| filename | lsass.exe | |
|---|---|---|
| size | 57880 (0xe218) | |
| md5 | 568c5cbf9877f6b9e39d1e7ca0ff0a36 | |
| type | PE32+ executable (GUI) x86-64, for MS Windows | |
| mimetype | application/x-dosexec | |
| clamav | OK | |
| virustotal | → scan with virustotal.com | |
| histogram | ||
MZ Header
| signature | MZ |
| bytes_in_last_block | 0x90 |
| blocks_in_file | 3 |
| num_relocs | 0 |
| header_paragraphs | 4 |
| min_extra_paragraphs | 0 |
| max_extra_paragraphs | 0xffff |
| ss | 0 |
| sp | 0xb8 |
| checksum | 0 |
| ip | 0 |
| cs | 0 |
| reloc_table_offset | 0x40 |
| overlay_number | 0 |
| reserved0 | 0 |
| oem_id | 0 |
| oem_info | 0 |
| reserved2 | 0 |
| reserved3 | 0 |
| reserved4 | 0 |
| reserved5 | 0 |
| reserved6 | 0 |
| lfanew | 0xe8 |
Rich Header
| lib id | version | times used |
|---|---|---|
| 257 | 26213 | 4 |
| 259 | 26213 | 2 |
| 147 | 30729 | 37 |
| 1 | 0 | 116 |
| 269 | 26213 | 10 |
| 256 | 26213 | 1 |
| 260 | 26213 | 10 |
| 255 | 26213 | 1 |
| 258 | 26213 | 1 |
DOS stub
00000000: 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 |........!..L.!Th| 00000010: 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f |is program canno| 00000020: 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 |t be run in DOS | 00000030: 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 |mode....$.......|
PE Header
Packer / Compiler
Sections
Data Directory
| module_name | hint | ord | function_name |
|---|---|---|---|
| api-ms-win-core-crt-l1-1-0.dll | 85 | wcschr | |
| api-ms-win-core-crt-l1-1-0.dll | 25 | _wcsicmp | |
| api-ms-win-core-crt-l1-1-0.dll | 98 | wcstol | |
| api-ms-win-core-crt-l1-1-0.dll | 23 | _vsnprintf_s | |
| api-ms-win-core-crt-l1-1-0.dll | 64 | strcpy_s | |
| api-ms-win-core-crt-l1-1-0.dll | 53 | memcpy | |
| api-ms-win-core-crt-l1-1-0.dll | 57 | memset | |
| api-ms-win-core-crt-l2-1-0.dll | 7 | _initterm_e | |
| api-ms-win-core-crt-l2-1-0.dll | 13 | exit | |
| api-ms-win-core-crt-l2-1-0.dll | 6 | _initterm | |
| ntdll.dll | 1245 | RtlNtStatusToDosError | |
| ntdll.dll | 1127 | RtlInitializeSid | |
| ntdll.dll | 715 | RtlAllocateHeap | |
| ntdll.dll | 409 | NtOpenFile | |
| ntdll.dll | 407 | NtOpenEvent | |
| ntdll.dll | 1124 | RtlInitializeResource | |
| ntdll.dll | 1338 | RtlReleaseResource | |
| ntdll.dll | 676 | RtlAcquireResourceShared | |
| ntdll.dll | 1441 | RtlSubAuthoritySid | |
| ntdll.dll | 592 | NtSetSecurityObject | |
| ntdll.dll | 325 | NtDeviceIoControlFile | |
