crypt32.dll

  • File Path: C:\Windows\system32\crypt32.dll
  • Description: Crypto API32

Hashes

Type Hash
MD5 37F8F54AA694510809DBA2736A0194F0
SHA1 DEDFDA425C0B3D7815A1B7FB00FFB04705340258
SHA256 08ED695DCE1F42B48D18A3752FB2AFC0CEBD899F04B4BCB994F8F5E4810A1EFF
SHA384 A963711D7C4C4E8D0B74683F63739C9961E76CE5B28B7E4B2FD6ACD710D30E779E2198A94A7D4BAC18749B0941CEDB42
SHA512 10CD2E7A9499E4346FD3A17403CADC611F9A5419ACA08C3D1173CAB5A0DE337F74A8C33832E0CD552FC53F14F1FED3E923967EF822C8CCD1A045034D7F8ECF55
SSDEEP 24576:VBOTZPa5PWh+Yd5mQBi/ioxQnm6LbKDZnFZs8BA1do/nZNAvTfKVyZBg:+TZPaBWLd5mpaoBUsFq8BAgTA+VyM
IMP D9C37EA27DDC4B8CE07F3722E40E06E9
PESHA1 4CC401142F90023495CBD3AF663ACA12EC4DB4F9
PE256 A7DA195ACE62A6807D0E41656743848ADB54C562AFB7A2CD8672A7B80D49169A

DLL Exports:

