ntsd.exe
- File Path:
C:\Program Files (x86)\Windows Kits\10\Debuggers\arm64\ntsd.exe - Description: Symbolic Debugger for Windows
Screenshot
Hashes
| Type | Hash |
|---|---|
| MD5 | 10CA7814A78DFC8207BFA64240580478 |
| SHA1 | 0AE0DB47527EEF74AB88C56760F59C6AF0ACE938 |
| SHA256 | BB00E51E6E6611E03464E640D31ABB3DED6ED9FEF6C65756B2341B4F39AD9776 |
| SHA384 | FCB50398E0BC6FD2BB1981D544445C74E24C4446FE2E0EA157BB74872DC74388AEEEA431CCEA1F4C0BD61C693E2F8362 |
| SHA512 | B74B6E3158B88D0BC91C0CE09C34404703FC491C6F56A7D807BEA1D02B29DD749BE48925B59EB7097053669D26FC3E645A506AF766FD2A8B9956F16E463BE4CD |
| SSDEEP | 3072:0rVzuP+Sxcu4YSr/31prVX7MJmpATeKT1zxbFgJX:wVzuP+Sxcu4lvy1bFgx |
| IMP | 104A4B4F037EE805C8AB64205777A309 |
| PESHA1 | 16C37D233A6C70C4F6A1A0B06C19225676CCFC79 |
| PE256 | 892A31A14D0B983EF54F8CB4550CB05A488DC179C300DB2278B9523FB8E28953 |
Signature
- Status: Signature verified.
- Serial:
33000002B7E8E007A82AEF13150000000002B7 - Thumbprint:
5A68625F1A516670A744F7EF919500A479D32A5B - Issuer: CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows Kits Publisher, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: NTSD.Exe
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.19041.1 (WinBuild.160101.0800)
- Product Version: 10.0.19041.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit ARM
File Scan
- VirusTotal Detections: Unknown
Possible Misuse
The following table contains possible examples of ntsd.exe being misused. While ntsd.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| atomic-red-team | T1546.012.md | <blockquote>Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe). (Citation: Microsoft Dev Blog IFEO Mar 2010) |
MIT License. © 2018 Red Canary |
MIT License. Copyright (c) 2020-2021 Strontic.