| ntdll.dll | 1400 | RtlSetProcessIsCritical | |
| ntdll.dll | 993 | RtlFreeSid | |
| ntdll.dll | 883 | RtlDeriveCapabilitySidsFromName | |
| ntdll.dll | 700 | RtlAddMandatoryAce | |
| ntdll.dll | 1471 | RtlUnhandledExceptionFilter | |
| ntdll.dll | 810 | RtlCreateAndSetSD | |
| ntdll.dll | 576 | NtSetInformationProcess | |
| ntdll.dll | 808 | RtlCreateAcl | |
| ntdll.dll | 827 | RtlCreateSecurityDescriptor | |
| ntdll.dll | 35 | DbgPrintEx | |
| ntdll.dll | 1405 | RtlSetSaclSecurityDescriptor | |
| ntdll.dll | 1397 | RtlSetOwnerSecurityDescriptor | |
| ntdll.dll | 1383 | RtlSetDaclSecurityDescriptor | |
| ntdll.dll | 1522 | RtlVirtualUnwind | |
| ntdll.dll | 1226 | RtlLookupFunctionEntry | |
| ntdll.dll | 746 | RtlCaptureContext | |
| ntdll.dll | 1200 | RtlLeaveCriticalSection | |
| ntdll.dll | 923 | RtlEnterCriticalSection | |
| ntdll.dll | 213 | NtAllocateVirtualMemory | |
| ntdll.dll | 579 | NtSetInformationThread | |
| ntdll.dll | 352 | NtFreeVirtualMemory | |
| ntdll.dll | 263 | NtConnectPort | |
| ntdll.dll | 537 | NtRequestWaitReplyPort | |
| ntdll.dll | 675 | RtlAcquireResourceExclusive | |
| ntdll.dll | 251 | NtClose | |
| ntdll.dll | 190 | NtAcceptConnectPort | |
| ntdll.dll | 533 | NtReplyWaitReceivePort | |
| ntdll.dll | 379 | NtListenPort | |
| ntdll.dll | 261 | NtCompleteConnectPort | |
| ntdll.dll | 287 | NtCreatePort | |
| ntdll.dll | 989 | RtlFreeHeap | |
| ntdll.dll | 1201 | RtlLengthRequiredSid | |
| ntdll.dll | 682 | RtlAddAccessAllowedAce | |
| ntdll.dll | 1203 | RtlLengthSid | |
| ntdll.dll | 712 | RtlAllocateAndInitializeSid | |
| ntdll.dll | 572 | NtSetInformationFile | |
| ntdll.dll | 1105 | RtlInitUnicodeString | |
| ntdll.dll | 1228 | RtlMakeSelfRelativeSD | |
| RPCRT4.dll | 303 | NdrServerCall2 | |
| RPCRT4.dll | 493 | RpcServerUseProtseqEpW | |
| RPCRT4.dll | 478 | RpcServerRegisterIf3 | |
| RPCRT4.dll | 473 | RpcServerListen | |
| RPCRT4.dll | 304 | NdrServerCallAll | |
| RPCRT4.dll | 68 | I_RpcMapWin32Status | |
| api-ms-win-core-errorhandling-l1-1-0.dll | 12 | SetErrorMode | |
| api-ms-win-core-errorhandling-l1-1-0.dll | 5 | GetLastError | |
| api-ms-win-core-errorhandling-l1-1-0.dll | 15 | SetUnhandledExceptionFilter | |
| api-ms-win-core-errorhandling-l1-1-0.dll | 13 | SetLastError | |
| api-ms-win-core-errorhandling-l1-1-0.dll | 17 | UnhandledExceptionFilter | |
| api-ms-win-core-handle-l1-1-0.dll | 2 | DuplicateHandle | |
| api-ms-win-core-handle-l1-1-0.dll | CloseHandle | ||
| api-ms-win-core-io-l1-1-0.dll | 4 | DeviceIoControl | |
