windbg.exe
- File Path:
C:\Program Files (x86)\Windows Kits\10\Debuggers\arm\windbg.exe - Description: Windows GUI symbolic debugger
Screenshot
Hashes
| Type | Hash |
|---|---|
| MD5 | DA8D9E0797323466972BAF573BA7C02D |
| SHA1 | D30AED1C1A36DCCC8EA450BDCDA91B6618421C14 |
| SHA256 | 8B53689B92EE1492A61DBA5476496A807A7954E0171C1B35C906C3EAB1C37465 |
| SHA384 | C66BE4204D8812FD73C0EBC6577EC85B72FEC1486B1CAE2B7C47A6EA5F7CD897678CC0ECEA3D9B26DD191B69C43DD88F |
| SHA512 | 6923DE22E95D9D318FC12F0DA11624158FAC8B70936F4BCD2481A9379BE10868FC5803DB8593198C379B916D3AF4A4C7BE9C55798D4D9C345743A19C94B779DF |
| SSDEEP | 6144:TQzBThs0lDuWZWwxGFZ+f1wvxKjQjhDnrEw/rl1kwJzF1MfsUZu3Gyg7nZ4GwKrk:TQzlhdc+f1yF9boC1kwJz8wOusrte4Y |
| IMP | F97D651BFA105F22F8A9A2474779DAE8 |
| PESHA1 | E6B74D05771CCD639B898C2B43A6CE6F938E04BC |
| PE256 | 0648918A493C82086E9D586EDDDBE37FCE782CD06788BF0C63A945DC25858002 |
Signature
- Status: Signature verified.
- Serial:
33000002B7E8E007A82AEF13150000000002B7 - Thumbprint:
5A68625F1A516670A744F7EF919500A479D32A5B - Issuer: CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows Kits Publisher, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: windbg.exe
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.19041.1 (WinBuild.160101.0800)
- Product Version: 10.0.19041.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 452
File Scan
- VirusTotal Detections: 0/75
- VirusTotal Link: https://www.virustotal.com/gui/file/8b53689b92ee1492a61dba5476496a807a7954e0171c1b35c906c3eab1c37465/detection
File Similarity (ssdeep match)
| File | Score |
|---|---|
| C:\Program Files (x86)\Windows Kits\10\Debuggers\arm64\windbg.exe | 32 |
| C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe | 35 |
Possible Misuse
The following table contains possible examples of windbg.exe being misused. While windbg.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | proc_creation_win_susp_cdb.yml | title: Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner |
DRL 1.0 |
| sigma | proc_creation_win_susp_cdb.yml | - http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html |
DRL 1.0 |
| LOLBAS | Cdb.yml | - Link: http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html |
|
| signature-base | gen_deviceguard_evasion.yar | reference = “http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html” | CC BY-NC 4.0 |
| stockpile | 7a6ba833-de40-466a-8969-5c37b13603e0.yml | "windbg", |
Apache-2.0 |
MIT License. Copyright (c) 2020-2021 Strontic.