Function Name Ordinal Type
CryptProtectMemory 1209 Exported Function
CryptQueryObject 1210 Exported Function
CryptObjectLocatorRelease 1018 Exported Function
CryptProtectData 1208 Exported Function
CryptRegisterDefaultOIDFunction 1211 Exported Function
CryptRetrieveTimeStamp 1214 Exported Function
CryptSetAsyncParam 1227 Exported Function
CryptRegisterOIDFunction 1212 Exported Function
CryptRegisterOIDInfo 1213 Exported Function
CryptMsgVerifyCountersignatureEncodedEx 1207 Exported Function
CryptObjectLocatorFree 1012 Exported Function
CryptMsgUpdate 1205 Exported Function
CryptMsgVerifyCountersignatureEncoded 1206 Exported Function
CryptObjectLocatorGet 1013 Exported Function
CryptObjectLocatorInitialize 1016 Exported Function
CryptObjectLocatorIsChanged 1017 Exported Function
CryptObjectLocatorGetContent 1014 Exported Function
CryptObjectLocatorGetUpdated 1015 Exported Function
CryptSIPGetSignedDataMsg 1219 Exported Function
CryptSIPLoad 1220 Exported Function
CryptSIPGetCaps 1217 Exported Function
CryptSIPGetSealedDigest 1218 Exported Function
CryptSIPPutSignedDataMsg 1221 Exported Function
CryptSIPRetrieveSubjectGuid 1224 Exported Function
CryptSIPRetrieveSubjectGuidForCatalogFile 1225 Exported Function
CryptSIPRemoveProvider 1222 Exported Function
CryptSIPRemoveSignedDataMsg 1223 Exported Function
CryptSignAndEncodeCertificate 1230 Exported Function
CryptSignAndEncryptMessage 1231 Exported Function
CryptSetKeyIdentifierProperty 1228 Exported Function
CryptSetOIDFunctionValue 1229 Exported Function
CryptSignCertificate 1232 Exported Function
CryptSIPAddProvider 1215 Exported Function
CryptSIPCreateIndirectData 1216 Exported Function
CryptSignMessage 1233 Exported Function
CryptSignMessageWithKey 1234 Exported Function
CryptMsgSignCTL 1204 Exported Function
CryptHashMessage 1179 Exported Function
CryptHashPublicKeyInfo 1180 Exported Function
CryptHashCertificate 1177 Exported Function
CryptHashCertificate2 1178 Exported Function
CryptHashToBeSigned 1181 Exported Function
CryptImportPublicKeyInfoEx 1184 Exported Function
CryptImportPublicKeyInfoEx2 1185 Exported Function
CryptImportPKCS8 1182 Exported Function
CryptImportPublicKeyInfo 1183 Exported Function
CryptGetDefaultOIDDllList 1170 Exported Function
CryptGetDefaultOIDFunctionAddress 1171 Exported Function
CryptFreeOIDFunctionAddress 1168 Exported Function
CryptGetAsyncParam 1169 Exported Function
CryptGetKeyIdentifierProperty 1172 Exported Function
CryptGetOIDFunctionAddress 1175 Exported Function
CryptGetOIDFunctionValue 1176 Exported Function
CryptGetMessageCertificates 1173 Exported Function
CryptGetMessageSignerCount 1174 Exported Function
CryptMsgCountersignEncoded 1197 Exported Function
CryptMsgDuplicate 1198 Exported Function
CryptMsgControl 1195 Exported Function
CryptMsgCountersign 1196 Exported Function
CryptMsgEncodeAndSignCTL 1199 Exported Function
CryptMsgOpenToDecode 1202 Exported Function
CryptMsgOpenToEncode 1203 Exported Function
CryptMsgGetAndVerifySigner 1200 Exported Function
CryptMsgGetParam 1201 Exported Function
CryptInstallOIDFunctionAddress 1188 Exported Function
CryptLoadSip 1189 Exported Function
CryptInitOIDFunctionSet 1186 Exported Function
CryptInstallDefaultContext 1187 Exported Function
CryptMemAlloc 1190 Exported Function
CryptMsgCalculateEncodedLength 1193 Exported Function
CryptMsgClose 1194 Exported Function
CryptMemFree 1191 Exported Function
CryptMemRealloc 1192 Exported Function
CryptSIPVerifyIndirectData 1226 Exported Function
I_CryptGetLruEntryIdentifier 1283 Exported Function
I_CryptGetOssGlobal 1284 Exported Function
I_CryptGetFileVersion 1281 Exported Function
I_CryptGetLruEntryData 1282 Exported Function
I_CryptGetTls 1285 Exported Function
I_CryptInstallOssGlobal 1288 Exported Function
I_CryptReadTrustedPublisherDWORDValueFromRegistry 1289 Exported Function
I_CryptInsertLruEntry 1286 Exported Function
I_CryptInstallAsn1Module 1287 Exported Function
I_CryptFlushLruCache 1274 Exported Function
I_CryptFreeLruCache 1275 Exported Function
I_CryptFindLruEntryData 1272 Exported Function
I_CryptFindSmartCardCertInStore 1273 Exported Function
I_CryptFreeTls 1276 Exported Function
I_CryptGetDefaultCryptProv 1279 Exported Function
I_CryptGetDefaultCryptProvForEncrypt 1280 Exported Function
I_CryptGetAsn1Decoder 1277 Exported Function
I_CryptGetAsn1Encoder 1278 Exported Function
I_PFXImportCertStoreEx 1019 Exported Function
PFXExportCertStore 1301 Exported Function
I_PFXDecrypt 1299 Exported Function
I_PFXHMAC 1300 Exported Function
PFXExportCertStore2 1302 Exported Function
PFXIsPFXBlob 1305 Exported Function
PFXVerifyPassword 1306 Exported Function
PFXExportCertStoreEx 1303 Exported Function
PFXImportCertStore 1304 Exported Function
