windbg.exe

  • File Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\arm64\windbg.exe
  • Description: Windows GUI symbolic debugger

Screenshot

[screenshot of windbg.exe; image not reproduced]

Hashes

Type     Hash
MD5      7B9C6CAB38F6270C7324DCB375501522
SHA1     6F76ABE530B3B6F946CE0F3CD149FFDB821D7EB1
SHA256   E864C79EBAF473CD7DD5859DE079635FA09DDA67725E81C1D1907BA9E406C290
SHA384   D4E2BFC871685530F7D10BB12F32DAC3B0AA48B18758D6431E0B4D5D4F30BBF35CAF4CB5A9039AB9D38E5358108E8E4E
SHA512   867DE687517E881CC59725995D9AF6E07608C96CE74AC47DDDDC69FE5DF54D39CD310C8C030536DE31C8D44A928632F7CD6A5E0E269F70778D206639883FC451
SSDEEP   6144:RZdtMZJQwAAHsrZBJkbngc0ORL7fomCThLwQwM0yg7nZ4GwKrte4A3c:TU/HscgQ/Ct6Jusrte4Gc
IMP      58EACDD61DFF9F4A855CF087FAC2BEF8
PESHA1   266A04EE5D86B6590824D9147AFEF2F1EB7B604A
PE256    AD582815107B816232B649A95777EA0225A20A3515D2386705360BC946FC09F4

Signature

  • Status: Signature verified.
  • Serial: 33000002B7E8E007A82AEF13150000000002B7
  • Thumbprint: 5A68625F1A516670A744F7EF919500A479D32A5B
  • Issuer: CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows Kits Publisher, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: windbg.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit ARM

File Scan

  • VirusTotal Detections: 0/75
  • VirusTotal Link: https://www.virustotal.com/gui/file/e864c79ebaf473cd7dd5859de079635fa09dda67725e81c1d1907ba9e406c290/detection

File Similarity (ssdeep match)

File                                                              Score
C:\Program Files (x86)\Windows Kits\10\Debuggers\arm\windbg.exe   32

Possible Misuse

The following table contains possible examples of windbg.exe being misused. While windbg.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source          Source File                                  Example                                                                          License
sigma           proc_creation_win_susp_cdb.yml               title: Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner     DRL 1.0
sigma           proc_creation_win_susp_cdb.yml               - http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html         DRL 1.0
LOLBAS          Cdb.yml                                      - Link: http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
signature-base  gen_deviceguard_evasion.yar                  reference = "http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html"  CC BY-NC 4.0
stockpile       7a6ba833-de40-466a-8969-5c37b13603e0.yml     "windbg",                                                                        Apache-2.0

MIT License. Copyright (c) 2020-2021 Strontic.