dbgcore.dll

  • File Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\dbgcore.dll
  • Description: Windows Core Debugging Helpers

Hashes

Type Hash
MD5 844F24E2DE8C9E585D310450FFC2FBDC
SHA1 C083113FF9FA9E788CE84CB02093D2CCE8F3CEDC
SHA256 C988D044ECEE004544ABEAFC602CABB48202249417E4EBC5A1D56EA920884B97
SHA384 B06E5B16F2090329580D2738B2498C6D492712C7AC07EE603EA59A26D53EBA9E6538FD09B9AA2963A19E4C07F469C4D5
SHA512 F81C51B4DF4774322F7674DC1D13402D68C61B64639A2CA8A23728CDFBACBE2831B79CC81C625D6ED4A74557D7D9F4EB0492309616F13CACC229D4DE2836DD6D
SSDEEP 3072:HmaQASh0NdONoQOxTcdmz3QCAalrN3qnKs31pD4AlR3AqXDzePXsEz:4ASh0NdO3CA6Z3qKw12AlR3AqXG9z
IMP 6B4C359DDEE8D04B59FFFFE32DA056B2
PESHA1 ECF515823A251A0B088B41735D810BC0463677F0
PE256 BA228BFC09DB6AD4DD4CB80BC449D9E3AE4AE630A61039BBF9B71408871D8545

DLL Exports:

Function Name Ordinal Type
MiniDumpWriteDump 2 Exported Function
MiniDumpReadDumpStream 1 Exported Function

Signature

  • Status: Signature verified.
  • Serial: 33000002CF6D2CC57CAA65A6D80000000002CF
  • Thumbprint: 1A221B3B4FEF088B17BA6704FD088DF192D9E0EF
  • Issuer: CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: DBGCORE.DLL
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/76
  • VirusTotal Link: https://www.virustotal.com/gui/file/c988d044ecee004544abeafc602cabb48202249417e4ebc5a1d56ea920884b97/detection

File Similarity (ssdeep match)

File Score
C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\srcsrv\dbgcore.dll 97
C:\Windows\SysWOW64\dbgcore.dll 99

Possible Misuse

The following table contains possible examples of dbgcore.dll being misused. While dbgcore.dll is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma image_load_suspicious_dbghelp_dbgcore_load.yml title: Load of dbghelp/dbgcore DLL from Suspicious Process DRL 1.0
sigma image_load_suspicious_dbghelp_dbgcore_load.yml description: Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine. DRL 1.0
sigma image_load_suspicious_dbghelp_dbgcore_load.yml - '\dbgcore.dll' DRL 1.0
sigma proc_access_win_lsass_memdump.yml description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up. DRL 1.0
sigma proc_access_win_lsass_memdump.yml - 'dbgcore.dll' DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.