dsreg[.]dll | Triage

Sharing

Copy URL Twitter E-mail

General

Target

dsreg.dll
Size

1.0MB
MD5

229c0d958f8251340e61ddfdf7d404b2
SHA1

f285bd57b4a90ea92dba72dab6d741ebb8dbfb36
SHA256

4408999e0d1ff9da94ca483d186f76b82a611ff656842a9e7b9f9c9475b64039
SHA512

d1fbb36c80ff8c4706c8b5368044812bb7713209ef6a50ce42e138cd39e8be9f4caac74b2d6eb243d5804d64839edb622f06a5cb49db816a8e5f2c536ec9fffe
SSDEEP

24576:f7G8KwFXE+XCsRLgnRh9spEgIxX8rgm9QASoLx9fO+:f7G8KwFXzXxgR3sy/m9QASoLG+

Score

1^/10

Malware Config

Signatures

Files

dsreg.dll
.dll windows:10 windows x86 arch:x86

9d52008e2c1891fd474f043139bda973

Code Sign

33:00:00:04:5f:f3:c9:6c:1a:7f:f7:da:1d:00:00:00:00:04:5f
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

16/11/2023, 19:20

Not After

14/11/2024, 19:20

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

9c:c8:a6:ed:25:a1:46:29:d1:2a:31:41:30:6c:30:e0:96:f0:f6:74:84:c3:e4:fb:0e:a4:a9:89:42:ec:d9:d6
Signer

Actual PE Digest

9c:c8:a6:ed:25:a1:46:29:d1:2a:31:41:30:6c:30:e0:96:f0:f6:74:84:c3:e4:fb:0e:a4:a9:89:42:ec:d9:d6

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

dsreg.pdb

Imports

msvcrt

memcmp
memcpy
free
_ftol2_sse
_CxxThrowException
__CxxFrameHandler3
_vsnwprintf
memcpy_s
_purecall
??1exception@@UAE@XZ
??0exception@@QAE@XZ
??0exception@@QAE@ABV0@@Z
_vsnprintf_s
memmove_s
swscanf
??1type_info@@UAE@XZ
?terminate@@YAXXZ
strchr
realloc
_wfopen_s
swprintf_s
wcsncpy
_fseeki64
fsetpos
ungetc
setvbuf
fgetpos
fwrite
fgetwc
fgetc
ungetwc
fputwc
fclose
fflush
??0bad_cast@@QAE@ABV0@@Z
??0bad_cast@@QAE@PBD@Z
??1bad_cast@@UAE@XZ
getchar
fwprintf_s
wprintf
wcstok_s
wcsncpy_s
_wcserror
wcsrchr
_errno
wcsnlen
wcscpy_s
wcscspn
swprintf
wcschr
difftime
isdigit
strtol
isxdigit
isalpha
_wtof
_wcslwr
?what@exception@@UBEPBDXZ
memmove
_snwprintf_s
_onexit
__dllonexit
wcsstr
_unlock
_lock
_except_handler4_common
_initterm
_wcsicmp
_wcsnicmp
_amsg_exit
_XcptFilter
_callnewh
toupper
malloc
time
memset

api-ms-win-core-synch-l1-2-0

InitOnceComplete
SleepConditionVariableSRW
WakeAllConditionVariable
Sleep
InitOnceBeginInitialize

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-processthreads-l1-1-0

TerminateProcess
GetCurrentProcess
GetCurrentProcessId
OpenThreadToken
CreateThread
GetCurrentThreadId
ExitThread
GetCurrentThread
OpenProcessToken

api-ms-win-core-sysinfo-l1-1-0

GetTickCount64
GetTickCount
GetSystemTime
GetComputerNameExW
GetSystemTimeAsFileTime

api-ms-win-core-errorhandling-l1-1-0

GetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter
SetLastError
RaiseException

