KernelDumpDecrypt.exe

  • File Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\KernelDumpDecrypt.exe
  • Description: Windows Kernel Dump File Decryptor

Hashes

Type Hash
MD5 8990D55CD7DBA7B9A0FE25B448D2FBBF
SHA1 FF12864C1F6943F97CAE31F3CDA98EDEEEC24920
SHA256 7B422910859C6D7C46F309CE857904B06FBE867E77C552786D23376804E73806
SHA384 2DC947E64F437824DB9E1086A804812A756E2A83ABB0668490E5FE14822F95D7AC2F50CC45624243815251E9228D9872
SHA512 785D35A9F934261E8150056F6F177CE74F8B176221397C7EE4169B443C213420C0EAE47F5271D1B6A0F29A120F31B1AEDA8871CA9CA312C8462AB8C520D2D653
SSDEEP 384:52815cuxAUXQTEWaWc1IvNK/Yadeh2iaWoXWorywwGyzTzIwS+klTxXH:ko53QvPc1IvsAYe/Unryw8vdO3
IMP 1E442598CB7E6DB7CAAD1C1E6392857C
PESHA1 007172FF9059F93B0D6F362270EBD6AA9A31B485
PE256 7E75E8284C0EBD5AF4BB0FB3392C8BF4849BD0DDCC0EBFD1AF1765E447DD2E1D

Runtime Data

Usage (stdout):

Usage: KernelDumpDecrypt [args] <input.dmp> <output.dmp>
Where args is a sequence of the following:
	/user             - Use user certificate store/key store.
	/machine          - Use machine certificate store/key store.
	/keystore <name>  - Name of the key store provider.
	/keyname <name>   - Name of the key to lookup in the KSP.
	/keyfile <path>   - Path to the file containing a raw private key
	                    or a full key pair (starts with 'RSA2' magic).
	/enumproviders    - List key store providers.
	/enumkeys         - List keys in the key store.

If no key parameters are specified, the tool looks up the certificate
matching the thumbprint contained in the encrypted dump file.
If only the keyname is specified, the key will be retrieved from the
default key store for the current user.

Examples:

KernelDumpDecrypt memory.dmp memory_decr.dmp
	Decrypts memory.dmp using the private key obtained from the
	current user's certificate store. Writes memory_decr.dmp.

KernelDumpDecrypt /machine memory.dmp memory_decr.dmp
	Decrypts the dump using a key obtained from the local
	machine's certificate store.

KernelDumpDecrypt  /user /keyname "My app key" memory.dmp memory_decr.dmp
	Decrypts the dump using named key in the
	user store of the default key storage provider


Exit status: SUCCEEDED: 00000000: The operation completed successfully.
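The usage text above leaves two practical decisions to the operator: confirming that the copy of KernelDumpDecrypt.exe about to receive a (possibly sensitive) memory dump is the signed Microsoft build described on this page, and choosing between /user and /machine when the decryption certificate was enrolled into the local machine store rather than the current user's. The following PowerShell wrapper is an added example, not part of the Windows Debuggers package: it checks the binary's SHA256 and Authenticode signer thumbprint against the values listed on this page, locates the dump-encryption certificate (whose thumbprint is assumed to be known to the caller) in the CurrentUser\My or LocalMachine\My store, passes the matching store switch, and treats the exit code 0 shown above as success. The parameter names and the helper functions are this example's own.

```powershell
# Added example (not the SDK's own code): verify KernelDumpDecrypt.exe before
# use, pick /user or /machine by locating the decryption certificate, then run
# the decryption and check the exit code.
param(
    [string]$Tool = 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\KernelDumpDecrypt.exe',
    [Parameter(Mandatory)][string]$InputDump,
    [Parameter(Mandatory)][string]$OutputDump,
    # Hypothetical input: thumbprint of the certificate whose private key
    # decrypts the dump. When omitted, the tool's own default lookup applies.
    [string]$DumpCertThumbprint
)

# Reference values copied from this page for the 10.0.19041.1 x86 build.
$ExpectedSha256           = '7B422910859C6D7C46F309CE857904B06FBE867E77C552786D23376804E73806'
$ExpectedSignerThumbprint = '1A221B3B4FEF088B17BA6704FD088DF192D9E0EF'

function Test-ToolIntegrity {
    param([string]$Path)
    # Content hash first: a tampered file fails here even if re-signed.
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($hash -ne $ExpectedSha256) {
        throw "SHA256 mismatch for ${Path}: got $hash"
    }
    # Authenticode chain must validate and the leaf must be the listed signer.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        throw "Authenticode status for $Path is $($sig.Status)"
    }
    if ($sig.SignerCertificate.Thumbprint -ne $ExpectedSignerThumbprint) {
        throw "Unexpected signer thumbprint $($sig.SignerCertificate.Thumbprint)"
    }
    return $true
}

function Find-StoreArgument {
    # Returns '/user' or '/machine' depending on which personal store holds a
    # certificate with the given thumbprint and an accessible private key.
    param([string]$Thumbprint)
    $stores = @(
        @{ Path = 'Cert:\CurrentUser\My';  Arg = '/user' },
        @{ Path = 'Cert:\LocalMachine\My'; Arg = '/machine' }
    )
    foreach ($store in $stores) {
        $cert = Get-ChildItem -Path $store.Path |
            Where-Object { $_.Thumbprint -eq $Thumbprint -and $_.HasPrivateKey }
        if ($cert) { return $store.Arg }
    }
    throw "No certificate with a private key for thumbprint $Thumbprint in CurrentUser\My or LocalMachine\My"
}

Test-ToolIntegrity -Path $Tool | Out-Null

$toolArgs = @()
if ($DumpCertThumbprint) {
    $toolArgs += Find-StoreArgument -Thumbprint $DumpCertThumbprint
}
# With no store switch the tool looks up the thumbprint embedded in the dump
# in the current user's certificate store, as its usage text states.
$toolArgs += $InputDump, $OutputDump

& $Tool @toolArgs
if ($LASTEXITCODE -ne 0) {
    throw "KernelDumpDecrypt failed with exit code $LASTEXITCODE"
}
Write-Output "Decrypted $InputDump -> $OutputDump"
```

Run it as `.\Decrypt-KernelDump.ps1 -InputDump memory.dmp -OutputDump memory_decr.dmp -DumpCertThumbprint <thumbprint>` from an elevated prompt when the certificate lives in the machine store; reading a LocalMachine private key requires the caller to have been granted access to it. The integrity check compares against the hash for this specific build, so update `$ExpectedSha256` when documenting a different SDK version rather than loosening the check.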


Loaded Modules:

Path
C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\KernelDumpDecrypt.exe
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll

Signature

  • Status: Signature verified.
  • Serial: 33000002CF6D2CC57CAA65A6D80000000002CF
  • Thumbprint: 1A221B3B4FEF088B17BA6704FD088DF192D9E0EF
  • Issuer: CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: KernelDumpDecrypt.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/76
  • VirusTotal Link: https://www.virustotal.com/gui/file/7b422910859c6d7c46f309ce857904b06fbe867e77c552786d23376804e73806/detection

File Similarity (ssdeep match)

File Score
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Smart Tag\SmartTagInstall.exe 30
C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x86\pvk2pfx.exe 40
C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\convertstore.exe 40
C:\Program Files (x86)\Windows Kits\10\Redist\10.0.19041.0\ucrt\DLLs\arm\api-ms-win-core-handle-l1-1-0.dll 38
C:\Program Files (x86)\Windows Kits\10\Redist\10.0.19041.0\ucrt\DLLs\arm\api-ms-win-crt-math-l1-1-0.dll 33
C:\Program Files (x86)\Windows Kits\10\Redist\10.0.19041.0\ucrt\DLLs\arm\api-ms-win-crt-runtime-l1-1-0.dll 32
C:\Program Files (x86)\Windows Kits\10\Redist\10.0.19041.0\ucrt\DLLs\x86\api-ms-win-core-console-l1-2-0.dll 40
C:\Program Files (x86)\Windows Kits\10\Redist\10.0.19041.0\ucrt\DLLs\x86\api-ms-win-core-libraryloader-l1-1-0.dll 40
C:\Program Files (x86)\Windows Kits\10\Redist\10.0.19041.0\ucrt\DLLs\x86\api-ms-win-crt-runtime-l1-1-0.dll 43
C:\Windows\system32\downlevel\api-ms-win-core-errorhandling-l1-1-0.dll 35
C:\Windows\system32\downlevel\api-ms-win-core-localization-l1-2-0.dll 29
C:\Windows\system32\downlevel\api-ms-win-core-registry-l1-1-0.dll 32
C:\Windows\system32\downlevel\api-ms-win-core-timezone-l1-1-0.dll 35
C:\Windows\system32\downlevel\api-ms-win-crt-environment-l1-1-0.dll 35
C:\Windows\system32\downlevel\api-ms-win-shcore-stream-l1-1-0.dll 35
C:\Windows\system32\kd.dll 36
C:\Windows\SysWOW64\downlevel\api-ms-win-core-delayload-l1-1-0.dll 33
C:\Windows\SysWOW64\downlevel\api-ms-win-core-fibers-l1-1-1.dll 38
C:\Windows\SysWOW64\downlevel\api-ms-win-core-processenvironment-l1-1-0.dll 32
C:\Windows\SysWOW64\downlevel\api-ms-win-core-realtime-l1-1-0.dll 33
C:\Windows\SysWOW64\downlevel\api-ms-win-core-version-l1-1-0.dll 32
C:\Windows\SysWOW64\downlevel\api-ms-win-crt-filesystem-l1-1-0.dll 33
C:\Windows\SysWOW64\downlevel\api-ms-win-crt-stdio-l1-1-0.dll 35
C:\Windows\SysWOW64\fltLib.dll 32
C:\Windows\SysWOW64\IME\IMETC\IMTCTRLN.DLL 32

MIT License. Copyright (c) 2020-2021 Strontic.