windbg.exe

  • File Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\arm\windbg.exe
  • Description: Windows GUI symbolic debugger

Screenshot

windbg.exe

Hashes

Type Hash
MD5 DA8D9E0797323466972BAF573BA7C02D
SHA1 D30AED1C1A36DCCC8EA450BDCDA91B6618421C14
SHA256 8B53689B92EE1492A61DBA5476496A807A7954E0171C1B35C906C3EAB1C37465
SHA384 C66BE4204D8812FD73C0EBC6577EC85B72FEC1486B1CAE2B7C47A6EA5F7CD897678CC0ECEA3D9B26DD191B69C43DD88F
SHA512 6923DE22E95D9D318FC12F0DA11624158FAC8B70936F4BCD2481A9379BE10868FC5803DB8593198C379B916D3AF4A4C7BE9C55798D4D9C345743A19C94B779DF
SSDEEP 6144:TQzBThs0lDuWZWwxGFZ+f1wvxKjQjhDnrEw/rl1kwJzF1MfsUZu3Gyg7nZ4GwKrk:TQzlhdc+f1yF9boC1kwJz8wOusrte4Y
IMP F97D651BFA105F22F8A9A2474779DAE8
PESHA1 E6B74D05771CCD639B898C2B43A6CE6F938E04BC
PE256 0648918A493C82086E9D586EDDDBE37FCE782CD06788BF0C63A945DC25858002

Signature

  • Status: Signature verified.
  • Serial: 33000002B7E8E007A82AEF13150000000002B7
  • Thumbprint: 5A68625F1A516670A744F7EF919500A479D32A5B
  • Issuer: CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows Kits Publisher, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: windbg.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 452

File Scan

  • VirusTotal Detections: 0/75
  • VirusTotal Link: https://www.virustotal.com/gui/file/8b53689b92ee1492a61dba5476496a807a7954e0171c1b35c906c3eab1c37465/detection

File Similarity (ssdeep match)

File Score
C:\Program Files (x86)\Windows Kits\10\Debuggers\arm64\windbg.exe 32
C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe 35

Possible Misuse

The following table contains possible examples of windbg.exe being misused. While windbg.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_susp_cdb.yml title: Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner DRL 1.0
sigma proc_creation_win_susp_cdb.yml - http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html DRL 1.0
LOLBAS Cdb.yml - Link: http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html  
signature-base gen_deviceguard_evasion.yar reference = “http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html” CC BY-NC 4.0
stockpile 7a6ba833-de40-466a-8969-5c37b13603e0.yml "windbg", Apache-2.0

MIT License. Copyright (c) 2020-2021 Strontic.