dbgcore.dll

  • File Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\srcsrv\dbgcore.dll
  • Description: Windows Core Debugging Helpers

Hashes

Type Hash
MD5 5E5EFBC2FF0880AE227863015F8FBBBC
SHA1 A6AD1A2510279A1546A757612CD151181578F6EA
SHA256 5850BF81CF88914EC709F8A56BA8EB119F7EC82B204FA3CA3193E3FA268DFBC8
SHA384 125A59616604AE83ECFCF8373780D2646C4F4518FF6C40CEAADAA0CA6905E4773D2A63321A1A61E5C863D48368E043F1
SHA512 51F393D52050708E1EE743E5C3BAD55DF8549C09301C0D12F49300AFE978AE02FC4047F80C0B6B9F794F2F6A296E4BEDD03CEC4051915C02B67DE499D347FD87
SSDEEP 3072:LmaQASh0NdONoQOxTcdmz3QCAalrN3qnKs31pD4AlR3AqXDzePXsEf:UASh0NdO3CA6Z3qKw12AlR3AqXG9f
IMP 6B4C359DDEE8D04B59FFFFE32DA056B2
PESHA1 ECF515823A251A0B088B41735D810BC0463677F0
PE256 BA228BFC09DB6AD4DD4CB80BC449D9E3AE4AE630A61039BBF9B71408871D8545

DLL Exports:

Function Name Ordinal Type
MiniDumpWriteDump 2 Exported Function
MiniDumpReadDumpStream 1 Exported Function

Signature

  • Status: Signature verified.
  • Serial: 33000002CF6D2CC57CAA65A6D80000000002CF
  • Thumbprint: 1A221B3B4FEF088B17BA6704FD088DF192D9E0EF
  • Issuer: CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: DBGCORE.DLL
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/76
  • VirusTotal Link: https://www.virustotal.com/gui/file/5850bf81cf88914ec709f8a56ba8eb119f7ec82b204fa3ca3193e3fa268dfbc8/detection

File Similarity (ssdeep match)

File Score
C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\dbgcore.dll 97
C:\Windows\SysWOW64\dbgcore.dll 99

Possible Misuse

The following table contains possible examples of dbgcore.dll being misused. While dbgcore.dll is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma image_load_suspicious_dbghelp_dbgcore_load.yml title: Load of dbghelp/dbgcore DLL from Suspicious Process DRL 1.0
sigma image_load_suspicious_dbghelp_dbgcore_load.yml description: Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine. DRL 1.0
sigma image_load_suspicious_dbghelp_dbgcore_load.yml - '\dbgcore.dll' DRL 1.0
sigma proc_access_win_lsass_memdump.yml description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up. DRL 1.0
sigma proc_access_win_lsass_memdump.yml - 'dbgcore.dll' DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.