dbgcore.dll

File Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\dbgcore.dll
Description: Windows Core Debugging Helpers

Hashes

Type	Hash
MD5	`DC40CB46D05EF450684E1A1A09C0CFE3`
SHA1	`D7A177C8BDD217BC2EC4A56714EA289D837AF465`
SHA256	`4AA03E8A3A89835D2FE52375F2032002D5FC468A38A885BA306EB1F154E2251F`
SHA384	`8AEBC803A80F7247086B36DA6B25DAF6D32411BE8A1455B03E626ACDFC9A1C2FE4F5790C1B47E8FFF35BFD680232DEEF`
SHA512	`F6B3B81F0E12FEFE526B8D4C404D485E15FD96AB52ADF4C8CBC7AB43A84BA3F15E190419E095C58582C7DAE571FE7813CF241AC48179D775ACD5C800A8CDF8EE`
SSDEEP	`3072:zEqbGcbEWcgmPtELNGmpbg04HhpEXWpINKKASB0ddOMYgOxTsvmbmr1VH:zEqdEWqtCNG6gNBwWpeASB0ddOm1`
IMP	`1931C583747A3AFF6555664A0BEA87DD`
PESHA1	`95FF51B808527EE83BD3122ABC4540A96C19BC8A`
PE256	`A03E2287F371B5A69C37DD875AA8446FA93C1758DCF4F8EF2077075BD2E95FF4`

DLL Exports:

Function Name	Ordinal	Type
`MiniDumpWriteDump`	2	Exported Function
`MiniDumpReadDumpStream`	1	Exported Function

Signature

Status: Signature verified.
Serial: 33000002CF6D2CC57CAA65A6D80000000002CF
Thumbprint: 1A221B3B4FEF088B17BA6704FD088DF192D9E0EF
Issuer: CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Subject: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

Original Filename: DBGCORE.DLL
Product Name: Microsoft Windows Operating System
Company Name: Microsoft Corporation
File Version: 10.0.19041.1 (WinBuild.160101.0800)
Product Version: 10.0.19041.1
Language: English (United States)
Legal Copyright: Microsoft Corporation. All rights reserved.
Machine Type: 64-bit

File Scan

VirusTotal Detections: 0/76
VirusTotal Link: https://www.virustotal.com/gui/file/4aa03e8a3a89835d2fe52375f2032002d5fc468a38a885ba306eb1f154e2251f/detection

File Similarity (ssdeep match)

File	Score
C:\Program Files (x86)\Windows Kits\10\Debuggers\arm64\dbgcore.dll	40
C:\Program Files (x86)\Windows Kits\10\Debuggers\arm64\srcsrv\dbgcore.dll	38
C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\srcsrv\dbgcore.dll	99
C:\Windows\system32\dbgcore.dll	99

Possible Misuse

The following table contains possible examples of dbgcore.dll being misused. While dbgcore.dll is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source	Source File	Example	License
sigma	image_load_suspicious_dbghelp_dbgcore_load.yml	`title: Load of dbghelp/dbgcore DLL from Suspicious Process`	DRL 1.0
sigma	image_load_suspicious_dbghelp_dbgcore_load.yml	`description: Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.`	DRL 1.0
sigma	image_load_suspicious_dbghelp_dbgcore_load.yml	`- '\dbgcore.dll'`	DRL 1.0
sigma	proc_access_win_lsass_memdump.yml	`description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.`	DRL 1.0
sigma	proc_access_win_lsass_memdump.yml	`- 'dbgcore.dll'`	DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.