Architecture | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
Compilation Date | 2009-Jul-14 01:09:52 |
Detected languages | English - United States |
Debug artifacts | rsaenh.pdb |
CompanyName | Microsoft Corporation |
FileDescription | Microsoft Enhanced Cryptographic Provider |
FileVersion | 6.1.7600.16385 (win7_rtm.090713-1255) |
InternalName | rsaenh.dll |
LegalCopyright | © Microsoft Corporation. All rights reserved. |
OriginalFilename | rsaenh.dll |
ProductName | Microsoft® Windows® Operating System |
ProductVersion | 6.1.7600.16385 |
Info | Cryptographic algorithms detected in the binary: | Uses constants related to AES |
Suspicious | The PE contains functions most legitimate programs don't use. | [!] The program may be hiding some of its imports: |
Suspicious | VirusTotal score: 1/67 (Scanned on 2021-05-22 18:10:56) | CrowdStrike: win/malicious_confidence_60% (W) |
e_magic | MZ |
---|---|
e_cblp | 0x90 |
e_cp | 0x3 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0 |
e_maxalloc | 0xffff |
e_ss | 0 |
e_sp | 0xb8 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0 |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0xd8 |
Signature | PE |
---|---|
Machine | IMAGE_FILE_MACHINE_I386 |
NumberofSections | 4 |
TimeDateStamp | 2009-Jul-14 01:09:52 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xe0 |
Characteristics | IMAGE_FILE_32BIT_MACHINE IMAGE_FILE_DLL IMAGE_FILE_EXECUTABLE_IMAGE |
Magic | PE32 |
---|---|
LinkerVersion | 9.1 |
SizeOfCode | 0x33c00 |
SizeOfInitializedData | 0x5000 |
SizeOfUninitializedData | 0 |
AddressOfEntryPoint | 0x0000128D (Section: .text) |
BaseOfCode | 0x1000 |
BaseOfData | 0x35000 |
ImageBase | 0x74e70000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x200 |
OperatingSystemVersion | 6.1 |
ImageVersion | 6.1 |
SubsystemVersion | 6.1 |
Win32VersionValue | 0 |
SizeOfImage | 0x3b000 |
SizeOfHeaders | 0x400 |
Checksum | 0x401a8 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
DllCharacteristics | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY IMAGE_DLLCHARACTERISTICS_NX_COMPAT |
SizeofStackReserve | 0x40000 |
SizeofStackCommit | 0x1000 |
SizeofHeapReserve | 0x100000 |
SizeofHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |
msvcrt.dll | _except_handler4_common _amsg_exit _initterm free malloc _XcptFilter strcpy_s memcpy memset _vsnwprintf swprintf_s wcscpy_s wcsncpy_s wcscat_s _strlwr |
---|---|
API-MS-Win-Core-LocalRegistry-L1-1-0.dll | RegCloseKey RegQueryValueExA RegOpenKeyExA |
KERNEL32.dll | VirtualAlloc VirtualProtect ReadFile RemoveDirectoryW GetModuleHandleW LoadStringBaseExW WideCharToMultiByte CreateFileMappingA MapViewOfFile UnmapViewOfFile GetSystemInfo VirtualQuery GetSystemDirectoryW SetUnhandledExceptionFilter GetLastError SetLastError FindClose lstrlenA LeaveCriticalSection EnterCriticalSection TlsSetValue TlsGetValue RaiseException lstrlenW LocalFree InitializeCriticalSection CompareStringA DeleteCriticalSection TlsFree TlsAlloc HeapFree GetProcessHeap HeapAlloc DelayLoadFailureHook GetProcAddress FreeLibrary InterlockedCompareExchange LoadLibraryExA InterlockedExchange Sleep QueryPerformanceCounter GetTickCount GetCurrentThreadId GetCurrentProcessId GetSystemTimeAsFileTime TerminateProcess GetCurrentProcess UnhandledExceptionFilter FindFirstFileExW RtlMoveMemory LocalAlloc GetCurrentThread CloseHandle HeapReAlloc MultiByteToWideChar RegSetValueExA RegCreateKeyExA GetVersionExA CreateFileW WriteFile GetFileSize MoveFileExW GetTempFileNameW GetTempPathW DeleteFileW FindNextFileW GetVersion |