| api-ms-win-core-libraryloader-l1-2-0.dll | 24 | LoadLibraryExW | |
| api-ms-win-core-libraryloader-l1-2-0.dll | 21 | GetProcAddress | |
| api-ms-win-core-registry-l1-1-0.dll | 14 | RegEnumKeyExW | |
| api-ms-win-core-registry-l1-1-0.dll | 30 | RegOpenKeyExW | |
| api-ms-win-core-registry-l1-1-0.dll | RegCloseKey | ||
| api-ms-win-core-registry-l1-1-0.dll | 37 | RegQueryValueExW | |
| api-ms-win-core-heap-obsolete-l1-1-0.dll | 8 | LocalAlloc | |
| api-ms-win-core-heap-obsolete-l1-1-0.dll | 10 | LocalFree | |
| api-ms-win-security-base-l1-1-0.dll | 58 | GetTokenInformation | |
| api-ms-win-core-processthreads-l1-1-0.dll | 10 | GetCurrentProcess | |
| api-ms-win-core-processthreads-l1-1-0.dll | 8 | ExitThread | |
| api-ms-win-core-processthreads-l1-1-0.dll | 44 | TlsAlloc | |
| api-ms-win-core-processthreads-l1-1-0.dll | 5 | CreateThread | |
| api-ms-win-core-processthreads-l1-1-0.dll | 46 | TlsGetValue | |
| api-ms-win-core-processthreads-l1-1-0.dll | 42 | TerminateProcess | |
| api-ms-win-core-processthreads-l1-1-0.dll | 47 | TlsSetValue | |
| api-ms-win-core-processthreads-l1-1-0.dll | 26 | OpenProcessToken | |
| api-ms-win-core-processthreads-l1-1-0.dll | 13 | GetCurrentThreadId | |
| api-ms-win-core-processthreads-l1-1-0.dll | 11 | GetCurrentProcessId | |
| api-ms-win-core-processenvironment-l1-1-0.dll | 18 | SetEnvironmentVariableW | |
| api-ms-win-core-processenvironment-l1-1-0.dll | 11 | GetEnvironmentVariableW | |
| api-ms-win-core-synch-l1-1-0.dll | 6 | CreateEventW | |
| api-ms-win-core-synch-l1-1-0.dll | 21 | OpenEventW | |
| api-ms-win-core-synch-l1-1-0.dll | 31 | SetEvent | |
| api-ms-win-core-threadpool-l1-2-0.dll | 9 | CreateThreadpool | |
| api-ms-win-core-threadpool-l1-2-0.dll | 1 | CancelThreadpoolIo | |
| api-ms-win-core-threadpool-l1-2-0.dll | 11 | CreateThreadpoolIo | |
| api-ms-win-core-threadpool-l1-2-0.dll | 30 | StartThreadpoolIo | |
| api-ms-win-core-threadpool-l1-2-0.dll | 24 | SetThreadpoolThreadMaximum | |
| api-ms-win-core-threadpool-l1-2-0.dll | 32 | TrySubmitThreadpoolCallback | |
| api-ms-win-core-sysinfo-l1-1-0.dll | 7 | GetSystemInfo | |
| api-ms-win-core-sysinfo-l1-1-0.dll | 13 | GetTickCount | |
| api-ms-win-core-sysinfo-l1-1-0.dll | 10 | GetSystemTimeAsFileTime | |
| api-ms-win-core-profile-l1-1-0.dll | QueryPerformanceCounter | ||
| api-ms-win-core-windowserrorreporting-l1-1-0.dll | 10 | WerSetFlags | |
| api-ms-win-core-delayload-l1-1-0.dll | DelayLoadFailureHook | ||
