crypt32.dll

  • File Path: C:\Windows\SysWOW64\crypt32.dll
  • Description: Crypto API32

Hashes

Type Hash
MD5 26620D486C4892D15200149924BE2CF8
SHA1 3C6F4923BCE13B6B9A9AA69CE5087086E9774195
SHA256 89B846B844E1273F840F56DFF1FC0A9E463A691C11B5726D012026F83D8368F1
SHA384 C4D2CA3C8509F7753AD30BE11B6FD409C5FA8280096318197CEC65F85CC6D74F934AF7696BBFA22B64CADD7132A5193B
SHA512 3137C9A8B06B065AD637BAB2CDF671DC25C18C8ACB3DA8C52A2B2ACBDDB1755B06B1B0BEDF9C8A6087E01C9BCB2270EA90047C92AB20BD2B6127288ACFB060AB
SSDEEP 24576:6Z7lP0MfeCGUFtVIaLGGJKVtdyPqtWjlvV0+xnCm2:6xuCeciZclV0+xCn
IMP D051A8D530A03273AA5D7B0B0D4B4C62
PESHA1 5662BAFB74D2F2174C22DE12748EBD234806F8A0
PE256 6D4E21E447DEFE033962746D1CDA7633546883C6689565C950F406AAC808E27A

DLL Exports:

