    9B8DEC344A44CA5DA6D99E4D6675FBB3C1F09224
  SHA256  1B0883DA2CC4C1959D3FE8F6DE63FF9AD85F7CF9B229879C6F54B734E2C5F14D
  SHA384  D6C19520A88C859C3105B9C05C4CEEB2D123D3F27DBB0A13252051500B39513B27E74940299BFE017903EC27A9459848
  SHA512  23125FB4EC1006CAA64C3F64B35A386F5181CFB5865386DD0775217931FAE1CEF14E948656B90722D324E1C9828CB70C93C3DBBB6ECBD4BEF18B2488D6243DF7
  SSDEEP  384:2ehy/EpSJ0b9o0a24wdJVIGxif3+cox1IuOQVsYmsPDERzWNgWD:2e/VbXa24oIAoy1HkYmsPDER+R

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: sdbinst.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.1 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

  File                             Score
  C:\Windows\SysWOW64\sdbinst.exe  40

Possible Misuse

The following table contains possible examples of sdbinst.exe being misused. While sdbinst.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

  Source           Source File                                       Example                                                                                                                             License
  sigma            proc_creation_win_sdbinst_shim_persistence.yml    title: Possible Shim Database Persistence via sdbinst.exe                                                                           DRL 1.0
  sigma            proc_creation_win_sdbinst_shim_persistence.yml    description: Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications.    DRL 1.0
  sigma            proc_creation_win_sdbinst_shim_persistence.yml    Image|endswith: '\sdbinst.exe'                                                                                                      DRL 1.0
  atomic-red-team  T1546.011.md                                      A list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:                                  MIT License. © 2018 Red Canary
  atomic-red-team  T1546.011.md                                      sdbinst.exe #{file_path}                                                                                                            MIT License. © 2018 Red Canary
  atomic-red-team  T1546.011.md                                      sdbinst.exe -u #{file_path} >nul 2>&1                                                                                               MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.