msvcp110_win

?_Incref@facet@locale@std@@UAEXXZ
?_Decref@facet@locale@std@@UAEPAV_Facet_base@3@XZ
??0facet@locale@std@@IAE@I@Z
?_Osfx@?$basic_ostream@GU?$char_traits@G@std@@@std@@QAEXXZ
??1facet@locale@std@@MAE@XZ
??0?$basic_ostream@GU?$char_traits@G@std@@@std@@QAE@PAV?$basic_streambuf@GU?$char_traits@G@std@@@1@_N@Z
?is@?$ctype@G@std@@QBE_NFG@Z
?tolower@?$ctype@G@std@@QBEGG@Z
?tolower@?$ctype@G@std@@QBEPBGPAGPBG@Z
_Wcsxfrm
??_7facet@locale@std@@6B@
?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z
?id@?$collate@G@std@@2V0locale@2@A
?_Pninc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IAEPAGXZ
?_Init@locale@std@@CAPAV_Locimp@12@_N@Z
_Wcscoll
??_7_Facet_base@std@@6B@
?widen@?$ctype@G@std@@QBEGD@Z
?_Getcat@?$ctype@G@std@@SAIPAPBVfacet@locale@2@PBV42@@Z
?getloc@ios_base@std@@QBE?AVlocale@2@XZ
??1?$basic_ios@GU?$char_traits@G@std@@@std@@UAE@XZ
??1?$basic_iostream@GU?$char_traits@G@std@@@std@@UAE@XZ
?pbump@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IAEXH@Z
??6?$basic_ostream@GU?$char_traits@G@std@@@std@@QAEAAV01@K@Z
??6?$basic_ostream@GU?$char_traits@G@std@@@std@@QAEAAV01@J@Z
??6?$basic_ostream@GU?$char_traits@G@std@@@std@@QAEAAV01@P6AAAVios_base@1@AAV21@@Z@Z
?gbump@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IAEXH@Z
??0?$basic_iostream@GU?$char_traits@G@std@@@std@@QAE@PAV?$basic_streambuf@GU?$char_traits@G@std@@@1@@Z
?_Getcoll@_Locinfo@std@@QBE?AU_Collvec@@XZ
?id@?$ctype@G@std@@2V0locale@2@A
??0?$basic_ios@GU?$char_traits@G@std@@@std@@IAE@XZ
??0?$basic_streambuf@GU?$char_traits@G@std@@@std@@IAE@XZ
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
??1_Locinfo@std@@QAE@XZ
?sputc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QAEGG@Z
?sputn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QAE_JPBG_J@Z
?_BADOFF@std@@3_JB
??Bid@locale@std@@QAEIXZ
?uncaught_exception@std@@YA_NXZ
?always_noconv@codecvt_base@std@@QBE_NXZ
?in@?$codecvt@GDH@std@@QBEHAAHPBD1AAPBDPAG3AAPAG@Z
?out@?$codecvt@GDH@std@@QBEHAAHPBG1AAPBGPAD3AAPAD@Z
?unshift@?$codecvt@GDH@std@@QBEHAAHPAD1AAPAD@Z
?_Getcat@?$codecvt@GDH@std@@SAIPAPBVfacet@locale@2@PBV42@@Z
?_Syserror_map@std@@YAPBDH@Z
??6?$basic_ostream@GU?$char_traits@G@std@@@std@@QAEAAV01@PAV?$basic_streambuf@GU?$char_traits@G@std@@@1@@Z
?_Add_vtordisp1@?$basic_istream@GU?$char_traits@G@std@@@std@@UAEXXZ
??1?$basic_istream@GU?$char_traits@G@std@@@std@@UAE@XZ
?_Add_vtordisp2@?$basic_ios@GU?$char_traits@G@std@@@std@@UAEXXZ
??0?$basic_istream@GU?$char_traits@G@std@@@std@@QAE@PAV?$basic_streambuf@GU?$char_traits@G@std@@@1@_N@Z
?_Gndec@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IAEPAGXZ
?clear@?$basic_ios@GU?$char_traits@G@std@@@std@@QAEXH_N@Z
?_Init@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IAEXXZ
??0_Locinfo@std@@QAE@PBD@Z
?getloc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QBE?AVlocale@2@XZ
?_Xlength_error@std@@YAXPBD@Z
?id@?$codecvt@GDH@std@@2V0locale@2@A
?_Fiopen@std@@YAPAU_iobuf@@PBGHH@Z
?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ
?_Random_device@std@@YAIXZ
??0_Lockit@std@@QAE@H@Z
??1_Lockit@std@@QAE@XZ
??6?$basic_ostream@GU?$char_traits@G@std@@@std@@QAEAAV01@_N@Z
?endl@std@@YAAAV?$basic_ostream@GU?$char_traits@G@std@@@1@AAV21@@Z
??6?$basic_ostream@GU?$char_traits@G@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z
?_Winerror_map@std@@YAPBDH@Z
?setprecision@std@@YA?AU?$_Smanip@_J@1@_J@Z
?flush@?$basic_ostream@GU?$char_traits@G@std@@@std@@QAEAAV12@XZ
?_Add_vtordisp2@?$basic_ostream@GU?$char_traits@G@std@@@std@@UAEXXZ
?_Xout_of_range@std@@YAXPBD@Z
??1?$basic_ostream@GU?$char_traits@G@std@@@std@@UAE@XZ
?imbue@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MAEXABVlocale@2@@Z
?_Xbad_alloc@std@@YAXXZ
??6?$basic_ostream@GU?$char_traits@G@std@@@std@@QAEAAV01@N@Z
?setstate@?$basic_ios@GU?$char_traits@G@std@@@std@@QAEXH_N@Z
??1?$basic_streambuf@GU?$char_traits@G@std@@@std@@UAE@XZ
?sync@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MAEHXZ
?setbuf@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MAEPAV12@PAG_J@Z
?xsputn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MAE_JPBG_J@Z
?_Add_vtordisp1@?$basic_ios@GU?$char_traits@G@std@@@std@@UAEXXZ
?xsgetn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MAE_JPAG_J@Z
?uflow@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MAEGXZ
?showmanyc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MAE_JXZ
?_Unlock@?$basic_streambuf@GU?$char_traits@G@std@@@std@@UAEXXZ
?_Lock@?$basic_streambuf@GU?$char_traits@G@std@@@std@@UAEXXZ

