Manalyze report for 9288dea72eab10b25a6367c134559701

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2009-Jul-14 01:09:52
Detected languages	English - United States
Debug artifacts	rsaenh.pdb
CompanyName	Microsoft Corporation
FileDescription	Microsoft Enhanced Cryptographic Provider
FileVersion	`6.1.7600.16385 (win7_rtm.090713-1255)`
InternalName	rsaenh.dll
LegalCopyright	© Microsoft Corporation. All rights reserved.
OriginalFilename	rsaenh.dll
ProductName	Microsoft® Windows® Operating System
ProductVersion	`6.1.7600.16385`

Plugin Output

Info	Cryptographic algorithms detected in the binary:	`Uses constants related to AES`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryExA` `Can access the registry: RegCloseKey RegQueryValueExA RegOpenKeyExA RegSetValueExA RegCreateKeyExA` `Uses Windows's Native API: NtClose NtCreateFile NtQueryValueKey NtOpenKey` `Can create temporary files: CreateFileW GetTempPathW` `Memory manipulation functions often used by packers: VirtualAlloc VirtualProtect`
Suspicious	VirusTotal score: 1/67 (Scanned on 2021-05-22 18:10:56)	`CrowdStrike: win/malicious_confidence_60% (W)`

Hashes

MD5	`9288dea72eab10b25a6367c134559701`
SHA1	`ae3ed284bd26d96fa6f780b92752cd6f764bf0c6`
SHA256	`16602f51ec2cd5a66ee8a5c7651e23f252669981ed236acb054e6929bb784edf`
SHA3	`6eb7e4b0b08c51203169b21504d5d227b7bb41e94522663bb8c6d0567fd4a329`
SSDeep	`1536:a7FczMqqU+F2QS2V/Jzd8ijHWNbFs3IZ2R+etb7:2FczMqqDQQ/V/Jz6ij2zs3Is+eN7`
Imports Hash	`b4b7e5cd8274d2e0726f263aad1e3022`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xd8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`4`
TimeDateStamp	2009-Jul-14 01:09:52
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_DLL` `IMAGE_FILE_EXECUTABLE_IMAGE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`9.1`
SizeOfCode	`0x33c00`
SizeOfInitializedData	`0x5000`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000128D (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x35000`
ImageBase	`0x74e70000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.1`
ImageVersion	`6.1`
SubsystemVersion	`6.1`
Win32VersionValue	`0`
SizeOfImage	`0x3b000`
SizeOfHeaders	`0x400`
Checksum	`0x401a8`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT`
SizeofStackReserve	`0x40000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`7b9ee3c6f84be79598d72a533d284d83`
SHA1	`fe3be406a3d244b868417dd9553acf9f4ffea5b7`
SHA256	`0a5402448f6395fd4b387819cbe07798b495e71de16a6bdb852add49e523f845`
SHA3	`d67f2412cdce0771566753e27dff5e440d36f34f23a3cbc0e2a72f7ee047a707`
VirtualSize	`0x33aeb`
VirtualAddress	`0x1000`
SizeOfRawData	`0x33c00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`2.06596`

.data

MD5	`6007fa7a3dc66efe2b7defe79778b621`
SHA1	`4505fd52f684418eddcb00cce196b9e62baa07a8`
SHA256	`05309594b355ec59e1c16d44253d0f8a2aaa0b765ee8384a4fa70f72b92daa0c`
SHA3	`e3cd2246d18ba000e7c723bc4f902ea550bb3e4f791d30952adf2936836f261b`
VirtualSize	`0x2d04`
VirtualAddress	`0x35000`
SizeOfRawData	`0x2e00`
PointerToRawData	`0x34000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.1318`

.rsrc

MD5	`1dfdfd49b474d5f2bf550eaf3090d5a4`
SHA1	`ce3c3f10f750e9dbbf556280bb0f4756944ac07d`
SHA256	`b8bb63fe69b79e6a272c6eea9333bd3d481fa164e8d28cace22755b0472a50a7`
SHA3	`d4c6f696e45cf1e4897aa78c6d2c46ab8630b68e735bc27ad28120b938f346b6`
VirtualSize	`0xc58`
VirtualAddress	`0x38000`
SizeOfRawData	`0xe00`
PointerToRawData	`0x36e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`2.98477`

.reloc

MD5	`32ca18808933aa12e979375d07048a11`
SHA1	`ec8d8db07ace21ae014c4d7dbe42297dfe61976a`
SHA256	`a11937f356a9b0ba592c82f5290bac8016cb33a3f9bc68d3490147c158ebb10d`
SHA3	`e992cc944147660b7c3bc6822aa61cd834c320c7d8830a47fd90215b7fdbe5b0`
VirtualSize	`0x1244`
VirtualAddress	`0x39000`
SizeOfRawData	`0x1400`
PointerToRawData	`0x37c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`0`

