dbgcore.dll

  • File Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\arm64\srcsrv\dbgcore.dll
  • Description: Windows Core Debugging Helpers

Hashes

Type Hash
MD5 50F6AF4FE83736A5EEEFB4CCE33D187C
SHA1 D9CCF31FB95F37F9D8E61BBED039EAA8E7F8263C
SHA256 E0F1EBA3C311C90CFABA0DA7BCF167AD0654C77521B75F5955F7AAB62BAF8EE1
SHA384 0ACC64D59B12C9197932E407C8BC50BEB5E64C70963B6C759E15C764D5AC2650762008E087A51A854F36F3B903A754E4
SHA512 CA4FC233AF48AA2759E8D779DF2D6F81F333DB14C9F719C80D2BB6221B0F7C47F840901669554CD1E197294595AEF35D0E519FF87947FDAFD8F8C0C1C0124FF0
SSDEEP 3072:eEVY9LNBeRSV8zVU2zqH/gNHHFjyItCDPU6KgASB0ddOyYgOxTsombAay8kGvp:eywX0SVW6LH/gNFjZCDPzASB0ddO3ays
IMP 226ECB2A33EFE15D0F17C78CA601BDEB
PESHA1 CD05AC5C586B4F128A66570E6078AD20B23B060A
PE256 59324828EB48D13876669EF8898D6B24E724433F0FE44B75BFE20C6C80D4E6DA

Signature

  • Status: Signature verified.
  • Serial: 33000002B7E8E007A82AEF13150000000002B7
  • Thumbprint: 5A68625F1A516670A744F7EF919500A479D32A5B
  • Issuer: CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows Kits Publisher, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: DBGCORE.DLL
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit ARM

File Scan

  • VirusTotal Detections: Unknown

File Similarity (ssdeep match)

Score  File
96     C:\Program Files (x86)\Windows Kits\10\Debuggers\arm64\dbgcore.dll
38     C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\dbgcore.dll
38     C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\srcsrv\dbgcore.dll
38     C:\Windows\system32\dbgcore.dll

Possible Misuse

The following table lists public detection rules that reference dbgcore.dll, as examples of how it can be misused. dbgcore.dll is not inherently malicious: it is a signed Microsoft debugging helper. However, the minidump functionality it exports (MiniDumpWriteDump) is the same API attackers use to dump credential material from processes such as lsass.exe, so a load of this DLL by, or its presence on the call stack of, an unexpected process is a useful detection signal.

Source / Source File / Example / License

  • sigma, image_load_suspicious_dbghelp_dbgcore_load.yml (DRL 1.0):
      title: Load of dbghelp/dbgcore DLL from Suspicious Process
      description: Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecraft use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.
      - '\dbgcore.dll'
  • sigma, proc_access_win_lsass_memdump.yml (DRL 1.0):
      description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.
      - 'dbgcore.dll'
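The two rules above express the same idea from two angles: an image-load event where a process that has no business producing minidumps loads dbgcore.dll, and a process-access event against lsass.exe whose call trace passes through dbgcore.dll. The following Python is an added example (not Strontic's code and not the Sigma project's rule logic) that applies both checks to a handful of constructed Sysmon-style events. The field names follow Sysmon event 7 (Image loaded) and event 10 (Process accessed); the suspicious-loader shortlist, the access-mask check and the sample events are assumptions for illustration, and the real rules carry longer lists and extra conditions.

```python
# Added example: minimal detection logic for the two Sigma rules referencing dbgcore.dll,
# run over constructed Sysmon-style events. Not part of the original page or the Sigma rules.

DEBUG_DLLS = ("\\dbghelp.dll", "\\dbgcore.dll")

# Hypothetical shortlist of living-off-the-land binaries that should never load a
# minidump helper. The real rule's Image list is longer; this is an assumption.
SUSPICIOUS_LOADERS = (
    "\\rundll32.exe", "\\regsvr32.exe", "\\mshta.exe",
    "\\wscript.exe", "\\cscript.exe", "\\certutil.exe",
)

# winnt.h process access rights. MiniDumpWriteDump needs at least VM_READ on the
# target, so a GrantedAccess mask without that bit cannot be a dump (assumed refinement).
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400

# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS = [
    # Legitimate: the debugger itself loading its private copy of dbgcore.dll.
    {"EventID": 7,
     "Image": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\arm64\windbg.exe",
     "ImageLoaded": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\arm64\srcsrv\dbgcore.dll"},
    # Suspicious: rundll32.exe pulling in the system dbgcore.dll.
    {"EventID": 7,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Windows\System32\dbgcore.dll"},
    # Benign LSASS access: limited query rights, no debug helper on the stack.
    {"EventID": 10,
     "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1000",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9c0a4|C:\Windows\System32\KERNELBASE.dll+2e5a0"},
    # Suspicious: a dropped binary reading lsass memory with dbgcore.dll in the call trace.
    {"EventID": 10,
     "SourceImage": r"C:\Users\Public\pd.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1410",
     "CallTrace": (r"C:\Windows\SYSTEM32\ntdll.dll+9c0a4|C:\Windows\System32\KERNELBASE.dll+2e5a0"
                   r"|C:\Windows\System32\dbgcore.dll+1a5b3|C:\Users\Public\pd.exe+4c1f")},
]


def suspicious_dbgcore_load(ev: dict) -> bool:
    """Sysmon event 7: dbghelp/dbgcore loaded by a process on the suspicious-loader list."""
    if ev.get("EventID") != 7:
        return False
    loaded = ev.get("ImageLoaded", "").lower()
    image = ev.get("Image", "").lower()
    return loaded.endswith(DEBUG_DLLS) and image.endswith(SUSPICIOUS_LOADERS)


def lsass_memdump_access(ev: dict) -> bool:
    """Sysmon event 10: lsass.exe opened with read access and a debug helper on the call trace."""
    if ev.get("EventID") != 10:
        return False
    if not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return False
    granted = int(ev.get("GrantedAccess", "0x0"), 16)
    if granted & PROCESS_VM_READ != PROCESS_VM_READ:
        return False
    # CallTrace is a '|'-separated list of module+offset frames, innermost first.
    frames = [frame.lower() for frame in ev.get("CallTrace", "").split("|")]
    return any(dll in frame for frame in frames for dll in DEBUG_DLLS)


RULES = (
    ("suspicious_dbghelp_dbgcore_load", suspicious_dbgcore_load),
    ("lsass_memdump", lsass_memdump_access),
)


def scan(events: list) -> list:
    """Return (rule_name, event_index) for every event that matches a rule."""
    hits = []
    for idx, ev in enumerate(events):
        for name, rule in RULES:
            if rule(ev):
                hits.append((name, idx))
    return hits


if __name__ == "__main__":
    for name, idx in scan(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{name}] event {idx}: {ev.get('Image') or ev.get('SourceImage')}")
```

Both rules fire on an ordinary Task Manager "Create dump file" or a developer's ProcDump run as well, exactly as the second rule's own description admits, so in production the matches need an allow-list keyed on the signed source image rather than on the DLL path alone.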

MIT License. Copyright (c) 2020-2021 Strontic.