api-ms-win-eventing-provider-l1-1-0

EventSetInformation
EventActivityIdControl
EventUnregister
EventRegister
EventProviderEnabled
EventWriteTransfer

api-ms-win-core-libraryloader-l1-2-0

GetModuleFileNameA
FreeLibraryAndExitThread
GetProcAddress
GetModuleHandleW
FreeLibrary
LoadStringW
GetModuleHandleExW

api-ms-win-core-synch-l1-1-0

ReleaseSRWLockShared
DeleteCriticalSection
CreateMutexW
WaitForSingleObjectEx
AcquireSRWLockExclusive
OpenMutexW
ReleaseSRWLockExclusive
AcquireSRWLockShared
CreateEventW
CreateMutexExW
WaitForSingleObject
InitializeCriticalSectionEx
LeaveCriticalSection
CreateEventExW
ReleaseSemaphore
EnterCriticalSection
SetEvent
OpenSemaphoreW
CreateSemaphoreExW
ResetEvent
ReleaseMutex

api-ms-win-core-heap-l1-1-0

HeapAlloc
HeapReAlloc
GetProcessHeap
HeapFree

api-ms-win-core-threadpool-l1-2-0

SetThreadpoolTimer
CloseThreadpoolTimer
CreateThreadpoolTimer
WaitForThreadpoolTimerCallbacks

api-ms-win-core-localization-l1-2-0

FormatMessageW

api-ms-win-core-debug-l1-1-0

IsDebuggerPresent
OutputDebugStringA
DebugBreak
OutputDebugStringW

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-libraryloader-l1-2-1

LoadLibraryW

api-ms-win-security-sddl-l1-1-0

ConvertStringSidToSidW
ConvertSidToStringSidW

rpcrt4

UuidFromStringW
UuidIsNil
UuidCompare
RpcBindingCreateW
UuidCreate
RpcBindingBind
I_RpcMapWin32Status
I_RpcExceptionFilter
NdrClientCall4
RpcBindingFree
RpcStringFreeW
UuidToStringW