Function Name Ordinal Type
CryptSetKeyIdentifierProperty 1241 Exported Function
CryptSetOIDFunctionValue 1242 Exported Function
CryptRetrieveTimeStamp 1227 Exported Function
CryptSetAsyncParam 1240 Exported Function
CryptSetProviderU 1021 Exported Function
CryptSignCertificate 1245 Exported Function
CryptSignHashU 1022 Exported Function
CryptSignAndEncodeCertificate 1243 Exported Function
CryptSignAndEncryptMessage 1244 Exported Function
CryptRegisterOIDInfo 1226 Exported Function
CryptObjectLocatorIsChanged 1019 Exported Function
CryptObjectLocatorRelease 1020 Exported Function
CryptObjectLocatorGetUpdated 1017 Exported Function
CryptObjectLocatorInitialize 1018 Exported Function
CryptProtectData 1221 Exported Function
CryptRegisterDefaultOIDFunction 1224 Exported Function
CryptRegisterOIDFunction 1225 Exported Function
CryptProtectMemory 1222 Exported Function
CryptQueryObject 1223 Exported Function
CryptSIPRetrieveSubjectGuidForCatalogFile 1238 Exported Function
CryptSIPVerifyIndirectData 1239 Exported Function
CryptSIPRemoveSignedDataMsg 1236 Exported Function
CryptSIPRetrieveSubjectGuid 1237 Exported Function
CryptStringToBinaryA 1248 Exported Function
CryptUnprotectData 1251 Exported Function
CryptUnprotectMemory 1252 Exported Function
CryptStringToBinaryW 1249 Exported Function
CryptUninstallDefaultContext 1250 Exported Function
CryptSIPRemoveProvider 1235 Exported Function
CryptSIPAddProvider 1228 Exported Function
CryptSIPCreateIndirectData 1229 Exported Function
CryptSignMessage 1246 Exported Function
CryptSignMessageWithKey 1247 Exported Function
CryptSIPGetCaps 1230 Exported Function
CryptSIPLoad 1233 Exported Function
CryptSIPPutSignedDataMsg 1234 Exported Function
CryptSIPGetSealedDigest 1231 Exported Function
CryptSIPGetSignedDataMsg 1232 Exported Function
CryptObjectLocatorGetContent 1016 Exported Function
CryptImportPublicKeyInfoEx 1198 Exported Function
CryptImportPublicKeyInfoEx2 1197 Exported Function
CryptImportPKCS8 1195 Exported Function
CryptImportPublicKeyInfo 1196 Exported Function
CryptInitOIDFunctionSet 1199 Exported Function
CryptLoadSip 1202 Exported Function
CryptMemAlloc 1203 Exported Function
CryptInstallDefaultContext 1200 Exported Function
CryptInstallOIDFunctionAddress 1201 Exported Function
CryptHashToBeSigned 1194 Exported Function
CryptGetMessageSignerCount 1187 Exported Function
CryptGetOIDFunctionAddress 1188 Exported Function
CryptGetKeyIdentifierProperty 1185 Exported Function
CryptGetMessageCertificates 1186 Exported Function
CryptGetOIDFunctionValue 1189 Exported Function
CryptHashMessage 1192 Exported Function
CryptHashPublicKeyInfo 1193 Exported Function
CryptHashCertificate 1191 Exported Function
CryptHashCertificate2 1190 Exported Function
CryptMsgOpenToEncode 1216 Exported Function
CryptMsgSignCTL 1217 Exported Function
CryptMsgGetParam 1214 Exported Function
CryptMsgOpenToDecode 1215 Exported Function
CryptMsgUpdate 1218 Exported Function
CryptObjectLocatorFree 1014 Exported Function
CryptObjectLocatorGet 1015 Exported Function
CryptMsgVerifyCountersignatureEncoded 1219 Exported Function
CryptMsgVerifyCountersignatureEncodedEx 1220 Exported Function
CryptMsgGetAndVerifySigner 1213 Exported Function
CryptMsgCalculateEncodedLength 1206 Exported Function
CryptMsgClose 1207 Exported Function
CryptMemFree 1204 Exported Function
CryptMemRealloc 1205 Exported Function
CryptMsgControl 1208 Exported Function
CryptMsgDuplicate 1211 Exported Function
CryptMsgEncodeAndSignCTL 1212 Exported Function
CryptMsgCountersign 1209 Exported Function
CryptMsgCountersignEncoded 1210 Exported Function
CryptUnregisterDefaultOIDFunction 1253 Exported Function
I_CryptReleaseLruEntry 1304 Exported Function
I_CryptRemoveLruEntry 1305 Exported Function
I_CryptReadTrustedPublisherDWORDValueFromRegistry 1302 Exported Function
I_CryptRegisterSmartCardStore 1303 Exported Function
I_CryptSetTls 1306 Exported Function
I_CryptUninstallOssGlobal 1309 Exported Function
I_CryptUnregisterSmartCardStore 1310 Exported Function
I_CryptTouchLruEntry 1307 Exported Function
I_CryptUninstallAsn1Module 1308 Exported Function
I_CryptInstallOssGlobal 1301 Exported Function
I_CryptGetFileVersion 1294 Exported Function
I_CryptGetLruEntryData 1295 Exported Function
I_CryptGetDefaultCryptProv 1292 Exported Function
I_CryptGetDefaultCryptProvForEncrypt 1293 Exported Function
I_CryptGetLruEntryIdentifier 1296 Exported Function
I_CryptInsertLruEntry 1299 Exported Function
I_CryptInstallAsn1Module 1300 Exported Function
I_CryptGetOssGlobal 1297 Exported Function
I_CryptGetTls 1298 Exported Function
RegDeleteValueU 1026 Exported Function
RegEnumValueU 1027 Exported Function
RegCreateHKCUKeyExU 1320 Exported Function
RegCreateKeyExU 1025 Exported Function
RegOpenHKCUKeyExU 1321 Exported Function
RegQueryValueExU 1030 Exported Function
RegSetValueExU 1031 Exported Function
RegOpenKeyExU 1028 Exported Function
