windbg.exe

  • File Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe
  • Description: Windows GUI symbolic debugger

Screenshot

windbg.exe

Hashes

Type Hash
MD5 8CC7AB7DC9C670809113929568FB3F31
SHA1 A5B6A107B4D5318D6B666E3CC831E967E999C039
SHA256 179730146A9A47DF359128F3A49BF09DE932F6F9EECF5BDC96918C5647598BC5
SHA384 4FDEFF919DD1B1B1F3CFB7618D40F8842611D4AF0101C3EBF4579C1126AA3D72465BDE020DD6A601D061AC79E131C250
SHA512 6B0D0715BBC2703076E07A55EDF378D3B9AB8FC2737947D1A7D23C1621F9D6CC323FD909C6A8366DB60166D4B28079ECBFBD9929BA974CD19429B76BCEBFC217
SSDEEP 12288:fZcJofqA3te2VZds33/VgI1y4erFR/32Ousrte4:BcGfqA3te2Si+y4enmOuge
IMP 0D94733CE3020EDCCF4DFF51CEA82E82
PESHA1 FF4A5553212033E6FC3DC28B04413CFE9520B3D0
PE256 9B6D625987984B9386D112A93AF03E1AEB03981E6DC471FD55F78D9BDEB17131

Runtime Data

Child Processes:

help.exe

Window Title:

help - WinDbg:10.0.19041.1 AMD64

Open Handles:

Path Type
(R-D) C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\sym\ntdll.pdb\1EB9FACB04C73C5DEA7160764CD333D01\ntdll.pdb File
(R-D) C:\Windows\Fonts\StaticCache.dat File
(RW-) C:\Users\user File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21 File
(RWD) C:\Windows\System32\ntdll.dll File
\BaseNamedObjects__ComCatalogCache__ Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\1\BaseNamedObjects\1dbcHWNDInterface:5802de Section
\Sessions\1\Windows\Theme1383959086 Section
\Windows\Theme2042523233 Section

Loaded Modules:

Path
C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\dbghelp.dll
C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe
C:\Windows\System32\ADVAPI32.dll
C:\Windows\System32\combase.dll
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\ole32.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\System32\SHELL32.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\USER32.dll
C:\Windows\System32\win32u.dll

Signature

  • Status: Signature verified.
  • Serial: 33000002CF6D2CC57CAA65A6D80000000002CF
  • Thumbprint: 1A221B3B4FEF088B17BA6704FD088DF192D9E0EF
  • Issuer: CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: windbg.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/76
  • VirusTotal Link: https://www.virustotal.com/gui/file/179730146a9a47df359128f3a49bf09de932f6f9eecf5bdc96918c5647598bc5/detection

File Similarity (ssdeep match)

File Score
C:\Program Files (x86)\Windows Kits\10\Debuggers\arm\windbg.exe 35

Possible Misuse

The following table contains possible examples of windbg.exe being misused. While windbg.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_susp_cdb.yml title: Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner DRL 1.0
sigma proc_creation_win_susp_cdb.yml - http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html DRL 1.0
LOLBAS Cdb.yml - Link: http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html  
signature-base gen_deviceguard_evasion.yar reference = “http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html” CC BY-NC 4.0
stockpile 7a6ba833-de40-466a-8969-5c37b13603e0.yml "windbg", Apache-2.0

MIT License. Copyright (c) 2020-2021 Strontic.