Imports

msvcrt.dll	`_except_handler4_common` `_amsg_exit` `_initterm` `free` `malloc` `_XcptFilter` `strcpy_s` `memcpy` `memset` `_vsnwprintf` `swprintf_s` `wcscpy_s` `wcsncpy_s` `wcscat_s` `_strlwr`
API-MS-Win-Core-LocalRegistry-L1-1-0.dll	`RegCloseKey` `RegQueryValueExA` `RegOpenKeyExA`
KERNEL32.dll	`VirtualAlloc` `VirtualProtect` `ReadFile` `RemoveDirectoryW` `GetModuleHandleW` `LoadStringBaseExW` `WideCharToMultiByte` `CreateFileMappingA` `MapViewOfFile` `UnmapViewOfFile` `GetSystemInfo` `VirtualQuery` `GetSystemDirectoryW` `SetUnhandledExceptionFilter` `GetLastError` `SetLastError` `FindClose` `lstrlenA` `LeaveCriticalSection` `EnterCriticalSection` `TlsSetValue` `TlsGetValue` `RaiseException` `lstrlenW` `LocalFree` `InitializeCriticalSection` `CompareStringA` `DeleteCriticalSection` `TlsFree` `TlsAlloc` `HeapFree` `GetProcessHeap` `HeapAlloc` `DelayLoadFailureHook` `GetProcAddress` `FreeLibrary` `InterlockedCompareExchange` `LoadLibraryExA` `InterlockedExchange` `Sleep` `QueryPerformanceCounter` `GetTickCount` `GetCurrentThreadId` `GetCurrentProcessId` `GetSystemTimeAsFileTime` `TerminateProcess` `GetCurrentProcess` `UnhandledExceptionFilter` `FindFirstFileExW` `RtlMoveMemory` `LocalAlloc` `GetCurrentThread` `CloseHandle` `HeapReAlloc` `MultiByteToWideChar` `RegSetValueExA` `RegCreateKeyExA` `GetVersionExA` `CreateFileW` `WriteFile` `GetFileSize` `MoveFileExW` `GetTempFileNameW` `GetTempPathW` `DeleteFileW` `FindNextFileW` `GetVersion`
ntdll.dll	`RtlNtStatusToDosError` `NtClose` `RtlFreeHeap` `RtlReleaseRelativeName` `NtCreateFile` `RtlDosPathNameToRelativeNtPathName_U` `NtQueryValueKey` `NtOpenKey` `RtlInitUnicodeString` `RtlAllocateHeap` `RtlImageNtHeader`
CRYPTBASE.dll (delay-loaded)	`SystemFunction041` `SystemFunction036` `SystemFunction040`

Delayed Imports

Attributes	`0x1`
Name	`CRYPTBASE.dll`
ModuleHandle	`0x350d0`
DelayImportAddressTable	`0x35000`
DelayImportNameTable	`0x33d6c`
BoundDelayImportTable	`0`
UnloadDelayImportTable	`0`
TimeStamp	`1970-Jan-01 00:00:00`