I_CryptRemoveLruEntry 1292 Exported Function
I_CryptSetTls 1293 Exported Function
I_CryptRegisterSmartCardStore 1290 Exported Function
I_CryptReleaseLruEntry 1291 Exported Function
I_CryptTouchLruEntry 1294 Exported Function
I_CryptUnregisterSmartCardStore 1297 Exported Function
I_CryptWalkAllLruCacheEntries 1298 Exported Function
I_CryptUninstallAsn1Module 1295 Exported Function
I_CryptUninstallOssGlobal 1296 Exported Function
I_CryptFindLruEntry 1271 Exported Function
CryptVerifyDetachedMessageHash 1246 Exported Function
CryptVerifyDetachedMessageSignature 1247 Exported Function
CryptVerifyCertificateSignature 1244 Exported Function
CryptVerifyCertificateSignatureEx 1245 Exported Function
CryptVerifyMessageHash 1248 Exported Function
CryptVerifyTimeStampSignature 1251 Exported Function
I_CertChainEngineIsDisallowedCertificate 1252 Exported Function
CryptVerifyMessageSignature 1249 Exported Function
CryptVerifyMessageSignatureWithKey 1250 Exported Function
CryptUninstallDefaultContext 1237 Exported Function
CryptUnprotectData 1238 Exported Function
CryptStringToBinaryA 1235 Exported Function
CryptStringToBinaryW 1236 Exported Function
CryptUnprotectMemory 1239 Exported Function
CryptUnregisterOIDInfo 1242 Exported Function
CryptUpdateProtectedState 1243 Exported Function
CryptUnregisterDefaultOIDFunction 1240 Exported Function
CryptUnregisterOIDFunction 1241 Exported Function
I_CryptAllocTlsEx 1264 Exported Function
I_CryptCreateLruCache 1265 Exported Function
I_CryptAddSmartCardCertToStore 1262 Exported Function
I_CryptAllocTls 1263 Exported Function
I_CryptCreateLruEntry 1266 Exported Function
I_CryptEnableLruOfEntries 1269 Exported Function
I_CryptEnumMatchingLruEntries 1270 Exported Function
I_CryptDetachTls 1267 Exported Function
I_CryptDisableLruOfEntries 1268 Exported Function
I_CertProcessSslHandshake 1255 Exported Function
I_CertProtectFunction 1256 Exported Function
I_CertDiagControl 1253 Exported Function
I_CertFinishSslHandshake 1254 Exported Function
I_CertSrvProtectFunction 1257 Exported Function
I_CertWnfEnableFlushCache 1260 Exported Function
I_CryptAddRefLruEntry 1261 Exported Function
I_CertSyncStore 1258 Exported Function
I_CertUpdateStore 1259 Exported Function
CryptFormatObject 1167 Exported Function
CertEnumSystemStoreLocation 1068 Exported Function
CertFindAttribute 1069 Exported Function
CertEnumSubjectInSortedCTL 1066 Exported Function
CertEnumSystemStore 1067 Exported Function
CertFindCertificateInCRL 1072 Exported Function
CertFindCRLInStore 1070 Exported Function
CertFindCTLInStore 1071 Exported Function
CertFindCertificateInStore 1073 Exported Function
CertFindChainInStore 1074 Exported Function
CertEnumCertificateContextProperties 1063 Exported Function
CertEnumCertificatesInStore 1064 Exported Function
CertDuplicateCTLContext 1055 Exported Function
CertDuplicateStore 1058 Exported Function
CertEnumCRLContextProperties 1059 Exported Function
CertEnumCTLsInStore 1062 Exported Function
CertEnumPhysicalStore 1065 Exported Function
CertEnumCRLsInStore 1060 Exported Function
CertEnumCTLContextProperties 1061 Exported Function
CertGetCertificateChain 1089 Exported Function
CertGetCertificateContextProperty 1090 Exported Function
CertFreeCTLContext 1080 Exported Function
CertFreeServerOcspResponseContext 1085 Exported Function
CertGetCRLContextProperty 1086 Exported Function
CertGetEnhancedKeyUsage 1091 Exported Function
CertGetIntendedKeyUsage 1092 Exported Function
CertGetCRLFromStore 1087 Exported Function
CertGetCTLContextProperty 1088 Exported Function
CertFindSubjectInCTL 1077 Exported Function
CertFindSubjectInSortedCTL 1078 Exported Function
CertFindExtension 1075 Exported Function
CertFindRDNAttr 1076 Exported Function
CertFreeCertificateChain 1081 Exported Function
CertFreeCertificateContext 1084 Exported Function
CertFreeCRLContext 1079 Exported Function
CertFreeCertificateChainEngine 1082 Exported Function
CertFreeCertificateChainList 1083 Exported Function
CertDuplicateCRLContext 1054 Exported Function
CertAddEnhancedKeyUsageIdentifier 1031 Exported Function
CertAddRefServerOcspResponse 1032 Exported Function
CertAddEncodedCRLToStore 1026 Exported Function
CertAddEncodedCTLToStore 1027 Exported Function
CertAddRefServerOcspResponseContext 1033 Exported Function
CertAlgIdToOID 1036 Exported Function
CertCloseServerOcspResponse 1037 Exported Function
CertAddSerializedElementToStore 1034 Exported Function
CertAddStoreToCollection 1035 Exported Function
CertAddCRLContextToStore 1020 Exported Function
CertAddCRLLinkToStore 1021 Exported Function
CertAddCertificateContextToStore 1024 Exported Function
CertAddCertificateLinkToStore 1025 Exported Function