| api-ms-win-core-delayload-l1-1-1.dll | 1 | ResolveDelayLoadedAPI |
| ord | entry_va | function_name | |
|---|---|---|---|
| 1 | 0x2870 | LsaGetInterface | |
| 2 | 0x1160 | LsaImpersonateKsecCaller | |
| 3 | 0x4170 | LsaRegisterExtension | |
| 4 | 0x41f0 | LsaRegisterInterface |
StringTable 040904B0
| CompanyName | Microsoft Corporation |
| FileDescription | Local Security Authority Process |
| FileVersion | 10.0.17763.1 (WinBuild.160101.0800) |
| InternalName | lsass.exe |
| LegalCopyright | © Microsoft Corporation. All rights reserved. |
| OriginalFilename | lsass.exe |
| ProductName | Microsoft® Windows® Operating System |
| ProductVersion | 10.0.17763.1 |
VS_FIXEDFILEINFO
| FileVersion | 10.0.17763.1 |
| ProductVersion | 10.0.17763.1 |
| StrucVersion | 0x10000 |
| FileFlagsMask | 0x3f |
| FileFlags | 0 |
| FileOS | 0x40004 |
| FileType | 2 |
| FileSubtype | 0 |
Signers (1)
issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows Production PCA 2011
serial: 33000001A90F2D80C9A929387C0000000001A9
Certificates (2)
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
33:00:00:01:a9:0f:2d:80:c9:a9:29:38:7c:00:00:00:00:01:a9
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011
Validity
Not Before: Jun 6 18:57:19 2018 GMT
Not After : May 29 18:57:19 2019 GMT
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Publisher
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:9d:a9:43:93:dd:10:f3:d2:f9:79:7e:c6:d8:53:
9a:c8:89:ca:e5:16:f1:79:b1:af:99:f4:69:d0:8d:
ce:e8:c3:c0:b8:b5:82:2d:48:6f:75:1e:8e:fb:e9:
ee:f6:06:de:f7:b6:34:0f:17:4e:31:54:c8:ba:96:
b3:db:42:23:9e:b2:5b:f7:21:53:fc:1b:f4:9e:f8:
1d:84:df:ec:46:ad:6e:5f:5a:bf:4f:3b:e7:1a:ba:
3e:73:f6:fb:58:0c:2c:a4:b7:b8:52:82:21:f2:3c:
9c:9e:49:1c:cf:fa:28:81:51:09:00:12:40:2b:6c:
6a:4d:a4:73:4b:20:04:74:aa:6e:0e:3a:96:f1:8b:
b6:d7:2c:c0:76:ab:ff:7e:70:bf:c6:09:38:57:1a:
fb:24:73:bf:29:36:31:98:9f:2e:9e:1f:9e:9f:c2:
63:da:31:04:34:b9:9d:a2:5f:d7:7a:0c:de:e7:8c:
fb:35:8c:ae:f5:92:a7:e0:f5:9b:f8:b0:67:fc:4a:
ce:44:25:23:68:0f:3e:eb:18:52:96:1a:59:3f:86:
3c:ce:30:59:fe:e5:67:de:5c:1b:aa:0e:9a:8c:1b:
cd:b5:14:4d:fe:0c:fe:37:f6:d9:ab:0f:8e:95:d3:
9d:a4:36:1e:b1:12:cb:8c:d9:ae:b9:38:99:ad:6d:
16:cd
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Extended Key Usage:
1.3.6.1.4.1.311.10.3.22, 1.3.6.1.4.1.311.10.3.6, Code Signing
X509v3 Subject Key Identifier:
D2:6C:BF:C2:9D:E2:29:44:B5:C8:6F:C4:0D:02:59:52:68:99:DC:DF
X509v3 Subject Alternative Name:
DirName:/OU=Microsoft Ireland Operations Limited/serialNumber=230280+436116