api-ms-win-core-heap-l2-1-0

LocalAlloc
GlobalFree
LocalFree

api-ms-win-security-lsalookup-l2-1-0

LookupPrivilegeValueW
LookupAccountSidW

api-ms-win-security-base-l1-1-0

EqualSid
AdjustTokenPrivileges
FreeSid
IsValidSid
GetLengthSid
CopySid
DuplicateToken
CheckTokenMembership
AllocateAndInitializeSid
GetTokenInformation

api-ms-win-core-registry-l1-1-0

RegUnLoadKeyW
RegOpenKeyExW
RegQueryInfoKeyW
RegGetValueW
RegFlushKey
RegCloseKey
RegEnumKeyExW
RegDeleteTreeW
RegLoadKeyW
RegSetValueExW
RegCreateKeyExW
RegQueryValueExW
RegDeleteValueW
RegOpenCurrentUser
RegDeleteKeyExW

api-ms-win-core-com-l1-1-0

CoUninitialize
CoTaskMemAlloc
CoWaitForMultipleHandles
CoInitializeEx
CoCreateFreeThreadedMarshaler
StringFromGUID2
CoCreateInstance
CoTaskMemFree
StringFromCLSID

api-ms-win-core-winrt-string-l1-1-0

WindowsGetStringRawBuffer
WindowsDeleteString
WindowsCreateString
WindowsCreateStringReference

api-ms-win-core-winrt-l1-1-0

RoUninitialize
RoGetActivationFactory
RoInitialize
RoActivateInstance

ntdll

RtlGetVersion
RtlPublishWnfStateData
RtlNtStatusToDosError
RtlIsMultiSessionSku
RtlGetDeviceFamilyInfoEnum
RtlGetPersistedStateLocation

api-ms-win-security-cryptoapi-l1-1-0

CryptGetHashParam
CryptReleaseContext
CryptHashData
CryptCreateHash
CryptDestroyHash
CryptAcquireContextW

api-ms-win-core-shlwapi-obsolete-l1-1-0

StrRStrIW
StrChrNW
StrStrIW

api-ms-win-core-string-l1-1-0

MultiByteToWideChar
CompareStringW
CompareStringEx
WideCharToMultiByte

api-ms-win-security-lsalookup-l1-1-2

LsaLookupUserAccountType

api-ms-win-core-registry-l1-1-1

RegSetKeyValueW

api-ms-win-core-file-l1-1-0

DeleteFileW
CompareFileTime
GetTempFileNameW

api-ms-win-core-timezone-l1-1-0

FileTimeToSystemTime

api-ms-win-core-string-obsolete-l1-1-0

lstrcmpiW

oleaut32

SysFreeString
SafeArrayGetUBound
SafeArrayUnlock
SafeArrayGetLBound
SafeArrayLock
SysAllocString
SafeArrayCreate
SafeArrayDestroy
VariantInit