ntdll.dll | RtlNtStatusToDosError NtClose RtlFreeHeap RtlReleaseRelativeName NtCreateFile RtlDosPathNameToRelativeNtPathName_U NtQueryValueKey NtOpenKey RtlInitUnicodeString RtlAllocateHeap RtlImageNtHeader |
CRYPTBASE.dll (delay-loaded) | SystemFunction041 SystemFunction036 SystemFunction040 |
Attributes | 0x1 |
---|---|
Name | CRYPTBASE.dll |
ModuleHandle | 0x350d0 |
DelayImportAddressTable | 0x35000 |
DelayImportNameTable | 0x33d6c |
BoundDelayImportTable | 0 |
UnloadDelayImportTable | 0 |
TimeStamp | 1970-Jan-01 00:00:00 |
Ordinal | Address |
---|---|
1 | 0x46b8 |
2 | 0x5d47 |
3 | 0x256eb |
4 | 0x28201 |
5 | 0x5f99 |
6 | 0x77fc |
7 | 0x2624f |
8 | 0x27545 |
9 | 0x14bb5 |
10 | 0x7e48 |
11 | 0xb4f5 |
12 | 0x4423 |
13 | 0x6066 |
14 | 0x14d62 |
15 | 0x26eac |
16 | 0xafa0 |
17 | 0x5e99 |
18 | 0x25e02 |
19 | 0x793b |
20 | 0x5a18 |
21 | 0x9d67 |
22 | 0x14c92 |
23 | 0x26d34 |
24 | 0xa639 |
25 | 0x8ec6 |
26 | 0x299da |
27 | 0x29a22 |
CAPI: The install program could not open signature file |
CAPI: The install program could not get the size of Rsabase.sig |
CAPI: The install program could not allocate memory |
CAPI: The install program could not Read Rsabase.sig |
CAPI: The install program could not open the registry |
CAPI: The install program could not write to the registry |
CAPI: The install program could not Read Rsabase.dll |
CAPI: The install program could not get the size of Rsabase.dll |
CAPI: The install program could not Read Rsabase.dll |
CAPI: The registry entry wasn't created, please reinstall rsabase.dll |
CAPI: The install program could not read the registry |
CAPI: The install failed. The rsabase.dll that is being installed doesn't match the signature file or the value in the registry |
CAPI: The install program could not find the signature resource |
CAPI: The install program could not load the resource |
Signature | 0xfeef04bd |
---|---|
StructVersion | 0x10000 |
FileVersion | 6.1.7600.16385 |
ProductVersion | 6.1.7600.16385 |
FileFlags | (EMPTY) |
FileOs | VOS_DOS_WINDOWS32 VOS_NT VOS_NT_WINDOWS32 VOS_WINCE VOS__WINDOWS32 |
FileType | VFT_DLL |
Language | English - United States |
CompanyName | Microsoft Corporation |
FileDescription | Microsoft Enhanced Cryptographic Provider |
FileVersion (#2) | 6.1.7600.16385 (win7_rtm.090713-1255) |
InternalName | rsaenh.dll |
LegalCopyright | © Microsoft Corporation. All rights reserved. |
OriginalFilename | rsaenh.dll |
ProductName | Microsoft® Windows® Operating System |
ProductVersion (#2) | 6.1.7600.16385 |
Resource LangID | English - United States |
---|---|
Characteristics | 0 |
---|---|
TimeDateStamp | 2009-Jul-13 23:37:30 |
Version | 0.0 |
SizeofData | 35 |
AddressOfRawData | 0x34ac8 |
PointerToRawData | 0x33ec8 |
Referenced File | rsaenh.pdb |
Characteristics | 0 |
---|---|
TimeDateStamp | 2009-Jul-13 23:37:30 |
Version | 565.6526 |
SizeofData | 4 |
AddressOfRawData | 0x34ac4 |
PointerToRawData | 0x33ec4 |
Size | 0x48 |
---|---|
TimeDateStamp | 1970-Jan-01 00:00:00 |
Version | 0.0 |
GlobalFlagsClear | (EMPTY) |
GlobalFlagsSet | (EMPTY) |
CriticalSectionDefaultTimeout | 0 |
DeCommitFreeBlockThreshold | 0 |
DeCommitTotalFreeThreshold | 0 |
LockPrefixTable | 0 |
MaximumAllocationSize | 0 |
VirtualMemoryThreshold | 0 |
ProcessAffinityMask | 0 |
ProcessHeapFlags | (EMPTY) |
CSDVersion | 0 |
Reserved1 | 0 |
EditList | 0 |
SecurityCookie | 0x74ea50d8 |
SEHandlerTable | 0x74e95078 |
SEHandlerCount | 1 |
XOR Key | 0xeeb4969f |
---|---|
Unmarked objects | 0 |
ASM objects (VS2008 SP1 build 30729) | 14 |
Total imports | 145 |
Imports (VS2008 SP1 build 30729) | 9 |
Exports (VS2008 SP1 build 30729) | 1 |
C objects (VS2008 SP1 build 30729) | 78 |
Linker (VS2008 SP1 build 30729) | 1 |
Resource objects (VS2008 SP1 build 30729) | 1 |