CertAddCTLContextToStore 1022 Exported Function
CertAddEncodedCertificateToSystemStoreA 1029 Exported Function
CertAddEncodedCertificateToSystemStoreW 1030 Exported Function
CertAddCTLLinkToStore 1023 Exported Function
CertAddEncodedCertificateToStore 1028 Exported Function
CertCreateCTLEntryFromCertificateContextProperties 1046 Exported Function
CertCreateSelfSignCertificate 1050 Exported Function
CertCreateCRLContext 1044 Exported Function
CertCreateCTLContext 1045 Exported Function
CertDeleteCertificateFromStore 1053 Exported Function
CertDuplicateCertificateChain 1056 Exported Function
CertDuplicateCertificateContext 1057 Exported Function
CertDeleteCRLFromStore 1051 Exported Function
CertDeleteCTLFromStore 1052 Exported Function
CertCompareCertificateName 1040 Exported Function
CertCompareIntegerBlob 1041 Exported Function
CertCloseStore 1038 Exported Function
CertCompareCertificate 1039 Exported Function
CertComparePublicKeyInfo 1042 Exported Function
CertCreateCertificateContext 1048 Exported Function
CertCreateContext 1049 Exported Function
CertControlStore 1043 Exported Function
CertCreateCertificateChainEngine 1047 Exported Function
CertGetIssuerCertificateFromStore 1093 Exported Function
CertVerifyValidityNesting 1142 Exported Function
CryptAcquireCertificatePrivateKey 1143 Exported Function
CertVerifySubjectCertificateContext 1140 Exported Function
CertVerifyTimeValidity 1141 Exported Function
CryptBinaryToStringA 1144 Exported Function
CryptCreateAsyncHandle 1147 Exported Function
CryptCreateKeyIdentifierFromCSP 1148 Exported Function
CryptBinaryToStringW 1145 Exported Function
CryptCloseAsyncHandle 1146 Exported Function
CertUnregisterPhysicalStore 1133 Exported Function
CertUnregisterSystemStore 1134 Exported Function
CertStrToNameA 1131 Exported Function
CertStrToNameW 1132 Exported Function
CertVerifyCertificateChainPolicy 1138 Exported Function
CertVerifyCTLUsage 1137 Exported Function
CertVerifyRevocation 1139 Exported Function
CertVerifyCRLRevocation 1135 Exported Function
CertVerifyCRLTimeValidity 1136 Exported Function
CryptExportPKCS8 1160 Exported Function
CryptExportPublicKeyInfo 1161 Exported Function
CryptEnumOIDFunction 1158 Exported Function
CryptEnumOIDInfo 1159 Exported Function
CryptExportPublicKeyInfoEx 1162 Exported Function
CryptFindLocalizedName 1165 Exported Function
CryptFindOIDInfo 1166 Exported Function
CryptExportPublicKeyInfoFromBCryptKeyHandle 1163 Exported Function
CryptFindCertificateKeyProvInfo 1164 Exported Function
CryptDecodeObjectEx 1151 Exported Function
CryptDecryptAndVerifyMessageSignature 1152 Exported Function
CryptDecodeMessage 1149 Exported Function
CryptDecodeObject 1150 Exported Function
CryptDecryptMessage 1153 Exported Function
CryptEncryptMessage 1156 Exported Function
CryptEnumKeyIdentifierProperties 1157 Exported Function
CryptEncodeObject 1154 Exported Function
CryptEncodeObjectEx 1155 Exported Function
CertSetStoreProperty 1130 Exported Function
CertNameToStrA 1105 Exported Function
CertNameToStrW 1106 Exported Function
CertIsValidCRLForCertificate 1103 Exported Function
CertIsWeakHash 1104 Exported Function
CertOIDToAlgId 1107 Exported Function
CertOpenSystemStoreA 1110 Exported Function
CertOpenSystemStoreW 1111 Exported Function
CertOpenServerOcspResponse 1108 Exported Function
CertOpenStore 1109 Exported Function
CertGetPublicKeyLength 1096 Exported Function
CertGetServerOcspResponseContext 1097 Exported Function
CertGetNameStringA 1094 Exported Function
CertGetNameStringW 1095 Exported Function
CertGetStoreProperty 1098 Exported Function
CertIsRDNAttrsInCertificateName 1101 Exported Function
CertIsStrongHashToSign 1102 Exported Function
CertGetSubjectCertificateFromStore 1099 Exported Function
CertGetValidUsages 1100 Exported Function
CertSerializeCRLStoreElement 1122 Exported Function
CertSerializeCTLStoreElement 1123 Exported Function
CertSelectCertificateChains 1121 Exported Function
CertSerializeCertificateStoreElement 1124 Exported Function
CertSetCertificateContextPropertiesFromCTLEntry 1127 Exported Function
CertSetCTLContextProperty 1126 Exported Function
CertSetEnhancedKeyUsage 1129 Exported Function
CertSetCertificateContextProperty 1128 Exported Function
CertSetCRLContextProperty 1125 Exported Function
CertRegisterPhysicalStore 1114 Exported Function
CertRegisterSystemStore 1115 Exported Function
CertRDNValueToStrA 1112 Exported Function
CertRDNValueToStrW 1113 Exported Function
CertRemoveEnhancedKeyUsageIdentifier 1116 Exported Function
CertRetrieveLogoOrBiometricInfo 1119 Exported Function
CertSaveStore 1120 Exported Function
CertRemoveStoreFromCollection 1117 Exported Function
CertResyncCertificateChainEngine 1118 Exported Function