api-ms-win-core-console-l1-2-0

FreeConsole

api-ms-win-core-winrt-error-l1-1-0

SetRestrictedErrorInfo
RoOriginateError

api-ms-win-core-winrt-error-l1-1-1

RoGetMatchingRestrictedErrorInfo

api-ms-win-core-file-l1-2-0

GetTempPathW

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

Exports

Exports

DsrBeginDelegatedWorkplaceJoin
DsrBeginDeviceAndResourceAccountJoin
DsrBeginDeviceJoin
DsrBeginDeviceUnjoin
DsrBeginDeviceUpdate
DsrBeginDiscover
DsrBeginPreprovisionedDeviceJoin
DsrBeginRecovery
DsrBeginWorkplaceJoin
DsrBeginWorkplaceUnjoin
DsrBeginWorkplaceUpdate
DsrCLI
DsrCanCurrentUserProvisionNgcKey
DsrCanCurrentUserResetNgcKey
DsrDeviceHostNameUpdate
DsrEndRecovery
DsrFreeCxhScenarioInfo
DsrFreeDiscoveryMetadata
DsrFreeJoinInfo
DsrFreeJoinInfoEx
DsrGetCurrentUserNgcProvisionStatus
DsrGetCxhScenarioInfo
DsrGetDomainRegistrationData
DsrGetJoinInfo
DsrGetJoinInfoEx
DsrGetPrtAuthorityInfo
DsrGetResourceAccount
DsrIsDeviceJoined
DsrIsDeviceJoinedEx
DsrIsWorkplaceJoined
DsrSaveDeviceTokenProperties
DsrSaveWorkplaceTokenProperties
DsrWriteAutoJoinSvcAdminEvent
DsrWriteAutoJoinSvcDebugEvent
DsrWriteAutoJoinSvcTriggerEvent
FidoDeregisterKey
FidoRegisterKey
NgcDeregisterKey
NgcGetKeyId
NgcGetLogonCertPolicy
NgcGetStatistics
NgcIncrementPinRetryAttempts
NgcNeedProvision
NgcNeedProvisionForAccount
NgcReadRegistryValue
NgcRegisterKey
NgcResetPinRetryAttempts
NgcUpdateCertEnrollStatistics
NgcUpdateStatistics

Sections

.text
Size: 867KB - Virtual size: 866KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 14KB - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 14KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 1024B - Virtual size: 568B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 90KB - Virtual size: 89KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 41KB - Virtual size: 41KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

9d52008e2c1891fd474f043139bda973

Code Sign

33:00:00:04:5f:f3:c9:6c:1a:7f:f7:da:1d:00:00:00:00:04:5fCertificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

9c:c8:a6:ed:25:a1:46:29:d1:2a:31:41:30:6c:30:e0:96:f0:f6:74:84:c3:e4:fb:0e:a4:a9:89:42:ec:d9:d6Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

api-ms-win-core-synch-l1-2-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

msvcp110_win

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-libraryloader-l1-2-1

api-ms-win-security-sddl-l1-1-0

rpcrt4

api-ms-win-core-heap-l2-1-0

api-ms-win-security-lsalookup-l2-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-com-l1-1-0

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-core-winrt-l1-1-0

ntdll

api-ms-win-security-cryptoapi-l1-1-0

api-ms-win-core-shlwapi-obsolete-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-security-lsalookup-l1-1-2

api-ms-win-core-registry-l1-1-1

api-ms-win-core-file-l1-1-0

api-ms-win-core-timezone-l1-1-0

api-ms-win-core-string-obsolete-l1-1-0

oleaut32

api-ms-win-core-console-l1-2-0

api-ms-win-core-winrt-error-l1-1-0

api-ms-win-core-winrt-error-l1-1-1

api-ms-win-core-file-l1-2-0

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

api-ms-win-core-apiquery-l1-1-0

Exports

Exports

Sections

.text Size: 867KB - Virtual size: 866KB

.data Size: 14KB - Virtual size: 21KB

.idata Size: 14KB - Virtual size: 13KB

.didat Size: 1024B - Virtual size: 568B

.rsrc Size: 90KB - Virtual size: 89KB

.reloc Size: 41KB - Virtual size: 41KB

33:00:00:04:5f:f3:c9:6c:1a:7f:f7:da:1d:00:00:00:00:04:5f
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

9c:c8:a6:ed:25:a1:46:29:d1:2a:31:41:30:6c:30:e0:96:f0:f6:74:84:c3:e4:fb:0e:a4:a9:89:42:ec:d9:d6
Signer

.text
Size: 867KB - Virtual size: 866KB

.data
Size: 14KB - Virtual size: 21KB

.idata
Size: 14KB - Virtual size: 13KB

.didat
Size: 1024B - Virtual size: 568B

.rsrc
Size: 90KB - Virtual size: 89KB

.reloc
Size: 41KB - Virtual size: 41KB