CPAcquireContext

Ordinal	`1`
Address	`0x46b8`

CPCreateHash

Ordinal	`2`
Address	`0x5d47`

CPDecrypt

Ordinal	`3`
Address	`0x256eb`

CPDeriveKey

Ordinal	`4`
Address	`0x28201`

CPDestroyHash

Ordinal	`5`
Address	`0x5f99`

CPDestroyKey

Ordinal	`6`
Address	`0x77fc`

CPDuplicateHash

Ordinal	`7`
Address	`0x2624f`

CPDuplicateKey

Ordinal	`8`
Address	`0x27545`

CPEncrypt

Ordinal	`9`
Address	`0x14bb5`

CPExportKey

Ordinal	`10`
Address	`0x7e48`

CPGenKey

Ordinal	`11`
Address	`0xb4f5`

CPGenRandom

Ordinal	`12`
Address	`0x4423`

CPGetHashParam

Ordinal	`13`
Address	`0x6066`

CPGetKeyParam

Ordinal	`14`
Address	`0x14d62`

CPGetProvParam

Ordinal	`15`
Address	`0x26eac`

CPGetUserKey

Ordinal	`16`
Address	`0xafa0`

CPHashData

Ordinal	`17`
Address	`0x5e99`

CPHashSessionKey

Ordinal	`18`
Address	`0x25e02`

CPImportKey

Ordinal	`19`
Address	`0x793b`

CPReleaseContext

Ordinal	`20`
Address	`0x5a18`

CPSetHashParam

Ordinal	`21`
Address	`0x9d67`

CPSetKeyParam

Ordinal	`22`
Address	`0x14c92`

CPSetProvParam

Ordinal	`23`
Address	`0x26d34`

CPSignHash

Ordinal	`24`
Address	`0xa639`

CPVerifySignature

Ordinal	`25`
Address	`0x8ec6`

DllRegisterServer

Ordinal	`26`
Address	`0x299da`

DllUnregisterServer

Ordinal	`27`
Address	`0x29a22`

1

Type	`RT_STRING`
Language	English - United States
Codepage	UNKNOWN
Size	`0x6e0`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.25252`
MD5	`935f2bfca7fd998f44195c12b5823c93`
SHA1	`8eb5a5652f04a54ba06587142a5b20d4c366d6ff`
SHA256	`cc37aa7e13b857220e6433d1d38d6f8a22f6cf5d598775cfeeec2346463240b7`
SHA3	`85dd22d05fe1b0efd8e35b426ca43157ce2c3a500624804f3c17d44f368e9a69`

666

Type	`RT_RCDATA`
Language	English - United States
Codepage	UNKNOWN
Size	`0x90`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`0`
MD5	`45971d4e3a47775bb5a7260bb5ea3c36`
SHA1	`d77ebb25c8471fdd5c726fae9f28626670033d9a`
SHA256	`81c611f35bff79491538b2f7cf201c7597a661a5c549633541c62bdc8af1613f`
SHA3	`456545dd877291ac1c7b1e9fbef9ae1fc8e1eefe1f309ec56a5088bcbe9f9385`

667

Type	`RT_RCDATA`
Language	English - United States
Codepage	UNKNOWN
Size	`0x10`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`0`
MD5	`4ae71336e44bf9bf79d2752e234818a5`
SHA1	`e129f27c5103bc5cc44bcdf0a15e160d445066ff`
SHA256	`374708fff7719dd5979ec875d56cd2286f6d3cf7ec317a3b25632aab28ec37bb`
SHA3	`61664696888a110278ff672620c85217e69aa662a83304052f1014d395f545bf`

1 (#2)

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x3b8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.55091`
MD5	`85a06d728ad744d24226308f0d5f9da9`
SHA1	`021518c71127af5cc30001248da933e22c335219`
SHA256	`b672346d2afc7240f550cc8e32f7b703f7d482938e66eff2c3999392a1907199`
SHA3	`0fa239cba970d9d3ed9858063fc873ed17d630f65df07076ab7ab424f5bf6155`

String Table contents

CAPI: The install program could not open signature file
CAPI: The install program could not get the size of Rsabase.sig
CAPI: The install program could not allocate memory
CAPI: The install program could not Read Rsabase.sig
CAPI: The install program could not open the registry
CAPI: The install program could not write to the registry
CAPI: The install program could not Read Rsabase.dll
CAPI: The install program could not get the size of Rsabase.dll
CAPI: The install program could not Read Rsabase.dll
CAPI: The registry entry wasn't created, please reinstall rsabase.dll
CAPI: The install program could not read the registry
CAPI: The install failed. The rsabase.dll that is being installed doesn't match the signature file or the value in the registry
CAPI: The install program could not find the signature resource
CAPI: The install program could not load the resource

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	6.1.7600.16385
ProductVersion	6.1.7600.16385
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_DLL`
Language	English - United States
CompanyName	Microsoft Corporation
FileDescription	Microsoft Enhanced Cryptographic Provider
FileVersion (#2)	6.1.7600.16385 (win7_rtm.090713-1255)
InternalName	rsaenh.dll
LegalCopyright	© Microsoft Corporation. All rights reserved.
OriginalFilename	rsaenh.dll
ProductName	Microsoft® Windows® Operating System
ProductVersion (#2)	6.1.7600.16385

Resource LangID	English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2009-Jul-13 23:37:30
Version	`0.0`
SizeofData	`35`
AddressOfRawData	`0x34ac8`
PointerToRawData	`0x33ec8`
Referenced File	rsaenh.pdb

IMAGE_DEBUG_TYPE_RESERVED

Characteristics	`0`
TimeDateStamp	2009-Jul-13 23:37:30
Version	`565.6526`
SizeofData	`4`
AddressOfRawData	`0x34ac4`
PointerToRawData	`0x33ec4`

TLS Callbacks

Load Configuration

Size	`0x48`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x74ea50d8`
SEHandlerTable	`0x74e95078`
SEHandlerCount	`1`

RICH Header

XOR Key	`0xeeb4969f`
Unmarked objects	`0`
ASM objects (VS2008 SP1 build 30729)	`14`
Total imports	`145`
Imports (VS2008 SP1 build 30729)	`9`
Exports (VS2008 SP1 build 30729)	`1`
C objects (VS2008 SP1 build 30729)	`78`
Linker (VS2008 SP1 build 30729)	`1`
Resource objects (VS2008 SP1 build 30729)	`1`

Errors

[*] Warning: Could not read a WIN_CERTIFICATE's header.