RegQueryInfoKeyU 1029 Exported Function
PFXVerifyPassword 1319 Exported Function
I_PFXHMAC 1313 Exported Function
I_PFXImportCertStoreEx 1024 Exported Function
I_CryptWalkAllLruCacheEntries 1311 Exported Function
I_PFXDecrypt 1312 Exported Function
PFXExportCertStore 1315 Exported Function
PFXImportCertStore 1317 Exported Function
PFXIsPFXBlob 1318 Exported Function
PFXExportCertStore2 1314 Exported Function
PFXExportCertStoreEx 1316 Exported Function
I_CryptGetAsn1Encoder 1291 Exported Function
I_CertChainEngineIsDisallowedCertificate 1265 Exported Function
I_CertDiagControl 1266 Exported Function
CryptVerifySignatureU 1023 Exported Function
CryptVerifyTimeStampSignature 1264 Exported Function
I_CertFinishSslHandshake 1267 Exported Function
I_CertSrvProtectFunction 1270 Exported Function
I_CertSyncStore 1271 Exported Function
I_CertProcessSslHandshake 1268 Exported Function
I_CertProtectFunction 1269 Exported Function
CryptVerifyMessageSignatureWithKey 1263 Exported Function
CryptUpdateProtectedState 1256 Exported Function
CryptVerifyCertificateSignature 1257 Exported Function
CryptUnregisterOIDFunction 1254 Exported Function
CryptUnregisterOIDInfo 1255 Exported Function
CryptVerifyCertificateSignatureEx 1258 Exported Function
CryptVerifyMessageHash 1261 Exported Function
CryptVerifyMessageSignature 1262 Exported Function
CryptVerifyDetachedMessageHash 1259 Exported Function
CryptVerifyDetachedMessageSignature 1260 Exported Function
I_CryptFindLruEntry 1284 Exported Function
I_CryptFindLruEntryData 1285 Exported Function
I_CryptEnableLruOfEntries 1282 Exported Function
I_CryptEnumMatchingLruEntries 1283 Exported Function
I_CryptFindSmartCardCertInStore 1286 Exported Function
I_CryptFreeTls 1289 Exported Function
I_CryptGetAsn1Decoder 1290 Exported Function
I_CryptFlushLruCache 1287 Exported Function
I_CryptFreeLruCache 1288 Exported Function
I_CryptDisableLruOfEntries 1281 Exported Function
I_CryptAddRefLruEntry 1274 Exported Function
I_CryptAddSmartCardCertToStore 1275 Exported Function
I_CertUpdateStore 1272 Exported Function
I_CertWnfEnableFlushCache 1273 Exported Function
I_CryptAllocTls 1276 Exported Function
I_CryptCreateLruEntry 1279 Exported Function
I_CryptDetachTls 1280 Exported Function
I_CryptAllocTlsEx 1277 Exported Function
I_CryptCreateLruCache 1278 Exported Function
CertFindCertificateInStore 1085 Exported Function
CertFindChainInStore 1086 Exported Function
CertFindAttribute 1081 Exported Function
CertFindCertificateInCRL 1084 Exported Function
CertFindCRLInStore 1082 Exported Function
CertFindRDNAttr 1088 Exported Function
CertFindSubjectInCTL 1089 Exported Function
CertFindCTLInStore 1083 Exported Function
CertFindExtension 1087 Exported Function
CertEnumSystemStoreLocation 1080 Exported Function
CertEnumCRLContextProperties 1071 Exported Function
CertEnumCRLsInStore 1072 Exported Function
CertEnumCertificateContextProperties 1075 Exported Function
CertEnumCertificatesInStore 1076 Exported Function
CertEnumCTLContextProperties 1073 Exported Function
CertEnumSubjectInSortedCTL 1078 Exported Function
CertEnumSystemStore 1079 Exported Function
CertEnumCTLsInStore 1074 Exported Function
CertEnumPhysicalStore 1077 Exported Function
CertGetCTLContextProperty 1100 Exported Function
CertGetEnhancedKeyUsage 1103 Exported Function
CertGetCRLContextProperty 1098 Exported Function
CertGetCRLFromStore 1099 Exported Function
CertGetIntendedKeyUsage 1104 Exported Function
CertGetNameStringW 1107 Exported Function
CertGetPublicKeyLength 1108 Exported Function
CertGetIssuerCertificateFromStore 1105 Exported Function
CertGetNameStringA 1106 Exported Function
CertGetCertificateContextProperty 1102 Exported Function
CertFreeCertificateChainEngine 1094 Exported Function
CertFreeCertificateChainList 1095 Exported Function
CertFindSubjectInSortedCTL 1090 Exported Function
CertFreeCertificateChain 1093 Exported Function
CertFreeCertificateContext 1096 Exported Function
CertFreeServerOcspResponseContext 1097 Exported Function
CertGetCertificateChain 1101 Exported Function
CertFreeCRLContext 1091 Exported Function
CertFreeCTLContext 1092 Exported Function
CertDuplicateStore 1070 Exported Function
CertAddRefServerOcspResponse 1044 Exported Function
CertAddRefServerOcspResponseContext 1045 Exported Function
CertAddEncodedCTLToStore 1039 Exported Function
CertAddEnhancedKeyUsageIdentifier 1043 Exported Function
CertAddSerializedElementToStore 1046 Exported Function
CertCloseServerOcspResponse 1049 Exported Function
CertCloseStore 1050 Exported Function
CertAddStoreToCollection 1047 Exported Function
CertAlgIdToOID 1048 Exported Function
CertAddEncodedCRLToStore 1038 Exported Function
CertAddCRLContextToStore 1032 Exported Function
CertAddCRLLinkToStore 1033 Exported Function
CertAddCertificateContextToStore 1036 Exported Function
CertAddCertificateLinkToStore 1037 Exported Function
CertAddCTLContextToStore 1034 Exported Function
