sdbinst.exe

  • File Path: C:\WINDOWS\system32\sdbinst.exe
  • Description: Application Compatibility Database Installer

Hashes

Type Hash
MD5 B365F6D8D8B2F42CB499179EA0693B9E
SHA1 0FFB031F0EBD08468AF267829A020EFAF6A0D60A
SHA256 794DB11EF7CAB2A0FA3D1E2128B26C2785A37E0BC7B12FB2DA371F61FDED3495
SHA384 8DBA463EDAABFE12FF19D7B69DADB890CBDDB7D1E01F3279ED926551CC3B3D82937428567281F2B672F87F5A9E55A7B1
SHA512 AAE63E85D3EDEEF41EF66EF6CE98F4A975C33E45B1485819737F3A33C9785D89936F2C8ECD0B14135D04D3950E596DD345CE0AC931CCF163610D25893635DD15
SSDEEP 384:6yiZ178Kqb8oDXYJ4/5FohU6oALA7rRi/EK5eOLCIy2BcSrWNgW:6yiZA5oU5YPU2eOWIy2BcSG

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: sdbinst.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.1 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\sdbinst.exe 40

Possible Misuse

The following table contains possible examples of sdbinst.exe being misused. While sdbinst.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_sdbinst_shim_persistence.yml title: Possible Shim Database Persistence via sdbinst.exe DRL 1.0
sigma proc_creation_win_sdbinst_shim_persistence.yml description: Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications. DRL 1.0
sigma proc_creation_win_sdbinst_shim_persistence.yml Image\|endswith: '\sdbinst.exe' DRL 1.0
atomic-red-team T1546.011.md A list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in: MIT License. © 2018 Red Canary
atomic-red-team T1546.011.md sdbinst.exe #{file_path} MIT License. © 2018 Red Canary
atomic-red-team T1546.011.md sdbinst.exe -u #{file_path} >nul 2>&1 MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.