dbgcore.dll

  • File Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\arm\dbgcore.dll
  • Description: Windows Core Debugging Helpers

Hashes

Type Hash
MD5 EA56C2C6CC1846310DA69F14C7C26883
SHA1 73480B368CE6BAAA07CBC04D9423D7D66709A443
SHA256 8A45E93A18227544A3D465510BDB7E442D85CC1AAC8D60D44218D008ABCE37C7
SHA384 3C1684703909FE89F8E786907E762316E7E4008CA36255B49CF8A675EF17B07E1EFC932A6A6D59FD8A24C04116FE642B
SHA512 638970B2D121951D19D81B0F863779938F540CA9F9D8CD223DD2A5A25D6300366D52FB5FC28D684F4E8248CC7064AB604C0FD40425042F3AFF79A1EBEE7D6D96
SSDEEP 3072:na9ASx0NdOnoQOxTcImz3rMLQHnS1P38cEPxarABe6UJksJux8M5Ap6GNhlwg3qt:MASx0NdOeLqFb5qGeTJhSAggjG
IMP A1A9F77ED03D39B171C0A02E15991E97
PESHA1 627CEC08AF53287A48E443834BE40046F58A496F
PE256 3721D889A7558918C1CA7C585CC0836507D160EBC39C63DDB9F43D05D20500BE

DLL Exports:

Function Name Ordinal Type
MiniDumpWriteDump 2 Exported Function
MiniDumpReadDumpStream 1 Exported Function

Signature

  • Status: Signature verified.
  • Serial: 33000002B7E8E007A82AEF13150000000002B7
  • Thumbprint: 5A68625F1A516670A744F7EF919500A479D32A5B
  • Issuer: CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows Kits Publisher, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: DBGCORE.DLL
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 452 (0x01C4, IMAGE_FILE_MACHINE_ARMNT; the ARM Thumb-2 build, consistent with the Debuggers\arm path above)

File Scan

  • VirusTotal Detections: 0/75
  • VirusTotal Link: https://www.virustotal.com/gui/file/8a45e93a18227544a3d465510bdb7e442d85cc1aac8d60d44218d008abce37c7/detection

File Similarity (ssdeep match)

File Score
C:\Program Files (x86)\Windows Kits\10\Debuggers\arm\srcsrv\dbgcore.dll 97

Possible Misuse

The following table contains possible examples of dbgcore.dll being misused. dbgcore.dll is not inherently malicious: it is a signed Microsoft debugging helper whose MiniDumpWriteDump export is what legitimate tools (debuggers, Task Manager, ProcDump) use to write process memory dumps. That same export is what credential-theft tooling calls to dump lsass.exe, so detections key on which process loads the DLL and on whose behalf it appears in a call stack.

Source Source File Example License
sigma image_load_suspicious_dbghelp_dbgcore_load.yml title: Load of dbghelp/dbgcore DLL from Suspicious Process DRL 1.0
sigma image_load_suspicious_dbghelp_dbgcore_load.yml description: Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecraft use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SILENTTRINITY C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine. DRL 1.0
sigma image_load_suspicious_dbghelp_dbgcore_load.yml - '\dbgcore.dll' DRL 1.0
sigma proc_access_win_lsass_memdump.yml description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up. DRL 1.0
sigma proc_access_win_lsass_memdump.yml - 'dbgcore.dll' DRL 1.0
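The two Sigma rules above work from Sysmon telemetry: Event ID 7 (ImageLoaded) for the dbgcore.dll/dbghelp.dll load, and Event ID 10 (ProcessAccess) for a handle to lsass.exe whose CallTrace passes through one of those DLLs. The script below is an added example, not Strontic's or the Sigma project's code; it re-implements the intent of both rules in simplified form over constructed Sysmon-style events. The suspicious-loader list and the GrantedAccess masks are illustrative assumptions (the rules keep their own, longer selections), and the sample events are constructed, not real telemetry.

```python
"""Added example (not Strontic's or Sigma's code): simplified re-implementation
of the two Sigma rules cited on this page over constructed Sysmon-style events.
Loader list and access masks are assumptions, not the rules' exact selections."""

DUMP_DLLS = ("\\dbgcore.dll", "\\dbghelp.dll")

# Assumption: a small set of script hosts and LOLBins that should never be
# writing minidumps. The Sigma rule carries its own, longer list.
SUSPICIOUS_LOADERS = (
    "\\powershell.exe", "\\pwsh.exe", "\\cmd.exe", "\\wscript.exe",
    "\\cscript.exe", "\\mshta.exe", "\\rundll32.exe", "\\regsvr32.exe",
)

# Assumption: access masks dumpers typically request on lsass.exe
# (PROCESS_ALL_ACCESS and QUERY_INFORMATION | VM_READ variants).
DUMP_ACCESS_MASKS = {0x1FFFFF, 0x1010, 0x1410, 0x1438}


def _ends_with_any(path, suffixes):
    # Windows paths are case-insensitive; Sysmon preserves the caller's casing,
    # so normalise before matching (a dumper may well write DBGCORE.DLL).
    p = path.lower()
    return any(p.endswith(s) for s in suffixes)


def check_image_load(ev):
    """Sysmon Event ID 7: dump helper DLL loaded by a process that should not need it."""
    if ev.get("EventID") != 7:
        return None
    if not _ends_with_any(ev.get("ImageLoaded", ""), DUMP_DLLS):
        return None
    if not _ends_with_any(ev.get("Image", ""), SUSPICIOUS_LOADERS):
        return None  # e.g. windbg.exe loading dbgcore.dll is expected
    return "suspicious_dbghelp_dbgcore_load"


def check_lsass_access(ev):
    """Sysmon Event ID 10: lsass.exe opened with a dump-capable mask while
    dbgcore.dll/dbghelp.dll (home of MiniDumpWriteDump) is on the call stack."""
    if ev.get("EventID") != 10:
        return None
    if not _ends_with_any(ev.get("TargetImage", ""), ("\\lsass.exe",)):
        return None
    try:
        granted = int(ev.get("GrantedAccess", "0"), 16)  # Sysmon logs a hex string
    except ValueError:
        return None
    if granted not in DUMP_ACCESS_MASKS:
        return None
    # CallTrace is a '|'-separated list of "module+offset" frames.
    frames = ev.get("CallTrace", "").lower().split("|")
    if not any(dll in frame for frame in frames for dll in DUMP_DLLS):
        return None
    return "lsass_memdump"


def scan(events):
    """Return (rule, offending process image) for every event matching a rule."""
    hits = []
    for ev in events:
        rule = check_image_load(ev) or check_lsass_access(ev)
        if rule:
            hits.append((rule, ev.get("Image") or ev.get("SourceImage")))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Benign: the debugger itself loading its own helper DLL.
    {"EventID": 7,
     "Image": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe",
     "ImageLoaded": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\dbgcore.dll"},
    # Suspicious: a script host pulling in the dump helper, mixed-case path.
    {"EventID": 7,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": r"C:\Windows\System32\DBGCORE.DLL"},
    # Suspicious: full access to lsass.exe with dbgcore.dll in the call stack.
    {"EventID": 10, "SourceImage": r"C:\Users\Public\dumper.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d234|C:\Windows\System32\KERNELBASE.dll+2c5a6|"
                  r"C:\Users\Public\dbgcore.dll+1a40|C:\Users\Public\dumper.exe+1234"},
    # Benign: a low-privilege handle with no dump helper on the stack.
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1000",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d234|C:\Windows\System32\KERNELBASE.dll+2c5a6"},
]

if __name__ == "__main__":
    for rule, image in scan(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

Running the block flags the powershell.exe load and the dumper.exe handle to lsass.exe, and stays quiet for windbg.exe and svchost.exe. The CallTrace check is the part worth keeping when tuning: a copy of dbgcore.dll dropped next to the attacker's binary still shows up by name in the stack, which is why the Sigma rule matches on the DLL name rather than on its path or hash.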

MIT License. Copyright (c) 2020-2021 Strontic.