X509v3 Authority Key Identifier:
keyid:A9:29:02:39:8E:16:C4:97:78:CD:90:F9:9E:4F:9A:E1:7C:55:AF:53
X509v3 CRL Distribution Points:
Full Name:
URI:http://www.microsoft.com/pkiops/crl/MicWinProPCA2011_2011-10-19.crl
Authority Information Access:
CA Issuers - URI:http://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt
X509v3 Basic Constraints: critical
CA:FALSE
Signature Algorithm: sha256WithRSAEncryption
8d:f6:c8:84:83:e6:a5:9d:aa:c0:da:c6:d4:03:62:8f:42:8e:
cb:7c:a7:3c:ad:1f:da:af:62:a6:98:c6:1a:ae:50:77:6c:06:
0c:49:aa:82:5e:b7:65:55:69:e2:83:7e:52:ad:28:41:be:c0:
e6:7d:56:67:dd:48:e1:6e:ee:fb:c1:24:cd:ab:b2:8e:9e:c6:
3a:89:2e:c3:64:09:f5:64:4d:a7:db:e0:e2:9f:8b:ec:cb:07:
29:46:05:e9:b7:cf:8e:8d:a6:41:fa:6e:f4:84:7b:ef:ca:7e:
49:15:53:eb:1e:6e:6a:2d:3e:c6:9f:0a:8d:af:8a:6e:51:69:
20:2c:5d:3b:17:28:4f:b0:5c:1f:d9:89:3d:01:45:90:0f:04:
f7:84:2c:99:42:a6:fe:4e:ce:1e:42:18:3e:24:37:3c:45:4b:
03:5a:75:3d:d4:93:3d:74:02:bf:a8:04:2a:f6:e5:4a:fc:56:
84:c5:d6:5a:56:2f:a0:01:8e:65:8a:f7:14:87:ce:fd:52:4d:
35:d8:83:8d:45:9e:c4:ed:e7:13:b6:15:4c:e6:df:2a:4c:0b:
f9:78:9b:74:cf:87:9f:57:46:9a:d6:48:8c:0f:d5:b3:8e:f7:
a7:5b:08:e8:fb:c6:5f:cd:64:8f:ec:e2:32:3a:db:94:ba:6d:
17:81:29:75Certificate:
Data:
Version: 3 (0x2)
Serial Number:
61:07:76:56:00:00:00:00:00:08
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010
Validity
Not Before: Oct 19 18:41:42 2011 GMT
Not After : Oct 19 18:51:42 2026 GMT
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:dd:0c:bb:a2:e4:2e:09:e3:e7:c5:f7:96:69:bc:
00:21:bd:69:33:33:ef:ad:04:cb:54:80:ee:06:83:
bb:c5:20:84:d9:f7:d2:8b:f3:38:b0:ab:a4:ad:2d:
7c:62:79:05:ff:e3:4a:3f:04:35:20:70:e3:c4:e7:
6b:e0:9c:c0:36:75:e9:8a:31:dd:8d:70:e5:dc:37:
b5:74:46:96:28:5b:87:60:23:2c:bf:dc:47:a5:67:
f7:51:27:9e:72:eb:07:a6:c9:b9:1e:3b:53:35:7c:
e5:d3:ec:27:b9:87:1c:fe:b9:c9:23:09:6f:a8:46:
91:c1:6e:96:3c:41:d3:cb:a3:3f:5d:02:6a:4d:ec:
69:1f:25:28:5c:36:ff:fd:43:15:0a:94:e0:19:b4:
cf:df:c2:12:e2:c2:5b:27:ee:27:78:30:8b:5b:2a:
09:6b:22:89:53:60:16:2c:c0:68:1d:53:ba:ec:49:
f3:9d:61:8c:85:68:09:73:44:5d:7d:a2:54:2b:dd:
79:f7:15:cf:35:5d:6c:1c:2b:5c:ce:bc:9c:23:8b:
6f:6e:b5:26:d9:36:13:c3:4f:d6:27:ae:b9:32:3b:
41:92:2c:e1:c7:cd:77:e8:aa:54:4e:f7:5c:0b:04:
87:65:b4:43:18:a8:b2:e0:6d:19:77:ec:5a:24:fa:
48:03
Exponent: 65537 (0x10001)
X509v3 extensions:
1.3.6.1.4.1.311.21.1:
...
X509v3 Subject Key Identifier:
A9:29:02:39:8E:16:C4:97:78:CD:90:F9:9E:4F:9A:E1:7C:55:AF:53
1.3.6.1.4.1.311.20.2:
.