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: CRYPT32.DLL.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/71
  • VirusTotal Link: https://www.virustotal.com/gui/file/08ed695dce1f42b48d18a3752fb2afc0cebd899f04b4bcb994f8f5e4810a1eff/detection/

Possible Misuse

The following table contains possible examples of crypt32.dll being misused. While crypt32.dll is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source | Source File | Example | License
malware-ioc | oceanlotus-rtf_ocx_campaigns.misp.event.json | "description": "Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file archive formats that can encrypt files are RAR and zip.\n\nOther exfiltration techniques likely apply as well to transfer the information out of the network, such as Exfiltration Over Command and Control Channel and Exfiltration Over Alternative Protocol\n\nDetection: Encryption software and encrypted files can be detected in many ways. Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known encryption utilities. This may yield a significant amount of benign events, depending on how systems in the environment are typically used. Often the encryption key is stated within command-line invocation of the software. \n\nA process that loads the Windows DLL crypt32.dll may be used to perform encryption, decryption, or verification of file signatures. \n\nNetwork traffic may also be analyzed for entropy to determine if encrypted data is being transmitted. (Citation: Zhang 2013) If the communications channel is unencrypted, encrypted files of known file types can be detected in transit during exfiltration with a network intrusion detection or data loss prevention system analyzing file headers. (Citation: Wikipedia File Header Signatures)\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: File monitoring, Binary file metadata, Process command-line parameters, Process monitoring\n\nRequires Network: No", | © ESET 2014-2018
malware-ioc | rtm | crypt32.dll | © ESET 2014-2018
malware-ioc | misp-turla-lightneuron-event.json | "description": "Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file archive formats that can encrypt files are RAR and zip.\n\nOther exfiltration techniques likely apply as well to transfer the information out of the network, such as Exfiltration Over Command and Control Channel and Exfiltration Over Alternative Protocol\n\nDetection: Encryption software and encrypted files can be detected in many ways. Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known encryption utilities. This may yield a significant amount of benign events, depending on how systems in the environment are typically used. Often the encryption key is stated within command-line invocation of the software. \n\nA process that loads the Windows DLL crypt32.dll may be used to perform encryption, decryption, or verification of file signatures. \n\nNetwork traffic may also be analyzed for entropy to determine if encrypted data is being transmitted. (Citation: Zhang 2013) If the communications channel is unencrypted, encrypted files of known file types can be detected in transit during exfiltration with a network intrusion detection or data loss prevention system analyzing file headers. (Citation: Wikipedia File Header Signatures)\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: File monitoring, Binary file metadata, Process command-line parameters, Process monitoring\n\nRequires Network: No", | © ESET 2014-2018

MIT License. Copyright (c) 2020-2021 Strontic.