dbgcore.dll
- File Path:
C:\Program Files (x86)\Windows Kits\10\Debuggers\arm64\dbgcore.dll
- Description: Windows Core Debugging Helpers
Hashes
Type | Hash |
---|---|
MD5 | E0E1571F0E3CF5F55A40575DC0958271 |
SHA1 | AB62912BD51037264ACD6D6D7B89D4DB0EADB985 |
SHA256 | DE927FBCD3F8ECE16EF13067BA7FE1C9C6C2731FFCF86CBE858B752A3B7B16B8 |
SHA384 | 017BB6E9BBD1FD2F4B21E54DB61DE49CCDFD823BFDA6872F9887D5F0F3556568358A12E66B061A0BAE6C09769F624461 |
SHA512 | F5939864864A4D1173A62CFA60EF09A6B1749D10326A26BC7EACE3D43D092D8AEA05C22265C0F165C309C3424181D9FC592D0EDEA47FF9377E4E5652A43372FF |
SSDEEP | 3072:wEVY9LNBeRSV8zVU2zqH/gNHHFjyItCDPU6KgASB0ddOyYgOxTsombAay8kY:wywX0SVW6LH/gNFjZCDPzASB0ddO3aye |
IMP | 226ECB2A33EFE15D0F17C78CA601BDEB |
PESHA1 | CD05AC5C586B4F128A66570E6078AD20B23B060A |
PE256 | 59324828EB48D13876669EF8898D6B24E724433F0FE44B75BFE20C6C80D4E6DA |
Signature
- Status: Signature verified.
- Serial:
33000002B7E8E007A82AEF13150000000002B7
- Thumbprint:
5A68625F1A516670A744F7EF919500A479D32A5B
- Issuer: CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows Kits Publisher, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: DBGCORE.DLL
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.19041.1 (WinBuild.160101.0800)
- Product Version: 10.0.19041.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit ARM
File Scan
- VirusTotal Detections: Unknown
File Similarity (ssdeep match)
Possible Misuse
The following table contains possible examples of dbgcore.dll
being misused. While dbgcore.dll
is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
Source | Source File | Example | License |
---|---|---|---|
sigma | image_load_suspicious_dbghelp_dbgcore_load.yml | title: Load of dbghelp/dbgcore DLL from Suspicious Process |
DRL 1.0 |
sigma | image_load_suspicious_dbghelp_dbgcore_load.yml | description: Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine. |
DRL 1.0 |
sigma | image_load_suspicious_dbghelp_dbgcore_load.yml | - '\dbgcore.dll' |
DRL 1.0 |
sigma | proc_access_win_lsass_memdump.yml | description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up. |
DRL 1.0 |
sigma | proc_access_win_lsass_memdump.yml | - 'dbgcore.dll' |
DRL 1.0 |
MIT License. Copyright (c) 2020-2021 Strontic.