CertAddEncodedCertificateToSystemStoreA 1041 Exported Function
CertAddEncodedCertificateToSystemStoreW 1042 Exported Function
CertAddCTLLinkToStore 1035 Exported Function
CertAddEncodedCertificateToStore 1040 Exported Function
CertDeleteCertificateFromStore 1065 Exported Function
CertDeleteCRLFromStore 1063 Exported Function
CertCreateCTLEntryFromCertificateContextProperties 1058 Exported Function
CertCreateSelfSignCertificate 1062 Exported Function
CertDeleteCTLFromStore 1064 Exported Function
CertDuplicateCRLContext 1066 Exported Function
CertDuplicateCTLContext 1067 Exported Function
CertDuplicateCertificateChain 1068 Exported Function
CertDuplicateCertificateContext 1069 Exported Function
CertCreateCTLContext 1057 Exported Function
CertCompareIntegerBlob 1053 Exported Function
CertComparePublicKeyInfo 1054 Exported Function
CertCompareCertificate 1051 Exported Function
CertCompareCertificateName 1052 Exported Function
CertControlStore 1055 Exported Function
CertCreateContext 1061 Exported Function
CertCreateCRLContext 1056 Exported Function
CertCreateCertificateChainEngine 1059 Exported Function
CertCreateCertificateContext 1060 Exported Function
CertGetServerOcspResponseContext 1109 Exported Function
CryptCreateAsyncHandle 1160 Exported Function
CryptCreateKeyIdentifierFromCSP 1161 Exported Function
CryptBinaryToStringW 1158 Exported Function
CryptCloseAsyncHandle 1159 Exported Function
CryptDecodeMessage 1162 Exported Function
CryptDecryptAndVerifyMessageSignature 1165 Exported Function
CryptDecryptMessage 1166 Exported Function
CryptDecodeObject 1163 Exported Function
CryptDecodeObjectEx 1164 Exported Function
CryptBinaryToStringA 1157 Exported Function
CertVerifyRevocation 1151 Exported Function
CertVerifySubjectCertificateContext 1152 Exported Function
CertVerifyCRLTimeValidity 1148 Exported Function
CertVerifyCTLUsage 1149 Exported Function
CertVerifyTimeValidity 1153 Exported Function
CryptAcquireCertificatePrivateKey 1156 Exported Function
CryptAcquireContextU 1012 Exported Function
CertVerifyValidityNesting 1154 Exported Function
CreateFileU 1155 Exported Function
CryptFindLocalizedName 1178 Exported Function
CryptFindOIDInfo 1179 Exported Function
CryptExportPublicKeyInfoFromBCryptKeyHandle 1176 Exported Function
CryptFindCertificateKeyProvInfo 1177 Exported Function
CryptFormatObject 1180 Exported Function
CryptGetDefaultOIDDllList 1183 Exported Function
CryptGetDefaultOIDFunctionAddress 1184 Exported Function
CryptFreeOIDFunctionAddress 1181 Exported Function
CryptGetAsyncParam 1182 Exported Function
CryptExportPublicKeyInfoEx 1175 Exported Function
CryptEncryptMessage 1169 Exported Function
CryptEnumKeyIdentifierProperties 1170 Exported Function
CryptEncodeObject 1167 Exported Function
CryptEncodeObjectEx 1168 Exported Function
CryptEnumOIDFunction 1171 Exported Function
CryptExportPKCS8 1173 Exported Function
CryptExportPublicKeyInfo 1174 Exported Function
CryptEnumOIDInfo 1172 Exported Function
CryptEnumProvidersU 1013 Exported Function
CertVerifyCRLRevocation 1147 Exported Function
CertOpenSystemStoreA 1122 Exported Function
CertOpenSystemStoreW 1123 Exported Function
CertOpenServerOcspResponse 1120 Exported Function
CertOpenStore 1121 Exported Function
CertRDNValueToStrA 1124 Exported Function
CertRegisterSystemStore 1127 Exported Function
CertRemoveEnhancedKeyUsageIdentifier 1128 Exported Function
CertRDNValueToStrW 1125 Exported Function
CertRegisterPhysicalStore 1126 Exported Function
CertOIDToAlgId 1119 Exported Function
CertGetValidUsages 1112 Exported Function
CertIsRDNAttrsInCertificateName 1113 Exported Function
CertGetStoreProperty 1110 Exported Function
CertGetSubjectCertificateFromStore 1111 Exported Function
CertIsStrongHashToSign 1114 Exported Function
CertNameToStrA 1117 Exported Function
CertNameToStrW 1118 Exported Function
CertIsValidCRLForCertificate 1115 Exported Function
CertIsWeakHash 1116 Exported Function
CertSetEnhancedKeyUsage 1141 Exported Function
CertSetStoreProperty 1142 Exported Function
CertSetCRLContextProperty 1137 Exported Function
CertSetCTLContextProperty 1138 Exported Function
CertStrToNameA 1143 Exported Function
CertUnregisterSystemStore 1146 Exported Function
CertVerifyCertificateChainPolicy 1150 Exported Function
CertStrToNameW 1144 Exported Function
CertUnregisterPhysicalStore 1145 Exported Function
CertSetCertificateContextProperty 1140 Exported Function
CertRetrieveLogoOrBiometricInfo 1131 Exported Function
CertSaveStore 1132 Exported Function
CertRemoveStoreFromCollection 1129 Exported Function
CertResyncCertificateChainEngine 1130 Exported Function
CertSelectCertificateChains 1133 Exported Function
CertSerializeCTLStoreElement 1135 Exported Function
CertSetCertificateContextPropertiesFromCTLEntry 1139 Exported Function
CertSerializeCertificateStoreElement 1136 Exported Function
CertSerializeCRLStoreElement 1134 Exported Function

