ncrypt.dll

  • File Path: C:\Windows\system32\ncrypt.dll
  • Description: Windows NCrypt Router

Hashes

Type Hash
MD5 9376DCF21BC209232ABBE32EEE57F832
SHA1 14467E7E7262ACD5CE56B2B834E2BFCA9CE0F95B
SHA256 E860477B315B6965EB008E4548160E589723D5AB26CE3F33D80C3715B4E555BE
SHA384 4408243D660AC61BDDADB64041FA86DCD0CA24ED8E79FF646DD3B3CA6C50DBBB3EDE14FC4062AACF33FC6485EA30506B
SHA512 084A85D1A9923F2C92DD4BF5910DB82557FAA457D6A572CD51445EDE13A3F0D6C0B6B044DB60410F1A79CDA11E35D209789D02875D515611BCAD80C67D48C08C
SSDEEP 3072:XXtmvigm02+x2oIKM04hjZeU3T9CUz8ir1ZnT9J3iHQng/lcT4:XXt501ke4hjZeU3RrAeKQng/x
IMP 71CE678C1CCE44D29BCEC313566A1C73
PESHA1 F34BA012AE5192D2A40A36E95BD400C6798962C9
PE256 1181F21703BCF72F94FE9A460655BA85CB51EF92FD82A4E6D7A0B3F6D702F055

DLL Exports:

Function Name Ordinal Type
NCryptUnprotectKey 101 Exported Function
NCryptTranslateHandle 100 Exported Function
NCryptVerifyClaim 103 Exported Function
NCryptUnprotectSecret 102 Exported Function
NCryptStreamUpdate 99 Exported Function
NCryptStreamOpenToProtect 96 Exported Function
NCryptStreamClose 95 Exported Function
NCryptStreamOpenToUnprotectEx 98 Exported Function
NCryptStreamOpenToUnprotect 97 Exported Function
SslCreateClientAuthHash 110 Exported Function
SslComputeSessionHash 109 Exported Function
SslCreateHandshakeHash 112 Exported Function
SslCreateEphemeralKey 111 Exported Function
SslComputeFinishedHash 108 Exported Function
SslChangeNotify 105 Exported Function
NCryptVerifySignature 104 Exported Function
SslComputeEapKeyBlock 107 Exported Function
SslComputeClientAuthHash 106 Exported Function
NCryptSignHash 94 Exported Function
NCryptKeyDerivation 82 Exported Function
NCryptIsKeyHandle 81 Exported Function
NCryptOpenKey 84 Exported Function
NCryptNotifyChangeKey 83 Exported Function
NCryptIsAlgSupported 80 Exported Function
NCryptGetProperty 77 Exported Function
NCryptFreeObject 76 Exported Function
NCryptImportKey 79 Exported Function
NCryptGetProtectionDescriptorInfo 78 Exported Function
NCryptSecretAgreement 91 Exported Function
NCryptRegisterProtectionDescriptorName 90 Exported Function
NCryptSetProperty 93 Exported Function
NCryptSetAuditingInterface 92 Exported Function
NCryptQueryProtectionDescriptorName 89 Exported Function
NCryptOpenStorageProvider 86 Exported Function
NCryptOpenKeyProtector 85 Exported Function
NCryptProtectSecret 88 Exported Function
NCryptProtectKey 87 Exported Function
SslGetKeyProperty 138 Exported Function
SslGetCipherSuitePRFHashAlgorithm 137 Exported Function
SslHashHandshake 140 Exported Function
SslGetProviderProperty 139 Exported Function
SslGenerateSessionKeys 136 Exported Function
SslFreeObject 133 Exported Function
SslFreeBuffer 132 Exported Function
SslGeneratePreMasterKey 135 Exported Function
SslGenerateMasterKey 134 Exported Function
SslOpenProvider 147 Exported Function
SslOpenPrivateKey 146 Exported Function
SslVerifySignature 149 Exported Function
SslSignHash 148 Exported Function
SslLookupCipherSuiteInfo 145 Exported Function
SslImportMasterKey 142 Exported Function
SslImportKey 141 Exported Function
SslLookupCipherLengths 144 Exported Function
SslIncrementProviderReferenceCount 143 Exported Function
SslExtractMasterKey 131 Exported Function
SslEnumEccCurves 119 Exported Function
SslEnumCipherSuitesEx 118 Exported Function
SslExpandBinderKey 121 Exported Function
SslEnumProtocolProviders 120 Exported Function
SslEnumCipherSuites 117 Exported Function
SslDecryptPacket 114 Exported Function
SslDecrementProviderReferenceCount 113 Exported Function
SslEncryptPacket 116 Exported Function
SslDuplicateTranscriptHash 115 Exported Function
SslExportKeyingMaterial 128 Exported Function
SslExportKey 127 Exported Function
SslExtractHandshakeKey 130 Exported Function
SslExtractEarlyKey 129 Exported Function
SslExpandWriteKey 126 Exported Function
SslExpandPreSharedKey 123 Exported Function
SslExpandExporterMasterKey 122 Exported Function
SslExpandTrafficKeys 125 Exported Function
SslExpandResumptionMasterKey 124 Exported Function
NCryptFreeBuffer 75 Exported Function
BCryptFinalizeKeyPair 26 Exported Function
BCryptExportKey 25 Exported Function
BCryptFreeBuffer 28 Exported Function
BCryptFinishHash 27 Exported Function
BCryptEnumRegisteredProviders 24 Exported Function
BCryptEnumContextFunctions 21 Exported Function
BCryptEnumContextFunctionProviders 20 Exported Function
BCryptEnumProviders 23 Exported Function
BCryptEnumContexts 22 Exported Function
BCryptHashData 35 Exported Function
BCryptHash 34 Exported Function
BCryptImportKeyPair 37 Exported Function
BCryptImportKey 36 Exported Function
BCryptGetProperty 33 Exported Function
BCryptGenerateSymmetricKey 31 Exported Function
BCryptGenerateKeyPair 30 Exported Function
BCryptGetFipsAlgorithmMode 32 Exported Function
BCryptGenRandom 29 Exported Function
BCryptEnumAlgorithms 19 Exported Function
BCryptCreateHash 7 Exported Function
BCryptCreateContext 6 Exported Function
BCryptDeleteContext 9 Exported Function
BCryptDecrypt 8 Exported Function
BCryptConfigureContextFunction 5 Exported Function
BCryptAddContextFunctionProvider 2 Exported Function
BCryptAddContextFunction 1 Exported Function
BCryptConfigureContext 4 Exported Function
BCryptCloseAlgorithmProvider 3 Exported Function
BCryptDuplicateHash 16 Exported Function
BCryptDestroySecret 15 Exported Function
BCryptEncrypt 18 Exported Function
BCryptDuplicateKey 17 Exported Function
BCryptDestroyKey 14 Exported Function
BCryptDeriveKeyCapi 11 Exported Function
BCryptDeriveKey 10 Exported Function
BCryptDestroyHash 13 Exported Function
BCryptDeriveKeyPBKDF2 12 Exported Function
NCryptCreatePersistedKey 63 Exported Function
NCryptCreateClaim 62 Exported Function
NCryptDecrypt 65 Exported Function
NCryptCreateProtectionDescriptor 64 Exported Function
NCryptCloseProtectionDescriptor 61 Exported Function
GetKeyStorageInterface 58 Exported Function
GetIsolationServerInterface 57 Exported Function
NCryptCloseKeyProtector 60 Exported Function
GetSChannelInterface 59 Exported Function
NCryptEnumStorageProviders 72 Exported Function
NCryptEnumKeys 71 Exported Function
NCryptFinalizeKey 74 Exported Function
NCryptExportKey 73 Exported Function
NCryptEnumAlgorithms 70 Exported Function
NCryptDeriveKey 67 Exported Function
NCryptDeleteKey 66 Exported Function
NCryptEncrypt 69 Exported Function
NCryptDuplicateKeyProtectorHandle 68 Exported Function
BCryptVerifySignature 56 Exported Function
BCryptRegisterConfigChangeNotify 44 Exported Function
BCryptQueryProviderRegistration 43 Exported Function
BCryptRemoveContextFunction 46 Exported Function
BCryptRegisterProvider 45 Exported Function
BCryptQueryContextFunctionProperty 42 Exported Function
BCryptOpenAlgorithmProvider 39 Exported Function
BCryptKeyDerivation 38 Exported Function
BCryptQueryContextFunctionConfiguration 41 Exported Function
BCryptQueryContextConfiguration 40 Exported Function
BCryptSignHash 53 Exported Function
BCryptSetProperty 52 Exported Function
BCryptUnregisterProvider 55 Exported Function
BCryptUnregisterConfigChangeNotify 54 Exported Function
BCryptSetContextFunctionProperty 51 Exported Function
BCryptResolveProviders 48 Exported Function
BCryptRemoveContextFunctionProvider 47 Exported Function
BCryptSetAuditingInterface 50 Exported Function
BCryptSecretAgreement 49 Exported Function

