KernelDumpDecrypt.exe
- File Path:
C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\KernelDumpDecrypt.exe
- Description: Windows Kernel Dump File Decryptor
Hashes
| Type |
Hash |
| MD5 |
8990D55CD7DBA7B9A0FE25B448D2FBBF |
| SHA1 |
FF12864C1F6943F97CAE31F3CDA98EDEEEC24920 |
| SHA256 |
7B422910859C6D7C46F309CE857904B06FBE867E77C552786D23376804E73806 |
| SHA384 |
2DC947E64F437824DB9E1086A804812A756E2A83ABB0668490E5FE14822F95D7AC2F50CC45624243815251E9228D9872 |
| SHA512 |
785D35A9F934261E8150056F6F177CE74F8B176221397C7EE4169B443C213420C0EAE47F5271D1B6A0F29A120F31B1AEDA8871CA9CA312C8462AB8C520D2D653 |
| SSDEEP |
384:52815cuxAUXQTEWaWc1IvNK/Yadeh2iaWoXWorywwGyzTzIwS+klTxXH:ko53QvPc1IvsAYe/Unryw8vdO3 |
| IMP |
1E442598CB7E6DB7CAAD1C1E6392857C |
| PESHA1 |
007172FF9059F93B0D6F362270EBD6AA9A31B485 |
| PE256 |
7E75E8284C0EBD5AF4BB0FB3392C8BF4849BD0DDCC0EBFD1AF1765E447DD2E1D |
Runtime Data
Usage (stdout):
Usage: KernelDumpDecrypt [args] <input.dmp> <output.dmp>
Where args is a sequence of the following:
/user - Use user certificate store/key store.
/machine - Use machine certificate store/key store.
/keystore <name> - Name of the key store provider.
/keyname <name> - Name of the key to lookup in the KSP.
/keyfile <path> - Path to the file containing a raw private key
or a full key pair (starts with 'RSA2' magic).
/enumproviders - List key store providers.
/enumkeys - List keys in the key store.
If no key parameters are specified, the tool looks up the certificate
matching the thumbprint contained in the encrypted dump file.
If only the keyname is specified, the key will be retrieved from the
default key store for the current user.
Examples:
KernelDumpDecrypt memory.dmp memory_decr.dmp
Decrypts memory.dmp using the private key obtained from the
current user's certificate store. Writes memory_decr.dmp.
KernelDumpDecrypt /machine memory.dmp memory_decr.dmp
Decrypts the dump using a key obtained from the local
machine's certificate store.
KernelDumpDecrypt /user /keyname "My app key" memory.dmp memory_decr.dmp
Decrypts the dump using named key in the
user store of the default key storage provider
Exit status: SUCCEEDED: 00000000: The operation completed successfully.
Loaded Modules:
| Path |
| C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\KernelDumpDecrypt.exe |
| C:\Windows\SYSTEM32\ntdll.dll |
| C:\Windows\System32\wow64.dll |
| C:\Windows\System32\wow64cpu.dll |
| C:\Windows\System32\wow64win.dll |
Signature
- Status: Signature verified.
- Serial:
33000002CF6D2CC57CAA65A6D80000000002CF
- Thumbprint:
1A221B3B4FEF088B17BA6704FD088DF192D9E0EF
- Issuer: CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Original Filename: KernelDumpDecrypt.exe
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.19041.1 (WinBuild.160101.0800)
- Product Version: 10.0.19041.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 32-bit
File Scan
- VirusTotal Detections: 0/76
- VirusTotal Link: https://www.virustotal.com/gui/file/7b422910859c6d7c46f309ce857904b06fbe867e77c552786d23376804e73806/detection
File Similarity (ssdeep match)
MIT License. Copyright (c) 2020-2021 Strontic.