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: CRYPT32.DLL
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.21 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.21
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/68
  • VirusTotal Link: https://www.virustotal.com/gui/file/89b846b844e1273f840f56dff1fc0a9e463a691c11b5726d012026f83d8368f1/detection/

Possible Misuse

The following table contains possible examples of crypt32.dll being misused. While crypt32.dll is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
| --- | --- | --- | --- |
| malware-ioc | oceanlotus-rtf_ocx_campaigns.misp.event.json | "description": "Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file archive formats that can encrypt files are RAR and zip.\n\nOther exfiltration techniques likely apply as well to transfer the information out of the network, such as Exfiltration Over Command and Control Channel and Exfiltration Over Alternative Protocol\n\nDetection: Encryption software and encrypted files can be detected in many ways. Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known encryption utilities. This may yield a significant amount of benign events, depending on how systems in the environment are typically used. Often the encryption key is stated within command-line invocation of the software. \n\nA process that loads the Windows DLL crypt32.dll may be used to perform encryption, decryption, or verification of file signatures. \n\nNetwork traffic may also be analyzed for entropy to determine if encrypted data is being transmitted. (Citation: Zhang 2013) If the communications channel is unencrypted, encrypted files of known file types can be detected in transit during exfiltration with a network intrusion detection or data loss prevention system analyzing file headers. (Citation: Wikipedia File Header Signatures)\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: File monitoring, Binary file metadata, Process command-line parameters, Process monitoring\n\nRequires Network: No", | © ESET 2014-2018 |
| malware-ioc | rtm | crypt32.dll | © ESET 2014-2018 |
| malware-ioc | misp-turla-lightneuron-event.json | "description": "Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file archive formats that can encrypt files are RAR and zip.\n\nOther exfiltration techniques likely apply as well to transfer the information out of the network, such as Exfiltration Over Command and Control Channel and Exfiltration Over Alternative Protocol\n\nDetection: Encryption software and encrypted files can be detected in many ways. Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known encryption utilities. This may yield a significant amount of benign events, depending on how systems in the environment are typically used. Often the encryption key is stated within command-line invocation of the software. \n\nA process that loads the Windows DLL crypt32.dll may be used to perform encryption, decryption, or verification of file signatures. \n\nNetwork traffic may also be analyzed for entropy to determine if encrypted data is being transmitted. (Citation: Zhang 2013) If the communications channel is unencrypted, encrypted files of known file types can be detected in transit during exfiltration with a network intrusion detection or data loss prevention system analyzing file headers. (Citation: Wikipedia File Header Signatures)\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: File monitoring, Binary file metadata, Process command-line parameters, Process monitoring\n\nRequires Network: No", | © ESET 2014-2018 |

MIT License. Copyright (c) 2020-2021 Strontic.