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: ncrypt.dll.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/71
  • VirusTotal Link: https://www.virustotal.com/gui/file/e860477b315b6965eb008e4548160e589723d5ab26ce3f33d80c3715b4e555be/detection/

Possible Misuse

The following table contains possible examples of ncrypt.dll being misused. While ncrypt.dll is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
signature-base apt_turla_png_dropper_nov18.yar pe.imports(“ncrypt.dll”, “NCryptOpenStorageProvider”) and CC BY-NC 4.0
signature-base apt_turla_png_dropper_nov18.yar pe.imports(“ncrypt.dll”, “NCryptEnumKeys”) and CC BY-NC 4.0
signature-base apt_turla_png_dropper_nov18.yar pe.imports(“ncrypt.dll”, “NCryptOpenKey”) and CC BY-NC 4.0
signature-base apt_turla_png_dropper_nov18.yar pe.imports(“ncrypt.dll”, “NCryptDecrypt”) and CC BY-NC 4.0
signature-base apt_turla_png_dropper_nov18.yar pe.imports(“ncrypt.dll”, “BCryptGenerateSymmetricKey”) and CC BY-NC 4.0
signature-base apt_turla_png_dropper_nov18.yar pe.imports(“ncrypt.dll”, “BCryptGetProperty”) and CC BY-NC 4.0
signature-base apt_turla_png_dropper_nov18.yar pe.imports(“ncrypt.dll”, “BCryptDecrypt”) and CC BY-NC 4.0
signature-base apt_turla_png_dropper_nov18.yar pe.imports(“ncrypt.dll”, “BCryptEncrypt”) and CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.