.S.u.b.C.A
X509v3 Key Usage:
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Authority Key Identifier:
keyid:D5:F6:56:CB:8F:E8:A2:5C:62:68:D1:3D:94:90:5B:D7:CE:9A:18:C4
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
Authority Information Access:
CA Issuers - URI:http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
Signature Algorithm: sha256WithRSAEncryption
14:fc:7c:71:51:a5:79:c2:6e:b2:ef:39:3e:bc:3c:52:0f:6e:
2b:3f:10:13:73:fe:a8:68:d0:48:a6:34:4d:8a:96:05:26:ee:
31:46:90:61:79:d6:ff:38:2e:45:6b:f4:c0:e5:28:b8:da:1d:
8f:8a:db:09:d7:1a:c7:4c:0a:36:66:6a:8c:ec:1b:d7:04:90:
a8:18:17:a4:9b:b9:e2:40:32:36:76:c4:c1:5a:c6:bf:e4:04:
c0:ea:16:d3:ac:c3:68:ef:62:ac:dd:54:6c:50:30:58:a6:eb:
7c:fe:94:a7:4e:8e:f4:ec:7c:86:73:57:c2:52:21:73:34:5a:
f3:a3:8a:56:c8:04:da:07:09:ed:f8:8b:e3:ce:f4:7e:8e:ae:
f0:f6:0b:8a:08:fb:3f:c9:1d:72:7f:53:b8:eb:be:63:e0:e3:
3d:31:65:b0:81:e5:f2:ac:cd:16:a4:9f:3d:a8:b1:9b:c2:42:
d0:90:84:5f:54:1d:ff:89:ea:ba:1d:47:90:6f:b0:73:4e:41:
9f:40:9f:5f:e5:a1:2a:b2:11:91:73:8a:21:28:f0:ce:de:73:
39:5f:3e:ab:5c:60:ec:df:03:10:a8:d3:09:e9:f4:f6:96:85:
b6:7f:51:88:66:47:19:8d:a2:b0:12:3d:81:2a:68:05:77:bb:
91:4c:62:7b:b6:c1:07:c7:ba:7a:87:34:03:0e:4b:62:7a:99:
e9:ca:fc:ce:4a:37:c9:2d:a4:57:7c:1c:fe:3d:dc:b8:0f:5a:
fa:d6:c4:b3:02:85:02:3a:ea:b3:d9:6e:e4:69:21:37:de:81:
d1:f6:75:19:05:67:d3:93:57:5e:29:1b:39:c8:ee:2d:e1:cd:
e4:45:73:5b:d0:d2:ce:7a:ab:16:19:82:46:58:d0:5e:9d:81:
b3:67:af:6c:35:f2:bc:e5:3f:24:e2:35:a2:0a:75:06:f6:18:
56:99:d4:78:2c:d1:05:1b:eb:d0:88:01:9d:aa:10:f1:05:df:
ba:7e:2c:63:b7:06:9b:23:21:c4:f9:78:6c:e2:58:17:06:36:
2b:91:12:03:cc:a4:d9:f2:2d:ba:f9:94:9d:40:ed:18:45:f1:
ce:8a:5c:6b:3e:ab:03:d3:70:18:2a:0a:6a:e0:5f:47:d1:d5:
63:0a:32:f2:af:d7:36:1f:2a:70:5a:e5:42:59:08:71:4b:57:
ba:7e:83:81:f0:21:3c:f4:1c:c1:c5:b9:90:93:0e:88:45:93:
86:e9:b1:20:99:be:98:cb:c5:95:a4:5d:62:d6:a0:63:08:20:
bd:75:10:77:7d:3d:f3:45:b9:9f:97:9f:cb:57:80:6f:33:a9:
04:cf:77:a4:62:1c:59:7eundefined method `first' for #
 |
| Please donate some bucks to keep this site up and running: | |
| Ko-fi | |
|---|---|
| Yandex.Money | |
| Thank you! | |
everything is OK